I will not go too much into the Pandora DDoS botnet. It is a derivative of the Dirt Jumper toolkit. The creators made it extremely hard to find C&C panels via Google hacking. I was able to find one, but the domain was already offline by the time of this post. Pandora works well enough to take down small to moderate systems. The code isn't optimized; as a result, the command center hits performance bottlenecks once there are 2000+ bots. On to the 0days.
SQL Injection-
Within index.php, the u parameter, received via GET on line 4, is assigned to $ip. Line 11 then builds a MySQL query string from it and executes it, with no attempt at validation or sanitization. Why they didn't use a bind (a prepared statement with a bound parameter), I have no idea.
XSS Reflected-
Within m_d.php, the URL parameter, received via POST on line 87, is assigned to $URL1 and then transitively to $URL on line 100. On line 154, builtin_echo sends it to the browser to render. No attempt at validation or sanitization.
XSS Persistent-
Time to name your country alert(XSS). Within m_d.php, a query against the database is run on line 29 and its results are assigned to $res. On line 38, mysql_fetch_array is called and its result assigned to $row, which is assigned to $ip on line 39, which is assigned to $stat2['?'] on line 42, which is then passed to the function user_geo_ip() and its return value sent to the browser with a builtin_echo response. This one is a bit trickier, since the C&C panel relies on the compromised web host to determine the zombie's public IP and place it in the DB.
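As an added example (constructed for this post, not Pandora's actual source), here is the shape of all three findings beside the fix the SQL Injection section alludes to: a validated, bound parameter for the query and HTML encoding at the point of output. The table, column and function names are assumed.

```php
<?php
// Constructed illustration, not the panel's real code: the same three
// defects described above (unbound GET parameter in a query, a POST value
// echoed raw, a DB-stored value echoed raw) and the corrected pattern.

// --- Vulnerable shape (ext/mysql is gone, mysqli stands in for mysql_query) ---
function lookup_bot_insecure(mysqli $link, array $get) {
    $ip  = $get['u'];                                  // no validation
    $sql = "SELECT * FROM bots WHERE ip = '$ip'";      // string-built query
    return mysqli_query($link, $sql);                  // attacker controls SQL
}

// --- Hardened version ---
function lookup_bot_secure(PDO $db, array $get): array {
    // Reject anything that is not an IPv4/IPv6 literal before it reaches SQL.
    $ip = filter_var($get['u'] ?? '', FILTER_VALIDATE_IP);
    if ($ip === false) {
        http_response_code(400);
        return [];
    }
    // Bound parameter: the value is sent as data, never parsed as SQL syntax.
    $stmt = $db->prepare('SELECT ip, country FROM bots WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding covers both the reflected case (the POSTed URL) and the
// stored case (the country name pulled from the DB): encode when rendering.
function render_bot_row(array $row, string $url): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $h($row['ip']) . '</td><td>' . $h($row['country'])
         . '</td><td>' . $h($url) . '</td></tr>';
}

// Constructed sample: the markup in the stored country value is rendered
// as text, not executed.
echo render_bot_row(
    ['ip' => '203.0.113.5', 'country' => '<b>Nowhere</b>'],
    'http://example.invalid/?x="y"'
), "\n";
```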
Source - https://github.com/aeonsf/Application_Security/tree/master/blackhat/malicious...