I don't know who did the PHP but he deserve a medal, it's more easy to hack than SpyEye. (yeah i didn't think it was possible too)
Here i will talk about a simple code injection but there is a lot of others vulnerabilities in theses leaked panels.
e.g: stupid code allow IP spoofing:
No but seriously the best vulnerability is the RCE one, the guys who coded this is really mentally retarded:
Oh good timing, some Carberp C&C appeared on vx.vault:
Let's write a spl0it now, i think most of you come here for a PoC right ?
The 'encoded' part do a file_get_contents() on includes/config.php
Then connect to the SQL db and show the Carberp credentials. (in case if we don't have phpMyAdmin)
But it would be useless if we can't show the login page due to Auth key so it parse index.php and retrieve it.
Cool payload huh ?
Let's test it so...
I've tested on some others C&C and everything went fine.
And it's a RCE so you can execute some cool shit like system('wget http://xxx.xxx');
To download a backdoor or whatever...
Here are some screenshots of the panel: