๐Ÿ˜ PHP Web Shells

🔎 Overview

  • PHP (Hypertext Preprocessor) is the most widely used server-side language (78.6% of web servers).

  • PHP handles requests such as login forms on the server side (e.g., login.php on rConfig).

  • A PHP web shell is a PHP script that, once placed on the server through a file upload vulnerability, gives remote command execution through the browser or can be used to launch a reverse shell.


🧪 Hands-On: Gaining a PHP Web Shell (rConfig v3.9.6)

🧠 Objective

Upload a malicious PHP file disguised as an image to exploit rConfig's file upload mechanism, then use it as a browser-accessible shell.


✅ Step 1: Access rConfig and Navigate to Vendor Upload

  1. Log in to rConfig

    • Credentials: admin:admin

  2. Navigate to: Devices > Vendors > Add Vendor

  3. Choose File Upload for "Vendor Logo".


✅ Step 2: Prepare Your PHP Web Shell

๐Ÿ“ Tool used: WhiteWinterWolf's PHP Web Shell

💡 Either download the script or paste the code into a file:

nano connect.php

🧼 Best practice:

  • Remove author comments and ASCII art to avoid detection by AV.


Bypassing the File-Type Filter:

✅ Step 3: Launch Burp Suite and Intercept the Upload

  1. Open Burp Suite

  2. Set browser proxy settings:

    • IP: 127.0.0.1

    • Port: 8080

  3. Intercept HTTP traffic.

  4. Go back to rConfig, click "Browse" and select connect.php, then click "Save."

✅ Step 4: Modify the Intercepted POST Request in Burp

Once the POST request containing the file upload is intercepted:

Change:

Content-Type: application/x-php

To:

Content-Type: image/gif

📌 This bypasses rConfig's image file-type filter, which only inspects the client-supplied Content-Type header rather than the file's contents.

  1. Click "Forward" twice in Burp Suite to submit the request.


✅ Step 5: Confirm File Upload Was Successful

Look for:

Message: Added new vendor NetVen to Database

๐Ÿ–ผ๏ธ If the file type wasn't recognized, it may display a generic image icon โ€” thatโ€™s okay.


✅ Step 6: Access the Web Shell

Navigate directly to the uploaded file, or right-click the newly added image and open it:

http://<rConfig-IP>/images/vendor/connect.php

🔧 You now have a web shell interface that lets you run system commands via the browser.

Commands entered here execute on the underlying Linux OS.


๐Ÿ” Additional Notes

  • This shell is non-interactive (no TTY).

  • Useful for:

    • Enumeration

    • Dropping reverse shells

    • Uploading more payloads
