
Creating & uploading a backdoor to a target

In this tutorial, we are going to create a PHP backdoor that will allow us access to our target on demand. With this method, there is no need to hack the target again: once our backdoor has been uploaded, we can easily gain access at any time.

Let's open up weevely on our Kali system.
As you can see, we are greeted with the commands that are necessary for using weevely.

[Image: 1.png]


From here, we need to generate a backdoor. When doing so, we need to state a password for connecting to our backdoor (HS.php), and the path of our save location.

[Image: 2.png]
Once we press enter, we are informed that the backdoor has been created in our save location, along with the password that we configured for it.

I chose to save the backdoor (HS.php) on my desktop; therefore, that's where I see it appear:

[Image: 4.png] 

Now we need to find a website that allows us to upload files.
Note: We need to consider whether the website will allow us to upload our file type (.php). 
[Image: 5.png]


Unfortunately, our .php file was rejected as an upload file type:

[Image: 6.png]


The error message "Your image was not uploaded" tells us that it is expecting the file to contain an extension related to an image file type.

To bypass this issue, let's rename our backdoor so that it ends in an image extension.
As shown below, .jpg is added after .php. As far as the file name is concerned, our backdoor is now an image file.

[Image: 7.png]




[Image: 8.png] 


It worked! Now we need to find the specific location of our backdoor.
This leads us to discover the following URL:

[Image: 9.png]
We have now got our backdoor uploaded to our target!
To connect to our backdoor, we need to return to weevely.
Weevely needs to know the location of the backdoor and its password.
[Image: 10.png]

We have now successfully hacked into our target by connecting to our backdoor.

[Image: 12.png]

If we are unfamiliar with what commands we can use, we can type help.

[Image: 13.png]

The above commands provide us with a great choice. Personally, first, I prefer to check the contents of our current location, by typing ls.

We can see that our backdoor (HS.php.jpg) is uploaded in this location along with a few other files. The file accounts.txt.jpg catches my attention. Not only because the file is named accounts, but it seems the real file type is being hidden as a .jpg file.

[Image: 14.png]
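Seen from the defender's side, this directory listing is what a scan of an upload folder should surface: files whose image extension does not match their content, which is also why a check on the file name alone accepted the renamed backdoor. The following is an added example, not part of the original tutorial; the function names are illustrative and the file contents in `demo()` are constructed.

```python
import tempfile
from pathlib import Path

IMAGE_MAGIC = {  # leading bytes of the image types an upload form expects
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = b"<?php"


def inspect_upload(name, data):
    """Return the reasons a stored upload looks suspicious (empty list = clean)."""
    reasons = []
    ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if name.count(".") > 1:
        reasons.append("more than one extension in the name")
    magic = IMAGE_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        reasons.append("content is not a real " + ext + " image")
    if PHP_TAG in data:
        reasons.append("contains a PHP open tag")
    return reasons


def scan_upload_dir(path):
    """Map each suspicious file name directly under path to its reasons."""
    findings = {}
    for f in sorted(Path(path).iterdir()):
        reasons = inspect_upload(f.name, f.read_bytes()) if f.is_file() else []
        if reasons:
            findings[f.name] = reasons
    return findings


def demo():
    """Scan a constructed upload directory that mirrors the listing above."""
    samples = {  # constructed contents, not taken from the page
        "HS.php.jpg": b"<?php /* constructed placeholder, no payload */ ?>",
        "accounts.txt.jpg": b"constructed plain-text data\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return scan_upload_dir(tmp)

if __name__ == "__main__":
    print(demo())
```

The same `inspect_upload` check can run at upload time, before the file is stored, so that a name ending in .jpg is accepted only when the bytes are an image as well.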

Let's take a closer look by downloading that file. According to the commands list, to download it, we need to type file_download <file name> <save location>
[Image: 15.png]

[Image: 16.png]

The error 500 can be ignored. We now simply surf to the file's save location.

[Image: 16.png]

Once we have located the downloaded file, we can remove the extension .jpg, which leaves the file as accounts.txt

[Image: 17.png]

The file opens perfectly as a .txt file, and shows us the following contents:

[Image: 18.png]