Shells & Payloads: Web Shells Overview
Web Shells Overview
Web Apps as Targets:
Common attack vector in external pentests (file uploads, SQLi, RFI/LFI, etc.).
Password spraying and social engineering are also key methods.
Web Shell Upload:
Web shells often uploaded via file upload forms, profile pic uploads, or misconfigurations (e.g., Tomcat, FTP).
What is a Web Shell?
Browser-based shell for interacting with the server OS.
Gained via file upload vulnerabilities.
Allows remote code execution (RCE), but can be unstable.
Persistence:
Web shells may be deleted over time; typically upgraded to a more stable reverse shell.
Laudanum Web Shell
What is Laudanum?
A collection of pre-made web shell files for multiple languages (PHP, JSP, ASP, etc.).
Allows reverse shell access and command execution via a browser.
Built into Parrot OS and Kali; other distros need manual installation.
Working with Laudanum:
Found in /usr/share/laudanum on Kali/Parrot. Modify the shell files (e.g., add the attacker's IP) before use.
Read the comments in each file for correct usage.
Using Laudanum:
Copy the shell file (e.g., shell.aspx) to a new location: cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx
Change the IP in the shell file to your attacking host's IP.
Upload shell via the vulnerable web app (e.g., upload function on status page).
Accessing the Shell:
After upload, navigate to the shell path (e.g., status.inlanefreight.local/files/demo.aspx). Once accessed, issue commands (e.g., systeminfo) to interact with the server.
Antak Webshell
ASPX Overview:
ASPX (Active Server Pages Extended): Used with ASP.NET on Windows servers to generate web forms and handle user data.
ASPX-based web shells allow remote control of Windows systems via the web server.
Antak Webshell:
Antak: An ASPX web shell part of the Nishang project, utilizing PowerShell for interacting with Windows servers.
Location: /usr/share/nishang/Antak-WebShell. Powerful: executes commands as new processes, runs scripts in memory, and encodes commands.
Working with Antak:
Copy the shell to a working directory: cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx
Modify the shell: add credentials (user/pass) for security and remove the ASCII art/comments to evade detection.
Using Antak:
Upload the modified shell to a web application.
Access via the browser and enter credentials to interact with the system.
Run PowerShell commands, upload/download files, and execute encoded scripts through the web shell.
Start with help to explore the available commands.
PHP Web Shells
PHP Overview:
PHP: A widely used open-source scripting language, essential for dynamic web pages. Powers 78.6% of websites (W3Techs, 2021).
PHP is processed server-side, so pre-written payloads can be used to exploit vulnerabilities and gain a shell or reverse shell on the server.
Exploiting File Upload Restriction:
Burp Suite: used to intercept and modify the upload request, bypassing the file type restriction by changing the Content-Type header to image/gif for a .php file.
Process:
Configure the browser to use Burp as a proxy.
Upload the PHP web shell via the "Browse" button.
In Burp, change Content-Type from application/x-php to image/gif.
Forward the request and complete the upload.
Using the Web Shell:
Once uploaded, navigate to /images/vendor/connect.php on the rConfig server to trigger the PHP shell and gain command execution on the server.
Result: a non-interactive shell session in the browser, where commands can be executed on the OS.
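A defender-side check for the upload path described above, added here as an example and not part of the original notes: it rejects the ".php with Content-Type image/gif" upload by judging the file by its name and magic bytes rather than the client-supplied header, sweeps an existing upload directory (such as images/vendor) for files that fail the same check, and records the SHA1/MD5 of each finding for reporting. The image allowlist, directory layout and sample files are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# Assumed allowlist: the upload form is meant to accept only these image types.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",)}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify_upload(filename: str, content_type: str, data: bytes) -> dict:
    """Judge an upload by its name and bytes, never by the client-supplied Content-Type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if ext not in MAGIC:
        reasons.append(f"extension '.{ext}' not in image allowlist")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("magic bytes do not match extension")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag found in file body")
    if content_type.startswith("image/") and ext not in MAGIC:
        # The bypass described above: header says image/gif, filename says .php.
        reasons.append(f"Content-Type {content_type} contradicts filename")
    return {"accepted": not reasons, "reasons": reasons,
            "sha1": hashlib.sha1(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}

def sweep_upload_dir(root: str) -> list:
    """Re-check files already on disk; returns (relative path, sha1, reasons) per finding."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            verdict = classify_upload(name, "", data)
            if not verdict["accepted"]:
                findings.append((os.path.relpath(full, root), verdict["sha1"], verdict["reasons"]))
    return sorted(findings)

def demo() -> list:
    """Constructed sample upload tree: one genuine GIF header, one PHP file under images/vendor."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images", "vendor"))
    with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 16)
    with open(os.path.join(root, "images", "vendor", "connect.php"), "wb") as fh:
        fh.write(b"<?php echo 'constructed sample, not a shell'; ?>")
    return sweep_upload_dir(root)
```

Running demo() reports only images/vendor/connect.php, with its SHA1 and the two reasons it fails; the genuine GIF passes.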
Considerations with Web Shells:
Web apps may auto-delete files after a period.
Limited interactivity may hinder progress (e.g., chaining commands like whoami && hostname).
Web shells can be unstable and easily detectable.
In engagements, aim for stealth: delete the payload after establishing a reverse shell to avoid detection.
Documentation: Track methods, payload names, upload locations, and hashes (e.g., SHA1, MD5) for reporting.