A backdoor shell is a piece of code (PHP, ASP, JSP, etc.) that can be uploaded to a site to gain or retain access and some privileges on a website. Once uploaded, it allows the attacker to execute commands through the shell_exec() function, upload, delete, modify, or download files on the web server, and much more.
For defacers, it allows them to navigate easily to the public_html or /var/www directory and modify the index of the page.
There are several ways of attacking a web application in order to plant a backdoor shell on a website. Some cases or instances are below:
- Local File Inclusion – a web vulnerability that allows an attacker to inject directory traversal characters on a certain website, or to tamper with data using a Firefox User-Agent switcher add-on, and spawn a shell.
- Remote Code Execution or Command Injection – can be achieved if a certain website accepts added strings of characters or arguments; the inputs are used as arguments for executing the command in the website’s hosting server.
- Structured Query Language Injection or SQLi – after the attacker gets the username and password of the website administrator, he or she could use that privilege to access the website admin panel and could possibly upload a backdoor shell using null byte injection on the image upload page.
- Sniffing
- Brute-force Attacks – if other attacks are not possible, attackers may brute-force the File Transfer Protocol (FTP) or SSH logins to get into the web server.
- Cross Site Scripting – if a user can send requests and get responses from the victim, then it’s possible to backdoor a page.
- Social Engineering
- Remote File Inclusion
In this write-up, we will be talking about PHP backdoor shells, since most websites are coded in PHP. Below is a simple piece of PHP code that is very popular and is scattered all over the web (http://stackoverflow.com/questions/3115559/exploitable-php-functions; http://shipcodex.blogspot.com/2012/01/simple-php-backdoor-shell.html).
This code allows an attacker to execute *nix commands (command execution/injection):
if(isset($_GET['shell'])) echo("
if(isset($_GET['php'])) echo(eval(stripcslashes($_GET['php'])));
if(isset($_GET['echo'])) echo($_GET['echo']);
?>
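A defender's view of the pattern above, as an added example that is not part of the original write-up: a small Python heuristic that flags PHP files in which request input ($_GET, $_POST, ...) is passed directly into a code- or command-execution function such as eval or shell_exec. The names scan_php and scan_tree, the sink list, and the samples are assumptions made for this illustration; it only catches direct flows, so input copied into a variable first is missed.

```python
import re
from pathlib import Path

# PHP functions that run code or OS commands (the page mentions eval and shell_exec).
# This sink list is an assumption for the example, not an exhaustive inventory.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)
# Superglobals that an HTTP client controls directly.
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")

def call_argument(text, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
    return text[open_paren + 1:]  # unbalanced source: inspect the remainder

def scan_php(source):
    """List (line, sink) for every sink call whose argument holds request input."""
    findings = []
    for m in SINK_CALL.finditer(source):
        if REQUEST_INPUT.search(call_argument(source, m.end() - 1)):
            findings.append((source.count("\n", 0, m.start()) + 1, m.group(1).lower()))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {path: findings} for flagged files."""
    flagged = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            flagged[str(path)] = hits
    return flagged

# Constructed samples; the first reuses two lines quoted on this page.
SAMPLE_SUSPECT = """<?php
if(isset($_GET['php'])) echo(eval(stripcslashes($_GET['php'])));
if(isset($_GET['echo'])) echo($_GET['echo']);
?>
"""
SAMPLE_BENIGN = """<?php
$name = htmlspecialchars($_GET['name'] ?? '');
$version = shell_exec('uname -r');
?>
"""
```

The heuristic does not parse PHP strings or comments, so treat its hits as leads for manual review of the flagged file and of how it got into the web root.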
Source: resources.infosecinstitute.com/