Get a Shell by Uploading Script to Webserver

I am going to show you how to make a simple web server in PowerShell that serves the contents of the current directory on any port you choose. You will have optional Active Directory integration so that the HTTP requests sent from the browser respect the NTFS file permissions.


System.Net.HttpListener

System.Net.HttpListener is a powerful and generally underused class introduced to .NET in .NET Framework 2.0 and is still included in the current version of .NET. Thus, our web server is going to run on any system that has PowerShell and at least .NET 2.0. This means we can run it on most Windows server and client operating systems without having to install anything or download any libraries to support our code.

Let's create the listener to get started:

$listener = New-Object System.Net.HttpListener

Configuring the HttpListener

The first thing to do when creating an HttpListener is tell our web server where it should listen. Should it listen and respond to requests coming from other PCs on the network or only requests coming from the localhost? What port should it listen on? What name should it respond to? We answer all of that using a single line of code:

$listener.Prefixes.Add("http://localhost:8080/")

This single line of code is deceptively simple. Setting up prefixes can be the most complex part of creating a self-hosted application. Please read this article that explains UrlPrefix formatting. I recommend using a localhost prefix during development, as this does not require any special setup to run and does not need administrative rights. Let's just leave that line as it is for now, and we will get back to setting this up to listen for requests coming from the network at the end of this article. For now, all we need to do is start the listener.

$listener.Start()

Preventing directory traversal

We are going to serve files out of the current working directory in PowerShell, and we want to restrict access to just the files and folders in this directory. We can easily prevent the requester from using the \..\..\.. notation in a URL to perform directory traversal attacks. We do this by creating a PSDrive from the current directory and using this as the root file path when our code is looking for requested files.

New-PSDrive -Name MyPowerShellSite -PSProvider FileSystem -Root $PWD.Path

Accessing the request with the HttpListenerContext object

Alright, so we created a listener, we told it where to listen, and we started it. If you were curious, you might have opened a web browser at this point to the URL given above, just to see what happens. I'm sorry to disappoint you, but we have one more step left before our listener will begin working with a web browser.

We must tell our listener to get an HttpListenerContext object that gives us access to request and response objects. We use the GetContext() method on the $listener to do this synchronously. HttpListener does support asynchronous calls, but that is beyond the scope of this article.

$Context = $listener.GetContext()

The console should hang waiting for an HTTP request to hit the URL it is listening on. Going to http://localhost:8080/ using any web browser should populate our $Context variable, and the browser will begin to spin waiting for a response.

The context variable

Inspection of the context variable reveals three properties:

  • Request: This contains data that came from the browser or HTTP client (URL requested, cookies, query string, HTTP method, etc.).
  • Response: This automatically created object will send a response back to the browser.
  • User: Setting an authentication method on the HttpListener would populate this with details about the user (such as username and password or a Windows Identity object).

You can read more details about the HttpListenerContext .NET class on MSDN. This .NET class can do a lot, but we will focus on the simple stuff here. All we need to know is what file the browser is requesting and send it back using the response.

Reading the request with GetContext()

A Url property stores the details of the URL that the web browser or HTTP client requested. For example, if I browse to http://localhost:8080/MyFile.txt and then run the GetContext() method, I can access the URL with $Context.Request.Url:

Figure: Reading the requested URL

Sending the HTTP response

The LocalPath property looks like it has exactly the information we need. Let's go ahead and get that file and send it back to the web browser.

Add-Type -AssemblyName System.Web   # loads the assembly that provides [System.Web.MimeMapping]
$URL = $Context.Request.Url.LocalPath
$Content = Get-Content -Encoding Byte -Path "MyPowerShellSite:$URL"
$Context.Response.ContentType = [System.Web.MimeMapping]::GetMimeMapping("MyPowerShellSite:$URL")
$Context.Response.OutputStream.Write($Content, 0, $Content.Length)
$Context.Response.Close()

The MimeMapping method maps the file's extension to a MIME type the browser understands. You should see the contents of your text file displayed in the browser now!
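The pieces above assembled into a loop that serves one file per request and answers everything else with a 404. This is an added example, not the article's own code or the linked gist; it assumes Windows PowerShell 5.1 and the localhost prefix used throughout, and adds a check that the resolved file still sits under the site root as a second line of defence beside the PSDrive.

```powershell
# Added example, not from the original article: the steps above combined into a
# loop that serves files until Ctrl+C. Assumes Windows PowerShell 5.1 on Windows.
Add-Type -AssemblyName System.Web            # provides [System.Web.MimeMapping]
$root = $PWD.Path
$rootPrefix = $root.TrimEnd('\') + '\'       # compare with a trailing separator
New-PSDrive -Name MyPowerShellSite -PSProvider FileSystem -Root $root | Out-Null
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add("http://localhost:8080/")
$listener.Start()
Write-Host "Serving $root on http://localhost:8080/ (Ctrl+C to stop)"

try {
    while ($listener.IsListening) {
        $context  = $listener.GetContext()       # blocks until a request arrives
        $request  = $context.Request
        $response = $context.Response
        try {
            $relative = $request.Url.LocalPath.TrimStart('/')
            # Resolve through the PSDrive so the site root is the ceiling for the lookup
            $item = Get-Item -LiteralPath "MyPowerShellSite:\$relative" -ErrorAction Stop
            # Defence in depth: the resolved path must still be a file under $root
            if ($item.PSIsContainer -or
                -not $item.FullName.StartsWith($rootPrefix, [StringComparison]::OrdinalIgnoreCase)) {
                throw [System.IO.FileNotFoundException]::new($relative)
            }
            $bytes = [System.IO.File]::ReadAllBytes($item.FullName)
            $response.StatusCode      = 200
            $response.ContentType     = [System.Web.MimeMapping]::GetMimeMapping($item.FullName)
            $response.ContentLength64 = $bytes.Length
            $response.OutputStream.Write($bytes, 0, $bytes.Length)
        }
        catch {
            # Missing file, directory, or a path outside the root all become a plain 404
            $response.StatusCode  = 404
            $response.ContentType = "text/plain"
            $body = [System.Text.Encoding]::UTF8.GetBytes("404 Not Found")
            $response.OutputStream.Write($body, 0, $body.Length)
        }
        finally {
            Write-Host ("{0} {1} -> {2}" -f $request.HttpMethod, $request.RawUrl, $response.StatusCode)
            $response.Close()
        }
    }
}
finally {
    $listener.Stop()
    $listener.Close()
}
```

Run it from the folder you want to serve, then request http://localhost:8080/MyFile.txt; the console logs each request with the status code it returned.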

Wrap-up

This is of course a very simplistic example and only serves a single request. A more detailed example with directory browsing showcases how to use integrated Windows authentication and send errors back to a browser in this GitHub gist.

If you would like a ready-to-go self-hosted PowerShell web server solution written with HttpListener, you can check out the following projects:


  • PoSH Server
  • NodePS
  • PSWebServer

To set it up on something other than localhost with HTTPS and without running as admin, I recommend this article.


Source: https://4sysops.com/archives/building-a-web-server-with-powershell/
