USE ONLY DURING LEGAL AND AUTHORIZED ACTIVITIES, eg Penetration Tests with a legal agreement.
The first version of this JAVA WebShell. It is pretty old, please search the last UPDATE!
Many links (known_bugs, HELP files, etc…) cannot be seen from this page: you need either to upload the war file and see them from there, or eiter unzip the war file and to to the web/help/… path
WSH is Web-SHell written in Java to be used in Java environments. A Web Shell is a Web Application that acts like a shell to let you execute commands on a target. Actually, this is a little more than a webshell, because it gives you an user friendly “File Manager” to examinate file systems, and a way to open a backdoor on a taget.
You should use this utility uploading the war file through the Application Server management console (Tomcat Manager, Weblogic Console, SunAS console, etc…) and then visiting the deploy page. If you are reading this web-help on a web page, and not by cat on you filesystem, you did everything correctly.
The application consist in a single web page you can reach in various way, but mainly go to
http(s)://[the_server_you_uploaded_into]:[the_server_port]/wsh/ to start
to http(s)://[the_server_you_uploaded_into]:[the_server_port]/wsh1.1.0/ to start
As you can see, there are two frames in this page (you can easily resize one of them to “conceal” it and use only the other one):
- The upper one, referred as the “Web Shell“
- The lower one, referred as the “File Manager“
I think it’s very clear what anyone can do using the lower side functions: you can navigate the whole filesystem quickly, reading text (and no-text) files, seeing images, and so on… Only an important note: DON NOT CLICK/VISUALIZE/cat A UNIX/LINUX DEVICE. If you don’t know what this can cause, perhaps you should not use this software. You will display the flow of the device content and the whole application will probably hang; you may seriously harm the server, at least from a prestational point of view. In addition, you won’t be able to stop the process if you did not use the “Max time execution” function (see down)
If your target is a Windows SO, you should pay attention to a couple of things; please refer to Known Bugs (you can see it only from the webshell, path web/help/known_bugs.txt) for details.
If your target is a Windows SO, you should pay attention to a couple of things; please refer to Known Bugs for details.
The web shell has many functionality, divided into columns of a big table on the upper side of the screen. Reading them from left to right:
- The green elements shows basic/extended informations about you target
- Shell and Shell Path Choice forms let you choose which shell to use
- Max Execution Time form let you specify the maximum ammount of time a command can run
- Alias Settings form let you add command aliases
- Backdoor let you open a backdoor to simulate a shell
Please remember this is an application written to support ethical hackers, not to show how to write secure applications! It has many bugs, many parameters are not sanitized, and requests/sessions are not built to resist users manipulation. If you find a security hole, i will not fix it: the application itself is intended to be an enourmus security hole!!
The application is not W3C compliant, not validated against any HTTP DTD/XmlSchema; this is done on purpose, because such standards have no sense if applied on an extremely dedicated and particular contest like this.