hett-patell/ShardShell
GitHub: hett-patell/ShardShell
Stars: 3 | Forks: 0
# ShardShell - Smoker Shell v4.0
Advanced PHP web shell built for authorized penetration testing and red team engagements. Two versions: Linux and Windows, each tuned with OS-native commands and priv-esc vectors.
## Versions
| File | Target OS | Notes |
|---|---|---|
| `shell-linux.php` | Linux / macOS | Uses `/proc`, `find -perm`, `crontab`, `ss`, etc. |
| `shell-windows.php` | Windows / IIS | Uses `whoami /priv`, `wmic`, `schtasks`, `netstat -ano`, registry checks, etc. |
## Features
Both versions share the same core framework and UI. OS-specific modules differ as shown:
| Module | Linux | Windows |
|---|---|---|
| **Dashboard** | System stats, PHP config | Same |
| **File Manager** | Browse, edit, upload, download, hex view, chmod | Same (minus chmod) |
| **Terminal** | `sh` commands, session history | `cmd.exe` commands, session history |
| **System Recon** | `/proc`, `ps aux`, cron, `/etc/passwd` | `systeminfo`, `tasklist`, `schtasks`, `net user`, `whoami /all` |
| **Network Tools** | Port scan, revshell gen (11 types), `dig` | Port scan, revshell gen (11 types incl. PowerShell/mshta), `nslookup` |
| **Database** | MySQL, SQLite | MySQL, MSSQL (sqlsrv), SQLite |
| **Priv-Esc** | SUID/SGID, capabilities, kernel CVEs, sudo, container detection | Token privileges, unquoted service paths, AlwaysInstallElevated, AutoLogon, stored creds, WiFi passwords, AV detection |
| **Encoding** | Base64, Hex, URL, HTML, ROT13, hashing | Same |
| **Stealth** | Apache/Nginx/syslog clearing, bash history | Windows Event Log clearing (wevtutil), IIS log clearing, PowerShell history |
## Deployment
Drop the appropriate version into any PHP-enabled web server directory.
```bash
# Local test
php -S 0.0.0.0:8888 -t .
```
Default password: `admin` — change `$CONF['passwd']` at the top of the file.
## Build System
ShardShell ships with a build-time obfuscator that produces hardened, AV-evasive PHP shell variants from clean source. The builder runs as a Python 3 CLI — no PHP runtime needed at build time.
### Quick Start
```bash
# Build all variants (standard + loader)
./build/build.sh --all
# Build with lint verification (requires podman or php-cli)
./build/build.sh --all --lint
# Custom build
python3 build/obfuscate.py shell-linux.php -o shell-obf.php
python3 build/obfuscate.py shell-linux.php --loader -o shell-enc.php
```
### Obfuscation Levels
| Level | Techniques |
|---|---|
| `none` | Comment stripping + minification only |
| `standard` (default) | Comment stripping, XOR+base64 string encoding, variable renaming, safe minification |
| `aggressive` | All above + function call indirection |
### Loader Mode (`--loader`)
Wraps the entire obfuscated payload in a self-decrypting loader:
1. **XOR** payload with a 32-byte random key
2. **GZip** compress (level 9)
3. **Base64** encode
4. Ship as `".gzinflate(XOR(base64_decode(payload),key))) ?>`
The original shell never appears in plaintext — even `strings` shows nothing recognizable. Loader output is ~37% the size of the original.
### What Gets Obfuscated
| Technique | Effect |
|---|---|
| **String encoding** | All single-quoted string literals → `_sXXXX("base64...")` calls, decoded at runtime with embedded XOR key |
| **Variable renaming** | `$command`, `$result`, etc. → random identifiers (superglobals preserved) |
| **Comment stripping** | Removes `//`, `#`, `/* */` comments; correctly handles `?>` within comments |
| **Minification** | Collapses PHP whitespace only; HTML/CSS/JS blocks left intact |
| **Function indirection** (aggressive) | `exec()` → `_f('exec')()`, `shell_exec()` → `_f('shell_exec')()` via runtime lookup |
### Output
| File | Typical Size |
|---|---|
| `dist/shell-linux-obf.php` | ~105 KB |
| `dist/shell-windows-obf.php` | ~110 KB |
| `dist/shell-linux-loader.php` | ~35 KB |
| `dist/shell-windows-loader.php` | ~37 KB |
### Manual AV Evasion (no build system)
For bare-metal deployments, wrap with a `__halt_compiler()` loader:
```php
'.$f(substr(file_get_contents(__FILE__),__COMPILER_HALT_OFFSET__+1)));__halt_compiler();
{base64 encoded shell here}
```
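An added triage helper for incident responders, not part of ShardShell: it scans a PHP file for the artifact shapes this README attributes to the builder output (`_sXXXX("...")` string stubs, `_f('exec')()` indirection, the `gzinflate(base64_decode(...))` chain and the `__COMPILER_HALT_OFFSET__` loader) and tries to decode the blob that follows `__halt_compiler();`. The 4-character alphanumeric stub suffix, the quoting style, the scoring weights and the sample inputs are assumptions constructed for this example.

```python
import base64
import binascii
import re
# Indicator shapes follow this README's description of the builder output; the
# 4-char alphanumeric stub suffix and double-quoted base64 argument are assumptions.
INDICATORS = {
    "string_stub": re.compile(r"\b_s[A-Za-z0-9]{4}\(\s*\"[A-Za-z0-9+/=]{8,}\"\s*\)"),
    "func_indirection": re.compile(
        r"\b_f\(\s*['\"](?:exec|shell_exec|system|passthru|popen|proc_open)['\"]\s*\)\s*\("),
    "inflate_chain": re.compile(r"gzinflate\s*\([^;]*base64_decode\s*\("),
    # Phar stubs also end in __halt_compiler(); alone this is a weak signal, so
    # triage() adds weight only when the trailing blob decodes to PHP source.
    "halt_loader": re.compile(
        r"__COMPILER_HALT_OFFSET__\s*\+\s*1[\s\S]*?__halt_compiler\s*\(\s*\)\s*;", re.I),
}
PHP_MARKERS = (b"<?php", b"$_POST", b"$_GET", b"shell_exec", b"passthru")

def scan_indicators(src: str) -> dict:
    """Count occurrences of each indicator in PHP source text."""
    return {name: len(pat.findall(src)) for name, pat in INDICATORS.items()}

def extract_halt_payload(raw: bytes):
    """Decode the blob after __halt_compiler(); None if it is not strict base64."""
    m = re.search(rb"__halt_compiler\s*\(\s*\)\s*;", raw, re.I)
    if not m:
        return None
    tail = re.sub(rb"^\s*\?>", b"", raw[m.end():]).strip()
    try:
        return base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return None  # binary phar data or an unrelated tail

def triage(raw: bytes) -> tuple:
    """Score: 1 per indicator kind present, +2 if the halt payload decodes to PHP."""
    hits = [k for k, n in scan_indicators(raw.decode("latin-1")).items() if n]
    score = len(hits)
    payload = extract_halt_payload(raw)
    if payload is not None and any(mark in payload for mark in PHP_MARKERS):
        hits.append("halt_payload_is_php")
        score += 2
    return score, hits

# Constructed, inert samples: builder-style stubs, and a halt-compiler loader
# whose trailing blob is base64 of a harmless PHP echo.
SAMPLE_OBF = ('<?php $a=_sA1b2("aGVsbG8gd29ybGQ=");$r=_f(\'exec\')($a);'
              '$x=gzinflate(base64_decode($p));').encode()
SAMPLE_HALT = (b"<?php $f='base64_decode';$x=$f(substr(file_get_contents(__FILE__),"
               b"__COMPILER_HALT_OFFSET__+1));__halt_compiler();\n"
               + base64.b64encode(b"<?php echo 'constructed payload';"))
```

Run it over a webroot with `triage(open(path, "rb").read())` per file and review anything scoring 2 or higher; a plain phar stub scores 0 because its trailing data is not base64.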
## Disclaimer
This tool is intended **exclusively** for authorized security assessments and penetration testing under a valid contract or written authorization. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse.
## License
MIT - see [LICENSE](LICENSE).
## The Shard ecosystem
| Repo | What it does |
|---|---|
| [ShardLure](https://github.com/hett-patell/ShardLure) | SSH honeypot + threat-intel dashboard |
| [ShardC2](https://github.com/hett-patell/ShardC2) | Red-team C2 framework in Go |
| [ShardFlow](https://github.com/hett-patell/ShardFlow) | Layer-2 LAN workbench (ARP, drop, throttle) |
| [ShardShell](https://github.com/hett-patell/ShardShell) | PHP post-exploitation shell |
| [ShardPass](https://github.com/hett-patell/ShardPass) | Minimal TOTP authenticator (Chrome MV3) |
| [ShardPet](https://github.com/hett-patell/ShardPet) | Pixel-Pokémon browser extension |