Skip to content

bawanu/webshell-project

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Advanced Web Shell & AES Encrypter for Security Researchers

Author: Bawan GitHub: https://github.com/bawanu


Disclaimer

This tool is intended strictly for educational purposes and for use by authorized security professionals in legitimate, sanctioned security assessments. The author is not responsible for any misuse or damage caused by this tool. Unauthorized access to any system is illegal and unethical. Use at your own risk.

Overview

This project provides a powerful, feature-rich PHP web shell designed for penetration testers and security researchers. To enhance its stealth and deployment capabilities, the project also includes a separate AES-256-CBC encrypter. This allows the user to wrap the web shell in an encrypted form, making it harder to detect by signature-based scanners and security products.

The encrypted.php file will only execute the web shell in memory if the correct decryption key is provided as a GET parameter, otherwise, it will return a 404 Not Found error, revealing nothing about its true nature.

Web Shell Features

  • System Information: Get a detailed overview of the OS, PHP version, server software, and network configuration.
  • Full File Manager: Browse, upload, download, edit, create, and manage files and directories.
  • Interactive Command Terminal: Execute shell commands directly on the server.
  • Process Manager: View and kill running processes.
  • PHP Evaluation: Execute arbitrary PHP code securely.
  • Reverse Shell Utility: Easily generate and execute various reverse shell payloads (Bash, Python, PHP, Perl, etc.).
  • Network Scanner: Discover live hosts on the local network and perform port scanning on selected targets.
  • Advanced Security & Stealth:
    • Access Control Rules: Lock down the shell to specific IP addresses, user agents, or HTTP headers to prevent unauthorized access.
    • "Only Me" Mode: Instantly restrict access to your current browser session.
    • Session Management: Monitor and kick other active users.
    • Self-Destruct: Completely remove the shell and all its related tracking files from the server with a single click.

Project Structure

The project is organized into a clean and easy-to-understand structure:

.
├── web-shell/
│   └── webshell.php      # The core web shell source code
├── encrypter/
│   └── encrypter.php    # The AES encryption script
|   └── webshell.php     # the core webshell source code to be encrypted
├── LICENSE
└── README.md

How to Use

Clone the Repo

git clone https://github.com/bawanu/webshell-project.git

You can use the web shell in two ways: as a standalone script or in its encrypted, stealthier form.

Option 1: Standalone Mode (Unencrypted)

For quick assessments in a trusted environment, you can use the web shell directly.

  1. Navigate to the web-shell/ directory.
  2. Upload webshell.php to your target server.
  3. Access it via your browser: http://target.com/path/to/webshell.php?decrypt=anything
  4. CRUCIAL FIRST STEP: Immediately navigate to the "Users & Security" tab and configure access control rules. It is highly recommended to add a rule for your IP address to prevent anyone else from accessing the shell.

Option 2: Encrypted Mode (Recommended for Stealth)

This method provides a strong layer of obfuscation. The web shell is encrypted and will only execute if the correct key is provided in the URL.

Step 1: Configure the Encrypter

  1. Open the encrypter/encrypter.php file in a text editor in your own machine.

  2. Change the default secret key. This is the most important step. Modify the $key variable to a long, unique, and random string. This will be your password.

    // encrypter/encrypter.php
    
    // CONFIG
    $method = "AES-256-CBC";
    // !!! CHANGE THIS KEY TO YOUR OWN SECRET PASSWORD !!!
    $key = "your-new-super-secret-key-that-nobody-can-guess123!@#"; 
    $iv = random_bytes(16);

Step 2: Generate the Encrypted Shell

  1. enter the encrypter Folder cd encrypter
  2. run the encrypter script using the command line:
    php encrypter/encrypter.php
  3. You will see a confirmation message: encrypted.php generated successfully. A new file, encrypted.php, has now been created in the same directory.

Step 3: Deploy and Access

  1. Upload the encrypted.php file to the target server.
  2. To access the shell, open your browser and navigate to the following URL, replacing the key with the one you set in Step 1:
    http://target.com/path/to/encrypted.php?decrypt=your-new-super-secret-key-that-nobody-can-guess123!@#
    
  • If the key is correct, the web shell will be decrypted and executed in memory, and you will see the full interface.
  • If the key is incorrect or missing, the script will immediately respond with a 404 Not Found error, effectively hiding its presence.

Authorship & License

This tool was developed by Bawan.

This project is licensed under the MIT License. Please review the license file for more details on your rights and obligations.

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages