x-o-r-r-o/PHP-Webshells-Collection
Stars: 140
Forks: 114
Pull Requests: 1
Issues: 0
Watchers: 11
Last Updated: 2020-05-19 22:06:28
Most Wanted Private and Public PHP Web Shells Can Be Downloaded Here. (Educational Purpose Only)
License:
Languages: PHP, Perl
- All Web Shells Located at websites mentioned below are infected.
- Exploit
- PHPShell
The stuff they will download with their shells is listed below.
Email address they used to collect logs is [email protected]. All shells from above mentioned sites send email to this email address instantly with your infected url and pass also i shell have any.
Most Wanted Private and Public PHP Web Shells Can Be Downloaded Here. (Educational Purpose Only)
I am not responsible for how you use this stuff.
Default Password for All Shells (if not available in shell description): wso
Note: check out KahuSecurity's site directly for latest versions of these tools.
A collection of awesome penetration testing resources
- Metasploit Unleashed - Free Offensive Security Metasploit course
- PTES - Penetration Testing Execution Standard
- OWASP - Open Web Application Security Project
- PENTEST-WIKI - A free online security knowledge library for pentesters / researchers.
- Kali - A Linux distribution designed for digital forensics and penetration testing
- ArchStrike - An Arch Linux repository for security professionals and enthusiasts
- BlackArch - Arch Linux-based distribution for penetration testers and security researchers
- NST - Network Security Toolkit distribution
- Pentoo - Security-focused livecd based on Gentoo
- BackBox - Ubuntu-based distribution for penetration tests and security assessments
- Parrot - A distribution similar to Kali, with multiple architecture
- Metasploit Framework - World's most used penetration testing software
- Burp Suite - An integrated platform for performing security testing of web applications
- ExploitPack - Graphical tool for penetration testing with a bunch of exploits
- BeeF - The Browser Exploitation Framework Project
- faraday - Collaborative Penetration Test and Vulnerability Management Platform
- evilgrade - The update explotation framework
- commix - Automated All-in-One OS Command Injection and Exploitation Tool
- routersploit - Automated penetration testing software for router
- [redsnarf] (https://github.com/nccgroup/redsnarf) - Post-exploitation tool for grabbing credentials
- Nexpose - Vulnerability Management & Risk Management Software
- Nessus - Vulnerability, configuration, and compliance assessment
- Nikto - Web application vulnerability scanner
- OpenVAS - Open Source vulnerability scanner and manager
- OWASP Zed Attack Proxy - Penetration testing tool for web applications
- Secapps - Integrated web application security testing environment
- w3af - Web application attack and audit framework
- Wapiti - Web application vulnerability scanner
- WebReaver - Web application vulnerability scanner for Mac OS X
- DVCS Ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR
- arachni - Web Application Security Scanner Framework
- nmap - Free Security Scanner For Network Exploration & Security Audits
- pig - A Linux packet crafting tool
- tcpdump/libpcap - A common packet analyzer that runs under the command line
- Wireshark - A network protocol analyzer for Unix and Windows
- Network Tools - Different network tools: ping, lookup, whois, etc
- netsniff-ng - A Swiss army knife for for network sniffing
- Intercepter-NG - a multifunctional network toolkit
- SPARTA - Network Infrastructure Penetration Testing Tool
- dnschef - A highly configurable DNS proxy for pentesters
- DNSDumpster - Online DNS recon and search service
- dnsenum - Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results
- dnsmap - Passive DNS network mapper
- dnsrecon - DNS Enumeration Script
- dnstracer - Determines where a given DNS server gets its information from, and follows the chain of DNS servers
- passivedns-client - Provides a library and a query tool for querying several passive DNS providers
- passivedns - A network sniffer that logs all DNS server replies for use in a passive DNS setup
- Mass Scan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
- Zarp - Zarp is a network attack tool centered around the exploitation of local networks
- mitmproxy - An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
- mallory - HTTP/HTTPS proxy over SSH
- Netzob - Reverse engineering, traffic generation and fuzzing of communication protocols
- DET - DET is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time
- pwnat - punches holes in firewalls and NATs
- dsniff - a collection of tools for network auditing and pentesting
- tgcd - a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls
- smbmap - a handy SMB enumeration tool
- scapy - a python-based interactive packet manipulation program & library
- Dshell - Network forensic analysis framework
- Debookee (MAC OS X) - Intercept traffic from any device on your network
- Dripcap - Caffeinated packet analyzer
- Aircrack-ng - a set of tools for auditing wireless network
- Kismet - Wireless network detector, sniffer, and IDS
- Reaver - Brute force attack against Wifi Protected Setup
- Wifite - Automated wireless attack tool
- wifiphisher - Automated phishing attacks against Wi-Fi networks
- SSLyze - SSL configuration scanner
- sslstrip - a demonstration of the HTTPS stripping attacks
- sslstrip2 - SSLStrip version to defeat HSTS
- tls_prober - fingerprint a server's SSL/TLS implementation
- WPScan - Black box WordPress vulnerability scanner
- SQLmap - Automatic SQL injection and database takeover tool
- weevely3 - Weaponized web shell
- Wappalyzer - Wappalyzer uncovers the technologies used on websites
- cms-explorer - CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running.
- joomscan - Joomla CMS scanner
- WhatWeb - Website Fingerprinter
- BlindElephant - Web Application Fingerprinter
- fimap - Find, prepare, audit, exploit and even google automatically for LFI/RFI bugs
- Kadabra - Automatic LFI exploiter and scanner
- Kadimus - LFI scan and exploit tool
- liffy - LFI exploitation tool
- LOIC - An open source network stress tool for Windows
- JS LOIC - JavaScript in-browser version of LOIC
- T50 - The more fast network stress tool
- SET - The Social-Engineer Toolkit from TrustedSec
- Maltego - Proprietary software for open source intelligence and forensics, from Paterva.
- theHarvester - E-mail, subdomain and people names harvester
- creepy - A geolocation OSINT tool
- metagoofil - Metadata harvester
- Google Hacking Database - a database of Google dorks; can be used for recon
- Censys - Collects data on hosts and websites through daily ZMap and ZGrab scans
- Shodan - Shodan is the world's first search engine for Internet-connected devices
- recon-ng - A full-featured Web Reconnaissance framework written in Python
- github-dorks - CLI tool to scan github repos/organizations for potential sensitive information leak
- vcsmap - A plugin-based tool to scan public version control systems for sensitive information
- Tor - The free software for enabling onion routing online anonymity
- I2P - The Invisible Internet Project
- Nipe - Script to redirect all traffic from the machine to the Tor network.
- IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
- IDA Free - The freeware version of IDA v5.0
- WDK/WinDbg - Windows Driver Kit and WinDbg
- OllyDbg - An x86 debugger that emphasizes binary code analysis
- Radare2 - Opensource, crossplatform reverse engineering framework
- x64_dbg - An open-source x64/x32 debugger for windows
- Immunity Debugger - A powerful new way to write exploits and analyze malware
- Evan's Debugger - OllyDbg-like debugger for Linux
- Medusa disassembler - An open source interactive disassembler
- plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code
- peda - Python Exploit Development Assistance for GDB
- Pwntools - CTF framework for use in CTFs
- The Art of Exploitation by Jon Erickson, 2008
- Metasploit: The Penetration Tester's Guide by David Kennedy et al., 2011
- Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014
- Rtfm: Red Team Field Manual by Ben Clark, 2014
- The Hacker Playbook by Peter Kim, 2014
- The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013
- Professional Penetration Testing by Thomas Wilhelm, 2013
- Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012
- Violent Python by TJ O'Connor, 2012
- Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007
- Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014
- Penetration Testing: Procedures & Methodologies by EC-Council, 2010
- Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010
- Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014
- Bug Hunter's Diary by Tobias Klein, 2011
- The Database Hacker's Handbook, David Litchfield et al., 2005
- The Shellcoders Handbook by Chris Anley et al., 2007
- The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009
- The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011
- iOS Hackers Handbook by Charlie Miller et al., 2012
- Android Hackers Handbook by Joshua J. Drake et al., 2014
- The Browser Hackers Handbook by Wade Alcorn et al., 2014
- The Mobile Application Hackers Handbook by Dominic Chell et al., 2015
- Car Hacker's Handbook by Craig Smith, 2016
- DEF CON - An annual hacker convention in Las Vegas
- Black Hat - An annual security conference in Las Vegas
- BSides - A framework for organising and holding security conferences
- CCC - An annual meeting of the international hacker scene in Germany
- DerbyCon - An annual hacker conference based in Louisville
- PhreakNIC - A technology conference held annually in middle Tennessee
- ShmooCon - An annual US east coast hacker convention
- CarolinaCon - An infosec conference, held annually in North Carolina
- SummerCon - One of the oldest hacker conventions, held during Summer
- Hack.lu - An annual conference held in Luxembourg
- HITB - Deep-knowledge security conference held in Malaysia and The Netherlands
- Troopers - Annual international IT Security event with workshops held in Heidelberg, Germany
- Hack3rCon - An annual US hacker conference
- ThotCon - An annual US hacker conference held in Chicago
- LayerOne - An annual US security conference held every spring in Los Angeles
- DeepSec - Security Conference in Vienna, Austria
- SkyDogCon - A technology conference in Nashville
- SECUINSIDE - Security Conference in Seoul
- DefCamp - Largest Security Conference in Eastern Europe, held anually in Bucharest, Romania
- AppSecUSA - An annual conference organised by OWASP
- BruCON - An annual security conference in Belgium
- Infosecurity Europe - Europe's number one information security event, held in London, UK
- Nullcon - An annual conference in Delhi and Goa, India
- RSA Conference USA - An annual security conference in San Francisco, California, USA
- Swiss Cyber Storm - An annual security conference in Lucerne, Switzerland
- Virus Bulletin Conference - An annual conference going to be held in Denver, USA for 2016
- Ekoparty - Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
- 44Con - Annual Security Conference held in London
- BalCCon - Balkan Computer Congress, annualy held in Novi Sad, Serbia
- FSec - FSec - Croatian Information Security Gathering in Varaždin, Croatia
- Kali Linux Tools - List of tools present in Kali Linux
- SecTools - Top 125 Network Security Tools
- C/C++ Programming - One of the main language for open source security tools
- .NET Programming - A software framework for Microsoft Windows platform development
- Shell Scripting - Command-line frameworks, toolkits, guides and gizmos
- Ruby Programming by @dreikanter - The de-facto language for writing exploits
- Ruby Programming by @markets - The de-facto language for writing exploits
- Ruby Programming by @Sdogruyol - The de-facto language for writing exploits
- JavaScript Programming - In-browser development and scripting
- Node.js Programming by @sindresorhus - JavaScript in command-line
- Node.js Programming by @vndmtrx - JavaScript in command-line
- Python tools for penetration testers - Lots of pentesting tools are written in Python
- Python Programming by @svaksha - General Python programming
- Python Programming by @vinta - General Python programming
- Android Security - A collection of android security related resources
- Awesome Awesomness - The List of the Lists
- AppSec - Resources for learning about application security
- CTFs - Capture The Flag frameworks, libraries, etc
- Hacking - Tutorials, tools, and resources
- Honeypots - Honeypots, tools, components, and more
- Infosec - Information security resources for pentesting, forensics, and more
- Malware Analysis - Tools and resources for analysts
- PCAP Tools - Tools for processing network traffic
- Security - Software, libraries, documents, and other resources
- Awesome List - A curated list of awesome lists
- SecLists - Collection of multiple types of lists used during security assessments
- Security Talks - A curated list of security conferences
- OSX collector - for forensic analysis
- MIDAS - Mac Intrusion Detection Analysis System
- OSX auditor - for forensic analysis
- Santa - binary whitelisting/blacklisting system
- Masochist - framework for creating XNU based rootkits
- Class-dump - command-line utility to dump Objective-C runtime information
- Mach inject - Inter process code injection for Mac OS X
- Task vaccine - similar to mach inject
- Hopper - Hopper disassembler (not free)
- Mach-O diff - mach-o diffing tool
- Mac4n6 - A collection of OS X and iOS forensic artifacts
- XGuardian scanner - Security Scanner for OSX
- Crashwalk
- PassiveFuzzFrameworks
A collection of ios security related resources
- IDB - iOS App Security Assessment Tool
- iRET - iOS Reverse Engineering Toolkit
- DVIA - Damn Vulnerable iOS App for learning
- LibiMobileDevice - A cross-platform protocol library to communicate with iOS devices
- Needle - iOS App Pentesting Tool
- snoop-it - A tool to assist security assessments and dynamic analysis of iOS Apps
A collection of android security related resources.
A lot of work is happening in academia and industry on tools to perform dynamic analysis, static analysis and reverse engineering of android apps.
- AndroTotal
- Androwarn - detect and warn the user about potential malicious behaviours developped by an Android application.
- QARK - QARK by LinkedIn is for app developers to scan app for security issues
- AndroBugs
- Nogotofail
- Android DBI frameowork
- Androl4b- A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
- Android Malware Analysis Toolkit - (linux distro) Earlier it use to be an online analyzer
- Mobile-Security-Framework MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.
- AppUse – custom build for pentesting
- Cobradroid – custom image for malware analysis
- ViaLab Community Edition
- Droidbox
- Mercury
- Drozer
- Xposed - equivalent of doing Stub based code injection but without any modifications to the binary
- Android Hooker - Dynamic Java code instrumentation (requires the Substrate Framework)
- ProbeDroid - Dynamic Java code instrumentation
- Android Tamer - Virtual / Live Platform for Android Security Professionals
- DECAF - Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
- CuckooDroid - Android extension for Cuckoo sandbox
- Mem - Memory analysis of Android (root required)
- Crowdroid – unable to find the actual tool
- AuditdAndroid – android port of auditd, not under active development anymore
- Android Security Evaluation Framework - not under active development anymore
- Android Reverse Engineering – ARE (android reverse engineering) not under active development anymore
- Aurasium – Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
- Android Linux Kernel modules
- Appie - Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
- StaDynA - a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
- DroidAnalytics - incomplete
- Vezir Project - Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
- MARA - Mobile Application Reverse engineering and Analysis Framework
- NowSecure Lab Automated - Enterprise tool for mobile app security testing both Android and iOS mobile apps. Lab Automated features dynamic and static analysis on real devices in the cloud to return results in minutes.
Taintdroid - requires AOSP compilation
- Smali/Baksmali – apk decompilation
- IntentFuzzer
- FSquaDRA - a tool for detection of repackaged Android applications based on app resources hash comparison.
- Vulnerability Google Doc
- Contagio Mini Dump
- Android Malware Github repo
- Android Security (and Not) Internals
- Google play crawler (Java)
- smalihook
- Android Reverse Engineering 101 by Daniele Altomare
To the extent possible under law, x-o-r-r-o has waived all copyright and related or neighboring rights to this work. He makes no warranties about the work, and disclaims liability for all uses of the work.