Upload Exploitation
Core Technique: The final step in exploiting file upload vulnerabilities - deploying web shells and reverse shells for remote code execution
Overview
The final step in exploiting file upload vulnerabilities is to upload malicious scripts in the same language as the web application, such as web shells or reverse shell scripts. Once we upload our malicious script and visit its link, we can interact with it to take control over the back-end server.
Web Shells
Interactive Control: Web-based command execution interfaces for compromised servers
Using Existing Web Shells
We can find many excellent web shells online that provide useful features, like directory traversal or file transfer. One good option for PHP is phpbash, which provides a terminal-like, semi-interactive web shell.
SecLists Web Shell Collection:
Location: /opt/useful/seclists/Web-Shells/
Languages: PHP, ASP, ASPX, JSP, Perl, Python
Features: Various functionality levels from basic to advanced
Deployment Process
Download appropriate web shell for target language (PHP, ASP.NET, etc.)
Upload through vulnerable upload feature
Navigate to uploaded file location
Interact with the web shell interface
Example phpbash deployment:
Expected output:
Web Shell Advantages
Easy to use - Terminal-like interface
File management - Upload/download capabilities
Directory traversal - Navigate server filesystem
Command execution - Run system commands
Persistent access - Remains until removed
Writing Custom Web Shell
Manual Creation: Building simple but effective web shells when online tools aren't available
PHP Web Shell
Basic PHP Web Shell:
Usage:
Example execution:
Enhanced PHP Web Shell
Improved version with better formatting:
ASP.NET Web Shell
Basic .NET Web Shell:
Usage:
Viewing Output in Browser
Pro Tip: When using custom web shells in browsers, use source-view (Ctrl+U) to see command output as it would appear in terminal, without HTML rendering affecting the formatting.
Reverse Shell
Direct Connection: Establish reverse connection back to attacker machine for full interactive shell
Using Existing Reverse Shell Scripts
Popular Reverse Shell Resources:
Pentestmonkey PHP Reverse Shell - Reliable and feature-rich
SecLists Reverse Shells - Multiple languages and frameworks
RevShells.com - Online reverse shell generator
Pentestmonkey PHP Reverse Shell Setup
Step 1: Download and Configure
Step 2: Start Netcat Listener
Step 3: Upload and Execute
Expected Connection:
Reverse Shell Advantages
Full interactive shell - Complete terminal functionality
Better stability - More reliable than web shells
Direct connection - No need for web interface
File transfer capabilities - Easy upload/download
Tunneling possibilities - Can tunnel other tools
Generating Custom Reverse Shell Scripts
Automated Creation: Using msfvenom to generate custom reverse shell payloads
msfvenom Reverse Shell Generation
PHP Reverse Shell:
JSP Reverse Shell:
ASPX Reverse Shell:
WAR Reverse Shell (Tomcat):
msfvenom Advantages
Bypass restrictions - May evade certain security filters
Multiple formats - Various output formats available
Custom encoding - Built-in evasion techniques
Framework specific - Optimized for different web technologies
HTB Academy Lab Solution
Target Information
Target: 94.237.49.23:52640
Objective: Upload web shell and retrieve /flag.txt
Technique: File upload exploitation
Step-by-Step Solution
Step 1: Create Simple Web Shell
Step 2: Upload Web Shell
Step 3: Execute Commands
Expected Flag Format:
Alternative Approaches
If basic upload fails:
Try different extensions: .phtml, .php3, .php4, .php5
Modify Content-Type: Change to image/jpeg while keeping PHP content
Add magic bytes: Prepend GIF89a to PHP code
Use reverse shell: Deploy pentestmonkey or msfvenom payload
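Seen from the server side, the first three items in this list are exactly what an extension allowlist combined with content checks is meant to catch. The following is an added example, not part of the original notes; the function name check_upload, the image-only policy and the sample inputs are assumptions constructed for illustration.

```python
import os

# Assumed policy for this example: the application accepts only these image types.
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_OPEN_TAG = b"<?php"


def check_upload(filename, client_content_type, data):
    """Return the reasons to reject an upload; an empty list means accept.

    client_content_type is deliberately unused: the request header is chosen
    by the sender, so it carries no evidence about the file.
    """
    reasons = []
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    sigs = SIGNATURES.get(ext)
    if sigs is None:
        # Allowlist, not blocklist: .phtml, .php3, .php4, .php5 never match.
        reasons.append("extension not allowed")
    elif not data.startswith(sigs):
        # The bytes must agree with the extension, whatever the header says.
        reasons.append("signature mismatch")
    if PHP_OPEN_TAG in data.lower():
        # A valid GIF89a prefix does not stop PHP from parsing the rest.
        reasons.append("php tag in content")
    return reasons


# Constructed inputs, one per bypass in the list above plus a clean file.
SAMPLES = {
    "clean gif": ("avatar.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
    "alt extension": ("notes.phtml", "image/jpeg", b"<?php echo 1; ?>"),
    "spoofed type": ("photo.jpg", "image/jpeg", b"<?php echo 1; ?>"),
    "magic bytes": ("photo.gif", "image/gif", b"GIF89a<?php echo 1; ?>"),
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        print(label, "->", check_upload(*args) or "accept")
```

The tag scan is a detection heuristic. Storing uploads under a server-generated name in a directory the web server does not execute scripts from is the control that still holds when a check is missed.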
This comprehensive approach to upload exploitation provides the foundation for compromising web applications through file upload vulnerabilities, leading to full server compromise through web shells or reverse shells.