Hello there, I had the idea to create my own kind of PHP Adminshell today, and just wrote down a small "concept": what to include, what may be fun to integrate and how.
Some notes I made:
==== PHP Adminshell Concept v0.1 ====
== General ==
- Source code has a kind of build process, which allows
  enabling/disabling different types of modules
- Build process is done just by a normal PHP script,
  which combines multiple files into a single HTML file.
== Modularity ==
- Modules can be included; some examples can be a File Explorer,
  Shell Execution and some other gimmicks
- Modules are defined in 2 sections:
  - functions.php - Collection of functions used by the module
  - layout.php - Layout of the output
== Shell ==
Fallback using the 3 different functions of PHP, otherwise the module
gets deactivated, with a warning.
== PHP Env. Checker ==
Checks for security related warnings like base.path, version and
some other stuff.
Check for the current rights of php running, its owner and so on.
== Security/Misc ==
Some weirdo concepts:
The shell gets encrypted, using AES. The shell content is then saved as a string,
and gets decrypted at runtime. When eval() is available, the string gets executed using eval().
In case eval() is deactivated, but the current folder has write rights,
the code would create a tmp file, include it, and delete it. That way the
shellcode would persist encrypted, at least as long as there is no exact file logging.
Maybe there are some other weirdo concepts too, but that way the shell would be unable
to be detected by static scanners, since you can use another salt every time.
The key can be passed via Cookie or Header. Maybe even using a C&C server, which uses
the IP + specific User Agent for authentication, sent by the PHP script. That sounds rather
insecure, though.
== Why? ==
For me it's just some kind of educational project. I would love to hear any
opinions on whether that project is actually a fancy thing, and whether you have anything to add.
---------------------------
Thanks for reading.
Best Regards,
Schalla
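
The concept above changes the ciphertext with every salt, but the stub that decrypts and runs it keeps the same shape. As an added example (not part of the original post), here is a defender-side static heuristic that flags that stub in PHP source; the function names, regex set, entropy threshold and sample PHP snippets are all constructed assumptions.

```python
import base64, hashlib, math, re
from collections import Counter

# Heuristic patterns (assumed for this example, not a complete rule set)
DECRYPT = re.compile(r"\b(openssl_decrypt|mcrypt_decrypt)\s*\(")
REQUEST_KEY = re.compile(r"\$_COOKIE\b|\$_SERVER\s*\[\s*['\"]HTTP_|\bgetallheaders\s*\(")
EVAL = re.compile(r"\beval\s*\(")
WRITE = re.compile(r"\b(file_put_contents|fwrite)\s*\(")
INCLUDE = re.compile(r"\b(include|require)(_once)?\b")
UNLINK = re.compile(r"\bunlink\s*\(")
BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def findings(src):
    """Return the set of loader traits present in one PHP source string."""
    hits = set()
    if DECRYPT.search(src): hits.add("decrypt")
    if REQUEST_KEY.search(src): hits.add("request-key")
    if EVAL.search(src): hits.add("eval")
    if WRITE.search(src) and INCLUDE.search(src) and UNLINK.search(src):
        hits.add("write-include-delete")
    if any(entropy(b) > 5.0 for b in BLOB.findall(src)):
        hits.add("high-entropy-blob")
    return hits

def is_loader(src):
    """Decrypt output reaching an execution sink, fed by a request key or blob."""
    h = findings(src)
    return ("decrypt" in h and bool(h & {"eval", "write-include-delete"})
            and bool(h & {"request-key", "high-entropy-blob"}))

def sample_loader(seed):
    """Constructed sample: same stub, different pseudo-random blob per seed."""
    raw = b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(8))
    blob = base64.b64encode(raw).decode()
    return ("<?php $c = '" + blob + "';\n"
            "$p = openssl_decrypt($c, 'aes-256-cbc', $_COOKIE['k'], 0, $iv);\n"
            "eval($p);\n")

# Constructed sample: temp-file fallback with the key taken from a header
TMPFILE_SAMPLE = ("<?php $p = openssl_decrypt($c, 'aes-256-cbc', $_SERVER['HTTP_X_KEY'], 0, $iv);\n"
                  "file_put_contents($t, $p); include $t; unlink($t);\n")
# Constructed sample: ordinary decryption of stored data, no execution sink
BENIGN = ("<?php $key = file_get_contents('/etc/app/key');\n"
          "echo htmlspecialchars(openssl_decrypt($row, 'aes-256-gcm', $key));\n")
```

Two builds with different blobs produce identical findings, because the rule matches the decrypt-then-execute structure rather than the encrypted bytes.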