-rw-r--r--ltshell.php2
-rw-r--r--shell/bin/cd.php2
-rw-r--r--shell/bin/editor.php7
-rw-r--r--shell/bin/whoami.php2
-rw-r--r--shell/exec.php71
-rw-r--r--shell/shell.php54
-rw-r--r--shell/shell2.php48
7 files changed, 131 insertions, 55 deletions
diff --git a/ltshell.php b/ltshell.php
index f3e348d..88a993e 100644
--- a/ltshell.php
+++ b/ltshell.php
@@ -3,7 +3,7 @@
Plugin Name: LTS WebShell
Plugin URI: http://lukeshu.ath.cx/1/src/
Description: An entirely PHP web shell (doesn't require system)
-Version: 3.5
+Version: 3.6
Author: Luke Shumaker
Author URI: http://lukeshu.ath.cx
License: GPL2
diff --git a/shell/bin/cd.php b/shell/bin/cd.php
index e8505bd..baf30f3 100644
--- a/shell/bin/cd.php
+++ b/shell/bin/cd.php
@@ -2,7 +2,7 @@
class p_cd extends prog {
public static function main($args, $env) {
@$dir = $args[1];
- return php_chdir($dir);
+ return lts_chdir($dir);
}
}
diff --git a/shell/bin/editor.php b/shell/bin/editor.php
index 39db3d8..a136cd2 100644
--- a/shell/bin/editor.php
+++ b/shell/bin/editor.php
@@ -2,7 +2,8 @@
class p_editor extends prog {
public static function main($args, $env) {
if (isset($_POST['stdin'])) {
- if (isset($args[1])) {
+ if (false) {//if (isset($args[1])) {
+ echo $args[0].': saving to `'.$args[1]."'\n";
file_put_contents($args[1],$_POST['stdin']);
} else {
echo $_POST['stdin'];
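Review bot: The new condition `if (false) {//if (isset($args[1])) {` makes the save branch unreachable, so the added `echo $args[0].': saving to ...` line and the `file_put_contents()` call are dead code. If saving is being switched off on purpose, add a one-line comment saying why and when it comes back, or drop the branch and leave only the `echo $_POST['stdin'];` path. Keeping the old condition as a trailing comment does not explain the intent. The body of `main()` continues outside this hunk.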
@@ -14,8 +15,8 @@ class p_editor extends prog {
$text = '';
}
echo '<div class="editor">';
- echo '<input type="hidden" name="stddest" value="'.$_POST['c'].'" />';
- echo '<textarea name="stdin">'.$text.'</textarea>'."\n";
+ echo '<input type="hidden" name="stdout_dest" value="'.$_POST['c'].'" />';
+ echo '<textarea name="stdin">'.htmlentities($text).'</textarea>'."\n";
echo '<input type="submit" value="save" />';
echo '</div>';
}
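Review bot: The hidden `stdout_dest` input still interpolates `$_POST['c']` into a double-quoted attribute without escaping, so a command containing `"` or `<` breaks out of the attribute and is reflected as markup. The commit escapes the textarea with `htmlentities($text)`, and the same treatment is needed here: `value="'.htmlspecialchars($_POST['c'], ENT_QUOTES).'"`. The same request value is echoed raw by `echo $_POST['c']."\n";` in shell/shell.php and shell/shell2.php and should be escaped there as well. `main()` starts outside this hunk.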
diff --git a/shell/bin/whoami.php b/shell/bin/whoami.php
index 7e560f2..fd7afa1 100644
--- a/shell/bin/whoami.php
+++ b/shell/bin/whoami.php
@@ -1,7 +1,7 @@
<?php
class p_whoami extends prog {
public static function main($args, $env) {
- echo get_current_user();
+ echo get_current_user()."\n";
}
}
diff --git a/shell/exec.php b/shell/exec.php
index b842ea8..9c22e5b 100644
--- a/shell/exec.php
+++ b/shell/exec.php
@@ -1,32 +1,27 @@
<?php
-function php_chdir($dir) {
+function lts_chdir($dir) {
$ret = chdir($dir);
echo '<input type="hidden" name="d" value="'.getcwd().'" />';
+ if ($ret == false) { echo 'chdir: unable to change directories: `'.$dir."'\n";
return $ret;
}
abstract class prog { public static abstract function main($args, $env); }
-function php_exec($com, $cwd='') {
- if ($cwd != '') { php_chdir($cwd); }
+function lts_shell_exec($com, $env) {
+ if ($env['CWD'] != '') { lts_chdir($env['CWD']); }
if ($com=='') { return 0; }
- $root = dirname(__FILE__);
-
- $ifs=' ';
- $path = $root.'/bin';
-
- $env = array('IFS' => $ifs, 'PATH' => $path);
-
- $coms = array(); $stdout_dest = array();
- $a = 0;
- $c = 0;
- $q = '';
+ $coms = array();
+ $stdout_dest = array();
+
+ // Parse command(s)
+ $a = 0; $c = 0; $q = '';
while ($com != '') {
$char = substr($com,0,1);
$com = substr($com,1);
- if (substr_count ('\'',$char)!==0) {
+ if (substr_count ('\'',$char)!==0) {
if (substr($q,0,1)===$char) {
$q = substr($q,1);
} else {
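Review bot: The added line `if ($ret == false) { echo 'chdir: unable to change directories: ...` opens a brace that is never closed, so as shown the `}` after `return $ret;` ends the `if` rather than `lts_chdir()`. The rest of the file then sits inside the function, and the file would not parse unless a brace was lost in rendering. Close the block on the same line, and since `chdir()` returns a bool prefer `if ($ret === false) { echo ...; }`. `lts_shell_exec()` continues past the end of this hunk.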
@@ -34,14 +29,16 @@ function php_exec($com, $cwd='') {
}
} elseif ($q != '') {
$coms[$c][$a].=$char;
- } elseif (substr_count ($ifs,$char)!==0) {
+ } elseif (substr_count ($env['IFS'],$char)!==0) {
if (isset($coms[$c][$a])) {
$a++;
}
- } elseif (substr_count (';',$char)!==0) {
- $stdout_dest[$c] = '/dev/stdout';
+ } elseif ($char==';') {
+ if (!isset($stdout_dest[$c])) {
+ $stdout_dest[$c] = '/dev/stdout';
+ }
$c++; $a=0;
- } elseif (substr_count ('|',$char)!==0) {
+ } elseif ($char=='|') {
$stdout_dest[$c] = '/dev/stdin';
$c++; $a=0;
} else {
@@ -52,25 +49,18 @@ function php_exec($com, $cwd='') {
$stdout_dest[$c] = '/dev/stdout';
}
+ // execude commands
$ret=0;
- if (!isset($_POST['stdin'])) { $_POST['stdin']=''; }
foreach ($coms as $key => $args) {
if ($stdout_dest[$key] != '/dev/stdout') {
ob_start();
}
- if (!class_exists('p_'.$args[0])) {
- $file=$path.'/'.$args[0].'.php';
- if (file_exists($file)) {
- include($file);
- }
- }
- if (class_exists('p_'.$args[0])) {
- $ret = call_user_func(array('p_'.$args[0],'main'),$args,$env);//main($args,$env);
+
+ lts_exec($args, $env);
+
+ if ($stdout_dest[$key] == '/dev/stdout') {
+ unset($_POST['stdin']);
} else {
- echo 'sh: command not found: `'.$args[0]."'\n";
- $ret = 1;
- }
- if ($stdout_dest[$key] != '/dev/stdout') {
switch ($stdout_dest[$key]) {
case '/dev/stdin': $_POST['stdin']=ob_get_contents(); break;
default: file_put_contents($stdout_dest[$key],ob_get_contents()); break;
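Review bot: The result of the new `lts_exec($args, $env);` call is discarded, so `$ret` keeps its initial value of 0 and `lts_shell_exec()` reports success even when `lts_exec()` returned 1 for an unknown command. The old code assigned the status from `call_user_func()`, so the call should read `$ret = lts_exec($args, $env);`. The added comment `// execude commands` also has a typo ("execute"). The loop and the function end outside this hunk.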
@@ -80,3 +70,20 @@ function php_exec($com, $cwd='') {
}
return $ret;
}
+
+function lts_exec($args, $env) {
+ if (!class_exists('p_'.$args[0])) {
+ $file=$env['PATH'].'/'.$args[0].'.php';
+ if (file_exists($file)) {
+ include($file);
+ }
+ }
+ if (class_exists('p_'.$args[0])) {
+ $ret = call_user_func(array('p_'.$args[0],'main'),$args,$env);
+ } else {
+ echo 'lts_exec: command not found: `'.$args[0]."'\n";
+ $ret = 1;
+ }
+ return $ret;
+}
+
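Review bot: `lts_exec()` builds the include path from `$args[0]` with no validation, and `$args[0]` is the first word of the command posted by the browser. A name containing `/` or `..` therefore makes `include($file)` load a `.php` file from outside `$env['PATH']`. Reject anything that is not a plain command name before the `class_exists()` check, for example `if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $args[0])) { echo "lts_exec: invalid command name\n"; return 1; }`. The "command not found" message also echoes `$args[0]` into the page unescaped and should go through `htmlspecialchars()`.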
diff --git a/shell/shell.php b/shell/shell.php
index 7ad8ae2..499441d 100644
--- a/shell/shell.php
+++ b/shell/shell.php
@@ -1,28 +1,48 @@
<?php if (!isset($LTS)) { die(); }
- include('exec.php');
- if (isset($_POST['stddest'])) {
- $_POST['c'] = $_POST['stddest'];
- }
+include('exec.php');
+
+// Set up environment
+$ltshell_dir = dirname(__FILE__);
+$env['PATH'] = $ltshell_dir.'/bin';
+$env['IFS'] = " \t\n";
+if (isset($_POST['d'])) { chdir($_POST['d']); }
+$env['CWD'] = getcwd();
+
+// Check for an incomplete command
+if (isset($_POST['stdout_dest'])) {
+ $_POST['c'] = $_POST['stdout_dest'];
+ unset($_POST['stdout_dest']);
+}
+
+// Figure out what needs to be displayed on the terminal
+ob_start();
if ($_POST['c'] == 'clear') {
- $term = '';
+ lts_chdir('.');
} else {
- ob_start();
- echo $_POST['t'];
+ echo htmlentities($_POST['stdout']);
echo $_POST['c']."\n";
- php_exec($_POST['c'],$_POST['d']);
+
+ lts_shell_exec($_POST['c'],$env);
+
echo '$ ';
- $term = ob_get_contents();
- ob_end_clean();
}
+$term = ob_get_contents();
+ob_end_clean();
+
+// Display it
?>
<div class="term"><?php
- ?><form action="<?php echo $_SERVER['PHP_SELF'];?>#prompt" method="post"><?php
- php_chdir('.');
- echo $term;
- echo $sh;
- ?><input id="prompt" type="text" name="c" /><?php
- ?><textarea name="t" class="hidden" readonly="readonly"><?php echo preg_replace('/<[^>]*>/','',$term); ?></textarea><?php
- ?></form><?php
+ echo '<form action="'.$_SERVER['PHP_SELF'].'#prompt" method="post">';
+ echo $term;
+ echo '<input id="prompt" type="text" name="c" />';
+ echo '<textarea name="stdout" class="hidden" readonly="readonly">';
+ // this PCRE is so that only markup from the current
+ // command ends up on the terminal; the rest gets
+ // stripped out
+ echo preg_replace('/<[^>]*>/','',$term);
+ echo '</textarea>';
+ echo '</form>';
?></div>
</form>
+
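Review bot: The rewritten form tag, `echo '<form action="'.$_SERVER['PHP_SELF'].'#prompt" method="post">';`, puts `$_SERVER['PHP_SELF']` into the `action` attribute unescaped. `PHP_SELF` includes any path info the client appends to the script URL, so it is request-controlled and must be escaped: `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)`. The identical line in shell/shell2.php needs the same change. Separately, `$_POST['c']` and `$_POST['stdout']` are read without `isset()`, which raises notices on the first page load that carries no POST body.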
diff --git a/shell/shell2.php b/shell/shell2.php
new file mode 100644
index 0000000..345064d
--- /dev/null
+++ b/shell/shell2.php
@@ -0,0 +1,48 @@
+<?php if (!isset($LTS)) { die(); }
+
+include('exec.php');
+
+// Set up environment
+$ltshell_dir = dirname(__FILE__);
+$env['PATH'] = $ltshell_dir.'/bin';
+$env['IFS'] = " \t\n";
+if (isset($_POST['d'])) { chdir($_POST['d']); }
+$env['CWD'] = getcwd();
+
+// Check for an incomplete command
+if (isset($_POST['stdout_dest'])) {
+ $_POST['c'] = $_POST['stdout_dest'];
+ unset($_POST['stdout_dest']);
+}
+
+// Figure out what needs to be displayed on the terminal
+ob_start();
+ if ($_POST['c'] == 'clear') {
+ lts_chdir('.');
+ } else {
+ echo htmlentities($_POST['stdout']);
+ echo $_POST['c']."\n";
+
+ lts_shell_exec($_POST['c'],$env);
+
+ echo '$ ';
+ }
+$term = ob_get_contents();
+ob_end_clean();
+
+// Display it
+?>
+<div class="term"><?php
+ echo '<form action="'.$_SERVER['PHP_SELF'].'#prompt" method="post">';
+ echo $term;
+ echo '<input id="prompt" type="text" name="c" />';
+ echo '<textarea name="stdout" class="hidden" readonly="readonly">';
+ // this PCRE is so that only markup from the current
+ // command ends up on the terminal; the rest gets
+ // stripped out
+ echo preg_replace('/<[^>]*>/','',$term);
+ echo '</textarea>';
+ echo '</form>';
+?></div>
+</form>
+<!-- edited -->
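Review bot: This new file is a near line-for-line copy of the updated shell/shell.php, differing only in indentation and the trailing `<!-- edited -->` marker, so every later fix will have to be made in two places. If it is a scratch copy, it is better left out of the commit; if both entry points are needed, move the shared setup and rendering into one included file. The closing `</form>` after `</div>` has no matching open tag, because the form is already closed by `echo '</form>';` inside the PHP block.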