Web shells
All about shells
Shell Type | Description |
---|---|
Reverse shell | Initiates a connection back to a "listener" on our attack box. |
Bind shell | "Binds" to a specific port on the target host and waits for a connection from our attack box. |
Web shell | Runs operating system commands via the web browser, typically not interactive or semi-interactive. It can also be used to run single commands (i.e., leveraging a file upload vulnerability and uploading a PHP script to run a single command). |
Preconfigured web shells in Kali Linux
Go to /usr/share/webshells/
Other resources
See reverse shells
A Web Shell is typically a web script that accepts our command through HTTP request parameters, executes our command, and prints its output back on the web page.
A web shell script is typically a one-liner that is very short and can be memorized easily.
Some basic web shells
asp
jsp
php
How to exploit a web shell
File upload vs Remote code execution
1. FILE UPLOAD: By abusing an upload feature. We would place this web shell script into the remote host's web directory to execute the script through the web browser.
2. REMOTE CODE EXECUTION: By writing our one-liner shell to the webroot to access it over the web. This applies if we only have remote command execution as an exploit vector. Here is an example for bash:
So, for the second way of exploitation, it's relevant to identify where the webroot is. The following are the default webroots for common web servers:
Web Server | Default Webroot |
---|---|
Apache | /var/www/html/ |
Nginx | /usr/local/nginx/html/ |
IIS | c:\inetpub\wwwroot\ |
XAMPP | C:\xampp\htdocs\ |
Accessing the web shell
We can access the web shell using the browser, or with curl:
A benefit of a web shell is that it would bypass any firewall restriction in place, as it does not open a new connection on a separate port but runs over the web port (80 or 443, or whatever port the web application is using).
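Because a web shell rides on the web port, the place to spot one is the HTTP layer rather than the firewall. The following is an added example, not part of the original notes: it scans access-log lines for requests that pass an OS-command-like parameter value to a server-side script. It assumes the Apache/Nginx "combined" log format; the keyword list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script extensions matching the web shell types listed in these notes.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")
# Assumed heuristic: parameter values that start with a common OS command.
CMD_RE = re.compile(
    r"^\s*(id|whoami|uname|hostname|ipconfig|ifconfig|ls|dir|cat|type|pwd)\b", re.I)
# "combined" log format: client ip, ..., [timestamp], "METHOD target proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def suspicious_requests(lines):
    """Return (client_ip, path, param, value) for requests that hand an
    OS-command-like value to a server-side script that answered 200."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if status != "200" or not url.path.lower().endswith(SCRIPT_EXT):
            continue
        # parse_qsl URL-decodes values, so "cat%20/etc/hosts" is matched too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if CMD_RE.match(value):
                hits.append((ip, url.path, name, value))
    return hits

# Constructed sample log lines (documentation IP ranges, not a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:02:10 +0000] "GET /uploads/img.php?c=id HTTP/1.1" 200 54 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:02:31 +0000] "GET /uploads/img.php?c=cat%20/etc/hosts HTTP/1.1" 200 221 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:03:00 +0000] "GET /search.jsp?q=identity+theft HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:03:05 +0000] "GET /old.asp?x=whoami HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Commands sent in a POST body do not appear in a standard access log, so this check only covers query-string use and should be paired with monitoring of new script files under the webroot.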