Versus71
Posted April 30, 2012

12309.php is an advanced webshell whose main aim is executing shell commands in all possible ways. It obviously has been coded in PHP and is released with a 3-clause BSD license. In addition to executing shell commands, it has a lot of interesting features as under. 12309.php also allows you to read files with mysql.

Features:

- You could choose desired function to execute code with (+pcntl_exec, +ssh2_exec)
- Internal Perl, Python and SSI mini-webshells – save them to disk and run, if PHP system functions are disabled
- Backconnect/bind port on PHP, Python, and “classic” perl and C backconnect/bind. Also there are several small one-line backconnects on different languages, useful too coz they do not need to save temporary file somewhere
- Fully interactive backconnect on Python (yes, you can run even vim & mc via backconnect!)
- On old PHP versions (such as 5.1.6, 5.2.9) this script could bypass open_basedir and read other users' files (if you're running it with webserver's rights, i.e. kind of apache-mpm-prefork or -worker, not kind of -itk or -peruser, and if your account is not in chroot/jail). Also there is the ability to read files with mysql and with usual file_get_contents
- Nice extra functions (file manager, file editor, system info, text coders/decoders, local open ports scanner, etc)

Now, what we liked about this webshell is that you can use pcntl_exec or ssh2_exec methods to execute files. pcntl_exec is a thin wrapper around the execve() function that runs programs in the current process space. This means that the program that you launch runs normally, with the same PID as PHP had before it called pcntl_exec(), but it replaces the PHP process entirely! With ssh2_exec – another execution option included with 12309.php – you can execute a command on a remote server!

Another thing that we like about 12309.php is that if the PHP subsystem denies access to your favourite commands, you can try and execute the included Perl, Python or Server Side Includes (SSI) shells. Albeit they will have limited functionality compared to 12309.php, something is better than nothing, right? If only stealth features like [hidden content] and [hidden content] were added to this one.

The backconnect feature could help you under some circumstances. Just that 12309.php traffic could occur on uncommon ports and be detected.
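
A defender's check for the execution paths the post describes, as an added example that is not part of the original post or of 12309.php: it reports which command-execution functions a php.ini leaves enabled and flags direct calls to them in PHP source. The function list beyond pcntl_exec and ssh2_exec, the helper names, and both sample inputs are assumptions constructed for this example.

```python
import re

# The two functions the post singles out, plus PHP's standard command-execution
# functions (the wider list is an assumption of this example).
EXEC_FUNCS = ["pcntl_exec", "ssh2_exec", "system", "exec", "shell_exec",
              "passthru", "popen", "proc_open"]

# Match a direct call only: not $var(, ->method(, ::method( or names like curl_exec(.
CALL_RE = re.compile(r"(?<![\w$>:])(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)

def enabled_exec_funcs(php_ini_text):
    """Return the EXEC_FUNCS entries that disable_functions does not cover."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()           # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)", line, re.I)
        if m:                                          # a later line overrides an earlier one
            names = m.group(1).strip().strip('"').split(",")
            disabled = {n.strip().lower() for n in names if n.strip()}
    return [f for f in EXEC_FUNCS if f not in disabled]

def find_exec_calls(php_source):
    """Return (line_number, function) for each direct call found in the source."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits

# Constructed sample inputs.
SAMPLE_INI = """\
; hardening list that forgets the two functions the post highlights
disable_functions = system, exec, shell_exec, passthru ; set by ops
"""
SAMPLE_PHP = """\
<?php
$out = curl_exec($ch);
$db->exec("VACUUM");
pcntl_exec("/bin/ls", ["-l"]);
$s = ssh2_exec($conn, "uptime");
"""

if __name__ == "__main__":
    print("still enabled:", enabled_exec_funcs(SAMPLE_INI))
    for lineno, func in find_exec_calls(SAMPLE_PHP):
        print(f"line {lineno}: {func}()")
```

The source scan is a static match on direct calls, so calls made through variable function names or callbacks are not seen; the php.ini check is the stronger of the two controls.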