I am covering most of the interesting web shells that we are aware of. 12309.php (yes, this is the name!) caught our attention for a number of reasons. Before we get to those, feel free to read about two of our favourite stealth PHP backdoors – weevely and WeBaCoo.
So, 12309.php is an advanced web shell whose main aim is executing shell commands in every possible way. It is written in PHP and released under a 3-clause BSD license. In addition to executing shell commands, it has a number of interesting features, listed below. 12309.php also lets you read files via MySQL!
Features of 12309.php:
You can choose which function to execute code with (+pcntl_exec, +ssh2_exec)
Internal Perl, Python and SSI mini-webshells: save them to disk and run them if PHP's system functions are disabled
Backconnect/bind port in PHP and Python, plus "classic" Perl and C backconnect/bind. There are also several small one-line backconnects in different languages, useful because they do not need to save a temporary file anywhere
Fully interactive backconnect in Python (yes, you can even run vim and mc over the backconnect!)
On old PHP versions (such as 5.1.6 and 5.2.9) this script can bypass open_basedir and read other users' files (if it is running with the web server's rights, i.e. under apache-mpm-prefork or -worker rather than -itk or -peruser, and if your account is not in a chroot/jail). It can also read files via MySQL and via the usual file_get_contents
Nice extra functions (file manager, file editor, system info, text encoders/decoders, local open-port scanner, etc.)
Now, what we liked about this web shell is that you can use the pcntl_exec or ssh2_exec methods to execute files. pcntl_exec is a thin wrapper around the execve() function that runs a program in the current process space. This means the program you launch runs normally, with the same PID PHP had before it called pcntl_exec(), but it replaces the PHP process entirely! With ssh2_exec, another execution option included with 12309.php, you can execute a command on a remote server! Another thing we like about 12309.php is that if the PHP subsystem denies access to your favourite commands, you can try the included Perl, Python or Server Side Includes (SSI) shells. They have limited functionality compared to 12309.php, but something is better than nothing, right? If only stealth features like those of WeBaCoo and Weevely were added to this one. The backconnect feature could help under some circumstances; the catch is that 12309.php's traffic could occur on uncommon ports and be detected.
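From the defender's side, the features above are also the indicators to hunt for: a PHP file that reaches for pcntl_exec or ssh2_exec, opens sockets for a backconnect, probes disable_functions to pick a fallback, and feeds request parameters into any of that is worth a look regardless of its file name. The scanner below is an added example written for this post, not code from 12309.php or its author; the indicator sets, the weights and the two PHP fixtures it scans are constructed assumptions for illustration, and the threshold is a heuristic you would tune against your own code base.

```python
"""Added example: flag PHP files that carry the execution, backconnect and
file-reading primitives described for 12309.php. Defender-side indicator
scanner; all fixtures below are constructed, not real files."""
import re

# Execution primitives named in the post (pcntl_exec, ssh2_exec) plus the
# standard PHP command-execution functions such a shell falls back on.
EXEC_FUNCS = {"pcntl_exec", "ssh2_exec", "system", "exec", "shell_exec",
              "passthru", "proc_open", "popen"}
# Socket primitives behind backconnect / bind-port features.
NET_FUNCS = {"fsockopen", "socket_create", "socket_connect",
             "stream_socket_client", "stream_socket_server"}
# Primitives behind the file-reading tricks (file_get_contents, MySQL LOAD_FILE).
READ_FUNCS = {"file_get_contents", "load_file"}
ALL_FUNCS = EXEC_FUNCS | NET_FUNCS | READ_FUNCS

# PHP function names are case-insensitive, so matched names are lower-cased.
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
DISABLE_RE = re.compile(r"disable_functions", re.IGNORECASE)

SUSPICIOUS_THRESHOLD = 5  # assumption: tune against your own code base


def scan_php(source: str) -> dict:
    """Return indicator counts, a heuristic score and a verdict for one PHP file."""
    counts = {}
    for name in CALL_RE.findall(source):
        name = name.lower()
        if name in ALL_FUNCS:
            counts[name] = counts.get(name, 0) + 1

    exec_hits = [n for n in counts if n in EXEC_FUNCS]
    net_hits = [n for n in counts if n in NET_FUNCS]
    read_hits = [n for n in counts if n in READ_FUNCS]
    uses_input = bool(SUPERGLOBAL_RE.search(source))
    probes_disabled = bool(DISABLE_RE.search(source))

    # Weights are an assumption: distinct exec primitives weigh most, sockets
    # next, file reads least; request input alongside exec primitives, and
    # probing of disable_functions to choose a fallback, each add to the score.
    score = 3 * len(exec_hits) + 2 * len(net_hits) + len(read_hits)
    if exec_hits and uses_input:
        score += 3
    if probes_disabled:
        score += 2

    return {
        "indicators": counts,
        "uses_request_input": uses_input,
        "probes_disable_functions": probes_disabled,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean",
    }


def scan_tree(files: dict) -> list:
    """Scan {path: source}; return (path, score, verdict) rows, highest score first."""
    rows = []
    for path, src in files.items():
        result = scan_php(src)
        rows.append((path, result["score"], result["verdict"]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed fixtures: an ordinary include that only reads its own config,
# and a fragment carrying the kinds of primitives the post describes (with
# undefined variables, so it is a detection fixture rather than working code).
BENIGN_PHP = """<?php
$cfg = json_decode(file_get_contents(__DIR__ . '/config.json'), true);
echo htmlspecialchars($cfg['title']);
"""

SHELL_LIKE_PHP = """<?php
$disabled = ini_get('disable_functions');
if (function_exists('pcntl_exec')) { pcntl_exec('/bin/sh', array('-c', $cmd)); }
if (function_exists('ssh2_exec')) { $out = ssh2_exec($conn, $cmd); }
$sock = fsockopen($_POST['h'], (int) $_POST['p']);
$res = mysql_query("SELECT LOAD_FILE('/etc/passwd')");
"""

if __name__ == "__main__":
    tree = {"index.php": BENIGN_PHP, "uploads/12309-like.php": SHELL_LIKE_PHP}
    for path, score, verdict in scan_tree(tree):
        print(f"{verdict:10} {score:3} {path}")
```

Run it against a web root by reading each .php file into the dictionary passed to scan_tree; the shell-like fixture scores 14 while the config reader scores 1, and only the former crosses the threshold. Because function names are matched by call syntax rather than by substring, string arguments such as function_exists('pcntl_exec') do not count on their own, which keeps the shell's own capability probing from double-counting.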