I want to recommend this tool http://code.google.com/p/knull-shell/downloads/detail?name=knull-shellv1-beta.php for testing security issues.
With it I was able to hack into one of my client’s web servers (literally the server that hosted the web application) and was able to create folders and delete files.
The script can be used for hacking a web application in places where you can upload images or any other files.
Example of a scenario:
1) Check if the web app has a section to upload an image (usually the user profile).
2) Use an image with a specific name that you can recognize and upload it.
3) After upload and storage, check where the image is now located (check if the name is intact; check if the size is the same).
4) If the image is stored with the same name or is not altered, you can try uploading the knull-shell script and then check the URL.
5) If the URL of the stored file ends in …/some_location/knull-shellv1-beta.php and permissions are set badly, you can try to execute that script by opening that URL.
6) If you are successful you should have something like this:
and you should have something like this
Now you can try to see how far you can go!
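
The scenario above only works when the application keeps the client's file name, stores the bytes unaltered regardless of type, and leaves the stored file executable. As an added example (not part of the original post), here is a Python sketch of an upload handler that closes those three conditions; the function names, size limit and sample bytes are assumptions made for illustration.

```python
import os
import secrets
import tempfile

# Magic-byte prefixes for the image types this handler accepts.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


def sniff_extension(data: bytes):
    """Return the extension implied by the content, or None if not an image."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, client_name: str, dest_dir: str) -> str:
    """Store an upload under a server-chosen name and return that name.

    client_name is used only in the error message: the stored name and
    extension never come from the client (steps 3 to 5 rely on them).
    """
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError(f"rejected {client_name!r}: not an allowed image")
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(dest_dir, stored_name)
    # O_EXCL never overwrites an existing file; mode 0o640 has no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored_name


if __name__ == "__main__":
    uploads = tempfile.mkdtemp()  # stands in for a directory outside the web root
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32           # constructed sample
    script = b"<?php /* constructed placeholder */ ?>"  # constructed sample
    print(store_upload(png, "avatar.php", uploads))
    try:
        store_upload(script, "knull-shellv1-beta.php", uploads)
    except ValueError as exc:
        print(exc)
```

A magic-byte check alone can be satisfied by a file that starts with image bytes and continues with script code, so the server-chosen image extension and a storage location the web server does not execute from are what keep an accepted file inert.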