Simple PHP shell which tries to bypass a badly configured PHP parser (disable_functions)
Still under development. Do not expect nice code!
As a pentester I still run from time to time into more or less securely configured PHP applications. PHP allows you to disable dangerous functions to mitigate the risk of an attacker being able to deploy a working webshell after he has compromised a webserver. I have seen rather often that admins do not disable all dangerous functions, be it because they made a mistake or because they need them for other reasons. Maybe I just did not google enough, but I never found one simple shell which tests for different dangerous functions. There are a lot of heavy ones out there dealing with this, like Weevely, which is a great webshell but was not what I was looking for. The provided webshell here just tests whether different dangerous functions are disabled or not. If they are not disabled, the script allows you to execute commands on the server where it is deployed.
I just made this script for personal purposes to speed up monkey work while doing web hacking on a PHP application. But maybe someone can make use of it too.
The following functions should be disabled via disable_functions on the server (php.ini):
- exec
- shell_exec
- popen
- passthru
- proc_open
- system
- pcntl_exec
To disable them, replace the disable_functions line in php.ini with this:
disable_functions = exec,shell_exec,popen,passthru,proc_open,system,pcntl_exec
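To audit a server against the list above, here is an added example (not part of this project's code) that parses php.ini text and reports which of the seven functions are not named in disable_functions. The function names, the sample configuration and the "last assignment wins" handling are assumptions of this example.

```python
import re

# The seven functions this README says should be disabled.
REQUIRED = ("exec", "shell_exec", "popen", "passthru",
            "proc_open", "system", "pcntl_exec")

# Anchored at line start, so a commented-out ";disable_functions = ..." never matches.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")


def disabled_functions(ini_text):
    """Return the set of names listed in the disable_functions directive."""
    value = ""
    for line in ini_text.splitlines():
        match = _DIRECTIVE.match(line)
        if match:
            value = match.group(1)  # assumption: the last assignment is the effective one
    # Drop a trailing "; comment", surrounding whitespace and optional quotes.
    value = value.split(";", 1)[0].strip().strip("\"'")
    # The list is comma-delimited; names are compared exactly as written,
    # so a misspelled entry does not count as disabling anything.
    return {name.strip() for name in value.split(",") if name.strip()}


def missing_functions(ini_text):
    """Return the README's functions that the configuration leaves enabled."""
    disabled = disabled_functions(ini_text)
    return [name for name in REQUIRED if name not in disabled]


# Constructed sample: the full list is commented out, and the active line
# is incomplete and contains a typo ("shel_exec").
SAMPLE_INI = """\
[PHP]
;disable_functions = exec,shell_exec,popen,passthru,proc_open,system,pcntl_exec
disable_functions = exec, shel_exec, passthru,system ; hardening
"""

if __name__ == "__main__":
    import sys
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    for name in missing_functions(text):
        print("not disabled:", name)
```

Run it against the php.ini that the web server's PHP actually loads; `php --ini` shows the files used by the CLI, which may differ.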
The webshell currently covers the following functions:
- exec
- shell_exec
- popen
- passthru
- system
ToDo:
- pcntl_exec
- proc_open
You can use simple.php by deploying it on the web server you want to test. Call it in the following way:
http://servertotest/simple.php?r=COMMAND
You can also use the simple obfuscator I made to generate a one-liner out of the code:
python3 obfuscate.py simple.php
If you want to help, contribute, say something or correct something just hit me up :)
See the license file for more information.