SubShell Web Shell Framework

Author: Joe Vest

Copyright 2015 - SubShell

Written by: Joe Vest

Company: MINIS

DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes.

Please read the LICENSE in LICENSE.md for the licensing information

  _________    ___      _________ __            __   __   
 /   _____/__ _\  |__  /   _____/|  |__   ____ |  | |  |  
 \_____  \|  |  \ __ \ \_____  \ |  |  \_/ __ \|  | |  |  
 /        \  |  / \_\ \/        \|   |  \  ___/|  |_|  |__
/_________/____/|_____/_________/|___|__/\_____>____/____/

SubShell - Webshell Console - Joe Vest - 2015

Usage: 
    subshell.py  --url=<url>
    subshell.py  --url=<url> [--useragent=<useragent>] [--logdir=<logdir>] [--debug] [--mysqlu=<MySQL Username>] [--mysqlp=<MySQL Password>] [--mysqls=<MySQL Server>]
    subshell.py (-h | --help) More Help and Default Settings

Options:
    -h --help                This Screen
    --url=<url>              URL source of webshell (http://localhost:80)
    --useragent=<useragent>  User-Agent String to use [default: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)]
    --mysqlu=<username>      Set MYSQL Username
    --mysqlp=<password>      Set MySQL Password
    --mysqls=<server>        Set MySQL Server IP or Hostname
    --logdir=<logdir>        Directory path to logs [default: ./logs]
    --debug                  Enable Debugging

SubShell is a Python command shell used to control and execute commands through HTTP requests to a webshell. SubShell acts as the interface to the remote webshells.

SubShell has a companion project named TinyShell. TinyShell is similar and may offer benefits over SubShell in certain situations.

TinyShell - https://github.com/minisllc/tinyshell

This project was born out of the need for a consolidated webshell framework. There are numerous available, but I wanted to create a backend framework that supports numerous web languages with a common backend.

This project uses the principle of hiding in plain sight (even over non-encrypted communications). The goal is to minimize attention. Like numerous malicious tools, it is easy for defenders to find once they have a reason to look. This project is designed to be stealthy, not through high-tech means, but by minimizing the triggering of defenses such as IDS, firewalls, AV etc.

How does it do this?

Current Features

Python Dependencies

SubShell Console Reference

Interaction with a remote 'shell' using SubShell is similar to a non-interactive shell. Non-interactive commands can be submitted and the results displayed.

If an interactive command is submitted, the command will not return and SubShell will display a timeout error. This is an HTTP timeout, not an indication of whether the command executed or not.

| Command | Description | Example |
| --- | --- | --- |
| cd | change directory | cd c:\temp |
| command | Optional command used to issue a remote command. If no other built-in command matches, then this command is assumed. | command tasklist |
| config | Show current settings | config |
| dir | directory command | dir c:\temp |
| download | download remote file. Files are stored in ./downloads. The original file structure is created. | download c:\temp\myfile.txt |
| exit | exit command shell | exit |
| help | Display help for commands | help |
| history | show command history | history |
| ls | alias for dir | ls c:\temp |
| mysql | Issue SQL command to MySQL server based on MySQL configuration | mysql show databases |
| mysql_db | Select MySQL database | mysql_db mysql |
| mysql_password | Select MySQL password | mysql_password password |
| mysql_server | Select MySQL server | mysql_server localhost |
| mysql_username | Select MySQL username | mysql_username root |
| ps | List processes | ps |
| pwd | show current directory | pwd |
| python | drop to interactive Python shell | python |
| shell | submit command to local shell | shell ifconfig |
| status | Show status for uploads and downloads | status |
| timeout | display or set the command timeout setting in seconds | timeout 120 |
| upload | upload file to remote server | upload myfile.txt c:\windows\temp\myfile.txt |

API Used to Communicate to web shells

All commands submitted to the shell are POST requests with a minimum of two parameters (sessionid, command).

POST Parameters

| Parameter | Description |
| --- | --- |
| sessionid | Used to 'authenticate' requests and minimize replay attacks. Based on the current time; any request outside a +/- 12 hour window will not be allowed. If the time is off, an HTTP 408 is sent with the HTTP header expires:'timevalue'. SubShell can use this value to adjust the authentication value it sends. |
| apikey | used to submit OS commands |
| apikeyd | Download file from remote host |
| apikeyu | Upload file to remote host |
| feed | stores Base64 encoded file. Used for upload |

Features Support by Shell Type

| Feature | Supported shell types (jsp, aspx, asp, php) |
| --- | --- |
| Replay Protection | jsp, aspx, asp, php |
| Issue command | jsp, aspx, asp, php |
| Upload | two of the four shell types (the per-column marks did not survive extraction) |
| Download | jsp, aspx, asp, php |
| MySQL connector | one of the four shell types (the per-column mark did not survive extraction) |
| 404 on GET | jsp, aspx, asp, php |
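From a defender's side, the API and feature tables above describe a recognisable traffic shape: POSTs carrying sessionid together with apikey/apikeyd/apikeyu/feed, a 408 with an Expires header when the time window is missed, and a path that answers 404 to GET yet accepts POSTs. The following detection logic is an added example, not SubShell's own code; it assumes a constructed record format (method, path, status, form-field names, response header names) such as a WAF or reverse proxy could emit.

```python
# Added example (not part of SubShell): flag proxy/WAF records that match the
# SubShell POST API described on this page. Record layout is a constructed
# assumption: dicts with method, path, status, form_fields, resp_headers.
from collections import defaultdict

# Parameter names taken from the SubShell API table.
SUBSHELL_PARAMS = {"apikey", "apikeyd", "apikeyu", "feed"}

def classify(record):
    """Return the SubShell-like indicators found in a single request record."""
    reasons = []
    fields = set(record.get("form_fields", ()))
    headers = {h.lower() for h in record.get("resp_headers", ())}
    if record["method"] == "POST" and "sessionid" in fields and fields & SUBSHELL_PARAMS:
        reasons.append("post-with-sessionid-and-apikey")
    if record["method"] == "POST" and record["status"] == 408 and "expires" in headers:
        reasons.append("408-with-expires-header")  # time re-sync reply from the table
    return reasons

def find_suspect_paths(records):
    """Aggregate indicators per path; also flag paths that 404 on GET but
    accept POSTs (the '404 on GET' feature). Returns {path: sorted reasons}."""
    per_path = defaultdict(lambda: {"reasons": set(), "get404": False, "post": False})
    for r in records:
        info = per_path[r["path"]]
        info["reasons"].update(classify(r))
        if r["method"] == "GET" and r["status"] == 404:
            info["get404"] = True
        if r["method"] == "POST":
            info["post"] = True
    out = {}
    for path, info in per_path.items():
        reasons = set(info["reasons"])
        if info["get404"] and info["post"]:
            reasons.add("404-on-get-but-accepts-post")
        if reasons:
            out[path] = sorted(reasons)
    return out

# Constructed sample traffic: one benign form POST and one SubShell-style exchange.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/contact.php", "status": 200,
     "form_fields": ["name", "email", "message"], "resp_headers": ["Content-Type"]},
    {"method": "GET", "path": "/img/logo.php", "status": 404, "form_fields": []},
    {"method": "POST", "path": "/img/logo.php", "status": 408,
     "form_fields": ["sessionid", "apikey"], "resp_headers": ["Expires"]},
    {"method": "POST", "path": "/img/logo.php", "status": 200,
     "form_fields": ["sessionid", "apikeyu", "feed"], "resp_headers": ["Content-Type"]},
]

if __name__ == "__main__":
    for path, reasons in find_suspect_paths(SAMPLE_RECORDS).items():
        print(path, ", ".join(reasons))
```

Only the "/img/logo.php" path is reported for the constructed sample; the benign contact form produces no indicators.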

Initial Thought and Requirements to build project