Sunday, July 15, 2007

Backdoor scripts to compromise web servers

I have been putting together a collection of scripts used to gain command execution or reverse-shell access on web servers. We use this type of tool frequently during pen-tests; all you need is the ability to upload files to the web server (and a little luck - remember that you're executing under the context of the server process, which may have limited permissions). These scripts are available for most of the common platforms, including JSP, PHP, ASP, Perl, and even ColdFusion.

Here is what I've got so far:
  • Perl Reverse-Shell - Once executed on the web server, this Perl script throws a shell to a Netcat listener running on your machine.
  • PHP Reverse-Shell - Same idea as the Perl script above, by the same author.
  • JSP Reverse-Shell - Designed to run on any server supporting Java Server Pages. The provided example is designed for Windows as it invokes cmd.exe.
  • PHP-Shell - Not a true interactive shell, but lets you execute commands and view their output via a web-based form.
  • PHPTerm - Another PHP web-based command shell.
  • Open-Labs Hacker WebKit - Collection of scripts for ASP, CFM, EXE, JSP, PHP, PL, SERVLET and SH. Provides command execution, file browsing, and file uploading.
Another good collection of web "backdoors", including a variety of ASP and ASPX scripts, is available at Unsec.Net.
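A defender's counterpart to the scripts listed above, added here as an illustrative example (it is not from this post or from any of the linked tools): a small scanner for an upload directory that flags PHP, JSP and Perl files combining a command-execution primitive with request-supplied input, or a socket call with a shell binary, which are the two shapes the listed web shells and reverse shells take. The indicator patterns, severity rules and sample file contents are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Indicator patterns per file type (assumptions for this example, not a signature set
# from any product). Each maps a file extension to a regex over the file's source text.
EXEC_PATTERNS = {  # OS command execution primitives
    "php": r"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(",
    "jsp": r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder\s*\(",
    "pl":  r"\b(system|exec)\s*\(|\bopen\s*\([^)]*\|",
}
INPUT_PATTERNS = {  # command text taken straight from the HTTP request
    "php": r"\$_(GET|POST|REQUEST|COOKIE)\b",
    "jsp": r"request\.getParameter\s*\(",
    "pl":  r"\bparam\s*\(",
}
SOCKET_PATTERNS = {  # raw TCP sockets, as used by bind/reverse shells
    "php": r"\bfsockopen\s*\(|\bsocket_create\s*\(",
    "jsp": r"new\s+Socket\s*\(",
    "pl":  r"\bIO::Socket\b|\bsocket\s*\(",
}
SHELL_BINARIES = r"/bin/(ba)?sh\b|cmd\.exe"

def scan_source(filename: str, text: str) -> Dict[str, object]:
    """Return the indicators found in one uploaded file and a severity for triage."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in EXEC_PATTERNS:  # images, documents etc. are not scanned here
        return {"file": filename, "findings": [], "severity": "none"}
    findings: List[str] = []
    if re.search(EXEC_PATTERNS[ext], text):
        findings.append("command-execution")
    if re.search(INPUT_PATTERNS[ext], text):
        findings.append("request-input")
    if re.search(SOCKET_PATTERNS[ext], text) and re.search(SHELL_BINARIES, text):
        findings.append("socket-shell")
    # Severity: a socket wired to a shell, or exec fed from the request, is the
    # web-shell shape; exec alone needs review; request input alone is routine.
    if "socket-shell" in findings or {"command-execution", "request-input"} <= set(findings):
        severity = "high"
    elif "command-execution" in findings:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"file": filename, "findings": findings, "severity": severity}

# Constructed sample uploads (fragments, not real files) to exercise the scanner.
SAMPLES = {
    "upload/cmd.php": "... $out = shell_exec($_POST['c']); echo $out; ...",
    "upload/contact.php": "... $n = htmlspecialchars($_POST['name']); mail($to, $s, $n); ...",
    "upload/rev.pl": "use IO::Socket::INET; ... exec('/bin/sh -i'); ...",
    "upload/run.jsp": '<% Runtime.getRuntime().exec("cmd.exe /c dir"); %>',
    "upload/logo.png": "\x89PNG...",
}

def scan_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, str]:
    """Map each file name to its severity, for feeding into an alert or upload gate."""
    return {name: str(scan_source(name, text)["severity"]) for name, text in samples.items()}
```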

1 comment:

pentestmonkey said...

Hi Ryan,

The following POC is a slight variation on the above scripts.

http://pentestmonkey.net/tools/php-findsock-shell/

It demonstrates how PHP scripts can attach a shell to the TCP connection between browser and web server.

It's therefore possible to get an interactive shell even when firewalls make the use of bindshells or reverse shells impossible.