Today I will show you how you can upload a webshell to a website after you have successfully found your way into the admin panel. I will start with the end of my SQLi session and dive into working to upload a shell through the admin panel. Please hold your questions till the end ;)
Ok so you found a vulnerable site and or somehow have managed to come across the admin credentials.
Uh oh, it is encrypted MD5! It's OK, we do quick check with the big online databases to save time and if we don’t find it there then we follow my other tutorial on how to use Hashcat tools to crack it ourselves. Lucky for us our Admin choose poor strength password which was easily found online with a quick check:
OK, so now we have admin credentials. We use our favorite admin finder, cross our fingers, and hope we find one that will work with the credentials we found. Here is a good online admin finder if you need one: http://sc0rpion.ir/af/
Once you make your way into the actual admin panel it is wise to take a look around to see what all you have access to. If you just want to leave your mark you may be able to quickly edit HTML on pages or inject a hidden iframe or an effective stored XSS of some kind (pop-up or redirect), but for this tutorial we will be focusing on how we can get a web-shell on the site, something like c99, GNY, etc. We will have much more flexibility with a full featured web-shell. OK, so you will want to look around and see what you can do as admin, maybe quickly add a new user with some rights in case the real admin changes their password. Then start looking for ways to upload things, doesn't really matter what it is for now - typically you can find areas to add news, products, images, movies, etc. We will leverage one of these upload fields to inject our shell instead and gain better access to our target site. In some cases you will find you can simply upload your shell with no problems, so always check if it will take “shell.php” first. In most cases it won't, if it does then there is no reason to continue reading as you’re in J. If it doesn't then things get interesting as we need to now find a way to manipulate our upload so it bypasses any file restrictions. How can we do this you say? By controlling our request we send in more detail. We will use Live HTTP Headers add-on for Firefox in this example, you could also use Burp Suite, or Tamper Data add-on (others exist too but these are main options I know). We will use these tools which allow us to manipulate more aspects of the actual HTTP request we send when we hit the actual upload button. We first will upload our file as “shell.php”.
We typically will get an error indicating we can’t upload PHP files, and if we are lucky it will tell us what kind of files are acceptable. OK, let us try to fool it into thinking it is something else that is on the acceptable list. We can play wile file naming conventions or through the addition of NULL bytes (). They both are effective and you really have to play with both options until you find something which works, here are a few common methods I use which you can easily expand upon:
You get the idea. The point is that the “.xxx” file ending is what gets read during check and when server scans hopefully the null byte () causes it to stop reading the rest making it stop at “.php”. If this doesn't work or you shell is getting messed up when it is uploaded then we will use Live HTTP Headers to modify the request on the fly and in addition to faking out the file type we will straight change the file type in the request we send. Start Live HTTP Headers and make sure it is setup to capture requests (small check box at bottom):
Then you first submit the one that works to simply work and get the request formatting saved. Then replay the request so that a new window pops up and then modify the text in the request to remove the fake.fake-file-ending part so all that is left is “shell.php”.
NOTE: you probably need to scroll to the top and choose the first one since we started it only to capture the submission this should be the first request
When you hit replay it pulls up the original request to modify before sending. Find the part for the filename (use FIND to make it quick). Change the file name so all that is left is “shell.php” and then hit replay again. It will submit through browser and you should now be done.
Now find the file by right clicking or whatever means necessary and open in new browser tab.
Voila shell properly uploaded and working – Game Over, you win!
If you have problems finding your shell, here are a few helpful hints to finding it:
1 – Right click uploaded image on site and check its location. See if directory indexing is turned off, if it is not then you can easily see what all is in the folder until you find your shell. You might have to try a few images or locations on the site, just try to use other items from the same category your uploading to and think logically about it.
2 – If you can’t find it then I suggest scanning the site with a web-scanner like Accunetix, W3af, or something else you like better to see if it can find it (infrastructure scanning, or if you require password for shell check for auth files, or backdoors, etc)
3 – If you absolutely still can’t find it, you can try Google search to help find your shell. Use dorks and text from your shell or file name to try and find it on site.
Remember you won’t always get admin access and you can’t shell every site, but here is one more trick to add to your bag to increase your chances. If you’re a coder, then this is one more reason to check your uploads as you won’t always get what you expect coming through, don’t expect every user to be nice and use the system as intended as this method can be used against any upload form, not just admin panels. I hope you have enjoyed this brief tutorial. If any questions, comments, or suggestions please post here or let me know.
For those that need a video to grasp the concept, here you go:
Until next time, Enjoy!