Everything is a web application nowadays. We’re moving everything to the cloud. The ecosystem for web libraries and frameworks is booming! However, sometimes you run into a situation where you would like these powerful tools to work in your console. We had a situation where – for a security job – we needed sqlmap to work on the command line. This article describes how to create a web server to shell bridge. By using a relatively simple Node.js web server, we can glue these two applications together.
Starting the web server results in a simple page which accepts a parameter called param which forwards the request to the defined shell command.
The code for the web server can be found on the following GitHub URL:
You can try it yourself by starting the web server by executing:
The remainder of the article explains what challenges we ran into and how we solved them.
During a recent pentest that we conducted, we encountered a custom build command line application which would accept two parameters. Feeding some unexpected input to the second parameter would cause some abnormal output. That lead to the assumption of a possible attack vector using SQL injection. So that makes every pentester out there think: “Fire up sqlmap!”. This is where we were faced with the challenge of creating a bridge between our shell and the web. A relatively simple solution that came to mind was to put a web server in between.
Example of a web server to shell scenario
We’ll use echo as shell command to give some example usage of our solution instead of the application we encountered.
1var shellCommand = "echo \"param1\" \"PAYLOAD_PARAM\"";
In there the PAYLOAD_PARAM is where we are going to input our injection. Some input might not be properly handled by the shell application in the sense that it will crash the program or get stuck otherwise. That’s why we filter those out, in our case it was leading dashes and double quotes.
1var filterRegexes = [/\"/g, /^-/g];
Afterwards we can fire up the Node.js server using:
Now we can send POST and GET requests. There’s also a form with a submit button on the web page in case your tooling might require a form. After that we can run our automated tooling like sqlmap.
1w@hl:~/Downloads/webserver-shell-bridge$ curl -X GET -i 'http://localhost:8080/?param=$PATH' 2HTTP/1.1 200 OK 3Content-Type: text/html 4Date: Tue, 10 Sep 2019 09:42:49 GMT 5Connection: keep-alive 6Transfer-Encoding: chunked 7 8<html lang=""><body> 9<h1>Full command output: param1 /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin 10<h1> 11<form method="GET"> 12<input type="text" placeholder="fill me up" name="param"> 13<input type="submit"> 14</form> 15</body></html>
In the end
Looking back on the result, it’s actually a really simple web application. That simple Node.js server serves as powerful glue which ties (legacy) shell applications and tools designed for web applications together. Remember to be careful not to run this server in a public place where it could put your console application at risk. The default runs on your localhost only. If you ever encounter such a situation, feel free to fire up the web server to shell bridge to take some work out of your hands so you can get on with the important stuff.
Your job at codecentric?
More articles in this subject area
Discover exciting further topics and let the codecentric world inspire you.