Friday, 19 August 2011

cc-grabbers admin panel bender edition

When i've hacked another e-crime server today, i've found this interesting panel who reminds me of something


Brian Krebs has already made a blog post about this, you can read it here: http://krebsonsecurity.com/2011/03/big-scores-and-hi-scores/#more-8778

So, let's review.

This panel don't need a SQL support
Connect infos are saved into config.php


The 'passkey' value is used as password to log-in into panel
It's hashed in MD5 and then SHA-512.


You just need to drop the kit into your server and choose a password:


when operational:

For the stolen credit cards informations etc...
That stored into a ciphered text file at "data/droplist.txt"
Using XXTEA, the decypher key is the same password you use to log-in.
So even if you 'steal' a droplist.txt you can't decypher it without knowing the good key.

How work the gate ?
Like this:
update.php?password=&bank=&country=&name=&lastname=&card=&cvv=&expdate=&adres=&state=&zip=&ssn=&dob=&action=&city=&vbv=&id=&a1=&a2=&a3=&a4=&a5=&a6=&memvord=&tbpassword=&mmn=&userid=


When you call the gate, that will return you: 8|0|s|||||none|none|none||none|none|none|none|none|none|noneCould not connect!

The 'Could not connect!' here is due to a bad configuration of jabber/icq notifications, and the 'none' chans are the submited infos ('none' if nothing on the variable).

The coder has never heard of XSS attack:


And same when datas are displayed inside (when logged)

Another stupid things about variables is "password"
You can think you will use the hashed version directly on the variable but not.
When you 'call home' the query need to be done with the the plaintext password, and then it's hashed to MD5/SHA512 and compared with passkey inside config.php

Panel:

When you double-click on an item:

Pacman game:

Configurations:

CSV export:

I wonder how many ZeuS/Carberp/SpyEye/phishing guys use this crap.

2 comments:

  1. Извини ...срывает крышу.
    Откуда ты берешь такие лулзы?

    Я таких богомерзких картинок и такого старого трололо нигде еще не видал.

    ReplyDelete
  2. чел опоздал с постом примерно на полгода, че уж тут такого, на каком треккере он раскопал это УГМ

    ReplyDelete