# «.webshell» (to "webshell")
# «.webshell-old» (to "webshell-old")
# «.phpnuke» (to "phpnuke")
# (find-phpdocpage "tutorial")
# (find-phpfuncpage "phpinfo")
# (find-phpfuncpage "require")
#####
#
# ?
# 2004sep24
#
#####
#*
# (ee-once (eeb-php))
# Working directory of the PHP process, newline-terminated.
print getcwd() . "\n";
#*
# (ee-once (eeb-php))
# `set` is run through the shell: its full output goes straight to stdout,
# and the last output line (system()'s return value) is printed once more.
print system("set") . "\n";
#*
# (ee-once (eeb-php))
# Client address as reported by the SAPI (unset outside a web request).
print $_SERVER['REMOTE_ADDR'] . "\n";
#*
# (ee-once (eeb-php))
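# Refuse to continue unless the request comes from the loopback address.
# isset() avoids an "undefined index" notice when the snippet is run outside
# a web request, where $_SERVER['REMOTE_ADDR'] is not populated.
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$goodip = "127.0.0.1";
# Strict string comparison: "!=" would let PHP type-juggle the operands.
if ($ip !== $goodip) {
    echo "$ip != $goodip\n";
    exit;
}
echo "ok\n";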
#*
# (ee-once (eeb-php+))
# (find-phpdocpage "index")
# Dumps the whole PHP configuration (build options, ini settings, environment,
# request data).  Fine for a local look; on a reachable server it discloses
# paths and settings, so a page calling it should not stay in the document root.
phpinfo();
#*
# (ee-once (eeb-php))
# (find-phplangpage "types.array")
# An array mixing a string key and an integer key.
$arr = array();
$arr["foo"] = "bar";
$arr[12] = true;
print $arr["foo"] . "\n"; // bar
print $arr[12] . "\n";    // 1 (true prints as "1")
#*
# (find-phpdocpage "index")
# (find-phplangpage "variables.external")
# (find-phpfuncpage "import-request-variables")
#####
#
# webshell
# 2004sep24
#
#####
# «webshell» (to ".webshell")
#*
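# Create the scratch page owned by the invoking user with mode 0644 rather than
# 0666: the web server only needs to read it, and a world-writable file in the
# document root could be rewritten by any local account before the server runs it.
sudo touch /var/www/tmp.php
sudo chown "$(id -un)" /var/www/tmp.php
sudo chmod 644 /var/www/tmp.php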
#*
# Scratch page that runs a shell command on behalf of a browser request.
# The only access control is the REMOTE_ADDR == 127.0.0.1 check inside; the
# command text is handed to the shell unmodified, so the file should exist
# only while it is being used (the next section deletes it).
cat > /var/www/tmp.php <<'%%%'
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<title></title>
</head>
<body>
<?
// Anything not coming from the loopback address is refused before the form
// or the command path is reached.  NOTE(review): with a reverse proxy in
// front of this server every client would look local -- confirm deployment.
$ip = $_SERVER['REMOTE_ADDR'];
$goodip = "127.0.0.1";
if ($ip != $goodip) {
echo "$ip != $goodip\n";
exit;
} else {
// pwd and command come straight from the request.  Both are interpolated
// into the backtick string without escaping; only the command's stdout is
// captured into $result (stderr goes to the server's error log).
$pwd = $_REQUEST['pwd'];
if (!$pwd) { $pwd = getcwd(); }
$command = $_REQUEST['command'];
if ($command) { $result = `cd $pwd\n$command`; }
// The form below echoes $pwd, $command and $result into the HTML without
// htmlspecialchars() (the php3 variant uses its v()/p() helpers for that),
// so a value containing quotes or angle brackets breaks the markup.  $result
// is unset when no command was sent; its echo then prints nothing.
?>
<form action="<? echo basename($_SERVER['SCRIPT_NAME']) ?>" method=get>
at: <input type=text name=pwd value="<? echo $pwd ?>" size=56><br>
do:
<textarea name='command' cols=60 rows=4><? echo $command ?>
</textarea>
<br>
<input type=submit name=do value="Go!">
</form>
<pre>
<? echo $result ?>
</pre>
<?
}
?>
</body></html>
%%%
# Open it from the same host so the address check passes.
lynx http://127.0.0.1/tmp.php
#*
# Delete the page as soon as you are done: while it exists, anything that can
# reach the web server from localhost can run commands with the server's privileges.
sudo rm /var/www/tmp.php
#*
#####
#
# To run shell commands on machines that allow only PHP
# 2000aug02
#
#####
# «webshell-old» (to ".webshell-old")
# (find-fline "~/PHP3/tarstuff.php3")
#*
# Older (PHP 3 era) variant.  It relies on register_globals for $pwd, $cmd,
# $HTTP_HOST, $SCRIPT_NAME and $SCRIPT_FILENAME, and has no client-address
# check at all: every client that can reach the page can run commands.
cat > /var/www/tmp.php3 <<'---'
<? include ("/home/root/PHP3/functions.php3");
// error_reporting(1+12+48);
// Both helpers HTML-escape a string: v() is used for attribute values,
// p() for the <pre> body (same function under two names).
function v($s) { return htmlspecialchars($s); }
function p($s) { return htmlspecialchars($s); }
// NOTE(review): $pwd and $cmd are expected from register_globals (off by
// default since PHP 4.2); with it off both stay unset and only the form shows.
if (!$pwd)
$pwd = posix_getcwd();
echo "<head></head>
<body>
<form action=\"http://$HTTP_HOST$SCRIPT_NAME\" method=post>
cd <input type=text size=60 name=pwd value=\"".v($pwd)."\"><br>
<input type=text size=63 name=cmd value=\"".v($cmd)."\"><br>
<input type=submit></form>
<pre>\n";
// chdir() in the PHP process so the exec() below inherits the directory.
// The error message echoes $pwd unescaped, unlike the form above.
if (!@chdir($pwd)) {
echo "no such dir: $pwd\n";
} else {
if ($cmd) {
$s = "# $pwd\n# $cmd\n\n";
$arr = array();
// NOTE(review): "$EE" is inside a PHP double-quoted string, so PHP
// interpolates it (unset -> empty) and the shell never sees $EE; "\$EE" was
// probably intended.  The alias is also unlikely to be honoured by the
// non-interactive shell that exec() starts -- confirm.
$cmd = "export EE=" . dirname($SCRIPT_FILENAME) . "/ee.sh; " .
"alias ee='. $EE'; " .
"($cmd) 2>&1";
// $arr receives the output lines (stdout and stderr, via 2>&1), $exitcode
// the command's exit status.
exec($cmd, $arr, $exitcode);
$s .= join("\n", $arr) . "\n";
if ($exitcode)
$s .= "\n# exitcode = $exitcode\n";
echo p($s);
}
}
echo "</pre></body>\n";
?>
---
# Smoke tests from the same host: no arguments, a directory, a command, a
# failing command (exercises the exitcode line) and a non-existent directory.
wget -q -O - 'http://127.0.0.1/tmp.php3'
wget -q -O - 'http://127.0.0.1/tmp.php3?pwd=/home'
wget -q -O - 'http://127.0.0.1/tmp.php3?pwd=/home&cmd=echo+hello'
wget -q -O - 'http://127.0.0.1/tmp.php3?pwd=/home&cmd=ls;false'
wget -q -O - 'http://127.0.0.1/tmp.php3?pwd=/naaa'
lynx http://127.0.0.1/tmp.php3
#*
# Local Variables:
# coding: raw-text-unix
# ee-delimiter-hash: "\n#*\n"
# ee-anchor-format: "«%s»"
# End: