Exploiting web shells - working your way around blacklisted commands

Not so long ago I was working on one of the VulnHub VMs and at one point I stumbled upon a type of web shell. A find like this is a gold mine as it presents an opportunity to execute commands remotely on the host which can lead to all kind of fun things. After good hour of poking I eventually managed to get a reverse shell and move forward.

Took me longer than usual to get to that point - all because of certain precautions put in place by the shell developers to make my life harder. But as they say - "there is more than one way to skin a cat" and if there is a server (a web shell) that is willing to listen to us, we can always find a way to fool it into accepting what we have to say.

In our case, the following commands were black-listed inside PHP "ls, pwd, cat, ifconfig, nc, netcat".

Here is the list of possible workarounds.

Alternatives to 'ls'

printf '%s\n' *
echo *
printf '%s\n' .* *
printf '%s\n' *(D)
find . -name "*"
find . ! -name . -prune
lsattr -a # to include hidden files like with ls
dir # make sure you 'man dir' as it takes many interesting options

Alternatives to 'cat'

strings <file>
grep "*" <file>
head <file>
head -c 50000000 <file>
tail <file>

- to be continued -