There is nothing more frustrating than obtaining a remote code execution on a PHP webapp and being constrained by disable_functions while performing an intrusion test... This shell tries to offer useful features for post-exploitation, while no exec-like function is allowed.
This shell is protected by a password, and because of lack of imagination, default credentials are poisonprince:poisonprince. You may want to change it before uploading the shell, because leaving it unprotected on a server is a security hole. This shell is meant to evaluate the strength of an already hardened server (but maybe not sufficiently). Use it with caution. Do no harm.
So of course features are quite limited and may be broken if disable_functions forbids the use of too much routines, and open_basedir cannot be bypassed.
Let's render upon to Ceasar with is Ceasar's: the layout and some features come from the p0wny@shell:~# project, a single-file PHP webshell. The p0wny@shell project is licensed under the WTFPL
🚧
Work in progress ... I try to add new bypass techniques and commands on a regular basis. Still, the shell may misbehave if some functions it uses are also disabled, although they are not exec-like. For the moment, Windows servers are not supported.
To begin with, press ? or help or nothing to get help.
If the command you typed fails, it may be because of the following reasons:
open_basediris enforced and you tried to read/write beyond the scope it allows- lack of permissions
- you used quotes and spaces in your file paths, and sorry, but it is not perfectly handled yet ...
Order of the argument DOES matter
Reads a file, like the command you already know.
Usage: is cat </path/to/file>
The path can be relative.
Changes the current working directory.
Usage: cd <destination?>
The path can be relative.
If destination is null, it tries to go to the home directory, if any.
You do not need to put quotes if path contains spaces, but autocompletion may fail.
Tries to find ways to evade disable_functions, based on installed modules and versions.
Usage: chkbypass <-k?>
If the switch -k is set, it skips versions check and only verifies installed modules and stuff
Client-side command, it clears the console
Downloads a file (not a whole folder)
Usage: download <file>
Echoes something to a file
Usage: echo <what> > <outfile> or echo <what> >> <outfile> to append.
You can use \n to write carriage returns, cuz the shell """stdin""" is a single line.
Displays the environment variables
Usage: env
Evaluates the given PHP code, just as the eval routine in PHP does (no need to put the <?php ?> markers then):
Usage: eval <code>
Displays the output if any
Reads *_history files in the home directory, or the current one if no home is configured
Usage: gethist
Looks for potential secrets, in the given folder or the current one if none
Usage: getpasswd <path?>
Can be quite slow if the given folder is huge. Prints it like a grep
Looks for a given string, in a given folder (recursively) or file. If the switch -i is set, it ignores the case. If the path is not set, if assumes the current folder
Usage: grep <pattern> <path?> <-i?>
Can be quite slow if the given folder is huge. Prints it like a grep
Prints the current user id and name, as well as group info
Usage: id
List files and directories. If the path is not set, it assumes the current folder. If the switch -R is set (off by default), it prints recursively
Usage: ls <-R?> <path?>
Creates a directory. It creates intermediate ones if they don't exist
Usage: mkdir <name>
Renames a file/folder
Usage: mv <name> <newname>
Quotes can be used, but once again, not sure that they are properly handled. And who the hell uses blank spaces in file names ?!
Runs the routine phpinfo and puts the output in a frame
Usage: phpinfo
Only works if /proc is readable. Lists the running processes
Usage: ps
Prints the current working directory
Usage: pwd
Beware of this one, a folder could be unintentionally removed ... Removes a file or a folder. If this is a folder, it deletes recursively
Usage: rm <path>
Compresses a folder, and immediately tries to download it. If no argument is provided, it tar's the current folder
Usage: tar <path?>
Uploads a file/folder. The expected argument is the destination name
Usage: upload <name>
- Better handling of quoted values
- More commands
- offer ways to bypass disabled functions like file_get_contents, cuz the shell heavily relies on it
- Make it windows-compatible
- (maybe) automatically try to verify if no-exec bypass work, if possible
The define directives may be tweaked to look for more interesting files.
I really suck at finding names 😥
My favourite song is The Man Who Sold The World, but the name was a bit too long. Hence I took my number 2