
Prapattimynk

Administrator
Staff member
Joined
Feb 13, 2025
Messages
77
Reaction score
2

1755933024425.webp

ShellHunter — WebShell Detection & RCE Verification (Phase 1 + Phase 2)

"Find, confirm, and document real RCEs — not just hints."

---

📌 Overview

ShellHunter automates **two phases** of webshell discovery and verification:

  1. Phase 1 – Static Detection (shellhunter.py): Scans the codebase using heuristics/signatures and produces report.json with candidates.
  2. Phase 2 – Dynamic Verification (verify_rce.py): Maps Phase-1 findings to live URLs, fires payloads (including obfuscated variants), detects visible/blind RCE, classifies PHP errors, and generates timestamped reports, logs, and artifacts.

---

📂 Project Layout

Code:
C:.
|   config.yml
|   endpoints.txt
|   requeriments.txt
|   rules.yml
|   shellhunter.py
|   verify_rce.py
|
\---whitelists
        ignore_hashes.txt
        ignore_paths.txt

---

⚙️ Usage

Phase 1 – Static Detection
Code:
python shellhunter.py --rules rules.yml --out report.json --verbose

Example output:
Code:
{
  "findings": [
    {"path": "C:\\xampp\\htdocs\\your_patch\\webshell.php", "risk": "HIGH"},
    {"path": "C:\\...\\testshell.php", "risk": "MEDIUM"}
  ]
}

Whitelist files help reduce false positives:
  • whitelists/ignore_paths.txt
  • whitelists/ignore_hashes.txt

---

Phase 2 – Dynamic Verification
Code:
python verify_rce.py --report report.json --map config.yml --verbose

Quick example with explicit URLs:
Code:
python verify_rce.py --urls $(cat endpoints.txt) --verbose

Aggressive verification with evidence saving:
Code:
python verify_rce.py \
  --report report.json --map config.yml \
  --methods GET POST --timeout 10 --workers 16 \
  --aggressive --aggr-budget 500 \
  --alt-evidence "SAFE_TEST_OBF_HOT,SAFE_TEST_INCLUDE_USER" \
  --save-bodies out/bodies --save-bodies-all \
  --out out/rce_verified.json --csv out/rce_verified.csv \
  --log out/verify.log \
  --verbose

---

🔍 What It Detects

  • Visible Evidence → e.g. canary token `SHCANARY_abcd1234`
  • Blind Timing → ~5s delay (Linux: `sleep 5`, Windows: `ping -n 6 127.0.0.1`)
  • PHP Errors → Classified evidence (`php_error:php8_incompat`, `php_error:parse_error`)
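The three evidence classes above can be illustrated as a triage routine over saved responses, for instance the bodies written by --save-bodies together with their timings. The following is an added example, not ShellHunter's code: the canary format `SHCANARY_<8 hex>` and the ~5 s delay come from the post, while the PHP error signatures, the jitter tolerance and the timeout handling are assumptions chosen for the example.

```python
"""Added example: classify one captured response into the evidence classes
listed in the post (visible canary, blind timing, PHP error class).

Not ShellHunter's code. Error signatures and thresholds are assumptions.
"""
import re

CANARY_RE = re.compile(r"SHCANARY_[0-9a-f]{8}")
BLIND_DELAY_S = 5.0      # the ~5 s delay described in the post
BLIND_TOLERANCE = 0.8    # accept >= 80% of the delay to absorb network jitter

# Most specific class first; only the first match is reported.
PHP_ERROR_CLASSES = [
    ("php_error:parse_error", re.compile(r"Parse error:\s*syntax error", re.I)),
    ("php_error:php8_incompat", re.compile(
        r"Call to undefined function (each|create_function|ereg|split|mysql_connect)\(", re.I)),
    ("php_error:generic", re.compile(r"\b(Fatal error|Warning|Notice):", re.I)),
]


def classify(body, elapsed_s, baseline_s, timeout_s=None, expected_canary=None):
    """Return {"evidence": [...], "verdict": ...} for a single response.

    body            - response body text (e.g. a file saved by --save-bodies)
    elapsed_s       - round-trip time of the timing probe
    baseline_s      - round-trip time of a plain request to the same URL
    timeout_s       - client timeout; reaching it is inconclusive, not evidence
    expected_canary - the exact token used for this probe, if known
    """
    evidence = []

    # A timed-out request proves nothing: the host may simply be slow or hung.
    if timeout_s is not None and elapsed_s >= timeout_s:
        return {"evidence": ["inconclusive:timeout"], "verdict": "inconclusive"}

    # Visible evidence: the canary token echoed back in the body.
    if expected_canary is not None:
        if expected_canary in body:
            evidence.append("visible:" + expected_canary)
    else:
        m = CANARY_RE.search(body)
        if m:
            evidence.append("visible:" + m.group(0))

    # Blind evidence: response took roughly the injected delay longer than baseline.
    delta = elapsed_s - baseline_s
    if delta >= BLIND_DELAY_S * BLIND_TOLERANCE:
        evidence.append(f"blind_timing:+{delta:.1f}s")

    # PHP error class: not an RCE, but it shows the file was reached and parsed.
    for label, rx in PHP_ERROR_CLASSES:
        if rx.search(body):
            evidence.append(label)
            break

    if any(e.startswith(("visible:", "blind_timing:")) for e in evidence):
        verdict = "rce_confirmed"
    elif evidence:
        verdict = "php_error"
    else:
        verdict = "no_evidence"
    return {"evidence": evidence, "verdict": verdict}


# Constructed sample responses (body, elapsed, baseline); not captured from any real host.
SAMPLES = [
    ("ok SHCANARY_abcd1234 done", 0.4, 0.3),
    ("", 5.6, 0.3),
    ("PHP Parse error: syntax error, unexpected ')' in /var/www/x.php on line 3", 0.3, 0.3),
    ("Fatal error: Uncaught Error: Call to undefined function each() in /var/www/s.php:2", 0.3, 0.3),
    ("<html>Welcome</html>", 0.35, 0.3),
]


def demo():
    """Classify every sample; returns the verdicts in order."""
    return [classify(b, e, base)["verdict"] for b, e, base in SAMPLES]


if __name__ == "__main__":
    for (body, elapsed, base), verdict in zip(SAMPLES, demo()):
        print(f"{verdict:14s} {classify(body, elapsed, base)['evidence']}  {body[:40]!r}")
```

Two design points matter in practice: timing evidence is only meaningful relative to a baseline measured against the same URL, and a request that hits the client timeout must be recorded as inconclusive rather than as a blind hit, otherwise a slow or overloaded host produces false confirmations. Passing `expected_canary` ties a visible hit to the specific probe that was sent instead of any token-shaped string in the page.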

---

📦 Requirements

  • Python 3.9+
  • pip install -r requeriments.txt
  • Dependencies: requests, pyyaml, tqdm, colorama

---

🛠️ Best Practices

  • Nail the config.yml mapping (avoid 403/404 errors).
  • Use --cookie / --headers for authenticated sessions.
  • Use --params for shells requiring specific parameter names.
  • Add unique banners with --alt-evidence.
  • Use --save-bodies to capture server responses for analysis.

---

🚧 Roadmap

  • Proxy support + Basic/NTLM auth.
  • Tech-specific payloads (ASP/JSP).
  • WAF-evasion payload mutation engine.
  • More detection rules.

---
