Announcing RWSH v1.1 – Now with more cowbell!

While it has been over a year since the initial release, I'm very excited to announce the release of RWSH v1.1!

For those of you not familiar with this tool, here is the original release.

The main goal of RWSH is to offer a simple, yet versatile, web shell and pseudo-interactive client.

Main Features

  • Encoded communication
  • Pseudo-interactive shell
  • Cleaner output formatting than PHP passthru
  • Hostname and username (whoami) detection
  • (Mostly) Clean exiting

New features in RWSH v1.1

Finally, some methods!

RWSH v1.1 - New methods

  • I removed the encoded.php file, but kept the way that I generated it as a comment in the current shell.php
  • I added support for POST requests, as well as the ability to select between GET and POST
  • Methods for sending the request, encoding the request, and decoding the response have been added
  • I updated the README to reflect these changes
  • Now licensed under Apache 2.0, so build something even better!
  • Removed from my SecurityTools repository and created its own (see below)
  • First official tagged release -

Future work

  • Add ability to easily obfuscate shell.php
  • Add client specific functionality similar to meterpreter (upload, download, etc.)
  • Include randomly generated filenames for server.php (similar to Metasploit payloads)
  • Look into better methods of encryption or encoding the traffic
  • Handle all exit cases better
  • Perform OS detection and better prompt displays
  • Look into the ability to change directories (change the prompt, prepend the current directory to any requests?)
  • Pseudo random key for forward-secrecy
  • Better encoded version to avoid detection (grep, AI-Bolit)
  • Clean up and add more methods
  • Add support for more HTTP verbs as well as headers (cookies, arbitrary, etc.)


Let me know if you have any questions, comments, suggestions, or ideas!

I'm hoping to have v1.2 out sooner than a year from now, and I have a lot of great ideas for v2.0.

Finally, you can find the code and updates in its new GitHub repository.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
