
How To Get Root By Uploading a Shell to a Web Server (Backdoor Image)

Hacking a server isn't easy, and there are many ways to do it, but here we're going to get a shell by uploading an image backdoor to the web server. Plenty of websites let you upload an avatar picture or edit your profile, and those upload forms are where this technique applies.

Let’s start!

For this tutorial I'll be using DVWA to upload a simple shell with a .php extension, with DVWA's security level set to low.

As you can see in the screenshot above, I was able to upload a shell to the web server simply by using a .php extension (backdoor.php). This sometimes doesn't work on other sites, because they restrict the file types they accept.

Let's try changing the security level from low to medium in DVWA.

Now if I upload the shell again at medium security I get this error: "Your image was not uploaded. We can only accept JPEG or PNG images."

As you can see, I tried to upload backdoor.php but it failed because the web application only accepts image/jpeg and image/png uploads. Don't worry, we can intercept the POST data with a proxy tool to bypass this check and reach our backdoor with its PHP extension. So fire up Burp Suite.

Comparing the Low Security and Medium Security Code

Low Security Code

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>

Medium Security Code

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

Now let's intercept the live HTTP POST request and get around this check:

// Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) )
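The medium-security check above decides based on $_FILES['uploaded']['type'], which is copied straight from the Content-Type the client sent, and it keeps the client's filename, so the extension is whatever the uploader chose. The following is an added example of a hardened handler, not DVWA's own code: it detects the type from the file contents, decodes the file as an image, generates a random server-chosen filename, and stores the file in a directory that is assumed to sit outside the web root (UPLOAD_DIR is an assumed path; the form field name 'uploaded' and the 100000-byte limit are taken from the DVWA code).

```php
<?php
// Added example (not DVWA's own code): an upload handler that does not trust
// the client-supplied Content-Type or filename.
// Assumptions: the form field is still named 'uploaded', and UPLOAD_DIR is a
// directory outside the web root from which the web server never executes PHP.

const UPLOAD_DIR = '/var/www/private_uploads/';   // assumed path, outside the web root
const MAX_BYTES  = 100000;                         // same limit as the DVWA code

// Allowed image types, keyed by the MIME type detected from the file contents,
// mapped to the extension the server will assign.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one $_FILES entry and store it.
 * Returns [$ok, $message, $storedName]; $storedName is null on failure.
 */
function handle_image_upload(array $file): array
{
    // 1. PHP's own upload status must be clean (partial uploads, size errors, etc.).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed.', null];
    }
    // 2. Size limit enforced server-side, independent of any client hint.
    if ($file['size'] > MAX_BYTES) {
        return [false, 'File too large.', null];
    }
    // 3. Only handle a file that PHP actually received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Invalid upload.', null];
    }
    // 4. Detect the type from the magic bytes, not from $_FILES['type'],
    //    which is whatever Content-Type the client chose to send.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $realType = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$realType])) {
        return [false, 'We can only accept JPEG or PNG images.', null];
    }
    // 5. The file must decode as an image; a script with only a forged header fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'Not a valid image.', null];
    }
    // 6. Never reuse the client filename: a random name plus a server-chosen
    //    extension means 'backdoor.php' or a '../' prefix cannot shape the path.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$realType];
    $dest       = UPLOAD_DIR . $storedName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'Your image was not uploaded.', null];
    }
    chmod($dest, 0644); // stored as data, never executable
    return [true, 'Image uploaded.', $storedName];
}

if (isset($_POST['Upload']) && isset($_FILES['uploaded'])) {
    [$ok, $msg, $name] = handle_image_upload($_FILES['uploaded']);
    // Echo only a server-controlled message, not the client's path or filename.
    echo '<pre>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

The content check alone is not the whole defence: a real image with script appended still decodes as an image. What stops it from running is that the stored name never carries a .php extension and the directory is served as static data, so the web server configuration (no PHP handler for the upload directory) should be treated as part of the fix, not an optional extra.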


I will cover the high and impossible security levels in the next part of this tutorial. Until then, have fun, and please comment if you have any questions.

Noor Qureshi

Experienced Founder with a demonstrated history of working in the computer software industry. Skilled in Network Security and Information Security.
