Tuesday, 25 September 2012

Blackhole 2.0

Talking about Blackhole was not on my todo list, but I've broken a server and found this shit on it.

Advert:

Login:

Dashboard:

"TXT" feature

Threads:

Thread statistics:

Thread parameters:

Files:

Soft Version:

Security:

Preferences:

If you look for further information about Blackhole, have a look here: http://blog.spiderlabs.com/2012/09/blackhole-exploit-kit-v2.html
And here: http://malware.dontneedcoffee.com/2012/09/behind-captcha-or-inside-blackhole.html

Paunch uses kcaptcha (http://www.captcha.ru/en/kcaptcha/) and has changed a lot of parameters; my Blackhole 1.x.x tools are all dead.

But it's just a question of time to adapt the work... again.

If you want to recognise a Blackhole 2.0 installation, use these paths as a guide:
autoupdate.php
api.php
l.php
bhstat.php?threadID=22&ruleID=33&key=0c382c13dbaca1490c207a89b61a2c53
bhstat.php?ThreadID=04&data=5744af702a50d95793f9425af1569696
w.php
update.php
bhadmin.php
cron_updatetor.php
cron_update.php
cron_checkdomains.php
cron_check.php
adm.php
master.php
main.php
move_logs.php
content/1fdp.php
content/2fdp.php
content/hcp_asx.php
content/hcp_js.php
content/hcp_vbs.php
content/pch.php
data/ap1.php
data/ap2.php
data/hcp_asx.php
data/hcp_vbs.php
data/hhcp.php
library/browser2.php
library/browser.php
library/db.php
library/errors.php
library/files.php
library/funcs.php
library/js.php
library/lang.php
library/logs.php
library/prefs.php
library/sc.php
library/template.php
library/threadData.php
library/threadDataLoader.php
library/threads.php
library/kcaptcha/index.php
library/kcaptcha/kcaptcha.php
library/kcaptcha/kcaptcha_config.php
library/kcaptcha/util/font_preparer.php
library/templates/pda/addFile.php
library/templates/pda/files.php
library/templates/pda/fileScan2.php
library/templates/pda/fileScan.php
library/templates/pda/login.php
library/templates/pda/prefs.php
library/templates/pda/secur.php
library/templates/pda/threads.php
library/templates/default/addFile.php
library/templates/default/addRule2.php
library/templates/default/addRule3.php
library/templates/default/addRule.php
library/templates/default/addThread.php
library/templates/default/addWidget.php
library/templates/default/adv.php
library/templates/default/files.php
library/templates/default/filesAjax.php
library/templates/default/fileScan2.php
library/templates/default/fileScan.php
library/templates/default/fileStat.php
library/templates/default/login.php
library/templates/default/menu.php
library/templates/default/newWidget.php
library/templates/default/prefs.php
library/templates/default/secur.php
library/templates/default/threads.php
library/templates/default/threadsAjax.php
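
The path list above is what a defender can actually use: the same names show up in web server access logs when a compromised host is serving the kit, or in proxy logs when victims are pulled to a panel. The script below is an added example written for this post, not a tool from the post or from the kit: it scans Apache/nginx "combined" log lines for the distinctive Blackhole 2.0 paths listed above and for the bhstat.php query shape (threadID plus a 32-hex key/data value) quoted in the list. The generic names from the list (main.php, library/db.php, update.php and the like) are deliberately left out because they match too many unrelated PHP sites. The log lines are constructed sample data using documentation IP ranges.

```python
import re
from urllib.parse import urlsplit

# Distinctive Blackhole 2.0 panel/delivery scripts, taken from the path list in the post.
# Generic names from that list (main.php, library/db.php, ...) are left out on purpose:
# they match far too many unrelated PHP applications.
BLACKHOLE2_PATHS = (
    "bhadmin.php", "bhstat.php", "cron_updatetor.php", "cron_checkdomains.php",
    "content/1fdp.php", "content/2fdp.php", "content/pch.php",
    "content/hcp_asx.php", "content/hcp_js.php", "content/hcp_vbs.php",
    "data/ap1.php", "data/ap2.php", "data/hhcp.php",
    "library/threadDataLoader.php", "library/kcaptcha/kcaptcha.php",
    "library/templates/default/threadsAjax.php",
)

# The bhstat.php callbacks quoted in the post carry a threadID plus a 32-hex "key" or "data".
BHSTAT_QUERY = re.compile(r"(?i)threadid=\d+.*\b(?:key|data)=[0-9a-f]{32}\b")

# Apache/nginx "combined" access-log line: just enough to pull out client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_target(target):
    """Return (indicator, strong) if the request target matches a Blackhole 2.0 path, else None.

    bhstat.php is a common enough file name that it only counts as a strong hit when the
    query string has the threadID/key shape seen in the post; otherwise it is a weak hit.
    """
    parts = urlsplit(target)
    path = parts.path.lstrip("/")
    for known in BLACKHOLE2_PATHS:
        # match the kit at the web root or installed under any sub-directory
        if path == known or path.endswith("/" + known):
            if known == "bhstat.php":
                return (known, bool(BHSTAT_QUERY.search(parts.query)))
            return (known, True)
    return None


def scan_log(lines):
    """Scan access-log lines; return [(line_no, ip, target, indicator, strong), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip rather than crash
        found = classify_target(m.group("target"))
        if found:
            hits.append((n, m.group("ip"), m.group("target")) + found)
    return hits


def suspicious_ips(hits):
    """Client IPs with at least one strong hit, sorted (weak-only IPs are excluded)."""
    return sorted({ip for _, ip, _, _, strong in hits if strong})


# Constructed sample log (documentation IP ranges); the bhstat.php query on line 2 is the
# one quoted in the post, the rest is made up for the example.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2012:10:14:02 +0200] "GET /index.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2012:10:14:03 +0200] "GET /bhstat.php?threadID=22&ruleID=33&key=0c382c13dbaca1490c207a89b61a2c53 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2012:10:15:11 +0200] "GET /kit/content/hcp_vbs.php HTTP/1.1" 200 8811 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [25/Sep/2012:10:15:12 +0200] "GET /stats.php?threadID=1 HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [25/Sep/2012:10:16:40 +0200] "POST /kit/bhadmin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.78 - - [25/Sep/2012:10:16:41 +0200] "GET /bhstat.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("strong hits from:", suspicious_ips(hits))
```

Run against a real log with `scan_log(open("access.log"))`; a strong hit on bhadmin.php or on a bhstat.php callback is worth a manual look at the document root, while a bare bhstat.php request with no matching query is only a weak signal and is kept separate so it does not flood a triage list.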

yandere.fr/blackhole2.0_sql_dump.zip


11 comments:

  1. Hell Yes! Way to go! Thanks as always!
  2. Stupid enough => http://oase2.net/bhadmin.php
    found with : inurl:bhadmin.php
  3. Hey xyli, I want to pen test BH kit for security vulns other than brute force. Have you by any chance got the new version of the kit? does not matter if it is encrypted by ioncube or whatever - I just want to pentest on localhost to see if I can do anything with it! let me know in the comments

    PS willing to provide proof that I'm whitehat and have no intention of doing anything malicious with it, just curious. Let me know!
  4. What is the password for the file provided above? yandere.fr/blackhole2.0_sql_dump.zip
  5. You can do nothing with ioncube; having Blackhole will not help you ;)

    @Rian: It's a common password used by the av industry if you can't find it maybe it's not for you :)
  6. Hello, can you upload the version of BlackHole 2.0 that I can analyze all the details please ?
  7. To all the douches here that didn't want to give the pass to the zip.
    The common pass is
    infected
    kinda logical when u think about it
  8. Password is "infected" without ""