author | Luke Shumaker <LukeShu@sbcglobal.net> | 2011-11-27 11:26:20 -0500 |
---|---|---|
committer | Luke Shumaker <LukeShu@sbcglobal.net> | 2011-11-27 11:26:20 -0500 |
commit | 76ead734626996f82caddaca57dc2f84243b0947 (patch) | |
tree | 32ea6607a7c70de059b4bf376897b64391af2321 | |
parent | fb0380f48203a11584773f3db335eaadd9cc6fdf (diff) |
This zip file was identified as ltshell-3.6.zip
-rw-r--r-- | ltshell.php | 2 | ||||
-rw-r--r-- | shell/bin/cd.php | 2 | ||||
-rw-r--r-- | shell/bin/editor.php | 7 | ||||
-rw-r--r-- | shell/bin/whoami.php | 2 | ||||
-rw-r--r-- | shell/exec.php | 71 | ||||
-rw-r--r-- | shell/shell.php | 54 | ||||
-rw-r--r-- | shell/shell2.php | 48 |
7 files changed, 131 insertions, 55 deletions
diff --git a/ltshell.php b/ltshell.php index f3e348d..88a993e 100644 --- a/ltshell.php +++ b/ltshell.php @@ -3,7 +3,7 @@ Plugin Name: LTS WebShell Plugin URI: http://lukeshu.ath.cx/1/src/ Description: An entirely PHP web shell (doesn't require system) -Version: 3.5 +Version: 3.6 Author: Luke Shumaker Author URI: http://lukeshu.ath.cx License: GPL2 diff --git a/shell/bin/cd.php b/shell/bin/cd.php index e8505bd..baf30f3 100644 --- a/shell/bin/cd.php +++ b/shell/bin/cd.php @@ -2,7 +2,7 @@ class p_cd extends prog { public static function main($args, $env) { @$dir = $args[1]; - return php_chdir($dir); + return lts_chdir($dir); } } diff --git a/shell/bin/editor.php b/shell/bin/editor.php index 39db3d8..a136cd2 100644 --- a/shell/bin/editor.php +++ b/shell/bin/editor.php @@ -2,7 +2,8 @@ class p_editor extends prog { public static function main($args, $env) { if (isset($_POST['stdin'])) { - if (isset($args[1])) { + if (false) {//if (isset($args[1])) { + echo $args[0].': saving to `'.$args[1]."'\n"; file_put_contents($args[1],$_POST['stdin']); } else { echo $_POST['stdin']; @@ -14,8 +15,8 @@ class p_editor extends prog { $text = ''; } echo '<div class="editor">'; - echo '<input type="hidden" name="stddest" value="'.$_POST['c'].'" />'; - echo '<textarea name="stdin">'.$text.'</textarea>'."\n"; + echo '<input type="hidden" name="stdout_dest" value="'.$_POST['c'].'" />'; + echo '<textarea name="stdin">'.htmlentities($text).'</textarea>'."\n"; echo '<input type="submit" value="save" />'; echo '</div>'; } diff --git a/shell/bin/whoami.php b/shell/bin/whoami.php index 7e560f2..fd7afa1 100644 --- a/shell/bin/whoami.php +++ b/shell/bin/whoami.php @@ -1,7 +1,7 @@ <?php class p_whoami extends prog { public static function main($args, $env) { - echo get_current_user(); + echo get_current_user()."\n"; } } diff --git a/shell/exec.php b/shell/exec.php index b842ea8..9c22e5b 100644 --- a/shell/exec.php +++ b/shell/exec.php 
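Review bot: In shell/bin/editor.php the condition `if (false) {//if (isset($args[1])) {` turns the save branch into dead code, so the newly added `saving to` echo and the `file_put_contents($args[1],$_POST['stdin'])` call can never run and every submitted buffer falls through to `echo $_POST['stdin'];`. If saving is switched off on purpose, delete the branch or state the reason in a comment such as `// saving disabled: output is routed through stdout_dest instead`, rather than keeping a constant condition with the real test hidden in a trailing comment. That reason is inferred from the rest of the commit; the hunk does not state it. `main` starts above this hunk and continues past its end.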
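Review bot: The hidden field in the second shell/bin/editor.php hunk still writes `$_POST['c']` straight into a double-quoted attribute, although the textarea next to it now goes through `htmlentities()`. A command containing `"` ends the attribute early, so the value posted back as `stdout_dest` is no longer the command that was typed, and request data can add markup to the page. Encode it the same way: `echo '<input type="hidden" name="stdout_dest" value="'.htmlentities($_POST['c'], ENT_QUOTES).'" />';`. The enclosing `main` starts above this hunk.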
@@ -1,32 +1,27 @@ <?php -function php_chdir($dir) { +function lts_chdir($dir) { $ret = chdir($dir); echo '<input type="hidden" name="d" value="'.getcwd().'" />'; + if ($ret == false) { echo 'chdir: unable to change directories: `'.$dir."'\n"; return $ret; } abstract class prog { public static abstract function main($args, $env); } -function php_exec($com, $cwd='') { - if ($cwd != '') { php_chdir($cwd); } +function lts_shell_exec($com, $env) { + if ($env['CWD'] != '') { lts_chdir($env['CWD']); } if ($com=='') { return 0; } - $root = dirname(__FILE__); - - $ifs=' '; - $path = $root.'/bin'; - - $env = array('IFS' => $ifs, 'PATH' => $path); - - $coms = array(); $stdout_dest = array(); - $a = 0; - $c = 0; - $q = ''; + $coms = array(); + $stdout_dest = array(); + + // Parse command(s) + $a = 0; $c = 0; $q = ''; while ($com != '') { $char = substr($com,0,1); $com = substr($com,1); - if (substr_count ('\'',$char)!==0) { + if (substr_count ('\'',$char)!==0) { if (substr($q,0,1)===$char) { $q = substr($q,1); } else { @@ -34,14 +29,16 @@ function php_exec($com, $cwd='') { } } elseif ($q != '') { $coms[$c][$a].=$char; - } elseif (substr_count ($ifs,$char)!==0) { + } elseif (substr_count ($env['IFS'],$char)!==0) { if (isset($coms[$c][$a])) { $a++; } - } elseif (substr_count (';',$char)!==0) { - $stdout_dest[$c] = '/dev/stdout'; + } elseif ($char==';') { + if (!isset($stdout_dest[$c])) { + $stdout_dest[$c] = '/dev/stdout'; + } $c++; $a=0; - } elseif (substr_count ('|',$char)!==0) { + } elseif ($char=='|') { $stdout_dest[$c] = '/dev/stdin'; $c++; $a=0; } else { 
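Review bot: As the first shell/exec.php hunk reads on this page, the added `if ($ret == false) {` line in `lts_chdir` opens a block that is not closed before `return $ret;`, which leaves the function's braces unbalanced; the block should end with `}` directly after the echo. The same line prints `$dir` into HTML output unescaped, and `$dir` comes from the typed command or from `$env['CWD']`, so it should be wrapped in `htmlentities()`. A strict test, `if ($ret === false)`, states the intent more clearly since `chdir()` returns a bool. `lts_shell_exec` begins in this hunk and runs on into the following ones.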
@@ -52,25 +49,18 @@ function php_exec($com, $cwd='') { $stdout_dest[$c] = '/dev/stdout'; } + // execude commands $ret=0; - if (!isset($_POST['stdin'])) { $_POST['stdin']=''; } foreach ($coms as $key => $args) { if ($stdout_dest[$key] != '/dev/stdout') { ob_start(); } - if (!class_exists('p_'.$args[0])) { - $file=$path.'/'.$args[0].'.php'; - if (file_exists($file)) { - include($file); - } - } - if (class_exists('p_'.$args[0])) { - $ret = call_user_func(array('p_'.$args[0],'main'),$args,$env);//main($args,$env); + + lts_exec($args, $env); + + if ($stdout_dest[$key] == '/dev/stdout') { + unset($_POST['stdin']); } else { - echo 'sh: command not found: `'.$args[0]."'\n"; - $ret = 1; - } - if ($stdout_dest[$key] != '/dev/stdout') { switch ($stdout_dest[$key]) { case '/dev/stdin': $_POST['stdin']=ob_get_contents(); break; default: file_put_contents($stdout_dest[$key],ob_get_contents()); break; @@ -80,3 +70,20 @@ function php_exec($com, $cwd='') { } return $ret; } + +function lts_exec($args, $env) { + if (!class_exists('p_'.$args[0])) { + $file=$env['PATH'].'/'.$args[0].'.php'; + if (file_exists($file)) { + include($file); + } + } + if (class_exists('p_'.$args[0])) { + $ret = call_user_func(array('p_'.$args[0],'main'),$args,$env); + } else { + echo 'lts_exec: command not found: `'.$args[0]."'\n"; + $ret = 1; + } + return $ret; +} + diff --git a/shell/shell.php b/shell/shell.php index 7ad8ae2..499441d 100644 --- a/shell/shell.php +++ b/shell/shell.php 
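Review bot: The call `lts_exec($args, $env);` in `lts_shell_exec` discards the status that `lts_exec` returns, so `$ret` keeps its initial `0` and the function reports success even after `command not found`; the removed code assigned the result. Use `$ret = lts_exec($args, $env);`. The comment `// execude commands` should read `// execute commands`. The loop and the function both start above this hunk.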
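Review bot: `lts_exec` builds the include path from `$args[0]` without restricting it to a plain program name, so a command word containing `/` or `..` makes `include($file)` load a `.php` file from outside `$env['PATH']`. Reject such names before the lookup, for example `if (!preg_match('/^[A-Za-z0-9_]+$/', $args[0])) { echo "lts_exec: invalid command name\n"; return 1; }`, which also keeps the `'p_'.$args[0]` class name well formed. The `command not found` message echoes `$args[0]` into the page unescaped and should go through `htmlentities()`. A docblock stating that the function returns the program's status, and 1 when no matching class exists, would help callers.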
@@ -1,28 +1,48 @@ <?php if (!isset($LTS)) { die(); } - include('exec.php'); - if (isset($_POST['stddest'])) { - $_POST['c'] = $_POST['stddest']; - } +include('exec.php'); + +// Set up environment +$ltshell_dir = dirname(__FILE__); +$env['PATH'] = $ltshell_dir.'/bin'; +$env['IFS'] = " \t\n"; +if (isset($_POST['d'])) { chdir($_POST['d']); } +$env['CWD'] = getcwd(); + +// Check for an incomplete command +if (isset($_POST['stdout_dest'])) { + $_POST['c'] = $_POST['stdout_dest']; + unset($_POST['stdout_dest']); +} + +// Figure out what needs to be displayed on the terminal +ob_start(); if ($_POST['c'] == 'clear') { - $term = ''; + lts_chdir('.'); } else { - ob_start(); - echo $_POST['t']; + echo htmlentities($_POST['stdout']); echo $_POST['c']."\n"; - php_exec($_POST['c'],$_POST['d']); + + lts_shell_exec($_POST['c'],$env); + echo '$ '; - $term = ob_get_contents(); - ob_end_clean(); } +$term = ob_get_contents(); +ob_end_clean(); + +// Display it ?> <div class="term"><?php - ?><form action="<?php echo $_SERVER['PHP_SELF'];?>#prompt" method="post"><?php - php_chdir('.'); - echo $term; - echo $sh; - ?><input id="prompt" type="text" name="c" /><?php - ?><textarea name="t" class="hidden" readonly="readonly"><?php echo preg_replace('/<[^>]*>/','',$term); ?></textarea><?php - ?></form><?php + echo '<form action="'.$_SERVER['PHP_SELF'].'#prompt" method="post">'; + echo $term; + echo '<input id="prompt" type="text" name="c" />'; + echo '<textarea name="stdout" class="hidden" readonly="readonly">'; + // this PCRE is so that only markup from the current + // command ends up on the terminal; the rest gets + // stripped out + echo preg_replace('/<[^>]*>/','',$term); + echo '</textarea>'; + echo '</form>'; ?></div> </form> + diff --git a/shell/shell2.php b/shell/shell2.php new file mode 100644 index 0000000..345064d --- /dev/null +++ b/shell/shell2.php @@ -0,0 +1,48 @@ +<?php if (!isset($LTS)) { die(); }
+
+include('exec.php');
+
+// Set up environment
+$ltshell_dir = dirname(__FILE__);
+$env['PATH'] = $ltshell_dir.'/bin';
+$env['IFS'] = " \t\n";
+if (isset($_POST['d'])) { chdir($_POST['d']); }
+$env['CWD'] = getcwd();
+
+// Check for an incomplete command
+if (isset($_POST['stdout_dest'])) {
+ $_POST['c'] = $_POST['stdout_dest'];
+ unset($_POST['stdout_dest']);
+}
+
+// Figure out what needs to be displayed on the terminal
+ob_start();
+ if ($_POST['c'] == 'clear') {
+ lts_chdir('.');
+ } else {
+ echo htmlentities($_POST['stdout']);
+ echo $_POST['c']."\n";
+
+ lts_shell_exec($_POST['c'],$env);
+
+ echo '$ ';
+ }
+$term = ob_get_contents();
+ob_end_clean();
+
+// Display it
+?>
+<div class="term"><?php
+ echo '<form action="'.$_SERVER['PHP_SELF'].'#prompt" method="post">';
+ echo $term;
+ echo '<input id="prompt" type="text" name="c" />';
+ echo '<textarea name="stdout" class="hidden" readonly="readonly">';
+ // this PCRE is so that only markup from the current
+ // command ends up on the terminal; the rest gets
+ // stripped out
+ echo preg_replace('/<[^>]*>/','',$term);
+ echo '</textarea>';
+ echo '</form>';
+?></div>
+</form>
+<!-- edited -->
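Review bot: `echo $_POST['c']."\n";` prints the submitted command into the terminal markup unescaped, while the line above it escapes `$_POST['stdout']`; the same applies to `$_SERVER['PHP_SELF']` in the form `action`. Both should be encoded, as `echo htmlentities($_POST['c'])."\n";` and `htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES)`, and `$_POST['c']` and `$_POST['stdout']` are read without an `isset()` check, so a first GET request raises notices. The new side of the shell/shell.php hunk contains the same lines and needs the same change. Nothing visible here ties the POST to the user's session (the form has no token or nonce field), so confirm that the including page verifies one before commands are executed. shell2.php appears to be a copy of shell.php apart from the `<!-- edited -->` marker; sharing one file would avoid fixing each issue twice.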
|