Author: Bawan GitHub: https://github.com/bawanu
This tool is intended strictly for educational purposes and for use by authorized security professionals in legitimate, sanctioned security assessments. The author is not responsible for any misuse or damage caused by this tool. Unauthorized access to any system is illegal and unethical. Use at your own risk.
This project provides a powerful, feature-rich PHP web shell designed for penetration testers and security researchers. To enhance its stealth and deployment capabilities, the project also includes a separate AES-256-CBC encrypter. This allows the user to wrap the web shell in an encrypted form, making it harder to detect by signature-based scanners and security products.
The encrypted.php file will only execute the web shell in memory if the correct decryption key is provided as a GET parameter, otherwise, it will return a 404 Not Found error, revealing nothing about its true nature.
- System Information: Get a detailed overview of the OS, PHP version, server software, and network configuration.
- Full File Manager: Browse, upload, download, edit, create, and manage files and directories.
- Interactive Command Terminal: Execute shell commands directly on the server.
- Process Manager: View and kill running processes.
- PHP Evaluation: Execute arbitrary PHP code securely.
- Reverse Shell Utility: Easily generate and execute various reverse shell payloads (Bash, Python, PHP, Perl, etc.).
- Network Scanner: Discover live hosts on the local network and perform port scanning on selected targets.
- Advanced Security & Stealth:
- Access Control Rules: Lock down the shell to specific IP addresses, user agents, or HTTP headers to prevent unauthorized access.
- "Only Me" Mode: Instantly restrict access to your current browser session.
- Session Management: Monitor and kick other active users.
- Self-Destruct: Completely remove the shell and all its related tracking files from the server with a single click.
The project is organized into a clean and easy-to-understand structure:
.
├── web-shell/
│ └── webshell.php # The core web shell source code
├── encrypter/
│ └── encrypter.php # The AES encryption script
| └── webshell.php # the core webshell source code to be encrypted
├── LICENSE
└── README.md
git clone https://github.com/bawanu/webshell-project.git
You can use the web shell in two ways: as a standalone script or in its encrypted, stealthier form.
For quick assessments in a trusted environment, you can use the web shell directly.
- Navigate to the
web-shell/directory. - Upload
webshell.phpto your target server. - Access it via your browser:
http://target.com/path/to/webshell.php?decrypt=anything - CRUCIAL FIRST STEP: Immediately navigate to the "Users & Security" tab and configure access control rules. It is highly recommended to add a rule for your IP address to prevent anyone else from accessing the shell.
This method provides a strong layer of obfuscation. The web shell is encrypted and will only execute if the correct key is provided in the URL.
Step 1: Configure the Encrypter
-
Open the
encrypter/encrypter.phpfile in a text editor in your own machine. -
Change the default secret key. This is the most important step. Modify the
$keyvariable to a long, unique, and random string. This will be your password.// encrypter/encrypter.php // CONFIG $method = "AES-256-CBC"; // !!! CHANGE THIS KEY TO YOUR OWN SECRET PASSWORD !!! $key = "your-new-super-secret-key-that-nobody-can-guess123!@#"; $iv = random_bytes(16);
Step 2: Generate the Encrypted Shell
- enter the encrypter Folder
cd encrypter - run the encrypter script using the command line:
php encrypter/encrypter.php
- You will see a confirmation message:
encrypted.php generated successfully. A new file,encrypted.php, has now been created in the same directory.
Step 3: Deploy and Access
- Upload the
encrypted.phpfile to the target server. - To access the shell, open your browser and navigate to the following URL, replacing the key with the one you set in Step 1:
http://target.com/path/to/encrypted.php?decrypt=your-new-super-secret-key-that-nobody-can-guess123!@#
- If the key is correct, the web shell will be decrypted and executed in memory, and you will see the full interface.
- If the key is incorrect or missing, the script will immediately respond with a
404 Not Founderror, effectively hiding its presence.
This tool was developed by Bawan.
This project is licensed under the MIT License. Please review the license file for more details on your rights and obligations.