Releases: dotcppfile/DAws
New Release
- The shell now checks if it can CHMOD a directory (by comparing the owner of the directory with the owner of the current process) instead of just skipping one that doesn't meet the requirements when looking for "DAws's directory".
- DAws now "copies" itself to "DAws's Directory" then drops the .htaccess and php.ini files, which are supposed to make life easier if suphp is installed, if that directory is within the web directory. It'll redirect the current user to that new copy of DAws. Because of all this DAws is much faster now since it is in its own directory, the right table doesn't have to be full of crap that we don't care about and bypassing security systems if suphp is installed is now guaranteed.
- Fixed some "serious" permission bugs in the File Manager which were causing "Rename" and "Del" to appear/disappear when they shouldn't be.
- You can finally CHMOD a file/directory using the file manager. I am not sure why it took me so long to add this but who cares? It's here now, enjoy.
- Added File Owner and User's Group to the File Manager. Having this information is needed and should've been here since the beginning because the permissions make no sense without it. I kept pushing this update back because it's not "that" important since DAws checks everything for you but again, who cares? It's here now, enjoy lol.
- You can now "Wipe" a file instead of just Deleting it which makes it mostly impossible to get it recovered. DAws will simply replace the old file bytes with null ones, this isn't a very good "wiper" but it gets the job done pretty well.
- DAws now supports PDO for the Sql Connector. This is useful and needed in case "mysqli_connect" was blocked.
- You can now specify the "Host" when using the MySql Connector since the Host isn't always local and since a remote MySql server connection can be blocked unless it's coming from a specific client, so having this is obviously a good thing.
- You can now save the output of any Sql Query which is pretty useful if your MySql User had no file privileges.
- You can now execute Python, Perl and Ruby code on Windows.
- You can now choose the type of a Bind/Reverse shell instead of it being done automatically for you because why not? In some specific cases a coding language may fail because of some process restriction, for example, and DAws can't know that so this small change should solve that.
- You can now choose whether you want a reverse/bind shell or some eval code to run in the background or not (through nohup for linux or start for windows) instead of it being chosen automatically for you.
- A dynamic fake 404 page has been finally added. (The code of the static one has been commented and is still at the top)
- DAws now checks if the current server is vulnerable to Shellshock through "normal" command execution. I know that this isn't beneficial for DAws but it's good and useful information and you can now see it on the left table. (Keep in mind that DAws already uses Shellshock through 2 methods to bypass security systems but this is completely something else).
- Removed a lot of extra lines that were holding nothing but a "{" for the sake of scrolling when reading the code...
- Fixed a lot of small bugs that were causing stuff like: showing the wrong location of the dropped cgi shell, wrong data in the .htaccess file for suphp on windows, getting redirected to the main shell's directory when using something other than the file manager, etc...
Big Release
- Full support for Windows.
- DAws is now completely POST based.
- SSH Method support has been applied but it is based on the user's interaction. This method is based on creating an RSA key and adding the public key to the authorized_keys file, which will allow the owner of that key to connect over ssh without using a password. Now for this to happen, DAws should find the user, the home directory and the ssh port, and use about 4000 lines of code to create an RSA key in openssh format and to ssh connect. Let's not forget that even if all this was present, the .ssh directory could simply be unreadable, same for the authorized_keys file. So the success rate of all this is practically low unless the user helps out; in DAws, the user is supposed to find the ssh user and the home directory (by using DAws's file manager) and the ssh port (simple tcp scan) and upload the needed files manually (by using DAws's file manager). This may take the user a minute, while for DAws it may cause many problems, especially if there are security systems, since a lot of functions would be used to retrieve all that information, which would instantly cause this whole thing to fail.
- After DAws finds its directory (a writeable and readable one), DAws will try to move to that directory if it's a web directory. Now that will be useful for one thing and that thing is based on dropping a php.ini and a .htaccess which will allow DAws to do anything but this will only work if suphp was installed.
- If DAws failed to find its proper web directory then it will go searching randomly for anything else. Thanks to that, everything in the shell will still work perfectly except for the CGI Shells.
- Added the usage of call_user_func, call_user_func_array, ArrayIterator, register_tick_function, array_map, array_walk, array_filter and register_shutdown_function to bypass Suhosin.
- Created multiple functions such as file_get_contents_extended, fopen_extended, etc to bypass Suhosin.
- Added Sql Connect
- Got rid of the 2 extra php xor encryption functions "sh3ll_this" and "unsh3ll_this" since the only difference was using the static key "dotcppfile".
- In some of these old functions, the usage of "system" and "passthru" wasn't possible since we couldn't store the output properly (using their available "output" arguments was barely working thanks to PHP lol) so in this new function we used output buffering (ob_start, ob_get_contents, etc...) to get the output of these system commands.
- Zipping a directory has been upgraded and well taken care of since we believe it's important. Anyways, if available and enabled, the class ZipArchive along with RecursiveIteratorIterator are being used to get the job done, if not, we're using system commands; "powershell" or a vbs script for Windows and "zip" for Linux.
- Uploading, Creating and Zipping functions now output in DAws's chosen directory, which should have been done a long time ago since the current directory could be non writable, anyways, it's here now.
- We also added a recursive function based on "glob" to get that job done just in case the version of PHP is smaller than 5 because the first method is based on using "RecursiveIteratorIterator" which was added in PHP version 5.
- Increased the check for disabled/blocked functions (file_get_contents, file_put_contents, fopen, etc...)
- Aside from using "function_exists" and "class_exists" to check for installed libraries, we added the usage of output buffering (ob_start, ob_get_contents, etc...) in case "function_exists" and "class_exists" were also disabled/blocked.
- Increased the check for installed software (bitsadmin, wget, etc...) since they'll be used in the shell.
- Fixed the code that was supposed to find a writeable/readable directory for DAws since it was a little bit buggy.
- In case "RecursiveIteratorIterator" and the recursive glob function failed for some reason, the chosen directory will be "/tmp" for Linux or "C:/Users/".get_current_user()."/AppData/Local/Temp" for Windows.
- All the functions that were supposed to execute a system command have been merged into one called "execute_command" that is also used to check for installed software.
- The "remove directory" feature in the file manager has been modified; the old method was based on removing everything in the chosen directory recursively but it was a bad method since permissions were making things worse so in this new update we simply decided to use system commands; "rmdir /s" for Windows and "rm -r" for Linux so let the OS deal with it lol.
- Editing a file has been upgraded; we're not only using "file_put_contents" but also "fopen" in case "file_put_contents" was disabled/blocked.
- Uploading a file via a direct link to the server has been also updated; we're using Curl with fopen or file_put_contents with file_get_contents or fopen with file_get_contents, if none worked then we're using system commands; "bitsadmin" or "powershell" for Windows and "curl" or "wget" for Linux.
- Creating a simple file has also been updated; we added the usage of fopen and the echo system command in case file_put_contents wasn't useable.
- All the javascript xor encryption functions have been merged together, this had to be done since using multiple ones is plain stupid but we were doing it because we never cared about the amount of code as much as we cared about its effectiveness; if it works then it's good but beautiful and simple code costs money mates so here it is lol.
- Some of the features in the file manager were available when they shouldn't have been and that's because we made some mistakes checking permissions so it's been fixed now.
- Reading a file has also been updated. In case file_get_contents was blocked/disabled fopen or system commands ("type" for Windows and "cat" for Linux) go for it.
- The GUI has been updated, there are 3 columns now; the first one is fixed and holds various information, the third one is also fixed and holds a file explorer for DAws's chosen directory and the second one holds what's left of DAws. We also fixed some HTML/CSS code and made things smoother and faster to load. Finally, we shoved hidden divs in the file manager that will show up whenever you choose to rename something.
- Updated the CGI Batch shell since it wasn't working properly (apparently we were using a test version by mistake)
- Added the support of https when retrieving the output of CGI Shell.
- Updated the execution of PHP code; eval will also be used if not disabled by Suhosin.
- Removed the Process Manager since it was based on system commands; "tasklist" and "taskkill" for Windows and "ps aux" and "kill" for Linux.
- Removed the execution of C and C++ because they're useless in that part. The only reason people use the Eval part was to write some fast and situational scripts. C and C++ are mostly used to compile advanced code such as an exploit or a botnet.
- and much more, but I forgot...
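
From a code-review or detection standpoint, the callback functions listed in this release (call_user_func, array_map, register_shutdown_function and the rest) stand out when the callable they receive is a variable or a concatenated string rather than a literal. The Python sketch below is an added example, not code from DAws or its author; the PHP samples are constructed, and the parsing is a heuristic that ignores parentheses and commas inside string literals.

```python
import re

# Callback-taking functions named in the release notes; the value is the
# zero-based position of the callable argument in each signature.
CALLBACK_ARG = {"call_user_func": 0, "call_user_func_array": 0, "array_map": 0,
                "register_tick_function": 0, "register_shutdown_function": 0,
                "array_walk": 1, "array_filter": 1}
CALL = re.compile(r"\b(" + "|".join(CALLBACK_ARG) + r")\s*\(", re.IGNORECASE)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
LITERAL = re.compile(r"""
    (['"])[\w\\:]+\1                              # 'trim', "Foo::bar"
  | (?:static\s+)?(?:function|fn)\b.*             # closure or arrow function
  | (?:\[|array\s*\().*,\s*(['"])\w+\2\s*[\])]    # [$obj, 'method']
""", re.VERBOSE | re.DOTALL)

def split_args(src, start):
    """Split the argument list opening at src[start] == '(' on top-level commas."""
    depth, args, cur = 0, [], []
    for ch in src[start:]:
        if ch in "([{":
            depth += 1
            if depth == 1:
                continue
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
        if ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return args  # unbalanced input: return what was collected

def dynamic_callbacks(php_source):
    """Return sorted (function, callable_expr) pairs whose callable is not a literal."""
    src = COMMENTS.sub("", php_source)
    hits = set()
    for m in CALL.finditer(src):
        name = m.group(1).lower()
        args = split_args(src, m.end() - 1)
        pos = CALLBACK_ARG[name]
        # Literal closures, quoted names and [$obj, 'method'] pairs are ordinary
        # application code; anything else picks its target at run time.
        if pos < len(args) and not LITERAL.fullmatch(args[pos]):
            hits.add((name, args[pos]))
    return sorted(hits)
# Constructed PHP samples: ordinary code, then run-time-chosen callables.
SAMPLE_ORDINARY = r"""<?php
$names = array_map('trim', $rows);
$even  = array_filter($nums, function ($n) { return $n % 2 === 0; });
register_shutdown_function([$logger, 'flush']);
"""
SAMPLE_INDIRECT = r"""<?php
call_user_func($f, $arg);
array_filter(array($arg), $f);
register_shutdown_function($parts[0] . $parts[1], $arg);
"""
```

Hits are leads for manual review, since frameworks also pass callables in variables; the signal is a file where most callback calls are of this kind.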
ShellShock
Updates
1. Thanks to Starfall's Exploit and to Dyme who shared his part of it in a Pull Request, DAws now supports the usage of CVE-2014-6271 (ShellShock). It's currently based on exploiting a mail server but we've been working on going after CGI scripts and since we started it already (you can find the code, commented, on line 773) we will finish it and append it as well, so there will be 2 methods ready to be used. We will be upgrading both with the following exploits in the near future.
2. As promised, the CGI Batch Script has been fixed and it supports base64 encoding now and works perfectly, it's completely related to DAws so you do not have to worry about anything and yes, we know that base64 isn't the best but we gonna have to stick with it for now. Also, the CGI Batch Script's source has been released and you can find it here.
3. A huge bug was found in the `Directory Roaming Function`, for Windows, which wasn't getting the job done.
4. A huge bug was found in the PHP code related to dropping the CGI Batch Script.
And I guess that's it for today, let us know what happens; we're willing to update, upgrade, fix and do whatever is needed to keep DAws up and running properly.
Thanks for supporting the project,
dotcppfile and Aces.
Tools
Hello everyone,
This update was all about fixing the tools:
bpscan - Python & PHP
1. We're not using canyouseeme.org anymore but yougetsignal.com because it made life easier.
bpscan - Python
1. Fixed a dependency bug
bpscan - PHP
1. Uses `Curl` or `file_get_contents`, depends on what's available
2. Bypass WAFs and Protection Systems
Bash CGI Shell
1. Added base64 support to bypass WAFs that is completely related to DAws; we know that base64 isn't the best so we will be updating this soon.
Serbot - Client
1. Fixed a dependency bug.
We also released the sources of all these tools and you can find them at https://github.com/dotcppfile/DAws/tree/master/Tools%20and%20Shells
Thanks for supporting DAws,
dotcppfile.
Merge
Updates
1. This is what matters the most in this update; In our last releases, DAws was capable of spawning working batch/bash CGI Shells which was pretty good but these CGI Shells were independent; they had nothing to do with DAws, so, if `system`, `passthru`, `exec`, `shell_exec`, `popen` and `proc_open` were all disabled then the `Process Manager` and most of the `Eval` forms would completely fail even though our CGI Shell is there which wasn't enough, so I've decided to Merge it completely with DAws. What I'm trying to say is that, now, DAws fully communicates with the CGI Shell to do everything needed.
2. When you login/a new session is created, DAws will automatically drop these CGI shells and everything related to them in the `writeable/readable` directory that was found by the `Directory Roaming` function and it will also test them out to check if they're working, and if they are then DAws will start communicating with them completely.
3. The Bash CGI Shell has been updated, now, it only receives base64 encoded `get` data since that was extremely needed because WAFs were easily blocking the CGI Shell. I know that base64 isn't enough but we will be implementing DAws's encoding system into the CGI Shell soon. When it comes to the Batch CGI Shell, it's not working properly now because we didn't finish updating it yet but it should be done within 24 hours.
4. We added a new function called `url_get_content` which uses Curl to get the output of the CGI Shells along with `file_get_contents` and that is because `file_get_contents` won't work if `allow_url_fopen` was disabled.
5. The feature that checks the `Free Memory` on windows has been fixed.
6. Thanks to asm-99 who reported the bug, the `Directory Roaming` function has been updated.
Thank you all for supporting DAws,
dotcppfile.
Game Changer
Updates
1. CGI Support has now been added. In conclusion, if the server supports `CGI` and has `.htaccess` allowed then DAws will use this to create a directory, put a .htaccess file in it which will make this directory the `ScriptAlias` and then it will drop its Bash Shell (For Linux) or Batch Shell (For Windows), as simple as that. You can then use these Shells to execute any command on the Server. The point of all this is to bypass, completely, Disablers, WAFs and Protection Systems related to PHP in general.
2. In its first releases, DAws was using the `temp` directories to drop its scripts and execute them which wasn't really efficient since the `temp` directories aren't always writable/readable so we've decided to create a function that would roam through the `web` directory of the server looking for a single writable/readable directory which will later on be used by DAws to deal with everything needed.
3. We're now not only using `include` instead of `eval` but also `include_once`, `require` and `require_once`.
4. Cache Limiter Added (no cache)
5. The `Del` feature for directories has been fixed
6. A small bug in the `File Manager` related to Files/Dirs Permissions has been fixed.
7. Updated visuals.
Now we do actually consider this update a game changer since it actually makes DAws completely unique and pretty powerful and useful in many cases. We intend to make DAws even better with every update and we still have many ideas to append so stick around mates.
Thanks for supporting DAws,
dotcppfile and Aces.
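
For defenders, the drop behaviour these notes describe (a writable directory under the web root that gains an .htaccess, a php.ini and a CGI script) leaves artifacts on disk that can be swept for. The Python sketch below is an added example, not part of DAws or its release notes; the sample tree is constructed, and the directive patterns (`ExecCGI`, `cgi-script` handlers) are standard Apache settings assumed here as the way a per-directory .htaccess turns on CGI.

```python
import os
import re
import tempfile

# Apache settings that enable CGI execution from a per-directory .htaccess.
# "Options -ExecCGI" (switching it off) is deliberately not matched.
CGI_DIRECTIVES = re.compile(
    r"^\s*(?:Options\b.*(?<!-)ExecCGI|(?:Add|Set)Handler\s+cgi-script)",
    re.IGNORECASE | re.MULTILINE,
)
SCRIPT_EXTS = {".sh", ".cgi", ".bat", ".cmd", ".pl", ".py"}


def audit_webroot(webroot):
    """Return {relative_dir: [findings]} for directories worth a manual look."""
    report = {}
    root = os.path.abspath(webroot)
    for dirpath, _dirs, files in os.walk(root):
        findings = []
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                if CGI_DIRECTIVES.search(fh.read()):
                    findings.append("htaccess-enables-cgi")
        # A php.ini below the web root only takes effect where PHP reads
        # per-directory ini files (the notes name suPHP); report it regardless.
        if "php.ini" in files and dirpath != root:
            findings.append("per-directory-php-ini")
        scripts = sorted(f for f in files
                         if os.path.splitext(f)[1].lower() in SCRIPT_EXTS)
        if scripts and "htaccess-enables-cgi" in findings:
            findings.append("cgi-script:" + ",".join(scripts))
        if findings:
            report[os.path.relpath(dirpath, root)] = findings
    return report


def build_sample_tree(root):
    """Constructed layout: one ordinary directory, one with dropped files."""
    clean = os.path.join(root, "assets")
    odd = os.path.join(root, "uploads", "cache")
    os.makedirs(clean)
    os.makedirs(odd)
    with open(os.path.join(clean, ".htaccess"), "w") as fh:
        fh.write("Options -ExecCGI -Indexes\n")
    with open(os.path.join(odd, ".htaccess"), "w") as fh:
        fh.write("Options +ExecCGI\nAddHandler cgi-script .sh\n")
    for name in ("php.ini", "job.sh"):
        with open(os.path.join(odd, name), "w") as fh:
            fh.write("# constructed placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, findings in audit_webroot(tmp).items():
            print(directory, findings)
```

On a server that has no legitimate per-directory CGI, setting `AllowOverride None` for upload and cache paths removes the precondition the notes rely on (".htaccess allowed").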
DAws cannot be blocked
Updates
Well this update is pretty much based on dealing with Suhosin. In the first release, we were using `function_exists` to check if a function is enabled or not which wasn't really the best way since this function has nothing to do with Suhosin, and that is why we decided to use `ini_get` to check what is/isn't disabled by PHP (in general) and Suhosin.
The point of all this is that DAws cannot be blocked by Suhosin in the middle of something anymore, whatever it does is based on what it knows.
Future Updates
We're working even more on this to make DAws completely stable, our future updates will be based on extra security bypassing techniques.
Thank you all for supporting DAws,
dotcppfile and Aces.
New Features
Updates
1. Added the PHP `include` function that can easily replace the PHP `eval` function to bypass Protection Systems.
2. Added `bpscan - php` coded in PHP (obviously) by Aces. This was created in case Python wasn't installed or couldn't be executed on the Server (which means that the original version of `bpscan` won't work), in this case, DAws will simply use the new appended feature to execute your PHP script. `bpscan - php` will help you find useable/unblocked ports on the server which you can later on use to get a Bind Shell.
3. Fixed the Windows `Eval` Form and now it works perfectly.
4. Made the code easily Readable and Commented every part with a title; this should make the Source easier to understand by whoever is interested.
Future Updates:
1. Currently, DAws writes all the necessary output in `tmp` for Linux or in its current directory for Windows which isn't good enough because these Directories can be UnWritable which can cause many issues, and that is why we will be adding a Directory Roaming Function which will check for a Writable directory and if found, this directory will become DAws's best friend Lol.
That is all for today,
Thanks for supporting DAws,
dotcppfile and Aces.
New Encoding Techniques
Update
So, many people were saying that Base64 is not enough so we added a simple XOR Encoding function that generates a random key for every new session and this key is then used to Encode your GET and POST data then Base64 encode it using `btoa` in JS and `base64_encode` in PHP.
Yet, functions like `base64_encode` and `base64_decode` in PHP were being detected or disabled by different protection systems, so screw em both Lol.
I decided to write Base64 encoding and decoding functions, and both of these functions were mostly based on Math, I tried my best not to use PHP functions that can be disabled at any point and I think I succeeded.
Other than that, we fixed few bugs and made the shell even better.
Future Updates
A substitute for PHP Eval is coming soon which will also make it possible for everyone using DAws to bypass the protection systems and execute the Built In Shells which should guarantee another way in the server.
And I guess that is all for now,
Thanks for supporting DAws,
dotcppfile.
New Massive Release
Updates:
1. Removed simple Base64 Encoding and added a simple XOR Encryption with a randomized key with every new session + base64 encoding which will make things even better. This was applied for JavaScript and PHP.
2. Encoded all the `Shells` to keep WAFs away.
3. Removed PHP `eval` function since it was causing a lot of detections within different protection systems.
4. Fixed the `Download File` function since it wasn't getting the job done.
5. Fixed a small amount of bugs and added few extra needed functions.
We will be adding different WAF evasion methods soon, we won't stop here so stick with us and enjoy the shell.