Check out http://sourceforge.net/projects/laudanum/ .  They have some things that will do what you want.  There are also some cleansed versions of what the evil folks out there are using.  They have some advanced functionality such as ability to escalate privileges, deal with databases, etc. 

Then, there's a fun one.  If you can turn it into a remote file injection, metasploit has a payload (exploit/unix/webapp/php_include) that will allow you to inject a php meterpreter.  It may be injectable on it's own, but you can then route traffic through that php file and do further enumeration, scanning, and ssh brute-force in order to get what you want.  And of course, you will have a shell, so you can do most of what you're looking for.

Hope this helps

Alrighty now... Kungfunix time... You have write access but it is likely you are restricted because of the type of user/group on the server (e.g., apache:wheel) so your first goals would be to perform recon on the machine. If you can run the script you posted:


Then you should think about getting the following information to use for later tasks:

- Find out EXACTLY what kind of server you're on
- What directory are you in
(get rid of things you can't access (ignore denied))
(sure I could have made this shorter, not the point )

ME... What I like to do is look for configs from time to time, they yield a lot of information as do *_history files when available. I personally would try to get as much information as I could in order to launch a targeted attack with SPECIFICS for that system. For example, so what you can upload and run applications to the server, you will likely still need to escalate in order to truly accomplish anything.

By focusing on the information (uname -a/version, etc.) you gain a better view of what you're up against so you can upload a focused exploit which will save you time, headaches, etc. Anyhow, my point is... You has semi-root... Now what? If this is for the OSCP, OSCE, CPT, CEPT, chances are there is something exploitable left for you to find. Can you gather usernames, groups, anyone crisscross groups? Anything out of the ordinary permissions-wise?

Think like an administrator for a moment and then an attacker. "Why am I running this server, who needs to access it, what do I need to potentially HIDE from prying eyes..." This should include directories with obscure names, e.g. TMP, TEMP, .TEMP and so on. Don't forget the spaces For example, on a term do a mkdir " " followed by an ls you'll see no directory. On the system itself with a window manager you will see a directory, but on terminal its blanked out so don't forget to search extensively.

You're right dante, for example, here is a link...
http://pentestmonkey.net/tools/php-reverse-shell/

I really wanted to start a discussion on the subject and see what people were doing. I was hoping for something a bit more interesting, like the link apollo added and the comments sil provided.

But you are right, my first post wasn't too good...  

Wow, thanks great Sil!


I don't understand (and I can't test it right now...). What is the vulnerability being exploited? You need a "Remote File Include" vulnerability?

From file 7444:

Like the author of this file, I have never seen this before. That's why I could understand it. Thanks Dante, I am good now.