I was in need of some web shells for some security research I was conducting. I found w0rms.com which has a nice selection of shells that can be downloaded to accomodate my need to test some malicious PHP code in my application.

Backdoor

As expected every shell on w0rms.com is backdoored (backdoor the backdoors eh?).

This code is found at the bottom of EVERY shell supplied by w0rms.com. These scripts are inherently to not be trusted or run on your web server as they are often backdoored and do all kinds of other nasty things. They are used by bad actors to view, modify, and often upload more files to compromised PHP web applications. The javascript found in each of the supplied web shells is sending the location of each web shell to the owners of w0rms.com:

This means that when a bad actor uses a malicious web shell that was posted on w0rms.com the location of that shell is sent to the owners of w0rms.com. From here the owners of w0rms.com likely automatically upload additional malicious code. This is very common and clearly points out that there is no honor among script kiddies.

I hope that they sanitize their input and check that it’s actually a valid URL 🙂

$ while true; do curl -A butts http://w0rms.com/oku/kaydet.php?a=$RANDOM; done