The logic behind the first vulnerability stems from a "feature" of cPanel which allows some aspects of email to remain operational even if an account is suspended. While cPanel disables certain email features, such as mailman, pipes to scripts added by the user are left active.

One feature of most email systems is that an email address can be forwarded (piped) to a script: an incoming email acts as a "trigger" to execute that script. A common use for this is an auto-responder which adds a user to a database and sends them a series of emails.

The fact that this stays active after an account has been suspended poses a huge security risk, since a malicious user, or a hacker who has compromised a cPanel account, can add a forwarder to a script which spawns a reverse shell back to them for later use, on demand, in the event the account gets suspended. Such scripts are widely available on many sites, including one of my favorites, PenTest Monkey: /tools/web-shells/perl-reverse-shell

For the purpose of this proof of concept, shell access will be set to "Disabled Shell" in WHM for the user I'm testing with. Once in a reverse shell the attacker can do many things, such as run perl scripts, crash the server, send spam, look at other users' files, exfiltrate data, and, in the case of an additional security vulnerability, possibly escalate their privileges.

I've created a fix for this issue using a single sed command, which adds a single character to any pipes in the email aliases file. Luckily, cPanel allows hooks when suspending or unsuspending an account, so you can use those hooks to comment out the forwarder line in the /etc/valiases/domain file for every domain which is part of the account in question.

To make use of these hooks, enter the following code in /scripts/postsuspendacct:

for i in `/bin/cat /etc/userdomains | /bin/grep ": $
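As an added example (not the post's own script), here is a hook body implementing the fix described above for both the suspend and unsuspend sides. It assumes the hook receives the cPanel username as its first argument, that /etc/userdomains lines read "domain: user", and it takes a ROOT prefix so the functions can be exercised against a constructed directory tree instead of the live /etc.

```shell
#!/bin/sh
# Added example, not the original post's script. Comments out every pipe
# forwarder ("address: "|/path/script"") in /etc/valiases/<domain> for each
# domain owned by the suspended account, and reverses that on unsuspend.
# Assumptions (not from the post): the hook receives the cPanel username as
# $1, /etc/userdomains lines read "domain: user", and ROOT may point at a
# constructed directory tree so the functions can be run offline.
ROOT="${ROOT:-}"

# List the domains that /etc/userdomains maps to the given user.
domains_for_user() {
    grep ": $1\$" "${ROOT}/etc/userdomains" | cut -d: -f1
}

# Prefix '#' to each uncommented alias line containing a pipe; print how many
# lines were changed. Writing via a temp file keeps this portable across seds.
disable_pipes() {
    f="$1"
    [ -f "$f" ] || { echo 0; return 0; }
    n=$(grep -c '^[^#].*|' "$f" || true)
    sed 's/^\([^#].*|.*\)$/#\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "$n"
}

# Reverse of disable_pipes for the post-unsuspend hook. Caveat: it also
# uncomments any pipe line the user had commented out before suspension.
enable_pipes() {
    f="$1"
    [ -f "$f" ] || { echo 0; return 0; }
    n=$(grep -c '^#.*|' "$f" || true)
    sed 's/^#\(.*|.*\)$/\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "$n"
}

# Apply one of the two actions to every domain of the account; print the
# total number of alias lines touched so the hook can log it.
apply_to_account() {
    action="$1"; user="$2"; total=0
    for d in $(domains_for_user "$user"); do
        n=$("$action" "${ROOT}/etc/valiases/$d")
        total=$((total + n))
    done
    echo "$total"
}

suspend_hook()   { apply_to_account disable_pipes "$1"; }
unsuspend_hook() { apply_to_account enable_pipes "$1"; }
```

In the real /scripts/postsuspendacct the body reduces to `suspend_hook "$1"` (and `unsuspend_hook "$1"` in the unsuspend hook); the count it prints is useful to write to the hook's log so that suspensions which touched forwarders are visible in review.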