Web shell For Linux

Wsh, "Web Shell" is a remote UNIX/WIN shell, that works via HTTP/HTTPS. The package contains two perl scripts for server and client hosts, one C source code and one Java servlet code for the server host : the client script is for console usage and the server scripts run as CGI/Servlet scripts on the target host.

The client part provides shell-like prompt, encapsulating user commands into HTTP POST requests and sending them to the server part script on the target web server directly or via HTTP proxy server.

The server part extracts and executes commands from HTTP post requests and returns STDOUT and STDERR output as HTTP response messages. By default both scripts encode HTTP data with Xor.

Here are some key features of "Web shell":

· SSL support · Command line history support · File upload/download · Protect server part script usage with secret key inside HTTP message · Data flow Xor encoding · Can work trough HTTP proxy server.

What's New in This Release:

· WSH server Java servlet version was added. · Disabled "why is it enabled ?" auth in wsh-c.conf. · Corrected header fields mistakes in wsh-c-* (X-* => HTTP_X*)

1. Check path to perl in the "config.pl" file;

2. Run "config.pl" : `./config.pl` OPTIONAL ---------------------------------------------------- Modify the file "wsh-c.conf", if you want to use HTTP proxy; use_proxy 1 proxy_ip port Check other client configuration options also.. -------------------------------------------------------------

3. For the wsh-s.c and WshServlet.java, check the Shell (*Nix or Win32) location;

4a. Perl server version : + Check path to perl and permissions of the newly created "wsh-c.pl"; + Upload wsh-s.pl under the target cgi-bin directory and check path to perl;

4b. C server version : + Upload wsh-s.c under the target cgi-bin directory and compile it (remove the source code after) : * Under *Nix : gcc -g2 -Wall -o wsh-s wsh-s.c * Under Win32 (Visual C++) : cl /W3 wsh-s.c ws2_32.lib * Under Win32 Cygwin : Set the WIN32_RUN variable in the source code and build it as for the *Nix version.

4c. Java servlet version : + Upload the java built version under a servlet executable location.

About SSL :

a. If you use a SSL wsh-c.pl client, you can configure the client to check the server certificate CN (but this check can be circumvented !): my $ssl_set_check=1; # (0 || 1) don't or check the webserver # ssl certificate with internal # ssl_crt_subject.

my $ssl_crt_subject="/C=Fr/ST=Paris/L=Paris/O=XXX/OU=XXX/CN=XXX"; => You only have to execute the wsh-c.pl client one time and grab the CN displayed by the error message.

b. We didn't check the wsh-c-SSL.pl client on a Win32 platform. If you manage to install the Net::SSLeay on Win32 and check wsh-c-SSL.pl, send us a mail.