A few days ago, while doing a CTF, I encountered a problem. I was able to upload a PHP file to the target server, but I couldn’t spawn a web shell due to firewall restrictions. The only way I could interact with the server was by executing commands using the uploaded PHP files and printing the output on the page.
The simplified PHP file (the original one utilized a disabled_functions bypass, because exec() was disabled in the config):
<?php echo exec($_GET['cmd']); ?>
Until that CTF I was using a Python script to automate it. In a while loop: get user input, create a request and print the response to the terminal. It works, but it’s very inefficient, mainly because it doesn’t keep the current path. Fortunately, I found a tool that does exactly what I need!
webwrap is a tool that automates the process described above and creates a pseudo shell that simulates a real one. GitHub: https://github.com/mxrch/webwrap
curl -s https://raw.githubusercontent.com/mxrch/webwrap/master/install.sh | sudo sh
sudo apt install rlwrap
git clone https://github.com/mxrch/webwrap; cd webwrap; sudo python3 -m pip install -r requirements.txt
git clone https://github.com/mxrch/webwrap; cd webwrap; python -m pip install -r requirements.txt
my_verycool_webshell.php is your shell file
cmd is the argument that the shell uses
While using this tool you need to remember that it is not a real shell. Commands such as ssh will not work as they require a full interactive terminal, but some of them can be bypassed with e.g. Python’s pty. Additionally, commands that take more than ~2 seconds to execute will time out the request and break the script.
webwrap is an amazing tool to use when you cannot have a regular reverse shell. It automates the process of requesting command execution and speeds things up. Although it has its limitations, I’ll definitely use it in future CTFs.
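Seen from the server side, the workflow above leaves a recognisable trail: every command is a separate request to the same PHP file, with the command in the cmd parameter. The sketch below is an added example, not part of the original post or of webwrap; it scans access-log lines for that pattern, and the log lines, the /uploads/ path, the command word list and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# The /uploads/ path, IP addresses and user agents are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /uploads/my_verycool_webshell.php?cmd=id HTTP/1.1" 200 54 "-" "ExampleClient/1.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /uploads/my_verycool_webshell.php?cmd=cd%20%2Fvar%2Fwww%3B%20ls%20-la HTTP/1.1" 200 812 "-" "ExampleClient/1.0"
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /uploads/my_verycool_webshell.php?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 1532 "-" "ExampleClient/1.0"
198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /search.php?q=cat+pictures HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:02:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client address and request target of a GET/POST access-log entry.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Heuristic: the decoded value starts with a common command word and is
# followed by nothing, a shell separator, or an option/path argument.
SHELL_RE = re.compile(
    r"^\s*(?:id|whoami|uname|pwd|ls|cat|cd|wget|curl|nc|python3?|bash|sh)\b"
    r"(?:\s*$|\s*[;|&]|\s+[-/.~])"
)


def find_webshell_sessions(log_text, min_hits=2):
    """Return {(client, path, param): [decoded commands]} for PHP scripts that
    received at least min_hits command-like parameter values from one client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(".php"):
            continue
        # parse_qsl URL-decodes values, so %2F and + are compared as / and space.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_RE.match(value):
                hits[(client, url.path, name)].append(value)
    return {key: values for key, values in hits.items() if len(values) >= min_hits}


if __name__ == "__main__":
    for (client, path, param), commands in find_webshell_sessions(SAMPLE_LOG).items():
        print(f"{client} -> {path} ({param}=): {len(commands)} command-like requests")
        for command in commands:
            print(f"    {command}")
```

Commands sent in a POST body do not appear in a standard access log, so this only covers the GET-parameter style used in this post.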