Java WebSHell – wsh README

USE ONLY DURING LEGAL AND AUTHORIZED ACTIVITIES, eg Penetration Tests with a legal agreement.

The first version of this JAVA WebShell. It is pretty old, please search the last UPDATE!

Many links (known_bugs, HELP files, etc…) cannot be seen from this page: you need either to upload the war file and see them from there, or eiter unzip the war file and to to the web/help/… path

WSH is Web-SHell written in Java to be used in Java environments. A Web Shell is a Web Application that acts like a shell to let you execute commands on a target. Actually, this is a little more than a webshell, because it gives you an user friendly “File Manager” to examinate file systems, and a way to open a backdoor on a taget.

You should use this utility uploading the war file through the Application Server management console (Tomcat Manager, Weblogic Console, SunAS console, etc…) and then visiting the deploy page. If you are reading this web-help on a web page, and not by cat on you filesystem, you did everything correctly.
The application consist in a single web page you can reach in various way, but mainly go to

http(s)://[the_server_you_uploaded_into]:[the_server_port]/wsh/ to start

or try

to http(s)://[the_server_you_uploaded_into]:[the_server_port]/wsh1.1.0/ to start

As you can see, there are two frames in this page (you can easily resize one of them to “conceal” it and use only the other one):

  1. The upper one, referred as the “Web Shell
  2. The lower one, referred as the “File Manager

I think it’s very clear what anyone can do using the lower side functions: you can navigate the whole filesystem quickly, reading text (and no-text) files, seeing images, and so on… Only an important note: DON NOT CLICK/VISUALIZE/cat A UNIX/LINUX DEVICE. If you don’t know what this can cause, perhaps you should not use this software. You will display the flow of the device content and the whole application will probably hang; you may seriously harm the server, at least from a prestational point of view. In addition, you won’t be able to stop the process if you did not use the “Max time execution” function (see down)

If your target is a Windows SO, you should pay attention to a couple of things; please refer to Known Bugs (you can see it only from the webshell, path web/help/known_bugs.txt) for details.

If your target is a Windows SO, you should pay attention to a couple of things; please refer to Known Bugs for details.
The web shell has many functionality, divided into columns of a big table on the upper side of the screen. Reading them from left to right:

Please remember this is an application written to support ethical hackers, not to show how to write secure applications! It has many bugs, many parameters are not sanitized, and requests/sessions are not built to resist users manipulation. If you find a security hole, i will not fix it: the application itself is intended to be an enourmus security hole!!
The application is not W3C compliant, not validated against any HTTP DTD/XmlSchema; this is done on purpose, because such standards have no sense if applied on an extremely dedicated and particular contest like this.

Always read Known Bugs before using any function
Please read Future Works for a list of planned upgrades


2 thoughts on “Java WebSHell – wsh README

  1. Pingback: Java WebSHell – wsh-g UPDATE « Goats Uncovered

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s