Difference between revisions of "Exploiting web shells - working your way around blacklisted commands"
Revision as of 16:16, 30 May 2018
Not so long ago I was working on one of the VulnHub VMs and at one point I stumbled upon a type of web shell. A find like this is a gold mine, as it presents an opportunity to execute commands remotely on the host, which can lead to all kinds of fun things. After a good hour of poking I eventually managed to get a reverse shell and move forward.
It took me longer than usual to get to that point, all because of certain precautions put in place by the shell developers to make my life harder. But as they say, "there is more than one way to skin a cat", and if there is a server (a web shell) that is willing to listen to us, we can always find a way to fool it into accepting what we have to say.
In our case, the following commands were blacklisted inside PHP: "ls, pwd, cat, ifconfig".
Here is the list of possible workarounds.
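== Alternatives to 'ls' ==
<syntaxhighlight lang=shell-session>
printf '%s\n' *           # one name per line, expanded by the shell's globbing
echo *                    # same expansion, names on a single line
printf '%s\n' .* *        # also matches hidden (dot) files
printf '%s\n' *(D)        # zsh only: the (D) glob qualifier includes dot files
find . ! -name . -prune   # entries of the current directory, without descending
lsattr
lsattr -a # to include hidden files like with ls
dir # make sure you 'man dir' as it takes many interesting options
</syntaxhighlight>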
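For whoever maintains a tool like this, the list above shows why filtering on command names does not hold. The following sketch is an added example, not the code of the web shell described here: it assumes the filter compared only the first word of the input against the four names quoted above, and contrasts that with an allowlist of fixed actions. The action names and paths in it are hypothetical placeholders.

```php
<?php
// Added illustration; not the code of the web shell described on this page.
// Assumption: the filter rejected input whose command word was on a denylist.

const DENYLIST = ['ls', 'pwd', 'cat', 'ifconfig'];   // the list quoted on this page

// Hypothetical model of the weak check: compare the first word only.
function denylist_allows(string $input): bool
{
    $words = preg_split('/\s+/', trim($input));
    return !in_array($words[0], DENYLIST, true);
}

// Hardened form: the client picks an action name, never a command string.
// Each action maps to a fixed argv (names and paths are placeholders).
const ACTIONS = [
    'list_uploads' => ['/bin/ls', '-la', '/var/www/uploads'],
    'disk_usage'   => ['/bin/df', '-h'],
];

function run_action(string $name): ?string
{
    if (!array_key_exists($name, ACTIONS)) {
        return null;                       // unknown action: refuse
    }
    // The array form of proc_open (PHP >= 7.4) executes argv directly with no
    // shell, so globs, pipes and substitutions are never interpreted.
    $proc = proc_open(ACTIONS[$name], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Inputs taken from the list above, plus the blocked command itself.
$samples = ['ls', "printf '%s\\n' *", 'echo *', 'find . ! -name . -prune', 'lsattr -a', 'dir'];
foreach ($samples as $s) {
    printf("%-26s denylist: %-8s allowlist: %s\n", $s,
        denylist_allows($s) ? 'passes' : 'blocked',
        array_key_exists($s, ACTIONS) ? 'accepted' : 'refused');
}
```

Only the literal `ls` is stopped by the denylist, while the allowlist refuses every free-form input because nothing the client sends is ever treated as a command.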