"Find, confirm, and document real RCEs — not just hints."
This project automates two phases:
- Phase 1 – Static Detection (
shellhunter.py): scans the codebase, applies heuristics/signatures and produces areport.jsonwith candidates. - Phase 2 – Dynamic Verification (
verify_rce.py): maps Phase-1 file paths to live URLs, fires payloads (including obfuscated variants), detects visible evidence, blind timing, classifies PHP errors, and generates timestamped reports, logs, and artifacts.
C:.
| config.yml
| endpoints.txt
| requeriments.txt
| rules.yml
| shellhunter.py
| verify_rce.py
|
\---whitelists
ignore_hashes.txt
ignore_paths.txt
python shellhunter.py -h
usage: shellhunter.py [-h] -r ROOTS [ROOTS ...] [--rules RULES] [-o OUT] [--csv CSV] [--ext EXT [EXT ...]] [--exclude [EXCLUDE ...]]
[--whitelist-paths WHITELIST_PATHS] [--whitelist-hashes WHITELIST_HASHES] [--threshold THRESHOLD] [--max-size-mb MAX_SIZE_MB]
[--max-read-kb MAX_READ_KB] [--workers WORKERS] [--keep-all] [--verbose] [--log-file LOG_FILE] [--stream-findings]
ShellHunter — local webshell scanner (no-RCE) with a progress bar and single status line
options:
-h, --help show this help message and exit
-r ROOTS [ROOTS ...], --roots ROOTS [ROOTS ...]
Root directories to scan
--rules RULES YAML rules file
-o OUT, --out OUT JSON output
--csv CSV CSV output
--ext EXT [EXT ...] Included extensions
--exclude [EXCLUDE ...]
Exclusion regexes
--whitelist-paths WHITELIST_PATHS
File with regexes (one per line) to ignore paths
--whitelist-hashes WHITELIST_HASHES
File with partial SHA256 hashes (one per line) to ignore
--threshold THRESHOLD
Score threshold for HIGH
--max-size-mb MAX_SIZE_MB
Max file size
--max-read-kb MAX_READ_KB
Bytes to read per file (for speed)
--workers WORKERS Threads (I/O bound)
--keep-all Keep even score=0
--verbose DEBUG logging to console
--log-file LOG_FILE Write log to file
--stream-findings Print each finding (FOUND/ERROR) on separate lines
python verify_rce.py -h
usage: verify_rce.py [-h] [--report REPORT] [--map MAP_PATH] [--urls [URLS ...]] [--params [PARAMS ...]] [--methods [METHODS ...]] [--timeout TIMEOUT]
[--workers WORKERS] [--out OUT] [--csv CSV] [--verbose] [--headers HEADERS] [--cookie COOKIE] [--risk-min RISK_MIN]
[--no-time-based] [--only-http-200] [--aggressive] [--aggr-budget AGGR_BUDGET] [--aggr-max-auth AGGR_MAX_AUTH]
[--aggr-max-pass AGGR_MAX_PASS] [--extra-kv EXTRA_KV] [--alt-evidence ALT_EVIDENCE] [--no-datetime] [--log LOG]
[--positives-out POSITIVES_OUT] [--positives-csv POSITIVES_CSV] [--save-bodies SAVE_BODIES] [--save-bodies-all]
Verify possible webshell RCE via HTTP requests
options:
-h, --help show this help message and exit
--report REPORT Phase-1 JSON (report.json)
--map MAP_PATH config.yml with mappings root→url_prefix
--urls [URLS ...] Additional URLs to test (optional)
--params [PARAMS ...]
Parameter names to try (override)
--methods [METHODS ...]
HTTP methods to try (default GET and POST). Example: --methods GET
--timeout TIMEOUT
--workers WORKERS
--out OUT
--csv CSV
--verbose
--headers HEADERS Extra headers as JSON (e.g. '{"X-Token":"abc"}')
--cookie COOKIE Literal cookie string (e.g. PHPSESSID=abc; other=1)
--risk-min RISK_MIN HIGH or MEDIUM (default MEDIUM)
--no-time-based Disable timing-based checks
--only-http-200 Ignore endpoints whose initial status is not 200 (unless name looks like a known shell)
--aggressive Enable extra variants (auth/json/multipart + secondary toggles and obfuscated techniques)
--aggr-budget AGGR_BUDGET
Max requests per endpoint in aggressive mode (default 500)
--aggr-max-auth AGGR_MAX_AUTH
Max auth param names to try (default 6)
--aggr-max-pass AGGR_MAX_PASS
Max passwords per auth name (default 8)
--extra-kv EXTRA_KV Extra pairs k=v separated by comma (e.g., func=system,ajax=1)
--alt-evidence ALT_EVIDENCE
Extra strings that count as visible evidence if present (comma-separated)
--no-datetime Do not append timestamp to output filenames
--log LOG Log file (use {ts} to place the timestamp explicitly)
--positives-out POSITIVES_OUT
JSON with positives only (default generated next to --out)
--positives-csv POSITIVES_CSV
CSV with positives only (default generated next to --csv)
--save-bodies SAVE_BODIES
Directory to save HTTP response bodies (positives by default)
--save-bodies-all Also save bodies for NO-RCE/ERR (may grow large)
- Python 3.9+
pip install -r requeriments.txt
# or manually:
pip install requests pyyaml tqdm coloramaMinimal example:
mappings:
- root: "C:\\xampp\\htdocs\\your_patch"
url_prefix: "http://localhost:8080/your_patch"- root: absolute filesystem path where Phase 1 found the files.
- url_prefix: HTTP prefix from which those same files are served.
You can define multiple mappings for multiple docroots/vhosts.
Run the static scan to build the report:
python shellhunter.py --rules rules.yml --out report.json --verbosereport.json should include entries like:
{
"findings": [
{"path": "C:\\xampp\\htdocs\\your_patch\\webshell.php", "risk": "HIGH"},
{"path": "C:\\...\\testshell.php", "risk": "MEDIUM"}
]
}Use whitelists/ignore_paths.txt and whitelists/ignore_hashes.txt to filter Phase-1 false positives.
Confirms real RCE by interacting with endpoints.
python verify_rce.py \
--report report.json \
--map config.yml \
--verbose# Windows:
python verify_rce.py --urls $(type endpoints.txt) --verbose
# Linux/Mac:
python verify_rce.py --urls $(cat endpoints.txt) --verbosepython verify_rce.py \
--report report.json --map config.yml \
--methods GET POST --timeout 10 --workers 16 \
--aggressive --aggr-budget 500 \
--alt-evidence "SAFE_TEST_OBF_HOT,SAFE_TEST_INCLUDE_USER" \
--save-bodies out/bodies --save-bodies-all \
--out out/rce_verified.json --csv out/rce_verified.csv \
--log out/verify.log \
--verbose- Visible evidence: appearance of the canary token (e.g.,
SHCANARY_abcd1234) or any alt-evidence you define. - Blind timing: ~5s delay over baseline (Linux:
sleep 5; Windows:ping -n 6 127.0.0.1). - Informative PHP errors: classified and included in evidence (e.g.,
php_error:php8_incompat,php_error:parse_error) — great to explain "why it didn't pop."
By default, filenames receive _{YYYYMMDD_HHMMSS} (disable with --no-datetime).
- Full JSON:
rce_verified_{ts}.json - Full CSV:
rce_verified_{ts}.csv - Positives only:
- JSON:
rce_verified_{ts}_positives.json - CSV:
rce_verified_{ts}_positives.csv
- JSON:
- Log:
rce_verified_{ts}.log(or path from--log) - Bodies (HTML): folder from
--save-bodies
By default, saves positives only.
With --save-bodies-all, it also saves NO-RCE and ERR (watch disk usage).
| Option | Description |
|---|---|
--report PATH |
Phase-1 JSON with findings[].path and risk. |
--map PATH |
config.yml with mappings[].root → url_prefix (requires pyyaml). |
--urls URL ... |
List of URLs to verify manually (skip Phase 1). |
--risk-min LEVEL |
Filter Phase-1 candidates: HIGH or MEDIUM (default MEDIUM). |
| Option | Description |
|---|---|
--params P ... |
Override params to try. Default: cmd,c,exec,command,run,shell,q,s,action,do,code,payload,p,x,a,b,u,file,include,f,user,page,path,tpl,template,module,data,tmpl. |
--methods GET POST |
HTTP methods to use (default: both). |
--no-time-based |
Disable ~5s timing test. |
--aggressive |
Extra variants: auth (pass/password/key... + small wordlist), multipart/json, secondary flags (func=system, ajax=1, etc.), base64, and include php://input. |
--aggr-budget N |
Max requests per endpoint in aggressive mode (default: 500). |
--aggr-max-auth N |
Number of auth param names to try (default: 6). |
--aggr-max-pass N |
Passwords per auth name (default: 8). |
--extra-kv "k1=v1,k2=v2" |
Extra k/v pairs added to every request (helpful to "unlock" branches). |
--alt-evidence "A,B,C" |
Strings that count as visible evidence if present in the response (including baseline). Useful for test pages with known banners. |
| Option | Description |
|---|---|
--headers JSON |
Extra headers (e.g., '{"X-Token":"abc"}'). |
--cookie "k=v; a=b" |
Literal cookies. |
--timeout N |
Per-request timeout (default: 10s). |
--workers N |
Concurrency (default: 16). |
--only-http-200 |
Ignore endpoints whose initial status is not 200 (except if the name looks like a known shell: r57, c99, wso, …). |
| Option | Description |
|---|---|
--out PATH |
Full JSON (timestamp added unless --no-datetime). |
--csv PATH |
Full CSV (timestamp added unless --no-datetime). |
--positives-out PATH |
Positives-only JSON (default: <out>_positives.json). |
--positives-csv PATH |
Positives-only CSV (default: <csv>_positives.csv). |
--log PATH |
Log path (default: <out_basename>.log). Accepts {ts}. |
--save-bodies DIR |
Folder to save HTML bodies. Accepts {ts}. |
--save-bodies-all |
Save bodies for NO-RCE and ERR as well. |
--no-datetime |
Don't append timestamp to filenames. |
--verbose |
Verbose mode (per-URL summary + hints). |
url,rce,method,param,os,evidence,status_code,elapsed,error
http://.../webshell.php,True,GET,cmd,win,token:SHCANARY_xxxx visible,200,0.08,
...
Each entry includes everything from the CSV plus resp_text (when captured) — handy if you enabled --save-bodies.
-
Nail the mapping (
config.yml). If you see a lot of 403/404/301/302, yoururl_prefix/base path likely doesn't match. The verifier prints hints automatically. -
Cookies/Headers: use
--cookie/--headersfor sessions or tokens. -
Param-specific shells: some shells require a specific name (
cmd,p, etc.). Use--params cmdto force it. -
alt-evidence: if your test pages print a unique banner (e.g.,
SAFE_TEST_INCLUDE_USER), pass it via--alt-evidence "SAFE_TEST_INCLUDE_USER". If it appears in the baseline (no params), it still counts. -
PHP errors:
php_error:*in evidence often explains non-exploitation (PHP 8 incompat, disabled functions, …). -
Blind timing: when a WAF strips echo, blind timing may be your only confirmation (delay ~5s over baseline).
python verify_rce.py --urls http://localhost:8080/your_patch/webshell.php --verbosepython verify_rce.py \
--report report.json --map config.yml \
--cookie "PHPSESSID=abc123; role=admin" \
--headers '{"X-Auth":"mytoken"}' \
--verbosepython verify_rce.py \
--urls http://localhost:8080/your_patch/shell.php \
--params cmd \
--aggressive --aggr-budget 300 \
--verbosepython verify_rce.py \
--report report.json --map config.yml \
--save-bodies out/bodies --save-bodies-all \
--verbose"Everything is 403/404/301/302"
Check config.yml (url_prefix), use --cookie/--headers to authenticate, and verify the server actually serves that path.
"r57/c99 doesn't run on PHP 8"
You'll see php_error:php8_incompat. Try --aggressive and --extra-kv to "unlock" branches; if the code is broken, there won't be RCE.
"My sample prints something without params, but no token"
Add that string with --alt-evidence "MY_BANNER". Baseline matches count too.
"Blind timing doesn't trigger"
Ensure timing is enabled (don't pass --no-time-based). Very low baseline latency might require repeated attempts.
"I need to see the exact server reply"
Use --save-bodies (and maybe --save-bodies-all). Positives also include resp_text in JSON.
This tool is for authorized security testing only. Make sure you have explicit written permission. Misuse is the operator's responsibility.
- Proxy support and basic/NTLM auth.
- Tech-specific payloads (ASP/JSP).
- WAF-evasion payload mutation engine.
- Add Rules
Inspired by classic signatures (r57, c99, wso…) and static scanning tools. Thanks to the FOSS projects that made this possible.
-- by dEEpEst _ Hack Tools Dark Community --