Exploiting web shells - working your way around blacklisted commands
Not so long ago I was working on one of the VulnHub VMs and at one point I stumbled upon a type of web shell. A find like this is a gold mine, as it presents an opportunity to execute commands remotely on the host, which can lead to all kinds of fun things. After a good hour of poking I eventually managed to get a reverse shell and move forward.
It took me longer than usual to get to that point, all because of certain precautions put in place by the shell developers to make my life harder. But as they say, "there is more than one way to skin a cat", and if there is a server (a web shell) that is willing to listen to us, we can always find a way to fool it into accepting what we have to say.
In our case, the following commands were black-listed inside the PHP code: ls, pwd, cat, ifconfig, nc, netcat.
Here is the list of possible workarounds.
Alternatives to 'ls'
printf '%s\n' *
echo *
printf '%s\n' .* *         # include dotfiles as well
printf '%s\n' *(D)         # zsh only: the (D) glob qualifier includes dotfiles
find . -name "*"
find . ! -name . -prune    # list the current directory without descending into it
lsattr
lsattr -a                  # to include hidden files like with ls
dir                        # make sure you 'man dir' as it takes many interesting options
Alternatives to 'cat'
strings <file>             # prints only printable runs, so fine for text files
grep "" <file>             # the empty pattern matches every line
head <file>                # first 10 lines only
head -c 50000000 <file>    # up to 50 MB, i.e. the whole file in practice
tail <file>                # last 10 lines only
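The lesson for anyone who builds a feature that runs user-supplied commands (admin panels, CI runners, not just web shells) is that a deny-list of program names is bypassed by synonyms, while an allow-list of programs and their permitted arguments is not. The following Python is an added example, not code from the post; it assumes the PHP filter behaved like a token-level name check (the post does not show its code) and uses the post's own commands as constructed sample input.

```python
import shlex
import subprocess

# Deny-list named in the post. The PHP check itself is not shown there,
# so this token-level comparison is an assumption about how it behaved.
BLACKLIST = {"ls", "pwd", "cat", "ifconfig", "nc", "netcat"}

# Constructed sample input: two blocked commands plus the post's workarounds.
SAMPLE_COMMANDS = [
    "ls -la /var/www",
    "cat /etc/passwd",
    "printf '%s\\n' *",
    "find . ! -name . -prune",
    "lsattr -a",
    "strings /etc/passwd",
    "head -c 50000000 /etc/passwd",
]

def blacklist_allows(cmd: str) -> bool:
    """Deny-list: reject only if some token is a blacklisted program name."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    return not any(tok in BLACKLIST for tok in tokens)

# Allow-list: program -> flags it may take. No paths, no globs, no free text.
ALLOWLIST = {"uptime": set(), "whoami": set(), "df": {"-h"}}

def allowlist_allows(cmd: str) -> bool:
    """Allow-list: program must be known and every argument explicitly permitted."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return False
    if not tokens or tokens[0] not in ALLOWLIST:
        return False
    return all(arg in ALLOWLIST[tokens[0]] for arg in tokens[1:])

def run_if_allowed(cmd: str) -> str:
    """Execute without a shell so metacharacters never reach /bin/sh."""
    if not allowlist_allows(cmd):
        raise PermissionError(f"command not permitted: {cmd!r}")
    return subprocess.run(shlex.split(cmd), shell=False,
                          capture_output=True, text=True, check=False).stdout

def compare(commands):
    """Map each command to (deny-list verdict, allow-list verdict)."""
    return {c: (blacklist_allows(c), allowlist_allows(c)) for c in commands}
```

Running compare(SAMPLE_COMMANDS) shows the deny-list stopping only the two literal names while letting every workaround through, and the allow-list rejecting all seven.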
- to be continued -