🐘 PHP Web Shells

🔎 Overview

PHP (Hypertext Preprocessor) is the most widely used server-side language (78.6% of web servers).
PHP processes requests like login forms server-side (e.g., login.php on rConfig).
PHP web shells exploit file upload vulnerabilities to achieve remote command execution or reverse shells.

🧪 Hands-On: Gaining a PHP Web Shell (rConfig v3.9.6)

🧠 Objective

Upload a malicious PHP file disguised as an image to exploit rConfig's file upload mechanism, then use it as a browser-accessible shell.

✅ Step 1: Access rConfig and Navigate to Vendor Upload

Login to rConfig
- Credentials: admin:admin

Navigate to: Devices > Vendors > Add Vendor

Choose File Upload for "Vendor Logo".

✅ Step 2: Prepare Your PHP Web Shell

📁 Tool used: WhiteWinterWolf's PHP Web Shell

💡 Either download or paste the code into a file:

nano connect.php

🧼 Best practice:

Remove author comments and ASCII art to avoid detection by AV.

Bypassing Filetype:

✅ Step 3: Launch Burp Suite and Intercept the Upload

Open Burp Suite
Set browser proxy settings:
- IP: 127.0.0.1
- Port: 8080

Intercept HTTP traffic.

Go back to rConfig, click “Browse” and select connect.php, then click “Save.”

✅ Step 4: Modify the Intercepted POST Request in Burp

Once the POST request containing the file upload is intercepted:

Change:

Content-Type: application/x-php

To:

Content-Type: image/gif

📌 This bypasses rConfig’s image file-type filter.

Click “Forward” twice in Burp Suite to submit the request.

✅ Step 5: Confirm File Upload Was Successful

Look for:

Message: Added new vendor NetVen to Database

🖼️ If the file type wasn't recognized, it may display a generic image icon — that’s okay.

✅ Step 6: Access the Web Shell

Navigate to or right click on the newly added image

http://<rConfig-IP>/images/vendor/connect.php

🔧 You now have a web shell interface that lets you run system commands via the browser.

📝 Commands entered here execute on the underlying Linux OS.

🔐 Additional Notes

This shell is non-interactive (no TTY).
Useful for:
- Enumeration
- Dropping reverse shells
- Uploading more payloads

Previous🧠 Antak Webshell + ASPX Concepts NextShells & Payloads - The Live Engagement

Last updated 10 months ago

hashtag🔎 Overview

hashtag🧪 Hands-On: Gaining a PHP Web Shell (rConfig v3.9.6)

hashtag🧠 Objective

hashtag✅ Step 1: Access rConfig and Navigate to Vendor Upload

hashtag✅ Step 2: Prepare Your PHP Web Shell

hashtagBypassing Filetype:

hashtag✅ Step 3: Launch Burp Suite and Intercept the Upload

hashtag✅ Step 4: Modify the Intercepted POST Request in Burp

hashtag✅ Step 5: Confirm File Upload Was Successful

hashtag✅ Step 6: Access the Web Shell

hashtag🔐 Additional Notes