# Shells & Payloads: Web Shells Overview

## Web Shells Overview

* **Web Apps as Targets:**
  * A common attack vector in external pentests (file uploads, SQLi, RFI/LFI, etc.).
  * Password spraying and social engineering are also key methods of gaining a foothold.
* **Web Shell Upload:**
  * Web shells are often uploaded via file upload forms, profile picture uploads, or misconfigured services (e.g., Tomcat, FTP).
* **What is a Web Shell?**
  * Browser-based shell for interacting with the server OS.
  * Gained via file upload vulnerabilities.
  * Allows remote code execution (RCE), but can be unstable.
* **Persistence:**
  * Web shells may be deleted over time; typically upgraded to a more stable reverse shell.

## Laudanum Web Shell

* **What is Laudanum?**
  * A collection of pre-made web shell files for multiple languages (PHP, JSP, ASP, etc.).
  * Allows reverse shell access and command execution via a browser.
  * Built into Parrot OS and Kali; other distros need manual installation.
* **Working with Laudanum:**
  * Found in `/usr/share/laudanum` on Kali/Parrot.
  * Modify the shell files (e.g., add the attacker's IP) before use.
  * Read the comments in each file for correct usage.
* **Using Laudanum:**
  * Copy shell file (e.g., `shell.aspx`) to a new location:
    * `cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx`
  * Set the IP in the shell file to your attacking host's IP.
  * Upload shell via the vulnerable web app (e.g., upload function on status page).
* **Accessing the Shell:**
  * After upload, navigate to the shell path (e.g., `status.inlanefreight.local/files/demo.aspx`).
  * Once accessed, issue commands (e.g., `systeminfo`) to interact with the server.

## Antak Webshell

* **ASPX Overview:**
  * **ASPX (Active Server Pages Extended)**: Used with ASP.NET on Windows servers to generate web forms and handle user data.
  * ASPX-based web shells allow remote control of Windows systems via the web server.
* **Antak Webshell:**
  * **Antak**: An ASPX web shell that is part of the Nishang project, using PowerShell to interact with Windows servers.
  * **Location**: `/usr/share/nishang/Antak-WebShell`.
  * Powerful: Executes commands as new processes, runs scripts in memory, and encodes commands.
* **Working with Antak:**
  * Copy shell to a working directory:
    * `cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx`
  * Modify the shell: Add credentials (user/pass) for security, remove ASCII art/comments to evade detection.
* **Using Antak:**
  * Upload the modified shell to a web application.
  * Access via the browser and enter credentials to interact with the system.
  * Run PowerShell commands, upload/download files, and execute encoded scripts through the web shell.
  * Start with `help` to explore available commands.

## PHP Web Shells

* **PHP Overview:**
  * **PHP**: A widely used open-source scripting language, essential for dynamic web pages. Powers 78.6% of websites (W3Techs, 2021).
  * PHP executes server-side, so pre-written payloads can be used to exploit vulnerabilities and gain a web shell or reverse shell.
* **Practical Example (rConfig):**
  * **rConfig**: A PHP web app for network device management. Can be targeted for web shell upload.
  * **Target:** Upload a PHP web shell via the "Add Vendor" page, which restricts uploads to `.png`, `.jpg`, and `.gif` files.
* **Exploiting File Upload Restriction:**
  * **Burp Suite**: Used to intercept and modify the request to bypass file type restrictions by changing the `Content-Type` header to `image/gif` for a `.php` file.
  * **Process:**
    * Configure browser to use Burp as a proxy.
    * Upload the PHP web shell via the "Browse" button.
    * Modify `Content-Type` from `application/x-php` to `image/gif` in Burp.
    * Forward the request and complete the upload.
* **Using the Web Shell:**
  * Once uploaded, navigate to `/images/vendor/connect.php` on the rConfig server to trigger the PHP shell and gain command execution on the server.
  * **Result**: Non-interactive shell session in the browser, where commands can be executed on the OS.
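The bypass above works because the server decides on the client-supplied `Content-Type` header alone. The following added example (not rConfig's code, and not from the original notes) contrasts that weak check with a validator that ignores the header and inspects the file itself: extension allowlist, double-extension rejection, magic-byte sniffing, and a scan for script markers so that a `GIF89a` header glued to PHP (a polyglot) is still refused. Sample filenames and bodies are constructed; the PHP bodies are harmless markers, not shells.

```python
import re

# Magic bytes of the image types the vendor-logo upload is meant to accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
SCRIPT_EXT = {"php", "phtml", "php5", "asp", "aspx", "jsp"}
# Markers that have no business inside an image body.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%", re.IGNORECASE)


def weak_check(filename: str, content_type: str, body: bytes) -> bool:
    """The flawed pattern exploited in the walkthrough: the server trusts the
    client-supplied Content-Type header, which a proxy can rewrite to image/gif."""
    return content_type in {"image/png", "image/jpeg", "image/gif"}


def sniff_image_type(body: bytes):
    """Identify the image format from its leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def hardened_check(filename: str, content_type: str, body: bytes):
    """Validation that ignores content_type entirely and inspects the file.
    Returns (accepted, reason)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    # Double extensions such as shell.php.gif are rejected outright.
    if any(p in SCRIPT_EXT for p in parts[1:-1]):
        return False, "script extension in filename"
    kind = sniff_image_type(body)
    if kind is None:
        return False, "content is not an image"
    if kind != ("jpg" if ext == "jpeg" else ext):
        return False, "extension does not match content"
    # A valid GIF header followed by PHP passes the magic check, so scan the body too.
    if SCRIPT_MARKERS.search(body):
        return False, "script markers inside image body"
    return True, "ok"


if __name__ == "__main__":
    # Constructed upload attempts; the PHP bodies are markers, not working shells.
    samples = [
        ("connect.php", "image/gif", b"<?php /* constructed marker */ ?>"),
        ("logo.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
        ("poly.gif", "image/gif", b"GIF89a<?php /* constructed marker */ ?>"),
    ]
    for name, ctype, body in samples:
        print(name, "weak:", weak_check(name, ctype, body),
              "hardened:", hardened_check(name, ctype, body))
```

Two design notes: the marker scan can false-positive on binary image data that happens to contain `<%`, so a production validator usually re-encodes the image through an image library instead of pattern-matching the bytes; and even an accepted file should be stored under a server-generated name outside the web root (or in a directory with script execution disabled), so that a bypass of the validator does not by itself yield code execution.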

## Considerations with Web Shells

* Web apps may auto-delete files after a period.
* Limited interactivity may hinder progress (e.g., chaining commands like `whoami && hostname`).
* Web shells can be unstable and easily detectable.
* In engagements, aim for stealth: delete payload after establishing a reverse shell to avoid detection.
* **Documentation**: Track methods, payload names, upload locations, and hashes (e.g., SHA1, MD5) for reporting.
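Web shells are "easily detectable" partly because their use leaves an obvious trace: a script file being requested from a directory that should only ever serve static uploads, usually followed by repeated POSTs to that same file as commands are issued. The following added example (not from the original notes, and not a tool of any project named here) parses combined-format web server log lines and flags exactly that pattern. The log lines, the `/vendors.php` upload endpoint and the upload-directory list are constructed for the example; the shell paths echo the ones used on this page.

```python
import re
from collections import Counter
from typing import Dict, List

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Directories that should only ever serve static uploads (assumed for this example).
UPLOAD_DIRS = ("/images/vendor/", "/files/")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp")

# Constructed sample log; not captured from any real system.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login.php HTTP/1.1" 200 1532
10.10.14.5 - - [12/Mar/2024:10:02:15 +0000] "POST /vendors.php HTTP/1.1" 302 0
10.10.14.9 - - [12/Mar/2024:10:02:30 +0000] "GET /images/vendor/logo.gif HTTP/1.1" 200 4123
10.10.14.5 - - [12/Mar/2024:10:02:40 +0000] "GET /images/vendor/connect.php HTTP/1.1" 200 211
10.10.14.5 - - [12/Mar/2024:10:02:41 +0000] "POST /images/vendor/connect.php HTTP/1.1" 200 57
10.10.14.5 - - [12/Mar/2024:10:02:43 +0000] "POST /images/vendor/connect.php HTTP/1.1" 200 64
10.10.14.5 - - [12/Mar/2024:10:05:00 +0000] "GET /files/demo.aspx HTTP/1.1" 200 880
garbage line that does not parse
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so matching is not fooled by ?x=.gif style suffixes.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def is_script_in_upload_dir(path: str) -> bool:
    """True when a server-side script is being served from an upload-only directory."""
    p = path.lower()
    return p.startswith(UPLOAD_DIRS) and p.endswith(SCRIPT_EXT)


def find_webshell_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed request that executes a script from an upload directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_in_upload_dir(rec["path"]):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"]})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count (client, path) pairs; repeated requests to one script are the web-shell signature."""
    return Counter((h["ip"], h["path"]) for h in hits)


if __name__ == "__main__":
    found = find_webshell_requests(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"])
    for (ip, path), n in summarize(found).items():
        print(f"{ip} hit {path} {n} time(s)")
```

The same check is cheap to run as an alert rule: a single request to a script under an upload directory already warrants a look, and a burst of POSTs from one client to that script matches how browser-based shells such as the ones above are driven. On the blue-team side this is also why the engagement notes recommend recording payload names, upload locations and file hashes: those are precisely the values a responder needs to confirm the finding and clean up the file.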
