
Bunny-Loader-ADE-Vulnerability-Report-Uncrypted-Sample

Vulnerability report including a live C2 (command-and-control) endpoint of the Bunny Loader malware (a loader/stealer), proving that the stealer's panel is extremely unsafe. This is being posted as a warning, and so that security researchers and malware researchers can take a look at this garbage botnet.

Vulnerabilities summarized

| Risk Level | Number of Alerts |
|---|---|
| High | 19 |
| Medium | 12 |
| Low | 10 |
| Informational | 24 |

| Name | Risk Level | Number of Instances |
|---|---|---|
| Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause | High | 6 |
| Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause (Generic comment) | High | 6 |
| Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment) | High | 3 |
| Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause (MySQL comment) | High | 7 |
| Advanced SQL Injection - Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF) | High | 1 |
| Advanced SQL Injection - MySQL < 5.0 boolean-based blind - Parameter replace (original value) | High | 1 |
| Advanced SQL Injection - MySQL > 5.0.11 stacked queries (comment) | High | 1 |
| Advanced SQL Injection - MySQL >= 5.0.12 AND time-based blind | High | 1 |
| Advanced SQL Injection - MySQL >= 5.0.12 AND time-based blind (SELECT) | High | 1 |
| Advanced SQL Injection - MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET) | High | 1 |
| Advanced SQL Injection - MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause | High | 6 |
| Advanced SQL Injection - PostgreSQL boolean-based blind - Stacked queries | High | 1 |
| External Redirect | High | 1 |
| LDAP Injection | High | 1 |
| NoSQL Injection - MongoDB | High | 10 |
| Path Traversal | High | 1 |
| SQL Injection | High | 60 |
| SQL Injection - Authentication Bypass | High | 3 |
| SQL Injection - SQLite | High | 21 |
| Absence of Anti-CSRF Tokens | Medium | 6 |
| Anti-CSRF Tokens Check | Medium | 3 |
| Application Error Disclosure | Medium | 10 |
| Bypassing 403 | Medium | 2 |
| Content Security Policy (CSP) Header Not Set | Medium | 50 |
| Directory Browsing | Medium | 10 |
| HTTP Only Site | Medium | 8 |
| Insecure HTTP Method - TRACE | Medium | 50 |
| Missing Anti-clickjacking Header | Medium | 27 |
| Relative Path Confusion | Medium | 1 |
| Sub Resource Integrity Attribute Missing | Medium | 26 |
| XSLT Injection | Medium | 45 |
| Big Redirect Detected (Potential Sensitive Information Leak) | Low | 1 |
| Cookie No HttpOnly Flag | Low | 7 |
| Cookie without SameSite Attribute | Low | 7 |
| Cross-Domain JavaScript Source File Inclusion | Low | 10 |
| In Page Banner Information Leak | Low | 5 |
| Insufficient Site Isolation Against Spectre Vulnerability | Low | 1 |
| Permissions Policy Header Not Set | Low | 50 |
| Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | Low | 27 |
| Server Leaks Version Information via "Server" HTTP Response Header Field | Low | 54 |
| X-Content-Type-Options Header Missing | Low | 29 |
| Authentication Request Identified | Informational | 6 |
| Cookie Slack Detector | Informational | 24 |
| GET for POST | Informational | 7 |
| Information Disclosure - Sensitive Information in URL | Informational | 4 |
| Information Disclosure - Suspicious Comments | Informational | 5 |
| Insecure HTTP Method - COPY | Informational | 1 |
| Insecure HTTP Method - LOCK | Informational | 1 |
| Insecure HTTP Method - MKCOL | Informational | 1 |
| Insecure HTTP Method - MOVE | Informational | 1 |
| Insecure HTTP Method - PROPFIND | Informational | 1 |
| Insecure HTTP Method - PROPPATCH | Informational | 1 |
| Insecure HTTP Method - UNLOCK | Informational | 1 |
| Modern Web Application | Informational | 6 |
| Non-Storable Content | Informational | 25 |
| Possible Username Enumeration | Informational | 4 |
| Sec-Fetch-Dest Header is Missing | Informational | 38 |
| Sec-Fetch-Mode Header is Missing | Informational | 38 |
| Sec-Fetch-Site Header is Missing | Informational | 38 |
| Sec-Fetch-User Header is Missing | Informational | 44 |
| Session Management Response Identified | Informational | 33 |
| Storable and Cacheable Content | Informational | 30 |
| User Agent Fuzzer | Informational | 98 |
| User Controllable HTML Element Attribute (Potential XSS) | Informational | 4 |
| Verification Request Identified | Informational | 1 |
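Several of the Medium and Low findings in the table above are pure response-header and cookie-flag issues (missing CSP, anti-clickjacking and X-Content-Type-Options headers, missing Permissions-Policy, version leaks via "Server" and "X-Powered-By", cookies without HttpOnly or SameSite). The following is an added example, not part of this report and not ZAP's own scan logic, that checks a set of response headers for exactly those findings. Both sample responses are constructed, not captured from the scanned host.

```python
"""Check a response's headers and cookies for the header-related findings in the
ZAP summary (CSP, anti-clickjacking, X-Content-Type-Options, Permissions-Policy,
Server / X-Powered-By leaks, HttpOnly and SameSite cookie flags).

Added example; not part of the report and not ZAP's own logic. The sample
responses below are constructed, not captured from the scanned host.
"""
import re

# Headers whose absence ZAP reports, keyed by lower-cased header name.
REQUIRED_HEADERS = {
    "content-security-policy": "Content Security Policy (CSP) Header Not Set",
    "x-frame-options": "Missing Anti-clickjacking Header",
    "x-content-type-options": "X-Content-Type-Options Header Missing",
    "permissions-policy": "Permissions Policy Header Not Set",
}

# Constructed response resembling a PHP panel left on default server settings.
WEAK_HEADERS = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]

# The same response with the findings addressed.
HARDENED_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names that follow the name=value pair of a Set-Cookie."""
    parts = set_cookie.split(";")[1:]
    return {p.strip().split("=", 1)[0].lower() for p in parts if p.strip()}


def audit_headers(headers) -> list:
    """Return the ZAP finding titles that apply to the given (name, value) pairs."""
    findings = []
    present = {name.lower(): value for name, value in headers}
    for name, title in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(title)
    # Disclosure: a Server header carrying a version number, or any X-Powered-By.
    if re.search(r"\d", present.get("server", "")):
        findings.append('Server Leaks Version Information via "Server" HTTP Response Header Field')
    if "x-powered-by" in present:
        findings.append('Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)')
    # Each Set-Cookie is checked on its own; a response may carry several.
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = cookie_attributes(value)
            if "httponly" not in attrs:
                findings.append("Cookie No HttpOnly Flag")
            if "samesite" not in attrs:
                findings.append("Cookie without SameSite Attribute")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```

Running it reports eight findings for the weak response and none for the hardened one; the hardened header set is the shape of fix these findings call for, not something the report itself prescribes.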

Server issues (one of MANY)

High: LDAP Injection

Description: LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.

URL: http://142.202.242.172/TQUIA729JAULAMJS/login.php?key=EWREWTRUTHEWUFIUEWJFEWJFWEIUFHE324325473524632EFJWIFJWOJFIEWJOFJOWEFYEWFYUWEUFTUYEWTFUYEWTFUYEWOWEKPFOPWEPFKW

Method: POST

Parameter: password

Attack: Equivalent LDAP expression: [' UNION SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a') -- -)(objectClass=*]. Random parameter: [p1znp6wofqs4vmgkdzob037dwmdnpaovyv3zcpy7o9xf829jwq90wooa3789bdsugi4tptljm7y2pfxq34kv4exmqusopkl92uwo6].

Evidence: Request and Response. Request Header - size: 1,061 bytes. Request Body - size: 208 bytes. Response Header - size: 252 bytes. Response Body - size: 0 bytes.

Instances: 1

Solution: Validate and/or escape all user input before using it to create an LDAP query. In particular, the following characters (or combinations) should be deny listed:

&

|

!

<

=

~=

>=

<=

(

)

,

"

'

;

\

/

NUL character

Reference:

- http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/LDAP-Injection
- https://owasp.org/www-community/attacks/LDAP_Injection

Tags: OWASP_2021_A03, WSTG-v42-INPV-06, OWASP_2017_A01

CWE Id: 90

WASC Id: 29

Plugin Id: 40015
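The solution text above says to validate and/or escape user input before it is placed in an LDAP query and lists the characters to deny. The following is an added example of both halves of that advice; it is not code from the report, from ZAP, or from the panel that was scanned. The deny list is the character list from the solution text, the escaping table is the one RFC 4515 defines for filter assertion values, and the allowlist, the filter shape (`inetOrgPerson`/`uid`) and the sample inputs are assumptions made for the example.

```python
"""Defensive handling of user input destined for an LDAP search filter.

Added example for the LDAP Injection finding; not code from the report, from
ZAP, or from the scanned panel. The deny list is the character list ZAP gives
in its solution text; the escape table is the one RFC 4515 section 3 defines
for filter assertion values. The allowlist pattern and the filter shape are
assumptions for this example.
"""
import re

# Characters ZAP's solution says to deny-list in raw input (NUL added as \x00).
LDAP_DENY_LIST = frozenset('&|!<>=~(),"\';\\/') | {'\x00'}

# RFC 4515 assertion-value escapes: backslash followed by the byte in hex.
_RFC4515_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}

# Assumed allowlist for a directory user name: letters, digits, dot, dash, underscore.
_USERNAME_RE = re.compile(r'^[A-Za-z0-9._-]{1,64}$')


def contains_ldap_metachars(value: str) -> bool:
    """Deny-list check: True if the raw input carries any character on ZAP's list."""
    return any(ch in LDAP_DENY_LIST for ch in value)


def validate_username(value: str) -> str:
    """Allowlist validation; raises on anything outside the permitted alphabet."""
    if not _USERNAME_RE.match(value):
        raise ValueError("username contains characters outside the allowlist")
    return value


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    return ''.join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """Build the user-lookup filter for a login. The filter's structure is fixed;
    only the escaped user-supplied value is placed into it, so the input can no
    longer close the current assertion or open a new one."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed inputs: a benign name and one shaped like the finding's payload,
    # which tries to terminate the uid assertion and append its own.
    for sample in ("alice", "admin)(objectClass=*"):
        print(repr(sample), "deny-list hit:", contains_ldap_metachars(sample))
        print("  filter:", build_login_filter(sample))
```

Two design points worth noting. Escaping alone (the RFC 4515 table) is enough to keep the filter structure intact, because the only characters that can alter a filter are the parentheses, the asterisk, the backslash and NUL; the wider deny list from the solution text catches input that has no business in a user name at all, and an allowlist such as `validate_username` is the strictest form of that check. Separately, the vulnerable parameter in this finding is `password`, and a password should never be placed in a search filter at all: the filter locates the user's entry, and the password is then checked by binding to the directory as that entry.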
