Web shells are the scripts
that are coded in different languages like PHP, Python, ASP, Perl and many
other languages which further use as backdoor for unauthorized access in any
server by uploading it on a web server.
Once the shell get uploaded on the target location,
the attacker may able to perform the read and write operation directly, he will
be able to edit any file or delete the file from the server.
Attacker: Kali
Linux
Target: Bwapp
Let’s begin!!!
B374k script
Open terminal and type
following command to download
b374k script from github.
Git clone https://github.com/b374k/b374k
This
is a PHP shell which provides reveres connection to the attacker machine and
where he can execute the command to retrieve victim’s information.
Following command will create a malicious file shell.php as the backdoor shell with password raj123.
Php –f index.php
-- -o shell.php –p raj123
Now let’s
open the target IP in browser: 192.168.1.103:81/bWAPP/login.php.
Enter user and password as bee and bug respectively.
Set security level low,
from list box chooses your bug select Unrestricted File Upload now and click
on hack.
Here
you can see the web server allow us to upload an image under the web page of
unrestricted file upload.
Click on browse to upload the shell.php in the web server and then click on upload.
Now
you can read the message from the screenshot that”image has been uploaded here” which means our php backdoor is
uploaded successfully. Now click on the link “here”.
Here required password to execute shell.php and I had given
raj123 as its password.
From given screenshot you can see, we are inside the
directory of images.
Click on terminal tab from menu bar
of b374k which will provide victims terminal to execute the desired commands.
From given image you can read the command which I have executed.
Lsb_release -a
Now I will connect b347k shell from netcat and try to
access victim’s shell. Open the terminal in kali Linux and type following
command for netcat.
Nc 192.168.0.103
8888
Inside
shell b347k from menu select network
option to open bind connection give IP of target:
192.168.0.103 as server IP and port 8888 now scroll down the list and select Perl then click on run.
This will give you reverse connection on netcat and from the
given screenshot you can read the victim information which I have got when I
execute the following commands.
Whoami
Cat/etc/passwd
C99shell script
Download c99shell from the given link
C99shell
is a PHP backdoor which provides details of files and folders when it get
uploaded and let you perform command execution through it.
This time again open web server IP in the browser to upload
the c99shell.php
Here you can read the message from the screenshot that”image has been uploaded here” which
means our php backdoor is uploaded successfully. Now click on the link “here”.
Here our php malicious file is executed where it is dumping the
names of 25 files. From screenshot you can see all files under images directory
are jpg, png, gif images.
Now select bind option from menu to connect
host from netcat. Repeat the same process to run netcat at the background and
then give host IP: 192.168.0.103 and
port: 8888 select using Perl and click on connect.
This will give you
reverse connection on netcat.
Weevely Web Shell
Weevely is a command line web shell dynamically extended
over the network at runtime, designed for remote server administration and
penetration testing.
Its
terminal executes arbitrary remote code through the small footprint PHP agent
that sits on the HTTP server. Over 30 modules shapes an adaptable web
administration and post-exploitation backdoor for access maintenance, privilege
escalation and network lateral movement, even in restricted environment.
Open the terminal and type
following command which will create a web shell as backdoor.php on the Desktop with password pass.
weevely generate raj123
/root/Desktop/weevely.php
Open
the target location where you want to upload your backdoor. Now I am going to browse weevely.php and then click on upload to upload your web shell. Now you can see from the given
screenshot the weevely.php has been successfully uploaded.
Make right click on the link “here” and click on copy link location.
Again
type following command to start the attack on the web server and post above
copied URL with password raj123 inside the weevely command.
Now
you can see that I have got victim shell through Weevely. Now type following command to retrieve victim’s information.
Whoami
Cat/etc/password
Type help in
front of weevely which will show all module present inside it.
WSO script
Download this script from given link.
This
also a PHP script which is quite similar to c99shell.php & b347k.php shells
and perform same function as c99 script.
Again repeat the same process to upload wso2.5.1.php script inside the bwapp then click on link “here”.
After
executing the shell, you will see it has retrieved the basic information of
target and dump the files and folder names.
Now all options are same as above, now try yourself to
connect this shell with netcat.
0 comments:
Post a Comment