Pandora DDoS botnet 0days

I will not go too much into Pandora DDoS botnet. It is a derivative of the Dirt Jumper toolkit. The creators made it extremely hard to find C&C panels via Google Hacking. I was able to find one but the domain was already offline by the time of this post. Pandora works well enough to take down small to moderate systems. The code isn’t optimized. As a result, the command center hits performance bottlenecks once there are 2000+ bots. On to the 0days.

SQL Injection-

Within index.php, the u parameter, via GET, is received on line 4. It is assigned to $ip. Then line 11 constructs a mysql query and executes it. No attempt at validation and / or sanitization. Why they didn’t use a bind, I have no idea.

XSS Reflected-

Within m_d.php, the URL parameter, via POST, is received on line 87. It is assigned to $URL1. Then transitively assigned to $URL on line 100. On line 154, builtin_echo sends the output to the browser to render. No attempt at validation and / or sanitization.

XSS Persistent-

Time to name your country alert(XSS) . Within m_d, on line 29, a query against the database is run. The query results are assigned to $res. On line 38, mysql_fetch_array is performed. Which is then assigned to $row. Which is then assigned to $ip on line 39. Which is then assigned to $stat2[‘?’] on line 42. Which is then sent to the function user_geo_ip(0 : return) and returned with a builtin_echo response to the browser. This would be a bit trickier since the C&C panel relies on the compromised web host to determine the zombie’s public ip and place it within the DB.

Source - https://github.com/aeonsf/Application_Security/tree/master/blackhat/malicious...