Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/elliottophellia/aizawa

Simple command-line webshell that executes commands via the HTTP request in order to avoid any WAF or IDS while bypassing disable_function.
https://github.com/elliottophellia/aizawa

1kb-webshell bypass bypass-disable-function bypass-webshell command-line command-line-tool hacking hacktoberfest mini-shell pantest pantesting penetration-testing-tools php php-backdoor php-webshell tiny-shell web-security webshell webshell-bypass-403 webshells

Last synced: 3 months ago
JSON representation

Simple command-line webshell that executes commands via the HTTP request in order to avoid any WAF or IDS while bypassing disable_function.

Host: GitHub
URL: https://github.com/elliottophellia/aizawa
Owner: elliottophellia
License: gpl-2.0
Created: 2022-12-05T01:13:58.000Z (about 2 years ago)
Default Branch: main
Last Pushed: 2023-12-05T04:38:01.000Z (about 1 year ago)
Last Synced: 2023-12-05T05:34:34.918Z (about 1 year ago)
Topics: 1kb-webshell, bypass, bypass-disable-function, bypass-webshell, command-line, command-line-tool, hacking, hacktoberfest, mini-shell, pantest, pantesting, penetration-testing-tools, php, php-backdoor, php-webshell, tiny-shell, web-security, webshell, webshell-bypass-403, webshells
Language: PHP
Homepage:
Size: 4.93 MB
Stars: 35
Watchers: 2
Forks: 5
Open Issues: 0
Metadata Files:
- Readme: readme.md
- License: LICENSE

Awesome Lists containing this project

README

Aizawa is a super simple command-line webshell that executes commands via the HTTP request in order to avoid any WAF or IDS while bypassing disable_function. The name Aizawa itself is taken from virtual youtuber Aizawa Ema from Virtual Esport Project. Ema herself is a girl who likes bread and cats. She's always trying to improve her game skills. She wants to be a neat and tidy character, but is she really?

# TODO - v2.0.0

# Minor
- [ ] Find a better code execution method with eval to replace the current one (aizawa_ninja_eval_.php) which not that effective in newer versions of PHP
- [ ] Find a PoC to bypass disable_function in PHP 8.2.X

# Major
- [ ] Remove both HTTP_USER_AGENT and HTTP_ACCEPT_LANGUAGE methods entirely from the code base
- [ ] Replace httpx with HackRequests
- [ ] Replace Headers.create with random-header-generator
- [ ] Implement a http proxy rotator with support from [elliottophellia/yakumo](https://github.com/elliottophellia/yakumo) for each request to make it difficult to track
- [ ] Implement a replacement for HTTP_USER_AGENT and HTTP_ACCEPT_LANGUAGE which will be using AIZAWA_NINJA like the other NINJA Shell
- [ ] Moving the webshell itself into new repository to reduce confusion

# Misc
- [ ] Implement an Authentication for the webshells

# Prerequisites

- Python 3.10
- Pip 22.0.2
- Httpx[http2] 0.25.0
- Validators 0.22.0

# Installing

### 1. Clone this repository
```
git clone http://github.com/elliottopellia/aizawa
```
### 2. Change directory to aizawa
```
cd aizawa
```
### 3. Install dependencies
```
Windows, Linux, Mac, Termux:
pip install -r requirements.txt

Arch Linux based:
pacman -S python-httpx python-validators python-h2
```
### 4. Run aizawa
```
python main.py / python main.py [webshell url]
```

# Screenshot

![1](./images/ss1.png)
![2](./images/ss2.png)

# References

- [s0md3v](https://github.com/s0md3v/nano)
- [Acunetix](https://bit.ly/AcunetiX)
- [mm0r1](https://github.com/mm0r1/exploits)

# Licence

This project is licensed under the GPL 2.0 License - see the [LICENCE](https://github.com/elliottophellia/aizawa/blob/main/LICENSE) file for details

# Disclaimer

This project is for educational purposes only. I will not be responsible for any misuse of this project by any party, or any damage caused by this project.