PHP Web Shells

shinobi · November 28, 2023, 5:38pm

I’m stuck in the phpwebshell module, i cant go on at the answear
"Use what you learned from the module to gain a web shell. What is the file name of the gif in the /images/vendor directory on the target? (Format: xxxx.gif) ".
I follow all the steps described by the module, but I can’t load the webshell on the site, the steps I take are these
-I download the web shell

I unzip it and see the ‘webshell’ file
-now I go to the IP address that htb generated for me
I enter with my credentials
-go devices->vendor
-I open burpsuite and go to the proxy section
-I open the browser settings and in the proxy section I set 127.0.0.1 with port 8080
-I go to the web and add new
-I enter the credentials and using the browse button I find the .php file
-I save,
This is where the problems begin:
1, the page loads endlessly
2, burpsuite seems to have done its job but the web page never stops loading,
I don’t understand what the problem is, can someone tell me where I went wrong and what? can you give me some suggestions?

l3risch · November 30, 2023, 10:35am

To be clear: Have you executed the transactions with the browser within burpsuite? After forwarding all your requests, you just need to upload the webshell and modify the Content Type of your web request in burpsuite as stated in the docs.

Regon · November 30, 2023, 7:03pm

Hi, I have a problem with Burpsuite, how can I load the web shell without paying for the pro version?

urhom3yr4hul · March 5, 2024, 11:34am

Looks like you did not click on Forward in Burpsuit, twice.

afrohacker · March 6, 2024, 2:57pm

I’m stuck as well. I have been able to upload the php file and got the “Added new vendor NetVen to Database” message.
But when I go to https://target IP/images/vendor/connect.php, I get 404 Not Found.

urhom3yr4hul · March 6, 2024, 10:23pm

because it is not vulnerable that way. I tried tha too.
Check the hint for quest’n and go for /manage page vulnerability.

afrohacker · March 8, 2024, 4:49am

Finally figured it out. I should’ve known not to follow the lesson verbatim.

thor.elveneyes · March 22, 2024, 7:59pm

Please, I need to help.

afrohacker · April 2, 2024, 1:49am

Did you figure it out already?

thor.elveneyes · April 2, 2024, 9:43pm

No, I not. Now I am studying another module (Password Attack), because I don’t found a method for solve that section

afrohacker · April 3, 2024, 10:29am

Follow the steps in the lesson to craft and upload your payload. Once done, visit
https://target IP/images/vendor/name of payload.php
Hope this helps

DR4K0N · April 17, 2024, 10:31am

Hi! I’m a little lost in this exercise. What credentials did you use to enter rConfig? HTB use to give us creds like: user “htb-student” and password “HTB_@cademy_stdnt!”

Roisindddd · May 27, 2024, 8:02am

its admin/admin, found by looking at the default creds for the rconfig msf exploit

ghn03 · November 21, 2024, 10:49am

i need help, i do all as is supposed but when i navigate to the URL all i got is a black window with no shell

Topic		Replies	Views
PHP Web Shells Question 2 Academy	6	482	October 7, 2024
PHP Web Shells Academy	2	255	December 1, 2023
Shells Jack Us In, Payloads Deliver Us Shells - PHP Web Shells Academy	1	112	March 22, 2024
HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments Academy htb-academy	50	10224	July 31, 2024
Need help with .php shell in webshell Programming	0	153	June 1, 2024

PHP Web Shells

Related topics