Shell Uploading by Bypassing Security Checks
Monday, February 27, 2012, 6:00 AM
Author: shwekoyantaw
"I found an upload page, but I can't upload a shell" is something you hear from beginners all the time. So this post is about exactly those cases. I have written it so that developers can check their own code and so that it is useful to black hats as well (as is my habit: as thoroughly as I can). :-)

First, let's look at the upload form on the upload page:
```html
<!-- enctype is required for file uploads; the field name matches $_FILES['userfile'] used by the scripts below -->
<form name="upload" action="upload.php" method="post" enctype="multipart/form-data">
upload a file : <input type="file" name="userfile">
<input type="submit" name="upload">
</form>
```
Nothing complicated, so there is not much to explain: the file is submitted with the POST method and uploaded. :-D Where a file is uploaded like this, there are several ways the server side can be written.

(a) Normal Implementation

This is the plain upload form: an upload page that accepts any file you want to upload, with no security check at all.
```php
<?php
$uploaddir = 'uploads/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
    echo "File is valid, and was successfully uploaded.\n";
}
else
{
    echo "File uploading failed.\n";
}
?>
```
It is as plain as "normal" suggests. The uploaded file is written into the configured directory under the name the client sent. If something like a connection error happens in between, it prints "failed", and that is all. So a shell can be uploaded without any trouble and reached at the usual place:

http://www.site.com/uploads/shell.php
(b) Content Type Verification

Here the page no longer accepts whatever file is sent as easily as before. It checks the file type before accepting the upload, so files like .txt or .php are no longer accepted. Look at the code below and it will be clear.
```php
<?php
// checks if file is GIF or not (using the type reported for the upload)
if ($_FILES['userfile']['type'] != "image/gif")
{
    echo "Sorry, we only allow uploading GIF images";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
    echo "File is valid, and was successfully uploaded.\n";
}
else
{
    echo "File uploading failed.\n";
}
?>
```
Look: before the file is uploaded, the script first checks whether it is a GIF image, and if not it shows the message "Sorry, we only allow uploading GIF images". So something like a .php file can no longer be uploaded directly. :lol

However, when a file that is not a GIF image is uploaded, the HTTP request going to the server looks like this:

```http
POST /upload2.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data; boundary=xYzZY
Content-Length: 156

--xYzZY
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: text/plain
```

The Content-Type of that part is written by the client, and PHP copies it into $_FILES['userfile']['type'] without looking at the file itself. A security check like this can therefore be bypassed with a Firefox add-on such as Tamper Data, and the shell uploaded anyway.
(c) File Name Verification

This time the developer checks the file's extension before accepting the upload. Let's take a look.
```php
<?php
$blacklist = array(".php", ".phtml", ".php3", ".php4");
foreach ($blacklist as $item)
{
    // preg_quote() so the dot in ".php" is matched literally; anchored to the end of the name
    if (preg_match('/' . preg_quote($item, '/') . '$/i', $_FILES['userfile']['name']))
    {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
}
else
{
    echo "File uploading failed.\n";
}
?>
```
Look: right at the start, potentially dangerous extensions such as .php, .phtml and .php3 are blacklisted and blocked, the message "We do not allow uploading PHP files" is shown, and only then does the upload continue.

A check like this can be bypassed by using a null byte and stacking extensions, for example Shell.php.gif.

Then the shell can be accessed as usual at http://www.site.com/uploads/Shell.php.
(d) Image File Content Verification

This one is a step up from the previous ones: even for an image, the script inspects the image file content itself and accepts the upload only if it really is an image, rather than going by the extension. :-D
```php
<?php
$imageinfo = getimagesize($_FILES['userfile']['tmp_name']); // reads the image header; false if not an image
if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg')
{
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
```
Looking at the code above it is obvious: it properly checks whether the file is an image before accepting it. For this kind of security check, the shell code has to be embedded inside a GIF image with an image editor such as GIMP and that file uploaded; when the check inspects it, it finds image data and accepts it as an image file. But when you go to access the shell:

http://www.site.com/uploads/shell.gif shows the GIF image, and

http://www.site.com/uploads/shell.php lets you access the shell. :-D
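The handlers in (a) to (d) each trust something the client controls: the file name, the Content-Type of the multipart part, or an image header that a file with other content appended can still satisfy. As an added example (not the post's code and not any project's), here is a PHP handler that combines the checks the right way round: allowlist the extension, sniff the bytes with fileinfo, re-encode the image with GD so nothing hidden in the original survives, and store the result under a random server-chosen name. The field name userfile, the uploads directory, PHP 7.1+ and the availability of the fileinfo and gd extensions are assumptions.

```php
<?php
// Added example (not the post's code): a hardened upload handler replacing the
// four handlers above. Assumptions: PHP 7.1+, the fileinfo and gd extensions,
// a form field named "userfile", and an uploads directory that the web server
// serves as static files only (no PHP handler for that directory).
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

/** Allowed extensions mapped to the MIME type the file CONTENT must have. */
function allowed_types(): array
{
    return ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
}

/**
 * Validate one entry of $_FILES. Returns the extension to store the file under,
 * or null with $reason set. Every decision is based on the file bytes, never on
 * the client-supplied name or Content-Type.
 */
function validate_upload(array $file, ?string &$reason = null): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $reason = 'upload error ' . (string) ($file['error'] ?? '?');
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {            // only files PHP itself received via POST
        $reason = 'not an uploaded file';
        return null;
    }
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        $reason = 'file too large';
        return null;
    }
    // (c) Filename: allowlist instead of blacklist. A null byte or more than one
    // dot in the name (shell.php.gif, shell.php\0.gif) is rejected outright.
    $original = basename((string) ($file['name'] ?? ''));
    if ($original === '' || strpos($original, "\0") !== false || substr_count($original, '.') !== 1) {
        $reason = 'unacceptable filename';
        return null;
    }
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    $expectedMime = allowed_types()[$ext] ?? null;
    if ($expectedMime === null) {
        $reason = "extension .$ext not allowed";
        return null;
    }
    // (b) Content type: $_FILES[...]['type'] comes from the request and is ignored;
    // libmagic sniffs the real bytes instead.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== $expectedMime) {
        $reason = "content is $sniffed, expected $expectedMime";
        return null;
    }
    // (d) Image content: the header must also describe that image type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? '') !== $expectedMime) {
        $reason = 'not a decodable image';
        return null;
    }
    return $ext;
}

/**
 * Re-encode the image with GD and write it under a random, server-chosen name.
 * Re-encoding discards anything appended to or hidden inside the original file,
 * so a "GIF with PHP inside" comes out as a plain GIF. Returns the stored name.
 */
function store_upload(array $file, string $uploadDir, ?string &$reason = null): ?string
{
    $ext = validate_upload($file, $reason);
    if ($ext === null) {
        return null;
    }
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        $reason = 'GD could not decode the image';
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;          // never reuse the client's name
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    switch ($ext) {
        case 'gif': $ok = imagegif($img, $dest);       break;
        case 'png': $ok = imagepng($img, $dest);       break;
        default:    $ok = imagejpeg($img, $dest, 90);  break;
    }
    if (!$ok) {
        $reason = 'could not write image';
        return null;
    }
    chmod($dest, 0644);                                      // readable by the server, never executable
    return $name;
}

// Request handling: the form posts here with enctype="multipart/form-data".
if (isset($_FILES['userfile'])) {
    $stored = store_upload($_FILES['userfile'], __DIR__ . '/uploads', $reason);
    echo $stored !== null ? "File is valid, and was stored as $stored\n" : "Upload rejected: $reason\n";
}
```

Even with all of this in the script, the uploads directory should be served as static content with no PHP handler attached, because a defence that lives only in the upload script is exactly what this post shows being stepped around. The random name also means a request for /uploads/shell.php can never reach an uploaded file.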
(e) Antivirus

Everything described above consists of security checks performed in the upload form itself. Even once the upload form has been bypassed, an antivirus running on the server deletes the shell script, so the shell has to be encrypted. Since shell scripts are just PHP scripts, this is done with PHP encrypters; there are plenty of PHP encrypters on Google, have a look and use one.
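Section (e) says that a server-side antivirus is what catches the shell once the form has been bypassed, and that encoders are used to slip past it. The defender's counterpart, added here as an example rather than the post's own code, is an audit of the uploads directory that does not depend on signatures: it compares each file's sniffed MIME type with its extension, flags stacked extensions, and looks for PHP tags and the decode-and-eval calls that encoded PHP typically contains. PHP 7.1+ with the fileinfo extension is assumed, and the three sample files at the bottom are constructed inline; audit_directory() is the same logic run over a real directory.

```php
<?php
// Added example (not the post's code): CLI audit for an uploads directory.
// Flags files whose bytes do not match their extension, names with stacked
// extensions, and image files that also carry PHP source or the decode-and-eval
// calls that "PHP encrypters" leave behind. Assumptions: PHP 7.1+, fileinfo.
declare(strict_types=1);

/** Extension => MIME type the bytes are expected to have. */
function expected_mime(): array
{
    return ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
}

/** Strings that should never occur inside a genuine image upload. */
function suspicious_markers(): array
{
    return ['<?php', '<?=', 'eval(', 'base64_decode(', 'gzinflate(', 'str_rot13(',
            'system(', 'passthru(', 'shell_exec('];
}

/** Audit one file given its name and raw bytes; returns a list of findings (empty = clean). */
function audit_upload(string $name, string $data): array
{
    $findings = [];
    $base = basename($name);
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($data) ?: 'unknown';

    if (substr_count($base, '.') > 1) {
        $findings[] = "stacked extensions in '$base'";       // shell.php.gif style names
    }
    $expected = expected_mime()[$ext] ?? null;
    if ($expected === null) {
        $findings[] = "extension .$ext is not an allowed image type";
    } elseif ($sniffed !== $expected) {
        $findings[] = "named .$ext but content sniffs as $sniffed";
    }
    foreach (suspicious_markers() as $marker) {
        if (stripos($data, $marker) !== false) {
            $findings[] = "contains '$marker'";
        }
    }
    return $findings;
}

/** Walk a directory tree and return [path => findings] for every file with findings. */
function audit_directory(string $dir): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $findings = audit_upload($path, (string) file_get_contents($path));
        if ($findings) {
            $report[$path] = $findings;
        }
    }
    return $report;
}

// Constructed samples: a minimal GIF header, the same header with PHP text
// appended, and plain text saved under an image extension.
$gifHeader = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff";
$samples = [
    'avatar.gif'     => $gifHeader,
    'avatar.php.gif' => $gifHeader . '<?php echo "polyglot";',
    'readme.gif'     => 'this is plain text, not an image',
];
foreach ($samples as $name => $bytes) {
    $findings = audit_upload($name, $bytes);
    printf("%-16s %s\n", $name, $findings ? implode('; ', $findings) : 'clean');
}
// For a real directory: print_r(audit_directory('/var/www/uploads'));
```

Run it from cron or after each deployment and treat any non-empty finding as an incident to look at, not something to auto-delete: the file itself is the evidence of how the upload check was bypassed.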
Well, that's it; it got a bit long. I hope my writing does no harm to anyone.