Webshells - Interactive(I/O)?

GDX · December 21, 2018, 8:10pm

Hello everyone,

I know there are a few “terminal-emulator”-Webshells out there, meaning that they look like a terminal and also work like one, but I have one problem (so all of this is a problem if you aren’t able to get a reverse or bind shell because of some restrictions or a firewall, you only have access to the website):

It seems like all of them can’t handle input and ouput while running a command.
So for example I have this simple python script that will wait for user input: input = raw_input("Print something: ")

Now when you run this program inside one of those shells, they either print something like EOFError: EOF when reading a line or they simply don’t wait for input but quit instantly after printing "Print something: " cause they can’t manage user input.

Now I know that you’re able to fix this in some cases by using echo "Input" | ./script.py, but how would you fix the issue of not being able to input things interactively when it comes to for example running root-exploits (dirtycow,etc…) through a webshell / a website?

peek · December 21, 2018, 9:57pm

how that : “you only have access to the website” ? what do you mean exactly ?

GDX · December 22, 2018, 4:59pm

@peek said:
how that : “you only have access to the website” ? what do you mean exactly ?

You only have access to port 80 (the website). Of course if you are able to gain root later through for example an exploit you could change these settings.

Btw I think something like “expect” could work here, but it’s not that simple to execute a command with active input using this tool since you would need to program it for everything you want to run individually.

peek · December 24, 2018, 10:20pm

if you can run a command, you might trigger a shell