
Dendroid vulnerability



Analyzing the leaked code revealed multiple vulnerabilities due to a lack of user input validation, including Cross-Site Scripting (XSS), Arbitrary File Upload, SQL Injection, and PHP Code Execution.


Unsanitized user input is written to the Panel/config.php file via POST requests to the Panel/applysettings.php file. This vulnerability allows PHP code to be injected and then executed with subsequent requests at the Panel/config.php URL. Rewriting this configuration file will not only allow execution of specially crafted PHP code, but will also render the control panel inept, effectively creating a Denial of Service condition.


Here is one proof of concept that passes the GET parameter “c” for system command execution:

[hidden content, not visible on this page]

Let’s break down each of these POST parameters to show what they do. Curl is instructed to send a POST request for the timezone parameter with the URL encoded string:

[hidden content, not visible on this page]

This POST value will subsequently be written to the Panel/config.php file on line 13 as compiler-happy code:

[hidden content, not visible on this page]

The other POST values, postboxsize and botoffline, are assigned the expected integer values so PHP does not throw any errors. Our post-exploit Panel/config.php file now contains the contents below. Notice that the database connection information (dbhost, dbname, etc.) was overwritten, which stops the control panel from functioning:

[hidden content, not visible on this page]

And now the backdoor shell can be accessed by issuing system commands to the POST “c” parameter:

[hidden content, not visible on this page]

Example using "whoami" system command
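The root cause described in the post is a settings handler that interpolates request values straight into PHP source and then overwrites the whole config file. The example below, added here and not taken from the leaked Dendroid panel, contrasts that unsafe write pattern with a hardened one: every value is validated against its expected type or domain, literals are emitted with var_export() so they can never become code, keys not on the settings form (the DB credentials) are carried over untouched, and the file is replaced atomically. Function names, the key list and the sample request are assumptions for illustration.

```php
<?php
// Added example, not Dendroid's own code. Function and setting names are
// assumed; the real panel's applysettings.php/config.php are not shown here.

// UNSAFE pattern: request values are pasted into PHP source. Any value that
// contains a quote or PHP tokens changes the generated program, and the DB
// settings are dropped because only the form fields are written back.
function write_config_unsafe(string $path, array $post): void {
    $php  = "<?php\n";
    $php .= "\$timezone = '" . $post['timezone'] . "';\n";
    $php .= "\$postboxsize = " . $post['postboxsize'] . ";\n";
    $php .= "\$botoffline = " . $post['botoffline'] . ";\n";
    file_put_contents($path, $php);
}

// SAFE pattern, step 1: validate each field against its expected domain.
// timezone must be a known identifier; the two counters must be ints in range.
function validate_settings(array $post): array {
    $tz = $post['timezone'] ?? '';
    if (!in_array($tz, timezone_identifiers_list(), true)) {
        throw new InvalidArgumentException('timezone must be a known identifier');
    }
    $range = ['options' => ['min_range' => 1, 'max_range' => 1000]];
    $size = filter_var($post['postboxsize'] ?? null, FILTER_VALIDATE_INT, $range);
    $off  = filter_var($post['botoffline'] ?? null, FILTER_VALIDATE_INT, $range);
    if ($size === false || $off === false) {
        throw new InvalidArgumentException('postboxsize and botoffline must be integers in range');
    }
    return ['timezone' => $tz, 'postboxsize' => $size, 'botoffline' => $off];
}

// SAFE pattern, step 2: merge validated fields over the existing settings so
// keys that are not on the form (dbhost, dbname, ...) survive, then emit each
// value with var_export(), which produces a correctly escaped PHP literal.
function render_config(array $existing, array $validated): string {
    $merged = array_merge($existing, $validated);
    $php = "<?php\n";
    foreach ($merged as $key => $value) {
        // Only plain identifiers become variable names; anything else is skipped.
        if (!preg_match('/^[a-z][a-z0-9_]*$/', $key)) {
            continue;
        }
        $php .= '$' . $key . ' = ' . var_export($value, true) . ";\n";
    }
    return $php;
}

// SAFE pattern, step 3: write to a temp file and rename, so a failure half way
// through never leaves the panel with a truncated config.php.
function write_config_safe(string $path, array $existing, array $post): void {
    $config = render_config($existing, validate_settings($post));
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $config, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException('could not replace ' . $path);
    }
}

// Constructed sample: existing settings loaded from the current config, plus a
// well-formed request. A timezone that is not in the identifier list, or a
// non-integer counter, is rejected by validate_settings() before anything is written.
$existing = ['dbhost' => 'localhost', 'dbname' => 'panel', 'dbuser' => 'panel', 'dbpass' => 'example'];
$post     = ['timezone' => 'Europe/Berlin', 'postboxsize' => '50', 'botoffline' => '10'];
echo render_config($existing, validate_settings($post));
```

A sturdier design avoids generating PHP source from request data at all: store the settings as JSON (json_encode on save, json_decode on load) and keep credentials in a file the settings form never rewrites. Either way, the two things to check when reviewing such a handler are that every written value passed a domain check and that no key outside the form's own fields can be altered by the request.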
