From 0e8dac15558210677eb55fc269c1fa02c1266411 Mon Sep 17 00:00:00 2001 From: Jacopo Cavallo Date: Mon, 15 May 2023 19:25:30 +0200 Subject: [PATCH 1/3] add carriage return backdoor --- README.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 12f7a10..feaef3e 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Background reverse shell](#backdoor-background-reverse-shell) 1. [authorized_keys](#backdoor-auth-keys) 1. [Remote access an entire network](#backdoor-network) + 1. [Carriage return backdoor](#carriage-return-backdoor) 1. [Shell Hacks](#shell-hacks) 1. [Shred files (secure delete)](#shred) 1. [Restore the date of a file](#restore-timestamp) @@ -1027,12 +1028,28 @@ gs-netcat -p 1080 # Your workstation. # Access route.local:22 on the Host's private LAN from your Workstation: socat - "SOCKS4a:127.1:route.local:22" ``` + Read [Use any tool via Socks Proxy](#scan-proxy). Other methods: * [Gost/Cloudflared](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) - our very own article * [Reverse Wireguard](https://thc.org/segfault/wireguard) - from segfault.net to any (internal) network. + +**6.iv. Carriage Return Backdoor** + +This method allows to hide from cat the malicious content of a file with a simple carriage return character: +```sh +bash$ echo -e "\r" > /var/www/html/test.php +bash$ cat test.php + +bash$ php test.php +hello world this is a test +bash$ strings test.php + + +bash$ +``` --- ## 7. Shell Hacks @@ -1368,7 +1385,8 @@ System Information Gathering Backdoors 1. https://www.gsocket.io/deploy - The world's smallest backdoor 1. https://github.com/m0nad/Diamorphine - Linux Kernel Module for hiding processes and files -1. https://www.kali.org/tools/weevely - PHP backdoor +1. https://www.kali.org/tools/weevely - PHP backdoor +1. https://www.hahwul.com/2019/01/23/php-hidden-webshell-with-carriage/ - Carriage Return backdoor Scanners 1. https://github.com/robertdavidgraham/masscan - Scan the entire Internet From 1ac25d33c5a9cb3977783c13fe7cf464cacbac0d Mon Sep 17 00:00:00 2001 From: Jacopo Cavallo Date: Mon, 15 May 2023 19:28:59 +0200 Subject: [PATCH 2/3] fixed spaces --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index feaef3e..98bc66c 100644 --- a/README.md +++ b/README.md @@ -1041,9 +1041,9 @@ Other methods: This method allows to hide from cat the malicious content of a file with a simple carriage return character: ```sh bash$ echo -e "\r" > /var/www/html/test.php -bash$ cat test.php +bash$ cat test.php -bash$ php test.php +bash$ php test.php hello world this is a test bash$ strings test.php From 420f3d46c0a107a8e6a245b900922382faa61430 Mon Sep 17 00:00:00 2001 From: Jacopo Cavallo Date: Mon, 15 May 2023 19:32:32 +0200 Subject: [PATCH 3/3] fixed typo --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 98bc66c..fd83c6d 100644 --- a/README.md +++ b/README.md @@ -1028,7 +1028,6 @@ gs-netcat -p 1080 # Your workstation. # Access route.local:22 on the Host's private LAN from your Workstation: socat - "SOCKS4a:127.1:route.local:22" ``` - Read [Use any tool via Socks Proxy](#scan-proxy). Other methods: