Firesale WebPanel botnet 0days

Oh, Firesale WebPanel botnet.  How entertaining it is to see you continue to raise your head over the years....

XSS Reflected –

This is a great example of reflected XSS. Within deleteTask.php, line 5, a malicious POST request with a tainted tasked paramenter is sent. Literally on the same line, builtin_echo sends the non-validated / sanitized input in the html response.


Much more subtle XSS are the DOM-based XSS features. From within index.php, line 119, the localScope response is viewed by the server. On line 120, the DOM is assigned to innerHTML. Ouch!

Poor SQL Injection mitigation -  

Without getting into too much detail, in handleCreateTask.php, line 24, there is an attempt to sanitize sql via mysql_escape_string(). While great in theory, mysql_escape_string() is easily bypassed. See here for further information.  It isn’t safe to use due to the false sense of security provided by the function.


Google hack to find instances