WebHole is an advanced, open-source remote access and control tool designed for modern web environments. Unlike its predecessor HIPHP, which was limited to PHP, WebHole supports multiple server-side languages, including PHP, Flask (Python), Go (Golang), and Django, offering unmatched flexibility for developers and administrators.
By injecting a small piece of codeβreferred to as the WebHole Hole Codeβinto your project, WebHole enables secure communication over HTTP/HTTPS using POST or GET methods, typically over port 80 or 443. This allows authorized users to perform operations such as file management, script execution, configuration editing, and more, all remotely and in real-time.
Key features include:
-
β Multi-Language Support: Seamlessly works with PHP, Python (Flask & Django), and Go.
-
π Password-Protected Access: Ensures only authorized users can control the server.
-
𧱠Modular Architecture: Easily extend or adapt to new environments and frameworks.
-
π Remote File Execution & Editing: Modify, run, and manage files from any location.
-
π¦ Zero-Dependency Setup: No need for third-party softwareβjust plug the hole code into your project.
Originally inspired by the limitations of HIPHP, WebHole is built for developers, security professionals, and system admins who need granular control over diverse web stacksβwithout relying on external tools or services.
Whether you're managing a single PHP site or a multi-framework infrastructure, WebHole empowers you with a unified, secure, and developer-friendly backdoor solution.
usage: main.py [-h] [--KEY KEY] [--URL URL] [--HOLE HOLE] [--NKEY NKEY] [--PKGS]
Webhole Command-Line Interface: Configure keys, URLs, and manage packages.
options:
-h, --help Show this help message and exit.
--KEY KEY, --key KEY Authentication key used for secure operations. Can be provided via the KEY environment variable.
--URL URL, --url URL Target URL for the operation. Can be provided via the URL environment variable.
--HOLE HOLE, --hole HOLE Hole identifier or reference. Can be provided via the HOLE environment variable.
--NKEY NKEY, --nkey NKEY New authentication key for updating or replacing an existing key. Can be provided via the NKEY environment variable.
--PKGS, --pkgs Display all installed packages in Webhole. Can be enabled via the PKGS environment variable.# Flask server configuration
endpoint: "/"
authentication:
method: "User-Agent header"
key: "__key__" # Replace with your secret key
execution:
commands:
- "ls"
- "cd"
- "tree"
- "cat"- Setup
# Clone the WebHole repository
git clone https://github.com/yasserbdj96/WebHole.git
# Navigate to the project directory
cd WebHole
# Install the required dependencies
pip install -r requirements.txt- Client Connection
# Connect to an existing WebHole instance
python main.py --URL="http://server-ip:port" --KEY="your_secret_key"
# Display installed packages on the WebHole
python main.py --pkgs
# Example output:
# go-http-server β 0.0.1-beta
# php β 0.0.2-beta
# python-django β 0.0.0-beta
# python-flask β 0.0.2-beta
# Create a new WebHole code for a specific platform (Flask, Django, Go, PHP, etc.)
# Without a password (you can set one manually later):
python main.py --hole="package_name"
# With a specified password (encrypted automatically):
python main.py --hole="package_name" --nkey="your_new_key"| Command | Description | Example | *go-http-server | *php | *python-django | *python-flask |
|---|---|---|---|---|---|---|
| [COMMAND] | Put your command | [COMMAND] | β | β | β | β |
| ls | List directory contents | ls | β | β | β | β |
| cd | Change directory | cd [PATH] | β | β | β | β |
| tree | Show directory tree | tree | β | β | β | β |
| tree -f | Display directory structure in a tree format with full paths | tree -f | β | β | β | β |
| cat | Display file content | cat [file] | β | β | β | β |
| hole | Display HOLE Code | hole | β | β | β | β |
| -v | Show version information | -v | β | β | β | β |
| -h | Show help | -h | β | β | β | β |
| exit | Exit the shell | exit | β | β | β | β |
- MD5-hashed authentication keys
- Secure command execution sandbox
- Encrypted communication
- Restricted command whitelisting
webhole/
β CHANGELOG
β config.json
β logo.png
β main.py
β README.md
β requirements.txt
β version.txt
ββββTasks
β django_server.py
β flask_server.py
β go_server.go
β php_server.php
β servers_config.json
β server_launcher.py
ββββwebhole
β messages.json
β __init__.py
β __version__.py
β
ββββmodules
β del_line_startswith.py
β tomd5.py
β url_fix.py
β
ββββpackages
ββββgo-http-server
β config.json
β hole.go
β ls.go
β
ββββphp
β cat.php
β cd.php
β config.json
β hole.php
β ls.php
β tree.php
β tree_f.php
β
ββββpython-django
β cat.py
β cd.py
β config.json
β hole.py
β ls.py
β tree.py
β tree_f.py
β
ββββpython-flask
β cat.py
β cd.py
β config.json
β hole.py
β ls.py
β tree.py
β tree_f.py
β
ββββ__functions__
fn_listsort.pyβββ(python-flask@example.com)ββ[/home/user]
ββWEBHOLE> ls
π CHANGELOG | π config.json | π logo.png
π main.py | π README.md | π requirements.txt
π Tasks | π version.txt | π versions
π webhole
βββ(python-flask@example.com)ββ[/home/user]
ββWEBHOLE> cd Tasks
βββ(python-flask@example.com)ββ[/home/user/Tasks]
ββWEBHOLE> tree
.
ββββ django_server.py
ββββ flask_server.py
ββββ go_server.go
ββββ php_server.php
ββββ server_launcher.py
ββββ servers_config.json
βββ(python-flask@example.com)ββ[/home/user/Tasks]
ββWEBHOLE> tree -f
rrw-rw-rw- Jun 18 14:54 1.54 KB django_server.py
rrw-rw-rw- Jun 18 14:52 1.30 KB flask_server.py
rrw-rw-rw- Jun 18 15:20 2.30 KB go_server.go
rrw-rw-rw- Apr 07 21:22 655 bytes php_server.php
rrw-rw-rw- Jun 18 15:03 528 bytes servers_config.json
rrw-rw-rw- Jun 18 14:54 3.00 KB server_launcher.py
βββ(python-flask@example.com)ββ[/home/user/Tasks]
ββWEBHOLE> cat servers_config.json
{
"flask": {
"enabled": true,
"host": "127.0.0.1",
"port": 81,
"entry": "flask_server.py"
},
"php": {
"enabled": true,
"host": "127.0.0.1",
"port": 82,
"php_path": "C:\\xampp\\php\\php.exe",
"root": ".",
"entry": "php_server.php"
},
"go": {
"enabled": true,
"entry": "go_server.go",
"host": "127.0.0.1",
"port": 83
},
"django": {
"enabled": true,
"host": "127.0.0.1",
"port": 84,
"entry": "django_server.py"
}
}
Always use in trusted environments - command execution capabilities pose security risks if misconfigured.
Website . Github . Instagram . youtube . pypi . docker . gitter . e-mail . sponsor