Exploiting web shells - working your way around blacklisted commands
Latest revision as of 16:26, 30 May 2018
Not so long ago I was working on one of the VulnHub VMs and at one point I stumbled upon a type of web shell. A find like this is a gold mine, as it presents an opportunity to execute commands remotely on the host, which can lead to all kinds of fun things. After a good hour of poking I eventually managed to get a reverse shell and move forward.
It took me longer than usual to get to that point - all because of certain precautions put in place by the shell developers to make my life harder. But as they say - "there is more than one way to skin a cat" and if there is a server (a web shell) that is willing to listen to us, we can always find a way to fool it into accepting what we have to say.
In our case, the following commands were black-listed inside PHP: "ls, pwd, cat, ifconfig, nc, netcat".
Here is the list of possible workarounds.
Alternatives to 'ls'
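printf '%s\n' *
echo *
printf '%s\n' .* * # also lists hidden files
printf '%s\n' *(D) # zsh only: the (D) glob qualifier includes hidden files
find . -name "*" # recursive listing
find . ! -name . -prune # current directory only, no recursion
lsattr
lsattr -a # to include hidden files like with ls
dir # make sure you 'man dir' as it takes many interesting options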
Alternatives to 'cat'
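strings <file> # prints runs of printable characters only
grep "" <file> # the empty pattern matches every line
head <file> # first 10 lines only
head -c 50000000 <file> # first 50000000 bytes
tail <file> # last 10 lines only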
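Seen from the side of whoever has to restrict command execution, the lists above show why matching on command names does not hold up. The following is an added example, not code from the original page or from the VM: it models the blacklist as a token match (an assumption, since the page does not show the PHP filter) and compares it with an allowlist of fixed actions; `ALLOWED_ACTIONS` and `notes.txt` are hypothetical.

```python
import shlex

# Blacklist exactly as quoted on this page.
BLACKLIST = {"ls", "pwd", "cat", "ifconfig", "nc", "netcat"}

# Assumption: allowlist for a hypothetical diagnostics endpoint. Each action
# name maps to a fixed argv, so no user-supplied text is ever executed.
ALLOWED_ACTIONS = {"uptime": ["uptime"], "disk": ["df", "-h"]}

# Workarounds listed on this page (notes.txt is a constructed file name).
PAGE_WORKAROUNDS = [
    "printf '%s\\n' *",
    "echo *",
    'find . -name "*"',
    "find . ! -name . -prune",
    "lsattr -a",
    "dir",
    "strings notes.txt",
    "head notes.txt",
    "tail notes.txt",
]


def blacklist_permits(command):
    """Name-based filter: reject only when some token is on the blacklist."""
    return not any(tok in BLACKLIST for tok in shlex.split(command))


def allowlist_resolve(action):
    """Return the fixed argv for a known action name, or None to refuse."""
    argv = ALLOWED_ACTIONS.get(action)
    return list(argv) if argv is not None else None


def audit(commands):
    """Return (command, blacklist_ok, allowlist_ok) for each input."""
    return [
        (cmd, blacklist_permits(cmd), allowlist_resolve(cmd) is not None)
        for cmd in commands
    ]


if __name__ == "__main__":
    for cmd, black_ok, allow_ok in audit(PAGE_WORKAROUNDS + ["ls -la", "disk"]):
        print(f"{cmd!r:30} blacklist_ok={black_ok} allowlist_ok={allow_ok}")
```

Every command from the lists passes the blacklist and is refused by the allowlist, because the allowlist never interprets request text as a command line.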
- to be continued -