{"id":13777762,"url":"https://github.com/threatexpress/subshell","last_synced_at":"2025-08-15T14:13:14.153Z","repository":{"id":89453656,"uuid":"69883504","full_name":"threatexpress/subshell","owner":"threatexpress","description":"SubShell is a python command shell used to control and execute commands through HTTP requests to a webshell. SubShell acts as the interface to the remote webshells.","archived":false,"fork":false,"pushed_at":"2016-11-06T16:00:48.000Z","size":24,"stargazers_count":73,"open_issues_count":0,"forks_count":15,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-16T04:45:46.496Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/threatexpress.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-10-03T15:23:20.000Z","updated_at":"2025-04-13T04:04:02.000Z","dependencies_parsed_at":"2023-03-13T18:09:37.484Z","dependency_job_id":null,"html_url":"https://github.com/threatexpress/subshell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threatexpress%2Fsubshell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threatexpress%2Fsubshell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threatexpress%2Fsubshell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threatexpress%2Fsubshell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/threatexpress","download_url":"https://codeload.github.com/threatexpress/subshell/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249688551,"owners_count":21311244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T18:00:48.358Z","updated_at":"2025-04-19T11:52:43.769Z","avatar_url":"https://github.com/threatexpress.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"faa91844951d2c29b7b571c6e8a3eb54\"\u003e\u003c/a\u003e新添加"],"sub_categories":[],"readme":"# SubShell Web Shell Framework\n\nAuthor: Joe Vest\n\nCopyright 2015 - SubShell\n\nWritten by: Joe Veat\n\nCompany: MINIS\n\nDISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes.\n\nPlease read the LICENSE in LICENSE.md for the licensing information\n\n\n```\n  _________    ___      _________ __            __   __   \n /   _____/__ _\\  |__  /   _____/|  |__   ____ |  | |  |  \n \\_____  \\|  |  \\ __ \\ \\_____  \\ |  |  \\_/ __ \\|  | |  |  \n /        \\  |  / \\_\\ \\/        \\|   |  \\  ___/|  |_|  |__\n/_________/____/|_____/_________/|___|__/\\_____\u003e____/____/\n\nSubShell - Webshell Console - Joe Vest - 2015\n\nUsage: \n    subshell.py  --url=\u003curl\u003e\n    subshell.py  --url=\u003curl\u003e [--useragent=\u003cuseragent] [--logdir=\u003clogdir\u003e] [--debug] [--mysqlu=\u003cMySQL Username] [--mysqlp=\u003cMySQL Password\u003e [--mysqls=\u003cMySQL Server\u003e]]\n    subshell.py (-h | --help) More Help and Default Settings\n\nOptions:\n    -h --help                This Screen\n    --url=\u003curl\u003e              URL source of webshell (http://localhost:80)\n    --useragent=\u003cuseragent\u003e  User-Agent String to use [default: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)]\n    --mysqlu=\u003cusername\u003e      Set MYSQL Username\n    --mysqlp=\u003cpassword\u003e      Set MySQL Password\n    --mysqls=\u003cserver\u003e        Set MySQL Server IP or Hostname\n    --logdir=\u003clogdir\u003e        Directory path to logs [default: ./logs]\n    --debug                  Enable Debugging\n\n```\nSubShell is a python command shell used to control and execute commands through HTTP requests to a webshell.  SubShell acts as the interface to the remote webshells.  \n\nSubShell has a companion project named TinyShell.  TinyShell is similar and may offer benefits over SubShell in certain situations.\n\nTinyShell - https://github.com/minisllc/tinyshell\n\nThis project was born out of the need for a consolidated webshell framework.  There are numerous available, but I wanted to created backend framework that supports numerous web languages with a common backend.\n\nThis project uses the principle of hiding in plain sight (even over non-encrypted communications).  The goal is minimize attention.  Like numerous malicious tools, they are easy to find by defenders once they have a reason to look.  This project is designed to be stealthy, not through high-tech means, but by minimizing the triggering of a defenses such as IDS, Firewall, AV etc.\n\nHow does it do this?\n\n  - POST requests minmize data written web logs\n  - Encoded traffic helps avoid clear text detection \n  - Console interface forces a slow down when issuing commands.  Use of a webshell should be deliberate and focused.  Numerous connections may attract attention.\n  - Customization of user-agent to help blend in.\n  - Valid 404 errors displayed when attemped to connect to shell without 'authetnication' information\n\n## Current Features\n\n  - Designed for used agains Windows Based servers\n  - Supports shells in asp, aspx, php, jsp\n  - Logging of all actions\n  - Base64 encoded command sent and receivied in POST requests\n  - Invalid request generates a legitimate 404 message.\n  - Tracks current directory by implementing common commands (cd, pwd, ls, dir)\n  - Built in helper commands\n  - Simple replay attack prevention.  Uses a token that is only valid +/- 12 hours of current time.\n  - 'Authentication' using replay attack prevention\n\n## Python Dependencies\n \n - refer to requirements.txt\n\n## SubShell Console Reference \n\nInteraction with a remote 'shell' using subshell is similar to a non-interactive shell.  Non interactive commands can be submited and the results displayed.  \n\nIf an interactive command is submitted, the command will not return.  Command will display a timeout error.  This is an HTTP timeout and not an error of whether the command executed or not.\n\n\n| Command       | Description                                                                                                         | Example\n|---------------|---------------------------------------------------------------------------------------------------------------------|--------------------------------------\n|cd             | change directory                                                                                                    | cd c:\\temp\n|command        | Optional command used to issue remote command.  If no other built in command matches, then this command is assumed. | command tasklist\n|config         | Show current settings                                                                                               | config\n|dir            | directory command                                                                                                   | dir c:\\temp\n|download       | download remote file.  Files stored in ./downloads.  The original file structure is created.                        | download c:\\temp\\myfile.txt\n|exit           | exit command shell                                                                                                  | exit\n|help           | Display help for commands                                                                                           | help\n|history        | show command  history                                                                                               | history\n|ls             | alias for dir                                                                                                       | ls c:\\temp\n|mysql          | Issue SQL command to MySQL Server base on MySQL configuration                                                       | mysql show databases\n|mysql_db       | Select MySQL databse                                                                                                | mysql_db mysql\n|mysql_password | Select MySQL password                                                                                               | mysql_password password\n|mysql_server   | Select MySQL server                                                                                                 | mysql_server localhost\n|mysql_username | Select MySQL username                                                                                               | mysql_username root\n|ps             | List processes                                                                                                      | ps\n|pwd            | show current directory                                                                                              | pwd\n|python         | drop to interactive python shell                                                                                    | python\n|shell          | submit command to local shell                                                                                       | shell ifconfig \n|status         | Show status for Uploads and Downloads                                                                               | status\n|timeout        | display or set the command timeout setting in seconds                                                               | timeout 120\n|upload         | upload file to remote server.                                                                                       | upload myfile.txt c:\\windows\\temp\\myfile.txt\n\n\n## API Used to Communicate to web shells\n\nAll command submitted to the shell are POST request with a minimum of 2 parameters (sessionid,command)\n\nPOST Parameters\n\n|Parameter  | Description |\n|-----------|-------------|\n|sessionid  |Used to 'authenticate' requests and minimized replay attacks.  Based on current time.  Any request +/- 12hrs will not be allowed.  If the time is off an HTTP 408 will be sent with the HTTP header expires:'timevalue'.  SubShell can use this value to adjust its authentication it sends.|            \n|apikey     |used to submit OS commands|\n|apikeyd    |Download file from remote host|\n|apikeyu    |Upload file to remote host |\n|feed       |stores Base64 encoded file.  Used for upload |\n\n## Features Support by Shell Type\n\n|Feature           | jsp  | aspx | asp  | php  |\n|------------------|------|------|------|------|\n|Replay Protection |  x   |   x  |   x  |  x   |\n|Issue command     |  x   |   x  |   x  |  x   |\n|Upload            |  x   |      |      |  x   |\n|Download          |  x   |   x  |   x  |  x   |\n|MySQL connector   |      |      |      |  x   |\n|404 on GET        |  x   |   x  |   x  |  x   |\n\n \n----------------------------------------------------------------------------------- \n\n## Initial Thought and Requirements to build project\n  - Single command and control server\n  - Web shell payloads (3 versions)\n    - .jsp, .asp, .aspx\n  - Requests/Responses must be obfuscated or encrypted\n    - SubShell is currently using base64\n  - Web shell features\n    - File browsing – (track current directory)\n    - File Upload/Download\n    - Command execution\n    - HTTP POST Requests used for C2 traffic\n    - Non-POST Requests render a valid 404 response","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreatexpress%2Fsubshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthreatexpress%2Fsubshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreatexpress%2Fsubshell/lists"}