- Local File Inclusion – a web vulnerability that allows an attacker to inject directory traversal characters into a website's requests, or to tamper with request data using a Firefox User-Agent switcher add-on, and spawn a shell.
- Remote Code Execution or Command Injection – can be achieved if a website accepts added strings of characters or arguments and those inputs are used as arguments when executing a command on the website’s hosting server.
- Structured Query Language Injection or SQLi – after the attacker gets the username and password of the website administrator, he or she could use that privilege to access the website admin panel and possibly upload a backdoor shell using null-byte injection on the image upload page.
- Bruteforce Attacks – if the other possible attacks cannot be carried out, attackers may brute-force the File Transfer Protocol (FTP) or SSH logins to get into the web server.
- Cross Site Scripting – if a user can send requests and get responses from the victim, then it’s possible to backdoor a page.
- Social Engineering
- Remote File Inclusion
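
The command injection item in the list above, shown as the vulnerable pattern beside a hardened form. This is an added example, not code from the original page; the "ping a host" feature and the function names `ping_vulnerable`, `is_valid_host` and `ping_hardened` are hypothetical, and the array form of `proc_open` assumes PHP 7.4 or later.

```php
<?php
// Added example (hypothetical "ping a host" feature), not code from the page.

// VULNERABLE: request input is concatenated into a command line, so any shell
// metacharacters in $host are interpreted by the shell on the hosting server.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// Allow-list check: letters, digits, dots and hyphens only, starting and
// ending with an alphanumeric so the value cannot be read as an option.
// /D stops "$" from matching before a trailing newline.
function is_valid_host(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/D', $host) === 1;
}

// HARDENED: validate first, then run the program with an argv array so that
// no shell ever parses the input.
function ping_hardened(string $host): string
{
    if (!is_valid_host($host)) {
        throw new InvalidArgumentException('invalid host');
    }
    $proc = proc_open(['ping', '-c', '1', $host], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

// Constructed sample inputs; only the validator runs here (no network use).
// The first two are accepted, the rest are rejected.
foreach (['192.0.2.10', 'www.example.com', 'example.com; id', '-c5'] as $h) {
    printf("%-18s %s\n", $h, is_valid_host($h) ? 'accepted' : 'rejected');
}
```

Where a shell command line cannot be avoided, `escapeshellarg()` on each argument is the fallback, but validation plus an argv array removes the shell from the path entirely.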
In this write-up, we will be talking about PHP backdoor shells since most websites are coded in PHP. Below is a simple piece of PHP code that is very popular and is scattered all over the web (http://stackoverflow.com/questions/3115559/exploitable-php-functions; http://shipcodex.blogspot.com/2012/01/simple-php-backdoor-shell.html).
This code allows an attacker to execute *nix commands (command execution/injection):