Found something while crawling a particular site.
Before I start I should tell you that I wrote a tool a while ago called DorkNet that, as the name may suggest, helps with Google Dorking. Since it takes in a list of dorks and appends the results to a text file, it's a fast and easy way of cataloging a lot of websites in a relatively short amount of time based on the criteria (dorks) you have provided.

If you are interested check it out at my repo at Github.

Anyway, as I was going over the latest batch of search results I noticed I had an entry for the website of the Saskatchewan Association of Chiefs of Police, and decided to spider/crawl it for the heck of it.

At some point I came across a page that would not render in the browser but had a large response body. Inspecting the source code revealed the presence of a variable which had been assigned the value of a very long base64 encoded string and ended in:

Code:
;eval(base64_decode($QBDB51E25BF9A7F3D2475072803D1C36D));?>

Indicating that the string was encoded PHP, to be decoded and executed. My first thought was that we were dealing with a PHP shell and after decoding the string it became apparent that we were.

[Image: 1*vdVi9ceQ3IgmBATm3FuRUQ.png]

On the left is the decoded string and on the right you can see the original.

Note the URL that's commented into the original source file. Following it we end up on a little website that has a bunch of shells which one may download and use at leisure, it would appear. In the decoded payload there is another set of URLs, presumably linking to the websites of the original authors of it.
If you're interested in looking at the source code for yourself feel free to 'wget' it from here https://www.sacp.ca/news/download_attachment.php?id=16

Whoever put it there was successful in exploiting their target. Interestingly enough, they left some sort of data dump behind on the server. As far as I am able to tell this data originated from three separate sources possibly unrelated to the main target (SACP server). Most notably there's one originating from what appears to be compromised FBI systems. Secondly there is a data dump from what appears to be dukecorperation.com, and lastly an unnamed dump that could be related to the SACP server.

Anyway, if you're interested in the data, I have collected it and separated it into three pastes according to their presumed origins.

Data Dump #1 (FBI)
Data Dump #2 (Duke Corp)
Data Dump #3 (Potentially SACP)

The complete file can be found right on the SACP server as well by clicking here.


Anyway, this is kind of a cross post from my blog, but I thought it was a pretty interesting find so I figured I would go ahead and share it on the forum as well.
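A defender-side check for the construct described in this post, added here as an example that is not part of the original post or of DorkNet: it finds eval(base64_decode($var)) calls in PHP source, resolves the variable's base64 string literal, decodes it, and keeps peeling while the decoded text repeats the same trick. The sample file, the harmless payload and the wrap_in_eval fixture helper are constructed for the example; only the variable name is taken from the post.

```python
import base64
import binascii
import re

# The trailer quoted in the post: ...;eval(base64_decode($VARNAME));?>
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)")


def decode_one_layer(php_source):
    """Return (variable, decoded_text) for the first eval(base64_decode($var))
    whose $var is assigned a base64 string literal in the same source, or
    None when the construct is absent or the literal does not decode."""
    for match in EVAL_RE.finditer(php_source):
        var = match.group(1)
        assign = re.search(
            r"\$" + re.escape(var) + r"\s*=\s*['\"]([A-Za-z0-9+/=\s]*)['\"]",
            php_source)
        if not assign:
            continue
        blob = re.sub(r"\s+", "", assign.group(1))  # tolerate wrapped blobs
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        return var, decoded
    return None


def unwrap_payload(php_source, max_layers=5):
    """Peel nested eval(base64_decode()) layers and report what was found."""
    variables, current = [], php_source
    while len(variables) < max_layers:
        step = decode_one_layer(current)
        if step is None:
            break
        var, current = step
        variables.append(var)
    return {
        "layers": len(variables),
        "variables": variables,
        "final_text": current if variables else None,
        "is_php": current.lstrip().startswith("<?") if variables else False,
    }


def wrap_in_eval(php, var):
    """Build a constructed test fixture in the shape seen on the page."""
    blob = base64.b64encode(php.encode()).decode()
    return '<?php $%s="%s";eval(base64_decode($%s));?>' % (var, blob, var)


# Constructed sample: same variable name as the post, harmless payload.
SAMPLE = wrap_in_eval("<?php echo 'harmless sample'; ?>",
                      "QBDB51E25BF9A7F3D2475072803D1C36D")
```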