############################################################################
#    Created by Scoperchiatore http://scoperchiatore.netsons.org           #
#                                                                          #
#    This program is free software; you can redistribute it and/or modify  #
#    it under the terms of the GNU General Public License as published by  #
#    the Free Software Foundation; either version 3 of the License, or     #
#    (at your option) any later version.                                   #
#                                                                          #
#    This program is distributed in the hope that it will be useful,       #
#    but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         #
#    GNU General Public License for more details.                          #
#                                                                          #
#    You should have received a copy of the GNU General Public License     #
#    along with this program (the file COPYING.TXT).                       #
#    Write to the                                                          #
#       Free Software Foundation, Inc.,                                    #
#       59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.          #
#    for further information.                                              #
############################################################################

                         WSH 1.1.0 README

                    Motivations and Upload FAQ

WSH is a Web SHell written in Java, to be used in Java environments.
A Web Shell is a Web Application that acts like a shell and lets
you execute commands on a target.

Actually, WSH is a little more than a web shell, because it gives you
a user-friendly "File Manager" to examine file systems, and a
way to open a backdoor on a target.

This README is a big FAQ that explains WSH and gives
usage hints.

________________________________________________________________________

                      FAQ - Usefulness

Q: Is WSH of any use?
A: I think so.

Q: Is WSH an exploit/attack?
A: No. It is only a tool that lets you gain something more from other
   vulnerabilities (like weak passwords), and lets you go a little
   further during a Penetration Test, gaining new users or hosts.

________________________________________________________________________

                      FAQ - Upload Guide

Q: What do I need to know before using it?
A: The meaning of Application Server, servlet or JSP, and a little
   idea of the difference between a Web Server and an Application
   Server. Please document yourself about the Application Server
   you are uploading WSH to; it is a complex world, and sometimes such
   software behaves in a "strange" way.

Q: Can I use it to break into a system for fun/profit?
A: No. Every unauthorized use is prohibited. You should use it only
   on your personal PC or during authorized Penetration Tests or
   Ethical Hacking activities. The author cannot be held responsible for
   any unauthorized use of this tool.

Q: Why/When/Where may I find myself in need of using WSH?
A: The typical scenario is when you find a weak password for the
   Administration panel of some Java Application Server. WSH will
   let you gain a shell on that server with the privileges of the
   user who launched the Application Server Management process.
   
Q: A practical example?
A: You nmap the host, and find the 8080 HTTP port open. You go
   to that page, and you see the default Tomcat Welcome Page. You
   click on the left, Tomcat Manager, and try tomcat/admin.
   If you are in, it's time to upload WSH and get into the server.
   
Q: Can I upload it without accessing the Management?
A: Every Application Server has a different management interface, but
   most of them do not let you deploy an application just by
   copying it into the filesystem, so I think the only way to upload
   WSH or any Web Shell on an Application Server is to gain access to
   the Management (BEA Weblogic Console, Tomcat Manager, Oracle IAS
   Console, Sun AS Console, etc...).
   
Q: Ok, I have the admin password to the Management. And now?
A: Now, you have to search for the "WAR Upload" function, and then upload
   the WAR file, which IS WSH.

Q: Do I have to recompile WSH before uploading?
A: No. Java is a language created to be "build once and run everywhere",
   and this works even with webapps like WSH.
   
Q: Ok, I did upload the WSH war. And now?
A: Now everything depends on the Application Server and its
   configuration. For example, on Tomcat, you should access WSH
   simply by going to
      http://IP_OF_THE_APPLICATION_SERVER:8080/wsh/
   or, if you found the Tomcat Manager on port XXXX, you can access WSH at
      http://IP_OF_THE_APPLICATION_SERVER:XXXX/wsh/
   If you found the HTTPS interface, you should use it.
   Sun AS, JBoss, BEA and Oracle IAS bind the console and the applications
   on different ports. So if you found the BEA console at
      http://IP_OF_THE_APPLICATION_SERVER:7001/console/
   you have few chances to find WSH at
      http://IP_OF_THE_APPLICATION_SERVER:7001/wsh.
   Perhaps you can try
      http://IP_OF_THE_APPLICATION_SERVER:8000/wsh.
      https://IP_OF_THE_APPLICATION_SERVER:8001/wsh.

   Sometimes you may find WSH under
      /wsh1.0.2/
      /wsh1.1.0/
      ...
   instead of
      /wsh/
   This directory, the context path, is specified in the WSH WAR but can be
   overridden by the Application Server.
   
Q: Is there a clear way to understand how to access WSH after the upload?
A: Sure! Since you got into the Application Server Management, you can easily
   find all the configuration information you need. However, this differs
   a lot from AS to AS.
   
Q: Other ways?
A: You may try to bruteforce all open HTTP/HTTPS ports, trying to find
   /wsh/index.jsp. However, some application servers may add a
   /[NODENAME]/ path in front of each application deployed on that node.
   It is a complex world...
   
Q: Ok, I finally found WSH on the server! And now?
A: Now, you may refer to the online HELP (the big ? image on the right).
   I think most of the features are really simple. However, take a look
   at each HELP subsection, because there are some details you should
   know.
   
Q: Is it useful to explore the server filesystem through WSH?
A: I don't think so. The first thing you should try to do after accessing
   the WSH page on a new server is to find a way to access that server
   through SSH or any other kind of remote login!
   Apart from this, remember that WSH lets you execute commands with the
   privileges of the Application Server user on the system
   (tomcat, ias_admin, bea, weblogic, and so on).
   You may have/gain another user on that system who does not have
   such privileges, so think about creating a setuid sh
   (/bin/sh) to finalize a local privilege escalation.
   
Q: Any other use of issuing commands as the Application Server user?
A: That user can surely access all the webapps (Servlets, EJBs, JSPs, ...)
   deployed on its server. So, through WSH, you can access them
   too. You can download them and analyze them on your PC, looking
   for passwords, keys, ports, and all kinds of information.
   
Q: What's that "Backdoor" button in the upper-right corner of WSH?
A: It is a way to do the same things you can do with the Web Interface,
   but through telnet. You can open a backdoor, and then telnet to it to
   get a quasi-shell with the same limitations WSH has (read
   known_bugs.txt for further details).
   
Q: Can WSH be used on C# or Python Application Servers?
A: No.

Q: Does WSH suffer from security issues?
A: Sure, many. First of all, it suffers from Remote Command Execution: that
   is its purpose. Then many parameters are not sanitized, and the session
   is not properly handled. I think there are many XSS, and I am quite sure
   you may alter paths and path specifications. If you are wondering
   whether I will fix such bugs, the answer is no, because it is useless
   for this tool to be "securely written".
   
_____________________________________________________________________
   
                         FAQ - Project

Q: Why did you write it?
A: Simply, I needed something like that during a Penetration Test, and
   I could not find it by googling.

Q: Is this the only JAVA Web Shell in the world?
A: No, there is at least another one, written by The Old School (t0s):
	http://www.t0s.org/code.php?option=3
   They wrote the same thing for PHP and ASP too!
   However, I discovered their site after I had started coding WSH. In addition,
   their JSP toolkit does not have some features WSH has.
   Last but not least, their site has not been updated since 2004.
   
Q: So, are t0s and WSH the only JAVA Web Shells in the world?
A: I really do not think so, but I was not able to find another one. If
   you find tools like WSH, please write me at scoperchiatore AT gmail D0T com
   or pass them to me through delicious (always scoperchiatore).
   
Q: Why did you not spend more time in searching?
A: Because I did not want to find a closed-source tool. It is too dangerous
   to upload a backdoor without reading its code first.
   This is why WSH is Open Source, GPLv3 (as written everywhere in this code!)

Q: And where can I find the sources?
A: Inside the WAR file. Unpack it (it is a ZIP) and you will see the
   .class files (compiled) and the .java and .jsp files (sources).
   
Q: Did you add something malicious into the code? Keylogger, hidden
   backdoors, malware, etc?
A: No. To confirm this, please read the code. I think it is better
   to start from the class wgui.frames.WebShellFrame.java, which is the
   upper frame, the WSH one.
   The other frame is wgui.frames.FileManagerRightFrame.java, which
   is the File Manager one.
   The package contains more or less a dozen "important" classes (not
   utility or GUI classes), but I think it could take a couple of hours
   to read all the main methods. I cannot suggest how to assess whether
   this code fits your needs, however.
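The two answers above recommend the same check before trusting any WAR: unpack it as a ZIP and confirm that the compiled classes really come with their sources. The following script is an added example, not code from WSH or its README; it builds a small constructed WAR in memory (file names only mirror the two frame classes named above, the bytes are placeholders), inventories it, and flags every .class entry that has no matching .java file. It assumes sources sit beside the classes under WEB-INF/classes, which is a constructed layout, not necessarily how the WSH WAR is packed.

```python
"""Inventory a WAR file and flag compiled classes that ship without source.

Added example (not part of WSH). A WAR is a ZIP, so the audit is: list the
entries, group them by extension, and pair each .class with the .java it
should have been compiled from.
"""
import io
import zipfile
from dataclasses import dataclass, field

CLASSES_PREFIX = "WEB-INF/classes/"   # assumed location of classes and sources


@dataclass
class WarInventory:
    classes: list = field(default_factory=list)    # compiled .class entries
    sources: list = field(default_factory=list)    # .java entries
    jsps: list = field(default_factory=list)       # .jsp entries
    unsourced: list = field(default_factory=list)  # .class entries with no .java


def _stem(entry: str) -> str:
    """Reduce an entry to its package-qualified name, without extension
    or inner-class suffix, so that
    'WEB-INF/classes/wgui/frames/WebShellFrame$1.class' and
    'WEB-INF/classes/wgui/frames/WebShellFrame.java'
    both map to 'wgui/frames/WebShellFrame'."""
    path = entry.rsplit(".", 1)[0]
    if path.startswith(CLASSES_PREFIX):
        path = path[len(CLASSES_PREFIX):]
    return path.split("$", 1)[0]


def audit_war(war_bytes: bytes) -> WarInventory:
    """Open the WAR as a ZIP and classify its entries."""
    inv = WarInventory()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = [n for n in war.namelist() if not n.endswith("/")]
    for name in names:
        if name.endswith(".class"):
            inv.classes.append(name)
        elif name.endswith(".java"):
            inv.sources.append(name)
        elif name.endswith(".jsp"):
            inv.jsps.append(name)
    # Every compiled class must have a reviewable source counterpart.
    source_stems = {_stem(s) for s in inv.sources}
    inv.unsourced = [c for c in inv.classes if _stem(c) not in source_stems]
    return inv


def build_sample_war() -> bytes:
    """Constructed sample WAR. Class bytes are just the Java magic number;
    one class (util/Hidden) is deliberately packed without its source."""
    magic = b"\xca\xfe\xba\xbe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("index.jsp", "<%-- constructed placeholder --%>")
        war.writestr(CLASSES_PREFIX + "wgui/frames/WebShellFrame.class", magic)
        war.writestr(CLASSES_PREFIX + "wgui/frames/WebShellFrame$1.class", magic)
        war.writestr(CLASSES_PREFIX + "wgui/frames/WebShellFrame.java", "class WebShellFrame {}")
        war.writestr(CLASSES_PREFIX + "wgui/frames/FileManagerRightFrame.class", magic)
        war.writestr(CLASSES_PREFIX + "wgui/frames/FileManagerRightFrame.java", "class FileManagerRightFrame {}")
        war.writestr(CLASSES_PREFIX + "util/Hidden.class", magic)  # no source: must be flagged
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_war(build_sample_war())
    print(f"{len(result.classes)} classes, {len(result.sources)} sources, {len(result.jsps)} JSPs")
    for entry in result.unsourced:
        print("NO SOURCE:", entry)
```

Run it against a real WAR by passing the file's bytes to `audit_war()`; an empty `unsourced` list is the precondition for the code review the README asks for, not a substitute for it.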

Q: What is the WSH story, and what are its implementation perspectives?
A: WSH was first written to show the impact of a weak Application Server
   administrator password. Next, I used it in other situations where the
   weak AS admin password was the only way I had to access the system;
   this made me add features thinking about all those situations where
   one cannot get SSH access, but really needs to explore a server.
   After doing that, I revisited those features in order to guarantee
   the security of the server you are analyzing (that is, if you open
   a backdoor you MUST be sure you can close it when you want!).
   Last but not least, I took into account the server performance by
   adding the Max Execution Time function.
   In the 1.1.0 release I got everything working under Windows, because
   you may find many Windows Application Servers.
   
Q: Anything to add?
A: Yes. Why do many hackers ignore what an Application Server is, what it
   does, what its fundamentals are, and so on? Don't you find them in every
   (internal) PT you do, like me?