
The Client Trojan API

Chris Lane edited this page Oct 19, 2016 · 2 revisions


The novahot client communicates with the trojan by POST-ing JSON to the URI at which the trojan resides. The trojan returns a JSON response.

The Client

The POST body from the novahot client will resemble the following:

  {
    "auth": "the-control-password",
    "cwd": "/var/www/public",
    "cmd": "ls"
  }


  • auth is the trojan's control password
  • cwd is the trojan's current working directory
  • cmd is the command to pass to the trojan

Additionally, an args property may optionally be attached to the POST body, and may contain arbitrary parameters. (args is currently used to implement "virtual commands", but can be used to extend a trojan at will.)

The Trojan

The trojan will return JSON resembling the following:

  {
    "stderr": [],
    "stdout": ["index.html"],
    "cwd": "/var/www/public"
  }


  • stderr is an array of lines written to stderr
  • stdout is an array of lines written to stdout
  • cwd is the trojan's current working directory

Extending the Trojans

The trojans process the data POST-ed from the client as follows:

  1. If cmd is a "payload function" (i.e., a function that has been defined within the trojan), the payload function will be executed and passed args as a parameter.

  2. If cmd is not a "payload function", cmd will be passed to a system subshell.

Only two payload functions ship with the novahot trojans by default: payload_upload (for uploading files), and payload_download (for downloading files).

"Payload" Mode

To extend the trojans, simply add additional payload functions to the trojan source.

It is possible to send arbitrary parameters to custom payloads using the "payload" mode. To enter the payload mode, type .payload from within the shell.

Once in payload mode, arbitrary payloads may be executed using the following syntax:

payload> payload_name { "foo" : "bar" }


  • payload_name corresponds to the name of a payload function in the trojan.

  • payload_name is (optionally) followed by parameters formatted as valid JSON.

The optional parameters will be attached to the POST body as the args property.

Note that payload functions must return JSON formatted as specified above in order to be fully compatible with the shell.
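Seen from the detection side, the request and response shapes documented above form a recognizable pair. The following is an added example, not part of novahot: it flags captured HTTP exchanges whose bodies match the documented key sets, and the URIs, sample bodies and function names in it are constructed for illustration.

```python
import json

REQUEST_KEYS = {"auth", "cwd", "cmd"}        # documented POST body keys
RESPONSE_KEYS = {"stderr", "stdout", "cwd"}  # documented response keys
SHIPPED_PAYLOADS = {"payload_upload", "payload_download"}

def _json_object(body):  # returns a dict, or None if not a JSON object
    try:
        obj = json.loads(body)
    except (TypeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def classify_request(body):
    """Findings for one POST body; an empty list means no match."""
    obj = _json_object(body)
    if obj is None or not REQUEST_KEYS.issubset(obj) or not all(
            isinstance(obj[k], str) for k in REQUEST_KEYS):
        return []
    findings = ["request-shape"]
    if obj["cmd"] in SHIPPED_PAYLOADS:
        findings.append("shipped-payload:" + obj["cmd"])
    if "args" in obj:
        findings.append("args-present")
    return findings

def response_matches(body):  # string cwd, list-valued stdout and stderr
    obj = _json_object(body)
    if obj is None or not RESPONSE_KEYS.issubset(obj):
        return False
    return isinstance(obj["cwd"], str) and all(
        isinstance(obj[k], list) for k in ("stdout", "stderr"))

def scan(exchanges):
    hits = []
    for uri, req, resp in exchanges:
        findings = classify_request(req)
        if findings:
            findings += ["response-shape"] if response_matches(resp) else []
            hits.append((uri, findings))
    return hits

# Constructed sample (uri, request_body, response_body) exchanges.
SAMPLE = [
    ("/static/x.php", '{"auth":"x","cwd":"/var/www/public","cmd":"ls"}',
     '{"stderr":[],"stdout":["index.html"],"cwd":"/var/www/public"}'),
    ("/api/login", '{"user":"alice","password":"pw"}', '{"ok":true}'),
    ("/static/x.php", '{"auth":"x","cwd":"/tmp","cmd":"payload_download",'
     '"args":{"foo":"bar"}}', '{"stderr":[],"stdout":[],"cwd":"/tmp"}'),
]
```

Key-set matching is a heuristic: treat a hit as a lead to inspect the file behind the URI, since an unrelated API could use the same key names.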
