Through this article I would like to share file uploading using different type web shell scripts on a web server and try to get unauthorized access in the server.
Web shells are the scripts that are coded in different languages like PHP, Python, ASP, Perl and many other languages which further use as backdoor for unauthorized access in any server by uploading it on a web server.
Once the shell get uploaded on the target location, the attacker may able to perform the read and write operation directly, he will be able to edit any file or delete the file from the server.
Attacker: Kali Linux
Open terminal and type following command to download b374k script from github.
Git clone https://github.com/b374k/b374k
This is a PHP shell which provides reveres connection to the attacker machine and where he can execute the command to retrieve victim’s information.
Following command will create a malicious file shell.php as the backdoor shell with password raj123.
Php –f index.php -- -o shell.php –p raj123
Now let’s open the target IP in browser: 192.168.1.103:81/bWAPP/login.php. Enter user and password as bee and bug respectively.
Set security level low, from list box chooses your bug select Unrestricted File Upload now and click on hack.
Here you can see the web server allow us to upload an image under the web page of unrestricted file upload.
Click on browse to upload the shell.php in the web server and then click on upload.
Now you can read the message from the screenshot that”image has been uploaded here” which means our php backdoor is uploaded successfully. Now click on the link “here”.
Here required password to execute shell.php and I had given raj123 as its password.
From given screenshot you can see, we are inside the directory of images.
Click on terminal tab from menu bar of b374k which will provide victims terminal to execute the desired commands. From given image you can read the command which I have executed.
Now I will connect b347k shell from netcat and try to access victim’s shell. Open the terminal in kali Linux and type following command for netcat.
Nc 192.168.0.103 8888
Inside shell b347k from menu select network option to open bind connection give IP of target: 192.168.0.103 as server IP and port 8888 now scroll down the list and select Perl then click on run.
This will give you reverse connection on netcat and from the given screenshot you can read the victim information which I have got when I execute the following commands.
Download c99shell from the given link
C99shell is a PHP backdoor which provides details of files and folders when it get uploaded and let you perform command execution through it.
This time again open web server IP in the browser to upload the c99shell.php
Here you can read the message from the screenshot that”image has been uploaded here” which means our php backdoor is uploaded successfully. Now click on the link “here”.
Here our php malicious file is executed where it is dumping the names of 25 files. From screenshot you can see all files under images directory are jpg, png, gif images.
Now select bind option from menu to connect host from netcat. Repeat the same process to run netcat at the background and then give host IP: 192.168.0.103 and port: 8888 select using Perl and click on connect.
This will give you reverse connection on netcat.
Weevely Web Shell
Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.
Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shapes an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environment.
Open the terminal and type following command which will create a web shell as backdoor.php on the Desktop with password pass.
weevely generate raj123 /root/Desktop/weevely.php
Open the target location where you want to upload your backdoor. Now I am going to browse weevely.php and then click on upload to upload your web shell. Now you can see from the given screenshot the weevely.php has been successfully uploaded.
Make right click on the link “here” and click on copy link location.
Again type following command to start the attack on the web server and post above copied URL with password raj123 inside the weevely command.
Now you can see that I have got victim shell through Weevely. Now type following command to retrieve victim’s information.
Type help in front of weevely which will show all module present inside it.
Download this script from given link.
This also a PHP script which is quite similar to c99shell.php & b347k.php shells and perform same function as c99 script.
Again repeat the same process to upload wso2.5.1.php script inside the bwapp then click on link “here”.
After executing the shell, you will see it has retrieved the basic information of target and dump the files and folder names.
Now all options are same as above, now try yourself to connect this shell with netcat.