Webhandler – Write your own module

What is webhandler:
A handler for PHP system functions & also an alternative ‘netcat’ handler that is written in Python.
Also it tries to simulate a ‘Linux bash prompt’ to handle and process:

  • PHP program execution functions e.g. system, passthru, exec, etc
  • Bind shell connections
  • Reverse shell connections

To learn more about webhandler, check our github page.
I’ll demonstrate how to write your own module and get it workin’ with webhandler.

For basic usage click HERE.

Through the following post I’ll guide you to write your own module and get it integrated into webhandler
Requirements:

  1. Writing simple codes in Python
  2. Knowing how things work in Linux

Webhandler’s core was written in OOP concept, so it will be easy to get some other codes implemented inside it,
but its up to you to get you module written in a class based or even a functional based.

Here’s the tree of the application:

.
├── core
│   └── libs
│       └── thirdparty
└── modules
    ├── bruters
    ├── icrackhash
    ├── scanners
    └── services

8 directories

In order to get your module working in webhandler you need to write it in some place within the app tree ‘modules/ recommended’ and register it into the executer.py module

Today will show how to write a port scanner in PHP and trigger it through a webhandler module.
First lets write our scanner in modules/scanners/ and give it a name e.g. port.php:

<?php
error_reporting(0);
$host = $argv[1];
$range = explode('-', $argv[2]);
for($i=$range[0]; $i<=$range[1]; $i++){
    $f = fsockopen($host, $i);
    if($f){
        echo "Connection to " . $host . " port " . $i . " succeeded!\n";
    }
    fclose($f);
}
?>

Lets check if the code works like expected:

ruinedsec

Now our port scanner works like expected and now we’re ready to write webhandler’s module that will trigger the php scanner

Before we start writing the module, Webhandler offers some pre-written methods that will help you to easily write you module e.g:

linux.get_writble_dir()   ->   That will offer you a writeable path in the document root
file_handler.upload_file(lfile, rfile)   ->   That will upload files into the remote system
file_handler.clean(file)   ->   That will remove files from remote system
make_request.get_page_source(cmd)  -> That will execute arbitrary command execution

Ok, Here’s the scenario to write the module:

  1. Calling linux.get_writble_dir() to get a writeable dir
  2. Calling file_handler.upload_file() to upload our PHP scanner
  3. Calling make_request.get_page_source() to execute the scanner
  4. Calling file_handler.clean() to clean the mess
  5. Register the module into executer.py

The module that will run the PHP code:

from core.libs.shell_handler import linux
from core.libs.file_handler import file_handler
from core.libs.request_handler import make_request
from core.libs.thirdparty.termcolor import cprint, colored

class Scanner(object):
    def help(self):
        msg = colored('\n[+] Usage: @scan  \n', 'blue')
        msg += colored('Example. @scan 127.0.0.1 1-2000', 'white')
        print(msg)

    def scan_host(self, host, range):
        folder = linux.get_writble_dir()
        if folder:
            cprint('[+] Uploading scanner to the box ...', 'green')
            scanner = folder + '/webhandler_scanner.php'
            file_handler.upload_file('modules/scanners/port.php', scanner)
            cmd = 'cd {0}; php {1} {2} {3}'.format(folder, scanner, host, range)
            cprint('\n[+] Scanning the target ...', 'green')
            cprint('----------------------------')
            try:
                output = make_request.get_page_source(cmd)
                if output:
                    print ""
                    for line in output:
                        cprint(line, 'white')
                else:
                    cprint('\n[+] Didn\'t find any open ports match the range "{0}"'.format(range), 'red')

                file_handler.clean(scanner)
            except KeyboardInterrupt:
                file_handler.clean(scanner)

scanner = Scanner()

Lets register the module into executer library:
1- Open core/libs/executer.py with you favorite text editor e.g. VIM
2- Import the module into the header e.g. from modules.scanners.scanner import scanner
3- Write a tiny method to trigger your module

    def scan(self, command):
        if len(command) != 3:
            scanner.help()
        else:
            scanner.scan_host(command[1], command[2])

4- Call the method into the constructor function

    def __init__(self):
        self.commands = {
            '@history': self.history,
            '@info': self.info,
            '@update': self.update,
            '@banner': self.banner,
            '@backdoor': self.backdoor,
            '@enum': self.enum,
            '@download': self.download,
            '@upload': self.upload,
            '@brute': self.brute,
            '@mysql': self.mysql,
            '@crack': self.cracker,
            '@scan': self.scan,
        }

Here is the result of the module:

webhanlder_scannerWritten by: Ahmed Shawky aka @lnxg33k

Advertisements
This entry was posted in web-application and tagged , , , , , , . Bookmark the permalink.

3 Responses to Webhandler – Write your own module

  1. Omar Ezz says:

    Awesome job, man..!
    Keep up, bro.. 😉

  2. Faris says:

    Nice tut , so useful as well 🙂
    keep up the good working bro

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s